SlideShare a Scribd company logo
1 of 83
Download to read offline
From One to Many: Evolving VPC Design
Robert Alexander, AWS Solutions Architect
November 14, 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Disclaimer:

Do Try This at Home!
All these designs are in use
by customers
Build and
Design… deploy virtual datacenters as fast as you
design them
then spend a lot of time building and deploying

version
Get to know AWS CloudFormation
• Source control and version control your datacenter
• Deploy infrastructure with one command

• Reproduce anywhere in the globe in minutes
• Segregation of Duties (SoD) between
infrastructure and application owners
Elements of VPC Design

Amazon VPC

Router

Internet
Gateway

Customer
Gateway

Subnet

Virtual
Private
Gateway

VPN
Connection

Route Table

Elastic Network
Interface
Availability Zone A

Availability Zone B
VPC CIDR: 10.1.0.0 /16

Subnet
Availability Zone A

Subnet
Availability Zone B
Plan your VPC IP space before
creating it
•

Consider future AWS region expansion

•

Consider future connectivity to corporate networks

•

Consider subnet design

•

VPC can be /16 down to /28

•

CIDR cannot be modified once created

•

Overlapping IP spaces = future headache
VPC CIDR: 10.1.0.0 /16

Public Subnet

Public Subnet

Private Subnet

Private Subnet

Availability Zone A

Availability Zone B
VPC CIDR: 10.1.0.0 /16

Instance A
10.1.1.11 /24

Instance B
10.1.2.22 /24

Public Subnet

Public Subnet

Instance C
10.1.3.33 /24
Private Subnet
Availability Zone A

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B
VPC CIDR: 10.1.0.0 /16

Instance A
10.1.1.11 /24
Public Subnet

Instance B
10.1.2.22 /24

.1

.1

.1

.1

Instance C
10.1.3.33 /24
Private Subnet
Availability Zone A

Public Subnet

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B
VPC CIDR: 10.1.0.0 /16

Route Table

Instance A
10.1.1.11 /24

Instance B
10.1.2.22 /24

Public Subnet

Public Subnet

Instance C
10.1.3.33 /24
Private Subnet
Availability Zone A

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B

Destination

Target

10.1.0.0/16

local
Leave the Main Route Table Alone
VPC CIDR: 10.1.0.0 /16

Instance A
10.1.1.11 /24

Instance B
10.1.2.22 /24

Public Subnet

Public Subnet

Instance C
10.1.3.33 /24
Private Subnet

Route Table

Availability Zone A

Destination

Target

10.1.0.0/16

local

10.1.1.0/24

Instance B

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B
Network ACLs vs Security Groups
Elastic Network
Instance
Security Group

NACLs

Security Groups

•
•
•
•

• Applied to instance ENI (up
to 5 per)
• Stateful
• Allow Only (whitelist)
• Rules evaluated as a whole
• SGs can reference other
SGs in same VPC

Applied to subnets (1 per)
Stateless
Allow & Deny (blacklist)
Rules processed in order
Network ACL

VPC Subnet
VPC Network ACLs: What are they good for?
• Enforcing baseline security policy
– Example:
“No TFTP, NetBIOS or SMTP shall egress this
subnet”
Instance

VPC Subnet

• Catch all for holes in instance
security groups
• Segregation of security between
network ops and dev ops
VPC Network ACLs: Best Practices
•
•
•
•

Use sparingly, keep it simple
Egress security policies are best
Create rule #’s with room to grow
Use IAM to tightly control who can alter or delete NACLs
Pushing this will Hurt!
Default Network ACL:
Create an IAM VPC Admin Group
Examples of “High Blast Radius” VPC API calls that should be restricted:

Support
Resource
Permissions

{

AttachInternetGateway
AssociateRouteTable
CreateRoute
DeleteCustomerGateway
DeleteInternetGateway
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteRoute
DeleteRouteTable
DeleteDhcpOptions
ReplaceNetworkAclAssociation
DisassociateRouteTable
Example IAM Policy for NACL Admin
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry"
],
"Resource": "arn:aws:ec2:us-west-2:123456789012:network-acl/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Environment": "prod"
},
"Null": {
"aws:MultiFactorAuthAge": "false"
}
}
}
]
}
VPC CIDR: 10.1.0.0 /16

Instance A
10.1.1.11 /24

Instance B
10.1.2.22 /24

Public Subnet

Public Subnet

Instance C
10.1.3.33 /24
Private Subnet
Availability Zone A

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B

Creating Ways “Out”
of a VPC
VPC CIDR: 10.1.0.0 /16

Only 1 IGW and 1 VGW
per VPC

Internet
Gateway

Instance A
10.1.1.11 /24

Instance B
10.1.2.22 /24

Public Subnet

Public Subnet

Instance C
10.1.3.33 /24

Instance D
10.1.4.44 /24

Route Table

Direct
Connect

Target
local

Corp CIDR

Private Subnet

Availability Zone A

Customer
Data Center

Destination
10.1.0.0/16

Private Subnet

VGW

Availability Zone B

Virtual
Private
Gateway

VPN
Connection

Customer
Data Center
VPC CIDR: 10.1.0.0 /16
Route
Table

Instance A
10.1.1.11 /24
Public Subnet

Instance C
10.1.3.33 /24
Private Subnet
Availability Zone A

Route Table
Destination

Target

10.1.0.0/16

Instance B
local
10.1.2.22 /24

0.0.0.0/0

Public
IGW Subnet

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B
Ways to Assign Public IPs
Elastic IP (EIP)
•
•
•
•
•
•

Associated with AWS account and not a specific instance
1 Public IP to 1 Private IP static NAT mapping
Instance does not “see” an EIP associated to it
Persists independent of the instance
Can be assigned while instance is stopped or running
Can be moved, reassigned to other ENIs
Ways to Assign Public IPs
Automatic dynamic Public IP assignment
• Done on instance launch into VPC subnet
• Public IP is dynamic and could change if instance is
stopped and restarted
• Does not count against AWS Account EIP limits
• Works only on instances with a single ENI
Internet

AWS outside the VPC

AWS
region
Amazon S3 DynamoDB
Route
Table

Instance A
Public: 54.200.129.18
Private: 10.1.1.11 /24
Public Subnet

Instance C
10.1.3.33 /24
Private Subnet

Availability Zone A

Instance B
10.1.2.22 /24
Public Subnet

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B
Examples of AWS outside the VPC
•

•

•

AWS API Endpoints
– Think about which APIs you might be calling from instances within the
VPC
– Good examples: Amazon EC2, AWS CloudFormation, Auto Scaling,
Amazon SWF, Amazon SQS, Amazon SNS
Regional Services
– Amazon S3
– Amazon Dynamo DB
Software and Patch Repositories
– Amazon Linux repo allows access only from AWS public IP blocks
Internet

AWS
region
Amazon S3 DynamoDB
Route
Table

Instance A
Public: 54.200.129.18
Private: 10.1.1.11 /24
Public Subnet

Instance C
10.1.3.33 /24
Private Subnet

Availability Zone A

Instance B
10.1.2.22 /24
Public Subnet

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B

And what if instance C
in a private subnet
needs to reach outside
the VPC?
It has no route to the
IGW and no public IP.
Internet

AWS
region
Amazon S3 DynamoDB

NAT A
Public: 54.200.129.18
Private: 10.1.1.11 /24
Public Subnet

Deploy an instance that
functions as a
N etwork
A ddress
T ranslat(or)

Instance B
10.1.2.22 /24
Public Subnet

Route Table

Instance C
10.1.3.33 /24

Instance D
10.1.4.44 /24

Availability Zone A

Target

10.1.0.0/16
Private Subnet

Destination

local

0.0.0.0/0

NAT
instanc
e

Private Subnet
Availability Zone B
What makes up the Amazon Linux
NAT AMI?
Not much to it:
1. IP forwarding enabled
2. IP NAT Masquerading enabled in iptables
3. Source / Destination check is turned off on the instance
$echo 1 > /proc/sys/net/ipv4/ip_forward
$echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
$/sbin/iptables -t nat -A POSTROUTING -o eth0 –s 10.1.0.0/16 -j MASQUERADE
$/sbin/iptables-save
$aws ec2 modify-instance-attributes –instance-id i-xxxxxxxx –source-destcheck “{”Value”:false}”
Internet

AWS
region
Amazon S3 DynamoDB

Other private subnets
can share the same
routing table and use
the NAT
But…

NAT A
Public: 54.200.129.18
Private: 10.1.1.11 /24
Public Subnet

Instance C
10.1.3.33 /24
Private Subnet

Availability Zone A

Instance B
10.1.2.22 /24
Public Subnet

Instance D
10.1.4.44 /24
Private Subnet
Availability Zone B
Internet

AWS
region
Amazon S3 DynamoDB

NAT A
Public: 54.200.129.18
Private: 10.1.1.11 /24
Public Subnet

Private Subnet

Availability Zone A

Instance B
10.1.2.22 /24
Public Subnet

Private Subnet
Availability Zone B

… you could reach
a bandwidth bottleneck
if your private instances
grow and their NAT
bound traffic grows with
them.
Scalable and Available NAT
Do bandwidth intensive processes need to be
behind a NAT?
•

Separate out application components with bandwidth needs

•

Run components from public subnet instances

•

Goal is full instance bandwidth out of VPC

•

Auto Scaling with Public IP makes this easy

•

NAT still in place for remaining private instances

•

Most Common use case:
Multi-Gbps streams to Amazon S3
Internet

Customers

• Image processing app with high
outbound network to Amazon
S3

AWS
region
Amazon S3 DynamoDB

Public ELB
ELB Auto scaling Group

Public ELB Subnet

Web
Servers
Public Subnet

• Public ELB receives incoming
customer HTTP/S requests
• Auto Scaling assigns public IP
to new web servers

Public ELB Subnet

NAT

Direct to Amazon S3

Multi AZ Auto scaling Group

Private Subnet

Availability Zone A

Public Subnet

Private Subnet

Availability Zone B

• With public IPs, web servers
initiate outbound requests
directly to Amazon S3
• NAT device still in place for
private subnets
Autoscaling Support for Automatic
Public IP Assignment
Sample Launch Configuration (named “hi-bandwidth-public”):
$aws autoscaling create-launch-configuration --launch-configuration-name hi-bandwidthpublic --image-id ami-xxxxxxxx --instance-type m1.xlarge --associate-public-ip-address
Internet

Autoscale HA NAT
• Use Auto Scaling for NAT
Availability

AWS
Region
Amazon S3 DynamoDB

• Create 1 NAT per AZ
• All private subnet route tables to
point to same AZ NAT
• 1 Auto Scaling group per NAT
with min and max size set to 1

NAT

Public Subnet

NAT

Public Subnet

• Let Auto Scaling monitor the
health and availability of your
NATs
• NAT bootstrap script updates
route tables programmatically

Private Subnet

Availability Zone A

Private Subnet
Availability Zone B
Auto Scaling for Availability
Sample HA NAT Autoscaling group (named “ha-nat-asg”):
$aws autoscaling create-auto-scaling-group --auto-scaling-group-name hanat-asg --launch-configuration-name ha-nat-launch --min-size 1 --max-size
1 --vpc-zone-identifier subnet-xxxxxxxx
HA NAT User Data sample:
PRIVATE_SUBNETS="`aws ec2 describe-subnets --query 'Subnets[*].SubnetId’ --filters Name=availabilityzone,Values=$AVAILABILITY_ZONE Name=vpc-id,Values=$VPC_ID Name=state,Values=available
Name=tag:network,Values=private`”
if [ -z "$PRIVATE_SUBNETS" ]; then
die "No private subnets found to modify for HA NAT."
else log "Modifying Route Tables for following private subnets: $PRIVATE_SUBNETS"
fi
for subnet in $PRIVATE_SUBNETS; do
ROUTE_TABLE_ID=`aws ec2 describe-route-tables --query 'RouteTables[*].RouteTableId’ 
--filters Name=association.subnet-id,Values=$subnet`;
if [ "$ROUTE_TABLE_ID" = "$MAIN_RT" ]; then
log "$subnet is associated with the VPC Main Route Table. HA NAT script will NOT edit Main Route Table.”
elif [ -z "$ROUTE_TABLE_ID" ]; then
log "$subnet is not associated with a Route Table. Skipping this subnet."
else
aws ec2 create-route --route-table-id $ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 
--instance-id $INSTANCE_ID
log "$ROUTE_TABLE_ID associated with $subnet modified to point default route to $INSTANCE_ID."
if [ $? -ne 0 ] ; then
aws ec2 replace-route --route-table-id $ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 
--instance-id $INSTANCE_ID
fi
fi
done
IAM EC2 Role for HA NAT Instance
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:CreateRoute",
"ec2:ReplaceRoute"
],
"Resource": "*"
}
]

}
Tag Early, Tag Often!
•

Tagging strategy should be part of early design

•

Project Code, Cost Center, Environment, Team, Business Unit

•

Tag resources right after creation

•

Tags supported for resource permissions

•

AWS Billing also supports tags

•

Tight IAM controls on the creation and editing of tags
Finally, if design requirements keep high
bandwidth streams behind NAT:
• Use the 1 HA NAT per AZ design
• Vertically scale your NAT instance type to one with a High Network
Performance rating
• Keep a close watch on your network metrics

t1.micro
Very Low

m1.small
Low

m1.large
Moderate

m1.xlarge, c1.xlarge
High
One VPC, Two VPC
Considering Multiple VPCs
AWS
region

Public Facing
Web App

Internal
Corporate
App

VPN
Connection

Customer
Data Center

What’s Next?
Common Customer Use Cases:
• Application isolation
• Scope of audit containment
• Risk level separation
• Separate production from non-production

• Multi tenant isolation
• Business unit alignment
Considerations for One or Many VPCs:
• Know your inter-VPC traffic
• Separate AWS accounts
• IAM / resource permissions and controls
• VPC limits:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
There is a whole talk on this one!
CPN208
Selecting the Best VPC Network Architecture
Controlling the Border
Internal Application to VPC
AWS
region

Public Facing
Web App

Internal
Corporate
App

VPN
Connection

Customer
Data Center
Internal Application to VPC

AWS
region

Route Table

Private Subnet
Availability Zone A

Destination

Virtual
Private
Gateway

Availability Zone B

VPN
Connection
Corporate
Data Center

Corporate Internal
Customers

local

Corp CIDR

Private Subnet

Target

10.1.0.0/16

Intranet
App

Intranet
App

VGW
But… app will leverage this for storing
data:

Amazon S3
And you don’t really want to do this:
Amazon
S3

AWS
region

Internet
Intranet
App

Intranet
App
Private Subnet
Availability Zone A

Virtual
Private
Gateway

Private Subnet
Availability Zone B

Corporate Border
Router

Internet
VPN
Connection
Corporate VPN

Corporate
Data Center
Control IGW Access through a Proxy Layer
• Deploy a proxy control layer between application and IGW

• Restrict all outbound HTTP/S access to only approved URL
destinations like Amazon S3
• No route to IGW for private subnets
• Control access to proxy through security groups
• Must configure proxy setting in OS of instances
Controlling the Border

AWS region

• Deploy internal ELB layer
across AZs
• Add all instances allowed
outside access to a security
group

ELB Multi AZ Auto scaling Group

Intranet
App
Private Subnet
Availability Zone A

• Use this security group as the
only source allowed access to
the proxy port in the load
balancer’s security group

ELB Private Subnet

ELB Private Subnet

Internal
ELB

Intranet
App
Private Subnet
Availability Zone B

VPN
Connection
Corporate
Data Center

Corporate Internal
Customers
Put load balancers in their own
subnets
• Elastic Load Balancing is Amazon EC2 in your
subnets
• Elastic Load Balancing is using your private
addresses
• Separate subnets = separate control
• Distinguish LB layer from app layers
Amazon
S3

AWS region

• Squid Proxy layer deployed
between internal load balancer
and the IGW border.

Multi AZ Auto scaling Group

Proxy Public Subnet

Private Subnet (s)

Proxy Public Subnet

• Only proxy subnets have route
to IGW.

ELB Private Subnet

HTTP/S

ELB Private Subnet

Intranet
App

Controlling the Border

• Proxy security group allows
inbound only from Elastic Load
Balancing security group.

Internal
ELB

• Proxy restricts which URLs may
pass. In this example,
s3.amazonaws.com is allowed.

Intranet
App
Private Subnet (s)
Availability Zone B

Availability Zone A

VPN
Connection
Corporate
Data Center

Corporate Internal
Customers

• Egress NACLs on proxy
subnets enforce HTTP/S only.
Squid.conf Sample Config:
# CIDR AND Destination Domain based Allow
# CIDR Subnet blocks for Internal ELBs
acl int_elb_cidrs src 10.1.3.0/24 10.1.4.0/24

# Destination domain for target S3 bucket
acl s3_v2_endpoints dstdomain $bucket_name.s3.amazonaws.com
# Squid does AND on both ACLs for allow match
http_access allow int_elb_cidrs s3_v2_endpoints
# Deny everything else
http_access deny all
Using Squid Proxy Instances for Web Service Access
in Amazon VPC:

http://aws.amazon.com/articles/5995712515781075
… and this design could also be an
option to our earlier NAT bandwidth
discussion if outbound traffic
requirements are HTTP only.
Directory and Name Services
in the VPC
…or what do you mean
ip-10-1-1-57.us-west-2.compute.internal isn’t
a “friendly” name?
Active Directory + DNS in the VPC
AWS
region
Domain Join +
DNS Queries

Public Facing
Web App

Domain
Controller
+ DNS

Internal
Corporate
App

New Instance:
friendly-vpc-123.corp.example.com

• Domain Controllers launched in
internal VPC
• Internal VPC instances join
domain upon launch
• Instances use Dynamic DNS to
register both A and PTR records
• Domain controller replicates
with Corporate AD servers
• VPC DNS forwarding to
corporate DNS

VPN
Connection

AD
Replication

corp.example.com
AD Controller
Corporate Data center

DNS
Forward
Requests

example.com
DNS
DNS in the VPC
• Enable automatic DNS hostname creation and
resolution with these 2 options:

• Automatic hostname creation
• Private only instances assigned private hostname
• Public instances assigned public and private
Split DNS Resolution
Example hostnames for Public VPC instance:
ec2-54-200-171-240.us-west-2.compute.amazonaws.com
ip-10-1-1-87.us-west-2.compute.internal
From outside VPC:

From inside VPC:
DHCP Option Sets
•

Customize what VPC
DHCP hands out

•

Default option set only
contains DNS =
“AmazonProvidedDNS”

•

1 option set assigned per
VPC

•

Changing option set
dynamically applies
Domain Join + Dynamic DNS updates
Availability Zone A

New VPC
DC 1
10.1.3.10

New Instance:
friendly-vpc-123.corp.example.com

Private Subnet

Private Subnet

New Instance Domain Registration
Internal
Corporate
App

New VPC
DC 2
10.1.4.10
Private Subnet

Availability Zone B

VPN
Connection

AD + DNS
Replication

corp.example.com
AD Forest
Corporate Data center

Dynamic DNS without Microsoft DHCP:

example.com
DNS
Sample Powershell user-data for AD instance add and
rename:
<powershell>
$secstr = convertto-securestring -string "Password123" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist domain-add, $secstr
$instanceId = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/instance-id).Content
$servername = (Get-EC2Tag -Region us-west-2 | Where-Object {$_.ResourceId -eq $instanceId -and $_.Key
-eq "Name"}).Value
Add-Computer -DomainName ”corp.example.com" -NewName $servername -Credential $cred -Restart
</powershell>
DNS Query Path
Availability Zone A

VPC DNS 1
10.1.3.10

DNS query:
www.xyz.com

Private Subnet

Private Subnet

Internal
Corporate
App

VPC DNS 2
10.1.4.10
Private Subnet

Availability Zone B

VPN
Connection

VPC DNS
Forwards to
Example DNS
DNS Forwards on to root
DNS servers if required
corp.example.com
AD Forest

example.com
DNS

Internet
Corporate Data center
For AWS CloudFormation templates and guides to
setting up Microsoft AD domains in VPC, please
see:
Deploy a Microsoft SharePoint 2010 Server Farm in
the AWS Cloud in 6 Simple Steps:
http://aws.amazon.com/articles/9982940049271604
Bringing It All Back Home
AWS region

Public Facing
Web App

Internal
Corporate
App

VPN
Connection

What’s Next
???

AD Domain extended into VPC

example.com
AD Controller
Corporate Data center

example.com
DNS
AWS region

Public Facing
Web App

Internal
Corporate
App #1

Corporate Data center

Internal
Corporate
App #2

HA Pair VPN
Endpoints

Internal
Corporate
App #3

Internal
Corporate
App #4

Customer Gateways (CGW):
• 1 per VPN tunnel
• 1 public IP per CGW
• AWS provides 2 tunnel
destinations per region
VPN Hub and Spoke an option…
AWS
region

• Amazon EC2 VPN instances to
central virtual private gateway
Internal
Corporate
App #2

Internal
Corporate
App #3

• Control VPC contains common
services for all app VPCs

Services
VPC

Public Facing
Web App
Internal
Corporate
App #1

Internal
Corporate
App #4

HA Pair VPN
Endpoints
Corporate Data center

• For HA, 2 Amazon EC2-based
VPN endpoints in each spoke

• Dynamic Routing protocol (BGP,
OSPF) between Spokes and
Hub
… or simplify with AWS Direct Connect
AWS region

Public Facing
Web App

Internal
Corporate
App #1

Internal
Corporate
App #2

Internal
Corporate
App #3

Internal
Corporate
App #4

AWS Direct Connect Private Virtual
Interface (PVI) connects to VGW on
VPC
•
•

1 PVI per VPC
802.1Q VLAN Tags isolate traffic
across AWS Direct Connect

AWS Direct Connect
Location

Private Fiber Connection
One or Multiple
50 – 500 Mbps,
1 Gbps or 10 Gbps pipes

Customer
Data Center
A few bits on AWS Direct Connect…
•

Dedicated, private pipes into AWS

•

Create private (VPC) or public interfaces to AWS

•

Cheaper data out rates than Internet (data in still free)

•

Consistent network performance compared to Internet

•

At Least 1 location to each AWS region (even GovCloud!)

•

Recommend redundant connections

•

Multiple AWS accounts can share a connection
Customer Interface 0/1.104
0/1.103
0/1.102
0/1.101

Private Virtual Interface 4
2
1
3

VLAN Tag

104
103
102
101

VLAN Tag

102
101
103
104

BGP ASN

65004
65003
65002
65001

BGP ASN

7224

BGP Announce

Customer Internal

BGP Announce

10.2.0.0/16
10.1.0.0/16
10.3.0.0/16
10.4.0.0/16

Interface IP

169.254.251.18/30
169.254.251.14/30
169.254.251.10/30
169.254.251.6/30

Interface IP

169.254.251.9/30
169.254.251.5/30
169.254.251.13/30
169.254.251.17/30

Customer Internal
Network

Multiple VPCs Over AWS Direct Connect

VGW 1

VPC 1
10.1.0.0/16
VGW 2

VPC 2
10.2.0.0/16

Route Table

Destination

Target

10.1.0.0/16

PVI 1

10.2.0.0/16

PVI 2

10.3.0.0/16

PVI 3

10.4.0.0/16

PVI 4

VLAN 101
VLAN 102
VGW 3
Customer
Switch + Router

VPC 3

VLAN 103

10.3.0.0/16

VLAN 104

VGW 4

VPC 4
10.4.0.0/16
Know Your Routing Database
Before:

After:

Enable:
Customer Interface 0/1.501

Public Virtual Interface 1

VLAN Tag

501

VLAN Tag

501

BGP ASN

65501 (or Public)

BGP ASN

7224

BGP Announce

Customer Public

BGP Announce

AWS Regional
Public CIDRs

Interface IP

Public /30 Provided

Interface IP

Public /30 Provided

Customer Internal
Network

Public AWS + VPCs Over AWS Direct Connect

VGW 1

VPC 1
10.1.0.0/16
VGW 2

VPC 2
10.2.0.0/16

Route Table
Destination

Target

VLAN 101

10.1.0.0/16

PVI 1

VLAN 102

10.2.0.0/16

PVI 2

10.3.0.0/16

PVI 3

10.4.0.0/16

PVI 4

Public AWS

PVI 5

VGW 3

VLAN 103
Customer
Switch + Router

VLAN 501

VPC 3
10.3.0.0/16

NAT / PAT
Security Layer

Public AWS
Region
AWS Direct Connect
Location
Customer Routers

AWS DX Routers

AWS
region

Customer Internal
Network

•
•
•
•

Multiple Physical connections:
Active / Active links via BGP multi-pathing
Active / Passive also an option
BGP MEDs or local preference can influence
route
Bidirectional Forwarding Detection (BFD)
supported
AWS Direct Connect
Location:
Virginia or NYC

Going Global

US-East-1
AWS
region
Customer
Routers

Customer Global
MPLS Backbone
Network

AWS Direct Connect
Routers

AWS Direct Connect
Location:
Ireland or London

EU-West-1
AWS
region
Customer
Routers

AWS DX
Routers
With AWS regions just another spoke on your global network,
it’s easy to bring the cloud down to you as you expand around the world.
US-East-1 region

AWS Direct
Connect PoP
Virginia or NYC

EU-West-1 region

US Corporate
Data Center

Corporate MPLS
Backbone

EU Corporate
Data Center

AWS Direct
Connect PoP
Ireland or London
Evolving VPC Design: Recap
•
•
•
•
•
•

Elements of VPC Design
Scalable and Available NAT
One VPC, Two VPC
Controlling the Border
Directory and Name Services in the VPC
Bringing It All Back Home
Related re:Invent Sessions:
ARC202 High Availability Application Architectures in
Amazon VPC
ARC304 Cloud Architectures with AWS Direct Connect
CPN205 Securing Your Amazon EC2 Environment with
AWS IAM Roles and Resource-Based Permissions
CPN208 Selecting the Best VPC Network Architecture
DMG201 Zero to Sixty: AWS CloudFormation
DMG303 AWS CloudFormation under the Hood
Please give us your feedback on this
presentation

ARC401
As a thank you, we will select prize
winners daily for completed surveys!

More Related Content

What's hot

(NET201) Creating Your Virtual Data Center: VPC Fundamentals
(NET201) Creating Your Virtual Data Center: VPC Fundamentals(NET201) Creating Your Virtual Data Center: VPC Fundamentals
(NET201) Creating Your Virtual Data Center: VPC FundamentalsAmazon Web Services
 
Amazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web ServicesAmazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web ServicesRobert Wilson
 
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014Amazon Web Services
 
From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignAmazon Web Services
 
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)Amazon Web Services
 
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...Amazon Web Services
 
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYCSecuring your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYCAmazon Web Services
 
AWS Network Topology/Architecture
AWS Network Topology/ArchitectureAWS Network Topology/Architecture
AWS Network Topology/Architecturewlscaudill
 
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC Cohesive Networks
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Vpc (virtual private cloud)
Vpc (virtual private cloud)Vpc (virtual private cloud)
Vpc (virtual private cloud)RashmiDhanve
 
AWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovAWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovBogdan Naydenov
 
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013Amazon Web Services
 
ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...
ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...
ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...Amazon Web Services
 
An Introduction to Amazon VPC
An Introduction to Amazon VPCAn Introduction to Amazon VPC
An Introduction to Amazon VPCSarah Z
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Amazon Web Services
 
(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNsAmazon Web Services
 
Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Julien SIMON
 
AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
AWS Direct Connect & VPN's - Pop-up Loft Tel AvivAWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
AWS Direct Connect & VPN's - Pop-up Loft Tel AvivAmazon Web Services
 

What's hot (20)

(NET201) Creating Your Virtual Data Center: VPC Fundamentals
(NET201) Creating Your Virtual Data Center: VPC Fundamentals(NET201) Creating Your Virtual Data Center: VPC Fundamentals
(NET201) Creating Your Virtual Data Center: VPC Fundamentals
 
Amazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web ServicesAmazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web Services
 
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
 
From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC Design
 
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
 
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
 
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYCSecuring your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
 
AWS Network Topology/Architecture
AWS Network Topology/ArchitectureAWS Network Topology/Architecture
AWS Network Topology/Architecture
 
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Vpc (virtual private cloud)
Vpc (virtual private cloud)Vpc (virtual private cloud)
Vpc (virtual private cloud)
 
AWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovAWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan Naydenov
 
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
 
ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...
ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...
ARC206 Extend your Existing Data Center to the cloud with Amazon VPC - AWS re...
 
Bct Aws-VPC-Training
Bct Aws-VPC-TrainingBct Aws-VPC-Training
Bct Aws-VPC-Training
 
An Introduction to Amazon VPC
An Introduction to Amazon VPCAn Introduction to Amazon VPC
An Introduction to Amazon VPC
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)
 
(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs
 
Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)
 
AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
AWS Direct Connect & VPN's - Pop-up Loft Tel AvivAWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
 

Viewers also liked

From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignAmazon Web Services
 
Introduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesIntroduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesGary Silverman
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014Amazon Web Services
 
The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - BusinessThe Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - BusinessAmazon Web Services
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
AWS Cloud Kata | Bangkok - Getting to Profitability
AWS Cloud Kata | Bangkok - Getting to ProfitabilityAWS Cloud Kata | Bangkok - Getting to Profitability
AWS Cloud Kata | Bangkok - Getting to ProfitabilityAmazon Web Services
 
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Amazon Web Services
 
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Amazon Web Services
 
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013Amazon Web Services
 
Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...
Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...
Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...Amazon Web Services
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013Amazon Web Services
 
AWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS Video
AWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS VideoAWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS Video
AWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS VideoAmazon Web Services
 
Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...
Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...
Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...Amazon Web Services
 
Scale Your Application while Improving Performance and Lowering Costs (SVC203...
Scale Your Application while Improving Performance and Lowering Costs (SVC203...Scale Your Application while Improving Performance and Lowering Costs (SVC203...
Scale Your Application while Improving Performance and Lowering Costs (SVC203...Amazon Web Services
 
Criando o seu datacenter virtual vpc e conectividade
Criando o seu datacenter virtual  vpc e conectividadeCriando o seu datacenter virtual  vpc e conectividade
Criando o seu datacenter virtual vpc e conectividadeAmazon Web Services LATAM
 
(BDT313) Amazon DynamoDB For Big Data
(BDT313) Amazon DynamoDB For Big Data(BDT313) Amazon DynamoDB For Big Data
(BDT313) Amazon DynamoDB For Big DataAmazon Web Services
 
Beyond the Fridge, The World of Connected Data - Dr Werner Vogels
Beyond the Fridge, The World of Connected Data - Dr Werner VogelsBeyond the Fridge, The World of Connected Data - Dr Werner Vogels
Beyond the Fridge, The World of Connected Data - Dr Werner VogelsAmazon Web Services
 
Activity Ranking in LinkedIn Feed
Activity Ranking in LinkedIn FeedActivity Ranking in LinkedIn Feed
Activity Ranking in LinkedIn FeedBodla Kumar
 
Webinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDBWebinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDBAmazon Web Services
 

Viewers also liked (20)

From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC Design
 
Introduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesIntroduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best Practices
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
 
The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - BusinessThe Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
AWS Cloud Kata | Bangkok - Getting to Profitability
AWS Cloud Kata | Bangkok - Getting to ProfitabilityAWS Cloud Kata | Bangkok - Getting to Profitability
AWS Cloud Kata | Bangkok - Getting to Profitability
 
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
 
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
 
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
 
Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...
Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...
Bringing Governance to an Existing Cloud at NASA's JPL (ENT201) | AWS re:Inve...
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
 
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013
 
AWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS Video
AWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS VideoAWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS Video
AWS Webcast - Using JW Player and Amazon CloudFront to Stream HLS Video
 
Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...
Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...
Netflix: Amazon S3 & Amazon Elastic MapReduce to Monitor at Gigascale (BDT302...
 
Scale Your Application while Improving Performance and Lowering Costs (SVC203...
Scale Your Application while Improving Performance and Lowering Costs (SVC203...Scale Your Application while Improving Performance and Lowering Costs (SVC203...
Scale Your Application while Improving Performance and Lowering Costs (SVC203...
 
Criando o seu datacenter virtual vpc e conectividade
Criando o seu datacenter virtual  vpc e conectividadeCriando o seu datacenter virtual  vpc e conectividade
Criando o seu datacenter virtual vpc e conectividade
 
(BDT313) Amazon DynamoDB For Big Data
(BDT313) Amazon DynamoDB For Big Data(BDT313) Amazon DynamoDB For Big Data
(BDT313) Amazon DynamoDB For Big Data
 
Beyond the Fridge, The World of Connected Data - Dr Werner Vogels
Beyond the Fridge, The World of Connected Data - Dr Werner VogelsBeyond the Fridge, The World of Connected Data - Dr Werner Vogels
Beyond the Fridge, The World of Connected Data - Dr Werner Vogels
 
Activity Ranking in LinkedIn Feed
Activity Ranking in LinkedIn FeedActivity Ranking in LinkedIn Feed
Activity Ranking in LinkedIn Feed
 
Webinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDBWebinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDB
 

Similar to From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013

AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)Amazon Web Services
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Web Services
 
Migration of Microsoft Workloads
Migration of Microsoft WorkloadsMigration of Microsoft Workloads
Migration of Microsoft WorkloadsAmazon Web Services
 
Network & Connectivity Fundamentals
Network & Connectivity FundamentalsNetwork & Connectivity Fundamentals
Network & Connectivity FundamentalsAmazon Web Services
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSAmazon Web Services
 
Your First Hour on AWS presented by Chris Hampartsoumian
Your First Hour on AWS presented by Chris HampartsoumianYour First Hour on AWS presented by Chris Hampartsoumian
Your First Hour on AWS presented by Chris HampartsoumianAmazon Web Services
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSAmazon Web Services
 
Migration of Microsoft Workloads
Migration of Microsoft WorkloadsMigration of Microsoft Workloads
Migration of Microsoft WorkloadsAmazon Web Services
 
Best Practices for Deploying Microsoft Workloads on AWS
Best Practices for Deploying Microsoft Workloads on AWSBest Practices for Deploying Microsoft Workloads on AWS
Best Practices for Deploying Microsoft Workloads on AWSAmazon Web Services
 
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and EasilyAWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easilyakramemohemat
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data CenterMonica Trantow
 
Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017
Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017
Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017Amazon Web Services
 
AWS Webinar: How to architect and deploy a multi tier share point server farm...
AWS Webinar: How to architect and deploy a multi tier share point server farm...AWS Webinar: How to architect and deploy a multi tier share point server farm...
AWS Webinar: How to architect and deploy a multi tier share point server farm...Amazon Web Services
 
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...Amazon Web Services
 

Similar to From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013 (20)

AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
 
Migration of Microsoft Workloads
Migration of Microsoft WorkloadsMigration of Microsoft Workloads
Migration of Microsoft Workloads
 
Network & Connectivity Fundamentals
Network & Connectivity FundamentalsNetwork & Connectivity Fundamentals
Network & Connectivity Fundamentals
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWS
 
Getting Started on AWS
Getting Started on AWS Getting Started on AWS
Getting Started on AWS
 
Your First Hour on AWS presented by Chris Hampartsoumian
Your First Hour on AWS presented by Chris HampartsoumianYour First Hour on AWS presented by Chris Hampartsoumian
Your First Hour on AWS presented by Chris Hampartsoumian
 
How Easy to Automate Application Deployment on AWS
How Easy to Automate Application Deployment on AWSHow Easy to Automate Application Deployment on AWS
How Easy to Automate Application Deployment on AWS
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWS
 
Migration of Microsoft Workloads
Migration of Microsoft WorkloadsMigration of Microsoft Workloads
Migration of Microsoft Workloads
 
Enterprise Workloads on AWS
Enterprise Workloads on AWSEnterprise Workloads on AWS
Enterprise Workloads on AWS
 
Deep Dive: Hybrid Architectures
Deep Dive: Hybrid ArchitecturesDeep Dive: Hybrid Architectures
Deep Dive: Hybrid Architectures
 
Best Practices for Deploying Microsoft Workloads on AWS
Best Practices for Deploying Microsoft Workloads on AWSBest Practices for Deploying Microsoft Workloads on AWS
Best Practices for Deploying Microsoft Workloads on AWS
 
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and EasilyAWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
 
AWS VPC
AWS VPCAWS VPC
AWS VPC
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data Center
 
Creating a Virtual Data Center
Creating a Virtual Data CenterCreating a Virtual Data Center
Creating a Virtual Data Center
 
Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017
Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017
Fundamentals of Networking and Security on AWS - AWS Summit Tel Aviv 2017
 
AWS Webinar: How to architect and deploy a multi tier share point server farm...
AWS Webinar: How to architect and deploy a multi tier share point server farm...AWS Webinar: How to architect and deploy a multi tier share point server farm...
AWS Webinar: How to architect and deploy a multi tier share point server farm...
 
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 

Recently uploaded (20)

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 

From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013

  • 1. From One to Many: Evolving VPC Design Robert Alexander, AWS Solutions Architect November 14, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Disclaimer: Do Try This at Home! All these designs are in use by customers
  • 3. Build and Design… deploy virtual datacenters as fast as you design them then spend a lot of time building and deploying version
  • 4. Get to know AWS CloudFormation • Source control and version control your datacenter • Deploy infrastructure with one command • Reproduce anywhere in the globe in minutes • Segregation of Duties (SoD) between infrastructure and application owners
  • 5. Elements of VPC Design Amazon VPC Router Internet Gateway Customer Gateway Subnet Virtual Private Gateway VPN Connection Route Table Elastic Network Interface
  • 7. VPC CIDR: 10.1.0.0 /16 Subnet Availability Zone A Subnet Availability Zone B
  • 8. Plan your VPC IP space before creating it • Consider future AWS region expansion • Consider future connectivity to corporate networks • Consider subnet design • VPC can be /16 down to /28 • CIDR cannot be modified once created • Overlapping IP spaces = future headache
  • 9. VPC CIDR: 10.1.0.0 /16 Public Subnet Public Subnet Private Subnet Private Subnet Availability Zone A Availability Zone B
  • 10. VPC CIDR: 10.1.0.0 /16 Instance A 10.1.1.11 /24 Instance B 10.1.2.22 /24 Public Subnet Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Instance D 10.1.4.44 /24 Private Subnet Availability Zone B
  • 11. VPC CIDR: 10.1.0.0 /16 Instance A 10.1.1.11 /24 Public Subnet Instance B 10.1.2.22 /24 .1 .1 .1 .1 Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Public Subnet Instance D 10.1.4.44 /24 Private Subnet Availability Zone B
  • 12. VPC CIDR: 10.1.0.0 /16 Route Table Instance A 10.1.1.11 /24 Instance B 10.1.2.22 /24 Public Subnet Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Instance D 10.1.4.44 /24 Private Subnet Availability Zone B Destination Target 10.1.0.0/16 local
  • 13. Leave the Main Route Table Alone
  • 14. VPC CIDR: 10.1.0.0 /16 Instance A 10.1.1.11 /24 Instance B 10.1.2.22 /24 Public Subnet Public Subnet Instance C 10.1.3.33 /24 Private Subnet Route Table Availability Zone A Destination Target 10.1.0.0/16 local 10.1.1.0/24 Instance B Instance D 10.1.4.44 /24 Private Subnet Availability Zone B
  • 15. Network ACLs vs Security Groups Elastic Network Instance Security Group NACLs Security Groups • • • • • Applied to instance ENI (up to 5 per) • Stateful • Allow Only (whitelist) • Rules evaluated as a whole • SGs can reference other SGs in same VPC Applied to subnets (1 per) Stateless Allow & Deny (blacklist) Rules processed in order Network ACL VPC Subnet
  • 16. VPC Network ACLs: What are they good for? • Enforcing baseline security policy – Example: “No TFTP, NetBIOS or SMTP shall egress this subnet” Instance VPC Subnet • Catch all for holes in instance security groups • Segregation of security between network ops and dev ops
  • 17. VPC Network ACLs: Best Practices • • • • Use sparingly, keep it simple Egress security policies are best Create rule #’s with room to grow Use IAM to tightly control who can alter or delete NACLs Pushing this will Hurt! Default Network ACL:
  • 18. Create an IAM VPC Admin Group Examples of “High Blast Radius” VPC API calls that should be restricted: Support Resource Permissions { AttachInternetGateway AssociateRouteTable CreateRoute DeleteCustomerGateway DeleteInternetGateway DeleteNetworkAcl DeleteNetworkAclEntry DeleteRoute DeleteRouteTable DeleteDhcpOptions ReplaceNetworkAclAssociation DisassociateRouteTable
  • 19. Example IAM Policy for NACL Admin { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry" ], "Resource": "arn:aws:ec2:us-west-2:123456789012:network-acl/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Environment": "prod" }, "Null": { "aws:MultiFactorAuthAge": "false" } } } ] }
  • 20. VPC CIDR: 10.1.0.0 /16 Instance A 10.1.1.11 /24 Instance B 10.1.2.22 /24 Public Subnet Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Instance D 10.1.4.44 /24 Private Subnet Availability Zone B Creating Ways “Out” of a VPC
  • 21. VPC CIDR: 10.1.0.0 /16 Only 1 IGW and 1 VGW per VPC Internet Gateway Instance A 10.1.1.11 /24 Instance B 10.1.2.22 /24 Public Subnet Public Subnet Instance C 10.1.3.33 /24 Instance D 10.1.4.44 /24 Route Table Direct Connect Target local Corp CIDR Private Subnet Availability Zone A Customer Data Center Destination 10.1.0.0/16 Private Subnet VGW Availability Zone B Virtual Private Gateway VPN Connection Customer Data Center
  • 22. VPC CIDR: 10.1.0.0 /16 Route Table Instance A 10.1.1.11 /24 Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Route Table Destination Target 10.1.0.0/16 Instance B local 10.1.2.22 /24 0.0.0.0/0 Public IGW Subnet Instance D 10.1.4.44 /24 Private Subnet Availability Zone B
  • 23. Ways to Assign Public IPs Elastic IP (EIP) • • • • • • Associated with AWS account and not a specific instance 1 Public IP to 1 Private IP static NAT mapping Instance does not “see” an EIP associated to it Persists independent of the instance Can be assigned while instance is stopped or running Can be moved, reassigned to other ENIs
  • 24. Ways to Assign Public IPs Automatic dynamic Public IP assignment • Done on instance launch into VPC subnet • Public IP is dynamic and could change if instance is stopped and restarted • Does not count against AWS Account EIP limits • Works only on instances with a single ENI
  • 25. Internet AWS outside the VPC AWS region Amazon S3 DynamoDB Route Table Instance A Public: 54.200.129.18 Private: 10.1.1.11 /24 Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Instance B 10.1.2.22 /24 Public Subnet Instance D 10.1.4.44 /24 Private Subnet Availability Zone B
  • 26. Examples of AWS outside the VPC • • • AWS API Endpoints – Think about which APIs you might be calling from instances within the VPC – Good examples: Amazon EC2, AWS CloudFormation, Auto Scaling, Amazon SWF, Amazon SQS, Amazon SNS Regional Services – Amazon S3 – Amazon Dynamo DB Software and Patch Repositories – Amazon Linux repo allows access only from AWS public IP blocks
  • 27. Internet AWS region Amazon S3 DynamoDB Route Table Instance A Public: 54.200.129.18 Private: 10.1.1.11 /24 Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Instance B 10.1.2.22 /24 Public Subnet Instance D 10.1.4.44 /24 Private Subnet Availability Zone B And what if instance C in a private subnet needs to reach outside the VPC? It has no route to the IGW and no public IP.
  • 28. Internet AWS region Amazon S3 DynamoDB NAT A Public: 54.200.129.18 Private: 10.1.1.11 /24 Public Subnet Deploy an instance that functions as a N etwork A ddress T ranslat(or) Instance B 10.1.2.22 /24 Public Subnet Route Table Instance C 10.1.3.33 /24 Instance D 10.1.4.44 /24 Availability Zone A Target 10.1.0.0/16 Private Subnet Destination local 0.0.0.0/0 NAT instanc e Private Subnet Availability Zone B
  • 29. What makes up the Amazon Linux NAT AMI? Not much to it: 1. IP forwarding enabled 2. IP NAT Masquerading enabled in iptables 3. Source / Destination check is turned off on the instance $echo 1 > /proc/sys/net/ipv4/ip_forward $echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects $/sbin/iptables -t nat -A POSTROUTING -o eth0 –s 10.1.0.0/16 -j MASQUERADE $/sbin/iptables-save $aws ec2 modify-instance-attributes –instance-id i-xxxxxxxx –source-destcheck “{”Value”:false}”
  • 30. Internet AWS region Amazon S3 DynamoDB Other private subnets can share the same routing table and use the NAT But… NAT A Public: 54.200.129.18 Private: 10.1.1.11 /24 Public Subnet Instance C 10.1.3.33 /24 Private Subnet Availability Zone A Instance B 10.1.2.22 /24 Public Subnet Instance D 10.1.4.44 /24 Private Subnet Availability Zone B
  • 31. Internet AWS region Amazon S3 DynamoDB NAT A Public: 54.200.129.18 Private: 10.1.1.11 /24 Public Subnet Private Subnet Availability Zone A Instance B 10.1.2.22 /24 Public Subnet Private Subnet Availability Zone B … you could reach a bandwidth bottleneck if your private instances grow and their NAT bound traffic grows with them.
  • 33. Do bandwidth intensive processes need to be behind a NAT? • Separate out application components with bandwidth needs • Run components from public subnet instances • Goal is full instance bandwidth out of VPC • Auto Scaling with Public IP makes this easy • NAT still in place for remaining private instances • Most Common use case: Multi-Gbps streams to Amazon S3
  • 34. Internet Customers • Image processing app with high outbound network to Amazon S3 AWS region Amazon S3 DynamoDB Public ELB ELB Auto scaling Group Public ELB Subnet Web Servers Public Subnet • Public ELB receives incoming customer HTTP/S requests • Auto Scaling assigns public IP to new web servers Public ELB Subnet NAT Direct to Amazon S3 Multi AZ Auto scaling Group Private Subnet Availability Zone A Public Subnet Private Subnet Availability Zone B • With public IPs, web servers initiate outbound requests directly to Amazon S3 • NAT device still in place for private subnets
  • 35. Autoscaling Support for Automatic Public IP Assignment Sample Launch Configuration (named “hi-bandwidth-public”): $aws autoscaling create-launch-configuration --launch-configuration-name hi-bandwidthpublic --image-id ami-xxxxxxxx --instance-type m1.xlarge --associate-public-ip-address
  • 36. Internet Autoscale HA NAT • Use Auto Scaling for NAT Availability AWS Region Amazon S3 DynamoDB • Create 1 NAT per AZ • All private subnet route tables to point to same AZ NAT • 1 Auto Scaling group per NAT with min and max size set to 1 NAT Public Subnet NAT Public Subnet • Let Auto Scaling monitor the health and availability of your NATs • NAT bootstrap script updates route tables programmatically Private Subnet Availability Zone A Private Subnet Availability Zone B
  • 37. Auto Scaling for Availability Sample HA NAT Autoscaling group (named “ha-nat-asg”): $aws autoscaling create-auto-scaling-group --auto-scaling-group-name hanat-asg --launch-configuration-name ha-nat-launch --min-size 1 --max-size 1 --vpc-zone-identifier subnet-xxxxxxxx
  • 38. HA NAT User Data sample: PRIVATE_SUBNETS="`aws ec2 describe-subnets --query 'Subnets[*].SubnetId’ --filters Name=availabilityzone,Values=$AVAILABILITY_ZONE Name=vpc-id,Values=$VPC_ID Name=state,Values=available Name=tag:network,Values=private`” if [ -z "$PRIVATE_SUBNETS" ]; then die "No private subnets found to modify for HA NAT." else log "Modifying Route Tables for following private subnets: $PRIVATE_SUBNETS" fi for subnet in $PRIVATE_SUBNETS; do ROUTE_TABLE_ID=`aws ec2 describe-route-tables --query 'RouteTables[*].RouteTableId’ --filters Name=association.subnet-id,Values=$subnet`; if [ "$ROUTE_TABLE_ID" = "$MAIN_RT" ]; then log "$subnet is associated with the VPC Main Route Table. HA NAT script will NOT edit Main Route Table.” elif [ -z "$ROUTE_TABLE_ID" ]; then log "$subnet is not associated with a Route Table. Skipping this subnet." else aws ec2 create-route --route-table-id $ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 --instance-id $INSTANCE_ID log "$ROUTE_TABLE_ID associated with $subnet modified to point default route to $INSTANCE_ID." if [ $? -ne 0 ] ; then aws ec2 replace-route --route-table-id $ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 --instance-id $INSTANCE_ID fi fi done
  • 39. IAM EC2 Role for HA NAT Instance { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:ReplaceRoute" ], "Resource": "*" } ] }
  • 40. Tag Early, Tag Often! • Tagging strategy should be part of early design • Project Code, Cost Center, Environment, Team, Business Unit • Tag resources right after creation • Tags supported for resource permissions • AWS Billing also supports tags • Tight IAM controls on the creation and editing of tags
  • 41. Finally, if design requirements keep high bandwidth streams behind NAT: • Use the 1 HA NAT per AZ design • Vertically scale your NAT instance type to one with a High Network Performance rating • Keep a close watch on your network metrics t1.micro Very Low m1.small Low m1.large Moderate m1.xlarge, c1.xlarge High
  • 43. Considering Multiple VPCs AWS region Public Facing Web App Internal Corporate App VPN Connection Customer Data Center What’s Next?
  • 44. Common Customer Use Cases: • Application isolation • Scope of audit containment • Risk level separation • Separate production from non-production • Multi tenant isolation • Business unit alignment
  • 45. Considerations for One or Many VPCs: • Know your inter-VPC traffic • Separate AWS accounts • IAM / resource permissions and controls • VPC limits: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
  • 46. There is a whole talk on this one! CPN208 Selecting the Best VPC Network Architecture
  • 48. Internal Application to VPC AWS region Public Facing Web App Internal Corporate App VPN Connection Customer Data Center
  • 49. Internal Application to VPC AWS region Route Table Private Subnet Availability Zone A Destination Virtual Private Gateway Availability Zone B VPN Connection Corporate Data Center Corporate Internal Customers local Corp CIDR Private Subnet Target 10.1.0.0/16 Intranet App Intranet App VGW
  • 50. But… app will leverage this for storing data: Amazon S3
  • 51. And you don’t really want to do this: Amazon S3 AWS region Internet Intranet App Intranet App Private Subnet Availability Zone A Virtual Private Gateway Private Subnet Availability Zone B Corporate Border Router Internet VPN Connection Corporate VPN Corporate Data Center
  • 52. Control IGW Access through a Proxy Layer • Deploy a proxy control layer between application and IGW • Restrict all outbound HTTP/S access to only approved URL destinations like Amazon S3 • No route to IGW for private subnets • Control access to proxy through security groups • Must configure proxy setting in OS of instances
  • 53. Controlling the Border AWS region • Deploy internal ELB layer across AZs • Add all instances allowed outside access to a security group ELB Multi AZ Auto scaling Group Intranet App Private Subnet Availability Zone A • Use this security group as the only source allowed access to the proxy port in the load balancer’s security group ELB Private Subnet ELB Private Subnet Internal ELB Intranet App Private Subnet Availability Zone B VPN Connection Corporate Data Center Corporate Internal Customers
  • 54. Put load balancers in their own subnets • Elastic Load Balancing is Amazon EC2 in your subnets • Elastic Load Balancing is using your private addresses • Separate subnets = separate control • Distinguish LB layer from app layers
  • 55. Amazon S3 AWS region • Squid Proxy layer deployed between internal load balancer and the IGW border. Multi AZ Auto scaling Group Proxy Public Subnet Private Subnet (s) Proxy Public Subnet • Only proxy subnets have route to IGW. ELB Private Subnet HTTP/S ELB Private Subnet Intranet App Controlling the Border • Proxy security group allows inbound only from Elastic Load Balancing security group. Internal ELB • Proxy restricts which URLs may pass. In this example, s3.amazonaws.com is allowed. Intranet App Private Subnet (s) Availability Zone B Availability Zone A VPN Connection Corporate Data Center Corporate Internal Customers • Egress NACLs on proxy subnets enforce HTTP/S only.
  • 56. Squid.conf Sample Config: # CIDR AND Destination Domain based Allow # CIDR Subnet blocks for Internal ELBs acl int_elb_cidrs src 10.1.3.0/24 10.1.4.0/24 # Destination domain for target S3 bucket acl s3_v2_endpoints dstdomain $bucket_name.s3.amazonaws.com # Squid does AND on both ACLs for allow match http_access allow int_elb_cidrs s3_v2_endpoints # Deny everything else http_access deny all
  • 57. Using Squid Proxy Instances for Web Service Access in Amazon VPC: http://aws.amazon.com/articles/5995712515781075
  • 58. … and this design could also be an option to our earlier NAT bandwidth discussion if outbound traffic requirements are HTTP only.
  • 59. Directory and Name Services in the VPC
  • 60. …or what do you mean ip-10-1-1-57.us-west-2.compute.internal isn’t a “friendly” name?
  • 61. Active Directory + DNS in the VPC AWS region Domain Join + DNS Queries Public Facing Web App Domain Controller + DNS Internal Corporate App New Instance: friendly-vpc-123.corp.example.com • Domain Controllers launched in internal VPC • Internal VPC instances join domain upon launch • Instances use Dynamic DNS to register both A and PTR records • Domain controller replicates with Corporate AD servers • VPC DNS forwarding to corporate DNS VPN Connection AD Replication corp.example.com AD Controller Corporate Data center DNS Forward Requests example.com DNS
  • 62. DNS in the VPC • Enable automatic DNS hostname creation and resolution with these 2 options: • Automatic hostname creation • Private only instances assigned private hostname • Public instances assigned public and private
  • 63. Split DNS Resolution Example hostnames for Public VPC instance: ec2-54-200-171-240.us-west-2.compute.amazonaws.com ip-10-1-1-87.us-west-2.compute.internal From outside VPC: From inside VPC:
  • 64. DHCP Option Sets • Customize what VPC DHCP hands out • Default option set only contains DNS = “AmazonProvidedDNS” • 1 option set assigned per VPC • Changing option set dynamically applies
  • 65. Domain Join + Dynamic DNS updates Availability Zone A New VPC DC 1 10.1.3.10 New Instance: friendly-vpc-123.corp.example.com Private Subnet Private Subnet New Instance Domain Registration Internal Corporate App New VPC DC 2 10.1.4.10 Private Subnet Availability Zone B VPN Connection AD + DNS Replication corp.example.com AD Forest Corporate Data center Dynamic DNS without Microsoft DHCP: example.com DNS
  • 66. Sample Powershell user-data for AD instance add and rename: <powershell> $secstr = convertto-securestring -string "Password123" -AsPlainText -Force $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist domain-add, $secstr $instanceId = (Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/instance-id).Content $servername = (Get-EC2Tag -Region us-west-2 | Where-Object {$_.ResourceId -eq $instanceId -and $_.Key -eq "Name"}).Value Add-Computer -DomainName ”corp.example.com" -NewName $servername -Credential $cred -Restart </powershell>
  • 67. DNS Query Path Availability Zone A VPC DNS 1 10.1.3.10 DNS query: www.xyz.com Private Subnet Private Subnet Internal Corporate App VPC DNS 2 10.1.4.10 Private Subnet Availability Zone B VPN Connection VPC DNS Forwards to Example DNS DNS Forwards on to root DNS servers if required corp.example.com AD Forest example.com DNS Internet Corporate Data center
  • 68. For AWS CloudFormation templates and guides to setting up Microsoft AD domains in VPC, please see: Deploy a Microsoft SharePoint 2010 Server Farm in the AWS Cloud in 6 Simple Steps: http://aws.amazon.com/articles/9982940049271604
  • 69. Bringing It All Back Home
  • 70. AWS region Public Facing Web App Internal Corporate App VPN Connection What’s Next ??? AD Domain extended into VPC example.com AD Controller Corporate Data center example.com DNS
  • 71. AWS region Public Facing Web App Internal Corporate App #1 Corporate Data center Internal Corporate App #2 HA Pair VPN Endpoints Internal Corporate App #3 Internal Corporate App #4 Customer Gateways (CGW): • 1 per VPN tunnel • 1 public IP per CGW • AWS provides 2 tunnel destinations per region
  • 72. VPN Hub and Spoke an option… AWS region • Amazon EC2 VPN instances to central virtual private gateway Internal Corporate App #2 Internal Corporate App #3 • Control VPC contains common services for all app VPCs Services VPC Public Facing Web App Internal Corporate App #1 Internal Corporate App #4 HA Pair VPN Endpoints Corporate Data center • For HA, 2 Amazon EC2-based VPN endpoints in each spoke • Dynamic Routing protocol (BGP, OSPF) between Spokes and Hub
  • 73. … or simplify with AWS Direct Connect AWS region Public Facing Web App Internal Corporate App #1 Internal Corporate App #2 Internal Corporate App #3 Internal Corporate App #4 AWS Direct Connect Private Virtual Interface (PVI) connects to VGW on VPC • • 1 PVI per VPC 802.1Q VLAN Tags isolate traffic across AWS Direct Connect AWS Direct Connect Location Private Fiber Connection One or Multiple 50 – 500 Mbps, 1 Gbps or 10 Gbps pipes Customer Data Center
  • 74. A few bits on AWS Direct Connect… • Dedicated, private pipes into AWS • Create private (VPC) or public interfaces to AWS • Cheaper data out rates than Internet (data in still free) • Consistent network performance compared to Internet • At Least 1 location to each AWS region (even GovCloud!) • Recommend redundant connections • Multiple AWS accounts can share a connection
  • 75. Customer Interface 0/1.104 0/1.103 0/1.102 0/1.101 Private Virtual Interface 4 2 1 3 VLAN Tag 104 103 102 101 VLAN Tag 102 101 103 104 BGP ASN 65004 65003 65002 65001 BGP ASN 7224 BGP Announce Customer Internal BGP Announce 10.2.0.0/16 10.1.0.0/16 10.3.0.0/16 10.4.0.0/16 Interface IP 169.254.251.18/30 169.254.251.14/30 169.254.251.10/30 169.254.251.6/30 Interface IP 169.254.251.9/30 169.254.251.5/30 169.254.251.13/30 169.254.251.17/30 Customer Internal Network Multiple VPCs Over AWS Direct Connect VGW 1 VPC 1 10.1.0.0/16 VGW 2 VPC 2 10.2.0.0/16 Route Table Destination Target 10.1.0.0/16 PVI 1 10.2.0.0/16 PVI 2 10.3.0.0/16 PVI 3 10.4.0.0/16 PVI 4 VLAN 101 VLAN 102 VGW 3 Customer Switch + Router VPC 3 VLAN 103 10.3.0.0/16 VLAN 104 VGW 4 VPC 4 10.4.0.0/16
  • 76. Know Your Routing Database Before: After: Enable:
  • 77. Customer Interface 0/1.501 Public Virtual Interface 1 VLAN Tag 501 VLAN Tag 501 BGP ASN 65501 (or Public) BGP ASN 7224 BGP Announce Customer Public BGP Announce AWS Regional Public CIDRs Interface IP Public /30 Provided Interface IP Public /30 Provided Customer Internal Network Public AWS + VPCs Over AWS Direct Connect VGW 1 VPC 1 10.1.0.0/16 VGW 2 VPC 2 10.2.0.0/16 Route Table Destination Target VLAN 101 10.1.0.0/16 PVI 1 VLAN 102 10.2.0.0/16 PVI 2 10.3.0.0/16 PVI 3 10.4.0.0/16 PVI 4 Public AWS PVI 5 VGW 3 VLAN 103 Customer Switch + Router VLAN 501 VPC 3 10.3.0.0/16 NAT / PAT Security Layer Public AWS Region
  • 78. AWS Direct Connect Location Customer Routers AWS DX Routers AWS region Customer Internal Network • • • • Multiple Physical connections: Active / Active links via BGP multi-pathing Active / Passive also an option BGP MEDs or local preference can influence route Bidirectional Forwarding Detection (BFD) supported
  • 79. AWS Direct Connect Location: Virginia or NYC Going Global US-East-1 AWS region Customer Routers Customer Global MPLS Backbone Network AWS Direct Connect Routers AWS Direct Connect Location: Ireland or London EU-West-1 AWS region Customer Routers AWS DX Routers
  • 80. With AWS regions just another spoke on your global network, it’s easy to bring the cloud down to you as you expand around the world. US-East-1 region AWS Direct Connect PoP Virginia or NYC EU-West-1 region US Corporate Data Center Corporate MPLS Backbone EU Corporate Data Center AWS Direct Connect PoP Ireland or London
  • 81. Evolving VPC Design: Recap • • • • • • Elements of VPC Design Scalable and Available NAT One VPC, Two VPC Controlling the Border Directory and Name Services in the VPC Bringing It All Back Home
  • 82. Related re:Invent Sessions: ARC202 High Availability Application Architectures in Amazon VPC ARC304 Cloud Architectures with AWS Direct Connect CPN205 Securing Your Amazon EC2 Environment with AWS IAM Roles and Resource-Based Permissions CPN208 Selecting the Best VPC Network Architecture DMG201 Zero to Sixty: AWS CloudFormation DMG303 AWS CloudFormation under the Hood
  • 83. Please give us your feedback on this presentation ARC401 As a thank you, we will select prize winners daily for completed surveys!