©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Amazon Virtual Private Cloud Deep Dive
Steve Seymour, Solutions Architect, Networking Specialist
Virtual networking options
EC2-Classic
• Simple to get started – all instances have Internet connectivity, auto-assigned private and public IP addresses
• Inbound security groups
Default VPC
• The best of both
• Get started using the EC2-Classic experience
• If and when needed, begin using any VPC feature you require
VPC
• Advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking
• And more to come...
All accounts created after 12/4/2013 support VPC only and have a default VPC in each region
Create VPC
Corporate Data Center
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b
Create VPN connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1
Launch instances
Corporate Data Center
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3
Using AWS Direct Connect
Corporate Data Center
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
Configuring route table
Corporate Data Center 192.168.0.0/16
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single routing table at creation time, used by all subnets
Remote connectivity best practices
Diagram: Corporate Data Center connected to two Availability Zones
Each VPN connection consists of 2 IPSec tunnels. Use BGP for failure recovery.
Remote connectivity best practices
Diagram: Corporate Data Center connected to two Availability Zones, BGP on each connection
A pair of VPN connections (4 IPSec tunnels total) protects against failure of your customer gateway
Remote connectivity best practices
Diagram: Corporate Data Center connected to two Availability Zones, BGP on each connection
Redundant AWS Direct Connect connections with VPN backup
VPC with private and public connectivity
Corporate Data Center 192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7
Automatic route propagation from VGW
Corporate Data Center 192.168.0.0/16
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with routes present in the VGW
Isolating connectivity by subnet
Corporate 192.168.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only to other instances and the Internet via the IGW
Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a
Software VPN for VPC-to-VPC connectivity
Enabling communication between instances in these subnets; adding routes to the default routing table
Software firewall to the Internet
Routing all traffic from subnets to the Internet via a firewall is conceptually similar
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
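The routing slides above (subnet isolation, software VPN, software firewall) all rest on two rules: the VPC router picks the most specific route that matches the destination, and a route whose target is an instance only carries traffic once source/dest check is disabled on that instance's ENI. The Python below is an added example, not code from the deck or from AWS: the RouteTable class and the audit function are written here for illustration, while the rtb-/igw-/vgw-/instance IDs and CIDRs are the ones on the slides. It lets you check a planned table offline before running create-route.

```python
"""Offline model of how a VPC route table chooses a target (added example).
The IDs and CIDRs below are taken from the slides; the class and audit logic
are an illustration written here, not an AWS API."""
from ipaddress import ip_address, ip_network


class RouteTable:
    def __init__(self, rtb_id, vpc_cidr):
        self.rtb_id = rtb_id
        # Every VPC route table carries an implicit 'local' route for the VPC CIDR.
        self.routes = {ip_network(vpc_cidr): "local"}

    def create_route(self, dest, target):
        """Counterpart of `aws ec2 create-route --ro <rtb> --dest <cidr> ...`."""
        self.routes[ip_network(dest)] = target
        return self

    def delete_route(self, dest):
        """Counterpart of `aws ec2 delete-route`."""
        del self.routes[ip_network(dest)]
        return self

    def lookup(self, dst_ip):
        """Longest-prefix match: the most specific matching route wins, which is
        why 192.168.0.0/16 -> VGW takes precedence over 0.0.0.0/0 -> IGW/firewall."""
        addr = ip_address(dst_ip)
        candidates = [net for net in self.routes if addr in net]
        if not candidates:
            return None
        return self.routes[max(candidates, key=lambda net: net.prefixlen)]


def routes_blocked_by_source_dest_check(table, enis):
    """Audit: a route to an instance is a silent black hole while source/dest
    check is still enabled on that instance's ENI. `enis` maps instance ID ->
    bool(source_dest_check), as read from describe-network-interfaces.
    Returns the destination prefixes that would be dropped."""
    return sorted(
        str(net) for net, target in table.routes.items()
        if target.startswith("i-") and enis.get(target, True)
    )


# Constructed scenario following the slides.
# Default (main) route table: Internet via the firewall instance, corporate range via the VGW.
main = (RouteTable("rtb-ef36e58a", "10.10.0.0/16")
        .create_route("0.0.0.0/0", "i-f832afcc")
        .create_route("192.168.0.0/16", "vgw-f9da06e7"))

# Route table for 10.10.3.0/24: straight to the Internet via the IGW.
public = RouteTable("rtb-67a2b31c", "10.10.0.0/16").create_route("0.0.0.0/0", "igw-5a1ae13f")


def where_does_it_go():
    """Target chosen for a few representative destinations in each table."""
    return {
        ("main", "8.8.8.8"): main.lookup("8.8.8.8"),              # firewall instance
        ("main", "192.168.10.20"): main.lookup("192.168.10.20"),  # VGW beats 0.0.0.0/0
        ("main", "10.10.2.7"): main.lookup("10.10.2.7"),          # local
        ("public", "8.8.8.8"): public.lookup("8.8.8.8"),          # IGW
    }


if __name__ == "__main__":
    for (rtb, dst), target in where_does_it_go().items():
        print(f"{rtb:6} {dst:15} -> {target}")
    # Before --no-source-dest-check is applied, the default route is a black hole:
    print(routes_blocked_by_source_dest_check(main, {"i-f832afcc": True}))   # ['0.0.0.0/0']
    print(routes_blocked_by_source_dest_check(main, {"i-f832afcc": False}))  # []
```

The audit is the part worth keeping: in a real VPC, create-route succeeds even when source/dest check is still enabled on the target instance, and the packets are simply dropped, so checking the ENI attribute after every change to a firewall or VPN instance route is cheaper than debugging a silent outage.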
Road to Automation - aka CloudFormation
Jackie Wong, Network Manager, Financial Times
Financial Times
• International Media Company
• Pioneer of Selling Digital Subscriptions
• Speed to Market
Repetitive and Manual Deployment
• Some history …
• Manual deployment;
• Time Consuming
• Inconsistent
• Human Error
• Repetitive
CloudFormation – JSON
{
  "Recognize Similarity": [
    { "Key": "Subnets" },
    { "Key": "Security" },
    { "Key": "Routing" },
    { "Key": "Internet" },
    { "Key": "Corporate" },
    { "Key": "etc" }
  ]
}
• Using Mapping and Parameters within JSON to make it [{"Universal"}]
Outcome - Speed to Market
• Faster deployment
• Consistent
• Accurate Deployment
• Easy to manage and update
• Stored Centrally
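What "Mapping and Parameters to make it Universal" looks like in a concrete template, as an added example (not the Financial Times template, and not AWS sample code; the AddressPlan mapping, the Environment parameter and the resource names are made up here): one template takes an Environment parameter, looks up its address plan in a Mappings table, and picks Availability Zones with Fn::GetAZs so the same JSON deploys unchanged in any region. The dangling_references function is an offline check for the kind of human error the slide lists, run before the template is ever submitted.

```python
"""Build a reusable VPC CloudFormation template from Parameters and Mappings,
then check its references offline (added example; names are illustrative)."""
import json

# Parameters: the values that change per deployment.
PARAMETERS = {
    "Environment": {
        "Type": "String",
        "AllowedValues": ["dev", "prod"],
        "Description": "Selects the address plan from the Mappings section",
    },
}

# Mappings: static lookup tables, so one template serves several environments.
MAPPINGS = {
    "AddressPlan": {
        "dev":  {"VpcCidr": "10.10.0.0/16", "SubnetA": "10.10.1.0/24", "SubnetB": "10.10.2.0/24"},
        "prod": {"VpcCidr": "10.20.0.0/16", "SubnetA": "10.20.1.0/24", "SubnetB": "10.20.2.0/24"},
    },
}


def find_in_map(map_name, top_level_param, second_key):
    return {"Fn::FindInMap": [map_name, {"Ref": top_level_param}, second_key]}


def az(index):
    # Nth Availability Zone of whatever region the stack is created in.
    return {"Fn::Select": [str(index), {"Fn::GetAZs": ""}]}


def build_template():
    resources = {
        "Vpc": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": find_in_map("AddressPlan", "Environment", "VpcCidr")}},
        "Igw": {"Type": "AWS::EC2::InternetGateway"},
        "IgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": {"Ref": "Vpc"}, "InternetGatewayId": {"Ref": "Igw"}}},
    }
    for suffix, index in (("A", 0), ("B", 1)):
        resources[f"Subnet{suffix}"] = {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "Vpc"},
                           "CidrBlock": find_in_map("AddressPlan", "Environment", f"Subnet{suffix}"),
                           "AvailabilityZone": az(index)},
        }
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Parameters": PARAMETERS, "Mappings": MAPPINGS, "Resources": resources}


def dangling_references(template):
    """Every Ref must name a Parameter, a Resource or an AWS:: pseudo parameter,
    and every Fn::FindInMap must point at an existing map and key. Returns a
    list of problems; an empty list means the references are consistent."""
    known = set(template.get("Parameters", {})) | set(template["Resources"])
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            if "Ref" in node and len(node) == 1:
                name = node["Ref"]
                if name not in known and not name.startswith("AWS::"):
                    problems.append(f"{path}: Ref to unknown {name}")
            elif "Fn::FindInMap" in node and len(node) == 1:
                map_name, top, second = node["Fn::FindInMap"]
                mapping = template.get("Mappings", {}).get(map_name)
                if mapping is None:
                    problems.append(f"{path}: unknown mapping {map_name}")
                elif isinstance(second, str) and any(second not in row for row in mapping.values()):
                    problems.append(f"{path}: key {second} missing from some rows of {map_name}")
                walk(top, path)
            else:
                for key, value in node.items():
                    walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(template["Resources"], "Resources")
    return problems


def render():
    """The JSON you would pass to `aws cloudformation create-stack --template-body`."""
    return json.dumps(build_template(), indent=2)


if __name__ == "__main__":
    print(render())
    print("problems:", dangling_references(build_template()))  # []
```

Adding a third environment is a new row in AddressPlan and a new AllowedValues entry, with no change to Resources; that is the "recognize similarity" point of the slide expressed as data rather than copied JSON.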
Shared services VPC using VPC peering
• Common/core services
  – Authentication/directory
  – Monitoring
  – Logging
  – Remote administration
  – Scanning
VPC peering for VPC-to-VPC connectivity
VPC A - 10.10.0.0/16 vpc-c15180a4
VPC B - 10.20.0.0/16 vpc-062dfc63
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
VPC peering across accounts
VPC A - 10.10.0.0/16 vpc-c15180a4
VPC B - 10.20.0.0/16 vpc-062dfc63, Account ID 472752909333
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC peering – Additional considerations
• Security groups not supported across peerings
  – Workaround: specify rules by IP prefix
• No "transit" capability for VPN, AWS Direct Connect, or 3rd VPCs
  – Example: Cannot access VPC C from VPC A via VPC B
  – Workaround: Create a direct peering from VPC A to VPC C
• Peer VPC address ranges cannot overlap
  – But, you can peer with 2+ VPCs that themselves overlap
  – Use subnets/routing tables to pick the VPC to use
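The three considerations above can all be checked before a peering request is submitted. The Python below is an added example, not code from the deck: VPC A, VPC B, their route table IDs and pcx-ee56be87 are the slides' values, while VPC C and its vpc- ID are constructed here to show the overlap case. It flags peers whose CIDRs overlap, plans the full mesh that the lack of transit requires, spreads mutually overlapping peers of one hub over separate route tables (one per subnet group, as the last bullet suggests), and emits the paired create-route calls in the slides' CLI form.

```python
"""Pre-flight checks for VPC peering: overlap, non-transitivity, and route
planning (added example; VPC C and the planning helpers are illustrative)."""
from ipaddress import ip_network
from itertools import combinations

VPCS = {
    "vpc-c15180a4": "10.10.0.0/16",  # VPC A (from the slides)
    "vpc-062dfc63": "10.20.0.0/16",  # VPC B (from the slides)
    "vpc-000000c3": "10.20.0.0/16",  # VPC C: constructed placeholder that overlaps B
}


def can_peer(cidr_a, cidr_b):
    """A peering request is only accepted when the two VPC CIDRs are disjoint."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


def peering_plan(vpcs):
    """Full mesh for a set of VPCs that all need to talk: peering has no transit,
    so every communicating pair needs its own direct peering. Returns
    (allowed, blocked); blocked pairs are the ones whose CIDRs overlap."""
    allowed, blocked = [], []
    for (id_a, cidr_a), (id_b, cidr_b) in combinations(sorted(vpcs.items()), 2):
        (allowed if can_peer(cidr_a, cidr_b) else blocked).append((id_a, id_b))
    return allowed, blocked


def assign_route_tables(hub, vpcs, allowed):
    """A hub may peer with several VPCs that overlap each other, but one route
    table can hold only one route per prefix, so overlapping peers must sit in
    different route tables (and therefore different subnets). Greedy first-fit
    assignment; returns a list of tables, each a list of peer VPC IDs."""
    peers = [b if a == hub else a for a, b in allowed if hub in (a, b)]
    tables = []
    for peer in sorted(peers):
        for table in tables:
            if all(can_peer(vpcs[peer], vpcs[other]) for other in table):
                table.append(peer)
                break
        else:
            tables.append([peer])
    return tables


def route_commands(vpcs, route_tables, pcx_ids):
    """The two create-route calls each accepted peering needs, one per side,
    in the slides' CLI form. route_tables maps VPC ID -> route table ID;
    pcx_ids maps an (id_a, id_b) pair -> peering connection ID."""
    cmds = []
    for (id_a, id_b), pcx in pcx_ids.items():
        cmds.append(f"aws ec2 create-route --ro {route_tables[id_a]} --des {vpcs[id_b]} --vpc-peer {pcx}")
        cmds.append(f"aws ec2 create-route --ro {route_tables[id_b]} --des {vpcs[id_a]} --vpc-peer {pcx}")
    return cmds


if __name__ == "__main__":
    allowed, blocked = peering_plan(VPCS)
    print("allowed:", allowed)   # A-B and A-C
    print("blocked:", blocked)   # B-C: both 10.20.0.0/16
    # VPC A can peer with both B and C, but needs two route tables to reach them.
    print("route tables for A:", assign_route_tables("vpc-c15180a4", VPCS, allowed))
    for cmd in route_commands(VPCS,
                              {"vpc-c15180a4": "rtb-ef36e58a", "vpc-062dfc63": "rtb-67a2b31c"},
                              {("vpc-062dfc63", "vpc-c15180a4"): "pcx-ee56be87"}):
        print(cmd)
```

The emitted commands for the A-B pair are exactly the two VPC A> / VPC B> lines on the peering slide; the value of the script is the blocked list and the route-table split, which are the two mistakes that only surface after the peering has been accepted.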
VPC peering with software firewall
VPC A - 10.10.0.0/16 VPC B - 10.20.0.0/16
# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC Design for the Enterprise
Eamonn O'Neill, Director, Lemongrass Consulting
VPC Layout
Diagram labels: regions Singapore (two VPCs), Ireland (two VPCs), Tokyo; components Cloud Controller, Website (Primary and DR), Workspaces; accounts Seaco Main Account, Seaco DR Account, Lemongrass Account
User Connections to AWS
Diagram labels: Singapore Primary; Seaco WAN; Direct Connect (100Mb); Cloud Controller; Lemongrass Support; 3rd Parties; Remote Seaco Users; sites Miami, Shanghai, Hamburg, Singapore, India, London, Livorno, Moscow reached over VPN; Remote Desktop Services; SAP DR; App Servers
Subnet Layout
Primary VPC, across ap-southeast-1a and ap-southeast-1b:
• DMZ: VPN Server, Active Directory, Remote Desktop Services
• Management & Non-SAP: Domain Controller, SQL Server, System Centre 2012
• SAP Production: Database Servers, App. Servers
• SAP Non-Production: Database Servers, App. Servers
DR VPC, connected by VPC Peering:
• DMZ: VPN Server
• Database Servers, App Servers, SAP Web Dispatcher, Domain Controller
Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
• ARC205 – VPC Fundamentals and Connectivity
• ARC401 – Black Belt Networking for Cloud Ninja
  – Application centric, network monitoring, management, floating IPs
• ARC403 – From One to Many: Evolving VPC Design
• SDD302 – A Tale of One Thousand Instances
  – Example of EC2-Classic customer adopting VPC
• SDD419 – Amazon EC2 Networking Deep Dive
  – Network performance, placement groups, enhanced networking