Amazon Virtual Private Cloud Deep Dive
Steve Seymour, Solutions Architect, Networking Specialist
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

aws vpc --expert-mode

Topics today

Virtual networking options
• EC2-Classic: simple to get started – all instances have Internet connectivity and auto-assigned private and public IP addresses
• Default VPC: the best of both – get started using the EC2-Classic experience and, if and when needed, begin using any VPC feature you require
• VPC: advanced virtual networking services – ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come...
• Inbound security groups: available with all three options
• All accounts created after 12/4/2013 support VPC only and have a default VPC in each region

Confirming your default VPC
aws ec2 describe-account-attributes
If the supported-platforms attribute lists only VPC, the account is VPC only.
1. Routing & private connections

Implementing a hybrid architecture (diagram: the VPC connected to the Corporate Data Center)

Create VPC
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

Create VPN connection
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

Launch instances
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

Using AWS Direct Connect
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

Configuring the route table (Corporate Data Center: 192.168.0.0/16)
Each VPC has a single routing table at creation time, used by all subnets.
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7

Remote connectivity best practices
• Each VPN connection consists of 2 IPSec tunnels (diagram: two Availability Zones). Use BGP for failure recovery.
• A pair of VPN connections (4 IPSec tunnels total), each running BGP, protects against failure of your customer gateway.
• Redundant AWS Direct Connect connections with VPN backup.

VPC with private and public connectivity (Corporate Data Center: 192.168.0.0/16)
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7

Automatic route propagation from VGW (Corporate Data Center: 192.168.0.0/16)
Used to automatically update routing table(s) with the routes present in the VGW.
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7

Isolating connectivity by subnet (Corporate: 192.168.0.0/16)
A subnet with connectivity only to other instances and to the Internet via the IGW, with no route to the corporate network.
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
# The default route belongs in the new table (rtb-fc61b299), not in the main table, which already has it
aws ec2 create-route --ro rtb-fc61b299 --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a
Software VPN between these instances (diagram). The source/destination check is disabled so the VPN instances can forward traffic that is not addressed to them.
Enabling communication between instances in these subnets by adding routes to the default routing table.

Software firewall to the Internet
Routing all traffic from subnets to the Internet via a firewall is conceptually similar.
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

Road to Automation - aka CloudFormation
Jackie Wong, Network Manager, Financial Times

Financial Times
• International Media Company
• Pioneer of Selling Digital Subscriptions
• Speed to Market

Repetitive and Manual Deployment
• Some history...
• Manual deployment: time consuming, inconsistent, human error, repetitive

CloudFormation – JSON
{ "Recognize Similarity": [ { "Key": "Subnets" }, { "Key": "Security" }, { "Key": "Routing" }, { "Key": "Internet" }, { "Key": "Corporate" }, { "Key": "etc" } ] }
• Using Mappings and Parameters within the JSON to make it [{"Universal"}]

Outcome - Speed to Market
• Faster deployment
• Consistent, accurate deployment
• Easy to manage and update
• Stored centrally

Give it a Go
It is addictive... in a good way!
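The VPC built step by step in the routing section (10.10.0.0/16, two subnets, IGW default route, VGW with route propagation) expressed as the kind of Mappings-and-Parameters CloudFormation template the Financial Times section describes. This is an added example, not the Financial Times template or code from the deck; the Env parameter, the per-environment CIDR mapping (10.20.0.0/16 reused for prod) and the resource names are assumptions, and the template creates no instances or VPN connection.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the deck: hybrid VPC (IGW plus VGW with route propagation); the Env parameter and CIDR mapping are assumed values",
  "Parameters": {
    "Env": {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"}
  },
  "Mappings": {
    "Cidr": {
      "dev":  {"Vpc": "10.10.0.0/16", "SubnetA": "10.10.1.0/24", "SubnetB": "10.10.2.0/24"},
      "prod": {"Vpc": "10.20.0.0/16", "SubnetA": "10.20.1.0/24", "SubnetB": "10.20.2.0/24"}
    }
  },
  "Resources": {
    "Vpc": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": {"Fn::FindInMap": ["Cidr", {"Ref": "Env"}, "Vpc"]}}},
    "SubnetA": {"Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "Vpc"},
                               "CidrBlock": {"Fn::FindInMap": ["Cidr", {"Ref": "Env"}, "SubnetA"]},
                               "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}}},
    "SubnetB": {"Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "Vpc"},
                               "CidrBlock": {"Fn::FindInMap": ["Cidr", {"Ref": "Env"}, "SubnetB"]},
                               "AvailabilityZone": {"Fn::Select": ["1", {"Fn::GetAZs": ""}]}}},
    "Igw": {"Type": "AWS::EC2::InternetGateway"},
    "IgwAttach": {"Type": "AWS::EC2::VPCGatewayAttachment",
                  "Properties": {"VpcId": {"Ref": "Vpc"}, "InternetGatewayId": {"Ref": "Igw"}}},
    "Vgw": {"Type": "AWS::EC2::VPNGateway", "Properties": {"Type": "ipsec.1"}},
    "VgwAttach": {"Type": "AWS::EC2::VPCGatewayAttachment",
                  "Properties": {"VpcId": {"Ref": "Vpc"}, "VpnGatewayId": {"Ref": "Vgw"}}},
    "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
    "DefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttach",
                     "Properties": {"RouteTableId": {"Ref": "RouteTable"},
                                    "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "Igw"}}},
    "CorporateRoutes": {"Type": "AWS::EC2::VPNGatewayRoutePropagation", "DependsOn": "VgwAttach",
                        "Properties": {"RouteTableIds": [{"Ref": "RouteTable"}], "VpnGatewayId": {"Ref": "Vgw"}}},
    "AssocA": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
               "Properties": {"SubnetId": {"Ref": "SubnetA"}, "RouteTableId": {"Ref": "RouteTable"}}},
    "AssocB": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
               "Properties": {"SubnetId": {"Ref": "SubnetB"}, "RouteTableId": {"Ref": "RouteTable"}}}
  }
}
```

Deploy with aws cloudformation create-stack --stack-name hybrid-vpc --template-body file://hybrid-vpc.json --parameters ParameterKey=Env,ParameterValue=prod. Because the propagated corporate routes and the IGW default route share one table here, an isolated subnet like the 10.10.3.0/24 example needs its own AWS::EC2::RouteTable resource that is not listed in RouteTableIds.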
2. VPC peering

Shared services VPC using VPC peering
• Common/core services:
  – Authentication/directory
  – Monitoring
  – Logging
  – Remote administration
  – Scanning
• Provides infrastructure zoning:
  – Dev: VPC B
  – Test: VPC C
  – Production: VPC D

VPC peering for VPC-to-VPC connectivity
VPC A - 10.10.0.0/16 (vpc-c15180a4); VPC B - 10.20.0.0/16 (vpc-062dfc63)
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
# A> = route table in VPC A, B> = route table in VPC B; each side needs its own route
A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87

VPC peering across accounts
VPC A - 10.10.0.0/16 (vpc-c15180a4); VPC B - 10.20.0.0/16 (vpc-062dfc63), owned by account ID 472752909333
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87

VPC peering – Additional considerations
• Security groups not supported across peerings
  – Workaround: specify rules by IP prefix
• No "transit" capability for VPN, AWS Direct Connect, or 3rd VPCs
  – Example: cannot access VPC C from VPC A via VPC B
  – Workaround: create a direct peering from VPC A to VPC C
• Peer VPC address ranges cannot overlap
  – But you can peer with 2+ VPCs that themselves overlap
  – Use subnets/routing tables to pick the VPC to use

VPC peering with software firewall
VPC A - 10.10.0.0/16; VPC B - 10.20.0.0/16
# Default routing table directs peer traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87

VPC Design for the Enterprise
Eamonn O'Neill, Director, Lemongrass Consulting
Account / VPC layout (diagram): Seaco Main Account and Seaco DR Account, with Cloud Controller, Website, Workspaces, Primary and DR VPCs spread across the Ireland, Tokyo and Singapore regions.

User connections to AWS (diagram): 3rd parties and remote Seaco users connect over VPN; Lemongrass Support reaches the Cloud Controller and the Primary Remote Desktop Services; the Seaco WAN (London, Livorno, Moscow, Shanghai, Miami, Hamburg, India) reaches Singapore over a 100Mb Direct Connect.

Subnet layout (diagram): Primary VPC in ap-southeast-1a and ap-southeast-1b with DMZ subnets (VPN servers, SAP Web Dispatcher, Remote Desktop Services), Management & Non-SAP subnets (Active Directory domain controllers, SQL Server, System Centre 2012), and SAP Non-Production and SAP Production subnets (database and application servers); DR VPC in ap-southeast-1b with DMZ, domain controller, SQL Server and SAP DR database and application servers, connected to the Primary VPC via VPC peering.

Lemongrass Consulting – "Transforming the Workplace through Mobile and Cloud"

S24 Related Presentations – videos online at https://www.youtube.com/user/AmazonWebServices
• ARC205 – VPC Fundamentals and Connectivity
• ARC401 – Black Belt Networking for Cloud Ninja – application centric, network monitoring, management, floating IPs
• ARC403 – From One to Many: Evolving VPC Design
• SDD302 – A Tale of One Thousand Instances – example of an EC2-Classic customer adopting VPC
• SDD419 – Amazon EC2 Networking Deep Dive – network performance, placement groups, enhanced networking

LONDON – Please complete your session evaluation!