Creating your Virtual Data Centre: VPC Fundamentals and Connectivity Options
Paul Burne, Senior Technical Account Manager, Enterprise Support - 28th June 2017
2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
[Diagram: EC2 instances, each with a public IP (54.4.5.6, 54.2.3.4) and private VPC addresses (172.31.0.128, 172.31.1.24, 172.31.0.129, 172.31.1.27)]
What to Expect from the Session
Get familiar with VPC concepts.
Walk through a basic VPC setup.
Learn about the ways in which you can tailor your virtual network to meet your needs.
Setting up an Internet Connected VPC
Creating an Internet-connected VPC: four steps
1. Choosing an address range
2. Setting up subnets in Availability Zones
3. Creating a route to the Internet
4. Authorizing traffic to/from the VPC
Choosing an IP Address Range
CIDR Notation Review
CIDR range example: 172.31.0.0/16
In binary: 10101100 00011111 00000000 00000000 (the /16 means the first 16 bits are the fixed network prefix; the remaining 16 bits are host addresses)
Choosing an IP Address Range for your VPC: 172.31.0.0/16
Recommended: an RFC1918 range
Recommended: a /16 (64K addresses)
Subnets
VPC Subnets and Availability Zones
VPC: 172.31.0.0/16
Availability Zone eu-west-1a: VPC subnet 172.31.0.0/24
Availability Zone eu-west-1b: VPC subnet 172.31.1.0/24
Availability Zone eu-west-1c: VPC subnet 172.31.2.0/24
VPC Subnet Recommendations
/16 VPC (64K addresses)
/24 subnets (251 usable addresses each)
One subnet per Availability Zone
Route to the Internet
Routing in your VPC
Route tables contain rules for which packets go where.
Your VPC has a default route table, but you can assign different route tables to different subnets.
Routing Table: traffic destined for my VPC stays in my VPC.
Internet Gateway: send packets here if you want them to reach the Internet.
Routing Table: everything that isn't destined for the VPC is sent to the Internet (via the Internet Gateway).
Network Security in VPC: Network ACLs and Security Groups
Network ACLs: stateless firewalls that can be applied on a subnet basis.
English translation of the rule shown: Allow all traffic in.
Security Groups Follow Application Structure
[Diagram: the MyWebServers Security Group in front of the MyBackends Security Group; MyBackends allows only MyWebServers]
Security Groups Example: MyWebServers. In English: hosts in this group are reachable from the Internet on port 80 (HTTP).
Security Groups Example: MyBackends. In English: only instances in the MyWebServers Security Group can reach instances in this Security Group.
Security Groups in VPC: Additional Notes
Follow the Principle of Least Privilege.
VPC allows creation of egress as well as ingress Security Group rules.
Many application architectures lend themselves to a 1:1 relationship between Security Groups (who can reach me) and IAM roles (what I can do).
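An added example (not from the deck) modelling how the MyWebServers and MyBackends rules above are evaluated: a rule either names a CIDR or references another Security Group, and a flow is admitted only if some rule on the destination's groups matches it. The backend port (8080), the instance IPs and group memberships are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    cidr: Optional[str] = None          # match by source address range, e.g. "0.0.0.0/0"
    source_group: Optional[str] = None  # match by the source instance's Security Group


# Constructed model of the deck's two groups. Port 8080 for the backend is an assumption;
# the deck only says MyBackends is reachable from MyWebServers.
GROUPS = {
    "MyWebServers": [Rule("tcp", 80, cidr="0.0.0.0/0")],
    "MyBackends": [Rule("tcp", 8080, source_group="MyWebServers")],
}

# Constructed group membership, keyed by each instance's private IP.
MEMBERSHIP = {
    "172.31.0.128": {"MyWebServers"},
    "172.31.1.24": {"MyBackends"},
}


def ingress_allowed(src_ip: str, dst_ip: str, proto: str, port: int,
                    groups=GROUPS, membership=MEMBERSHIP) -> bool:
    """True if any rule on any of dst's groups admits the flow.

    Security Groups are stateful: only the initiating direction needs a rule,
    so reply packets are never evaluated here. Sources outside the VPC (e.g. the
    Internet) belong to no group and can only match CIDR rules."""
    src = ipaddress.ip_address(src_ip)
    src_groups = membership.get(src_ip, set())
    for group in membership.get(dst_ip, set()):
        for rule in groups[group]:
            if rule.proto != proto or rule.port != port:
                continue
            if rule.cidr and src in ipaddress.ip_network(rule.cidr):
                return True
            if rule.source_group and rule.source_group in src_groups:
                return True
    return False
```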
Connectivity Options for VPCs
Beyond Internet Connectivity
Restricting Internet access
Connecting to other VPCs
Connecting to your corporate network
Restricting Internet Access by Subnet
Routing by Subnet
[Diagram: one VPC subnet has a route to the Internet; another VPC subnet has no route to the Internet]
Outbound-only Internet Access: NAT Gateway
[Diagram: the private subnet's 0.0.0.0/0 route points at a NAT Gateway (public IP 54.161.0.39) in a second subnet whose own 0.0.0.0/0 route leads to the Internet]
Inter-VPC Connectivity: VPC Peering
Example VPC Peering Use: Shared Services VPC
Common/core services: authentication/directory, monitoring, logging, remote administration, scanning
Security Groups Across Peered VPCs
[Diagram: VPC 172.31.0.0/16 and VPC 10.55.0.0/16 joined by VPC Peering; the Orange Security Group has an ALLOW rule referencing the Blue Security Group in the peered VPC]
Establish VPC Peering (between 172.31.0.0/16 and 10.55.0.0/16)
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create route. In English: traffic destined for the peered VPC should go to the peering
Connecting to On-premises Networks: Virtual Private Network & Direct Connect
Extend an On-Premises Network Into Your VPC: VPN or Direct Connect
AWS VPN basics
[Diagram: on-premises network 192.168.0.0/16 with a Customer Gateway (your networking device) connected by two IPSec tunnels to the Virtual Gateway of VPC 172.31.0.0/16]
VPN and Amazon Direct Connect
Both allow secure connections between your network and your VPC.
VPN is a pair of IPSec tunnels over the Internet.
Direct Connect is a dedicated line with lower per-GB data transfer rates.
For highest availability: use both.
VPC and the Rest of AWS
VPC and the Rest of AWS
AWS Services in Your VPC
VPC Endpoints for Amazon S3
DNS in-VPC with Amazon Route53
Logging VPC Traffic with VPC Flow Logs
AWS Services in Your VPC
Best practices for in-VPC AWS services
Many AWS services support running in-VPC.
Use Security Groups for least-privilege network access.
For best availability, use multiple Availability Zones: Multi-AZ RDS deployments; use a zonal mount point for EFS access.
Example: Amazon RDS database in Your VPC Reachable via DNS Name: mydb-cluster-1.us-west-2.rds.amazonaws.com
Example: AWS Lambda Function in Your VPC
VPC Endpoints
S3 and Your VPC
[Diagram: your applications in the VPC reaching your data in an S3 Bucket]
AWS VPC Endpoints for S3
Route S3-bound traffic to the VPC Endpoint (VPCE) instead of the Internet.
IAM Policy for VPC Endpoints
IAM Policy at the VPC Endpoint: restrict the actions the VPC can take in S3.
IAM Policy at the S3 Bucket: make the bucket accessible from the VPC Endpoint only.
DNS in a VPC
VPC DNS options
Use the Amazon DNS server.
Have EC2 auto-assign DNS hostnames to instances.
Route53 Private Hosted Zones
Example: demohostedzone.org -> 172.31.0.99 (Private Hosted Zone)
VPC Flow Logs: VPC traffic Metadata in Amazon CloudWatch Logs
VPC Flow Logs
Visibility into the effects of Security Group rules
Troubleshooting network connectivity
Ability to analyze traffic
VPC Flow Logs: setup. VPC traffic metadata is captured in CloudWatch Logs.
VPC Flow Logs data in CloudWatch Logs
Who's this? # dig +short -x 109.236.86.32 internetpolice.co.
UDP port 53 = DNS; action: REJECT
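An added example (not from the deck) that parses the default version-2 Flow Log record format and counts REJECTed flows by source, protocol and destination port, which is how you would spot the rejected UDP/53 traffic from 109.236.86.32 shown above. The log lines are constructed; the account ID, ENI ID and timestamps are placeholders.

```python
from collections import Counter

# Default (version 2) VPC Flow Log record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records. 109.236.86.32 is the source shown in the deck; the
# account, ENI and epoch timestamps are placeholders, not real values.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 109.236.86.32 172.31.0.128 41234 53 17 1 78 1498636800 1498636860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 109.236.86.32 172.31.0.128 41235 53 17 1 78 1498636800 1498636860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.9 172.31.0.128 51000 80 6 12 2140 1498636800 1498636860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 172.31.0.128 60001 22 6 1 60 1498636800 1498636860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1498636800 1498636860 - NODATA
"""


def parse_record(line: str):
    """Parse one record into a dict, or None for malformed or NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA records carry '-' in the flow fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def rejected_flows(log_text: str) -> Counter:
    """Count flows a Security Group or Network ACL dropped, keyed by (srcaddr, proto, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            proto = PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))
            counts[(rec["srcaddr"], proto, rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, port), n in rejected_flows(SAMPLE_LOG).most_common():
        print(f"{src} -> {proto}/{port}: {n} rejected flow(s)")
```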
VPC: Your Private Network in AWS
The VPC network
VPC Connectivity
VPC Network Security
Want to Dive Deeper? Visit the AWS YouTube Channel
NET303 - Next-Gen Networking: New Capabilities for Amazon's Virtual Private Cloud
NET304 - Moving Mountains: Netflix's Migration Into VPC
NET401 - Another Day, Another Billion Packets
NET402 - Deep Dive: AWS Direct Connect and VPN
NET404 - Making Every Packet Count
Thank you!