
Amazon Virtual Private Cloud

Deep Dive
Steve Seymour, Solutions Architect, Networking Specialist

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved
aws vpc --expert-mode
Topics today
Virtual networking options

EC2-Classic: simple to get started
•  All instances have Internet connectivity, with auto-assigned private and public IP addresses
•  Inbound security groups

Default VPC: the best of both
•  Get started using the EC2-Classic experience
•  If and when needed, begin using any VPC feature you require
•  All accounts created after 12/4/2013 support VPC only and have a default VPC in each region

VPC: advanced virtual networking services
•  ENIs and multiple IPs
•  Routing tables
•  Egress security groups
•  Network ACLs
•  Private connectivity
•  Enhanced networking
•  And more to come...
Confirming your default VPC

aws ec2 describe-account-attributes --attribute-names supported-platforms default-vpc

An account that supports VPC only lists "VPC" (and not "EC2") under supported-platforms; the default-vpc attribute holds the ID of the default VPC for the region you are querying.
1. Routing & private connections
Implementing a hybrid architecture

Create VPC

aws ec2 create-vpc --cidr-block 10.10.0.0/16

aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b
Create VPN connection

aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1
Launch instances

aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3
Using AWS Direct Connect

aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First

aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s \
  --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

authKey is the BGP MD5 authentication key shared with your router; "testing" is a placeholder from the slide and should be replaced with a real secret. The shorthand value must be written without spaces after the commas.
Configuring route table

Corporate Data Center: 192.168.0.0/16

Each VPC has a single routing table at creation time (the main route table), used by all subnets until you associate a subnet with another table.

aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7


Remote connectivity best practices

•  Each VPN connection consists of 2 IPSec tunnels, terminating on two different AWS endpoints. Use BGP for failure recovery, so traffic moves to the surviving tunnel without a manual route change.
•  A pair of VPN connections (4 IPSec tunnels total) protects against failure of your customer gateway. The second connection needs a second customer gateway, i.e. a separate device with its own public IP, attached to the same VGW.
•  Redundant AWS Direct Connect connections with VPN backup: BGP on both paths lets the VPN take over if both Direct Connect links fail.
VPC with private and public connectivity

Corporate Data Center: 192.168.0.0/16

aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7

The VPC router uses the most specific matching route, so the 192.168.0.0/16 entry keeps corporate traffic on the VPN while everything else leaves through the Internet gateway.
Automatic route propagation from VGW

Corporate Data Center: 192.168.0.0/16

Used to automatically update routing table(s) with routes present in the VGW: the prefixes learned over BGP from the customer gateway, or the static routes configured on the VPN connection. If a table holds a static route and a propagated route for the same prefix, the static route takes priority.

aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7
Isolating connectivity by subnet

Corporate Data Center: 192.168.0.0/16

Subnet with connectivity only to other instances and the Internet via the IGW: give it its own route table that carries the local route and a default route to the IGW, but no route (static or propagated) toward the VGW.

aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
aws ec2 create-route-table --vpc-id vpc-c15180a4
aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
# The default route goes into the new table; the main table rtb-ef36e58a already has one
aws ec2 create-route --route-table-id rtb-fc61b299 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Software VPN for VPC-to-VPC connectivity

Enabling communication between instances in these subnets: a software VPN runs between one instance in each VPC, and a route to the other VPC's CIDR is added to each default routing table with that instance as the target. Source/destination checking must be disabled on the VPN instance's ENI, because it forwards packets that it neither sourced nor is addressed to; with the check enabled the VPC drops them.

# VPC A
aws ec2 modify-network-interface-attribute --network-interface-id eni-f832afcc --no-source-dest-check
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --network-interface-id eni-9c1b693a --no-source-dest-check
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --instance-id i-9c1b693a
Software firewall to the Internet

Routing all traffic from subnets to the Internet via a firewall is conceptually similar: the NAT/firewall instance (again with source/destination checking disabled) lives in a subnet whose route table points 0.0.0.0/0 at the IGW, while the other subnets' route table points 0.0.0.0/0 at the instance.

# Default routing table directs traffic to the NAT/firewall instance
# (use replace-route if the table already has a 0.0.0.0/0 entry)
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 (the firewall's subnet) directs to the Internet
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Road to Automation - aka CloudFormation

Jackie Wong, Network Manager, Financial Times

Financial Times

•  International Media Company

•  Pioneer of Selling Digital Subscriptions

•  Speed to Market
Repetitive and Manual Deployment

•  Some history …

•  Manual deployment;

•  Time Consuming

•  Inconsistent

•  Human Error

•  Repetitive
CloudFormation – JSON
{ "Recognize Similarity" : [
    { "Key" : "Subnets" },
    { "Key" : "Security" },
    { "Key" : "Routing" },
    { "Key" : "Internet" },
    { "Key" : "Corporate" },
    { "Key" : "etc" }
  ]
}

•  Using Mappings and Parameters within the JSON to make it [{"Universal"}]
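As an added example of the "Mappings and Parameters" idea (this is not the Financial Times template, which the talk did not show), the script below holds a minimal CloudFormation template for the VPC built earlier in the deck and a small resolver for Ref and Fn::FindInMap, so the per-environment result can be checked offline. The resource names, the dev/test/prod CIDRs and the choice of keying the map by environment are assumptions; the VGW ID is the one used on the slides.

```python
"""One CloudFormation template, reused across environments via Parameters + Mappings.

Added illustration, not code from the talk or from the Financial Times.
Assumed: logical resource names, the EnvCidr map values, and that an
existing VGW (vgw-f9da06e7, from the slides) is passed in as a parameter.
"""
import json

TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "VPC with one public subnet; CIDRs selected by the Environment parameter",
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["dev", "test", "prod"], "Default": "dev"},
        "VpnGatewayId": {"Type": "String", "Description": "Existing VGW to attach (vgw-...)"},
    },
    "Mappings": {
        "EnvCidr": {
            "dev":  {"Vpc": "10.10.0.0/16", "Public": "10.10.1.0/24"},
            "test": {"Vpc": "10.20.0.0/16", "Public": "10.20.1.0/24"},
            "prod": {"Vpc": "10.30.0.0/16", "Public": "10.30.1.0/24"},
        }
    },
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {
            "CidrBlock": {"Fn::FindInMap": ["EnvCidr", {"Ref": "Environment"}, "Vpc"]}}},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "VPC"},
            "CidrBlock": {"Fn::FindInMap": ["EnvCidr", {"Ref": "Environment"}, "Public"]}}},
        "IGW": {"Type": "AWS::EC2::InternetGateway"},
        "IGWAttach": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "IGW"}}},
        "VGWAttach": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": {"Ref": "VPC"}, "VpnGatewayId": {"Ref": "VpnGatewayId"}}},
        "PublicRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
        # A route to an IGW must wait for the attachment, otherwise creation fails
        "DefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IGWAttach", "Properties": {
            "RouteTableId": {"Ref": "PublicRT"}, "DestinationCidrBlock": "0.0.0.0/0",
            "GatewayId": {"Ref": "IGW"}}},
        # Corporate prefixes arrive by VGW route propagation instead of static routes
        "Propagation": {"Type": "AWS::EC2::VPNGatewayRoutePropagation", "DependsOn": "VGWAttach",
                        "Properties": {"RouteTableIds": [{"Ref": "PublicRT"}],
                                       "VpnGatewayId": {"Ref": "VpnGatewayId"}}},
        "PublicAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "PublicRT"}}},
    },
}


def resolve(node, params):
    """Evaluate Ref (for parameters) and Fn::FindInMap recursively.
    A Ref to a resource has no value before the stack runs, so it is
    rendered as '<LogicalId>'."""
    if isinstance(node, dict):
        if "Ref" in node:
            name = node["Ref"]
            return params.get(name, f"<{name}>")
        if "Fn::FindInMap" in node:
            map_name, top_key, second_key = (resolve(x, params) for x in node["Fn::FindInMap"])
            return TEMPLATE["Mappings"][map_name][top_key][second_key]
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def resolved_properties(logical_id: str, environment: str) -> dict:
    """Properties of one resource after applying the parameters, enforcing
    the AllowedValues constraint the way CloudFormation would."""
    allowed = TEMPLATE["Parameters"]["Environment"]["AllowedValues"]
    if environment not in allowed:
        raise ValueError(f"Environment must be one of {allowed}")
    params = {"Environment": environment, "VpnGatewayId": "vgw-f9da06e7"}  # VGW from the slides
    return resolve(TEMPLATE["Resources"][logical_id].get("Properties", {}), params)


if __name__ == "__main__":
    for env in ("dev", "test", "prod"):
        print(env, resolved_properties("VPC", env)["CidrBlock"],
             resolved_properties("PublicSubnet", env)["CidrBlock"])
    # Write the template itself for 'aws cloudformation create-stack --template-body file://vpc.json'
    with open("vpc.json", "w") as fh:
        json.dump(TEMPLATE, fh, indent=2)
```

Running it prints a different VPC and subnet CIDR for each environment from the same document and writes vpc.json; the only per-deployment inputs are the two parameters, which is what makes the template reusable.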


Outcome - Speed to Market

•  Faster deployment

•  Consistent

•  Accurate Deployment

•  Easy to manage and update

•  Stored Centrally
Give it a Go
It is addictive... in a good way!
2. VPC peering
Shared services VPC using VPC peering

•  Common/core services
–  Authentication/directory
–  Monitoring
–  Logging
–  Remote administration
–  Scanning
Provides infrastructure zoning
•  Dev: VPC B
•  Test: VPC C
•  Production: VPC D
VPC peering for VPC-to-VPC connectivity

VPC A - 10.10.0.0/16 (vpc-c15180a4)    VPC B - 10.20.0.0/16 (vpc-062dfc63)

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
# VPC A
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
# VPC B
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87
VPC peering across accounts

VPC A - 10.10.0.0/16 (vpc-c15180a4)    VPC B - 10.20.0.0/16 (vpc-062dfc63, Account ID 472752909333)

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
VPC peering – Additional considerations

•  Security groups not supported across peerings
   –  Workaround: specify rules by IP prefix
   –  AWS has since added the ability to reference a peer VPC's security group in a rule when both VPCs are in the same region; cross-region peerings still need prefix-based rules
•  No "transit" capability for VPN, AWS Direct Connect, or 3rd VPCs
   –  Example: Cannot access VPC C from VPC A via VPC B
   –  Workaround: Create a direct peering from VPC A to VPC C
•  Peer VPC address ranges cannot overlap
   –  But, you can peer with 2+ VPCs that themselves overlap
   –  Use subnets/routing tables to pick the VPC to use: a route table holds one route per destination prefix, so each subnet's table decides which peering receives the overlapping prefix
VPC peering with software firewall

VPC A - 10.10.0.0/16    VPC B - 10.20.0.0/16

# Default routing table directs peer traffic to the NAT/firewall instance
# (source/destination checking must be disabled on its ENI, as for the software VPN)
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 (the firewall's subnet) directs to the peering
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
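The subnet-isolation, software-firewall and peering slides all rely on the same two VPC router rules: the most specific route in a subnet's table wins, and a peering is only accepted between non-overlapping CIDRs. The script below is an added offline model of those rules (not code from the talk) populated with the route-table layout for VPC A in the firewalled design; the target IDs are the ones used on the slides, and the sample destination addresses are constructed.

```python
"""Offline model of VPC route selection and peering constraints.

Added illustration for the subnet-isolation, software-firewall and peering
slides; not code from the talk. Assumes the documented VPC router behaviour:
longest-prefix match within the subnet's route table, one route per prefix
per table, and no peering between overlapping VPC CIDRs.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]        # (destination CIDR, target: local / igw / vgw / pcx / instance)
RouteTable = List[Route]


def next_hop(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Target of the most specific route covering dst_ip; None means the
    VPC router has no matching route and drops the packet."""
    dst = ipaddress.ip_address(dst_ip)
    best_target, best_len = None, -1
    for cidr, target in table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def route_exists(table: RouteTable, cidr: str) -> bool:
    return any(existing == cidr for existing, _ in table)


def add_route(table: RouteTable, cidr: str, target: str) -> RouteTable:
    """Mirror of 'aws ec2 create-route': a table may hold only one route per
    destination prefix, so a duplicate is rejected (RouteAlreadyExists).
    This is why two overlapping peers need separate subnets/route tables."""
    if route_exists(table, cidr):
        raise ValueError(f"RouteAlreadyExists: {cidr} (use replace-route)")
    return table + [(cidr, target)]


def can_peer(vpc_a_cidr: str, vpc_b_cidr: str) -> bool:
    """Peering is only accepted between non-overlapping VPC CIDR blocks."""
    return not ipaddress.ip_network(vpc_a_cidr).overlaps(ipaddress.ip_network(vpc_b_cidr))


# Constructed sample for VPC A (10.10.0.0/16) in the software-firewall layout.
# Main table (application subnets): everything non-local goes through the firewall.
MAIN_RTB: RouteTable = [
    ("10.10.0.0/16", "local"),
    ("0.0.0.0/0", "i-f832afcc"),         # NAT/firewall instance
    ("10.20.0.0/16", "i-f832afcc"),      # peer traffic is inspected too
]
# Firewall subnet (10.10.3.0/24): talks to IGW, VGW and the peering directly.
FIREWALL_SUBNET_RTB: RouteTable = [
    ("10.10.0.0/16", "local"),
    ("0.0.0.0/0", "igw-5a1ae13f"),
    ("192.168.0.0/16", "vgw-f9da06e7"),  # corporate prefix, more specific than 0/0
    ("10.20.0.0/16", "pcx-ee56be87"),    # VPC B via peering
]


def path(dst_ip: str) -> List[Optional[str]]:
    """Targets a packet from an application subnet is handed to: the main
    table first, then the firewall subnet's table if it reached the firewall."""
    hops: List[Optional[str]] = [next_hop(MAIN_RTB, dst_ip)]
    if hops[0] == "i-f832afcc":
        hops.append(next_hop(FIREWALL_SUBNET_RTB, dst_ip))
    return hops


if __name__ == "__main__":
    for ip in ("10.10.2.7", "10.20.4.1", "192.168.9.9", "8.8.8.8"):
        print(ip, "->", " -> ".join(str(h) for h in path(ip)))
    print("peer 10.10/16 with 10.20/16:", can_peer("10.10.0.0/16", "10.20.0.0/16"))
    print("peer 10.10/16 with 10.10.128/17:", can_peer("10.10.0.0/16", "10.10.128.0/17"))
```

Two things the model makes visible that the command listings do not: corporate traffic from an application subnet still crosses the firewall before reaching the VGW, because the main table only has the default route toward the instance, and a second peering that advertises the same 10.20.0.0/16 prefix cannot be added to FIREWALL_SUBNET_RTB at all, which is the route-table-per-subnet point from the considerations slide.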
VPC Design for the Enterprise

Eamonn O'Neill, Director, Lemongrass Consulting

Lemongrass Account / VPC Layout

Diagram: a Lemongrass account hosting a Cloud Controller VPC (Ireland); the Seaco Main Account with Website (Ireland), Workspaces (Tokyo) and Primary (Singapore) VPCs; and a Seaco DR Account with the DR VPC (Singapore).

User Connections to AWS

Diagram: 3rd parties, Lemongrass Support and remote Seaco users connect over VPN; the Seaco WAN (Singapore, London, Livorno, Moscow, Shanghai, Miami, Hamburg, India) reaches the Primary VPC over a 100 Mb Direct Connect; Remote Desktop Services are hosted in Singapore.

Subnet Layout

Diagram of the Primary VPC (ap-southeast-1a and ap-southeast-1b) and the DR VPC (ap-southeast-1b), peered with the SAP Non-Production VPC:
•  DMZ subnets: Remote Desktop Services, Active Directory, VPN servers, SAP Web Dispatcher
•  Management & Non-SAP subnets: Domain Controllers, SQL Server, System Centre 2012
•  SAP Production: application and database servers
•  SAP Non-Production VPC: application and database servers
•  SAP DR: application and database servers
Lemongrass Consulting

“Transforming the Workplace through Mobile and Cloud”

Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices

•  ARC205 – VPC Fundamentals and Connectivity


•  ARC401 – Black Belt Networking for Cloud Ninja
–  Application centric, network monitoring, management, floating IPs
•  ARC403 – From One to Many: Evolving VPC Design
•  SDD302 – A Tale of One Thousand Instances
–  Example of EC2-Classic customer adopting VPC
•  SDD419 – Amazon EC2 Networking Deep Dive
–  Network performance, placement groups, enhanced networking
LONDON

Please complete your session evaluation!