AWS公式オンラインセミナー: https://amzn.to/JPWebinar 過去資料: https://amzn.to/JPArchive

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Webinar
https://amzn.to/JPWebinar https://amzn.to/JPArchive
Solutions Architect
2019/4/17
Amazon VPC Advanced
[AWS Black Belt Online Seminar]

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
2

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Black Belt Online Seminar
•
•
① 吹き出しをクリック
② 質問を入力
③ Sendをクリック
Twitter
#awsblackbelt
3

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• 2019 4 17
AWS (http://aws.amazon.com)
• AWS
AWS
•
• AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to
change in accordance with the AWS Customer Agreement available at
http://aws.amazon.com/agreement/. Any pricing information included in this document is provided
only as an estimate of usage charges for AWS services based on certain information that you
have provided. Monthly charges will be based on your actual use of AWS services, and may vary
from the estimates provided.
4

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• VPC Sharing
• Transit Gateway
• PrivateLink
5

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
6

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
東京リージョン
Amazon Virtual Private Cloud (VPC)
(http://aws.amazon.com/jp/vpc/)
• AWS
• AWS
•
仮想プライベートクラウドサービス
VPC ( 172.16.0.0/16)
既存システム
プライベート
サブネット
パブリック
サブネット
インターネット
VPN
or
専用線
ネットワークを
要件に応じて設定
インターネット
ゲートウェイ
7

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC
• 2009-8 Limited Beta
• 2009-12 Unlimited Beta
• 2010-2 EBS Support
• 2010-9
(MC)
• 2011-3 IGW, EIP, NAT
instance, NACL, SG
• 2011-8 Multi-AZ
• 2011-9 DirectConnect(DX)
• 2012-6 Multiple IP
• 2012-7 Internal ELB
• 2013-10 DX MC
• 2013-12 Default VPC
• 2014-3 VPC peering
• 2014-9 R53 Private host zone
8

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC
• 2015-6 VPC flow logs
• 2015-12 NAT gateway
• 2016-7 DNS for VPC peering
• 2016-8 RDS in your VPC
• 2016-12 IPv6
• 2017-8 Add CIDRs
• 2017-11 PrivateLink
• 2017-11 Inter-Region VPC
Peering
• 2018-10 BYOIP
• 2018-11 Agentless network
assessments
• 2018-11 Transit Gateway
• 2018-12 VPC Sharing
• 2018-12 ClientVPN
9

10. 2019.4のReference
Network Architecture
Internet
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VP
N
AWS Direct
Connect *
Account Account Account Account IAM, cross-account roles
Route
tables
Route
tables
Transit Gateway
Available Q1
2019 10

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
東京リージョン
Amazon Virtual Private Cloud (VPC)
特徴 (http://aws.amazon.com/jp/vpc/)
• AWS上にプライベートネットワークを構築
• AWSと既存環境のハイブリッド構成を実現
• きめ細かいネットワーク設定が可能
仮想プライベートクラウドサービス
VPC ( 172.16.0.0/16)
既存システム
プライベート
サブネット
パブリック
サブネット
インターネット
VPN
or
専用線
ネットワークを
要件に応じて設定
インターネット
ゲートウェイ
ここが歴史です
11

12. 2019.4のReference
Network Architecture
Internet
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VP
N
AWS Direct
Connect *
Account Account Account Account IAM, cross-account roles
Route
tables
Route
tables
Transit Gateway
Available Q1
2019 12

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC Sharing
13

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Mini-Agenda
VPC
– VPC
14

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
なぜマルチアカウントか？
15

16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Answers
AWS Multiple Account Security Strategy
16

17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Multi-Account view
Production Account Test/UAT Account Development Account
Master Account
17

18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
18

19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Production Account Test/UAT Account Development Account
Master Account
VPC VPC VPC
10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
PeeringPeering
Private VIF Private VIF
Private VIF
NAT
gateway
NAT
gateway
NAT
gateway
19

20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
App A Production Account App A Test/UAT Account App A Development Account
Master Account
App B Production Account App B Test/UAT Account App B Development Account
Business Unit A
Business Unit B
VPC VPC VPC
VPC VPCVPC
VPC VPC VPC VPC
VPC VPC
NAT gateway NAT gateway NAT gateway
NAT gateway
NAT gateway
PeeringPeeringPeeringPeering
Private VIF
Private VIFPrivate VIF
Private VIF
20

21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
•
•
•
•
•
•
•
•
•
•
•
21

22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
22

23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC
App A Production Account App A Test/UAT Account App A Development Account
Master Account
App B Production Account App B Test/UAT Account App B Development Account
Business Unit A
Business Unit B
Prod VPC VPC
VPC
Dev/Test VPCNAT gateway NAT gateway
Private VIF Private VIF
23

24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC
VPC
• IPv4
•
• AWS
• AWS
24

25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
IP
IPv4 CIDR
VPC peering, Transit VPC
•
VPC
25

26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Admin
Users
Account A (VPC Owner) Account B (Participant)
Common VPC
Same AWS Organization
AWS Resource
Access Manager
Shared Subnet
Share subnet
with Resource
Share
EC2
Instance
owned by
Account A
RDS
Instance
owned by
Account B
Traffic
26

27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC Sharing
VPC
• VPC
•
VPC Sharing
• VPC
• VPC,
27

28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
28

29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
to
VPC
VPN
29

30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Transit Gateway
1000以上のVPCとオンプレミス間の相互接続を簡単
に
オンプレミス
データセンター
AWS VPC
AWS Transit
Gateway
30

31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Transit Gateway:
AWS Transit
Gateway
VPCとオンプレミス間のルーティングポリシーを集中管理
マルチアカウント間での1000を超えるVPC間接続をサポート
柔軟なルーティングテーブルの分割とルーティングルール
スケーラブル
マルチVPNコネクションのスループット向上
運用の単純化
31

32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• アカウント間の複数VPC間の相互接続の集中管理
• VPNとDirect Connectの接続点を集中化
• ピアツーピアネットワークが必要であった構成の削減、または
廃止が可能
• ECMPルーティングによるVPNスループットの向上(50 Gbps+)
• AWS Transit Gatewayによりリージョン間のピアリングが可能
• AWSグローバルネットワークを活用して、低遅延のクロスリー
ジョン接続を実現
• Regional construct reduces blast radius
• AWSとオンプレミス間の設定時間を削減
• 1カ所で管理および監視が簡単に可能
• CloudWatchとVPC Flow Logsとの統合
• 既存のVPCセキュリティグループとネットワークアクセスコン
トロールリストを利用可能
ネットワーク構成
の単純化
Global
Connectivity
AWS Transit Gateway:
32

33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
33

34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
–
VPC
• 複数のVPCを使用しているお客様
• 多数のVPCにまたがるアプリケーションを構
築するお客様
• ネットワークサービスの共有が可能 (DNS,
Active Directory, ファイアーウォール, IDS)
• 管理のオーバーヘッドを削減
34

35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
–
• すべてのVPCで共通のVPNまたはDirect
Connect Gateway（DXGW）を共有
• 複数のVPCにオンプレミスネットワークを接
続する時間を短縮
• AWS Transit GatewayにVPCを追加する際、
追加する顧客ネットワークに変更は不要
35

36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Use Case –
• 共有のVPCホストセキュリティツール
• Firewall as a service
• Webアプリケーションファイアウォール
（WAF）、データ損失防止（DLP）、侵入検
知/保護（IDS / IPS）
• ネイティブAWSサービスでスケールアウト
36

37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
37

38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Internet
Account Account
Account Account
開発環境
Account Account
Account Account
テスト環境
Account Account
Account Account
本番環境
アウトバウンド
URL filtering
NAT gateway
DLP / Proxy
エッジサービス
WAF / ADC
SD-WAN
VPN / Firewall
IDS / IPS
Firewall / NGFW
インラインサービス
共有サービス
Authentication, Monitoring
VPN
AWS Direct
Connect *
Account Account Account Account
管理アカウント (logging, AWS Organizations, billing, landing zone)
IAM, Cross-account roles
Route
tables
Route
tables
Transit Gateway East-West +
North-South
Available 1H
2019
AWS Transit Gateway
38

39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production 共有サービス
Authentication, monitoring
Route
tables
Route
tables
Transit Gateway
VRF)
Account Account
Account Account
Acquisition
Example applications
• 認証
• ロギング
• DevOps ツール
• セキュリティリソース
AWS Transit Gateway
39

40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Transit Gateway PrivateLink
AWS Transit Gateway
• 多対多、1対多でルーティング
テーブルを利用するもの
• Highly scalable
• 1時間当たりのAZエンドポイン
トコスト
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production
Shared Services
Authentication, Monitoring
R
o
u
t
e
T
a
b
l
e
s
R
o
u
t
e
T
a
b
l
e
s
Transit Gateway
適用範囲：アプリケーション共有サービス
信頼モデル：VPC間に相互信頼をもたない
依存関係：ロードバランサとアプリケーションアーキテクチャ
規模：数千のスポークVPC
対象範囲：多数のVPCへのネットワーク共有サービス
信頼モデル：VPC単位の信頼、集中管理
依存関係：Transit Gatewayによる集中管理
規模：数千のスポークVPC
AWS PrivateLink
• 1対多のコネクティビティ
• Highly scalable
• IPアドレス重複のサポート
• Elastic Load Balancingの使用
• ロードバランサと1時間当たり
のエンドポイントコスト
40

41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Transit Gateway VPN
VPN
Route
tables
Route
tables
Transit Gateway
Customer
Gateway
Transit Gateway (TGW)によるVPNの統合
• VPNはVirtual Private Gateway (VGW)に接続しているように
動作
• 帯域、設定、API,コストおよびエクスペリエンスは従
来通り
• VPNはVGWではなくTGWに接続
• VGW同様トンネルあたり1.25 gbpsの帯域幅を適用
多数のVPCのエッジへの暗号化
• トラフィックはVPC内に入るまで暗号化
• VPC間の通信は自動では暗号化されない
• インターリージョンVPCはデフォルト暗号化
41

42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Transit Gateway VPN: VPN
VPN
Route
tables
Route
tables
Transit Gateway
Customer
Gateway
複数トンネルによるトラフィックの分散サポート
• BGPマルチパスによるEqual Cost Multi Path（ECMP）の
サポート
• 最大50 Gbpsの帯域までテスト済み
• トラフィックの小さな複数のフローへの分割, マルチパー
トアップロード, etc.
オンプレミス環境側の設定確認事項
• マルチパスBGPサポート
• ECMPサポート, ECMPのパスの最大数, reverse-path
forwarding/spoofing機能の有無
• BGP、スタティックルートサポート
42

43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Direct Connect Transit Gateway
Direct Connect VPC Public接続を利用したDirect
Connect上にVPNを張る暗号化
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production Shared
VPN AWS Direct
Connect
Route
Tables
Route
Tables
Transit Gateway
virtual
interfaces
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
Transit Gateway
Public virtual
interface
AWS Cloud
Receive AWS
public IP
addresses
20191Hサポート予定
43

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
構成例
44

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Transit Gatewayで自由に通信させる route domains
Transit Gateway
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
10.2.0.0/16 vpc-att-2xxxxxxx
10.3.0.0/16 vpc-att-3xxxxxxx
10.0.0.0/8 VPN
Default
routing domain
ルートテーブルは１つ
45

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Transit Gatewayで通信制限する route domains
Transit Gateway
Shared
services
VP
N
VPC
Route Destination
10.1.0.0/16 vpc-att-1xxxx
10.2.0.0/16 vpc-att-2xxxx
Route Destination
10.3.0.0/16 vpc-att-3xxxx
10.4.0.0/16 vpc-att-4xxxx
Route Destination
10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
VPCs attach to a route table with
routes to shared resources
Shared resources attach to a route
table with routes to all resources
Shared serviceと
VPN向けのみの経路
それぞれのVPC向け
の経路
46

47. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
インターネットに抜けるOutbound Route Domains
Transit Gateway
VP
N
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
10.2.0.0/16 vpc-att-2xxxxxxx
10.3.0.0/16 vpc-att-3xxxxxxx
10.0.0.0/8 VPN
0.0.0.0/0 vpc-att-4xxxxxx
Default
routing domain
インターネットVPC向
けの経路
47

48. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
インターネットに抜けるOutbound Route Domains
Transit Gateway
VP
N
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
10.2.0.0/16 vpc-att-2xxxxxxx
10.3.0.0/16 vpc-att-3xxxxxxx
10.0.0.0/8 VPN
0.0.0.0/0 vpc-att-4xxxxxx
Default
routing domain
インターネットVPC向
けの経路
48

49. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
PrivateLink
49

50. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS PrivateLink
• https://aws.amazon.com/jp/about-aws/whats-
new/2017/11/introducing-aws-privatelink-for-aws-services/
• パブリック IP を使用することなく、またインターネット全体を横断するトラ
フィックを必要とすることなく、Amazon Virtual Private Cloud (VPC) か
ら AWS のサービスにプライベートにアクセスできます。
• 対応サービス
• https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
• 最近ではECR,ECS,Fargateも
50

51. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
PrivateLink
• 別の AWS アカウントでホストされるサービス、AWS Marketplace のサードパーティサービスにセキュアに接続
• お客様の VPC とこうしたいずれかのサービス間のトラフィックは Amazon のネットワークの外に出ない
• サービスと通信するためにインターネットゲートウェイ、NAT デバイス、パブリック IP アドレス、VPN 接続は不要
51

52. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Transit Gateway PrivateLink
AWS Transit Gateway
• 多対多、1対多でルーティング
テーブルを利用するもの
• Highly scalable
• 1時間当たりのAZエンドポイン
トコスト
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production
Shared Services
Authentication, Monitoring
R
o
u
t
e
T
a
b
l
e
s
R
o
u
t
e
T
a
b
l
e
s
Transit Gateway
適用範囲：アプリケーション共有サービス
信頼モデル：VPC間に相互信頼をもたない
依存関係：ロードバランサとアプリケーションアーキテクチャ
規模：数千のスポークVPC
対象範囲：多数のVPCへのネットワーク共有サービス
信頼モデル：VPC単位の信頼、集中管理
依存関係：Transit Gatewayによる集中管理
規模：数千のスポークVPC
AWS PrivateLink
• 1対多のコネクティビティ
• Highly scalable
• IPアドレス重複のサポート
• Elastic Load Balancingの使用
• ロードバランサと1時間当たり
のエンドポイントコスト
52

53. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
• VPC Sharing
• Transit Gateway
• PrivateLink
3
Transit Gateway AWS Summit Tokyo
Dive Deep
53

54. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Q&A
AWS Japan Blog https://aws.amazon.com/jp/blogs/news/
54

55. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS AWS
https://amzn.to/JPArchive
55

56. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
•
•

57. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Webinar
https://amzn.to/JPWebinar https://amzn.to/JPArchive