© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Becky Weiss, Senior Principal Engineer, EC2
Creating Your Virtual Data Center
VPC Fundamentals and Connectivity Options
NET201
November 30, 2016
What to Expect from the Session
• Get familiar with VPC concepts
• Walk through a basic VPC setup
• Learn about the ways in which you can tailor your virtual network to meet your needs
Creating an Internet-connected VPC: steps
• Choosing an address range
• Setting up subnets in Availability Zones
• Creating a route to the Internet
• Authorizing traffic to/from the VPC
Choosing an IP address range for your VPC
172.31.0.0/16
• Recommended: RFC1918 range
• Recommended: /16 (64K addresses)
VPC subnets and Availability Zones
VPC: 172.31.0.0/16
Availability Zone   VPC subnet
eu-west-1a          172.31.0.0/24
eu-west-1b          172.31.1.0/24
eu-west-1c          172.31.2.0/24
VPC subnet recommendations
• /16 VPC (64K addresses)
• /24 subnets (251 addresses)
• One subnet per Availability Zone
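The recommendations above (a /16 VPC from an RFC 1918 range, one /24 per Availability Zone, 251 usable addresses per subnet) can be checked mechanically. The following Python is an added example and not part of the deck; it uses only the standard library, and the zone names are the eu-west-1 ones from the slide. The 251 figure comes from the five addresses AWS reserves in every subnet, which the code encodes as a constant.

```python
import ipaddress

# Three RFC 1918 blocks; the deck recommends picking the VPC range from these.
RFC1918_BLOCKS = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), the Amazon DNS resolver (.2), one held for future use (.3) and
# the broadcast address (last). That is why a /24 gives 251 usable addresses.
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr):
    """True if the whole CIDR block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def usable_hosts(cidr):
    """Instance-assignable addresses in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, zones, subnet_prefix=24):
    """Carve one /subnet_prefix subnet per Availability Zone out of the VPC range.

    Subnets are handed out in order from the start of the VPC block, so they can
    never overlap. Raises ValueError for a range AWS would not accept or that is
    too small for the requested number of zones.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"{vpc}: a VPC CIDR must be between /16 and /28")
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc} is not an RFC 1918 range")
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for zone in zones:
        subnet = next(candidates, None)
        if subnet is None:
            raise ValueError(f"{vpc} cannot hold {len(zones)} /{subnet_prefix} subnets")
        plan.append((zone, str(subnet)))
    return plan


if __name__ == "__main__":
    # Same layout as the deck: a /16 VPC with one /24 per zone in eu-west-1.
    zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
    for zone, subnet in plan_subnets("172.31.0.0/16", zones):
        print(f"{zone}: {subnet} ({usable_hosts(subnet)} usable addresses)")
```

Allocating subnets from a single planner like this, rather than by hand, is what keeps later additions (more zones, a second tier of subnets) from colliding with ranges already in use.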
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• … but you can assign different route tables to different subnets
Network ACLs: Stateless firewalls
English translation: Allow all traffic in
Can be applied on a subnet basis
Security groups follow application structure
(diagram: “MyWebServers” Security Group → “MyBackends” Security Group, which allows only “MyWebServers”)
Security groups example: web servers
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
Security groups example: backends
In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group
Security groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress Security Group rules
• Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
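The two groups on the previous slides, and the least-privilege note above, can be expressed as a reachability query and an audit over the data EC2 returns for security groups. The Python below is an added example, not code from the deck or from AWS: the rules are a constructed sample in the shape of a DescribeSecurityGroups response with placeholder group ids, the backend port 3306 is an assumption (the slide names no port), and an SSH-from-anywhere rule is included on the web tier so the audit has a finding to report.

```python
import ipaddress

# Constructed sample in the shape returned by EC2 DescribeSecurityGroups
# (IpPermissions = ingress rules). Group ids are placeholders. The SSH rule on
# the web tier is deliberately included so the audit has something to flag.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web-EXAMPLE", "GroupName": "MyWebServers",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-back-EXAMPLE", "GroupName": "MyBackends",
        "IpPermissions": [
            # Source is a security group, not a CIDR: only members of
            # MyWebServers may reach the (assumed) database port 3306.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web-EXAMPLE"}]},
        ],
    },
]

ANYWHERE = ("0.0.0.0/0", "::/0")


def _port_range(perm):
    """(low, high) covered by a rule; IpProtocol '-1' means every port of every protocol."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def reachable(groups, source, dst_group_id, protocol, port):
    """Does dst_group_id admit `protocol`/`port` from `source`?

    `source` is either a security-group id (rule by group reference) or an IP
    address (rule by CIDR). Security groups are stateful, so only the initiating
    direction needs a rule; replies are allowed automatically.
    """
    dst = next(g for g in groups if g["GroupId"] == dst_group_id)
    for perm in dst["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", protocol):
            continue
        low, high = _port_range(perm)
        if not low <= port <= high:
            continue
        if source.startswith("sg-"):
            if any(p["GroupId"] == source for p in perm.get("UserIdGroupPairs", [])):
                return True
        else:
            ip = ipaddress.ip_address(source)
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if ip in ipaddress.ip_network(cidr):
                    return True
    return False


def audit_public_ingress(groups, allowed_public_ports=frozenset({80, 443})):
    """Least-privilege check: list rules open to the whole Internet on ports
    other than the ones you intend to expose. Returns (group name, description)."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            low, high = _port_range(perm)
            wide_open = (perm["IpProtocol"] == "-1"
                         or not set(range(low, high + 1)) <= allowed_public_ports)
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr in ANYWHERE and wide_open:
                    findings.append((g["GroupName"],
                                     f"{perm['IpProtocol']} {low}-{high} open to {cidr}"))
    return findings


if __name__ == "__main__":
    for name, desc in audit_public_ingress(SAMPLE_GROUPS):
        print(f"{name}: {desc}")
```

Referencing a security group as the source, as the backend rule does, is what makes the rule follow application structure: new web servers joining MyWebServers gain access without any CIDR edits, and nothing outside that group can reach the backends even from inside the VPC.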
Beyond Internet connectivity
• Restricting Internet access
• Connecting to your corporate network
• Connecting to other VPCs
Outbound-only Internet access: NAT gateway
(diagram: two VPC subnets, routes for 0.0.0.0/0, NAT gateway with public IP 54.161.0.39)
Example VPC peering use: shared services VPC
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Security groups across peered VPCs
(diagram: VPC Peering between 172.31.0.0/16 and 10.55.0.0/16; Orange Security Group → Blue Security Group: ALLOW)
Establish a VPC peering (172.31.0.0/16 and 10.55.0.0/16)
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create routes
In English: Traffic destined for the peered VPC should go to the peering
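The routing slide earlier ("route tables contain rules for which packets go where", different tables per subnet), the NAT gateway slide and step 3 of the peering procedure all come down to the same mechanism: the VPC router picks the most specific matching route in the subnet's table. The Python below is an added example, not the deck's or AWS's code; it models that lookup with the two CIDRs from the slides and placeholder target ids (igw-EXAMPLE, nat-EXAMPLE, pcx-EXAMPLE), and performs the overlap check AWS applies before it will accept a peering request.

```python
import ipaddress


class RouteTable:
    """A VPC route table evaluated the way the VPC router does it: the most
    specific (longest-prefix) matching route wins. Every table starts with the
    implicit 'local' route for the VPC's own CIDR, which cannot be removed."""

    def __init__(self, name, vpc_cidr):
        self.name = name
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local")]

    def add_route(self, destination, target):
        self.routes.append((ipaddress.ip_network(destination), target))
        return self

    def lookup(self, dst_ip):
        """Target for a packet to dst_ip, or None when no route matches (dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def add_peering_routes(vpc_a_cidr, table_a, vpc_b_cidr, table_b, pcx_id):
    """Step 3 of VPC peering: once the request is accepted, each side needs a
    route sending the peer's CIDR to the peering connection. AWS refuses to
    peer VPCs whose CIDR blocks overlap, so that check comes first."""
    a = ipaddress.ip_network(vpc_a_cidr)
    b = ipaddress.ip_network(vpc_b_cidr)
    if a.overlaps(b):
        raise ValueError(f"cannot peer {a} with {b}: CIDR blocks overlap")
    table_a.add_route(str(b), pcx_id)
    table_b.add_route(str(a), pcx_id)


def build_example():
    """The deck's layout with placeholder target ids: a public subnet routed to
    an Internet gateway, a private subnet routed to a NAT gateway, and a
    shared-services VPC (10.55.0.0/16) peered with the private subnet's VPC."""
    public = RouteTable("public", "172.31.0.0/16").add_route("0.0.0.0/0", "igw-EXAMPLE")
    private = RouteTable("private", "172.31.0.0/16").add_route("0.0.0.0/0", "nat-EXAMPLE")
    shared = RouteTable("shared-services", "10.55.0.0/16")
    add_peering_routes("172.31.0.0/16", private, "10.55.0.0/16", shared, "pcx-EXAMPLE")
    return public, private, shared


if __name__ == "__main__":
    for table in build_example():
        for dst in ("172.31.2.10", "10.55.3.4", "54.161.0.39"):
            print(f"{table.name}: {dst} -> {table.lookup(dst)}")
```

Two things the model makes visible: only the private subnet's table received the peering route, so hosts in the public subnet would send 10.55.0.0/16 traffic to the Internet gateway and get nowhere; and the shared-services VPC has no default route, so it cannot borrow the other VPC's Internet access through the peering (peering is not transitive).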
AWS VPN basics
(diagram: Customer Gateway, your networking device, 192.168.0.0/16 ↔ two IPSec tunnels ↔ Virtual Gateway, VPC 172.31.0.0/16)
VPN and AWS Direct Connect
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPSec tunnels over the Internet
• Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability: Use both
VPC and the rest of AWS
• AWS Services in Your VPC
• VPC Endpoints for Amazon S3
• DNS in-VPC with Amazon Route 53
• Logging VPC Traffic with VPC Flow Logs
Example: Amazon RDS database in your VPC
Reachable via DNS Name: mydb-cluster-1….us-west-2.rds.amazonaws.com
Best practices for in-VPC AWS services
• Many AWS services support running in-VPC.
• Use security groups for Least-Privilege network access.
• For best availability, use multiple Availability Zones.
Examples:
• Multi-zone RDS deployments
• Use a zonal mount point for EFS access
IAM policy for VPC endpoints
(diagram: VPC Endpoint → S3 Bucket)
• IAM Policy at VPC Endpoint: Restrict actions of VPC in S3
• IAM Policy at S3 Bucket: Make accessible from VPC Endpoint only
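The two policies on this slide work as a pair: the endpoint policy limits what the VPC may do in S3, and the bucket policy turns away anything that did not arrive through the endpoint. To show how they compose, the Python below is an added example (not the deck's or AWS's code) containing both policy documents with a placeholder bucket name and endpoint id, plus a deliberately minimal evaluator that implements only the parts of IAM evaluation these two policies need: wildcard matching on Action and Resource, the StringEquals/StringNotEquals condition operators, explicit-deny-wins, and implicit deny. Identity-based policies are left out, and the toy applies the same endpoint policy to whichever endpoint id a request carries.

```python
import fnmatch

BUCKET = "example-bucket"      # placeholder bucket name
ENDPOINT_ID = "vpce-EXAMPLE"   # placeholder VPC endpoint id
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Policy attached to the VPC endpoint: restricts what the VPC may do in S3
# (here: read, write and list on one bucket; no delete, no other buckets).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": BUCKET_ARNS,
    }],
}

# Policy attached to the bucket: deny any request that did not arrive through
# our endpoint. aws:sourceVpce is present only on requests that came via a VPC
# endpoint; when the key is absent, StringNotEquals is true and the Deny fires.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, context):
    """Match action and resource (IAM-style wildcards) and the two condition
    operators these policies use. Any other operator is rejected outright."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in tests.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policies, action, resource, context):
    """IAM's basic rule: an explicit Deny anywhere wins, otherwise any Allow
    wins, otherwise the request is implicitly denied."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def decide(action, key, source_vpce=None):
    """Decision for an S3 request on BUCKET/key. Requests through an endpoint
    are subject to the endpoint policy plus the bucket policy; requests from
    elsewhere see only the bucket policy. Identity-based policies are omitted."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    context = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    policies = [ENDPOINT_POLICY, BUCKET_POLICY] if source_vpce else [BUCKET_POLICY]
    return evaluate(policies, action, resource, context)


if __name__ == "__main__":
    for args in (("s3:GetObject", "reports/q4.csv", ENDPOINT_ID),
                 ("s3:DeleteObject", "reports/q4.csv", ENDPOINT_ID),
                 ("s3:GetObject", "reports/q4.csv", None)):
        print(args, "->", decide(*args))
```

The evaluator shows the division of labour: a delete through the endpoint fails on the endpoint policy (nothing allows it), while a read from outside the VPC fails on the bucket policy even though the endpoint policy would have allowed the same action.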
VPC Flow Logs
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
VPC Flow Logs data in CloudWatch Logs
(screenshot: a REJECT record; UDP port 53 = DNS)
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
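The screenshot above is the kind of record worth pulling out of Flow Logs automatically: a REJECT on UDP/53 from an address that is not yours. The Python below is an added example, not code from the deck or from AWS. It parses the default Flow Logs record format (14 space-separated fields), skips NODATA records, tallies rejected flows by source, destination port and protocol, and computes the in-addr.arpa name that `dig -x` would query, without making any DNS request. The log lines are constructed, with placeholder account and interface ids; the rejected source address is the one from the slide.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC Flow Logs record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# IANA protocol numbers as they appear in the 'protocol' field.
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (placeholder account and interface ids). The
# source address in the REJECT lines is the one shown in the deck's screenshot.
SAMPLE_LINES = """
2 123456789012 eni-EXAMPLE 109.236.86.32 172.31.1.25 45187 53 17 1 73 1480000000 1480000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.7 172.31.1.25 51422 80 6 9 1201 1480000000 1480000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 172.31.1.25 203.0.113.7 80 51422 6 7 4532 1480000000 1480000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 109.236.86.32 172.31.1.25 45188 22 6 1 44 1480000001 1480000061 REJECT OK
2 123456789012 eni-EXAMPLE - - - - - - - 1480000001 1480000061 - NODATA
""".strip().splitlines()


def parse_flow_log(line):
    """Parse one default-format record into a dict with numeric fields converted.
    Returns None for NODATA/SKIPDATA records, which carry no traffic fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None
    for name in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        record[name] = int(record[name])
    record["proto_name"] = PROTOCOL_NAMES.get(record["protocol"], str(record["protocol"]))
    return record


def reject_summary(lines):
    """Count REJECTed flows by (source address, destination port, protocol).
    A REJECT means a security group or network ACL dropped the traffic, so this
    is where unexpected probes against the VPC show up."""
    counts = Counter()
    for record in map(parse_flow_log, lines):
        if record and record["action"] == "REJECT":
            counts[(record["srcaddr"], record["dstport"], record["proto_name"])] += 1
    return counts


def ptr_name(ip):
    """The in-addr.arpa name that `dig -x <ip>` resolves to find out who an
    address belongs to; computed offline here, no DNS query is made."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    for (src, port, proto), n in reject_summary(SAMPLE_LINES).most_common():
        print(f"{n} rejected {proto}/{port} from {src} (reverse lookup: {ptr_name(src)})")
```

Grouping by source rather than listing raw records is what makes the summary readable at scale: one external address probing several ports collapses to a handful of lines, and the accepted request/response pair on port 80 is correctly left out.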