Upload File

architecting on aws: vpc 介绍 - 开放文档 - free and...

  • Home
  • Documents
  • Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务
28
1 Architecting on AWS: VPC 介绍 AWS如何定义网络服务 AWS资深技术讲师 包光磊 Architecting on AWS – VPC 介绍

Upload: ngothuan

Post on 21-May-2018

261 views

Category:

Documents


2 download

Report

TRANSCRIPT

Page 1: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

1

Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

AWS资深技术讲师 包光磊

Architecting on AWS – VPC 介绍

Page 2: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

2

内容

什么是Amazon VPC?

子网、网关和路由规则的设置

Amazon VPC网络安全相关功能

Q & A

Architecting on AWS – Amazon VPC

Page 3: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

3

什么是Amazon VPC?

Virtual Private Cloud

AWS云中的一个私有的、隔离的部分

可自定义的虚拟网络拓扑

Architecting on AWS – Amazon VPC

Page 4: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

4

Route Table Elastic Network

Interface Router

Internet

Gateway Virtual

Private

Gateway

Subnet

VPC中的元素

Page 5: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

5

VPC的地点

区域

相互隔离的地理区域

可用区 (AZ)

数据中心

Page 6: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

6

区域和可用区

US East (VA)

AZ 1

AZ 2

AZ 3

AZ 4

AZ 5

US West (OR)

AZ 1

AZ 2

AZ 3

US West (CA)

AZ 1

AZ 2

AZ 3

GovCloud

AZ 1

AZ 2

APAC (Tokyo)

AZ 1

AZ 2

AZ 3

APAC (Singapore)

AZ 1

AZ 2

EU (Ireland)

AZ 1

AZ 2

AZ 3

S.America (Sao Paulo)

AZ 1

AZ 2

APAC (Sydney)

AZ 1

AZ 2

Page 7: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

7

Availability Zone A Availability Zone B

VPC CIDR: 10.1.0.0 /16

Page 8: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

8

在创建VPC IP地址空间之前请认真规划

• 考虑将来的扩张

• VPC可以从 /16 到 /28

• CIDR 不可修改

• 考虑将来是否需要与公司网络建立链接

• 重叠的IP地址空间 = 未来的痛苦

Page 9: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

9

Subnet

Availability Zone A

Subnet

Availability Zone B

VPC CIDR: 10.1.0.0 /16

Page 10: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

10

Public Subnet

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

VPC CIDR: 10.1.0.0 /16

Availability Zone A

Page 11: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

11

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

VPC CIDR: 10.1.0.0 /16

.1

.1 .1

.1

Page 12: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

12

Public Subnet

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

VPC CIDR: 10.1.0.0 /16

Route Table

Destination Target

10.1.0.0/16 local

Availability Zone A

Page 13: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

13

别碰默认路由表

Page 14: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

14

Availability Zone B

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Private Subnet

Instance A

10.1.1.11 /24

Instance C

10.1.3.33 /24

Instance B

10.1.2.22 /24

Instance D

10.1.4.44 /24

VPC CIDR: 10.1.0.0 /16

Route Table

Destination Target

10.1.0.0/16 local

10.1.1.0/24 Instance B

Page 15: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

15

网络ACLs与安全组

网络ACLs

作用在子网上

无状态

设置允许和拒绝(黑名单)

规则按顺序处理

安全组

作用在实例的ENI上

有状态

设置允许(白名单)

规则作为整体处理

SG能够引用同一个VPC中的另一个SG

VPC Subnet

Elastic Network

Instance

Security Group

Network ACL

Page 16: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

16

VPC网络ACLs适合做什么?

强制实行安全策略的基线

Example:

“不允许TFTP, NetBIOS 或 SMTP 从该子网出站”

弥补所有实例安全组的漏洞

职责分离 VPC Subnet

Instance

Page 17: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

17

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

Instance A

10.1.1.11 /24

Instance C

10.1.3.33 /24

Instance B

10.1.2.22 /24

Instance D

10.1.4.44 /24

VPC CIDR: 10.1.0.0 /16

想从VPC出门看世界?请开一道前门

Route Table

Destination Target

10.1.0.0/16 local

0.0.0.0/0 IGW

54.200.129.18

Page 18: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

18

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

Instance A

Public: 54.200.129.18

Private: 10.1.1.11 /24

Instance C

10.1.3.33 /24

Instance B

10.1.2.22 /24

Instance D

10.1.4.44 /24

Route

Table

Internet

Amazon S3 DynamoDB

AWS

region

VPC外部的世界

Page 19: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

19

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

Instance A

Public: 54.200.129.18

Private: 10.1.1.11 /24

Instance C

10.1.3.33 /24

Instance B

10.1.2.22 /24

Instance D

10.1.4.44 /24

Route

Table

Internet

Amazon S3 DynamoDB

AWS

region

实例C需要访问互联网怎么办?

Page 20: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

20

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

NAT A

Public: 54.200.129.18

Private: 10.1.1.11 /24

Instance C

10.1.3.33 /24

Instance B

10.1.2.22 /24

Instance D

10.1.4.44 /24

Internet

Amazon S3 DynamoDB

AWS

region

部署一个做为

N etwork

A ddress

T ranslator

的实例

Route Table

Destination Target

10.1.0.0/16 local

0.0.0.0/0 NAT

instanc

e

Page 21: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

21

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

Instance A

10.1.1.11 /24

Instance C

10.1.3.33 /24

Instance B

10.1.2.22 /24

Instance D

10.1.4.44 /24

VPC CIDR: 10.1.0.0 /16

Virtual Private Gateway

Internet

Gateway

Route Table

Destination Target

10.1.0.0/16 local

Corp CIDR VGW

连接企业私网?请开一道后门

Page 22: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

22

设计… 然后耗费大量时间搭建与部署

Architecting on AWS – Amazon VPC

Page 23: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

23

搭建、部署和设计同样迅速

Architecting on AWS – Amazon VPC

Page 24: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

24

Move to VPC !!!

Page 25: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

25

解决方案架构师

开发人员

系统操作管理员

入门

介绍AWS

系列视频

AWS

Essentials

Architecting

on AWS

Developing

on AWS

System

Operations

on AWS

Architecting on

AWS:

Advanced

Concepts

Advanced

Operation

on AWS

Big Data

on AWS

高级 专项

基于IT角色的讲师指导课程

Page 26: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

26

AWS 认证路线图

Page 27: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

27

AWS培训与认证

认证计划

aws.amazon.com/cn/certification

彰显你在AWS平台上的专业技术能力

免费教学视频

aws.amazon.bokecc.com

免费的教学视频让您在30

分钟之内快速了解 AWS

云服务

aws.amazon.com/cn/training

讲师指导课程

利用AWS设计,部署和操作可扩展的,高效应用的专业能

http://aws.amazon.com/cn/certification
http://aws.amazon.bokecc.com/
http://aws.amazon.com/training/
Page 28: Architecting on AWS: VPC 介绍 - 开放文档 - Free and …docs.huihoo.com/infoq/amazon-aws-define-network-service...1 Architecting on AWS: VPC 介绍 - AWS如何定义网络服务

28

谢谢大家! 下次再见

包光磊


[AWSマイスターシリーズ] Amazon VPC

Aws Amazon Vpc Connectivity Options

Bct Aws-VPC-Training

Architecting Mission Oriented Solutions in AWS …d36cz9buwru1tt.cloudfront.net/150AB-130-Architecting... ·  · 2013-09-09Architecting Mission Oriented Solutions in AWS GovCloud

AWS Networking - Sipart Networking Building your... · 2020. 11. 2. · Amazon VPC Traffic Mirroring ... AWS Transit Gateway with AWS site-to-site VPN VPC VPC VPC AWS Transit Gateway

Deploying Transit VPC with Autoscaling for Amazon Web ... · DeployingTransitVPCwithAutoscalingfor AmazonWebServices(AWS) TheAutoscalingfunctionalitymonitorstheTransitVPCandvirtualprivatecloud(VPC).Itautomatically

Architecting Active Directory on AWS · AWS Managed VPC Customer VPC App1 2 App 1 App 2 AWS Managed Microsoft AD DC AWS Managed Microsoft AD DC D C Availability Zone 1 Availability

(ARC206) Architecting Reactive Applications on AWS | AWS re:Invent 2014

Titus AWS VPC networking for containers

Container Days: Architecting Modern Apps on AWS

Learning Amazon Web Services (AWS)ptgmedia.pearsoncmg.com/images/9780135298343/...3 AWS Networking Services 77 VPC Networking 78 Partnering with AWS 79 ... Interface VPC Endpoints

Deploy AWS RDS Database In AWS VPC › wp-content › uploads › 2018 › 04 › ... · AWS Region AWS VPC - Overview Networking Setup AWS VPC Availability Zone A Availability Zone

[AWSマイスターシリーズ] Amazon Virtual Private Cloud (VPC)

AWS VPC, ELB, Route53 and CloudFront

Classmethod aws-study-vpc-20160114

Architecting for Greater Security on AWS

BASED AWS TRANSIT VPC - Juniper Networks

Architecting in Cloud : Your Guide to AWS

AWS VPC Peering & IP in IP tunneling

AWS Black Belt Techシリーズ Amazon VPC

Networking in AWS - Amazon S3 · PDF file• AWS networking services including: VPC ... VPC Subnet 1 VPC Subnet 2 ... • Best Practices for Evaluating ELB

AWS re:Invent 2016: Workshop: AWS Professional Services Effective Architecting Workshop (ARC320)

Architecting for Failure in AWS - PuppetConf 2013

[AWSマイスターシリーズ] Amazon VPC VPN & Direct Connect

AWS VPC ~インフラエンジニアへの道~

(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014

AWS Architecting for the cloud: Best practices

Architecting applications in the AWS cloud

Artem Zhurbila - 3 aws - route 53, vpc

AWS VPC distilled for MongoDB devOps

AWS VPC 事例紹介

20150115 AWS BlackBelt - Amazon VPC (Korea)

INSTRUCTOR-LED, VIRTUAL CLASSROOM COURSE … VIRTUAL CLASSROOM COURSE CATALOG Apple iPad Fundamentals Avaya ... Architecting on AWS Architecting on AWS - Advanced Concepts AWS Essentials

Architecting for the Cloud: AWS Best Practices

AWS re:Invent 2016: Architecting Next Generation SaaS Applications on AWS (ARC301)