(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014

November 14, 2014 | Las Vegas, NV Kevin Miller, Sr. Manager, AWS EC2 Networking


DESCRIPTION

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this talk, we discuss advanced tasks in Amazon VPC, including the implementation of VPC peering, the creation of multiple network zones, the establishment of private connections, and the use of multiple routing tables. We also provide information for current EC2-Classic network customers and help you prepare to adopt Amazon VPC.

TRANSCRIPT

Page 1: (SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014

November 14, 2014 | Las Vegas, NV

Kevin Miller, Sr. Manager, AWS EC2 Networking

Page 2:
Page 3:
Page 4:

EC2-Classic: Simple to get started – all instances have Internet connectivity, auto-assigned private and public IP addresses, inbound security groups.

Default VPC: The best of both. Get started using the EC2-Classic experience; if and when needed, begin using any VPC feature you require.

VPC: Advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, Enhanced Networking, and more to come...

Page 5:

All accounts created after 12/4/2013 support VPC only and have a default VPC in each region.

Page 6:

describe-account-attributes: VPC only

Page 7:
Page 8:

Corporate Data Center

Page 9:

Corporate Data Center

aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

Page 10:

Corporate Data Center

aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

Page 11:

Corporate Data Center

aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

Page 12:

Corporate Data Center

aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

Page 13:

Corporate Data Center

192.168.0.0/16

aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7

Each VPC has a single routing table at creation time, used by all subnets.

Page 14:

Corporate Data Center

Availability Zone | Availability Zone

Each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.

Page 15:

Corporate Data Center

Availability Zone | Availability Zone

A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.

Page 16:

Corporate Data Center

Availability Zone | Availability Zone

Redundant AWS Direct Connect connections with VPN backup.

Page 17:

Corporate Data Center

192.168.0.0/16

aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7

Page 18:

Corporate Data Center

192.168.0.0/16

aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7

Used to automatically update routing table(s) with routes present in the VGW.

Page 19:

Corporate

192.168.0.0/16

aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
aws ec2 create-route --ro rtb-fc61b299 --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

Subnet with connectivity only to other instances and the Internet via the IGW.
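The subnet plan built on pages 9 and 19 (10.10.0.0/16 carved into /24 subnets), checked for consistency before any create-subnet call is issued. This is an added example, not code from the talk; the reserved-address count and the /16 to /28 bound are AWS limits stated here, not slide content.

```python
"""Sanity checks for a subnet plan like the one built on pages 9 and 19
(10.10.0.0/16 split into /24 subnets). Added example, not code from the
talk; the CIDRs and zones below are the ones from the slides."""
import ipaddress
from itertools import combinations

# AWS reserves the first four addresses and the last address of each subnet.
RESERVED_PER_SUBNET = 5
# IPv4 VPC subnets must be between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28

VPC_CIDR = "10.10.0.0/16"
SUBNETS = {  # subnet CIDR -> Availability Zone, as created on the slides
    "10.10.1.0/24": "us-west-2a",
    "10.10.2.0/24": "us-west-2b",
    "10.10.3.0/24": "us-west-2b",
}


def usable_hosts(cidr):
    """Addresses instances can actually be assigned in a subnet this size."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, nets = [], {}
    for cidr in subnets:
        try:
            nets[cidr] = ipaddress.ip_network(cidr)  # strict: host bits must be 0
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid network ({exc})")
    for cidr, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC {vpc_cidr}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{cidr}: subnet must be between /16 and /28")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    return problems
```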

Page 20:

# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc

# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a

Page 21:

Software VPN between these instances

Page 22:

Enabling communication between instances in these subnets; adding routes to the default routing table

Page 23:

Routing all traffic from subnets to the Internet via a firewall is conceptually similar

# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

Page 24:
Page 25:

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87

VPC A - 10.10.0.0/16 (vpc-c15180a4)
VPC B - 10.20.0.0/16 (vpc-062dfc63)

Page 26:

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333

# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87

VPC A - 10.10.0.0/16 (vpc-c15180a4)
VPC B - 10.20.0.0/16 (vpc-062dfc63), Account ID 472752909333

Page 27:
Page 28:
Page 29:
Page 30:

VPC A - 10.10.0.0/16 | VPC B - 10.20.0.0/16

# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87
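As an added example (not code from the talk), the two-table design of pages 17, 23 and 30 modelled as a longest-prefix-match lookup, so you can confirm which hop a packet takes before touching a real route table. Route-table, gateway, peering and instance IDs are the slides'; the combined topology and the assumption that the NAT/firewall instance i-f832afcc sits in the 10.10.3.0/24 subnet governed by rtb-67a2b31c are constructed for illustration.

```python
"""Model of how a VPC route table resolves a destination, for the two-table
design on pages 17, 23 and 30. Added example, not code from the talk: IDs are
the slides', the combined topology is constructed for illustration."""
import ipaddress

# Each table is a list of (destination CIDR, target). The "local" route for
# the VPC CIDR is present in every table and cannot be removed.
ROUTE_TABLES = {
    # Default table (10.10.1.0/24 and 10.10.2.0/24): corporate prefix to the
    # VGW, peer VPC and Internet traffic to the NAT/firewall instance.
    "rtb-ef36e58a": [
        ("10.10.0.0/16", "local"),
        ("192.168.0.0/16", "vgw-f9da06e7"),
        ("10.20.0.0/16", "i-f832afcc"),
        ("0.0.0.0/0", "i-f832afcc"),
    ],
    # Table for 10.10.3.0/24: straight to the IGW and the peering connection.
    "rtb-67a2b31c": [
        ("10.10.0.0/16", "local"),
        ("10.20.0.0/16", "pcx-ee56be87"),
        ("0.0.0.0/0", "igw-5a1ae13f"),
    ],
}
# Assumption: the firewall instance sits in 10.10.3.0/24, so packets it
# forwards are routed by that subnet's table.
INSTANCE_TABLE = {"i-f832afcc": "rtb-67a2b31c"}


def next_hop(table_id, destination):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in ROUTE_TABLES[table_id]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no route, packet is dropped


def trace(table_id, destination, max_hops=4):
    """Follow instance targets through their own subnet's table."""
    path = []
    for _ in range(max_hops):
        hop = next_hop(table_id, destination)
        path.append(hop)
        if hop not in INSTANCE_TABLE:
            return path
        table_id = INSTANCE_TABLE[hop]
    raise RuntimeError("routing loop: " + " -> ".join(map(str, path)))
```

trace() on the default table shows the property the design relies on: Internet and peer-VPC traffic from the ordinary subnets always passes the firewall first, while 10.10.3.0/24 reaches the IGW and the peering connection directly.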

Page 31:
Page 32:
Page 33:
Page 34:
Page 35:
Page 36:

Classic environment: 2 security groups, a load balancer, and instances.

ELB

Page 37:

ELB

Page 38:

ELB, AMI, EBS, Snapshot

Page 39:

ELB, AMI, EBS, Snapshot

Page 40:

AMI, EBS, Snapshot

Page 41:

Pros                            | Cons
One time move                   | Requires (longer) maintenance window
Easy back-out plan              | Test up-front
Easier for smaller deployments  | Harder for larger deployments

You can dry-run this whole sequence without turning off the Classic instances.

Page 42:
Page 43:

ELB

Page 44:
Page 45:
Page 46:

Pros                                        | Cons
Shorter, per-component maintenance windows  | Requires maintenance windows
Per component back-out plans                | Takes longer to complete migration
Easier for larger deployments               | Per component integration (EIPs/Elastic Load Balancing, CIDR-based security group rules)

Page 47:
Page 48:
Page 49:

RDS DB Instance, Amazon Route 53, ELB

Page 50:

RDS DB Instance, ELB, Amazon Route 53

Page 51:

RDS DB Instance, ELB, Amazon Route 53

Page 52:

RDS DB Instance, ELB, Amazon Route 53

Page 53:

RDS DB Instance, ELB, Amazon Route 53

Page 54:

Amazon Route 53, RDS DB Instance

Page 55:

Amazon Route 53, RDS DB Instance

Page 56:

Pros                                                          | Cons
(Potentially) No maintenance window                           | Additional complexity during migration
Direct private IP connectivity and security group integration | Still need to replace EC2-Classic instances with new VPC instances
Designed for the largest deployments                          |

Page 57:

EC2-Classic, ClassicLink, RDS DB Instance, ElastiCache Cache Node, Elastic Load Balancing

Page 58:
Page 59:
Page 60:

vpc-4325f426

To use ClassicLink, the VPC must have this feature enabled. Can be restricted with IAM policy.

Page 61:

i-2b3ecd1c
vpc-4325f426 sg-da107fbf

Link this specific instance to the VPC using the specified VPC security groups.

Page 62:

i-2b3ecd1c
vpc-4325f426 sg-da107fbf

Link required after Run (new instance launch) or Start (stopped instance).

Page 63:
Page 64:

http://bit.ly/awsevals