Networking in AWS

Carl Simpson – Technical Architect, Zen Internet Limited

carl.simpson@zeninternet.co.uk


About Me:

• Technical Architect – Cloud & Hosting @ Zen Internet Limited

• 12 years at Zen Internet

• Networking guy turned Cloud guy

• Makes comments like:

  “Someone should do a talk on AWS networking!”


What we’re going to cover:

• VPC

• VPC End Points

• VPC Peering

• Direct Connect


What is a VPC?

• VPC = Virtual Private Cloud

• A private network ‘container’ within your AWS account:

VPC – A Container for:

• IP Subnet

• Route Table

• Security Group

• EC2 instance

• Amazon RDS

• Redis

Setting up your VPC

• Pick a region (AWS Region)

• Choose VPC address space: VPC IPv4 CIDR block 10.0.0.0/16

• Pick some Availability Zones: AZ A, AZ B (*use three AZs where available)

• Create some subnets: Public Subnet A and Public Subnet B; Private Subnet 1A and 2A; Private Subnet 1B and 2B

• Suitable for ‘most’ cases – subnet sizes shown on the diagram: /22 /22 /22 and /20 /20 /20

What makes a subnet public?

(Diagram: Public Subnet A and Public Subnet B are attached to the Public Route Table.)

What makes a subnet private?

(Diagram: Private Subnets 1A/2A and 1B/2B are attached to Private Route Table 1 and Private Route Table 2, which reach out through a VPC NAT gateway.)

What might a private subnet have?

• VPC NAT gateway

• VGW (Virtual Private Gateway)
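The VPC build-out above (region, 10.0.0.0/16, three AZs, public and private subnets, a public route table pointing at the Internet Gateway and private route tables pointing at NAT gateways) carried through in code. This is an added example, not code from the talk: it assumes the /22 row on the slide is the public subnets and the /20 row the private ones, names the Internet Gateway target "igw", and gives every AZ its own NAT Gateway ("nat-gw-<AZ>") so that one AZ failing does not cut the other AZs' private subnets off from the Internet.

```python
"""Three-AZ VPC layout planner (added example, not code from the talk).

Assumptions beyond the slides: public subnets are the /22 row and private
subnets the /20 row, the Internet Gateway target is "igw", and each AZ gets
its own NAT Gateway ("nat-gw-<AZ>").
"""
import ipaddress


def plan_subnets(vpc_cidr, azs, public_prefix=22, private_prefix=20, private_per_az=2):
    """Carve the VPC block into one public /22 and two private /20s per AZ.

    Private /20s are taken from the start of the VPC block; the public /22s
    are split out of the next /20-sized chunk(s).  Returns a list of dicts
    with keys name, az, cidr and public.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    chunks = list(vpc.subnets(new_prefix=private_prefix))   # 16 x /20 in a /16
    needed_private = len(azs) * private_per_az
    if needed_private >= len(chunks):
        raise ValueError("VPC block too small for the requested layout")
    private_blocks = chunks[:needed_private]
    public_blocks = []
    for chunk in chunks[needed_private:]:
        public_blocks.extend(chunk.subnets(new_prefix=public_prefix))
        if len(public_blocks) >= len(azs):
            break
    subnets = []
    for i, az in enumerate(azs):
        subnets.append({"name": f"Public Subnet {az}", "az": az,
                        "cidr": str(public_blocks[i]), "public": True})
        for n in range(private_per_az):
            block = private_blocks[i * private_per_az + n]
            subnets.append({"name": f"Private Subnet {n + 1}{az}", "az": az,
                            "cidr": str(block), "public": False})
    return subnets


def build_route_tables(vpc_cidr, subnets):
    """What makes a subnet public or private is its route table, not its name.

    The Public Route Table sends 0.0.0.0/0 to the Internet Gateway; each AZ's
    Private Route Table sends 0.0.0.0/0 to that AZ's NAT Gateway.  Every table
    also carries the VPC-wide "local" route.
    """
    tables = {"Public Route Table": {
        "routes": [(vpc_cidr, "local"), ("0.0.0.0/0", "igw")], "subnets": []}}
    for s in subnets:
        if s["public"]:
            tables["Public Route Table"]["subnets"].append(s["name"])
            continue
        name = f"Private Route Table {s['az']}"
        tables.setdefault(name, {
            "routes": [(vpc_cidr, "local"), ("0.0.0.0/0", f"nat-gw-{s['az']}")],
            "subnets": []})
        tables[name]["subnets"].append(s["name"])
    return tables


def is_public(table):
    """A subnet is Internet-reachable when its default route targets the IGW."""
    return dict(table["routes"]).get("0.0.0.0/0") == "igw"


def exposure_report(tables):
    """Defender's view: which route tables (and so which subnets) face the Internet."""
    return {name: ("public" if is_public(t) else "private") for name, t in tables.items()}


if __name__ == "__main__":
    subnets = plan_subnets("10.0.0.0/16", ["A", "B", "C"])
    for s in subnets:
        print(f"{s['name']:<20} {s['cidr']:<16} {'public' if s['public'] else 'private'}")
    tables = build_route_tables("10.0.0.0/16", subnets)
    for name, verdict in exposure_report(tables).items():
        print(f"{name}: {verdict} -> {tables[name]['subnets']}")
```

The exposure report is the check worth keeping around: a subnet called "private" that someone later points at the IGW shows up here immediately, which is the same question the next two slides ask.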

Adding some servers/services

• Load Balancer (ELB) – Elastic Load Balancer

• Web Server (one per AZ)

• Database Server (one per AZ)

What’s outside the VPC?

• AWS Public Services: Amazon S3, Lambda function, Amazon DynamoDB (in the AWS Region but outside VPC 10.0.0.0/16)

But I want my stuff to be totally private!

(Diagram: the private subnets’ Web and DB Servers reach the AWS Public Services – Amazon S3, Lambda function, Amazon DynamoDB – via the Internet.)

Use VPC Endpoints

• A VPC Endpoint for each of Amazon S3, Amazon DynamoDB and Lambda function

• Saves money on NAT Gateway data transfer!

• * Currently in preview.

• Endpoints for other services coming

Why use VPC Endpoints?

• Improve Security

  • Reference them in security groups

  • Restrict S3 buckets to only VPC end point access (bucket policy):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"],
      "Condition": {
        "StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}
      }
    }
  ]
}

• Performance

• Save Money
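To see why the bucket policy above works, here is the slide's Deny statement generated in full and run through a small policy evaluator. This is an added example, not code from the talk, and the evaluator is a teaching model of IAM's explicit-deny-beats-allow logic, not the real engine. It assumes the slide's bucket name and endpoint id, merges in a constructed identity-based Allow for s3:GetObject so the Deny has something to override, and constructs the request contexts by hand.

```python
"""S3 bucket policy restricted to one VPC Endpoint, with a small evaluator
(added example; the evaluator is a teaching model, not the IAM engine).

Assumptions: bucket "examplebucket" and endpoint "vpce-1a2b3c4d" from the
slide; a constructed identity-based Allow for s3:GetObject is merged in so
the effect of the Deny can be seen; request contexts are constructed.
"""
import fnmatch
import json


def vpce_only_bucket_policy(bucket, vpce_id):
    """The slide's policy, completed: explicit Deny unless the request came through vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-VPCE-only",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def _condition_holds(condition, ctx):
    """StringEquals / StringNotEquals only.  A key missing from the request
    context never equals anything, so StringNotEquals holds - which is exactly
    why Internet requests (no aws:sourceVpce key at all) fall into the Deny."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(statements, action, resource, ctx):
    """Simplified IAM logic: explicit Deny beats Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for st in statements:
        if not any(fnmatch.fnmatch(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatch(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed identity policy standing in for the caller's IAM permissions.
IDENTITY_ALLOW = {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::examplebucket/*"}


def decide(bucket_policy, action, resource, ctx):
    """Combine bucket policy and identity policy the way IAM does and decide."""
    return evaluate(bucket_policy["Statement"] + [IDENTITY_ALLOW], action, resource, ctx)


if __name__ == "__main__":
    policy = vpce_only_bucket_policy("examplebucket", "vpce-1a2b3c4d")
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::examplebucket/reports/q1.csv"
    for label, ctx in [("via the endpoint", {"aws:sourceVpce": "vpce-1a2b3c4d"}),
                       ("from the Internet", {"aws:SourceIp": "203.0.113.9"}),
                       ("via another VPC's endpoint", {"aws:sourceVpce": "vpce-ffffffff"})]:
        print(f"{label:<28} -> {decide(policy, 's3:GetObject', obj, ctx)}")
```

The Deny is keyed on a request-context key that only exists for traffic arriving through an endpoint, so anything else (the console, the CLI on a laptop, another VPC's endpoint) is refused regardless of IAM permissions; apply it knowing that administrators outside the VPC are locked out too.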

VPC Endpoints

(Diagram: the private subnets’ Web and DB Servers reach Amazon S3, Lambda function and Amazon DynamoDB through three VPC Endpoints; the VGW remains attached.)

Putting it all together

(Diagram: AWS Region with AZ A and AZ B; Public Subnet A/B on the Public Route Table with the Elastic Load Balancer and VPC NAT gateway; Private Subnets 1A/2A and 1B/2B on Private Route Tables 1 and 2 with the Web Servers and DB Servers; VGW; three VPC Endpoints to Amazon S3, Lambda function and Amazon DynamoDB.)

What VPC things haven’t I mentioned?

• IPv6

• VPC Flow Logs

IPv4 reminder

(Diagram: the VPC 10.0.0.0/16 from earlier – public and private subnets in AZ A and AZ B, Public Route Table, Private Route Tables 1 and 2, VPC NAT gateway, VGW, and the AWS Public Services Amazon S3, Lambda function and Amazon DynamoDB.)

Dual Stack (IPv4 & IPv6)

• VPC 10.0.0.0/16 + 2001:DB8::/56

• AWS assigned /56 IPv6 address space

Focusing on IPv6 - /64s Everywhere

• Every subnet (public and private, in each AZ) gets a /64 out of the AWS assigned /56

Focusing on IPv6 (Public Subnet Routing)

(Diagram: the public subnets’ /64s on the Public Route Table.)

Focusing on IPv6 (Private Subnet Routing)

• Egress Only Gateway (Egress Only GW) for the private subnets

Focusing on IPv6 (External Private Routing)

• VGW alongside the Egress Only GW

Dual Stack – All together

(Diagram: the full IPv4 layout plus 2001:DB8::/56, the Egress Only GW, VPC NAT gateway, VGW, Web and DB Servers, and the AWS Public Services.)

Some CloudFormation IPv6 nonsense

What the docs say:

Ipv6TestSubnetCidrBlock:
  Type: "AWS::EC2::SubnetCidrBlock"
  Properties:
    Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock
    SubnetId: !Ref Ipv6TestSubnet

What you need to do:

Ipv6TestSubnetCidrBlock:
  Type: 'AWS::EC2::SubnetCidrBlock'
  Properties:
    Ipv6CidrBlock:
      'Fn::Join':
        - '00'
        - - 'Fn::Select':
              - '0'
              - 'Fn::Split':
                  - '00::/56'
                  - 'Fn::Select':
                      - '0'
                      - 'Fn::GetAtt':
                          - Vpc
                          - Ipv6CidrBlocks
          - '::/64'
    SubnetId:
      Ref: PubSubnet1a
  DependsOn: VpcIpv6CidrBlock

• Look up the /56 CIDR Block

• Split on 00::/56 and grab the 1st part

• Join your chosen:

  • Subnet ‘hextet’,

  • AWS assigned prefix &

  • ::/64
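The "/64s everywhere" slide and the CloudFormation Fn::Split / Fn::Select / Fn::Join trick both come down to the same arithmetic: pick one of the 256 /64s inside the AWS assigned /56. The following added example (not code from the talk) does it two ways: by address arithmetic, and by reproducing the template's string trick so you can see what it is really doing and where it breaks. The VPC blocks are constructed documentation-range addresses; the function names are mine.

```python
"""Deriving per-subnet IPv6 /64s from the AWS assigned /56 (added example,
not code from the talk).  Shows robust integer arithmetic alongside the
slide's CloudFormation Fn::Split / Fn::Select / Fn::Join string trick,
including the case where the trick breaks.  VPC blocks are constructed
documentation-range addresses.
"""
import ipaddress


def subnet64_from_vpc56(vpc_cidr, index):
    """The index-th (0..255) /64 inside a /56, by address arithmetic."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.version != 6 or vpc.prefixlen != 56:
        raise ValueError("expected an IPv6 /56 as AWS assigns to a VPC")
    if not 0 <= index <= 255:
        raise ValueError("a /56 holds only 256 /64s")
    # The subnet id lives in bits 64..71, i.e. the low byte of the 4th hextet.
    base = int(vpc.network_address) + (index << 64)
    return str(ipaddress.ip_network((base, 64)))


def cloudformation_style(vpc_cidr, hextet):
    """Reproduce the template: Fn::Select 0 of Fn::Split '00::/56', then
    Fn::Join with the chosen two-hex-digit subnet 'hextet' as the delimiter
    and '::/64' as the tail."""
    if len(hextet) != 2:
        raise ValueError("subnet suffix must be two hex digits")
    int(hextet, 16)   # raises ValueError for anything that is not hex
    if "00::/56" not in vpc_cidr:
        # Fn::Split would hand back the whole string and the join would be garbage.
        raise ValueError(f"{vpc_cidr!r} is not printed as ...00::/56; the trick does not apply")
    prefix = vpc_cidr.split("00::/56")[0]          # Fn::Select 0 of Fn::Split
    return hextet.join([prefix, "::/64"])          # Fn::Join [hextet, [prefix, '::/64']]


def same_subnet(a, b):
    """Compare as networks so '2001:DB8:...' and '2001:db8:...' spellings agree."""
    return ipaddress.ip_network(a) == ipaddress.ip_network(b)


if __name__ == "__main__":
    vpc = "2001:db8:1234:5600::/56"       # constructed; AWS prints its /56s like this
    for hextet in ("00", "01", "ab"):
        print(hextet, cloudformation_style(vpc, hextet),
              subnet64_from_vpc56(vpc, int(hextet, 16)))
    try:
        cloudformation_style("2001:db8::/56", "01")   # 4th hextet all zero: nothing to split on
    except ValueError as err:
        print("trick fails:", err)
    print("arithmetic still works:", subnet64_from_vpc56("2001:db8::/56", 1))
```

The string trick only works because an AWS /56 is normally printed with the fourth hextet ending in "00"; when that hextet is entirely zero the compressed form drops it and Fn::Split finds nothing to split on. The arithmetic version has no such dependency, which is why a template should be tested against both shapes of block.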

Auditing (VPC Flow Logs)

(Diagram: flow logs are captured per elastic network adapter.)
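Flow logs are only an audit trail if something reads them, so here is an added example (not from the talk) of what that looks like: a parser for the default flow log record format and a simple detection over it, flagging any source that the security groups or NACLs rejected across several destination ports. The log lines are constructed, using TEST-NET addresses and a made-up account and interface id; the threshold and function names are mine.

```python
"""Parse VPC Flow Log records and flag sources being rejected across many
ports (added example, not from the talk).  Uses the default flow log record
format; the records below are constructed, with TEST-NET addresses.
"""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: an outside host probing a web server on 22, 3389 and 443
# and being rejected, one legitimate accepted flow, and a NODATA record (no
# traffic on the interface in that window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.5.10 54321 22 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.5.10 54322 3389 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.5.10 54323 443 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.5.10 40000 443 6 20 4000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""


def parse_record(line):
    """One default-format record -> dict, or None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """All usable records in a block of flow log text."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r]


def rejected_ports_by_source(records):
    """srcaddr -> set of destination ports that were rejected."""
    hits = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            hits[r["srcaddr"]].add(r["dstport"])
    return hits


def probing_sources(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports: a simple scan indicator."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records")
    for src, ports in rejected_ports_by_source(recs).items():
        print(f"{src} rejected on ports {sorted(ports)}")
    print("probing sources:", probing_sources(recs))
```

A REJECT record tells you a security group or network ACL did its job; the interesting signal is the pattern across records, which is why the detection groups by source rather than alerting on every rejected packet.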

So we’re done?

No! There’s more!

You can have lots of VPCs

(Diagram: one BIG VPC next to lots of Baby VPCs.)

So why have multiple VPCs?

Question: “Why have multiple AWS accounts?”


Why have multiple accounts?

• Damage limitation

• Control/Autonomy

• Regulation

• Disaster Recovery

“But I need my resources to communicate with those in other VPCs!”

Use VPC Peering


VPC Peering

VPC peering got much better in the last year!

• Reference Security Groups in peered VPCs

  e.g. VPC A Security Group ID sg-000001a allows inbound port 80 from Security Group ID sg-000001b, which is applied to resources in VPC B

• Resolve DNS in peered VPCs

  e.g. When VPC A resolves ‘ec2-35-176-15-190.eu-west-2.compute.amazonaws.com’, which lives in VPC B, it resolves to 10.10.0.162 not 35.176.15.190

• AWS have good (not cheap) transit VPC solutions

VPC peering limitations

• Unique address space required

• No (native) VPC transit

(Diagram: VPC peering full mesh.)
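The two limitations above, as an added example rather than code from the talk: a check that no two VPCs share address space (a peering cannot be created between overlapping CIDRs), the full-mesh set of peerings that the absence of transit forces on you, the route each side of a peering needs, and a reachability check that shows a hub VPC does not forward between its spokes. VPC names, CIDRs and the "pcx-<A>-<B>" ids are constructed.

```python
"""VPC peering planning helpers (added example, not from the talk).

Assumptions: VPC names and CIDRs are constructed; peering connection ids are
made-up "pcx-<A>-<B>" strings.
"""
import ipaddress
from itertools import combinations


def overlapping_pairs(vpcs):
    """Pairs of VPCs whose CIDRs overlap.  Such a pair cannot be peered, which is
    the slide's 'unique address space required' limitation."""
    return [(a, b) for (a, ca), (b, cb) in combinations(vpcs.items(), 2)
            if ipaddress.ip_network(ca).overlaps(ipaddress.ip_network(cb))]


def full_mesh(vpcs):
    """Peering is not transitive, so any-to-any reachability needs n(n-1)/2 peerings."""
    clashes = overlapping_pairs(vpcs)
    if clashes:
        raise ValueError(f"cannot peer overlapping VPCs: {clashes}")
    return list(combinations(sorted(vpcs), 2))


def peering_routes(vpcs, peerings):
    """Each peering needs a route on BOTH sides: the peer's CIDR via the pcx."""
    routes = {name: [] for name in vpcs}
    for a, b in peerings:
        pcx = f"pcx-{a}-{b}"
        routes[a].append((vpcs[b], pcx))
        routes[b].append((vpcs[a], pcx))
    return routes


def reachable(peerings, src, dst):
    """A packet crosses at most one peering: src and dst must be directly peered.
    There is no (native) transit through a third VPC."""
    return src == dst or frozenset((src, dst)) in {frozenset(p) for p in peerings}


if __name__ == "__main__":
    vpcs = {"prod": "10.0.0.0/16", "shared": "10.1.0.0/16", "dev": "10.2.0.0/16"}
    hub = [("prod", "shared"), ("dev", "shared")]     # hub-and-spoke through 'shared'
    print("prod -> dev via the shared hub:", reachable(hub, "prod", "dev"))
    mesh = full_mesh(vpcs)
    print("full mesh peerings:", mesh)
    for name, rts in peering_routes(vpcs, mesh).items():
        print(name, rts)
    print("overlaps:", overlapping_pairs({"a": "10.0.0.0/16", "b": "10.0.1.0/24"}))
```

The number of peerings and routes grows quadratically with the number of VPCs, which is the practical reason the transit VPC solutions mentioned on the slide exist.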

Why would I want to transit a VPC anyway?

• Force all traffic through central firewall(s)

Force all traffic through central firewall(s)

• Force all (inter-subnet) traffic through a firewall (for IDS/IPS)

• ‘local’ routes create real challenges!

(Diagram: Web in Subnet A, DB in Subnet B and FW/IDS in Subnet C – the VPC’s local route carries Web to DB traffic directly, so it never passes the FW/IDS.)
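Why the local route is the challenge, shown with a longest-prefix-match lookup over a route table. This is an added example, not code from the talk; the subnets, addresses and the hypothetical firewall ENI target "eni-fw" are constructed.

```python
"""Why the VPC 'local' route defeats a central in-VPC firewall (added example,
not from the talk).  Route tables and addresses are constructed: Web in
Subnet A (10.0.1.0/24), DB in Subnet B (10.0.2.0/24), FW/IDS appliance in
Subnet C reached via a hypothetical ENI target 'eni-fw'.
"""
import ipaddress


def next_hop(route_table, dst_ip):
    """Longest-prefix match over [(cidr, target), ...], like a VPC route table."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def uninspected_flows(route_table, flows, inspection_targets):
    """Defender's check: which (src, dst) pairs never pass through an inspection target."""
    return [(src, dst) for src, dst in flows
            if next_hop(route_table, dst) not in inspection_targets]


# Route table for Subnet A with the default route steered at the firewall.
# The 10.0.0.0/16 local route is present in every VPC route table and covers
# every subnet, so inter-subnet traffic matches it, not the firewall route.
SUBNET_A_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "eni-fw"),
]

FLOWS = [
    ("10.0.1.10", "10.0.2.20"),     # Web -> DB, stays inside the VPC
    ("10.0.1.10", "198.51.100.5"),  # Web -> Internet
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src} -> {dst}: next hop {next_hop(SUBNET_A_RT, dst)}")
    print("bypassing FW/IDS:", uninspected_flows(SUBNET_A_RT, FLOWS, {"eni-fw"}))
```

The model happily accepts a more specific route such as 10.0.2.0/24 via eni-fw, but the VPC of the talk's era would not, which is what pushes the design on the next slide towards transit subnets, appliances with their own routing tables and SNAT rather than plain VPC routes.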

(Diagram: Customer-VPC - 10.0.0.0/16 – Author: Carl Simpson – Zen Internet Ltd; Diagram Status: Draft – Version 3; Date 27/08/2015.)

AZ A

• Subnets: PubSub1A 10.0.1.0/24, PubSub2A 10.0.2.0/24, TransitSub1A 10.0.3.0/24, TransitSub2A 10.0.4.0/24, WebFarmSub1A 10.0.5.0/24, WebFarmSub2A 10.0.6.0/24, DBSub1A 10.0.7.0/24

• Appliances and instances: F5-A (EIP1, LbSG1, SNAT to 192.168.0.1), CiscoASA-A, CiscoFP-A, EIP3, IGW; Web-i1/Web-i2/Web-i3 (WebSG1), Web2-i1/Web2-i2/Web2-i3 (WebSG2), DB-i1 (DB-SG1); AWS Pub1 RT, AWS Pub2 RT, AWS Pri RT-A, AWS RT (unused)

• Routing tables shown (AZ A):

  10.0.0.0/16 via local; 192.168.0.1 via CiscoFP-A-int-B; 192.168.0.2 via CiscoFP-B-int-B; 0.0.0.0/0 via CiscoASA-A-int-B

  10.0.2.0/24 via connected; 10.0.3.0/24 via connected; 0.0.0.0/0 via AWS Pub2 RT; 192.168.0.1/32 via F5-int-B; 10.0.5.0/24, 10.0.6.0/24, 10.0.105.0/24, 10.0.106.0/24 via CiscoFP-A-int-A

  10.0.1.0/24 via connected; 10.0.2.0/24 via connected; 0.0.0.0/0 via AWS Pub1 RT; 10.0.5.0/24, 10.0.6.0/24, 10.0.105.0/24, 10.0.106.0/24 via CiscoASA-A-int-A

  10.0.0.0/16 via local; 0.0.0.0/0 via IGW

  10.0.3.0/24 via connected; 10.0.4.0/24 via connected; 0.0.0.0/0 via CiscoASA-int-B; 192.168.0.1/32 via CiscoASA-int-B; 10.0.5.0/24, 10.0.6.0/24, 10.0.105.0/24, 10.0.106.0/24 via AWS Pri RT-A-int-A

AZ B

• Subnets: PubSub1B 10.0.101.0/24, PubSub2B 10.0.102.0/24, TransitSub1B 10.0.103.0/24, TransitSub2B 10.0.104.0/24, WebFarmSub1B 10.0.105.0/24, WebFarmSub2B 10.0.106.0/24, DBSub1B 10.0.107.0/24

• Appliances and instances: F5-B (EIP2, LbSG1, SNAT to 192.168.0.2), CiscoASA-B, CiscoFP-B, EIP4; Web-i4/Web-i5/Web-i6 (WebSG1), Web2-i4/Web2-i5/Web2-i6 (WebSG2), DB-i2 (DB-SG1); AWS Pub1 RT, AWS Pub2 RT, AWS Pri RT-B, AWS RT (unused)

• Routing tables shown (AZ B):

  10.0.0.0/16 via local; 192.168.0.1 via CiscoFP-B-int-B; 192.168.0.2 via CiscoFP-A-int-B; 0.0.0.0/0 via CiscoASA-int-B

  10.0.102.0/24 via connected; 10.0.103.0/24 via connected; 0.0.0.0/0 via AWS Pub2 RT; 192.168.0.2/32 via F5-int-B; 10.0.5.0/24, 10.0.6.0/24, 10.0.105.0/24, 10.0.106.0/24 via CiscoFP-B-int-A

  10.0.101.0/24 via connected; 10.0.102.0/24 via connected; 0.0.0.0/0 via AWS Pub1 RT; 10.0.5.0/24, 10.0.6.0/24, 10.0.105.0/24, 10.0.106.0/24 via CiscoASA-B-int-A

  10.0.0.0/16 via local; 0.0.0.0/0 via IGW

  10.0.103.0/24 via connected; 10.0.104.0/24 via connected; 0.0.0.0/0 via CiscoASA-int-B; 192.168.0.2/32 via CiscoASA-int-B; 10.0.105.0/24, 10.0.106.0/24 via AWS Pri RT-B-int-A; 10.0.5.0/24, 10.0.6.0/24 via AWS Pri RT-A-int-A

AZ C

• 192.168.0.3 – SNAT F5 load balancer; 10.0.201.0/24 – PubSub1C; 10.0.202.0/24 – PubSub2C; 10.0.203.0/24 – TransitSub1C; 10.0.204.0/24 – TransitSub2C; 10.0.205.0/24 – WebFarmSub1C; 10.0.206.0/24 – WebFarmSub2C; 10.0.207.0/24 – DbSub1C

Shared

• VGW to the Co-lo (CiscoASA, CiscoASA)

• Route53 (health checked & RR/weighted DNS) – clients query

Why would I want to transit a VPC anyway?

• Force all traffic through a firewall

• Privately route between VPCs in remote regions

AWS Global VPC Transit Solution: https://aws.amazon.com/answers/networking/transit-vpc/

Direct Connect

Why use Direct Connect?

• Lower latency

(Diagram: EU-WEST-1 (Dublin), EU-WEST-2 (London) and Manchester – “You Are Here!” – with the Best DirectConnect Path drawn between them.)

Why use Direct Connect? – Lower latency: X

Why use Direct Connect? – Service Level Agreement

Let’s check the AWS Direct Connect FAQs:

“Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?”

Answer:

“Not at this time.”

Why use Direct Connect? – Service Level Agreement: X

Why use Direct Connect? – High Bandwidth

AWS Direct Connect Bandwidth

• Provides 1 Gbps and 10 Gbps ports

• Now supports LACP

Why use Direct Connect? – Consistent Network Performance

Consistent Network Performance?

• Dedicated Links

• Isolated from Internet Routing changes

• More controlled environment

Why use Direct Connect?

• Lower latency (X)

• Service Level Agreement (X)

• High Bandwidth

• Consistent Network Performance

• Private Connectivity to Amazon VPC

• Private Connectivity to AWS public services

Connectivity Options - Single Site Solution

• Customer Office → VGW (Use Zen, we can provide this! :-))

Connectivity Options - Multi-site solution

• Customer Office(s) and Customer Data Centre(s) → Customer IPVPN/MPLS → VGW (Use Zen, we can provide this too! :-))

Connectivity Options – Multi-site solution (private and public)

• Customer Office(s) and Customer Data Centre(s) → Customer IPVPN/MPLS → VGW and Public Services (Amazon S3, Lambda function, Amazon SQS) (Use Zen, we can provide this too! :-))

• Customer Requires Public IP space for access to public services!


So how do I get Direct Connect?

• DIY connection

  • 1G or 10G bandwidth options only

  • Build your network out to a direct connect location

• Hosted connection

  • 50M bandwidth and up

  • Partner ‘may’ bring the connection to you

Direct Connect - A little more detail

Direct Connect Routing

• Customer/Partner Router (Customer/Partner ASN) – VLAN 1 – AWS Router (Amazon ASN); VGW

• eBGP between the two ASNs

• Announce Routes (in both directions)

• MED and AS PATH prepending supported

• Direct Connect preferred over VPN connection
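The last three bullets as a small route-selection model. This is an added example, not code from the talk. The ordering it assumes is: Direct Connect before VPN (the slide's statement), then shorter AS_PATH (so prepending demotes a link), then lower MED; that mirrors standard BGP tie-breaking, and AWS's published route-priority rules should be consulted for the exact order the VGW applies. Prefixes and the ASN are constructed.

```python
"""BGP route preference over Direct Connect and VPN, as a small model (added
example, not code from the talk).  Ordering assumed: Direct Connect before
VPN (the slide), then shorter AS_PATH, then lower MED.  This mirrors standard
BGP tie-breaking; check AWS's published route-priority rules for the exact
order on the VGW.  Prefixes and ASNs are constructed.
"""
from collections import namedtuple

Route = namedtuple("Route", "prefix via as_path med")   # via: "dx" or "vpn"


def preference_key(route):
    """Lower tuple wins: (VPN after DX, AS_PATH length, MED)."""
    return (0 if route.via == "dx" else 1, len(route.as_path), route.med)


def prepend(route, times):
    """AS_PATH prepending: repeat your own ASN so this announcement looks longer."""
    return route._replace(as_path=(route.as_path[0],) * times + route.as_path)


def select_best(routes):
    """Best route per prefix among all announcements received."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: min(rs, key=preference_key) for p, rs in by_prefix.items()}


if __name__ == "__main__":
    office = "192.168.10.0/24"
    dx_primary = Route(office, "dx", (65001,), med=100)
    dx_backup = Route(office, "dx", (65001,), med=200)      # same path, worse MED
    vpn = Route(office, "vpn", (65001,), med=0)              # VPN loses to any DX route
    print("preferred:", select_best([dx_primary, dx_backup, vpn])[office])
    demoted = prepend(dx_primary, 3)                         # 65001 65001 65001 65001
    print("after prepending the primary:", select_best([demoted, dx_backup, vpn])[office])
```

Prepending and MED let you steer which Direct Connect link carries traffic for active/standby designs; neither lets a VPN route win while any Direct Connect route for the same prefix is up, which matters when you are relying on the VPN as the failover path.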

What we’ve covered:

• VPC

• VPC End Points

• VPC Peering

• Direct Connect

Final thing…

Public Cloud Connect: for multi-cloud access

(Diagram: Customer Site 1, Customer Site 2 … Customer Site n connected to the AWS (EU-West) Regions and to Another Cloud Provider.)

Thanks!

Questions?
