This document provides an overview of new and advanced capabilities for Amazon VPC including AWS PrivateLink, VPC sharing, Global Accelerator, Client VPN, and BYOIP. Key points include: - AWS PrivateLink allows access to additional AWS services privately from a VPC without an internet gateway. It now supports 18 services. - VPC sharing allows multiple AWS accounts to share a single VPC configuration with separate resource ownership and billing. - Global Accelerator improves application availability and performance by routing traffic to optimal endpoints across AWS regions. - Client VPN allows client-based access to VPC resources through OpenVPN clients instead of just site-to-site VPN. - BYOIP allows use of existing IP addresses on AWS

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Advanced VPC Design and New
Capabilities for Amazon VPC
Matt Lehwess
Principal Solutions Architect
Amazon Web Services
N E T 3 0 3

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
336402
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
4.9
T h ank y o u
35
H o w o l d H o w m a n y
a n i mations
403404405406

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Previously, from AWS
AWS Region
Availability zone 2Availability zone 1
Private subnet Private subnet
Public subnet Public subnet
VPC CIDR 10.1.0.0/16 + Expand + IPv6

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Lambda
Previously, from AWS
AWS Region
Availability zone 2Availability zone 1
Private subnet
VGW
VPC
Peering
VPC
Flow Logs
VPN
AWS Direct
Connect
The
Internet
Private subnet
Public subnet
Instance A
Public subnet
AWS IoTAmazon
DynamoDB
Amazon S3 Amazon SQS Amazon SNS
VPC CIDR 10.1.0.0/16
10.1.0.11/24
Instance B
10.1.1.11/24
Instance C
10.1.2.11/24
Instance D
10.1.3.11/24
DXGW
+ Expand + IPv6
IGWVPCE
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target Intra or
Inter
region
10.1.0.0/16 Local
0.0.0.0/0 Instance B
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
AWS PrivateLink
Service Provider VPC
NLB
AWS
PrivateLink
NAT
On-Premises
VPC-B
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
NAT-GW
NAT-GW

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Previously, from AWS
AWS Region
Availability zone 2Availability zone 1
Private subnet Private subnet
Public subnet
Instance A
Public subnet
VPC CIDR 10.1.0.0/16
10.1.0.11/24
Instance B
10.1.1.11/24
Instance C
10.1.2.11/24
Instance D
10.1.3.11/24
+ Expand + IPv6
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 Instance B
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
AWS PrivateLink
Service Provider VPC
NLB
AWS
PrivateLink
NAT NAT-GW
NAT-GW
• API Endpoints for Amazon EC2
and Elastic Load Balancing (ELB)
• Amazon Kinesis Data Streams
• AWS Service Catalog
• Amazon EC2 Systems Manager

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink:
• PrivateLink is a way to
reach additional public
services, privately from
your Amazon Virtual
Private Cloud (Amazon
VPC)
• Each PrivateLink is
represented by a private
IP from the subnet
assigned
• API Endpoints for Amazon EC2
and Elastic Load Balancing (ELB)
• Amazon Kinesis Streams
• AWS Service Catalog
• Amazon EC2 Systems Manager• No Route Table
update required
Amazon S3
Amazon DynamoDB
After: VPC Endpoints for Amazon Simple
Storage Service (Amazon S3) and Amazon
DynamoDB
Before:

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Region
Availability zone 2Availability zone 1
Private subnet Private subnet
Public subnet
Instance A
Public subnet
VPC CIDR 10.1.0.0/16
10.1.0.11/24
Instance B
10.1.1.11/24
Instance C
10.1.2.11/24
Instance D
10.1.3.11/24
+ Expand + IPv6
NAT NAT-GW
AmazonAPIGateway
AWSCloudFormation
AmazonCloudWatch
AmazonCloudWatchEvents
AmazonCloudWatchLogs
AWSCodeBuild
AWSConfig
AmazonEC2API
ElasticLoadBalancingAPI
AWSKeyManagementService
AmazonKinesisDataStreams
AmazonSageMakerRuntime
AWSSecretsManager
AWSSecurityTokenService
AWSServiceCatalog
AmazonSNS
AWSSystemsManager
+More
After: 18 services now supported over
AWS PrivateLink

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink (additional endpoints):
https://amzn.to/2TTHxXh

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bonus: AWS PrivateLink now supports access
over AWS VPN and Inter-region Peering
V P N: h t t ps :// amz n.to /2Iv0U Ao
I n t er - re gio n P e e r i ng:
h t t ps:// am z n.to /2NB TFI0

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Sharing
Before

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
L l a m a
10.3.0.0/16
P e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n a
10.6.0.0/16
S t e v e
10.5.0.0/16
S u e
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Sharing
After

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
L l a m a
10.3.0.0/16
P e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n a
10.6.0.0/16
S t e v e
10.5.0.0/16
S u e
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
L l a m aP e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n aS t e v eS u e
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4
Owner
Participant
Owner
Participant Participant
Participant

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC owners are responsible for creating, managing
and deleting all VPC level entities.
Amazon VPC owners cannot modify or delete participant
resources.
Amazon VPC Owner

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Participants that are in a shared Amazon VPC are responsible for the creation,
management and deletion of their resources including Amazon Elastic Compute
Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon
RDS) databases, and load balancers.
However, they cannot modify any Amazon VPC-level entities including route
tables, network ACLs or subnets (Or view / modify resources belonging to other
participants).
Amazon VPC Participant

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why use multiple accounts?

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why use Amazon VPC sharing?
P r e s erve I P s p a c e
U s e f e w e r I P v 4 C I D Rs
I n t erc onnec tiv ity
N o V P C P e e r i ng r e quired
B i l l i n g a n d S e c u r i t y
C o n t i n u e t o e n j o y s e g r e g a t i o n
w i t h m u l t i p l e a c c o u n t s
S e p a r a t i o n o f d u t i e s
A c e n t r a l t e a m c a n c r e a t e a n d
m a n a g e y o u r A m a z o n V P C
S a m e A Z c o s t f o r d a t a t r a n s f e r i s n i l !

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Sharing details:
https://amzn.to/2Aovw2Z

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Region 1 AWS Region 2

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
After

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Region 1 AWS Region 2
3.10.3.1253.10.3.125

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Client StateAWS’s Global
Network
Static Anycast
IP’s
Applications can keep state,
with connections routed to
the same endpoint, after
initial connection.
Traffic routed through
Accelerator traverses AWS
global network (instead of
the public internet).
Global Accelerator uses
Static IP addresses are a
fixed entry point to your
applications. These IP
addresses are anycast from
AWS edge locations

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Global Accelerator
https://amzn.to/2FI3y89

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Route 53 Resolver for
Hybrid Clouds
https://amzn.to/2ByEw7s
Bonus!

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-Premises
IPsec Tunnel 1 - Primary
IPsec Tunnel 2- Secondary
Virtual private
gateway
VGW
IPSEC tunnel over
the internet
Customer
gateway
CGW
The Internet

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before AWS Client VPN
VPC VPN connections were site-to-site only

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How does this change my
architecture?

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
After AWS Client VPN
AWS now supports client-to-site VPN termination
with Open VPN clients through the Client VPN
Endpoint

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attachment
to Amazon
VPC
TLS based tunnel
over the internet
User with Open
VPN Client
Client VPN
Endpoint
Client
The
InternetAmazon
DynamoDB
Amazon S3
On-Premises

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Secure Connect
Friday, November 30th
NET304 - AWS VPN Solutions
10:45 AM - 11:45 AM | Venetian, Level 2, Venetian F

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where do you use public IP’s in
AWS?

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Lambda
AWS Region
Availability zone 2Availability zone 1
Private subnet Private subnet
Public subnet
Instance A
Public subnet
AWS IoTAmazon
DynamoDB
Amazon S3 Amazon SQS Amazon SNS
VPC CIDR 10.1.0.0/16
10.1.0.11/24
Instance B
10.1.1.11/24
Instance C
10.1.2.11/24
Instance D
10.1.3.11/24
+ Expand + IPv6
IGW
NAT
10.1.0.11 : 54.23.12.43
10.1.1.11 : 54.19.12.23
NAT-GW
The
Internet

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why bring your own?
IP Reputation, Whitelisting, Migration,
Redundancy,

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How does BYOIP it work?

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network Load
Balancer
The Internet
IGW
On-Premises
130.137.182.0/24130.137.182.0/24IP Pool
130.137.182.4 : 10.0.0.15
130.137.182.5 : 10.0.0.16
130.137.182.6 : 10.0.0.17
NAT GW
10.0.0.15 10.0.0.16 10.0.0.17
BYOIP

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Authorization and
Authentication
5 s t e p s
Provisioning your IP
range
T h r o u g h t h e A m a z o n C L I

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Advertising your IP
range
T h r o u g h t h e A m a z o n C L I
Creation and use of
Elastic IPs
F r o m y o u r I P p o o l

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
130.137.182.166

54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
BYOIP Detailed Instructions:
https://amzn.to/2qZeyE3

56. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the most specific prefix I can bring via BYOIP?
/24
Can I move a CIDR between regions?
Yes – with de-provisioning and re-provisioning
IPv6? Not yet 

57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before: All public IP addresses used in AWS came
from Amazon’s IP ranges
After: You can now bring the IP ranges you know
and love to AWS.

58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit Gateway (TGW)

60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1
3
2 4
B Local
A
C PCX-2
D PCX-3
E PCX-4
Destination Target
A B
C
D E
PCX-1
Before: V PC Peering

61. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full mesh: How many Amazon VPC Peering
connections do I need (full mesh)?
n(n-1)
2
VPC x 10

62. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full mesh: How many Amazon VPC Peering
connections do I need (full mesh)?
10(10-1)
2
VPC x 10

63. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full mesh: How many Amazon VPC Peering
connections do I need (full mesh)?
VPC x 10
45

64. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full mesh: How many Amazon VPC Peering
connections do I need (full mesh)?
100(100-1)
2
VPC x 100

65. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full mesh: How many Amazon VPC Peering
connections do I need (full mesh)?
VPC x 100
4500

66. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Static routes per
Amazon VPC route table
100
Amazon VPC Peering
connections per Amazon VPC
125

67. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
B Local
0.0.0.0/0
Destination Target
A B
D E
VGW
Before: Transit V PC with IPSec
I P S e c b e t w e e n V P C s ( l i m i t s a p p l y )

68. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A
B
C
On-Premises
Before: V PN Connection per V PC
I P S e c b e t w e e n V P C s ( l i m i t s a p p l y )

69. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
After: AWS Tra n sit Ga t ewa y (TGW)
AWS Transit Gateway
(TGW)

70. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
B Local
0.0.0.0/0
Destination Target
A B
TGW
After: AWS Tra n sit Ga t ewa y (TGW)
C
TGW
1 2
3 4
TGW Route Table(s)
VPC A : Attachment 1
VPC B : Attachment 2
VPC C : Attachment 3
On-prem : VPN 4
RT1
RT2
On-Premises

71. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attachment
The connection from a
Amazon VPC and VPN to
a TGW
Association
The route table used to
route packets coming from
an attachment (from an
Amazon VPC and VPN)
Propagation
The route table where the
attachment’s routes are
installed

72. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.1.0.0/16 Local
0.0.0.0/0 TGW
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.0.0.0/8 TGW

73. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.8.0.0/16 10.9.0.0/16
10.8.0.0/16 via X
10.9.0.0/16 via X

74. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.8.0.0/16 10.9.0.0/16
10.8.0.0/16 via X
10.9.0.0/16 via X
Propagation turned off, you can still
statically configure routes

75. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n - P r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
On-prem from Q
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
On-prem from Q
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
On-prem from Q
Llama from X
On-prem from Q
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q

76. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n - P r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
On-prem from Q
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
On-prem from Q
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
On-prem from Q
Llama from X
On-prem from Q
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRCLlama
DSTOn-prem

77. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n - P r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
On-prem from Q
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
On-prem from Q
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
On-prem from Q
Llama from X
On-prem from Q
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRCLlama
DSTOn-prem

78. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n - P r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
On-prem from Q
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
On-prem from Q
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
On-prem from Q
Llama from X
On-prem from Q
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRC:Barry
DSTOn-prem

79. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Llama
After: AWS Tra n sit Ga t ewa y (TGW)
TGW
X
Y
TGW Route Table(s)
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n - P r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
On-prem from Q
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
On-prem from Q
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
On-prem from Q
Llama from X
On-prem from Q
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRCBarry
DSTOn-prem

80. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aft er: AWS Transit Gateway (TGW) – The console

81. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Unicorn TGW
This TGW is Awesome
Aft er: AWS Transit Gateway (TGW) – The console

82. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aft er: AWS Transit Gateway (TGW) – The console

83. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TGWs per account / TGW
attachments per Amazon VPC
5
Maximum burstable
bandwidth per attachment
50Gbps*
*Per availability zone

84. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Maximum bandwidth per VPN
connection
1.25Gbps
*With ECMP, you can distribute traffic over multiple tunnels,
e.g. 8 tunnels = 10Gbps
*

85. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routes per TGW
5,000
Number of TGW attachments
per region per account
1,000
!!!

86. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross region connectivity?
TGW is a region-level construct
today

87. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before TGW

88. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Peering for
full mesh connectivity
VPC
VPC
VPC
A
B
C
On-Premises
I P S e c b e t w e e n V P C s ( l i m i t s a p p l y )
Instance based
Transit Amazon VPC
VPN Connection
per Amazon VPC

89. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
After TGW
Up to 5000 Amazon VPC
attachments per TGW
1.25Gbps per VPN Connection
with ECMP
10,000 routes per TGW
Multiple TGW route tables for
finer routing control
50 Gbps of bandwidth per
attachment per availability zone
Centralized hub for routing between
Amazon VPCs and on-premises to AWS

90. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TGW Detailed Instructions:
https://amzn.to/2SkI4zV

91. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

92. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network performance improvements for
Amazon EC2
https://amzn.to/2DL0qG6

93. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect
Logical redundancy over a single
private virtual interface
https://amzn.to/2E0DgfA

94. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect
Jumbo frame support
https://amzn.to/2q04aew

95. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Flow Logs can now be delivered to
Amazon s3
https://amzn.to/2nt36yV

96. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Matt Lehwess
mattyloo@amazon.com

97. Time: 15 minutes after this session
Location: Speaker Lounge (ARIA East, Level 1, Willow Lounge)
Duration: 30 min.

98. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.