© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS networking fundamentals
NET201-R
Alan Halachmi
Director, Public Sector
AWS Solutions Architecture
Amazon Web Services
Steve Seymour
WW Tech Leader, Networking
AWS Solutions Architecture
Amazon Web Services
AWS global infrastructure
[Diagram, built up over several slides: an AWS Region (US-EAST-1) contains Availability Zones (US-EAST-1A, US-EAST-1B); each Availability Zone is made up of data centers holding racks, hosts, and EC2 instances; a VPC spans the Availability Zones within the Region.]
Amazon Virtual Private Cloud (Amazon VPC)
Subnets
EC2 instances
Gateways, endpoints & peering
[Diagram, built up over several slides: a VPC spanning Availability Zones US-EAST-1A and US-EAST-1B, with a public subnet and a private subnet in each; EC2 instances are placed in the subnets, with web servers in the public subnets and application servers in the private subnets; the gateways, endpoints and peering connections covered later attach to this VPC.]
Example web application
[Diagram: an ELB in front of web servers in the public subnets, which sit in a Web Server security group; application servers in the private subnets sit in an App Server security group; the VPC spans US-EAST-1A and US-EAST-1B.]
IP addressing
Private IP address range for your VPC – IPv4
• “CIDR” range?
• Classless Inter-Domain Routing
• No more Class A, B, C
• RFC 1918
  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8
• How much? /16 to /28
Where to use IPv4 addresses?
[Diagram: the VPC's four subnets across US-EAST-1A and US-EAST-1B each carry a subnet range carved from the VPC's 172.31.x.x CIDR.]
IPv6 basics
IPv6: colon-separated hextet notation + CIDR
Full form:             2001:0db8:0ec2:0000:0000:0000:0000:0001/64    0000:0000:0000:0000:0000:0000:0000:0001/128
Leading zeros dropped: 2001:db8:ec2:0:0:0:0:1/64                    0:0:0:0:0:0:0:1/128
Zero run collapsed:    2001:db8:ec2::1/64                            ::1/128
Unicast addresses
• Loopback address: ::1
• Link-local address (LLA): fe80::/10 (fe80::/64 in practice)
• Global unicast address (GUA): 2600:1f16:14d:6300::/64
Multicast addresses (ff00::/8)
• All nodes: ff02::1
• All routers: ff02::2
• Solicited node: ff02::1:ff00:0/104
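The notation rules above, worked as an added example (this code is not from the deck): the compression is written out by hand so each step is visible, and the scope check uses the standard library against the prefixes the slide lists.

```python
import ipaddress


def expand_hextets(addr):
    """Expand any textual IPv6 form into eight four-digit hextets."""
    if "::" in addr:
        head, tail = addr.split("::", 1)
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        hextets = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        hextets = addr.split(":")
    if len(hextets) != 8:
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return [h.zfill(4) for h in hextets]


def compress(addr):
    """Shortest form as on the slide: drop leading zeros in each hextet, then
    collapse the longest run of two or more zero hextets (the first run on a
    tie, per RFC 5952) into '::'."""
    hextets = [h.lstrip("0") or "0" for h in expand_hextets(addr)]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(hextets)
    return (":".join(hextets[:best_start]) + "::"
            + ":".join(hextets[best_start + best_len:]))


def scope(addr):
    """Classify an address by the prefixes listed on the slide."""
    ip = ipaddress.IPv6Address(compress(addr))
    if ip == ipaddress.IPv6Address("::1"):
        return "loopback"
    if ip in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if ip in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "other"
```

A lone zero hextet is left as `0` rather than collapsed, which is why `2001:db8:0:1:1:1:1:1` stays unchanged.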
IPv6 on AWS
• /56 VPC
• /64 subnets
• Dual stack
• Link-local address and global unicast address required
Where to use IPv6 addresses?
[Diagram: each instance carries an IPv4 private address, an IPv6 link-local address (private) and an IPv6 global unicast address (public). The VPC holds 2600:1f16:14d:6300::/56 alongside its 172.31.x.x IPv4 ranges; the subnets across US-EAST-1A and US-EAST-1B take /64s from it: 2600:1f16:14d:6300::/64, 2600:1f16:14d:6301::/64, 2600:1f16:14d:6328::/64, 2600:1f16:14d:6329::/64.]
The “5 Things” required for Internet traffic
1. Public IP Address
2. Internet Gateway Attached to a VPC
3. Route to an Internet Gateway
4. NACL Allow Rule
5. Security Group Allow Rule
Public IP addresses for your instances
• Auto-assign public IP addresses
• Elastic IP Addresses (EIP)
• Amazon EIP Pool
• Bring Your Own IP (BYOIP) Pool
[Diagram: public IP addresses assigned to instances in the subnets across US-EAST-1A and US-EAST-1B.]
Gateways, endpoints & peering
• Customer Gateway
• Endpoints
• Internet Gateway
• NAT Gateway
• Peering connection
• VPN Gateway
• AWS Transit Gateway
Internet access
Different routes for different subnets: public subnet and private subnet
Public & private subnets
Network Address Translation (NAT) Gateway
[Diagram, built up over several slides: the public subnet routes directly to the Internet Gateway, while the private subnet reaches the Internet through a NAT Gateway.]
Network security
• Network ACLs
• Security Groups
• VPC Flow Logs
• Amazon VPC Traffic Mirroring
[Diagram: the example web application (ELB, web servers in the public subnets, application servers in the private subnets) is used to illustrate each control.]
Network ACLs
[Diagram: network ACLs on the public and private subnets of the example application.]
Security groups – Inbound
Security groups – Outbound
[Diagram: the Web Server security group sg-0f004ca5495132527 on the web servers and the App Server security group sg-090a960aee374b3cd on the application servers, shown first with their inbound rules and then with their outbound rules.]
VPC flow logs
• Delivered to Amazon CloudWatch Logs or Amazon S3
• Does not impact throughput or latency
• Apply to a VPC, a subnet, or an ENI
• Capture accepted, rejected, or all traffic
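Added example, not from the deck: what a defender does with the rejected records the slide mentions. It parses the default (version 2) flow log record layout, which the slide does not list field by field, and summarises REJECT records; the sample records, account id and ENI id are constructed.

```python
from collections import Counter, defaultdict

# Default flow log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): one web server ENI that
# accepts HTTPS and rejects a few probes; the account and ENI ids are made up.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 172.31.1.5 51234 443 6 10 4200 1575000000 1575000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 172.31.1.5 40001 22 6 1 60 1575000000 1575000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 172.31.1.5 40002 3389 6 1 60 1575000000 1575000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 172.31.1.5 40003 8080 6 1 60 1575000000 1575000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 172.31.1.5 51235 22 6 1 60 1575000000 1575000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1575000000 1575000060 - NODATA
"""


def parse_records(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no flow."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def rejected_ports(records):
    """Count REJECT records per destination port: what the NACL or security
    group dropped, which an 'accepted only' flow log would never show."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


def probing_sources(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct
    destination ports within the window; sorted for stable output."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_LOG))
    print(rejected_ports(recs))     # Counter({22: 2, 3389: 1, 8080: 1})
    print(probing_sources(recs))    # ['198.51.100.7']
```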
Amazon VPC traffic mirroring
• Mirror to another ENI or to a Network Load Balancer with a UDP listener
• Packet copy; shares the source interface's bandwidth
• Traffic mirror filters define the “interesting traffic”
• A traffic mirror session is the combination of source, target, and filter
High availability & scale
Elastic Load Balancing (ELB) distributes incoming application or network traffic across multiple targets, such as Amazon EC2 instances, containers, Lambda functions, and IP addresses, in multiple Availability Zones.
ELB: Options
• Application Load Balancer
• Network Load Balancer
• Classic Load Balancer
[Diagram: Elastic Load Balancing in front of web server targets and an IP target.]
ALB: Components
[Diagram: a Listener with Listener Rules (for example, forward /img/* to one Target Group, otherwise the default rule), Target Groups containing Targets, and a Health check per Target Group.]
Example web application
Example web application – Final
[Diagram: the ELB fronts the web servers, which sit in the Web Server security group; the application servers sit in the App Server security group in the private subnets; the final slide shows the completed layout across US-EAST-1A and US-EAST-1B.]
Connecting between VPCs
VPC peering – same region
[Diagram, built up over several slides: three VPCs in the AWS Cloud, first unconnected, then joined pairwise by peering connections until every VPC is peered with every other.]
VPC peering – different region
VPC peering – different account
VPC peering – things to know
• Can reference security groups from the peer VPC in the same region
• Can enable DNS hostname resolution to return private IP addresses
• Can peer for both IPv4 & IPv6 addresses
• Cannot have overlapping IP addresses
• Cannot have multiple peers between the same pair of VPCs
• Cannot use jumbo frames across inter-region VPC peering
AWS site-to-site VPN setup – VGW
AWS site-to-site VPN – CGW
AWS site-to-site VPN
[Diagram, built up over several slides: VPC 10.0.0.0/16 with a Virtual Private Gateway (VGW) on one side and the corporate data center 172.16.0.0/16 with a Customer Gateway (CGW) on the other. The CGW's IP address is not needed when a certificate is used. One VPN connection is two VPN tunnels. The VGW knows how to reach 172.16.0.0/16, but an instance in the VPC does not until its route table gets the entry “172.16.0.0/16 via VGW”. One VPN tunnel is 1.25 Gbps, and one tunnel is always preferred.]
AWS Direct Connect – physical connection
[Diagram: the customer router in the corporate data center (172.16.0.0/16) connects to a customer router at the Direct Connect location, which cross-connects to an AWS router and on to the AWS Global Network.]
AWS Direct Connect – Interface types
• Private VIF – used to connect to Amazon VPCs using private IP addresses, directly or via a Direct Connect gateway
• Transit VIF – used to connect to AWS Transit Gateways via a Direct Connect gateway
• Public VIF – used to access all AWS public services using public IP addresses
All virtual interfaces are 802.1Q VLANs with BGP peering.
AWS Direct Connect gateway – Private VIF
[Diagram: a Private Virtual Interface from the corporate data center (172.16.0.0/16) terminates on a Direct Connect gateway, which attaches to VPCs 10.0.0.0/16, 10.1.0.0/16 and 10.2.0.0/16 across two Regions.]
Route propagation
• Enable propagation on the route table
• The route table is then automatically populated with anything the VGW learns via BGP
[Diagram: VPC 10.0.0.0/16 with a VGW connected to the corporate data center (192.168.0.0/16) over DX or site-to-site VPN.]
AWS Direct Connect – Public VIF
[Diagram: a Public Virtual Interface from the corporate data center (172.16.0.0/16) reaches AWS public services such as Amazon Simple Storage Service (Amazon S3), Amazon CloudWatch and Amazon DynamoDB over the AWS Global Network.]
Interconnecting VPCs at scale – VPC peering
[Diagram, built up over several slides: as more VPCs are added, full-mesh peering needs a separate peering connection for every pair of VPCs.]
Multiple VPCs access models – AWS Transit Gateway
[Diagram: the same VPCs each attach once to an AWS Transit Gateway, which acts as the hub.]
AWS Transit Gateway with AWS site-to-site VPN
[Diagram: three VPCs and a VPN attachment to the corporate data center (172.16.0.0/16) on one AWS Transit Gateway. VPC route table: 172.16.0.0/16 via TGW. TGW route table: 172.16.0.0/16 via VPN.]
AWS Transit Gateway with DX gateway
[Diagram: a Transit Virtual Interface from the corporate data center (172.16.0.0/16) terminates on a DX gateway, which connects to an AWS Transit Gateway in each of two Regions; the Transit Gateways attach VPCs 10.0.0.0/16, 10.1.0.0/16 and 10.2.0.0/16.]
Amazon Route 53 Resolver
• VPC+2 Resolver
• enableDnsHostnames
• enableDnsSupport
• Private hosted zones
• Inbound and outbound endpoints
[Diagram: VPC 10.0.0.0/16 with an instance at 10.0.0.2 querying the Route 53 Resolver, which answers from the private hosted zone example.aws.]
VPC DNS options
• Use Amazon DNS server
• Have EC2 auto-assign DNS host names to instances
Amazon Route 53 private hosted zones
[Diagram: a private hosted zone mapping example.demohostedzone.org → 172.31.0.99.]
Associating private hosted zones to multiple VPCs
[Diagram: VPC 10.0.0.0/16 (instance 10.0.0.2) and VPC 10.1.0.0/16 (instance 10.1.0.2) each have their own Route 53 Resolver; the private hosted zones example.aws and example2.aws are associated with the VPCs that need to resolve them.]
Resolving AWS domains from on-premises – Route 53 Resolver
[Diagram: a DNS server in the corporate data center (172.16.0.0/16) forwards queries to a Route 53 Resolver inbound endpoint (an ENI in VPC 10.0.0.0/16), which answers from the private hosted zone example.aws, e.g. 10.0.0.2.]
Resolving on-premises domains from AWS – Route 53 Resolver
[Diagram: an instance in VPC 10.0.0.0/16 queries the Route 53 Resolver; a resolver rule (FORWARD example.internal TO the on-premises server) sends the query out through a Route 53 Resolver outbound endpoint (an ENI) to the DNS server in the corporate data center, which holds the private zone example.internal.]
Other AWS services in your VPC
• Amazon Relational Database Service (Amazon RDS)
• Amazon WorkSpaces
• AWS Lambda
• VPC-2-VPC NAT (V2N)
[Diagram, one slide per service: the service runs in its own service VPC and projects into your subnets across US-EAST-1A and US-EAST-1B. RDS: two RDS instances (P and S) in the service VPC; WorkSpaces: a streaming gateway in the service VPC and WorkSpaces in your subnets; Lambda: the Lambda service VPC reaches your VPC through VPC-to-VPC NAT (V2N).]
Gateway VPC endpoints
[Diagram, built up over several slides: instances in US-EAST-1 need to reach Amazon S3 and DynamoDB. With only an Internet Gateway (IGW) and the main route table, that traffic leaves through the IGW; adding a Gateway VPC Endpoint and the matching route in the main route table sends it to the endpoint instead, so instances in private subnets with no IGW at all can still reach S3 and DynamoDB.]
Interface VPC endpoints (AWS PrivateLink)
[Diagram, built up over several slides: instances in private subnets reach services such as Amazon API Gateway, Amazon CloudWatch, AWS CodeCommit, Amazon Simple Queue Service (Amazon SQS), AWS Systems Manager, AWS Transfer for SFTP and Amazon Kinesis Data Streams. Without an endpoint, sqs.us-east-1.amazonaws.com resolves to a public address (52.94.242.77); with an interface endpoint in each Availability Zone, the same name resolves to the endpoint ENIs' private addresses (172.31.1.5 / 172.31.2.7).]
AWS PrivateLink – your own services
[Diagram: a consumer VPC (172.31.0.0/16) reaches a service in a provider VPC (10.50.0.0/16) fronted by a Network Load Balancer, via interface endpoints in its private subnets.]
AWS PrivateLink – your own services – on-prem
[Diagram: the corporate data center (172.16.0.0/16) reaches the same NLB-fronted service over DX or VPN through the interface endpoint in the consumer VPC.]
Endpoint policies
• A VPC endpoint policy is an AWS Identity and Access Management (IAM) resource policy that you attach to an endpoint
• An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies)
Example for S3
• IAM policy at the VPC endpoint: you may only access the “Data” bucket
• IAM policy at the S3 bucket: access to this bucket is only allowed from VPCE-X
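Added example, not from the deck: a small evaluator for the two-layer S3 example above, showing that the endpoint policy is an extra gate rather than a replacement. The policies, the bucket name "data", the endpoint id "vpce-EXAMPLE" and the identity policy are constructed placeholders, and only the subset of IAM logic needed here is implemented (Action/Resource matching, StringEquals/StringNotEquals on aws:SourceVpce, explicit Deny wins).

```python
import fnmatch

# Constructed policies for the slide's S3 example. The bucket name "data",
# the endpoint id "vpce-EXAMPLE" and the identity policy are placeholders.
DATA_BUCKET = ["arn:aws:s3:::data", "arn:aws:s3:::data/*"]

ENDPOINT_POLICY = {"Statement": [   # on the S3 gateway endpoint: only "data"
    {"Effect": "Allow", "Action": "s3:*", "Resource": DATA_BUCKET}]}

BUCKET_POLICY = {"Statement": [     # on the bucket: deny unless via VPCE-X
    {"Effect": "Deny", "Action": "s3:*", "Resource": DATA_BUCKET,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}

IDENTITY_POLICY = {"Statement": [   # the caller's IAM policy: broad allow
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _matches(pattern, value):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """One policy: 'Deny' if any matching statement denies, 'Allow' if one
    allows, else 'Implicit' (no statement applied)."""
    decision = "Implicit"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_allowed(action, resource, ctx):
    """The endpoint policy is an extra gate when the request traverses the
    endpoint (ctx carries aws:SourceVpce); it never replaces the identity
    and bucket policies, where an explicit Deny always wins."""
    if "aws:SourceVpce" in ctx:
        if evaluate(ENDPOINT_POLICY, action, resource, ctx) != "Allow":
            return False
    results = {evaluate(p, action, resource, ctx)
               for p in (IDENTITY_POLICY, BUCKET_POLICY)}
    return "Deny" not in results and "Allow" in results
```

The four cases worth trying: the Data bucket through VPCE-X (allowed), another bucket through VPCE-X (blocked by the endpoint policy), the Data bucket from outside any endpoint or through a different endpoint (blocked by the bucket policy).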
[Closing diagram: everything from the session in one picture. Your VPC spans US-EAST-1A and US-EAST-1B with public and private subnets; an IGW and NAT gateways; an ELB in front of web servers (Web Server security group) and application servers (App Server security group); a VPC peering connection to another VPC; an AWS Transit Gateway; VPC endpoints (VPCE) to Amazon S3 and Amazon SQS; Lambda and WorkSpaces ENIs; a VGW with a site-to-site VPN to the corporate data center's CGW, and a Direct Connect gateway (DXGW) with a VIF; the VPC+2 Route 53 Resolver with private hosted zones; an EIGW; a PrivateLink VPC.]
Security
[Diagram: the same picture with the security controls highlighted: the Web Server and App Server security groups, the PrivateLink VPC, VPC Flow Logs and Traffic Mirroring.]
Related sessions
Tuesday
• NET317-R Connectivity to AWS and hybrid AWS network architectures
• NET320-R1 The right AWS network architecture for the right reason
Wednesday
• NET305-R1 Advanced VPC design and new capabilities for Amazon VPC
• NET203-L Leadership session: Networking
Thursday
• NET339 Innovation and operation of the AWS global network infrastructure
• NET322-R1 Shared VPC: Simplify your AWS Cloud scale network with VPC sharing
Learn networking with AWS Training and Certification
Resources created by the experts at AWS to help you build and validate networking skills
Free digital courses cover topics related to networking and content delivery, including Introduction to Amazon CloudFront and Introduction to Amazon VPC
Validate expertise with the AWS Certified Advanced Networking – Specialty exam
Visit aws.amazon.com/training/paths-specialty
Thank you!