Networking Advanced VPC Design and New Capabilities
1. Advanced VPC Design and New Capabilities for Amazon VPC
Bruce Wang, Solutions Architect
2. Previously, from AWS
[Diagram: one AWS Region with Availability Zone 1 and Availability Zone 2; each AZ holds a public subnet and a private subnet. VPC CIDR 10.1.0.0/16, with the option to expand the CIDR and add IPv6.]
3. Previously, from AWS
[Diagram: the same VPC (CIDR 10.1.0.0/16, + Expand + IPv6). Instance A 10.1.0.11/24 and Instance B 10.1.1.11/24 sit in the public subnets and carry Elastic IPs (10.1.0.11 : 54.23.12.43, 10.1.1.11 : 54.19.12.23); Instance C 10.1.2.11/24 and Instance D 10.1.3.11/24 sit in the private subnets. Attached to the VPC: an internet gateway (IGW), a virtual private gateway (VGW) reached by VPN over the internet and by AWS Direct Connect through a Direct Connect gateway (DXGW), VPC peering to VPC-B (intra- or inter-region), a gateway VPC endpoint (VPCE) for Amazon S3, a NAT gateway (NAT-GW) per AZ, VPC Flow Logs, and AWS PrivateLink to an NLB in a service provider VPC. Services reached from the VPC: AWS Lambda, AWS IoT, Amazon DynamoDB, Amazon S3, Amazon SQS, Amazon SNS.]
Public subnet route table
Destination        Target
10.1.0.0/16        Local
0.0.0.0/0          IGW
S3 prefix list     VPCE-123
On-premises        VGW
VPC-B              PCX-123 (intra- or inter-region peering)
Private subnet route table
Destination        Target
10.1.0.0/16        Local
0.0.0.0/0          Instance B (NAT instance)
S3 prefix list     VPCE-123
On-premises        VGW
VPC-B              PCX-123
4. Previously, from AWS
[Diagram: the VPC of slide 3 (CIDR 10.1.0.0/16, Instances A-D, + Expand + IPv6) with the same public and private subnet route tables, NAT gateways in place of the NAT instance, and AWS PrivateLink to an NLB in a service provider VPC.]
Services reachable over AWS PrivateLink at the time:
• API endpoints for Amazon EC2 and Elastic Load Balancing (ELB)
• Amazon Kinesis Data Streams
• AWS Service Catalog
• Amazon EC2 Systems Manager
7. AWS PrivateLink:
• PrivateLink is a way to reach additional public services privately from your Amazon Virtual Private Cloud (Amazon VPC).
• Each PrivateLink endpoint is represented by a private IP address from the subnet it is assigned to.
• No route table update is required.
Before: VPC endpoints for Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.
After: PrivateLink endpoints for the API endpoints of Amazon EC2 and Elastic Load Balancing (ELB), Amazon Kinesis Streams, AWS Service Catalog and Amazon EC2 Systems Manager.
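The difference between the two endpoint types is easiest to see in the route lookup itself. The following Python is an added example, not code from the deck or from AWS: it models the private and public subnet route tables of slides 3 and 4 with longest-prefix match and shows that an interface endpoint's ENI address falls under the Local route (hence "no route table update required"), while a gateway endpoint for S3 only takes effect once the prefix-list route is present; without it, S3 traffic from the private subnet follows the default route out through NAT and across the public internet. The S3 prefix-list CIDRs, the on-premises and VPC-B CIDRs, the endpoint ENI address and the target labels (nat-gw, igw, vgw, pcx-123, vpce-123) are assumptions for illustration.

```python
"""Added example: longest-prefix match over the subnet route tables on the
slides, showing where S3 traffic goes with and without the gateway-endpoint
route, and why an interface (PrivateLink) endpoint needs no route change.
Sample CIDRs and addresses are constructed for the example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]                # (destination, target)
PrefixLists = Dict[str, List[str]]     # prefix-list name -> CIDRs

# Constructed stand-in for the regional S3 prefix list (the real one is a
# managed list, pl-xxxxxxxx, whose contents AWS publishes per region).
PREFIX_LISTS: PrefixLists = {"s3": ["52.216.0.0/15", "54.231.0.0/17"]}

ON_PREM = "192.168.0.0/16"   # assumed on-premises range reached via the VGW
VPC_B = "10.2.0.0/16"        # assumed CIDR of the peered VPC-B

# Private-subnet table of slides 3/4 with the S3 gateway endpoint route present.
PRIVATE_RT: List[Route] = [
    ("10.1.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gw"),     # NAT instance (Instance B) on slide 3, NAT gateway on slide 4
    ("pl:s3", "vpce-123"),       # gateway endpoint: a prefix-list route is required
    (ON_PREM, "vgw"),
    (VPC_B, "pcx-123"),
]
# The same table before the S3 endpoint route was added.
PRIVATE_RT_NO_ENDPOINT: List[Route] = [r for r in PRIVATE_RT if r[0] != "pl:s3"]
# Public-subnet table: the default route points at the internet gateway.
PUBLIC_RT: List[Route] = [
    ("10.1.0.0/16", "local"),
    ("0.0.0.0/0", "igw"),
    ("pl:s3", "vpce-123"),
    (ON_PREM, "vgw"),
    (VPC_B, "pcx-123"),
]


def expand_prefix_lists(routes: List[Route], prefix_lists: PrefixLists) -> List[Route]:
    """A 'pl:<name>' destination is shorthand for one route per CIDR in the list."""
    out: List[Route] = []
    for dest, target in routes:
        if dest.startswith("pl:"):
            out.extend((cidr, target) for cidr in prefix_lists[dest[3:]])
        else:
            out.append((dest, target))
    return out


def lookup(routes: List[Route], dst_ip: str, prefix_lists: PrefixLists) -> Optional[str]:
    """Longest-prefix match, as the VPC router does. The S3 prefix-list entries
    (/15, /17) are more specific than the /0 default route, so they win."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for dest, target in expand_prefix_lists(routes, prefix_lists):
        net = ipaddress.ip_network(dest)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def exits_via_internet(routes: List[Route], dst_ip: str, prefix_lists: PrefixLists) -> bool:
    """True when the packet leaves through a NAT or internet gateway, i.e. it
    crosses the public internet and arrives at S3 without a VPC endpoint ID."""
    return lookup(routes, dst_ip, prefix_lists) in ("nat-gw", "igw")


if __name__ == "__main__":
    s3_ip = "52.216.10.5"         # an address inside the assumed S3 prefix list
    endpoint_eni = "10.1.2.50"    # assumed ENI of an interface endpoint in a private subnet
    print("S3 without endpoint route ->", lookup(PRIVATE_RT_NO_ENDPOINT, s3_ip, PREFIX_LISTS))
    print("S3 with endpoint route    ->", lookup(PRIVATE_RT, s3_ip, PREFIX_LISTS))
    print("Interface endpoint ENI    ->", lookup(PRIVATE_RT, endpoint_eni, PREFIX_LISTS))
```

The practical check this buys you: a bucket policy that requires a specific `aws:SourceVpce` silently fails for any subnet whose route table lacks the prefix-list route, because that subnet's S3 traffic never touches the endpoint. Interface endpoints have no such dependency, since their ENI addresses are inside the VPC CIDR and are covered by the Local route.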
8. [Diagram: the VPC of slide 3 (CIDR 10.1.0.0/16, Instances A-D, NAT gateways, + Expand + IPv6) with interface endpoints for the services listed below.]
After: 19 services now supported over AWS PrivateLink
Amazon API Gateway
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS Config
Amazon EC2 API
Elastic Load Balancing API
AWS Key Management Service
Amazon Kinesis Data Streams
Amazon SageMaker Runtime
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
AWS Systems Manager
+ More
10. Bonus: AWS PrivateLink now supports access over AWS VPN and inter-region peering
VPN: https://amzn.to/2Iv0UAo
Inter-region peering: https://amzn.to/2NBTFI0
13. [Diagram: six accounts, each with its own VPC: Llama 10.3.0.0/16, Pegasus 10.2.0.0/16, Barry 10.1.0.0/16, Iguana 10.6.0.0/16, Steve 10.5.0.0/16, Sue 10.4.0.0/16. Workloads (AWS Lambda, Amazon EC2, Amazon Redshift, Amazon RDS) are spread across the environments Prod 1, Dev, Test, Prod 2, Prod 3 and Prod 4.]
15. [Same diagram as slide 13: six accounts, six VPCs, six /16 CIDRs.]
16. [Diagram: after VPC sharing, only two VPCs remain, Pegasus 10.2.0.0/16 and Barry 10.1.0.0/16, each marked Owner. Llama, Iguana, Steve and Sue keep their own workloads (Lambda, EC2, Redshift, RDS across Prod 1, Dev, Test, Prod 2, Prod 3, Prod 4) but now run them as Participants inside the two shared VPCs.]
17. Amazon VPC owner
Amazon VPC owners are responsible for creating, managing and deleting all VPC-level entities.
Amazon VPC owners cannot modify or delete participant resources.
18. Amazon VPC participant
Participants in a shared Amazon VPC are responsible for the creation, management and deletion of their own resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) databases and load balancers.
However, they cannot modify any Amazon VPC-level entities, including route tables, network ACLs or subnets, nor view or modify resources belonging to other participants.
20. Why use Amazon VPC sharing?
Preserve IP space: use fewer IPv4 CIDRs.
Interconnectivity: no VPC peering required.
Billing and security: continue to enjoy segregation with multiple accounts.
Separation of duties: a central team can create and manage your Amazon VPC.
Same-AZ data transfer cost is nil!
27. Global Accelerator
Client state: applications can keep state, with connections routed to the same endpoint after the initial connection.
AWS's global network: traffic routed through an accelerator traverses the AWS global network instead of the public internet.
Static anycast IPs: Global Accelerator uses static IP addresses as a fixed entry point to your applications. These IP addresses are anycast from AWS edge locations.
30. [Diagram: site-to-site VPN. An on-premises customer gateway (CGW) connects across the internet to an AWS virtual private gateway (VGW) over two IPsec tunnels: IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary).]
33. After: AWS Client VPN
AWS now supports client-to-site VPN termination with OpenVPN clients through the Client VPN endpoint.
34. [Diagram: a user with an OpenVPN client opens a TLS-based tunnel over the internet to the Client VPN endpoint, which is attached to an Amazon VPC; from there the client reaches Amazon DynamoDB, Amazon S3 and on-premises.]
47. After: AWS Transit Gateway (TGW)
48. After: AWS Transit Gateway (TGW)
[Diagram: VPCs A, B and C and an on-premises site attached to one TGW. Attachments: VPC A = attachment 1, VPC B = attachment 2, VPC C = attachment 3, on-premises = VPN attachment 4. The TGW holds route tables RT1 and RT2.]
VPC B route table
Destination    Target
B              Local
0.0.0.0/0      TGW
49. Attachment: the connection from an Amazon VPC or a VPN to a TGW.
Association: the route table used to route packets coming from an attachment (from an Amazon VPC or VPN).
Propagation: the route table into which the attachment's routes are installed.
50. After: AWS Transit Gateway (TGW)
[Diagram: three VPCs on one TGW: Llama 10.1.0.0/16 via attachment X, Pegasus 10.2.0.0/16 via attachment Y, Barry 10.3.0.0/16 via attachment Z.]
TGW route table RT1
Associations: Llama from X, Pegasus from Y, Barry from Z
Propagations: Llama from X, Pegasus from Y, Barry from Z
Routes: 10.1.0.0/16 via X; 10.2.0.0/16 via Y; 10.3.0.0/16 via Z
Llama private subnet route table
Destination    Target
10.1.0.0/16    Local
0.0.0.0/0      TGW
Llama public subnet route table
Destination    Target
10.1.0.0/16    Local
0.0.0.0/0      IGW
10.0.0.0/8     TGW
51. After: AWS Transit Gateway (TGW)
Two more CIDRs, 10.8.0.0/16 and 10.9.0.0/16, appear behind attachment X (Llama); with propagation on, RT1 learns them automatically:
10.8.0.0/16 via X
10.9.0.0/16 via X
52. After: AWS Transit Gateway (TGW)
With propagation turned off, you can still statically configure the same routes (10.8.0.0/16 via X, 10.9.0.0/16 via X).
53. After: AWS Transit Gateway (TGW)
[Diagram: Llama 10.1.0.0/16 (attachment X), Pegasus 10.2.0.0/16 (attachment Y), Barry 10.3.0.0/16 (attachment Z) and on-premises 172.16.0.0/16 (attachment Q) on one TGW with three route tables.]
TGW route table RT1
Associations: Llama from X, Pegasus from Y
Propagations: Llama from X, Pegasus from Y, On-prem from Q
Routes: 10.1.0.0/16 via X; 10.2.0.0/16 via Y; 172.16.0.0/16 via Q
TGW route table RT2
Associations: Barry from Z
Propagations: Barry from Z, On-prem from Q
Routes: 10.3.0.0/16 via Z; 172.16.0.0/16 via Q
TGW route table RT3
Associations: On-prem from Q
Propagations: Llama from X, Pegasus from Y, Barry from Z, On-prem from Q
Routes: 10.1.0.0/16 via X; 10.2.0.0/16 via Y; 10.3.0.0/16 via Z; 172.16.0.0/16 via Q
54. After: AWS Transit Gateway (TGW)
Packet: SRC Llama, DST On-prem. It enters from attachment X, which is associated with RT1; RT1 holds 172.16.0.0/16 via Q, so the packet is forwarded to on-premises.
55. After: AWS Transit Gateway (TGW)
[Same route tables as slide 53; packet SRC Llama, DST On-prem.]
56. After: AWS Transit Gateway (TGW)
Packet: SRC Barry, DST On-prem. It enters from attachment Z, which is associated with RT2; RT2 holds 172.16.0.0/16 via Q, so the packet is forwarded to on-premises. RT2 has no route for 10.1.0.0/16 or 10.2.0.0/16, so Barry cannot reach Llama or Pegasus through the same TGW.
57. After: AWS Transit Gateway (TGW)
[Same route tables as slide 53; packet SRC Barry, DST On-prem.]
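The segmentation on slides 53 to 57 comes entirely from which table each attachment is associated with and which tables each attachment propagates into. The following Python is an added example, not code from the deck or from AWS: it models TGW route tables with associations, propagations, static routes and longest-prefix match, builds the three-table topology of slide 53 and the single-table topology of slides 50 to 52, and replays the packet traces (Llama to on-premises, Barry to on-premises) plus the case the slides leave implicit, Barry to Llama, which has no route and is dropped. The on-premises CIDR 172.16.0.0/16 and the attachment letters are from the slides; the host addresses used in the traces are assumed for illustration, and nothing here talks to AWS.

```python
"""Added example: a small model of AWS Transit Gateway route tables.
Association = the table a packet entering from an attachment is looked up in;
propagation = the table that learns an attachment's CIDRs. Topology and
attachment ids (X, Y, Z, Q) follow the slides; host IPs are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Attachment:
    att_id: str         # e.g. "X"
    cidrs: List[str]    # prefixes behind the attachment (VPC CIDR or VPN routes)


@dataclass
class TgwRouteTable:
    name: str
    routes: Dict[str, str] = field(default_factory=dict)  # cidr -> attachment id

    def propagate(self, att: Attachment) -> None:
        """Propagation: install the attachment's CIDRs into this table."""
        for cidr in att.cidrs:
            self.routes[cidr] = att.att_id

    def add_static(self, cidr: str, att_id: str) -> None:
        """Static route: usable even when propagation for the attachment is off."""
        self.routes[cidr] = att_id

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; None means no route, so the packet is dropped."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, att_id in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att_id)
        return best[1] if best else None


class TransitGateway:
    def __init__(self) -> None:
        self.tables: Dict[str, TgwRouteTable] = {}
        self.associations: Dict[str, str] = {}  # attachment id -> table name

    def route_table(self, name: str) -> TgwRouteTable:
        return self.tables.setdefault(name, TgwRouteTable(name))

    def associate(self, att: Attachment, table: str) -> None:
        """Association: exactly one route table decides egress for an attachment."""
        self.associations[att.att_id] = table

    def forward(self, ingress_att: str, dst_ip: str) -> Optional[str]:
        """Attachment a packet arriving from ingress_att leaves on (None = dropped)."""
        return self.tables[self.associations[ingress_att]].lookup(dst_ip)

    def bidirectional(self, a_att: str, a_ip: str, b_att: str, b_ip: str) -> bool:
        """A flow only works if both directions resolve to the right attachment."""
        return self.forward(a_att, b_ip) == b_att and self.forward(b_att, a_ip) == a_att


# Attachments from the slides.
LLAMA = Attachment("X", ["10.1.0.0/16"])
PEGASUS = Attachment("Y", ["10.2.0.0/16"])
BARRY = Attachment("Z", ["10.3.0.0/16"])
ONPREM = Attachment("Q", ["172.16.0.0/16"])


def build_segmented_tgw() -> TransitGateway:
    """Slide 53: RT1 serves Llama and Pegasus, RT2 serves Barry, RT3 serves
    on-premises. Barry and Llama/Pegasus never learn each other's prefixes."""
    tgw = TransitGateway()
    rt1, rt2, rt3 = (tgw.route_table(n) for n in ("RT1", "RT2", "RT3"))
    for att in (LLAMA, PEGASUS):
        tgw.associate(att, "RT1")
    tgw.associate(BARRY, "RT2")
    tgw.associate(ONPREM, "RT3")
    for att in (LLAMA, PEGASUS, ONPREM):
        rt1.propagate(att)
    for att in (BARRY, ONPREM):
        rt2.propagate(att)
    for att in (LLAMA, PEGASUS, BARRY, ONPREM):
        rt3.propagate(att)
    return tgw


def build_flat_tgw_with_static_route() -> TransitGateway:
    """Slides 50-52: one RT1 shared by all three VPCs; 10.8.0.0/16 behind X is
    reachable through a static route with propagation turned off."""
    tgw = TransitGateway()
    rt1 = tgw.route_table("RT1")
    for att in (LLAMA, PEGASUS, BARRY):
        tgw.associate(att, "RT1")
        rt1.propagate(att)
    rt1.add_static("10.8.0.0/16", "X")
    return tgw


if __name__ == "__main__":
    seg = build_segmented_tgw()
    print("Llama -> on-prem leaves on", seg.forward("X", "172.16.1.10"))
    print("Barry -> on-prem leaves on", seg.forward("Z", "172.16.1.10"))
    print("Barry -> Llama leaves on", seg.forward("Z", "10.1.0.11"))
```

The `bidirectional` check is the one worth keeping around: a route in the ingress table is only half of a flow, and a design review that inspects just one TGW route table will miss a return path that lands in a table without the source prefix.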
58. After: AWS Transit Gateway (TGW) – The console
66. Amazon VPC peering for full mesh connectivity
[Diagram: VPCs A, B and C peered in a full mesh, each with its own VPN connection to on-premises.]
• IPsec between VPCs (limits apply)
• Instance-based transit Amazon VPC
• VPN connection per Amazon VPC
67. After TGW
• Up to 5000 Amazon VPC attachments per TGW
• 1.25 Gbps per VPN connection, with ECMP
• 10,000 routes per TGW
• Multiple TGW route tables for finer routing control
• 50 Gbps of bandwidth per attachment per Availability Zone
• Centralized hub for routing between Amazon VPCs and from on-premises to AWS