Delivering applications securely with AWS - SVC303 - Chicago AWS Summit
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
Delivering applications securely with AWS
SVC303
Miguel Cervantes, Partner Solutions Architect, AWS
Tino Tran, Edge Solutions Architect, AWS
2. Agenda
Delivering…
SaaS applications & Global applications
3. But first…
Let’s level set and start with some foundations
4. [Diagram: VPC foundations. One VPC (CIDR 10.1.0.0/16) in an AWS Region spans Availability Zone 1 and Availability Zone 2, each with a public subnet and a private subnet. Instances: Instance A 10.1.0.11/24, Instance B 10.1.1.11/24, Instance C 10.1.2.11/24, Instance D 10.1.3.11/24. Elastic IP mappings: 10.1.0.11 → 54.23.12.43, 10.1.1.11 → 54.19.12.23. Connectivity shown: internet gateway (IGW) and NAT gateway (NAT-GW) to the internet; gateway VPC endpoint (VPCE) to Amazon S3; VGW with VPN and a Direct Connect gateway (DXGW, AWS Direct Connect) to on-premises; VPC peering (intra- or inter-region) to VPC-B; Transit GW to on-premises and other routes; AWS PrivateLink to a service provider VPC fronted by an NLB and to PrivateLink-enabled services (Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT, Amazon CloudWatch); VPC Flow Logs; AWS Global Accelerator; "+ Expand + IPv6".]

Public subnet route table
Destination       Target
10.1.0.0/16       Local
0.0.0.0/0         IGW
S3.prefix.list    VPCE-123
On-premises       VGW
VPC-B             PCX-123
Other routes      TGW

Private subnet route table
Destination       Target
10.1.0.0/16       Local
0.0.0.0/0         NAT-GW
S3.prefix.list    VPCE-123
On-premises       VGW
VPC-B             PCX-123
Other routes      TGW
6. What is it and how do I use it?
AWS PrivateLink
7. Amazon API Gateway
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS Config
Amazon EC2 API
Elastic Load Balancing API
AWS Key Management Service
Amazon Kinesis Data Streams
Amazon SageMaker Runtime
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
AWS Systems Manager
+ More
22+ services now supported over AWS PrivateLink

[Diagram: the same VPC (CIDR 10.1.0.0/16, Availability Zones 1 and 2, public and private subnets, Instances A–D at 10.1.0.11/24, 10.1.1.11/24, 10.1.2.11/24, 10.1.3.11/24, NAT-GW, "+ Expand + IPv6") with interface VPC endpoints for ec2.eu-west-1.amazonaws.com: ENI1 10.1.0.15 and ENI2 10.1.1.23. Both subnet route tables contain only one entry:
Destination       Target
10.1.0.0/16       Local]

AWS PrivateLink can reach public services, privately from your VPC
No routes needed! (almost)
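The two route tables above differ in one security-relevant way: the gateway endpoint on slide 4 only captures S3 traffic because the S3 prefix-list routes are more specific than 0.0.0.0/0, whereas the interface endpoint on slide 7 needs no route at all because its ENIs carry addresses inside 10.1.0.0/16, which the Local route already covers. The following added example (my code, not from the deck or from AWS) reproduces that longest-prefix-match behaviour so the two cases can be checked side by side. The slides name the "S3.prefix.list", "On-premises" and "VPC-B" routes without giving their addresses, so the CIDRs used for them are constructed stand-ins.

```python
"""Longest-prefix-match over the route tables drawn on slides 4 and 7.

Added example, not from the deck. The slides name three routes without giving
their addresses ("S3.prefix.list", "On-premises", "VPC-B"); the CIDRs used for
them below are constructed stand-ins and are flagged as such.
"""
import ipaddress

VPC_CIDR = "10.1.0.0/16"                              # from the slide
S3_PREFIX_LIST = ["52.216.0.0/15", "54.231.0.0/17"]   # constructed stand-in for the S3 prefix list
ON_PREM = "192.168.0.0/16"                            # constructed stand-in for "On-premises"
VPC_B = "10.2.0.0/16"                                 # constructed stand-in for "VPC-B"
INTERNET_TARGETS = {"IGW", "NAT-GW"}                  # targets that forward traffic toward the internet


def expand(routes):
    """Turn (destination, target) rows into (network, target); the prefix list becomes one row per CIDR."""
    table = []
    for dest, target in routes:
        cidrs = S3_PREFIX_LIST if dest == "S3.prefix.list" else [dest]
        table.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return table


# Slide 4, public subnet: default route to the internet gateway.
PUBLIC_RT = expand([
    (VPC_CIDR, "Local"),
    ("0.0.0.0/0", "IGW"),
    ("S3.prefix.list", "VPCE-123"),
    (ON_PREM, "VGW"),
    (VPC_B, "PCX-123"),
])

# Slide 4, private subnet: default route to the NAT gateway instead.
PRIVATE_RT = expand([
    (VPC_CIDR, "Local"),
    ("0.0.0.0/0", "NAT-GW"),
    ("S3.prefix.list", "VPCE-123"),
    (ON_PREM, "VGW"),
    (VPC_B, "PCX-123"),
])

# A private subnet that never received the gateway-endpoint route: the misconfiguration to look for.
NO_ENDPOINT_RT = expand([
    (VPC_CIDR, "Local"),
    ("0.0.0.0/0", "NAT-GW"),
])


def lookup(rt, ip):
    """Return the target of the most specific route covering ip (longest prefix wins, as in VPC routing), or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, target) for net, target in rt if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def leaves_via_internet(rt, ip):
    """True when traffic to ip is forwarded to the IGW or NAT gateway instead of staying on AWS-internal paths."""
    return lookup(rt, ip) in INTERNET_TARGETS


def audit_s3_path(rt):
    """Probe one host in every S3 prefix-list CIDR; return the CIDRs whose traffic would exit via IGW/NAT-GW."""
    leaking = []
    for cidr in S3_PREFIX_LIST:
        probe = str(ipaddress.ip_network(cidr)[1])   # first host address of the block
        if leaves_via_internet(rt, probe):
            leaking.append((cidr, lookup(rt, probe)))
    return leaking


if __name__ == "__main__":
    # Gateway endpoint: the /15 from the prefix list beats 0.0.0.0/0, so S3 traffic goes to VPCE-123.
    print("S3 from private subnet ->", lookup(PRIVATE_RT, "52.216.10.5"))
    # Interface endpoint (slide 7): ENI1 sits inside 10.1.0.0/16, so the Local route already covers it.
    print("ec2 endpoint ENI1 ->", lookup(PRIVATE_RT, "10.1.0.15"))
    print("subnet without endpoint route:", audit_s3_path(NO_ENDPOINT_RT))
```

`audit_s3_path` is the check worth keeping: run it against each private subnet's route table and any S3 prefix that resolves to NAT-GW or IGW is a subnet whose S3 traffic is leaving the VPC over the internet path rather than the endpoint. Real prefix-list contents come from the account, not from the constants above.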
8. VPC endpoints
Type: Gateway
Type: Interface
9. AWS PrivateLink for service providers
[Diagram: Customer VPC → AWS PrivateLink → Service provider VPC, where an NLB fronts the application (e.g., SaaS). VPC endpoint: vpce-2222.foo.amazon.com]
10. AWS PrivateLink details
https://amzn.to/2Wf755U
11. Before we go further…
Let’s take a look at the AWS Global Network
12. Amazon Global Network
Redundant 100 GbE network
Private network capacity between all AWS Regions, except China
The AWS Cloud spans:
180 Points of Presence
66 Availability Zones
21 geographic regions around the world*
*with announced plans for 12 more Availability Zones and four more regions in Bahrain, Cape Town, Jakarta, and Milan
13. What is it and how do I use it?
AWS Global Accelerator
14. Before…
15. [Diagram: AWS Region 1, AWS Region 2]
16. Before Global Accelerator…
[Diagram: a user behind a Local ISP crosses networks A, B, C, D, E and F before reaching the application ("Access application!").]
Accessing your application is not this straightforward! It can take many networks to reach the application
Paths to and from the application may differ
Each hop impacts performance and can introduce risk
17. After…
18. [Diagram: AWS Region 1 and AWS Region 2, both reached through the same static IP 3.10.3.125]
19. With Global Accelerator…
[Diagram: Local ISP → AWS network]
Adding AWS Global Accelerator removes these inefficiencies
Leverages the global AWS network
Resulting in improved performance
20. AWS Global Accelerator details
https://amzn.to/2zPFDOJ
21. What is it and how do I use it?
Amazon CloudFront
22. Amazon CloudFront
[Diagram: Users → Local edge locations → Regional edge cache → Application origin]
23. Additional integrated AWS Services
AWS Shield Advanced
AWS DDoS Response Team assistance, advanced protections, including WAF, attack visibility, cost protection
AWS WAF
SQLi, XSS, rate limiting, geoblocking rules, string/regex matching, IP rules
24. Amazon CloudFront details
https://amzn.to/1MUXDUY
25. Thank you!
Miguel Cervantes, miguelaws@amazon.com
Tino Tran, tinot@amazon.com