PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018
2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GPSTEC306
PrivateLink for Partners: Connectivity, Scale, Security
Laura Caicedo, Partner Solutions Architect, AWS
Nick Matthews, Principal Solutions Architect, AWS
Jonathan Sander, Security Field CTO, Snowflake Computing
Paul Barber, Managing Director, Product Architecture, Airlines Reporting Corporation (ARC)
3. Agenda
• What is PrivateLink
• Benefits
• Architecture
• Deployment types
• Architecture design options
• Snowflake use case
5. Problem …
6. Sharing a service without AWS PrivateLink
Figure: the service is reached over the internet through an internet gateway (IGW), using an Elastic IP (EIP) or public DNS
7. Sharing a service without AWS PrivateLink: Peering
Route table maintenance:
10.10.0.0/16 -> pcx-xxxxxx
172.31.0.0/16 -> pcx-xxxxxx
8. Sharing a service without AWS PrivateLink: Peering
10.10.0.0/16 -> pcx-xxxxxx
192.168.0.0/16 -> pcx-xxxxxx
10.10.0.0/16 -> pcx-xxxxxx ??? (a second customer using the same 10.10.0.0/16 range cannot be routed: that CIDR already points at another peering connection)
9. Sharing a service with AWS PrivateLink
Figure: VPC endpoint (private IP 10.10.1.6) -> Endpoint service -> NLB
11. Benefits of AWS PrivateLink
• Secure your traffic
• Simplify network management
• Accelerate hybrid cloud migration
• Scalability
12. PrivateLink benefits: Security and management
• One-way access
• Security group for the endpoint
• Private IP
• Support for overlapping addresses
Figure: VPC endpoint (private IP) -> Endpoint service (Service name: com.amazonaws…) -> NLB
13. PrivateLink benefits: Scalability & hybrid cloud
• Share to thousands of VPCs
• Grow your business
• Hybrid cloud adoption
Figure: many VPC endpoints -> Endpoint service (Service name: com.amazonaws…) -> NLB
15. Network load balancer
• Connection-based load balancing
• Built-in health checks
• High throughput
• Low latency
• Preserve source IP address
• Static IP and elastic IP support
• Load balancing using IP addresses as targets
• Fully fault-tolerant
Figure: Elastic Load Balancing in an AWS Region across AZ-1, AZ-2 and AZ-3, with web targets in each Availability Zone
16. Set up PrivateLink for providers
Figure: NLB -> Endpoint service (Service name: com.amazonaws…, here vpce-svc-02d91882a635HAPPY)
• Whitelist principals
• Accept endpoint connections
• Notifications
18. Elastic network interfaces
• Virtual networking card
• Has a private IP in the address range of your subnet
• Can be owned by you or managed by an AWS service
• Apply security groups to an elastic network interface
19. Accessing AWS services from your VPC
• Gateway VPC endpoints for AWS
• Interface VPC endpoints for AWS
20. Amazon S3 and your VPC
Route S3-bound traffic to the VPC endpoint instead of the internet to reach the Amazon S3 bucket
• No IGW
• No NAT
• No public IPs
• Robust access control
• Free
21. Interface VPC endpoints
22. Interface VPC endpoints (continued)
23. Interface endpoint services available
• Amazon API Gateway
• AWS CloudFormation
• Amazon CloudWatch
• Amazon CloudWatch Events
• Amazon CloudWatch Logs
• AWS CodeBuild
• AWS Config
• Amazon EC2 API
• Elastic Load Balancing API
• AWS Key Management Service
• Amazon Kinesis Data Streams
• Amazon SageMaker Runtime
• AWS Secrets Manager
• AWS Security Token Service
• AWS Service Catalog
• Amazon SNS
• AWS Systems Manager
• Endpoint services hosted by other AWS accounts
• Supported AWS Marketplace partner services
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
24. Setting up PrivateLink for consumers
Provider service name: vpce-svc-0..635HAPPY
Figure: VPC endpoint -> SaaS service
• Endpoint DNS names are created:
• 1 regional FQDN for the endpoint: vpce-….ec2.eu-west-1.vpce.amazonaws.com
• 1 or more zonal FQDNs, one for each Availability Zone: vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com, vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com
• Security groups
• Notifications
• If Private DNS is enabled: CNAME api.example.com --> ALIAS vpce-xxxx.vpce-svc-xxxx.eu-west-1.vpce.amazonaws.com
25. Packet walkthrough (1/2) – DNS
1. If Private DNS is enabled, the client requests endpoint resolution from the Route 53 private hosted zone
2. Consumer forwards to the local IP 10.0.1.6 from source IP 10.0.1.8
3. Traffic is sent to the service endpoint
Figure (SaaS consumer account): client 10.10.1.8 looks for the service api.example.com (Alias) in the Amazon Route 53 private hosted zone; the endpoint's ENI 10.10.1.6 forwards traffic to the provider
26. Packet walkthrough (2/2) – NAT
4. NLB does source NAT: source 10.0.1.8 is translated to source 172.31.1.60
5. App replies to 172.31.1.60
6. NLB changes the source back to 10.10.1.6
Figure (SaaS consumer account): Amazon Route 53 private hosted zone; client 10.10.1.8 -> endpoint 10.10.1.6 -> source NAT -> app ("I am receiving traffic from 172.31.1.60")
28. PrivateLink deployment types
SaaS
• Silo
• Bridge
• Pool
Within an organization
• Marketplace offers
• Internal environments
• Managed service providers
29. SaaS deployment types: Silo
• Expose custom addresses to customers
• Expose only what’s needed
• Provider management can be shared
• Onboarding
• Management
• Operations
• Billing
Figure: one NLB and endpoint service (Service name: com.amazonaws…) per customer, each reached through that customer's own VPC endpoint (private IP 10.10.1.6 and 10.10.2.6)
30. SaaS deployment types: Pool
• Elasticity and agility of a shared infrastructure footprint
• Custom addresses per customer with one set of infrastructure
• Management, deployment, and operation are easier
• One or more load balancers per shared service
• API
• Front-end
• Resource
Figure: one NLB and endpoint service (Service name: com.amazonaws…) shared by all customers, each reached through its own VPC endpoint (private IPs 10.10.1.6, 10.10.2.6 and again 10.10.1.6, since overlapping addresses are supported)
31. SaaS deployment types: Bridge
• Hybrid between pool and silo
• Different service names
Figure: two NLBs and endpoint services (Service name: com.amazonaws…), customers reached through their VPC endpoints (private IPs 10.10.1.6, 10.10.2.6, 10.10.1.6)
32. AWS SaaS Marketplace
• Easily create secure endpoints
• No public IP address
• Curated SaaS products
• Discoverability of the services when customers purchase SaaS on AWS Marketplace
33. Marketplace: DNS Vanity
Service base DNS name (service ID . region . sub domain): vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
Endpoint DNS names on the client side (VPC endpoint ID prefixed): vpce-12345.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com, vpce-67890.vpce-svc-1a2b3c4d.us-west-1.vpce.amazonaws.com
Service vanity DNS name (region . sub domain): us-east-1.vpce.myexample.com
Endpoint DNS names on the client side (VPC endpoint ID prefixed): vpce-12345.us-east-1.vpce.myexample.com, vpce-67890.us-west-1.vpce.myexample.com
34. Internal environments
Figure: NLB -> Endpoint service (Service name: com.amazonaws…) shared with VPC endpoints in other internal VPCs (private IP 10.10.1.6 and 172.31.1.6)
36. Reference architecture
Figure: Provider SaaS VPC (CIDR: provider chosen range; service behind an NLB placed in every Availability Zone) -> Dedicated on-premises endpoint VPC (CIDR: defined by customer; customer chosen Availability Zones; a VPC endpoint in each Availability Zone; Route 53 private hosted zone with CNAME api.example.com --> ALIAS vpce-xxxx.vpce-svc-xxxx.us-east-2.vpce.amazonaws.com) -> AWS Direct Connect location (anywhere) through a Direct Connect gateway, OR a VPN through a customer gateway -> on-premises WAN. The on-premises DNS server either forwards api.example.com to AWS DNS or holds A records api.example.com -> 10.x.x.x, 10.x.x.y. A customer VPC with its own VPC endpoints is shown alongside.
37. Connectivity options from on-premises
Figure: on-premises -> VPC endpoint (private IP 10.10.1.6) -> Endpoint service (Service name: com.amazonaws…) -> load balancer
39. Source IP address visibility: proxy protocol
The Proxy Protocol header includes the private IP of the consumer and the ID of the endpoint.
Figure (SaaS consumer account): source IP 10.0.1.8 -> VPC endpoint -> 172.31.1.60 -> provider ("I am receiving traffic from 172.31.1.60; the Proxy Protocol header has source IP 10.0.1.8")
Proxy Protocol v2 Type-Length-Value (TLV) vector:
Field | Length (in octets) | Description
Type | 1 | PP2_TYPE_AWS (0xEA)
Length | 2 | The length of value
Placeholder | 1 | PP2_SUBTYPE_AWS_VPCE_ID (0x01)
40. PrivateLink and cross-region peering: IP load balancing
How do you handle global connectivity?
• AWS PrivateLink now supports access over Inter-Region VPC Peering
Figure: VPC endpoints in us-east-1 and eu-west-1 reach the application through cross-region peering, with the remote application registered as an IP target of the NLB
41. PrivateLink and cross-region peering: Remote endpoints
Figure: NLB and VPC endpoint in us-east-1; a VPC endpoint in eu-west-1 reaches the service over cross-region peering
42. SSL offloading
43. Resource-based PrivateLink
• Can it be load balanced?
• Database
• Logging service
• Enterprise application
Solutions
• Use one NLB per resource
• Use a single NLB using different listening ports
• 10.1.1.100:8081
• 10.1.1.100:8082
44. Services that initiate new connections to clients
Provider services that need to initiate connections or have bidirectional connections
• Use VPC peering or a two-way PrivateLink design (a VPC endpoint on each side)
46. Snowflake: The data warehouse built for the cloud
48. How Snowflake integrates with PrivateLink
Each customer is uniquely configured with an NLB in their region
PrivateLink is often a piece of a larger private comms requirement
• VPC endpoint: create an interface VPC endpoint
• Network load balancer: connect the endpoint to the network load balancer of the service of your choice
• AWS VPN connection: give your VPN authorized access to services on AWS
• AWS Direct Connect: give your on-premises resource access to services on AWS
Figure: customer (JDBC/ODBC, programs, snowsql; other systems on customer resources; Amazon EC2 instance) -> VPC endpoint -> network load balancer
50. Some quick background …
$88.5 billion in ticket transactions
287 million passenger trips
World’s most comprehensive air ticket transaction data
www.arccorp.com
51. An easy choice …
Data security is always top of mind.
No negative impact in how our products perform.
Implemented in a day.
52. Sharing is simple …
53. Thank you!
Laura Caicedo, lauracai@amazon.com
Nick Matthews, nickmatt@amazon.com