Amazon’s Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud and gives you complete control over your virtual networking environment. Amazon VPC continues to evolve with new capabilities and enhancements. These features give you increasingly greater isolation, control, and visibility at the all-important networking layer. In this session, we review some of the latest changes, discuss their value, and describe their use cases.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Camil Samaha, Solutions Architecture
Kaartik Viswanath, Product Manager, EC2 Networking
December 2, 2016
NET303
NextGen Networking
New Capabilities for the Amazon Virtual
Private Cloud

2. What to Expect from the Session
• Review Amazon Virtual Private Cloud concepts
• Learn about new capabilities released over the
past year
• Discuss the value provided by these new
features
• Describe use cases

3. Introducing VPC
EC2 instance
10.2.2.2
10.3.3.3
54.1.2.3
54.2.3.4

4. Introducing VPC
172.31.0.128
172.31.0.129
172.31.1.24
172.31.1.27
54.4.5.6
54.2.3.4

5. Choose IP address range and setup subnets
10.10.1.0/24
Availability Zone
VPC subnet
us-west-2a
10.10.2.0/24
Availability Zone
VPC subnet
us-west-2b

6. Choose IP address range and setup subnets
10.10.1.0/24
Availability Zone
VPC subnet
us-west-2a
10.10.2.0/24
Availability Zone
VPC subnet
us-west-2b
Destination Target Status
10.10.0.0/16 local Active
Traffic destined to my VPC
stays in my VPC

7. DNS support for non-RFC 1918 addresses (NEW)
• RFC 1918 private address ranges:
• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• Native EC2 DNS support for private VPC IP addresses
outside of the RFC 1918 space
• Removes the need for running custom DNS servers

9. Authorize traffic
10.10.1.0/24
us-west-2a
10.10.2.0/24
us-west-2b
security group

10. Authorize traffic
• Network access control lists (ACLs)
• Can be applied at the subnet level
• Act as a stateless firewall for associated subnets
• Security groups (SGs)
• Can be applied at the instance level
• Act as a stateful firewall for associated instances
• New: Create up to 500 SGs per VPC (per region)

11. Security group limits
• 500 security groups per VPC (per region)
• 50 inbound and 50 outbound rules per security group
• 5 security groups per network interface (max 16)
• Number to remember: 250
• (# of rules) * (# of security groups per interface) <= 250
• Example 1: if you want to increase the # of rules to 100, then
we decrease your # of security groups per interface to 2
• Example 2: if you want 10 security groups per interface, we
decrease your # of rules per security group to 25

12. Establish public connectivity
10.10.1.0/24 10.10.2.0/24
10.10.1.34
10.10.1.61
10.10.2.9
10.10.2.26
IGW
54.4.5.6
Destination Target Status
10.10.0.0/16 local Active
0.0.0.0/0 igw-5a1ae13f Active
Everything not destined for
my VPC goes to the Internet

13. Internet access via a NAT instance
10.10.1.0/24 10.10.2.0/24
0.0.0.0/0
0.0.0.0/0
Destination Target Status
10.10.0.0/16 local Active
0.0.0.0/0 nat-instance-id Active
NAT instance
54.2.0.12 (EIP)
Everything not destined for
my VPC goes to the Internet
via the NAT instance

14. Internet access via NAT Gateway (NEW)
10.10.1.0/24 10.10.2.0/24
0.0.0.0/0
0.0.0.0/0
Public IP: 54.2.0.12
NAT Gateway
Destination Target Status
10.10.0.0/16 local Active
0.0.0.0/0 nat-0da73389b88c2bd3 Active
Everything not destined for
my VPC goes to the Internet
via the NAT Gateway

15. Amazon VPC NAT Gateway
• Managed network address translation service
• You assign an Elastic IP address at creation
• Connections initiated from the Internet are prevented
• Each NAT gateway is created in a specific Availability
Zone (AZ)
• Built-in redundancy for high availability in the AZ
• Create a NAT gateway in each of your AZs for an AZ-
independent architecture

16. Amazon VPC NAT Gateway (cont.)
• Automatic scaling
• Uniform offering; you don’t need to decide on the type or
size
• Up to 10 Gbps of bursty TCP, UDP, and ICMP traffic
• Use multiple gateways in multiple subnets for > 10 Gbps
• Can use a network ACL to control traffic to/from subnet

17. Create a NAT Gateway

18. Create a NAT Gateway

19. Update subnet routing table

20. VPC public connectivity via NAT
NAT instance(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Lots of work to manage
• Scaling hard, limited
NAT gateway
Pros
• Managed & maintained by AWS
• Highly available
• Optimized for NAT traffic
• Automatic scaling
Cons
• Port forwarding not supported
• TCP & ICMP fragmentation not
supported

21. VPC Endpoints for Amazon S3
10.10.1.0/24 10.10.2.0/24
10.10.1.34
10.10.1.61
10.10.2.9
10.10.2.26
IGW
54.4.5.6
Destination Target Status
10.10.0.0/16 local Active
pl-68a54001 vpce-a610f4cf Active
Prefix list for Amazon S3;
IP range changes over time
and is managed by AWS

22. Amazon EMR clusters in VPC private subnets
Private subnet
Public subnet
Amazon EMR
Service
Amazon S3S3 endpointCluster
IGW
NAT gateway
ENI

23. Access resources in a VPC from AWS Lambda
Private subnet
Public subnet
Amazon Redshift
Amazon S3
S3 endpoint
IGW
NAT gateway
ENI
AWS Lambda
function
Amazon ElastiCache
Amazon RDS

24. Amazon Redshift enhanced VPC routing
Private subnet
Public subnet
Amazon Redshift Amazon S3S3 endpoint
IGW
NAT gateway
ENI
Amazon S3
us-east-1 us-west-2

25. VPC peering: Connecting VPCs without the Internet
10.10.1.0/24
VPC A
10.10.0.0/16
10.20.1.0/24
VPC B
10.20.0.0/16
Destination Target Status
10.10.0.0/16 local Active
10.20.0.0/16 pcx-44eb539a Active
Traffic destined for the peered
VPC should go to the peering

26. VPC peering
10.10.1.0/24
10.10.0.0/16 10.20.0.0/16
10.20.1.0/24
10.20.30.0/24
New: Support for security group references between peered VPCs
Source Protocol Port Range
10.20.1.0/24 All All
10.20.30.7/32 All All
10.20.30.56/32 All All
Source Protocol Port Range
sg-530afe56 All All

27. VPC peering
10.10.1.0/24
10.10.0.0/16 10.20.0.0/16
10.20.1.0/24
New: Support for DNS resolution between peered VPCs
10.20.1.35
54.4.5.6
#Before# dig ec2-54-4-5-6.compute-1.amazonaws.com +short
54.4.5.6
#After# dig ec2-54-4-5-6.compute-1.amazonaws.com +short
10.20.1.35

28. IPv6 VPC/EC2 support (NEW)
• /56 CIDR block of globally unique addresses per VPC
• /64 GUA CIDR block per subnet
• Security groups, NACLs, Flow Logs
• Local, Internet gateway, Direct Connect, VPC peering
• Egress only internet gateway
• Supported EC2 instances: all current generation
instance types except M3 and G2
• IPv6 in the Cloud Overview and Deep Dive sessions
18,446,744,073,709,551,616

29. 2001:db8:1234:1a00::/64
IPv6 connectivity
10.10.1.0/24 10.10.2.0/24
10.10.0.0/16
NAT gateway
Internet gateway Egress-only Internet gateway
IPv4: 10.10.1.35 IPv4: 10.10.1.35
Elastic IP: 198.51.4.2
Elastic IP: 198.51.4.5
2001:db8:1234:1a00::/56
2001:db8:1234:1a02::/64
IPv6: 2001:db8:1234:1a00::123
IPv6: 2001:db8:1234:1a02::432
Destination Target
10.10.0.0/16 local
2001:db8:1234:1a00::/56 local
0.0.0.0/0 igw-id
::/0 igw-id
Destination Target
10.10.0.0/16 local
2001:db8:1234:1a00::/56 local
0.0.0.0/0 nat-id
::/0 eigw-id

30. ClassicLink: Connecting VPC and EC2-Classic
• Connectivity over private IP addresses between linked
instances in EC2-Classic and VPC
• Phased migration to VPC
• Classic instances can take membership in VPC security
groups
• New: Support for DNS resolution of public
hostnames to private IP addresses

31. ClassicLink over VPC peering (NEW)
VPC BVPC AClassic

32. 10000s instances.
1000s services.
Dozens of teams.
Moving at their own schedule.
Netflix – Migration from Classic to VPC

33. Netflix

34. Thank you!

35. Remember to complete
your evaluations!

36. Related Sessions
• NET201 – Creating Your Virtual Data Center: VPC Fundamentals
and Connectivity Options
• NET204 – IPv6 in the Cloud: Protocol and AWS Service Overview
• NET304 – Moving Mountains: Netflix’s Migration into VPC
• NET307 – IPv6 in the Cloud: Virtual Private Cloud Deep Dive
• NET402 – Deep Dive: AWS Direct Connect and VPNs