Deep Dive: Amazon Virtual Private Cloud

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Virtual Private Cloud
Deep Dive
Kevin Miller, Sr. Manager - Amazon EC2 Networking

Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
• ARC205 – VPC Fundamentals and Connectivity
• ARC401 – Black Belt Networking for Cloud Ninja
– Application centric, network monitoring, management, floating IPs
• ARC403 – From One to Many: Evolving VPC Design
• SDD302 – A Tale of One Thousand Instances
– Example of EC2-Classic customer adopting VPC
• SDD419 – Amazon EC2 Networking Deep Dive
– Network performance, placement groups, enhanced networking

Elastic
Network
Interface
Subnet A
us-west-2a
172.31.0.0/20
172.31.0.5
Subnet B
us-west-2b
172.31.16.0/20
Subnet C
us-west-2c
172.31.32.0/20
EC2
Instance
Virtual Private Cloud
172.31.32.8
EC2
Instance

VPC connectivity: TL;DR
• Most common case: Internet
connectivity
– Automatically enabled for default VPCs: You do
nothing
– Easy to enable for non-default VPCs: You do a little
bit
• There are many options, but they are
optional!

Create VPC
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

Launch instances
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

Routes: Local connectivity
aws ec2 describe-route-tables --route-
table-ids rtb-c9d737ad
|+----------------------------------------------------+|
||| Routes |||
||+-----------------------+------------+-------------+||
||| DestinationCidrBlock | GatewayId | State ||
||+-----------------------+------------+--------------||
||| 10.10.0.0/16 | local | active ||
||+-----------------------+------------+-------------+||
Traffic to the VPC’s range
stays in the VPC

Establish public connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Your default VPC is already
configured this way

Routes: Internet connectivity
aws ec2 describe-route-tables --route-
table-ids rtb-ef36e58a
|+----------------------------------------------------+|
||| Routes |||
||+-----------------------+------------+-------------+||
||| DestinationCidrBlock | GatewayId | State ||
||+-----------------------+------------+--------------||
||| 10.10.0.0/16 | local | active ||
||| 0.0.0.0/0 | igw-5a1ae13f | active ||
+----------------------------------------------------+||
Everything not destined for my
VPC goes to the Internet

Confirming your default VPC
describe-account-attributes
VPC only

VPC Endpoints for Amazon S3:
Getting to Amazon S3 without the Internet

Amazon S3 without an Internet Gateway

Setting up an Amazon S3 endpoint
vpc-c15180a4
rtb-ef36e58a

Routes: Amazon S3 connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
|+-------------------------------------------------------------------+|
||| Routes |||
||+-----------------------+-----------------------------------------+||
||| DestinationCidrBlock | DestinationPrefixListId | GatewayId ||
||+-----------------------+-------------------------+----------------||
||| 10.10.0.0/16 | | local ||
||| | pl-68a54001 | vpce-a610f4cf ||
+-------------------------+-------------------------+---------------+||

The Amazon S3 Prefix List
--------------------------------------------------
| DescribePrefixLists |
+------------------------------------------------+
|| PrefixLists ||
|+---------------+------------------------------+|
|| PrefixListId | PrefixListName ||
|+---------------+------------------------------+|
|| pl-68a54001 | com.amazonaws.us-west-2.s3 ||
|+---------------+------------------------------+|
||| Cidrs |||
||+--------------------------------------------+||
||| 54.231.160.0/19 |||
||+--------------------------------------------+||
IP range for Amazon S3
Changes over time & managed by AWS

IAM policy: Amazon S3 bucket
{ "Version": "2012-10-17",
"Statement": [ {
"Sid": "Only my VPC Endpoint can access this bucket",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::bucket-of-awesome",
"arn:aws:s3:::bucket-of-awesome/*"],
"Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" } }
}
]
}
aws s3api put-bucket-policy --bucket bucket-of-awesome --
policy file:///tmp/bucket_policy_for_vpce.json
In English:
Deny access to this bucket to
all but this VPC endpoint

IAM policy: VPC endpoint
{
"Statement": [ {
"Sid": "Access to bucket-of-awesome",
"Principal": "*",
"Action": [ "s3:GetObject", "s3:PutObject" ],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::bucket-of-awesome",
"arn:aws:s3:::bucket-of-awesome/*"]
}
]
}
vpc-c15180a4
rtb-ef36e58a
--policy-document file:///tmp/vpce_policy_document.json
In English:
This VPC endpoint is allowed only to
Get/Put to bucket-of-awesome
VPC Endpoint IAM policy can be
modified after the fact.

VPC Peering:
Getting between VPCs without the Internet

Shared services VPC using VPC peering
• Common/core services
– Authentication/directory
– Monitoring
– Logging
– Remote administration
– Scanning

VPC peering for VPC-to-VPC connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63

VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
--peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333

VPC peering – Additional considerations
• Security groups not supported across
peerings
• Data transfer between VPCs metered at
inter-AZ rate
• No “transit” capability for VPN, AWS Direct
Connect, or third-party VPCs
• Peer VPC address ranges cannot overlap

VPN and AWS Direct Connect:
Getting between VPC and your data center

VPN connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

Using AWS Direct Connect
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new
virtualInterfaceName=Foo, vlan=10, asn=60, authKey=testing,
amazonAddress=192.168.0.1/24, customerAddress=192.168.0.2/24,
virtualGatewayId=vgw-f9da06e7
Redundant VPN connection

Automatic route propagation from VGW
192.168.0.0/16
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with
routes present in the virtual private gateway (VGW)

Configuring route table
192.168.0.0/16
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7

VPC with private and public connectivity
192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7

Remote connectivity best practices
Availability Zone Availability Zone
Each VPN connection consists of
2 IPSec tunnels.
Use Border Gateway Protocol
(BGP) for failure recovery.

A pair of VPN
connections (4 IPSec
tunnels total) protects
against failure of your
customer gateway

Redundant AWS Direct
Connect connections
with VPN backup

ClassicLink
Getting between VPC and EC2-Classic

ClassicLink is relevant to you if:
• You have a significant
deployment on EC2-Classic
• You want a phased migration to
VPC to take advantage of:
– New instance types
– Enhanced networking
– VPC security benefits (Amazon S3
endpoints, etc.)
– Features (VPC Flow Logs, etc.)

What ClassicLink does: words
• Connectivity over private IP
address between linked
instances in EC2-Classic and
VPC
• Classic instances can take
membership in VPC Security
Groups

What ClassicLink does: pictures
Security Group:
MyWebServers
Security Group:
MyBackends
VPC Security Group:
MyWebServers
VPC Security Group:
MyBackends

Enabling ClassicLink
vpc-4325f426
To use ClassicLink the VPC must
have this feature enabled. Can be
restricted with IAM policy.

Attaching a EC2-Classic instance to a VPC
i-2b3ecd1c
vpc-4325f426 sg-da107fbf
Link this specific instance to
the VPC using the specified
VPC security groups

Migration VPC: Keep it simple
• Internet connectivity
• One subnet per AZ
• Similar Security Groups

Elastic Load Balancing (ELB) supports ClassicLink
Security Group:
MyWebServers
VPC Security Group:
MyWebServers

ClassicLink – Component stages
• Start with AWS-managed
infrastructure
– RDS, ElastiCache, Redshift
• Next ELB
• Then instances
EC2-Classic
ClassicLink
RDS DB
Instance
ElastiCache
Cache Node
Elastic Load
Balancer
RDS DB
Instance
ElastiCache
Cache Node
Elastic Load
Balancer

ClassicLink
RDS DB
Instance
Route53
ELB

ClassicLink
RDS DB
Instance
ELB
Route53

ClassicLink
RDS DB
Instance
Route53

ClassicLink – Additional considerations
• VPC address ranges for use with ClassicLink
– 10.0.0.0/15, or any other range outside 10.0.0.0/8
– Why? EC2-Classic instance private IP addresses are in 10.2.0.0 – 10.255.255.255
• VPC also can’t have extra route table entries to 10.0.0.0/8
• ClassicLink instances use EC2-Classic for all Internet traffic. No
access from VPN/Direct Connect or a VPC peer to a ClassicLink
instance.
• ClassicLink must be enabled after instance launch (Run) or Start
• VPC instance DNS names do not resolve from EC2-Classic, and vice-
versa

VPC Flow Logs:
What’s going on inside my VPC?

See all of the traffic at your instances
• Visibility into effects of
Security Group rules
• Troubleshooting
network connectivity
• Ability to analyze
traffic

Getting set up: CloudWatch Logs
MyVPCFlowLogs
Your VPC Flow Logs
will go here

Getting set up: IAM Role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
VpcFlowLogsRole
VPC Flow Logs has permission to
assume this role

Getting set up: IAM Role, continued
{
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
aws iam put-role-policy --role-name VpcFlowLogsRole --policy-name
AccessToCloudWatchLogs --policy-document file:///tmp/inline_policy_document.json
Grant VPC Flow Logs access to
your CloudWatch Logs

Getting set up: VPC Flow Logs
MyVPCFlowLogs
111122223333:role/VpcFlowLogsRole
-----------------------------------------------------------------
| CreateFlowLogs |
+-------------+-------------------------------------------------+
| ClientToken| 2VVt8sDNhVI3ZXy32ICeCU7MGykMPkQ5kzsdzHcXnk4= |
+-------------+-------------------------------------------------+
|| FlowLogIds ||
|+-------------------------------------------------------------+|
|| fl-ea995892 ||
|+-------------------------------------------------------------+|
Can be VPC, Subnet, or
NetworkInterface
Can be ACCEPT,
REJECT, or ALL

Reading your VPC Flow Logs
MyVpcFlowLogs
------------------------------------------------------------------------------------------------------------
| DescribeLogStreams |
+--------------------------------------------------------------------------------------------------------- +
|| logStreams ||
|+---------------------+----------------------------------------------------------------------------------+|
|| arn | arn:aws:logs:us-east-1:111122223333:log-group:MyVPCFlowLogs:log-stream:eni-97ee1c31-
accept ||
|| creationTime | 1434203061652 ||
|| firstEventTimestamp| 1434202443000 ||
|| lastEventTimestamp | 1434202917000 ||
|| lastIngestionTime | 1434203662454 ||
|| logStreamName | eni-97ee1c31-accept ||
|| storedBytes | 0 ||
|| uploadSequenceToken| 49540113925456550918981667094152056847848616976877379954 ||
|+---------------------+----------------------------------------------------------------------------------+|
ACCEPT logs for my
Network Interface

Interpreting your VPC Flow Logs
eni-97ee1c31-accept
...
2 111122223333 eni-97ee1c31 132.163.4.101 10.0.1.95 123
123 17 9 684 1434202443 1434203036 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 218.65.30.217 22
40534 6 13 3201 1434202567 1434202615 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 12.130.116.82 80
28110 6 5 343 1434203039 1434203096 ACCEPT OK
Source IP address,
Dest IP address
Source port, dest port
Packets, Bytes

Your Feedback is Important to AWS
Please complete the session evaluation. Tell us what you think!

Deep Dive: Amazon Virtual Private Cloud

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Deep Dive: Amazon Virtual Private Cloud

Similar to Deep Dive: Amazon Virtual Private Cloud (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Deep Dive: Amazon Virtual Private Cloud