15. Introducing AWS Virtual Private Cloud
User-defined virtual IP networking for EC2
Private or mixed private/public addressing and secured ingress/egress
Re-use of proven and well-understood networking concepts and technologies
16. Benefits of Using VPC
Assign static private IP addresses to your instances that persist across starts and stops
Assign multiple IP addresses to your instances
Define network interfaces, and attach one or more network interfaces to your instances
Change security group membership for your instances while they're running
Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)
Add an additional layer of access control to your instances in the form of network access control lists (ACL)
Run your instances on single-tenant hardware
17. Network Architecture
Diagram: a Corporate Data Center (Router, Customer VPN Gateway with BGP/NoBGP), Corporate Headquarters and Branch Offices connect to Amazon VPC in an AWS Region, both over VPN and over a 10G link at a DirectConnect Location. The VPC spans Availability Zone 1 and Availability Zone 2 with a Private Subnet and a Public Subnet behind an Internet Gateway; the region's other services (S3, SQS/SNS/SES, SWF, Elastic Beanstalk, SimpleDB, DynamoDB) sit alongside it. Caption: "New Enterprise IT".
18. VPC Capabilities in a Nutshell
User-defined address space up to /16
• 65,536 addresses
Up to 200 user-defined subnets up to /16
User-defined:
• Virtual routing, DHCP servers, and NAT instances
• Internet gateways, ACLs, ingress/egress security groups and VPN tunnels
Private IPs stable once assigned
Elastic Network Interfaces
19. VPC customers can launch instances in their own isolated network
Diagram: the Internet at the top; instances of Customer 1, Customer 2 and Customer 3 with scattered 10.x.x.x addresses (10.134.2.3, 10.27.45.16, 10.243.3.5 and others) spread across Availability Zone a and Availability Zone b, beside a VPC Customer in its own isolated network.
20. VPC customers can launch instances in their own isolated network
You can assign your own IP range to the VPC network
Diagram: the Internet at the top; the VPC Customer's instances carry addresses from one contiguous range (10.0.0.5, 10.0.0.6, 10.0.1.5, 10.0.1.6, 10.0.1.8, 10.0.1.25, 10.0.3.5, 10.0.3.17) across Availability Zone a and Availability Zone b.
21. Rich Capabilities in VPC
Elastic Load Balancer, AutoScaling, CloudWatch, Alarms
Relational Database Service
Elastic MapReduce
CloudFormation
Cluster Compute
ElastiCache
Elastic Beanstalk
And more
22. VPN Connectivity Options
Hardware VPN - $0.05 per VPN Connection Hour
• $36 per month
• Cisco, Juniper, Yamaha, Astaro, Fortinet, Vyatta, etc (even Windows 2008 R2 instance)
Now supports both BGP & static routing
Setup via the console
Runs two VPN tunnels by default from your router to cater for routine maintenance
Up to 10 VPNs per VPC
23. DirectConnect: Private X-Connect to AWS
Dedicated bandwidth to AWS border network in 1Gbps or 10Gbps chunks
Full access to public endpoints, EC2 standard & VPCs
• VLAN tagging maps to public side or VPCs
Benefits:
• Faster / more consistent throughput
• Increased isolation and control
Great companion technology to VPC
24. Dedicated Instances
Option to ensure physical hosts are not shared with other customers (Single Tenant Compute Instance)
$10/hr flat fee per Region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated
26. Models of Data Centre Extension
Isolated project
Expand existing systems into the cloud – no public exposure
Expose systems to the public - hosted in the cloud
Branch office access
27. Isolated Project
Dev/Test
Proof of Concept
“Fail Fast” projects
Time bound/ephemeral
No need for internal system access of resources
Diagram: Corporate Users behind a Router & Firewall, shown separately from the AWS environment.
28. Extending Existing Systems Into The Cloud
• Leverage additional processing nodes
• Host entire stack in the cloud with secure LAN/WAN access.
– E.g. Sharepoint, CMS, CRM, etc
• Dev/Test
• Disaster Recovery
• Big Data analysis
• Use existing management tools
• No Internet access to systems
Diagram: Corporate data centre and Corporate Users behind a Router & Firewall, joined to AWS by a VPN Connection.
29. Expanding Systems Into The Cloud, with Public Internet Access
• Enable access by customers/partners to systems
• Enable internal systems to be involved and accessed by applications
• Secure segregation of components and network access
Diagram: Corporate data centre and Corporate Users behind a Router & Firewall, joined to AWS by a VPN Connection; Customers/Partners reach the AWS-hosted systems over the public Internet.
30. Branch Office Access
• Enabling remote users & offices to have secure access to resources
• Centralised systems with minimal infrastructure
Diagram: several Branch Office Users sites, each behind its own Router & Firewall, joined to AWS by VPN Connections.
37. Extra Good Technical Stuff!
Elastic Network Interfaces
• Maintain the state of a network interface separately from the
lifecycle of an instance
• Enable same instance to be part of multiple subnets
• Static MAC address, etc
• Up to 8 ENIs depending on instance size
Multi-IP
• Relies on ENI
• Up to 30 addresses per ENI
• Private & Public addresses
DHCP Option Sets
• Specify your own domain name for instances
• Specify your own DNS & NTP
And lots more!!
42. Characteristic: EC2-Classic vs Default VPC vs Nondefault VPC
Public IP address
• EC2-Classic: Your instance receives a public IP address.
• Default VPC: Your instance launched in a default subnet receives a public IP address.
• Nondefault VPC: Your instance doesn't receive a public IP address.
Private IP address
• EC2-Classic: Your instance receives a private IP address from the EC2-Classic range each time it's started.
• Default VPC: Your instance receives a static private IP address from the address range of your default VPC.
• Nondefault VPC: Your instance receives a static private IP address from the address range of your VPC.
Multiple IP addresses
• EC2-Classic: You can assign a single IP address to your instance.
• Default VPC: You can assign multiple IP addresses to your instance.
• Nondefault VPC: You can assign multiple IP addresses to your instance.
Elastic IP address
• EC2-Classic: An EIP is disassociated from your instance when you stop it.
• Default VPC: An EIP remains associated with your instance when you stop it.
• Nondefault VPC: An EIP remains associated with your instance when you stop it.
DNS hostnames
• EC2-Classic: DNS hostnames are enabled by default.
• Default VPC: DNS hostnames are enabled by default.
• Nondefault VPC: DNS hostnames are disabled by default.
Security group
• EC2-Classic: A security group can reference security groups that belong to other AWS accounts.
• Default VPC: A security group can reference security groups for your VPC only.
• Nondefault VPC: A security group can reference security groups for your VPC only.
Security group association
• EC2-Classic: You must terminate your instance to change its security group.
• Default VPC: You can change the security group of your running instance.
• Nondefault VPC: You can change the security group of your running instance.
Security group rules
• EC2-Classic: You can add rules for inbound traffic only.
• Default VPC: You can add rules for inbound and outbound traffic.
• Nondefault VPC: You can add rules for inbound and outbound traffic.
Tenancy
• EC2-Classic: Your instance runs on shared hardware.
• Default VPC: You can run your instance on shared hardware or single-tenant hardware.
• Nondefault VPC: You can run your instance on shared hardware or single-tenant hardware.
43. Default VPC
• Create a default subnet in each Availability Zone.
• Create an Internet gateway and connect it to your default VPC.
• Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway.
• Create a default security group and associate it with your default VPC.
• Create a default network access control list (ACL) and associate it with your default VPC.
• Associate the default DHCP options set for your AWS account with your default VPC.
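Whether a subnet is "public" in the sense this slide uses is a route-table fact: a subnet uses its explicitly associated route table, or the VPC's main table when it has none, and it is public when that table hands Internet-bound traffic to an Internet gateway. The following is an added example, not code from the slides or from AWS: it applies that rule to constructed subnet and route-table records shaped like describe-subnets / describe-route-tables output, so a reviewer can list which subnets are Internet-routable. No AWS API is called and every subnet-, rtb- and igw- identifier is a placeholder.

```python
"""Classify VPC subnets as public or private from their effective route tables.

Added example, not code from the original deck. The records are constructed
inline in the shape of `ec2 describe-subnets` / `ec2 describe-route-tables`
output; all identifiers are placeholders and nothing here talks to AWS.
"""

# Constructed sample: three default-style /20 subnets in one 172.31.0.0/16 VPC.
SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "172.31.0.0/20", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-bbbb2222", "CidrBlock": "172.31.16.0/20", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-cccc3333", "CidrBlock": "172.31.32.0/20", "AvailabilityZone": "eu-west-1c"},
]

ROUTE_TABLES = [
    {
        # Main route table as a default VPC creates it: 0.0.0.0/0 -> Internet gateway.
        # Every subnet without an explicit association falls back to this table.
        "RouteTableId": "rtb-main00001",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc12345", "State": "active"},
        ],
    },
    {
        # Custom table with the Internet-gateway route removed and explicitly
        # associated with the third subnet, which therefore becomes private.
        "RouteTableId": "rtb-priv00002",
        "Associations": [{"Main": False, "SubnetId": "subnet-cccc3333"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def effective_route_table(subnet_id, route_tables):
    """Return the route table a subnet actually uses: an explicit association
    wins, otherwise the VPC's main route table applies."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    if main is None:
        raise ValueError("no main route table found")
    return main


def has_internet_route(route_table):
    """True if any active route hands traffic to an Internet gateway (igw-*)."""
    return any(
        str(route.get("GatewayId", "")).startswith("igw-")
        and route.get("State", "active") == "active"
        for route in route_table.get("Routes", [])
    )


def classify_subnets(subnets, route_tables):
    """Map each SubnetId to 'public' or 'private' from its effective route table."""
    result = {}
    for subnet in subnets:
        table = effective_route_table(subnet["SubnetId"], route_tables)
        result[subnet["SubnetId"]] = "public" if has_internet_route(table) else "private"
    return result


if __name__ == "__main__":
    verdicts = classify_subnets(SUBNETS, ROUTE_TABLES)
    for subnet in SUBNETS:
        print(f"{subnet['SubnetId']}  {subnet['CidrBlock']:<16} {subnet['AvailabilityZone']}  {verdicts[subnet['SubnetId']]}")
```

Run against real account data, the same functions would take the `Subnets` and `RouteTables` lists from the CLI output; the point of the explicit-versus-main lookup is that a subnet with no association of its own silently inherits the main table's Internet route, which is exactly how a default subnet ends up public.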
Audience poll: Are you currently using AWS VPC? What are you using or planning on using AWS VPC services for? Public-facing application / Internal-facing application / Both
“User-defined” is important because it can be a private OR a public address space. If public, must be routed to/from customer gateway / VPN tunnel.
Slide 18 note: Should be 65,536 IP addresses (256 x 256). We reserve the first 4 and last 1 in each range.
Each instance that you launch into a default VPC receives both a public IP address and a private IP address. Each instance also receives both public and private DNS hostnames.
A default VPC is like any other VPC; you can add subnets, modify the main route table, add additional route tables, associate additional security groups, update the rules of the default security group, and add VPN connections. You can also create additional VPCs.
A default subnet is like any other subnet; you can add custom route tables and set network ACLs. You can also specify a default subnet when you launch an EC2 instance.
Default Subnets
The CIDR block for a default VPC is always 172.31.0.0/16. This provides up to 65,536 private IP addresses. The netmask for a default subnet is always /20, which provides up to 4,096 addresses per subnet, a few of which are reserved for our use.
By default, a default subnet is a public subnet, because the main route table sends the subnet's traffic that is destined for the Internet to the Internet gateway. You can make a default subnet a private subnet by removing the route from the destination 0.0.0.0/0 to the Internet gateway. However, if you do this, any EC2 instance running in that subnet can't access the Internet or other AWS products, such as Amazon Simple Storage Service (Amazon S3).
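The sizing figures in these notes and on slide 18 (a VPC of at most /16 with 65,536 addresses, up to 200 subnets, /20 default subnets of 4,096 addresses, and the first 4 and last 1 addresses of each range reserved) can be checked with the standard library. The following is an added example, not the deck's own code: it computes usable host counts, lists the reserved addresses, and carves equal subnets out of a VPC CIDR while enforcing those limits. The /28 lower bound on subnet size is a known AWS constraint that the slides do not state, and the identity of the four reserved low addresses is from AWS documentation rather than the notes.

```python
"""Address arithmetic for an AWS VPC, using the sizing rules from the slides.

Added example, not code from the original deck; standard library only.
Rules applied: VPC CIDR no larger than /16, at most 200 subnets per VPC, and
the first four plus the last address of every subnet reserved by AWS. The /28
smallest-subnet limit is a known AWS constraint not stated in the slides.
"""
import ipaddress

MAX_SUBNETS_PER_VPC = 200  # slide 18
LARGEST_PREFIX = 16        # largest user-defined address space (slide 18)
SMALLEST_PREFIX = 28       # smallest subnet AWS allows (not in the slides)
RESERVED_AT_START = 4      # network address, VPC router, DNS, future use (AWS docs)
RESERVED_AT_END = 1        # broadcast address


def aws_usable_hosts(cidr):
    """Addresses you can actually assign to instances in a subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - RESERVED_AT_START - RESERVED_AT_END


def reserved_addresses(cidr):
    """The five addresses AWS holds back in a subnet, as dotted strings."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net[i]) for i in range(RESERVED_AT_START)] + [str(net[-1])]


def plan_subnets(vpc_cidr, subnet_prefix, count):
    """Carve `count` equal subnets of the given prefix length out of the VPC CIDR.

    Raises ValueError when the request violates the limits above or does not fit.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.prefixlen < LARGEST_PREFIX:
        raise ValueError(f"VPC CIDR {vpc} is larger than the /{LARGEST_PREFIX} maximum")
    if not vpc.prefixlen <= subnet_prefix <= SMALLEST_PREFIX:
        raise ValueError(f"subnet prefix must be between /{vpc.prefixlen} and /{SMALLEST_PREFIX}")
    if count > MAX_SUBNETS_PER_VPC:
        raise ValueError(f"{count} subnets exceeds the limit of {MAX_SUBNETS_PER_VPC} per VPC")
    available = 2 ** (subnet_prefix - vpc.prefixlen)
    if count > available:
        raise ValueError(f"only {available} /{subnet_prefix} subnets fit in {vpc}")
    if subnet_prefix == vpc.prefixlen:
        return [str(vpc)]  # the whole VPC is the single subnet
    gen = vpc.subnets(new_prefix=subnet_prefix)
    return [str(next(gen)) for _ in range(count)]


if __name__ == "__main__":
    # Default-VPC layout from the notes: 172.31.0.0/16 carved into /20s, one per AZ.
    vpc = "172.31.0.0/16"
    print(f"{vpc}: {aws_usable_hosts(vpc)} usable of {ipaddress.ip_network(vpc).num_addresses}")
    for subnet in plan_subnets(vpc, 20, 3):
        print(f"  {subnet}: {aws_usable_hosts(subnet)} usable, reserved {reserved_addresses(subnet)}")
```

The "a few of which are reserved" in the notes is exactly five per subnet, so a /20 default subnet yields 4,091 assignable addresses and a /16 VPC 65,531; the planner refuses anything outside the /16 to /28 window or beyond the 200-subnet limit rather than silently producing an invalid layout.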