Deep Dive - Amazon Virtual Private Cloud (VPC)

©2015, Amazon Web Services, Inc. or its aﬃliates. All rights reserved
Amazon Virtual Private Cloud
Deep Dive
Steve Seymour, Solutions Architect, Networking Specialist

Virtual networking options
EC2-Classic
Simple to get started –
all instances have
Internet connectivity,
auto-assigned private
and public IP addresses
Inbound security groups
Default VPC
The best of both
Get started using the
EC2-Classic
experience
If and when needed,
begin using any VPC
feature you require
VPC
Advanced virtual
networking services:
ENIs and multiple IPs
routing tables
egress security groups
network ACLs
private connectivity
Enhanced networking
And more to come...

Virtual networking options
EC2-Classic
Simple to get started –
all instances have
Internet connectivity,
auto-assigned private
and public IP addresses
Inbound security groups
Default VPC
The best of both
Get started using the
EC2-Classic
experience
If and when needed,
begin using any VPC
feature you require
VPC
Advanced virtual
networking services:
ENIs and multiple IPs
routing tables
egress security groups
network ACLs
private connectivity
Enhanced networking
And more to come...
All accounts created after
12/4/2013 support VPC
only and have a default
VPC in each region

Confirming your default VPC
describe-account-attributes
VPC only

1. Routing & private connections

Implementing a hybrid architecture
Corporate Data Center

Create VPC
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

Create VPN connection
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

Launch instances
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

Using AWS Direct Connect
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new
virtualInterfaceName=Foo, vlan=10, asn=60, authKey=testing,
amazonAddress=192.168.0.1/24, customerAddress=192.168.0.2/24,
virtualGatewayId=vgw-f9da06e7

Configuring route table
192.168.0.0/16
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single
routing table at creation time,
used by all subnets

Remote connectivity best practices
Availability Zone
Availability Zone
Each VPN connection
consists of 2 IPSec
tunnels. Use BGP for
failure recovery.

Availability Zone
Availability Zone
BGP
A pair of VPN
connections (4 IPSec
tunnels total) protects
against failure of your
customer gateway
BGP

Availability Zone
Availability Zone
BGP
Redundant AWS Direct
Connect connections
with VPN backup

VPC with private and public connectivity
192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7

Automatic route propagation from VGW
192.168.0.0/16
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing
table(s) with routes present in the VGW

Isolating connectivity by subnet
Corporate
192.168.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only
to other instances and the
Internet via the IGW

Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 –-instance-id i-9c1b693a

Software VPN
between these
instances

Enabling communication
between instances in these
subnets; adding routes to the
default routing table

Software firewall to the Internet
Routing all traffic from subnets
to the Internet via a firewall is
conceptually similar
# Default routing table directs traffic to the NAT/firewall instance
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

Road to Automation - aka CloudFormation
Jackie Wong, Network Manager, Financial Times

Financial Times
•  International Media Company
•  Pioneer of Selling Digital Subscriptions
•  Speed to Market

Repetitive and Manual Deployment
•  Some history …
•  Manual deployment;
•  Time Consuming
•  Inconsistent
•  Human Error
•  Repetitive

CloudFormation – JSON
{ “Recognize Similarity” : [
{ “Key” : “Subnets” },
{ “Key” : “ Security” },
{ “Key” : “ Routing” },
{ “Key” : “ Internet” },
{ “Key” : “ Corporate” },
{ “Key” : “ etc” }
]
}
•  Using Mapping and Parameters within JSON to make it [{“Universal”}]

Outcome - Speed to Market
•  Faster deployment
•  Consistent
•  Accurate Deployment
•  Easy to manage and update
•  Stored Centrally

Give it a Go
It is addictive………..in a good way!

Shared services VPC using VPC peering
•  Common/core services
–  Authentication/directory
–  Monitoring
–  Logging
–  Remote administration
–  Scanning

Provides infrastructure zoning
•  Dev: VPC B
•  Test: VPC C
•  Production: VPC D

VPC peering for VPC-to-VPC connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63

VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
--peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333

VPC peering – Additional considerations
•  Security groups not supported across peerings
–  Workaround: specify rules by IP prefix
•  No “transit” capability for VPN, AWS Direct
Connect, or 3rd VPCs
–  Example: Cannot access VPC C from VPC A via VPC B
–  Workaround: Create a direct peering from VPC A to VPC C
•  Peer VPC address ranges cannot overlap
–  But, you can peer with 2+ VPCs that themselves overlap
–  Use subnets/routing tables to pick the VPC to use

VPC peering with software firewall
VPC A - 10.10.0.0/16 VPC B - 10.20.0.0/16
# Default routing table directs Peer traffic to the NAT/firewall instance
# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87

VPC Design for the Enterprise
Eamonn O'Neill, Director, Lemongrass Consulting

VPC Layout
Singapore Singapore
Cloud
Controller
Ireland
Website Primary DR
Tokyo
Workspaces
Ireland
Seaco Main Account Seaco DR Account
Lemongrass Account

User Connections to AWS
Singapore
Primary
Seaco WAN
Direct
Connect
(100Mb)

Cloud
Controller
Lemongrass
Support
3rd Parties
Remote
Seaco Users
MiamiShanghai Hamburg
VPN
VPN
VPN
Singapore
India
London Livorno Moscow3rd Parties
Remote
Seaco Users
Remote
Desktop
Services

SAP DR
App
Servers
App
Servers
App.
Servers
App.
Servers
Subnet Layout

ap-southeast-1b

ap-southeast-1a

DMZ

Management & Non-SAP

ap-southeast-1b

VPN VPN
Server
Active
Directory
Domain
Controller
Remote
Desktop
Services

DMZ

VPN VPN
Server
Active
Directory
Remote
Desktop
Services
SQL
Server

Management & Non-SAP
Domain
Controller
SQL
Server
System
Centre
2012

SAP Production
Database
Servers
App.
Servers
App.
Servers
App.
Servers

SAP Non-Production
Database
Servers
App.
Servers
Primary VPC
VPC
Peering

DMZ

VPN VPN
Server
Database
Servers
App
Servers
SAP Web
Dispatcher
Domain
Controller
DR VPC

Lemongrass Consulting
“Transforming the Workplace through Mobile and Cloud”
S24

Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
•  ARC205 – VPC Fundamentals and Connectivity
•  ARC401 – Black Belt Networking for Cloud Ninja
–  Application centric, network monitoring, management, floating IPs
•  ARC403 – From One to Many: Evolving VPC Design
•  SDD302 – A Tale of One Thousand Instances
–  Example of EC2-Classic customer adopting VPC
•  SDD419 – Amazon EC2 Networking Deep Dive
–  Network performance, placement groups, enhanced networking

LONDON
Please complete your session evaluation!

Deep Dive - Amazon Virtual Private Cloud (VPC)

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Deep Dive - Amazon Virtual Private Cloud (VPC)

Similar to Deep Dive - Amazon Virtual Private Cloud (VPC) (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Deep Dive - Amazon Virtual Private Cloud (VPC)