AWS Connectivity, VPC Design and Security Pro Tips
Agenda
•  AWS Connectivity
–  Direct Connect
What is AWS Direct Connect…
•  Dedicated, private pipes into AWS
•  Create private (VPC) or public interfaces to AWS
•  Cheaper data-out rates than Internet (data-in still free)
•  Consistent network performance compared to Internet
•  Multiple AWS accounts can share a connection
Why use AWS Direct Connect?
[Chart: data-out price per GB ($0.000 to $0.150) for Direct Connect versus Internet, across the tiers First 10TB, Next 40TB, Next 100TB and Next 350TB]
[Diagram: VPC CIDR 10.1.0.0/16 with a Public Subnet and a Private Subnet in each of Availability Zone A and Availability Zone B; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; an Internet Gateway (IGW) and a Virtual Private Gateway (VGW) attached to the VPC; the VGW terminates a VPN connection and an AWS Direct Connect link, each drawn from a customer data center]
Only 1 IGW and 1 VGW per VPC
Route Table
Destination     Target
10.1.0.0/16     local
Internal CIDR   VGW
Direct Connect – Single Link, Single CGW
[Diagram: VPC 1 (10.1.0.0/16) behind the VGW in the AWS Network; at the DX POP Location a Cross Connect joins the AWS DX router to the Customer Gateway Router in colocation; a Service Provider circuit runs from the Customer Gateway across the Customer's Network Backbone to the Customer Site, where the Customer Provider Edge Router hands off at the Demarcation to the Customer's Local Network (Customer DC, 172.16.0.0/16, Customer Subnet)]
Direct Connect – Single Link, Single CGW
[Diagram: the same single-link topology, annotated with the two BGP sessions below]
eBGP (CGW – VGW)
From - To        Route           Metric
CGW to VGW       172.16.0.0/16   -
VGW to CGW       10.1.0.0/16     -
Routing – Probably eBGP (Customer – CGW)
From - To           Route
Customer to CGW     172.16.0.0/16
CGW to Customer     10.1.0.0/16
Layer 2 VLAN Connectivity
BGP is a requirement for Direct Connect: http://aws.amazon.com/directconnect/faqs/
[Diagram: the Customer Router trunks VLAN X, VLAN Y, VLAN Z … VLAN N to the AWS DX Router at the Direct Connect Location; each VLAN carries one virtual interface (VIF): private VIF 1 to virtual private cloud 1, private VIF 2 to virtual private cloud 2, … virtual private cloud N, and a public virtual interface (VIF) to the Region's public endpoints]
Each interface can be associated with a different AWS Account. (Hosted Virtual Interfaces)
Public Virtual Interfaces (VIFs)
Private Virtual Interfaces (VIFs)
Agenda
•  AWS Connectivity
–  VPN
–  Design Patterns
[Diagrams: VPN connection between the Customer Network and the VPC; only 1 IGW and 1 VGW per VPC]
Direct Connect – Single Link, Single CGW, With IPSEC Failover
[Diagram: the single-link topology above, plus an IPSEC tunnel over the Internet from the Customer Edge Router at the Customer DC (172.16.0.0/16) to the VGW of VPC 1 (10.1.0.0/16) as the failover path]
eBGP (CGW – VGW)
From - To        Route           Metric
CGW to VGW       172.16.0.0/16   -
VGW to CGW       10.1.0.0/16     -
Direct Connect – Dual Links, Single CGW
[Diagram: VPC 1 (10.1.0.0/16) reached over two AWS Direct Connect links that both terminate on a single Customer Gateway in colocation at the DX Location; the Service Provider Network carries traffic on to the Customer Edge Router at the Customer DC (172.16.0.0/16, Customer Subnet)]
eBGP, link 1
From - To        Route           Metric
CGW to VGW       172.16.0.0/16   LP 150
VGW to CGW       10.1.0.0/16
eBGP, link 2
From - To        Route           Metric
CGW to VGW       172.16.0.0/17   LP 90
VGW to CGW       10.1.0.0/16
-  You can split your route advertisements to the VGW
-  Instead of using AS Path Prepend
CGW to VGW       172.16.128.0/17
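As an added example (not from the deck), the following Python models how the VGW picks a link once the /16 is split into a /17 per link, versus prepending the AS path on the whole /16. The link names, the AS path lengths and which /17 is advertised on which link are assumptions.

```python
"""Longest-prefix-match view of two Direct Connect links (constructed example, not from the deck)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A route the VGW learned: (prefix, link it arrived on, AS path length). Link names are made up.
Route = Tuple[str, str, int]


def select(dest: str, rib: List[Route]) -> Optional[str]:
    """Link the VGW forwards traffic for `dest` over, or None if nothing covers it.

    Simplified BGP decision process: the longest matching prefix wins outright;
    among equal prefixes the shortest AS path wins; the link name breaks a tie.
    """
    addr = ip_address(dest)
    matches = [(ip_network(p), link, plen) for p, link, plen in rib if addr in ip_network(p)]
    if not matches:
        return None
    matches.sort(key=lambda m: (-m[0].prefixlen, m[2], m[1]))
    return matches[0][1]


def withdraw(rib: List[Route], link: str) -> List[Route]:
    """Routes left after `link` goes down (BGP withdraws everything learned on it)."""
    return [r for r in rib if r[1] != link]


def steering(rib: List[Route]) -> Dict[str, Optional[str]]:
    """Which link carries traffic to a host in each half of 172.16.0.0/16."""
    return {dest: select(dest, rib) for dest in ("172.16.10.5", "172.16.200.5")}


# Option 1: advertise the whole /16 on both links and prepend on link B.
# Every destination prefers link A; link B only carries traffic after A fails.
PREPEND = [
    ("172.16.0.0/16", "link-A", 1),
    ("172.16.0.0/16", "link-B", 3),   # AS path lengthened by prepending twice
]

# Option 2 (the deck's suggestion): keep the /16 on both links as the backup route and
# advertise one /17 half per link. Each half's traffic takes "its" link while both are up,
# and the /16 catches everything as soon as one link is withdrawn.
SPLIT = [
    ("172.16.0.0/16", "link-A", 1),
    ("172.16.0.0/17", "link-A", 1),
    ("172.16.0.0/16", "link-B", 1),
    ("172.16.128.0/17", "link-B", 1),
]

if __name__ == "__main__":
    print("prepend, both up  :", steering(PREPEND))
    print("split, both up    :", steering(SPLIT))
    print("split, link-B down:", steering(withdraw(SPLIT, "link-B")))
```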
Direct Connect – Dual Links, Dual CGW
[Diagram, built up over several slides: VPC 1 (10.1.0.0/16) reached over two AWS Direct Connect links, each terminating on its own Customer Gateway in colocation at the DX Location; the Service Provider Network carries traffic on to the Customer Edge Router at the Customer DC (172.16.0.0/16, Customer Subnet); BGP annotations: BGP AS X, BGP AS Y, and iBGP between the two customer gateway routers]
- So far so good?
- What’s wrong with this topology?
- SPoF!
Direct Connect – Dual Locations, Dual Links
[Diagram: VPC 1 (10.1.0.0/16) reached over two AWS Direct Connect links, one from a Customer Gateway in colocation at DX Location 1 and one from a Customer Gateway in colocation at DX Location 2; the Service Provider Network carries traffic on to the Customer Edge Router at the Customer DC (172.16.0.0/16, Customer Subnet)]
Direct Connect – Dual Locations, Dual Links, Dual Routers
[Diagram: as above, with dual routers at the Customer DC]
Multi-Account Direct Connect
[Diagram: the Customer Gateway in colocation carries an Ethernet Trunk to AWS Direct Connect. VLAN 320 (customer side SVI/Sub 320, IP 169.x.x.2, BGP AS 65xxx; AWS side IP 169.x.x.1, BGP AS 17493) is a Private VI into VPC 1 (10.1.0.0/16) in AWS Account 1. VLAN 330 (customer side SVI/Sub 330, IP 169.y.y.2, BGP AS 65xxx; AWS side IP 169.y.y.1, BGP AS 17493) is a Private VI into VPC 2 (10.2.0.0/16) in AWS Account 2]
How to Delegate VI to Another Account.
Step 1.
Delegate Virtual Interface to Another Account.
Step 2.
Agenda
–  VPN
–  Design Patterns
•  VPC Design
–  Concepts
[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]
Choose your VPC address range
•  Your own private, isolated section of the AWS cloud
•  Every VPC has a private IP address space
•  The maximum CIDR block you can allocate is /16
•  For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select IP addressing strategy
•  You can’t change the VPC address space once it’s created
•  Think about overlaps with other VPCs or existing corporate networks
•  Don’t waste address space, but don’t constrain your growth either
[Diagram, built up over several slides: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24 holding EC2 instances in the roles Web, App, Log and Bastion. Security group rules annotated on the diagram:]
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from instances in the Bastion security group”
Security groups
•  Operate at the instance level
•  Supports ALLOW rules only
•  Are stateful
•  Max 50 rules per security group
•  Max 5 groups per instance
[Diagram: the same VPC with the VPC Router between the subnets. NACL rule annotated on the diagram:]
“Deny all traffic between the web server subnet and the database server subnet”
NACLs are optional
•  Applied at subnet level
•  Stateless and permit all by default
•  ALLOW and DENY
•  Applies to all instances in the subnet
•  Use as guard rails (port 21, 135,…)
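Added example, not code from the deck or from AWS: a small Python model of the two filters described above, the stateful ALLOW-only security groups carrying the three rules quoted on the diagrams, and a stateless NACL on the database subnet carrying the "deny web subnet to database subnet" guard rail. Subnet roles, instance IPs, the syslog (514) and MySQL (3306) ports and the NACL rule numbers are assumptions.

```python
"""Security groups vs. NACLs as a tiny packet filter (constructed example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # destination port (0 for icmp)
    sport: int = 0    # source port

@dataclass
class Rule:
    proto: str                 # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]     # inclusive destination-port range
    peer: str                  # a CIDR, or a security-group name (security-group rules only)
    action: str = "allow"      # NACL rules may also be "deny"
    number: int = 0            # NACL evaluation order

def _ports_ok(rule: Rule, flow: Flow) -> bool:
    return rule.proto in ("all", flow.proto) and rule.ports[0] <= flow.dport <= rule.ports[1]

class Nacl:
    """Subnet level, stateless, ALLOW and DENY: the lowest-numbered matching rule wins."""
    def __init__(self, ingress: List[Rule], egress: List[Rule]):
        self.ingress = sorted(ingress, key=lambda r: r.number)
        self.egress = sorted(egress, key=lambda r: r.number)

    def permits(self, flow: Flow, direction: str) -> bool:
        rules, peer = (self.ingress, flow.src) if direction == "in" else (self.egress, flow.dst)
        for r in rules:
            if _ports_ok(r, flow) and ip_address(peer) in ip_network(r.peer):
                return r.action == "allow"
        return False    # the implicit "*" deny at the end of every NACL

class SecurityGroup(NamedTuple):
    """Instance level, ALLOW only, stateful (the connection state is kept by Vpc)."""
    name: str
    ingress: List[Rule]
    egress: List[Rule]

class Vpc:
    def __init__(self, groups: List[SecurityGroup], members: Dict[str, Set[str]], nacls: Dict[str, Nacl]):
        self.groups = {g.name: g for g in groups}
        self.members = members          # instance IP -> names of its security groups
        self.nacls = nacls              # subnet CIDR -> its NACL
        self.state: Set[Tuple] = set()  # connections already admitted by security groups

    def _peer_ok(self, rule: Rule, ip: str) -> bool:
        if rule.peer in self.groups:    # e.g. "from instances in the Bastion security group"
            return rule.peer in self.members.get(ip, set())
        return ip_address(ip) in ip_network(rule.peer)

    def _sg_permits(self, flow: Flow) -> bool:
        if (flow.dst, flow.src, flow.proto, flow.sport, flow.dport) in self.state:
            return True                 # stateful: the reply to an admitted connection needs no rule
        out_ok = any(_ports_ok(r, flow) and self._peer_ok(r, flow.dst)
                     for n in self.members.get(flow.src, ()) for r in self.groups[n].egress)
        in_ok = any(_ports_ok(r, flow) and self._peer_ok(r, flow.src)
                    for n in self.members.get(flow.dst, ()) for r in self.groups[n].ingress)
        if out_ok and in_ok:
            self.state.add((flow.src, flow.dst, flow.proto, flow.dport, flow.sport))
        return out_ok and in_ok

    def _nacl(self, ip: str) -> Nacl:
        return next(n for cidr, n in self.nacls.items() if ip_address(ip) in ip_network(cidr))

    def permits(self, flow: Flow) -> bool:
        """Source-subnet NACL (egress), destination-subnet NACL (ingress), then security groups."""
        return (self._nacl(flow.src).permits(flow, "out") and self._nacl(flow.dst).permits(flow, "in")
                and self._sg_permits(flow))

ANY = (0, 65535)
ALLOW_ALL = [Rule("all", ANY, "0.0.0.0/0", number=100)]

def build_vpc() -> Vpc:
    """The deck's rules; subnet roles, instance IPs and the syslog/MySQL ports are assumptions."""
    web = SecurityGroup("web", [], ALLOW_ALL)                                   # default egress
    app = SecurityGroup("app", [Rule("tcp", (8080, 8080), "web"),              # web -> app on 8080
                                Rule("tcp", (22, 22), "bastion"), Rule("icmp", (0, 0), "bastion")],
                        [Rule("tcp", (514, 514), "log"), Rule("tcp", (3306, 3306), "db")])
    log = SecurityGroup("log", [Rule("tcp", (514, 514), "app")], [])            # outbound to log
    db = SecurityGroup("db", [Rule("tcp", (3306, 3306), "10.0.0.0/16")], [])   # broad on purpose
    bastion = SecurityGroup("bastion", [], ALLOW_ALL)
    members = {"10.0.1.10": {"web"}, "10.0.2.10": {"app"}, "10.0.3.10": {"db"}, "10.0.4.10": {"log"}, "10.0.5.10": {"bastion"}}
    nacls = {c: Nacl(ALLOW_ALL, ALLOW_ALL) for c in ("10.0.1.0/24", "10.0.2.0/24", "10.0.4.0/24", "10.0.5.0/24")}
    # Guard rail on the database subnet: deny the web subnet before the allow-all, whatever the SGs say.
    nacls["10.0.3.0/24"] = Nacl([Rule("all", ANY, "10.0.1.0/24", "deny", 50)] + ALLOW_ALL, ALLOW_ALL)
    return Vpc([web, app, log, db, bastion], members, nacls)

def demo() -> Dict[str, bool]:
    vpc = build_vpc()
    flows = [("web->app:8080", Flow("10.0.1.10", "10.0.2.10", "tcp", 8080, 40000)),
             ("app->web reply", Flow("10.0.2.10", "10.0.1.10", "tcp", 40000, 8080)),   # SG state
             ("web->app:22", Flow("10.0.1.10", "10.0.2.10", "tcp", 22, 40001)),          # no SG rule
             ("bastion->app:22", Flow("10.0.5.10", "10.0.2.10", "tcp", 22, 40002)),
             ("app->db:3306", Flow("10.0.2.10", "10.0.3.10", "tcp", 3306, 40003)),
             ("web->db:3306", Flow("10.0.1.10", "10.0.3.10", "tcp", 3306, 40004))]     # NACL deny
    return {name: vpc.permits(f) for name, f in flows}
```

Because Nacl.permits keeps no state, an ingress NACL that only allows port 8080 drops the log server's replies arriving on the app instance's ephemeral port; NACLs need explicit rules in both directions, which is the complexity the pros/cons slides below weigh.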
[Diagram: the same VPC with an Elastic Load Balancer in front of the Web instances and Auto Scaling adding Web instances to the pool]
Elastic load balancers
•  Instances can automatically be added and removed from the balancing pool using rules
•  You can add instances into security groups at launch time
[Diagram: the same VPC with an Internet Gateway attached to the VPC Router]
Internet routing
•  Add route tables to subnets to control Internet traffic flows – these become Public subnets
•  Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance
Internet routing
•  Use a NAT instance to provide Internet connectivity for private subnets - required to access AWS update repositories
•  This will also allow back-end servers to route to AWS APIs – for example storing logs on S3, or using Dynamo, SQS, SNS and SWS
[Diagram: a NAT instance in front of the private subnets forwards traffic through the VPC Router and Internet Gateway to Amazon S3, DynamoDB, Amazon SNS and Amazon SQS]
Agenda
–  VPN
–  Design Patterns
•  VPC Design
–  Concepts
–  Design Patterns
To NACL or not to NACL?
Pros
•  Another layer of defense
•  Can speed up deals
–  Fits legacy IT models
–  Network/FW Engineer’s friend
•  Can help with networking compliance
–  Separate groups for SGs/NACLs
•  Explicit deny rules
•  Apply to an entire subnet
Cons
•  Adds complexity
•  Can slow down adoption
–  Fits legacy IT processes
–  DevOps Enemy
•  Potentially not necessary for compliance
–  Third-party proactive controls
–  SG audits (programmable infra)
•  Stateless FW rules
•  Apply only to subnets/CIDR addresses
NACL Best Practices
Routing Instances
Love Them
•  NAT instances
•  VPN tunnels (between VPCs)
•  Data loss prevention
•  Intrusion detection
Hate Them
•  Single point of failure
•  Extra costs (EC2, third-party licenses)
•  More for customer to manage
•  Potential network bottleneck
Routing Instance Best Practices
What’s next?
[Diagram: an AWS region with a Public-facing web app VPC and an Internal company app VPC, reached from the Customer data center over a VPN connection]
Multiple VPCs
Multiple VPCs use case
Multiple VPCs tips and tricks
[Diagram: an AWS region with VPCs for the Public-facing web app, Internal company app #1 to #4, Internal company Dev, Internal company QA, and Backup / AD, DNS / Monitoring / Logging, connected to an HA pair of VPN endpoints at the Customer data center]
Multiple VPCs over IPSEC VPN
About IPSEC and multiple VPCs
[Diagram: the same multi-VPC layout, each VPC with its own IPSEC VPN to the HA pair of VPN endpoints at the Customer data center]
Multiple VPCs over AWS Direct Connect
[Diagram: one Physical Connection from the Customer Data Center to the Direct Connect Facility, carrying Logical Connections (VLANs) on to the VPCs]
About AWS Direct Connect and multiple VPCs
•  Security groups and NACLs still apply
•  Security groups still bound to single VPC
[Diagram: AWS region with the Public-facing web app, Internal company app #1 to #4, Dev and QA VPCs and a Services VPC (AD, DNS, Monitoring, Logging), connected to the HA pair of VPN endpoints at the company data center]
Multiple VPCs over VPC Peering
VPC peering use cases
•  VPCs within same region
•  Same or different accounts
•  IP space cannot overlap
•  Only 1 between any 2 VPCs
[Diagram: 10.0.0.0/16 sends a Peer Request to 10.1.0.0/16, which answers with Peer Accept]
VPC peering configuration
[Diagram: 10.1.0.0/16 with 10.0.0.0/16 is a valid pairing (✔); 10.0.0.0/16 with 10.0.0.0/16 overlaps and cannot be peered]
Overlapping IP is not a dead end
[Diagram: VPC 10.1.0.0/16 peered with two VPCs that both use 10.0.0.0/16, over PCX-1 and PCX-2; Subnet 1 (10.1.1.0/24) reaches the first through PCX-1 and Subnet 2 (10.1.2.0/24) reaches the second through PCX-2]
Route Table Subnet 1
Destination     Target
10.1.0.0/16     local
10.0.0.0/16     PCX-1
Route Table Subnet 2
Destination     Target
10.1.0.0/16     local
10.0.0.0/16     PCX-2
[Diagrams: peering meshes between VPCs A, B and C and further VPCs with CIDRs 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16, 172.16.0.0/16, 172.17.0.0/16 and 192.168.0.0/16, and the company data center at 10.10.0.0/16]
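Added example, not the deck's or AWS's code, covering the peering constraints listed above and the overlap check that the "Select IP addressing strategy" slide asks for: it validates a set of requested peerings and emits the route tables, including the per-subnet tables of the "Overlapping IP is not a dead end" slide. The VPC names, the region, the pcx-N ids and the subnet-to-peer mapping are constructed.

```python
"""Planner for 1-to-1 VPC peering route tables (constructed example, not AWS code)."""
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Vpcs = Dict[str, Tuple[str, str]]           # VPC name -> (region, CIDR)
Links = List[Tuple[str, str]]                # requested peerings, one pair per peering
RouteTable = Dict[str, str]                  # destination CIDR -> target ("local" or a pcx id)


class PeeringError(ValueError):
    pass


def validate(vpcs: Vpcs, links: Links) -> None:
    """The deck's constraints: same region, non-overlapping pair, at most one peering per pair."""
    seen = set()
    for a, b in links:
        pair = frozenset((a, b))
        if a == b or a not in vpcs or b not in vpcs:
            raise PeeringError(f"bad peering {a}-{b}")
        if pair in seen:
            raise PeeringError(f"only one peering is allowed between {a} and {b}")
        seen.add(pair)
        if vpcs[a][0] != vpcs[b][0]:
            raise PeeringError(f"{a} and {b} are in different regions")
        if ip_network(vpcs[a][1]).overlaps(ip_network(vpcs[b][1])):
            raise PeeringError(f"{a} ({vpcs[a][1]}) overlaps {b} ({vpcs[b][1]})")


def reachable(links: Links, a: str, b: str) -> bool:
    """Peering is not transitive: only a direct peering makes b reachable from a."""
    return frozenset((a, b)) in {frozenset(pair) for pair in links}


def route_tables(vpcs: Vpcs, links: Links,
                 affinity: Optional[Dict[str, Dict[str, str]]] = None) -> Dict[str, Dict[str, RouteTable]]:
    """Per VPC, the route tables that make every peering usable.

    Normally one "main" table per VPC. When two of a VPC's peers use the same CIDR (the deck's
    "overlapping IP is not a dead end" case) the VPC instead gets one table per subnet, and
    affinity[vpc][subnet] names the peer that subnet should reach.
    """
    validate(vpcs, links)
    pcx = {frozenset(pair): f"pcx-{i}" for i, pair in enumerate(links, 1)}   # constructed ids
    tables: Dict[str, Dict[str, RouteTable]] = {}
    for name, (_, cidr) in vpcs.items():
        peers = [b if a == name else a for a, b in links if name in (a, b)]
        by_dest: Dict[str, List[str]] = {}
        for p in peers:
            by_dest.setdefault(vpcs[p][1], []).append(p)
        shared = {dest: ps for dest, ps in by_dest.items() if len(ps) > 1}
        if not shared:
            tables[name] = {"main": {cidr: "local", **{vpcs[p][1]: pcx[frozenset((name, p))] for p in peers}}}
            continue
        choices = (affinity or {}).get(name)
        if not choices:
            raise PeeringError(f"{name}: peers {shared} share a CIDR; give per-subnet affinity")
        tables[name] = {}
        for subnet, chosen in choices.items():
            if not ip_network(subnet).subnet_of(ip_network(cidr)):
                raise PeeringError(f"{subnet} is not inside {name}'s {cidr}")
            table: RouteTable = {cidr: "local"}
            for p in peers:
                if p == chosen or vpcs[p][1] not in shared:
                    table[vpcs[p][1]] = pcx[frozenset((name, p))]
            tables[name][subnet] = table
    return tables


# Constructed sample mirroring the deck: 10.1.0.0/16 peers with two VPCs that both use 10.0.0.0/16.
VPCS: Vpcs = {"hub": ("us-east-1", "10.1.0.0/16"), "x": ("us-east-1", "10.0.0.0/16"),
              "y": ("us-east-1", "10.0.0.0/16"), "c": ("us-east-1", "10.2.0.0/16")}
LINKS: Links = [("hub", "x"), ("hub", "y"), ("hub", "c")]
AFFINITY = {"hub": {"10.1.1.0/24": "x", "10.1.2.0/24": "y"}}

if __name__ == "__main__":
    for vpc, tabs in route_tables(VPCS, LINKS, AFFINITY).items():
        print(vpc, tabs)
```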
Peer review
•  Shared infrastructure services moved to VPC
•  1 to 1 peering = app isolation
•  Security groups and NACLs still apply
•  Security groups still bound to single VPC
[Diagram: the same multi-VPC layout, with the Services VPC (AD, DNS, Monitoring, Logging) peered 1 to 1 with each app VPC, and the HA pair of VPN endpoints at the company data center]
Multiple accounts
About VPC peering and multiple VPCs
Model 1: “Lollipop”
Model 2: “Shared Services Model”
Model 3: “HIPS Model”
Scenario #4 – “Threat Layer Model”
Model 5: “NIDS Model”
Model 6: “Hybrid Model”
S3 VPC endpoint
Agenda
–  VPN
–  Design Patterns
•  VPC Design
–  Concepts
–  Design Patterns
•  Security Pro Tips
MFA
IAM Best Practices
AWS Trusted Advisor
CloudTrail – Log & monitor these!
•  API actions with potential impact
–  Internet Gateway
–  Routes and Route Tables
–  Network ACLs
–  EC2 instances (run/create/launch/terminate)
–  Security Groups
–  CloudTrail (stop/delete/update)
–  Put[Group/Role/User]Policy
–  ModifyAccount
–  ModifyBilling, ModifyPaymentMethods
–  "Type":"Root"
–  Create[User/Role/Group]
–  CreateAccessKey
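Added example, not from the deck: a Python scanner that reads a CloudTrail log file and flags the records matching the list above, plus two details a reviewer would want on top (an ingress rule opened to 0.0.0.0/0, and an access key created for a different user than the caller). The sample records, IP addresses, user names and the sg-EXAMPLE group id are constructed.

```python
"""Flag the CloudTrail events on the deck's watch list (constructed example, not AWS code)."""
import json
import re
from typing import Any, Dict, List

# One pattern per line of the deck's "log & monitor these" list, matched against eventName.
# Read-only Describe*/Get*/List* calls are skipped so that DescribeRouteTables does not trip "Route".
WATCH = {
    "internet-gateway": r"InternetGateway",
    "route-table": r"Route",
    "network-acl": r"NetworkAcl",
    "ec2-lifecycle": r"^(RunInstances|StartInstances|StopInstances|TerminateInstances)$",
    "security-group": r"SecurityGroup",
    "cloudtrail-tampering": r"^(StopLogging|DeleteTrail|UpdateTrail)$",
    "inline-policy": r"^Put(Group|Role|User)Policy$",
    "account-or-billing": r"^Modify(Account|Billing|PaymentMethods)",
    "principal-created": r"^Create(User|Role|Group)$",
    "access-key-created": r"^CreateAccessKey$",
}
READ_ONLY = re.compile(r"^(Describe|Get|List)")


def _world_open_ingress(event: Dict[str, Any]) -> bool:
    """True if an AuthorizeSecurityGroupIngress call opened a port to 0.0.0.0/0."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    params = event.get("requestParameters") or {}
    perms = (params.get("ipPermissions") or {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in (p.get("ipRanges") or {}).get("items", []))


def classify(event: Dict[str, Any]) -> List[str]:
    """Labels saying why an event deserves attention; an empty list means routine."""
    labels = []
    identity = event.get("userIdentity") or {}
    if identity.get("type") == "Root":                      # the deck's "Type":"Root"
        labels.append("root-activity")
    name = event.get("eventName", "")
    if not READ_ONLY.match(name):
        labels += [label for label, pattern in WATCH.items() if re.search(pattern, name)]
    if _world_open_ingress(event):
        labels.append("world-open-ingress")
    target = (event.get("requestParameters") or {}).get("userName")
    if name == "CreateAccessKey" and target and target != identity.get("userName"):
        labels.append("key-for-another-user")
    return labels


def scan(log_text: str) -> List[Dict[str, Any]]:
    """Parse a CloudTrail log file ({"Records": [...]}) and return a summary of each flagged event."""
    flagged = []
    for ev in json.loads(log_text).get("Records", []):
        labels = classify(ev)
        if labels:
            who = ev.get("userIdentity") or {}
            flagged.append({"time": ev.get("eventTime"), "event": ev.get("eventName"),
                            "who": who.get("userName", who.get("type")),
                            "from": ev.get("sourceIPAddress"), "labels": labels})
    return flagged


# Constructed sample log: four records, three of which should be flagged.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-05T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-11-05T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2014-11-05T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-11-05T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "alice"}},
]})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```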
AWS Config
[Diagram: AWS Config provides Continuous Change Recording of Changing Resources into a History and a Stream, with Snapshots (ex. 2014-11-05)]
ENCRYPT YOUR SENSITIVE DATA
Segregate duties
With AWS IAM you get to control who can do what in your AWS environment and from where
Fine-grained control of your AWS cloud with two-factor authentication
Integrated with your existing corporate directory using SAML 2.0 and single sign-on
[Diagram: the AWS account owner delegates separate Network management, Security management, Server management and Storage management roles]
DDoS Protection
[Diagram: Inbound HTTP from users reaches the App instances through CloudFront, Amazon S3 and a WAF; labels: Dynamic, Peering, DDoS]
Instance patching and upgrades
VPC Flow Logs
Discussion…

(ARC402) Double Redundancy With AWS Direct Connect
 
The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - BusinessThe Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
 
AWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWSAWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWS
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data Center
 
Creating a Virtual Data Center
Creating a Virtual Data CenterCreating a Virtual Data Center
Creating a Virtual Data Center
 
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
 
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and EasilyAWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
AWS VPC NOTES _ LEARN AWS EFFECTIVELY and Easily
 
AWS VPC
AWS VPCAWS VPC
AWS VPC
 
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
 
AWS Hybrid Cloud Connectivity - VPN Solutions
AWS Hybrid Cloud Connectivity - VPN SolutionsAWS Hybrid Cloud Connectivity - VPN Solutions
AWS Hybrid Cloud Connectivity - VPN Solutions
 
A day in the life of a billion packets - AWS Summit Cape Town 2017
A day in the life of a billion packets - AWS Summit Cape Town 2017A day in the life of a billion packets - AWS Summit Cape Town 2017
A day in the life of a billion packets - AWS Summit Cape Town 2017
 
From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC Design
 

More from Shiva Narayanaswamy

Pets, Cattle, Rabbits and Microbes
Pets, Cattle, Rabbits and Microbes Pets, Cattle, Rabbits and Microbes
Pets, Cattle, Rabbits and Microbes Shiva Narayanaswamy
 
Leveraging Elastic Web Scale Computing with AWS
 Leveraging Elastic Web Scale Computing with AWS Leveraging Elastic Web Scale Computing with AWS
Leveraging Elastic Web Scale Computing with AWSShiva Narayanaswamy
 
Build high performing mobile apps, faster with AWS
Build high performing mobile apps, faster with AWSBuild high performing mobile apps, faster with AWS
Build high performing mobile apps, faster with AWSShiva Narayanaswamy
 
Your APIs can be soft and fluffy
Your APIs can be soft and fluffyYour APIs can be soft and fluffy
Your APIs can be soft and fluffyShiva Narayanaswamy
 
Innovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you startInnovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you startShiva Narayanaswamy
 
Dev/Test Environment Provisioning and Management on AWS
Dev/Test Environment Provisioning and Management on AWSDev/Test Environment Provisioning and Management on AWS
Dev/Test Environment Provisioning and Management on AWSShiva Narayanaswamy
 
Application Lifecycle Management and Event Driven Programming on AWS
Application Lifecycle Management and Event Driven Programming on AWSApplication Lifecycle Management and Event Driven Programming on AWS
Application Lifecycle Management and Event Driven Programming on AWSShiva Narayanaswamy
 
Leveraging elastic web scale computing with AWS
 Leveraging elastic web scale computing with AWS Leveraging elastic web scale computing with AWS
Leveraging elastic web scale computing with AWSShiva Narayanaswamy
 
Running Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWSRunning Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWSShiva Narayanaswamy
 
Continuous delivery and deployment on AWS
Continuous delivery and deployment on AWSContinuous delivery and deployment on AWS
Continuous delivery and deployment on AWSShiva Narayanaswamy
 

More from Shiva Narayanaswamy (20)

State of Union - Containerz
State of Union - ContainerzState of Union - Containerz
State of Union - Containerz
 
Pets, Cattle, Rabbits and Microbes
Pets, Cattle, Rabbits and Microbes Pets, Cattle, Rabbits and Microbes
Pets, Cattle, Rabbits and Microbes
 
Leveraging Elastic Web Scale Computing with AWS
 Leveraging Elastic Web Scale Computing with AWS Leveraging Elastic Web Scale Computing with AWS
Leveraging Elastic Web Scale Computing with AWS
 
Platform for Innovation - AWS
Platform for Innovation - AWSPlatform for Innovation - AWS
Platform for Innovation - AWS
 
Application Delivery Patterns
Application Delivery PatternsApplication Delivery Patterns
Application Delivery Patterns
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOps
 
ECS and ECR deep dive
ECS and ECR deep diveECS and ECR deep dive
ECS and ECR deep dive
 
AWS Tagging Strategy
AWS Tagging StrategyAWS Tagging Strategy
AWS Tagging Strategy
 
AWS + Puppet = Dynamic Scale
AWS + Puppet = Dynamic ScaleAWS + Puppet = Dynamic Scale
AWS + Puppet = Dynamic Scale
 
Build high performing mobile apps, faster with AWS
Build high performing mobile apps, faster with AWSBuild high performing mobile apps, faster with AWS
Build high performing mobile apps, faster with AWS
 
Your APIs can be soft and fluffy
Your APIs can be soft and fluffyYour APIs can be soft and fluffy
Your APIs can be soft and fluffy
 
Innovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you startInnovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you start
 
DevOps and AWS
DevOps and AWSDevOps and AWS
DevOps and AWS
 
Event driven infrastructure
Event driven infrastructureEvent driven infrastructure
Event driven infrastructure
 
Dev/Test Environment Provisioning and Management on AWS
Dev/Test Environment Provisioning and Management on AWSDev/Test Environment Provisioning and Management on AWS
Dev/Test Environment Provisioning and Management on AWS
 
Application Lifecycle Management and Event Driven Programming on AWS
Application Lifecycle Management and Event Driven Programming on AWSApplication Lifecycle Management and Event Driven Programming on AWS
Application Lifecycle Management and Event Driven Programming on AWS
 
Leveraging elastic web scale computing with AWS
 Leveraging elastic web scale computing with AWS Leveraging elastic web scale computing with AWS
Leveraging elastic web scale computing with AWS
 
Running Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWSRunning Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWS
 
AWS EC2 and ELB troubleshooting
AWS EC2 and ELB troubleshootingAWS EC2 and ELB troubleshooting
AWS EC2 and ELB troubleshooting
 
Continuous delivery and deployment on AWS
Continuous delivery and deployment on AWSContinuous delivery and deployment on AWS
Continuous delivery and deployment on AWS
 

Recently uploaded

Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.soniya singh
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...SUHANI PANDEY
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...roncy bisnoi
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...SUHANI PANDEY
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 

Recently uploaded (20)

Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 

AWS Connectivity, VPC Design and Security Pro Tips

  • 4. What is AWS Direct Connect…
    •  Dedicated, private pipes into AWS
    •  Create private (VPC) or public interfaces to AWS
    •  Cheaper data-out rates than Internet (data-in still free)
    •  Consistent network performance compared to Internet
    •  Multiple AWS accounts can share a connection
  • 5. Why use AWS Direct Connect? [Chart: data-out price per GB ($0.000 to $0.150) by tier: First 10TB, Next 40TB, Next 100TB, Next 350TB; Direct Connect vs Internet]
  • 6. [Diagram: VPC CIDR 10.1.0.0/16 with a Public Subnet and a Private Subnet in each of Availability Zone A and Availability Zone B; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; an Internet Gateway (IGW) and a Virtual Private Gateway (VGW), the VGW reached from the Customer data center over a VPN connection and over AWS Direct Connect.] Only 1 IGW and 1 VGW per VPC.
    Route Table:
    –  Destination 10.1.0.0/16, Target local
    –  Destination Internal CIDR, Target VGW
  • 7. Direct Connect – Single Link, Single CGW [Diagram: VPC 1 (10.1.0.0/16) and VGW in the AWS Network; DX POP Location with Cross Connect to the Customer Gateway Router in the Colocation (DX Location); Circuit to Customer's Network; Customer's Network Backbone; Circuit to Customer's Site; Customer Provider Edge Router across the Service Provider Network; Customer Edge Router; Customer's DC and Customer's Subnet (172.16.0.0/16); demarcation points marked between the segments.]
  • 8. Direct Connect – Single Link, Single CGW (same topology as slide 7)
    Routing – Probably eBGP; Layer 2 VLAN Connectivity
    eBGP between CGW and VGW:
    –  CGW to VGW: Route 172.16.0.0/16, Metric -
    –  VGW to CGW: Route 10.1.0.0/16, Metric -
    Customer network to CGW:
    –  Customer to CGW: Route 172.16.0.0/16
    –  CGW to Customer: Route 10.1.0.0/16
    BGP is a requirement for Direct Connect: http://aws.amazon.com/directconnect/faqs/
  • 9. [Diagram: at the Direct Connect Location, the Customer Router trunks VLANs X, Y, Z … N to the AWS DX Router; each VLAN terminates on a VIF: private VIF 1 to virtual private cloud 1, private VIF 2 to virtual private cloud 2, … virtual private cloud N, and a public virtual interface (VIF) to the public endpoints in the Region.] Each interface can be associated with a different AWS Account (Hosted Virtual Interfaces).
  • 14. Agenda
    •  AWS Connectivity
    –  VPN
    –  Design Patterns
  • 15. [Diagram: Customer Network connected to a VPC] Only 1 IGW and 1 VGW per VPC
  • 18. Agenda
    •  AWS Connectivity
    –  VPN
    –  Design Patterns
  • 19. Direct Connect – Single Link, Single CGW, With IPSEC Failover [Diagram: the single-link topology of slide 7 (VPC 1 10.1.0.0/16, AWS Direct Connect, Customer Gateway in the Colocation / DX Location, Customer Edge Router, Customer's DC and Customer's Subnet 172.16.0.0/16, Service Provider Network) with an added IPSEC failover path]
  • 20. Direct Connect – Single Link, Single CGW, With IPSEC Failover [Diagram: as slide 19; the failover path is IPSEC over the Internet]
    eBGP between CGW and VGW:
    –  CGW to VGW: Route 172.16.0.0/16, Metric -
    –  VGW to CGW: Route 10.1.0.0/16, Metric -
  • 21. Direct Connect – Dual Links, Single CGW [Diagram: VPC 1 10.1.0.0/16, AWS Direct Connect, two links to a single Customer Gateway in the Colocation / DX Location, Customer Edge Router, Customer's DC and Customer's Subnet 172.16.0.0/16, Service Provider Network]
  • 22. Direct Connect – Dual Links, Single CGW [Diagram: as slide 21]
  • 23. Direct Connect – Dual Links, Single CGW [Diagram: as slide 21]
    Link 1 (eBGP):
    –  CGW to VGW: Route 172.16.0.0/16, Metric LP 150
    –  VGW to CGW: Route 10.1.0.0/16
    Link 2 (eBGP):
    –  CGW to VGW: Route 172.16.0.0/17, Metric LP 90
    –  CGW to VGW: Route 172.16.128.0/17
    –  VGW to CGW: Route 10.1.0.0/16
    –  You can split your route advertisements to the VGW
    –  Instead of using AS Path Prepend
  • 24. Direct Connect – Dual Links, Dual CGW [Diagram: VPC 1 10.1.0.0/16, AWS Direct Connect, two links to two Customer Gateways in the Colocation / DX Location, Customer Edge Router, Customer's DC and Customer's Subnet 172.16.0.0/16, Service Provider Network]
  • 25. Direct Connect – Dual Links, Dual CGW [Diagram build-up: as slide 24]
  • 26. Direct Connect – Dual Links, Dual CGW [Diagram build-up: as slide 24]
  • 27. Direct Connect – Dual Links, Dual CGW [Diagram build-up: as slide 24]
  • 28. Direct Connect – Dual Links, Dual CGW [Diagram: as slide 24, with BGP AS X and BGP AS Y labelled; iBGP between routers, marked for each router pair]
  • 29. Direct Connect – Dual Links, Dual CGW [Diagram: as slide 24]
    –  So far so good?
    –  What’s wrong with this topology?
    –  SPoF!
  • 30. Direct Connect – Dual Links, Dual CGW [Diagram: as slide 24]
  • 31. Direct Connect – Dual Locations, Dual Links [Diagram: VPC 1 10.1.0.0/16; AWS Direct Connect, Customer Gateway and Colocation at DX Location - 1 and again at DX Location - 2; Customer Edge Router, Customer's DC and Customer's Subnet 172.16.0.0/16, Service Provider Network]
  • 32. Direct Connect – Dual Locations, Dual Links, Dual Routers [Diagram: as slide 31, with a second Customer Edge Router and the Service Provider Network between the locations and the customer's DC]
  • 33. Multi Account DX [Diagram: Customer Gateway in the Colocation with an Ethernet Trunk carrying VLAN 320 to AWS Direct Connect; customer side SVI/Sub 320, IP 169.x.x.2, BGP AS 65xxx; AWS side Private VI on VLAN 320, IP 169.x.x.1, BGP AS 17493; VPC 1 10.1.0.0/16]
  • 34. Multi-Account Direct Connect [Diagram: as slide 33 (AWS Account 1, VPC 1 10.1.0.0/16, VLAN 320, 169.x.x.1 / 169.x.x.2, BGP AS 17493 / 65xxx) plus a second Private VI on VLAN 330: customer side SVI/Sub 330, IP 169.y.y.2, BGP AS 65xxx; AWS side IP 169.y.y.1, BGP AS 17493; VPC 2 10.2.0.0/16]
  • 35. Multi-Account Direct Connect [Diagram: as slide 34, with VPC 1 in AWS Account 1 and VPC 2 in AWS Account 2]
  • 36. How to Delegate VI to Another Account. Step 1.
  • 37. Delegate Virtual Interface to Another Account. Step 2.
  • 38. Agenda
    –  VPN
    –  Design Patterns
    •  VPC Design
    –  Concepts
  • 41. [Diagram: VPC A - 10.0.0.0/16, Availability Zone A, Availability Zone B]
    Choose your VPC address range
    •  Your own private, isolated section of the AWS cloud
    •  Every VPC has a private IP address space
    •  The maximum CIDR block you can allocate is /16
    •  For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
    Select IP addressing strategy
    •  You can’t change the VPC address space once it’s created
    •  Think about overlaps with other VPCs or existing corporate networks
    •  Don’t waste address space, but don’t constrain your growth either
  • 42. [Diagram: VPC A - 10.0.0.0/16, Availability Zone A]
  • 43. [Diagram: VPC A - 10.0.0.0/16, Availability Zone A, with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24]
  • 44. [Diagram: as slide 43, with EC2 instances: Web, App, Log, Bastion]
  • 45. [Diagram: as slide 44] “Web servers can connect to app servers on port 8080”
  • 46. [Diagram: as slide 44] “Web servers can connect to app servers on port 8080”; “Allow outbound connections to the log server”
  • 47. [Diagram: as slide 44] “Web servers can connect to app servers on port 8080”; “Allow outbound connections to the log server”; “Allow SSH and ICMP from instances in the Bastion security group”
  • 48. [Diagram: as slide 44] Security groups
    •  Operate at the instance level
    •  Supports ALLOW rules only
    •  Are stateful
    •  Max 50 rules per security group
    •  Max 5 groups per instance
  • 49. [Diagram: as slide 44, with the VPC Router added]
  • 50. [Diagram: as slide 49] “Deny all traffic between the web server subnet and the database server subnet”
  • 51. [Diagram: as slide 49] NACLs are optional
    •  Applied at subnet level
    •  Stateless and permit all by default
    •  ALLOW and DENY
    •  Applies to all instances in the subnet
    •  Use as guard rails (port 21, 135,…)
  • 52. [Diagram: as slide 49, with an Elastic Load Balancer in front of two Web instances]
  • 53. [Diagram: as slide 52]
  • 54. [Diagram: as slide 52, with Auto Scaling adding Web instances] Elastic load balancers
    •  Instances can automatically be added and removed from the balancing pool using rules
    •  You can add instances into security groups at launch time
  • 55. [Diagram: VPC A - 10.0.0.0/16, Availability Zone A, Web and App instances, VPC Router, Internet Gateway]
  • 56. [Diagram: as slide 55] Internet routing
    •  Add route tables to subnets to control Internet traffic flows – these become Public subnets
    •  Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance
  • 57. [Diagram: as slide 55, with a NAT instance] Internet routing
    •  Use a NAT instance to provide Internet connectivity for private subnets - required to access AWS update repositories
    •  This will also allow back-end servers to route to AWS APIs – for example storing logs on S3, or using Dynamo, SQS, SNS and SWS
  • 58. [Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24, Web and App instances, NAT instances, VPC Router, Internet Gateway, and the services reached through it: Amazon S3, DynamoDB, Amazon SNS, Amazon SQS]
• 59. Agenda
     –  VPN
     –  Design Patterns
  •  VPC Design
     –  Concepts
     –  Design Patterns
• 60. To NACL or not to NACL?
  Pros
  •  Another layer of defense
  •  Can speed up deals
     –  Fits legacy IT models
     –  Network/FW engineer's friend
  •  Can help with networking compliance
     –  Separate groups for SGs/NACLs
  •  Explicit deny rules
  •  Apply to an entire subnet
  Cons
  •  Adds complexity
  •  Can slow down adoption
     –  Fits legacy IT processes
     –  DevOps enemy
  •  Potentially not necessary for compliance
     –  Third-party proactive controls
     –  SG audits (programmable infrastructure)
  •  Stateless FW rules
  •  Apply only to subnets/CIDR addresses
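The points on slides 51 and 60 (first-match ordering, explicit deny, and statelessness) are easier to see in code than in a rule table. The following Python model of NACL evaluation is an added example, not part of the original deck or of any AWS tool; the rule sets (a guard-rail NACL for a public web subnet) and the addresses are constructed for illustration. It shows three things a practitioner gets bitten by: a custom NACL with no rules denies everything, a low-numbered allow-all rule shadows every deny placed after it, and the reply half of a TCP connection needs its own rule on the ephemeral port range because nothing is tracked.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL entry.  AWS evaluates entries by ascending rule number and
    stops at the first match; the implicit '*' entry (modelled here as 32767)
    denies whatever nothing else matched."""
    number: int
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int


STAR_RULE = Rule(32767, "deny", "all", "0.0.0.0/0", 0, 65535)


def evaluate(rules, protocol, address, port):
    """Return 'allow' or 'deny' for a single packet: first matching rule wins."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number) + [STAR_RULE]:
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"  # unreachable: STAR_RULE always matches


# The default NACL every VPC starts with: rule 100 allows everything.
DEFAULT_INBOUND = [Rule(100, "allow", "all", "0.0.0.0/0", 0, 65535)]
DEFAULT_OUTBOUND = [Rule(100, "allow", "all", "0.0.0.0/0", 0, 65535)]

# A constructed "guard rail" NACL for a public web subnet.  Deny rules for FTP
# and MS-RPC sit first; HTTP/HTTPS are allowed; rule 300 admits the
# ephemeral-port replies to connections the instances themselves open.
GUARDRAIL_INBOUND = [
    Rule(100, "deny", "tcp", "0.0.0.0/0", 21, 21),
    Rule(110, "deny", "tcp", "0.0.0.0/0", 135, 135),
    Rule(200, "allow", "tcp", "0.0.0.0/0", 80, 80),
    Rule(210, "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(300, "allow", "tcp", "0.0.0.0/0", 1024, 65535),
]
# Outbound: HTTPS to package repositories, plus replies back to inbound clients.
GUARDRAIL_OUTBOUND = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535),
]


def tcp_request_and_reply(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check of one client->server TCP exchange.  Returns
    (request_allowed, reply_allowed): the reply leaves the subnet towards
    client_ip on the client's ephemeral port and needs its own outbound rule."""
    request = evaluate(inbound, "tcp", client_ip, server_port) == "allow"
    reply = evaluate(outbound, "tcp", client_ip, client_port) == "allow"
    return request, reply
```

Dropping rule 110 from the outbound set leaves inbound HTTPS requests accepted but their replies denied, which is the classic stateless-firewall symptom; adding a rule 50 that allows all TCP makes the port 21 and 135 denies unreachable.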
• 62. Routing instances
  Love them
  •  NAT instances
  •  VPN tunnels (between VPCs)
  •  Data loss prevention
  •  Intrusion detection
  Hate them
  •  Single point of failure
  •  Extra costs (EC2, third-party licenses)
  •  More for the customer to manage
  •  Potential network bottleneck
• 64. What's next? Multiple VPCs
[Diagram: AWS region with a public-facing web app VPC and an internal company app VPC, VPN connection to the customer data center]
  • 66. Multiple VPCs tips and tricks
• 67. Multiple VPCs over IPSEC VPN
[Diagram: customer data center with an HA pair of VPN endpoints connected to an AWS region holding separate VPCs for the public-facing web app, internal company apps #1 to #4, Dev, QA, backup, AD/DNS, monitoring and logging]
  • 68. About IPSEC and multiple VPCs
• 69. Multiple VPCs over AWS Direct Connect
[Diagram: one physical connection from the customer data center to the Direct Connect facility, with logical connections (VLANs) to each of the VPCs shown on slide 67]
  • 70. About AWS Direct Connect and multiple VPCs
• 71. Multiple VPCs over VPC Peering
[Diagram: AWS region with a Services VPC (AD, DNS, monitoring, logging) peered with each application VPC; HA pair of VPN endpoints to the company data center]
  •  Security groups and NACLs still apply
  •  Security groups still bound to a single VPC (rules referencing a peer VPC's security group were added later, for same-region peering only)
• 73. VPC peering configuration
[Diagram: 10.0.0.0/16 sends a Peer Request, 10.1.0.0/16 sends a Peer Accept]
  •  VPCs within the same region (at the time of this deck; inter-region peering was added later)
  •  Same or different accounts
  •  IP space cannot overlap
  •  Only 1 peering connection between any 2 VPCs
  •  Peering is not transitive: each pair of VPCs that must talk needs its own connection and its own routes
• 75. [Diagram: VPC B (10.1.0.0/16, Subnet 1 10.1.1.0/24, Subnet 2 10.1.2.0/24) peered with VPC A (10.0.0.0/16) over PCX-1 and with VPC C (also 10.0.0.0/16) over PCX-2; A and C overlap with each other but not with B, so each subnet of B is routed to only one of them]
  Route table, Subnet 1
    Destination    Target
    10.1.0.0/16    local
    10.0.0.0/16    PCX-1
  Route table, Subnet 2
    Destination    Target
    10.1.0.0/16    local
    10.0.0.0/16    PCX-2
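Slides 56 to 58 (public vs. private subnets) and slides 73 and 75 (peering prerequisites and per-subnet peering routes) all come down to the same two operations: longest-prefix lookup in a route table and an overlap check on CIDRs. The Python below is an added example, not code from the deck or from AWS; the route tables reproduce slide 75 and the public/private tables of slides 56 to 58, with target labels such as "pcx-1", "igw" and "nat" standing in for real resource IDs.

```python
import ipaddress


def lookup(route_table, destination):
    """Resolve destination against a VPC route table the way the VPC router
    does: the most specific (longest prefix) matching route wins.  None means
    the packet is dropped because nothing matches."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def can_peer(cidr_a, cidr_b):
    """A peering request is only accepted when the two VPC CIDRs do not overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def classify_subnet(route_table):
    """'public' if the default route goes to an Internet Gateway, 'private' if
    it goes to a NAT, 'isolated' if there is no default route at all."""
    for cidr, target in route_table:
        if cidr == "0.0.0.0/0":
            if target.startswith("igw"):
                return "public"
            if target.startswith("nat"):
                return "private"
    return "isolated"


# Slide 75: VPC B (10.1.0.0/16) peers with VPC A over PCX-1 and with VPC C over
# PCX-2.  A and C both use 10.0.0.0/16, so each subnet of B can be pointed at
# only one of them; the "local" route is always the most specific for VPC traffic.
VPC_A, VPC_B, VPC_C = "10.0.0.0/16", "10.1.0.0/16", "10.0.0.0/16"
SUBNET1_ROUTES = [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-1")]
SUBNET2_ROUTES = [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-2")]

# Slides 56-58: the same lookup decides whether a subnet of VPC A is public
# (default route to the IGW) or private (default route to the NAT instance).
PUBLIC_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]
PRIVATE_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat")]
```

Note that `lookup(SUBNET1_ROUTES, "172.16.0.1")` returns None: a peered VPC gives you no path to anything beyond the peer, which is the non-transitivity of peering expressed as a routing result.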
• 80. Peer review: multiple accounts
[Diagram: the slide 71 layout, with the Services VPC (AD, DNS, monitoring, logging) peered to each application VPC across accounts]
  •  Shared infrastructure services moved to a Services VPC
  •  1-to-1 peering = app isolation
  •  Security groups and NACLs still apply
  •  Security groups still bound to a single VPC
  • 81. About VPC peering and multiple VPCs
  • 83. Model 2: “Shared Services Model”
  • 84. Model 3: “HIPS Model”
  • 85. Scenario #4 – “Threat Layer Model”
  • 86. Model 5: “NIDS Model”
  • 87. Model 6: “Hybrid Model”
• 89. Agenda
     –  VPN
     –  Design Patterns
  •  VPC Design
     –  Concepts
     –  Design Patterns
  •  Security Pro Tips
  • 90. MFA
• 93. CloudTrail – Log & monitor these!
  •  API actions with potential impact
     –  Internet Gateway
     –  Routes and Route Tables
     –  Network ACLs
     –  EC2 instances (run/create/launch/terminate)
     –  Security Groups
     –  CloudTrail (stop/delete/update)
     –  Put[Group/Role/User]Policy
     –  ModifyAccount
     –  ModifyBilling, ModifyPaymentMethods
     –  userIdentity "type":"Root" (any call made with root credentials)
     –  Create[User/Role/Group]
     –  CreateAccessKey
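The list above is a watch list, not a detector. The Python below turns it into a triage filter over a CloudTrail log file; it is an added example and not part of the deck or of any AWS product. The record fields it reads (`Records`, `eventName`, `eventSource`, `eventTime`, `sourceIPAddress`, `userIdentity.type`) follow the real CloudTrail record format, but the records themselves are constructed, and the `Modify(Account|Billing|PaymentMethods)` pattern is taken verbatim from the slide's wording rather than from a verified API name. Read-only calls (Describe*/Get*/List*) are excluded before pattern matching so that `DescribeRouteTables` does not trip the routing rule, while anything done with root credentials is flagged regardless of what it was.

```python
import json
import re

# Event-name patterns for the categories on the slide.
HIGH_IMPACT = {
    "internet-gateway": re.compile(r"InternetGateway"),
    "routing":          re.compile(r"Route"),
    "network-acl":      re.compile(r"NetworkAcl"),
    "ec2-instances":    re.compile(r"^(Run|Start|Stop|Terminate)Instances$"),
    "security-group":   re.compile(r"SecurityGroup"),
    "cloudtrail":       re.compile(r"^(StopLogging|DeleteTrail|UpdateTrail)$"),
    "inline-policy":    re.compile(r"^Put(Group|Role|User)Policy$"),
    "account-billing":  re.compile(r"^Modify(Account|Billing|PaymentMethods)"),  # slide wording
    "new-principal":    re.compile(r"^Create(User|Role|Group)$"),
    "access-key":       re.compile(r"^CreateAccessKey$"),
}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def classify(record):
    """Return the categories a CloudTrail record falls into, plus
    'root-activity' when the call was made with root credentials."""
    name = record["eventName"]
    hits = []
    if not name.startswith(READ_ONLY_PREFIXES):
        hits = [cat for cat, pat in HIGH_IMPACT.items() if pat.search(name)]
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append("root-activity")
    return hits


def triage(log_text):
    """Parse one CloudTrail log file ({"Records": [...]}) and return the
    records worth alerting on, each annotated with its categories."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        cats = classify(rec)
        if cats:
            identity = rec["userIdentity"]
            findings.append({
                "time": rec["eventTime"],
                "source": rec["eventSource"],
                "event": rec["eventName"],
                "who": identity.get("userName", identity["type"]),
                "from": rec.get("sourceIPAddress"),
                "categories": cats,
            })
    return findings


def _rec(time, source, name, ip, identity):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": identity}


# Constructed sample log: two read-only calls that must stay quiet, a few
# high-impact changes, and two calls made as root.
ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root"}
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2014-11-05T09:00:01Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.10", ALICE),
    _rec("2014-11-05T09:00:02Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "198.51.100.10", ALICE),
    _rec("2014-11-05T09:00:03Z", "ec2.amazonaws.com", "DescribeRouteTables", "198.51.100.10", ALICE),
    _rec("2014-11-05T09:00:04Z", "ec2.amazonaws.com", "CreateRoute", "198.51.100.10", BOB),
    _rec("2014-11-05T09:00:05Z", "cloudtrail.amazonaws.com", "StopLogging", "203.0.113.7", BOB),
    _rec("2014-11-05T09:00:06Z", "iam.amazonaws.com", "PutUserPolicy", "203.0.113.7", BOB),
    _rec("2014-11-05T09:00:07Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.7", ROOT),
    _rec("2014-11-05T09:00:08Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.7", ROOT),
]})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["time"], finding["who"], finding["event"], finding["categories"])
```

Six of the eight constructed records are flagged: the two Describe calls by an IAM user are dropped, while the root `ListBuckets` survives on the root rule alone and the root `CreateAccessKey` carries both the access-key and root-activity categories. In production the same filter would run against the S3 objects CloudTrail delivers, and `StopLogging` by anyone deserves a page, not a ticket.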
• 94. AWS Config: continuous change recording
[Diagram: changing resources feed AWS Config, which produces a history stream and point-in-time snapshots (e.g. 2014-11-05)]
• 96. Segregate duties
  •  With AWS IAM you get to control who can do what in your AWS environment, and from where
  •  Fine-grained control of your AWS cloud with two-factor authentication
  •  Integrated with your existing corporate directory using SAML 2.0 and single sign-on
[Diagram: the AWS account owner delegates to separate Network management, Security management, Server management and Storage management roles]
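To make the "who, what, from where, with MFA" points concrete, here is a deliberately small IAM-style policy evaluator with two of the roles from the diagram. It is an added example, not the deck's content and not how AWS implements IAM internally; it keeps three rules of real IAM evaluation (everything is denied by default, an explicit Deny overrides any Allow, action patterns use `*` wildcards and are case-insensitive) and supports only the `IpAddress` and `Bool` condition operators on the real context keys `aws:SourceIp` and `aws:MultiFactorAuthPresent`. Resource matching is ignored, and the two policies, the office CIDR 198.51.100.0/24 and the request contexts are constructed for illustration.

```python
import fnmatch
import ipaddress


def _matches_action(patterns, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the two operators this example supports: IpAddress and Bool.
    A missing context key makes the condition fail, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policies, action, context):
    """Default deny; an explicit Deny anywhere overrides every Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches_action(stmt["Action"], action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed policies for two of the roles on the slide.  Network management
# may change VPC plumbing, but only from the corporate egress range, and is
# explicitly denied security-group and IAM changes.  Security management may
# change security groups and IAM, but only with MFA present on the session.
NETWORK_MANAGEMENT = {"Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*Route*", "ec2:*NetworkAcl*", "ec2:*InternetGateway*",
                "ec2:*Subnet*", "ec2:Describe*"],
     "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
    {"Effect": "Deny", "Action": ["ec2:*SecurityGroup*", "iam:*"], "Resource": "*"},
]}
SECURITY_MANAGEMENT = {"Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*SecurityGroup*", "iam:*", "ec2:Describe*"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

# Two request contexts: an MFA-backed session from the office, and a plain
# session from an unknown network.
OFFICE = {"aws:SourceIp": "198.51.100.20", "aws:MultiFactorAuthPresent": "true"}
UNKNOWN = {"aws:SourceIp": "203.0.113.9", "aws:MultiFactorAuthPresent": "false"}
```

The last assertion in the checks below is the segregation-of-duties point: a principal that somehow ends up holding both policies still cannot touch IAM, because the network role's explicit Deny wins over the security role's Allow.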
• 97. DDoS protection
[Diagram: inbound HTTP from users (and DDoS traffic) enters through CloudFront; static content is served from Amazon S3, dynamic requests pass through a WAF tier before reaching the App instances]