AWS networking fundamentals

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

AWS networking fundamentals

N E T 2 0 1 - R

Alan Halachmi

Director, Public Sector

AWS Solutions Architecture

Amazon Web Services

Steve Seymour

WW Tech Leader, Networking


Amazon Web Services

AWS global infrastructure

AWS Region

US-EAST-1

Availability Zone (AZ)

US-EAST-1

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Data center

Rack, host, EC2 instance

US-EAST-1

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance

VPC

US-EAST-1

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance

VPC

US-EAST-1

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Amazon Virtual Private Cloud (Amazon VPC)

Public subnet Public subnet

Private subnet Private subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Subnets



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

EC2 instances

Instance Instance

Instance Instance

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance



Gateways, endpoints & peering



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Web Server Web Server

Application

Server

Application

Server

Example web application

Web Server

Security Group

App Server

Security Group

ELB



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

IP addressing

Private IP address range for your VPC – IPv4

• ”CIDR” Range ?

• Classless Inter-domain Routing

• No more Class A, B, C

• RFC1918

• 192.168.0.0 /16

• 172.16.0.0 /12

• 10.0.0.0 /8

• How much ?

• /16

• /28

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Where to use IPv4 addresses ?

172.31. 172.31.

172.31. 172.31.

IPv6 basicsIPv6: Colon-Separated Hextet Notation + CIDR

2001:0db8:0ec2:0000:0000:0000:0000:0001/64 0000:0000:0000:0000:0000:0000:0000:0001/128

2001:db8:ec2:0:0:0:0:1/64 0:0:0:0:0:0:0:1/128

2001:db8:ec2::1/64 ::1/128

Unicast Addresses

Loopback Address ::1

Link Local Address (LLA) fe80::/10 (fe80::/64 in practice)

Global Unicast Address (GUA) 2600:1f16:14d:6300::/64

Multicast Addresses (ff00::/8)

All Nodes ff02::1

All Routers ff02::2

Solicited Node ff02::1:ff00:0/104

IPv6 on AWS

• /56 VPC

• /64 Subnets

• Dualstack

• Link Local Address and Global Unicast Address requiredIPv4 Private Address

IPv6 Link Local Address (Private)IPv6 Global Unicast Address (Public)

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Where to use IPv6 addresses ?

2600:1f16:14d:6300::/56

172.31. 172.31.

172.31. 172.31.

2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64

2600:1f16:14d:6328::/64 2600:1f16:14d:6329::/64

The “5 Things” required for Internet traffic

1. Public IP Address

2. Internet Gateway Attached to a VPC

3. Route to an Internet Gateway

4. NACL Allow Rule

5. Security Group Allow Rule

Public IP addresses for your instances

• Auto-assign public IP addresses

• Elastic IP Addresses (EIP)

• Amazon EIP Pool

• Bring Your Own IP (BYOIP) Pool

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Public IP addresses

Gateways, endpoints & peering

Customer Gateway EndpointsInternet GatewayNAT Gateway Peering connectionVPN Gateway AWS Transit Gateway

Internet access

Internet access

Different routes for different subnets

Public subnet

Private subnet

Public & private subnets

Public subnetPrivate subnet

Network Address Translation (NAT) Gateway

Public subnetPrivate subnet


Network security

• Network ACLs

• Security Groups

• VPC Flow Logs

• Amazon VPC Traffic Mirroring



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B


Application

Server

Application

Server

Network ACLs



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B


Application

Server

Application

Server

Security groups – Inbound

Web Server

Security Group

sg-0f004ca5495132527

App Server

Security Group

sg-090a960aee374b3cd



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B


Application

Server

Application

Server

Security groups – Outbound

Web Server

Security Group

sg-0f004ca5495132527

App Server

Security Group

sg-090a960aee374b3cd

VPC flow logs

• Amazon CloudWatch Logs or Amazon S3

• Does not impact throughput or latency

• Apply to VPC, Subnet, or ENI

• Accepted, Rejected, or All traffic

Amazon VPC traffic mirroring

• Mirror to another ENI or Network Load Balancer with UDP listener

• Packet copy. Shares interface bandwidth.

• Traffic mirror filters to define “interesting traffic”

• Traffic mirror session is the combination of source, target, and filter

Filter 1


Web Server

High availability & scale

Web ServerElastic Load Balancing

Web Server

Web Server

Elastic Load Balancing

Elastic Load Balancing (ELB) distributes incoming application or network

traffic across multiple targets, such as Amazon EC2 instances, containers,

Lambda functions, and IP addresses, in multiple Availability Zones.

ELB: Options

Application Load Balancer Classic Load BalancerNetwork Load Balancer

Web ServerElastic Load Balancing

IP Target

Web Server

ALB: Components

Health check

Health check

Listener

Target

Target Group

default

Forward /img/*

Listener Rule



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B


Application

Server

Application

Server

Example web application

Web Server

Security Group

App Server

Security Group

ELB



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B


Application

Server

Application

Server

Example web application – Final

Web Server

Security Group

App Server

Security Group

ELB



Connecting between VPCs

VPC

VPC

VPC

AWS Cloud

VPC peering – same region

VPC

VPC

VPC

AWS Cloud


VPC

VPC

VPC

Peering

AWS Cloud


VPC

VPC

Peering

AWS Cloud


Peering

VPC

VPC

VPCPeering

Peering

AWS Cloud


Peering

VPC

VPC

VPCPeering

Peering

AWS Cloud


Peering

VPC

VPC

VPCPeering

Peering

AWS Cloud


VPC

VPC

VPCPeering

Peering

AWS Cloud


VPC

VPC

VPCPeering

Peering

AWS Cloud

VPC peering – different region

VPC peering – different account

VPC peering – things to know

• Can reference security groups from the peer VPC in the same region

• Can enable DNS hostname resolution to return private IP addresses

• Can peer for both IPv4 & IPv6 addresses

• Cannot have overlapping IP addresses

• Cannot have multiple peers between the same pair of VPCs

• Cannot use jumbo frames across inter-region VPC peering


VPC 10.0.0.0/16

AWS site-to-site VPN setup – VGW

Corporate Data Center

172.16.0.0/16

Virtual Private

Gateway

VPC 10.0.0.0/16

AWS site-to-site VPN – CGW


172.16.0.0/16

Customer

GatewayVirtual Private

Gateway

IP Address not needed when

Certificate is used

VPC 10.0.0.0/16

AWS site-to-site VPN


172.16.0.0/16

Virtual Private

Gateway

1x VPN Connection = 2x VPN Tunnels

Instance

I know how to get to

172.16.0.0/16

I don’t…

Customer

Gateway

VPC 10.0.0.0/16



172.16.0.0/16


Instance Customer

Gateway

Virtual Private

Gateway172.16.0.0/16

via VGW

VPC 10.0.0.0/16



172.16.0.0/16

Customer

Gateway

Virtual Private

Gateway


Instance

172.16.0.0/16

via VGW

1x VPN Tunnel = 1.25Gbps

1 Tunnel always preferred

AWS Direct Connect – physical connection


172.16.0.0/16

Direct Connect

Location

AWS Global Network

Customer

Router

Direct Connect

Location

AWS

RouterCustomer

Router

AWS Direct Connect – Interface types

• Private VIF – Used to connect to Amazon VPCs using private IP

addresses; directly or via Direct Connect gateway

• Transit VIF – Used to connect to AWS Transit Gateways via Direct

Connect gateway

• Public VIF – Used to access all AWS public services using public IP

addresses

All Virtual Interfaces are 802.1Q VLANs with BGP peering

AWS Direct Connect gateway – Private VIF


172.16.0.0/16

Customer

Router

Direct Connect

Location

AWS

Router

AWS Global Network

Customer

Router

VPC

10.0.0.0/16 Private Virtual

Interface

Direct

Connect

Gateway

VPC

10.1.0.0/16

VPC

10.2.0.0/16

Region

Region

Route propagation

• Enable propagation on the Route Table

• Automatically populates with anything the VGW learns via BGP

VPC 10.0.0.0/16VGW

Corporate Data Center (192.168.0.0/16)

DX or S2S VPN

AWS Direct Connect – Public VIF


172.16.0.0/16

AWS Global Network

Public Virtual

InterfaceAmazon Simple Storage

Service (Amazon S3)

Amazon CloudWatch

Amazon DynamoDB

VPC

10.2.0.0/16

Customer

Router

Direct Connect

Location

AWS

RouterCustomer

Router


Interconnecting VPCs at scale – VPC peering

Peering

VPC

VPC

VPCPeering

Peering

AWS Cloud

Interconnecting VPCs at scale – VPC peering

Peering

VPC

VPC

VPCPeering

Peering

VPC VPC

Peering

VPC

Peering

Peering

Peering Peering

AWS Cloud

Multiple VPCs access models – AWS Transit Gateway

VPC

VPC

VPC

VPC VPC

VPC

AWS Transit Gateway

AWS Cloud

VPC

AWS Transit Gateway with AWS site-to-site VPN

VPC

VPC

VPC

AWS Transit Gateway

VPN Attachment

VPC Route Table

172.16.0.0/16 via TGW

TGW Route Table

172.16.0.0/16 via VPN


172.16.0.0/16

AWS Transit Gateway with DX gateway


172.16.0.0/16

Customer

Router

Direct Connect

Location

AWS

Router

AWS Global Network

Customer

Router

VPC

10.0.0.0/16 Transit Virtual

Interface

VPC

10.1.0.0/16

VPC

10.2.0.0/16

Region

Region

AWS

Transit

Gateway

AWS

Transit

Gateway

DX

Gateway


Amazon Route 53 Resolver

• VPC+2 Resolver

• enableDnsHostnames

• enableDnsSupport

• Private Hosted Zones

• Inbound and Outbound Endpoints

VPC 10.0.0.0/16

PRIVATE HOSTED

ZONE: example.aws

Instance

10.0.0.2

Route 53 Resolver

VPC DNS options

Use Amazon DNS serverHave EC2 auto-assign DNS

host names to instances

Amazon Route 53 private hosted zones

Private Hosted

Zone

example.demohostedzone.org →

172.31.0.99

Associating private hosted zones to multiple VPCs

VPC 10.0.0.0/16

PRIVATE HOSTED

ZONE: example.aws

Instance

10.0.0.2

Route 53 Resolver

VPC 10.1.0.0/16

Instance

10.1.0.2

Route 53 Resolver

PRIVATE HOSTED

ZONE: example.aws

Associate

PRIVATE HOSTED

ZONE: example2.aws

PRIVATE HOSTED

ZONE: example2.aws

Resolving AWS domains from on-premises – Route 53 Resolver

VPC 10.0.0.0/16


172.16.0.0/16

PRIVATE HOSTED

ZONE: example.aws

10.0.0.2

Route 53 Resolver

Route 53

Resolver

Inbound ENI

Server

Resolving on-premise domains from AWS – Route 53 Resolver

VPC 10.0.0.0/16


172.16.0.0/16

PRIVATE ZONE:

example.internal

10.0.0.2

Route 53 Resolver

Route 53

Resolver

Outbound ENI

Server

Instance

RESOLVER RULE:

FORWARD: example.internal

TO: Server


Other AWS services in your VPC

• Amazon Relational Database Service (Amazon RDS)

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

SERVICE VPC

Amazon RDS

instance

PAmazon RDS

instance

S


• Amazon Relational Database Service (Amazon RDS)

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

SERVICE VPC

Amazon RDS

instance

PAmazon RDS

instance

S


• Amazon WorkSpaces

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

SERVICE VPC

Streaming

Gateway


• Amazon WorkSpaces

Subnet Subnet

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

SERVICE VPC

Streaming

Gateway

WorkSpace WorkSpace WorkSpace WorkSpace


• AWS Lambda

• VPC-2-VPC NAT (V2N)

Subnet Subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

LAMBDA SERVICE VPC V2N


Gateway VPC endpoints

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance



US-EAST-1

Amazon S3

DynamoDB

Internet Gateway

(IGW)

Route Table

(Main)


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance



US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance



US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance



US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

Instance Instance



US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)

Private subnet

Private subnet


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance

Instance

Private subnet

Private subnet

US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)

Gateway

VPC Endpoint

Private subnet

Private subnet


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance

Instance

Private subnet

Private subnet

US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)

Private subnet

Private subnet

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance

Instance

Private subnet

Private subnet

US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)


Private subnet

Private subnet


VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance

Instance

Private subnet

Private subnet

US-EAST-1

Amazon S3

DynamoDB

Route Table

(Main)


Interface VPC endpoints (AWS PrivateLink)

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

US-EAST-1


Amazon API Gateway

Amazon CloudWatch

AWS CodeCommit

Amazon Simple Queue

Service (Amazon SQS)

AWS Systems Manager

AWS Transfer for SFTP

Amazon Kinesis

Data Streams



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

US-EAST-1


Amazon API Gateway

Amazon CloudWatch

AWS CodeCommit

Amazon Simple Queue Service

AWS Systems Manager


Amazon Kinesis

Data Streams

sqs.us-east-1.amazonaws.com ?

52.94.242.77



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

US-EAST-1


Amazon API Gateway

Amazon CloudWatch

AWS CodeCommit


AWS Systems Manager


Amazon Kinesis

Data Streams


52.94.242.77



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

US-EAST-1


Amazon API Gateway

Amazon CloudWatch

AWS CodeCommit


AWS Systems Manager


Amazon Kinesis

Data Streams



VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

US-EAST-1


Amazon API Gateway

Amazon CloudWatch

AWS CodeCommit


AWS Systems Manager


Amazon Kinesis

Data Streams


172.31.1.5 / 172.31.2.7


AWS PrivateLink – your own services

VPC (172.31.0.0/16)

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

Instance Instance

US-EAST-1


VPC (10.50.0.0/16)

Network

Load

Balancer

Private subnet

AWS PrivateLink – Your own services – On-prem

Availability Zone

US-EAST-1B

Instance

Private subnet

VPC (10.50.0.0/16)

Network

Load

Balancer


172.16.0.0/16

DX

or

VPN

Endpoint policies

• A VPC endpoint policy is an AWS Identity and Access Management (IAM) resource policy that you attach to an endpoint

• An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies)

Example for S3

• IAM policy at VPC endpoint: You may only access the “Data” bucket

• IAM policy at S3 bucket: Access to this bucket is only allowed from VPCE-X



Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1B

VPC



Your VPC

P S

AWS Transit Gateway

Amazon SQS

Amazon S3VPCE

IGW


ELB

LAMBDA

VPC

VPC

PEERING

WORKSPACES

ENI’s

Corporate

Data Center

D

X

G

W

VIF

VGW

CGWVPN

NAT-GWNAT-GW

VPN

CGW

VPC+2

Route 53 Resolver

PRIVATE

HOSTED

ZONES

VPC

Availability Zone

US-EAST-1A

Availability Zone

US-EAST-1BSecurity

App Server

Security Group


Application

Server

Application

Server

P S

AWS Transit

Gateway

Amazon SQS

Amazon S3VPCE

Web Server

Security Group

VPC

VPC

PEERING

NAT-GWNAT-GW


IGW

ELB



EIGW

PrivateLink VPC

VPC Flow Logs

Traffic Mirroring

Related sessions

Tuesday

• NET317-R Connectivity to AWS and hybrid AWS network architectures

• NET320-R1 The right AWS network architecture for the right reason

Wednesday

• NET305-R1 Advanced VPC design and new capabilities for Amazon VPC

• NET203-L Leadership session: Networking

Thursday

• NET339 Innovation and operation of the AWS global network infrastructure

• NET322-R1 Shared VPC: Simplify your AWS Cloud scale network with VPC sharing


Free digital courses cover topics related to networking and content delivery, including Introduction to Amazon CloudFront and Introduction to Amazon VPC

Visit aws.amazon.com/training/paths-specialty

Validate expertise with the AWS Certified Advanced Networking - specialty exam

Learn networking with AWS Training and CertificationResources created by the experts at AWS to help you build and validate networking skills

Thank you!


Alan HalachmiDirector, Public Sector


Amazon Web Services

Steve Seymour

WW Tech Leader, Networking


Amazon Web Services


Documents

AWS networking fundamentals