
Deep Dive - Amazon Virtual Private Cloud (VPC)

9,463 views

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this talk, we discuss advanced tasks in Amazon VPC, including the implementation of Amazon VPC peering, the creation of multiple network zones, the establishment of private connections, and the use of multiple routing tables. We also provide information for current Amazon EC2-Classic network customers and help you prepare to adopt Amazon VPC.

Speakers:
Steve Seymour, AWS Solutions Architect
Eamonn O'Neill, Director, Lemongrass Consulting
Jackie Wong, Head of Networks, Financial Times

Published in: Technology


  1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Virtual Private Cloud Deep Dive. Steve Seymour, Solutions Architect, Networking Specialist
  2. aws vpc --expert-mode
  3. Topics today
  4. Virtual networking options
     EC2-Classic: simple to get started; all instances have Internet connectivity, auto-assigned private and public IP addresses, and inbound security groups.
     Default VPC: the best of both. Get started using the EC2-Classic experience; if and when needed, begin using any VPC feature you require.
     VPC: advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come...
  5. Virtual networking options (continued): all accounts created after 12/4/2013 support VPC only and have a default VPC in each region.
  6. Confirming your default VPC: describe-account-attributes reports VPC only.
  7. 1. Routing & private connections
  8. Implementing a hybrid architecture (diagram: VPC connected to the Corporate Data Center)
  9. Create VPC
     aws ec2 create-vpc --cidr 10.10.0.0/16
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b
  10. Create VPN connection
     aws ec2 create-vpn-gateway --type ipsec.1
     aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
     aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
     aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1
  11. Launch instances
     aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
     aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3
  12. Using AWS Direct Connect
     aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
     aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
  13. Configuring the route table (corporate network 192.168.0.0/16)
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
     Each VPC has a single routing table at creation time, used by all subnets.
  14. Remote connectivity best practices: each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.
  15. Remote connectivity best practices: a pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.
  16. Remote connectivity best practices: redundant AWS Direct Connect connections with VPN backup.
  17. VPC with private and public connectivity (corporate network 192.168.0.0/16)
     aws ec2 create-internet-gateway
     aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
     aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
     aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7
  18. Automatic route propagation from the VGW (corporate network 192.168.0.0/16)
     aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
     aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
     Used to automatically update routing table(s) with routes present in the VGW.
  19. Isolating connectivity by subnet (corporate network 192.168.0.0/16)
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
     aws ec2 create-route-table --vpc vpc-c15180a4
     aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
     aws ec2 create-route --ro rtb-fc61b299 --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
     The default route goes into the new table (rtb-fc61b299), giving a subnet with connectivity only to other instances and to the Internet via the IGW.
  20. Software VPN for VPC-to-VPC connectivity
     # VPC A
     aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
     aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
     # VPC B
     aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
     aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a
  21. Software VPN for VPC-to-VPC connectivity: software VPN between these instances.
  22. Software VPN for VPC-to-VPC connectivity: enabling communication between instances in these subnets by adding routes to the default routing table.
  23. Software firewall to the Internet. Routing all traffic from subnets to the Internet via a firewall is conceptually similar.
     # Default routing table directs traffic to the NAT/firewall instance
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
     # Routing table for 10.10.3.0/24 directs to the Internet
     aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
  24. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Road to Automation, aka CloudFormation. Jackie Wong, Network Manager, Financial Times
  25. Financial Times
     • International media company
     • Pioneer of selling digital subscriptions
     • Speed to market
  26. Repetitive and manual deployment
     • Some history...
     • Manual deployment: time consuming, inconsistent, prone to human error, repetitive
  27. CloudFormation JSON
     { "Recognize Similarity" : [ { "Key" : "Subnets" }, { "Key" : "Security" }, { "Key" : "Routing" }, { "Key" : "Internet" }, { "Key" : "Corporate" }, { "Key" : "etc" } ] }
     • Using Mappings and Parameters within the JSON to make it [{"Universal"}]
  28. Outcome: speed to market
     • Faster deployment
     • Consistent
     • Accurate deployment
     • Easy to manage and update
     • Stored centrally
  29. Give it a go. It is addictive... in a good way!
  30. 2. VPC peering
  31. Shared services VPC using VPC peering
     • Common/core services: authentication/directory, monitoring, logging, remote administration, scanning
  32. Provides infrastructure zoning
     • Dev: VPC B
     • Test: VPC C
     • Production: VPC D
  33. VPC peering for VPC-to-VPC connectivity (VPC A: 10.10.0.0/16, vpc-c15180a4; VPC B: 10.20.0.0/16, vpc-062dfc63)
     aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
     aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
     VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
     VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
  34. VPC peering across accounts (VPC A: 10.10.0.0/16, vpc-c15180a4; VPC B: 10.20.0.0/16, vpc-062dfc63, owned by account ID 472752909333)
     aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
     # In owner account 472752909333
     aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
  35. VPC peering: additional considerations
     • Security groups not supported across peerings
       – Workaround: specify rules by IP prefix
     • No "transit" capability for VPN, AWS Direct Connect, or third VPCs
       – Example: cannot access VPC C from VPC A via VPC B
       – Workaround: create a direct peering from VPC A to VPC C
     • Peer VPC address ranges cannot overlap
       – But you can peer with 2+ VPCs that themselves overlap
       – Use subnets/routing tables to pick the VPC to use
  36. VPC peering with software firewall (VPC A: 10.10.0.0/16; VPC B: 10.20.0.0/16)
     # Default routing table directs peer traffic to the NAT/firewall instance
     aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
     # Routing table for 10.10.3.0/24 directs to the peering
     aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87
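The routing decisions behind slides 17, 35 and 36 (longest-prefix match in a route table, per-subnet tables steering traffic to a firewall instance or directly to a peering, and the no-overlap rule for peer CIDRs) can be modelled offline. This is an added example, not code from the talk; it reuses the ids and CIDRs shown on the slides, and pcx-PLACEHOLDER-C is a constructed stand-in for a second peering the slides do not show.

```python
"""Model of how VPC route tables and the peering rules on these slides behave.

Added example, not code from the talk. Ids and CIDRs are the ones on the
slides; pcx-PLACEHOLDER-C stands in for a peering the slides do not show.
"""
from ipaddress import ip_address, ip_network


def next_hop(routes, dst_ip):
    """Resolve a destination the way a VPC route table does: longest prefix wins.

    routes is a list of (cidr, target) pairs such as ("0.0.0.0/0", "igw-5a1ae13f").
    Returns the target of the most specific matching route, or None if no route matches.
    """
    dst = ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def can_peer(cidr_a, cidr_b):
    """Slide 35: a peering is only possible between non-overlapping VPC ranges."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


LOCAL = ("10.10.0.0/16", "local")  # implicit local route of VPC A, always present

# Slide 17: VPC A's default table, Internet via the IGW, corporate 192.168.0.0/16 via the VGW.
RTB_DEFAULT = [LOCAL, ("0.0.0.0/0", "igw-5a1ae13f"), ("192.168.0.0/16", "vgw-f9da06e7")]

# Slide 36: the default table sends peer traffic through the firewall instance;
# the 10.10.3.0/24 subnet's own table sends it straight to the peering.
RTB_VIA_FIREWALL = RTB_DEFAULT + [("10.20.0.0/16", "i-f832afcc")]
RTB_SUBNET3 = [LOCAL, ("10.20.0.0/16", "pcx-ee56be87")]

# Slide 35, last bullet: VPC A peers with VPC B and with a constructed VPC C that
# both use 10.20.0.0/16. B and C cannot peer with each other, but each subnet of A
# picks one of them through its own route table (RTB_SUBNET3 above goes to B).
RTB_TO_C = [LOCAL, ("10.20.0.0/16", "pcx-PLACEHOLDER-C")]

if __name__ == "__main__":
    print(next_hop(RTB_DEFAULT, "192.168.1.10"))     # vgw-f9da06e7
    print(next_hop(RTB_VIA_FIREWALL, "10.20.5.5"))   # i-f832afcc
    print(next_hop(RTB_SUBNET3, "10.20.5.5"))        # pcx-ee56be87
    print(next_hop(RTB_TO_C, "10.20.5.5"))           # pcx-PLACEHOLDER-C
    print(can_peer("10.10.0.0/16", "10.20.0.0/16"))  # True: A-B peering is allowed
    print(can_peer("10.20.0.0/16", "10.20.0.0/16"))  # False: B-C cannot peer
```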
  37. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Design for the Enterprise. Eamonn O'Neill, Director, Lemongrass Consulting
  38. VPC layout (diagram; labels: Singapore primary, Singapore cloud controller, Ireland website, Ireland DR, Tokyo Workspaces; accounts: Seaco main account, Seaco DR account, Lemongrass account)
  39. User connections to AWS (diagram; labels: Singapore primary, Seaco WAN, Direct Connect (100Mb), cloud controller, Lemongrass support, 3rd parties, remote Seaco users, Remote Desktop Services; VPN links from Miami, Shanghai, Hamburg, Singapore, India, London, Livorno and Moscow)
  40. Subnet layout (diagram). Primary VPC across ap-southeast-1a and ap-southeast-1b: DMZ (VPN server, Active Directory domain controller, Remote Desktop Services), Management & Non-SAP (domain controller, SQL Server, System Centre 2012), SAP Production (database servers, app servers), SAP Non-Production (database servers, app servers). DR VPC, connected by VPC peering: DMZ (VPN server), database servers, app servers, SAP Web Dispatcher, domain controller.
  41. Lemongrass Consulting: "Transforming the Workplace through Mobile and Cloud" (S24)
  42. Related presentations (videos online at https://www.youtube.com/user/AmazonWebServices)
     • ARC205 – VPC Fundamentals and Connectivity
     • ARC401 – Black Belt Networking for Cloud Ninja: application centric, network monitoring, management, floating IPs
     • ARC403 – From One to Many: Evolving VPC Design
     • SDD302 – A Tale of One Thousand Instances: example of an EC2-Classic customer adopting VPC
     • SDD419 – Amazon EC2 Networking Deep Dive: network performance, placement groups, enhanced networking
  43. LONDON. Please complete your session evaluation!
