Exploring the fundamentals of AWS networking - SVC211 - New York AWS Summit

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT
Exploring the fundamentals of AWS networking
Sid Chauhan
Solutions architect
Amazon Web Services
SVC210
3. [Diagram: session overview. One VPC (CIDR 10.1.0.0/16) in an AWS Region spans Availability Zone 1 and Availability Zone 2, each with a public subnet and a private subnet. Instance A (10.1.0.11/24, EIP 54.23.12.43) and Instance B (10.1.1.11/24, EIP 54.19.12.23) sit in the public subnets behind an internet gateway (IGW); Instance C (10.1.2.11/24) and Instance D (10.1.3.11/24) sit in the private subnets and reach the internet through a NAT gateway (NAT-GW) via their default route 0.0.0.0/0. Also attached: a gateway VPC endpoint (VPCE) to Amazon S3, a virtual private gateway (VGW) for VPN and AWS Direct Connect (through a Direct Connect gateway, DXGW) to on premises, a VPC peering connection to VPC-B (intra- or inter-region), a Transit Gateway, AWS PrivateLink to a service provider VPC fronted by an NLB, PrivateLink-enabled services (Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT, Amazon CloudWatch), VPC Flow Logs and AWS Global Accelerator. The VPC can be expanded with additional IPv4 CIDRs and an IPv6 CIDR.]

Public subnet route table:
  Destination       Target
  10.1.0.0/16       Local
  0.0.0.0/0         IGW
  S3 prefix list    VPCE-123
  On premises       VGW
  VPC-B             PCX-123
  Other routes      TGW

Private subnet route table:
  Destination       Target
  10.1.0.0/16       Local
  0.0.0.0/0         NAT-GW
  S3 prefix list    VPCE-123
  On premises       VGW
  VPC-B             PCX-123
  Other routes      TGW
4. That was the agenda for this session
6. What is a VPC?
7. VPC concepts and fundamentals: IP addressing, creating subnets, routing in a VPC, security, and DNS in-VPC with Amazon Route 53
8. Choosing an IP address range
9. Choosing an IP address range for your VPC
Example: 172.31.0.0/16
• Recommended: a private range from RFC 1918
• Avoid ranges that overlap with other networks to which you might connect (on-premises networks, VPCs you may later peer with)
10. Creating subnets in a VPC
11. VPC subnets and Availability Zones
[Diagram: VPC 172.31.0.0/16 with one /24 subnet per Availability Zone]
  Availability Zone   VPC subnet
  eu-west-1a          172.31.0.0/24
  eu-west-1b          172.31.1.0/24
  eu-west-1c          172.31.2.0/24
12. IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR
• Fixed sizes for VPC and subnets:
  • /56 VPC (4,722,366,482,869,645,213,696 addresses, i.e., room for 256 /64 subnets)
  • /64 subnets (18,446,744,073,709,551,616 addresses)
13. VPC subnets and Availability Zones
[Diagram: VPC 172.31.0.0/16 with IPv6 CIDR 2600:1f16:14d:6300::/56; one dual-stack subnet per Availability Zone]
  Availability Zone   IPv4 subnet     IPv6 subnet
  eu-west-1a          172.31.0.0/24   2600:1f16:14d:6300::/64
  eu-west-1b          172.31.1.0/24   2600:1f16:14d:6301::/64
  eu-west-1c          172.31.2.0/24   2600:1f16:14d:6302::/64
14. Routing in a VPC
15. Route tables
[Diagram: VPC 172.31.0.0/16 with subnets 172.31.0.0/24, 172.31.1.0/24 and 172.31.2.0/24, one per Availability Zone, each subnet associated with a route table]
16. Traffic destined for my VPC stays in my VPC: every route table carries a local route for the VPC CIDR, so traffic between subnets never leaves the VPC.
17. DNS in a VPC
18. VPC DNS options
• Use the Amazon DNS server (the VPC attribute enableDnsSupport)
• Have EC2 auto-assign DNS host names to instances (the VPC attribute enableDnsHostnames)
19. Amazon Route 53 private hosted zones
[Diagram: a private hosted zone associated with the VPC resolves example.demohostedzone.org → 172.31.0.99]
20. Amazon Route 53 Resolver for hybrid clouds
• Route 53 Resolver endpoints
• Conditional forwarding rules
21. Network security: security groups, network access control lists, flow logs
22. Security groups follow application structure
[Diagram: behind the internet gateway, four Web instances share the "MyWebServers" security group and three App instances share the "MyBackends" security group, which allows traffic only from "MyWebServers".]
23. Security groups example: Web servers
Allow HTTP traffic from anywhere
24. Security groups example: Backends
Allow application traffic from web servers only (the rule's source is the "MyWebServers" security group itself, not a CIDR)
25. Network security: security groups, network access control lists, flow logs
26. Security groups vs. NACLs

  Security group                                          Network ACL
  Operates at the instance level                          Operates at the subnet level
  Supports allow rules only                               Supports allow and deny rules
  Stateful: return traffic is automatically allowed,      Stateless: return traffic must be explicitly allowed
  regardless of any rules                                 by rules
  All rules are evaluated before deciding whether         Rules are evaluated in order (lowest rule number
  to allow traffic                                        first) when deciding whether to allow traffic
  Applies only to instances explicitly associated with    Automatically applies to all instances launched into
  the security group                                      the associated subnets

Note on network ACLs: they don't filter traffic to or from link-local addresses (169.254.0.0/16) or the AWS-reserved IPv4 addresses of a subnet; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server).
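The table above in code, as an added example that is not part of the slides: a small model of one security group and one network ACL evaluating the same packets. The rule numbers, CIDRs and addresses are constructed for the example. It covers the behaviours in the table (allow-only vs. allow/deny, stateful vs. stateless, all rules vs. ordered evaluation, and the implicit deny a NACL falls through to) and leaves out the rest of the real semantics (ICMP types, IPv6, prefix lists, connection-tracking timeouts).

```python
"""Model of how a security group and a network ACL decide on the same packet.

Added example, not from the slides. Rule numbers, CIDRs and addresses are
constructed; real SG/NACL semantics (ICMP types, IPv6, prefix lists,
connection-tracking timeouts) are omitted.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "in" or "out", relative to the instance / subnet


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "-1" (all)
    ports: tuple           # (first, last), inclusive
    cidr: str              # source for inbound rules, destination for outbound
    action: str = "allow"  # NACLs may also say "deny"; security groups never do
    number: int = 0        # NACL rule number; ignored for security groups

    def matches(self, pkt: Packet) -> bool:
        peer = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.proto in ("-1", pkt.proto)
                and self.ports[0] <= pkt.dport <= self.ports[1]
                and ip_address(peer) in ip_network(self.cidr))


def security_group_allows(inbound: list[Rule], outbound: list[Rule],
                          pkt: Packet, conntrack: set) -> bool:
    """Security group: allow rules only, every rule considered, stateful.

    `conntrack` stands in for the connection-tracking table: once a flow is
    allowed in one direction, its return traffic passes regardless of rules.
    """
    if any(r.action != "allow" for r in inbound + outbound):
        raise ValueError("security groups support allow rules only")
    if (pkt.dst, pkt.src, pkt.proto) in conntrack:
        return True                       # reply to a flow we already allowed
    rules = inbound if pkt.direction == "in" else outbound
    if any(r.matches(pkt) for r in rules):
        conntrack.add((pkt.src, pkt.dst, pkt.proto))
        return True
    return False


def nacl_allows(rules: list[Rule], pkt: Packet) -> bool:
    """Network ACL: rules evaluated in ascending rule number, first match wins,
    the trailing '*' rule denies anything unmatched, and nothing is stateful."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


def demo() -> dict:
    """Run the same HTTP request and reply through a web-tier SG and a NACL."""
    web_sg_in = [Rule("tcp", (80, 80), "0.0.0.0/0")]
    web_sg_out: list[Rule] = []     # no outbound rule at all; replies still flow
    conntrack: set = set()

    nacl_in = [Rule("tcp", (80, 80), "198.51.100.0/24", "deny", number=90),
               Rule("tcp", (80, 80), "0.0.0.0/0", "allow", number=100)]
    nacl_in_misordered = [Rule("tcp", (80, 80), "0.0.0.0/0", "allow", number=100),
                          Rule("tcp", (80, 80), "198.51.100.0/24", "deny", number=110)]
    nacl_out_forgotten: list[Rule] = []          # ephemeral-port rule missing
    nacl_out_fixed = [Rule("tcp", (1024, 65535), "0.0.0.0/0", number=100)]

    request = Packet("203.0.113.5", "10.1.0.11", "tcp", 80, "in")
    reply = Packet("10.1.0.11", "203.0.113.5", "tcp", 51000, "out")
    from_blocked_net = Packet("198.51.100.7", "10.1.0.11", "tcp", 80, "in")

    return {
        "sg_request": security_group_allows(web_sg_in, web_sg_out, request, conntrack),
        "sg_reply": security_group_allows(web_sg_in, web_sg_out, reply, conntrack),
        "nacl_request": nacl_allows(nacl_in, request),
        "nacl_reply_no_ephemeral_rule": nacl_allows(nacl_out_forgotten, reply),
        "nacl_reply_with_ephemeral_rule": nacl_allows(nacl_out_fixed, reply),
        "nacl_deny_numbered_first": nacl_allows(nacl_in, from_blocked_net),
        "nacl_deny_numbered_after_allow": nacl_allows(nacl_in_misordered, from_blocked_net),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DROP'}")
```

The two NACL reply checks are the mistake the stateless row warns about: the inbound port-80 rule is present, but without an outbound allow for the ephemeral port range the server's replies are dropped. The last two results show why rule numbering matters: the same deny rule blocks 198.51.100.0/24 when numbered 90 and is never reached when numbered 110, because the allow at 100 matches first.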
27. Network security: security groups, network access control lists, flow logs
28. VPC Flow Logs
• Visibility
• Troubleshooting
• Analyze traffic
[Diagram: flow logs captured in AZ 1 and AZ 2 are delivered to Amazon S3 or Amazon CloudWatch Logs]
29. VPC Flow Logs: Setup
VPC traffic metadata captured in Amazon S3 or Amazon CloudWatch Logs
30. VPC Flow Logs format
The default record format (version 2) is, in order: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status.
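An added example, not from the slides: a parser for the default flow log record and a small detector over it, the kind of "analyze traffic" use the previous slides list. The field order is the documented default format (version 2); the log lines, account ID, ENI ID and addresses are constructed. The detector treats a source that is REJECTed on several distinct TCP ports in one window as a scan candidate.

```python
"""Parse VPC Flow Logs (default format) and flag noisy rejected sources.

Added example, not from the slides. The sample lines are constructed to look
like default (version 2) records; the account ID, ENI ID and addresses are
made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default flow log record format (version 2).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()


@dataclass(frozen=True)
class Flow:
    interface: str
    src: str
    dst: str
    srcport: int
    dstport: int
    protocol: int      # IANA number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    bytes: int
    start: int         # Unix seconds
    end: int
    action: str        # ACCEPT or REJECT


def parse_flow_log(line: str) -> Optional[Flow]:
    """Return a Flow, or None for records that carry no flow data.

    NODATA (no traffic in the window) and SKIPDATA (capture error) records
    have '-' in the address and port columns, so they must be skipped rather
    than parsed as integers.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    return Flow(
        interface=rec["interface-id"], src=rec["srcaddr"], dst=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def rejects_by_source(lines) -> dict:
    """Map source address -> set of TCP destination ports it was rejected on."""
    ports = defaultdict(set)
    for line in lines:
        flow = parse_flow_log(line)
        if flow and flow.action == "REJECT" and flow.protocol == 6:
            ports[flow.src].add(flow.dstport)
    return dict(ports)


def suspected_scanners(lines, min_ports: int = 3) -> list:
    """Sources rejected on at least `min_ports` distinct TCP ports: a crude
    port-scan signal that is cheap to compute and worth an alert."""
    return sorted(src for src, p in rejects_by_source(lines).items()
                  if len(p) >= min_ports)


# Constructed sample: one source probing three ports, one source probing SSH
# once, one accepted internal flow, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.1.2.11 41230 22 6 6 360 1561990800 1561990859 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.1.2.11 41231 3389 6 6 360 1561990800 1561990859 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.1.2.11 41232 445 6 6 360 1561990800 1561990859 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.1.2.11 55010 22 6 3 180 1561990800 1561990859 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.1.0.11 10.1.2.11 52110 8080 6 40 6120 1561990800 1561990859 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1561990800 1561990859 - NODATA
""".splitlines()


if __name__ == "__main__":
    print("rejected ports by source:", rejects_by_source(SAMPLE_LOG))
    print("suspected scanners:", suspected_scanners(SAMPLE_LOG))
```

A REJECT line means the security group or network ACL dropped the flow, so a burst of rejects from one source across many ports is a cheap first signal; the ACCEPT line for 10.1.0.11 → 10.1.2.11:8080 is what a healthy web-to-app flow from slide 22 looks like. The same parser feeds the troubleshooting case: a flow you expected to work showing up as REJECT on the instance's ENI points at a missing rule.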
32. Connecting your VPC or not: internet connectivity or not, connecting to other VPCs, connecting to your on-premises network
33. Internet connectivity or not
34. Let's take a closer look
[Diagram: the VPC (10.1.0.0/16) across two Availability Zones. Instance A (10.1.0.11/24, EIP 54.23.12.43) and Instance B (10.1.1.11/24, EIP 54.19.12.23) in the public subnets reach the internet through the internet gateway; Instance C (10.1.2.11/24) and Instance D (10.1.3.11/24) in the private subnets send their default route 0.0.0.0/0 to a NAT gateway. In this picture Amazon S3, Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS and AWS IoT are all reached over the internet.]

Public subnet route table:
  Destination   Target
  10.1.0.0/16   Local
  0.0.0.0/0     IGW

Private subnet route table:
  Destination   Target
  10.1.0.0/16   Local
  0.0.0.0/0     NAT-GW
35. Connecting to other VPCs: VPC peering, Transit Gateway
36. VPC peering
• Full private IP connectivity between two VPCs
• Can peer VPCs across regions
• VPCs can be in different accounts
• VPC CIDR ranges must not overlap
[Diagram: four VPCs, 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, connected by peering]
37. Establish a VPC peering: Initiate request
Step 1: Initiate the peering request
[Diagram: VPC 172.31.0.0/16 requests a peering with VPC 10.55.0.0/16]
38. Establish a VPC peering: Accept request
Step 1: Initiate the peering request
Step 2: Accept the peering request (done from the side of the VPC that received it)
[Diagram: VPC 172.31.0.0/16 and VPC 10.55.0.0/16, peering awaiting acceptance]
39. Establish a VPC peering: Create routes
Step 1: Initiate the peering request
Step 2: Accept the peering request
Steps 3 and 4: Traffic destined for the peered VPC should go to the peering connection: add a route for the peer's CIDR with the peering connection as target in this VPC's route tables, then repeat in the other VPC (10.55.0.0/16 → peering connection in the 172.31.0.0/16 VPC, and 172.31.0.0/16 → peering connection in the 10.55.0.0/16 VPC).
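The steps above as a pre-flight check, added here as an example that is not from the slides: it enforces the "CIDR ranges must not overlap" rule from slide 36 (and the "avoid overlapping ranges" advice from slide 9) and produces the step 3 and 4 route entries for both sides of every peering. VPC names, the on-premises range and the pcx- placeholders are constructed; the 172.31.0.0/16 and 10.55.0.0/16 pair is the one on slides 37 to 39. Peering connections are point-to-point and not transitive, which is why the helper goes to a full mesh when more than two VPCs need to talk.

```python
"""Pre-flight for VPC peering: non-overlapping CIDRs, and a route on both
sides of every peering connection.

Added example, not from the slides. VPC names, the on-premises range and the
pcx- placeholders are constructed; AWS assigns the real pcx- IDs when the
peering is created.
"""
from ipaddress import ip_network
from itertools import combinations


def overlapping_pairs(networks: dict) -> list:
    """networks: name -> CIDR. Returns the name pairs whose CIDRs overlap.

    Include on-premises and partner ranges here too: an overlap means the
    same destination matches both the local route and a peering/VPN route.
    """
    return [(a, b) for (a, ca), (b, cb) in combinations(networks.items(), 2)
            if ip_network(ca).overlaps(ip_network(cb))]


def full_mesh_routes(vpcs: dict) -> list:
    """Steps 3 and 4 from the slides, for every pair of VPCs.

    Returns (vpc, destination CIDR, peering connection) entries to add to the
    route tables of each VPC. Peering is not transitive, so every pair that
    must communicate gets its own connection and its own two routes.
    """
    clash = overlapping_pairs(vpcs)
    if clash:
        raise ValueError(f"cannot peer, overlapping CIDRs: {clash}")
    routes = []
    for a, b in combinations(vpcs, 2):
        pcx = f"pcx-{a}-{b}"               # placeholder for the AWS-assigned ID
        routes.append((a, vpcs[b], pcx))    # in VPC a: traffic for b -> peering
        routes.append((b, vpcs[a], pcx))    # in VPC b: traffic for a -> peering
    return routes


def peering_connections_needed(n_vpcs: int) -> int:
    """Full mesh of point-to-point peerings: n*(n-1)/2 connections."""
    return n_vpcs * (n_vpcs - 1) // 2


if __name__ == "__main__":
    # Constructed: an on-premises /24 that collides with the second VPC.
    print(overlapping_pairs({"vpc-a": "172.31.0.0/16", "vpc-b": "10.55.0.0/16",
                             "on-prem": "10.55.8.0/24"}))
    for entry in full_mesh_routes({"vpc-a": "172.31.0.0/16", "vpc-b": "10.55.0.0/16"}):
        print(entry)
    print(peering_connections_needed(6), "peerings for six VPCs")
```

The route count grows with the square of the VPC count (four VPCs from slide 36 already need six peerings and twelve routes), which is the problem the Transit Gateway slides that follow address.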
40. Connecting to other VPCs: VPC peering, Transit Gateway, and beyond…
41. Before Transit Gateway …
[Diagram: several Amazon VPCs connected pairwise by VPC peering, each also reaching on premises through its own VPN connection from a customer gateway or through an AWS Direct Connect gateway.]
42. With Transit Gateway . . .
[Diagram: four Amazon VPCs, a VPN connection from a customer gateway, and an AWS Direct Connect gateway (NEW) all attach to a single Transit Gateway.]
43. With Transit Gateway . . .
[Diagram: VPC A, VPC B and VPC C attach to the Transit Gateway as attachments 1, 2 and 3; on premises attaches through VPN as attachment 4. The Transit Gateway holds route tables RT1 and RT2.]

TGW attachments:
  VPC A    : Attachment 1
  VPC B    : Attachment 2
  VPC C    : Attachment 3
  On prem  : VPN 4

VPC B subnet route table:
  Destination    Target
  B (VPC CIDR)   Local
  0.0.0.0/0      TGW
44. Attachment: the connection from an Amazon VPC, VPN, or DX GW to a Transit Gateway
Association: the route table used to route packets coming from an attachment
Propagation: the route table where the attachment's routes are installed
45. Transit Gateway route table
[Diagram: three VPCs attach to a Transit Gateway: Llama (10.1.0.0/16) as attachment X, Pegasus (10.2.0.0/16) as attachment Y, Barry (10.3.0.0/16) as attachment Z.]

Transit Gateway route table RT1:
  Associations: Llama from X, Pegasus from Y, Barry from Z
  Propagations: Llama from X, Pegasus from Y, Barry from Z
  Routes:
    10.1.0.0/16 via X
    10.2.0.0/16 via Y
    10.3.0.0/16 via Z

Subnet route table that sends everything non-local to the TGW:
  Destination   Target
  10.1.0.0/16   Local
  0.0.0.0/0     TGW

Subnet route table with internet access that sends only private space to the TGW:
  Destination   Target
  10.1.0.0/16   Local
  0.0.0.0/0     IGW
  10.0.0.0/8    TGW
46. Transit Gateway route table(s)
[Diagram: as on slide 45, with Llama now also carrying 10.8.0.0/16 and 10.9.0.0/16 behind attachment X.]

Transit Gateway route table RT1:
  Associations: Llama from X, Pegasus from Y, Barry from Z
  Propagations: Llama from X, Pegasus from Y, Barry from Z
  Routes:
    10.1.0.0/16 via X
    10.2.0.0/16 via Y
    10.3.0.0/16 via Z
    10.8.0.0/16 via X   (installed by propagation)
    10.9.0.0/16 via X   (installed by propagation)
47. Transit Gateway route table(s)
[Diagram: as on slide 46.]

Transit Gateway route table RT1:
  Associations: Llama from X, Pegasus from Y, Barry from Z
  Propagations: Llama from X, Pegasus from Y, Barry from Z
  Routes:
    10.1.0.0/16 via X
    10.2.0.0/16 via Y
    10.3.0.0/16 via Z
    10.8.0.0/16 via X
    10.9.0.0/16 via X

With propagation turned off, you can still statically configure routes.
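The routing story of slides 15, 16 and 44 to 47 in one runnable model, added here as an example that is not from the slides or from AWS: a longest-prefix-match lookup for subnet route tables, and a Transit Gateway route table with associations, propagations and static routes. The VPC names, CIDRs and attachment IDs X, Y, Z are the ones on slides 45 to 47; the classes and the second subnet route table's CIDR (Pegasus's 10.2.0.0/16, where the slide repeats 10.1.0.0/16) are the example's own. forward() does what a real packet gets: a lookup in the source subnet's route table and, only if that route points at the TGW, a lookup in the TGW route table associated with the source attachment. The TGW route table is the segmentation boundary: an attachment can only reach what is in the table it is associated with, which is why the last two steps (propagation off, then a deliberate static route) matter for keeping environments apart.

```python
"""Model of subnet route tables plus a Transit Gateway route table with
associations, propagations and static routes.

Added example, not from the slides or AWS code. VPC names, CIDRs and the
attachment IDs X, Y, Z follow slides 45-47; the classes are illustrative.
"""
from ipaddress import ip_address, ip_network


def longest_prefix_match(routes, dst):
    """routes: iterable of (cidr, target). The most specific matching route
    wins; None if nothing matches (there is no implicit default route)."""
    addr, best = ip_address(dst), None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


class TgwRouteTable:
    def __init__(self):
        self.associations = set()   # attachments whose traffic uses this table
        self.propagations = set()   # attachments whose CIDRs get installed here
        self.static = []            # (cidr, attachment) entries added by hand

    def routes(self, attachments):
        """attachments: {attachment_id: [cidr, ...]} known to the gateway."""
        return [(cidr, att) for att in self.propagations
                for cidr in attachments.get(att, [])] + self.static


class TransitGateway:
    def __init__(self):
        self.attachments = {}       # attachment id -> CIDRs behind it
        self.tables = {}            # table name -> TgwRouteTable

    def route(self, src_attachment, dst):
        """Attachment the TGW forwards to for traffic entering on src_attachment,
        or None if the associated table has no route (the packet is dropped)."""
        for table in self.tables.values():
            if src_attachment in table.associations:
                return longest_prefix_match(table.routes(self.attachments), dst)
        return None


def forward(subnet_routes, attachment, tgw, dst):
    """Subnet route table first; only a route whose target is 'tgw' consults
    the gateway. Returns 'local', 'igw', an attachment id, or None."""
    target = longest_prefix_match(subnet_routes, dst)
    return tgw.route(attachment, dst) if target == "tgw" else target


# Slide 45's two subnet route tables (the second one given Pegasus's CIDR).
LLAMA_PRIVATE_RT = [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw")]
PEGASUS_PUBLIC_RT = [("10.2.0.0/16", "local"), ("0.0.0.0/0", "igw"),
                     ("10.0.0.0/8", "tgw")]


def scenario() -> dict:
    tgw = TransitGateway()
    tgw.attachments = {"X": ["10.1.0.0/16"],    # Llama
                       "Y": ["10.2.0.0/16"],    # Pegasus
                       "Z": ["10.3.0.0/16"]}    # Barry
    rt1 = tgw.tables["RT1"] = TgwRouteTable()
    rt1.associations = {"X", "Y", "Z"}
    rt1.propagations = {"X", "Y", "Z"}

    out = {"llama_to_pegasus": forward(LLAMA_PRIVATE_RT, "X", tgw, "10.2.0.5"),
           "llama_to_own_vpc": forward(LLAMA_PRIVATE_RT, "X", tgw, "10.1.3.7"),
           "pegasus_to_internet": forward(PEGASUS_PUBLIC_RT, "Y", tgw, "93.184.216.34")}
    # Slide 46: Llama gains 10.8.0.0/16 and 10.9.0.0/16; propagation installs them.
    tgw.attachments["X"] += ["10.8.0.0/16", "10.9.0.0/16"]
    out["pegasus_to_llama_new_cidr"] = forward(PEGASUS_PUBLIC_RT, "Y", tgw, "10.9.4.4")
    # Slide 47: propagation from Z turned off -> Barry disappears from RT1 ...
    rt1.propagations.discard("Z")
    out["pegasus_to_barry_unpropagated"] = forward(PEGASUS_PUBLIC_RT, "Y", tgw, "10.3.1.1")
    # ... until a static route puts it back deliberately.
    rt1.static.append(("10.3.0.0/16", "Z"))
    out["pegasus_to_barry_static"] = forward(PEGASUS_PUBLIC_RT, "Y", tgw, "10.3.1.1")
    return out


if __name__ == "__main__":
    for step, hop in scenario().items():
        print(f"{step:32s} -> {hop}")
```

Two details worth noticing: 10.1.3.7 from Llama resolves to the local route even though 0.0.0.0/0 → TGW also matches, which is slide 16's point (the /16 local route is more specific than the default); and once propagation from Z is off, Pegasus's packets for 10.3.1.1 still reach the TGW (10.0.0.0/8 → TGW in the subnet table) but are dropped there, so a missing TGW route shows up as silent loss, not as a subnet-level error.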
48. After: AWS Transit Gateway (TGW) – The console
[Console screenshot]
49. After: AWS Transit Gateway – The console
[Console screenshot: a Transit Gateway named "Unicorn TGW" with the description "This TGW is Awesome"]
50. After: AWS Transit Gateway – The console
[Console screenshot]
51. Transit Gateways per account / Transit Gateway attachments per Amazon VPC: 5
Maximum burstable bandwidth per attachment: 50 Gbps
52. Maximum bandwidth per VPN connection: 1.25 Gbps*
* With ECMP, you can distribute traffic over multiple tunnels, e.g., 8 tunnels = 10 Gbps
53. Routes per AWS Transit Gateway: 10,000
Number of AWS Transit Gateway attachments per region per account: 5,000 !!!
54. Cross-region connectivity?
TGW is a region-level construct today
55. AWS Transit Gateway detailed instructions: https://amzn.to/2SkI4zV
56. Connecting to on-premises networks: AWS VPN, AWS Direct Connect
57. [Diagram: AWS VPN. A customer gateway on premises connects to a virtual private gateway over two IPsec tunnels across the internet: IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary).]
58. [Diagram: the same two IPsec tunnels over the internet, tunnel 1 (primary) and tunnel 2 (secondary), from the customer gateway on premises now terminate on a Transit Gateway instead of a virtual private gateway.]
59. Migrate site-to-site VPN to Transit Gateway (NEW): https://amzn.to/2vwPcj7
60. [Diagram: Client VPN. A user with an OpenVPN client builds a TLS-based tunnel over the internet to a Client VPN endpoint; the endpoint's attachment to an Amazon VPC gives the client access to the VPC and, from there, to on premises, Amazon S3 and Amazon DynamoDB.]
61. Connecting to on-premises networks: AWS VPN, AWS Direct Connect
62. AWS Direct Connect: What's that?
[Diagram: from the on-premises network (192.168.0.0/16), a service provider network reaches an AWS Direct Connect location, where the customer or partner cage is cross-connected to the AWS cage. Over that connection a private VIF terminates on the VGW of a VPC (10.0.0.0/16) in the AWS Region, and a public VIF reaches AWS public endpoints.]
63. AWS Direct Connect: What's that?
[Diagram: as on slide 62, plus a second VPC (10.2.0.0/16) with its own VGW reached over a second private VIF: one private VIF per VPC.]
64. AWS Direct Connect gateway
[Diagram: the private VIF now terminates on an AWS Direct Connect gateway, which is associated with the VGWs of both VPCs (10.0.0.0/16 and 10.2.0.0/16).]
One private VIF → many VPCs
65. AWS Direct Connect gateway
[Diagram: as on slide 64, with the two VPCs in AWS Region 1 and AWS Region 2.]
One private VIF → many VPCs across regions
66. AWS Direct Connect gateway: Multi-account DX gateway (New)
[Diagram: as on slide 64, with the two VPCs in AWS Account 1 and AWS Account 2.]
One private VIF → many VPCs across accounts
67. AWS Direct Connect gateway: Transit VIF with DX gateway (New)
[Diagram: a transit VIF terminates on the AWS Direct Connect gateway, which connects to an AWS Transit Gateway; the VPCs (10.0.0.0/16 in AWS Account 1, 10.2.0.0/16 in AWS Account 2) hang off the Transit Gateway.]
One transit VIF → many VPCs
68. Transit Gateway with AWS Direct Connect (New): https://amzn.to/2VDnnEt
69. Also new: partner connection speeds of 1, 2, 5, or 10 Gbps of capacity: https://amzn.to/2YtGNue
71. …more AWS networking: VPC sharing, VPC endpoints and AWS PrivateLink, AWS Global Accelerator
72. Amazon VPC sharing: Before
73. [Diagram: before VPC sharing, six VPCs named Llama (10.3.0.0/16), Pegasus (10.2.0.0/16), Barry (10.1.0.0/16), Iguana (10.6.0.0/16), Steve (10.5.0.0/16) and Sue (10.4.0.0/16), one for each of Dev, Test, Prod 1, Prod 2, Prod 3 and Prod 4, each hosting its own Amazon EC2, AWS Lambda, Amazon RDS or Amazon Redshift resources.]
74. Amazon VPC sharing: After
75. [Diagram: after VPC sharing, the same accounts Llama (10.3.0.0/16), Pegasus (10.2.0.0/16), Barry (10.1.0.0/16), Iguana (10.6.0.0/16), Steve (10.5.0.0/16) and Sue (10.4.0.0/16) are each labelled Owner or Participant (two owners, four participants); the Dev, Test and Prod 1 to Prod 4 workloads (Amazon EC2, AWS Lambda, Amazon RDS, Amazon Redshift) run in subnets shared by the owners.]
76. Amazon VPC owner: responsible for creating, managing, and deleting all VPC-level entities. Amazon VPC owners cannot modify or delete participant resources.
Amazon VPC participant: responsible for the creation, management, and deletion of their resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) databases, and load balancers. However, they cannot modify any Amazon VPC-level entities, including route tables, network ACLs, or subnets (or view/modify resources belonging to other participants).
77. Why use Amazon VPC sharing?
• Preserve IP space: use fewer IPv4 CIDRs
• Interconnectivity: no VPC peering required
• Billing and security: continue to enjoy segregation with multiple accounts
• Separation of duties: a central team can create and manage your Amazon VPC
• Data transfer within the same AZ costs nothing
78. Amazon VPC sharing details: https://amzn.to/2Aovw2Z
79. VPC endpoints: gateway VPC endpoints, interface VPC endpoints, AWS PrivateLink
80. [Diagram: the VPC from slide 34, now with gateway VPC endpoints (VPCE) for Amazon S3 and Amazon DynamoDB. Traffic to those services leaves through the endpoint instead of the internet gateway or NAT gateway, steered by a prefix-list route in each subnet's route table.]
VPCE = VPC endpoint (type: Gateway)

Public subnet route table:
  Destination      Target
  10.1.0.0/16      Local
  0.0.0.0/0        IGW
  S3 prefix list   VPCE-123

Private subnet route table:
  Destination      Target
  10.1.0.0/16      Local
  DDB prefix list  VPCE-123
81. VPC endpoints: gateway VPC endpoints, interface VPC endpoints, AWS PrivateLink
82. Interface VPC endpoints
22+ services now supported over AWS PrivateLink: Amazon API Gateway, AWS CloudFormation, Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS CodeBuild, AWS Config, Amazon EC2 API, Elastic Load Balancing API, AWS Key Management Service, Amazon Kinesis Data Streams, Amazon SageMaker Runtime, AWS Secrets Manager, AWS Security Token Service, AWS Service Catalog, Amazon SNS, AWS Systems Manager, and more.
[Diagram: the VPC from slide 34 with an interface endpoint for the EC2 API: one elastic network interface per subnet (ENI1: 10.1.0.15 in Availability Zone 1, ENI2: 10.1.1.23 in Availability Zone 2). The service name ec2.eu-west-1.amazonaws.com resolves to these private addresses, so instances in the public and private subnets reach the EC2 API without the internet gateway or NAT gateway.]
AWS PrivateLink can reach public services privately from your VPC. No routes needed! (almost)

Subnet route tables, unchanged:
  Destination   Target
  10.1.0.0/16   Local
83. VPC endpoints
[Console screenshot: endpoint types "Gateway" and "Interface"]
84. VPC endpoints: gateway VPC endpoints, interface VPC endpoints, AWS PrivateLink
85. And now AWS PrivateLink for service providers
[Diagram: a customer VPC reaches an application (e.g., SaaS) in a service provider VPC through AWS PrivateLink; the provider exposes it behind an NLB, and the customer consumes it through a VPC endpoint named vpce-2222.foo.amazon.com.]
86. AWS Global Accelerator
87. Before
88. [Diagram: users on the public internet reaching applications in AWS Region 1 and AWS Region 2 directly]
89. After
90. [Diagram: the same users reach both AWS Region 1 and AWS Region 2 through one static anycast IP address, 3.10.3.125, advertised in front of both regions]
91. Static anycast IPs: Global Accelerator uses static IP addresses as a fixed entry point to your applications, which are anycast from AWS edge locations.
AWS global network: traffic routed through Global Accelerator traverses the AWS global network (instead of the public internet).
Client state: applications can keep state, with connections routed to the same endpoint after the initial connection.
92. AWS Global Accelerator: https://amzn.to/2FI3y89
94. [Diagram: the session overview from slide 3, shown again as a recap of everything covered.]
95. Awesome networking study guide: https://amzn.to/2U9TczL
96. Thank you!
Sid Chauhan
@sidhartc