Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sidhartha Chauhan
Solutions Architect, AWS
SRV323
Planning Advanced AWS Networking
Architectures

AWS

AWS
Core services Compute Storage Database Networking
Infrastructure RegionsAvailability Zones Edge locations
Platform
services
Analytics IoT Deployment Mobile
Virtual
desktops
Collaboration
& sharing
App delivery Email
Access
control
Auditing Monitoring EncryptionSecurity
Applications
A
P
I
&
S
D
K
s

Foundations: Amazon VPC
Your own private, isolated section of the AWS Cloud

VPC CIDR 10.1.0.0/16
Availability Zone A Availability Zone B
Public Subnet Public Subnet
Private Subnet Private Subnet
Instance A
10.1.1.11 /24
Instance B
10.1.2.22 /24
Instance C
10.1.3.33 /24
Instance D
10.1.4.44 /24
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Only one internet gateway and
one VGW per VPC

AWS Region - eg: US-WEST1
Our VPC from earlier
AWS Region
AWS Region level services (plus many more)
Amazon VPC internal services (e.g., Amazon EMR,
Elastic Load Balancing, Amazon RDS)
Internet gateway, gateway between AWS
region level services and internal VPC
services
Instance A
10.1.1.11 /24
Public Subnet Public Subnet
Private Subnet Private Subnet
Instance B
10.1.2.22 /24
Instance C
10.1.3.33 /24
Instance D
10.1.4.44 /24
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Amazon SNS
Amazon SQS
Amazon SWF
Amazon SES
Amazon S3
Amazon Glacier
Amazon DynamoDB
AWS Lambda

Open question and answer

Advanced VPC and other services
Lets add some AWS services outside of VPC

VPC
peering
On premises
VPC
Amazon
CloudWatch
VPN
AWS
Direct Connect
Amazon
EC2
Amazon
VPC
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
Public subnet Public subnet
Private subnet Private subnet
NAT
VGW
IGW
VPC Flow
LogsEIP: 54.1.13.43=10.1.1.11
NAT Gateway
Internet

Inter-region
VPC peering
Internet
On premises
VPC
VPN
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
NAT
VGW
IGW
NAT Gateway
VPC CIDR 10.1.0.0/16, 10.2.0.0/16
Expand your existing VPC
VPN BYO tunnel IP
and custom PSK
Security group rule
descriptions
IPv6 for VPC

Inter-region
VPC peering
On premises
VPC
AWS Direct
Connect
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance B
10.1.2.22/24
Instance D
10.1.4.44/24
NAT
VGW
IGW
NAT Gateway
VPC CIDR 10.1.0.0/16, 10.2.0.0/16
DX Gateway, link aggregation,
new POPs, and global public
access
Security group rule
descriptions
IPv6 for VPC
Internet

Inter-region
VPC peering
On premises
VPC
Instance C
10.1.3.33/24
Instance A
10.1.1.11/24
Instance D
10.1.4.44/24
VGW
IGW
Security group rule
descriptions
VPC CIDR 10.1.0.0/16, 10.2.0.0/16
DX Gateway, link aggregation,
new POPs, and global public
access
Amazon EC2
Elastic Load Balancing
Kinesis Data Streams
AWS Service Catalog
EC2 Systems Manager
PrivateLink for AWS
services and service
providers
CloudWatch metrics
for VPN, DX, and
NATGW
IPv6 for VPC
AWS Direct
Connect
Internet

VPC endpoints
AWS Lambda

VPC endpoints
How it works Without endpoints:
• Instances need public
connectivity
• Security groups
required to block
outside access
• Mindset that
customers are
traversing the public
internet
Enter:
Virtual private endpoint

VPC endpoints
How it works We no longer need the
following for Amazon S3
access:
• Elastic IP addresses
per instance
• Default routes
pointing to an
internet gateway
• NAT instances
• Or even an internet
gateway!

VPC endpoints
How it works After the VPCE is created:
• ”Prefix-list” entries are
needed for each route
table.
• Now all traffic for the PL-
XXX destinations will
traverse the VPCE instead
of the internet gateway.

VPC endpoints
How it works Restricting Access to
Amazon S3:
• IAM policy at VPC
endpoints restricting
access
• IAM policy at S3 bucket
restricting access
IAM policy at VPC endpoint:
Restrict actions of VPC in
Amazon S3
IAM policy at S3 bucket: Make
accessible from VPC endpoint only

Connecting to AWS

On premises
VPN connectivity Provisioning VPN connections
1. Build your AWS infrastructure
2. Create your virtual private gateway (VGW) and attach to your
virtual private cloud (VPC)
3. Define your customer gateway
4. Create your VPN connection between the VGW and customer
gateway
5. Download your template configuration
6. Configure your customer gateway and watch your tunnels come up
and enjoy encrypted connectivity!
Internet access
IPsec tunnel 1 - Primary
IPsec tunnel 2- Secondary
Internet

10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Customer DCColocation Facility - e.g. Equinix SV1
VPC CIDR 10.1.0.0/16
Customer subnet
192.168.0.0/16
DX PoP
Colocation facility
Customer or partner device
AWS Direct Connect
Point of Presence
Customer Gateway
Cross connect
Customer data center
Service provider backhaul
Anatomy of AWS Direct Connect
Private virtual interface
Configure customer gateway
VPC VGW

Standard Interface & BGP configuration
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/1.807
description "Direct Connect to your Amazon VPC or AWS Cloud"
encapsulation dot1Q 807
ip address 172.16.7.5 255.255.255.252
router bgp 65001
neighbor 172.16.7.6 remote-as 7224
neighbor 172.16.7.6 password 7 $1$zVOvlUSp$UrqWP2awtiG8ZbXo9BwcB
network 0.0.0.0
exit
Physical Interface that fiber is plugged into
Sub-interface (generally matches VLAN)
VLAN association
/30 private P2P address
BGP ASN
Route advertisement to AWS
Just a description
BGP MD5 password
Neighbor peer address

10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
VPC CIDR 10.1.0.0/16
Customer subnet
192.168.0.0/16
Customer Gateway
BGP comes up, prefixes are advertised
%BGP-5-ADJCHANGE: neighbor 172.16.6.6 Up
AWS Direct Connect
Point of Presence
Anatomy of DX, continued

10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
VPC CIDR 10.1.0.0/16
Customer subnet
172.160.0.0/16
Customer Gateway
AWS Direct Connect
Point of Presence
My private virtual interface is up, now what?
What about my S3 bucket or Amazon DynamoDB? – In comes public virtual interfaces!

10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
VPC CIDR 10.1.0.0/16
Amazon SNS
Amazon SQS
Amazon SWF
Amazon SES
Amazon S3 Amazon DynamoDB
AWS LambdaAmazon Glacier
Customer subnet
172.160.0.0/16
Customer Gateway
AWS Regions much larger than just what’s inside a VPC
Create public virtual interface
BGP comes up, prefixes are advertised (public only)
%BGP-5-ADJCHANGE: neighbor 203.50.24.5 Up
AWS Direct Connect
Point of Presence

Anatomy of a redundant DX
Customer subnet
172.160.0.0/16
Double connectivity
The standard connectivity we built earlierVPC VGW
Redundant DX POP locationOther AWS services
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
VPC CIDR 10.1.0.0/16
Amazon SNS
Amazon SQS
Amazon SWF
Amazon SES
Amazon S3 Amazon DynamoDB
AWS LambdaAmazon Glacier

Advanced architectures

What does transitive routing look like?
Can I do anything to make this thing not so strictly coupled?
Using a transitive VPC
Lots of caveats
• ECMP is currently broken
• You can get switched back to VPNv1
(losing VPNv2 capabilities)
• VPN throughputs apply
• We need scaling of the VGW VPN
• NAT needed outbound on FW
• Cross AZ charges may apply
• Statefulness does not work today

Elastic Load Balancing sandwich
Deploying firewalls inline
Elastic Load Balancing sandwich
• Works if we are talking web traffic, and more suited when a WAF is required

Auto Scaling
Group
Auto Scaling the Elastic Load Balancing sandwich
CloudWatch
Custom Metrics
can trigger alarms
Time
VPN Users
Capacity
Time
Bandwidth
Capacity
Launch More
Instances
Amazon CloudWatch

How do you bootstrap a firewall?
Simple Queue
Service
Route 53
Auto Scaling
event
Auto Scaling
group
Worker node puts VPN instance
into service when configured

AWS Direct Connect
Gateway
One private virtual interface can be attached to multiple VGWs
Enter: AWS Direct Connect gateway
On premises
AWS Direct
Connect POP
Customer or
partner cage
Service provider
network
VLAN BPrivate VIF

AWS Direct Connect
Gateway
Note: VPCs must reside in the same
account
On premises
AWS Direct
Connect POP
Customer or
partner cage
Service provider
network
VLAN BPrivate VIF
Account 1

AWS Direct Connect
Gateway
Note: VPCs must have
non-overlapping addresses
On premises
AWS Direct
Connect POP
Customer or
partner cage
Service provider
network
VLAN BPrivate VIF
Account 1
10.1.0.0/16
10.2.0.0/16
10.3.0.0/16

Multiple VIF attachments to a gateway, up to
10
Multiple VGW/VPC attachments to a gateway,
up to 10
VIFs and VGWs can be in any region

Cross-region private VIFs
On premises
AWS Direct
Connect POP
Customer or
partner cage
Service Provider
Network
VLAN BPrivate VIF
AWS Direct Connect
Gateway
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Region 1
Region 2

There are some disallowed data paths
On premises
AWS Direct
Connect POP
Customer or
partner cage
Service Provider
Network
VLAN BPrivate VIF
X
X
AWS Direct Connect
Gateway
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Region 1
Region 2
VPN connection
X
X
Secondary AWS Direct Connect
Private VIF to Private VIF
VGW to VGW
Private VIF to VPN

Follow-ups
AWS re:Invent sessions
Another Day, Another Billion Packets
https://www.youtube.com/watch?v=3qln2u1Vr2E
From One to Many, Evolving VPC Design
https://www.youtube.com/watch?v=3Gv47NASmU4
Creating Your Virtual Data Center, VPC Fundamentals and
Connectivity Options
https://www.youtube.com/watch?v=Ul2NsPNh9Ik

Follow-ups
AWS whitepapers
https://aws.amazon.com/whitepapers/
AWS reference architectures and AWS quick start guides:
https://aws.amazon.com/architecture/

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Submit session feedback
1. Tap the Schedule icon.
2. Select the session you attended.
3. Tap Session Evaluation to submit
your feedback.

Thank you!

Appendix

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Interface VPC endpoint
P o w e r e d b y A W S P r i v a t e L i n k

Interface VPC endpoints
A n e l a s t i c n e t w o r k i n t e r f a c e w i t h a p r i v a t e I P
a d d r e s s t h a t s e r v e s a s a n e n t r y p o i n t f o r t r a f f i c
d e s t i n e d t o a s u p p o r t e d A W S s e r v i c e
AWS public services
Amazon EC2 (API) & EC2 SSM
Amazon Kinesis
AWS Service Catalog
1 0 . 1 . 1 0 . 5 0

How it works AWS public services
Amazon EC2 (API) & EC2 SSM
Amazon Kinesis
AWS Service Catalog
1 0 . 1 . 1 0 . 5 0
S u b n e t - 1 0 . 1 . 1 0 . 4 5
E C 2 f l e e t
h o s t i n g a p p l i c a t i o n
Availability Zone A
M a k e s a r e q u e s t t o
E l a s t i c L o a d B a l a n c i n g
e n d p o i n t n a m e
k i n e s i s . u s - e a s t -
1 . a m a z o n a w s . c o m
R E S O L V E S T O T H E
P R I V A T E I P O F T H E
e l a s t i c n e t w o r k
i n t e r f a c e

Interfac e V PC en d p oints
No routes in your route table
No IAM policy for endpoint
Not accessible via (VGW) VPN
One subnet per AZ per one endpoint
Supports TCP only
aws ec2 create-vpc-endpoint
--vpc-id vpc-ec43eb89
--vpc-endpoint-type Interface
--service-name com.amazonaws.us-east-1.elasticloadbalancing
--subnet-id subnet-abababab subnet-catbatratsat
--security-group-id sg-1a2b3c4d

C r e a t i n g
i n t e r f a c e V P C
e n d p o i n t s
aws ec2 create-vpc-endpoint
--vpc-id vpc-ec43eb89
--vpc-endpoint-type Interface
--service-name com.amazonaws.us-east-1.elasticloadbalancing
--subnet-id subnet-abababab subnet-catbatratsat
--security-group-id sg-1a2b3c4d
S u b n e t
Availability Zone A
S u b n e t
Availability Zone B
S u b n e t
Availability Zone C
v p c - i d v p c - e c 4 3 e b 8 9
Amazon EC2 (API) & EC2 SSMAmazon Kinesis AWS Service CatalogElastic Load Balancing
aws ec2 describe-vpc-endpoints

A c c ess th rou g h
interfac e V PC
en d p oints
I f c r e a t e d i n O r e g o n ,
w h i c h h a s t h r e e A Z S
Endpoint-specific regional DNS hostname
vpce-0fe5b17a0707d6abc-29p5708s.kinesis.us-west-2.vpce.amazonaws.com
Endpoint-specific zonal DNS hostname
vpce-0fe5b17a0707d6abc-29p5708s-us-west-2a.kinesis.us-west-2.vpce.amazonaws.com
vpce-0fe5b17a0707d6abc-29p5708s-us-west-2b.kinesis.us-west-2.vpce.amazonaws.com
vpce-0fe5b17a0707d6abc-29p5708s-us-west-2c.kinesis.us-west-2.vpce.amazonaws.com
Default public DNS hostname
kinesis.us-west-2.amazonaws.com
Private IP address of the endpoint network interface
10.1.10.50 10.1.20.50 10.1.30.50
Submit requests to the supported service
via an endpoint URL

AWS Oregon (us-west-2) Region
CIDR: 10.0.0.0/16
Availability Zone - A
Private subnet: 10.0.1.0/24
Private IP : 10.0.1.7
Amazon Kinesis
EC2
Private IP:
10.0.1.12
Availability Zone - B
Private subnet: 10.0.2.0/24
10.0.2.7
Private IP:
10.0.2.120
VPCE-2222.KINESIS.AMAZON.COM
Private connection over
AWS network
Consider
VPCE-2222.KINESIS.AMAZON.COM
Customer
network
Connecting endpoints in another region
Connecting to endpoints across a VPN
Service provider traffic origination
Advertising with customer DNS name

S e c u r i n g a c c e s s t o A m a z o n i n t e r f a c e V P C e n d p o i n t s
S u b n e t 1 0 . 0 . 1 . 0 / 2 4
Availability Zone A
S u b n e t : 1 0 . 0 . 2 . 0 / 2 4
Availability Zone B
S u b n e t : 1 0 . 0 . 3 . 0 / 2 4
Availability Zone C
S e c u r i t y g r o u p
V P C C I D R : 1 0 . 0 . 0 . 0 / 1 6

Use cases for interface VPC endpoints
• Endpoint consumers can establish private connectivity to Amazon services
• Customers can share internal services between VPCs, both within a single AWS account
and between AWS accounts
• Partners can deliver services to their customers’ VPCs, or on-premises networks via DX

A. You are unable to connect to endpoints in another region
B. Endpoints cannot be accessed across a VPN that uses Amazon VGW
C. Traffic cannot be originated by service providers
D. TCP traffic only
Things to note

Connecting to resources over DX

Connecting to VPC over DX
VPC
VPC
VPC
Customer
router
Production
Test
Development
VPC
VPC
VPC
Non-productionProduction
US West (Oregon)
Switch SUPERNAP 8,
Las Vegas, NV
DX devices

Private VIF
VPC
VPC
VPC
VPC
VPC
VPC
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
US West (Oregon)
DX devices
Production
Test
Development

Private VIF
DX location
VPC
VPC
VPC
VPC
VPC
VPC
VLAN
400
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
US West (Oregon)
DX devices
Production
Test
Development

Private VIF
VPC
VPC
VPC
VPC
VPC
VPC
BGP
VLAN
400
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
US West (Oregon)
DX devices
Production
Test
Development

VLAN
600
Private VIF – Multiple VPCs
VPC
VPC
VPC
VPC
VPC
VPC
VLAN
500
DX location
VLAN
400
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
US West (Oregon)
DX devices
Production
Test
Development

VLAN
600
Private VIF – Multiple VPCs
VPC
VPC
VPC
VPC
VPC
VPC
VLAN
500
DX location
VLAN
400
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
BGP
BGP
US West (Oregon)
BGP
DX devices
Production
Test
Development

Public VIF
VPC
VPC
VPC
VPC
VPC
VPC
DX location
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
US West (Oregon)
DX devices
Production
Test
Development

VPC
VPC
VPC
VPC
VPC
VPC
DX location
Customer
router
Switch SUPERNAP 8,
Las Vegas, NV
US West (Oregon)
Public VIF
VLAN
800
BGP
BGP
DX devices
Production
Test
Development

DX device Customer
router
Colocation
DX location
Region – Asia Pacific (Singapore)
Private VIF
Region – US West (Oregon)
AWSglobalBackbone
Connecting to VPC using DX gateway
VPC
VPCEC2
EC2
DX gateway
VPCEC2
VLAN 100
N E W !
Switch SUPERNAP 8,
Las Vegas, NV
App 1
App 2
App 1 DR

Customer
router
Colocation
DX location
VLAN 100
Private VIF
Connecting to VPC
VPC
VPCEC2
EC2
Direct Connect
Gateway
VPCEC2
VLAN 100
DX device
App 1
App 2
App 1 DR

Customer
router
Colocation
DX location
VLAN 100
Private VIF
AmazonBackbone
Connecting to VPC
VPC
VPCEC2
EC2
DX gateway
VPCEC2
VLAN 100
DX device
App 1
App 2
App 1 DR

Connecting to VPC over DX
AWS region – US West
(Oregon)
Switch SUPERNAP 8,
Las Vegas, NV
Corporate data center
AWS region – Asia Pacific
(Mumbai)
Switch SUPERNAP 8,
Las Vegas, NV
AWS region – U.S West
(Oregon)
AWS region – U.S East
(Virginia)
AWS region – Central
(Canada)
VPC VPC
VPC VPC
VPC Private VIF
Private VIF
VPC

Transit VPC
C o n n e c t i n g t o A W S

Customer concerns
Implement Layer 7 security for all hybrid traffic
VPC subnet
VPC subnet

Customer concerns
Too many VPN tunnels when connecting to VPCs at scale
Overlapping IP addresses between VPC and remote sites

Transit VPC architecture
Transit VPC architecture enables you to connect to any remote network
while transiting all traffic through a pair of EC2 instances
A
B
Transit VPC
Remote customer officeSpoke VPC

Transit VPC architecture
VPC n
VGW
Subnet 1
AZ 1a
Remote office
Customer
gateway
Amazon S3
VGW
….. VGW
VPC BVPC A
Detached
VGW
DX location
Customer
router
VLAN 100
Subnet 2
AZ 1b
Transit hub VPC
DX device

Transit VPC use cases
• Reducing the number of VPN tunnels from on premises required to connect to a
large number of VPCs
• Implementing a security layer at the transit point
• Allow overlapping IP address range between VPC and on-premises/remote networks
• Requiring remote access to Gateway VPC endpoints
• Building a global VPN infrastructure

Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit

Ähnlich wie Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit