Transcript of AWS Networking Fundamentals - DevOps School
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tom Adamski
Specialist Solutions Architect, AWS
AWS Networking Fundamentals
Traditional Network
[Diagram: applications at two sites connected over VPN, WAN and fiber links]
AWS Network
[Diagram: the same picture on AWS; the VPN links are labelled VPC Peering and the WAN/fiber links AWS Direct Connect]
What is an Amazon Virtual Private Cloud (VPC)?
“A virtual network that closely resembles a traditional network that you'd operate in your own data center”
[Diagram: a VPC spanning two Availability Zones, with an instance in each]
Creating an Internet-connected VPC: Steps
• Choose an address range
• Create subnets in Availability Zones
• Create a route to the Internet (IGW)
• Authorize traffic to/from the VPC
Choosing an IP address range
CIDR notation review
CIDR range example: 172.31.0.0/16 = 1010 1100 . 0001 1111 . 0000 0000 . 0000 0000 (the /16 marks the first 16 bits as the network prefix)
Choosing an IP address range for your VPC
• Example: 172.31.0.0/16
• Recommended: RFC1918 range
• Recommended: /16 (65,536 addresses)
• Avoid ranges that overlap with other networks to which you might connect.
IPv6 in Amazon VPC – Dual-stack
• The VPC keeps its IPv4 CIDR (172.31.0.0/16) and gets an associated /56 IPv6 CIDR, automatically allocated, e.g. 2001:db8:1234:1a00::/56
• IPv6 addresses are Amazon Global Unicast Addresses (GUA): Internet routable
Subnets
VPC subnets and Availability Zones
VPC 172.31.0.0/16, one VPC subnet per Availability Zone:
  eu-west-1a: 172.31.0.0/24
  eu-west-1b: 172.31.1.0/24
  eu-west-1c: 172.31.2.0/24
Expand your existing Amazon VPC
[Diagram, built up over three slides: VPC CIDR 172.31.0.0/16 with /24 subnets in Availability Zones A and B holding Instance A 172.31.1.11/24, Instance B 172.31.2.22/24, Instance C 172.31.3.33/24 and Instance D 172.31.4.44/24. Availability Zone C is added. A second CIDR, 172.21.0.0/16, is associated with the VPC (VPC CIDR: 172.31.0.0/16 172.21.0.0/16) and subnets from it are created in Availability Zone C for Instance E 172.21.1.11/24 and Instance F 172.21.2.22/24.]
VPC subnet recommendations
• /16 VPC (65,536 addresses)
• Expand your VPC when necessary
• At least /24 subnets (251 addresses)
• Use multiple Availability Zones per VPC through multiple subnets
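The address-range and subnet recommendations above, turned into checks a practitioner can run before creating the VPC. This is an added example, not code from the slides or from AWS; it uses only the Python standard library, and the count of five reserved addresses per subnet is an AWS fact that explains the deck's "251 addresses" for a /24.

```python
import ipaddress

# Added example (not from the slides): the deck's address-planning advice as checks.
# AWS reserves five addresses in every subnet (network, VPC router, DNS, one spare,
# broadcast), which is why a /24 leaves 251 usable addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5


def cidr_bits(cidr):
    """Binary view of the network address, one octet per group (the slide's notation review)."""
    net = ipaddress.ip_network(cidr)
    return ".".join(format(octet, "08b") for octet in net.network_address.packed)


def check_vpc_cidr(cidr, other_networks=()):
    """Warnings for a proposed VPC CIDR; an empty list means it follows the recommendations."""
    net = ipaddress.ip_network(cidr, strict=True)
    warnings = []
    if not any(net.subnet_of(r) for r in RFC1918):
        warnings.append(f"{net} is not an RFC1918 range")
    if net.prefixlen != 16:
        warnings.append(f"{net} is a /{net.prefixlen}; a /16 is recommended")
    for other in other_networks:  # networks you might peer or VPN with later
        if net.overlaps(ipaddress.ip_network(other)):
            warnings.append(f"{net} overlaps {other}")
    return warnings


def plan_subnets(vpc_cidr, azs, prefixlen=24):
    """Carve one /prefixlen subnet per Availability Zone, in order, out of the VPC CIDR."""
    carved = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefixlen)
    return {az: str(next(carved)) for az in azs}


def usable_hosts(subnet):
    """Addresses left for instances after AWS reserves five per subnet."""
    return ipaddress.ip_network(subnet).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    print(cidr_bits("172.31.0.0/16"))
    print(check_vpc_cidr("172.31.0.0/16", ["192.168.0.0/16", "10.55.0.0/16"]))
    print(check_vpc_cidr("172.31.0.0/24", ["172.31.0.0/16"]))
    print(plan_subnets("172.31.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
    print(usable_hosts("172.31.0.0/24"))
```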
Route to the Internet
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default (main) route table
• But, you can assign different route tables to different subnets
• Traffic destined for my VPC stays in my VPC
Internet gateway
• Send packets here if you want them to reach the Internet
• Everything that isn’t destined for the VPC: send to the Internet
Network security in your VPC: Security groups
Security groups follow application structure
• “MyWebServers” Security Group: allow web traffic from 0.0.0.0/0
• “MyBackends” Security Group: allow only “MyWebServers”
Security groups example: Web servers
• Allow all HTTP traffic
• Rule descriptions
Security groups example: Backends
• Allow application traffic from web servers only
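How the two groups above are evaluated, shown as an added example (not code from the slides or from AWS). The group names come from the deck; the backend application port 8080 and the instance IPs are constructed, and a rule whose source is another group is matched by the source instance's group membership, as AWS does.

```python
import ipaddress

# Added example (not from the slides): evaluating the deck's two security groups.
# Rules are allow-only; anything not matched is implicitly denied. Group names come
# from the slides; the application port (8080) and member IPs are constructed.
# Inbound rules: (protocol, from_port, to_port, source); source is a CIDR or a group name.
SECURITY_GROUPS = {
    "MyWebServers": [("tcp", 80, 80, "0.0.0.0/0")],        # allow all HTTP traffic
    "MyBackends":   [("tcp", 8080, 8080, "MyWebServers")],  # application traffic from web servers only
}

# Which instances (private IPs) carry which group. Constructed.
MEMBERS = {
    "MyWebServers": {"172.31.1.11", "172.31.2.22"},
    "MyBackends":   {"172.31.3.33"},
}


def inbound_allowed(group, src_ip, proto, port):
    """True when an inbound rule of `group` admits a new connection from src_ip to proto/port.
    (Security groups are stateful: replies to an allowed connection need no rule of their own.)"""
    src = ipaddress.ip_address(src_ip)
    for rule_proto, lo, hi, source in SECURITY_GROUPS[group]:
        if rule_proto != proto or not lo <= port <= hi:
            continue
        if source in SECURITY_GROUPS:      # group reference: the source instance must carry that group
            if src_ip in MEMBERS.get(source, set()):
                return True
        elif src in ipaddress.ip_network(source):   # CIDR source
            return True
    return False


def trace(group, src_ip, proto, port):
    """One-line verdict, handy when reading the rules against a flow log."""
    verdict = "ALLOW" if inbound_allowed(group, src_ip, proto, port) else "DENY"
    return f"{src_ip} -> {group} {proto}/{port}: {verdict}"


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for an Internet client.
    print(trace("MyWebServers", "198.51.100.7", "tcp", 80))   # Internet client to web server
    print(trace("MyWebServers", "198.51.100.7", "tcp", 22))   # no SSH rule: implicit deny
    print(trace("MyBackends", "172.31.1.11", "tcp", 8080))    # web server to backend
    print(trace("MyBackends", "198.51.100.7", "tcp", 8080))   # Internet client straight to backend
```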
AWS Network - Progress [the AWS network diagram repeated, marking what has been covered so far]
Beyond Internet connectivity
• Restricting Internet access
• Connecting to your corporate network
• Connecting to other VPCs
Restricting Internet access: Routing by subnet
Routing by subnet
• Public subnet: has route to Internet
• Private subnet: has no route to Internet
Outbound-only internet access: NAT gateway
[Diagram: the private subnet's 0.0.0.0/0 route points at a NAT gateway (public IP 54.161.0.39) in the public subnet, whose own 0.0.0.0/0 route leads to the Internet]
Inter-VPC connectivity: VPC peering
Example VPC peering use: Shared services VPC
• Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
[Diagram: shared services VPC A (172.16.0.0/16) peered with VPCs B 10.0.0.0/16, C 192.168.0.0/16, D 10.2.0.0/16, E 10.3.0.0/16, F 172.17.0.0/16 and G 10.4.0.0/16]
Establish a VPC peering
[Diagram: VPC 172.31.0.0/16 peered with VPC 10.55.0.0/16]
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create a route: traffic destined for the peered VPC should go to the peering
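Route-table lookup as the deck describes it, covering the main table's local route, the public subnet's Internet gateway route, the private and NAT-gateway variants, and the peering route from Step 3 above. This is an added example, not code from the slides or from AWS; the VPC CIDRs are the deck's, the target IDs are placeholders, and 198.51.100.7 is a documentation address standing in for an Internet host.

```python
import ipaddress

# Added example (not from the slides): route-table lookup the way a VPC does it,
# the most specific (longest) prefix wins. Target IDs are placeholders.
VPC_CIDR = "172.31.0.0/16"
PEER_CIDR = "10.55.0.0/16"  # the peered VPC from the slides

LOCAL = {VPC_CIDR: "local"}  # every route table carries the VPC's own CIDR as a local route

ROUTE_TABLES = {
    "public":  {**LOCAL, "0.0.0.0/0": "igw-PLACEHOLDER"},   # has a route to the Internet
    "private": {**LOCAL},                                   # no route to the Internet
    "nat":     {**LOCAL, "0.0.0.0/0": "nat-PLACEHOLDER"},   # outbound only, via NAT gateway
    "peered":  {**LOCAL, "0.0.0.0/0": "igw-PLACEHOLDER",
                PEER_CIDR: "pcx-PLACEHOLDER"},              # step 3 of peering: route to the peering
}


def lookup(route_table, dst_ip):
    """Target of the most specific matching route, or None when nothing matches (packet dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(route_table):
    """The deck's sense of a public subnet: its 0.0.0.0/0 route points at an Internet gateway."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for an Internet host.
    for name, table in ROUTE_TABLES.items():
        hops = [lookup(table, d) for d in ("172.31.2.22", "10.55.1.10", "198.51.100.7")]
        print(f"{name:8} public={is_public(table)!s:5} {hops}")
```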
Security groups across peered VPCs
[Diagram: VPC Peering between 172.31.0.0/16 and 10.55.0.0/16; a rule can reference a security group in the peered VPC (Orange Security Group, Blue Security Group): ALLOW]
Inter-Region VPC Peering
[Diagram: VPC A in eu-west-1 (Ireland) peered with VPC B in us-east-1 (N. Virginia)]
Some notes…
• Inter-Region VPC Peering encrypts with no single point of failure or bandwidth bottleneck
• Traffic using Inter-Region VPC Peering always stays on the global AWS backbone
AWS Network - Progress [diagram repeated]
Connecting to on-premises networks: AWS Virtual Private Network and AWS Direct Connect
Extend an on-premises network into your VPC
• VPN
• AWS Direct Connect
AWS VPN basics
[Diagram: VPC 172.31.0.0/16 with a Virtual Private Gateway (VGW); two IPSec tunnels to a Customer Gateway (your networking device) in front of the on-premises network 192.168.0.0/16; VPC route: traffic destined for the VPN/Direct Connect goes via the VGW]
AWS Direct Connect Gateway
[Diagram, built up over several slides: a Direct Connect Gateway sits between Direct Connect locations and VPCs. At the Direct Connect location (London) a Private Virtual Interface is attached to the gateway (“Attachment”); the VGW of the EU-WEST-1 VPC 172.31.0.0/16 is associated with it (“Association”); the on-premises network is 192.168.0.0/16. The VGW of an EU-CENTRAL-1 VPC 172.16.0.0/16 is added as a second association, and a second Direct Connect location (Frankfurt) adds a second Virtual Interface attachment.]
Direct Connect Gateway—traffic flows
[Diagram: traffic flows between the Virtual Interface attachments at the Direct Connect locations and the associated VGWs]
AWS VPN and AWS Direct Connect
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPSec tunnels over the Internet
• AWS Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability: Use both
AWS Network - Progress [diagram repeated]
AWS Services
• Inside of the VPC
• Outside of the VPC
AWS Services in your VPC
Example: Amazon RDS Database in your VPC
Example: Application Load Balancer in your VPC
AWS Services outside your VPC
VPC Endpoints for AWS Services
Amazon S3 and your VPC
[Diagram: your applications in the VPC, your data in an S3 bucket]
Gateway VPC Endpoints
VPC Endpoints: Amazon S3 and DynamoDB
• Route S3-bound traffic to the VPC endpoint
IAM policy for VPC Endpoints
• IAM policy at VPC endpoint: restrict actions of VPC in Amazon S3 or Amazon DynamoDB
• IAM policy at S3 bucket: make accessible from VPC endpoint only
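The second bullet in practice: an S3 bucket policy that denies every request not arriving through one gateway endpoint, with a small evaluator for the aws:SourceVpce condition so the effect on a request can be checked offline. This is an added example, not code from the slides or from AWS; the bucket name and endpoint ID are placeholders, and the evaluator models only the Deny/StringNotEquals semantics this policy relies on (a missing condition key makes a negated operator match, which is what keeps non-endpoint requests out).

```python
import json

# Added example (not from the slides). Placeholders: replace with your bucket and endpoint ID.
BUCKET = "example-bucket-PLACEHOLDER"
VPCE_ID = "vpce-PLACEHOLDER"

# The deck's "IAM policy at S3 bucket: make accessible from VPC endpoint only".
# An explicit Deny with StringNotEquals on aws:SourceVpce overrides any Allow elsewhere,
# so requests that arrive over the Internet (no aws:SourceVpce key at all) are refused.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccessViaVpcEndpointOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}


def denied_by_policy(policy, request_context):
    """True if a Deny statement's conditions match the request context.

    Deliberately minimal: Principal/Action/Resource are assumed to match, and only the
    StringEquals / StringNotEquals operators are modelled. As in IAM, a negated operator
    matches when the key is absent from the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = request_context.get(key)
                if operator == "StringEquals":
                    matched &= actual == expected
                elif operator == "StringNotEquals":
                    matched &= actual != expected
                else:
                    raise NotImplementedError(operator)
        if matched:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    print(denied_by_policy(BUCKET_POLICY, {"aws:SourceVpce": VPCE_ID}))        # via the endpoint
    print(denied_by_policy(BUCKET_POLICY, {"aws:SourceIp": "198.51.100.7"}))   # from the Internet
```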
Interface VPC Endpoints
AWS PrivateLink for AWS Services
[Diagram: an interface endpoint for the EC2 APIs with a network interface per Availability Zone (private IPs 172.31.1.6 and 172.31.2.10); endpoint DNS names vpce-….ec2.eu-west-1.vpce.amazonaws.com, vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com and vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com, alongside the public service name ec2.eu-west-1.amazonaws.com]
AWS PrivateLink for Customer & Partner Applications
• Powered by Network Load Balancer
• Secure endpoint within Client VPC
• Integrated with AWS Marketplace
• Share services privately and securely between VPCs, AWS accounts, and on-premises networks
• Available in all public AWS regions, except CN-NORTH-1
VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
VPC Flow Logs
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
[Diagram: subnet 172.31.1.0/24 in AZ A]
VPC Flow Logs: Setup
VPC traffic metadata captured in Amazon CloudWatch Logs
VPC Flow Logs data in CloudWatch Logs
[Screenshot of flow log records: REJECT entries involving UDP port 27015 and the address 109.236.86.32]
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
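Reading flow log records the way the screenshot above invites: parse the default 14-field record format and summarise REJECTed flows by source, protocol and destination port, so the address worth a reverse lookup stands out. This is an added example, not code from the slides or from AWS; the log lines are constructed (the account ID and interface ID are placeholders) but reuse the address and UDP port the slide shows.

```python
from collections import Counter

# Added example (not from the slides): parse VPC Flow Log records in the default format
# and count REJECTed flows. Field order is the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers seen in flow logs

# Constructed sample records. The account ID and eni- ID are placeholders; the source
# address and UDP port 27015 are the ones in the slide's screenshot.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 109.236.86.32 172.31.1.10 52146 27015 17 1 60 1530000000 1530000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.1.10 40012 80 6 12 4800 1530000000 1530000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 109.236.86.32 172.31.1.10 52147 27015 17 1 60 1530000010 1530000070 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1530000000 1530000060 - NODATA
"""


def parse_record(line):
    """Map one default-format record to a dict; '-' becomes None, counters become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {key: (None if value == "-" else value) for key, value in zip(FIELDS, parts)}
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def rejected_sources(text):
    """Count REJECTed flows per (source address, protocol name, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue   # NODATA/SKIPDATA windows carry no addresses; ACCEPTs are not of interest here
        proto = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
        counts[(rec["srcaddr"], proto, rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, port), n in rejected_sources(SAMPLE).most_common():
        print(f"{n:3} REJECT  {src:15} -> {proto} port {port}   (who's this? dig +short -x {src})")
```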
The VPC Network
VPC Network Security
VPC Connectivity
On-Instance Networking Improvements
C1
• 1 Gbps
CC1
• 10 Gbps
C3
• Enhanced networking
• 20x PPS
• <100-µs latency
C4
• EBS optimized by default
C5
• Elastic Network Adapter
• 25 Gbps
• <50-µs latency
Instance Bandwidth Limits
• 25 Gbps to Amazon S3
• 25 Gbps within region
• 25 Gbps within placement group
• 5 Gbps for other sources
Amazon Time Sync Service
Highly reliable service with a redundant array of satellite and atomic clock sources
Thank You!
Tom Adamski
Specialist Solutions Architect