PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Laura Caicedo
Partner Solutions Architect
AWS
G P S T E C 3 0 6
Nick Matthews
Principal Solutions Architect
AWS
PrivateLink for Partners:
Connectivity, Scale, Security
Laura Caicedo
Partner Solutions Architect
AWS
Nick Matthews
Principal Solutions Architect
AWS
Jonathan Sander
Security Field CTO
Snowflake Computing
Paul Barber
Managing Director, Product Architecture
Airlines Reporting Corporate (ARC)

Agenda
• What is PrivateLink
• Benefits
• Architecture
• Deployment types
• Architecture design options
• Snowflake use case

Problem …
$

IGW
EIP or
Public
DNS
Sharing a service without AWS PrivateLink

Route table
maintenance
Sharing a service without AWS PrivateLink: Peering
10.10.0.0/16 -> pcx-xxxxxx 172.31.0.0/16 -> pcx-xxxxxx

Sharing a service without AWS PrivateLink: Peering
10.10.0.0/16 -> pcx-xxxxxx
192.168.0.0/16 -> pcx-xxxxxx
10.10.0.0/16 -> pcx-xxxxxx ???

VPC
Endpoint
Private IP 10.10.1.6
NLB
Endpoint
Service
Sharing a service with AWS PrivateLink

Benefits of AWS PrivateLink
Secure
your traffic
Simplify
network
management
Accelerate
hybrid cloud
migration
Scalability

Endpoint Service
Service name: com.amazonaws…
One-way
access
Security
group for
the endpoint
Private IP
Support for
overlapping
addresses
PrivateLink benefits: Security and management
NLB VPC
Endpoint
Private IP

PrivateLink benefits: Scalability & hybrid cloud
Share to
thousands of
VPCs
Grow your
business
Hybrid cloud
adoption
Endpoint Service
NLB
VPC
Endpoint
VPC
Endpoint

Network load balancer
• Connection-based load balancing
• Built-in health checks
• High throughput
• Low latency
• Preserve source IP address
• Static IP and elastic IP support
• Load balancing using IP addresses
as targets
• Fully fault-tolerant
AZ-3AZ-2
AWS Region
Elastic load
balancing
AZ-1
Web Web Web Web Web Web

NLB
Endpoint Service
vpce-svc-02d91882a635HAPPY
• Whitelist principals
• Accept endpoint connections
• Notifications
Set up PrivateLink for providers

• Virtual networking card
• Has a private IP in the address range of
your subnet
• Can be owned by you or managed by an
AWS service
• Apply security groups to an elastic
network interface
Elastic network
interfaces

Accessing AWS services from your VPC
Gateway VPC
endpoints for AWS
Interface VPC
endpoints for AWS

Amazon S3 and your VPC
Amazon
S3 bucket
Internet
VPC
Endpoint
Route S3-bound traffic
to the VPC endpoint
• No IGW
• No NAT
• No public IPs
• Robust access
control
• Free

Interface VPC endpoints

Interface endpoint service available
• Amazon API Gateway
• AWS CloudFormation
• Amazon CloudWatch
• Amazon CloudWatch Events
• Amazon CloudWatch Logs
• AWS CodeBuild
• AWS Config
• Amazon EC2 API
• Elastic Load Balancing API
• AWS Key Management Service
• Amazon Kinesis Data Streams
• Amazon SageMaker Runtime
• AWS Secrets Manager
• AWS Security Token Service
• AWS Service Catalog
• Amazon SNS
• AWS Systems Manager
• Endpoint services hosted by other AWS
accounts
• Supported AWS Marketplace partner
services
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html

vpce-svc-
0..635HAPPY
Setting up PrivateLink for consumers
VPC
Endpoint
vpce-….ec2.eu-west-1.vpce.amazonaws.com
vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com
vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com
SaaS Service
• Endpoint DNS names are
created:
• 1 regional FQDN for the
endpoint
• 1 or more zonal FQDNs for
each Availability Zone
Security
groups
CNAME api.example.com
--> ALIAS vpce-xxxx.vpce-
svc-xxxx.eu-west-
1.vpce.amazonaws.com
VPC
Endpoint
• Notifications
• If PrivateDNS enable:

Packet walkthrough (1/2) – DNS
1. If Private DNS is enabled,
requests endpoint
resolution from Route
53—private hosted zone
2. Consumer forwards to the
local IP 10.0.1.6 from
source IP 10.0.1.8
3. Traffic is sent to the
service endpoint
Client looks for service
api.example.com (Alias)
Amazon Route 53
Private hosted zone
10.10.1.8
ENI’s endpoint forwards
traffic to the provider
10.10.1.6
SaaS consumer account

Packet walkthrough (2/2) – NAT
4. NLB does source NAT
1. Source 10.0.1.8 translated to
Source 172.31.1.60
5. App replies to 172.31.1.60
6. NLB changes the source
back to 10.10.1.6
Source NAT
SaaS consumer account
Amazon Route 53
Private hosted zone
10.10.1.810.10.1.6
I am receiving traffic
from 172.31.1.60

PrivateLink deployment types
SaaS
• Silo
• Bridge
• Pool
Within an organization
• Marketplace offers
• Internal environments
• Managed service providers

NLB
Endpoint Service
VPC Endpoint
Private IP - 10.10.1.6
SaaS deployment types: Silo
• Expose custom
addresses to customers
• Expose only what’s
needed
• Provider management
can be shared
• Onboarding
• Management
• Operations
• Billing
NLB
Endpoint Service
VPC Endpoint

SaaS deployment types: Pool
• Elasticity and agility of a
shared infrastructure
footprint
• Custom addresses per
customer with one set of
infrastructure
• Management,
deployment, and
operation are easier
• One or more load
balancer per shared
service
• API
• Front-end
• Resource
NLB
Endpoint Service
VPC Endpoint
VPC Endpoint
VPC Endpoint

NLB
Endpoint Service
SaaS deployment types: Bridge
• Hybrid between pool
and silo
• Different service
names
NLB
Endpoint Service
VPC Endpoint
VPC Endpoint
VPC Endpoint

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS SaaS Marketplace
• Easily create secure endpoints
• No public IP address
• Curated SaaS products
• Discoverability of the services when
customers purchase SaaS on AWS
Marketplace

Marketplace: DNS Vanity
vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
Service Base DNS Name
Service ID Region Sub Domain
vpce-12345.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
Endpoints DNS Name on Client Side
VPC Endpoint
ID
vpce-67890.vpce-svc-1a2b3c4d.us-west-1.vpce.amazonaws.com
us-east-1.vpce.myexample.com
Service Vanity DNS Name
Region Sub Domain
vpce-12345.us-east-1.vpce.myexample.com
Endpoints DNS Name on Client Side
VPC
Endpoint
ID
vpce-67890.us-west-1.vpce.myexample.com

Internal environments
NLB
Endpoint Service
VPC Endpoint
VPC Endpoint
Private IP – 172.31.1.6

Reference
architecture
NLB
Dedicated On-premises Endpoint VPCProvider SaaS VPC
Customer VPC
AWS Direct
Connect Location
(Anywhere)
Direct Connect
Gateway
Service
Customer chosen Availability Zones
CIDR: Deﬁned by customer
On-premises
Service
NLB placed in every
Availability Zone
A api.example.com
10.x.x.x
10.x.x.y
api.example.com
CIDR: Provider chosen range
Customer chosen Availability Zones
Route 53 Private
Hosted Zone
CNAME api.example.com
--> ALIAS vpce-xxxx.vpce-svc-
xxxx.us-east-2.vpce.amazonaws.com
WANVPC Endpoint VPC Endpoint
VPC Endpoint VPC Endpoint
DNS Server
Forward api.example.com to AWS
DNS
OR
Customer
Gateway
VPN

Connectivity options from on-premises
Load Balancer
Endpoint Service
VPC Endpoint

Source IP address visibility: proxy protocol
The Proxy Protocol header includes
private IP of the consumer and the ID
of the endpoint.
Type-Length-Value (TLV) vector:
I am receiving traffic from
172.31.1.60,
Proxy Protocol Header has
source IP 10.0.1.8
Source IP
10.0.1.8
Proxy
Protocol V2
Field
Length
(in octets)
Description
Type 1
PP2_TYPE_AWS
(0xEA)
Length 2
The length of
value (0x01)
Placeholder 1
PP2_SUBTYPE_AW
S_VPCE_ID
SaaS consumer
account
172.31.1.60
VPC
Endpoint

Application
Cross-region
peering
us-east-1
eu-west-1
PrivateLink and cross-region peering : IP load balancing
How do you handle
global connectivity?
• AWS PrivateLink now
supports access over
Inter-Region VPC
Peering
IP as a target
VPC
Endpoint
VPC
Endpoint

PrivateLink and cross-region peering: Remote endpoints
NLB
VPC
Endpoint
Cross-region
Peering
us-east-1
eu-west-1
VPC
Endpoint

SSL offloading

Resource-based PrivateLink
• Can it be load balanced?
• Database
• Logging service
• Enterprise application
Solutions
• Use one NLB per resource
• Use a single NLB using different listening ports
• 10.1.1.100:8081
• 10.1.1.100:8082

Services that initiate new connections to clients
Provider services that need to initiate connections or have bidirectional connections
• Use VPC peering or a two-way PrivateLink design
VPC
Endpoint
VPC
Endpoint

Snowflake: The data warehouse built for the cloud

AWS VPN
Connection
Give your
VPN authorized
access to services
on AWS
AWS Direct
Connect
Give your
on-premises
resource access
to services on AWS
How Snowflake integrates with PrivateLink
Each customer is uniquely configured with an NLB in their region
PrivateLink is often a piece of a larger private comms requirement
VPC endpoint
Create an interface
VPC endpoint
Network load
balancer
Connect the endpoint
to the network load
balancer of the
service of your choice
JDBC/ODBC,
programs, snowsql
Customer
Other systems on
customer resources
Amazon EC2
Instance

Some quick background …
$88.5 billion in ticket transactions
287 million passenger trips
World’s most comprehensive air ticket
transaction data
www.arccorp.com

An easy choice …
Data security is always top of mind.
No negative impact in how our products perform.
Implemented in a day.

Sharing is simple …

Thank you!
Laura Caicedo, lauracai@amazon.com
Nick Matthews, nickmatt@amazon.com

PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018

Similaire à PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018 (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018