If you are interested to know more about AWS Chicago Summit, please use the following to register: http://amzn.to/1RooPPL Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this webinar, we discuss advanced networking features in Amazon VPC, including VPC Peering, Enhanced Networking, ClassicLink, and private connectivity. Learning Objectives: • Learn how to enable Enhanced Networking to reduce latency • Understand the use cases for advanced VPC features including VPC Peering • For EC2-Classic customers, learn how ClassicLink enables you to adopt VPC incrementally Who Should Attend: • DevOps Engineers and System Architects responsible for VPC design and implementation

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kevin Miller, EC2 Networking
May 21, 2015
Deep Dive: Virtual Private Cloud

2. Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
ARC205 – VPC Fundamentals and Connectivity
ARC401 – Black Belt Networking for Cloud Ninja
• Application centric, network monitoring, management, floating IPs
ARC403 – From One to Many: Evolving VPC Design
SDD302 – A Tale of One Thousand Instances
• Example of EC2-Classic customer adopting VPC
SDD419 – Amazon EC2 Networking Deep Dive
• Network performance, placement groups, enhanced networking

3. aws vpc –-expert-mode

4. Topics today

5. Virtual networking options
EC2-Classic
Simple to get started –
all instances have
Internet connectivity,
auto-assigned private
and public IP addresses
Inbound security groups
Default VPC
The best of both
Get started using the
EC2-Classic
experience
If and when needed,
begin using any VPC
feature you require
VPC
Advanced virtual
networking services:
ENIs and multiple IPs
routing tables
egress security groups
network ACLs
private connectivity
Enhanced networking
And more to come...

6. Virtual networking options
EC2-Classic
Simple to get started –
all instances have
Internet connectivity,
auto-assigned private
and public IP addresses
Inbound security groups
Default VPC
The best of both
Get started using the
EC2-Classic
experience
If and when needed,
begin using any VPC
feature you require
VPC
Advanced virtual
networking services:
ENIs and multiple IPs
routing tables
egress security groups
network ACLs
private connectivity
Enhanced networking
And more to come...
All accounts created after
12/4/2013 support VPC
only and have a default
VPC in each region

7. Confirming your default VPC
describe-account-attributes
VPC only

8. Routing and private connections

9. Implementing a hybrid architecture
Corporate Data Center

10. Create VPC
Corporate Data Center
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

11. Create VPN connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

12. Launch instances
Corporate Data Center
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

13. Using AWS Direct Connect
Corporate Data Center
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new
virtualInterfaceName=Foo, vlan=10, asn=60, authKey=testing,
amazonAddress=192.168.0.1/24, customerAddress=192.168.0.2/24,
virtualGatewayId=vgw-f9da06e7

14. Configuring route table
Corporate Data Center
192.168.0.0/16
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single
routing table at creation time,
used by all subnets

15. Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Each VPN connection
consists of 2 IPSec
tunnels. Use BGP for
failure recovery.

16. Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
A pair of VPN
connections (4 IPSec
tunnels total) protects
against failure of your
customer gateway

17. Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Redundant AWS Direct
Connect connections
with VPN backup

18. VPC with private and public connectivity
Corporate Data Center
192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7

19. Automatic route propagation from VGW
Corporate Data Center
192.168.0.0/16
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing
table(s) with routes present in the VGW

20. Isolating connectivity by subnet
Corporate
192.168.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only
to other instances and the
Internet via the IGW

21. Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 –-instance-id i-9c1b693a

22. Software VPN for VPC-to-VPC connectivity
Software VPN
between these
instances

23. Software VPN for VPC-to-VPC connectivity
Enabling communication
between instances in these
subnets; adding routes to the
default routing table

24. Software firewall to the Internet
Routing all traffic from subnets
to the Internet via a firewall is
conceptually similar
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

25. VPC Peering

26. Shared services VPC using VPC peering
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning

27. Provides infrastructure zoning
Dev: VPC B
Test: VPC C
Production: VPC D

28. VPC peering for VPC-to-VPC connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63

29. VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
--peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333

30. VPC peering – Additional considerations
Security groups – use IP prefixes to allow access
No “transit” capability for VPN, AWS Direct Connect, or 3rd VPCs
• Example: Cannot access VPC C from VPC A via VPC B
• Workaround: Create a direct peering from VPC A to VPC C
Peer VPC address ranges cannot overlap
• But, you can peer with 2+ VPCs that themselves overlap
• Use subnets/routing tables to pick the VPC to use

31. VPC peering with software firewall
VPC A - 10.10.0.0/16 VPC B - 10.20.0.0/16
# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87

32. Enhanced Networking

33. Latency: Packets per second
Instance 1 Instance 2
...........

34. Packet processing in Amazon EC2:
VIF
Virtualization layer
eth0
eth1
Instance Virtual NICs
Physical NIC

35. Packet processing in Amazon EC2:
SR-IOV
eth0
Instance
VF Driver
eth1
VF
Virtualization layer
Physical NIC

36. Inter-instance latency

37. SR-IOV: Is this thing on?
It may already be!
For many newer AMIs, enhanced networking is
already on:
Newest Amazon Linux AMIs
Windows Server 2012 R2 AMI
No need to configure

38. SRIOV: Is this thing on? (Linux)
No Yes!
[ec2-user@ip-10-0-3-70
~]$ ethtool -i eth0
driver: vif
version:
firmware-version:
bus-info: vif-0
…
[ec2-user@ip-10-0-3-70 ~]$
ethtool -i eth0
driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
…

39. SRIOV: Is this thing on? (Windows)
No Yes!

40. AMI/instance support for SR-IOV
C3, C4, I2, D2, R3 instance families: 23 types
HVM virtualization type
Required kernel version
• Linux: 2.6.32+
• Windows: Server 2008 R2+
Appropriate VF driver
• Linux: ixgbevf 2.14.2+ module
• Windows: Intel® 82599 Virtual Function driver

41. Walkthrough: Enabling enhanced networking
(Amazon Linux)
amzn-ami-hvm-2012.03.1.x86_64-ebs
hvm

42. Walkthrough: Enabling enhanced networking
(Amazon Linux)
--attribute
sriovNetSupport
InstanceId i-37c5d1d9
Not yet!

43. Walkthrough: Enabling enhanced networking
(Amazon Linux)
[ec2-user@ip-10-0-3-125 ~]$ sudo yum update
OS update

44. Walkthrough: Enabling enhanced networking
(Amazon Linux)
reboot-instances
Reboot
(OS update)

45. Walkthrough: Enabling enhanced networking
(Windows)

46. Walkthrough: Enabling enhanced networking
(Windows)
Add to Windows driver store

47. Walkthrough: Enabling enhanced networking
All EBS-backed instances
stop-instances
Stop the instance

48. Walkthrough: Enabling enhanced networking
All EBS-backed instances
stop-instances
--sriov-net-support
simple
Enable SRIOV
Cannot be undone

49. Walkthrough: Enabling enhanced networking
All EBS-backed instances
start-instances
Start

50. Walkthrough: Enabling enhanced networking
All EBS-backed instances
start-instances
--attribute
sriovNetSupport
InstanceId i-37c5d1d9
Value simple
We’re on

51. VPC Endpoints for Amazon S3

52. VPC Endpoints for Amazon S3
Highly reliable
Designed for the largest workloads
Use S3 from VPC without an Internet
Gateway or NAT instance
Additional security controls

53. VPC Endpoints for Amazon S3
‘mypics’
Bucket
Instance VPC
Router
region
VPC Endpoint
vpce-abcd1234

54. Creating a VPC Endpoint
ec2-create-vpc-endpoint

55. VPC Endpoints for Amazon S3
‘mypics’
Bucket
Instance VPC
Router
region
VPC Endpoint
vpce-abcd1234
Application resolves mypics.s3.amazonaws.com
DNS responds with the usual IP addresses for Amazon S3
Application connects to the chosen IP address

56. VPC Endpoints for Amazon S3
‘mypics’
Bucket
Instance VPC
Router
region
VPC Endpoint
vpce-abcd1234
Destination Target
pl-1a2b3c4d vpce-abcd1234
Prefix List
com.amazonaws.us-west-1.s3

57. VPC Endpoints for Amazon S3
‘mypics’
Bucket
Instance VPC
Router
region
VPC Endpoint
vpce-abcd1234
IAM Policy on VPC Endpoint vpe-abcd1234
Allow access to bucket A
Deny access to other buckets

58. VPC Endpoint Policy

59. VPC Endpoints for Amazon S3
‘mypics’
Bucket
Instance VPC
Router
region
VPC Endpoint
vpce-abcd1234
IAM Policy on VPC Endpoint vpe-abcd1234
Allow access to bucket A
Deny access to other buckets

60. VPC Endpoints for Amazon S3
‘mypics’
Bucket
Instance VPC
Router
region
VPC Endpoint
vpce-abcd1234
IAM Policy on bucket ‘mypics’
Allow access from vpce-abcd1234
Deny all other

61. S3 Bucket Policy

62. AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new
customers about the AWS platform, best practices and new cloud services.
Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking
Registration is now open
• Come and see what AWS and the cloud can do for you.

63. CTA Script
- If you are interested in learning more about how to navigate the cloud to grow
your business - then attend the AWS Summit Chicago, July 1st.
- Register today to learn from technical sessions led by AWS engineers, hear best
practices from AWS customers and partners, and participate in some of the 30+
paid sessions and labs.
- Simply go to
https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootc
amps&trk=Webinar_slide
to register today.
- Registration is FREE.
TRACKING CODE:
- Listed above.

64. Thank You!!