Which is better: a single VPC with multiple subnets or multiple accounts with many VPCs? Should you simplify management with a single VPC or use multiple VPCs to lessen the blast radius of network changes? In this session, we hear from customers who've implemented each approach and discuss how they addressed management, security, and connectivity for their Amazon EC2 environments.

1. Selecting the Best VPC Network Architecture
Eric Schultze, AWS
Roshan Vilat & Phil Schulz, Vodafone Australia
Clay Parker, Trimble Navigation
November 15, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Why we’re here
• Choosing a VPC architecture
• Benefits and Challenges
• Lessons Learned

3. Before we get started…

4. Selecting the Best VPC Network Architecture
Vodafone Australia Case Study
Roshan Vilat & Phil Schulz, Vodafone Australia
November 15, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

5. Vodafone Australia
• Presentation:
– Cloud Transformation Roadmap
– Multi VPC Solution

6. Vodafone Group
– One of the world’s leading
telecommunications groups
– Vodafone operates in more than
30 countries across five continents
– 404 million customers globally
– One of the top 10 brands in the world

7. 1. Public Facing Website in the Cloud
– Migration from traditional data center to the Cloud
– Saved one year in time to market
– Saved at least $1,000,000

8. 2. Re-architecting for the Cloud
– AWS Opened a Data Centre in Australia
– Migration from the US to AU
– Re-Architecture into Cloud Orientated Architecture:
Auto Scaling; Elastic IPs; Amazon RDS database;
AWS CloudFormation; Highly Available File Storage;
Self Healing Environments
– Agile Delivery with Cross Functional Teams;
Behavior Driven Development; Automated Testing;
Continuous Integration; Daytime Deployments

9. 3. Business Critical Applications
–
–
–
–
–
–
Greenfield Enabler for Multiple Digital Services
Supporting Customer Sensitive Data
Direct Connection into Backend Services
Suite of Security Tools
Live Business Intelligence
New Support Model

10. Project Partners
–
–
–
–
–
–
–
Core Team
InfoSec
Networks
Service Management
Operational Support Services
Vodafone Group
My Account App Team

11. To Multi-VPC or not to Multi-VPC?

12. Project Key Requirements
1.
2.
3.
4.
5.
Secure – protect customer sensitive data
Networked – low latency, stable connectivity
Automated
Supportable
Resilient, Scalable, and Available.

13. VPC Design Evolution
• 100s of VPCs
• Single VPC
• Multi-VPC

14. 100s of VPCs
TEST

15. 100’s of VPCs

16. 100s of VPCs
Pros
• Strong Isolation
Cons
• Sheer number of VPCs
• Management nightmare
• Networking nightmare
• Equivalent of creating a
datacenter per
application?

17. Single VPC

18. Single VPC
Pros
• Simplifies AWS Direct
Connect
Cons
• Low isolation – security,
billing implications
• No role separation – IAM
limitation
• AWS account and VPC
limits
• Difficult to contain blast
radius!

19. Single VPC
Pros
• Simplifies AWS Direct
Connect
Cons
• Low isolation – security
implications
• No role separation – IAM
limitation
• AWS account and VPC
limits
• Difficult to contain blast
radius!

20. Multi VPC

21. Multi VPC

22. Design Benefits
• Multi-account for role separation, cost control
and resource limits
• Balance of isolation and management
complexity
• AWS Direct Connect provides stable inter-VPC
and Vodafone-VPC communication
• AWS Direct Connect provides central network
control point

23. Lessons Learned
• Ensure team has domain experts
• Capture all stakeholder requirements
• Differences between traditional and cloud-based
methodologies
• Use multiple constructs to achieve desired isolation
– Accounts, VPCs, security groups, etc.
• AWS account and VPC limits
• IAM access control capabilities

24. Project Outcome
• First cloud-based environment for business
critical apps
• Built in 4 months
• MyAccount (Online Self-Service) in production
• Shared security and operational services in
production
• Next 4 applications in build stage

25. Selecting the Best Virtual Private Cloud
Architecture In AWS
Clay Parker, Trimble Navigation
November 15, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

26. Trimble Navigation
•
•
•
•
•
A world leader in transforming how work is done across multiple industries
and professions
Our customers gain significant economic breakthroughs at the same time
improving quality, safety, regulatory compliance and reducing environmental
impact
Our technological capabilities span positioning and sensing, global
connectivity, 3D design, modeling & measurement, machine and process
automation, and powerful data analytics
2012 Revenue US $2Billion; 6,500 employees
Founded in 1978, headquartered in Sunnyvale, California with Offices in 35
countries, partners in 125 countries and customers in 150 – from some of
the world’s largest corporations to some of the smallest family firms

27. Trimble Hosting Services
•
•
•
•
•
•
•
•
•
We are a Trimble Division
We exist to help Trimble businesses with external
end-user-facing application hosting and 24x7x365
support
74 staff in seven locations in five countries
Production infrastructure in seven data centers
Development infrastructure in six Trimble offices
Facilitate hosting in Amazon Web Services (AWS)
Our ISMS is ISO27001 certified for hosting in THS infrastructure and in AWS
Staff have specific expertise in:
Node4 Northampton
United Kingdom
Ireland
AT&T Ashburn
Milpitas
NOC
CT Xi’an
Equinix Slough
- Server virtualization
- Storage management
- Network engineering
- Database management
- Program & project management
- Cloud hosting
- Operations
- Information security
- Finance
21Vianet Beijing
Global Admin Network
SunGard
Equinix Dallas
Scottsdale
Chennai NOC

28. Current use of Amazon Web Services
• Shared Production Account
– Multi-tenant environments in several regions to support multiple
customers
– Single production account with one VPC per region
– No tenant write access to the AWS Management Console
– VPN connectivity to private cloud production data centers
– All AWS resources tagged for customer identification
– All AWS resources under change management control

29. Current use of Amazon Web Services
• Shared Development Account
– Multi-tenant environments in several regions to support multiple
customers
– Single development account with one VPC per region
– Controlled tenant access to the AWS Management Console
– VPN connectivity to private cloud development data centers
– All AWS resources tagged for customer identification

30. Current use of Amazon Web Services
• Customer Development Accounts
– One per customer
– VPN connectivity to our development data centers only
– Unlimited access to the AWS Management Console (except
Amazon VPC)
– Linked to our master account for consolidated billing

31. Current use of Amazon Web Services
• Billing Only Accounts
– One for each customer
– Linked to our master account for consolidated billing

32. Private / Public / Hybrid Clouds
• Private
– Trimble Private Cloud (TPC)
– THS owns & manages infrastructure
• Public
– Amazon Web Services (AWS)
– AWS owns & manages infrastructure
• Hybrid
– Uses infrastructure in both TPC & AWS
– Take advantage of the best of both worlds
www.myconnectedassets.com
Route 53
Hosted
Zone
Client
Users
Mobile Client
Shared VMware &
SAN Infrastructure
Common Core Network
Elastic Load
Balancer
Redundant physical and/or virtual
Web & Application servers
Web
Data Center
Core Network
Web App
Server
Web App
Server
Amazon Linux
EC2 Instance
Amazon Linux
EC2 Instance
Security Group
BGP
Routers
Core
Switches
App
App
Database
Redundant
physical
database
cluster
SAN
ISP
VPN Connection
Security Group
Database
Wireless Carrier
VPC Subnet
Availability Zone A
App
Web
Web
ISP
Wireless Carrier
Other
Trimble Hosted
Applications
Availability Zone B
Pipe to DR
Data Center
AWS Region 1
Amazon
CloudWatch
Alarms
Common Services:
Monitoring
LAN, SAN management
VMware management
Other
Trimble Mgmt
Monitoring
Managment

33. Trimble Integrated Cloud
PHX1
AZ
Cust A Subnet
Cust B Subnet
THS
CSN
LHR1
UK
SJC3
LHR2
CA
UK
MAA1
India
Trimble Corporate WAN
To
A
PDX
THS Common Services Network /
Admin Backbone
d
Pro
v
De
S
T HS
TH
DA
IA rod
To P
Cust B Subnet
v
De v
st D e
C u u st
XA A C
PD DX
P
To
A
IAD
THS
CSN
XIY1
China
Cust A Subnet
THS
CSN
IAD2
VA
THS
CSN
Cust B Subnet
AWS Virtual
Private Gateways
Cust B Subnet
Cust A Subnet
Cust A Subnet
IADA
AWS US-East
N. Virginia
China
T HS
To
To
Trimble
Users
PEK1
PDXA
AWS US-West
Oregon

34. Criteria for using fewer VPCs
• Shared Production & Development Accounts
–
–
–
–
–
Single VPC per region
Modeled after our physical data center environment
Less confusion for all concerned
Able to use a single VPN for connectivity
Less complexity for ITOps support

35. Advantages of using fewer VPCs
• Reduces complexity of managing internal IP
address space
• Single place to manage:
– Subnets
– Security groups
– Routes and VPN configuration

36. Challenges of using fewer VPCs
• Perceived customer data bleeding
• Complexity of managing access to individual
resources
• Complexity of individual tenant billing from a
shared account
• Risk of users deleting resources that are not
theirs

37. Questions
• Contact information
– Email parkclay@gmail.com
– Twitter @parkclay

38. Please give us your feedback on this
presentation
CPN208
As a thank you, we will select prize
winners daily for completed surveys!