The AWS Virtual Private Cloud platform provides a mature network topology for your ec2 resources. It enables you to restrict access to resources in much finer grained ways than possible in ec2. Additionally, VPC allows site to site VPN; allowing you to extend your non-ec2 networks to ec2. In this presentation, we explore an actual migration from ec2-classic to VPC, with lessons learned along the way.
VPC - Flying Blind on a Rocket Cycle
Matthew Boeckman - VP of DevOps at Craftsy.com
@matthewboeckman
http://enginerds.craftsy.com
Who is Craftsy
● Instructor led training videos for passionate hobbyists
● #19 on Forbes’ Most Promising Companies 2014
VPC - Why
VPC is a mature network topology for AWS
Network ACLs allow for true edge blocking
Instances can be members of multiple Security Groups
SG membership can change post-instance launch
Site to Site VPN connectivity enables extension of your network to AWS
Three things
Keep it simple
Get there now
Keep it simple
*disclaimer
Our stack in ec2-classic
What we hate about ec2-classic
● inflexible security groups
● per-IP maintenance of SGs across regions
● ALLOW TCP 22 FROM 0.0.0.0/0
● no edge
Our stack in VPC
routing
Private subnets can only route traffic destined for the internet to a
NAT instance (eni-0…). Public subnets route to the IGW. Routes
can be automatically propagated from VPN connections.
NAT instances
HOW BIG?!
● we chose m1.medium… because… it seems big enough? sure.
● failover
Site to Site VPN
● AWS docs on this are perfect - check if your firewall is on the supported list. If so, one-click configuration for your firewall
● A VPN connection includes two tunnels, connected to two different IPs at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER
Cross region VPN
http://aws.amazon.com/articles/5472675506466066
http://fortycloud.com/interconnecting-two-aws-vpc-regions/
AWS has no product offering here. You can easily VPN two VPCs in the same region but not, you know, in different regions.
reservations!
Instance reservations purchased in EC2 classic DO NOT MAGICALLY MOVE TO VPC
Do. Not. Forget. This. Step.
seriously?
VPC - flying blind
netcat, tcpdump and patience
be the packet
[diagram: packet path between host a and host b, passing a SG and an ACL on each side, with out/in direction labels at each hop]
LIMITS
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
ACLs ARE NOT STATEFUL
ALLOW tcp 80 src 10.85.0.0/16
ALLOW tcp 443 src 10.85.1.0/24
ALLOW tcp established any
DENY ALL
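The rule set above only works because of the "ALLOW tcp established any" line: a network ACL has no connection tracking, so the server's replies to a client's ephemeral port must be allowed by an explicit outbound rule (in practice a rule on the ephemeral port range), or the web request silently fails. The stateless evaluator below is an added example, not from the deck; the rule objects, the 10.85.3.7 client and port 51234 are constructed, and the ephemeral range 1024-65535 is the one AWS documents for Linux clients.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # lower numbers are evaluated first, as in an AWS network ACL
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range
    cidr: str       # remote address range the rule matches


def evaluate_acl(rules, proto, remote_ip, dst_port):
    """Stateless check: the first matching rule by number decides; no match means deny."""
    addr = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("any", proto):
            continue
        if not (r.ports[0] <= dst_port <= r.ports[1]):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False  # implicit final DENY ALL


# Constructed inbound rules modelled on the slide: web traffic from two internal ranges.
INBOUND = [
    Rule(100, "allow", "tcp", (80, 80), "10.85.0.0/16"),
    Rule(110, "allow", "tcp", (443, 443), "10.85.1.0/24"),
]

# Outbound set with no return-traffic rule: the server's SYN/ACK is dropped at the edge.
OUTBOUND_BROKEN = []

# Outbound set with the ephemeral-port rule that plays the role of "ALLOW tcp established".
OUTBOUND_FIXED = [
    Rule(100, "allow", "tcp", (1024, 65535), "10.85.0.0/16"),
]


def web_request_succeeds(outbound_rules, client_ip="10.85.3.7", client_port=51234):
    """The client's SYN must pass the inbound ACL on port 80 and the server's reply
    must pass the outbound ACL on the client's ephemeral port; both are checked
    independently because the ACL remembers nothing about the first packet."""
    request_in = evaluate_acl(INBOUND, "tcp", client_ip, 80)
    reply_out = evaluate_acl(outbound_rules, "tcp", client_ip, client_port)
    return request_in and reply_out
```

Running `web_request_succeeds` against both outbound sets shows the failure mode from the slide: identical inbound rules, but only the set with the ephemeral-port rule lets a connection complete.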
SNS, Redshift, Route53, RDS
SNS - has no legs in VPC. Systems subscribing to SNS topics from private subnets need an HTTP proxy in a public subnet for SNS to reach them.
Redshift/RDS - have legs in VPC - migrate your Redshift or RDS instances to VPC (yay!)
Route53 - no support for “views” in VPC.
migration time best time
- use AWS support or account teams
- start with subnets and basic nat, vpn
- dev environments, soak
- preprod, soak
cloned production
shut it down
thank you
QUESTIONS!
Matthew Boeckman
@matthewboeckman
http://enginerds.craftsy.com
(deck will be there & slideshare)