
Page 1: Amazon Virtual Private Cloud Deep Dive - AWSDive+-+Amazon+VPC.… · Amazon Virtual Private Cloud Deep Dive ... • No “transit” capability for VPN, AWS Direct Connect, ... Amazon

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Amazon Virtual Private Cloud Deep Dive

Steve Seymour, Solutions Architect, Networking Specialist

Page 2:

aws vpc --expert-mode

Page 3:

Topics today

Page 4:

Virtual networking options

EC2-Classic
•  Simple to get started: all instances have Internet connectivity, auto-assigned private and public IP addresses
•  Inbound security groups

Default VPC
•  The best of both
•  Get started using the EC2-Classic experience
•  If and when needed, begin using any VPC feature you require

VPC
•  Advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking
•  And more to come...

Page 5:


All accounts created after 12/4/2013 support VPC only and have a default VPC in each region.

Page 6:

Confirming your default VPC:

aws ec2 describe-account-attributes

(the output shows supported-platforms: VPC only)
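Added example, not from the deck: the slide only shows the command, so this reads its JSON output and turns it into the two answers a reviewer wants, whether the account can still launch into EC2-Classic (public IPs on every instance, no egress security groups) and which VPC is the region's default. The JSON is a constructed sample in the CLI's real output shape; the VPC ID in it is made up.

```python
import json

# Constructed sample in the real output shape of
# `aws ec2 describe-account-attributes`; the VPC ID is made up.
SAMPLE_OUTPUT = json.loads("""
{
  "AccountAttributes": [
    {"AttributeName": "supported-platforms",
     "AttributeValues": [{"AttributeValue": "VPC"}]},
    {"AttributeName": "default-vpc",
     "AttributeValues": [{"AttributeValue": "vpc-0a1b2c3d"}]},
    {"AttributeName": "max-instances",
     "AttributeValues": [{"AttributeValue": "20"}]}
  ]
}
""")


def attribute_values(doc: dict, name: str) -> list:
    """All values of one account attribute, or [] if it is not present."""
    for attr in doc["AccountAttributes"]:
        if attr["AttributeName"] == name:
            return [v["AttributeValue"] for v in attr["AttributeValues"]]
    return []


def account_status(doc: dict) -> dict:
    """VPC-only? EC2-Classic still enabled? Default VPC ID for this region?"""
    platforms = attribute_values(doc, "supported-platforms")
    default_vpc = attribute_values(doc, "default-vpc")
    return {
        "vpc_only": platforms == ["VPC"],
        # Accounts from before 12/4/2013 report both "EC2" and "VPC": instances
        # launched into EC2-Classic get public IPs and have no egress security groups.
        "classic_enabled": "EC2" in platforms,
        # The CLI reports the literal string "none" when the region has no default VPC.
        "default_vpc": default_vpc[0] if default_vpc and default_vpc[0] != "none" else None,
    }


if __name__ == "__main__":
    # Live use: replace SAMPLE_OUTPUT with
    # json.loads(subprocess.check_output(["aws", "ec2", "describe-account-attributes"]))
    print(account_status(SAMPLE_OUTPUT))
```

The attribute is regional, so run it once per region you use; a region with no default VPC reports "none" for default-vpc.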

Page 7:

1. Routing & private connections

Page 8:

Implementing a hybrid architecture

Corporate Data Center

Page 9:

Create VPC

Corporate Data Center

aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b

Page 10:

Create VPN connection

Corporate Data Center

aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1

Page 11:

Launch instances

Corporate Data Center

aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3

Page 12:

Using AWS Direct Connect

Corporate Data Center

aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

Page 13:

Configuring route table

Corporate Data Center 192.168.0.0/16

aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7

Each VPC has a single (main) route table at creation time, used by all subnets. With this route, every non-local destination, Internet-bound traffic included, is sent over the VPN to the corporate data center.

Page 14:

Remote connectivity best practices

Corporate Data Center

Availability Zone  Availability Zone

Each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.

Page 15:

Remote connectivity best practices

Corporate Data Center

Availability Zone  Availability Zone

BGP

A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.

Page 16:

Remote connectivity best practices

Corporate Data Center

Availability Zone  Availability Zone

BGP

Redundant AWS Direct Connect connections with VPN backup.

Page 17:

VPC with private and public connectivity

Corporate Data Center 192.168.0.0/16

aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7

Page 18:

Automatic route propagation from VGW

Corporate Data Center 192.168.0.0/16

aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7

Route propagation automatically updates the route table(s) with the routes present in the VGW (learned over BGP from the VPN or AWS Direct Connect), so the static corporate route is no longer needed.

Page 19:

Isolating connectivity by subnet

Corporate 192.168.0.0/16

aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
aws ec2 create-route-table --vpc-id vpc-c15180a4
aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
aws ec2 create-route --route-table-id rtb-fc61b299 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f

Subnet with connectivity only to other instances and the Internet via the IGW: its own route table carries no corporate route and no VGW propagation, so instances in it cannot reach 192.168.0.0/16.

Page 20:

Software VPN for VPC-to-VPC connectivity

# VPC A
aws ec2 modify-network-interface-attribute --network-interface-id eni-f832afcc --no-source-dest-check
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc

# VPC B
aws ec2 modify-network-interface-attribute --network-interface-id eni-9c1b693a --no-source-dest-check
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --instance-id i-9c1b693a

Page 21:

Software VPN for VPC-to-VPC connectivity

Software VPN between these instances

Page 22:

Software VPN for VPC-to-VPC connectivity

Enabling communication between instances in these subnets; adding routes to the default routing table

Page 23:

Software firewall to the Internet

Routing all traffic from subnets to the Internet via a firewall is conceptually similar: the firewall instance (source/destination check disabled, as on the previous slides) becomes the target of the default route, and it must sit in a subnet whose own route table goes straight to the IGW, otherwise its outbound traffic would be routed back to itself.

# Default routing table directs traffic to the NAT/firewall instance
# (use replace-route instead if the table already has a 0.0.0.0/0 route)
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
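Added example, not from the deck: a small model of how the VPC router resolves a destination against the route tables built up on pages 13, 17, 19 and 23, so the effect of splitting the firewall's subnet onto its own table can be checked before touching a live VPC. The implicit "local" route covers the VPC CIDR and otherwise the most specific matching prefix wins, which is how a VPC route table behaves. Route table and target IDs are the ones on the slides; the test addresses are assumed (198.51.100.0/24 is a documentation range standing in for "the Internet").

```python
import ipaddress
from typing import Optional

VPC_CIDR = ipaddress.ip_network("10.10.0.0/16")   # VPC A from the slides
CORPORATE_CIDR = "192.168.0.0/16"                  # corporate data center

# Route tables as {destination prefix: target}. Targets are the IDs used on
# the slides. The "local" route for the VPC CIDR is implicit (see resolve()).
MAIN_RTB = {                                  # rtb-ef36e58a, the main table
    CORPORATE_CIDR: "vgw-f9da06e7",           # corporate via the VPN gateway
    "0.0.0.0/0": "i-f832afcc",                # everything else via the firewall instance
}
FIREWALL_SUBNET_RTB = {                       # table for the firewall's subnet 10.10.3.0/24
    "0.0.0.0/0": "igw-5a1ae13f",              # straight to the Internet gateway;
}                                             # no corporate route: that subnet is isolated

FIREWALL_INSTANCE = "i-f832afcc"


def resolve(route_table: dict, dst: str, vpc_cidr=VPC_CIDR) -> Optional[str]:
    """Target for a packet to `dst`: "local" inside the VPC, otherwise the most
    specific (longest prefix) matching route, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    if ip in vpc_cidr:
        return "local"
    best_len, best_target = -1, None
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def egress_path(dst: str) -> list:
    """Hops for a packet leaving an application subnet (on the main table).
    If it is handed to the firewall instance, the firewall forwards it using
    its own subnet's table, so that table must reach the IGW directly."""
    hops = [resolve(MAIN_RTB, dst)]
    if hops[0] == FIREWALL_INSTANCE:
        hops.append(resolve(FIREWALL_SUBNET_RTB, dst))
    return hops


def forwarding_loop(firewall_subnet_rtb: dict) -> bool:
    """True if the firewall's own subnet would send Internet-bound traffic back
    to the firewall instance, which is what happens if that subnet is left on
    the main table instead of getting the IGW table."""
    return resolve(firewall_subnet_rtb, "198.51.100.1") == FIREWALL_INSTANCE


if __name__ == "__main__":
    for dst in ("10.10.2.17", "192.168.10.5", "198.51.100.1"):
        print(dst, "->", egress_path(dst))
    print("loop if firewall subnet kept the main table:", forwarding_loop(MAIN_RTB))
```

Resolving a corporate address from the isolated firewall subnet returns the IGW, not the VGW: that is the isolation of page 19 made visible, and it also means private-range traffic from that subnet is simply undeliverable.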

Page 24:


Road to Automation - aka CloudFormation

Jackie Wong, Network Manager, Financial Times

Page 25:

Financial Times

•  International Media Company
•  Pioneer of Selling Digital Subscriptions
•  Speed to Market

Page 26:

Repetitive and Manual Deployment

•  Some history …
•  Manual deployment
•  Time Consuming
•  Inconsistent
•  Human Error
•  Repetitive

Page 27:

CloudFormation – JSON

{ "Recognize Similarity" : [
    { "Key" : "Subnets" },
    { "Key" : "Security" },
    { "Key" : "Routing" },
    { "Key" : "Internet" },
    { "Key" : "Corporate" },
    { "Key" : "etc" }
] }

•  Using Mappings and Parameters within JSON to make it [{"Universal"}]
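Added example, not the Financial Times template nor an AWS sample: one CloudFormation template for the hybrid VPC pattern of the earlier slides, made reusable with a Parameter that selects the environment and a Mapping that holds each environment's address plan, plus a local resolver for Ref and Fn::FindInMap so the concrete CIDRs a stack would get can be checked before anything is created. The environment names, CIDRs, mapping name EnvMap and parameter names Environment and CorporateCidr are assumptions; the resource types and intrinsic functions are standard CloudFormation.

```python
import ipaddress
import json

# Assumed per-environment address plan, held in a CloudFormation Mapping so
# that one template creates dev, test or production without being edited.
ENV_MAP = {
    "dev":  {"VpcCidr": "10.10.0.0/16", "SubnetA": "10.10.1.0/24", "SubnetB": "10.10.2.0/24"},
    "test": {"VpcCidr": "10.20.0.0/16", "SubnetA": "10.20.1.0/24", "SubnetB": "10.20.2.0/24"},
    "prod": {"VpcCidr": "10.30.0.0/16", "SubnetA": "10.30.1.0/24", "SubnetB": "10.30.2.0/24"},
}


def env_value(key: str) -> dict:
    """Mapping lookup keyed by the Environment parameter."""
    return {"Fn::FindInMap": ["EnvMap", {"Ref": "Environment"}, key]}


def subnet(cidr_key: str, az_index: str) -> dict:
    return {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "VPC"},
        "CidrBlock": env_value(cidr_key),
        "AvailabilityZone": {"Fn::Select": [az_index, {"Fn::GetAZs": ""}]},
    }}


def build_template() -> dict:
    """The VPC-with-VPN pattern from the CLI slides as one reusable template."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Reusable hybrid VPC (added example)",
        "Parameters": {
            "Environment": {"Type": "String", "AllowedValues": sorted(ENV_MAP)},
            "CorporateCidr": {"Type": "String", "Default": "192.168.0.0/16"},
        },
        "Mappings": {"EnvMap": ENV_MAP},
        "Resources": {
            "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": env_value("VpcCidr")}},
            "SubnetA": subnet("SubnetA", "0"),
            "SubnetB": subnet("SubnetB", "1"),
            "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
            "SubnetAAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                "SubnetId": {"Ref": "SubnetA"}, "RouteTableId": {"Ref": "RouteTable"}}},
            "SubnetBAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                "SubnetId": {"Ref": "SubnetB"}, "RouteTableId": {"Ref": "RouteTable"}}},
            "VPNGateway": {"Type": "AWS::EC2::VPNGateway", "Properties": {"Type": "ipsec.1"}},
            "VPNAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
                "VpcId": {"Ref": "VPC"}, "VpnGatewayId": {"Ref": "VPNGateway"}}},
            # Only the corporate prefix is routed to the VGW, not 0.0.0.0/0.
            "CorporateRoute": {"Type": "AWS::EC2::Route", "DependsOn": "VPNAttachment", "Properties": {
                "RouteTableId": {"Ref": "RouteTable"},
                "DestinationCidrBlock": {"Ref": "CorporateCidr"},
                "GatewayId": {"Ref": "VPNGateway"}}},
        },
    }


def resolve(node, params: dict, mappings: dict):
    """Evaluate Ref-to-parameter and Fn::FindInMap locally, leaving every other
    intrinsic untouched, so the values a stack would get can be checked
    before `aws cloudformation create-stack` is run."""
    if isinstance(node, dict):
        if "Ref" in node and node["Ref"] in params:
            return params[node["Ref"]]
        if "Fn::FindInMap" in node:
            name, key1, key2 = (resolve(x, params, mappings) for x in node["Fn::FindInMap"])
            return mappings[name][key1][key2]
        return {k: resolve(v, params, mappings) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, params, mappings) for x in node]
    return node


def concrete_cidrs(environment: str) -> dict:
    """CIDRs the VPC and subnets would get for one Environment value."""
    template = build_template()
    params = {"Environment": environment,
              "CorporateCidr": template["Parameters"]["CorporateCidr"]["Default"]}
    resources = resolve(template["Resources"], params, template["Mappings"])
    return {name: r["Properties"]["CidrBlock"]
            for name, r in resources.items() if "CidrBlock" in r["Properties"]}


def address_plan_is_sane(corporate: str = "192.168.0.0/16") -> bool:
    """Every subnet inside its VPC, and no VPC overlapping another environment
    or the corporate network, so VPN routing and later peering stay unambiguous."""
    vpcs = [ipaddress.ip_network(corporate)]
    for env in ENV_MAP.values():
        vpc = ipaddress.ip_network(env["VpcCidr"])
        if not all(ipaddress.ip_network(env[k]).subnet_of(vpc) for k in ("SubnetA", "SubnetB")):
            return False
        vpcs.append(vpc)
    return not any(a.overlaps(b) for i, a in enumerate(vpcs) for b in vpcs[i + 1:])


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```

The overlap check is the part worth keeping in a pipeline: CloudFormation will happily create three VPCs with identical CIDRs, and the mistake only surfaces later when peering or the corporate VPN cannot route to them.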

Page 28:

Outcome - Speed to Market

•  Faster deployment
•  Consistent
•  Accurate Deployment
•  Easy to manage and update
•  Stored Centrally

Page 29:

Give it a Go It is addictive………..in a good way!

Page 30:

2. VPC peering

Page 31:

Shared services VPC using VPC peering

•  Common/core services
  –  Authentication/directory
  –  Monitoring
  –  Logging
  –  Remote administration
  –  Scanning

Page 32:

Provides infrastructure zoning

•  Dev: VPC B
•  Test: VPC C
•  Production: VPC D

Page 33:

VPC peering for VPC-to-VPC connectivity

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87

VPC A> aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87

VPC B> aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87

VPC A - 10.10.0.0/16 vpc-c15180a4

VPC B - 10.20.0.0/16 vpc-062dfc63

Page 34:

VPC peering across accounts

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333

# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87

VPC A - 10.10.0.0/16 vpc-c15180a4

VPC B - 10.20.0.0/16 vpc-062dfc63, Account ID 472752909333

Page 35:

VPC peering – Additional considerations

•  Security groups not supported across peerings
  –  Workaround: specify rules by IP prefix
•  No “transit” capability for VPN, AWS Direct Connect, or 3rd VPCs
  –  Example: Cannot access VPC C from VPC A via VPC B
  –  Workaround: Create a direct peering from VPC A to VPC C
•  Peer VPC address ranges cannot overlap
  –  But, you can peer with 2+ VPCs that themselves overlap
  –  Use subnets/routing tables to pick the VPC to use

Page 36:

VPC peering with software firewall

VPC A - 10.10.0.0/16    VPC B - 10.20.0.0/16

# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
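Added example, not from the deck: the three constraints on the "Additional considerations" slide (no security-group references across a peering, no transit, no overlapping peer ranges) checked against a small peering inventory, and the security-group workaround expressed in the JSON shape that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts. VPC A, VPC B and their peering pcx-ee56be87 are the slides'; VPC C, VPC D, their CIDRs and the two extra peerings are assumed so that the transit and overlap cases can be shown.

```python
import ipaddress

# Constructed inventory. VPC A and B and their peering are the slides';
# VPC C, VPC D and the other two peerings are assumed for illustration.
VPCS = {
    "vpc-c15180a4": "10.10.0.0/16",   # VPC A
    "vpc-062dfc63": "10.20.0.0/16",   # VPC B
    "vpc-0c0c0c0c": "10.30.0.0/16",   # VPC C (assumed)
    "vpc-0d0d0d0d": "10.20.0.0/16",   # VPC D (assumed): same range as B
}
PEERINGS = {                           # pcx id -> (requester, accepter)
    "pcx-ee56be87": ("vpc-c15180a4", "vpc-062dfc63"),   # A <-> B
    "pcx-0b0c0b0c": ("vpc-062dfc63", "vpc-0c0c0c0c"),   # B <-> C (assumed)
    "pcx-0a0d0a0d": ("vpc-c15180a4", "vpc-0d0d0d0d"),   # A <-> D (assumed)
}


def _overlap(vpc1: str, vpc2: str) -> bool:
    return ipaddress.ip_network(VPCS[vpc1]).overlaps(ipaddress.ip_network(VPCS[vpc2]))


def invalid_peerings() -> list:
    """Peerings between VPCs whose CIDRs overlap; AWS rejects these."""
    return [pcx for pcx, (x, y) in PEERINGS.items() if _overlap(x, y)]


def reachable(src: str, dst: str) -> bool:
    """No transit: traffic only flows over a peering that directly joins src and dst,
    so A -> B -> C does not make C reachable from A."""
    return any({src, dst} == {x, y} for x, y in PEERINGS.values())


def peers_of(vpc: str) -> list:
    return [y if x == vpc else x for x, y in PEERINGS.values() if vpc in (x, y)]


def ambiguous_peers(vpc: str) -> list:
    """Pairs of peers of `vpc` that overlap each other. Both peerings are
    allowed, but one route table cannot hold a route to both prefixes, so the
    subnets needing each peer must be on their own route table."""
    peers = peers_of(vpc)
    return [(p, q) for i, p in enumerate(peers) for q in peers[i + 1:] if _overlap(p, q)]


def ingress_from_peer(peer_vpc: str, port: int) -> dict:
    """Security group rule for traffic from a peer, in the --ip-permissions
    shape of `aws ec2 authorize-security-group-ingress`. A peer's security
    groups cannot be referenced across the peering, so the rule names the
    peer's prefix instead; narrow it to the peer subnet that actually needs
    access rather than granting the whole VPC."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": VPCS[peer_vpc]}]}


if __name__ == "__main__":
    print("invalid:", invalid_peerings())
    print("A reaches C:", reachable("vpc-c15180a4", "vpc-0c0c0c0c"))
    print("A's overlapping peers:", ambiguous_peers("vpc-c15180a4"))
    print(ingress_from_peer("vpc-062dfc63", 389))
```

Run against a real inventory by filling VPCS and PEERINGS from `aws ec2 describe-vpcs` and `aws ec2 describe-vpc-peering-connections`; the shared-services pattern on page 31 is exactly the case where a forgotten direct peering shows up as an unreachable pair.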

Page 37:


VPC Design for the Enterprise

Eamonn O'Neill, Director, Lemongrass Consulting

Page 38:

Page 39:

VPC Layout (figure; only its labels survive)

Labels shown: Singapore, Singapore, Cloud Controller, Ireland, Website Primary, DR, Tokyo, Workspaces, Ireland.
Accounts: Seaco Main Account, Seaco DR Account, Lemongrass Account.

Page 40:

User Connections to AWS (figure; only its labels survive)

Labels shown: Singapore (Primary); Seaco WAN; Direct Connect (100Mb); Cloud Controller; Lemongrass Support; 3rd Parties; Remote Seaco Users; WAN sites Miami, Shanghai, Hamburg, Singapore, India, London, Livorno, Moscow; VPN (three connections); Remote Desktop Services.

Page 41:

Subnet Layout (figure; only its labels survive)

Primary VPC (ap-southeast-1a and ap-southeast-1b, the same subnet tiers in each AZ):
•  DMZ: VPN Server, Active Directory, Remote Desktop Services
•  Management & Non-SAP: Domain Controller, SQL Server, System Centre 2012
•  SAP Production: Database Servers, App. Servers
•  SAP Non-Production: Database Servers, App. Servers

DR VPC (connected to the Primary VPC by VPC Peering):
•  DMZ: VPN Server
•  SAP DR: Database Servers, App Servers, SAP Web Dispatcher, Domain Controller

Page 42:

Lemongrass Consulting

“Transforming the Workplace through Mobile and Cloud”

S24

Page 43:

Related Presentations – Videos online

https://www.youtube.com/user/AmazonWebServices

•  ARC205 – VPC Fundamentals and Connectivity
•  ARC401 – Black Belt Networking for Cloud Ninja
  –  Application centric, network monitoring, management, floating IPs
•  ARC403 – From One to Many: Evolving VPC Design
•  SDD302 – A Tale of One Thousand Instances
  –  Example of EC2-Classic customer adopting VPC
•  SDD419 – Amazon EC2 Networking Deep Dive
  –  Network performance, placement groups, enhanced networking

Page 44:

LONDON

Please complete your session evaluation!