SUMMIT BERLIN
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Networking – Advanced Concepts and New Capabilities
Viktor Goldberg, Cloud Infrastructure Architect, AWS Professional Services
Matt Johnson, Manager, Solutions Architecture, AWS WWPS UK
What to expect
Amazon Virtual Private Cloud (Amazon VPC) enables you to have complete control over your AWS virtual networking environment.
In this session, we will work through the process and features involved to build an advanced hybrid and connected architecture, exploring the new capabilities including VPC Shared Subnets, AWS Transit Gateway, Route 53 Resolver and AWS Global Accelerator.
We dive into how they work and how you might use them.
What not to expect
• Explanation of VPC basics; we assume that you know:
  • VPCs
  • Subnets
  • Route tables
  • Security groups / NACLs
• Explanation of AWS core services
Agenda
• Account strategy
• Connectivity (VPN, WAN, AWS Direct Connect, Transit VPC)
• Network services
• Shared services
• Multi-Region options
Our starting point
(diagram: an on-premises WAN reaches AWS over VPN and AWS Direct Connect, terminating on a virtual private gateway in front of a Dev VPC and a Prod VPC)
Challenge: Adding more VPCs
(diagram: the same VPN, WAN and AWS Direct Connect path now has to serve three Dev/Prod VPC pairs)
Challenge: Peering VPCs
(diagram: VPN, WAN and AWS Direct Connect in front of three Dev/Prod VPC pairs)
Let’s:
• Connect dev and prod with VPC peering
• Connect the yellow environment
How does this scale?
(diagram: VPN, WAN and AWS Direct Connect in front of six Dev/Prod VPC pairs)
• Scaling connections?
• Scaling VPC peering?
• Shared services?
• Firewall and services?
Transit VPC
(diagram: VPN, WAN and AWS Direct Connect terminate in a transit VPC, which acts as the hub for the six Dev/Prod VPC pairs)
Transit Gateway
(diagram: the same topology with an AWS Transit Gateway as the hub instead of a transit VPC)
Account and VPC segmentation
Smaller VPCs or accounts vs. larger VPCs or accounts (a spectrum)
Infrastructure and networking:
• Automation of infrastructure
• AWS Direct Connect and VPN standards
• Subnet and routing standards
Policy and IAM:
• AWS Identity and Access Management
• Strict security groups and routing
• Identifying resources with tags
Segmentation: Decision inputs
Relationship between accounts, VPCs, and tenants?
• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?
• Each team or a centralized team?
Compliance and governance requirements?
• Can they be scoped to an account or a VPC level?
Segmentation options: Layers
• Baseline security, inside the account: IAM and security groups (applied per application)
• Network security, at the VPC: route tables and network ACLs
• Separate VPCs
Segmentation in a VPC with network ACLs
Mimic the behavior of a single VPC with an inbound network ACL on the subnet:
# | Source | Action
100 | 10.0.1.0/24 | ALLOW
101 | 10.0.101.0/24 | ALLOW
200 | 10.0.0.0/16 | DENY
300 | 0.0.0.0/0 | ALLOW
Rules are evaluated in ascending order and the first match wins: the two sibling subnets are allowed, the rest of the VPC is denied, and everything outside the VPC is allowed. Network ACLs are stateless, so the outbound ACL needs matching rules for the return traffic.
Both? Provide granular account control with centralized infrastructure
VPC sharing
Easily share VPC networks between AWS accounts, providing central oversight and control for networking engineers.
VPC Sharing and Resource Access Manager: share subnets between accounts in an AWS Organization
(diagram: an infrastructure account owns the VPC and publishes two resource shares, one containing public and private subnets and one containing private subnets only, to four participant accounts)
Account owners only see the shared subnets and their resources.
Segmentation in a Shared VPC with network ACLs
(diagram: four participant accounts; resource share 1 contains public subnet 10.0.1.0/24 and private subnet 10.0.101.0/24; resource share 2 contains public subnet 10.0.2.0/24 and private subnet 10.0.102.0/24)
Mimic the behavior of a single VPC with an inbound network ACL on the 10.0.101.0/24 subnet:
# | Source | Action
100 | 10.0.1.0/24 | ALLOW
101 | 10.0.101.0/24 | ALLOW
200 | 10.0.0.0/16 | DENY
300 | 0.0.0.0/0 | ALLOW
The same rule set as before: a tenant’s own public and private subnets admit each other, the other tenant’s subnets in the shared VPC are denied, and everything outside the VPC is allowed. In a shared VPC the network ACL belongs to the owning infrastructure account; participants cannot edit it.
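The inbound ACL on the single-VPC and shared-VPC slides only works because of rule ordering. The following is an added example, not code from the deck or from AWS: it models first-match evaluation of that ACL (rule numbers and CIDRs are the slide’s) against constructed source addresses, and shows what happens when the VPC-wide deny is numbered before the allows.

```python
"""First-match evaluation of a VPC network ACL.

Added example, not code from the deck or from AWS: it models the inbound
ACL shown on the single-VPC and shared-VPC slides (rules 100, 101, 200, 300)
and shows what changes when the deny rule is numbered before the allows.
Rule numbers and CIDRs are the slide's; sample source addresses and the
misordered variant are constructed.
"""
from ipaddress import ip_address, ip_network

# Inbound ACL from the slides for the 10.0.101.0/24 private subnet:
# allow its own public subnet and itself, deny the rest of the VPC,
# allow everything else (internet / return traffic).
SLIDE_INBOUND_ACL = [
    (100, "10.0.1.0/24",   "ALLOW"),
    (101, "10.0.101.0/24", "ALLOW"),
    (200, "10.0.0.0/16",   "DENY"),
    (300, "0.0.0.0/0",     "ALLOW"),
]

# Same rules, but the VPC-wide deny is numbered lowest: it now shadows
# the two allows, and the tenant's own subnets are cut off.
MISORDERED_ACL = [
    (100, "10.0.0.0/16",   "DENY"),
    (200, "10.0.1.0/24",   "ALLOW"),
    (201, "10.0.101.0/24", "ALLOW"),
    (300, "0.0.0.0/0",     "ALLOW"),
]


def evaluate_acl(rules, src_ip):
    """Return (rule_number, action) of the first rule that matches src_ip.

    Network ACLs are walked in ascending rule-number order and the first
    match wins. A packet matching no numbered rule hits the implicit '*'
    deny, reported here as rule None. Protocol and port matching, which a
    real ACL rule also carries, is left out to keep the ordering visible.
    """
    src = ip_address(src_ip)
    for number, cidr, action in sorted(rules, key=lambda r: r[0]):
        if src in ip_network(cidr):
            return number, action
    return None, "DENY"


def allowed_sources(rules, candidates):
    """Filter a list of source IPs down to those the ACL admits."""
    return [ip for ip in candidates if evaluate_acl(rules, ip)[1] == "ALLOW"]


if __name__ == "__main__":
    # Constructed probes: own public subnet, own private subnet, the other
    # tenant's two subnets, and an internet address.
    probes = ["10.0.1.10", "10.0.101.20", "10.0.2.10", "10.0.102.20", "203.0.113.5"]
    for name, acl in (("slide", SLIDE_INBOUND_ACL), ("misordered", MISORDERED_ACL)):
        print(name, {ip: evaluate_acl(acl, ip) for ip in probes})
```

Two things the model makes visible: the misordered variant silently denies the tenant’s own public subnet because rule 100 wins before rule 200 is ever consulted, and an empty rule set denies everything. Because network ACLs are stateless, the outbound ACL must carry matching rules (including the ephemeral port range for return traffic), and in a shared VPC only the owning account can change either direction.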
VPC Sharing benefits
Fewer unused resources
• Higher-density subnets; add up to 5 additional CIDRs
• More efficient use of VPN and AWS Direct Connect
Separation of duties
• Infrastructure strictly controls routing, IP addresses, and VPC structure
• Developers own their resources, accounts, and security groups
Decouple accounts and networks
• Account protection and billing without additional infrastructure
• Many accounts with fewer networks
• Avoid VPC peering charges
Segmentation considerations: Where to start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared VPCs
• Tenants should limit access from the internet and other tenants
• VPCs using VPC peering are likely to benefit from Shared VPCs
• Design around resource and limit contention
Separate VPCs
• Often the best security decision is the simplest. Separate VPCs are simple.
• Use separate VPCs for strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Transit Gateway route tables define multi-VPC policy
• Consider isolating environments (dev and prod) and allow access to shared resources
Shared services connectivity options
VPC peering
• One-to-one connectivity
• Scales to 100 VPCs
• Security groups across VPCs
• Inter-region peering
Transit VPC
• Shared services as a spoke
• Bandwidth constrained
• Complex management
• Instance and licensing costs
AWS Transit Gateway
• Many-to-many or one-to-many with route tables
• Highly scalable
• Hourly per-AZ endpoint costs
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly endpoint costs
(diagrams: VPN, WAN and AWS Direct Connect into a transit VPC with a shared services spoke; a Transit Gateway with route tables connecting Development, Testing, Production and Shared Services account groups)
Transit VPC mechanics
(diagram: VPN, WAN and AWS Direct Connect terminating in a transit VPC)
Transit VPC: Routing
(diagram: transit VPC 10.0.0.0/16 with internet access; spoke VPCs 10.1.0.0/16 and 10.2.0.0/16, each attached to the transit VPC through its own virtual private gateway (VGW) and a Virtual Private Network (VPN))
Spoke route table (10.2.0.0/16):
Destination | Target
10.2.0.0/16 | Local
0.0.0.0/0 | VGW
The VPN instances in the transit VPC advertise routes to each VGW with BGP. This can be a default route or individual routes.
Why doesn’t peering work?
(diagram: the same spokes, 10.1.0.0/16 and 10.2.0.0/16, attached to transit VPC 10.0.0.0/16 by VPC peering instead of VPN)
Spoke route table (10.2.0.0/16):
Destination | Target
10.2.0.0/16 | Local
0.0.0.0/0 | PCX
Destination: Internet. VPC peering does not support transitive routing: traffic crossing a peering connection must either originate or terminate on a network interface in the VPC, so a packet bound for the internet through the transit VPC is dropped at the peering connection.
Why does VPN work?
(diagram: spokes 10.1.0.0/16 and 10.2.0.0/16 reach transit VPC 10.0.0.0/16 over a Virtual Private Network (VPN))
Spoke route table (10.2.0.0/16):
Destination | Target
10.2.0.0/16 | Local
0.0.0.0/0 | VGW
Destination: Internet. The same rule holds, traffic must originate or terminate on a network interface in the VPC, but here it does: the VPN tunnel terminates on the VPN instances’ network interfaces in the transit VPC, and those instances forward the traffic on. Transitive routing is done by the instances, not by the VPC fabric.
What is the AWS Transit Gateway?
Introducing: Transit Gateway
(diagram: within one AWS Region, a Transit Gateway with ENIs in the attached VPCs, VPN attachments, AWS Direct Connect*, and two routing domains)
• Regional service
• Scalable
• Flexible routing
* AWS Direct Connect support available Q1 2019
Flat: Transit Gateway route domains (route tables)
Default routing domain (Transit Gateway route table):
Destination | Target
10.1.0.0/16 | vpc-att-1xxxxxxx
10.2.0.0/16 | vpc-att-2xxxxxxx
10.3.0.0/16 | vpc-att-3xxxxxxx
10.4.0.0/16 | vpc-att-4xxxxxxx
Per VPC (VPC route table):
Destination | Target
10.1.0.0/16 | Local
10.0.0.0/8 | tgw-xxxxxxxxx
Isolated: Transit Gateway route domains
Routing domain for VPN (the table the workload VPC attachments consult; its only route points at the VPN):
Destination | Target
0.0.0.0/0 | VPN
Routing domain for VPCs (the table the VPN attachment consults; it carries a route to every VPC):
Destination | Target
10.1.0.0/16 | vpc-att-1xxxx
10.2.0.0/16 | vpc-att-2xxxx
10.3.0.0/16 | vpc-att-3xxxx
10.4.0.0/16 | vpc-att-4xxxx
Per VPC (VPC route table):
Destination | Target
10.1.0.0/16 | Local
0.0.0.0/0 | tgw-xxxxxxxxx
Two operations build the domains:
• Associate: an attachment is associated with exactly one Transit Gateway route table, which is consulted for traffic coming from that attachment (where it can go)
• Propagate: an attachment’s routes are propagated into any number of route tables (who can reach it)
With the VPC attachments associated to the first table and the VPN attachment to the second, every VPC can reach on-premises and on-premises can reach every VPC, but the VPCs cannot reach each other.
Isolated: Transit Gateway route domains, with shared services
(diagram: Transit Gateway with a shared services VPC, a VPN attachment and workload VPC attachments)
Route table for the shared services and VPN attachments (routes to all resources):
Destination | Target
10.1.0.0/16 | vpc-att-1xxxx
10.2.0.0/16 | vpc-att-2xxxx
10.3.0.0/16 | vpc-att-3xxxx
10.4.0.0/16 | vpc-att-4xxxx
Route table for the workload VPC attachments (routes to shared resources only):
Destination | Target
10.0.0.0/8 | VPN
10.4.0.0/16 | vpc-att-4xxxx
VPCs associate to a route table with routes to shared resources.
Shared resources attach to a route table with routes to all resources.
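The association/propagation split is easier to reason about when it is executable. The following is an added example, not code from the deck or from AWS: it models the isolated layout above (workload VPC attachments 1 to 3, shared services VPC 4, a VPN attachment) as Transit Gateway route tables with longest-prefix lookup, and checks reachability in both directions. The on-premises range 10.200.0.0/16, the table names and the blackhole routes are assumptions. It also shows a side effect of the slide’s 10.0.0.0/8 summary route toward the VPN: that prefix covers the other workload VPCs too, so spoke-to-spoke traffic is handed to the on-premises router rather than dropped.

```python
"""Transit Gateway route domains: association vs. propagation.

Added example, not code from the deck or from AWS: it models the isolated
layout above (workload VPC attachments 1-3, a shared services VPC 4, a VPN
attachment) as route tables and answers "can A reach B?" with the same
longest-prefix rule a VPC or Transit Gateway route table uses. The
on-premises range 10.200.0.0/16 and the table names are assumptions.
"""
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"   # static route target that drops matching traffic


class TransitGateway:
    def __init__(self):
        self.attachments = {}   # attachment id -> [IPv4Network] it owns
        self.tables = {}        # route table name -> {IPv4Network: target}
        self.association = {}   # attachment id -> the ONE table it consults

    def attach(self, att_id, cidrs):
        self.attachments[att_id] = [ip_network(c) for c in cidrs]

    def create_table(self, name):
        self.tables[name] = {}

    def associate(self, att_id, table):
        """Association: traffic entering from att_id is looked up in `table`
        (this decides where the attachment can GO)."""
        self.association[att_id] = table

    def propagate(self, att_id, table):
        """Propagation: att_id's CIDRs are added to `table` as routes
        (this decides who can REACH the attachment)."""
        for cidr in self.attachments[att_id]:
            self.tables[table][cidr] = att_id

    def add_static_route(self, table, cidr, target):
        self.tables[table][ip_network(cidr)] = target

    def lookup(self, src_att, dst_ip):
        """Longest-prefix match; returns an attachment id, BLACKHOLE, or None."""
        table = self.tables[self.association[src_att]]
        dst = ip_address(dst_ip)
        matches = [(net, tgt) for net, tgt in table.items() if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def reachable(self, src_att, src_ip, dst_ip):
        """Forward path AND return path must resolve, or TCP never completes."""
        egress = self.lookup(src_att, dst_ip)
        if egress in (None, BLACKHOLE):
            return False
        return self.lookup(egress, src_ip) == src_att


def build_isolated_tgw(blackhole_spokes=False):
    tgw = TransitGateway()
    for i in range(1, 5):
        tgw.attach(f"vpc-att-{i}", [f"10.{i}.0.0/16"])
    tgw.attach("vpn-att", ["10.200.0.0/16"])          # assumed on-prem range
    tgw.create_table("vpcs")     # consulted by workload VPCs 1-3
    tgw.create_table("shared")   # consulted by shared services VPC 4 and VPN
    for i in (1, 2, 3):
        tgw.associate(f"vpc-att-{i}", "vpcs")
        tgw.propagate(f"vpc-att-{i}", "shared")       # shared/VPN can reach them
    for att in ("vpc-att-4", "vpn-att"):
        tgw.associate(att, "shared")
        tgw.propagate(att, "shared")
    tgw.propagate("vpc-att-4", "vpcs")                # spokes can reach shared svcs
    tgw.add_static_route("vpcs", "10.0.0.0/8", "vpn-att")   # the slide's summary route
    if blackhole_spokes:
        # The /8 summary also covers the other spokes' /16s, so spoke-to-spoke
        # traffic would be handed to the on-prem router. Blackhole it instead.
        for i in (1, 2, 3):
            tgw.add_static_route("vpcs", f"10.{i}.0.0/16", BLACKHOLE)
    return tgw


if __name__ == "__main__":
    for hardened in (False, True):
        tgw = build_isolated_tgw(hardened)
        print("blackholes" if hardened else "slide table",
              "VPC1->shared:", tgw.reachable("vpc-att-1", "10.1.0.5", "10.4.0.10"),
              "VPC1->VPC2:", tgw.reachable("vpc-att-1", "10.1.0.5", "10.2.0.5"))
```

With the slide’s table as given, VPC 1 to VPC 2 resolves to the VPN attachment and the return path exists, so isolation then depends on the on-premises router refusing to hairpin the traffic; with blackhole routes for the spoke prefixes (or by advertising only the specific on-premises prefixes instead of a /8) the lookup drops it inside the Transit Gateway. The model does not reproduce the tie-break between a static and a propagated route for the same prefix; it simply keeps the last one written.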
Reference Network Architecture
(diagram: twelve accounts in groups attached to a Transit Gateway with route tables; VPN and AWS Direct Connect* into the Transit Gateway; IAM and cross-account roles spanning the accounts)
* AWS Direct Connect support available Q1 2019
Quick comparison: Transit Gateway and Transit VPC
(diagram: VPN, WAN and AWS Direct Connect into a transit VPC, side by side with the same connectivity into a Transit Gateway)
AWS Global Infrastructure
Regions and Availability Zones
• 20 Regions with 60 Availability Zones
• 4 Regions coming soon: Bahrain, Cape Town, Hong Kong SAR, and second USA GovCloud
Points of Presence
• 160 Points of Presence (PoPs): 149 Edge Locations and 11 Regional Edge Caches
Amazon Global Network
• Redundant 100 GbE network
• Private network capacity between all AWS Regions, except China
Multiple services traverse the backbone
Content Distribution with Amazon CloudFront
• Fast, massively scaled and globally distributed
• Highly programmable
• Deep integration with AWS
• Network and application protection at the edge
Introducing AWS Global Accelerator
(diagram: a user behind a local ISP crosses networks A to F before reaching the application)
Accessing your application is not this straightforward! It can take many networks to reach the application:
• Paths to and from the application may differ
• Each hop impacts performance and can introduce risk
Accessing your web applications with AWS Global Accelerator
(diagram: the local ISP hands off directly to the AWS network)
• Adding AWS Global Accelerator removes these inefficiencies
• Leverages the global AWS network
• Resulting in improved performance
(diagram: the same Global Accelerator static anycast address, 3.10.3.125, is announced in front of both AWS Region 1 and AWS Region 2)
Connecting to on-premises
Virtual Private Gateway VPN
• Per VPC
• 1.25 Gbps per tunnel
• Encrypted in transit
AWS Direct Connect
• Per VPC (50 private VIFs per port)
• Multiple VPCs with Direct Connect gateway
• No per-tunnel bandwidth cap; bounded by the port speed
AWS Transit Gateway VPN
• Multiple VPCs
• Add VPN connections as needed
• 1.25 Gbps per tunnel
• Roadmap: AWS Direct Connect
Amazon EC2 Customer VPN
• Per VPC or multiple (Transit VPC)
• Bandwidth varies by instance type
• AWS Marketplace options
• Scalability is generally limited by management complexity
Private connectivity with AWS Direct Connect
• Dedicated private connection from on-premises to AWS
• Consistent network performance
• Reduced bandwidth costs
• Compatible with all AWS services
AWS Direct Connect to many VPCs
(diagram: an on-premises WAN with customer routers at two AWS Direct Connect locations, each peering with an AWS router; one private virtual interface (VIF) per VPC, here 10.1.0.0/16 and 10.2.0.0/16, in a single AWS Region)
• Up to 50 VIFs per port
AWS Direct Connect and Transit Gateway
Option 1: Use Direct Connect in parallel
• Private virtual interfaces terminate on the VPCs, alongside the VPN into the Transit Gateway (diagram: accounts attached to a Transit Gateway with route tables; VPN into the Transit Gateway; AWS Direct Connect private VIFs next to it)
Option 2: Use VPN over a Direct Connect public virtual interface (VIF)
• Receive the AWS public IP addresses of the Region over the public VIF and run the Transit Gateway VPN across it (diagram: AWS Direct Connect public VIF into the Region, VPN from it into the Transit Gateway)
Native Direct Connect support planned for Q1 2019
VPN with Transit Gateway
(diagram: a customer gateway VPN into a Transit Gateway with route tables)
Consolidate VPN at the Transit Gateway (TGW)
• VPN acts similar to the Virtual Private Gateway (VGW): bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a TGW instead of a VGW
• Same 1.25 Gbps bandwidth per tunnel applies
Encryption to the edge of many VPCs
• Traffic is encrypted until it’s inside the VPC
• Does not natively encrypt traffic between VPCs (inter-region VPC peering does)
VPN with Transit Gateway: Add more bandwidth
(diagram: a customer gateway with several tunnels into a Transit Gateway with route tables)
Support for spreading traffic across many tunnels
• Equal Cost Multi-Path (ECMP) support with BGP multi-path
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multi-path BGP
• ECMP support, number of equal paths, reverse-path forwarding/spoofing checks
• Only supported with BGP, not static routing
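Why “split traffic into smaller flows” is on the slide: ECMP pins each flow to one tunnel, so the aggregate is only available to traffic that consists of many flows. The following is an added example, not code from the deck or from AWS: it models flow-to-tunnel hashing and the per-tunnel cap and compares one large flow with the same volume as many parallel streams. The tunnel count, flow tuples and demands are constructed inputs; the 1.25 Gbps cap is the figure from the slide.

```python
"""ECMP over several VPN tunnels: why flow size matters.

Added example, not code from the deck or from AWS: it models how an ECMP
router pins each flow to one tunnel by hashing the 5-tuple, so one elephant
flow is capped at a single tunnel's 1.25 Gbps while many small flows use the
aggregate. Tunnel count, flow tuples and demands are constructed inputs.
"""
import hashlib
from collections import Counter

TUNNEL_GBPS = 1.25   # per-tunnel limit quoted on the slide


def pick_tunnel(flow, tunnels):
    """Map a 5-tuple (src, dst, proto, sport, dport) to a tunnel index.

    A deterministic hash keeps every packet of a flow on the same tunnel
    (no reordering); it also means a single flow can never be split.
    """
    key = "|".join(str(f) for f in flow).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % tunnels


def deliverable_gbps(flows, tunnels):
    """Given [(flow_tuple, demand_gbps), ...] return (per-tunnel demand,
    total Gbps actually deliverable once each tunnel is capped)."""
    load = Counter()
    for flow, demand in flows:
        load[pick_tunnel(flow, tunnels)] += demand
    delivered = sum(min(gbps, TUNNEL_GBPS) for gbps in load.values())
    return dict(load), delivered


# Constructed traffic: one 5 Gbps backup flow vs. the same 5 Gbps as 500
# parallel 10 Mbps streams (e.g. a multi-part upload), both over 4 tunnels.
ONE_BIG_FLOW = [(("10.1.0.10", "10.200.0.10", 6, 40000, 443), 5.0)]
MANY_SMALL_FLOWS = [
    (("10.1.0.%d" % (i % 250 + 1), "10.200.0.10", 6, 40000 + i, 443), 0.01)
    for i in range(500)
]

if __name__ == "__main__":
    for name, flows in (("one big flow", ONE_BIG_FLOW), ("500 small flows", MANY_SMALL_FLOWS)):
        load, delivered = deliverable_gbps(flows, tunnels=4)
        print(f"{name}: per-tunnel {load}, deliverable {delivered:.2f} Gbps")
```

The single 5 Gbps flow always lands on one tunnel and is cut to 1.25 Gbps no matter how many tunnels exist; the 500 small flows spread across all four. The same hashing is why the on-premises checks on the slide matter: the reply to a flow may hash onto a different tunnel than the request, and a strict reverse-path forwarding or anti-spoofing check on the customer router will drop it unless all tunnels are treated as one equal-cost group.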
Route 53 Resolver
• Managed DNS Resolver service from Route 53
• Create conditional forwarding rules to redirect query traffic
• Enables hybrid connectivity over AWS Direct Connect and Managed VPN
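Conditional forwarding is only as safe as the rule that wins when several overlap. The following is an added example, not code from the deck or from AWS: it models how a query name is matched against forwarding rules (the most specific domain wins, matching on label boundaries) and how a SYSTEM rule keeps a subdomain on the VPC resolver even though a broader FORWARD rule covers its parent. The domain names, target addresses and rule set are constructed.

```python
"""Conditional forwarding rule selection, modelled on Route 53 Resolver.

Added example, not AWS code or code from the deck: it shows how overlapping
rules are resolved (the most specific domain wins) and how a SYSTEM rule
carves a subdomain back out of a FORWARD rule. Domain names and target IPs
are constructed placeholders.
"""

# Constructed rule set. target_ips is where an outbound endpoint forwards;
# type SYSTEM means: do not forward, let the VPC resolver answer
# (private hosted zones, public DNS).
RULES = [
    {"domain": "example.com",         "type": "FORWARD", "target_ips": ["10.200.0.53", "10.200.1.53"]},
    {"domain": "aws.example.com",     "type": "SYSTEM",  "target_ips": []},
    {"domain": "partner.example.net", "type": "FORWARD", "target_ips": ["198.51.100.53"]},
]


def _labels(name):
    """'Db.Corp.Example.com.' -> ['db', 'corp', 'example', 'com']."""
    return name.rstrip(".").lower().split(".")


def select_rule(rules, qname):
    """Return the rule whose domain is the longest label-suffix of qname.

    A rule for example.com matches example.com and every name under it, but
    not notexample.com; among overlapping rules the one with the most labels
    (the most specific) is chosen. None means no rule applies.
    """
    q = _labels(qname)
    best, best_len = None, -1
    for rule in rules:
        d = _labels(rule["domain"])
        if len(d) <= len(q) and q[-len(d):] == d and len(d) > best_len:
            best, best_len = rule, len(d)
    return best


def route_query(rules, qname):
    """Decide where a query goes: ('FORWARD', targets) or ('VPC_RESOLVER', None)."""
    rule = select_rule(rules, qname)
    if rule is None or rule["type"] == "SYSTEM":
        return ("VPC_RESOLVER", None)
    return ("FORWARD", tuple(rule["target_ips"]))


if __name__ == "__main__":
    for name in ("db.corp.example.com", "api.aws.example.com", "notexample.com",
                 "www.partner.example.net.", "example.com"):
        print(name, "->", route_query(RULES, name))
```

Two cases worth checking in a real rule set are the ones the model exercises: a name such as notexample.com must not be swept up by the example.com rule (label boundary, not string suffix), and the SYSTEM rule for aws.example.com is what stops private hosted zone queries from being forwarded to the on-premises servers along with the rest of example.com.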
Enabling Hybrid Cloud
(diagram sequence: a VPC and a data center; an X marks the steps where DNS queries across the hybrid link fail; later steps add Route 53 Resolver between the two and extend the setup to further VPCs)
Route 53 Resolver
Benefit to you: Reduced complexity
Benefit to you: Availability
• Use AWS high availability architecture
• Create additional redundancy by provisioning more ENIs in different AZs
Benefit to you: Cross-account rule sharing
(diagram: one set of resolver rules shared across three VPCs in different accounts)
Client VPN
• Support for OpenVPN clients
• Available in 4 regions at launch; others coming soon
• Connected users charged per user per hour
(diagram: a user with an OpenVPN client builds a TLS-based tunnel over the internet to a Client VPN endpoint, which attaches to an Amazon VPC; from there the client reaches the internet, Amazon DynamoDB, Amazon S3 and on-premises)
Private connectivity with Inter-region Peering
• Private connectivity for two or more VPCs between regions
• Highly available, no single point of failure
• All traffic stays on the AWS global backbone network
• All traffic encrypted and anonymized
Multiple Regions
(diagram: an on-premises WAN with customer routers at two AWS Direct Connect locations, each peering with an AWS router over a private virtual interface (VIF) into a Direct Connect gateway in one account, which reaches VPCs in two AWS Regions)
Takeaways
We have tools and architectures that horizontally scale to many VPCs
There’s wiggle room for your specific use cases
Use services in combination to meet scale and security requirements
Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test
Thank you!