Professional Documents
Culture Documents
London
AWS Networking fundamentals
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introductory - 200
“These sessions provide an overview of AWS services and
features, and they assume that attendees are new to the
topic. These sessions highlight basic use cases, features,
functions, and benefits."
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Default VPC Amazon Virtual Private Cloud (Amazon VPC)
172.31.0.128 172.31.1.24
Connected Internet 54.2.3.4
Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Choosing an IP address
range
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Choosing an IP address range for your VPC
172.31.0.0/16
RFC1918 range: Recommended:
• 10.0.0.0/8
/16
• 172.16.0.0/12
• 192.168.0.0/16 (65,536 addresses)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Creating subnets in a VPC
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC subnets and Availability Zones
172.31.0.0/16
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR
• Fixed sizes for VPC and subnets:
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC subnets and Availability Zones
172.31.0.0/16
2600:1f16:14d:6300::/56
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing in a VPC
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• But, you can create and assign different route tables to different
subnets
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traffic destined for my VPC
stays in my VPC
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
But what about the
Internet?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Destination Target
172.31.0.0/16 local
0.0.0.0/0 igw_id
NAT
gateway
Internet
gateway
Destination Target
172.31.0.0/16 local
0.0.0.0/0 Nat_gw_id
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Outbound internet
access
Security groups Network access Flow logs
control list
Network security
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups Network access Flow logs
control list
Network security
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups follow application structure
Allow only
“MyWebServers”
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups example: Web servers
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups example: Backends
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups Network access Flow logs
control list
Network security
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups vs. NACLs
Security group Network ACL
Operates at instance level Operates at subnet level
Supports allow rules only Supports allow and deny rules
Is stateful: return traffic is automatically Is stateless: return traffic must be explicitly
allowed regardless of any rules allowed by rules
All rules evaluated before deciding whether to Rules evaluated in order when deciding whether
allow traffic to allow traffic
Applies only to instances explicitly associated Automatically applies to all instances launched
with the security group into associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4
addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS
server)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups Network access Flow logs
control list
Network security
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC flow logs
• Visibility
• Troubleshooting
• Analyze traffic AZ 1 AZ 2
flow
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC flow logs: Setup
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC flow logs format
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC flow logs format
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC DNS options
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connecting your VPC
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Peering Transit Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Peering Transit Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC peering
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC peering
• Full private IP connectivity
between two VPCs
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish a VPC peering: Initiate request
Initiate peering
request
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish a VPC peering: Accept request
Initiate peering
request
Step 2
Accept peering
request
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish a VPC peering: Create a route
InitiateTraffic
peeringdestined for the peered VPC
should go to the peering
request
Step 2
Accept peering
request
Step 3
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Peering Transit Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before Transit Gateway …
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
With Transit Gateway …
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
With Transit Gateway …
Traffic destined for any VPC in
172.16.0.0/12 range should go via TGW
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
With Transit Gateway …
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC peering or TGW?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS
AWS VPN Direct Connect
Connecting to on-premises
networks:
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Extend an on-premises network into your VPC
AWS VPN
AWS
Direct Connect
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS VPN basics
192.168.0.0/16 Two IPSec tunnels 172.31.0.0/16
virtual
customer private
gateway gateway
192.168/16
VPN connection
Customer or
partner cage AWS cage
Customer network
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect – Multiple VPCs
192.168.0.0/16
Private virtual interface
(VLAN)
Customer or
partner cage AWS cage AWS Direct Connect
Gateway
AWS Direct Connect location
Customer network
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before Transit Gateway …
Customer
Customer
network
network
Customer
Gateway
Direct Connect
Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
With Transit Gateway …
Customer
Customer
network
network
Customer
Gateway
Direct Connect
Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
With Transit Gateway …
Route to on-premise via TGW Customer
Customer
network
network
Customer
Gateway Route to on-premise via VPN (or Direct
Direct Connect
Connect) Gateway
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What about DNS?
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Route 53 Resolver for hybrid clouds
Conditional forwarding
rules
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
…more AWS networking
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing VPC resources
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Sharing – owner account
NACL
NACL
SUMMIT
Infrastructure account © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Sharing – participant account
Account Web
Account DB
Account APP
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why VPC sharing?
VPC endpoints
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway VPC endpoints: Amazon S3 and DynamoDB
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Interface VPC endpoints
AWS
Services
APIs
Private IP: Private IP:
172.31.1.6 172.31.2.10
*service*.eu-west-1.amazonaws.com
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink: VPC endpoint services
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Global Accelerator
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing AWS Global Accelerator
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing AWS Global Accelerator
Access Application!
Accessing
It can take
your
many
application
networksisto
not
reach
this the
straightforward!
application
Paths to and from the application may differ
Each hop impacts performance and can introduce risk
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Accessing your web applications with
AWS Global Accelerator
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DATACENTER
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
Perry Wald
perrwald@amazon.co.uk
Tom Adamski
tomada@amazon.co.uk
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.