1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sidhartha Chauhan
Solutions Architect, AWS
SRV323
Planning Advanced AWS Networking Architectures
2. AWS
3. AWS platform overview (figure)
Core services: Compute, Storage, Database, Networking
Infrastructure: Regions, Availability Zones, Edge locations
Platform services: Analytics, IoT, Deployment, Mobile
Applications: Virtual desktops, Collaboration & sharing, App delivery, Email
Security: Access control, Auditing, Monitoring, Encryption
All of it exposed through APIs & SDKs
4.
Foundations: Amazon VPC
Your own private, isolated section of the AWS Cloud
5. A basic VPC (figure)
VPC CIDR 10.1.0.0/16, spanning Availability Zone A and Availability Zone B. Each AZ holds a public subnet and a private subnet carved from the VPC range as /24s (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24).
Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24.
Only one internet gateway and one VGW can be attached per VPC.
6. A VPC inside an AWS Region (figure)
AWS Region, e.g. us-west-1, containing our VPC from earlier (10.1.0.0/16 with subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 across Availability Zones A and B; Instances A to D at 10.1.1.11, 10.1.2.22, 10.1.3.33, 10.1.4.44).
Amazon VPC internal services run inside your VPC (e.g., Amazon EMR, Elastic Load Balancing, Amazon RDS).
AWS Region level services (plus many more) live outside any VPC: Amazon SNS, Amazon SQS, Amazon SWF, Amazon SES, Amazon S3, Amazon Glacier, Amazon DynamoDB, AWS Lambda.
The internet gateway is the gateway between AWS Region level services and internal VPC services: without an endpoint, an instance reaches S3 or DynamoDB through the internet gateway (or a NAT) on the services' public addresses.
7. Open question and answer
8. Advanced VPC and other services
Let's add some AWS services outside of the VPC
9. The VPC connected to the outside (figure)
Same VPC as before (Availability Zones A and B, public and private subnets, Instances A to D at 10.1.1.11, 10.1.2.22, 10.1.3.33, 10.1.4.44), now with:
• an internet gateway (IGW) to the Internet; Instance A's Elastic IP is mapped 1:1 to its private address (EIP 54.1.13.43 = 10.1.1.11)
• a NAT Gateway in a public subnet for outbound-only access from the private subnets
• a virtual private gateway (VGW) terminating VPN and AWS Direct Connect links to the on-premises network
• VPC peering to another Amazon VPC, where Amazon EC2 instances run
• Amazon CloudWatch and VPC Flow Logs for monitoring the traffic
10. What's new, part 1 (figure)
The same VPC, now with VPC CIDR 10.1.0.0/16, 10.2.0.0/16 (expand your existing VPC by adding a secondary CIDR), connected to the Internet through the IGW and NAT Gateway, to the on-premises VPC over VPN via the VGW, and to another Region by inter-region VPC peering.
New features called out: VPN BYO tunnel IP and custom PSK; security group rule descriptions; IPv6 for VPC.
11. What's new, part 2 (figure)
As above, with AWS Direct Connect to the on-premises VPC in addition to VPN, inter-region VPC peering, and the Internet via IGW and NAT Gateway.
New features called out: DX Gateway, link aggregation, new POPs, and global public access; security group rule descriptions; IPv6 for VPC; expand your existing VPC (VPC CIDR 10.1.0.0/16, 10.2.0.0/16).
12. What's new, part 3 (figure)
As above, with inter-region VPC peering, AWS Direct Connect to the on-premises VPC, and the Internet via the IGW.
New features called out: PrivateLink for AWS services (Amazon EC2, Elastic Load Balancing, Kinesis Data Streams, AWS Service Catalog, EC2 Systems Manager) and for service providers; CloudWatch metrics for VPN, DX, and NATGW; security group rule descriptions; IPv6 for VPC; expand your existing VPC (VPC CIDR 10.1.0.0/16, 10.2.0.0/16); DX Gateway, link aggregation, new POPs, and global public access.
13. VPC endpoints
14. VPC endpoints: how it works
Without endpoints:
• Instances need public connectivity to reach services such as Amazon S3
• Security groups are required to block outside access
• Mindset that customers are traversing the public internet
Enter: the virtual private endpoint
15. VPC endpoints: how it works
With a VPC endpoint we no longer need the following for Amazon S3 access:
• Elastic IP addresses per instance
• Default routes pointing to an internet gateway
• NAT instances
• Or even an internet gateway!
16. VPC endpoints: how it works
After the VPCE is created:
• A "prefix-list" route entry (destination pl-xxxxxxxx, target the endpoint) is needed in each route table whose subnets should use the endpoint.
• Now all traffic for the pl-xxxxxxxx destinations (the service's public IP ranges in that Region) will traverse the VPCE instead of the internet gateway, because those routes are more specific than the 0.0.0.0/0 default route.
• Any route table without the entry keeps sending that service's traffic out through the internet gateway or NAT.
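The routing effect described above, as an added example that is not part of the original deck: a longest-prefix-match lookup over two constructed route tables shows the prefix-list entries winning over the default route, and a check lists any route table whose subnets would still reach S3 through the IGW or NAT. The route targets and the two CIDRs standing in for the S3 prefix list are assumptions made for the example.

```python
"""Longest-prefix match over VPC route tables, to show why the prefix-list
route added for a gateway endpoint takes S3 traffic away from the internet
gateway, and to find route tables that are still missing that route.
Example code added for this page, not from the AWS deck: the route tables,
targets and the two CIDRs standing in for the S3 prefix list are constructed.
"""
import ipaddress

# Constructed stand-in for the Region's S3 prefix list (pl-xxxxxxxx); the real
# list is whatever AWS publishes for the endpoint's service name.
S3_PREFIX_LIST = ["52.92.16.0/20", "54.231.0.0/17"]

# Constructed route tables: destination CIDR -> target.
PUBLIC_RT = {
    "10.1.0.0/16": "local",
    "0.0.0.0/0": "igw-0aaaaaaa",
    **{cidr: "vpce-s3" for cidr in S3_PREFIX_LIST},  # the prefix-list entries
}
PRIVATE_RT = {
    "10.1.0.0/16": "local",
    "0.0.0.0/0": "nat-0bbbbbbb",  # no prefix-list entry: S3 still goes via NAT/IGW
}


def lookup(route_table, dst):
    """Target for dst by longest-prefix match, as the VPC router resolves it."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def tables_bypassing_endpoint(route_tables, prefix_list, endpoint_target):
    """Names of route tables in which some prefix-list destination does not
    resolve to the endpoint, i.e. whose subnets would reach S3 over the
    internet path instead of the VPCE."""
    probes = [str(ipaddress.ip_network(cidr)[0]) for cidr in prefix_list]
    return [name for name, rt in route_tables.items()
            if any(lookup(rt, p) != endpoint_target for p in probes)]


if __name__ == "__main__":
    print("public  52.92.20.5 ->", lookup(PUBLIC_RT, "52.92.20.5"))
    print("private 52.92.20.5 ->", lookup(PRIVATE_RT, "52.92.20.5"))
    print("bypassing the endpoint:", tables_bypassing_endpoint(
        {"public": PUBLIC_RT, "private": PRIVATE_RT}, S3_PREFIX_LIST, "vpce-s3"))
```

Run the same check against the real tables by feeding `describe-route-tables` output and the prefix list's CIDRs into `tables_bypassing_endpoint`; a non-empty result means some subnets still talk to S3 over the public path, which is exactly the traffic a bucket policy keyed on the endpoint (next slide) would reject.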
17. VPC endpoints: how it works
Restricting access to Amazon S3, from both ends:
• IAM policy at the VPC endpoint (endpoint policy): restrict which actions and which buckets the VPC may reach through the endpoint
• IAM policy at the S3 bucket (bucket policy): make the bucket accessible from the VPC endpoint only, by conditioning on aws:sourceVpce
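The two policies above, as an added example that is not part of the original deck: the endpoint policy and bucket policy documents are written out as a practitioner would paste them, and a small evaluator of IAM's Deny/Allow and StringNotEquals rules shows which requests get through. The bucket name, endpoint ID and the `decide`/`effective_decision` helpers are assumptions made for the example; principal matching is left out.

```python
"""Two-layer restriction of S3 access through a gateway endpoint: an
endpoint policy (what the VPC may do) and a bucket policy (where the bucket
may be reached from), plus a mini evaluator for the Deny/Allow logic.
Example code added for this page, not from the AWS deck; the bucket name and
the VPC endpoint ID are made up."""
import fnmatch
import json

BUCKET = "example-private-bucket"       # assumed bucket name
VPCE_ID = "vpce-0123456789abcdef0"      # assumed endpoint ID

# Endpoint policy: through this endpoint the VPC may only read, write and
# list one bucket, regardless of what the caller's IAM permissions allow.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyThisBucketViaEndpoint",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Bucket policy: explicit Deny for any request that did not arrive through the
# endpoint. An explicit Deny beats every Allow, including an IAM allow held by
# a leaked credential used from the internet.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromVpce",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(cond, context):
    """StringEquals / StringNotEquals as IAM evaluates them: a missing key
    makes StringEquals false and StringNotEquals true (so the Deny applies)."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if op == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif op == "StringNotEquals":
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def _statement_matches(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def decide(policy, action, resource, context):
    """'DENY', 'ALLOW' or None (no statement matched) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)}
    if "Deny" in effects:
        return "DENY"
    return "ALLOW" if "Allow" in effects else None


def effective_decision(action, resource, context, endpoint_policy=None, iam_allows=True):
    """Combine the policy of the endpoint the request traversed (if any), the
    bucket policy and the caller's IAM permissions. context holds the request's
    condition keys, e.g. {'aws:sourceVpce': 'vpce-...'}."""
    # 1. The endpoint policy is only in the path for requests that came via a VPCE.
    if "aws:sourceVpce" in context:
        if endpoint_policy is None or decide(endpoint_policy, action, resource, context) != "ALLOW":
            return "DENY"
    # 2. An explicit Deny in the bucket policy wins over everything.
    bucket = decide(BUCKET_POLICY, action, resource, context)
    if bucket == "DENY":
        return "DENY"
    # 3. Otherwise an Allow from the bucket policy or from IAM is required.
    return "ALLOW" if (bucket == "ALLOW" or iam_allows) else "DENY"


def policy_json(policy):
    """Render a policy document as it is pasted into the console or CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(BUCKET_POLICY))
    key = f"arn:aws:s3:::{BUCKET}/report.csv"
    print("via endpoint:", effective_decision("s3:GetObject", key, {"aws:sourceVpce": VPCE_ID}, ENDPOINT_POLICY))
    print("from internet:", effective_decision("s3:GetObject", key, {}))
```

Note the direction of each control: the endpoint policy cannot stop someone reaching the bucket from outside the VPC, and the bucket policy cannot stop instances from reaching other buckets through the endpoint, so both are needed. Test the bucket policy with a second principal before relying on it; a Deny with a typo in the endpoint ID locks out the VPC as well.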
18. Connecting to AWS
19. On-premises VPN connectivity
Provisioning VPN connections:
1. Build your AWS infrastructure
2. Create your virtual private gateway (VGW) and attach it to your virtual private cloud (VPC)
3. Define your customer gateway (its public IP address and BGP ASN)
4. Create your VPN connection between the VGW and the customer gateway
5. Download your template configuration for your device
6. Configure your customer gateway, watch your tunnels come up, and enjoy encrypted connectivity!
Figure: the customer gateway reaches AWS over its Internet access; each VPN connection consists of two IPsec tunnels to two AWS endpoints, IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary), so bring both up for failover.
20. Anatomy of AWS Direct Connect (figure)
Customer data center (customer subnet 192.168.0.0/16, customer gateway) -> service provider backhaul -> colocation facility (e.g. Equinix SV1), where the customer or partner device sits at the AWS Direct Connect Point of Presence (DX PoP) and a cross connect joins it to the AWS Direct Connect router.
On the AWS side a private virtual interface terminates on the VPC's VGW (VPC CIDR 10.1.0.0/16, subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24).
Next step: configure the customer gateway.
21. Standard interface & BGP configuration (Cisco IOS example from the downloaded template configuration; the figure's callouts are shown here as comments)

! Physical interface that the fiber is plugged into; no address on the parent
interface GigabitEthernet0/1
 no ip address
! Sub-interface; the number generally matches the VLAN of the virtual interface
interface GigabitEthernet0/1.807
 ! Just a description
 description "Direct Connect to your Amazon VPC or AWS Cloud"
 ! VLAN association (802.1Q tag assigned to the VIF)
 encapsulation dot1Q 807
 ! /30 private point-to-point address; AWS uses the other address of the /30
 ip address 172.16.7.5 255.255.255.252
! Your BGP ASN
router bgp 65001
 ! Neighbor peer address (the AWS end of the /30); 7224 is the Amazon ASN for Direct Connect
 neighbor 172.16.7.6 remote-as 7224
 ! BGP MD5 password, taken from the downloaded configuration
 neighbor 172.16.7.6 password 7 $1$zVOvlUSp$UrqWP2awtiG8ZbXo9BwcB
 ! Route advertisement to AWS (a default route here; advertise only the prefixes you intend)
 network 0.0.0.0
 exit
22. Anatomy of DX, continued (figure)
Same topology: customer DC (customer subnet 192.168.0.0/16, customer gateway) -> colocation facility (e.g. Equinix SV1, AWS Direct Connect Point of Presence) -> VPC CIDR 10.1.0.0/16 (subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24).
Configure the customer gateway; BGP comes up and prefixes are advertised in both directions:
%BGP-5-ADJCHANGE: neighbor 172.16.7.6 Up
23. Anatomy of DX, continued (figure)
Same topology (customer subnet 192.168.0.0/16, customer gateway, AWS Direct Connect Point of Presence at the colocation facility, VPC CIDR 10.1.0.0/16 with subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24).
My private virtual interface is up, now what?
What about my S3 bucket or Amazon DynamoDB? Those are Region level services outside the VPC, so the private VIF does not reach them. In come public virtual interfaces!
24. Anatomy of DX, continued (figure)
AWS Regions are much larger than just what's inside a VPC: next to the VPC (10.1.0.0/16, subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24) the Region, e.g. us-west-1, hosts Amazon SNS, Amazon SQS, Amazon SWF, Amazon SES, Amazon S3, Amazon DynamoDB, Amazon Glacier and AWS Lambda.
Create a public virtual interface on the same connection from the customer gateway (customer subnet 192.168.0.0/16) to the AWS Direct Connect Point of Presence, configure the customer gateway, and BGP comes up. AWS advertises its public prefixes (public only), and the addresses you advertise back must be public, routable ones you are entitled to use:
%BGP-5-ADJCHANGE: neighbor 203.50.24.5 Up
25. Anatomy of a redundant DX (figure)
Double connectivity: the standard connectivity we built earlier (VPC VGW, VPC CIDR 10.1.0.0/16 with subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24; customer subnet 192.168.0.0/16) plus a second connection at a redundant DX POP location. Each connection carries a private VIF to the VPC and a public VIF to the other AWS services in the Region, e.g. us-west-1 (Amazon SNS, Amazon SQS, Amazon SWF, Amazon SES, Amazon S3, Amazon DynamoDB, Amazon Glacier, AWS Lambda).
26. Advanced architectures
27. What does transitive routing look like?
Can I do anything to make this thing not so strictly coupled? Using a transit VPC (a VPC whose EC2-based routers terminate VPNs from every spoke VPC and from on premises) gives transitive routing, with lots of caveats:
• ECMP is currently broken
• You can get switched back to VPNv1 (losing VPNv2 capabilities)
• VPN throughputs apply (the per-tunnel limits of the VGW VPN)
• We need scaling of the VGW VPN
• NAT is needed outbound on the firewall
• Cross-AZ charges may apply
• Statefulness does not work today
28. Elastic Load Balancing sandwich
Deploying firewalls inline as an Elastic Load Balancing sandwich: external load balancer -> firewall instances -> internal load balancer -> application.
• Works if we are talking web traffic, and is more suited when a WAF is required
29. Auto Scaling the Elastic Load Balancing sandwich (figure)
The firewall instances sit in an Auto Scaling group. Amazon CloudWatch custom metrics (e.g. VPN users over time and bandwidth over time, each plotted against capacity) can trigger alarms that launch more instances.
30. How do you bootstrap a firewall? (figure)
An Auto Scaling event from the Auto Scaling group is published to Simple Queue Service; a worker node consumes it, configures the new instance (Route 53 is part of the flow) and puts the VPN instance into service when configured.
31. AWS Direct Connect Gateway
Enter: AWS Direct Connect gateway. One private virtual interface can be attached to multiple VGWs.
Figure: on premises -> service provider network -> customer or partner cage at the AWS Direct Connect POP -> VLAN B, private VIF -> Direct Connect gateway -> VGWs.
32. AWS Direct Connect Gateway (figure)
Same path (on premises -> service provider network -> customer or partner cage at the AWS Direct Connect POP -> VLAN B, private VIF -> gateway).
Note: the VPCs must reside in the same account as the gateway (Account 1 in the figure).
33. AWS Direct Connect Gateway (figure)
Same path (on premises -> service provider network -> customer or partner cage at the AWS Direct Connect POP -> VLAN B, private VIF -> gateway -> Account 1).
Note: the VPCs must have non-overlapping addresses (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16), because the gateway routes between the private VIF and all attached VGWs.
34. Direct Connect gateway limits
• Multiple VIF attachments to a gateway, up to 10
• Multiple VGW/VPC attachments to a gateway, up to 10
• VIFs and VGWs can be in any region
35. Cross-region private VIFs (figure)
On premises -> service provider network -> customer or partner cage at the AWS Direct Connect POP -> VLAN B, private VIF -> AWS Direct Connect gateway -> VGWs of VPCs in Region 1 and in Region 2 (each VPC drawn with its three subnets).
36. There are some disallowed data paths (figure)
With the same topology (on premises -> service provider network -> customer or partner cage at the AWS Direct Connect POP -> VLAN B, private VIF -> AWS Direct Connect gateway -> VGWs in Region 1 and Region 2), plus a VPN connection and a secondary AWS Direct Connect, the gateway only forwards traffic between a private VIF and a VGW. It does not route:
• Private VIF to private VIF (e.g. to the secondary AWS Direct Connect)
• VGW to VGW (VPC to VPC)
• Private VIF to VPN
So a Direct Connect gateway is not a transit hub: VPC-to-VPC traffic still needs VPC peering or a transit VPC.
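The attachment rules from slides 33, 34 and 36, as an added example that is not part of the original deck and not AWS tooling: a pre-flight check over a constructed VPC inventory (including a secondary CIDR, as on slide 10) that reports overlapping VPC ranges, overlaps with the on-premises prefixes the private VIF will advertise, attachment counts over the limit of 10, and which source/destination pairs the gateway will actually forward between. The VPC names, CIDRs and limits' constants are assumptions made for the example.

```python
"""Pre-flight checks before attaching VPCs to a Direct Connect gateway, using
the rules stated in this deck: non-overlapping VPC CIDRs, at most 10 VGW and
10 VIF attachments, and forwarding only between a private VIF and a VGW.
Example code added for this page, not from the deck or from AWS tooling; the
VPC inventory and on-premises range below are constructed."""
import ipaddress
from itertools import combinations

MAX_VGW_ATTACHMENTS = 10   # per slide 34
MAX_VIF_ATTACHMENTS = 10   # per slide 34

# Constructed inventory: every CIDR of each VPC, primary and secondary.
VPCS = {
    "vpc-prod-or": ["10.1.0.0/16", "10.2.0.0/16"],   # expanded with a secondary CIDR
    "vpc-test-or": ["10.3.0.0/16"],
    "vpc-dr-sg":   ["10.4.0.0/16"],
    "vpc-legacy":  ["10.2.128.0/17", "192.168.10.0/24"],  # two deliberate conflicts
}
ONPREM = ["192.168.0.0/16"]   # advertised over the private VIF


def overlapping_pairs(vpcs):
    """[(vpc_a, cidr_a, vpc_b, cidr_b), ...] for every overlap between different VPCs."""
    entries = [(name, ipaddress.ip_network(c)) for name, cidrs in vpcs.items() for c in cidrs]
    return [(na, str(ca), nb, str(cb))
            for (na, ca), (nb, cb) in combinations(entries, 2)
            if na != nb and ca.overlaps(cb)]


def onprem_conflicts(vpcs, onprem):
    """[(vpc, vpc_cidr, onprem_cidr), ...] where a VPC range collides with on premises."""
    nets = [ipaddress.ip_network(c) for c in onprem]
    return [(name, c, str(o)) for name, cidrs in vpcs.items() for c in cidrs
            for o in nets if ipaddress.ip_network(c).overlaps(o)]


def attachment_problems(vpcs, onprem, vif_count):
    """Human-readable list of reasons this set of VPCs cannot share one gateway."""
    problems = []
    if len(vpcs) > MAX_VGW_ATTACHMENTS:
        problems.append(f"{len(vpcs)} VGW attachments exceed the limit of {MAX_VGW_ATTACHMENTS}")
    if vif_count > MAX_VIF_ATTACHMENTS:
        problems.append(f"{vif_count} VIF attachments exceed the limit of {MAX_VIF_ATTACHMENTS}")
    for a, ca, b, cb in overlapping_pairs(vpcs):
        problems.append(f"{a} {ca} overlaps {b} {cb}: the gateway cannot route to both")
    for name, cidr, onp in onprem_conflicts(vpcs, onprem):
        problems.append(f"{name} {cidr} overlaps on-premises {onp}: traffic would be misrouted")
    return problems


def path_allowed(src_kind, dst_kind):
    """The gateway forwards only between a private VIF and a VGW; VIF-to-VIF,
    VGW-to-VGW and VIF-to-VPN are the disallowed paths from slide 36."""
    return {src_kind, dst_kind} == {"vif", "vgw"}


if __name__ == "__main__":
    for p in attachment_problems(VPCS, ONPREM, vif_count=1):
        print("PROBLEM:", p)
    print("vif->vgw allowed:", path_allowed("vif", "vgw"))
    print("vgw->vgw allowed:", path_allowed("vgw", "vgw"))
```

Feed the function the CIDR blocks from `describe-vpcs` (including `CidrBlockAssociationSet`) and the prefixes your router advertises; an empty list is the condition for attaching all the VGWs to one gateway.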
37. Open question and answer
38. Follow-ups
AWS re:Invent sessions
Another Day, Another Billion Packets
https://www.youtube.com/watch?v=3qln2u1Vr2E
From One to Many, Evolving VPC Design
https://www.youtube.com/watch?v=3Gv47NASmU4
Creating Your Virtual Data Center, VPC Fundamentals and Connectivity Options
https://www.youtube.com/watch?v=Ul2NsPNh9Ik
39. Follow-ups
AWS whitepapers
https://aws.amazon.com/whitepapers/
AWS reference architectures and AWS quick start guides:
https://aws.amazon.com/architecture/
41. Thank you!
42. Appendix
43. Interface VPC endpoint
Powered by AWS PrivateLink
44. Interface VPC endpoints
An elastic network interface with a private IP address (10.1.10.50 in the figure) that serves as an entry point for traffic destined to a supported AWS service.
AWS public services reachable this way: Amazon EC2 (API) & EC2 SSM, Elastic Load Balancing, Amazon Kinesis, AWS Service Catalog.
45. How it works (figure)
An EC2 fleet hosting the application in a subnet (10.1.10.45) in Availability Zone A makes a request to the service's public endpoint name, e.g. kinesis.us-east-1.amazonaws.com. With private DNS enabled on the endpoint, that name resolves to the private IP of the endpoint's elastic network interface (10.1.10.50), so the request to Elastic Load Balancing, Amazon EC2 (API) & EC2 SSM, Amazon Kinesis or AWS Service Catalog never leaves the VPC.
46. Interface VPC endpoints: things to note
• No routes in your route table (unlike gateway endpoints)
• No IAM policy for the endpoint; access is controlled by the security group on the endpoint network interface
• Not accessible via (VGW) VPN
• One subnet per AZ per endpoint
• Supports TCP only

aws ec2 create-vpc-endpoint \
  --vpc-id vpc-ec43eb89 \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.elasticloadbalancing \
  --subnet-ids subnet-abababab subnet-catbatratsat \
  --security-group-ids sg-1a2b3c4d
47. Creating interface VPC endpoints (figure)
The create-vpc-endpoint command above (vpc-id vpc-ec43eb89) places one endpoint network interface in each listed subnet, one subnet per Availability Zone (A, B, C), for the chosen service (Elastic Load Balancing here; Amazon EC2 (API) & EC2 SSM, Amazon Kinesis and AWS Service Catalog work the same way).
Verify the result with: aws ec2 describe-vpc-endpoints
48. Access through interface VPC endpoints
If created in Oregon (us-west-2), which has three AZs, the endpoint gets:
Endpoint-specific regional DNS hostname:
vpce-0fe5b17a0707d6abc-29p5708s.kinesis.us-west-2.vpce.amazonaws.com
Endpoint-specific zonal DNS hostnames:
vpce-0fe5b17a0707d6abc-29p5708s-us-west-2a.kinesis.us-west-2.vpce.amazonaws.com
vpce-0fe5b17a0707d6abc-29p5708s-us-west-2b.kinesis.us-west-2.vpce.amazonaws.com
vpce-0fe5b17a0707d6abc-29p5708s-us-west-2c.kinesis.us-west-2.vpce.amazonaws.com
Default public DNS hostname (resolves to the endpoint when private DNS is enabled):
kinesis.us-west-2.amazonaws.com
Private IP addresses of the endpoint network interfaces, one per AZ:
10.1.10.50, 10.1.20.50, 10.1.30.50
Submit requests to the supported service via one of these endpoint URLs; the zonal names let a client stay within its own AZ.
49. Interface endpoint inside a VPC (figure)
AWS Oregon (us-west-2) Region, VPC CIDR 10.0.0.0/16. Availability Zone A: private subnet 10.0.1.0/24 with an EC2 instance at 10.0.1.12 and an endpoint network interface at 10.0.1.7. Availability Zone B: private subnet 10.0.2.0/24 with an EC2 instance at 10.0.2.120 and an endpoint network interface at 10.0.2.7. Both interfaces front Amazon Kinesis (VPCE-2222.KINESIS.AMAZON.COM) over a private connection across the AWS network; the customer network is attached to the VPC.
Consider:
• Connecting endpoints in another region
• Connecting to endpoints across a VPN
• Service provider traffic origination
• Advertising with a customer DNS name
50. Securing access to Amazon interface VPC endpoints (figure)
VPC CIDR 10.0.0.0/16 with subnets 10.0.1.0/24 (Availability Zone A), 10.0.2.0/24 (Availability Zone B) and 10.0.3.0/24 (Availability Zone C). A security group attached to the endpoint network interfaces controls which sources inside the VPC may talk to the endpoint.
51. Use cases for interface VPC endpoints
• Endpoint consumers can establish private connectivity to Amazon services
• Customers can share internal services between VPCs, both within a single AWS account and between AWS accounts
• Partners can deliver services to their customers' VPCs, or to on-premises networks via DX
52. Things to note
A. You are unable to connect to endpoints in another region
B. Endpoints cannot be accessed across a VPN that uses Amazon VGW
C. Traffic cannot be originated by service providers
D. TCP traffic only
53. Connecting to resources over DX
54. Connecting to VPC over DX (figure)
Six VPCs in US West (Oregon), three production and three non-production (Production, Test, Development), to be reached from a customer router at Switch SUPERNAP 8, Las Vegas, NV, where the DX devices are.
55. Private VIF (figure)
Same topology, with a private VIF from the customer router at Switch SUPERNAP 8, Las Vegas, NV to the DX devices for US West (Oregon).
56. Private VIF (figure)
The private VIF is carried on VLAN 400 between the customer router and the DX devices at the DX location (Switch SUPERNAP 8, Las Vegas, NV), towards the production and non-production VPCs in US West (Oregon).
57. Private VIF (figure)
BGP peers over VLAN 400 between the customer router and the DX device; the VIF terminates on a single VPC's VGW in US West (Oregon).
58. Private VIF, multiple VPCs (figure)
One private VIF per VPC, each on its own VLAN (400, 500, 600) between the customer router and the DX devices at the DX location (Switch SUPERNAP 8, Las Vegas, NV), for the production and non-production VPCs (Production, Test, Development) in US West (Oregon).
59. Private VIF, multiple VPCs (figure)
A separate BGP session runs over each VLAN (400, 500, 600), one per VPC, between the customer router at the DX location and the DX devices for US West (Oregon).
60. Public VIF (figure)
The same customer router at the DX location (Switch SUPERNAP 8, Las Vegas, NV) adds a public VIF towards AWS public services in US West (Oregon), next to the private VIFs for the production and non-production VPCs.
61. Public VIF (figure)
The public VIF rides on VLAN 800 with its own BGP session between the customer router and the DX devices.
62. Connecting to VPC using DX gateway (figure, NEW!)
From the customer router in the colocation (Switch SUPERNAP 8, Las Vegas, NV) a single private VIF on VLAN 100 goes to the DX device and into a DX gateway. Over the AWS global backbone the gateway reaches VPCs in Region US West (Oregon) (App 1, App 2) and in Region Asia Pacific (Singapore) (App 1 DR).
63. Connecting to VPC (figure)
The same private VIF on VLAN 100 from the customer router at the DX location terminates on the Direct Connect gateway, which fronts the VPCs in US West (Oregon) (App 1, App 2) and Asia Pacific (Singapore) (App 1 DR).
64. Connecting to VPC (figure)
Traffic from the DX gateway to the VPCs in US West (Oregon) (App 1, App 2) and Asia Pacific (Singapore) (App 1 DR) travels over the Amazon backbone.
65. Connecting to VPC over DX (figure)
Two views. Left: a corporate data center connected via Switch SUPERNAP 8, Las Vegas, NV with one private VIF per VPC in AWS region US West (Oregon). Right: the same corporate data center and DX location, with private VIFs reaching VPCs in US West (Oregon), US East (Virginia), Central (Canada) and Asia Pacific (Mumbai).
66. Transit VPC
Connecting to AWS
67. Customer concerns (figure)
Implement Layer 7 security for all hybrid traffic between the corporate data center and the VPC subnets.
68. Customer concerns
• Too many VPN tunnels when connecting to VPCs at scale
• Overlapping IP addresses between VPC and remote sites
69. Transit VPC architecture
The transit VPC architecture enables you to connect to any remote network while transiting all traffic through a pair of EC2 instances (A and B in the transit VPC) that terminate VPNs from each spoke VPC and from the remote customer office.
70. Transit VPC architecture (figure)
Transit hub VPC with two router instances, in Subnet 1 (AZ 1a) and Subnet 2 (AZ 1b). Spoke VPCs (VPC A, VPC B, ... VPC n) attach through their VGWs by VPN to the hub; the remote office attaches through its customer gateway; on-premises traffic arrives over DX (customer router, VLAN 100, DX device at the DX location) on a detached VGW, a VGW not attached to any VPC that terminates the private VIF and is in turn connected to the hub by VPN. Amazon S3 holds the router configuration used by the automation.
71. Transit VPC use cases
• Reducing the number of VPN tunnels from on premises required to connect to a large number of VPCs
• Implementing a security layer at the transit point
• Allowing overlapping IP address ranges between VPC and on-premises/remote networks
• Requiring remote access to gateway VPC endpoints
• Building a global VPN infrastructure