In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). We will discuss core VPC concepts including picking your IP space, subnetting, routing, security, NAT and VPC Endpoints.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Seymour
Principal Solutions Architect
18th September 2017
Amazon Virtual Private Cloud (VPC)
Networking Fundamentals and Connectivity Options
@sseymour
Steve Seymour
Principal Solutions Architect

2. EC2 Instance

3. 172.31.0.128
172.31.0.129
172.31.1.24
172.31.1.27
54.4.5.6
54.2.3.4
VPC

4. VPC: your private network in AWS

5. Walkthrough: setting up an
Internet-connected VPC

6. Creating an Internet-connected VPC: steps
Choosing an
address range
Setting up subnets
in Availability Zones
Creating a route to
the Internet
Authorizing traffic
to/from the VPC

7. Choosing an IP address range

8. CIDR notation review
CIDR range example:
172.31.0.0/16
1010 1100 0001 1111 0000 0000 0000 0000

9. Choosing an IPv4 address range for your VPC
172.31.0.0/16
Recommended:
RFC1918 range
Recommended:
/16
(64K addresses)

10. Adding a secondary IPv4 address range
Primary CIDR
Secondary
CIDR
172.31.0.0/20
172.31.16.0/20

11. Adding a secondary IPv4 address range
Primary CIDR
172.31.0.0/20
172.31.16.0/20
172.31.32.0/20

12. Adding a secondary IPv4 address range
Primary CIDR
172.31.0.0/20
172.31.16.0/20
172.31.32.0/20
172.31.112.0/20

13. IPv6 in Amazon VPC – Dual-stack
172.31.0.0/16
Amazon Global Unicast
Addresses (GUA) –
Internet Routable
Associate an /56 IPv6 CIDR
(Automatically allocated)
2001:db8:1234:1a00::/56

14. Subnets

15. VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c

16. VPC subnets and Availability Zones – IPv6
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c
2001:db8:1234:1200::/64 2001:db8:1234:1201::/64 2001:db8:1234:1a02::/64
Choose the hexadecimal
pair value
2001:db8:1234:1a00::/56

17. VPC subnet recommendations
• /16 VPC (64K IPv4 addresses)
• /24 subnets (251 IPv4 addresses)
• One subnet per Availability Zone

18. VPC subnet recommendations
• /16 VPC (64K IPv4 addresses)
• /24 subnets (251 IPv4 addresses)
• One subnet per Availability Zone
For IPv6 -
• /56 Allocated per VPC (Lots of addresses)
• /64 subnets (256 Subnets)

19. Route to the Internet

20. Routing in your VPC
• Route tables contain rules for which
packets go where
• Your VPC has a default route table
• … but you can assign different route
tables to different subnets

21. Traffic destined for my VPC
stays in my VPC

22. Internet Gateway
Send packets here if you want
them to reach the Internet

23. Everything that isn’t destined for the VPC:
Send to the Internet

24. Network security in VPC:
Network ACLs / Security Groups

25. Network ACLs: Stateless firewalls
English translation: Allow all traffic in
Can be applied on a subnet basis

26. “MyWebServers” Security Group
“MyBackends” Security Group
Allow only “MyWebServers”
Security groups follow application structure

27. Security groups example: web servers
In English: Hosts in this group are reachable
from the Internet on port 80 (HTTP)

28. Security groups example: backends
In English: Only instances in the MyWebServers
Security Group can reach instances in this
Security Group

29. Security groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress
Security Group rules
• Many application architectures lend themselves to a 1:1
relationship between security groups (who can reach
me) and IAM roles (what I can do).

30. Connectivity options for VPCs

31. Beyond Internet connectivity
Restricting Internet access
Connecting to your
corporate network
Connecting to other
VPCs

32. Restricting Internet access:
Routing by subnet

33. Routing by subnet
VPC subnet
VPC subnet
Has route to Internet
Has no route to Internet

34. Outbound-only Internet access: NAT gateway
VPC subnet VPC subnet
0.0.0.0/0
0.0.0.0/0
Public IP: 54.161.0.39
NAT gateway

35. IPv6 GUAs
• For IPv6, Amazon VPC instances receive Global Unicast
Addresses (GUA), which are Internet routable
• GUAs directly assigned to instances; there is no 1:1 NAT
in the case of Internet access
• Using GUAs does not mean losing security or privacy—to
have Internet access, you also need to have proper route
tables, security groups, and gateways

36. EIGW X
10.0.3.3 - 54.0.0.3
Instance
2001:db8::3
Subnet
IPv6 Egress-only Internet Gateway
• A new virtual device that
provides egress-only Internet
access over IPv6
• No middle box to perform
NAT, and no additional cost
• No performance/availability/
connection limits

37. Inter-VPC connectivity:
VPC peering

38. Example VPC peering use:
shared services VPC
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning

39. Security groups across peered VPCs
VPC Peering
172.31.0.0/16 10.55.0.0/16
Orange Security Group Blue Security Group
ALLOW

40. Establish a VPC peering: initiate request
172.31.0.0/16 10.55.0.0/16
Step 1
Initiate peering request

41. Establish a VPC peering: accept request
172.31.0.0/16 10.55.0.0/16
Step 1
Initiate peering request
Step 2
Accept peering request

42. Establish a VPC peering: create route
172.31.0.0/16 10.55.0.0/16Step 1
Initiate peering request
Step 2
Accept peering request
Step 3
Create routes
In English: Traffic destined for the
peered VPC should go to the peering

43. Connecting to on-premises networks:
Virtual Private Network & Direct Connect

44. Extend an on-premises network into your VPC
VPN
Direct Connect

45. AWS VPN basics
Customer
Gateway
Virtual
Gateway
Two IPSec tunnels
192.168.0.0/16 172.31.0.0/16
192.168/16
Your networking device

46. VPN and AWS Direct Connect
• Both allow secure connections
between your network and your VPC
• VPN is a pair of IPSec tunnels over
the Internet
• DirectConnect is a dedicated line with
lower per-GB data transfer rates
• For highest availability: Use both

47. VPC and the rest of AWS

48. VPC and the rest of AWS
AWS Services in
Your VPC
VPC Endpoints for
Amazon S3 &
DynamoDB
DNS in-VPC with
Amazon Route 53
Logging VPC Traffic
with VPC Flow Logs

49. AWS services in your VPC

50. Example: Amazon RDS database in your VPC
Reachable via DNS Name: mydb-cluster-1
….us-west-2.rds.amazonaws.com

51. Example: AWS Lambda function in your VPC

52. Best practices for in-VPC AWS services
• Many AWS services support running in-VPC.
• Use security groups for Least-Privilege network access.
• For best availability, use multiple Availability Zones.
Examples:
• Multi-zone RDS deployments
• Use a zonal mount point for EFS access

53. VPC Endpoints for DynamoDB
VPC Endpoints for Amazon S3

54. S3, DynamoDB and your VPC
S3 Bucket
Your applications
Your data
DynamoDB
Table

55. AWS VPC endpoints
S3 BucketDynamoDB
Table

56. S3
S3 Bucket
Route S3-bound
traffic to the VPCE

57. DynamoDB
DynamoDB
Table

58. IAM policy for VPC endpoints
S3 Bucket
IAM Policy at VPC Endpoint:
Restrict actions of VPC in S3
IAM Policy at S3 Bucket:
Make accessible from
VPC Endpoint only

59. VPC DNS options
Use Amazon DNS server
Have EC2 auto-assign DNS
hostnames to instances

60. Amazon Route 53 private hosted zones
Private Hosted
Zone
example.demohostedzone.org à
172.31.0.99

61. VPC Flow Logs:
VPC traffic metadata in Amazon
CloudWatch Logs

62. VPC Flow Logs
Visibility into effects of security
group rules
Troubleshooting network
connectivity
Ability to analyze traffic

63. VPC Flow Logs: setup
VPC traffic metadata captured in
CloudWatch Logs

64. VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
REJECT
UDP Port 53 = DNS

65. VPC: your private network in AWS

66. The VPC network

67. VPC network security

68. VPC connectivity

69. Thank you!
@sseymour
Steve Seymour
Principal Solutions Architect