Connecting Many VPCs: Network Design Patterns at Scale (ARC405) - AWS re:Invent 2018
2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connecting Many VPCs:
Network Designs that Scale
Nick Matthews
Principal Solutions Architect
AWS
ARC405
nickpowpow
3. Architecture walk-through
Diagram (agenda): Account strategy; VPN / WAN / AWS Direct Connect; Transit VPC; Network services; Connectivity / WAN; Shared services; Multi-Region options; Segmentation model
5. Account and VPC segmentation
Spectrum: smaller VPCs or accounts <-> larger VPCs or accounts; axes: infrastructure and networking vs. policy and IAM
• Automation of infrastructure
• AWS Direct Connect and VPN standards
• Subnet and routing standards
• AWS Identity and Access Management (IAM)
• Strict security groups and routing
• Identifying resources with tags
6. Both?
Provide granular account control with centralized infrastructure
7. VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
Diagram: an infrastructure account publishes resource shares that several member accounts consume
8. VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Diagram: two participating accounts, each seeing only its shared subnets
10. Introducing: Transit Gateway
Diagram: in an AWS Region, a Transit Gateway with ENI attachments into VPCs, a VPN attachment, two Routing Domains and AWS Direct Connect *
• Regional router
• Scalable
• Flexible routing
• Available Q1 2019
11. AWS HyperPlane and AWS Transit Gateway
Diagram: within an AWS Region, the VPC attachments (pairs of VPC A and VPC B) terminate on AWS HyperPlane
12. Flat: Transit Gateway Route Domains (Route tables)
Transit Gateway, Default Routing Domain
Route         Destination
10.1.0.0/16   vpc-att-1xxxxxxx
10.2.0.0/16   vpc-att-2xxxxxxx
10.3.0.0/16   vpc-att-3xxxxxxx
10.4.0.0/16   vpc-att-4xxxxxxx
Per VPC (route table of the 10.1.0.0/16 VPC)
Route         Destination
10.1.0.0/16   Local
10.0.0.0/8    tgw-xxxxxxxxx
13. Isolated: Transit Gateway Route Domains
Transit Gateway, VPN Routing Domain
Route         Destination
0.0.0.0/0     VPN
Per VPC
Route         Destination
10.1.0.0/16   Local
0.0.0.0/0     tgw-xxxxxxxxx
Transit Gateway, VPC Routing Domain
Route         Destination
10.1.0.0/16   vpc-att-1xxxx
10.2.0.0/16   vpc-att-2xxxx
Route         Destination
10.3.0.0/16   vpc-att-3xxxx
10.4.0.0/16   vpc-att-4xxxx
14. Segmentation options: Layers
Diagram: segmentation can be applied at several layers: VPN and AWS Direct Connect * attach to Transit Gateways, Transit Gateway route tables, security services, at the VPC, and inside the account
Available Q1 2019
15. Shared services connectivity options
VPC peering
• 1-to-1 connectivity
• Scales to 100 VPCs
• Security groups across VPCs
• Inter-region peering
• Data transfer costs
Transit VPC
• Shared services as a spoke
• Bandwidth restricted
• Complex management
• Instance and licensing costs
AWS Transit Gateway
• Many-to-many or one-to-many with route tables
• Highly scalable
• Hourly per AZ endpoint costs
AWS PrivateLink
• 1:Many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly endpoint costs
Diagrams: a Transit VPC hub with VPN / WAN / AWS Direct Connect and Shared Services as a spoke; a Transit Gateway whose route tables connect Development, Testing, Production and Shared Services accounts
16. Connecting to on-premises
Virtual private gateway, VPN
• Per VPC
• 1.25 Gbps per tunnel
• Encrypted in transit
Virtual private gateway, AWS Direct Connect
• Per VPC (50 per port)
• Multiple VPCs with Direct Connect gateway
• No bandwidth restraint
AWS Transit Gateway VPN
• Multiple VPCs
• Add VPN connection as needed
• 1.25 Gbps per tunnel
• Roadmap: AWS Direct Connect
Amazon EC2 customer VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by management complexity
17. AWS Direct Connect and Transit Gateway
Use an edge services VPC in front of a private virtual interface (VIF)
Diagram: an AWS Direct Connect private virtual interface lands in a Transit VPC; VPN tunnels run from the Transit VPC to the AWS Transit Gateway, which has VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) attached
• More detail in the Network Services section
• Also how to migrate or extend existing Transit VPCs
• Helpful for single-VIF (<1 Gbps) Direct Connect
• Can be used for North-South inspection use-cases
18. Outbound services VPC
Diagram: an Outbound VPC (100.64.0.0/16) with SNAT instances, connected to the Transit Gateway over VPN with ECMP; VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) in the VPC Route Domain; the Outbound VPC in the Outbound Route Domain
Spoke route table
Route         Destination
10.2.0.0/16   Local
0.0.0.0/0     tgw-xxxxxxxxx
Outbound VPC route table
Route          Destination
100.64.0.0/16  Local
10.0.0.0/8     tgw-xxxxxxxxx
0.0.0.0/0      igw-xxxxxxxxx
BGP advertisement (over the VPN)
BGP prefix    Next hop
0.0.0.0/0     Local IP
Transit Gateway VPC Route Domain
Route         Destination
0.0.0.0/0     Outbound VPC VPN
Transit Gateway Outbound Route Domain
Route         Destination
10.1.0.0/16   vpc-att-a
10.2.0.0/16   vpc-att-b
Apply SNAT outbound to the internet
Use cases:
19. Outbound services VPC: Interface
Diagram: an Outbound VPC (100.64.0.0/16) with SNAT instances, joined to the Transit Gateway by a VPC attachment; VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) in the VPC Route Domain; the Outbound VPC in the Outbound Route Domain
Spoke route table
Route         Destination
10.2.0.0/16   Local
0.0.0.0/0     tgw-xxxxxxxxx
Outbound VPC route table
Route          Destination
100.64.0.0/16  Local
10.0.0.0/8     tgw-xxxxxxxxx
0.0.0.0/0      igw-xxxxxxxxx
VPC attachment route table, per AZ
Route         Destination
0.0.0.0/0     eni-xxxxxxx
Transit Gateway VPC Route Domain
Route         Destination
0.0.0.0/0     vpc-att-outbound
Transit Gateway Outbound Route Domain
Route         Destination
10.1.0.0/16   vpc-att-a
10.2.0.0/16   vpc-att-b
Apply SNAT outbound to the internet
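The route tables on slides 12, 13, 18 and 19 can be checked mechanically rather than read off a diagram. The following is an added example written for this page, not code from the deck or from AWS: it models each routing domain as a Transit Gateway route table associated with the attachments that use it, applies the longest-prefix lookup that VPC and Transit Gateway route tables perform, and traces a packet hop by hop through the flat, isolated and outbound-services designs. Everything named is constructed: the attachment ids (vpc-att-a, vpc-att-b, vpc-att-outbound, vpn-1), the gateway id tgw-1, the igw-1 id and the sample addresses. Two simplifications are assumptions of this model, not of the deck: each VPC is collapsed to a single route table (the deck's outbound VPC uses a per-AZ attachment-subnet table pointing at the SNAT instance's ENI), and the outbound VPC is joined by a VPC attachment as on slide 19 rather than the ECMP VPN of slide 18. For the isolated design the model associates the VPC attachments with a table holding only a default route to the VPN and the VPN attachment with a table holding the VPC prefixes.

```python
"""Trace packets through VPC and Transit Gateway route tables (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

RouteTable = List[Tuple[str, str]]  # (prefix, target) rows, as on the slides
TGW_ID = "tgw-1"                     # made-up transit gateway id


def lookup(table: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix match, as VPC and Transit Gateway route tables do; None = no route."""
    addr, best = ip_address(dst), None
    for prefix, target in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


@dataclass
class Vpc:
    name: str
    attachment: str      # its Transit Gateway attachment id (made up)
    routes: RouteTable   # one route table per VPC keeps the model small (assumption)
    snat: bool = False   # True for the outbound VPC, which SNATs toward the internet


class TransitGateway:
    """A routing domain is a TGW route table; each attachment is associated with one
    table, and that table routes the traffic arriving from the attachment."""

    def __init__(self, tables: Dict[str, RouteTable], associations: Dict[str, str]):
        self.tables, self.associations = tables, associations

    def forward(self, ingress_attachment: str, dst: str) -> Optional[str]:
        return lookup(self.tables[self.associations[ingress_attachment]], dst)


def trace(vpcs: Dict[str, Vpc], tgw: TransitGateway, src_attachment: str, dst: str) -> List[str]:
    """Follow a packet from a source attachment (VPC or VPN) toward dst; the last hop
    is the disposition: delivered in a VPC, internet, on-premises or DROP."""
    by_att = {v.attachment: v for v in vpcs.values()}
    vpc = by_att.get(src_attachment)          # None when the source is a VPN attachment
    hops = [vpc.name if vpc else src_attachment]
    for _ in range(8):                        # bound the walk in case two tables loop
        ingress = src_attachment
        if vpc is not None:
            target = lookup(vpc.routes, dst)
            if target is None:
                return hops + ["DROP"]
            if target == "Local":
                return hops + [f"delivered in {vpc.name}"]
            if target.startswith("igw-"):
                return hops + [f"internet via {target}" + (" (SNAT)" if vpc.snat else "")]
            ingress = vpc.attachment          # target is the TGW: enter via our attachment
        nxt = tgw.forward(ingress, dst)
        hops.append(f"tgw:{tgw.associations[ingress]}")
        if nxt is None:
            return hops + ["DROP"]
        if nxt.startswith("vpn-"):
            return hops + [f"on-premises via {nxt}"]
        vpc = by_att[nxt]                     # a VPC attachment: continue in that VPC
        hops.append(vpc.name)
    return hops + ["DROP (hop limit)"]


def spokes(default: str) -> Dict[str, Vpc]:
    """VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16); 'default' is the non-local route."""
    return {
        "vpc-a": Vpc("vpc-a", "vpc-att-a", [("10.1.0.0/16", "Local"), (default, TGW_ID)]),
        "vpc-b": Vpc("vpc-b", "vpc-att-b", [("10.2.0.0/16", "Local"), (default, TGW_ID)]),
    }


def flat_design():
    """Slide 12: one default routing domain, every VPC reaches every other VPC."""
    tgw = TransitGateway({"default": [("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")]},
                         {"vpc-att-a": "default", "vpc-att-b": "default"})
    return spokes("10.0.0.0/8"), tgw


def isolated_design():
    """Slide 13 (modelled): VPC attachments share a table with only a default route to
    the VPN; the VPN attachment's table carries the VPC prefixes."""
    tgw = TransitGateway(
        {"vpc-domain": [("0.0.0.0/0", "vpn-1")],
         "vpn-domain": [("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")]},
        {"vpc-att-a": "vpc-domain", "vpc-att-b": "vpc-domain", "vpn-1": "vpn-domain"})
    return spokes("0.0.0.0/0"), tgw


def outbound_design():
    """Slides 18/19: spokes default to an outbound VPC (100.64.0.0/16) that SNATs to the
    internet; the outbound VPC's own domain carries the spoke prefixes back."""
    vpcs = spokes("0.0.0.0/0")
    vpcs["outbound"] = Vpc("outbound", "vpc-att-outbound",
                           [("100.64.0.0/16", "Local"), ("10.0.0.0/8", TGW_ID), ("0.0.0.0/0", "igw-1")],
                           snat=True)
    tgw = TransitGateway(
        {"vpc-domain": [("0.0.0.0/0", "vpc-att-outbound")],
         "outbound-domain": [("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")]},
        {"vpc-att-a": "vpc-domain", "vpc-att-b": "vpc-domain", "vpc-att-outbound": "outbound-domain"})
    return vpcs, tgw


if __name__ == "__main__":
    for name, build in [("flat", flat_design), ("isolated", isolated_design), ("outbound", outbound_design)]:
        vpcs, tgw = build()
        for dst in ("10.2.0.10", "8.8.8.8"):
            print(f"{name:9} vpc-a -> {dst:9}: {' > '.join(trace(vpcs, tgw, 'vpc-att-a', dst))}")
```

Running it shows what the tables imply rather than what the pictures suggest: in the isolated design a packet from VPC A to VPC B's CIDR leaves toward the VPN attachment instead of reaching VPC B, and in the outbound design spoke-to-spoke traffic hairpins through the outbound VPC because the VPC route domain carries only a default route, which is also where any inspection would have to sit. Tracing a handful of sensitive prefixes like this before and after a route-table change is a cheap regression check on a segmentation model.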
21. Time: 15 minutes after this session
Location: Speaker Lounge (ARIA East, Level 1, Willow Lounge)
Duration: 30 min.