Aws Networking Fundamentals 1645349307 190513134233 PDF

SUMMIT
London
AWS Networking fundamentals
Perry Wald & Tom Adamski

AWS Solutions Architects
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introductory - 200
“These sessions provide an overview of AWS services and
features, and they assume that attendees are new to the
topic. These sessions highlight basic use cases, features,
functions, and benefits."
Default VPC Amazon Virtual Private Cloud (Amazon VPC)
/16 IPv4 CIDR block

(172.31.0.0/16). 54.4.5.6
/20 default subnet
172.31.0.128 172.31.1.24
Connected Internet 54.2.3.4
Gateway
Security Group (SG)

172.31.0.129 172.31.1.27
Network Access Control
List (NACL)
Subnet in availability zone Subnet in availability zone
(AZ) 1 (AZ) 2
VPC concepts & fundamentals
IP Creating Routing in a Security

addressing subnets VPC
Choosing an IP address
range
Choosing an IP address range for your VPC
Avoid ranges that overlap with

other networks to which you
might connect
172.31.0.0/16
RFC1918 range: Recommended:
• 10.0.0.0/8
/16
• 172.16.0.0/12
• 192.168.0.0/16 (65,536 addresses)
Creating subnets in a VPC
VPC subnets and Availability Zones
172.31.0.0/16
eu-west-1a eu-west-1b eu-west-1c
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
VPC subnet VPC subnet VPC subnet
Availability Zone Availability Zone Availability Zone
IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR
• Fixed sizes for VPC and subnets:
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
• /64 subnets (18,446,744,073,709,551,616 addresses)
VPC subnets and Availability Zones
172.31.0.0/16
2600:1f16:14d:6300::/56
eu-west-1a eu-west-1b eu-west-1c
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64
VPC subnet VPC subnet VPC subnet
Availability Zone Availability Zone Availability Zone
Routing in a VPC
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• But, you can create and assign different route tables to different
subnets
Traffic destined for my VPC
stays in my VPC
But what about the
Internet?
Destination Target
172.31.0.0/16 local
0.0.0.0/0 igw_id
198.51.100.3 Inbound internet

access
198.51.100.4
NAT
gateway
Internet
gateway
Destination Target
172.31.0.0/16 local
0.0.0.0/0 Nat_gw_id
Outbound internet
access
Security groups Network access Flow logs
control list
Network security
control list
Network security
Security groups follow application structure
“MyWebServers” security group
Allow only
“MyWebServers”
“MyBackends” security group
Security groups example: Web servers
Allow HTTP traffic from anywhere
Security groups example: Backends
Allow application traffic

from web servers only
control list
Network security
Security groups vs. NACLs
Security group Network ACL
Operates at instance level Operates at subnet level
Supports allow rules only Supports allow and deny rules
Is stateful: return traffic is automatically Is stateless: return traffic must be explicitly
allowed regardless of any rules allowed by rules
All rules evaluated before deciding whether to Rules evaluated in order when deciding whether
allow traffic to allow traffic
Applies only to instances explicitly associated Automatically applies to all instances launched
with the security group into associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4
addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS
server)
control list
Network security
VPC flow logs
• Visibility
• Troubleshooting
• Analyze traffic AZ 1 AZ 2
flow
VPC flow logs: Setup
VPC traffic metadata

captured in Amazon S3
or Amazon CloudWatch Logs
VPC flow logs format
VPC flow logs format
Accept ssh from public address 210.21.226.2

DNS in a VPC
VPC DNS options
Have EC2 auto-assign DNS

host names to instances Use Amazon DNS server
Connecting your VPC
Connecting to Connecting to your

other VPCs on-premises network
VPC Peering Transit Gateway
Connecting to other VPCs
VPC peering
VPC peering
• Full private IP connectivity
between two VPCs
• Can peer VPCs across regions
• VPCs can be in different

accounts
• VPC CIDR ranges must not

overlap
Establish a VPC peering: Initiate request
172.31.0.0/16 Step 1 10.55.0.0/16
Initiate peering
request
Establish a VPC peering: Accept request
172.31.0.0/16 Step 1 10.55.0.0/16
Initiate peering
request
Step 2
Accept peering
request
Establish a VPC peering: Create a route
172.31.0.0/16 Step 1 10.55.0.0/16
InitiateTraffic
peeringdestined for the peered VPC
should go to the peering
request
Step 2
Accept peering
request
Step 3
Before Transit Gateway …
With Transit Gateway …
Traffic destined for any VPC in
172.16.0.0/12 range should go via TGW
Route back to our VPC
Centralized private IP connectivity

between multiple VPCs
VPCs must be in the same region as

Transit Gateway
VPCs can be in different accounts
VPC peering or TGW?

VPC LIMIT 125 peerings 5,000 attachments
BANDWIDTH LIMIT N/A (intra-region) 50Gbps per VPC attachment
MANAGEMENT Decentralised Centralised
COST DIMENSIONS Data Transfer Data Transfer & Attachment
AWS
AWS VPN Direct Connect
Connecting to on-premises
networks:
Extend an on-premises network into your VPC
AWS VPN
AWS
Direct Connect
AWS VPN basics
192.168.0.0/16 Two IPSec tunnels 172.31.0.0/16
virtual
customer private
gateway gateway
192.168/16
VPN connection
Your networking device

AWS Direct Connect basics
192.168.0.0/16 172.31.0.0/16
Private virtual interface
(VLAN)
virtual
private
gateway
Customer or
partner cage AWS cage
AWS Direct Connect location

Public virtual interface
(VLAN)
AWS services
Customer network
AWS Direct Connect – Multiple VPCs
192.168.0.0/16
Private virtual interface
(VLAN)
Customer or
partner cage AWS cage AWS Direct Connect
Gateway
AWS Direct Connect location
Customer network
Before Transit Gateway …
Customer
Customer
network
network
Customer
Gateway
Direct Connect
Gateway
Customer
Customer
network
network
Customer
Gateway
Direct Connect
Gateway
Route to on-premise via TGW Customer
Customer
network
network
Customer
Gateway Route to on-premise via VPN (or Direct
Direct Connect
Connect) Gateway
What about DNS?
Amazon Route 53 Resolver for hybrid clouds
Conditional forwarding
rules
…more AWS networking
VPC Sharing VPC endpoints and Amazon Global

AWS PrivateLink Accelerator
Sharing VPC resources
VPC Sharing – owner account
NACL
NACL
SUMMIT
Infrastructure account © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Sharing – participant account
Account Web
Account DB
Account APP
Why VPC sharing?
Preserve IP space Interconnectivity

Use fewer IPv4 CIDRs No VPC Peering required
Separation of duties Billing and Security

A central team can create and Continue to enjoy segregation
manage your Amazon VPC with multiple accounts
Same AZ cost for data transfer is nil!
Gateway VPC Interface VPC PrivateLink
endpoints endpoints
VPC endpoints
Gateway VPC endpoints: Amazon S3 and DynamoDB
Route S3-bound traffic

to the VPC endpoint
S3 bucket
Interface VPC endpoints
AWS
Services
APIs
Private IP: Private IP:
172.31.1.6 172.31.2.10
*service*.eu-west-1.amazonaws.com
AWS PrivateLink: VPC endpoint services
Private IP: Endpoint

10.10.1.6 vpce-1234
Amazon Global Accelerator
Introducing AWS Global Accelerator
Client Global AWS Applications

Accelerator
Introducing AWS Global Accelerator
Access Application!
Local ISP Network A B C D E F
Accessing
It can take
your
many
application
networksisto
not
reach
this the
straightforward!
application
Paths to and from the application may differ
Each hop impacts performance and can introduce risk
Accessing your web applications with
AWS Global Accelerator
Local ISP AWS Network
Adding AWS Global Accelerator removes these inefficiencies

Leverages the Global AWS Network
Resulting in improved performance
DATACENTER
Thank you!
Perry Wald
perrwald@amazon.co.uk
Tom Adamski
tomada@amazon.co.uk

Aws Networking Fundamentals 1645349307 190513134233 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aws Networking Fundamentals 1645349307 190513134233 PDF

Uploaded by

Copyright:

Available Formats

SUMMIT

Perry Wald & Tom Adamski

/16 IPv4 CIDR block

/20 default subnet

Security Group (SG)

IP Creating Routing in a Security

Avoid ranges that overlap with

eu-west-1a eu-west-1b eu-west-1c

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

VPC subnet VPC subnet VPC subnet

Availability Zone Availability Zone Availability Zone

• /64 subnets (18,446,744,073,709,551,616 addresses)

eu-west-1a eu-west-1b eu-west-1c

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

VPC subnet VPC subnet VPC subnet

Availability Zone Availability Zone Availability Zone

198.51.100.3 Inbound internet

“MyWebServers” security group

“MyBackends” security group

Allow HTTP traffic from anywhere

Allow application traffic

VPC traffic metadata

or Amazon CloudWatch Logs

Accept ssh from public address 210.21.226.2

Have EC2 auto-assign DNS

Connecting to Connecting to your

Connecting to other VPCs

Connecting to other VPCs

• Can peer VPCs across regions

• VPCs can be in different

• VPC CIDR ranges must not

172.31.0.0/16 Step 1 10.55.0.0/16

172.31.0.0/16 Step 1 10.55.0.0/16

172.31.0.0/16 Step 1 10.55.0.0/16

Connecting to other VPCs

Route back to our VPC

Centralized private IP connectivity

VPCs must be in the same region as

VPCs can be in different accounts

VPC Peering Transit Gateway

Your networking device

AWS Direct Connect location

VPC Sharing VPC endpoints and Amazon Global

Preserve IP space Interconnectivity

Separation of duties Billing and Security

Route S3-bound traffic

Private IP: Endpoint

Client Global AWS Applications

Local ISP Network A B C D E F

Local ISP AWS Network

Adding AWS Global Accelerator removes these inefficiencies

You might also like