VPC and DX PoP @ HKG

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC and DX PoP @ HKG
Ken Chan
Product Business Development Manager
Greater China
kenchan@amazon.com

Customers have Data Centers
Depl
oyDeploy

DEVELOPMENT
& TEST
ALL TOGETHER NEW
APPLICATIONS
DIGITAL
ANALYTICS
BIG DATA
MOBILE
DC MIGRATION
MISSION
CRITICAL APPS
ALL IN
1 2 3 4
The journey to AWS is a well-trodden path
HYBIRD

Integrated
networking
Integrated
access control
and VDI
Integrated
storage and
backups and
DR
Integrated
Management
# 10.0.100.0
# 10.0.200.0
Microsoft Active
Directory
Custom
LDAP
App 1
AWS Storage
Gateway
Integrating AWS with existing On-Premises
Infrastructure
Amazon
Workspaces
Amazon
S3
11’s 9
durability
AWS Directory
Service

Create VPC
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

Launch EC2 Instances
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

Establish Public Connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Your default VPC is already
configured this way

I love VPC what about … ?
Security ?
Connectivity Option?
DMZ / No Internet ?
??

VPC Endpoints for Amazon S3:
Getting to Amazon S3 without the Internet

Amazon S3 without an Internet Gateway

Setting up an Amazon S3 endpoint
vpc-c15180a4
rtb-ef36e58a

Routes: Amazon S3 Connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
|+-------------------------------------------------------------------+|
||| Routes |||
||+-----------------------+-----------------------------------------+||
||| DestinationCidrBlock | DestinationPrefixListId | GatewayId ||
||+-----------------------+-------------------------+----------------||
||| 10.10.0.0/16 | | local ||
||| | pl-68a54001 | vpce-a610f4cf ||
+-------------------------+-------------------------+---------------+||

Managed NAT Gateways
Network Address Translation Gateway for AWS

Managed NAT Gateways
• 1 managed NAT per AZ
• No down time in case of failure –
AWS managed availability
Note:
• NAT Gateways Exist within a
public subnet (OR rather their
ENI’s do)

VPC Peering:
Getting between VPCs without the Internet

Shared Services VPC using VPC peering
• Common/Core Services
– Authentication/directory
– Monitoring
– Logging
– Remote administration
– Scanning

VPC peering for VPC-to-VPC Connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63

VPC peering Across Accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
--peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333

VPN and AWS Direct Connect:
Getting between VPC and your data center

Customer
data center
AWS Direct Connect
location
AWS Direct Connect Private Virtual
Interface (PVI) connects to VGW on
VPC
• 1 PVI per VPC
• 802.1Q VLAN Tags isolate traffic
across AWS Direct Connect
Private fiber connection
One or multiple
50 – 500 Mbps,
1 Gbps or 10 Gbps pipes
Simplify with AWS Direct Connect
Public-facing
web app
AWS
region
Prod QA Dev

CORP
AWS Direct
Connect Routers
Customer
Router
Colocation
DX Location
Customer
network
`
AWS backbone
network
Cross-
connect
Customer
router
Customer’s network
Demarcation

CORP
AWS Direct
Connect Routers
Colocation
DX Location
Partner network
AWS backbone
network
Cross-
connect
Customer
router
Partner
network
Access
circuit
Demarcation
Partner
equipment

VPC 1
Private Virtual Interface 1
VLAN Tag 101
BGP ASN 7224
BGP Announce 10.1.0.0/16
Interface IP 169.254.251.5/30 10.1.0.0/16
VGW 1
Multiple VPCs over AWS Direct Connect
Customer
Switch + Router
Customer Interface 0/1.101
VLAN Tag 101
BGP ASN 65001
BGP Announce Customer Internal
Interface IP 169.254.251.6/30
VLAN 101
VLAN 102
VLAN 103
VPC 2
10.2.0.0/16
VGW 2
VPC 3
10.3.0.0/16
VGW 3
VLAN Tag 102
BGP ASN 7224
Interface IP 169.254.251.9/30
VLAN Tag 102
BGP ASN 65002
Interface IP 169.254.251.10/30
VLAN Tag 103
BGP ASN 65003
Interface IP 169.254.251.14/30
VLAN Tag 103
BGP ASN 7224
Interface IP 169.254.251.13/30
Route Table
Destination Target
10.1.0.0/16 PVI 1
10.2.0.0/16 PVI 2
10.3.0.0/16 PVI 3
Customer Internal
Network

Customer internal
network
VPC 1
Public Virtual Interface 1
VLAN Tag 501
BGP ASN 7224
BGP Announce AWS Regional
Public CIDRs
Interface IP Public /30 Provided
10.1.0.0/16
VGW 1
Public AWS + VPCs over AWS Direct Connect
VLAN Tag 501
BGP ASN 65501 (or Public)
BGP
Announce
Customer Public
Interface IP Public /30 Provided
VLAN 101
VLAN 102
VLAN 103
VLAN 501
VPC 2
10.2.0.0/16
VGW 2
VPC 3
10.3.0.0/16
VGW 3
Public AWS
Regions for S3
Route Table
Destination Target
10.1.0.0/16 PVI 1
10.2.0.0/16 PVI 2
10.3.0.0/16 PVI 3
Public AWS PVI 5

Dedicated 1G or 10G port

AWS Direct Connect Requirements
• 1 Gbps: 1000BASE-LX (1310nm) over single-mode fiber (SMF)
• 10 Gbps: 10GBASE-LR (1310nm) over single-mode fiber (SMF)
• Single Connector (SC)
• 802.1Q VLAN Tags
• Auto-negotiation is off
• Full Duplex. Speed is 1Gbps
• Cannot downgrade to 100Mbps
• Private
• AWS will allocate private IPs (/30) in the 169.x.x.x range for the BGP
session and will advertise the VPC CIDR block over BGP
• Public
• A public or private ASN. If you are using a public ASN, you must own
it. If you are using a private ASN, it must be in the 65000 range
• Public IPs (/30) allocated by you for the BGP session

Create Connection to issue LOA

Pass this LOA to our DX partner to get cross connection setup

VPN Connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

Using AWS Direct Connect
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new
virtualInterfaceName=Foo, vlan=10, asn=60, authKey=testing,
amazonAddress=192.168.0.1/24, customerAddress=192.168.0.2/24,
virtualGatewayId=vgw-f9da06e7
Redundant VPN connection

Remote Connectivity Best Practices
Availability Zone Availability Zone
Each VPN connection consists of
2 IPSec tunnels.
Use Border Gateway Protocol
(BGP) for failure recovery.

A pair of VPN
connections (4 IPSec
tunnels total) protects
against failure of your
customer gateway

Redundant AWS Direct
Connect connections
with VPN backup

Putting it All together, what does VPC look like for
Typical Enterprise Hybrid Architecture ?

Availability Zone 1b
Availability Zone 1a
DX
Connection
Internal customers On-Premise
HKG
Symantec DPM
Internet
AWS API
VPC
Peering
Share
Services
AD, DNS
Monitoring
Logging
VPC
Peering
Private Subnet
Apps 1
VPC CIDR: 10.1.0.0/16
Private Subnet
Apps 3
VPC CIDR: 10.3.0.0/16
Private Subnet
Apps 2
VPC CIDR: 10.2.0.0/16
VLAN 101 VLAN 102
VLAN 103
VPC CIDR: 172.1.0.0/16
VPC CIDR: 172.2.0.0/16

I love AWS what about … ?
??
Hybrid
Management ?
Migration ?
Reliability ?
Scalability
Availability ?
Performance ?
Support ?
Skills to adopt
quickly ?
Security ?
Compliance and Audit
?

Certifications and accreditations for
workloads that matter
AWS CloudTrail - AWS API call logging for
governance & compliance
Stores data in S3, or
archive to Glacier
Log and review user
activity
Architected for Enterprise Security Requirements

You are making
API calls...
On a growing set
of services around
the world…
AWS CloudTrail
is continuously
recording API
calls…
And delivering
log files to you
Redshift
AWS CloudFormation
AWS Elastic Beanstalk
AWS CloudTrail

Store/
archive
Troubleshoot
Monitor and alarm
You are
making API
calls...
On a growing set
of AWS services
around the world..
CloudTrail is
continuously
recording API
calls
Amazon Elastic
Block Store
(Amazon EBS)
Amazon S3
bucket
Using CloudWatch and AWS CloudTrail for Real-time Alert

Amazon
SNS
CloudWatch
Logs
Private subnet
Compliance
app
AWS
Lambda
If SSH REJECT > 10,
then…
Elastic
Network Interface
Metric filter
Filter on all SSH
REJECTFlow Log group
CloudWatch
alarm
Source IP
Using CloudWatch and VPC Log for Realtime Alert

AWS Config is a fully managed service that provides you with an
inventory of your AWS resources, lets you audit the resource
configuration history and notifies you of resource configuration
changes.
AWS Config

• VPC Security Groups (mandatory)
– Instance level, stateful
– Supports ALLOW rules only
– Default deny inbound, allow outbound
• VPC NACLs (optional)
– Subnet level, stateless
– Supports ALLOW and DENY
– Default allow all
– Use as guard rails (port 135, 21, 23…)
• EC2 dedicated instance also available
• No Additional cost for SGs/NACLs: $0
Physical Interfaces
Customer 1
Hypervisor
Customer 2 Customer n
…
…
Virtual Interfaces
Firewall
Customer 1
Security Groups
Customer 2
Security Groups
Customer n
Security Groups
Security Group Functional Diagram
Built-In Firewall: Security Groups and NACLs
Amazon VPC

Dedicated Host also Available too !

World Class Storage Systems Amazon EBS
• Increases Performance and Capacity of General Purpose (SSD) and
Provisioned IOPS (SSD) volumes + Encryption using AWS KMS
AWS EBS Volume Types Capacity IOPS Throughput
Amazon EBS General Purpose (SSD) 16 TB
(up from 1TB)
10000 IOPS
(up from 3000 IOPS)
160 MB/s *
Amazon EBS Provisioned IOPS (SSD) 16 TB
(up from 1TB)
20000 IOPS
(up from 4000 IOPS)
320 MB/s *
EBS

Tamper-resistant customer controlled hardware security
modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria
EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and
maintain the appliance
• High availability and replication with on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed
databases and natively with AWS Redshift
• Integrate with applications using Java APIs and AWS SDKs
• Integration with marketplace disk-encryption and SSL
You can store your encryption keys in AWS CloudHSM

AWS IAM (Identity and Access Management)
• Various authentication token issued for each user
 Access key and Secret key for authentication upon use of SDKs
 Security Certificate (X.509)
 Login password for AWS management console
 Multi-Factor Authentication (MFA) device
 For providing additional level of security for management console
AWSDevelopers O&M

AWS IAM (Identity and Access Management) Continue…
Authorizes every request from API
and Management Console
All
operations
granted
All S3
operations
granted
S3 Read-only
access
granted
Administrator group
Developer group
O&M group

New directory in AWS Connect existing directory to AWS
Simple AD AD Connector
Based on Samba 4 Custom federation proxy
On-premises
AWS Directory Services
Directory
Connect
DX

p2.16xlarge
vCPU = 16
732GB RAM
x1.32xlarge
vCPU = 128
2TB RAM
X1 Memory Optimized Instances
Intel® Xeon E7-8880 v3 (Haswell) Processors
This custom processor, designed specifically for EC2
Support Enhanced Networking (SRIOV)
I/O Performance: Very High (20 Gigabit Ethernet) via ENA
Broad Set of Compute Instance Types …
P2 GPU Instances
Intel® Xeon® E5-2686 v4 (Broadwell) processors
NVIDIA K80 GPU
Support Enhanced Networking (SRIOV)
I/O Performance: Very High (20 Gigabit Ethernet) via ENA
16 x NVIDIA GPUs
2496 Cores
12GB Memory
GPU P2P

Availability Zone A
Region
Availability Zone B
High Availability across data centers Multi AZ
Amazon EC2 SLA 99.95%
Amazon RDS SLA 99.95% for
Multi-AZ

AWS Services Health Dashboard Reliability Track Record
• Real time update
– http://status.aws.amazon.com/

AWS Management Portal for vCenter
VM Import/Export also available
for vmdk, vhd and ova

AWS Application Discovery Services

Customer
premises
Application users
AWS
• Start a replication instance
• Connect to source and target
databases
• Select tables, schemas, or
databases
 Let AWS DMS create tables,
load data, and keep them in
sync
 Switch applications over to the
target at your convenience
AWS
DMS
AWS DX
Amazon Database Migration Services (DMS)

Amazon Server Migration Services (SMS)

Run Command Maintenance
Window
Inventory
State Manager Parameter Store
Patch Manager
Automation
Deploy, Configure,
and Administer
Track and
Update
Shared
Capabilities
Amazon EC2 System Manager (Manage Hybrid Environment)

Support for many language stacks and tools
Android iOS Java nodeJS .NET PHP Python Ruby
and specialized cloud tools integrated in your development environment
Eclipse Visual Studio CLI Powershell
AWS provide Rich set of APIs for programming platform or language

AWS Hong Kong CustomersAWS Customers in Hong Kong

AWS Instructor-Led
Training Courses
24x7 AWS Business
and Enterprise
Support
AWS
Professional
Services
AWS are ready to serve you !
• Cloud Adoption Framework
• Architecture Jumpstart
• Application Portfolio Assessment
• Security Operations Playbook
• Resident Architect

Remember to complete your
evaluations!

Thankyou
Ken Chan
Product Business Development Manager
Greater China
kenchan@amazon.com

VPC and DX PoP @ HKG

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to VPC and DX PoP @ HKG

Similar to VPC and DX PoP @ HKG (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

VPC and DX PoP @ HKG

Editor's Notes