Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud and gives you complete control over your virtual networking environment. Amazon VPC continues to evolve with new capabilities and enhancements. These features give you greater isolation, control, and visibility at the networking layer. In this session, we review some of the latest changes, discuss their value, and describe their use cases.
2. What to Expect from the Session
• Review Amazon Virtual Private Cloud concepts
• Learn about new capabilities released over the past year
• Discuss the value provided by these new features
• Describe use cases
5. Choose IP address range and set up subnets
[Diagram: subnet 10.10.1.0/24 in Availability Zone us-west-2a and subnet 10.10.2.0/24 in Availability Zone us-west-2b]
6. Choose IP address range and set up subnets
[Diagram: the same two subnets, 10.10.1.0/24 in us-west-2a and 10.10.2.0/24 in us-west-2b, inside VPC 10.10.0.0/16]
Route table:
Destination    Target   Status
10.10.0.0/16   local    Active
Traffic destined to my VPC stays in my VPC.
7. DNS support for non-RFC 1918 addresses (NEW)
• RFC 1918 private address ranges:
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
• Native EC2 DNS support for private VPC IP addresses outside of the RFC 1918 space
• Removes the need for running custom DNS servers
10. Authorize traffic
• Network access control lists (ACLs)
  • Can be applied at the subnet level
  • Act as a stateless firewall for associated subnets: return traffic is not tracked, so replies to outbound connections must be allowed explicitly (for example, inbound TCP on the ephemeral ports 1024-65535)
• Security groups (SGs)
  • Can be applied at the instance level (attached to its network interface)
  • Act as a stateful firewall for associated instances: allow rules only, and return traffic for a permitted connection is admitted automatically
• New: Create up to 500 SGs per VPC (per region)
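The stateless-versus-stateful distinction above, as an added example that is not part of the session material: a small Python evaluator applies network ACL rules (lowest rule number first, first match wins, implicit final deny) and security group rules (allow only, with connection tracking) to one outbound HTTPS connection and its reply. The instance address 10.10.1.34 is taken from the slides; the remote host 203.0.113.10, the rule numbers and the port choices are constructed for the example.

```python
"""Stateless network ACL vs. stateful security group, simulated offline.

Added example, not from the session slides. It applies VPC-style rules to a
constructed outbound HTTPS flow and its return packet. Semantics follow the
VPC model: a network ACL is evaluated lowest rule number first, first match
wins, and an implicit final rule denies everything else; a security group
holds allow rules only and, being stateful, admits the return traffic of a
connection it already allowed without any matching inbound rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

EPHEMERAL = (1024, 65535)  # ports a client picks for its side of a connection


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    sport: int = 0  # source port (0 for icmp)


@dataclass(frozen=True)
class NaclRule:
    number: int
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]   # inclusive destination-port range
    cidr: str                # remote CIDR: source for inbound, destination for outbound


def _matches(proto: str, ports: Tuple[int, int], cidr: str, pkt: Packet, remote_ip: str) -> bool:
    """Does a rule (protocol, destination-port range, remote CIDR) cover this packet?"""
    if proto != "all" and proto != pkt.proto:
        return False
    lo, hi = ports
    if pkt.proto != "icmp" and not lo <= pkt.dport <= hi:
        return False
    return ip_address(remote_ip) in ip_network(cidr)


def nacl_decision(rules: List[NaclRule], pkt: Packet, remote_ip: str) -> str:
    """One direction of a network ACL: lowest number first, first match wins, '*' deny at the end."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.ports, rule.cidr, pkt, remote_ip):
            return rule.action
    return "deny"


class SecurityGroup:
    """Allow rules only; tracks connections so replies need no inbound rule."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (proto, (lo, hi), cidr)
        self.outbound = outbound
        self._tracked = set()     # 5-tuples of connections allowed out

    def outbound_allowed(self, pkt: Packet) -> bool:
        ok = any(_matches(p, ports, cidr, pkt, pkt.dst) for p, ports, cidr in self.outbound)
        if ok:
            self._tracked.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok

    def inbound_allowed(self, pkt: Packet) -> bool:
        # Reverse 5-tuple of a connection already allowed out? Then it is return traffic.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._tracked:
            return True
        return any(_matches(p, ports, cidr, pkt, pkt.src) for p, ports, cidr in self.inbound)


def run_scenario() -> dict:
    """Instance 10.10.1.34 (from the slides) opens HTTPS to a constructed remote host."""
    request = Packet(src="10.10.1.34", dst="203.0.113.10", proto="tcp", dport=443, sport=50000)
    reply = Packet(src="203.0.113.10", dst="10.10.1.34", proto="tcp", dport=50000, sport=443)
    probe = Packet(src="203.0.113.10", dst="10.10.1.34", proto="tcp", dport=3389, sport=40000)

    nacl_out = [NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
    nacl_in = [NaclRule(100, "allow", "tcp", (22, 22), "10.10.0.0/16")]
    # Stateless fix: the reply lands on an ephemeral destination port and must be allowed explicitly.
    nacl_in_fixed = nacl_in + [NaclRule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]

    sg = SecurityGroup(inbound=[("tcp", (22, 22), "10.10.0.0/16")],
                       outbound=[("tcp", (443, 443), "0.0.0.0/0")])
    return {
        "nacl_request": nacl_decision(nacl_out, request, request.dst),        # allow
        "nacl_reply": nacl_decision(nacl_in, reply, reply.src),              # deny: stateless
        "nacl_reply_fixed": nacl_decision(nacl_in_fixed, reply, reply.src),  # allow
        "sg_request": sg.outbound_allowed(request),                          # True
        "sg_reply": sg.inbound_allowed(reply),                               # True: stateful
        "sg_probe": sg.inbound_allowed(probe),                               # False: unsolicited
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:18} {decision}")
```

The same inbound rule set that is sufficient for a security group silently breaks outbound connections when used as a network ACL, which is why NACLs in practice carry a broad ephemeral-port allow and are kept coarse, while per-instance intent goes into security groups.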
11. Security group limits
• 500 security groups per VPC (per region)
• 50 inbound and 50 outbound rules per security group
• 5 security groups per network interface (max 16)
• Number to remember: 250
  • (# of rules) * (# of security groups per interface) <= 250
  • Example 1: if you want to increase the # of rules to 100, then we decrease your # of security groups per interface to 2
  • Example 2: if you want 10 security groups per interface, we decrease your # of rules per security group to 25
12. Establish public connectivity
[Diagram: subnets 10.10.1.0/24 (instances 10.10.1.34, 10.10.1.61) and 10.10.2.0/24 (instances 10.10.2.9, 10.10.2.26); Internet gateway (IGW); public IP 54.4.5.6]
Route table:
Destination    Target         Status
10.10.0.0/16   local          Active
0.0.0.0/0      igw-5a1ae13f   Active
Everything not destined for my VPC goes to the Internet.
13. Internet access via a NAT instance
[Diagram: subnets 10.10.1.0/24 and 10.10.2.0/24, each with a 0.0.0.0/0 route to a NAT instance holding Elastic IP 54.2.0.12]
Route table:
Destination    Target            Status
10.10.0.0/16   local             Active
0.0.0.0/0      nat-instance-id   Active
Everything not destined for my VPC goes to the Internet via the NAT instance.
14. Internet access via NAT Gateway (NEW)
[Diagram: subnets 10.10.1.0/24 and 10.10.2.0/24, each with a 0.0.0.0/0 route to a NAT Gateway with public IP 54.2.0.12]
Route table:
Destination    Target                 Status
10.10.0.0/16   local                  Active
0.0.0.0/0      nat-0da73389b88c2bd3   Active
Everything not destined for my VPC goes to the Internet via the NAT Gateway.
15. Amazon VPC NAT Gateway
• Managed network address translation service
• You assign an Elastic IP address at creation
• Connections initiated from the Internet are prevented
• Each NAT gateway is created in a specific Availability Zone (AZ)
• Built-in redundancy for high availability in the AZ
• Create a NAT gateway in each of your AZs for an AZ-independent architecture
16. Amazon VPC NAT Gateway (cont.)
• Automatic scaling
• Uniform offering; you don’t need to decide on the type or size
• Up to 10 Gbps of bursty TCP, UDP, and ICMP traffic
• Use multiple gateways in multiple subnets for > 10 Gbps
• Can use a network ACL to control traffic to/from subnet
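The AZ-independence point on slide 15, as an added example that is not the session's own code: a NAT gateway lives in one Availability Zone, so a private subnet whose default route points at a NAT gateway in another AZ loses Internet egress when that AZ fails, even though its own AZ is healthy. The check below walks constructed data shaped like the EC2 DescribeSubnets, DescribeRouteTables and DescribeNatGateways responses (those field names are an assumption of this example), reports cross-AZ dependencies, and then builds the one-route-table-per-AZ layout the slide recommends. Subnet and NAT gateway IDs are made up; igw-5a1ae13f is the IGW ID from the slides.

```python
"""Detect private subnets whose default route depends on a NAT gateway in another AZ.

Added example, not from the session. A NAT gateway is created in one
Availability Zone, so a private subnet in us-west-2b whose 0.0.0.0/0 route
points at a NAT gateway in us-west-2a loses Internet egress if us-west-2a
fails. The check walks data shaped like the EC2 DescribeSubnets,
DescribeRouteTables and DescribeNatGateways responses (those field names are
an assumption of this example) and then builds the per-AZ layout the slide
recommends. All IDs and addresses below are constructed sample data.
"""
from typing import Dict, List, Optional

SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-west-2a", "CidrBlock": "10.10.1.0/24"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-west-2b", "CidrBlock": "10.10.2.0/24"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-west-2a", "CidrBlock": "10.10.11.0/24"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-west-2b", "CidrBlock": "10.10.12.0/24"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-aaaa", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-bbbb", "SubnetId": "subnet-pub-b", "State": "available"},
]
LOCAL = {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-5a1ae13f"}]},
    # One route table shared by both private subnets: everything egresses via the AZ-a gateway.
    {"RouteTableId": "rtb-private-shared",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaaa"}]},
]


def cross_az_nat_dependencies(subnets, route_tables, nat_gateways) -> List[Dict[str, str]]:
    """Subnets whose IPv4 default route targets a NAT gateway in a different AZ."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}
    findings = []
    for rtb in route_tables:
        default = next((r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if not default or "NatGatewayId" not in default:
            continue
        nat_id = default["NatGatewayId"]
        for assoc in rtb.get("Associations", []):
            subnet_id = assoc.get("SubnetId")   # the main-table association has no SubnetId
            if subnet_id and subnet_az[subnet_id] != nat_az[nat_id]:
                findings.append({"subnet": subnet_id, "subnet_az": subnet_az[subnet_id],
                                 "nat_gateway": nat_id, "nat_az": nat_az[nat_id],
                                 "route_table": rtb["RouteTableId"]})
    return findings


def same_az_nat(subnet_id: str, subnets, nat_gateways) -> Optional[str]:
    """An available NAT gateway in the subnet's own AZ, or None if that AZ has none."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    for nat in nat_gateways:
        if nat["State"] == "available" and subnet_az[nat["SubnetId"]] == subnet_az[subnet_id]:
            return nat["NatGatewayId"]
    return None


def per_az_private_route_tables(private_subnet_ids, subnets, nat_gateways) -> List[dict]:
    """The AZ-independent layout: one private route table per AZ, defaulting to that AZ's NAT gateway."""
    tables: Dict[str, dict] = {}
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    for subnet_id in private_subnet_ids:
        az = subnet_az[subnet_id]
        nat_id = same_az_nat(subnet_id, subnets, nat_gateways)
        if nat_id is None:
            raise ValueError(f"no available NAT gateway in {az}; create one there first")
        table = tables.setdefault(az, {"RouteTableId": f"rtb-private-{az}", "Associations": [],
                                       "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                                                          "NatGatewayId": nat_id}]})
        table["Associations"].append({"SubnetId": subnet_id})
    return list(tables.values())


if __name__ == "__main__":
    for f in cross_az_nat_dependencies(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print(f"{f['subnet']} ({f['subnet_az']}) egresses via {f['nat_gateway']} in {f['nat_az']}")
    fixed = per_az_private_route_tables(["subnet-priv-a", "subnet-priv-b"], SUBNETS, NAT_GATEWAYS)
    print("after fix:", cross_az_nat_dependencies(SUBNETS, fixed, NAT_GATEWAYS))
```

Against real data the same three lists would come from the corresponding describe calls; the check is deliberately independent of any SDK so it can run in a unit test against captured output.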
20. VPC public connectivity via NAT
NAT instance(s)
  Pros
  • Central control
  • All protocols
  Cons
  • Availability risks
  • Lots of work to manage
  • Scaling hard, limited
NAT gateway
  Pros
  • Managed & maintained by AWS
  • Highly available
  • Optimized for NAT traffic
  • Automatic scaling
  Cons
  • Port forwarding not supported
  • TCP & ICMP fragmentation not supported
21. VPC Endpoints for Amazon S3
[Diagram: subnets 10.10.1.0/24 (instances 10.10.1.34, 10.10.1.61) and 10.10.2.0/24 (instances 10.10.2.9, 10.10.2.26); Internet gateway (IGW); public IP 54.4.5.6; traffic to Amazon S3 leaves through a VPC endpoint]
Route table:
Destination    Target          Status
10.10.0.0/16   local           Active
pl-68a54001    vpce-a610f4cf   Active
pl-68a54001 is the prefix list for Amazon S3; its IP range changes over time and is managed by AWS.
22. Amazon EMR clusters in VPC private subnets
[Diagram: EMR cluster in a private subnet; Amazon S3 reached through an S3 endpoint; the Amazon EMR service reached through a NAT gateway in the public subnet and the IGW; cluster ENI]
23. Access resources in a VPC from AWS Lambda
[Diagram: AWS Lambda function attached to a private subnet through an ENI; reaches Amazon RDS, Amazon ElastiCache and Amazon Redshift inside the VPC, Amazon S3 through an S3 endpoint, and the Internet through a NAT gateway in the public subnet and the IGW]
25. VPC peering: Connecting VPCs without the Internet
[Diagram: VPC A 10.10.0.0/16 (subnet 10.10.1.0/24) peered with VPC B 10.20.0.0/16 (subnet 10.20.1.0/24)]
Route table (VPC A):
Destination    Target         Status
10.10.0.0/16   local          Active
10.20.0.0/16   pcx-44eb539a   Active
Traffic destined for the peered VPC should go to the peering
28. IPv6 VPC/EC2 support (NEW)
• /56 CIDR block of globally unique addresses per VPC
• /64 GUA CIDR block per subnet (18,446,744,073,709,551,616 addresses in each /64)
• Security groups, NACLs, Flow Logs
• Local, Internet gateway, Direct Connect, VPC peering
• Egress-only Internet gateway
• Supported EC2 instances: all current generation instance types except M3 and G2
• IPv6 in the Cloud Overview and Deep Dive sessions
29. IPv6 connectivity
[Diagram: dual-stack VPC 10.10.0.0/16 and 2001:db8:1234:1a00::/56; subnets 10.10.1.0/24 with 2001:db8:1234:1a00::/64 and 10.10.2.0/24 with 2001:db8:1234:1a02::/64; Internet gateway, NAT gateway and Egress-only Internet gateway; example instance addresses IPv4 10.10.1.35, Elastic IPs 198.51.4.2 and 198.51.4.5, IPv6 2001:db8:1234:1a00::123 and 2001:db8:1234:1a02::432]
Public subnet route table:
Destination               Target
10.10.0.0/16              local
2001:db8:1234:1a00::/56   local
0.0.0.0/0                 igw-id
::/0                      igw-id
Private subnet route table:
Destination               Target
10.10.0.0/16              local
2001:db8:1234:1a00::/56   local
0.0.0.0/0                 nat-id
::/0                      eigw-id
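The route lookups implied by the route tables on slides 6, 12 to 14, 21, 25 and 29, as one added example that is not part of the session: a longest-prefix-match resolver over a dual-stack table. It shows the local route keeping VPC traffic inside the VPC, the peering route for VPC B, the S3 prefix-list route expanding to several CIDRs, the IPv4 default going to an IGW or NAT gateway, and the separate IPv6 default going to an egress-only Internet gateway in a private subnet; it also carves the slides' /64 subnets from the /56. The identifiers are the ones on the slides; the CIDRs listed for pl-68a54001 are invented stand-ins, since the real list is AWS-managed and changes over time, and the two tables merge routes that the slides spread over several diagrams.

```python
"""Longest-prefix-match lookup over a dual-stack VPC route table.

Added example, not from the session slides. It reproduces how the route
tables shown on the slides resolve a destination: the most specific matching
route wins, the local route keeps VPC traffic inside the VPC, a managed prefix
list (pl-68a54001 for Amazon S3 on the slide) expands to several CIDRs, and
IPv6 needs its own ::/0 default, which in a private subnet points at an
egress-only Internet gateway. The prefix-list entries below are made up; the
real list is maintained by AWS and changes over time.
"""
from itertools import islice
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for the S3 managed prefix list (real entries differ).
PREFIX_LISTS = {"pl-68a54001": ["52.92.16.0/20", "54.231.0.0/17"]}

# Route tables as (destination, target) pairs, combining the slides' public-subnet
# table (IGW default, peering to VPC B, S3 endpoint) and private-subnet table.
PUBLIC_RT = [
    ("10.10.0.0/16", "local"),
    ("2001:db8:1234:1a00::/56", "local"),
    ("10.20.0.0/16", "pcx-44eb539a"),
    ("pl-68a54001", "vpce-a610f4cf"),
    ("0.0.0.0/0", "igw-5a1ae13f"),
    ("::/0", "igw-5a1ae13f"),
]
PRIVATE_RT = [
    ("10.10.0.0/16", "local"),
    ("2001:db8:1234:1a00::/56", "local"),
    ("pl-68a54001", "vpce-a610f4cf"),
    ("0.0.0.0/0", "nat-0da73389b88c2bd3"),
    ("::/0", "eigw-id"),
]


def expand(routes, prefix_lists=PREFIX_LISTS) -> List[Tuple[object, str]]:
    """Flatten prefix-list routes into plain CIDR routes and parse the CIDRs."""
    flat = []
    for dest, target in routes:
        if dest.startswith("pl-"):
            flat.extend((cidr, target) for cidr in prefix_lists[dest])
        else:
            flat.append((dest, target))
    return [(ip_network(cidr), target) for cidr, target in flat]


def lookup(routes, destination: str, prefix_lists=PREFIX_LISTS) -> Optional[str]:
    """Target of the most specific route covering destination; None means the packet is dropped."""
    addr = ip_address(destination)
    best = None
    for net, target in expand(routes, prefix_lists):
        if net.version != addr.version or addr not in net:
            continue  # 0.0.0.0/0 never matches an IPv6 address, and ::/0 never matches IPv4
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None


def ipv6_subnets(vpc_block: str, count: int) -> List[str]:
    """First `count` /64 subnets carved from the VPC's /56; each /64 holds 2**64 addresses."""
    return [str(n) for n in islice(ip_network(vpc_block).subnets(new_prefix=64), count)]


if __name__ == "__main__":
    for dst in ["10.10.2.9", "10.20.1.7", "52.92.20.1", "203.0.113.5",
                "2001:db8:1234:1a02::432", "2001:db8::1"]:
        print(f"{dst:26} public -> {lookup(PUBLIC_RT, dst)!s:22} private -> {lookup(PRIVATE_RT, dst)}")
    print(ipv6_subnets("2001:db8:1234:1a00::/56", 3))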
30. ClassicLink: Connecting VPC and EC2-Classic
• Connectivity over private IP addresses between linked instances in EC2-Classic and VPC
• Phased migration to VPC
• Classic instances can take membership in VPC security groups
• New: Support for DNS resolution of public hostnames to private IP addresses
36. Related Sessions
• NET201 – Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
• NET204 – IPv6 in the Cloud: Protocol and AWS Service Overview
• NET304 – Moving Mountains: Netflix’s Migration into VPC
• NET307 – IPv6 in the Cloud: Virtual Private Cloud Deep Dive
• NET402 – Deep Dive: AWS Direct Connect and VPNs