© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Koen vd Biggelaar, Sr. Mgr. Solution Architecture, AWS
Jurjan Woltman, Architect, Wehkamp
May 2016
Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
What to Expect from the Session
• Get familiar with VPC concepts
• Walk through a basic VPC setup
• Learn about the ways in which you can tailor your virtual network to meet your needs
• Get a customer story
• And there is more
Creating an Internet-Connected VPC: Steps
Choosing an address range
Setting up subnets in Availability Zones
Creating a route to the Internet
Authorizing traffic to/from the VPC
Choosing IP Address Ranges for Your VPC
172.31.0.0/16
Recommended: RFC1918 range
Recommended: /16 (64K addresses)
Choosing IP Address Ranges for Your Subnets
172.31.0.0/16
Availability Zone eu-west-1a: VPC subnet 172.31.0.0/24
Availability Zone eu-west-1b: VPC subnet 172.31.1.0/24
Availability Zone eu-west-1c: VPC subnet 172.31.2.0/24
More on Subnets
• Recommended for most customers:
• /16 VPC (64K addresses)
• /24 subnets (251 addresses)
• One subnet per Availability Zone
Routing in Your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• …but you can assign different route tables to different subnets
Security Groups Follow the Structure of Your Application
“MyWebServers” security group
“MyBackends” security group
Allow only “MyWebServers”
Security Groups = Stateful Firewall
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
Security Groups = Stateful Firewall
In English: Only instances in the MyWebServers security group can reach instances in this security group
Security Groups in VPCs: Additional Notes
• VPC allows creation of egress as well as ingress security group rules
• Best practice: Whenever possible, specify allowed traffic by reference (other security groups)
• Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
Beyond Internet Connectivity
Subnet routing options
Connecting to your corporate network
Connecting to other VPCs
Different Route Tables for Different Subnets
VPC subnet: has route to Internet
VPC subnet: has no route to Internet
Internet Access via NAT Gateway
Route 0.0.0.0/0 from the VPC subnet points to the NAT Gateway (Public IP: 54.161.0.39) in the other VPC subnet
Shared Services VPC Using VPC Peering
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Steps to Establish Peering
172.31.0.0/16 ↔ 10.55.0.0/16
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create routes
In English: Traffic destined for the peered VPC should go to the peering
VPN: What you need to know
Your networking device (customer gateway, 192.168.0.0/16) ↔ two IPsec tunnels ↔ virtual gateway (VPC 172.31.0.0/16)
Routing to a Virtual Private Gateway
In English: Traffic to my 192.168.0.0/16 network goes out the VPN tunnel
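A model of the route-table lookups on these slides (the NAT default route, the peering route from Step 3 and the virtual private gateway route), as an added example that is not from the original deck: Python's ipaddress module does the longest-prefix match a VPC route table applies, checks that ranges to be peered or joined by VPN do not overlap, and carves the recommended one /24 per Availability Zone. The route target IDs are constructed placeholders, not real resources.

```python
import ipaddress

# Routes of a private subnet, as the slides describe them: the VPC's own
# range is "local", everything else goes out via the NAT gateway, the peered
# VPC via the peering connection and the corporate network via the virtual
# private gateway. Target IDs are constructed placeholders, not real resources.
ROUTES = {
    "172.31.0.0/16": "local",
    "0.0.0.0/0": "nat-PLACEHOLDER",
    "10.55.0.0/16": "pcx-PLACEHOLDER",
    "192.168.0.0/16": "vgw-PLACEHOLDER",
}

def next_hop(dst_ip, routes=ROUTES):
    """Pick the route target for dst_ip by longest-prefix match, as a VPC route table does."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def overlapping(cidrs):
    """Pairs of ranges that overlap; peering and VPN both need disjoint address ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def carve_subnets(vpc_cidr, azs, new_prefix=24):
    """One /24 subnet per Availability Zone, carved in order from the VPC block."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {az: str(next(blocks)) for az in azs}

if __name__ == "__main__":
    print(carve_subnets("172.31.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
    for dst in ("172.31.0.137", "10.55.3.9", "192.168.7.1", "52.18.10.57"):
        print(dst, "->", next_hop(dst))
    print(overlapping(["172.31.0.0/16", "10.55.0.0/16", "192.168.0.0/16"]))
```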
VPN vs Direct Connect
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPSec tunnels over the Internet
• Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability: Use both
EC2 DNS Hostnames in a VPC
Internal DNS hostname: Resolves to Private IP address
External DNS name: Resolves to …
EC2 DNS Hostnames Work From Anywhere: Outside Your VPC
C:\>nslookup ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
Server: globaldnsanycast.amazon.com
Address: 10.4.4.10
Non-authoritative answer:
Name: ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
Address: 52.18.10.57
Outside your VPC: Public IP address
EC2 DNS Hostnames Work From Anywhere: Inside Your VPC
[ec2-user@ip-172-31-0-201 ~]$ dig ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.38.amzn1 <<>> ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36622
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. IN A
;; ANSWER SECTION:
ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. 60 IN A 172.31.0.137
;; Query time: 2 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Sep 9 22:32:56 2015
;; MSG SIZE rcvd: 81
Inside your VPC: Private IP address
Route 53 Private Hosted Zones
• Control DNS resolution for a domain and subdomains
• DNS records take effect only inside associated VPCs
• Can use it to override DNS records “on the outside”
Frontend Technology Stack – 2012
• Almost end-of-life
• On premise
• Monolith .NET
• No automation
• Scalability limit reached
● Reactive micro-services architecture
● Polyglot programming: Scala, .Net, NodeJS, Java
● Blend of SaaS & Wehkamp proprietary services
● Services expose REST APIs over HTTP/JSON
● Open for integration, internally and externally
● Support for multi-instances, e.g. countries, labels
● And last but not least: Scalable & Resilient Infrastructure
Why AWS
● Maturity & Feature Richness
● Ease of Use
● Development Tooling – Automation is key
● Scalability & Resilience
One Region with Three Availability Zones: Dublin, Availability Zones A, B and C
Three VPCs to split Development & Production
AWS VPCs, CIDR: 10.200.0.0/16
• WEHKAMP.IO, CIDR: 10.200.48.0/20
• Blaze OTA, CIDR: 10.200.16.0/20
• Blaze P, CIDR: 10.200.0.0/20
On premise ↔ VPN connections
VPC 10.x.x.x/20
• Public A 10.x.0.0/24
• Public B 10.x.1.0/24
• Public C 10.x.2.0/24
• Private C 10.x.13.0/24
• Private B 10.x.14.0/24
• Private A 10.x.15.0/24
VIF
• /20 per VPC
• /24 per Subnet
• Public & Private per AZ
Mesos Container Platform, Cassandra, Elasticsearch
• Our platform is deployed in 3 AZ’s
• Pick middleware / tools which are aware
Account structure: Billing, IAM, Shared Services, Back-up, Audit Trail, Reporting; per label (nl.wehkamp, be.wehkamp) the accounts control, dev, acc, prd
Account & VPC REDESIGN
● Single Responsibility
● Security
● Fault-Tolerant
● Shared Resources
Redesign: Shared Services account; per label (nl.wehkamp, be.wehkamp) the accounts control, dev, acc, prd; Direct Connect over redundant fiber
Replace VPN by Direct Connect
What did we learn?
● Start simple and small
● Automate everything!
● VPCs are different from on-premise networks
● Isolation & strong (naming) conventions
VPC Flow Logs: See All Your Traffic
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
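As an added example that is not from the deck: a small Python parser over constructed flow log records in the default version 2 format (field order as published by AWS; the account and ENI IDs are placeholders), summarising what the security group rejected and which outside sources actually reached the web server.

```python
import collections
import ipaddress

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records for a web server at 172.31.0.201 in the
# "MyWebServers" group; account and ENI IDs are placeholders, not real ones.
SAMPLE_LOG = """\
2 111111111111 eni-PLACEHOLDER 203.0.113.10 172.31.0.201 51234 80 6 12 3400 1463000000 1463000060 ACCEPT OK
2 111111111111 eni-PLACEHOLDER 203.0.113.10 172.31.0.201 51235 22 6 1 60 1463000000 1463000060 REJECT OK
2 111111111111 eni-PLACEHOLDER 198.51.100.7 172.31.0.201 40001 22 6 1 60 1463000010 1463000070 REJECT OK
2 111111111111 eni-PLACEHOLDER 172.31.1.50 172.31.0.201 33000 443 6 5 900 1463000020 1463000080 ACCEPT OK
2 111111111111 eni-PLACEHOLDER 172.31.1.50 172.31.0.201 33001 8080 6 1 60 1463000020 1463000080 REJECT OK
2 111111111111 eni-PLACEHOLDER - - - - - - - 1463000030 1463000090 - NODATA
"""

def parse_flow_logs(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no flow fields and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec

def rejected_by_port(text):
    """REJECT count per destination port: what the security group actually blocked."""
    counts = collections.Counter(r["dstport"] for r in parse_flow_logs(text)
                                 if r["action"] == "REJECT")
    return dict(counts)

def accepted_from_outside(text, vpc_cidr="172.31.0.0/16"):
    """(source, port) pairs accepted from outside the VPC: the real exposure to the Internet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return sorted({(r["srcaddr"], r["dstport"]) for r in parse_flow_logs(text)
                   if r["action"] == "ACCEPT"
                   and ipaddress.ip_address(r["srcaddr"]) not in vpc})

if __name__ == "__main__":
    print("rejected per port:", rejected_by_port(SAMPLE_LOG))
    print("accepted from outside:", accepted_from_outside(SAMPLE_LOG))
```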