© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Multi-account environments – benefits & characteristics
What is an AWS account?
[Diagram: a single AWS account (Account A) inside the AWS Cloud]
With one account…
[Diagram: one AWS account containing VPC 1, VPC 2 and VPC 3, with a public subnet]
AWS Organizations
What is an organization?
• Organizations contain a root, a management account, organizational units (OUs), and member accounts
• The organization root is the top-most node of the organization and defines the boundaries of the organization
• The management account is used to manage the organization
§ Activate cross-account services and delegate administration to member accounts
§ Limited access to management account
[Diagram: Root at the top, with the management account and OUs beneath it; OUs can contain nested OUs]
Benefits of a multi-account environment
[Table: Benefits | Use cases]
Architecting your environment
Architecting your environment: start small
[Diagram: foundational OUs (Security OU, Infrastructure OU) next to a Sandbox OU and a Workloads OU; the Workloads OU contains a Test OU and a Production OU]
Account Structure: example structure of accounts in an AWS organization
[Diagram: two top-level OUs, Foundation and Workloads.
Foundation: Security OU with the Logs Archive and Security-Toolings accounts; Infrastructure OU with the Shared-Infra account.
Workloads: Prod OU with the Workload 1 Prod and Workload 2 Prod accounts; Test OU with the Workload 2 Test account.
Legend: OU, Account]
Management account: centralize access, control, and resource management
[Diagram: the management account is itself an AWS account]
Security organizational unit
[Diagram: the Security OU as the destination for AWS Security Hub, Amazon GuardDuty, AWS Config, access logs, DNS logs, flow logs and AWS CloudTrail events]
Infrastructure organizational unit
[Diagram: the Infrastructure OU with AWS Transit Gateway, Amazon Virtual Private Cloud (Amazon VPC), AWS Service Catalog, AWS Systems Manager Explorer and AWS CloudFormation]
Separating workloads in the workload OU
[Diagram: foundational OUs (including the Infrastructure OU) beside the Workloads OU, which holds a Prod OU and a Test OU; Workload B prod and Workload B test each live in their own AWS account]
AWS Control Tower: using AWS Control Tower to govern multi-account AWS environments at scale
[Diagram: AWS Control Tower at the centre. Enable: AWS Organizations, AWS Budgets, AWS License Manager, AWS Well-Architected Tool. Operate: Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Systems Manager, AWS Cost and Usage Report, AWS Cost Explorer]
Business agility and governance control
[Diagram: governance balanced against agility; agility means self-service access, experimenting fast and responding quickly to change]
Enable governance, manage continuously
Landing Zone provisioned by AWS Control Tower
[Diagram: the management account with AWS CloudFormation StackSets, AWS Service Catalog (Account Factory), a Core OU, a Custom OU and an AWS SSO directory]
Establish guardrails
[Diagram: preventive guardrails are enabled on organizational units and enforced as granular AWS policies; detective/remediable guardrails are enabled on organizational units and evaluated by AWS Config rules, which report each account as Compliant or Non-compliant]
Guardrail Examples
Guardrail | Type | Requirement
Disallow Amazon S3 Buckets That Are Not Versioning Enabled | Detective | Elective
Automate Compliant Account Provisioning
[Diagram: AWS Control Tower applies the guardrails plus a network baseline, an OU baseline and an account baseline to each newly provisioned account]
Centralize identity and access
Dashboard for oversight
Call to action: what's next
• Attend the AWS sessions related to multi-account if you want to learn more!
Thank you!
Connecting to On-Premises Networks
Tran Tuan Anh – Viet-AWS
Static: policy- or route-based | Dynamic: route-based only
[Diagram: several VPCs attached to AWS Transit Gateway through VPC attachments, plus a VPN attachment to the corporate data center 172.16.0.0/16.
TGW route table: 172.16.0.0/16 via VPN.
VPC route table: 172.16.0.0/16 via TGW]
© 2020, Amazon Web Services, Inc. or its Affiliates.
AWS Direct Connect
[Diagram: a VPC (10.2.0.0/16) in a Region reached from a Direct Connect location through a Direct Connect gateway; a second variant inserts AWS Transit Gateway between the Direct Connect gateway and the VPC]
[Diagram: corporate data center 172.16.0.0/16 connected to AWS; a public virtual interface reaches Amazon DynamoDB, Amazon Simple Storage Service (S3) and Amazon CloudWatch, and a transit virtual interface reaches Amazon VPCs through AWS Transit Gateway; site-to-site VPN and cross-region peering are also shown]
[Diagram: AWS Direct Connect location with an AWS cage and a customer or partner cage; on-premises connects through the AWS Direct Connect gateway to AWS Transit Gateway; N Amazon VPCs are reached via TGW Connect attachments carried over GRE tunnels with BGP sessions]
DNS Resolution in a Hybrid Cloud
Amazon Route 53
• AWS DNS service
• Domain Registration
• DNS Failover
• Latency Based Routing
• Geo Based Routing
[Diagram: DNS failover: "Main site healthy?" Yes/No, directing clients between Elastic Load Balancers]
Outbound resolver endpoints
[Diagram 1: inside VPC 10.0.0.0/16 an instance asks the Amazon R53 resolver (10.0.0.2) for www.aws.example.internal and receives the answer 1.2.3.4]
[Diagram 2: inside VPC 10.0.0.0/16 an instance asks the Amazon R53 resolver for www.aws.example.internal; the answer comes from a server in the VPC (labels: Server, 10.2.0.3.0, .4.2)]
[Diagram 3: inside VPC 10.0.0.0/16 an instance asks the Amazon R53 resolver (10.0.0.2) for www.dc.example.internal; the resolver forwards the query through an R53 Resolver outbound endpoint to the DNS server 172.16.0.10 in the corporate data center 172.16.0.0/16, which hosts the private zone dc.example.internal and answers 172.16.0.150]
Presenters: Nguyen Quang Hieu, Tung NX, Hung Vu, Hoang Manh Tung, Hai Nguyen, Nguyen Ba Thanh
GitHub: github.com/hieuchaya4, github.com/hiimtung, github.com/hungran, github.com/kerashanog, github.com/haicasgox, github.com/lacoski
Agenda
1. Networking Basic on AWS
2. Multi-VPC & Account on AWS
3. AWS Transit Gateway (TGW)
4. Hub & Spoke Architecture
5. Applying GitOps with Multi-VPC/Account with Network Firewall & OpenSource Tools
Networking Basic on AWS
Back to old school
[Diagram: a VPC divided into subnets]
VPC Peering
[Diagram: VPC A 10.0.0.0/16 peered with VPC C 172.31.0.0/16; the X marks a path that peering does not provide, since a peering connection is not transitive]
[Diagram: VPC A 10.0.0.0/16, VPC B 192.168.0.0/16 and VPC C 172.31.0.0/16 in the AWS Cloud, every pair joined by its own peering connection]
Full mesh: n(n-1)/2 peering connections
Transit Gateway
[Diagram: AWS Transit Gateway in the AWS Cloud with attachments to Amazon VPCs, to a DX gateway, and to a VPN connection terminating on a customer gateway in the corporate network (DX or VPN to the corporate network)]
[Diagram: AWS Transit Gateway with one attachment each to VPC A, VPC B, VPC C and VPC D within an AWS Region; a single attachment can span multiple Availability Zones]
[Diagram: a VPC whose traffic toward another isolated VPC is marked X, while the corporate network remains reachable]
… packets from the attachments for another isolated router.
It means, for example: packets from one VPC that have a destination of a subnet in another VPC, for example from 10.100.0.0/16 (Prod) to 10.102.0.0/16, route through the transit gateway, where they are blocked because there is no route for them in the transit gateway route table. The traffic between Azure and AWS still passes through the two route tables.
Transit Gateway Route Table
• A TGW can have many route tables
• Similar to virtual routing and forwarding (VRF) instances
• Can build complex network topologies, e.g. Hub & Spoke
• Route distribution between two tables can be controlled via propagations
• Can define static and blackhole routes
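The isolation behaviour described above (a packet from one VPC toward another is dropped when the route table its attachment is associated with holds no route for it) and the Hub & Spoke pattern built from associations and propagations can be reproduced in a small model. The following Python is an added example, not code from this deck or from AWS; it models a transit gateway in which each attachment is associated with exactly one route table (the table consulted for packets entering through that attachment) and may propagate its CIDRs into any table, with longest-prefix matching and static blackhole routes. All attachment names and CIDRs (vpc-dev 10.101.0.0/16, vpc-prd 10.100.0.0/16, dx-gw 192.168.0.0/16, the blackholed 10.102.0.0/16) are constructed for the example.

```python
"""Model of transit gateway route tables with associations and propagations.

Added example; the behaviour modelled follows the deck's description, the
names and CIDRs are constructed, and nothing here calls a real AWS API.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"  # route target that explicitly drops matching traffic


@dataclass
class RouteTable:
    """One TGW route table: destination CIDR -> attachment name (or BLACKHOLE)."""
    name: str
    routes: dict = field(default_factory=dict)

    def add_route(self, cidr: str, target: str) -> None:
        self.routes[ip_network(cidr)] = target

    def lookup(self, dst: str):
        """Longest-prefix match; returns the target, or None when nothing matches."""
        addr = ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class TransitGateway:
    def __init__(self) -> None:
        self.tables: dict[str, RouteTable] = {}
        self.attachments: dict[str, list[str]] = {}  # attachment -> CIDRs behind it
        self.association: dict[str, str] = {}        # attachment -> its one associated table

    def add_table(self, name: str) -> RouteTable:
        self.tables[name] = RouteTable(name)
        return self.tables[name]

    def add_attachment(self, name: str, cidrs: list[str]) -> None:
        self.attachments[name] = cidrs

    def associate(self, attachment: str, table: str) -> None:
        # The associated table is the one consulted for packets that ENTER the
        # transit gateway through this attachment.
        self.association[attachment] = table

    def propagate(self, attachment: str, table: str) -> None:
        # Propagation copies the attachment's CIDRs into a table as routes that
        # point back at the attachment, so that table can reach it.
        for cidr in self.attachments[attachment]:
            self.tables[table].add_route(cidr, attachment)

    def forward(self, src_attachment: str, dst_ip: str) -> tuple:
        """Decide what the TGW does with a packet arriving from src_attachment."""
        table = self.tables[self.association[src_attachment]]
        target = table.lookup(dst_ip)
        if target is None:
            return ("drop", f"no route in {table.name}")
        if target == BLACKHOLE:
            return ("drop", "blackhole")
        return ("forward", target)


def build_hub_and_spoke() -> TransitGateway:
    """Hub & Spoke: spokes reach on-premises through DX but never each other."""
    tgw = TransitGateway()
    tgw.add_table("Spoke")
    tgw.add_table("Hub")
    # Constructed prefixes in the spirit of the deck's 10.x.0.0/16 and 192.168.x.x/y labels
    tgw.add_attachment("vpc-dev", ["10.101.0.0/16"])
    tgw.add_attachment("vpc-prd", ["10.100.0.0/16"])
    tgw.add_attachment("dx-gw", ["192.168.0.0/16"])
    # VPC attachments enter via the Spoke table; the DX attachment enters via Hub
    tgw.associate("vpc-dev", "Spoke")
    tgw.associate("vpc-prd", "Spoke")
    tgw.associate("dx-gw", "Hub")
    # Spoke learns only the on-premises prefix; Hub learns every VPC prefix
    tgw.propagate("dx-gw", "Spoke")
    tgw.propagate("vpc-dev", "Hub")
    tgw.propagate("vpc-prd", "Hub")
    # Static blackhole: drop a retired range on purpose instead of relying on
    # the absence of a route, which a later propagation could silently fill
    tgw.tables["Spoke"].add_route("10.102.0.0/16", BLACKHOLE)
    return tgw


if __name__ == "__main__":
    tgw = build_hub_and_spoke()
    for src, dst in [("vpc-dev", "192.168.1.10"), ("vpc-dev", "10.100.0.10"),
                     ("vpc-dev", "10.102.0.10"), ("dx-gw", "10.100.0.10")]:
        print(f"{src} -> {dst}: {tgw.forward(src, dst)}")
```

Running the module prints the four decisions: dev-to-on-premises is forwarded to dx-gw, dev-to-prd is dropped with no route in Spoke even though both VPCs hang off the same transit gateway, the retired range hits the blackhole, and traffic entering from dx-gw is forwarded to the right VPC because the Hub table learned every VPC prefix. On a real transit gateway the equivalent check is to inspect the routes and propagations of the table an attachment is associated with, not only the VPC's own route table.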
Transit Gateway Route Table
[Diagram: VPC Dev (10.x.0.0/16, with its VPC route table) and VPC Prd (10.x.0.0/16, with its VPC route table) each attached to AWS Transit Gateway, alongside a DX Gateway attachment toward 192.168.x.x/y]
Transit Gateway Route Table: associate attachment to TGW route table
[Diagram: the VPC Dev attachment (10.x.0.0/16) is associated with the Spoke TGW route table; a DX GW attachment is also present]
[Diagram: the same association, with a VPN attachment in place of the DX GW attachment]
Transit Gateway Route Table: associate attachment to TGW route table
[Diagram: two TGW route tables. The VPC Dev and VPC Prd attachments (10.x.0.0/16) are associated with the Spoke table; the VPN and DX attachments (192.168.x.x/y) are associated with the Hub table]
Transit Gateway Route Table: propagation
[Diagram: propagation from the VPC Dev attachment (10.x.0.0/16) and from the DX attachment into the Spoke TGW route table]
Transit Gateway Route Table
[Diagram: VPC Dev and VPC Prd (10.x.0.0/16 each, with subnet route tables) attached to AWS Transit Gateway; a DX attachment leads to the corporate network 192.168.x.x/y]
Transit Gateway Route Table: traffic flow
[Flow 1: packet S: 10.0.0.10, D: 10.1.0.10, shown against the 10.x.0.0/16 VPC route table]
[Flow 2: packet S: 10.0.0.10, D: 10.101.0.10, shown against the 10.100.0.0/16 VPC route table]
[Flow 3: packet S: 10.101.0.10, D: 192.168.x.x from the 10.101.0.0/16 VPC reaches the DX GW attachment through its propagation into, and association with, the TGW route table]
[Flow 4: packet S: 10.101.0.10, D: 10.100.0.10 from VPC Dev (10.101.0.0/16) toward the 10.100.0.0/16 VPC is blocked (X): the associated TGW route table has no route to the other VPC]
What is AWS Network Firewall
Types of threats that exist today
Firewall RuleGroup
FirewallPolicy
How AWS Network Firewall protects resources
Deployment model
Reference Architectures:
https://aws.amazon.com/vi/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall
AWS Network Firewall partners
Operation
On-premise Firewall vs AWS Network Firewall
[Comparison diagram: On-premise Firewall vs AWS Network Firewall]