Learning Objectives: - Introduction to new AWS networking features - PrivateLink, Direct Connect gateway, and more - How the new features, PrivateLink and Direct Connect gateways, work together - Best practices for deploying these new features

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What’s New
Deep dive on new AWS networking
features
N i c k M a t t h e w s , P r i n c i p a l S o l u t i o n s A r c h i t e c t
M a r c h 2 0 1 8
@nickpowpow

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“A virtual network that
closely resembles a
traditional network that
you'd operate in your own
data center”
What is an Amazon Virtual Private Cloud (VPC)?
Instance
Availability Zone
Instance
Availability Zone

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Traditional Network
VPN VPN
WAN
Fiber
Applications Applications

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Network

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT’S NEW:
INTER-REGION PEERING

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Inter-Region VPC Peering
AWS Region AWS Region
VPC
Peering

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC Inter-Region Peering
A fter: A mazon V PCs in d ifferent reg ion s can h ave p rivate
connectivity with VPC peering.
W h a t d o e s t h i s c h a n g e ?
Before: Private connectivity between multiple regions
req u ired comp licated V PN con n ec tivity.
Note: Inter -Region peering is not currently available in China
or S eou l. S ec u rity g rou ps can n ot b e referen c ed b etween AWS
Reg ion s.

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT’S NEW:
SECURITY GROUP RULE DESCRIPTIONS

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Availability Zone A Availability Zone B
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
Public Subnet Public Subnet
Private Subnet Private Subnet
VGW
IGW

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Availability Zone A Availability Zone B
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
Public Subnet Public Subnet
Private Subnet Private Subnet
VGW
IGW
In English: Descriptions can now be
added to security groups

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security Group Rule Descriptions
After: You can now add descriptive text to each of your
sec u rity g rou p ru les!
W h a t d o e s t h i s c h a n g e ?
Before: Security groups could be unwieldy when used in
large n u mb ers or man aged by mu ltip le p arties

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT’S NEW:
EXPAND YOUR EXISTING VPC

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Availability Zone A Availability Zone B
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
Public Subnet Public Subnet
Private Subnet Private Subnet
VGW
IGW VPC CIDR 10.1.0.0/16
10.1.0.0/16

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Availability Zone A Availability Zone B
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
Public Subnet Public Subnet
Private Subnet Private Subnet
VGW
IGW
Availability Zone C
Instance E
10.2.1.11/24
Instance F
10.2.2.22/24
Public Subnet
Private Subnet
VPC CIDR 10.1.0.0/16,
10.1.0.0/16
10.2.0.0/16
10.2.0.0/16

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A fter: You can n ow ad d ad d ition al ( u p to 5 ) CID R ran ges to
you r V PC ( with some restric tion s)
Before: V PC CIDR size was con stant, d elete an d rec reate

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
We allocate th ese ran ges b ased on you r in itial V PC
CIDR ran ge
W hy ? We u se R FC1 9 18 ran ges for AWS -man aged p rod u c ts
contain ed in you r V PC, like Worksp ac es

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT’S NEW:
DIRECT CONNECT GATEWAY

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Direct Connect for Private Access
AWS Region
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
Location
Private Virtual Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
AWS Direct Connect
Location 2

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Direct Connect: Link Aggregation
AWS Region
10.1.0.0/16
WAN
On-premises
Link Aggregation
(LAG)
Private Virtual Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
AWS Direct Connect
Location 2

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Direct Connect Gateway
AWS Region
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
Location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
AWS Direct Connect
Location 2
Direct
connect
gateway
Account

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Global Connectivity
WAN
On-premises
AWS Direct Connect
Location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Region
AWS Direct Connect
Location 2
Direct
connect
gateway
Account
AWS Region

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Direct Connect Gateway
A fter: AWS Direc t Con n ec t p orts can reac h p rivate an d p u b lic
resources across the world over the AWS backbone. Each
virtu al interfac e can reac h mu ltip le V PCs in th e same ac cou nt
( 1 0 ) .
W h a t d o e s t h i s c h a n g e ?
Before: AWS Direc t Con n ec t on ly worked from ‘local’ p oints
of p resen c e, req u irin g g lob al p resen c e. Eac h virtu al
interfac e was limited to on e V PC.

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT’S NEW:
NETWORK LOAD BALANCER

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TheElasticLoadBalancingFamily
Application Load Balancer Network Load Balancer Classic Load Balancer
TCP workloads (VPC)
Previous generation
for HTTP, HTTPS, TCP (Classic
Network)
HTTP and HTTPS (VPC)

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
New, layer 4 load-balancing platform
Connection-based load balancing
TCP protocol
High performance
Can handle millions of requests per sec
Static IP Support
Ideal for applications with long running
connections
NetworkLoadBalancer

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Extremely low latencies
Preserves Source IP
Same API as Application Load Balancer
Load Balancer API Deletion Protection
NetworkLoadBalancer

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
MigratingtoNetworkLoadBalancer
Migration is as simple as creating a new Network Load Balancer,
registering targets, and updating DNS to point at the new CNAME
Classic Load Balancer to Network Load Balancer migration utility:
https://github.com/aws/elastic-load-balancing-tools
NLB hourly costs are currently 10% cheaper than the CLB
NLB data transfer costs are 25% cheaper than CLB and ALB

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WHAT’S NEW:
AWS PRIVATELINK

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shared Services VPC
• Authentication
• Logging
• DevOps tools
• Security resources
• Deployed in each AWS Region

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC Peering
Challenges
VPN
WAN
AWS Direct
Connect
Shared Services
VPC Peering
Full VPC connectivity
172.16.0.0/16 172.16.0.0/16
No overlapping addresses
…125
Scale

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introducing: PrivateLink
Shared Service
10.1.0.0/16
10.1.1.0/24
Availability Zone
10.1.1.127
10.1.2.0/24
Availability Zone
10.1.2.35
172.16.0.0/16
172.16.1.0/24
Availability Zone
172.16.2.0/24
Availability Zone
Network Load
Balancer
API API
One IP Address for each
Availability Zone
The endpoint is a local IP address
Access is unidirectional
172.16.1.9 172.16.2.41

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introducing: PrivateLink
Shared Service
10.1.0.0/16
10.1.1.0/24
Availability Zone
10.1.1.127
10.1.2.0/24
Availability Zone
10.1.2.35
172.16.0.0/16
172.16.1.0/24
Availability Zone
172.16.2.0/24
Availability Zone
172.16.1.9 172.16.2.41
API API
10.1.0.0/16
10.1.1.0/24
Availability Zone
10.1.1.162
10.1.2.0/24
Availability Zone
10.1.2.22
Support for overlapping
IP address ranges
…thousands

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Without PrivateLink
Amazon EC2 API
AWS Direct Connect
Shared Services
Partner Services
VPC Peering
Internet
Gateway
Internet
Customer Account
Application
Firewall
Shared Services:
• Security Services
• Logging
• Monitoring
• DevOps tools
• Authentication
Amazon Services:
• Amazon EC2
• Amazon S3
• Amazon Elastic
Load Balancing
• Amazon SSM
• Amazon KMS
Partner Services:
• SaaS
• API services
• Managed services
• Marketplace
offerings

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
With PrivateLink
Amazon EC2 API
AWS Direct Connect
Shared Services
Partner Services
Customer Account
Application
Shared Services:
• Security Services
• Logging
• Monitoring
• DevOps tools
• Authentication
Amazon Services:
• Amazon EC2
• Amazon S3
• Amazon Elastic
Load Balancing
• Amazon SSM
• Amazon KMS
Partner Services:
• SaaS
• API services
• Managed services
• Marketplace
offerings
Endpoint VPC
PrivateLink
PrivateLink
Network
Interfaces
Network
Interfaces

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Marketplace Integration
Discoverability of the services when
customers purchase SaaS on AWS
Marketplace

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How it works
Private Link
And more to come…

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS PrivateLink—Use Cases
Centralized internal services such as
logging, monitoring workloads serving
various VPCs
Anything behind a Network Load
Balancer
Microservice implementation
SaaS serving your customers’
applications in other VPCs and on-
premises networks
Your services, AWS services, and
third-party services

40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS PrivateLink
A fter: PrivateLin k allows you to con n ec t p rivately to a
sp ec ific ser vic e su c h as AWS K M S with ou t config u rin g
internet access. You can also reach your own private ser vices
or AWS Marketp lac e S aaS offers.
W h a t d o e s t h i s c h a n g e ?
Before: AWS ser vic es an d oth er c u stomer own ed or th ird p arty
ser vic es req u ired intern et rou tin g or V PC p eerin g

41. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Summary
• Inter-Region peering for Disaster Recovery and Active-Active applications
• Security Group rules descriptions for easier security management
• Re-size your VPC for more flexible CIDR allocations and growing VPCs
• Direct Connect Gateway to access services globally and to many VPCs
• PrivateLink to access AWS services privately
• PrivateLink to access your own services and partner services privately

42. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THANK YOU!