The AWS Virtual Private Cloud platform provides a mature network topology for your ec2 resources. It enables you to restrict access to resources in much finer grained ways than possible in ec2. Additionally, VPC allows site to site VPN; allowing you to extend your non-ec2 networks to ec2. In this presentation, we explore an actual migration from ec2-classic to VPC, with lessons learned along the way.

1. VPC - Flying Blind on a Rocket Cycle
Matthew Boeckman - VP of DevOps at Craftsy.com
@matthewboeckman
http://enginerds.craftsy.com

2. Who is Craftsy
● Instructor led training videos for passionate hobbyists
● #19 on Forbes’ Most Promising Companies 2014

3. VPC - Why
VPC is mature network
topology for AWS

4. VPC - Why
Network ACL’s allow for true
edge blocking

5. VPC - Why
Instances can be members of
multiple Security Groups
SG membership can change
post-instance launch

6. Site to Site VPN connectivity
enables extension of your
network to AWS
VPC - Why

7. Three things
Keep it simple
Get there now
Keep it simple

8. *disclaimer

9. Our stack in ec2-classic

10. What we hate about ec2-classic
● inflexible security groups
● per-IP maintenance of SG’s across regions
● ALLOW TCP 22 FROM 0.0.0.0/0
● no edge
● no edge
● no edge
● no edge

11. Our stack in VPC

12. routing
Private subnets can only route traffic destined for the internet to a
NAT instance (eni-0…). Public subnets route to the IGW. Routes
can be automatically propagated from VPN connections.

13. NAT instances
HOW BIG?!
● we chose m1-medium… because…. it seems big enough?
sure.
● failover

14. Site to Site VPN
● AWS docs on this are perfect - check if your firewall is on the supported
list. If so, one click configuration for your firewall
● A VPN connection - includes two tunnels, connected to two different IP’s
at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER

15. Cross region VPN
http://aws.amazon.com/articles/5472675506466066
http://fortycloud.com/interconnecting-two-aws-vpc-regions/
AWS has no product offering here. You can easily VPN two VPC’s in
the same region but not, you know, in different regions.

16. reservations!
Instance reservations purchased in EC2
classic DO NOT MAGICALLY MOVE TO
VPC
Do. Not. Forget. This. Step.

17. seriously?

18. VPC - flying blind

19. netcat, tcpdump and patience

20. be the packet
host a
host b
SG
SG
ACL
ACL
out
out,in
out,in
out,in
in
out
out,in
out,in
out,in
in

21. LIMITS
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

22. ACL’s ARE NOT STATEFUL
ALLOW tcp 80 src 10.85.0.0/16
ALLOW tcp 443 src 10.85.1.0/24
ALLOW tcp established any
DENY ALL

23. SNS, Redshift, Route53, RDS
SNS - has no legs in VPC. Systems subscribing to SNS topics from private
subnets need an HTTP proxy in a public subnet for SNS to reach them.
Redshift/RDS- has legs in VPC - migrate your redshift or rds instances to
VPC (yay!)
Route53 - no support for “views” in VPC.

24. migration time best time
- use AWS support or account teams
- start with subnets and basic nat, vpn
- dev environments, soak
- preprod, soak

25. cloned production

26. shut it down

27. thank you
QUESTIONS!
Matthew Boeckman
@matthewboeckman
http://enginerds.craftsy.com
(deck will be there & slideshare)