AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv 2019
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
AWS Networking – Advanced
Concepts and New Capabilities
Steve Seymour
Principal Solutions Architect
Amazon Web Services
NET401
Agenda
• Account Strategy
• Shared Services Connectivity
• WAN
• Multi-Region Options
(Diagram icons: VPN, WAN, AWS Direct Connect, Transit VPC, Network Services, VGW)
Account and VPC segmentation
Infrastructure and Networking
• Automation of infrastructure
• AWS Direct Connect and VPN standards
• Subnet and routing standards
Policy and IAM
• AWS Identity and Access Management
• Strict security groups and routing
• Identifying resources with tags
Spectrum: Smaller VPCs or accounts ↔ Larger VPCs or accounts
Segmentation: Decision inputs
Relationship between accounts, VPCs, and tenants?
• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?
• Each team or a centralized team?
Compliance and governance requirements?
• Can they be scoped to an account or a VPC level?
Segmentation options: Layers
• Inside the account: baseline security (IAM, security groups)
• At the VPC: network security (route tables, network ACLs)
• Separate VPCs
(Diagram: applications grouped inside one VPC, then inside separate VPCs; each layer adds a boundary)
Both?
Provide granular account control with centralized infrastructure
VPC sharing
Easily share VPC networks between AWS accounts, providing
central oversight and control for networking engineers
VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
(Diagram: an infrastructure account owns a VPC with subnets 172.16.0.0, 172.16.1.0 and 172.16.2.0; one resource share gives a group of accounts the public and private subnets, a second resource share gives other accounts only the private subnets.)
VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
(Diagram: each participant account's view of the shared VPC is limited to the subnets shared with it and the resources it created there.)
Segmentation in a Shared VPC with network ACLs
(Diagram: one shared VPC with public subnets 10.0.1.0/24 and 10.0.2.0/24 and private subnets 10.0.101.0/24 and 10.0.102.0/24; two resource shares, each granting one public and one private subnet to a group of accounts.)
Mimic behavior of a single VPC: inbound network ACL for the 10.0.1.0/24 and 10.0.101.0/24 pair, which allows its own subnets, denies the rest of the shared VPC, and allows everything outside it.

Inbound network ACL
#     Source          Action
100   10.0.1.0/24     ALLOW
101   10.0.101.0/24   ALLOW
200   10.0.0.0/16     DENY
300   0.0.0.0/0       ALLOW
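The network ACL above only works because of evaluation order: rules are checked from the lowest number up and the first match wins, so the intra-VPC DENY at 200 must sort before the catch-all ALLOW at 300. The following is an added example (not code from the deck) that models that evaluation on source address only, the way the slide's rules are written, and includes a check for rules that can never match; the sample addresses and the misordered variant are constructed for the illustration.

```python
"""Network ACL evaluation for the shared-VPC segmentation slide.

Added example, not code from the AWS deck. A VPC network ACL evaluates its
rules in ascending rule-number order, the first matching rule wins, and the
implicit '*' rule at the end denies anything unmatched. The rule set below
is the slide's inbound ACL; the sample source addresses are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    number: int    # evaluation order, ascending
    cidr: str      # source CIDR (inbound ACL)
    action: str    # "ALLOW" or "DENY"


# Inbound ACL from the slide, for the 10.0.1.0/24 + 10.0.101.0/24 subnet pair.
INBOUND_ACL: List[Rule] = [
    Rule(100, "10.0.1.0/24", "ALLOW"),     # own public subnet
    Rule(101, "10.0.101.0/24", "ALLOW"),   # own private subnet
    Rule(200, "10.0.0.0/16", "DENY"),      # every other subnet of the shared VPC
    Rule(300, "0.0.0.0/0", "ALLOW"),       # everything outside the VPC
]


def evaluate(acl: List[Rule], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) of the first rule matching src_ip.
    A rule number of None means the implicit '*' DENY rule applied."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(acl, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action, rule.number
    return "DENY", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Rule numbers that can never match because an earlier (lower-numbered)
    rule already covers their whole CIDR. A broad ALLOW numbered below a
    narrower DENY is the classic way this segmentation silently breaks."""
    ordered = sorted(acl, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.cidr)
        if any(later_net.subnet_of(ipaddress.ip_network(e.cidr)) for e in ordered[:i]):
            shadowed.append(later.number)
    return shadowed


# Constructed counter-example: same rules, but the catch-all ALLOW was numbered
# below the intra-VPC DENY, so rule 300 is unreachable and the VPC is flat again.
MISORDERED_ACL: List[Rule] = [
    Rule(100, "10.0.1.0/24", "ALLOW"),
    Rule(101, "10.0.101.0/24", "ALLOW"),
    Rule(200, "0.0.0.0/0", "ALLOW"),
    Rule(300, "10.0.0.0/16", "DENY"),
]
```

Two caveats the model leaves out: network ACLs are stateless, so the outbound ACL of the same subnets needs the mirror-image rules plus the ephemeral-port return traffic, and because the ACL is attached to the subnet it applies to every participant account's instances in it, which is exactly what makes it a substitute for a separate VPC.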
VPC Sharing benefits
Fewer unused resources
• Higher density subnets; add up to 5 additional CIDRs
• More efficient use of VPN and AWS Direct Connect
Separation of duties
• Infrastructure strictly controls routing, IP addresses, and VPC structure
• Developers own their resources, accounts, and security groups
Decouple accounts and networks
• Account protection and billing without additional infrastructure
• Many accounts with fewer networks
• Avoid VPC peering charges
Segmentation considerations: Where to start
Separate VPCs
• Often the best security decision is the simplest. Separate VPCs are simple.
• Use separate VPCs for strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Transit Gateway route tables define multi-VPC policy
• Consider isolating environments (dev and prod) and allow access to shared resources
Shared services connectivity options
AWS Transit Gateway
• Many-to-many or one-to-many with route tables
• Highly scalable
• Priced hourly per attachment and data processing
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly endpoint costs
(Diagram: Development, Testing and Production VPCs, each used by several accounts, attached to a Transit Gateway whose route tables connect them to a Shared Services VPC.)
What is the AWS Transit Gateway?
Quick comparison: Transit Gateway and Transit VPC
(Diagram: a Transit VPC hub built on EC2 instances that terminate VPN, WAN and AWS Direct Connect, compared with the managed Transit Gateway.)
VPC Transit Gateway
"AWS Transit Gateway radically evolved and simplified cloud networking. Using Transit Gateway, we reduced the time to interconnect new VPCs and on-premise networks from weeks to minutes while attaining consistent and more reliable network performance!"
Khoder Shamy, Director, Cloud Platform and Infrastructure, Fuze
Introducing: Transit Gateway
• Regional service
• Scalable
• Flexible routing
(Diagram: a Transit Gateway in one AWS Region with ENIs into four VPCs, a VPN attachment and an AWS Direct Connect attachment (*), grouped into routing domains. * AWS Direct Connect attachment available Q1 2019.)
Flat: Transit Gateway route domains (route tables)
Default routing domain (Transit Gateway route table):
Route          Destination
10.1.0.0/16    vpc-att-1xxxxxxx
10.2.0.0/16    vpc-att-2xxxxxxx
10.3.0.0/16    vpc-att-3xxxxxxx
10.4.0.0/16    vpc-att-4xxxxxxx
Per VPC (VPC route table):
Route          Destination
10.1.0.0/16    Local
10.0.0.0/8     tgw-xxxxxxxxx
Isolated: Transit Gateway route domains
Routing domain for VPCs (the VPCs associate here; everything leaves toward the VPN):
Route          Destination
0.0.0.0/0      VPN
Routing domain for VPN (the VPN attachment associates here):
Route          Destination
10.1.0.0/16    vpc-att-1xxxx
10.2.0.0/16    vpc-att-2xxxx
10.3.0.0/16    vpc-att-3xxxx
10.4.0.0/16    vpc-att-4xxxx
Per VPC (VPC route table):
Route          Destination
10.1.0.0/16    Local
0.0.0.0/0      tgw-xxxxxxxxx
Isolated: Transit Gateway route domains
An attachment has two relationships with Transit Gateway route tables:
• Associate: the one route table that decides where traffic arriving from the attachment goes
• Propagate routes: the route tables the attachment's routes are copied into, i.e. the domains that can reach it
In the isolated design each VPC associates with the VPC routing domain (0.0.0.0/0 → VPN) and propagates its CIDR into the VPN routing domain, while the VPN attachment associates with the VPN routing domain. VPCs therefore reach on-premises but not each other.
Isolated: Transit Gateway route domains with shared services
(Diagram: three application VPCs, a shared services VPC (vpc-att-4) and a VPN attached to one Transit Gateway.)
Routing domain for VPCs (application VPCs associate here; routes to shared resources only):
Route          Destination
10.0.0.0/8     VPN
10.4.0.0/16    vpc-att-4xxxx
Routing domain for shared resources (shared services VPC and VPN associate here; routes to all resources):
Route          Destination
10.1.0.0/16    vpc-att-1xxxx
10.2.0.0/16    vpc-att-2xxxx
10.3.0.0/16    vpc-att-3xxxx
10.4.0.0/16    vpc-att-4xxxx
• VPCs associate to a route table with routes to shared resources
• Shared resources attach to a route table with routes to all resources
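The isolated and shared-services designs above rest on three rules: an attachment is looked up in exactly one route table (its association), a route table only contains what was propagated or statically added to it, and lookups are longest-prefix match, which is why 10.4.0.0/16 → vpc-att-4 wins over 10.0.0.0/8 → VPN in the VPC domain while traffic to another application VPC matches only the /8 and is sent toward the VPN. The following added example (not code from the deck) models those rules, builds the shared-services design with the slide's placeholder attachment ids, and adds the blackhole routes a practitioner would use so spoke-to-spoke traffic is dropped at the Transit Gateway instead of relying on the on-premises side; the VPN is assumed to advertise 10.0.0.0/8 as its aggregate.

```python
"""Transit Gateway route-domain model for the isolated / shared-services slides.

Added example, not code from the AWS deck. Each attachment is *associated*
with exactly one Transit Gateway route table (the table its inbound packets
are looked up in) and may *propagate* its CIDRs into any number of tables
(which is what makes it reachable from those domains). Lookups are
longest-prefix match, and a route may point at 'blackhole' to drop traffic.
Attachment ids and CIDRs follow the slide's placeholders; the VPN attachment
is assumed to advertise the on-premises aggregate 10.0.0.0/8.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional


class TransitGateway:
    def __init__(self) -> None:
        self.attachments: Dict[str, List[str]] = {}                  # attachment -> CIDRs
        self.tables: Dict[str, Dict[str, str]] = defaultdict(dict)   # table -> {CIDR: target}
        self.association: Dict[str, str] = {}                        # attachment -> its one table

    def attach(self, att_id: str, cidrs: List[str], associate_with: str) -> None:
        self.attachments[att_id] = cidrs
        self.association[att_id] = associate_with
        self.tables[associate_with]  # create the table even if still empty

    def propagate(self, att_id: str, table: str) -> None:
        """Propagation copies the attachment's CIDRs into `table`."""
        for cidr in self.attachments[att_id]:
            self.tables[table][cidr] = att_id

    def add_static(self, table: str, cidr: str, target: str) -> None:
        self.tables[table][cidr] = target

    def lookup(self, table: str, dst_ip: str) -> Optional[str]:
        """Longest-prefix match in one route table; None if no route."""
        ip = ipaddress.ip_address(dst_ip)
        best_net, best_target = None, None
        for cidr, target in self.tables[table].items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target

    def next_hop(self, src_att: str, dst_ip: str) -> Optional[str]:
        """Where the TGW sends a packet arriving on src_att for dst_ip:
        the lookup happens in the table src_att is associated with."""
        return self.lookup(self.association[src_att], dst_ip)


def build_isolated_with_shared_services() -> TransitGateway:
    """The slide's design: application VPCs see only shared resources;
    shared resources (shared-services VPC, VPN) see everything."""
    tgw = TransitGateway()
    for n in (1, 2, 3):
        tgw.attach(f"vpc-att-{n}", [f"10.{n}.0.0/16"], associate_with="vpcs")
    tgw.attach("vpc-att-4", ["10.4.0.0/16"], associate_with="shared")  # shared services
    tgw.attach("vpn-att", ["10.0.0.0/8"], associate_with="shared")     # on-premises
    # VPCs associate to a route table with routes to shared resources
    tgw.propagate("vpc-att-4", "vpcs")
    tgw.propagate("vpn-att", "vpcs")
    # Shared resources attach to a route table with routes to all resources
    for att in ("vpc-att-1", "vpc-att-2", "vpc-att-3", "vpc-att-4", "vpn-att"):
        tgw.propagate(att, "shared")
    return tgw


def isolate_spokes(tgw: TransitGateway, table: str = "vpcs") -> None:
    """Hardening not drawn on the slide: with only 10.0.0.0/8 -> VPN in the VPC
    domain, spoke-to-spoke traffic is forwarded down the VPN and depends on the
    on-premises side dropping it. Blackhole routes drop it at the TGW instead."""
    for att, table_name in tgw.association.items():
        if table_name == table:
            for cidr in tgw.attachments[att]:
                tgw.add_static(table, cidr, "blackhole")
```

The model deliberately ignores the VPC-side route table (0.0.0.0/0 or 10.0.0.0/8 → tgw-…) because it only decides what reaches the Transit Gateway; segmentation policy lives entirely in which table each attachment is associated with and what was propagated into it.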
Reference Network Architecture
(Diagram: Development, Testing and Production VPCs, each shared with several accounts, plus further VPCs, attached to a Transit Gateway whose route tables also carry the VPN and AWS Direct Connect (* available Q1 2019) attachments; the accounts are tied together with IAM cross-account roles.)
VPN with Transit Gateway
(Diagram: Customer Gateway ↔ VPN attachment on a Transit Gateway with route tables.)
Consolidate VPN at the Transit Gateway (TGW)
• VPN acts similar to the Virtual Private Gateway (VGW): bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a TGW instead of a VGW
• Same 1.25 Gbps bandwidth per tunnel applies
Encryption to the edge of many VPCs
• Traffic is encrypted until it's inside the VPC
• Does not natively encrypt traffic between VPCs; inter-region VPC peering does
VPN with Transit Gateway: Add more bandwidth
(Diagram: Customer Gateway with several VPN tunnels into one Transit Gateway.)
Support for spreading traffic across many tunnels
• Equal Cost Multi-Path (ECMP) support with BGP multipath
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multipath BGP
• ECMP support, amount of equal paths, reverse-path forwarding/spoofing checks
• Only supported with BGP, not static routing
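ECMP spreads flows, not packets, across the equal-cost tunnels, which is why the slide tells you to split traffic into smaller flows: a single flow is pinned to one tunnel and capped at that tunnel's 1.25 Gbps no matter how many tunnels exist. The following added example (not code from the deck) models that placement with a stand-in 5-tuple hash; AWS does not publish its hashing function, and the workload, addresses and the "two tunnels per VPN connection" count are assumptions of the model.

```python
"""ECMP over Transit Gateway VPN tunnels: per-flow placement and the 1.25 Gbps cap.

Added example, not code from the AWS deck. It models what the slide says:
with BGP multipath, every VPN connection adds two equal-cost tunnels and the
Transit Gateway spreads *flows* across them, so one flow can never exceed a
single tunnel's 1.25 Gbps, while many smaller flows can use the aggregate.
The flow hash is a stand-in (AWS does not publish its hashing function) and
the flows are constructed for the illustration.
"""
import hashlib
from typing import List, NamedTuple, Tuple

TUNNEL_GBPS = 1.25        # per-tunnel limit quoted on the slide
TUNNELS_PER_VPN = 2       # each Site-to-Site VPN connection has two tunnels


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    demand_gbps: float


def pick_tunnel(flow: Flow, n_tunnels: int) -> int:
    """Deterministic 5-tuple hash -> tunnel index: a flow is pinned to one tunnel."""
    key = f"{flow.src}|{flow.dst}|{flow.proto}|{flow.sport}|{flow.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_tunnels


def achievable_throughput(flows: List[Flow], vpn_connections: int) -> Tuple[float, List[float]]:
    """Place flows on the equal-cost tunnels and clamp each tunnel at TUNNEL_GBPS.
    Returns (total delivered Gbps, delivered Gbps per tunnel)."""
    n_tunnels = vpn_connections * TUNNELS_PER_VPN
    offered = [0.0] * n_tunnels
    for f in flows:
        offered[pick_tunnel(f, n_tunnels)] += f.demand_gbps
    delivered = [min(load, TUNNEL_GBPS) for load in offered]
    return round(sum(delivered), 3), delivered


# Constructed workload: one 10 Gbps bulk transfer vs. the same 10 Gbps split
# into 40 flows (e.g. a multi-part upload) across 4 VPN connections (8 tunnels).
ONE_BIG_FLOW = [Flow("10.10.0.5", "10.1.0.10", "tcp", 40000, 443, 10.0)]
MANY_SMALL_FLOWS = [
    Flow("10.10.0.5", "10.1.0.10", "tcp", 40000 + i, 443, 0.25) for i in range(40)
]
```

The on-premises checks on the slide follow from the same model: the customer gateway must accept several equal-cost BGP paths to the AWS prefixes, and because its own hash may place the return flow on a different tunnel than the forward flow, strict reverse-path or anti-spoofing checks on the tunnel interfaces will drop legitimate traffic.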
Using Transit Gateway and PrivateLink
Compare the two on: Scope, Trust model, Dependencies, Scale
AWS Transit Gateway
• Many-to-many or one-to-many with route tables
• Highly scalable
• Hourly per AZ endpoint costs
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly endpoint costs
(Diagram: Development, Testing and Production VPCs, each used by several accounts, attached through Transit Gateway route tables to a Shared Services VPC.)
Amazon Global Network
• Redundant 100 GbE network
• Private network capacity between all AWS Regions, except China
AWS Global Infrastructure
• 20 Regions with 60 Availability Zones
• 4 Regions coming soon: Bahrain, Cape Town, Hong Kong SAR, and second USA GovCloud
• 160 Points of Presence (PoPs): 149 Edge Locations, 11 Regional Edge Caches
Why do we have a backbone network?
Multiple services traverse the backbone
Introducing AWS Global Accelerator
(Diagram: Local ISP → Network A → B → C → D → E → F → Application)
Accessing your application is not this straightforward! It can take many networks to reach the application
• Paths to and from the application may differ
• Each hop impacts performance and can introduce risk
Accessing your web applications with AWS Global Accelerator
(Diagram: Local ISP → AWS Network → Application)
• Adding AWS Global Accelerator removes these inefficiencies
• Leverages the global AWS network
• Resulting in improved performance
(Diagram: a VPC in AWS Region 1 and a VPC in AWS Region 2, both reachable through the same static Global Accelerator address, 3.10.3.125.)
Connecting to on-premises
Virtual Private Gateway VPN
• Per VPC
• 1.25 Gbps bandwidth per tunnel
• Encrypted in transit
AWS Direct Connect
• Per VPC (50 per port)
• Multiple VPCs with Direct Connect gateway
• No bandwidth restraint
AWS Transit Gateway VPN
• Multiple VPCs
• Add VPN connections as needed
• 1.25 Gbps per tunnel
• Roadmap: AWS Direct Connect
Amazon EC2 Customer VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by management complexity
Private connectivity with AWS Direct Connect
• Dedicated private connection from on-premises to AWS
• Consistent network performance
• Reduced bandwidth costs
• Compatible with all AWS services
AWS Direct Connect to Many VPCs
(Diagram: on-premises WAN → customer router → AWS Direct Connect location → AWS router, with a second AWS Direct Connect location alongside; private virtual interfaces (VIFs) terminate on the VGW of each VPC (10.1.0.0/16, 10.2.0.0/16) in the AWS Region.)
Up to 50 VIFs per port
AWS Direct Connect: Link Aggregation
(Diagram: same topology, with the customer and AWS routers at each Direct Connect location joined by a link aggregation group (LAG) and private VIFs to the VGWs of VPCs 10.1.0.0/16 and 10.2.0.0/16.)
Up to 4 ports in a LAG, each with 50 VIFs
Direct Connect gateway
(Diagram: the private VIFs from both Direct Connect locations terminate on one Direct Connect gateway in the customer account, which connects to the VGWs of VPCs 10.1.0.0/16 and 10.2.0.0/16 in the AWS Region.)
Up to 10 VGWs per Direct Connect gateway
AWS Direct Connect and Transit Gateway
Use Direct Connect in parallel
• Private virtual interfaces reach the VPCs directly, while the VPN attached to the Transit Gateway and its route tables serve the same VPCs (diagram: VPN and AWS Direct Connect side by side)
Use VPN over a Direct Connect public virtual interface (VIF)
• Receive AWS public IP addresses over the public VIF and run the Transit Gateway VPN across it (diagram: AWS Direct Connect → public VIF → VPN → Transit Gateway route tables → VPCs in the AWS Region)
Native Direct Connect support planned for Q1 2019
Route 53 Resolver
• Managed DNS Resolver service from Route 53
• Create conditional forwarding rules to redirect query traffic
• Enables hybrid connectivity over AWS Direct Connect and Managed VPN
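A conditional forwarding rule is chosen by the query name: Route 53 Resolver applies the rule whose domain is the most specific match, and a rule of type SYSTEM for a subdomain keeps that subtree on the VPC resolver even when a broader FORWARD rule sends the parent domain on-premises. The following added example (not code from the deck) models that selection; the domain names and on-premises DNS server addresses are constructed for the illustration.

```python
"""Route 53 Resolver rule selection: which forwarding rule answers a query.

Added example, not code from the AWS deck. Resolver applies the rule whose
domain is the most specific match for the query name (longest matching
suffix). A FORWARD rule sends the query to the on-premises DNS servers it
lists; a SYSTEM rule for a subdomain overrides a broader FORWARD rule and
keeps that subdomain on the VPC's own resolver. Domain names and target IPs
are constructed for the illustration.
"""
from typing import List, NamedTuple, Optional, Tuple, Union


class ResolverRule(NamedTuple):
    domain: str                     # rule domain name
    rule_type: str                  # "FORWARD" or "SYSTEM"
    targets: Tuple[str, ...] = ()   # on-premises DNS IPs for FORWARD rules


# Constructed rule set: corp.example is resolved on premises, except the
# cloud.corp.example subtree, which lives in a Route 53 private hosted zone.
RULES: List[ResolverRule] = [
    ResolverRule("corp.example", "FORWARD", ("10.10.0.53", "10.10.1.53")),
    ResolverRule("cloud.corp.example", "SYSTEM"),
]


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, trailing-dot form so suffix tests are exact."""
    return name.lower().rstrip(".") + "."


def select_rule(rules: List[ResolverRule], qname: str) -> Optional[ResolverRule]:
    """Most specific (longest) rule domain that equals or is a parent of qname."""
    q = _fqdn(qname)
    best: Optional[ResolverRule] = None
    for rule in rules:
        d = _fqdn(rule.domain)
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(_fqdn(best.domain)):
                best = rule
    return best


def resolve_path(rules: List[ResolverRule], qname: str) -> Union[str, Tuple[str, ...]]:
    """'vpc' when the VPC resolver answers, else the FORWARD rule's targets."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return "vpc"
    return rule.targets
```

The suffix test is anchored on the dot boundary on purpose: a rule for corp.example must not capture notcorp.example. The forwarding itself leaves the VPC through Resolver's ENIs, so the redundancy advice later in the deck (more ENIs in different AZs) applies to the targets listed here.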
Enabling Hybrid Cloud
(Diagram sequence: DNS queries between a VPC and a data center fail in each direction (X) before Route 53 Resolver is in place, then succeed once it is, and the same setup is extended to additional VPCs.)
Route 53 Resolver
59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Benefit to you: Reduced Complexity
Benefit to you: Availability
• Use AWS high availability architecture
• Create additional redundancy by provisioning more ENIs in different AZs
Benefit to you: Cross Account Rules Sharing
(Diagram: one set of Resolver rules shared with several VPCs in other accounts.)
Client VPN
• Support for OpenVPN clients
• Available in 4 regions at launch; others coming soon
• Connected users charged per user per hour
(Diagram: a user with an OpenVPN client builds a TLS-based tunnel over the internet to a Client VPN endpoint attached to an Amazon VPC; from there the client reaches the VPC, other VPCs, on-premises networks, Amazon S3 and Amazon DynamoDB.)
Private connectivity with Inter-region Peering
• Private connectivity for two or more VPCs between regions
• Highly available, no single point of failure
• All traffic stays on the AWS global backbone network
• All traffic encrypted and anonymized
Takeaways
We have tools and architectures that horizontally scale to many VPCs
There’s wiggle room for your specific use cases
Use services in combination to meet scale and security requirements
Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test
Thank you!
Please provide your feedback!
Steve Seymour
Principal Solutions Architect
Amazon Web Services