Networking in AWS

©2017AmazonWebServices,Inc.anditsaffiliates.Allrightsserved.Maynotbecopied,modified,ordistributedinwholeorinpartwithouttheexpressconsentofAmazonWebServices,Inc.

Overview

• AWS networking services including:

VPC – Extend your network into a virtual private cloud

Direct Connect – Physical cross connect into AWS

ELB – Managed load balancer service

Route53 – Managed DNS service

EIP – Elastic IP

1Amazon VPC

Amazon VPC

• Virtual network topology that you define• Your own logically isolated section of AWS• Complete control of your networking environment

– IP ranges– Subnets– Routing tables– Gateways

• Multiple Connectivity Options• Advanced Security Features

Networking Building Blocks

Your network goes here

• Bring your own network

Networking Building Blocks

VPC Subnet 1 VPC Subnet 2 VPC Subnet ‘n’

…

Networking Building Blocks

VPC Subnet 1 VPC Subnet 2

• Configure custom routing rules

Plan your VPC IP space before creating it

• Consider future AWS region expansion• Consider future connectivity to corporate networks• Consider subnet design• VPC can be /16 between and /28• CIDR cannot be modified once created• Overlapping IP spaces = future headache

Network Building Blocks

Security Group Firewall

Load Balancer

Security Group Firewall

Security Group Firewall

DB Server

Web(HTTP)

8080Web

ServerWeb

Server

Network Building Blocks

Availability Zone ‘A’ Availability Zone ‘B’

Network Building Blocks

• Routing rules

Availability Zone ‘A’ Availability Zone ‘B’

Network Building Blocks

Customer Network

Network Building Blocks

Customer NetworkAWS Direct

Connect Location

Customer WAN

Network Building Blocks

Customer Network

Network Building Blocks

Customer Network

Network Building Blocks

• Load Balancer• Internet Elastic Load Balancing• Mid-tier Elastic Load Balancing

Customer Network

VPC NAT Gateway

NatGateway

• High availability – built-in redundancy• High bandwidth – up to 10Gbps• Fully Managed by AWS• Assign an EIP to each NAT Gateway• View NAT gateways’ traffic using Flow

Logs• NAT gateways support TCP, UDP, and

ICMP protocols• Network ACLs apply to NAT gateway’s

traffic• CloudTrail Support

Private Route Table

Destination Target

10.0.0.0/16 Local

0.0.0.0/0 IGW

Private Route Table

Destination Target

10.0.0.0/16 Local

0.0.0.0/0 NGW

VPC Endpoints: Amazon S3 access without an Internet Gateway

• No IGW• No NAT• No public IPs• Free • Robust access control

Amazon S3

Connecting to other VPCs - VPC peering

VPC Peering

172.31.0.0/16 10.55.0.0/1610.0.0.0/16

Private Route Table

Destination Target

10.0.0.0/16 Local

172.31.0.0/16 VPC Peer

Private Route Table

Destination Target

171.31.0.0/16 Local

10.0.0.0/16 VPC Peer

2Direct Connect

AWS Direct Connect

AWS Direct Connect Cont’d

3ELB

Elastic Load Balancing• Elastic Load Balancing automatically distributes incoming

application traffic across multiple Amazon EC2 instances.• Two Types: Classic & Application Load Balancer

Elastic Load Balancing

• In-Region Load Balancing Service

• Distributes traffic across multiple Availability Zones – HTTP/S, TCP/S

• Built-in Health Check

• Fully fault-tolerant – Can span multiple AZs

Web Server

AZ-3

Web Server

Web Server

AZ-2

Web Server

Region

Elastic LoadBalancer

Web Server

AZ-1

Web Server

Classic Load Balancer Features:

• High Availability• Health Checks• Security Features• SSL Offloading• Sticky Sessions• IPv6 Support• Layer 4 or 7 Load Balancing• Operational Monitoring• Logging

Application Load Balancer Features:

• Content-Based Routing• Containerized Application Support• HTTP/2 Support• WebSockets Support• Layer-7 Load Balancing• Delete Protection• Request Tracing• Web Application Firewall (WAF)

4Route53

Route53

Route53

Global Traffic Management Example:

Route53 Pricing Dimensions

Route53

Any Questions?