From the APAC Webinar 201 Series

1. APAC Webinar Series | AWS 201
Using Virtual Private Cloud
VPC
Joseph Ziegler
Technical Evangelist
zieglerj@amazon.com
@jiyosub

2. Before we Start

9. What if you could extend into the
cloud easily and securely?

10. You Can!
Corporate Amazon VPC
Data Center

11. Agenda
• What is Virtual Private Cloud (VPC)
• Common VPC Patterns
• Case Study
• Demos
• VPC by Default

12. 2 Questions

13. What is VPC?

14. Making the Connection…

15. Introducing AWS Virtual Private Cloud
User-defined virtual IP networking for EC2
Private or mixed private/public addressing and
secured ingress/egress
Re-use of proven and well-understood
networking concepts and technologies

16. Benefits of Using VPC
Assign static private IP addresses to your instances that persist across
starts and stops
Assign multiple IP addresses to your instances
Define network interfaces, and attach one or more network interfaces to
your instances
Change security group membership for your instances while they're running
Control the outbound traffic from your instances (egress filtering) in addition
to controlling the inbound traffic to them (ingress filtering)
Add an additional layer of access control to your instances in the form of
network access control lists (ACL)
Run your instances on single-tenant hardware

17. Corporate
Data
Center
Availability Zone 1
DirectConnect
Location
10G
Private Subnet
Router
Customer VPN Gateway
Gateway
(BGP/NoBGP)
Corporate
Headquarters
Public Subnet
Internet
Gateway
Amazon VPC
Availability Zone 2
Branch Offices
S3 SQS/SNS/SES SWF Elastic SimpleDB DynamoD
New Enterprise IT Beanstalk
AWS Region
B
Network Architecture

18. VPC Capabilities in a Nutshell
User-defined address space up to /16
• 65,536 addresses
Up to 200 user-defined subnets up to /16
User-defined:
• Virtual routing, DHCP servers, and NAT instances
• Internet gateways, ACLs, ingress/egress security groups and
VPN tunnels
Private IPs stable once assigned
Elastic Network Interfaces

19. Internet
VPC customers can launch instances in their own isolated network
10.134.2.3
10.1.2.3 10.218.5.17
10.27.45.16
10.243.3.5
10.8.55.5
10.141.9.8
10.99.42.97
10.155.6.7
10.16.22.33 10.131.7.28
10.6.78.201
Availability Zone a Availability Zone b
Customer 1 Customer 2 Customer 3 VPC Customer

20. Internet
VPCcan assign your launch instances thetheir own isolated network
You customers can own IP range to in VPC network
10.0.1.6
10.0.0.5 10.0.1.5
10.0.0.6 10.0.1.8
10.0.3.5
10.0.1.25
10.0.3.17
Availability Zone a Availability Zone b
VPC Customer

21. Rich Capabilities in VPC
Elastic Load Balancer, AutoScaling, CloudWatch, Alarms
Relational Database Service
Elastic MapReduce
CloudFormation
Cluster Compute
ElastiCache
Elastic Beanstalk
And more

22. VPN Connectivity Options
Hardware VPN - $0.05 per VPN Connection
Hour
• $36 per month
• Cisco, Juniper, Yamaha, Astaro, Fortinet, Vyatta,
etc (even Windows 2008 R2 instance) Internet
Now supports both BPG & static-routing
Setup via the console
Runs two VPN tunnels by default from your
router to cater for routine maintenance
Up to 10 VPNs per VPC

23. DirectConnect: Private X-Connect to AWS
Dedicated bandwidth to AWS border
network in 1Gbps or 10Gbps chunks
Full access to public endpoints, EC2 Internet
standard & VPCs
• VLAN tagging maps to public side or VPCs
Benefits:
• Faster / more consistent throughput
• Increased isolation and control
Great companion technology to VPC

24. Dedicated Instances
Option to ensure physical hosts are not
shared with other customers Single Tenant
Compute Instance
$10/hr flat fee per Region + small hourly
charge
Can identify specific Instances as
dedicated
Optionally configure entire VPC as
dedicated

25. Common VPC Patterns

26. Models of Data Centre Extension
Isolated project
Expand existing systems into the cloud –
no public exposure
Expose systems to the public - hosted in
the cloud
Branch office access

27. Isolated Project
Dev/Test
Corporate
Proof of Concept Users
“Fail Fast” projects
Time bound/ephemeral
No need for internal system access of Router & Firewall
resources
AWS

28. Extending Existing Systems
Into The Cloud
• Leverage additional processing nodes Corporate
data centre Corporate
Users
• Host entire stack in the cloud with
secure LAN/WAN access.
– E.g. Sharepoint, CMS, CRM, etc Router & Firewall
• Dev/Test VPN Connection
• Disaster Recovery
• Big Data analysis
• Use existing management tools AWS
• No Internet access to systems

29. Expanding Systems Into The Cloud,
with Public Internet Access
• Enable access by Corporate
data centre Corporate
Users
customers/partners to systems
• Enable internal systems to be Router & Firewall
involved and accessed by
applications VPN Connection
Customers/
Partners
• Secure segregation of
components and network access
AWS

30. Branch Office Access
• Enabling remote users & Branch Office Users
offices to have secure Router & Firewall
access to resources
• Centralised systems with
VPN Connection
minimal infrastructure
AWS
VPN Connection VPN Connection
Router & Firewall
Router & Firewall
Branch Office Users Branch Office Users

31. Case Study

32. 15 Daily Newspapers
50 Web Sites
62 MM unique users per month
Over 1 Billion page views per month

33. NYTimes EC2 Expansion (April 2011)
Amazon EC2
Courtesy NYTimes

34. NYTimes EC2 Expansion (April 2011)
Amazon EC2
Courtesy NYTimes

35. Demos & Examples

36. Example: SharePoint with On-Premises Active Directory

37. Extra Good Technical Stuff!
Elastic Network Interfaces
• Maintain the state of a network interface separately from the
lifecycle of an instance
• Enable same instance to be part of multiple subnets
• Static MAC address, etc
• Up to 8 ENIs depending on instance size
Multi-IP
• Relies on ENI
• Up to 30 addresses per ENI
• Private & Public addresses
DHCP Option Sets
• Specify your own domain name for instances
• Specify your own DNS & NTP
And lots more!!

38. VPC by Default

39. VPC Platforms
EC2-Classic
Nondefault VPC
Default VPC

40. Existing Customers

41. New Customers

42. Characteristic EC2-Classic Default VPC Nondefault VPC
Public IP address Your instance receives a Your instance launched in a default Your instance doesn't receive a
public IP address. subnet receives a public IP public IP address.
address.
Private IP address Your instance receives a Your instance receives a static Your instance receives a static
private IP address from the private IP address from the address private IP address from the
EC2-Classic, default VPC range of your default VPC. address range of your VPC.
range each time it's started.
Multiple IP You can assign a single IP You can assign multiple IP You can assign multiple IP
addresses address to your instance. addresses to your instance. addresses to your instance.
Elastic IP address An EIP is disassociated An EIP remains associated with An EIP remains associated with
from your instance when your instance when you stop it. your instance when you stop it.
you stop it.
DNS hostnames DNS hostnames are DNS hostnames are enabled by DNS hostnames are disabled by
enabled by default. default. default.
Security group A security group can A security group can reference A security group can reference
reference security groups security groups for your VPC only. security groups for your VPC only.
that belong to other AWS
accounts.
Security group You must terminate your You can change the security group You can change the security group
association instance to change its of your running instance. of your running instance.
security group.
Security group rules You can add rules for You can add rules for inbound and You can add rules for inbound and
inbound traffic only. outbound traffic. outbound traffic.
Tenancy Your instance runs on You can run your instance on You can run your instance on
shared hardware. shared hardware or single-tenant shared hardware or single-tenant
hardware. hardware.

43. Default VPC
• Create a default subnet in each Availability Zone.
• Create an Internet gateway and connect it to your default VPC.
• Create a main route table for your default VPC with a rule that sends all
traffic destined for the Internet to the Internet gateway.
• Create a default security group and associate it with your default VPC.
• Create a default network access control list (ACL) and associate it with
your default VPC.
• Associate the default DHCP options set for your AWS account with
your default VPC.

45. Next Steps
• http://aws.amazon.com/vpc/
• http://aws.amazon.com/free/
• http://docs.aws.amazon.com/
AmazonVPC/latest/UserGuide/

46. AWS Summits
Sydney | April 24
Mumbai | June 25
Delhi | June 27
Bangalore | July 5
Singapore | July 18
http://amzn.to/UIdArf

47. AWS Summits
Canberra | May 23
Auckland | May 30
http://amzn.to/ZWjox2

48. Survey
Please fill out the survey at the end
for
$25 USD in AWS Credits

49. Thank you
aws.amazon.com/vpc
Joseph Ziegler
Technical Evangelist
zieglerj@amazon.com
@jiyosub