I crafted this presentation for the AWS Chicago Meetup. This deck covers the rationale, building blocks, guidelines, and several best practices for Amazon Web Services Virtual Private Cloud. I classify it as somewhere between a 101 and a 201 level presentation.
If you like the presentation, I would appreciate you clicking the Like button.
4. What is Amazon’s VPC?
Logically isolated network in the AWS Cloud that you control
[Diagram: AWS reference model, 10K foot view: Internet > AWS > VPC (“You are here”)]
5. Why use VPC?
Control of network architecture
  Topology & subnet architecture, IP address ranges, routing, & gateways
Further secure your resources
  Egress security groups, routing rules, & NACLs
Evolving EC2 feature set
  Multiple NICs
  Modifiable security groups on instances
  Static private IP address
  T2 instances exclusively in VPC
Enables hybrid cloud architectures
  Extend your on-prem network into the AWS cloud
Privately internetwork with other organizations
  VPC Peering
  Lines of business, partners, communities
Intelligently address increasing infrastructure demands
  Environments, applications, and workloads
Your workloads can be better integrated and secured using AWS VPC
6. Who can use VPC?
You
  Account registered >= 12/04/2013: EC2-VPC
  Account registered < 03/18/2013: EC2-Classic & EC2-VPC
    EC2-Classic in regions already launched; otherwise, default VPC in the region
  03/18/2013 < Account registered <= 12/14/2013: depends; might be EC2-VPC only
VPC cost = $0
  VPN $0.05/hr
VPC-enabled services
  EC2 (incl. Dedicated Instances)
  Auto Scaling
  Elastic Load Balancer
  RDS
  Redshift
  Elastic MapReduce
  ElastiCache
  Elastic Beanstalk
  Data Pipeline
9. IP Address Blocks
Shape private network
  Select VPC network size: CIDR /16 down to CIDR /28
  Select IP prefix
Partition network space
  Subnet / instance ratio
  AWS reserves 5 addresses per subnet
VPC is a private network in AWS only
CIDR = Classless Inter-Domain Routing
[Diagram: VPC with CIDR /16 (~65536 addresses, coarse-grained control) vs. VPC with CIDR /28 (~16 addresses, fine-grained control)]
10. VPC Example: Topology + IP Address Blocks
[Diagram: region us-west-2, VPC 10.0.0.0/16; Availability Zone ‘A’ holds subnets 10.0.0.0/24 and 10.0.1.0/24, Availability Zone ‘B’ holds 10.0.2.0/24 and 10.0.3.0/24; example instances 10.0.0.5, 10.0.1.2, 10.0.2.52 and 10.0.3.101 follow the 10.0.sub.host addressing scheme; instance 10.0.2.52 has private IP 10.0.2.52 and public IP 158.16.45.12]
Network: 10.0.0.0/16
Subnets: 256
Addresses per subnet: 256
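An added example (not from the deck) that works through the sizing rules of slides 9 and 10 with Python's ipaddress module: it enforces the /16 to /28 VPC range, subtracts the five addresses AWS reserves in every subnet, and carves per-AZ /24 subnets out of 10.0.0.0/16 while reporting how much of the block is still held in reserve. The AZ names and the "two subnets per AZ, rest in reserve" layout are assumptions for the example.

```python
import ipaddress

# AWS reserves 5 addresses in every subnet (slide 9): the network address,
# the VPC router, DNS, one future-use address and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the VPC network; AWS allows VPC blocks from /16 down to /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC prefix must be between /16 and /28")
    return net


def subnet_summary(vpc_cidr, subnet_prefix):
    """The slide-10 numbers: subnets that fit in the VPC, addresses per
    subnet, and how many of those an instance can actually use."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    per_subnet = 2 ** (32 - subnet_prefix)
    return {
        "subnets": 2 ** (subnet_prefix - vpc.prefixlen),
        "addresses_per_subnet": per_subnet,
        "usable_per_subnet": per_subnet - AWS_RESERVED_PER_SUBNET,
    }


def plan_subnets(vpc_cidr, subnet_prefix, azs, per_az):
    """Carve `per_az` subnets for each AZ in order and leave the rest of the
    block unallocated (slide 22: reserve address space across AZs for
    future expansion). Returns (plan, reserve) as CIDR strings."""
    subnet_summary(vpc_cidr, subnet_prefix)  # validates both prefixes
    pool = list(validate_vpc_cidr(vpc_cidr).subnets(new_prefix=subnet_prefix))
    if len(azs) * per_az > len(pool):
        raise ValueError(f"{len(azs) * per_az} subnets requested, "
                         f"{vpc_cidr} only holds {len(pool)}")
    plan, cursor = {}, 0
    for az in azs:
        plan[az] = [str(s) for s in pool[cursor:cursor + per_az]]
        cursor += per_az
    return plan, [str(s) for s in pool[cursor:]]


if __name__ == "__main__":
    # Slide-10 topology: us-west-2, 10.0.0.0/16, two AZs with two /24s each (AZ names assumed).
    print(subnet_summary("10.0.0.0/16", 24))
    plan, reserve = plan_subnets("10.0.0.0/16", 24, ["us-west-2a", "us-west-2b"], 2)
    print(plan, f"{len(reserve)} /24 subnets held in reserve")
```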
11. Gateways & VPNs
VPC access
  Internet Gateway (IGW): ingress & egress internet access
  Virtual Private Gateway (VPG): AWS side of secure VPN connection
  Customer Gateway (CG): customer side of VPN connection
Direct Connect
  Dedicated & isolated bandwidth to AWS
  No internet
  HA connectivity supported
Hardware-based VPN
  On-prem device to AWS over internet
  Major brands: Cisco, Juniper, & generic supported
  HA connectivity supported (& recommended)
12. VPC Gateways & Hardware VPN
IGW
  Internet access
  Access to regional AWS services (e.g. S3, DynamoDB)
Virtual Private Gateway & Customer Gateway
  Redundant connections for high availability
  IPsec secure tunnel
[Diagram: on-prem site connected to the VPC by VPN over the Internet; Internet access from the VPC to DynamoDB]
13. AWS Direct Connect
Private connectivity between your site & VPC (i.e. not over the Internet)
Secure IPsec connection
QoS: 1 Gbps or 10 Gbps fiber cross connect
Consistent network performance
Highly available, redundant connectivity
[Diagram: Customer Network and Customer WAN connect through an AWS Direct Connect Location to the VPC; the Internet is shown as a separate path]
14. Routing Traffic
Determines where network traffic is directed
Route tables
  Main
  Custom
  Optionally contain gateway targets
Route table association
  Main is the default
  1-to-N relationship
  Subnet associations
Public subnet
  Routes through IGW
Private subnet
  Does not route through IGW
  NATs may be used
[Diagram: customer VPC 10.0.0.0/16 with a public subnet holding a NAT, and Private Subnet 1 and Private Subnet 2 associated with a custom route table]
15. VPC Peering
Inter-VPC routing
[Diagram: VPCs 172.16.0.0/16 and 10.0.0.0/16 joined by peering connection PCX-1; a third VPC 18.52.0.0/16]
Features
  Topology flexibility
  Same or another AWS account
  Additional dimension of isolation
Considerations
  Single region only
  No overlapping network addresses
  No transitive peering property
16. VPC Network Controls
VPC Security Groups
  Resource-level traffic firewall (instance, ELB, etc.)
  Ingress & egress
  Stateful: return traffic always allowed
Network Access Control Lists
  Source and protocol filtering
  Subnet-level traffic firewall
  Separate inbound & outbound rule sets
  Stateless: traffic strictly filtered
[Diagram: web (HTTP) traffic enters through a load balancer behind a security group firewall, reaches web servers each behind their own security group firewall, and then a DB server on port 3306; the DB server’s subnet is additionally covered by a NACL ruleset (3306, 49152-65535)]
17. VPC Network Control Example
Tiered security groups
  Restrict ingress source IP to ELB_SG for web tier
NACL rules
  Block all inbound traffic to private subnet except 3306 or 22
  Block all outbound traffic from private subnet except 80, 443, & 49152+
[Diagram: Availability Zone ‘A’ with a public subnet (ELB_SG, WebApp_SG, 10.0.12.0/24) and a private subnet (DB_SG); port 80 traffic flows from the ELB to the web tier; port 3306 packets from source 10.0.12.0/24 pass the private subnet NACL (IN=3306, 22; OUT=80, 443, 49152-65535) while port 23 packets are dropped]
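An added example (not from the deck) that encodes the slide-17 private-subnet NACL as ordered rules and evaluates it statelessly, which shows why the 49152-65535 outbound rule is needed: the database’s reply to a client in 10.0.12.0/24 is a separate packet that must pass the outbound set on its own. Rule numbers, the 0.0.0.0/0 destinations on the outbound rules and the explicit final deny are assumptions; the stateful security group check is the contrasting case from slide 16.

```python
import ipaddress

# Private-subnet NACL from slide 17 as (rule number, CIDR, first port, last port,
# action). Constructed for this example: rule numbers, the 0.0.0.0/0 destinations
# on the outbound rules and the explicit final deny are assumptions.
NACL_IN = [
    (100, "10.0.12.0/24", 3306, 3306, "allow"),
    (110, "10.0.12.0/24", 22, 22, "allow"),
    (32767, "0.0.0.0/0", 0, 65535, "deny"),
]
NACL_OUT = [
    (100, "0.0.0.0/0", 80, 80, "allow"),
    (110, "0.0.0.0/0", 443, 443, "allow"),
    (120, "0.0.0.0/0", 49152, 65535, "allow"),   # ephemeral ports for replies
    (32767, "0.0.0.0/0", 0, 65535, "deny"),
]


def nacl_verdict(rules, peer_ip, dst_port):
    """Stateless evaluation of one packet: lowest rule number first, first
    match wins, and anything unmatched is denied (the implicit '*' rule)."""
    peer = ipaddress.ip_address(peer_ip)
    for _num, cidr, low, high, action in sorted(rules):
        if peer in ipaddress.ip_network(cidr) and low <= dst_port <= high:
            return action
    return "deny"


def nacl_session_ok(rules_in, rules_out, client_ip, client_port, server_port):
    """For a NACL the request and its reply are two packets: the reply leaves
    the subnet towards the client's ephemeral port, so both sets must allow."""
    request = nacl_verdict(rules_in, client_ip, server_port)
    reply = nacl_verdict(rules_out, client_ip, client_port)
    return request == "allow" and reply == "allow"


def sg_session_ok(ingress_ports, server_port):
    """Security groups are stateful (slide 16): once the request is allowed
    in, the reply is allowed out whatever the egress rules say."""
    return server_port in ingress_ports


if __name__ == "__main__":
    # Web tier 10.0.12.5 -> DB port 3306, reply to ephemeral port 51234 (constructed values).
    print(nacl_session_ok(NACL_IN, NACL_OUT, "10.0.12.5", 51234, 3306))   # True
    without_ephemeral = [r for r in NACL_OUT if r[0] != 120]
    print(nacl_session_ok(NACL_IN, without_ephemeral, "10.0.12.5", 51234, 3306))  # False
    print(nacl_verdict(NACL_IN, "10.0.12.5", 23))   # deny: the port 23 packet from the slide
```

Dropping rule 120 is the classic NACL mistake: the query is admitted on 3306 but the reply is silently discarded, and the connection hangs instead of failing cleanly.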
21. VPC Considerations
Topic               Tradeoff / Consideration
Environments        Segregate at VPC or subnet level?
Hybrid Cloud        Private or Internet-based VPN connectivity?
Network Topology    Subnets with a large number of instances / NAT bottlenecks
Network Auditing    Control, monitor, filter outbound traffic?
22. Best Practice
Use VPC!
Plan your network
  Subnet strategy: avoid overlapping CIDR blocks
  Reserve address space (subnets and instance addresses) across AZs for future expansion
Control your network
  Align subnets to tiers (e.g. DMZ/proxy, ELB, Web/App, DB)
  Leverage appropriate control per tier (subnet tiering, NACLs, etc.)
  Everything in private subnets by default
  Only ELB or filter/monitoring solutions in public subnets
Secure IGW usage
  Don’t add the IGW to the main route table
  Minimize use of IGW-enabled custom route table(s)
  Minimize the size of subnets holding NAT or internet-facing proxy services (e.g. Squid)
Use IAM for access control
Supplement with AWS Marketplace solutions