VPC Design and New Capabilities for Amazon VPC
- 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Design and New Capabilities for Amazon VPC
Steve Seymour, Principal Specialist Solutions Architect, AWS
Tom Adamski, Specialist Solutions Architect, AWS
- 2.
Traditional Network
(Diagram: two sites of Applications linked by VPN, WAN and Fiber)
- 3.
AWS Network
- 4.
What is an Amazon Virtual Private Cloud (VPC)?
“A virtual network that closely resembles a traditional network that you'd operate in your own data center”
(Diagram: instances in two Availability Zones)
- 5.
Creating an Internet-connected VPC: Steps
• Choosing an address range
• Create subnets in Availability Zones
• Creating a route to the Internet (IGW)
• Authorizing traffic to/from the VPC
- 6.
Choosing an IP address range
- 7.
CIDR notation review
CIDR range example: 172.31.0.0/16
1010 1100 0001 1111 0000 0000 0000 0000
- 8.
Choosing an IP address range for your VPC
Example: 172.31.0.0/16
Recommended: RFC1918 range
Recommended: /16 (65,536 addresses)
Avoid ranges that overlap with other networks to which you might connect.
- 9.
IPv6 in Amazon VPC – Dual-stack
IPv4: 172.31.0.0/16
Amazon Global Unicast Addresses (GUA) – Internet Routable
Associate a /56 IPv6 CIDR (automatically allocated), e.g. 2001:db8:1234:1a00::/56
- 10.
Subnets
(Diagram: VPC containing a subnet)
- 11.
VPC subnets and Availability Zones
VPC: 172.31.0.0/16
• eu-west-1a: VPC subnet 172.31.0.0/24
• eu-west-1b: VPC subnet 172.31.1.0/24
• eu-west-1c: VPC subnet 172.31.2.0/24
- 12.
Expand your existing Amazon VPC
- 13.
(Diagram: VPC CIDR 172.31.0.0/16; Availability Zones A and B with two subnets each; Instance A 172.31.1.11/24, Instance B 172.31.2.22/24, Instance C 172.31.3.33/24, Instance D 172.31.4.44/24)
- 14.
(Diagram: same VPC, with an empty Availability Zone C added)
- 15.
(Diagram: VPC CIDR 172.31.0.0/16 plus an additional CIDR 172.21.0.0/16; Availability Zone C now holds two subnets with Instance E 172.21.1.11/24 and Instance F 172.21.2.22/24)
- 16.
VPC subnet recommendations
• /16 VPC (65,536 addresses)
• Expand your VPC when necessary
• At least /24 subnets (251 addresses)
• Use multiple Availability Zones per VPC through multiple subnets
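The following is an added example (not code from the deck or from AWS) that works through the address-planning points of slides 7, 8 and 16: the binary view of a CIDR, the RFC1918 check, the overlap check against networks you might later peer or VPN to, and the per-AZ /24 layout of slide 11. The "251 addresses" figure follows from AWS reserving the first four and the last address of every subnet, which the code states as a constant. The connected-network ranges in the `__main__` block are constructed inputs.

```python
"""CIDR planning helpers (added example, not from the AWS deck).

Shows the binary view of a CIDR (slide 7), checks a candidate VPC range
against RFC1918 and against networks you might connect to (slide 8), and
carves one /24 per Availability Zone with the AWS usable-address count
from slide 16: AWS reserves the first four and the last address of every
subnet, so a /24 yields 251 usable addresses.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, reserved for future use, broadcast


def cidr_binary(cidr: str) -> str:
    """Return the network address as 32 bits in nibble groups, e.g. '1010 1100 ...'."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = format(int(net.network_address), "032b")
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def is_rfc1918(cidr: str) -> bool:
    """True if the whole range sits inside one of the three RFC1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def overlaps(cidr: str, others) -> list:
    """Return the networks in `others` that overlap `cidr`; any overlap breaks peering/VPN routing."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [o for o in others if net.overlaps(ipaddress.ip_network(o, strict=False))]


def usable_addresses(cidr: str) -> int:
    """Addresses an EC2 instance can actually take in a subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs, prefix: int = 24) -> dict:
    """Assign one /prefix subnet per AZ from the start of the VPC range (slide 11 layout)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    subnets = vpc.subnets(new_prefix=prefix)
    return {az: str(next(subnets)) for az in azs}


def check_vpc_range(vpc_cidr: str, connected_networks) -> dict:
    """One-shot report for a candidate VPC range against the slide 8 recommendations."""
    return {
        "binary": cidr_binary(vpc_cidr),
        "rfc1918": is_rfc1918(vpc_cidr),
        "overlaps": overlaps(vpc_cidr, connected_networks),
        "addresses_in_vpc": ipaddress.ip_network(vpc_cidr, strict=False).num_addresses,
    }


if __name__ == "__main__":
    # Constructed inputs: the deck's VPC range, a corporate network and a peer VPC.
    print(check_vpc_range("172.31.0.0/16", ["192.168.0.0/16", "10.55.0.0/16"]))
    print(check_vpc_range("172.31.0.0/16", ["172.31.128.0/17"]))  # overlap: would block peering
    print(plan_subnets("172.31.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
    print(usable_addresses("172.31.0.0/24"))
```

The overlap check is the one to run before choosing a range, not after: a VPC CIDR cannot be changed once created, only extended with additional CIDRs as on slide 15, so an overlap with a future peer or on-premises range is expensive to undo.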
- 17.
Route to the Internet (IGW)
- 18.
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default (main) route table
• But, you can assign different route tables to different subnets
- 19.
- 20.
Traffic destined for my VPC stays in my VPC
- 21.
Internet gateway: send packets here if you want them to reach the Internet
- 22.
Everything that isn’t destined for the VPC: send to the Internet
- 23.
Network security in your VPC: Security groups
- 24.
Security groups follow application structure
“MyWebServers” Security Group
“MyBackends” Security Group: allow only “MyWebServers”
- 25.
Security groups example: Web servers
Allow all HTTP traffic (with rule descriptions)
- 26.
Security groups example: Backends
Allow application traffic from web servers only
- 27.
AWS Network - Progress
- 28.
Beyond Internet connectivity
• Restricting Internet access
• Connecting to your corporate network
• Connecting to other VPCs
- 29.
Restricting Internet access: Routing by subnet
- 30.
Routing by subnet
• Public subnet: has route to Internet
• Private subnet: has no route to Internet
- 31.
Outbound-only internet access: NAT gateway
(Diagram: the private subnet's 0.0.0.0/0 route points at the NAT gateway, which sits in the public subnet and uses public IP 54.161.0.39; the public subnet's 0.0.0.0/0 route points at the Internet)
- 32.
Inter-VPC connectivity: VPC peering
- 33.
Example VPC peering use: Shared services VPC
• Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
- 34.
Establish a VPC peering: Initiate request
(172.31.0.0/16 ↔ 10.55.0.0/16)
Step 1: Initiate peering request
- 35.
Establish a VPC peering: Accept request
Step 2: Accept peering request
- 36.
Establish a VPC peering: Create a route
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Traffic destined for the peered VPC should go to the peering
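As an added example (not code from the deck or from AWS), the lookup below does what the VPC router does with the route tables of slides 18-22, 30-31 and 36: longest-prefix match, with the `local` route keeping VPC-bound traffic inside the VPC, the 0.0.0.0/0 target deciding whether a subnet is public or private, and a peering route sending the peer range to the peering connection. The `igw-EXAMPLE`, `nat-EXAMPLE` and `pcx-EXAMPLE` target ids are placeholders, and the three route tables are constructed to match the slides.

```python
"""Route-table lookup as the VPC router performs it (added example, not AWS code).

Longest-prefix match over route tables modelled on slides 18-22, 30-31 and 36.
The most specific matching destination wins, so the VPC's own /16 ('local')
always beats 0.0.0.0/0, and a /16 peering route beats it too.
"""
import ipaddress

VPC_CIDR = "172.31.0.0/16"
PEER_CIDR = "10.55.0.0/16"

# Route tables as (destination, target) pairs; target ids are constructed placeholders.
PUBLIC_RT = [(VPC_CIDR, "local"), (PEER_CIDR, "pcx-EXAMPLE"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [(VPC_CIDR, "local"), (PEER_CIDR, "pcx-EXAMPLE"), ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_RT = [(VPC_CIDR, "local")]  # no route to the Internet at all


def lookup(route_table, dst_ip: str):
    """Return the target of the most specific matching route, or None if no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table) -> str:
    """Public if the default route goes to an internet gateway, private otherwise (slide 30)."""
    target = lookup(route_table, "203.0.113.1")  # any non-VPC address (TEST-NET-3)
    if target is None:
        return "isolated"
    return "public" if target.startswith("igw-") else "private"


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, classify_subnet(rt),
              lookup(rt, "172.31.2.22"),   # stays in the VPC
              lookup(rt, "10.55.1.5"),     # goes over the peering
              lookup(rt, "54.161.0.39"))   # leaves via the IGW, via NAT, or is dropped
```

Note what `classify_subnet` relies on: a subnet is "public" purely because its route table sends 0.0.0.0/0 to an internet gateway. The instance also needs a public or Elastic IP to be reachable, but the route is what makes the subnet public, which is why reviewing route tables is the quickest way to find subnets with unintended Internet exposure.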
- 37.
Security groups across peered VPCs
(Diagram: VPC Peering 172.31.0.0/16 ↔ 10.55.0.0/16; the Orange Security Group has an ALLOW rule whose source is the Blue Security Group)
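The evaluator below is an added example (not code from the deck or from AWS) covering slides 24-26 and 37 together: security groups are allow-lists, a rule's source can be a CIDR or another security group, and a group reference is what lets "MyBackends" admit only "MyWebServers" and lets the Orange group admit the Blue group across a peering. Group names, instance addresses and the application ports 8080 and 5432 are constructed assumptions, not values from the deck.

```python
"""Security-group evaluation (added example, not AWS code) for slides 24-26 and 37.

A flow is permitted if any inbound rule on any group attached to the destination
matches it; there are no deny rules. A rule's source is either a CIDR or a
reference to another security group, matched on membership rather than address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str          # CIDR such as "0.0.0.0/0", or a group reference like "sg:MyWebServers"
    description: str = ""


# Constructed example groups (names are illustrative, not real sg-ids).
GROUPS = {
    "MyWebServers": [Rule("tcp", 80, 80, "0.0.0.0/0", "Allow all HTTP traffic")],
    "MyBackends": [Rule("tcp", 8080, 8080, "sg:MyWebServers", "App traffic from web servers only")],
    "Orange": [Rule("tcp", 5432, 5432, "sg:Blue", "Clients in the peered VPC")],
    "Blue": [],
}

# Constructed instances: name -> (private IP, set of group memberships).
INSTANCES = {
    "web-1": ("172.31.1.11", {"MyWebServers"}),
    "backend-1": ("172.31.2.22", {"MyBackends"}),
    "orange-db": ("172.31.3.33", {"Orange"}),
    "blue-client": ("10.55.1.5", {"Blue"}),
}


def rule_matches(rule: Rule, src_ip: str, src_groups: set, protocol: str, port: int) -> bool:
    """Does one inbound rule admit a flow from src_ip (member of src_groups) on protocol/port?"""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg:"):
        # Group references match on membership, not on address, so they keep working
        # when instances are replaced and when the source sits in a peered VPC.
        return rule.source[3:] in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def _allowed(src_ip: str, src_groups: set, dst_instance: str, protocol: str, port: int) -> bool:
    _, dst_groups = INSTANCES[dst_instance]
    return any(rule_matches(rule, src_ip, src_groups, protocol, port)
               for group in dst_groups for rule in GROUPS[group])


def inbound_allowed(src_instance: str, dst_instance: str, protocol: str, port: int) -> bool:
    """Instance-to-instance flow, possibly across a peering connection."""
    src_ip, src_groups = INSTANCES[src_instance]
    return _allowed(src_ip, src_groups, dst_instance, protocol, port)


def internet_allowed(dst_instance: str, protocol: str, port: int) -> bool:
    """Flow from an arbitrary Internet address that belongs to no security group."""
    return _allowed("198.51.100.7", set(), dst_instance, protocol, port)


if __name__ == "__main__":
    print(internet_allowed("web-1", "tcp", 80))                        # HTTP from anywhere
    print(internet_allowed("backend-1", "tcp", 8080))                  # backends are not reachable directly
    print(inbound_allowed("web-1", "backend-1", "tcp", 8080))          # web tier to backend tier
    print(inbound_allowed("blue-client", "orange-db", "tcp", 5432))    # Blue to Orange over the peering
    print(inbound_allowed("web-1", "orange-db", "tcp", 5432))          # not a Blue member: refused
```

The membership test is the point of the slide 24 pattern: because "MyBackends" references a group rather than an address range, adding a web server never requires touching the backend rules, and a host that merely shares the web subnet gains nothing from it.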
- 38.
Inter-Region VPC Peering
(Diagram: VPC A in eu-west-1 (Ireland) peered with VPC B in us-east-1 (N. Virginia))
- 39.
Some notes…
• Inter-Region VPC Peering encrypts with no single point of failure or bandwidth bottleneck
• Traffic using Inter-Region VPC Peering always stays on the global AWS backbone
- 40.
AWS Network - Progress
- 41.
Connecting to on-premises networks: AWS Virtual Private Network and AWS Direct Connect
- 42.
Extend an on-premises network into your VPC
(Diagram: VPN and AWS Direct Connect paths between the on-premises network and the VPC)
- 43.
AWS VPN basics
(Diagram: VPC 172.31.0.0/16 with a Virtual Private Gateway; two IPSec tunnels to the Customer Gateway, your networking device, in front of the on-premises network 192.168.0.0/16)
Traffic destined for the VPN/Direct Connect goes via the VGW
- 44.
AWS Direct Connect Gateway
(Diagram: VPC 172.31.0.0/16 in EU-WEST-1 with a VGW; the VGW has an “Association” with the Direct Connect Gateway; a Private Virtual Interface “Attachment” links the Direct Connect Gateway to the Direct Connect Location (London), which connects to the on-premises network 192.168.0.0/16)
- 45.
AWS Direct Connect Gateway
(Diagram: as on slide 44, plus a second VPC 172.16.0.0/16 in EU-CENTRAL-1 whose VGW has its own “Association” with the same Direct Connect Gateway)
- 46.
AWS Direct Connect Gateway
(Diagram: as on slide 45, plus a second Virtual Interface “Attachment” from a Direct Connect Location (Frankfurt))
- 47.
Direct Connect Gateway—traffic flows
(Diagram: traffic flows between the VGW “Associations” and the Virtual Interface “Attachments” at the two Direct Connect Locations)
- 48.
Direct Connect Gateway—traffic flows (diagram repeated from slide 47)
- 49.
AWS VPN and AWS Direct Connect
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPSec tunnels over the Internet
• AWS Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability: Use both
- 50.
AWS Network - Progress
- 51.
AWS Services: inside of the VPC and outside of the VPC
- 52.
AWS Services in your VPC
- 53.
Example: Amazon RDS Database in your VPC
- 54.
Example: Application Load Balancer in your VPC
- 55.
AWS Services outside your VPC
- 56.
VPC Endpoints for AWS Services
- 57.
Amazon S3 and your VPC
(Diagram: your applications in the VPC reach your data in an S3 bucket)
- 58.
Gateway VPC Endpoints
- 59.
VPC Endpoints: Amazon S3 and DynamoDB
Route S3-bound traffic to the VPC endpoint
- 60.
IAM policy for VPC Endpoints
• IAM policy at VPC endpoint: restrict actions of VPC in Amazon S3 or Amazon DynamoDB
• IAM policy at S3 bucket: make accessible from VPC endpoint only
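The second bullet is usually implemented with a bucket policy that denies every S3 action unless the request carries the `aws:SourceVpce` condition key with the endpoint's id. The block below is an added example (not code from the deck or from AWS): it embeds such a policy and evaluates its Deny statement against three request contexts with a deliberately small subset of IAM logic (Deny statements with `StringEquals`/`StringNotEquals` on one key; Action and Resource matching is assumed to succeed). The endpoint id `vpce-EXAMPLE` and bucket name `example-bucket` are placeholders.

```python
"""Bucket-policy check for the 'VPC endpoint only' pattern on slide 60 (added example, not AWS code).

Toy evaluator for the relevant slice of IAM: a Deny statement whose condition is
StringNotEquals on aws:SourceVpce. In IAM a negated string condition also matches
when the key is absent from the request, which is what catches requests that did
not arrive through any VPC endpoint.
"""
import json

VPCE_ID = "vpce-EXAMPLE"  # placeholder; the real id comes from the gateway endpoint

BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessViaVpcEndpointOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"StringNotEquals": {"aws:SourceVpce": "%s"}}
    }
  ]
}
""" % VPCE_ID)


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals blocks against the request context keys."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError("unsupported operator in this toy evaluator: " + operator)
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is absent from the request
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def explicitly_denied(policy: dict, context: dict) -> bool:
    """True if any Deny statement in the policy applies to this request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(explicitly_denied(BUCKET_POLICY, {"aws:SourceVpce": VPCE_ID}))       # via our endpoint: allowed through
    print(explicitly_denied(BUCKET_POLICY, {"aws:SourceVpce": "vpce-other"}))  # another VPC's endpoint: denied
    print(explicitly_denied(BUCKET_POLICY, {}))                                # from the Internet: denied
```

A caveat worth knowing before deploying this policy: because the Deny applies to every principal without `aws:SourceVpce`, it also blocks administrators using the console or CLI from outside the VPC, so test it with a scoped-down bucket first and keep a way to edit the policy that does not itself depend on bucket access.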
- 61.
Interface VPC Endpoints
- 62.
AWS PrivateLink for AWS Services
(Diagram: the EC2 APIs reached through endpoint network interfaces with private IPs 172.31.1.6 and 172.31.2.10)
DNS names:
• vpce-….ec2.eu-west-1.vpce.amazonaws.com (regional)
• vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com (zonal)
• vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com (zonal)
• ec2.eu-west-1.amazonaws.com (the service's public endpoint name)
- 63.
AWS PrivateLink for Customer & Partner Applications
• Powered by Network Load Balancer
• Secure endpoint within Client VPC
• Integrated with AWS Marketplace
Share services privately and securely between VPCs, AWS accounts, and on-premises networks
Available in all public AWS regions, except CN-NORTH-1
- 64.
VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
- 65.
VPC Flow Logs
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
(Diagram: subnet 172.31.1.0/24 in AZ A)
- 66.
VPC Flow Logs: Setup
VPC traffic metadata captured in Amazon CloudWatch Logs
- 67.
VPC Flow Logs data in CloudWatch Logs
Who’s this? (a REJECT on UDP port 27015)
# dig +short -x 109.236.86.32
internetpolice.co.
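The parser below is an added example (not code from the deck or from AWS) of the analysis slide 67 hints at: reading flow log records in the default version 2 format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), skipping records that carry no data, and summarising REJECTed flows by source, protocol and destination port, which is the view that shows what the security group rules are turning away. The sample records are constructed to mirror the slide (rejected UDP probes to port 27015 from 109.236.86.32); the account id, ENI id and other addresses are placeholders.

```python
"""Parse VPC Flow Log records and summarise rejected flows (added example, not AWS code).

Default (version 2) record format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
Protocol is the IANA number (1 = ICMP, 6 = TCP, 17 = UDP). Records whose
log-status is NODATA or SKIPDATA carry '-' in the traffic fields and are skipped.
"""
from collections import Counter, namedtuple

FlowRecord = namedtuple("FlowRecord", "version account eni src dst srcport dstport "
                                      "protocol packets bytes start end action status")

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
INT_FIELDS = {0, 5, 6, 7, 8, 9, 10, 11}  # version, ports, protocol, packets, bytes, start, end

# Constructed sample records (account id, ENI id and the 198.51.100.9 peer are placeholders).
SAMPLE_LOG = """\
2 123456789012 eni-EXAMPLE 109.236.86.32 172.31.1.25 53411 27015 17 1 60 1525000000 1525000060 REJECT OK
2 123456789012 eni-EXAMPLE 109.236.86.32 172.31.1.25 53412 27015 17 1 60 1525000000 1525000060 REJECT OK
2 123456789012 eni-EXAMPLE 109.236.86.32 172.31.1.25 53413 27015 17 1 60 1525000060 1525000120 REJECT OK
2 123456789012 eni-EXAMPLE 198.51.100.9 172.31.1.25 40322 80 6 12 3120 1525000000 1525000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 172.31.1.25 198.51.100.9 80 40322 6 10 9870 1525000000 1525000060 ACCEPT OK
2 123456789012 eni-EXAMPLE - - - - - - - 1525000120 1525000180 - NODATA
"""


def parse_record(line: str):
    """Return a FlowRecord, or None for records without traffic data (NODATA / SKIPDATA)."""
    fields = line.split()
    if len(fields) != 14:
        raise ValueError("unexpected field count: " + line)
    if fields[13] != "OK":
        return None
    typed = [int(f) if i in INT_FIELDS else f for i, f in enumerate(fields)]
    return FlowRecord(*typed)


def parse_log(text: str):
    """Parse every non-empty line, dropping the no-data records."""
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]


def rejected_by_source(records):
    """Count REJECTed flows per (source address, protocol, destination port)."""
    counts = Counter()
    for r in records:
        if r.action == "REJECT":
            counts[(r.src, PROTOCOLS.get(r.protocol, str(r.protocol)), r.dstport)] += 1
    return counts


def bytes_by_action(records):
    """Total bytes per action, a quick sanity check that the log covers the expected traffic."""
    totals = Counter()
    for r in records:
        totals[r.action] += r.bytes
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, proto, port), n in rejected_by_source(recs).most_common():
        # Who's this? Resolve afterwards with `dig +short -x <src>` as on slide 67.
        print(f"{n:3d} rejected {proto} flows from {src} to port {port}")
    print(dict(bytes_by_action(recs)))
```

Two properties of flow logs shape how you read this output: a REJECT records what the security group or network ACL refused, so the summary is a direct check of the rules from slides 25-26, and records are aggregated over a capture window, so one record can stand for many packets (the `packets` field, not the record count, is the volume).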
- 68.
The VPC Network
- 69.
VPC Network Security
- 70.
VPC Connectivity
- 71.
On-Instance Networking Improvements
• C1: 1 Gbps
• CC1: 10 Gbps
• C3: Enhanced networking, 20x PPS, <100-µs latency
• C4: EBS optimized by default
• C5: Elastic Network Adapter, 25 Gbps, <50-µs latency
- 72.
Instance Bandwidth Limits
• 25 Gbps to Amazon S3
• 25 Gbps within region
• 25 Gbps within placement group
• 5 Gbps for other sources
- 73.
Amazon Time Sync Service
Highly reliable service with a redundant array of satellite and atomic clock sources
- 74.
Thank You!
Steve Seymour, Principal Specialist Solutions Architect
Tom Adamski, Specialist Solutions Architect