Networking in AWS
Carl Simpson – Technical Architect, Zen Internet Limited
carl.simpson@zeninternet.co.uk
About Me:
• Technical Architect – Cloud & Hosting @ Zen Internet Limited
• 12 years at Zen Internet
• Networking guy turned Cloud guy
• Makes comments like: “Someone should do a talk on AWS networking!”
What we’re going to cover:
• VPC
• VPC End Points
• VPC Peering
• Direct Connect
What is a VPC?
• VPC = Virtual Private Cloud
• A private network ‘container’ within your AWS account:
VPC – A Container for:
• IP Subnet
• Route Table
• Security Group
• EC2 instance
• Amazon RDS
• Redis
Setting up your VPC
• Pick a region (AWS Region)
• Choose VPC address space: VPC IPv4 CIDR block 10.0.0.0/16
• Pick some Availability Zones (*Use three AZ where available): AZ A, AZ B
• Create some subnets: in each AZ a public subnet and two private subnets (Public Subnet A, Private Subnet 1A, Private Subnet 2A; Public Subnet B, Private Subnet 1B, Private Subnet 2B)
• Suitable for ‘most’ cases: /22 for the public subnets, /20 for the private subnets
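An added example (not from the talk) that turns the sizing advice above into an actual allocation with Python's ipaddress module: three AZs, one public /22 and two private /20 each, carved out of 10.0.0.0/16 with no overlap and the leftover space reported. The three-AZ count and the per-role prefix lengths are this example's reading of the slide, not values the talk states.

```python
"""Carve the talk's 10.0.0.0/16 into per-AZ subnets with the ipaddress module.

Added example (not from the talk). Assumptions: three AZs, one public /22 and
two private /20 per AZ, largest blocks allocated first so every subnet stays
aligned to its own size.
"""
import ipaddress
from typing import Dict, List

VPC_CIDR = ipaddress.IPv4Network("10.0.0.0/16")
AZS = ["a", "b", "c"]  # "use three AZ where available"
PLAN = [("public", 22), ("private1", 20), ("private2", 20)]  # (role, prefix length)


def allocate(vpc=VPC_CIDR, azs=AZS, plan=PLAN) -> Dict[str, ipaddress.IPv4Network]:
    """Return {"role-az": network} for every subnet in the plan."""
    # Shorter prefix length = bigger block; hand those out first.
    requests = sorted(((role, plen, az) for az in azs for role, plen in plan),
                      key=lambda r: r[1])
    allocated: Dict[str, ipaddress.IPv4Network] = {}
    cursor = int(vpc.network_address)
    limit = int(vpc.broadcast_address) + 1
    for role, plen, az in requests:
        size = 1 << (32 - plen)
        cursor = -(-cursor // size) * size  # round up to a size-aligned boundary
        if cursor + size > limit:
            raise ValueError(f"{vpc} is too small for {role}-{az} /{plen}")
        allocated[f"{role}-{az}"] = ipaddress.IPv4Network((cursor, plen))
        cursor += size
    return allocated


def check_disjoint(nets: List[ipaddress.IPv4Network]) -> bool:
    """True when no two subnets overlap (AWS rejects overlapping subnets anyway)."""
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def free_space(vpc: ipaddress.IPv4Network, nets: List[ipaddress.IPv4Network]) -> int:
    """Addresses in the VPC not assigned to any subnet (room for growth)."""
    return vpc.num_addresses - sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    subnets = allocate()
    for name, net in sorted(subnets.items(), key=lambda kv: kv[1]):
        print(f"{name:12s} {net}")
    print("disjoint:", check_disjoint(list(subnets.values())))
    print("free addresses:", free_space(VPC_CIDR, list(subnets.values())))
```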
What makes a subnet public?
[Diagram: Public Subnet A and Public Subnet B are associated with the Public Route Table.]
What makes a subnet private?
[Diagram: Private Subnets 1A/2A and 1B/2B are associated with Private Route Table 1 and Private Route Table 2, whose outbound path is a VPC NAT gateway rather than the Public Route Table.]
What might a private subnet have?
[Diagram: a VPC NAT gateway for outbound traffic, and a VGW (Virtual Private Gateway) attached to the VPC.]
Adding some servers/services
[Diagram: a Load Balancer (ELB), a Web Server and a Database Server added in each AZ of VPC 10.0.0.0/16.]
What’s outside the VPC?
[Diagram: AWS Public Services (Amazon S3, Lambda function, Amazon DynamoDB) sit inside the AWS Region but outside VPC 10.0.0.0/16.]
But I want my stuff to be totally private!
[Diagram: with no public subnets or NAT gateway, the private subnets (with their Web and DB Servers and the VGW) can only reach the AWS Public Services (Amazon S3, Lambda function, Amazon DynamoDB) across the Internet.]
Use VPC Endpoints
[Diagram: three VPC Endpoints connect the VPC to Amazon S3, Amazon DynamoDB and Lambda function (AWS Public Services) instead of going via the VGW or the VPC NAT gateway.]
Saves money on NAT Gateway data transfer!
* Currently in preview.
• Endpoints for other services coming
Why use VPC Endpoints?
• Improve Security
  • Reference them in security groups
  • Restrict S3 buckets to only VPC end point access (bucket policy):
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}
      }]
    }
• Performance
• Save Money
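Added example, not from the talk or from AWS: a minimal evaluator for the Deny statement above, run against constructed request contexts, to show one caveat of this policy. A request that carries no aws:sourceVpce key at all (the S3 console, or any client outside the VPC) is denied too, because StringNotEquals evaluates to true when its key is absent from the request context.

```python
"""Evaluate the bucket policy above against sample request contexts.

Added example, not from the talk or from AWS: a minimal evaluator for the one
Deny statement shown, enough to demonstrate how StringNotEquals behaves when
the aws:sourceVpce key is missing. All request contexts are constructed.
"""
import json
from typing import Dict, List, Optional

# The slide's policy, completed with Version, Statement and Principal.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}
  }]
}
""")


def condition_matches(condition: Dict, context: Dict[str, str]) -> bool:
    """IAM semantics for the two string operators relevant here:
    StringEquals is false when the key is absent from the request context,
    the negated StringNotEquals is true when the key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual: Optional[str] = context.get(key)
            if operator == "StringEquals":
                if actual != expected:          # absent key -> no match
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:          # absent key -> still matches
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _arn_matches(pattern: str, arn: str) -> bool:
    """Only the trailing '*' wildcard appears in this policy."""
    return arn.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == arn


def is_denied(policy: Dict, resource: str, context: Dict[str, str]) -> bool:
    """True if a Deny statement applies: an explicit Deny beats any Allow
    that another policy (IAM user policy, bucket ACL) might grant."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        resources: List[str] = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(_arn_matches(p, resource) for p in resources):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


OBJECT_ARN = "arn:aws:s3:::examplebucket/data.csv"

if __name__ == "__main__":
    # Constructed contexts: the intended endpoint, a different endpoint, and a
    # request with no aws:sourceVpce at all (console, or a client outside the
    # VPC). The last two are both denied.
    for label, ctx in [("intended VPCE", {"aws:sourceVpce": "vpce-1a2b3c4d"}),
                       ("other VPCE", {"aws:sourceVpce": "vpce-0f0f0f0f"}),
                       ("no VPCE key", {})]:
        print(f"{label:14s} denied={is_denied(POLICY, OBJECT_ARN, ctx)}")
```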
VPC Endpoints
[Diagram: the private subnets in AZ A and AZ B reach Amazon S3, Lambda function and Amazon DynamoDB through three VPC Endpoints inside the AWS Region; the VGW stays attached for private connectivity.]
Putting it all together
[Diagram: VPC 10.0.0.0/16 with Public Subnets A/B, Private Subnets 1A/2A/1B/2B, Public and Private Route Tables, VPC NAT gateway, Elastic Load Balancer, Web and DB Servers, VGW, and VPC Endpoints to the AWS Public Services (Amazon S3, Lambda function, Amazon DynamoDB).]
What VPC things haven’t I mentioned?
• IPv6
• VPC Flow Logs
IPv4 reminder
[Diagram: VPC 10.0.0.0/16 with public and private subnets in AZ A and AZ B, Public and Private Route Tables, VPC NAT gateway and VGW; AWS Public Services (Amazon S3, Lambda function, Amazon DynamoDB) outside the VPC.]
Dual Stack (IPv4 & IPv6)
[Diagram: the same VPC with 10.0.0.0/16 + 2001:DB8::/56, the AWS assigned /56 IPv6 address space.]
Focusing on IPv6 - /64s Everywhere
[Diagram: every subnet, public and private, in each AZ, carries a /64 taken from the AWS assigned /56.]
Focusing on IPv6 (Public Subnet Routing)
[Diagram: the public subnets’ /64s route via the Public Route Table.]
Focusing on IPv6 (Private Subnet Routing)
[Diagram: Private Route Tables 1 and 2 route IPv6 outbound via an Egress Only GW.]
Focusing on IPv6 (External Private Routing)
[Diagram: Egress Only GW plus the VGW.]
Dual Stack – All together
[Diagram: VPC 10.0.0.0/16 + 2001:DB8::/56 with Public and Private Route Tables, VPC NAT gateway (IPv4), Egress Only Gateway (IPv6), VGW, Web and DB Servers in each AZ, and the AWS Public Services outside.]
Some CloudFormation IPv6 nonsense
What the docs say:
  Ipv6TestSubnetCidrBlock:
    Type: "AWS::EC2::SubnetCidrBlock"
    Properties:
      Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock
      SubnetId: !Ref Ipv6TestSubnet
What you need to do:
  Ipv6TestSubnetCidrBlock:
    Type: 'AWS::EC2::SubnetCidrBlock'
    Properties:
      Ipv6CidrBlock:
        'Fn::Join':
          - '00'
          - - 'Fn::Select':
                - '0'
                - 'Fn::Split':
                    - '00::/56'
                    - 'Fn::Select':
                        - '0'
                        - 'Fn::GetAtt':
                            - Vpc
                            - Ipv6CidrBlocks
            - '::/64'
      SubnetId:
        Ref: PubSubnet1a
    DependsOn: VpcIpv6CidrBlock
• Look up the /56 CIDR Block (first element of Fn::GetAtt Vpc.Ipv6CidrBlocks)
• Split on 00::/56 and grab the 1st part
• Join your chosen:
  • Subnet ‘hextet’ (the '00' handed to Fn::Join as its delimiter)
  • AWS assigned prefix &
  • ::/64
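As an added example (not from the talk), the same prefix arithmetic in Python: cfn_style replays the Fn::Split / Fn::Select / Fn::Join string trick from the template above, ipaddress_style computes the n-th /64 of the /56 with real address arithmetic, and cfn_trick_applies checks the precondition the string trick silently relies on. The /56 values are constructed from the 2001:db8::/32 documentation range.

```python
"""Derive the per-subnet IPv6 /64 from the AWS-assigned /56, two ways.

Added example, not from the talk: cfn_style replays the Fn::Split /
Fn::Select / Fn::Join string trick from the template above; ipaddress_style
does the same with real prefix arithmetic; cfn_trick_applies checks the
precondition the trick relies on. All /56 values are constructed from the
2001:db8::/32 documentation range.
"""
import ipaddress


def cfn_style(vpc_ipv6_cidr: str, hextet: str) -> str:
    """Mirror the template: Fn::Split on '00::/56', Fn::Select part 0, then
    Fn::Join with the chosen subnet 'hextet' as the delimiter and '::/64' as
    the second list element."""
    prefix = vpc_ipv6_cidr.split("00::/56")[0]  # Fn::Select 0 of Fn::Split
    return hextet.join([prefix, "::/64"])        # Fn::Join [hextet, [prefix, '::/64']]


def ipaddress_style(vpc_ipv6_cidr: str, index: int) -> str:
    """The index-th /64 (0..255) inside the /56, computed as a network."""
    block = ipaddress.IPv6Network(vpc_ipv6_cidr)
    if block.prefixlen != 56:
        raise ValueError(f"expected a /56, got {block}")
    if not 0 <= index < 256:
        raise ValueError("a /56 holds exactly 256 /64s")
    return str(list(block.subnets(new_prefix=64))[index])


def cfn_trick_applies(vpc_ipv6_cidr: str) -> bool:
    """The string trick needs the CIDR text to end in literally '00::/56'.
    A /56 whose fourth hextet is all zero prints compressed (the slide's own
    placeholder 2001:DB8::/56 has that shape); Fn::Split then finds nothing
    to split on and the joined result is not a valid /64."""
    return vpc_ipv6_cidr.endswith("00::/56")


if __name__ == "__main__":
    vpc56 = "2001:db8:1234:5600::/56"  # constructed stand-in for Ipv6CidrBlocks[0]
    for n in range(3):
        print(cfn_style(vpc56, f"{n:02x}"), "==", ipaddress_style(vpc56, n))
    print("trick applies to", vpc56, cfn_trick_applies(vpc56))
    print("trick applies to 2001:db8::/56", cfn_trick_applies("2001:db8::/56"))
```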
Auditing (VPC Flow Logs)
[Diagram: flow logs are captured per elastic network adapter.]
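Added example, not part of the talk: parsing default-format VPC Flow Log records and pulling out the two things an auditor of the design above would check first, accepted traffic to a database port from outside the VPC and the volume of REJECTs. Constructed for the example: the sample records, the ENI id eni-0a1b2c3d, the 203.0.113.0/24 "Internet" sources and the DB_PORTS set; the VPC CIDR is the talk's 10.0.0.0/16.

```python
"""Parse default-format VPC Flow Log records and flag what an auditor checks first.

Added example, not from the talk. Field order is the default flow log format
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status). Constructed: the records, the ENI
id, the 203.0.113.0/24 Internet sources and DB_PORTS; the VPC is the talk's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_CIDR = ipaddress.IPv4Network("10.0.0.0/16")
DB_PORTS = {3306, 5432}  # assumption: MySQL / PostgreSQL listeners on the DB servers

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.17.10 43210 3306 6 12 3400 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.17.10 51000 3306 6 3 180 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.17.10 51001 3306 6 5 900 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1510000000 1510000060 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.17.10 10.0.1.25 3306 43210 6 10 5000 1510000000 1510000060 ACCEPT OK
"""


@dataclass
class Record:
    interface_id: str
    srcaddr: Optional[ipaddress.IPv4Address]
    dstaddr: Optional[ipaddress.IPv4Address]
    srcport: Optional[int]
    dstport: Optional[int]
    action: str
    log_status: str


def _opt(value: str, conv: Callable):
    """'-' marks a field with no data (NODATA / SKIPDATA records)."""
    return None if value == "-" else conv(value)


def parse(text: str) -> List[Record]:
    """Parse whitespace-separated records; reject lines with the wrong arity."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        v = dict(zip(FIELDS, tokens))
        records.append(Record(v["interface_id"],
                              _opt(v["srcaddr"], ipaddress.ip_address),
                              _opt(v["dstaddr"], ipaddress.ip_address),
                              _opt(v["srcport"], int), _opt(v["dstport"], int),
                              v["action"], v["log_status"]))
    return records


def external_db_accepts(records: List[Record], vpc=VPC_CIDR, ports=DB_PORTS) -> List[Record]:
    """Accepted flows to a DB port from outside the VPC. The DB servers sit in
    private subnets in this design, so a hit means a security group or route
    is wider than intended."""
    return [r for r in records
            if r.log_status == "OK" and r.action == "ACCEPT"
            and r.dstport in ports and r.srcaddr is not None and r.srcaddr not in vpc]


def reject_count(records: List[Record]) -> int:
    """REJECTs are security group / network ACL drops: a coarse noise gauge."""
    return sum(1 for r in records if r.action == "REJECT")


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("records:", len(recs), "rejects:", reject_count(recs))
    for r in external_db_accepts(recs):
        print("external DB access:", r.srcaddr, "->", r.dstaddr, r.dstport)
```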
So we’re done?
No! There’s more!
You can have lots of VPCs
[Diagram: one BIG VPC alongside many Baby VPCs.]
So why have multiple VPCs?
Question: “Why have multiple AWS accounts?”
Why have multiple accounts?
• Damage limitation
• Control/Autonomy
• Regulation
• Disaster Recovery
“But I need my resources to communicate with those in other VPCs!”
Use VPC Peering
[Diagram: VPC A peered with VPC B.]
VPC peering got much better in the last year!
• Reference Security Groups in peered VPCs
  e.g. VPC A Security Group ID sg-000001a allows inbound port 80 from Security Group ID sg-000001b, which is applied to resources in VPC B
• Resolve DNS in peered VPCs
  e.g. When VPC A resolves ‘ec2-35-176-15-190.eu-west-2.compute.amazonaws.com’, which lives in VPC B, it resolves to 10.10.0.162, not 35.176.15.190
• AWS have good (not cheap) transit VPC solutions
VPC peering limitations
• Unique address space required
• No (native) VPC transit
[Diagram: VPC peering full mesh.]
Why would I want to transit a VPC anyway?
• Force all traffic through central firewall(s)
Force all traffic through central firewall(s)
‘Local’ routes create real challenges!
[Diagram: Subnet A (Web), Subnet B (DB) and Subnet C (FW/IDS) in one VPC; inter-subnet traffic between Web and DB follows the VPC’s ‘local’ route rather than passing through the FW/IDS.]
Force all (inter-subnet) traffic through a firewall (for IDS/IPS)
[Diagram: Customer-VPC 10.0.0.0/16, Carl Simpson – Zen Internet Ltd, Draft – Version 3, dated 27/08/2015. Each AZ holds PubSub1 (F5 load balancer and Cisco ASA; 10.0.1.0/24 in AZ A), PubSub2 (10.0.2.0/24), TransitSub1 (10.0.3.0/24), TransitSub2 (Cisco Firepower; 10.0.4.0/24), WebFarmSub1 (10.0.5.0/24), WebFarmSub2 (10.0.6.0/24) and DBSub1 (10.0.7.0/24); AZ B mirrors this as 10.0.101.0/24 to 10.0.107.0/24 and AZ C as 10.0.201.0/24 to 10.0.207.0/24. Clients query Route53 (health checked & RR/weighted DNS) and reach the F5s’ EIPs via the IGW; the VGW links to the Co-lo. The AWS public route tables hold only 10.0.0.0/16 via local and 0.0.0.0/0 via IGW, so they cannot steer intra-VPC traffic. Instead each F5 SNATs client traffic to 192.168.0.1 (AZ A), 192.168.0.2 (AZ B) or 192.168.0.3 (AZ C), addresses outside the VPC CIDR; the AWS private route tables point 192.168.0.1/32 and 192.168.0.2/32 at the Cisco Firepower interfaces and 0.0.0.0/0 at the Cisco ASA, so web-farm return traffic cannot take the ‘local’ route. Forward traffic is chained by the appliances’ own routing tables: the F5 routes the web-farm prefixes (10.0.5.0/24, 10.0.6.0/24, 10.0.105.0/24, 10.0.106.0/24) to the ASA, the ASA to the Firepower, and the Firepower hands them to the AWS private route table. Security groups: LbSG1, WebSG1, WebSG2, DB-SG1.]
Why would I want to transit a VPC anyway?
• Force all traffic through a firewall
• Privately route between VPCs in remote regions
AWS Global VPC Transit Solution: https://aws.amazon.com/answers/networking/transit-vpc/
Direct Connect
Why use Direct Connect?
• Lower latency – X
  [Diagram: You Are Here! (Manchester), EU-WEST-1 (Dublin), EU-WEST-2 (London); the Best DirectConnect Path is shown.]
• Service Level Agreement – X
  Let’s check the AWS Direct Connect FAQs:
  “Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?”
  Answer: “Not at this time.”
• High Bandwidth
  AWS Direct Connect Bandwidth:
  • Provides 1 Gbps and 10 Gbps ports
  • Now supports LACP
• Consistent Network Performance?
  • Dedicated Links
  • Isolated from Internet Routing changes
  • More controlled environment
• Private Connectivity to Amazon VPC
• Private Connectivity to AWS public services
Connectivity Options - Single Site Solution (Use Zen, we can provide this! :-))
[Diagram: Customer Office connected to the VGW.]
Connectivity Options - Multi-site solution (Use Zen, we can provide this too! :-))
[Diagram: Customer Office(s) and Customer Data Centre(s) over a Customer IPVPN/MPLS to the VGW.]
Connectivity Options – Multi-site solution (private and public) (Use Zen, we can provide this too! :-))
Customer requires Public IP space for access to public services!
[Diagram: as above, plus Public Services (Amazon S3, Lambda function, Amazon SQS) reached over the same connection.]
So how do I get Direct Connect?
• DIY connection
  • 1G or 10G bandwidth options only
  • Build your network out to a direct connect location
• Hosted connection
  • 50M bandwidth and up
  • Partner ‘may’ bring the connection to you
Direct Connect - A little more detail
Direct Connect Routing
[Diagram: Customer/Partner Router (Customer/Partner ASN) and AWS Router (Amazon ASN) connected on VLAN 1, exchanging routes over eBGP (Announce Routes in both directions); the AWS Router fronts the VGW.]
• MED and AS PATH prepending supported
• Direct Connect preferred over VPN connection
What we’ve covered:
• VPC
• VPC End Points
• VPC Peering
• Direct Connect
Final thing…
Public Cloud Connect: for multi-cloud access
[Diagram: Customer Site 1, Customer Site 2 … Customer Site n connected via Public Cloud Connect to the AWS (EU-West) Regions and Another Cloud Provider.]
Thanks!
Questions?