VPC - Flying Blind on a Rocket Cycle 
Matthew Boeckman - VP of DevOps at Craftsy.com 
@matthewboeckman 
http://enginerds.craftsy.com
Who is Craftsy 
● Instructor led training videos for passionate hobbyists 
● #19 on Forbes’ Most Promising Companies 2014
Three things 
Keep it simple 
Get there now 
Be flexible
*disclaimer
VPC - Why 
VPC is the mature network topology for AWS
VPC - Why 
Network ACLs allow for true edge blocking
VPC - Why 
Instances can be members of multiple Security Groups 
SG membership can change post-instance launch
VPC - Why 
VPN connectivity enables extension of your corporate or facilities network to AWS
Our stack in ec2-classic
What we hate about ec2-classic 
● inflexible security groups 
● per-IP maintenance of SGs across regions 
● ALLOW TCP 22 FROM 0.0.0.0/0 
● no edge 
● no edge 
● no edge 
● no edge
Our stack in VPC
VPC - flying blind
netcat, tcpdump and patience
be the packet (diagram): host a → SG → ACL → ACL → SG → host b, each hop labelled with the direction it evaluates (out, out,in, out,in, out,in, in), and the same chain again for the reply
flexible security groups! 
Office tomcat SG - applies to all tomcat instances 
environment-specific tomcat SG - only applied for a specific environment
LIMITS 
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
LIMITS 
100 SGs per VPC 
50 rules per SG (including rules inherited by referencing other SGs) 
5 SGs per network interface (VPC hosts can have multiple network interfaces) 
HARD LIMIT: 250 rules per interface 
40 ACLs per subnet (in + out <= 40)
routing 
Private subnets can only route traffic destined for the internet to a NAT instance (eni-0). Public subnets route to the IGW. Routes can be automatically propagated from VPN connections.
NAT instances 
HOW BIG?! 
● we chose m1.medium because... it seems big enough? sure. 
● we were wrong 
● upgrading NAT instances - easy, anytime, no interruption 
(m3.xl)
Connecting to your HQ with a VPN 
● AWS docs on this are perfect - check whether your firewall is on the supported list. If so, it is a one-click configuration for your firewall 
● A VPN connection includes two tunnels, connected to two different IPs at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER
Cross region VPN 
http://aws.amazon.com/articles/5472675506466066 
http://fortycloud.com/interconnecting-two-aws-vpc-regions/ 
AWS has no product offering here. You can easily VPN two VPCs in the same region but not, you know, in different regions. 
Tunnel MTU size is a thing: clamp the TCP MSS on the tunnel host so that SYNs advertise a segment size that fits inside the tunnel MTU 
iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
seriously?
ACLs ARE NOT STATEFUL 
ALLOW tcp 80 src 10.85.0.0/16 
ALLOW tcp 443 src 10.85.1.0/24 
ALLOW tcp established any 
DENY ALL
SNS, Redshift, Route53, RDS 
SNS - has no legs in VPC. Systems subscribing to SNS topics from private subnets need an HTTP proxy in a public subnet for SNS to reach them. 
Redshift/RDS - have legs in VPC - migrate your Redshift or RDS instances to VPC (yay!) 
Route53 - no support for “views” in VPC.
reservations! 
Instance reservations purchased in EC2 classic DO NOT MAGICALLY MOVE TO VPC 
Do. Not. Forget. This. Step.
migration time best time 
- use AWS support or account teams 
- start with subnets and basic nat, vpn 
- dev environments, soak 
- preprod, soak
cloned production
shut it down
thank you 
QUESTIONS! 
Matthew Boeckman 
@matthewboeckman
public subnet routing 
In VPC you define a route table and associate it with subnet(s). This example sends all traffic for the defined CIDR block to local, and all other traffic (0.0.0.0/0) to the internet gateway (igw). Traffic can also be routed to Elastic Network Interfaces (eni) or VPN gateways (vgw).
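How a VPC route table resolves a destination, as an added example (not from the deck): longest-prefix match over a public and a private subnet table of the shape described above. The VPC block 10.85.0.0/16 and every gateway id are assumed placeholders.

```python
import ipaddress

VPC_CIDR = "10.85.0.0/16"   # assumed VPC block (the deck's ACL rules use 10.85/16)

# Public subnet: VPC traffic stays local, everything else goes to the internet gateway.
PUBLIC_ROUTES = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),
]

# Private subnet: no igw route at all. The default goes to the NAT instance's ENI,
# and a corporate range learned over the VPN is reached through the VPN gateway.
PRIVATE_ROUTES = [
    (VPC_CIDR, "local"),
    ("192.168.0.0/16", "vgw-PLACEHOLDER"),   # propagated from the VPN connection
    ("0.0.0.0/0", "eni-NAT-PLACEHOLDER"),
]


def lookup(routes, dst):
    """Target of the most specific route containing dst: longest prefix wins,
    which is why the VPC block stays 'local' even though 0.0.0.0/0 also matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(routes):
    """A subnet counts as public when its default route points at an internet gateway."""
    default = dict(routes).get("0.0.0.0/0", "")
    return "public" if default.startswith("igw-") else "private"
```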
Lasciate ogne speranza, voi ch'intrate 
tcp4 0 0 192.168.1.24.59021 www.pandora.com.http ESTABLISHED 
TCP connections originate on the sending side from ports 1025-65535 and arrive at the port you specified (http 80, https 443, dns 53, etc). The reply to your request comes back on that same socket, with some exceptions (ftp). 
ACL inbound/outbound is the inverse of how you think about it. OUT from your ec2 instance is IN to the ACL, then OUT to the destination host. The destination host's reply is IN to the ACL (yep!) and OUT to your ec2 instance. 
My advice? Punt. Leave ACLs as ALLOW ALL, and add DENY statements against specific CIDR blocks or IP addresses. Security Groups are stateful. Use them.

Weitere Àhnliche Inhalte

Was ist angesagt?

The Mission Critical Cloud
The Mission Critical CloudThe Mission Critical Cloud
The Mission Critical CloudRemi Bergsma
 
MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017
MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017
MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017Quentin Adam
 
Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...
Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...
Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...Codemotion
 
Introduction to scaling your WordPress site past a single node using AWS
Introduction to scaling your WordPress site past a single node using AWSIntroduction to scaling your WordPress site past a single node using AWS
Introduction to scaling your WordPress site past a single node using AWSWP Engine
 
Problems you’ll face in the Microservices World: Configuration, Authenticatio...
Problems you’ll face in the Microservices World: Configuration, Authenticatio...Problems you’ll face in the Microservices World: Configuration, Authenticatio...
Problems you’ll face in the Microservices World: Configuration, Authenticatio...Quentin Adam
 
NTS: What We Do With OpenNebula - and Why We Do It
NTS: What We Do With OpenNebula - and Why We Do ItNTS: What We Do With OpenNebula - and Why We Do It
NTS: What We Do With OpenNebula - and Why We Do ItOpenNebula Project
 
Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017
Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017
Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017Quentin Adam
 
Technology | Serverless
Technology | ServerlessTechnology | Serverless
Technology | ServerlessAni Sinanaj
 
JUST EAT: Tools we use to enable our culture
JUST EAT: Tools we use to enable our cultureJUST EAT: Tools we use to enable our culture
JUST EAT: Tools we use to enable our culturePeter Mounce
 
Experiences sharing about Lambda, Kinesis, and Postgresql
Experiences sharing about Lambda, Kinesis, and PostgresqlExperiences sharing about Lambda, Kinesis, and Postgresql
Experiences sharing about Lambda, Kinesis, and PostgresqlOkis Chuang
 
Devops with ansible
Devops with ansibleDevops with ansible
Devops with ansibleEdwin Cruz
 
Configure Grafana Chat Bot with GitHub Hubot and SLACK.
Configure Grafana Chat Bot with GitHub Hubot and SLACK.Configure Grafana Chat Bot with GitHub Hubot and SLACK.
Configure Grafana Chat Bot with GitHub Hubot and SLACK.Ishan Bhawantha Hewanayake
 
Deploying Rails on EC2 using Rubber (Slides Only)
Deploying Rails on EC2 using Rubber (Slides Only)Deploying Rails on EC2 using Rubber (Slides Only)
Deploying Rails on EC2 using Rubber (Slides Only)wr0ngway
 
Universal Serverless with AWS Fargate
Universal Serverless with AWS FargateUniversal Serverless with AWS Fargate
Universal Serverless with AWS FargateEka Cahya Pratama
 
NSX with OpenNebula - upcoming 5.10
NSX with OpenNebula - upcoming 5.10NSX with OpenNebula - upcoming 5.10
NSX with OpenNebula - upcoming 5.10OpenNebula Project
 

Was ist angesagt? (20)

Docker in der Cloud
Docker in der CloudDocker in der Cloud
Docker in der Cloud
 
The Mission Critical Cloud
The Mission Critical CloudThe Mission Critical Cloud
The Mission Critical Cloud
 
MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017
MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017
MONITORING THE UNKNOWN, 1000*100 SERIES A DAY - DEVOXX MOROCCO 2017
 
Docker in der AWS Cloud
Docker in der AWS CloudDocker in der AWS Cloud
Docker in der AWS Cloud
 
Surge openstack
Surge openstackSurge openstack
Surge openstack
 
Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...
Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...
Microservices: 5 things I wish I'd known - Vincent Kok - Codemotion Amsterdam...
 
Introduction to scaling your WordPress site past a single node using AWS
Introduction to scaling your WordPress site past a single node using AWSIntroduction to scaling your WordPress site past a single node using AWS
Introduction to scaling your WordPress site past a single node using AWS
 
Problems you’ll face in the Microservices World: Configuration, Authenticatio...
Problems you’ll face in the Microservices World: Configuration, Authenticatio...Problems you’ll face in the Microservices World: Configuration, Authenticatio...
Problems you’ll face in the Microservices World: Configuration, Authenticatio...
 
NTS: What We Do With OpenNebula - and Why We Do It
NTS: What We Do With OpenNebula - and Why We Do ItNTS: What We Do With OpenNebula - and Why We Do It
NTS: What We Do With OpenNebula - and Why We Do It
 
Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017
Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017
Monitoring the unknown, 1000*100 series a day - Big Data Vilnius 2017
 
Docker on AWS
Docker on AWSDocker on AWS
Docker on AWS
 
Technology | Serverless
Technology | ServerlessTechnology | Serverless
Technology | Serverless
 
GreenButton-201502
GreenButton-201502GreenButton-201502
GreenButton-201502
 
JUST EAT: Tools we use to enable our culture
JUST EAT: Tools we use to enable our cultureJUST EAT: Tools we use to enable our culture
JUST EAT: Tools we use to enable our culture
 
Experiences sharing about Lambda, Kinesis, and Postgresql
Experiences sharing about Lambda, Kinesis, and PostgresqlExperiences sharing about Lambda, Kinesis, and Postgresql
Experiences sharing about Lambda, Kinesis, and Postgresql
 
Devops with ansible
Devops with ansibleDevops with ansible
Devops with ansible
 
Configure Grafana Chat Bot with GitHub Hubot and SLACK.
Configure Grafana Chat Bot with GitHub Hubot and SLACK.Configure Grafana Chat Bot with GitHub Hubot and SLACK.
Configure Grafana Chat Bot with GitHub Hubot and SLACK.
 
Deploying Rails on EC2 using Rubber (Slides Only)
Deploying Rails on EC2 using Rubber (Slides Only)Deploying Rails on EC2 using Rubber (Slides Only)
Deploying Rails on EC2 using Rubber (Slides Only)
 
Universal Serverless with AWS Fargate
Universal Serverless with AWS FargateUniversal Serverless with AWS Fargate
Universal Serverless with AWS Fargate
 
NSX with OpenNebula - upcoming 5.10
NSX with OpenNebula - upcoming 5.10NSX with OpenNebula - upcoming 5.10
NSX with OpenNebula - upcoming 5.10
 

Ähnlich wie Vpc aws meetup

Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Amazon VPC Best Practices 2016
Amazon VPC Best Practices 2016Amazon VPC Best Practices 2016
Amazon VPC Best Practices 2016AWSBulgaria
 
AWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovAWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovBogdan Naydenov
 
Virtual private cloud fundamentals
Virtual private cloud fundamentalsVirtual private cloud fundamentals
Virtual private cloud fundamentalsSai Viswanath
 
Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Julien SIMON
 
Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017Amazon Web Services
 
Nested CloudStack with VMware
Nested CloudStack with VMwareNested CloudStack with VMware
Nested CloudStack with VMwareShapeBlue
 
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...Amazon Web Services
 
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...Amazon Web Services
 
Reach: Solving AWS Networking Problems Faster
Reach: Solving AWS Networking Problems FasterReach: Solving AWS Networking Problems Faster
Reach: Solving AWS Networking Problems FasterDanLuhring
 
Top 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the CloudTop 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the CloudAmazon Web Services
 
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...Amazon Web Services
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data CenterAmazon Web Services
 
Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit GatewayArchitecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit GatewayCynthia Hsieh
 
Securing your vpc in aws
Securing your vpc in awsSecuring your vpc in aws
Securing your vpc in awsvinoth kumar
 
Scalable Enterprise Ready Neutron Networking with Nuage Networks
Scalable Enterprise Ready Neutron Networking with Nuage NetworksScalable Enterprise Ready Neutron Networking with Nuage Networks
Scalable Enterprise Ready Neutron Networking with Nuage NetworksScott Sneddon
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014Amazon Web Services
 
Linux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack NetworkingLinux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack Networkingyfauser
 

Ähnlich wie Vpc aws meetup (20)

Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Amazon VPC Best Practices 2016
Amazon VPC Best Practices 2016Amazon VPC Best Practices 2016
Amazon VPC Best Practices 2016
 
AWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovAWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan Naydenov
 
Virtual private cloud fundamentals
Virtual private cloud fundamentalsVirtual private cloud fundamentals
Virtual private cloud fundamentals
 
Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)
 
Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017
 
Nested CloudStack with VMware
Nested CloudStack with VMwareNested CloudStack with VMware
Nested CloudStack with VMware
 
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W...
 
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
 
Reach: Solving AWS Networking Problems Faster
Reach: Solving AWS Networking Problems FasterReach: Solving AWS Networking Problems Faster
Reach: Solving AWS Networking Problems Faster
 
Top 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the CloudTop 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the Cloud
 
VPC and DX PoP @ HKG
VPC and DX PoP @ HKGVPC and DX PoP @ HKG
VPC and DX PoP @ HKG
 
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
 
AWS Network Architecture Rework
AWS Network Architecture ReworkAWS Network Architecture Rework
AWS Network Architecture Rework
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data Center
 
Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit GatewayArchitecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
 
Securing your vpc in aws
Securing your vpc in awsSecuring your vpc in aws
Securing your vpc in aws
 
Scalable Enterprise Ready Neutron Networking with Nuage Networks
Scalable Enterprise Ready Neutron Networking with Nuage NetworksScalable Enterprise Ready Neutron Networking with Nuage Networks
Scalable Enterprise Ready Neutron Networking with Nuage Networks
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
 
Linux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack NetworkingLinux Tag 2014 OpenStack Networking
Linux Tag 2014 OpenStack Networking
 

Mehr von Matthew Boeckman

Useful flakes - The Value of Common Tools
Useful flakes - The Value of Common ToolsUseful flakes - The Value of Common Tools
Useful flakes - The Value of Common ToolsMatthew Boeckman
 
All Day DevOps 2017 - There is No Root Cause
All Day DevOps 2017 - There is No Root CauseAll Day DevOps 2017 - There is No Root Cause
All Day DevOps 2017 - There is No Root CauseMatthew Boeckman
 
Rewriting DevOps - Lessons from a 15 month software rewrite
Rewriting DevOps - Lessons from a 15 month software rewriteRewriting DevOps - Lessons from a 15 month software rewrite
Rewriting DevOps - Lessons from a 15 month software rewriteMatthew Boeckman
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsMatthew Boeckman
 
Many hands make light work
Many hands make light workMany hands make light work
Many hands make light workMatthew Boeckman
 
Sandstorm or Significant? The evolving role of situational context in inciden...
Sandstorm or Significant? The evolving role of situational context in inciden...Sandstorm or Significant? The evolving role of situational context in inciden...
Sandstorm or Significant? The evolving role of situational context in inciden...Matthew Boeckman
 
Go Rin no Show - DevOpsDays Rockies
Go Rin no Show - DevOpsDays RockiesGo Rin no Show - DevOpsDays Rockies
Go Rin no Show - DevOpsDays RockiesMatthew Boeckman
 
S3 & Glacier - The only backup solution you'll ever need
S3 & Glacier - The only backup solution you'll ever needS3 & Glacier - The only backup solution you'll ever need
S3 & Glacier - The only backup solution you'll ever needMatthew Boeckman
 

Mehr von Matthew Boeckman (9)

Useful flakes - The Value of Common Tools
Useful flakes - The Value of Common ToolsUseful flakes - The Value of Common Tools
Useful flakes - The Value of Common Tools
 
All Day DevOps 2017 - There is No Root Cause
All Day DevOps 2017 - There is No Root CauseAll Day DevOps 2017 - There is No Root Cause
All Day DevOps 2017 - There is No Root Cause
 
Rewriting DevOps - Lessons from a 15 month software rewrite
Rewriting DevOps - Lessons from a 15 month software rewriteRewriting DevOps - Lessons from a 15 month software rewrite
Rewriting DevOps - Lessons from a 15 month software rewrite
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management Teams
 
Many hands make light work
Many hands make light workMany hands make light work
Many hands make light work
 
Sandstorm or Significant? The evolving role of situational context in inciden...
Sandstorm or Significant? The evolving role of situational context in inciden...Sandstorm or Significant? The evolving role of situational context in inciden...
Sandstorm or Significant? The evolving role of situational context in inciden...
 
Rewriting DevOps
Rewriting DevOpsRewriting DevOps
Rewriting DevOps
 
Go Rin no Show - DevOpsDays Rockies
Go Rin no Show - DevOpsDays RockiesGo Rin no Show - DevOpsDays Rockies
Go Rin no Show - DevOpsDays Rockies
 
S3 & Glacier - The only backup solution you'll ever need
S3 & Glacier - The only backup solution you'll ever needS3 & Glacier - The only backup solution you'll ever need
S3 & Glacier - The only backup solution you'll ever need
 

KĂŒrzlich hochgeladen

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂșjo
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

KĂŒrzlich hochgeladen (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence: Facts and Myths

Vpc aws meetup

  • 1. VPC - Flying Blind on a Rocket Cycle Matthew Boeckman - VP of DevOps at Craftsy.com @matthewboeckman http://enginerds.craftsy.com
  • 2. Who is Craftsy ● Instructor led training videos for passionate hobbyists ● #19 on Forbes’ Most Promising Companies 2014
  • 3. Three things Keep it simple Get there now Be flexible
  • 5. VPC - Why VPC is mature network topology for AWS
  • 6. VPC - Why Network ACL’s allow for true edge blocking
  • 7. VPC - Why Instances can be members of multiple Security Groups SG membership can change post-instance launch
  • 8. VPC - Why VPN connectivity enables extension of your corporate or facilities network to AWS
  • 9. Our stack in ec2-classic
  • 10. What we hate about ec2-classic ● inflexible security groups ● per-IP maintenance of SG’s across regions ● ALLOW TCP 22 FROM 0.0.0.0/0 ● no edge ● no edge ● no edge ● no edge
  • 12. VPC - flying blind
  • 14. be the packet (diagram: host a → SG → ACL → ACL → SG → host b; each hop is labelled with the direction it evaluates: out, out,in, out,in, out,in, in, and the same in the reverse direction)
  • 15. flexible security groups! Office tomcat SG - applies to all tomcat instances environment specific tomcat SG - only applied for a specific environment
  • 17. LIMITS 100 SG’s per VPC 50 Rules per SG (including inherited rules by referencing other SG’s) 5 SG’s per network interface (VPC hosts can have multiple network interfaces) HARD LIMIT 250 rules per interface 40 ACL’s per subnet (in + out <= 40)
  • 18. routing Private subnets can only route traffic destined for the internet to a NAT instance (eni-0…). Public subnets route to the IGW. Routes can be automatically propagated from VPN connections.
  • 19. NAT instances HOW BIG?! ● we chose m1-medium… because… it seems big enough? sure. ● we were wrong ● upgrading NAT instances - easy, anytime, no interruption (m3.xl)
  • 20. Connecting to your HQ with a VPN ● AWS docs on this are perfect - check if your firewall is on the supported list. If so, one click configuration for your firewall ● A VPN connection - includes two tunnels, connected to two different IP’s at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER
  • 21. Cross region VPN http://aws.amazon.com/articles/5472675506466066 http://fortycloud.com/interconnecting-two-aws-vpc-regions/ AWS has no product offering here. You can easily VPN two VPC’s in the same region but not, you know, in different regions. Tunnel MTU size is a thing: iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
  • 23. ACL’s ARE NOT STATEFUL ALLOW tcp 80 src 10.85.0.0/16 ALLOW tcp 443 src 10.85.1.0/24 ALLOW tcp established any DENY ALL
  • 24. SNS, Redshift, Route53, RDS SNS - has no legs in VPC. Systems subscribing to SNS topics from private subnets need an HTTP proxy in a public subnet for SNS to reach them. Redshift/RDS- has legs in VPC - migrate your redshift or rds instances to VPC (yay!) Route53 - no support for “views” in VPC.
  • 25. reservations! Instance reservations purchased in EC2 classic DO NOT MAGICALLY MOVE TO VPC Do. Not. Forget. This. Step.
  • 26. migration time best time - use AWS support or account teams - start with subnets and basic nat, vpn - dev environments, soak - preprod, soak
  • 29. thank you QUESTIONS! Matthew Boeckman @matthewboeckman
  • 30. thank you QUESTIONS! Matthew Boeckman @matthewboeckman http://enginerds.craftsy.com (deck will be there)
  • 32. public subnet routing In VPC you define a route table, and associate it with subnet(s). This example sends all traffic for the defined CIDR block to local, and all other traffic (0.0.0.0/0) to the internet gateway (igw). Traffic can also be routed to Elastic Network Interfaces (eni) or VPN gateways (vgw)
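A small route-table resolver, added here as an illustration and not part of the deck, that applies VPC's longest-prefix match to the three kinds of route table the deck describes (public via an igw, private via a NAT instance's eni plus a VPN-propagated route via a vgw, and a subnet with no default route) and reports which subnets face the internet. The 10.85.0.0/16 CIDR is taken from slide 23; the target ids are placeholders.

```python
import ipaddress

# Route tables as lists of (destination CIDR, target). The target ids are
# constructed placeholders, not real AWS resource ids; 10.85.0.0/16 is the
# VPC CIDR used on slide 23.
PUBLIC_RT = [("10.85.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [
    ("10.85.0.0/16", "local"),
    ("192.168.0.0/16", "vgw-PLACEHOLDER"),  # propagated from the VPN connection to HQ
    ("0.0.0.0/0", "eni-PLACEHOLDER"),       # the NAT instance's network interface
]
ISOLATED_RT = [("10.85.0.0/16", "local")]  # no default route at all


def resolve(route_table, dst_ip):
    """Return the target for dst_ip. VPC picks the most specific matching
    route (longest prefix), not the first one listed, so order is irrelevant."""
    dst = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def classify_subnet(route_table):
    """public: default route to an internet gateway; private: default route via
    a NAT interface; isolated: no default route, hence no path to the internet."""
    default = [t for cidr, t in route_table if cidr == "0.0.0.0/0"]
    if not default:
        return "isolated"
    return "public" if default[0].startswith("igw-") else "private"


def audit(tables):
    """Report each subnet's exposure, the first thing to check when reviewing
    which instances can be reached from the internet at all."""
    return {name: classify_subnet(rt) for name, rt in tables.items()}


if __name__ == "__main__":
    print(resolve(PRIVATE_RT, "203.0.113.9"))  # eni-PLACEHOLDER
    print(audit({"web": PUBLIC_RT, "app": PRIVATE_RT, "db": ISOLATED_RT}))
```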
  • 33. Abandon all hope, ye who enter here tcp4 0 0 192.168.1.24.59021 www.pandora.com.http ESTABLISHED TCP connections originate on the sending side from ports 1025-65535; they arrive at the port you specified (http 80, https 443, dns 53, etc). The reply to your request comes back from that socket, with some exceptions (ftp). ACL’s inbound/outbound are the inverse of your thinking. OUT from your ec2 instance is IN to the ACL, then OUT to the destination host. The destination host’s reply is IN to the ACL (yep!) and OUT to your ec2 instance. My advice? Punt. Leave ACL’s as ALLOW ALL, and add DENY statements against specific CIDR blocks or IP addresses. Security Groups are stateful. Use them.
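To make the "be the packet" walk-through (slide 14), the "ACL's are not stateful" rule set (slide 23) and the ephemeral-port point above concrete, here is an added simulation, not code from the deck, of one outbound HTTP request and its reply passing a stateful security group and the slide 23 network ACL. The instance and server addresses, the ephemeral port 59021, and dropping the "ALLOW tcp established" line (a NACL has no such rule) are assumptions of the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# NACL rule: (action, CIDR matched against the packet's source, destination
# port range); first match wins, no connection state. The slide's "ALLOW tcp
# established" line has no NACL equivalent, so it is left out here.
SLIDE_NACL_IN = [
    ("allow", "10.85.0.0/16", (80, 80)),
    ("allow", "10.85.1.0/24", (443, 443)),
    ("deny", "0.0.0.0/0", (0, 65535)),
]
# The stateless fix: allow replies to the ephemeral port range before the deny.
FIXED_NACL_IN = SLIDE_NACL_IN[:2] + [("allow", "0.0.0.0/0", (1024, 65535))] + SLIDE_NACL_IN[2:]


def nacl_allows(rules, src_ip, dport):
    addr = ipaddress.ip_address(src_ip)
    for action, cidr, (lo, hi) in rules:
        if addr in ipaddress.ip_network(cidr) and lo <= dport <= hi:
            return action == "allow"
    return False  # every NACL ends with an implicit deny


class SecurityGroup:
    """Stateful: a permitted outbound flow is remembered and its replies are
    admitted even though the group has no inbound rule for them."""

    def __init__(self, egress_ports):
        self.egress_ports = set(egress_ports)
        self.flows = set()

    def egress(self, p):
        ok = p.dport in self.egress_ports
        if ok:
            self.flows.add((p.dst, p.dport, p.src, p.sport))
        return ok

    def ingress(self, p):
        return (p.src, p.sport, p.dst, p.dport) in self.flows


def reply_reaches_instance(nacl_in):
    """Constructed flow: instance 10.85.1.10 fetches http from 203.0.113.5 using
    ephemeral port 59021. Returns (NACL verdict, SG verdict) for the reply."""
    req = Packet("10.85.1.10", 59021, "203.0.113.5", 80)
    rep = Packet("203.0.113.5", 80, "10.85.1.10", 59021)
    sg = SecurityGroup(egress_ports=[80, 443])
    if not sg.egress(req):
        return False, False
    # The NACL judges the reply on its source address and destination port alone.
    return nacl_allows(nacl_in, rep.src, rep.dport), sg.ingress(rep)
```

With the slide's rule set the reply is dropped at the ACL while the security group would have admitted it; only the explicit ephemeral-port allow makes the stateless ACL pass it.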