8. VPC Endpoint Services
Before:
[Diagram: a customer VPC reaches an application (e.g. SaaS) in the service provider VPC through an NLB over AWS PrivateLink; "Powered by AWS PrivateLink".]
9. VPC Endpoint Services
After:
- Tagging for Endpoint Services
- Reachable over intra- and inter-region VPC peering
[Diagram: as before (customer VPC, service provider VPC with an NLB-fronted application, AWS PrivateLink), plus a peered VPC reaching the endpoint "MyEndpoint" over VPC Peering.]
11. Before:
[Diagram: AWS Region 1 and AWS Region 2, each labelled with the address 3.10.3.125.]
12. AWS Global Accelerator
After:
- Application endpoints in additional regions
- Source IP preservation of client IP
[Diagram: AWS Region 1 and AWS Region 2, each with a VPC, behind the accelerator address 3.10.3.125; the source IP of clients is preserved through to the destination; application endpoints in additional regions.]
13. AWS Global Accelerator
After:
- Application endpoints in additional regions
- Source IP preservation of client IP
- Support for EC2 instance endpoints
[Diagram: Global Accelerator (3.10.3.125) in front of AWS Region 2, with an endpoint in a private subnet.]
26. Client VPN
Before:
- Client VPN support for CloudFormation
After:
- Client VPN support for split-tunneling (e.g. traffic not destined for AWS)
- Client VPN support for multi-factor authentication for Active Directory
[Diagram: a user with an OpenVPN client reaches the Client VPN service over a TLS-based tunnel over the Internet; the Client VPN service attaches to an Amazon VPC, and the client also reaches on-premises, Amazon S3 and Amazon DynamoDB; labels "MFA" and "Split Tunnel".]
28. What is Amazon VPC Traffic Mirroring?
[Diagram: inbound and outbound packets on ENI-1 of an EC2 instance (behind an Internet gateway) are copied to a monitoring instance.]
29. VPC Traffic Mirroring: Three components
- Sessions: an entity that describes traffic mirroring from a source to a target using filters
- Targets: the destination for mirrored traffic
- Filters: a set of rules that define the traffic that is copied in a traffic mirror session
32. A traffic mirror session has three components:
- Target: the destination for mirrored traffic
33. Traffic congestion and EC2 network performance
Note: Production traffic has a higher priority than mirrored traffic when there is traffic congestion.
34. VPC Flow Logs vs. VPC Traffic Mirroring
VPC Flow Logs:
- Logs of network flows
- Each record captures the network flow for a specific 5-tuple, for a specific capture window
- Destination: Amazon S3 or Amazon CloudWatch Logs
VPC Traffic Mirroring:
- Real network packets, with the ability to truncate
- Destination: another elastic network interface or Network Load Balancer
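To make the three components and the Flow Logs comparison concrete, here is an added Python model (example code, not from the slides or from AWS): filter rules evaluated lowest rule number first with accept/reject, where a packet matching no rule is not mirrored; a session that copies accepted packets to the target with optional truncation; and the per-5-tuple counts that Flow Logs would record for the same packets instead. The packet and rule shapes, sample addresses and payloads are constructed, and the first-match rule semantics are a simplified assumption for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed shapes for this example, not AWS record formats. direction is
# "ingress"/"egress" relative to the mirrored ENI; proto is the IP protocol
# number (6 = TCP, 17 = UDP); a rule's dport is an inclusive (from, to) range.
Packet = namedtuple("Packet", "direction proto src dst sport dport payload")
Rule = namedtuple("Rule", "number direction action proto src_cidr dst_cidr dport",
                  defaults=(None, "0.0.0.0/0", "0.0.0.0/0", None))

def rule_matches(r, p):
    return (r.direction == p.direction
            and (r.proto is None or r.proto == p.proto)
            and ip_address(p.src) in ip_network(r.src_cidr)
            and ip_address(p.dst) in ip_network(r.dst_cidr)
            and (r.dport is None or r.dport[0] <= p.dport <= r.dport[1]))

def mirrored(packets, rules, packet_length=None):
    """Copies a mirror session sends to its target: the lowest-numbered matching
    rule decides, no match means not mirrored, packet_length truncates each copy."""
    out = []
    for p in packets:
        for r in sorted(rules, key=lambda r: r.number):
            if rule_matches(r, p):
                if r.action == "accept":
                    out.append(p.payload[:packet_length])  # None keeps the whole packet
                break
    return out

def flow_records(packets):
    """Flow Logs view of the same packets: (packets, bytes) per 5-tuple, no payload."""
    agg = {}
    for p in packets:
        k = (p.src, p.dst, p.sport, p.dport, p.proto)
        n, b = agg.get(k, (0, 0))
        agg[k] = (n + 1, b + len(p.payload))
    return agg

# Constructed sample traffic on one ENI: inbound HTTPS (one flow), inbound DNS, outbound SSH.
PACKETS = [
    Packet("ingress", 6, "198.51.100.7", "10.0.1.5", 51000, 443, b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    Packet("ingress", 6, "198.51.100.7", "10.0.1.5", 51000, 443, b"user=alice&token=..."),
    Packet("ingress", 17, "203.0.113.9", "10.0.1.5", 4000, 53, b"dns query"),
    Packet("egress", 6, "10.0.1.5", "10.0.2.20", 40000, 22, b"SSH-2.0-client"),
]
RULES = [
    Rule(10, "ingress", "reject", proto=17),                   # drop UDP before the accept below
    Rule(20, "ingress", "accept", proto=6, dport=(443, 443)),  # inbound HTTPS only
    Rule(100, "egress", "accept"),                             # everything leaving the ENI
]
```

Compare `mirrored(PACKETS, RULES, packet_length=64)` with `flow_records(PACKETS)`: the former yields payload bytes a sensor can inspect, the latter only counts per flow.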
40. AWS Direct Connect: a quick detour
[Diagram: on-premises (192.168.0.0/16) connects through the service provider network to a customer or partner cage at the AWS Direct Connect location, with a cross connect to the AWS cage; a Private VIF terminates on the VGW of a VPC (10.0.0.0/16) in the AWS Region, alongside a Public VIF.]
41. AWS Direct Connect: a quick detour
[Diagram: as slide 40, with a second VPC (10.2.0.0/16) and its own VGW reached over a second Private VIF, next to the Public VIF.]
42. AWS Direct Connect: a quick detour
[Diagram: a single Private VIF now terminates on an AWS Direct Connect Gateway, which fronts the VGWs of both VPCs (10.0.0.0/16 and 10.2.0.0/16) in the AWS Region.]
43. AWS Direct Connect: a quick detour
[Diagram: as slide 42, but the two VPCs (10.0.0.0/16 and 10.2.0.0/16) and their VGWs are in AWS Region 1 and AWS Region 2, both behind the AWS Direct Connect Gateway.]
44. AWS Direct Connect: a quick detour
Multi-account DX gateway (NEW)
[Diagram: as slide 43, but the two VPCs (10.0.0.0/16 and 10.2.0.0/16) and their VGWs are in AWS Account 1 and AWS Account 2, both behind the AWS Direct Connect Gateway over one Private VIF.]
45. AWS Direct Connect: a quick detour
Transit VIF with DX gateway (NEW)
[Diagram: on-premises (192.168.0.0/16) reaches the AWS Direct Connect Gateway over a Transit VIF; the gateway attaches to an AWS Transit Gateway (up to 3x TGWs) serving VPCs 10.0.0.0/16 and 10.2.0.0/16 in AWS Account 1 and AWS Account 2.]
50. AWS Transit Gateway Cross-Region Peering
- Full mesh network across multiple regions with static peering
- Private and performant connectivity across the AWS Global Network
- All traffic across Transit Gateway Cross-Region peering is encrypted
- Horizontally scalable
56. Global network connectivity
- Leverage the AWS Global Network
- Combine AWS Global Accelerator with VPN
- Lower latency, less jitter, consistent connectivity
- Ideal for branch connectivity