1 / 51

Bryan Van Hook, TAM

Learn about AWS networking services including Virtual Private Cloud (VPC), Elastic IP (EIP), Direct Connect, Elastic Load Balancer (ELB), and Route53. Explore features such as network topology, routing tables, and advanced security options.

peltier
Download Presentation

Bryan Van Hook, TAM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bryan Van Hook, TAM Networking in AWS March 13, 2019

  2. Overview • AWS networking services including: VPC – Extend your network into a virtual private cloud EIP – Elastic IP Direct Connect – Physical cross connect into AWS ELB – Managed load balancer service Route53 – Managed DNS service

  3. 1 Amazon VPC

  4. Amazon Virtual Private Cloud (VPC) • Your own logically isolated section of AWS • Bring your own network: • IP Addresses • Subnets • Network Topology • Routing Tables • Multiple Connectivity Options • Advanced Security Features

  5. Networking Building BlocksAmazon Virtual Private Cloud (VPC) • Bring your own network Your Network goes here VPC – Virtual Private Cloud Availability Zone B Availability Zone A

  6. Networking Building BlocksAmazon Virtual Private Cloud (VPC) • Bring your own network • Create your own subnets VPC Subnet VPC Subnet VPC – Virtual Private Cloud Availability Zone B Availability Zone A

  7. Plan your VPC IP space before creating it IP Addressing • Consider future AWS region expansion • Consider future connectivity to corporate networks • Consider subnet design • VPC can be /16 between and /28 • CIDR cannot be modified once created • But you can add new CIDRs to expand the VPC IP addressing • Overlapping IP spaces = future headache

  8. Network Building BlocksNetwork Control – Security Groups Anything Else TCP 443 TCP 80 TCP 80 TCP 80 Public Subnet – Web/App Tier TCP 3306 TCP 3306 TCP 3306 Private Subnet – DB Tier

  9. Network Building BlocksNetwork Control – Security Groups • Inbound / Outbound • Instance level inspection • Microsegmentation • Mandatory, all instances have an associated Security Group • Stateful • Can be cross referenced • Works across VPC Peering • Only supports allow rules • Implicit deny all at the end

  10. Network Building BlocksNetwork Control – Network Access List 10.0.10.0/24 Public Subnet TCP 3306 * 10.0.30.0/24 Private Subnet VPC – Virtual Private Cloud

  11. Network Building BlocksNetwork Control – Network Access List • Optional level of security • By default, allow all traffic • Subnet level inspection • Stateless • IP and TCP/UDP port based • Supports allow and deny rules • Deny all at the end

  12. Network Building BlocksNetwork Control – Route Rules 192.168.0.0/16 10.0.10.0/16 VPC Public Subnet 10.0.20.0/16 Private Subnet 172.16.0.0/16 VPC – Virtual Private Cloud Corporate Datacenter AWS Cloud

  13. Network Building BlocksNetwork Control – Route Rules • Each subnet can have a unique Route Table • Direct traffic out of the VPC • IGW • VGW • VPC Endpoints • Direct Connect • VPC Peering

  14. Network Building BlocksVPN – Virtual Private Network (1.25 Gbps max) API Gateway 2x IPSEC Tunnel Amazon S3 Other AWS Services DynamoDB VPN Connection Virtual Private Gateway (VGW) VPC – Virtual Private Cloud Customer Gateway (CGW) AWS Cloud Corporate Datacenter

  15. How to connect my Datacenter to AWS? VGW – Virtual Private Gateway • One VGW per VPC • Redundant VPN Tunnels • Terminating in different AZs • IPSec • AES 256-bit encryption • SHA-2 hashing • Scalable • BGP or Static Routing

  16. Network Building BlocksAWS Direct Connect (10 Gbps max) API Gateway Public VIF Amazon S3 Other AWS Services DynamoDB Private VIF VGW DirectConnect Customer Gateway VPC – Virtual Private Cloud WAN DirectConnect Location AWS Cloud Corporate Datacenter

  17. Network Building BlocksVPC Gateways – Internet Gateway (IGW) Public Internet Internet Gateway Elastic IP: 198.51.100.2 Private IP: 10.0.10.6 Private IP: 10.0.10.7 Public Subnet Private IP: 10.0.20.9 Private IP: 10.0.20.9 Private Subnet VPC – Virtual Private Cloud AWS Cloud

  18. Network Building BlocksConnecting to Instances – Elastic IP Address Public Internet Internet Gateway Elastic IP: 198.51.100.2 Private IP: 10.0.10.6 Private IP: 10.0.10.7 Public Subnet Private IP: 10.0.20.9 Private IP: 10.0.20.9 Private Subnet VPC – Virtual Private Cloud AWS Cloud

  19. Network Building BlocksInternet Gateway + Elastic IPs • IGW - Internet Gateway • One per VPC • Horizontally scaling • Redundant • Highly available • EIP - Elastic IPs • Public IP address • Can be reassociated

  20. Network Building BlocksConnecting to Instances – Load Balancer Elastic Load Balancer Public Subnet Elastic Load Balancer Private Subnet VPC – Virtual Private Cloud

  21. Network Building BlocksNAT Gateway Public Internet Internet Gateway NAT Gateway Public Subnet Private IP: 10.0.20.9 Private Subnet VPC – Virtual Private Cloud AWS Cloud

  22. Network Building BlocksNAT Gateway Connect to the internet No incoming connection High available Up to 10Gbps bandwidth Fully managed by AWS Supports TCP, UDP, and ICMP protocols Network ACLs apply to NAT gateway’s traffic

  23. How to connect to public AWS Services?VPC Endpoints API Gateway VPC Endpoint Endpoint Service 3rd Party Service Private IP: 10.0.0.6 VPC – Virtual Private Cloud VPC Endpoint VPC Endpoint Public Subnet Amazon S3 Private IP: 10.0.0.6 DynamoDB Private Subnet VPC – Virtual Private Cloud AWS Cloud

  24. How to connect to public AWS Services?VPC Endpoints Scalable and high available • Don’t require public IPs • Robust access control • Private connection to supported AWS services • Connection to VPC Endpoint Services • Other VPCs • SaaS Providers

  25. How to connect to public AWS Services?VPC Endpoints • There are two types of VPC endpoints: • Gateway: A gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service. • Supported Services: Amazon S3 and DynamoDB • Interface: An elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service. • Supported Services: EC2 and ELB API, AWS Systems Manager, Kinesis Data Streams, AWS KMS, AWS Service Catalog, etc, Endpoint Services hosted by other accounts and AWS Marketplace Partner services

  26. How to connect to public AWS Services?VPC Endpoints – Interface VPC Endpoints • Enables customers to connect to services powered by AWS PrivateLink • IP connectivity is private—no public IP addresses • Endpoints have regional and zonal names • Private DNS Support for default AWS Service DNS name – no configuration changes required • Works with Amazon VPC security groups • Works with IAM policies

  27. How to connect to another VPC?VPC Peering Private IP: 10.0.10.0 Private IP: 192.168.10.0 Public Subnet Public Subnet VPC Peering Private IP: 10.0.20.0 Private IP: 192.168.20.0 Private Subnet Private Subnet VPC – Virtual Private Cloud VPC – Virtual Private Cloud AWS Cloud

  28. How to connect to another VPC?VPC Peering • Scalable and high available • Inter-account peering • Inter-region peering • Remote Security groups can be referenced • Routing policy with Route Tables • No transitive routing

  29. How to isolate my resources inside AWS?Default VPC Default VPC • Simplicity and Convenience • Automatically assigned network and subnets Security of VPC • Customer may create additional subnets and change routing rules • Additional network controls (Security Groups, NACLs, routing) • Hardware VPN options between corporate networks • Instances in default subnets have Security Group−controlled public and private IPs

  30. Recap • Create VPC • Create Subnets – Across Multiple AZ’s • Configure RouteTables • Create Gateways – IGW and VGW (VPN and DX) • Configure Security – Security Groups and NACLs • Create VPCEndpoints • Create NATGateway • Configure VPC Peering • CreateInstances

  31. 2 Direct Connect

  32. How to connect to my Datacenter to AWS?Dedicated Connection - AWS Direct Connect API Gateway Public VIF Amazon S3 Private VIF DynamoDB Other AWS Services Private IP: 172.16.0.0/24 DirectConnect Customer Gateway WAN DirectConnect Location VPC – Virtual Private Cloud AWS Cloud Corporate Datacenter

  33. How to connect to my Datacenter to AWS?Direct Connect, aka DX (1/2) • 1 Gbps or 10 Gbps fiber cross connect • 50M - 500M available through APN Partners • Single VIF per connection through APN Partners • Consistent Network Performance • Lower latency compared to a VPN connection

  34. How to connect to my Datacenter to AWS?Direct Connect, aka DX (1/2) • Reduced Bandwidth Charges • Public and Private VIF options • Multiple Private VIFs on the 1G or 10G links • BGP Supported

  35. How to connect to my Datacenter to AWS?Dedicated connection + Redundancy API Gateway Public VIF Amazon S3 Private VIF DirectConnect DynamoDB Other AWS Services DirectConnect Customer Gateway Customer Gateway WAN WAN WAN WAN DirectConnect Location DirectConnect Location VPC – Virtual Private Cloud AWS Cloud Corporate Datacenter

  36. How to connect to my Datacenter to AWS?Direct Connect redundancy • Redundant DX locations • Redundant DX Connections • LAG/LACP Supported • Redundant AWS DX routers • Every DX location • Routing policies • AS Path Prepend • Scope BGP Communities • Local Preference BGP Communities

  37. How to connect to my Datacenter to AWS?Connect multiple AWS Regions – DX Gateway Private VIF Private VIF VPC – Virtual Private Cloud AWS Region #1 Direct Connect Gateway Direct Connect VPC – Virtual Private Cloud Customer Gateway WAN DirectConnect Location AWS Region #2 AWS Cloud Corporate Datacenter

  38. AWS Direct ConnectCross-Connect Details • Decide on an AWS DX location and port size • Use AWS Management Console  to create connection request(s) • Sends Letter of Authorization – Connecting Facility Assignment (LOA-CFA) via email • Establish WAN connectivity to DX location* • APN Partner or a network carrier of your choice • Provide LOA-CFA to an APN Partner or your service provider to establish the connection at the DX location • Use AWS Management Console  to configure one or more virtual interfaces * Can be done in parallel with remaining steps once the AWS DX location has been selected

  39. 3 ELB

  40. How to distribute traffic across Instances?Elastic Load Balancing Elastic Load Balancer Public Subnet Public Subnet Elastic Load Balancer Private Subnet Private Subnet Availability Zone A Availability Zone B VPC – Virtual Private Cloud

  41. How to distribute traffic across Instances?Elastic Load Balancer (ELB) – Classic Load Balancer • Layer 4 & Layer 7 Load Balancing • Region level service • Cross AZ • Built-in Health Check • Auto Scaling Integration • SSL Supported • Client SSL Termination • Backend ELB-to-Server mutual SSL • Sticky Sessions

  42. How to distribute traffic across Instances?ELB - Application Load Balancer • Layer 7 Load Balancing • Content-Based Routing (host and path based) • Containerized Application Support (ECS, EKS) • HTTP/2 Support • WebSockets Support • Deletion Protection • Request Tracing • Web Application Firewall (WAF) integration

  43. How to distribute traffic across Instances?ELB - Network Load Balancer • Layer 4 Load Balancing • Connection-based Load Balancing • High Throughput • Low Latency • Preserve source IP address • Static IP and Elastic IP • Long-lived TCP Connections • Ideal for WebSockets • IP addresses as Targets

  44. Elastic Load BalancingFeatures Comparison

  45. 4 Route53

  46. How to direct traffic to my domain?Route 53 Route 53 Main Site healthy? Yes No A/B Testing 95% 5% App Version A App Version B App DR AWS Region AWS Region AWS Cloud

  47. How to direct traffic to my domain?Route 53 • AWS DNS service • 100% availability SLA • Domain Registration • Domain name resolution • Health Checks • DNS Failover • Latency Based Routing • Geo Based Routing • Weighted Round Robin • Private DNS for VPC

  48. Route53 • Zone Apex integration • ELB, S3, CloudFront • Private DNS within VPC • Internal DNS names not exposed to Internet • Supports split-horizon DNS

  49. Route53 Pricing Dimensions • Pay only for managing domains through the service • the number of domains • the number of queries that the service answers for each of your domains • No minimum fees • No minimum usage commitments • No overage charges

  50. Route53Getting Started • Register DNS name with Route 53 or transfer from external registrar • Create a Route53 hosted zone • AWS Management Console or API • Update your domain registrar (if transferred) • Provide Route53 name servers associated with your hosted zone • Create DNS resource records for your domain

More Related