If you are interested to know more about AWS Chicago Summit, please use the following to register: http://amzn.to/1RooPPL
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this webinar, we discuss advanced networking features in Amazon VPC, including VPC Peering, Enhanced Networking, ClassicLink, and private connectivity.
Learning Objectives:
• Learn how to enable Enhanced Networking to reduce latency
• Understand the use cases for advanced VPC features including VPC Peering
• For EC2-Classic customers, learn how ClassicLink enables you to adopt VPC incrementally
Who Should Attend:
• DevOps Engineers and System Architects responsible for VPC design and implementation
2. Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
ARC205 – VPC Fundamentals and Connectivity
ARC401 – Black Belt Networking for Cloud Ninja
• Application centric, network monitoring, management, floating IPs
ARC403 – From One to Many: Evolving VPC Design
SDD302 – A Tale of One Thousand Instances
• Example of EC2-Classic customer adopting VPC
SDD419 – Amazon EC2 Networking Deep Dive
• Network performance, placement groups, enhanced networking
5. Virtual networking options
• EC2-Classic – simple to get started: all instances have Internet connectivity and auto-assigned private and public IP addresses; security groups filter inbound traffic only.
• Default VPC – the best of both: start with the EC2-Classic experience and, if and when needed, begin using any VPC feature you require.
• VPC – advanced virtual networking services: ENIs and multiple IPs, route tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come.
All accounts created after 12/4/2013 support VPC only and have a default VPC in each region.
13. Using AWS Direct Connect
[Figure: corporate data center linked to the VPC over AWS Direct Connect]
# Request a 1 Gbps connection at the EqSE2 location
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
# Private virtual interface on VLAN 10 terminating on the VGW; asn is the customer side of the BGP session, authKey is the BGP MD5 password (use a real secret, not "testing"), and amazonAddress/customerAddress are the two ends of the BGP peering link
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
14. Configuring route table
[Figure: corporate data center 192.168.0.0/16 reached through the VGW]
# Send all non-local traffic, Internet-bound included, to the corporate data center through the VGW
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC is created with one route table, the main route table; every subnet that is not explicitly associated with another table uses it. The local route for the VPC's own CIDR is always present and cannot be deleted.
15. Remote connectivity best practices
[Figure: corporate data center with one VPN connection to a VPC spanning two Availability Zones]
Each VPN connection consists of 2 IPsec tunnels, terminating on two different AWS endpoints. Use BGP for failure recovery, so the customer gateway fails over between the tunnels automatically instead of relying on static routes.
16. Remote connectivity best practices
[Figure: two customer gateways, each with its own VPN connection to the VGW]
A pair of VPN connections (4 IPsec tunnels total), each from a separate customer gateway device, protects against failure of your customer gateway. A second connection from the same device only protects against tunnel failure.
17. Remote connectivity best practices
[Figure: redundant AWS Direct Connect connections plus a VPN connection as backup]
Redundant AWS Direct Connect connections with VPN backup. The VGW prefers a prefix learned over Direct Connect to the same prefix learned over VPN, so the VPN path carries traffic only while both Direct Connect connections are down.
18. VPC with private and public connectivity
[Figure: corporate data center 192.168.0.0/16 via the VGW, Internet via the IGW]
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
# Swap the default route from the VGW to the IGW; create-route fails while the old entry exists, so delete it first (replace-route does both in one call, with no window in which the table has no default route)
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
# Only the corporate prefix now goes to the data center
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7
19. Automatic route propagation from VGW
[Figure: corporate data center 192.168.0.0/16 via the VGW, routes learned over BGP]
# Replace the static corporate route with the routes the VGW learns over BGP
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7
Propagation automatically updates the route table(s) with the routes present in the VGW, so prefixes advertised by the data center appear without manual edits. Two cautions: a static route to the same prefix takes precedence over the propagated one, and whatever the remote side advertises lands in your table, so review what the customer gateway is allowed to announce.
20. Isolating connectivity by subnet
[Figure: corporate 192.168.0.0/16 via the VGW; a separate subnet 10.10.3.0/24 with Internet-only routing]
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
aws ec2 create-route-table --vpc-id vpc-c15180a4
aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
# The new table starts with only the local route, so the default route goes into it (not into the main table rtb-ef36e58a, which already has one)
aws ec2 create-route --route-table-id rtb-fc61b299 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only to other instances in the VPC and to the Internet via the IGW: its table has no route to the VGW and no route propagation, so it cannot reach the corporate network.
22. Software VPN for VPC-to-VPC connectivity
[Figure: two VPCs, each with a VPN instance; the software VPN runs between these instances]
23. Software VPN for VPC-to-VPC connectivity
[Figure: instances in two subnets communicating across the software VPN]
Enabling communication between instances in these subnets: add a route for the remote VPC's CIDR to each VPC's default route table, pointing at the local VPN instance. Because that instance forwards packets not addressed to itself, source/destination checking must be disabled on it.
24. Software firewall to the Internet
Routing all traffic from subnets to the Internet via a firewall is conceptually similar: the main table points the default route at the firewall instance, and the firewall's own subnet uses a table that points at the IGW (otherwise the firewall would route its own outbound traffic back to itself). The firewall instance needs source/destination checking disabled and a public or Elastic IP.
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 (the firewall's subnet) directs to the Internet
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
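The route-table designs in slides 14 to 24 all come down to which table a subnet uses and which target its longest-matching route points at. The following Python is an added example written for this page, not code from the webinar or from AWS: it takes output in the shape of aws ec2 describe-route-tables (a constructed sample, using the deck's own identifiers, models VPC A after slide 24), picks the table for a subnet, resolves a destination the way the VPC router does, and flags tables that reach the Internet directly or the corporate network through the VGW. The sample data and the finding names are assumptions; the API field names are the real ones.

```python
import ipaddress
import json

# Constructed sample (not real API output) in the shape returned by
# `aws ec2 describe-route-tables`: the main table sends the default route to the
# NAT/firewall instance and learns the corporate prefix from the VGW; the table
# for the 10.10.3.0/24 subnet goes straight to the IGW.
SAMPLE = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-ef36e58a", "VpcId": "vpc-c15180a4",
     "Associations": [{"Main": True}],
     "PropagatingVgws": [{"GatewayId": "vgw-f9da06e7"}],
     "Routes": [
         {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-f832afcc",
          "Origin": "CreateRoute", "State": "active"},
         {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-f9da06e7",
          "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-67a2b31c", "VpcId": "vpc-c15180a4",
     "Associations": [{"Main": False, "SubnetId": "subnet-60975a17"}],
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-5a1ae13f",
          "Origin": "CreateRoute", "State": "active"}]}]})

TARGET_KEYS = ("GatewayId", "InstanceId", "NatGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId")


def target_of(route):
    """The route's next hop, whichever field the API populated."""
    return next((route[k] for k in TARGET_KEYS if k in route), None)


def table_for_subnet(tables, subnet_id):
    """An explicit association wins; otherwise the subnet uses the main table."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))


def next_hop(describe_output, subnet_id, dst_ip):
    """Longest-prefix match as the VPC router does it; for identical prefixes a
    static route beats a propagated one."""
    tables = json.loads(describe_output)["RouteTables"]
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in table_for_subnet(tables, subnet_id)["Routes"]:
        if r.get("State") != "active" or "DestinationCidrBlock" not in r:
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net:
            rank = (net.prefixlen, r.get("Origin") != "EnableVgwRoutePropagation")
            if best is None or rank > best[0]:
                best = (rank, target_of(r))
    return best[1] if best else None


def audit(describe_output):
    """Per-table findings to check before trusting an isolation design."""
    findings = {}
    for t in json.loads(describe_output)["RouteTables"]:
        default = next((r for r in t["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        hop = target_of(default) if default else None
        findings[t["RouteTableId"]] = {
            "main": any(a.get("Main") for a in t["Associations"]),
            "default_target": hop,
            # Internet reached directly rather than through the firewall instance
            "internet_direct": bool(hop and hop.startswith("igw-")),
            # corporate network reachable through the VGW (static or propagated)
            "vgw_reachable": any((target_of(r) or "").startswith("vgw-")
                                 for r in t["Routes"]),
            "propagating_vgws": [p["GatewayId"] for p in t["PropagatingVgws"]],
        }
    return findings


if __name__ == "__main__":
    for tid, f in audit(SAMPLE).items():
        print(tid, f)
    print("subnet-60975a17 -> 192.168.1.1 via",
          next_hop(SAMPLE, "subnet-60975a17", "192.168.1.1"))
```

Run it against real output by piping aws ec2 describe-route-tables into SAMPLE's place; a subnet that should be isolated from the data center must show vgw_reachable false and an empty propagating_vgws on its table, and a design that forces Internet traffic through a firewall must show internet_direct only on the firewall's own table.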
29. VPC peering across accounts
# Requested from the account that owns VPC A
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In the owner account 472752909333 of VPC B
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
The connection passes no traffic until each side adds a route for the other VPC's CIDR pointing at pcx-ee56be87 and opens its security groups to the peer's addresses.
VPC A - 10.10.0.0/16 (vpc-c15180a4)
VPC B - 10.20.0.0/16 (vpc-062dfc63), Account ID 472752909333
30. VPC peering – Additional considerations
Security groups – allow access by the peer VPC's IP prefixes; as of this deck a rule cannot reference a security group in the peer VPC
No “transit” capability for VPN, AWS Direct Connect, or 3rd VPCs: a peering connection carries only traffic between the two VPCs it joins
• Example: Cannot access VPC C from VPC A via VPC B, and VPC B cannot use VPC A's VPN or Direct Connect
• Workaround: Create a direct peering from VPC A to VPC C
Peer VPC address ranges cannot overlap
• But, you can peer with 2+ VPCs that themselves overlap, as long as neither overlaps with you
• Use subnets/routing tables to pick the VPC to use: the same prefix points at a different pcx in each subnet's route table
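The three rules on this slide are easy to state and easy to get wrong in a topology with several VPCs. As an added example, not part of the webinar and not AWS code, the Python below models VPCs as CIDRs and peerings as pairs, rejects any peering whose two ends overlap, answers reachability without transit, and shows where a destination address is ambiguous because two peers share a range (the case the slide says subnet route tables must resolve). The VPC names A, B, C and their ranges are a constructed topology.

```python
import ipaddress

# Constructed topology: A peers with B and with C. B and C reuse the same range,
# which is permitted because B and C are not peered with each other.
VPCS = {"A": "10.10.0.0/16", "B": "10.20.0.0/16", "C": "10.20.0.0/16"}
PEERINGS = [("A", "B"), ("A", "C")]


def peering_errors(vpcs, peerings):
    """vpcs: {name: cidr}; peerings: iterable of (a, b) pairs.
    The two ends of each peering must not overlap; VPCs that are not peered
    with each other may. Returns a list of problems, empty when acceptable."""
    errors = []
    for a, b in peerings:
        na, nb = ipaddress.ip_network(vpcs[a]), ipaddress.ip_network(vpcs[b])
        if na.overlaps(nb):
            errors.append(f"{a} {na} overlaps {b} {nb}: peering would be rejected")
    return errors


def reachable(peerings, src, dst):
    """Peering is not transitive: dst is reachable from src only over a peering
    that joins the two directly. A path through a third VPC, or through a VPN
    or Direct Connect attached to the peer, never counts."""
    return any({src, dst} == {a, b} for a, b in peerings)


def peers_containing(vpcs, peerings, src, dst_ip):
    """Peers of src whose CIDR contains dst_ip. More than one answer means a
    single route table cannot choose the VPC by destination alone; each
    subnet's table must carry its own route for that prefix pointing at the
    pcx of the VPC that subnet is meant to talk to."""
    ip = ipaddress.ip_address(dst_ip)
    peers = {b if a == src else a for a, b in peerings if src in (a, b)}
    return sorted(p for p in peers if ip in ipaddress.ip_network(vpcs[p]))


if __name__ == "__main__":
    print("errors:", peering_errors(VPCS, PEERINGS))
    print("A->C direct:", reachable(PEERINGS, "A", "C"))
    print("B->C via A:", reachable(PEERINGS, "B", "C"))
    print("10.20.1.7 from A could be in:", peers_containing(VPCS, PEERINGS, "A", "10.20.1.7"))
```

Adding the peering ("B", "C") to PEERINGS makes peering_errors report the overlap, which is exactly what the API would refuse; the ambiguous answer from peers_containing is the signal to give each subnet in A its own route table as the slide suggests.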
31. VPC peering with software firewall
VPC A - 10.10.0.0/16 VPC B - 10.20.0.0/16
# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 (the firewall's subnet) directs to the Peering
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
Caveat: the peering delivers packets arriving from VPC B straight to their destination in VPC A, bypassing the firewall. Only flows that VPC A initiates are inspected, and their replies return through the firewall only because it NATs them to its own address; to inspect B-initiated traffic, VPC B needs the same arrangement on its side.
37. SR-IOV: Is this thing on?
It may already be! For many newer AMIs, enhanced networking is already enabled and needs no configuration:
• Newest Amazon Linux AMIs
• Windows Server 2012 R2 AMI
Check rather than assume: the instance's sriovNetSupport attribute should read simple and the guest should be using the ixgbevf driver. Enhanced networking also requires a supported instance type and a VPC; it is not available in EC2-Classic.
52. VPC Endpoints for Amazon S3
• Highly reliable
• Designed for the largest workloads
• Use S3 from VPC without an Internet Gateway or NAT instance
• Additional security controls
53. VPC Endpoints for Amazon S3
[Figure: an instance in the VPC reaches the ‘mypics’ bucket in the same region through the VPC router and VPC Endpoint vpce-abcd1234]
55. VPC Endpoints for Amazon S3
[Figure: same topology, following a request from the instance to the bucket]
Application resolves mypics.s3.amazonaws.com
DNS responds with the usual public IP addresses for Amazon S3; the endpoint does not change name resolution
Application connects to the chosen IP address, and the VPC router, not DNS, steers the packet to the endpoint
56. VPC Endpoints for Amazon S3
[Figure: same topology, with the route table entry that sends S3 traffic to the endpoint]
Route table entry added when the endpoint is created:
Destination: pl-1a2b3c4d (Prefix List com.amazonaws.us-west-1.s3, the public address ranges of S3 in the region, maintained by AWS)
Target: vpce-abcd1234
57. VPC Endpoints for Amazon S3
[Figure: same topology, with a policy attached to the endpoint]
IAM Policy on VPC Endpoint vpce-abcd1234
Allow access to bucket A
Deny access to other buckets
60. VPC Endpoints for Amazon S3
[Figure: same topology, with a policy attached to the bucket]
IAM Policy on bucket ‘mypics’
Allow access from vpce-abcd1234
Deny all other
Caveat: a Deny conditioned on the request's source endpoint applies to every principal, including administrators using the console or CLI from outside the VPC. Test it before relying on it; if you lock yourself out, only the account root user can still delete the bucket policy.
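Slides 57 to 60 describe the two policies in words. As an added example, not part of the webinar and not AWS-provided code, the Python below writes both policies out (the endpoint policy restricting instances to the bucket, the bucket policy refusing requests that did not arrive via vpce-abcd1234) and runs a deliberately simplified IAM evaluation over them so the interaction, including the lock-out caveat, can be checked offline. The statement Sids, the action list and the assumed identity policy allowing s3:* are assumptions; aws:sourceVpce is the real condition key and the Deny-with-StringNotEquals pattern is the standard way to express "deny all other".

```python
import json
import re

BUCKET, ENDPOINT = "mypics", "vpce-abcd1234"


def endpoint_policy(bucket):
    """Attached to the endpoint: only `bucket` is usable through it; every other
    bucket is implicitly denied because nothing allows it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyThisBucket", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def bucket_policy(bucket, vpce):
    """Attached to the bucket: refuse every request that did not enter via `vpce`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce}}}]}


# Assumption for the simulation: the caller's IAM identity policy allows all of S3.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _glob(pattern, value):
    """IAM wildcard: '*' matches any run of characters."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _applies(stmt, req):
    if not any(_glob(a, req["action"]) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, req["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            have = req["context"].get(key)
            if op == "StringEquals" and have != want:
                return False
            # Negated operators match when the key is absent: a request that did
            # not come through any endpoint carries no aws:sourceVpce, so the
            # Deny applies to it. This is what locks out the console/CLI admin.
            if op == "StringNotEquals" and have == want:
                return False
    return True


def verdict(policy, req):
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, req)}
    return "deny" if "Deny" in effects else ("allow" if "Allow" in effects else "implicit")


def decide(bucket, key, action, source_vpce=None):
    """Simplified evaluation: any explicit Deny wins; otherwise the identity
    policy and, when the request came through an endpoint, the endpoint policy
    must both Allow. The bucket policy contributes only its Deny here."""
    resource = f"arn:aws:s3:::{bucket}/{key}" if key else f"arn:aws:s3:::{bucket}"
    req = {"action": action, "resource": resource,
           "context": {"aws:sourceVpce": source_vpce} if source_vpce else {}}
    layers, required = [IDENTITY_POLICY], [IDENTITY_POLICY]
    if bucket == BUCKET:
        layers.append(bucket_policy(BUCKET, ENDPOINT))
    if source_vpce:
        layers.append(endpoint_policy(BUCKET))
        required.append(endpoint_policy(BUCKET))
    if any(verdict(p, req) == "deny" for p in layers):
        return "deny"
    return "allow" if all(verdict(p, req) == "allow" for p in required) else "deny"


if __name__ == "__main__":
    print(json.dumps(endpoint_policy(BUCKET), indent=2))
    print(json.dumps(bucket_policy(BUCKET, ENDPOINT), indent=2))
    for case in [(BUCKET, "a.jpg", "s3:GetObject", ENDPOINT),
                 ("other", "a.jpg", "s3:GetObject", ENDPOINT),
                 (BUCKET, "a.jpg", "s3:GetObject", None)]:
        print(case, "->", decide(*case))
```

The third case is the one to notice: the same bucket policy that keeps the data inside the VPC also denies an administrator working from outside it, so scope the Deny (for example to the roles the instances use) or keep an exempted principal before applying it.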
62. AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new
customers about the AWS platform, best practices and new cloud services.
Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking
Registration is now open
• Come and see what AWS and the cloud can do for you.
63. CTA Script
- If you are interested in learning more about how to navigate the cloud to grow
your business - then attend the AWS Summit Chicago, July 1st.
- Register today to learn from technical sessions led by AWS engineers, hear best
practices from AWS customers and partners, and participate in some of the 30+
paid sessions and labs.
- Simply go to
https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootc
amps&trk=Webinar_slide
to register today.
- Registration is FREE.