
AWS Virtual Private Cloud

Introduction
1 Overview
VPC Definition
AWS Cloud
⬥ the AWS Cloud is a shared network
⬦ WAN/LAN
⬦ Hardware (Nodes, Storage etc.)
⬥ VPC
⬦ private network inside the shared cloud

Diagram: two customer VPCs (Customer A, Customer B) sit inside the shared AWS Cloud next to the shared services S3, SQS and DynamoDB.

AWS Cloud
Diagram: two Regions (Region 1, Region 2), each containing a VPC that spans Availability Zones A, B and C, with a subnet in each zone.
⬥ Region = Geographic Area
⬥ AZ = Datacenter

Manage resources
● AWS Management Console: https://us-east-1.console.aws.amazon.com
● AWS Command Line Interface (AWS CLI): https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
● AWS Tools and SDKs: https://aws.amazon.com/tools/?nc1=h_ls

Pricing
In principle, there are no additional costs for the VPC. However, you should check the pricing again for the following services:
⬥ Control / Monitoring
⬥ Connectivity / Data Transmission
⬥ Security

2 Prerequisites
Prepare the AWS Account
Create an IAM User
Assign IAM Permissions
AWS Command Line Interface (CLI)

3 Default VPC
⬥ there is one VPC per region by default
⬥ the default VPC has a public subnet in each AZ
⬥ Purpose
⬦ fast launching of public components, e.g. a website

Helicopter View
Default VPC - Overview
Diagram: VPC 10.0.0.0/16 with a DHCP option set; in the Availability Zone, a public subnet 10.0.0.0/24 guarded by a NACL contains an instance; the router with its route table connects the subnet to the Internet gateway.

Overview of automatically created components

Limits of the Default VPC
⬥ little control over networking settings
⬥ CIDR blocks not adjustable / IP range predefined
⬥ no private subnet by default
⬥ no easy replication of environments possible

4 Non-Default VPC
Advantages of the Non-Default VPC
⬥ full control over the networking settings
⬥ VPC size and CIDR block size are adjustable
⬥ creation of a private subnet possible
⬥ easy replication of environments possible, e.g. dev, staging, prod

Classless Inter-Domain Routing (CIDR)
CIDR Blocks

CIDR   Subnet mask (binary)                  Subnet mask (decimal)   Max. addresses
/0     00000000.00000000.00000000.00000000   0.0.0.0                 4,294,967,296 (2^32)
/1     10000000.00000000.00000000.00000000   128.0.0.0               2,147,483,648
/16    11111111.11111111.00000000.00000000   255.255.0.0             65,536 (2^16)
/32    11111111.11111111.11111111.11111111   255.255.255.255         1 (2^0)

Specify network size
CIDR Block range
⬥ min. size: /28 → 16 addresses
⬥ max. size: /16 → 65536 addresses
Source: https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html

CIDR Rules
⬥ multiple CIDR blocks can be assigned to one VPC
⬥ CIDR blocks in a VPC cannot overlap each other
⬥ the size of an existing CIDR block cannot be changed

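The CIDR range (/16 to /28) and the no-overlap rule from the slides above, checked in code. This is an added Python example, not material from the slides; the function and constant names are the example's own.

```python
"""Check a VPC CIDR plan against the rules on the slides.

Added example (not from the slides): the /16../28 limits and the
no-overlap rule are taken from the text; everything else is illustration.
"""
import ipaddress

MIN_PREFIX = 16  # largest block AWS accepts for a VPC (/16 = 65536 addresses)
MAX_PREFIX = 28  # smallest block AWS accepts for a VPC (/28 = 16 addresses)


def block_size(cidr: str) -> int:
    """Number of addresses in a CIDR block: 2 ** (32 - prefix length)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def check_vpc_cidrs(cidrs) -> list:
    """Return a list of rule violations for the CIDR blocks of one VPC.

    An empty list means the plan satisfies the rules on the slides:
    every block is between /16 and /28, and no two blocks overlap.
    """
    problems = []
    nets = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            # strict=True rejects host bits set in the prefix, e.g. 10.0.0.1/24
            problems.append(f"{cidr}: not a valid network ({exc})")
            continue
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{cidr}: prefix /{net.prefixlen} outside /16../28")
        nets.append(net)
    # Pairwise overlap check: a secondary block must not overlap any other block
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    print(block_size("10.0.0.0/16"))                            # 65536
    print(check_vpc_cidrs(["10.0.0.0/16", "10.1.0.0/16"]))      # []
    print(check_vpc_cidrs(["10.0.0.0/16", "10.0.1.0/24", "10.0.0.0/8"]))
```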
Create a Non-Default VPC

5 Subnets I - Public
Overview
Diagram: the three subnet types in the AWS Cloud
● Public subnet: public access
● Private subnet: only private access
● VPN-only subnet: only VPN connections
IP addressing of a subnet:
● IPv4-only
● IPv6-only
● Dual-stack (IPv4 and IPv6)

Public IP Addresses
⬥ AWS provides a pool of public IP addresses
⬥ the public IP addresses are not associated with the respective AWS account → e.g. when an EC2 instance is terminated, its public IP is released to the global pool again
⬥ you can set a flag on each subnet whether to assign a public IPv4 address or not

Elastic IP Addresses
⬥ AWS provides a pool of public EIP addresses
⬥ these static IP addresses can be mapped to your VPC
⬥ you can map multiple private IP addresses to one EIP
⬥ if the EIP is no longer needed, it can be returned to the pool

Create Public Subnets
Diagram: VPC 10.0.0.0/16 in one Availability Zone with two public subnets, prod-sub1 (10.0.0.0/24) and prod-sub2 (10.0.1.0/24).

EC2 instances in the public subnet
Overview
Diagram: the same VPC 10.0.0.0/16 with one EC2 instance per public subnet: prod-ec2-1 in prod-sub1 (10.0.0.0/24) and prod-ec2-2 in prod-sub2 (10.0.1.0/24).

Internet Gateway (IGW)
⬥ is a horizontally scalable, redundant and highly available VPC component
⬥ connects to and from the Internet when the requesting resource has a public IP address assigned to it
⬥ imposes no availability risk or bandwidth limitation on the network traffic
⬥ no additional costs
⬥ Purpose
⬦ Target in the route table for traffic to and from the Internet
⬦ Network Address Translation for instances with a public IP address

Internet Gateway
Diagram: an IGW attached to VPC 10.0.0.0/16; the VPC router connects the IGW to prod-sub1 (10.0.0.0/24, prod-ec2-1) and prod-sub2 (10.0.1.0/24, prod-ec2-2).

Route Tables
Diagram: as before, with a route table attached to the VPC router between the IGW and the two public subnets.

Route Tables
● each VPC has a router which can be configured with route tables
● a route table consists of routes that define where the network traffic is routed in the VPC/subnet

Rules
● each subnet is assigned to exactly one route table
● you can assign the same route table to multiple subnets
● the Main route table is created with the VPC and can be used for all subnets
● with Custom route tables you can make more detailed settings

Example route:
Destination   Target
0.0.0.0/0     igw-XYZ

Establish internet access
Overview
Diagram: both public subnets, prod-sub1 (10.0.0.0/24) and prod-sub2 (10.0.1.0/24), use a route table with the following routes:
Destination   Target
10.0.0.0/16   Local
0.0.0.0/0     igw-XYZ

6 Subnets II - Private
Overview
Diagram: starting point, as before: prod-sub1 (10.0.0.0/24) and prod-sub2 (10.0.1.0/24) are both public, each routing 10.0.0.0/16 → Local and 0.0.0.0/0 → igw-XYZ.

Private IP Addresses
⬥ are not accessible via the Internet
⬥ for communication of instances within the VPC
⬥ if no private IP is specified when starting an EC2 instance, AWS automatically assigns an available IP address in the subnet range
⬥ multiple private IPs can also be assigned to an instance

Basics NAT Gateway
⬥ NAT = Network Address Translation, i.e. the source IP address of the instance is replaced by the IP address of the NAT gateway
⬥ for response traffic the IP of the NAT GW is translated back to the original source IP address
⬥ for HA (High Availability) a separate NAT GW should be created in each AZ
⬥ Public NAT GW
⬦ allows outgoing traffic + associated replies for resources in a private subnet, prevents incoming traffic
⬦ private IP addresses are translated to a public IP address (Elastic IP assigned to the NAT GW)
⬥ Private NAT GW
⬦ private connections to other VPCs or on-premises networks can be established
⬦ the private IP addresses of the instances are replaced by the private IP address of the NAT GW (no Elastic IP at the private NAT GW)

Create a NAT Gateway
Public vs. Private Subnet
Diagram: prod-sub2 is now private. Route tables:
prod-sub1 (public)            prod-sub2 (private)
Destination   Target          Destination   Target
10.0.0.0/16   Local           10.0.0.0/16   Local
0.0.0.0/0     igw-XYZ         (no default route)

Public vs. Private Subnet
Diagram: a NAT gateway is added to the VPC, reachable through the IGW. Route tables:
prod-sub1 (public)            prod-sub2 (private)
Destination   Target          Destination   Target
10.0.0.0/16   Local           10.0.0.0/16   Local
0.0.0.0/0     igw-XYZ         0.0.0.0/0     nat-gw

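How the VPC router resolves a destination against the route tables shown in the Route Tables slides and in the public/private comparison above, as an added Python example (not from the slides). The route entries are the ones on the slides; the destination addresses and function names are the example's own.

```python
"""Longest-prefix-match lookup over the route tables shown on the slides.

Added example (not from the slides). It models how the VPC router picks a
target for a destination IP: the most specific matching route wins, and a
subnet whose table has no 0.0.0.0/0 route has no path out of the VPC.
Route entries are from the slides; the looked-up addresses are constructed.
"""
import ipaddress

# Route tables from the slides: (Destination, Target) pairs
PUBLIC_SUBNET_ROUTES = [("10.0.0.0/16", "Local"), ("0.0.0.0/0", "igw-XYZ")]
PRIVATE_SUBNET_ROUTES = [("10.0.0.0/16", "Local"), ("0.0.0.0/0", "nat-gw")]
ISOLATED_SUBNET_ROUTES = [("10.0.0.0/16", "Local")]  # private subnet before the NAT GW


def lookup_route(routes, dst_ip: str):
    """Return the target for dst_ip, or None when no route matches.

    AWS route tables use longest prefix match: of all routes whose Destination
    contains dst_ip, the one with the longest prefix is used, which is why the
    /16 Local route beats 0.0.0.0/0 for traffic that stays inside the VPC.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for destination, target in routes:
        net = ipaddress.ip_network(destination)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_reachable(routes) -> bool:
    """True if the table forwards non-VPC traffic to a gateway (IGW or NAT GW)."""
    target = lookup_route(routes, "203.0.113.10")  # TEST-NET-3 documentation address
    return target is not None and target != "Local"


if __name__ == "__main__":
    print(lookup_route(PUBLIC_SUBNET_ROUTES, "10.0.1.20"))      # Local
    print(lookup_route(PUBLIC_SUBNET_ROUTES, "203.0.113.10"))   # igw-XYZ
    print(lookup_route(PRIVATE_SUBNET_ROUTES, "203.0.113.10"))  # nat-gw
    print(lookup_route(ISOLATED_SUBNET_ROUTES, "203.0.113.10")) # None
```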
Bastion Host
Port forwarding through the bastion host to a resource in the private subnet:
ssh -L 2222:<PRIVATE_RESOURCE_IP>:22 ubuntu@<BASTION_HOST_IP> -o UserKnownHostsFile=/dev/null

7 Security
Hint: assign a high priority to security right from the start

Security of the Cloud → AWS
Security in the Cloud → User

You can increase the security level with the help of:
● Access Control Lists (ACLs)
● Security Groups
● Firewalls
● Subnets / Route Tables
● Monitoring
● IAM Permissions
● Encryption

Network Access Control List (NACL)
● is an additional security layer
● works as a firewall on subnet level
● by default every VPC has a NACL which allows all traffic
● you can assign custom NACLs to a subnet, where traffic must be explicitly allowed
● NACLs are stateless (rules for return traffic must be defined separately)
● rules are evaluated in order from 1 to 32766 (recommendation: create rules in increments of 10)
● a rule can allow or deny traffic

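The NACL behaviour described above (ordered evaluation, allow and deny rules, statelessness) worked through in code. This is an added Python example, not AWS code and not from the slides; the Rule class, the rule sets and the addresses are constructed for it.

```python
"""Stateless NACL evaluation as described on the slides (added example, not AWS code).

Rules are checked in ascending rule-number order and the first match decides;
a packet matching no numbered rule hits the implicit deny (rule "*"). Because a
NACL is stateless, the reply to an allowed inbound request needs its own
outbound rule on the ephemeral port range. The rule sets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # client-side port range that carries return traffic

@dataclass(frozen=True)
class Rule:
    number: int        # 1..32766, evaluated in ascending order
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: tuple  # (low, high) inclusive; ignored when protocol is "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    action: str        # "allow" or "deny"

def evaluate(rules, protocol: str, port: int, ip: str) -> str:
    """Return "allow" or "deny" for one packet; no match means the implicit deny."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.port_range[0] <= port <= rule.port_range[1]:
            continue
        if addr in ipaddress.ip_network(rule.cidr):
            return rule.action  # first match wins, later rules are not consulted
    return "deny"  # rule "*" at the end of every NACL

# Constructed custom NACL for a public web subnet: HTTPS is allowed in, but the
# outbound side lacks the ephemeral-port rule that the stateless return path needs.
INBOUND = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

def https_request_succeeds(outbound) -> bool:
    """Both directions must pass: the client's request in and our reply out."""
    request_in = evaluate(INBOUND, "tcp", 443, "203.0.113.7")
    reply_out = evaluate(outbound, "tcp", 49152, "203.0.113.7")  # reply to the client's port
    return request_in == "allow" and reply_out == "allow"

if __name__ == "__main__":
    print(https_request_succeeds(OUTBOUND_BROKEN))  # False: the reply is dropped
    print(https_request_succeeds(OUTBOUND_FIXED))   # True
```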
Security Group
● virtual firewall on resource level
● each VPC has a default security group
● security groups are stateful (the response to a network request is automatically allowed)
● there are only Allow rules (no Deny rules)

Security Group vs. ACL
Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

Network Firewall
● stateful
● can filter traffic in the VPC, e.g. traffic to/from an IGW, NAT GW or VPN
● uses the open source intrusion prevention system (IPS) Suricata for stateful inspection
● comes with additional costs

8 Monitoring
Flow Logs
● logs of incoming and outgoing traffic (to/from network interfaces in the VPC) are recorded
● flow logs can help in diagnosing and monitoring the traffic
● the logging does not affect the bandwidth or latency of the traffic
● flow logs can be created for entire VPCs, subnets or individual network interfaces
● flow logs do not act in real time
● flow logs can be stored in either S3 or CloudWatch
Diagram: Elastic network interface → Flow logs → Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch

Flow Logs
IAM Role for CloudWatch: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html

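Reading flow log records of the kind described in the Flow Logs slides and summarising the rejected traffic per source, as an added Python example (not from the slides or from AWS). The field order is the documented default flow log record format; the sample records, the ENI id and the addresses are constructed for this example.

```python
"""Parse VPC Flow Log records (default format) and summarise rejected traffic.

Added example, not from the slides. The field order below is AWS's documented
default record format (version, account-id, interface-id, srcaddr, dstaddr,
srcport, dstport, protocol, packets, bytes, start, end, action, log-status);
the sample records are constructed for this example.
"""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: one client using the web server on the ENI normally, one
# source rejected on several closed ports, and one NODATA record (no traffic).
SAMPLE_LOG = """\
2 111122223333 eni-0abc123 203.0.113.7 10.0.0.10 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 198.51.100.9 10.0.0.10 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc123 198.51.100.9 10.0.0.10 40002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc123 198.51.100.9 10.0.0.10 40003 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc123 198.51.100.9 10.0.0.10 40004 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text: str):
    """Yield one dict per record; NODATA/SKIPDATA records carry no traffic and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom (non-default) record format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["dstport"] = int(rec["dstport"])
        yield rec

def rejected_ports_by_source(text: str) -> dict:
    """Map each source address to the set of destination ports it was rejected on."""
    ports = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)

def sources_probing_many_ports(text: str, threshold: int = 3) -> list:
    """Sources rejected on at least `threshold` distinct ports, for the operator to review."""
    return sorted(src for src, p in rejected_ports_by_source(text).items() if len(p) >= threshold)
```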
9 Connectivity I - Endpoints
Endpoints
VPC endpoints allow global AWS services and resources to be connected in a VPC without the need to route traffic out of the AWS cloud. No IGW or NAT GW is required for this. The AWS service for this is called AWS PrivateLink.

Interface Endpoints
● Elastic Network Interface with a private IP address in the subnet
● Pricing: https://aws.amazon.com/privatelink/pricing/?nc1=h_ls

Gateway Endpoints
● target in a route table
● currently only available for AWS S3 and AWS DynamoDB
● without additional costs
Diagram: gateway endpoints for DynamoDB and Amazon Simple Storage Service (Amazon S3)

10 Connectivity II - Advanced
VPC Peering
● Goal: connect VPCs
● no additional hardware resources
● each VPC must be connected directly
● route tables must be adapted
Source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

VPC Transit Gateway
● is an additional resource in the VPC
● VPCs, VPN gateways and AWS Direct Connect endpoints can be connected
● is an additional transitive router, i.e. a hub-and-spoke topology can be set up where each VPC does not need to be directly connected to the other ones
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-centralized-router.html

VPN
Diagram: the VPN gateway in the VPC is linked by a VPN connection to the customer gateway in the on-premises network.

Outro
11 Tear down
