© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Webinar

https://amzn.to/JPWebinar https://amzn.to/JPArchive

Solutions Architect

2019/4/17

Amazon VPC Advanced

[AWS Black Belt Online Seminar]

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 2

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Black Belt Online Seminar

•

•

①吹き出しをクリック②質問を入力③ Sendをクリック

Twitter

#awsblackbelt

3

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

• 2019 4 17

AWS (http://aws.amazon.com)

• AWS

AWS

•

• AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to

change in accordance with the AWS Customer Agreement available at

http://aws.amazon.com/agreement/. Any pricing information included in this document is provided

only as an estimate of usage charges for AWS services based on certain information that you

have provided. Monthly charges will be based on your actual use of AWS services, and may vary

from the estimates provided.

4

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

• VPC Sharing

• Transit Gateway

• PrivateLink

5

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 6

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

東京リージョン

Amazon Virtual Private Cloud (VPC)

(http://aws.amazon.com/jp/vpc/)

• AWS

• AWS

•

仮想プライベートクラウドサービス

VPC ( 172.16.0.0/16)

既存システム

プライベートサブネット

パブリックサブネット

インターネット

VPNor

専用線

ネットワークを要件に応じて設定

インターネットゲートウェイ

7

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

VPC

• 2009-8 Limited Beta

• 2009-12 Unlimited Beta

• 2010-2 EBS Support

• 2010-9

(MC)

• 2011-3 IGW, EIP, NAT

instance, NACL, SG

• 2011-8 Multi-AZ

• 2011-9 DirectConnect(DX)

• 2012-6 Multiple IP

• 2012-7 Internal ELB

• 2013-10 DX MC

• 2013-12 Default VPC

• 2014-3 VPC peering

• 2014-9 R53 Private host zone

8

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

VPC

• 2015-6 VPC flow logs

• 2015-12 NAT gateway

• 2016-7 DNS for VPC peering

• 2016-8 RDS in your VPC

• 2016-12 IPv6

• 2017-8 Add CIDRs

• 2017-11 PrivateLink

• 2017-11 Inter-Region VPC

Peering

• 2018-10 BYOIP

• 2018-11 Agentless network

assessments

• 2018-11 Transit Gateway

• 2018-12 VPC Sharing

• 2018-12 ClientVPN

9

2019.4のReference

Network Architecture

Internet

Account Account

Account Account

Account Account

Account Account

Account Account

Account Account

VP

N

AWS Direct

Connect *

Account Account Account Account IAM, cross-account roles

Route

tables

Route

tables

Transit Gateway

Available Q1

2019 10

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

東京リージョン

Amazon Virtual Private Cloud (VPC)

特徴 (http://aws.amazon.com/jp/vpc/)

• AWS上にプライベートネットワークを構築

• AWSと既存環境のハイブリッド構成を実現

• きめ細かいネットワーク設定が可能

仮想プライベートクラウドサービス

VPC ( 172.16.0.0/16)

既存システム

プライベートサブネット

パブリックサブネット

インターネット

VPNor

専用線

ネットワークを要件に応じて設定

インターネットゲートウェイ

ここが歴史です

11

2019.4のReference

Network Architecture

Internet

Account Account

Account Account

Account Account

Account Account

Account Account

Account Account

VP

N

AWS Direct

Connect *

Account Account Account Account IAM, cross-account roles

Route

tables

Route

tables

Transit Gateway

Available Q1

2019 12

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

VPC Sharing

13

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Mini-Agenda

VPC

– VPC

14

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

なぜマルチアカウントか？

15

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Answers

AWS Multiple Account Security Strategy

16

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Multi-Account view

Production Account Test/UAT Account Development Account

Master Account

17

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 18

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Production Account Test/UAT Account Development Account

Master Account

VPC VPC VPC

10.1.0.0/16 10.2.0.0/16 10.3.0.0/16PeeringPeering

Private VIF Private VIF

Private VIF

NAT

gateway

NAT

gatewayNAT

gateway

19

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

App A Production Account App A Test/UAT Account App A Development Account

Master Account

App B Production Account App B Test/UAT Account App B Development Account

Business Unit A

Business Unit B

VPC VPC VPC

VPC VPCVPC

VPC VPC VPC VPC

VPC VPC

NAT gateway NAT gateway NAT gateway

NAT gateway

NAT gateway

PeeringPeeringPeeringPeering

Private VIF

Private VIFPrivate VIF

Private VIF

20

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

•

•

•

•

•

•

•

•

•

•

•

21

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 22

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

VPC

App A Production Account App A Test/UAT Account App A Development Account

Master Account

App B Production Account App B Test/UAT Account App B Development Account

Business Unit A

Business Unit B

Prod VPC VPC

VPC

Dev/Test VPCNAT gateway NAT gateway

Private VIF Private VIF

23

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

VPC

VPC

• IPv4

•

• AWS

• AWS

24

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

IP

IPv4 CIDR

VPC peering, Transit VPC

•

VPC

25

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Admin

Users

Account A (VPC Owner) Account B (Participant)

Common VPC

Same AWS Organization

AWS Resource

Access Manager

Shared Subnet

Share subnet

with Resource

Share

EC2

Instance

owned by

Account A

RDS

Instance

owned by

Account B

Traffic

26

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

VPC Sharing

VPC

• VPC

•

VPC Sharing

• VPC

• VPC,

27

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 28

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

to

VPC

VPN

29

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Transit Gateway

1000以上のVPCとオンプレミス間の相互接続を簡単に

オンプレミスデータセンター

AWS VPCAWS Transit

Gateway

30

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Transit Gateway:

AWS Transit

Gateway

VPCとオンプレミス間のルーティングポリシーを集中管理

マルチアカウント間での1000を超えるVPC間接続をサポート

柔軟なルーティングテーブルの分割とルーティングルール

スケーラブル

マルチVPNコネクションのスループット向上

運用の単純化

31

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

• アカウント間の複数VPC間の相互接続の集中管理• VPNとDirect Connectの接続点を集中化• ピアツーピアネットワークが必要であった構成の削減、または廃止が可能

• ECMPルーティングによるVPNスループットの向上(50 Gbps+)

• AWS Transit Gatewayによりリージョン間のピアリングが可能• AWSグローバルネットワークを活用して、低遅延のクロスリージョン接続を実現

• Regional construct reduces blast radius

• AWSとオンプレミス間の設定時間を削減• 1カ所で管理および監視が簡単に可能• CloudWatchとVPC Flow Logsとの統合• 既存のVPCセキュリティグループとネットワークアクセスコントロールリストを利用可能

ネットワーク構成の単純化

Global

Connectivity

AWS Transit Gateway:

32

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 33

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

–

VPC

• 複数のVPCを使用しているお客様

• 多数のVPCにまたがるアプリケーションを構築するお客様

• ネットワークサービスの共有が可能 (DNS, Active Directory, ファイアーウォール, IDS)

• 管理のオーバーヘッドを削減

34

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

–

• すべてのVPCで共通のVPNまたはDirect Connect Gateway（DXGW）を共有

• 複数のVPCにオンプレミスネットワークを接続する時間を短縮

• AWS Transit GatewayにVPCを追加する際、追加する顧客ネットワークに変更は不要

35

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Use Case –

• 共有のVPCホストセキュリティツール

• Firewall as a service

• Webアプリケーションファイアウォール（WAF）、データ損失防止（DLP）、侵入検知/保護（IDS / IPS）

• ネイティブAWSサービスでスケールアウト

36

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 37

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Internet

Account Account

Account Account

開発環境

Account Account

Account Account

テスト環境

Account Account

Account Account

本番環境

アウトバウンド

URL filtering

NAT gateway

DLP / Proxy

エッジサービス

WAF / ADC

SD-WAN

VPN / Firewall

IDS / IPS

Firewall / NGFW

インラインサービス

共有サービス

Authentication, Monitoring

VPNAWS Direct

Connect *

Account Account Account Account

管理アカウント (logging, AWS Organizations, billing, landing zone)

IAM, Cross-account roles

Route

tables

Route

tables

Transit GatewayEast-West + North-South

Available 1H

2019

AWS Transit Gateway

38

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

VPC

Account Account

Account Account

Development

Account Account

Account Account

Testing

Account Account

Account Account

Production 共有サービス

Authentication, monitoring

Route

tables

Route

tables

Transit Gateway

VRF)

Account Account

Account Account

Acquisition

Example applications

• 認証• ロギング• DevOps ツール• セキュリティリソース

AWS Transit Gateway

39

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Transit Gateway PrivateLink

AWS Transit Gateway

• 多対多、1対多でルーティングテーブルを利用するもの

• Highly scalable• 1時間当たりのAZエンドポイン

トコスト

Account Account

Account Account

Development

Account Account

Account Account

Testing

Account Account

Account Account

ProductionShared Services

Authentication, Monitoring

R

o

u

t

e

T

a

b

l

e

s

R

o

u

t

e

T

a

b

l

e

s

Transit Gateway

適用範囲：アプリケーション共有サービス

信頼モデル：VPC間に相互信頼をもたない

依存関係：ロードバランサとアプリケーションアーキテクチャ

規模：数千のスポークVPC

対象範囲：多数のVPCへのネットワーク共有サービス

信頼モデル：VPC単位の信頼、集中管理

依存関係：Transit Gatewayによる集中管理

規模：数千のスポークVPC

AWS PrivateLink

• 1対多のコネクティビティ• Highly scalable• IPアドレス重複のサポート• Elastic Load Balancingの使用• ロードバランサと1時間当たり

のエンドポイントコスト

40

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Transit Gateway VPN

VPN

Route

tables

Route

tables

Transit Gateway

Customer

Gateway

Transit Gateway (TGW)によるVPNの統合• VPNはVirtual Private Gateway (VGW)に接続しているように動作• 帯域、設定、API,コストおよびエクスペリエンスは従来通り

• VPNはVGWではなくTGWに接続• VGW同様トンネルあたり1.25 gbpsの帯域幅を適用

多数のVPCのエッジへの暗号化• トラフィックはVPC内に入るまで暗号化• VPC間の通信は自動では暗号化されない

• インターリージョンVPCはデフォルト暗号化

41

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Transit Gateway VPN: VPN

VPN

Route

tables

Route

tables

Transit Gateway

Customer

Gateway

複数トンネルによるトラフィックの分散サポート• BGPマルチパスによるEqual Cost Multi Path（ECMP）のサポート

• 最大50 Gbpsの帯域までテスト済み• トラフィックの小さな複数のフローへの分割, マルチパートアップロード, etc.

オンプレミス環境側の設定確認事項• マルチパスBGPサポート• ECMPサポート, ECMPのパスの最大数, reverse-path

forwarding/spoofing機能の有無• BGP、スタティックルートサポート

42

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Direct Connect Transit Gateway

Direct Connect VPC Public接続を利用したDirect Connect上にVPNを張る暗号化

Account Account

Account Account

Development

Account Account

Account Account

Testing

Account Account

Account Account

Production Shared

VPN AWS Direct

Connect

Route

Tables

Route

Tables

Transit Gatewayvirtual

interfaces

VPN

AWS Direct

Connect

Route

Tables

Route

Tables

Transit Gateway

Public virtual

interface

AWS Cloud

Receive AWS

public IP

addresses

20191Hサポート予定

43

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

構成例

44

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Transit Gatewayで自由に通信させる route domains

Transit Gateway

Route Destination

10.1.0.0/16 vpc-att-1xxxxxxx

10.2.0.0/16 vpc-att-2xxxxxxx

10.3.0.0/16 vpc-att-3xxxxxxx

10.0.0.0/8 VPN

Default

routing domain

ルートテーブルは１つ

45

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Transit Gatewayで通信制限する route domains

Transit GatewayShared

services

VP

N

VPC

Route Destination

10.1.0.0/16 vpc-att-1xxxx

10.2.0.0/16 vpc-att-2xxxx

Route Destination

10.3.0.0/16 vpc-att-3xxxx

10.4.0.0/16 vpc-att-4xxxx

Route Destination

10.0.0.0/8 VPN

10.4.0.0/16 vpc-att-4xxxx

VPCs attach to a route table with routes to shared resources

Shared resources attach to a route table with routes to all resources

Shared serviceとVPN向けのみの経路

それぞれのVPC向けの経路

46

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

インターネットに抜けるOutbound Route Domains

Transit Gateway

VP

N

Route Destination

10.1.0.0/16 vpc-att-1xxxxxxx

10.2.0.0/16 vpc-att-2xxxxxxx

10.3.0.0/16 vpc-att-3xxxxxxx

10.0.0.0/8 VPN

0.0.0.0/0 vpc-att-4xxxxxx

Default

routing domain

インターネットVPC向けの経路

47

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

インターネットに抜けるOutbound Route Domains

Transit Gateway

VP

N

Route Destination

10.1.0.0/16 vpc-att-1xxxxxxx

10.2.0.0/16 vpc-att-2xxxxxxx

10.3.0.0/16 vpc-att-3xxxxxxx

10.0.0.0/8 VPN

0.0.0.0/0 vpc-att-4xxxxxx

Default

routing domain

インターネットVPC向けの経路

48

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

PrivateLink

49

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS PrivateLink

• https://aws.amazon.com/jp/about-aws/whats-

new/2017/11/introducing-aws-privatelink-for-aws-services/

• パブリック IP を使用することなく、またインターネット全体を横断するトラフィックを必要とすることなく、Amazon Virtual Private Cloud (VPC) から AWS のサービスにプライベートにアクセスできます。

• 対応サービス• https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html

• 最近ではECR,ECS,Fargateも

50

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

PrivateLink

• 別の AWS アカウントでホストされるサービス、AWS Marketplace のサードパーティサービスにセキュアに接続• お客様の VPC とこうしたいずれかのサービス間のトラフィックはAmazon のネットワークの外に出ない• サービスと通信するためにインターネットゲートウェイ、NAT デバイス、パブリック IP アドレス、VPN 接続は不要

51

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Transit Gateway PrivateLink

AWS Transit Gateway

• 多対多、1対多でルーティングテーブルを利用するもの

• Highly scalable• 1時間当たりのAZエンドポイン

トコスト

Account Account

Account Account

Development

Account Account

Account Account

Testing

Account Account

Account Account

ProductionShared Services

Authentication, Monitoring

R

o

u

t

e

T

a

b

l

e

s

R

o

u

t

e

T

a

b

l

e

s

Transit Gateway

適用範囲：アプリケーション共有サービス

信頼モデル：VPC間に相互信頼をもたない

依存関係：ロードバランサとアプリケーションアーキテクチャ

規模：数千のスポークVPC

対象範囲：多数のVPCへのネットワーク共有サービス

信頼モデル：VPC単位の信頼、集中管理

依存関係：Transit Gatewayによる集中管理

規模：数千のスポークVPC

AWS PrivateLink

• 1対多のコネクティビティ• Highly scalable• IPアドレス重複のサポート• Elastic Load Balancingの使用• ロードバランサと1時間当たり

のエンドポイントコスト

52

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

• VPC Sharing

• Transit Gateway

• PrivateLink

3

Transit Gateway AWS Summit Tokyo

Dive Deep

53

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

Q&A

AWS Japan Blog https://aws.amazon.com/jp/blogs/news/

54

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS AWS

https://amzn.to/JPArchive55

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

•

•

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Webinar

https://amzn.to/JPWebinar https://amzn.to/JPArchive