Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)

1. AWS$201$
Using$Amazon$Virtual$Private$Cloud$
(VPC)$
Markku$Lepistö$B$Technology$Evangelist$
@markkulepisto$

2. Housekeeping
• Presentation ~40mins
• Post Questions Online
• Q&A at the end using the online chat
• Reminder – Fill in the survey!

3. What is Hybrid IT?

4. Hybrid IT: A Definition
$
$
$
$
$
hIp://www.gartner.com/technology/research/technicalBprofessionals/hybridBcloud.jsp$
“Hybrid IT is the result of combining internal and
external services, usually from a combination of
internal and public clouds, in support of a business
outcome.”

5. $
$
$
$
$
hIp://www.gartner.com/technology/research/technicalBprofessionals/hybridBcloud.jsp$
“Hybrid IT is the result of combining internal and
external services, usually from a combination of
internal and public clouds, in support of a business
outcome.”
Hybrid IT: A Definition

6. Build$ Deliver$
Hybrid IT: A Definition
Services( Business(
Outcomes(
Solu1ons(

7. AWS Service Building Blocks

8. Services: AWS Platform
AWS Global Infrastructure
Application Services
Networking
Deployment & Administration
DatabaseStorageCompute

9. Our “Hybrid” Focus
Cloud AppsOn-Premise Apps
Private Connections
Workload Migrations
Access Control Integration
Work with Existing
Management Tools
Your Data Centers

10. Tools to Support Hybrid IT Architectures
VM Import/Export
VPC Network
IAM Policies
Virtual Images
On-Premise Apps
Private Network
Your Data Centers
VPC
Corporate Directory
Your Cloud Apps
Your Data Our Storage

11. Services: Networking: VPC
Compute$ Storage$
AWS$Global$Infrastructure$
Database$
App$Services$
Deployment$&$AdministraVon$
Networking$
Extend your data center with Amazon VPC

12. Compute$ Storage$
AWS$Global$Infrastructure$
Database$
App$Services$
Deployment$&$AdministraVon$
Networking$
Services: Networking: VPC
Extend your data center with Amazon VPC
• Create logically isolated section of AWS Cloud using
your own network address space
• Complete control over your virtual networking environment
including creation of subnets, IP addressing, routing tables
and network gateways
• Create private or public subnets in multiple Availability Zones
• You choose where to deploy EC2 instances
• You manage network security at subnet level using NACLs
• You manage EC2 Instance Security Groups,
providing stateful network firewall per instance
10.100.0.0/16(Application
Server$
Availability Zone BAvailability Zone A
10.100.2.0/23$10.100.0.0/23$

13. Integrate your network with Amazon VPC
• Connect via standard IPSEC Internet VPN tunnels, or
• Private link to AWS Direct Connect peering location,
or a combination of both
• Connection port speeds from 50M to 10G, you choose the
connection speed you want
• Connect multiple VPCs using industry standard VLANs and
layer 3 routing protocols
• Integrate your network to your private VPC resources
• Deploy your own network equipment into Direct Connect
peering location, e.g. WAN Optimization Devices
Compute$ Storage$
AWS$Global$Infrastructure$
Database$
App$Services$
Deployment$&$AdministraVon$
Networking$
Customer VPC
Internet VPN
Connection$
Customer IPSEC
Router/Firewall$
Customer Direct
Connect Router$
Private$Direct$
Connect
Customer Corporate
Network
Services: Networking: VPN & Direct Connect

14. Demo step 1
Create a new VPC in Singapore

15. VPN
Tunnels$
Office VPN
Gateway$
Workstation
VPC Configuration - Singapore
• VPC CIDR Network: 10.100.0.0/16
• VPC Subnet 1: 10.100.0.0/23
• VPC Subnet 2: 10.100.2.0/23
• VPN Type: Dynamic BGP
Office Configuration - Tokyo
• Corporate Network: 10.96.0.0/16
• Office Network: 10.96.24.0/21
• VPN Gateway: 54.178.135.26 (public IP)
Our First Virtual Private Cloud
Availability Zone BAvailability Zone A

16. Demo starts

17. You can create multi-tier architectures
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC2(
10.0.5.0/24
Bas1on(
10.0.4.0/24
EC2(App( Log(
EC2(Web(
Load(
balancing(

18. Firewall every single compute instance
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC2(
10.0.5.0/24
Bas1on(
10.0.4.0/24
EC2(App(
“Web servers will accept Port 80
from load balancers”
“App servers will
accept Port 8080
from web
servers”
“Allow SSH
access only from
Bastion hosts”
Log(
EC2(Web(
Load(
balancing(

19. Enable Network Access Control on every subnet
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC2(
10.0.5.0/24
Bas1on(
10.0.4.0/24
EC2(App( Log(
EC2(Web(
“Deny all traffic between the web
server subnet and the database
server subnet”
Load(
balancing(

20. Control every Internet connection
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC2(
10.0.3.0/24
EC2(
10.0.4.0/24
EC2(App(
EC2(Web(EC2(Web(EC2(EC2(Web(
Internet$Gateway$
Control(Internet(rou1ng(
• Create$Public$subnets$and$
Private$subnets$
• Create(Internet(Gateways(or$
NAT(instances(for$controlling$
internetBfacing$traffic$
• Allocate$Elas1c(IP(addresses(
• Implement$DMZ$
architectures$as$per$normal$
best$pracVces$
Load(
balancing(

21. Connect in private to your existing datacenters
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC2(
10.0.3.0/24
EC2(
10.0.4.0/24
EC2(App(
EC2(Web(EC2(Web(EC2(EC2(Web(
Use Internet VPNs
or use AWS Direct
Connect
Your(office(/(DC(
Load(
balancing(

22. You can route to the Internet using your gateway
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC2(
10.0.3.0/24
EC2(
10.0.4.0/24
EC2(App(
EC2(Web(EC2(Web(EC2(EC2(Web(
Use Internet VPNs
or use AWS Direct
Connect
Load(
balancing(
Your(office(/(DC(

23. Common Hybrid Workloads

24. Disaster Recovery
Application
Server$
Virtual
Server$
File
Server$
Database
Server$
Backup
Server$
Cloud on standby DR setup
• Eliminate need for DR data center
• Reduce capital expense for duplicate infrastructure
• Pay for only what you use
• Real-time, secure, database replication from on-premise to
down-sized database server running on AWS
• Application backups and virtual server images stored on S3
• Storage appliance volume data preserved on S3 as snapshot
Amazon S3$
Database
Server$

25. Disaster Recovery
Amazon S3$
Application
Server$
Virtual
Server$
File
Server$
Database
Server$
Cloud on standby DR invocation
• AWS services available within minutes
• Pay only for services used during DR failover
• Ability to test DR by replicating entire environment in
another VPC with same configuration
• Amazon EC2 instances created, data restored from backup
• Database server resized to production requirements
• Storage appliances started on EC2
• File server data preserved on S3 as image snapshot
• Virtual Servers restored via VMimport process
Users

26. App A$
App B$ App C$
Development and Test
Development VPC$ Test VPC$
Corporate Network
App A$
App B$ App C$
AWS Elastic Beanstalk$
AWS Opsworks$
AWS CloudFormation$

27. Development and Test
Development VPC$
Corporate Network
App A$
App B$ App C$
AWS Elastic Beanstalk$
AWS Opsworks$
AWS CloudFormation$
Archive to
Amazon S3$

28. Corporate Network
Proof Of Concept – Big Data Analytics
Deploy Proof Of Concept environments
• Test new products or new version of existing products
• Create POC environments in isolated VPCs
• Alleviate need for capital investments
• Deploy with pre-defined templates
• Leverage AWS Marketplace for range of different solutions,
pay by the hour for enterprise software
BI Analytics
Platform$
Amazon S3$
AWS
Redshift$
Amazon
EMR$

29. Demo step 2 –
Create IPSEC VPN tunnels between
the VPC and our Office,
Deploy a CMS within the VPC

30. Drupal
Server$
Availability Zone A Availability Zone B
Router /
VPN GW$
Workstation
Our Office - Tokyo$
Our VPC
Singapore$

31. Demo continues

32. Thank$you$
Markku$Lepistö$B$Technology$Evangelist$
@markkulepisto$

33. Your$feedback$is$important$
Let’s$have$a$Poll!$
Let$us$know$what$you$want$to$see$next$

34. Your$feedback$is$important$
Please$complete$the$
Survey!$
What’s$good,$what’s$not$
What$you$want$to$see$at$these$events$
What$you$want$AWS$to$deliver$for$you$

35. Q&A