
20190417 AWS Black Belt Online Seminar Amazon VPC Advanced

AWS official online seminars: https://amzn.to/JPWebinar
Past seminar materials: https://amzn.to/JPArchive


  1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. AWS Webinar https://amzn.to/JPWebinar https://amzn.to/JPArchive. Solutions Architect, 2019/4/17. Amazon VPC Advanced [AWS Black Belt Online Seminar]
  2. (no text extracted from this slide)
  3. AWS Black Belt Online Seminar: to ask a question, ① click the speech bubble, ② type your question, ③ click Send. Twitter hashtag: #awsblackbelt
  4. Disclaimer, dated 2019/4/17, AWS (http://aws.amazon.com). AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to change in accordance with the AWS Customer Agreement available at http://aws.amazon.com/agreement/. Any pricing information included in this document is provided only as an estimate of usage charges for AWS services based on certain information that you have provided. Monthly charges will be based on your actual use of AWS services, and may vary from the estimates provided.
  5. Agenda: • VPC Sharing • Transit Gateway • PrivateLink
  6. (no text extracted from this slide)
  7. Tokyo region: Amazon Virtual Private Cloud (VPC) (http://aws.amazon.com/jp/vpc/), the virtual private cloud service. Diagram: a VPC (172.16.0.0/16) with a private subnet and a public subnet, an Internet gateway to the Internet, and a VPN or leased line to existing systems; the network is configured according to requirements. (Bullet text not extracted.)
  8. VPC history (1): • 2009-8 Limited Beta • 2009-12 Unlimited Beta • 2010-2 EBS Support • 2010-9 (MC) • 2011-3 IGW, EIP, NAT instance, NACL, SG • 2011-8 Multi-AZ • 2011-9 DirectConnect (DX) • 2012-6 Multiple IP • 2012-7 Internal ELB • 2013-10 DX MC • 2013-12 Default VPC • 2014-3 VPC peering • 2014-9 R53 Private hosted zone
  9. VPC history (2): • 2015-6 VPC flow logs • 2015-12 NAT gateway • 2016-7 DNS for VPC peering • 2016-8 RDS in your VPC • 2016-12 IPv6 • 2017-8 Add CIDRs • 2017-11 PrivateLink • 2017-11 Inter-Region VPC Peering • 2018-10 BYOIP • 2018-11 Agentless network assessments • 2018-11 Transit Gateway • 2018-12 VPC Sharing • 2018-12 ClientVPN
  10. Reference Network Architecture as of 2019.4. Diagram: the Internet and many accounts, with VPN and AWS Direct Connect terminating on a Transit Gateway with route tables; IAM and cross-account roles. Transit Gateway: Available Q1 2019.
  11. Tokyo region: Amazon Virtual Private Cloud (VPC) features (http://aws.amazon.com/jp/vpc/): • Build a private network on AWS • Realize hybrid configurations between AWS and existing environments • Fine-grained network configuration. Diagram: a VPC (172.16.0.0/16) with a private subnet and a public subnet, an Internet gateway to the Internet, and a VPN or leased line to existing systems; the network is configured according to requirements. Caption: this is the history.
  12. Reference Network Architecture as of 2019.4 (same diagram as slide 10).
  13. VPC Sharing (section title)
  14. Mini-Agenda: VPC – VPC (details not extracted)
  15. Why multi-account?
  16. AWS Answers: AWS Multiple Account Security Strategy
  17. Multi-Account view: Production Account, Test/UAT Account, Development Account, Master Account
  18. (no text extracted from this slide)
  19. Diagram: Production, Test/UAT and Development accounts each own a VPC (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16) connected by peering, each with its own Private VIF and its own NAT gateway; plus the Master Account.
  20. Diagram: Business Unit A and Business Unit B, each with App Production, Test/UAT and Development accounts; every account has its own VPC, NAT gateway, peering connections and Private VIF; plus the Master Account.
  21. (bullet text not extracted from this slide)
  22. (no text extracted from this slide)
  23. Diagram, with VPC sharing: Business Units A and B with App A / App B Production, Test/UAT and Development accounts; the Master Account owns a Prod VPC and a Dev/Test VPC shared with the application accounts, with two NAT gateways and two Private VIFs in total.
  24. Shared VPC considerations: IPv4, AWS (bullet text not extracted)
  25. IP addressing: IPv4 CIDR; VPC peering, Transit VPC (bullet text not extracted)
  26. Diagram: Admin users; Account A (VPC owner) and Account B (participant) in the same AWS Organization; a common VPC with a subnet shared through AWS Resource Access Manager using a Resource Share; an EC2 instance owned by Account A and an RDS instance owned by Account B in the shared subnet, with traffic between them.
  27. VPC Sharing: VPC (bullet text not extracted)
  28. (no text extracted from this slide)
  29. to VPC, VPN (text not extracted)
  30. AWS Transit Gateway: easily interconnect 1000+ VPCs and on-premises networks. Diagram: on-premises data center, AWS VPCs, AWS Transit Gateway.
  31. AWS Transit Gateway: centrally manage routing policies between VPCs and on-premises; supports more than 1000 VPC-to-VPC connections across multiple accounts; flexible route table partitioning and routing rules; scalable; higher throughput across multiple VPN connections; simplified operations.
  32. AWS Transit Gateway: • Centralized management of interconnections among multiple VPCs across accounts • Centralized attachment point for VPN and Direct Connect • Reduce or eliminate configurations that previously required peer-to-peer networks • Higher VPN throughput through ECMP routing (50 Gbps+) • Inter-region peering with AWS Transit Gateway • Low-latency cross-region connectivity over the AWS global network • Regional construct reduces blast radius • Less time to configure connectivity between AWS and on-premises • Easy to manage and monitor in one place • Integration with CloudWatch and VPC Flow Logs • Existing VPC security groups and network access control lists remain usable. Headings: Simplified network configuration; Global Connectivity.
  33. (no text extracted from this slide)
  34. Use case – multiple VPCs: • Customers using multiple VPCs • Customers building applications that span many VPCs • Network services can be shared (DNS, Active Directory, firewall, IDS) • Reduced management overhead
  35. Use case – on-premises connectivity: • Share one VPN or Direct Connect Gateway (DXGW) across all VPCs • Shorter time to connect an on-premises network to multiple VPCs • When adding a VPC to AWS Transit Gateway, no change is required on the customer network being added
  36. Use case – security: • Shared VPC-hosted security tools • Firewall as a service • Web application firewall (WAF), data loss prevention (DLP), intrusion detection/prevention (IDS/IPS) • Scale out with native AWS services
  37. (no text extracted from this slide)
  38. Diagram, AWS Transit Gateway (East-West + North-South, available 1H 2019): accounts in development, test and production environments; outbound services (URL filtering, NAT gateway, DLP/Proxy); edge services (WAF/ADC, SD-WAN VPN/Firewall); inline services (IDS/IPS, Firewall/NGFW); shared services (authentication, monitoring); VPN and AWS Direct Connect; a management account (logging, AWS Organizations, billing, landing zone); IAM and cross-account roles; Transit Gateway route tables.
  39. Diagram, shared services VPC with AWS Transit Gateway: accounts in Development, Testing, Production and an Acquisition group; shared services (authentication, monitoring); Transit Gateway route tables (VRF). Example applications: • Authentication • Logging • DevOps tools • Security resources
  40. AWS Transit Gateway vs. AWS PrivateLink. AWS Transit Gateway: • Many-to-many and one-to-many routing using route tables • Highly scalable • Hourly cost per AZ endpoint (attachment). Scope: network shared services for many VPCs. Trust model: per-VPC trust, centrally managed. Dependency: central management by Transit Gateway. Scale: thousands of spoke VPCs. AWS PrivateLink: • One-to-many connectivity • Highly scalable • Supports overlapping IP addresses • Uses Elastic Load Balancing • Load balancer plus hourly endpoint cost. Scope: application shared services. Trust model: no mutual trust between VPCs. Dependency: load balancer and application architecture. Scale: thousands of spoke VPCs.
  41. Transit Gateway VPN. Consolidating VPNs with Transit Gateway (TGW): • The VPN behaves as if attached to a Virtual Private Gateway (VGW) • Bandwidth, configuration, API, cost and experience are unchanged • The VPN attaches to the TGW instead of a VGW • The same 1.25 Gbps per tunnel as with a VGW. Encryption to the edge of many VPCs: • Traffic is encrypted until it enters the VPC • Traffic between VPCs is not encrypted automatically • Inter-region VPC peering is encrypted by default
  42. Transit Gateway VPN: distributing traffic across multiple tunnels: • Equal Cost Multi Path (ECMP) via BGP multipath • Tested up to 50 Gbps • Split traffic into many small flows, multipart upload, etc. Items to check on the on-premises side: • Multipath BGP support • ECMP support, maximum number of ECMP paths, whether reverse-path forwarding / anti-spoofing checks are enabled • BGP and static route support
  43. AWS Direct Connect and Transit Gateway: encryption by running a VPN over Direct Connect using a public virtual interface. Diagram: Development, Testing, Production and Shared accounts; VPN over AWS Direct Connect into Transit Gateway route tables; Transit Gateway virtual interfaces; a public virtual interface receiving AWS public IP addresses. Support planned for 1H 2019.
  44. Configuration examples (section title)
  45. Unrestricted communication through Transit Gateway (route domains): a single route table, the default routing domain: 10.1.0.0/16 → vpc-att-1xxxxxxx; 10.2.0.0/16 → vpc-att-2xxxxxxx; 10.3.0.0/16 → vpc-att-3xxxxxxx; 10.0.0.0/8 → VPN.
  46. Restricting communication with Transit Gateway (route domains): shared services, VPN and spoke VPCs. VPCs attach to a route table with routes only to shared resources: 10.0.0.0/8 → VPN; 10.4.0.0/16 → vpc-att-4xxxx (routes toward the shared services VPC and the VPN only). Shared resources attach to a route table with routes to all resources: 10.1.0.0/16 → vpc-att-1xxxx; 10.2.0.0/16 → vpc-att-2xxxx; 10.3.0.0/16 → vpc-att-3xxxx; 10.4.0.0/16 → vpc-att-4xxxx (a route to each VPC).
  47. Outbound to the Internet (route domains): a single route table, the default routing domain: 10.1.0.0/16 → vpc-att-1xxxxxxx; 10.2.0.0/16 → vpc-att-2xxxxxxx; 10.3.0.0/16 → vpc-att-3xxxxxxx; 10.0.0.0/8 → VPN; 0.0.0.0/0 → vpc-att-4xxxxxx (route toward the Internet VPC).
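The route-domain layouts in slides 45 to 47 can be checked mechanically before they are applied. The following Python script is an added example, not part of the original deck and not an AWS tool: it models a Transit Gateway as a longest-prefix-match lookup in the route table that the ingress attachment is associated with, and builds a reachability matrix for the open layout (slides 45 and 47), the restricted layout (slide 46) and a hardened variant. The attachment names (vpc-att-1 to vpc-att-4, vpn-att) and all sample addresses are constructed for the example. The hardened variant goes beyond the slides: it adds blackhole routes so that spoke-to-spoke traffic is dropped at the Transit Gateway instead of being forwarded toward the VPN by the 10.0.0.0/8 route.

```python
"""Model of the Transit Gateway route domains shown in slides 45-47.

Attachment ids, route tables and associations are constructed for this example;
they mirror the slides but are not real AWS identifiers."""
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"  # a TGW route whose target is a blackhole drops matching traffic


def lookup(route_table, dst):
    """Longest-prefix match over a list of (cidr, target) routes.

    Returns the target attachment, BLACKHOLE, or None when no route matches
    (the Transit Gateway drops such packets)."""
    addr = ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def forward(associations, src_attachment, dst):
    """Forwarding decision for a packet that entered via src_attachment.

    The TGW consults the route table the *ingress* attachment is associated
    with, which is what makes route domains an isolation boundary."""
    return lookup(associations[src_attachment], dst)


# Slides 45 and 47: one route table (default routing domain) for every attachment.
DEFAULT_DOMAIN = [
    ("10.1.0.0/16", "vpc-att-1"),
    ("10.2.0.0/16", "vpc-att-2"),
    ("10.3.0.0/16", "vpc-att-3"),
    ("10.0.0.0/8", "vpn-att"),
    ("0.0.0.0/0", "vpc-att-4"),  # slide 47: default route toward the Internet VPC
]
OPEN = {a: DEFAULT_DOMAIN for a in ("vpc-att-1", "vpc-att-2", "vpc-att-3", "vpc-att-4", "vpn-att")}

# Slide 46: two route domains.
SHARED_ONLY = [  # spoke VPCs: routes to the shared-services VPC and the VPN only
    ("10.0.0.0/8", "vpn-att"),
    ("10.4.0.0/16", "vpc-att-4"),
]
ALL_ROUTES = [  # shared services and VPN: a route to every VPC
    ("10.1.0.0/16", "vpc-att-1"),
    ("10.2.0.0/16", "vpc-att-2"),
    ("10.3.0.0/16", "vpc-att-3"),
    ("10.4.0.0/16", "vpc-att-4"),
]
RESTRICTED = {
    "vpc-att-1": SHARED_ONLY, "vpc-att-2": SHARED_ONLY, "vpc-att-3": SHARED_ONLY,
    "vpc-att-4": ALL_ROUTES, "vpn-att": ALL_ROUTES,
}

# Beyond the slide (assumption of this example): blackhole routes for the spoke
# prefixes, so spoke-to-spoke packets are dropped at the TGW rather than sent to the VPN.
ISOLATED_SPOKES = SHARED_ONLY + [
    ("10.1.0.0/16", BLACKHOLE), ("10.2.0.0/16", BLACKHOLE), ("10.3.0.0/16", BLACKHOLE),
]
HARDENED = {**RESTRICTED, **{a: ISOLATED_SPOKES for a in ("vpc-att-1", "vpc-att-2", "vpc-att-3")}}


def reachability(associations, destinations):
    """Matrix {source attachment: {destination ip: next hop}} for review."""
    return {src: {dst: forward(associations, src, dst) for dst in destinations}
            for src in associations}


if __name__ == "__main__":
    probes = ["10.2.0.10", "10.4.0.10", "10.200.0.1", "203.0.113.5"]  # constructed sample destinations
    for name, assoc in (("open", OPEN), ("restricted", RESTRICTED), ("hardened", HARDENED)):
        print(name)
        for src, row in reachability(assoc, probes).items():
            print(f"  {src:10} {row}")
```

Running the script shows that in the restricted layout a packet from 10.1.0.0/16 to 10.2.0.0/16 is forwarded to the VPN attachment via the 10.0.0.0/8 route rather than to the other spoke, so spoke isolation there depends on the on-premises side not routing it back; the hardened variant makes the drop explicit at the Transit Gateway. The same lookup can be fed real route tables exported with the AWS CLI (for example `aws ec2 search-transit-gateway-routes`) when reviewing a production deployment.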
  49. PrivateLink (section title)
  50. AWS PrivateLink • https://aws.amazon.com/jp/about-aws/whats-new/2017/11/introducing-aws-privatelink-for-aws-services/ • Access AWS services privately from your Amazon Virtual Private Cloud (VPC) without using public IPs and without traffic traversing the public Internet • Supported services: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html • Recently added: ECR, ECS and Fargate
  51. PrivateLink • Securely connect to services hosted in other AWS accounts and to third-party services on AWS Marketplace • Traffic between your VPC and any of these services does not leave the Amazon network • No Internet gateway, NAT device, public IP address or VPN connection is needed to communicate with the service
  52. AWS Transit Gateway vs. AWS PrivateLink (same comparison as slide 40).
  53. Summary: • VPC Sharing • Transit Gateway • PrivateLink. For Transit Gateway, see the AWS Summit Tokyo Dive Deep session.
  54. Q&A. AWS Japan Blog: https://aws.amazon.com/jp/blogs/news/
  55. AWS Black Belt past seminar materials: https://amzn.to/JPArchive
  56. (bullet text not extracted from this slide)
  57. AWS Webinar https://amzn.to/JPWebinar https://amzn.to/JPArchive