2. Presentation
• Google “Windsor AWS User Group”
• Click “Join”
• Click “Presentations”
3. “It’s Complicated”
• “the phrase has been a consistent go-to for describing romantic conundrums” -
https://www.thecut.com/2014/11/long-linguistic-life-of-its-complicated.html
• 2009 movie starring Meryl Streep and Alec Baldwin
• Facebook status
• Machine Gun Kelly & Camila Cabello in “Bad Things” sing:
Don’t think that I can explain it
What can I say, it's complicated
• AWS Data Transfer Rates
4. Next Meetup
• Hosting “static” web sites on Amazon S3 and CloudFront
• Guest presenter: John Haldeman
• Cost effective, scalable solution that unburdens us from running, maintaining,
and managing web servers
6. Regions and Availability Zones - I
• Region is a separate geographic area.
• Region has multiple isolated locations called Availability Zones
• Each AZ has at least one DC and represents a Fault Domain
• AZ is a logical representation of one or more DCs
• Some services have sub-AZ resilience (EBS, etc)
• When launching an instance we select an Availability Zone
• AZs are the foundation of all resilience designs
• Region codes: ca-central-1 (Friendly name: Canada Central 1)
• Availability Zone code: ca-central-1a
7. Regions and Availability Zones - II
• AWS independently maps AZ to identifiers for each account
• AZ ca-central-1a in InfoSec Account and ca-central-1a in SharedServices
account may or may not be inside the same AZ (DC/set of DCs)
• Latency between AZs is <2ms
• Latency inside AZ is <0.2ms
• Regional endpoints are used to reduce data latency in applications.
• Entry point is URL: https://dynamodb.us-west-2.amazonaws.com
• Some services are global (IAM, Organizations, …)
• Edge locations (CloudFront) - small DCs, down to a single rack - provide local
ingress/egress for traffic
10. Amazon Virtual Private Cloud
• Enables us to launch AWS resources into a private virtual network inside our
own AWS account
• Equivalent to Data Center network with benefits of scalable AWS infrastructure
• It is a networking layer for Amazon EC2
• Isolated logical network
11. Creating a VPC
• VPC Name Tag
• IPv4 CIDR Block
• Tip: Must get it right; if not, you must delete all resources inside the VPC and
then the VPC itself
• Use IP address ranges from RFC 1918; publicly routable IPv4 addresses could be
used, but they will not support direct access to the Internet
• Smallest VPC uses a /28 netmask (11 usable IPs) and the largest uses a /16
• IPv6 CIDR Block (optional)
• Tenancy - Default or Dedicated
• Tip: be at least 5000% sure before selecting Dedicated
12. Architecting Network Design
• Assume multi-account strategy
• One or more VPCs per account
• VPN / Direct Connect / VPC Peering with other VPCs in the same account or in
other accounts
• IP Addressing Design
• Future requirements - assume more subnets will be needed than current
requirements
• Tip 1: Go Big!!!! Use /16 CIDR.
• Tip 2: Go small only when trying to avoid address overlap with existing
networks, such as cloud and/or on-premise networks.
13. General Best Practices for Single VPC Design
• Ensure that your VPC network range (CIDR block) does not overlap with your
organization’s other private network ranges.
• Do not allocate all network addresses at once; instead ensure that you
reserve some address space for future use.
• Divide your VPC network range evenly across all available Availability Zones
(AZs) in a region.
• Create one subnet per available AZ for each group of hosts that have unique
routing requirements (e.g., public vs. private subnets).
• Size your VPC CIDR and subnets to support significant growth for the
expected workload(s).
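The sizing and addressing rules from the "Creating a VPC", "Architecting Network Design" and "General Best Practices" slides, worked through in code. This is an added example, not code from the deck: it checks a proposed VPC CIDR against the /16-/28 limit, RFC 1918 and overlap with existing networks, then carves the VPC evenly across AZs and routing tiers while holding back address space for growth. The five addresses AWS reserves per subnet are taken as given (that is what makes a /28 yield 11 usable IPs); the AZ names and ranges are constructed.

```python
import ipaddress

# RFC 1918 ranges the deck recommends drawing VPC CIDRs from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses left for instances once AWS's reserved ones are removed (/28 -> 11)."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_vpc_cidr(cidr, existing=()):
    """Return the problems with a proposed VPC CIDR; an empty list means it is usable."""
    net = ipaddress.ip_network(cidr)  # strict by default: raises if host bits are set
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: VPC netmask must be between /16 and /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net}: not an RFC 1918 range")
    for other in map(ipaddress.ip_network, existing):
        if net.overlaps(other):
            problems.append(f"{net}: overlaps existing network {other}")
    return problems


def plan_subnets(cidr, azs, tiers=("public", "private"), reserve_bits=1):
    """Carve the VPC into one equal-sized subnet per AZ per routing tier,
    keeping 1/2**reserve_bits of the VPC unallocated for future growth."""
    vpc = ipaddress.ip_network(cidr)
    az_bits = (len(azs) - 1).bit_length()      # bits needed to number the AZs
    tier_bits = (len(tiers) - 1).bit_length()  # bits needed to number the tiers
    prefix = vpc.prefixlen + reserve_bits + az_bits + tier_bits
    if prefix > 28:
        raise ValueError(f"{len(azs)} AZs x {len(tiers)} tiers would need subnets smaller than /28")
    blocks = iter(vpc.subnets(new_prefix=prefix))
    # Blocks are handed out in order; whatever is not consumed (the reserve, plus
    # slack when the AZ or tier count is not a power of two) stays free for later.
    return {(az, tier): next(blocks) for az in azs for tier in tiers}


if __name__ == "__main__":
    # Constructed example: a /16 in ca-central-1 checked against an on-premise /12.
    print(validate_vpc_cidr("10.10.0.0/16", existing=["10.0.0.0/12"]))
    for key, subnet in plan_subnets("10.10.0.0/16", ["ca-central-1a", "ca-central-1b"]).items():
        print(key, subnet, usable_hosts(subnet), "usable hosts")
```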
18. Secondary IPv4 CIDR Block
• When a secondary CIDR block is associated with your VPC, a route is added to
your VPC route table to enable routing within the VPC
19. Security
• Security Groups (who can this instance talk to)
• Network ACLs (who can instances in this subnet talk to)
• Controlling Access with IAM (what can I do)
• VPC Flow Logs
20. Security Groups
• Security Group - virtual firewall for EC2 instances; controls inbound and
outbound traffic
• SGs are associated with network interfaces
• SGs are STATEFUL!!
• Support only allow rules
• Up to 5 per instance; all rules across the attached groups are evaluated before traffic is allowed or denied
• VPC includes a default security group whose initial rules are to deny all
inbound traffic, allow all outbound traffic, and allow all traffic between instances
in the group. You can't delete this group; however, you can change the group's
rules.
21. NACLs
• Network Access Control List operates at subnet level
• Supports both ALLOW and DENY rules
• Rules processed in order
• Applies to all instances in the subnet automatically
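A small simulator of the two slides above, added here and not part of the deck: security groups are modelled as stateful and allow-only (any rule in any attached group admits a packet, and the reply is admitted without a rule), NACLs as stateless ordered rules with a trailing implicit deny. The scenario in `demo()` is constructed with RFC 5737 test addresses; it shows why a NACL needs an explicit outbound ephemeral-port rule for return traffic and how a lower-numbered deny beats a broader allow.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")


def _matches(pkt, proto, ports, cidr, outbound=False):
    """Rule match on protocol, destination port range and the remote side's CIDR
    (the source for inbound rules, the destination for outbound ones)."""
    remote = pkt.dst if outbound else pkt.src
    return (proto in ("all", pkt.proto) and ports[0] <= pkt.dport <= ports[1]
            and ipaddress.ip_address(remote) in ipaddress.ip_network(cidr))


class SecurityGroups:
    """Stateful and allow-only: every rule of every attached group is evaluated."""
    def __init__(self, groups):
        self.groups = groups   # each group is a list of (proto, (lo, hi), cidr)
        self.flows = set()     # 5-tuples of admitted inbound flows

    def inbound(self, pkt):
        if any(_matches(pkt, *rule) for group in self.groups for rule in group):
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return True
        return False

    def reply_allowed(self, pkt):
        """Return traffic: the packet reverses an admitted 5-tuple, so no rule is consulted."""
        return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows


def nacl_decision(rules, pkt, outbound=False):
    """Stateless: rules (number, proto, (lo, hi), cidr, action) are tried in ascending
    number, the first match wins, and the implicit '*' rule denies everything else."""
    for _num, proto, ports, cidr, action in sorted(rules):
        if _matches(pkt, proto, ports, cidr, outbound):
            return action
    return "deny"


def demo():
    # Constructed scenario: an admin host opens SSH to an instance and the reply comes back.
    request = Packet("203.0.113.10", "10.10.0.5", "tcp", 50000, 22)
    reply = Packet("10.10.0.5", "203.0.113.10", "tcp", 22, 50000)
    sg = SecurityGroups([[("tcp", (22, 22), "203.0.113.0/24")]])
    nacl_in = [(100, "tcp", (22, 22), "203.0.113.0/24", "allow")]
    nacl_out = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]   # no ephemeral-port rule
    out = {"sg_request": sg.inbound(request), "sg_reply": sg.reply_allowed(reply),
           "nacl_request": nacl_decision(nacl_in, request),
           "nacl_reply_no_ephemeral": nacl_decision(nacl_out, reply, outbound=True)}
    nacl_out.append((110, "tcp", (1024, 65535), "0.0.0.0/0", "allow"))  # the missing rule
    out["nacl_reply_with_ephemeral"] = nacl_decision(nacl_out, reply, outbound=True)
    nacl_in.append((90, "tcp", (22, 22), "203.0.113.10/32", "deny"))    # lower number wins
    out["nacl_request_after_deny"] = nacl_decision(nacl_in, request)
    return out
```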
22. VPC Flow Logs
• Enable you to capture metadata (NOT the packet payload) about your IP traffic
• Some traffic is not captured - instance metadata, DHCP traffic, Amazon
Windows license activation, DNS traffic to the Amazon DNS server, etc.
• Flow log record: version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status
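The record layout above, parsed and put to the use the deck names for flow logs (visibility into what security group and NACL rules are blocking). This is an added example, not part of the deck: it parses the default version 2 record format field by field, skips NODATA/SKIPDATA records whose address fields are "-", and counts REJECTed TCP flows per interface and destination port. The sample records are constructed, with a placeholder account id and ENI id and RFC 5737 test addresses.

```python
from collections import Counter

# Default (version 2) flow log record layout, exactly as listed on the slide.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
_NUMERIC = ("version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Parse one space-separated record into a dict; '-' (NODATA/SKIPDATA) becomes None."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    rec = dict(zip(FIELDS, values))
    for key in _NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def rejected_by_port(lines, protocol=6):
    """Count REJECTed flows (TCP by default, IANA protocol 6) per (interface, dstport).
    A high count on one port is the usual sign of an SG or NACL rule blocking traffic."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log-status"] != "OK" or rec["action"] != "REJECT" or rec["protocol"] != protocol:
            continue
        counts[(rec["interface-id"], rec["dstport"])] += 1
    return counts


# Constructed sample records (placeholder account and ENI ids, RFC 5737 test addresses).
SAMPLE = """\
2 123456789012 eni-1a2b3c4d 203.0.113.12 172.31.16.139 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-1a2b3c4d 198.51.100.7 172.31.16.139 49761 22 6 1 60 1418530010 1418530070 REJECT OK
2 123456789012 eni-1a2b3c4d 198.51.100.7 172.31.16.139 49762 22 6 1 60 1418530010 1418530070 REJECT OK
2 123456789012 eni-1a2b3c4d 198.51.100.9 172.31.16.139 51200 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-1a2b3c4d 198.51.100.9 172.31.16.139 51201 53 17 1 80 1418530010 1418530070 REJECT OK
2 123456789012 eni-1a2b3c4d - - - - - - - 1418530010 1418530070 - NODATA
""".splitlines()

if __name__ == "__main__":
    for (eni, port), n in rejected_by_port(SAMPLE).most_common():
        print(f"{eni} dstport {port}: {n} rejected TCP flows")
```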
23. VPC Networking Components - ENI - 1
• Elastic Network Interface - virtual network interface; the primary ENI cannot be
detached; the number supported varies per instance type; secondary ENIs can be
detached and then attached to another instance. Attributes:
• a primary private IPv4 address
• one or more secondary private IPv4 addresses
• one Elastic IP address per private IPv4 address
• one public IPv4 address, which can be auto-assigned to the network
interface for eth0 when you launch an instance
• one or more IPv6 addresses
• one or more security groups
• a MAC address
• a source/destination check flag
• a description
24. VPC Networking Components - ENI - 2
• Use multiple ENIs when you want to:
• Create a management network.
• Use network and security appliances in your VPC.
• Create dual-homed instances with workloads/roles on distinct subnets.
• Create a low-budget, high-availability solution.
25. VPC Networking Components - EIP & IGW
• Elastic IP address is a static, public IPv4 address designed for cloud computing.
• Internet gateway - scalable, redundant, and highly available VPC component
that allows communication between VPC and the Internet.
26. VPC Networking Components - VPC Endpoints
• Private connection between your VPC and one of the supported AWS services
(S3/DynamoDB)
27. VPC Networking Components - DNS & DHCP Options Sets
• Default VPC - Amazon provides the instance with public and private DNS
hostnames
• Custom (non-default) VPC - Amazon provides the instance with a private DNS
hostname and might provide a public DNS hostname - depends on the VPC's DNS
attributes
• ip-private-ipv4-address.ec2.internal (us-east-1)
• ip-private-ipv4-address.region.compute.internal for other regions
• ec2-public-ipv4-address.compute-1.amazonaws.com (us-east-1)
• ec2-public-ipv4-address.region.amazonaws.com for other regions
• Use internal names when communicating with internal instances
• Use a DHCP options set to specify private DNS servers, domain name, NTP servers,
NetBIOS name servers and NetBIOS node type
28. VPC Networking Components - NAT Gateways I
• NAT device enables instances in a private subnet to reach the Internet and other
AWS services
• NAT gateway - requires a public subnet and EIP
• Update routing tables for private subnets to point Internet traffic to the NAT
gateway
• Use multiple NAT gateways if bursts above 10 Gbps are required
• Use SG with your instances in private subnets to control the traffic to and from
instances
• Use NACL to control the traffic to and from the subnet where NGW is located
• Uses one private IP address from the IP address range for your subnet
• Use Amazon CloudWatch to monitor NGWs
30. VPC Networking Components - NAT Instances
• Use Amazon Linux AMIs with the string amzn-ami-vpc-nat in their names
• Must disable the SRC/DEST check on the NAT instance
31. Pricing for Amazon VPC - I
• No charges for using Amazon VPC
• VPN Connections $0.05 per VPN connection hour
• NAT Gateway Pricing for Canada (Central) $0.05 per hour per NAT gateway
plus $0.05 per GB data processed
• Data Transfer rates: https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer
32. Pricing for Amazon VPC - II
• Elastic IP Addresses - No charge for the first EIP on a running instance
• Hourly charges for each additional EIP associated with that instance
• Small hourly charge when EIPs are not associated with a running instance or
associated with a stopped instance or unassigned
• Region Canada Central:
• $0.00 for one Elastic IP address associated with a running instance
• $0.005 per additional Elastic IP address associated with a running instance per hour on a pro rata basis
• $0.005 per Elastic IP address not associated with a running instance per hour on a pro rata basis
• $0.00 per Elastic IP address remap for the first 100 remaps per month
• $0.10 per Elastic IP address remap for additional remaps over 100 per month
Who is using VPC / knows what VPC is?
Who has basic routing knowledge?
Anyone here who doesn’t care about VPC but is interested in CloudFormation?
Anyone here want to team up on a CloudCommit or ML presentation?
Stickers!!
Also can use account ID instead of alias
Not all services available in all regions
CIDR (Classless Inter-Domain Routing) notation is a compact representation of an IP address and its associated routing prefix. The notation is constructed from an IP address, a slash ('/') character, and a decimal number. The number is the count of leading 1 bits in the routing mask, traditionally called the network mask.
Your private network inside AWS
Public - host reachable from the Internet
Private - host can reach Internet but NOT reachable from the Internet
Some services are on public addresses and some are inside the VPC such as RDS
Stateful - return traffic automatically allowed
5 SGs x 50 rules + 20 rules per NACL = 270
ENI resides inside AZ and cannot be moved
Ability to analyze traffic
Troubleshoot network connectivity
Visibility into effects of Security Group rules
VPC traffic metadata captured in CloudWatch logs
Route table updated automatically
Prefix list represents S3 endpoints
Additional security - IAM policy on the endpoint - restricts which S3 actions the VPC may perform
IAM policy on the S3 bucket - make the bucket accessible from the VPC endpoint only