© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC and DX PoP @ HKG
Ken Chan, Product Business Development Manager, Greater China (kenchan@amazon.com)
Customers have Data Centers
The journey to AWS is a well-trodden path
[Figure: four stages of adoption, deployed one after another: (1) Development & Test, (2) New Applications (digital, mobile, analytics/big data), (3) DC Migration (mission-critical apps), (4) All In; "all together" spans the stages]
HYBRID
A hybrid deployment integrates four things with the on-premises estate:
• Integrated networking
• Integrated access control and VDI
• Integrated storage, backups and DR
• Integrated management
Integrating AWS with existing On-Premises Infrastructure
[Figure: on-premises networks 10.0.100.0 and 10.0.200.0 running Microsoft Active Directory, a custom LDAP directory and App 1, connected to AWS Directory Service, Amazon WorkSpaces, AWS Storage Gateway, Amazon S3 (eleven 9s of durability) and AWS Marketplace]
Create VPC
[Figure: VPC 10.10.0.0/16 with subnet 10.10.1.0/24 in AZ A and subnet 10.10.2.0/24 in AZ B]
aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b
Launch EC2 Instances
[Figure: the same VPC (10.10.0.0/16; 10.10.1.0/24 in AZ A, 10.10.2.0/24 in AZ B) with three instances in each subnet]
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3
Establish Public Connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Your default VPC is already configured this way: an Internet gateway is attached and its main route table carries a 0.0.0.0/0 route to it.
[Figure: VPC 10.10.0.0/16 (10.10.1.0/24 in AZ A, 10.10.2.0/24 in AZ B) with the Internet gateway attached]
I love VPC, what about … ?
• Security?
• Connectivity options?
• DMZ / no Internet?
[Figure: the same VPC, 10.10.0.0/16 with 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B]
VPC Endpoints for Amazon S3: Getting to Amazon S3 without the Internet
Amazon S3 without an Internet Gateway
[Figure: VPC 10.10.0.0/16 (10.10.1.0/24 in AZ A, 10.10.2.0/24 in AZ B) reaching Amazon S3 through a VPC endpoint, with no Internet gateway]
Setting up an Amazon S3 endpoint
aws ec2 create-vpc-endpoint --vpc-id vpc-c15180a4 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-ef36e58a
Routes: Amazon S3 Connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
Routes:
DestinationCidrBlock | DestinationPrefixListId | GatewayId
10.10.0.0/16         |                         | local
                     | pl-68a54001             | vpce-a610f4cf
The endpoint adds a route whose destination is the AWS-managed S3 prefix list (pl-68a54001) rather than a CIDR; traffic to those prefixes goes to the endpoint instead of an Internet gateway.
Managed NAT Gateways
Network Address Translation Gateway for AWS
Managed NAT Gateways in VPC: how does this feature work? It is a new architecture implementation.
• One managed NAT gateway per AZ: a NAT gateway lives in a single AZ, so give each AZ its own and point that AZ's private route table at it
• No downtime on failure of the gateway itself: availability is managed by AWS
Note: a NAT gateway (or rather, its ENI) exists within a public subnet; private subnets reach it through a 0.0.0.0/0 route in their route table
[Figure: VPC 10.10.0.0/16 with 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B, a NAT gateway in each AZ]
VPC Peering: Getting between VPCs without the Internet
Shared Services VPC using VPC peering
Common/core services to host in the shared VPC:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
VPC peering for VPC-to-VPC Connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
# In VPC A's route table
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
# In VPC B's route table
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87
The two VPC CIDRs must not overlap, and each side needs its own route; peering is not transitive, so a VPC peered with B does not gain a path to A.
[Figure: VPC A, 10.10.0.0/16 (vpc-c15180a4) with subnet 10.10.1.0/24 in AZ A, peered with VPC B, 10.20.0.0/16 (vpc-062dfc63) with subnet 10.20.1.0/24 in AZ A]
VPC peering Across Accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In the owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
[Figure: VPC A, 10.10.0.0/16 (vpc-c15180a4, subnet 10.10.1.0/24 in AZ A) peered with VPC B, 10.20.0.0/16 (vpc-062dfc63, subnet 10.20.1.0/24 in AZ A) owned by account 472752909333]
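As an added example (not from the deck, and not calling AWS) of how the route tables on these slides resolve a destination: a small Python model of longest-prefix matching over the rtb-ef36e58a routes, including the prefix-list route to vpce-a610f4cf shown in the describe-route-tables output above and the peering routes just created. The members of pl-68a54001 are constructed placeholders (the real ones come from `aws ec2 describe-prefix-lists`); the overlap check before peering and the "no route to a non-peered VPC" case are the two things the CLI output does not show.

```python
"""Model of VPC route-table resolution (example code, not AWS's)."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the AWS-managed S3 prefix list pl-68a54001.
PREFIX_LISTS = {"pl-68a54001": ["203.0.113.0/24", "198.51.100.0/24"]}


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block or a prefix-list ID such as pl-68a54001
    target: str        # local, igw-..., pcx-..., vpce-..., nat-...


class RouteTable:
    def __init__(self, rtb_id, routes):
        self.rtb_id = rtb_id
        self.routes = list(routes)

    def _expanded(self):
        """Yield (network, target) pairs, expanding prefix-list routes."""
        for r in self.routes:
            if r.destination.startswith("pl-"):
                for cidr in PREFIX_LISTS[r.destination]:
                    yield ipaddress.ip_network(cidr), r.target
            else:
                yield ipaddress.ip_network(r.destination), r.target

    def lookup(self, dst):
        """Longest-prefix match, as the VPC router does; None means no route."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, target in self._expanded():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def peering_allowed(cidr_a, cidr_b):
    """create-vpc-peering-connection is refused for overlapping CIDRs."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def add_peering_routes(rtb_a, rtb_b, cidr_a, cidr_b, pcx_id):
    """Both route tables need a route; only the two peered VPCs gain reachability."""
    if not peering_allowed(cidr_a, cidr_b):
        raise ValueError(f"CIDRs overlap: {cidr_a} and {cidr_b}")
    rtb_a.routes.append(Route(cidr_b, pcx_id))
    rtb_b.routes.append(Route(cidr_a, pcx_id))


# VPC A's public route table: default route to the IGW plus the S3 endpoint route.
RTB_A = RouteTable("rtb-ef36e58a", [
    Route("10.10.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-5a1ae13f"),
    Route("pl-68a54001", "vpce-a610f4cf"),
])
# VPC B's route table: a private subnet with no default route.
RTB_B = RouteTable("rtb-67a2b31c", [Route("10.20.0.0/16", "local")])
add_peering_routes(RTB_A, RTB_B, "10.10.0.0/16", "10.20.0.0/16", "pcx-ee56be87")


def demo():
    """Resolve a few destinations from each VPC's point of view."""
    return {
        "a_to_s3": RTB_A.lookup("203.0.113.9"),     # /24 from the prefix list beats 0.0.0.0/0
        "a_to_internet": RTB_A.lookup("8.8.8.8"),
        "a_to_vpc_b": RTB_A.lookup("10.20.1.4"),
        "b_to_vpc_a": RTB_B.lookup("10.10.1.7"),
        "b_to_vpc_c": RTB_B.lookup("10.30.0.5"),    # hypothetical VPC C, not peered: dropped
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name}: {target}")
```

The lookup returns None for 10.30.0.5 because nothing in VPC B's table covers it; if VPC A's table had been used instead, the same address would have matched 0.0.0.0/0 and left through the Internet gateway, which is why private subnets that only need peering and endpoints should not carry a default route.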
VPN and AWS Direct Connect: Getting between VPC and your data center
[Figure: customer data center connected to AWS through an AWS Direct Connect location]
An AWS Direct Connect Private Virtual Interface (PVI) connects to the VGW on a VPC:
• 1 PVI per VPC
• 802.1Q VLAN tags isolate traffic across AWS Direct Connect
Private fiber connection: one or multiple pipes of 50–500 Mbps, 1 Gbps or 10 Gbps
Simplify with AWS Direct Connect
[Figure: the corporate network reaching a public-facing web app and the Prod, QA and Dev VPCs in an AWS region over one Direct Connect link]
At the Direct Connect location
[Figure: the customer's router in the colocation at the DX location is cross-connected to the AWS Direct Connect routers and on to the AWS backbone network; the customer's own network reaches that router on its side of the demarcation]
Dedicated port through Direct Connect partner
[Figure: as above, but the access circuit from the customer network terminates on partner equipment in the partner network at the DX location, and the partner's cross-connect reaches the AWS Direct Connect routers]
Multiple VPCs over AWS Direct Connect
[Figure: one customer switch + router carrying VLANs 101, 102 and 103 over a single Direct Connect connection, one private virtual interface per VPC]
AWS side (one PVI per VPC, each terminating on that VPC's VGW):
Private VIF | VLAN tag | BGP ASN | BGP announce | Interface IP | VPC
PVI 1 | 101 | 7224 | 10.1.0.0/16 | 169.254.251.5/30 | VPC 1, 10.1.0.0/16 (VGW 1)
PVI 2 | 102 | 7224 | 10.2.0.0/16 | 169.254.251.9/30 | VPC 2, 10.2.0.0/16 (VGW 2)
PVI 3 | 103 | 7224 | 10.3.0.0/16 | 169.254.251.13/30 | VPC 3, 10.3.0.0/16 (VGW 3)
Customer side:
Interface | VLAN tag | BGP ASN | BGP announce | Interface IP
0/1.101 | 101 | 65001 | customer internal | 169.254.251.6/30
0/1.102 | 102 | 65002 | customer internal | 169.254.251.10/30
0/1.103 | 103 | 65003 | customer internal | 169.254.251.14/30
Resulting route table on the customer internal network:
Destination | Target
10.1.0.0/16 | PVI 1
10.2.0.0/16 | PVI 2
10.3.0.0/16 | PVI 3
Public AWS + VPCs over AWS Direct Connect
[Figure: the same three private VIFs (VLANs 101, 102, 103 to VPC 1 10.1.0.0/16 / VGW 1, VPC 2 10.2.0.0/16 / VGW 2, VPC 3 10.3.0.0/16 / VGW 3) plus a public virtual interface on VLAN 501 reaching the public AWS endpoints of the region, for example S3]
AWS side, Public Virtual Interface 1:
VLAN tag 501 | BGP ASN 7224 | BGP announce: AWS regional public CIDRs | Interface IP: public /30, provided by you
Customer side, interface 0/1.501:
VLAN tag 501 | BGP ASN 65501 (or a public ASN) | BGP announce: customer public prefixes | Interface IP: public /30, provided by you
Resulting route table on the customer internal network:
Destination | Target
10.1.0.0/16 | PVI 1
10.2.0.0/16 | PVI 2
10.3.0.0/16 | PVI 3
Public AWS | PVI 5
Dedicated 1G or 10G port
AWS Direct Connect Requirements
• 1 Gbps: 1000BASE-LX (1310 nm) over single-mode fiber (SMF)
• 10 Gbps: 10GBASE-LR (1310 nm) over single-mode fiber (SMF)
• Single Connector (SC)
• 802.1Q VLAN tags
• Auto-negotiation off, full duplex; a 1 Gbps port runs at 1 Gbps and cannot be downgraded to 100 Mbps
BGP session addressing and ASNs:
• Private VIF: AWS allocates link-local /30 addresses (169.254.x.x) for the BGP session and advertises the VPC CIDR block over BGP
• Public VIF: you allocate the public /30 used for the BGP session
• ASN: public or private. A public ASN must be one you own; a private ASN must fall in the private range (64512 to 65534)
Getting Started with DX
• Create the connection (console or CLI); AWS then issues a Letter of Authorization and Connecting Facility Assignment (LOA-CFA)
• Pass the LOA-CFA to your DX partner or colocation provider to get the cross-connect set up
VPN Connection
[Figure: corporate data center connected by VPN to VPC 10.10.0.0/16 (10.10.1.0/24 in AZ A, 10.10.2.0/24 in AZ B)]
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1
Using AWS Direct Connect
[Figure: corporate data center connected by Direct Connect to VPC 10.10.0.0/16 (10.10.1.0/24 in AZ A, 10.10.2.0/24 in AZ B)]
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
Remote Connectivity Best Practices
Availability: Good. One VPN connection from the corporate data center to the VGW, with instances spread across two Availability Zones. Each VPN connection consists of 2 IPsec tunnels; use Border Gateway Protocol (BGP) for failure recovery between them.
Availability: Better. A pair of VPN connections (4 IPsec tunnels total) from two customer gateways protects against failure of a customer gateway; BGP runs over all four tunnels.
Availability: Best. Redundant AWS Direct Connect connections with VPN backup, BGP on every path so that failover needs no manual route changes.
Putting it all together: what does VPC look like for a typical enterprise hybrid architecture?
[Figure: on-premises HKG site (internal customers, Symantec DPM) connected over a DX connection carrying VLAN 101, VLAN 102 and VLAN 103 to three application VPCs (Apps 1 in 10.1.0.0/16, Apps 2 in 10.2.0.0/16, Apps 3 in 10.3.0.0/16), each with private subnets across Availability Zones 1a and 1b; a Shared Services VPC (AD, DNS, monitoring, logging) reached by VPC peering from each application VPC; two further VPCs drawn as 172.1.0.0/16 and 172.2.0.0/16; the Internet and the AWS API reached separately]
Note that 172.1.0.0/16 and 172.2.0.0/16 as drawn are not RFC 1918 private space (the private block is 172.16.0.0/12); pick VPC CIDRs from RFC 1918 ranges that overlap neither the on-premises networks nor any peered VPC.
I love AWS, what about … ?
• Hybrid management?
• Migration?
• Reliability? Scalability?
• Availability? Performance?
• Support? Skills to adopt quickly?
• Security? Compliance and audit?
Architected for Enterprise Security Requirements
Certifications and accreditations for workloads that matter
AWS CloudTrail: AWS API call logging for governance & compliance
• Stores data in S3, or archive to Glacier
• Log and review user activity
[Figure: you are making API calls on a growing set of AWS services around the world (Amazon EBS, Amazon Redshift, AWS CloudFormation, AWS Elastic Beanstalk, …); AWS CloudTrail continuously records those API calls and delivers log files to an Amazon S3 bucket, from which you store/archive, troubleshoot, and monitor and alarm]
Using CloudWatch and VPC Flow Logs for Real-time Alerts
[Figure: an Elastic Network Interface in a private subnet sends VPC Flow Logs to a CloudWatch Logs log group; a metric filter matches all SSH REJECT records; a CloudWatch alarm fires if SSH REJECT > 10; the alarm notifies Amazon SNS, which invokes an AWS Lambda compliance app that acts on the source IP]
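Added example, not part of the deck: the detection logic of the pipeline above written out in Python, so the metric filter and alarm condition can be checked offline. It parses version-2 VPC Flow Log records, applies the same match the metric filter expresses (protocol 6, destination port 22, action REJECT), and returns the sources above the threshold. The log lines are constructed (documentation account ID 123456789012, made-up ENI and addresses); the record layout is the real one.

```python
"""VPC Flow Log parsing and SSH REJECT thresholding (example code, not from the slides)."""
from collections import Counter

# Field order of a version-2 VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_record(line):
    """Split one record into a dict. NODATA/SKIPDATA records keep the same
    14-field layout with '-' placeholders, so they parse as well."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def is_ssh_reject(rec):
    """Same test as a metric filter pattern with destport="22", protocol="6", action="REJECT"."""
    return rec["dstport"] == "22" and rec["protocol"] == "6" and rec["action"] == "REJECT"


def count_ssh_rejects(lines):
    """Rejected SSH attempts per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK":
            continue          # NODATA / SKIPDATA carry no addresses
        if is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts


def ssh_reject_alarm(lines, threshold=10):
    """Sources whose count exceeds the alarm threshold (the slide's
    'if SSH REJECT > 10'), i.e. what the Lambda compliance app receives."""
    return {src: n for src, n in count_ssh_rejects(lines).items() if n > threshold}


def _rec(src, sport, dst, dport, proto, action, start):
    """Constructed record; 123456789012 is a documentation account ID."""
    return (f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 {src} {dst} {sport} {dport} "
            f"{proto} 1 60 {start} {start + 60} {action} OK")


# Constructed sample: one brute-force source, one quieter source, and noise
# that a sloppy filter (any REJECT, or any port 22) would miscount.
SAMPLE_LINES = (
    [_rec("198.51.100.23", 40000 + i, "10.10.1.10", 22, 6, "REJECT", 1480000000 + i) for i in range(12)]
    + [_rec("203.0.113.5", 51000 + i, "10.10.1.10", 22, 6, "REJECT", 1480000100 + i) for i in range(3)]
    + [_rec("203.0.113.5", 51100, "10.10.1.10", 22, 6, "ACCEPT", 1480000200)]       # successful login
    + [_rec("198.51.100.23", 40100, "10.10.1.10", 3389, 6, "REJECT", 1480000300)]   # RDP, not SSH
    + [_rec("198.51.100.23", 40101, "10.10.1.10", 22, 17, "REJECT", 1480000301)]    # UDP/22, not SSH
    + ["2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1480000400 1480000460 - NODATA"]
)

if __name__ == "__main__":
    print(count_ssh_rejects(SAMPLE_LINES))
    print(ssh_reject_alarm(SAMPLE_LINES))
```

A CloudWatch alarm evaluates the metric per period, so in production the count is per evaluation window rather than over the whole log; the threshold logic is otherwise the same.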
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes.
Built-In Firewall: Security Groups and NACLs
• VPC Security Groups (mandatory): instance level, stateful; support ALLOW rules only; default deny inbound, allow outbound
• VPC NACLs (optional): subnet level, stateless; support ALLOW and DENY rules, evaluated in rule-number order; the default NACL allows all (a newly created custom NACL denies all); use them as guard rails (for example, deny ports 135, 21, 23 …)
• EC2 Dedicated Instances and Dedicated Hosts are also available
• No additional cost for SGs/NACLs: $0
[Figure: Security Group functional diagram in Amazon VPC. Physical interfaces on the host pass through the hypervisor to per-customer virtual interfaces; a firewall enforces Customer 1's, Customer 2's … Customer n's security groups between the hypervisor and each customer's instances]
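Added example (constructed, not from the deck or from AWS) that models the two filters in Python to make the stateful/stateless difference and the guard-rail idea concrete: a NACL evaluates each direction on its own in rule-number order with first match wins, so it needs an outbound rule for the ephemeral ports that replies use; a security group tracks connections, so a reply to an allowed flow passes without an outbound rule. The rule numbers, addresses and the one-entry-per-packet connection table are assumptions for illustration.

```python
"""Stateful security group vs stateless NACL (example code, not AWS's)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The reply packet for this flow."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"   # NACL rules may be "deny"; security groups are allow-only
    number: int = 0         # NACL evaluation order; ignored for security groups

    def matches(self, pkt, direction):
        peer = pkt.src if direction == "inbound" else pkt.dst
        return (ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)
                and self.proto in ("-1", pkt.proto)
                and self.port_from <= pkt.dport <= self.port_to)


class NetworkAcl:
    """Stateless: rules in ascending number, first match wins, trailing '*' denies."""
    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, direction, pkt):
        for r in self.rules[direction]:
            if r.matches(pkt, direction):
                return r.action
        return "deny"


class SecurityGroup:
    """Stateful, allow-only: a packet passes if a rule permits it or if it is
    the reply to a flow already permitted in the other direction."""
    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self._tracked = set()   # connection table, keyed by the permitted packet

    def evaluate(self, direction, pkt):
        if pkt.reverse() in self._tracked:
            return "allow"
        if any(r.matches(pkt, direction) for r in self.rules[direction]):
            self._tracked.add(pkt)
            return "allow"
        return "deny"


def subnet_decision(nacl, sg, direction, pkt):
    """Inbound meets the NACL first, then the SG; outbound the reverse. Any deny is final."""
    layers = (nacl, sg) if direction == "inbound" else (sg, nacl)
    return "deny" if any(l.evaluate(direction, pkt) == "deny" for l in layers) else "allow"


ANY = "0.0.0.0/0"
# Guard-rail NACL: rule 90 denies telnet ahead of rule 100's broad allow;
# outbound rule 100 admits the ephemeral ports that replies are sent to.
GUARDRAIL_NACL = NetworkAcl(
    inbound=[Rule("tcp", 23, 23, ANY, "deny", 90), Rule("tcp", 0, 65535, ANY, "allow", 100)],
    outbound=[Rule("tcp", 1024, 65535, ANY, "allow", 100)])
# Same inbound rules, but without the ephemeral-port outbound rule.
NO_EPHEMERAL_NACL = NetworkAcl(inbound=GUARDRAIL_NACL.rules["inbound"],
                               outbound=[Rule("tcp", 443, 443, ANY, "allow", 100)])


def admin_sg():
    """SSH and telnet in from the corporate range, only HTTPS out (a custom SG;
    the default SG would allow all outbound)."""
    return SecurityGroup(inbound=[Rule("tcp", 22, 22, "10.0.0.0/8"), Rule("tcp", 23, 23, "10.0.0.0/8")],
                         outbound=[Rule("tcp", 443, 443, ANY)])


def demo():
    ssh = Packet("10.0.0.5", 40000, "10.10.1.10", 22)
    telnet = Packet("10.0.0.5", 40001, "10.10.1.10", 23)
    sg = admin_sg()
    results = {
        "ssh_in": subnet_decision(GUARDRAIL_NACL, sg, "inbound", ssh),
        "ssh_reply_out": subnet_decision(GUARDRAIL_NACL, sg, "outbound", ssh.reverse()),
        "telnet_in": subnet_decision(GUARDRAIL_NACL, sg, "inbound", telnet),  # SG allows, NACL denies
        "unsolicited_out": subnet_decision(GUARDRAIL_NACL, sg, "outbound",
                                           Packet("10.10.1.10", 50000, "198.51.100.7", 22)),
    }
    sg2 = admin_sg()
    subnet_decision(NO_EPHEMERAL_NACL, sg2, "inbound", ssh)
    results["reply_without_ephemeral_rule"] = subnet_decision(NO_EPHEMERAL_NACL, sg2, "outbound", ssh.reverse())
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last case is the one that bites in practice: the SG lets the SSH reply out because it tracked the inbound flow, but the stateless NACL has no rule for destination port 40000, so the session never completes.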
World Class Storage Systems: Amazon EBS
• Increased performance and capacity of General Purpose (SSD) and Provisioned IOPS (SSD) volumes, plus encryption using AWS KMS
EBS volume type | Capacity | IOPS | Throughput
Amazon EBS General Purpose (SSD) | 16 TB (up from 1 TB) | 10,000 IOPS (up from 3,000 IOPS) | 160 MB/s *
Amazon EBS Provisioned IOPS (SSD) | 16 TB (up from 1 TB) | 20,000 IOPS (up from 4,000 IOPS) | 320 MB/s *
You can store your encryption keys in AWS CloudHSM
Tamper-resistant, customer-controlled hardware security modules within your VPC
• Industry-standard SafeNet Luna devices, Common Criteria EAL4+ and NIST FIPS 140-2 certified
• No access for the Amazon administrators who manage and maintain the appliance
• High availability and replication with on-premises HSMs
Reliable & durable key storage
• Use for transparent data encryption on self-managed databases, and natively with Amazon Redshift
• Integrate with applications using Java APIs and the AWS SDKs
• Integration with Marketplace disk-encryption and SSL products
AWS IAM (Identity and Access Management)
• Several kinds of authentication credential are issued per user:
– Access key and secret key, for authentication when using the SDKs and APIs
– Security certificate (X.509)
– Login password for the AWS Management Console
– Multi-Factor Authentication (MFA) device, for an additional level of security on the Management Console
• IAM authorizes every request from the API and the Management Console
[Figure: three groups and their grants: Administrator group (all operations granted), Developer group (all S3 operations granted), O&M group (S3 read-only access granted)]
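Added example, not from the deck: a simplified Python model of IAM's evaluation order for the three groups above (an explicit Deny is final, otherwise an Allow is required, otherwise the request is implicitly denied). The policy documents are constructed to match the grants the slide lists; the extra s3:DeleteBucket Deny statement is an assumption added to show that deny precedence holds even against the administrator's `*`. Only Action and Effect are evaluated here, not Resource or Condition.

```python
"""Simplified IAM authorization (example code, not the IAM engine)."""
from fnmatch import fnmatchcase

# Constructed policy documents matching the grants on the slide.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DEVELOPER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*"}]}
OM_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}
# Assumed guard-rail policy (not on the slide): an explicit Deny beats any Allow.
NO_BUCKET_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket"}]}

GROUP_POLICIES = {
    "Administrator": [ADMIN_POLICY, NO_BUCKET_DELETE],
    "Developer": [DEVELOPER_POLICY, NO_BUCKET_DELETE],
    "O&M": [OM_POLICY],
}


def _actions(statement):
    """'Action' may be a single string or a list of strings."""
    action = statement["Action"]
    return [action] if isinstance(action, str) else list(action)


def action_matches(pattern, action):
    """IAM action names are matched case-insensitively with * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_authorized(policies, action):
    """Any matching Deny is final; otherwise at least one matching Allow is
    required; with neither, the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if any(action_matches(p, action) for p in _actions(statement)):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def authorized_for_group(group, action):
    return is_authorized(GROUP_POLICIES[group], action)


def demo():
    checks = [("Administrator", "ec2:RunInstances"), ("Administrator", "s3:DeleteBucket"),
              ("Developer", "s3:PutObject"), ("Developer", "ec2:RunInstances"),
              ("O&M", "s3:GetObject"), ("O&M", "s3:ListBucket"), ("O&M", "s3:PutObject")]
    return {f"{group} {action}": authorized_for_group(group, action) for group, action in checks}


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request}: {'allow' if verdict else 'deny'}")
```

The O&M group's read-only grant is the interesting one for audit: `s3:Get*` and `s3:List*` cover reads, so `s3:PutObject` falls through to the implicit deny without any Deny statement being written.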
AWS Directory Service
Create a new directory in AWS: Simple AD (based on Samba 4)
Connect an existing directory to AWS: AD Connector (a custom federation proxy to the on-premises directory, reached over DX)
Broad Set of Compute Instance Types …
X1 Memory Optimized Instances: x1.32xlarge, 128 vCPUs, 2 TB RAM. Intel Xeon E7-8880 v3 (Haswell) processors, a custom processor designed specifically for EC2. Supports Enhanced Networking (SR-IOV); I/O performance very high (20 Gigabit Ethernet) via ENA.
P2 GPU Instances: p2.16xlarge, 64 vCPUs, 732 GB RAM, 16 NVIDIA GPUs (8 Tesla K80 cards; each GPU has 2,496 cores and 12 GB memory) with GPU peer-to-peer. Intel Xeon E5-2686 v4 (Broadwell) processors. Supports Enhanced Networking (SR-IOV); I/O performance very high (20 Gigabit Ethernet) via ENA.
High Availability across data centers: Multi-AZ
[Figure: a Region containing Availability Zone A and Availability Zone B]
• Amazon EC2 SLA 99.95%
• Amazon RDS SLA 99.95% for Multi-AZ
AWS Service Health Dashboard, the reliability track record, with real-time updates at http://status.aws.amazon.com/
Hybrid management and migration tooling: control from vCenter and the rich console services
• AWS Management Portal for vCenter
• VM Import/Export, also available for vmdk, vhd and ova
• VMware on AWS partnership
• AWS Application Discovery Service
AWS Database Migration Service (DMS)
[Figure: application users and the source database on the customer premises, connected over AWS DX to a DMS replication instance and the target database in AWS]
• Start a replication instance
• Connect to the source and target databases
• Select tables, schemas, or databases
• Let AWS DMS create tables, load data, and keep them in sync
• Switch applications over to the target at your convenience
AWS Server Migration Service (SMS)
Amazon EC2 Systems Manager (manage hybrid environments)
Capabilities: Run Command, State Manager, Automation, Inventory, Patch Manager, Maintenance Window, Parameter Store (grouped on the slide under "Deploy, Configure, and Administer", "Track and Update", and "Shared Capabilities")
AWS provides a rich set of APIs for your programming platform or language
• Support for many language stacks and tools: Android, iOS, Java, Node.js, .NET, PHP, Python, Ruby
• Specialized cloud tools integrated in your development environment: Eclipse, Visual Studio, CLI, PowerShell
AWS Customers in Hong Kong
AWS is ready to serve you!
• AWS Instructor-Led Training Courses
• 24x7 AWS Business and Enterprise Support
• AWS Professional Services: Cloud Adoption Framework, Architecture Jumpstart, Application Portfolio Assessment, Security Operations Playbook, Resident Architect
Remember to complete your evaluations!
Thank you
Ken Chan, Product Business Development Manager, Greater China (kenchan@amazon.com)