
20190130 Network and security design based on AWS Shared VPC

Session content from AWS Expert Online for JAWS-UG, January 30, 2019.

Shared VPC, together with the VPC-related features released at the same time, makes it possible to reduce the security workload. Let's build the "best practices".

Published in: Technology

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Yasuhiro Araki, AWS Solution Architecture, Practice and Guide Lead, Japan. 2019/01/30
  3. (Diagram) Tokyo region: a VPC (172.16.0.0/16) with a public subnet and a private subnet; an Internet gateway to the Internet; VPN or a leased line to the existing system; the network is configured according to requirements.
  6. (Diagram) Many accounts connected through VPN and AWS Direct Connect; IAM and cross-account roles; route tables; Transit Gateway (available Q1 2019).
  7. (Diagram) Account strategy; connectivity (VPN, WAN, AWS Direct Connect, Transit VPC); network services; shared services; multi-region options; segmentation model.
  12. (Diagram) An infrastructure account publishes Resource Shares to the other accounts.
  14. (Diagram) Accounts receiving a resource share. Inbound network ACL:
      #    Source          Action
      100  10.0.1.0/24     ALLOW
      101  10.0.101.0/24   ALLOW
      200  10.0.0.0/16     DENY
      300  0.0.0.0/0       ALLOW
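The network ACL on slide 14 only works as intended because AWS evaluates network ACL rules from the lowest rule number upwards and stops at the first match: the two /24 ALLOW rules at 100 and 101 have to precede the DENY for the rest of 10.0.0.0/16 at 200, and rule 300 then admits sources outside the VPC CIDR. The following Python is an added example, not part of the slide deck: it evaluates a source address against that ACL and reports rules that can never match because a lower-numbered rule already covers their whole range. The rule list is constructed from the slide; the misordered variant is a constructed counterexample.

```python
import ipaddress

# Inbound network ACL constructed from slide 14: (rule number, source CIDR, action).
INBOUND_NACL = [
    (100, "10.0.1.0/24", "ALLOW"),
    (101, "10.0.101.0/24", "ALLOW"),
    (200, "10.0.0.0/16", "DENY"),
    (300, "0.0.0.0/0", "ALLOW"),
]

# Constructed counterexample: the same rules, but the VPC-wide DENY has the lowest number.
MISORDERED_NACL = [
    (100, "10.0.0.0/16", "DENY"),
    (200, "10.0.1.0/24", "ALLOW"),
    (201, "10.0.101.0/24", "ALLOW"),
    (300, "0.0.0.0/0", "ALLOW"),
]


def evaluate_nacl(rules, source_ip):
    """Return (rule_number, action) for the first rule that matches source_ip.

    Network ACL rules are evaluated from the lowest rule number upwards and the
    first match decides; later rules are never consulted. If no numbered rule
    matches, the implicit final '*' rule denies the packet.
    """
    ip = ipaddress.ip_address(source_ip)
    for number, cidr, action in sorted(rules, key=lambda rule: rule[0]):
        if ip in ipaddress.ip_network(cidr):
            return number, action
    return None, "DENY"


def shadowed_rules(rules):
    """Return the numbers of rules that can never match because a lower-numbered
    rule already covers their entire source range (a review check for the table)."""
    ordered = sorted(rules, key=lambda rule: rule[0])
    shadowed = []
    for i, (number, cidr, _action) in enumerate(ordered):
        net = ipaddress.ip_network(cidr)
        for _earlier_number, earlier_cidr, _earlier_action in ordered[:i]:
            if ipaddress.ip_network(earlier_cidr).supernet_of(net):
                shadowed.append(number)
                break
    return shadowed


if __name__ == "__main__":
    for src in ("10.0.1.25", "10.0.101.7", "10.0.5.9", "192.0.2.10"):
        print(src, evaluate_nacl(INBOUND_NACL, src), evaluate_nacl(MISORDERED_NACL, src))
    print("shadowed in misordered ACL:", shadowed_rules(MISORDERED_NACL))
```

With the slide's ordering, 10.0.1.25 and 10.0.101.7 are allowed by rules 100 and 101, 10.0.5.9 is denied by rule 200, and an external address is allowed by rule 300. In the misordered variant the two /24 ALLOW rules are shadowed by the /16 DENY and every address inside the VPC is denied.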
  18. (Diagram) Security groups and IAM.
  19. Comparison of connectivity options:
      VPC peering: 1-to-1 relationship; up to 100 VPCs; security groups across VPCs; inter-region peering.
      Transit VPC: placed in one of the spokes; bandwidth limits; complex to control; instance and license costs.
      AWS Transit Gateway: 1-to-1 or 1-to-N depending on the route table; scalable; endpoint cost per AZ.
      AWS PrivateLink: 1-to-N relationship; scalable; works even with overlapping IP addresses; NLB and endpoint costs.
      (Diagram) Development, Testing and Production accounts and Shared Services connected through Transit Gateway route tables.
  20. The same comparison, with AWS Transit Gateway and AWS PrivateLink marked ✓.
  21. AWS Transit Gateway versus AWS PrivateLink, compared on scope, trust model, dependencies and scale, with the same bullets as slide 19.
  23. (Diagram) Layers of isolation across accounts: IAM, security groups, VPC ACLs, route tables, network ACLs, separate VPCs.
  24. (Diagram) Accounts connected through VPN, AWS Direct Connect, route tables and Transit Gateway, with a Security services VPC (available Q1 2019).
  25. Transit Gateway route table, default routing domain:
      Route         Destination
      10.1.0.0/16   vpc-att-1xxxxxxx
      10.2.0.0/16   vpc-att-2xxxxxxx
      10.3.0.0/16   vpc-att-3xxxxxxx
      10.0.0.0/8    VPN
  26. Transit Gateway with shared services, VPN and VPCs. VPCs attach to a route table with routes to shared resources; shared resources attach to a route table with routes to all resources. Route tables shown:
      Route         Destination
      10.1.0.0/16   vpc-att-1xxxx
      10.2.0.0/16   vpc-att-2xxxx

      Route         Destination
      10.3.0.0/16   vpc-att-3xxxx
      10.4.0.0/16   vpc-att-4xxxx

      Route         Destination
      10.0.0.0/8    VPN
      10.4.0.0/16   vpc-att-4xxxx
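Slides 25 and 26 rely on two Transit Gateway behaviours: each attachment is associated with one route table, and a lookup in that table is a longest-prefix match. The Python below is an added example, not part of the deck, that models both: the default routing domain from slide 25, and the segmented design of slide 26 in which spoke VPCs are associated with a table that only knows the shared resources while the shared resources use a table that knows every VPC. The route tables and the attachment-to-table associations are constructed from the slides (the deck's placeholder IDs such as vpc-att-1xxxx are kept and are not real attachment IDs); the shared-resources table is assumed to be the union of the VPC routes the slide draws in two boxes plus the VPN route.

```python
import ipaddress

# Slide 25: the default routing domain, a single table for everything (constructed).
DEFAULT_RT = {
    "10.1.0.0/16": "vpc-att-1xxxx",
    "10.2.0.0/16": "vpc-att-2xxxx",
    "10.3.0.0/16": "vpc-att-3xxxx",
    "10.0.0.0/8": "VPN",
}

# Slide 26: the table the spoke VPCs are associated with. It only carries routes
# to the shared resources: the VPN and the shared-services VPC (constructed).
SPOKE_RT = {
    "10.0.0.0/8": "VPN",
    "10.4.0.0/16": "vpc-att-4xxxx",
}

# Slide 26: the table the shared resources are associated with, holding routes to
# all resources. Assumed here to be the union of the slide's two VPC tables plus
# the VPN route.
SHARED_RT = {
    "10.1.0.0/16": "vpc-att-1xxxx",
    "10.2.0.0/16": "vpc-att-2xxxx",
    "10.3.0.0/16": "vpc-att-3xxxx",
    "10.4.0.0/16": "vpc-att-4xxxx",
    "10.0.0.0/8": "VPN",
}

# Each attachment is associated with exactly one route table (constructed mapping).
ASSOCIATIONS = {
    "vpc-att-1xxxx": SPOKE_RT,
    "vpc-att-2xxxx": SPOKE_RT,
    "vpc-att-3xxxx": SPOKE_RT,
    "vpc-att-4xxxx": SHARED_RT,
    "VPN": SHARED_RT,
}


def lookup(route_table, dest_ip):
    """Longest-prefix match over one route table. Returns the target attachment,
    or None when no route covers the destination (the packet is dropped)."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def next_hop(source_attachment, dest_ip):
    """Where the gateway forwards a packet that arrives from source_attachment:
    the lookup is done in the table that attachment is associated with."""
    return lookup(ASSOCIATIONS[source_attachment], dest_ip)


if __name__ == "__main__":
    print("default domain, 10.1.5.5   ->", lookup(DEFAULT_RT, "10.1.5.5"))
    print("default domain, 10.9.1.1   ->", lookup(DEFAULT_RT, "10.9.1.1"))
    print("default domain, 172.16.0.1 ->", lookup(DEFAULT_RT, "172.16.0.1"))
    print("spoke 1 -> 10.2.0.5 (VPC 2) ->", next_hop("vpc-att-1xxxx", "10.2.0.5"))
    print("spoke 1 -> 10.4.0.9 (shared)->", next_hop("vpc-att-1xxxx", "10.4.0.9"))
    print("shared  -> 10.2.0.5 (VPC 2) ->", next_hop("vpc-att-4xxxx", "10.2.0.5"))
```

In the default domain the /16 VPC routes win over the /8 VPN route by prefix length, and 172.16.0.1 has no route at all. In the segmented design a packet from spoke VPC 1 addressed to VPC 2 only matches the 10.0.0.0/8 route and is sent toward the VPN, never to the VPC 2 attachment, while the shared-services VPC can reach every spoke; that asymmetry is the segmentation slide 26 describes.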
  28. (Diagram) Account strategy; connectivity (VPN, WAN, AWS Direct Connect, Transit VPC); network services; shared services; multi-region options; segmentation model.
