Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
•
9 j'aime•3,059 vues
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (18)
Similaire à Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
Similaire à Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC (20)
Plus de Amazon Web Services
Plus de Amazon Web Services (20)
Dernier
Dernier (20)
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
- 1. Networking and Security Securing Your AWS Resources with Amazon’s Virtual Private Cloud Mark Ryland Solutions Architect AWS Public Sector team
- 2. Agenda Review: EC2 standard networking • Power and limits EC2 networking with Virtual Private Cloud • Key concepts • New capabilities • Common use cases DirectConnect and VPC
- 3. EC2 Standard Networking Distinct private/internal and public/external IPs • True 1:1 NAT (no port translation) • “Split-brained” DNS Security groups control ingress Elastic IPs: fixed public IPs
- 4. Internet EC2 instances dynamically assigned private IP addresses from the one large internal Amazon IP address range 10.134.2.3 10.1.2.3 10.218.5.17 10.27.45.16 10.243.3.5 10.8.55.5 10.141.9.8 10.99.42.97 10.155.6.7 10.131.7.28 10.6.78.201Zone 1a10.16.22.33 Availability Availability Zone 1b Customer 1 Customer 2 Customer 3
- 5. 23.20.151.66 23.20.146.1 23.20.103.11 72.43.2.77 23.19.11.5 72.43.22.45 Internet 72.43.22.5 23.20.148.59 72.44.32.9 72.44.21.7 23.19.10.51 72.43.1.7 EC2 instances dynamically assigned public IP addresses on border network from Amazon’s public IP address blocks 10.134.2.3 10.1.2.3 10.218.5.17 10.27.45.16 10.243.3.5 10.8.55.5 10.141.9.8 10.99.42.97 10.155.6.7 10.131.7.28 10.6.78.201Zone 1a10.16.22.33 Availability Availability Zone 1b Customer 1 Customer 2 Customer 3
- 6. Value and Limits of Standard Networking Security groups • Ingress only • Limited dynamism • Different from subnet-based controls • Mental model issue No private networking, DMZs, or NAT/PAT No consistent / “fixed” IP addrs for instances
- 7. Introducing AWS Virtual Private Cloud User-defined virtual IP networking for EC2 Private or mixed private/public addressing and ingress/egress Re-use of proven and well-understood networking concepts and technologies
- 8. VPC Capabilities in a Nutshell User-defined address space up to /16 Up to 20* user-defined subnets up to /16 User-defined: • Virtual routing, DHCP servers, and NAT instances • Internet gateways, private, customer gateways, and VPN tunnels Private IPs stable once assigned Elastic Network Interfaces
- 9. Internet VPC customers can launch instances in their own isolated network 10.134.2.3 10.1.2.3 10.218.5.17 10.27.45.16 10.243.3.5 10.8.55.5 10.141.9.8 10.99.42.97 10.155.6.7 10.131.7.28 10.6.78.201Zone 1a10.16.22.33 Availability Availability Zone 1b Customer 1 Customer 2 Customer 3 VPC Customer
- 10. Internet VPCcan assign your launch instances thetheir own isolated network You customers can own IP range to in VPC network 10.0.1.5 10.0.1.6 10.0.0.5 10.0.0.6 10.0.1.8 10.0.3.5 10.0.1.25 10.0.3.17 Availability Zone 1a Availability Zone 1b VPC Customer
- 11. Internet Instances can belong to different subnets. VPC Subnet VPC Subnet 10.0.0.5 10.0.1.5 10.0.1.6 VPC Subnet 10.0.0.6 10.0.1.8 10.0.3.5 10.0.1.25 10.0.3.17 Availability Zone 1a Availability Zone 1b VPC Customer
- 12. Internet Add access control lists to your subnets. VPC Subnet VPC Subnet 10.0.0.5 10.0.1.5 10.0.1.6 VPC Subnet 10.0.0.6 10.0.1.8 10.0.3.5 10.0.1.25 10.0.3.17 Availability Zone 1a Availability Zone 1b VPC Customer
- 13. Internet Add a Virtual Private Gateway to your VPC to make it an extension of your datacenter. All traffic to and from the VPC traverses the VPN Connection. VPC Subnet VPC Subnet 10.0.0.5 10.0.1.5 10.0.1.6 VPC Subnet 10.0.0.6 10.0.1.8 10.0.3.5 10.0.1.25 10.0.3.17 Availability Zone 1a Virtual Private GatewayZone 1b Availability VPN Connection Customer Gateway Customer Data Center
- 14. Internet Add an Internet Gateway to let instances talk directly to the Internet Internet Gateway VPC Subnet VPC Subnet 10.0.0.5 10.0.1.5 10.0.1.6 VPC Subnet 10.0.0.6 10.0.1.8 10.0.3.5 10.0.1.25 10.0.3.17 Availability Zone 1a Virtual Private GatewayZone 1a Availability VPN Connection Customer Gateway Customer Data Center
- 15. Enhanced Security Capabilities Network topology, routing, and subnet ACLs Security group enhancements • Egress control; dynamic (re)assignment; richer protocol support Multiple network interfaces per instance Completely private networking via VPN Support for dedicated instances
- 16. Common Use Cases Mixing public and private resources • E.g., web-facing hosts with DMZ subnets, control plane subnets Workloads that expect fixed IPs and/or multiple NICs AWS cloud as private extension of on-premises network • Accessible from on-premises hosts • No change to addressing • No change to Internet threat/risk posture
- 17. Rich Capabilities in VPC ELB, AutoScaling, and CloudWatch Relational Database Service (MySQL engine, for now) Elastic MapReduce CloudFormation And many others, with more to come… “Blackbox” services with public endpoints reachable via Internet gateway (or VPN)
- 18. DirectConnect: Private X-Connect to AWS Dedicated bandwidth to AWS border network in 1gbps or 10gbps chunks Full access to public endpoints, EC2 standard, VPCs • VLAN tagging maps to public side or VPCs Benefits: • Faster / more consistent throughput • Increased isolation and control Great companion technology to VPC
- 19. Networking and Security Securing Your AWS Resources with Amazon’s Virtual Private Cloud Questions and answers
Notes de l'éditeur
- Websiteprecis: The AWS Virtual Private Cloud (VPC) is fast becoming the networking option of choice for enterprise and government customers because it provides a powerful set of virtual networking capabilities. VPC allows you to isolate, control, connect, and empower your systems at the network level. Did you know that, for example, that VPC allows you to attach a single EC2 instance to multiple private subnets? To create DMZs, control subnet routing, and enable totally private interconnects with your on-premises systems? To deploy dedicated, isolated, single tenant hardware for your virtual machines within the public cloud? Come learn about the extensive set of features specific to VPC that you should know about before your next cloud deployment.
- Mention that there will be demos along the way.
- Data egress charges are a measure of the packet flows across the public IP address at the network edge (i.e., gray lines in the slide), even if the packets return into EC2. Internal to internal traffic and internal to AWS service endpoints traffic is all free. [Will add more valid public IPs to the animation later]Example valid ranges:216.182.224.0/20 (216.182.224.0 - 216.182.239.255) 72.44.32.0/19 (72.44.32.0 - 72.44.63.255) 67.202.0.0/18 (67.202.0.0 - 67.202.63.255) 75.101.128.0/17 (75.101.128.0 - 75.101.255.255) 174.129.0.0/16 (174.129.0.0 - 174.129.255.255) 204.236.192.0/18 (204.236.192.0 - 204.236.255.255) 184.73.0.0/16 (184.73.0.0 – 184.73.255.255) NEW
- “User-defined” is important because it can be a private OR a public address space. If public, must be routed to/from customer gateway / VPN tunnel.
- Egress ControlYou control what the instances can talk toE.g.; Let the instance initiate communication with the yum repository, but don’t let it browse anywhere else.Network TopologyCreate subnets (public vs. privately accessible)Route traffic down VPN or out to the InternetNetwork Address TranslationPrivate subnet instances with no public IP can still establish connections to the Internet3rd party Appliance and applicationsLeverage software appliances and security applicationsMultiple InterfacesLaunch or configure instances with a second network interface