© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Robert Alexander, AWS Principal Solutions Architect
October 2015

From One to Many: Evolving VPC Design
ARC 403
Assuming you’ve heard of…
• Route Table
• Elastic Network Interface
• Amazon VPC
• Internet Gateway
• Customer Gateway
• Virtual Private Gateway
• VPN Connection
• VPC subnet
• Network ACL
• Security group
• Enhanced Networking
• VPC Peering
• AWS Direct Connect
… to many
[Diagram: VPCs spread across the regions us-west-2, us-east-1, sa-east-1, ap-southeast-2, eu-central-1, eu-west-1, ap-southeast-1 and ap-northeast-1]
[Diagram: one VPC, CIDR 10.1.0.0/16, in one AWS region; Availability Zones A and B each hold a public subnet (ELB) and two private subnets (Web, Back end); the public subnets reach the Internet through the IGW]

Public Route Table
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       IGW
And what if instances in a private subnet need to reach outside the VPC?
They have no route to the IGW and no public IP address.
Why go outside?
• AWS API endpoints
• Regional services
• Third-party services
Deploy an instance providing Network Address Translation (NAT)
[Diagram: a NAT instance in the public subnet of Availability Zone A; the private subnets’ default route points at it]

Private Route Table
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       NAT instance

If that single NAT instance goes away, the private subnets lose every path out of the VPC:

Private Route Table
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       Black Hole
To NAT, or not to NAT…
• Leave NAT for less bandwidth-critical connectivity
• Don’t bottleneck high-bandwidth-out workloads
• Run high-bandwidth components from public subnets
• Goal is full-instance bandwidth out of VPC
Evolving design requirements
• Public subnets for high-bandwidth public talkers
• Private subnets with access to public AWS network
• Highly available NAT
• One AWS account
• One VPC
• One region
EC2 status checks, published as CloudWatch per-instance metrics:
• StatusCheckFailed_Instance
• StatusCheckFailed_System

Amazon CloudWatch alarm actions:
• Instance status check fails? REBOOT
• System status check fails? RECOVER

A recovered instance retains:
• Instance ID
• Instance metadata
• Private IP addresses
• Elastic IP addresses
• EBS volume attachments
A few things to remember…
• Recover action only applies to system status checks
• Limited to C3, C4, M3, R3, and T2 instance types
• Cannot use local instance store
• Cannot be dedicated instances
• Use the EC2ActionsAccess AWS Identity and Access Management (IAM) role
Amazon EC2 Auto Recovery (CloudWatch console):
• Metric = StatusCheckFailed_System
• Choose 1-minute period and statistic Minimum
• Set your failed check threshold
• Choose recover action
HA NAT with EC2 Auto Recovery + Auto Reboot
[Diagram: the NAT instance in the public subnet, covered by the reboot and recover alarms, serving the private subnets of Availability Zones A and B]
Average tested recovery time: ~1 to 4 minutes; could be shorter or longer depending on the nature of the failure
Scaling NAT
[Diagram: each Availability Zone gets its own NAT instance in a public subnet, and each NAT instance serves several private subnets of that zone]
Considering multiple VPCs

What’s next?
[Diagram: public-facing web apps and internal company apps in separate VPCs, with a VPN connection to the customer network]

Common customer use cases
• Application isolation
• Scope of audit containment
• Risk-level separation
• Separate production from nonproduction
• Multi-tenant isolation
• Business unit alignment

Considerations for one or many VPCs
• Know your inter-VPC traffic
• Separate AWS accounts
• IAM/resource permissions and controls
• Know your VPC limits: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
Internal application to VPC
[Diagram: a private-only VPC with intranet apps in private subnets across Availability Zones A and B; internal customers reach it over a VPN connection from the customer network to the Virtual Private Gateway]

Private Route Table
Destination     Target
10.1.0.0/16     Local
Corp CIDR       VGW
Evolving design requirements
• VPN connectivity to private-only VPC
• No egress in the VPC to public networks
• Private IP access to Amazon S3
• Content-specific access controls
• One AWS account
• One VPC
• One region
You really don’t want to do this:
[Diagram: traffic from the private-only VPC to Amazon S3 hairpins over the VPN connection to the customer border router and the customer’s Internet access, then back over the Internet to S3]

So do this instead:
[Diagram: the VPC reaches Amazon S3 through a VPC endpoint; the VPN connection carries only customer-network traffic]

VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control

From the Amazon VPC User Guide:
“Currently, we support endpoints for connections with Amazon S3 within the same region only. We'll add support for other AWS services later.”
VPC endpoints

    $ aws ec2 describe-vpc-endpoint-services
    SERVICENAMES    com.amazonaws.us-west-2.s3

Creating S3 VPC endpoint

    aws ec2 create-vpc-endpoint \
        --vpc-id vpc-40f18d25 \
        --service-name com.amazonaws.us-west-2.s3 \
        --route-table-ids rtb-2ae6a24f rtb-61c78704

Private subnet route table after the endpoint is associated with it:
Destination                       Target
10.1.0.0/16                       Local
Corp CIDR                         VGW
Prefix List for S3 us-west-2      VPCE

Public subnet route table after the endpoint is associated with it:
Destination                       Target
10.1.0.0/16                       Local
0.0.0.0/0                         IGW
Prefix List for S3 us-west-2      VPCE

Prefix lists

    $ aws ec2 describe-prefix-lists
    PREFIXLISTS     pl-68a54001     com.amazonaws.us-west-2.s3
    CIDRS           54.231.160.0/19

• Logical route destination target
• Dynamically translates to service IPs
• S3 IP ranges change over time
• S3 prefix lists abstract change
Controlling VPC access to Amazon S3
IAM policy on the VPC endpoint (only the backups bucket is reachable through this endpoint):

    {
      "Statement": [
        {
          "Sid": "vpce-restrict-to-backup-bucket",
          "Principal": "*",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::backups-reinvent2015",
            "arn:aws:s3:::backups-reinvent2015/*"
          ]
        }
      ]
    }
Controlling VPC access to Amazon S3
S3 bucket policy (every S3 action on the bucket is denied unless the request arrives from endpoint vpce-bc42a4e5):

    {
      "Statement": [
        {
          "Sid": "bucket-restrict-to-specific-vpce",
          "Principal": "*",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": [
            "arn:aws:s3:::backups-reinvent2015",
            "arn:aws:s3:::backups-reinvent2015/*"
          ],
          "Condition": {
            "StringNotEquals": {
              "aws:sourceVpce": "vpce-bc42a4e5"
            }
          }
        }
      ]
    }
Controlling VPC access to Amazon S3
Recap on security layers:
1. Route table association
2. VPCE policy
3. Bucket policy
4. Security groups with prefix list
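An added example, not from the deck, that evaluates layers 2 and 3 of this recap (the VPCE policy and the bucket policy shown above) for a given request. The evaluator, its function names and the object ARN are assumptions, and it presumes the caller's own IAM permissions already allow the call, so only the endpoint and bucket layers are modelled.

```python
"""Evaluate the two policy layers from the slides: the VPC endpoint policy
and the S3 bucket policy.

Added example, not from the ARC403 deck. It covers only what the two slide
policies use (Allow/Deny, Action and Resource wildcards, a StringNotEquals
condition on aws:sourceVpce) and assumes the caller's identity permissions
already grant the call. Policies are the deck's; the object ARN is constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Only StringNotEquals is needed here; a missing key counts as 'not equal'."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in pairs.items():
            if ctx.get(key) in _as_list(expected):
                return False
    return True


def _matches(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def decide(policy, action, resource, ctx):
    """'Deny' beats 'Allow'; None means no statement matched (implicit deny)."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)


def allowed_via_endpoint(vpce_policy, bucket_policy, action, resource, vpce_id):
    """A request through endpoint `vpce_id` must be allowed by the endpoint
    policy and must not be denied by the bucket policy."""
    ctx = {"aws:sourceVpce": vpce_id}
    return (decide(vpce_policy, action, resource, ctx) == "Allow"
            and decide(bucket_policy, action, resource, ctx) != "Deny")


VPCE_POLICY = {"Statement": [{
    "Sid": "vpce-restrict-to-backup-bucket", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::backups-reinvent2015",
                 "arn:aws:s3:::backups-reinvent2015/*"]}]}

BUCKET_POLICY = {"Statement": [{
    "Sid": "bucket-restrict-to-specific-vpce", "Principal": "*",
    "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::backups-reinvent2015",
                 "arn:aws:s3:::backups-reinvent2015/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-bc42a4e5"}}}]}

OBJ = "arn:aws:s3:::backups-reinvent2015/db.dump"  # constructed object ARN

if __name__ == "__main__":
    print(allowed_via_endpoint(VPCE_POLICY, BUCKET_POLICY, "s3:GetObject", OBJ, "vpce-bc42a4e5"))  # True
```

A request that reaches the bucket without passing through any endpoint has no aws:sourceVpce key at all, which is exactly why the bucket policy uses StringNotEquals: the Deny then applies to it as well.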
Endpoints in action
[Diagram: in one VPC, the compliance app in its private subnets reaches the Compliance bucket through VPCE1, while the intranet apps in their private subnets reach the Backups bucket through VPCE2; each group of subnets is routed to its own endpoint]
What about Amazon Linux?
The Amazon Linux package repositories are S3 buckets in the region (repo.us-west-2.amazonaws.com and packages.us-west-2.amazonaws.com), so an endpoint policy that allows only one application bucket also blocks yum updates. Both endpoint policies are extended to allow them.

Compliance VPCE policy (VPCE1) modified:

    {
      "Statement": [
        {
          "Sid": "vpce-restrict-to-backup-bucket-and-alinux",
          "Principal": "*",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::compliance-reinvent2015",
            "arn:aws:s3:::compliance-reinvent2015/*",
            "arn:aws:s3:::repo.us-west-2.amazonaws.com",
            "arn:aws:s3:::repo.us-west-2.amazonaws.com/*",
            "arn:aws:s3:::packages.us-west-2.amazonaws.com",
            "arn:aws:s3:::packages.us-west-2.amazonaws.com/*"
          ]
        }
      ]
    }

Backup VPCE policy (VPCE2) modified:

    {
      "Statement": [
        {
          "Sid": "vpce-restrict-to-backup-bucket-and-alinux",
          "Principal": "*",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::backups-reinvent2015",
            "arn:aws:s3:::backups-reinvent2015/*",
            "arn:aws:s3:::repo.us-west-2.amazonaws.com",
            "arn:aws:s3:::repo.us-west-2.amazonaws.com/*",
            "arn:aws:s3:::packages.us-west-2.amazonaws.com",
            "arn:aws:s3:::packages.us-west-2.amazonaws.com/*"
          ]
        }
      ]
    }
Access to Amazon Linux repositories
[Diagram: the same VPC; VPCE1 now reaches the Compliance bucket plus the Repo and Packages buckets, and VPCE2 reaches the Backups bucket plus the Repo and Packages buckets]
VPC endpoints for Amazon S3: a few things to remember…
• Endpoint and bucket must be in the same region
• Amazon DNS enabled on the VPC
• Source IPs to S3 will be private
• Don’t forget about S3-dependent services
What’s next?
[Diagram: public-facing web apps and internal-only apps in separate VPCs; the customer network terminates on a Customer Gateway (CGW) with VPN connections fanning out to many VPCs in the region, some holding public apps and some internal apps]
HA VPN Pair
[Diagram: two customer gateways, CGW1 and CGW2, in the customer network; each terminates one VPN connection (VPN1, VPN2) with two tunnels (Tun1, Tun2) to the VGW of the VPC]
• eBGP between each CGW and the VGW: AWS ASN 7224, customer ASN public or private
• The customer announces its CIDRs or a default route; the VGW announces the VPC CIDR
• iBGP between CGW1 and CGW2; re-advertise the VPC CIDR into the customer network via the IGP
• Reuse your CGW public IP to connect to more VPCs
[Diagram: many VPCs in one AWS region and the customer network, all depending on a common set of shared services: DNS, Directory, Logging, Monitoring, Security]
Evolving design requirements
• Centralize network connectivity to and from cloud
• Centralize management, security, and common services
• Account owners in control of own VPC resources
• Many AWS accounts
• Many VPCs
• One region
Hub and Spoke with Peering
[Diagram: a shared services hub VPC (DNS, Directory, Logging, Monitoring, Security) peered with each spoke VPC; the hub also holds the connection to the customer network]
VPC peering
Hub VPC 10.1.0.0/16 (shared services in private subnet 10.1.11.0/24) peered over PCX-1 with Spoke VPC 10.2.0.0/16 (private subnet 10.2.22.0/24).

Hub Private Route Table
Destination     Target
10.1.0.0/16     Local
10.2.0.0/16     PCX-1

Spoke Private Route Table
Destination     Target
10.2.0.0/16     Local
10.1.11.0/24    PCX-1
Edge-to-edge routing
The same peering, with the spoke trying to reach the customer network (172.16.0.0/16) through the hub’s VPN connection:

Hub Private Route Table
Destination     Target
10.1.0.0/16     Local
10.2.0.0/16     PCX-1

Spoke Private Route Table
Destination     Target
10.2.0.0/16     Local
10.1.11.0/24    PCX-1
172.16.0.0/16   PCX-1

This does not work: VPC peering does not support edge-to-edge routing, so traffic arriving in the hub over PCX-1 is never forwarded on through the hub’s VGW (or its IGW, or a VPC endpoint).
Edge-to-edge via proxy
[Diagram: the hub VPC gains proxy subnets with an internal ELB in front of a proxy fleet; the spoke sends its traffic for the customer network, public services and S3 to the proxy over PCX-1, and the proxy forwards it from inside the hub]

Spoke Private Route Table
Destination     Target
10.2.0.0/16     Local
10.1.0.0/16     PCX-1

Hub Proxy Route Table (private proxy subnet)
Destination     Target
10.1.0.0/16     Local
10.2.0.0/16     PCX-1
172.16.0.0/16   VGW

Hub Proxy Route Table (public proxy subnet)
Destination     Target
10.1.0.0/16     Local
10.2.0.0/16     PCX-1
172.16.0.0/16   VGW
0.0.0.0/0       IGW
S3 Prefix List  VPCE
Availability Zone A
Private subnet
Public subnet
Private subnet
Elastic
Load
Balancer
Shared
services
AWS region
Internet
VPC
Auto Scaling
proxy
fleet
Public
servicesS3
PCX-1
Availability Zone B
Private subnet
Public subnet
Private subnet
Elastic
Load
Balancer
Shared
services
Auto Scaling
proxy
fleet
Spoke VPC
VPC
Private subnet
Proxy in practice
Hub VPC
Availability Zone A
Private subnet
Public subnet
Private subnet
Elastic
Load
Balancer
Shared
services
AWS region
Internet
VPC
Auto Scaling
proxy
Fleet
Public
servicesS3
PCX-1
Availability Zone B
Private subnet
Public subnet
Private subnet
Elastic
Load
Balancer
Bastion
host
Auto Scaling
proxy
fleet
Spoke VPC
VPC
Private subnet
Proxy in practice
Hub VPC
Customer
network
Shared Services Hub and Spoke: a few things to remember…
• Use IAM to restrict spoke AWS accounts
• Create a NetOps IAM role in all accounts
• Enable AWS CloudTrail and AWS Config for all accounts
• Integrate CloudTrail with CloudWatch Logs and create alarms:
  https://aws.amazon.com/blogs/aws/cloudtrail-integration-with-cloudwatch-now-available-in-four-more-regions/
[Diagram: the single hub grows into several, a Dev hub, a Prod hub and a Data services hub, each with its own spoke VPCs, shared services (DNS, Directory, Logging, Monitoring, Security) and connection to the customer network]
Evolving design requirements
• Audit VPC network security configuration
• Analyze network usage
• Automated responses to network security alarms
• Many AWS accounts
• Many VPCs
• Many regions
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

Each record carries: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, and accept or reject.
VPC Flow Logs: Automation
[Pipeline: Elastic Network Interface of the compliance app in its private subnet → Flow Log group in CloudWatch Logs → metric filter on all SSH REJECT records → CloudWatch alarm “If SSH REJECT > 10, then…” → Amazon SNS → AWS Lambda, which acts on the offending source IP]
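The metric filter and alarm stage of that pipeline, reproduced in plain Python so the rule can be exercised offline. This is an added example, not code from the deck; the field names follow the version 2 flow log record layout, and the sample records, addresses and per-source breakdown are assumptions.

```python
"""Offline version of the deck's flow-log automation: a metric filter that
matches SSH REJECT records and an alarm that fires above a threshold.

Added example, not from the ARC403 deck. Records are the space separated
version 2 VPC Flow Log format; the sample lines below are constructed.
"""
from collections import Counter

# Field order of a version 2 VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
SSH_PORT, TCP = "22", "6"
THRESHOLD = 10  # the slide's "If SSH REJECT > 10" alarm condition


def parse_record(line):
    """Split one record into a dict; None for a line with the wrong field count."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def is_ssh_reject(rec):
    """What the metric filter matches: TCP to port 22 rejected by a security
    group or network ACL. NODATA/SKIPDATA records carry '-' in the traffic
    fields and never match."""
    return (rec["log_status"] == "OK" and rec["action"] == "REJECT"
            and rec["protocol"] == TCP and rec["dstport"] == SSH_PORT)


def ssh_rejects_by_source(lines):
    """Count matching records per source IP (the metric, broken down by source)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts


def alarm(lines, threshold=THRESHOLD):
    """Source IPs that would trip the alarm: more than `threshold` SSH REJECTs."""
    return sorted(ip for ip, n in ssh_rejects_by_source(lines).items()
                  if n > threshold)


# Constructed sample: 12 rejected SSH attempts from one source, 3 from another,
# one accepted HTTPS flow and one NODATA record.
_REJECT = ("2 123456789012 eni-0a1b2c3d %s 10.1.11.5 %d 22 6 1 40 "
           "1444900000 1444900060 REJECT OK")
SAMPLE = ([_REJECT % ("198.51.100.7", 40000 + i) for i in range(12)]
          + [_REJECT % ("203.0.113.9", 51000 + i) for i in range(3)]
          + ["2 123456789012 eni-0a1b2c3d 192.0.2.4 10.1.11.5 44321 443 6 20 4000 "
             "1444900000 1444900060 ACCEPT OK",
             "2 123456789012 eni-0a1b2c3d - - - - - - - 1444900000 1444900060 - NODATA"])

if __name__ == "__main__":
    print(alarm(SAMPLE))  # ['198.51.100.7']
```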
VPC Flow Logs
• Amazon Elasticsearch Service (ES)
• Amazon CloudWatch Logs subscriptions
• Kibana
https://aws.amazon.com/blogs/aws/new-amazon-elasticsearch-service/
Evolving design requirements
• Many Gbps network connectivity to AWS
• Cost-effective
• Predictable latency
• Leverage existing corporate network
• Many AWS accounts
• Many VPCs
• Many regions
Simplify with AWS Direct Connect
[Diagram: the customer network connects over a private fiber connection to an AWS Direct Connect location; one or multiple 50 – 500 Mbps, 1 Gbps or 10 Gbps pipes]
An AWS Direct Connect Private Virtual Interface (PVI) connects to the VGW on the VPC:
• 1 PVI per VPC
• 1 eBGP peer per VPC
• 1 802.1Q VLAN tag per VPC
[Chart: AWS Direct Connect vs EC2 Data Out Cost; x-axis TB per month (10 to 100), y-axis $ per month (0 to 10000); series: EC2 Data Out, 2 x 1 Gbps DX, 2 x 10 Gbps DX]
* Calculated from us-west-2 and does not include telco cost to reach a DX location if required
AWS Direct Connect (DX) in the United States
[Map: regions N. Virginia, N. California and Oregon; DX locations SuperNAP, Equinix SE, CoreSite LA, CoreSite NY, Equinix DC and Equinix SV]

AWS Direct Connect (DX) in Europe and Asia Pacific
[Map: regions Ireland, Frankfurt, Tokyo, Singapore, Sydney and Beijing; DX locations Telecity, Eircom, Interxion, Equinix FR, Equinix TY, Equinix OS, Equinix SG, Equinix SY, Global Switch, CIDS and Sinnet]
Bring it
[Diagram: headquarters and branches connect as customer edge (CE) routers to provider edge (PE) routers of a provider MPLS / IPVPN network; at the DX location the provider PE peers with AWS DX over eBGP into the AWS region]
[Diagram: the same sites over an L2 provider VPLS network; the customer’s own eBGP session runs end to end from the CE through the L2 service to AWS DX]
Multiple VPCs over AWS Direct Connect
The customer switch + router carries VLANs 101, 102 and 103 to the DX location; each VLAN is one private virtual interface terminating on one VGW.

AWS side          PVI 1               PVI 2               PVI 3
VLAN Tag          101                 102                 103
BGP ASN           7224                7224                7224
BGP Announce      10.1.0.0/16         10.2.0.0/16         10.3.0.0/16
Interface IP      169.254.251.5/30    169.254.251.9/30    169.254.251.13/30
Terminates on     VGW 1 (Prod hub)    VGW 2 (Data hub)    VGW 3 (Dev hub)

Customer side     Interface 0/1.101   Interface 0/1.102   Interface 0/1.103
VLAN Tag          101                 102                 103
BGP ASN           65001               65002               65003
BGP Announce      Customer Internal   Customer Internal   Customer Internal
Interface IP      169.254.251.6/30    169.254.251.10/30   169.254.251.14/30

Customer Route Table
Destination     Target
10.1.0.0/16     PVI 1
10.2.0.0/16     PVI 2
10.3.0.0/16     PVI 3
Public Virtual Interface 1
VLAN Tag 501
BGP ASN 7224
BGP Announce AWS Regional
Public CIDRs
Interface IP Public /30 Provided
10.1.0.0/16
VGW 1
Public AWS + VPCs over AWS Direct Connect
Customer
Switch + Router
Customer Interface 0/1.501
VLAN Tag 501
BGP ASN 65501 (or Public)
BGP Announce Customer Public
Interface IP Public /30 Provided
VLAN 101
VLAN 102
VLAN 103
VLAN 501
Data hub
10.2.0.0/16
VGW 2
Dev hub
10.3.0.0/16
VGW 3
Public US AWS
regions
Route Table
Destination Target
10.1.0.0/16 PVI 1
10.2.0.0/16 PVI 2
10.3.0.0/16 PVI 3
Public AWS PVI 5
NAT + Security layer
Customer
network
VPC
VPC
VPC
AWS Direct Connect in the United States
[Diagram: from Equinix SV, private virtual interfaces reach us-west-1, us-west-2 and us-east-1 over the AWS private network; a VPN to the VGW serves as disaster recovery]
AWS Direct Connect: a few things to remember…
• Be selective in your public network announcements
• Remember prefix lists
• Authoritative AWS public IP list available: https://ip-ranges.amazonaws.com/ip-ranges.json
• For notification of IP changes, subscribe to SNS topic: arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
Multi-region DX: going global
[Diagram: headquarters and branches on a provider MPLS network; the provider PE at the Seattle DX location peers over eBGP with the AWS Oregon region, and the PE at the London DX location peers over eBGP with the AWS Ireland region; both AWS sides are AS 7224, and each peering accepts at most 100 BGP routes]
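An added example, not from the deck: a Python check of the private virtual interface plan from the Multiple VPCs over AWS Direct Connect slide against the constraints the deck states (one VLAN tag and one eBGP peer per VPC, AWS peering as AS 7224, and the 100 BGP route maximum above). The dictionary layout, check wording and constructed customer prefixes are assumptions.

```python
"""Sanity-check a multi-VPC AWS Direct Connect private VIF plan.

Added example, not from the ARC403 deck. It takes the three private virtual
interfaces (PVIs) from the slides and looks for the mistakes that keep a BGP
session from coming up or routes from being usable: colliding 802.1Q VLAN
tags, AWS/customer interface IPs that are not the two hosts of one /30, an
AWS-side ASN other than 7224, overlapping VPC CIDRs, and more than the 100
prefixes the deck gives as the per-peering BGP route maximum.
"""
import ipaddress

AWS_DX_ASN = 7224
MAX_BGP_ROUTES = 100  # "100 BGP Route Max" on the Going global slide

# The deck's plan: one PVI, one VLAN tag and one eBGP peer per VPC.
PVIS = [
    {"name": "PVI 1", "vlan": 101, "aws_asn": 7224, "cust_asn": 65001, "vpc_cidr": "10.1.0.0/16",
     "aws_ip": "169.254.251.5/30", "cust_ip": "169.254.251.6/30"},
    {"name": "PVI 2", "vlan": 102, "aws_asn": 7224, "cust_asn": 65002, "vpc_cidr": "10.2.0.0/16",
     "aws_ip": "169.254.251.9/30", "cust_ip": "169.254.251.10/30"},
    {"name": "PVI 3", "vlan": 103, "aws_asn": 7224, "cust_asn": 65003, "vpc_cidr": "10.3.0.0/16",
     "aws_ip": "169.254.251.13/30", "cust_ip": "169.254.251.14/30"},
]


def check_plan(pvis, announced_prefixes):
    """Return a list of problem strings; an empty list means the plan is clean."""
    problems, seen_vlans, seen_cidrs = [], {}, []
    for p in pvis:
        name = p["name"]
        if p["vlan"] in seen_vlans:
            problems.append("%s reuses VLAN %d of %s" % (name, p["vlan"], seen_vlans[p["vlan"]]))
        seen_vlans[p["vlan"]] = name
        if p["aws_asn"] != AWS_DX_ASN:
            problems.append("%s: AWS side must peer as AS %d" % (name, AWS_DX_ASN))
        aws_if = ipaddress.ip_interface(p["aws_ip"])
        cust_if = ipaddress.ip_interface(p["cust_ip"])
        if (aws_if.network.prefixlen != 30 or aws_if.network != cust_if.network
                or aws_if.ip == cust_if.ip):
            problems.append("%s: %s and %s must be the two hosts of one /30"
                            % (name, p["aws_ip"], p["cust_ip"]))
        cidr = ipaddress.ip_network(p["vpc_cidr"])
        for other_name, other in seen_cidrs:  # overlapping VPCs cannot be routed apart
            if cidr.overlaps(other):
                problems.append("%s CIDR %s overlaps %s CIDR %s" % (name, cidr, other_name, other))
        seen_cidrs.append((name, cidr))
    if len(announced_prefixes) > MAX_BGP_ROUTES:
        problems.append("%d prefixes announced to AWS; the limit is %d per session"
                        % (len(announced_prefixes), MAX_BGP_ROUTES))
    return problems


def customer_route_table(pvis):
    """Expected customer-side routes: each VPC CIDR is reached via its own PVI."""
    return {p["vpc_cidr"]: p["name"] for p in pvis}


if __name__ == "__main__":
    # Constructed customer announcement: the corporate range used earlier in the deck.
    print(check_plan(PVIS, ["172.16.0.0/16"]))  # []
    print(customer_route_table(PVIS))
```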
BGP AS override
Every AWS region peers as AS 7224, so a VPC prefix learned at one DX location and carried across the provider MPLS network already has 7224 in its AS path; the AWS peer in the other region sees its own AS and drops the route as a loop. The provider PE facing AWS DX rewrites that AS with as-override:

Cisco IOS:
    router bgp <asn>
     address-family ipv4 vrf <vrf-id>
      neighbor <AWS DX eBGP Peer IP> as-override

Junos OS:
    set protocols bgp group <group-name> neighbor <AWS DX eBGP Peer IP> peer-as 7224
    set protocols bgp group <group-name> neighbor <AWS DX eBGP Peer IP> as-override
[Diagram: the EU-West-1 region (London DX), US-West-2 region (Seattle DX) and AP-Northeast-1 region (Tokyo DX), each with several VPCs, joined through the provider MPLS network with HQ and the branches]
Evolving design requirements
• Cross-region network between all VPCs
• Scalable, full-mesh IPsec network
• Minimal operational overhead
• Leverage AWS network
• Many AWS accounts
• Many VPCs
• Many regions
Dynamic Multipoint VPN
DMVPN: built with Cisco Cloud Services Router (CSR) 1000V
• Available on the AWS Marketplace
• A virtualized ASR with full IOS-XE software stack
• BYOL or Pay-as-you-Go license models

Dynamic Multipoint VPN
Proven, scalable VPN design framework. Key components:
• Next Hop Resolution Protocol (NHRP, RFC 2332)
• Multipoint GRE (mGRE)
• IPsec
Dynamic Multipoint Virtual Private Network: Phase 3
[Diagram: NHRP hub in us-west-2 (VPC 10.1.0.0/16); Spoke 1 in us-east-1 (10.2.0.0/16), Spoke 2 in eu-west-1 (10.3.0.0/16), Spoke 3 in eu-central-1 (10.4.0.0/16), Spoke 4 in ap-northeast-1 (10.5.0.0/16); all joined across the global AWS network by the DMVPN network 10.100.0.0/24; a spoke sends an NHRP request to the hub to resolve another spoke, then builds a direct spoke-to-spoke tunnel]

DMVPN dual hub, single subnet
[Diagram: NHRP Hub 1 in us-west-2 (10.1.0.0/16) and NHRP Hub 2 in a VPC 10.10.0.0/16, with the same four spokes; tunnel addresses 10.100.0.1 through 10.100.0.6 on the single DMVPN subnet 10.100.0.0/24]
DMVPN hub configuration
    interface Tunnel0
     bandwidth 1000000
     ip address 192.168.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ! hub must re-advertise spoke routes back out the same mGRE interface
     no ip split-horizon eigrp 192
     ! learn spoke NBMA addresses dynamically as they register
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ! phase 3: tell spokes to resolve each other and go direct
     ip nhrp redirect
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet1
     tunnel mode gre multipoint

DMVPN spoke configuration (Hub 1 at 192.168.0.1 / 52.24.102.22, Hub 2 at 192.168.0.5 / 52.64.165.176)
    interface Tunnel0
     bandwidth 1000000
     ip address 192.168.0.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ! static NHRP mappings for both hubs (tunnel address to public NBMA address)
     ip nhrp map 192.168.0.1 52.24.102.22
     ip nhrp map multicast 52.24.102.22
     ip nhrp map 192.168.0.5 52.64.165.176
     ip nhrp map multicast 52.64.165.176
     ip nhrp network-id 1
     ! register with both next-hop servers
     ip nhrp nhs 192.168.0.1
     ip nhrp nhs 192.168.0.5
     ! phase 3: install shortcut routes learned from hub redirects
     ip nhrp shortcut
     ip nhrp redirect
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet1
     tunnel mode gre multipoint
From one to many
[Diagram: Global HQ, regional HQs, branches and a remote workforce connected to VPCs in us-west-2, us-east-1, eu-west-1, eu-central-1 and ap-northeast-1]

Evolving design requirements
• Many AWS Accounts
• Many VPCs
• Many regions
• Public subnets for high-bandwidth public talkers
• Private subnets with access to public AWS Network
• Highly available NAT
• VPN connectivity to private-only VPC
• No egress in the VPC to public networks
• Private IP access to Amazon S3
• Content-specific access controls
• Centralize network connectivity to and from cloud
• Centralize management, security, and common services
• Account Owners in control of own VPC resources
Related Sessions
ARC402 – Double Redundancy with AWS Direct Connect
NET403 – Another Day, Another Billion Packets
NET404 – Making Every Packet Count
NET406 – Deep Dive: AWS Direct Connect and VPNs
NET308 – Consolidating DNS Data in the Cloud with Amazon Route 53