The AWS Virtual Private Cloud platform provides a mature network topology for your ec2 resources. It enables you to restrict access to resources in a much finer-grained way than is possible in ec2-classic. Additionally, VPC allows site-to-site VPN, letting you extend your non-ec2 networks into ec2. In this presentation, we explore an actual migration from ec2-classic to VPC, with lessons learned along the way.
10. What we hate about ec2-classic
● inflexible security groups
● per-IP maintenance of SGs across regions
● ALLOW TCP 22 FROM 0.0.0.0/0
● no edge
12. routing
Private subnets can only route traffic destined for the internet to a
NAT instance (eni-0…). Public subnets route to the IGW. Routes
can be automatically propagated from VPN connections.
14. Site to Site VPN
● AWS docs on this are perfect - check if your firewall is on the supported
list. If so, one click configuration for your firewall
● A VPN connection includes two tunnels, connected to two different IPs
at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER
22. ACLs ARE NOT STATEFUL
ALLOW tcp 80 src 10.85.0.0/16
ALLOW tcp 443 src 10.85.1.0/24
ALLOW tcp established any
DENY ALL
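The "established" rule on this slide has no meaning in a network ACL: AWS evaluates each direction independently and keeps no connection state, so return traffic needs its own explicit rule for the ephemeral port range. The following added example (not from the deck) models that evaluation; the client/server addresses, rule numbers and the two outbound rulesets are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto", defaults=["tcp"])
# number: evaluated lowest first, first match wins; action: "allow"/"deny";
# proto: "tcp"/"udp"/"all"; ports: (low, high) of the packet's destination port;
# cidr: the peer network (source for inbound rules, destination for outbound).
Rule = namedtuple("Rule", "number action proto ports cidr")

def acl_decision(rules, pkt, direction):
    """Stateless network ACL: a packet is judged only by the rules for its own
    direction; nothing records that the reverse packet was allowed earlier."""
    peer = pkt.src if direction == "in" else pkt.dst
    for r in sorted(rules, key=lambda r: r.number):
        if (r.proto in ("all", pkt.proto) and r.ports[0] <= pkt.dport <= r.ports[1]
                and ipaddress.ip_address(peer) in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False  # nothing matched: implicit deny

def sg_decision(rules, conntrack, pkt, direction):
    """Stateful security group, for contrast: a reply to a tracked flow is
    allowed without consulting the rules for its direction."""
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in conntrack:
        return True
    if direction == "in" and acl_decision(rules, pkt, "in"):
        conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True
    return False

# Constructed rulesets: the slide's inbound rules, numbered as a NACL would be,
# and an outbound ACL that has no ephemeral-port rule for return traffic.
INBOUND = [Rule(100, "allow", "tcp", (80, 80), "10.85.0.0/16"),
           Rule(110, "allow", "tcp", (443, 443), "10.85.1.0/24"),
           Rule(32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
OUTBOUND_BROKEN = [Rule(32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
OUTBOUND_FIXED = [Rule(100, "allow", "tcp", (1024, 65535), "10.85.0.0/16")] + OUTBOUND_BROKEN

REQUEST = Packet("10.85.3.7", "10.85.10.5", 51234, 80)  # client -> web server, constructed
REPLY = Packet("10.85.10.5", "10.85.3.7", 80, 51234)    # server -> client

def http_flow_completes(outbound_rules):
    """True only if the request passes the inbound ACL and the reply the outbound ACL."""
    return acl_decision(INBOUND, REQUEST, "in") and acl_decision(outbound_rules, REPLY, "out")
```

With OUTBOUND_BROKEN the request is admitted but the reply is dropped; the security group model allows the same reply because it tracks the flow.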
23. SNS, Redshift, Route53, RDS
SNS - has no legs in VPC. Systems subscribing to SNS topics from private
subnets need an HTTP proxy in a public subnet for SNS to reach them.
Redshift/RDS - have legs in VPC - migrate your Redshift or RDS instances to
VPC (yay!)
Route53 - no support for “views” in VPC.
24. migration time best time
- use AWS support or account teams
- start with subnets and basic nat, vpn
- dev environments, soak
- preprod, soak