Networking in AWS. Carl Simpson Technical Architect, Zen Internet Limited

Transcription

1 Networking in AWS Carl Simpson Technical Architect, Zen Internet Limited

2 About Me:

3 About Me: Technical Architect Cloud & Zen Internet Limited

4 About Me: Technical Architect Cloud & Zen Internet Limited 12 years at Zen Internet

5 About Me: Technical Architect Cloud & Zen Internet Limited 12 years at Zen Internet Networking guy turned Cloud guy

6 About Me: Technical Architect Cloud & Zen Internet Limited 12 years at Zen Internet Networking guy turned Cloud guy Makes comments like: Someone should do a talk on AWS networking!

7 What we re going to cover:

8 What we re going to cover: VPC

9 What we re going to cover: VPC VPC End Points

10 What we re going to cover: VPC VPC End Points VPC Peering

11 What we re going to cover: VPC VPC End Points VPC Peering Direct Connect

12 What is a VPC?

13 What is a VPC? VPC = Virtual Private Cloud

14 What is a VPC? VPC = Virtual Private Cloud A private network container within your AWS account:

15 VPC A Container for:

16 VPC A Container for: IP Subnet IP Subnet

17 VPC A Container for: Route Table IP Subnet IP Subnet Route Table

18 VPC A Container for: Security Group Route Table IP Subnet IP Subnet Security Group Route Table

19 VPC A Container for: Security Group Route Table IP Subnet IP Subnet EC2 instance Security Group EC2 instance Route Table

20 VPC A Container for: Security Group Route Table IP Subnet IP Subnet EC2 instance Security Group EC2 instance Route Table Amazon RDS

21 VPC A Container for: Security Group Route Table IP Subnet IP Subnet EC2 instance Security Group EC2 instance Route Table Redis Amazon RDS

22 Setting up your VPC

23 Pick a region AWS Region AWS Region

24 Choose VPC address space AWS Region VPC IPv4 CIDR block: /16 VPC /16

25 Pick some Availability Zones *Use three AZ where available AWS Region AZ A AZ B AZ - A AZ - B VPC /16

26 Create some subnets AWS Region AZ A AZ B Public Subnet A Public Subnet A Public Subnet B Public Subnet B Private Subnet 1A Private Subnet 1A Private Subnet 2A Private Subnet 2A VPC /16

27 Create some subnets AWS Region AZ A AZ B Public Subnet A Public Subnet A Public Subnet B Public Subnet B Private Subnet 1A Private Subnet 1A Private Subnet 1A Private Subnet 1B Private Subnet 2A Private Subnet 2A Private Subnet 2A Private Subnet 2B VPC /16

28 Suitable for most cases /22 /22 /22 /20 /20 /20

29 What makes a subnet public? AWS Region AZ A AZ B Public Subnet A Public Subnet A Public Subnet B Public Subnet B Private Subnet 1A Private Subnet 1A Private Subnet 2A Private Subnet 2A VPC /16

30 What makes a subnet public? AWS Region Public Route Table AZ A Public Subnet A Public Subnet A AZ B Public Subnet B Public Subnet B Public Route Table Private Subnet 1A Private Subnet 1A Private Subnet 2A Private Subnet 2A VPC /16

31 What makes a subnet private? AWS Region AZ A AZ B Public Subnet A Public Subnet B Public Route Table Private Subnet 1A Private Subnet 1A Private Subnet 1A Private Subnet 1B Private Subnet 2A Private Subnet 2A Private Subnet 2A Private Subnet 2B VPC /16

32 What makes a subnet private? AWS Region NAT Gateway AZ A Public Subnet A AZ B Public Subnet B VPC NAT gateway VPC NAT gateway Public Route Table Private Route Table 1 Private Subnet 1A Private Subnet 1A Private Subnet 1A Private Subnet 1B Private Route Table 2 Private Subnet 2A Private Subnet 2A Private Subnet 2A Private Subnet 2B Private Route Table 1 Private Route Table 2 VPC /16

33 What might a private subnet have? AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway VPC NAT gateway Public Route Table Private Subnet 1A Private Subnet 1A Private Subnet 1A Private Subnet 1B Private Subnet 2A Private Subnet 2A Private Subnet 2A Private Subnet 2B Private Route Table 1 Private Route Table 2 VPC /16

34 What might a private subnet have? AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway VPC NAT gateway Public Route Table Private Subnet 1A Private Subnet 1A Private Subnet 1A Private Subnet 1B Private Subnet 2A Private Subnet 2A Private Subnet 2A Private Subnet 2B Private Route Table 1 Private Route Table 2 VPC /16 VGW Virtual Private Gateway

35 Adding some servers/services AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway Elastic Load Balancer VPC NAT gateway Public Route Table Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

36 Adding some servers/services Load Balancer (ELB) AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway Elastic Load Balancer VPC NAT gateway Public Route Table Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

37 Adding some servers/services Load Balancer (ELB) AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway Elastic Load Balancer VPC NAT gateway Public Route Table Web Server Private Subnet 1A Web Server Private Subnet 1A Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

38 Adding some servers/services Load Balancer (ELB) AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway Elastic Load Balancer VPC NAT gateway Public Route Table Web Server Private Subnet 1A Web Server Private Subnet 1A Web Server Database Server Private Subnet 2A DB Server Private Subnet 2A DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

39 What s outside the VPC? AWS Region AZ A AZ B Public Subnet A Public Subnet B VPC NAT gateway Elastic Load Balancer VPC NAT gateway Public Route Table Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

40 What s outside the VPC? AWS Public Services AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B Amazon S3 VPC NAT gateway Elastic Load Balancer VPC NAT gateway Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

41 What s outside the VPC? AWS Public Services AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B Amazon S3 VPC NAT gateway Elastic Load Balancer VPC NAT gateway Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

42 But I want my stuff to be totally private! AWS Region AWS Public Services AZ A AZ B Amazon S3 Amazon DynamoDB Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

43 But I want my stuff to be totally private! AWS Region AWS Public Services AZ A AZ B Amazon S3 Amazon DynamoDB Lambda function Private Subnet 1A Private Subnet 1A Private Subnet 2A Web Server DB Server Private Subnet 2A Web Server DB Server Internet Private Route Table 1 Private Route Table 2 VPC /16 VGW

44 Use VPC Endpoints AWS Region VPC NAT gateway VPG Amazon DynamoDB AWS Public Services Lambda function Amazon S3

45 Use VPC Endpoints AWS Region VPC NAT gateway VGW Saves money on NAT Gateway data transfer! VPC Endpoint * VPC Endpoint VPC Endpoint Amazon DynamoDB AWS Public Services Lambda function Amazon S3 * Currently in preview. Endpoints for other services coming

46 Why use VPC Endpoints?

47 Why use VPC Endpoints? Improve Security

48 Why use VPC Endpoints? Improve Security Reference them in security groups

49 Why use VPC Endpoints? Improve Security Reference them in security groups Restrict S3 buckets to only VPC end point access (bucket policy) { } "Sid": "Access-to-specific-VPCE-only", "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"], "Condition": { "StringNotEquals": { "aws:sourcevpce": "vpce-1a2b3c4d" }

50 Why use VPC Endpoints? Improve Security Reference them in security groups Restrict S3 buckets to only VPC end point access (bucket policy) Performance

51 Why use VPC Endpoints? Improve Security Reference them in security groups Restrict S3 buckets to only VPC end point access (bucket policy) Performance Save Money

52 VPC Endpoints AWS Region AWS Public Services AZ A AZ B VPC Endpoint Amazon S3 VPC Endpoint Amazon DynamoDB VPC Endpoint Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

53 VPC Endpoints AWS Region AWS Public Services AZ A AZ B VPC Endpoint Amazon S3 VPC Endpoint Amazon DynamoDB VPC Endpoint Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

54 VPC Endpoints AWS Region AWS Public Services AZ A AZ B VPC Endpoint Amazon S3 VPC Endpoint Amazon DynamoDB VPC Endpoint Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

55 Putting it all together AWS Region AWS Public Services AZ A AZ B VPC Endpoint Amazon S3 Public Subnet A Public Subnet B VPC NAT gateway Elastic Load Balancer VPC NAT gateway VPC Endpoint Amazon DynamoDB Public Route Table VPC Endpoint Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server Private Route Table 1 Private Route Table 2 VPC /16 VGW

56 What VPC things haven t I mentioned?

57 What VPC things haven t I mentioned? IPv6

58 What VPC things haven t I mentioned? IPv6 VPC Flow s

59 IPv4 reminder AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B Amazon S3 VPC NAT gateway VPC NAT gateway Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A Private Subnet 2A Private Subnet 2A Private Route Table 1 Private Route Table 2 VPC /16 VGW

60 Dual Stack (IPv4 & IPv6) AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B Amazon S3 Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A Private Subnet 2A Private Subnet 2A Private Route Table 1 Private Route Table 2 + VPC / :DB8::/56

61 Dual Stack (IPv4 & IPv6) AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B Amazon S3 Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A Private Subnet 2A Private Subnet 2A AWS assigned /56 IPv6 address space + VPC / :DB8::/56 Private Route Table 1 Private Route Table 2

62 Focusing on IPv6 - /64s Everywhere AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B /64 /64 Amazon S3 Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A /64 /64 AWS assigned /56 IPv6 address space Private Subnet 2A Private Subnet 2A /64 /64 Private Route Table 1 Private Route Table 2 VPC / :DB8::/56

63 Focusing on IPv6 (Public Subnet Routing) AWS Region AWS Public Services AZ A Public Subnet A AZ B Public Subnet B /64 /64 Amazon S3 Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A /64 /64 AWS assigned /56 IPv6 address space Private Subnet 2A Private Subnet 2A /64 /64 Private Route Table 1 Private Route Table 2 VPC / :DB8::/56

64 Focusing on IPv6 (Private Subnet Routing) AWS Region Egress Only Gateway Egress Only GW AWS Public Services AZ A Public Subnet A AZ B Public Subnet B /64 /64 Amazon S3 Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A /64 /64 AWS assigned /56 IPv6 address space Private Subnet 2A Private Subnet 2A /64 /64 Private Route Table 1 Private Route Table 2 VPC / :DB8::/56

65 Focusing on IPv6 (External Private Routing) AWS Region Egress Only GW AWS Public Services AZ A Public Subnet A AZ B Public Subnet B /64 /64 Amazon S3 Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A /64 /64 Private Subnet 2A Private Subnet 2A /64 /64 AWS assigned /56 IPv6 address space VPC / :DB8::/56 Private Route Table 1 Private Route Table 2 VGW

66 Dual Stack All together Egress Only Gateway AWS Region Egress Only GW AWS Public Services AZ A Public Subnet A AZ B Public Subnet B Amazon S3 VPC NAT gateway VPC NAT gateway Amazon DynamoDB Public Route Table Lambda function Private Subnet 1A Private Subnet 1A Web Server Web Server Private Subnet 2A Private Subnet 2A DB Server DB Server AWS assigned /56 IPv6 address space + VPC / :DB8::/56 Private Route Table 1 Private Route Table 2 VGW

67 Some CloudFormation IPv6 nonsense

68 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet

69 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet

70 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet

71 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet

72 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet What you need to do: Ipv6TestSubnetCidrBlock: Type: 'AWS::EC2::SubnetCidrBlock' Properties: Ipv6CidrBlock: 'Fn::Join': - '00' - - 'Fn::Select': - '0' - 'Fn::Split': - '00::/56' - 'Fn::Select': - '0' - 'Fn::GetAtt': - Vpc - Ipv6CidrBlocks - '::/64' SubnetId: Ref: PubSubnet1a DependsOn: VpcIpv6CidrBlock

73 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet What you need to do: Ipv6TestSubnetCidrBlock: Type: 'AWS::EC2::SubnetCidrBlock' Properties: Ipv6CidrBlock: 'Fn::Join': - '00' - - 'Fn::Select': - '0' - 'Fn::Split': - '00::/56' - 'Fn::Select': - '0' - 'Fn::GetAtt': - Vpc Look up the /56 CIDR Block - Ipv6CidrBlocks - '::/64' SubnetId: Ref: PubSubnet1a DependsOn: VpcIpv6CidrBlock

74 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet What you need to do: Ipv6TestSubnetCidrBlock: Type: 'AWS::EC2::SubnetCidrBlock' Properties: Ipv6CidrBlock: 'Fn::Join': - '00' - - 'Fn::Select': - '0' - 'Fn::Split': - '00::/56' - 'Fn::Select': Split on 00::/56 and grab the 1 st part - '0' - 'Fn::GetAtt': - Vpc - Ipv6CidrBlocks - '::/64' SubnetId: Ref: PubSubnet1a DependsOn: VpcIpv6CidrBlock

75 Some CloudFormation IPv6 nonsense What the docs say: Ipv6TestSubnetCidrBlock: Type: "AWS::EC2::SubnetCidrBlock" Properties: Ipv6CidrBlock:!Ref Ipv6SubnetCidrBlock SubnetId:!Ref Ipv6TestSubnet What you need to do: Ipv6TestSubnetCidrBlock: Type: 'AWS::EC2::SubnetCidrBlock' Properties: Ipv6CidrBlock: 'Fn::Join': - '00' - - 'Fn::Select': - '0' - 'Fn::Split': - '00::/56' - 'Fn::Select': - '0' - 'Fn::GetAtt': Join your chosen: Subnet hextet, AWS assigned prefix & /::64 - Vpc - Ipv6CidrBlocks - '::/64' SubnetId: Ref: PubSubnet1a DependsOn: VpcIpv6CidrBlock

76 Auditing (VPC Flow Logs)

77 Auditing (VPC Flow Logs) elastic network adapter elastic network adapter flow logs

78 So we re done?

79 BIG

80 BIG

81 BIG

82 BIG

83 BIG No! There s more!

84 You can have lots of VPCs Baby Baby Baby Baby Baby Baby

85 Baby Baby Baby So why have multiple VPCs? Baby Baby Baby

86 Baby Baby Baby So why have multiple VPCs? Baby Baby Baby Question: Why have multiple AWS accounts?

87 Why have multiple accounts?

88 Why have multiple accounts? Damage limitation

89 Why have multiple accounts? Damage limitation Control/Autonomy

90 Why have multiple accounts? Damage limitation Control/Autonomy

91 Why have multiple accounts? Damage limitation Control/Autonomy Regulation

92 Why have multiple accounts? Damage limitation Control/Autonomy Regulation Disaster Recovery

93 But I need my resources to communicate with those in other VPCs!

94 Use VPC Peering A B

95 VPC Peering

96 VPC peering got much better in the last year!

97 VPC peering got much better in the last year! Reference Security Groups in peered VPCs

98 Reference Security Groups in peered VPCs e.g. VPC A Security Group ID sg a allows inbound port 80 from Security Group ID sg b which is applied to resources in VPC B A B

99 VPC peering got much better in the last year! Reference Security Groups in peered VPCs Resolve DNS in peered VPCs

100 Resolve DNS in peered VPCs e.g. When VPC A resolves ec eu-west- 2.compute.amazonaws.com which lives in VPC B, it resolves to not A B

101 VPC peering got much better in the last year! Reference Security Groups in peered VPCs Resolve DNS in peered VPCs

102 VPC peering got much better in the last year! Reference Security Groups in peered VPCs Resolve DNS in peered VPCs AWS have good (not cheap) transit VPC solutions

103 VPC peering limitations

104 VPC peering limitations Unique address space required

105 VPC peering limitations Unique address space required No VPC Transit

106 No (native) VPC transit

107 VPC peering full mesh

108 Why would I want to transit a VPC anyway?

109 Why would I want to transit a VPC anyway? Force all traffic through central firewall(s)

110 Force all traffic through central firewall(s)

111 Force all traffic through central firewall(s) local routes create real challenges!

112 Force all traffic through central firewall(s) Local Routes create real challenges! Subnet A Web Subnet B FW/ IDS Subnet C DB

113 Force all traffic through central firewall(s) Local Routes create real challenges! Subnet A Web Subnet B FW/ IDS Subnet C DB

114 Force all traffic through central firewall(s) Local Routes create real challenges! Subnet A Web Subnet B FW/ IDS Subnet C DB

115 Force all traffic through central firewall(s) Local Routes create real challenges! Subnet A Web Subnet B FW/ IDS Subnet C DB

116 Force all traffic through central firewall(s) Local Routes create real challenges! Subnet A Web Subnet B P FW/ IDS Subnet C DB

117 Route53 (health checked & RR/weighted DNS) query Clients Customer-VPC /16 AZ A AZ B Routing Table: /16 via local /0 via IGW Routing Table: /24 via connected /24 via connected /0 via AWS Pub1 RT /24 via CiscoASA-A-int-A /24 via CiscoASA-A-int-A /24 via CiscoASA-A-int-A /24 via CiscoASA-A-int-A Routing Table: /24 via connected /24 via connected /0 via AWS Pub2 RT /32 via F5-int-B /24 via CiscoFP-A-int-A /24 via CiscoFP-A-int-A /24 via CiscoFP-A-int-A /24 via CiscoFP-A-int-A Routing Table: /24 via connected /24 via connected /0 via CiscoASA-int-B /32 via CiscoASA-int-B /24 via AWS Pri RT-A-int-A /24 via AWS Pri RT-A-int-A /24 via AWS Pri RT-A-int-A /24 via AWS Pri RT-A-int-A Routing Table: /16 via local via CiscoFP-A-int-B via CiscoFP-B-int-B /0 via CiscoASA-A-int-B AWS Pub1 RT SNAT to PubSub2A /24 AWS Pri RT-A A B C D PubSub1A /24 TransitSub1A /24 TransitSub2A / /24 - DBSub1A CiscoASA-A /24 - WebFarmSub1A Web-i /24 WebFarmSub2A Web2-i1 A LbSG1 F5-A B A CiscoFP-A B Web-i2 A B WebSG2 Web2-i2 DB-SG1 DB-i1 EIP1 WebSG1 Web-i3 Web2-i3 EIP3 Co-lo AWS Pub2 RT AWS RT (unused) CiscoASA IGW VGW AWS Pub2 RT AWS RT (unused) CiscoASA EIP4 PubSub1B /24 EIP2 PubSub2B /24 CiscoASA-B B TransitSub1B / /24 - DBSub1B DB-SG1 DB-i2 Author A B TransitSub2B /24 A /24 WebFarmSub2B /24 WebFarmSub2B Diagram Status A LbSG1 F5-B B A CiscoFP-B WebSG1 Web-i41 Web-i5 Web-i6 WebSG2 Web2-i4 Web2-i5 Web2-i6 SNAT to B C D Carl Simpson Zen Internet Ltd Draft Version 3 Date 27/08/2015 AWS Pub1 RT AWS Pri RT-B Routing Table: /16 via local /0 via IGW Routing Table: /24 via connected /24 via connected /0 via AWS Pub1 RT /24 via CiscoASA-B-int-A /24 via CiscoASA-B-int-A /24 via CiscoASA-B-int-A /24 via CiscoASA-B-int-A Routing Table: /24 via connected /24 via connected /0 via AWS Pub2 RT /32 via F5-int-B /24 via CiscoFP-B-int-A /24 via CiscoFP-B-int-A /24 via CiscoFP-B-int-A /24 via CiscoFP-B-int-A Routing Table: /24 via connected /24 via connected /0 via CiscoASA-int-B /32 via CiscoASA-int-B /24 via AWS Pri RT-B-int-A /24 via AWS Pri RT-B-int-A /24 via AWS Pri RT-A-int-A /24 via AWS Pri RT-A-int-A Routing Table: /16 via local via CiscoFP-B-int-B via CiscoFP-A-int-B /0 via CiscoASA-int-B AZ C: SNAT F5 load balancer /24 PubSub1C /24 PubSub2C /24 TransitSub1C /24 TransitSub2C /24 WebFarmSub1C /24 WebFarmSub2C /24 DbSub1C Force all (inter-subnet) traffic through a firewall (for IDS/IPS)

118 Why would I want to transit a VPC anyway? Force all traffic through a firewall Privately route between VPCs in remote regions

119 AWS Global VPC Transit Solution

120 Direct Connect

121 Why use Direct Connect?

122 Why use Direct Connect? Lower latency

123 EU-WEST-1 (Dublin) You Are Here! EU-WEST-2 (London)

124 EU-WEST-1 (Dublin) Manchester EU-WEST-2 (London)

125 EU-WEST-1 (Dublin) Manchester EU-WEST-2 (London)

126 EU-WEST-1 (Dublin) Manchester Best Direct Connect Path EU-WEST-2 (London)

127 Why use Direct Connect? Lower latency X

128 Why use Direct Connect? Lower latency Service Level Agreement X

129 Lets check the AWS Direct Connect FAQs: Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?

130 Lets check the AWS Direct Connect FAQs: Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)? Answer: Not at this time.

131 Why use Direct Connect? Lower latency Service Level Agreement X X

132 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth X X

133 AWS Direct Connect Bandwidth

134 AWS Direct Connect Bandwidth Provides 1 Gbps and 10 Gbps ports

135 AWS Direct Connect Bandwidth Provides 1 Gbps and 10 Gbps ports Now supports LACP

136 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth X X

137 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance X X

138 Consistent Network Performance?

139 Consistent Network Performance? Dedicated Links

140 Consistent Network Performance? Dedicated Links Isolated from Internet Routing changes

141 Consistent Network Performance? Dedicated Links Isolated from Internet Routing changes More controlled environment

142 Consistent Network Performance? Dedicated Links Isolated from Internet Routing changes More controlled environment

143 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance X X

144 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance Private Connectivity to Amazon VPC X X

145 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance Private Connectivity to Amazon VPC Private Connectivity to AWS public services X X

146 Connectivity Options - Single Site Solution VGW Customer Office

147 Connectivity Options - Single Site Solution Use Zen, we can provide this! :-) VGW Customer Office

148 Connectivity Options - Multi-site solution VGW Customer IPVPN/ MPLS Customer Office(s) Customer Data Centre(s)

149 Connectivity Options - Multi-site solution Use Zen, we can provide this too! :-) VGW Customer IPVPN/ MPLS Customer Office(s) Customer Data Centre(s)

150 Connectivity Options Multi-site solution (private and public) Use Zen, we can provide this too! :-) VGW Customer IPVPN/ MPLS Customer Office(s) Customer Data Centre(s) Amazon SQS Public Services Lambda function Amazon S3 Customer Requires Public IP space for access to public services!

151 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance Private Connectivity to Amazon VPC Private Connectivity to AWS public services X X

152 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance Private Connectivity to Amazon VPC Private Connectivity to AWS public services X X

153 Why use Direct Connect? Lower latency Service Level Agreement High Bandwidth Consistent Network Performance Private Connectivity to Amazon VPC Private Connectivity to AWS public services X X

154 So how do I get Direct Connect?

155 So how do I get Direct Connect? DIY connection 1G or 10G bandwidth options only Build your network out to a direct connect location

156 So how do I get Direct Connect? DIY connection 1G or 10G bandwidth options only Build your network out to a direct connect location Hosted connection 50M bandwidth and up Partner may bring the connection to you

157 Direct Connect - A little more detail

158 Direct Connect Routing Amazon ASN Customer/Partner ASN VLAN 1 VGW AWS Router Customer /Partner Router

159 Direct Connect Routing Amazon ASN ebgp VLAN 1 Customer/Partner ASN VGW AWS Router Customer /Partner Router

160 Direct Connect Routing Amazon ASN Announce Routes ebgp VLAN 1 Announce Routes Customer/Partner ASN VGW AWS Router Customer /Partner Router

161 Direct Connect Routing MED and AS PATH prepending supported Announce Routes Announce Routes Amazon ASN ebgp VLAN 1 Customer/Partner ASN VGW AWS Router Customer /Partner Router

162 Direct Connect Routing MED and AS PATH prepending supported Announce Routes Announce Routes Amazon ASN ebgp Customer/Partner ASN Direct Connect preferred over VPN connection VGW AWS Router VLAN 1 Customer /Partner Router

163 What we ve covered: VPC VPC End Points VPC Peering Direct Connect

164 Final thing

165 Public Cloud Connect AWS (EU-West) Regions Public Cloud Connect: for multi-cloud access Customer Site 1 Customer Site 2 Another Cloud Provider Customer Site n

166 Thanks!

167 Questions?