SRV204 Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gina Morris
Engineering manager, EC2 Networking
SRV204
Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
2. Diagram: an Amazon EC2 instance
3. Amazon Virtual Private Cloud (Amazon VPC)
Diagram: instances with private addresses 172.31.0.128, 172.31.0.129, 172.31.1.24 and 172.31.1.27, and public addresses 54.4.5.6 and 54.2.3.4.
4. What to expect from this session
• Get familiar with VPC concepts
• Walk through a basic VPC setup
• Learn about the ways in which you can tailor your virtual network to meet your needs
5. Walkthrough: Setting up an internet-connected VPC
6. Creating an internet-connected VPC: Steps
• Choosing an address range
• Creating subnets in Availability Zones
• Creating a route to the internet (through an internet gateway)
• Authorizing traffic to & from the VPC
7. Choosing an IP address range
8. CIDR notation review
CIDR range example: 172.31.0.0/16
In binary: 1010 1100 0001 1111 0000 0000 0000 0000 (the /16 prefix means the first 16 bits identify the network; the remaining 16 bits are host addresses)
9. Choosing an IP address range for your VPC
Example: 172.31.0.0/16
• Recommended: an RFC1918 range
• Recommended: /16 (65,536 addresses)
• Avoid ranges that overlap with other networks to which you might connect
10. Subnets
Diagram: a VPC subnet inside the VPC
11. VPC subnets and Availability Zones
VPC: 172.31.0.0/16
Availability Zone eu-west-1a: VPC subnet 172.31.0.0/24
Availability Zone eu-west-1b: VPC subnet 172.31.1.0/24
Availability Zone eu-west-1c: VPC subnet 172.31.2.0/24
12. VPC subnet recommendations
• /16 VPC (65,536 addresses)
• At least /24 subnets (251 usable addresses each)
• Use multiple Availability Zones per VPC through multiple subnets
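The address-range and subnet recommendations of slides 8, 9, 11 and 12 can be checked mechanically before a VPC is created. This is an added example built on Python's standard ipaddress module, not code from the deck; the five-address reservation per subnet is AWS behaviour not stated on the slide, and the networks passed to the overlap check are the corporate and peer ranges that appear later in the deck.

```python
import ipaddress

# AWS reserves five addresses in every subnet (network address, VPC router,
# DNS resolver, one held for future use, broadcast), so a /24 yields 251.
AWS_RESERVED_PER_SUBNET = 5

# The private ranges of RFC 1918; the deck recommends choosing the VPC range here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_bits(cidr: str) -> str:
    """Render the network address in 4-bit groups, as on the CIDR review slide."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = "".join(f"{octet:08b}" for octet in net.network_address.packed)
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def address_count(cidr: str) -> int:
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def usable_addresses(cidr: str) -> int:
    """Addresses an instance can actually receive in a subnet of this size."""
    return address_count(cidr) - AWS_RESERVED_PER_SUBNET


def is_rfc1918(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def overlapping(cidr: str, other_networks) -> list:
    """Networks in other_networks that overlap cidr; should be empty."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [o for o in other_networks
            if net.overlaps(ipaddress.ip_network(o, strict=False))]


def plan_subnets(vpc_cidr: str, azs, new_prefix: int = 24) -> dict:
    """Carve one subnet per Availability Zone out of the VPC range, in order."""
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {az: str(next(candidates)) for az in azs}


if __name__ == "__main__":
    vpc = "172.31.0.0/16"
    print(cidr_bits(vpc), is_rfc1918(vpc), usable_addresses("172.31.0.0/24"))
    # Networks you may connect to later: the corporate network and a peer VPC.
    print(overlapping(vpc, ["192.168.0.0/16", "10.55.0.0/16"]))
    print(plan_subnets(vpc, ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
```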
13. Route to the internet
Diagram: internet gateway
14. Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• But you can assign different route tables to different subnets
15. Traffic destined for my VPC stays in my VPC
16. Internet gateway
Send packets here if you want them to reach the internet
17. Everything that isn’t destined for the VPC: send to the internet
18. Network security in your VPC: Security groups
19. Security groups follow application structure
Diagram: a “MyWebServers” security group and a “MyBackends” security group; “MyBackends” allows only “MyWebServers”.
20. Security groups example: Web servers
Console screenshot; callouts: “Allow all HTTP traffic”, “Rule descriptions”.
21. Security groups example: Backends
Allow application traffic from web servers only
22. Security groups in VPC: Additional notes
• Follow the “principle of least privilege”
• VPC allows creation of egress security group rules in addition to ingress rules
23. Connectivity options for VPCs
24. Beyond internet connectivity
• Restricting internet access
• Connecting to your corporate network
• Connecting to other VPCs
25. Restricting internet access: Routing by subnet
26. Routing by subnet
Diagram: one VPC subnet has a route to the internet; the other VPC subnet has no route to the internet.
27. Outbound-only internet access: NAT gateway
Diagram: the private subnet routes 0.0.0.0/0 to a NAT gateway in the public subnet (public IP 54.161.0.39); the public subnet routes 0.0.0.0/0 to the internet.
28. Egress-only internet gateways for IPv6
Diagram: private subnet and public subnet, each with a ::/0 route; egress-only internet gateway.
29. Security group pattern for SSH bastion
Diagram: inside the Virtual Private Cloud, an SSH bastion (EC2 instance) in the public subnet and instances in the private subnet.
• Bastion security group: allows connections on port 22 from a known IP range
• SSH Access security group: allows connections on port 22 from the Bastion group
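The security-group rules of slides 19 to 22 and the bastion pattern of slide 29 share one evaluation model: allow-only rules, default deny, and rules whose source is another security group rather than an address range. The evaluator below is an added example (not from the deck) that encodes those four groups; the office range 203.0.113.0/24 (a documentation range) and the backend port 8080 are constructed stand-ins for the slide's "known IP range" and "application traffic".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    source: str       # a CIDR, or the name of another security group


# Constructed ingress rules for the groups named in the deck.
GROUPS = {
    "Bastion":      [Rule("tcp", 22, 22, "203.0.113.0/24")],    # slide 29: known IP range
    "SSHAccess":    [Rule("tcp", 22, 22, "Bastion")],           # slide 29: from Bastion group
    "MyWebServers": [Rule("tcp", 80, 80, "0.0.0.0/0")],         # slide 20: all HTTP
    "MyBackends":   [Rule("tcp", 8080, 8080, "MyWebServers")],  # slide 21: web servers only
}


def ingress_allowed(dst_groups, proto, port, src_ip=None, src_groups=()):
    """Security groups are allow-lists: traffic is admitted only when some rule
    on some group of the destination matches; anything else is dropped.
    A rule whose source is a group name matches any instance that is a member
    of that group, whatever its address; a CIDR source matches the source IP."""
    for group in dst_groups:
        for rule in GROUPS[group]:
            if rule.proto != proto or not rule.from_port <= port <= rule.to_port:
                continue
            if rule.source in GROUPS:
                if rule.source in src_groups:
                    return True
            elif src_ip is not None and \
                    ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
                return True
    return False


if __name__ == "__main__":
    # Office -> bastion is allowed; office -> private instance directly is not.
    print(ingress_allowed(["Bastion"], "tcp", 22, src_ip="203.0.113.10"))
    print(ingress_allowed(["SSHAccess"], "tcp", 22, src_ip="203.0.113.10"))
    # Bastion -> private instance is allowed by group membership, not by IP.
    print(ingress_allowed(["SSHAccess"], "tcp", 22, src_ip="172.31.0.128",
                          src_groups=("Bastion",)))
```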
30. Inter-VPC connectivity: VPC peering
31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Example VPC peering use:
Shared services VPC
32. Security groups across peered VPCs
Diagram: VPC 172.31.0.0/16 and VPC 10.55.0.0/16 joined by a VPC peering; the Orange security group and the Blue security group, with an “Allow” rule between them across the peering.
33. Establish a VPC peering: Initiate request
Diagram: VPCs 172.31.0.0/16 and 10.55.0.0/16
Step 1: Initiate peering request
34. Establish a VPC peering: Accept request
Diagram: VPCs 172.31.0.0/16 and 10.55.0.0/16
Step 1: Initiate peering request
Step 2: Accept peering request
35. Establish a VPC peering: Create a route
Diagram: VPCs 172.31.0.0/16 and 10.55.0.0/16
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Traffic destined for the peered VPC should go to the peering
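Slides 14 to 17, 26 to 28 and step 3 above all describe the same mechanism: a subnet's route table is consulted with the most specific matching prefix winning, and a destination with no matching route is dropped. The lookup below is an added example, not from the deck; the three route tables are constructed for the deck's 172.31.0.0/16 VPC and its 10.55.0.0/16 peer, with plain labels standing in for the gateway and peering ids.

```python
import ipaddress


def lookup(route_table, dst: str):
    """Pick the target for dst the way the VPC router does: the most specific
    matching prefix wins. Returns None when no route matches (packet dropped)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        # `in` is False across IP versions, so IPv4 and IPv6 routes can share a table.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Constructed route tables as (destination CIDR, target) pairs.
LOCAL = ("172.31.0.0/16", "local")                       # slide 15: stays in the VPC
PUBLIC_RT = [LOCAL,
             ("0.0.0.0/0", "internet-gateway"),           # slides 16-17
             ("10.55.0.0/16", "vpc-peering")]             # slide 35, step 3
PRIVATE_RT = [LOCAL,
              ("0.0.0.0/0", "nat-gateway"),                # slide 27: outbound only
              ("::/0", "egress-only-internet-gateway")]    # slide 28: IPv6 outbound only
ISOLATED_RT = [LOCAL]                                      # slide 26: no route to the internet


def trace(route_table, dst: str) -> str:
    return f"{dst} -> {lookup(route_table, dst) or 'no route (dropped)'}"


if __name__ == "__main__":
    tables = (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT))
    for name, table in tables:
        for dst in ("172.31.1.24", "10.55.0.10", "54.2.3.4", "2001:db8::1"):
            print(f"{name:9} {trace(table, dst)}")
```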
36. Connecting to on-premises networks: AWS Virtual Private Network and AWS Direct Connect
37. Extend an on-premises network into your VPC
Diagram: two options, VPN and AWS Direct Connect
38. AWS VPN basics
Diagram: your networking device (the customer gateway) on the 192.168.0.0/16 on-premises network; two IPsec tunnels to the virtual private gateway of the 172.31.0.0/16 VPC; route label 192.168/16.
39.
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPsec tunnels over the internet
• AWS Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability, use both AWS VPN and AWS Direct Connect
40. VPC and the rest of AWS
41. VPC and the rest of AWS
• AWS services in your VPC
• VPC endpoints
• DNS in-VPC with Amazon Route 53
• Logging VPC traffic with VPC Flow Logs
42. DNS in a VPC
43. VPC DNS options
• Use Amazon DNS server
• Have EC2 auto-assign DNS hostnames to instances
44. Amazon Route 53 private hosted zones
Diagram: a private hosted zone resolves example.demohostedzone.org to 172.31.0.99
45. AWS services in your VPC
46. Example: Amazon RDS database in your VPC
Reachable via DNS name: mydb-cluster-1 ….us-west-2.rds.amazonaws.com
47. Example: Application Load Balancer in your VPC
48. VPC Endpoints
49. Amazon S3 and your VPC
Diagram: your applications in the VPC and your data in an S3 bucket
50. Gateway VPC endpoints
51. VPC endpoints: Amazon S3 and Amazon DynamoDB
Diagram: route S3-bound traffic to the VPC endpoint (S3 bucket)
52. IAM policy for VPC endpoints
• IAM policy at the VPC endpoint: restrict the actions the VPC can perform in Amazon S3 or Amazon DynamoDB
• IAM policy at the S3 bucket: make the bucket accessible from the VPC endpoint only
53. Interface VPC endpoints
54. AWS PrivateLink for AWS services
Diagram: interface endpoints for the EC2 APIs with private IPs 10.10.1.6 and 10.10.2.10; endpoint DNS names vpce-….ec2.eu-west-1.vpce.amazonaws.com (regional), vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com and vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com (zonal); public service name ec2.eu-west-1.amazonaws.com.
55. VPC Endpoint Services (AWS PrivateLink)
Diagram: a service behind a Network Load Balancer (NLB) is published as Endpoint Service vpce-svc-0d8d; the consuming VPC creates endpoint vpce-1234 (private IP 10.10.1.6), reachable as vpce-1234-ktfdt2an.vpce-svc-0d8d.us-east-1.vpce.amazonaws.com. Label: EC2 APIs.
56. VPC Flow Logs: VPC Traffic Metadata in Amazon CloudWatch Logs
57. VPC Flow Logs
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
Diagram: subnet 10.10.1.0/24 in AZ A
58. VPC Flow Logs: Setup
VPC traffic metadata captured in Amazon CloudWatch Logs
59. VPC Flow Logs data in CloudWatch Logs
Screenshot callouts:
Who is this?
# dig +short -x 52.90.45.101
ec2-52-90-45-101.compute-1.amazonaws.com.
ACCEPT
TCP port 443 = HTTPS
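Reading flow log records by eye, as on the slide above, does not scale; the parser below turns the default (version 2) record format into dicts and counts REJECTed flows per source and destination port, which is how the "effects of security group rules" of slide 57 become visible. This is an added example, not from the deck; the log lines are constructed, with placeholder account and interface ids, and the reverse lookup of the source address is left to the dig command shown on the slide.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample records (placeholder account and eni ids). The first line
# mirrors the slide: an ACCEPTed TCP/443 (HTTPS) flow from 52.90.45.101.
SAMPLE_LOG = """\
2 123456789012 eni-0000000000 52.90.45.101 172.31.0.128 40123 443 6 12 3400 1521310000 1521310059 ACCEPT OK
2 123456789012 eni-0000000000 198.51.100.7 172.31.0.128 51234 22 6 3 180 1521310000 1521310059 REJECT OK
2 123456789012 eni-0000000000 198.51.100.7 172.31.0.129 51235 22 6 3 180 1521310000 1521310059 REJECT OK
2 123456789012 eni-0000000000 - - - - - - - 1521310060 1521310119 - NODATA
"""


def parse_record(line: str):
    """Return one record as a dict, or None for NODATA/SKIPDATA or malformed lines."""
    values = line.split()
    if len(values) != len(FIELDS) or values[-1] != "OK":
        return None
    rec = dict(zip(FIELDS, values))
    rec["protocol"] = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
    rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(text: str) -> list:
    return [rec for rec in map(parse_record, text.splitlines()) if rec]


def rejected_by_source(records) -> Counter:
    """Count REJECTed flows per (srcaddr, protocol, dstport). Traffic a security
    group silently dropped shows up here; the slide's ACCEPT lines do not."""
    return Counter((rec["srcaddr"], rec["protocol"], rec["dstport"])
                   for rec in records if rec["action"] == "REJECT")


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (src, proto, port), count in rejected_by_source(records).most_common():
        print(f"{count} rejected flows from {src} to {proto}/{port}")
```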
60. VPC: Your Private Network in AWS
61. The VPC network
62. VPC network security
63. VPC connectivity
64. Please complete the session survey in the summit mobile app.
65. Submit session feedback
1. Tap the Schedule icon.
2. Select the session you attended.
3. Tap Session Evaluation to submit your feedback.
66. Thank you!