Another day, another billion packets - Toronto
TRANSCRIPT
Page 1
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shahbaz Alam, AWS Professional Services
September 2016
Another Day, Another Billion Packets
Page 2
Deja Vu
Page 3
We have the cloud
Amazon EBS, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon EC2, Elastic Load Balancing
Page 4
We have customers
Page 5
Some customers have existing data centers
Page 6
Customers want to make their datacenters work with the cloud
???
Page 7
Whiteboard engineering
Amazon EBS, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon EC2, Elastic Load Balancing
Page 8
EC2 as it was
Instances: 10.44.12.4, 10.44.12.5, 10.44.92.17, 10.44.12.27, 10.108.6.4
Page 9
Why that doesn’t work
Customer network: 192.168.0.0/16
Routing Table
• 192.168.0.0/16: stay here
• 10.44.12.4/32: AWS
• 10.44.92.17/32: AWS
• 10.108.6.4/32: AWS
EC2 side: 10.44.0.0/16 holding 10.44.12.4, 10.44.12.5, 10.44.92.17, 10.44.12.27, plus 10.108.6.4 elsewhere
Page 10
Design Requirements
• Customer selected IP addresses
• Route aggregation for external connectivity
• Conformance with existing network designs
Page 11
Page 12
Amazon Virtual Private Cloud (VPC)
VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)
Customer network: 192.168.0.0/16
Routing Table
• 192.168.0.0/16: stay here
• 172.31.0.0/18: AWS
Page 13
This is just virtual networking!
Subnet ~= VLAN
VPC ~= VRF (virtual routing and forwarding)
But…
Page 14
Scaling challenges
VLAN ID space is constrained
• 12 bits => 4096 total VLANs
VRF support is constrained
• Large routers => 1-2 thousand VRFs
Fixed ratio of VLANs:VRFs
Page 15
Router and capacity dimensions
[Diagram: two Big Routers, each with its own Data Plane and Control Plane]
Page 16
An example
Average router configuration line: 50 chars
Config per VPC: 10 lines
Subnets per VPC: 4
Config per subnet: 5 lines
Total VPCs: 2,000
Config size: 3 MB
Page 17
But…
This doesn’t scale
• 12 bit VLAN ID = 4096 VLANs (not enough)
• BIG routers support 4,000 VRFs ($200k+)
Large VLANs make Network Engineers cry
Tied to vendor bugfix cycles (6 months +)
BIG virtual routers are built by few companies
Interoperability of advanced features is marginal
$$$
Page 18
Silos of capacity (illustrative)
[Diagram: VPCs labelled A through G spread unevenly across separate router capacity silos]
Page 19
Functional requirements
• Scale to millions of environments the size of Amazon.com
• Any server, anywhere in a region can host an instance attached to any subnet in any VPC
Page 20
Let’s review: L2 – Ethernet
Hosts 10.0.0.2 and 10.0.0.3 on one Ethernet Switch
• 10.0.0.2 → broadcast: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP "Who has 10.0.0.3?" The switch floods the ARP request out all ports.
• 10.0.0.3 → 10.0.0.2: L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2), ARP "10.0.0.3 is at MAC(10.0.0.3)". The switch snoops the ARP response and learns the port for MAC(10.0.0.3).
• 10.0.0.2 → 10.0.0.3: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
Page 21
Let’s review: L3 – IP routing
Hosts 10.0.0.2 and 10.0.1.3 on different subnets, each behind its own Ethernet Switch, with a Router (10.0.0.1 / 10.0.1.1) between them
• 10.0.0.2 → broadcast: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP "Who has 10.0.0.1?"
• Router → 10.0.0.2: L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2), ARP "10.0.0.1 is at MAC(10.0.0.1)"
• 10.0.0.2 → Router: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
• Router → 10.0.1.3 (second switch): L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
Page 22
VPC Concepts
[Diagram: Servers 192.168.0.3, 192.168.0.4, … and 192.168.1.3, 192.168.1.4, … each hosting instances with overlapping addresses (10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.4, 10.0.0.2, 10.0.0.5, 10.0.0.3), all talking to the Mapping Service]
Server: Physical hypervisor in an Amazon data center
Instance: Amazon EC2 instance owned by a customer
VPC: Amazon Virtual Private Cloud owned by a customer
VPC ID: Identifier for a VPC such as vpc-1a2b3c4d
Mapping Service: Distributed lookup service. Maps VPC + Instance IP to server
Page 23
L2 - VPC
[Diagram: Servers 192.168.0.3, 192.168.0.4, 192.168.1.3, 192.168.1.4 hosting instances 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.4, 10.0.0.5, 10.0.0.3; Mapping Service]
• Instance 10.0.0.2 (on Server 192.168.0.3) → broadcast: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP "Who has 10.0.0.3?"
• Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.0.3
• Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: 192.168.1.4, MAC: MAC(10.0.0.3)
• ARP reply to the instance: L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2), ARP "10.0.0.3 is at MAC(10.0.0.3)"
Page 24
L2 - VPC
• Instance 10.0.0.2 → 10.0.0.3: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
• Encapsulated between servers: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.1.4, carrying the frame above
• Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.2 is at 192.168.0.3
• Src: Mapping Service, Dst: 192.168.1.4, Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
Page 25
VPC isolation
• Instance 10.0.0.4 (on Server 192.168.0.4) → broadcast: L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff, ARP "Who has 10.0.0.3?"
• Src: 192.168.0.4, Dst: Mapping Service, Query: Grey 10.0.0.3
Page 26
VPC isolation
• Instance 10.0.0.4 (on Server 192.168.0.4) → broadcast: L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff, ARP "Who has 10.0.0.3?"
• Src: 192.168.0.4, Dst: Mapping Service, Query: Blue 10.0.0.3
• 192.168.0.4 is not hosting any instances in VPC Blue. Mapping Denied. Alarm Raised.
Page 27
VPC isolation
• Frame: L2 Src: MAC(10.0.0.4), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.4, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
• Encapsulated: VPC: Blue, Src: 192.168.0.4, Dst: 192.168.1.4
• Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.4 is at 192.168.0.4
• Src: Mapping Service, Dst: 192.168.1.4, Mapping invalid! 192.168.1.4 does not deliver the packet to the instance. Alarm Raised.
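The two checks on pages 23 through 27 (a server may only query mappings for VPCs it hosts, and a receiving server validates the VPC + source IP → sending server binding before delivering) as an added toy model; this is illustration code, not AWS's Mapping Service, and the mapping table, the `MappingService` class and the packet dicts are constructed from the slide diagrams.

```python
# Added example (not from the talk): a toy model of the Mapping Service
# checks shown on pages 23-27. The table below is constructed from the
# slide diagrams; server and instance addresses are the ones on the slides.
from dataclasses import dataclass, field

# (VPC, instance IP) -> (hosting server, instance MAC). Constructed data.
MAPPINGS = {
    ("Blue", "10.0.0.2"): ("192.168.0.3", "MAC(10.0.0.2)"),
    ("Blue", "10.0.0.3"): ("192.168.1.4", "MAC(10.0.0.3)"),
    ("Grey", "10.0.0.4"): ("192.168.0.4", "MAC(10.0.0.4)"),
    ("Grey", "10.0.0.3"): ("192.168.1.3", "MAC(10.0.0.3)"),
}


@dataclass
class MappingService:
    mappings: dict = field(default_factory=lambda: dict(MAPPINGS))
    alarms: list = field(default_factory=list)   # every "Alarm Raised"

    def hosts_vpc(self, server, vpc):
        """True if at least one instance of `vpc` lives on `server`."""
        return any(v == vpc and host == server
                   for (v, _ip), (host, _mac) in self.mappings.items())

    def query(self, requester, vpc, ip):
        """Pages 23/26: resolve VPC + IP, but only for a server that hosts
        an instance in that VPC. Otherwise: Mapping Denied, Alarm Raised."""
        if not self.hosts_vpc(requester, vpc):
            self.alarms.append(f"denied: {requester} queried {vpc} {ip}")
            return None
        return self.mappings.get((vpc, ip))

    def validate(self, receiver, vpc, inner_src, outer_src):
        """Pages 24/27: is (vpc, inner_src) really hosted on outer_src?"""
        entry = self.mappings.get((vpc, inner_src))
        ok = entry is not None and entry[0] == outer_src
        if not ok:
            self.alarms.append(
                f"invalid: {receiver} got {vpc} {inner_src} from {outer_src}")
        return ok


def receive(ms, packet):
    """Receiving server: validate the encapsulation header before handing
    the inner frame to the instance; a spoofed mapping is dropped."""
    valid = ms.validate(packet["outer_dst"], packet["vpc"],
                        packet["inner_src"], packet["outer_src"])
    if not valid:
        return "dropped"
    return f"delivered to {packet['vpc']} {packet['inner_dst']}"


# Constructed packets: the legitimate one from page 24 and the spoofed
# one from page 27 (server 192.168.0.4 claiming to host Blue 10.0.0.4).
GOOD = {"vpc": "Blue", "outer_src": "192.168.0.3", "outer_dst": "192.168.1.4",
        "inner_src": "10.0.0.2", "inner_dst": "10.0.0.3"}
SPOOFED = {"vpc": "Blue", "outer_src": "192.168.0.4", "outer_dst": "192.168.1.4",
           "inner_src": "10.0.0.4", "inner_dst": "10.0.0.3"}

if __name__ == "__main__":
    ms = MappingService()
    print(ms.query("192.168.0.3", "Blue", "10.0.0.3"))   # page 23 lookup
    print(ms.query("192.168.0.4", "Blue", "10.0.0.3"))   # page 26: None
    print(receive(ms, GOOD), receive(ms, SPOOFED), ms.alarms)
```

The alarm list is the detection surface: a spoofed encapsulation header fails validation on the receiving server, so cross-VPC traffic is both dropped and visible.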
Page 28
L3 - VPC
[Diagram: Servers 192.168.0.3, 192.168.0.4, 192.168.1.3, 192.168.1.4 hosting instances 10.0.1.3, 10.0.0.4, 10.0.0.4, 10.0.0.2, 10.0.0.5, 10.0.0.3; Mapping Service]
• Instance 10.0.0.2 (on Server 192.168.0.3) → broadcast: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP "Who has 10.0.0.1?"
• Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.0.1
• Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: Gateway, MAC: MAC(10.0.0.1)
• ARP reply to the instance: L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2), ARP "10.0.0.1 is at MAC(10.0.0.1)"
Page 29
L3 - VPC
• Instance 10.0.0.2 → gateway: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
• Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.1.3
• Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: 192.168.1.4, MAC: MAC(10.0.1.3)
• Encapsulated: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.1.4
• Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.2 is at 192.168.0.3
• Src: Mapping Service, Dst: 192.168.1.4, Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
• Delivered to 10.0.1.3: L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
Page 30
Caching
[Diagram: same Servers, instances and Mapping Service; a further packet L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/… is delivered using the cached mapping]
Page 31
Getting home (or anywhere, really)
VPC 10.0.0.0/18 with subnets 10.0.0.0/24 (10.0.0.7, 10.0.0.8, 10.0.0.9) and 10.0.1.0/24 (10.0.1.12, 10.0.1.51); customer network 172.16.0.0/16
• Packet: L3 Src: 10.0.0.7, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
• Encapsulated: VPC: Blue, Src: 192.168.0.3, Dst: ???
Page 32
Edges
[Diagram: Servers 192.168.0.3, 192.168.0.4; Edges 192.168.4.3, 192.168.4.4; instances 10.0.1.3, 10.0.0.4, 10.0.0.2; Mapping Service]
• Instance 10.0.0.2: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
• Encapsulated: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying the same L3 packet
Mapping Service table:
• Host 10.0.0.4 → 192.168.0.4
• Host 10.0.1.3 → 192.168.0.4
• …
• 172.16.0.0/16 → Edge 192.168.4.3
• …
Page 33
Edges (three different ones) – VPN
• Edge 192.168.4.3 receives: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
• Edge sends: IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Page 34
Edges (three different ones) – AWS Direct Connect
• Edge 192.168.4.3 receives: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
• Edge sends: 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Page 35
Edges (three different ones) – Internet
• Edge 192.168.4.3 receives: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
• Edge sends: L3 Src: 54.148.157.46, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
Page 36
Edges (three different ones)
• VPN, Edge 192.168.4.3: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3 [L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…] → IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54 [same inner packet]
• Direct Connect, Edge 192.168.4.3: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3 [L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…] → 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54 [same inner packet]
• Internet, Edge 192.168.4.3: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3 [L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…] → L3 Src: 54.148.157.46, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
Page 37
A brief diversion – Fun Fact
Image credit: Wikipedia, https://en.wikipedia.org/wiki/1918_Eighth_Avenue
Page 38
Back to our regularly scheduled program…
Page 39
Amazon S3
VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12)
Page 40
Amazon S3 endpoints
VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12)
Page 41
Edges
[Diagram: Servers 192.168.0.3, 192.168.0.4; Edges 192.168.4.3, 192.168.4.4; instances 10.0.1.3, 10.0.0.4, 10.0.0.2]
• Instance 10.0.0.2: L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
• Encapsulated: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.4, carrying the same packet
Mapping Service table:
• Host 10.0.0.4 → 192.168.0.4
• Host 10.0.1.3 → 192.168.0.4
• …
• 172.16.0.0/16 → Edge 192.168.4.3
• S3.us-east-1 → Edge 192.168.4.4
• …
Page 42
A new edge – S3 endpoint
• Edge 192.168.4.4 receives: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.4, carrying L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
• Edge sends: VPC Endpoint 1a2b3c4d, Src: 54.68.100.245, Dst: 54.231.33.89, carrying L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
Page 43
Endpoints and policy
VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12)
Endpoint policy (attached to the VPC endpoint; limits what the endpoint may reach):
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
Bucket policy (attached to the bucket; limits which VPC may reach it):
{
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
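How the two policies on this slide combine, as an added example; this is a simplified evaluator written for illustration, not AWS's policy engine, and the request context keys, the `evaluate` and `request_allowed` functions and the sample requests are assumptions, with the policies copied from the slide.

```python
# Added example (not AWS's evaluation engine): a simplified evaluator for
# the two policies on this slide. It handles only Action/Resource
# wildcards and the StringEquals/StringNotEquals operators used here;
# identity policies, NotAction, NotResource and other operators are ignored.
import fnmatch

# Endpoint policy from the slide (attached to the VPC endpoint).
ENDPOINT_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-bucket-only", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::my_secure_bucket",
                 "arn:aws:s3:::my_secure_bucket/*"]}]}

# Bucket policy from the slide (attached to my_secure_bucket).
BUCKET_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-VPC-only", "Principal": "*",
    "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket",
                 "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22"}}}]}


def _matches(patterns, value):
    """IAM-style '*' wildcard match; patterns may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """ctx is the request context, e.g. {"aws:sourceVpc": "vpc-..."}."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """'Deny' on any matching Deny statement, 'Allow' on a matching Allow,
    None when no statement matches (an implicit deny)."""
    decision = None
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and
                _matches(st["Resource"], resource) and
                _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_allowed(action, resource, ctx):
    """Traffic through the endpoint must satisfy both policies: an explicit
    Deny anywhere wins, otherwise at least one Allow is required."""
    results = [evaluate(p, action, resource, ctx)
               for p in (ENDPOINT_POLICY, BUCKET_POLICY)]
    return "Deny" not in results and "Allow" in results
```

Running it shows the division of labour: the endpoint policy alone cannot stop a request from another VPC (the bucket policy's Deny does that), and the bucket policy alone cannot stop the endpoint reaching other buckets (the endpoint policy's narrow Allow does that).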
Page 44
Nov 10, 2010
Page 45
VPC as a platform
VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)
Page 46
Simple ↔ Complex
Limited ↔ Flexible
EC2 ↔ VPC
Page 47
VPC pricing
Cost per VPC: $0.00
Cost per subnet: $0.00
Upcharge per instance: $0.00
Page 48
Default VPC
VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)
Page 49
Simple ↔ Complex
Limited ↔ Flexible
EC2 - VPC
Page 50
And Today…
VPC CIDR 10.1.0.0/16
Availability Zone A: Public Subnet, Private Subnet
Availability Zone B: Public Subnet, Private Subnet
Instance A 10.1.1.11 /24, Instance B 10.1.2.22 /24, Instance C 10.1.3.33 /24, Instance D 10.1.4.44 /24
Subnets as labelled on the slide: 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16
Page 51
Page 52
Remember to complete your evaluations!