s u m m i t - aws-de-marketing.s3-eu-central-1.amazonaws.com... · summit © 2019, amazon web...

S U MM I TB E R L I N

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT

AWS Networking – Advanced Concepts and New Capabilities

Viktor GoldbergCloud Infrastructure ArchitectAWS Professional Services

Matt JohnsonManager, Solutions ArchitectureAWS WWPS UK

SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Amazon Virtual Private Cloud (Amazon VPC) enables you to have complete control

over your AWS virtual networking environment.

In this session, we will work through the process and features involved to build an

advanced hybrid and connected architecture exploring the new capabilities

including VPC Shared Subnets, AWS Transit Gateway, Route 53 Resolver and AWS

Global Accelerator.

We dive into how they work and how you might use them.

What to expect


What not to expect

• Explanation of VPC basics; we assume that you know:• VPCs

• Subnets

• Route Tables

• Security Groups / NACLs

• Explanation of AWS core services


Agenda

Account

Strategy

VPN

WAN

AWS Direct Connect

Transit VPC

Network

Services

Connectivity

WAN

Shared

ServicesMulti-Region

Options


Our starting point

VPN

WAN

AWS Direct Connect

Virtual private gateway

Dev Prod


Challenge: Adding more VPCs

VPN

WAN

AWS Direct Connect

Dev Prod Dev Prod Dev Prod


Challenge: Peering VPCs

VPN

WAN

AWS Direct Connect


Connect dev and prod

VPC peering

Connect the yellow environment

How does this scale?

Let’s:


VPN

WAN

AWS Direct Connect



Scaling connections?

Scaling VPC peering?

Shared services?

Firewall and services?


Transit VPC

VPN

WAN

AWS Direct Connect

Transit VPC




VPN

WAN

AWS Direct Connect

Transit Gateway

AWSTransit Gateway




Automation of infrastructure

AWS Direct Connect and VPN standards

Subnet and routing standards

AWS Identity and Access Management

Strict security groups and routing

Identifying resources with tags

S m a l l e r V P C s o r a c c o u n t sL a r g e r V P C s o r a c c o u n t s

Account and VPC segmentat ion

Infrastructure and

NetworkingPolicy and IAM


Segmentation: Decision inputs

Relationship between accounts, VPCs, and tenants?

• Do accounts and tenants trust each other?

• Is the current network segmentation intentional or a side effect?

Who owns security and networking?

• Each team or a centralized team?

Compliance and governance requirements?

• Can they be scoped to an account or a VPC level


Baseline security

IAM

Security groups

Segmentation options: Layers

Application Application

Application Application

Application

Application

Inside the account

At the VPC

ACLs

Network security

Route tables

Network ACLs

Separate VPCs


Segmentation in a VPC with network ACLs

Inbound network ACL

# Source Action

100 10.0.1.0/24 ALLOW

101 10.0.101.0/24 ALLOW

200 10.0.0.0/16 DENY

300 0.0.0.0/0 ALLOW

Mimic behavior of a single VPC:


both?

Provide granular account control with centralized infrastructure


VPC sharing

Easily share VPC networks between AWS accounts, providing

central oversight and control for networking engineers

VPC Sharing and Resource Access ManagerShare subnets between accounts in an AWS Organization

Account

Account

Account

Account

Resource Share

• Public subnets

• Private subnets

Resource Share

• Private subnets

Infrastructure

account

VPC Sharing and Resource Access ManagerAccount owners only see subnets and their resources

Account

Account


Segmentation in a Shared VPC with network ACLs

Account

Account

Account

Account

Public subnet

Private subnet Private subnet

Resource share

• Public subnets

• Private subnets

Resource share

• Public subnets

• Private subnets

Public subnet

10.0.1.0/24 10.0.2.0/24

10.0.101.0/24 10.0.102.0/24

Inbound network ACL

# Source Action

100 10.0.1.0/24 ALLOW

101 10.0.101.0/24 ALLOW

200 10.0.0.0/16 DENY

300 0.0.0.0/0 ALLOW

Mimic behavior of a single VPC:


VPC Sharing benefits

Less unused resources

• Higher density subnets, add up

to 5 additional CIDRs

• More efficient use of VPN and

AWS Direct Connect

Separation of duties

• Infrastructure strictly controls

routing, IP addresses, and VPC

structure

• Developers own their resources,

accounts, and security groups

Decouple accounts and networks

• Account protection and billing

without additional infrastructure

• Many accounts with fewer

networks

• Avoid VPC peering charges


Segmentation considerations: Where to start

Security groups and IAM are effective and proven• Encourage IAM and security group use and monitor security configuration

Shared VPCs• Tenants should limit access from the internet and other tenants• VPCs using VPC peering are likely to benefit from Shared VPCs• Design around resource and limit contention

Separate VPCs• Often the best security decision is the simplest. Separate VPCs are simple.• Use separate VPCs for strong network segmentation and resource isolation• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)

Transit Gateway route tables define multi-VPC policy• Consider isolating environments (dev and prod) and allow access to shared resources


Shared services connectivity options

VPC peering

• One-to-one connectivity

• Scales to 100 VPCs

• Security groups across VPCs

• Inter-region peering

Transit VPC

• Shared services as a spoke

• Bandwidth constrained

• Complex management

• Instance and licensing costsVPN

WAN

AWS Direct Connect

Transit VPC

Shared

Services

AWS Transit Gateway

• Many-to-many or one-to-many with route tables

• Highly scalable

• Hourly per AZ endpoint costs

Account Account

Account Account

Development

Account Account

Account Account

Testing

Account Account

Account Account

Production Shared Services

Route

Tables

Route

Tables

Transit Gateway

AWS PrivateLink

• One-to-many connectivity

• Highly scalable

• Supports overlapping CIDRs

• Uses Elastic Load Balancing

• Load balancing and hourly endpoint costs


VPN

WAN

AWS Direct Connect

Transit VPC

Transit VPC Mechanics


Route table

Destination Target

10.2.0.0/16 Local

0.0.0.0/0 VGW

Transit VPC: Routing

Virtual private

gateway (VGW)

Virtual Private

Network (VPN)

Transit VPC

10.0.0.0/16

10.1.0.0/16 10.2.0.0/16

Internet

The VPN Instances

advertise routes to each

VGW with BGP. This can be

a default route or individual

routes.


Why doesn’t peer ing work?

VPC peering

Transit VPC

10.0.0.0/16

10.1.0.0/16 10.2.0.0/16Route table

Destination Target

10.2.0.0/16 Local

0.0.0.0/0 PCX

Internet


Why doesn’t peer ing work?

VPC peering

Transit VPC

10.0.0.0/16

10.1.0.0/16 10.2.0.0/16Route table

Destination Target

10.2.0.0/16 Local

0.0.0.0/0 PCX

Internet

Destination: InternetTraffic must either

originate or terminate

on a network interface

in the VPC

Transitive routing


Why does VPN work?

Transit VPC

10.0.0.0/16

10.1.0.0/16 10.2.0.0/16Route table

Destination Target

10.2.0.0/16 Local

0.0.0.0/0 VGW

Internet

Destination: Internet

Virtual Private

Network (VPN)

Traffic must either

originate or terminate

on a network interface

in the VPC

Transitive routing


Shared services connectivity options at scale

VPC Peering

• 1-to-1 connectivity

• Scales to 100 VPCs

• Security groups across VPCs

• Inter-region peering

Transit VPC

• Shared services as a spoke

• Bandwidth restricted

• Complex management

• Instance and licensing costs

AWS Transit Gateway

• Many-to-many or one-to-many with route tables

• Highly scalable

• Hourly per AZ endpoint costs

Account Account

Account Account

Development

Account Account

Account Account

Testing

Account Account

Account Account

Production Shared Services

Route

Tables

Route

Tables

Transit Gateway

AWS PrivateLink

• One-to-many connectivity

• Highly scalable

• Supports overlapping CIDRs

• Uses Elastic Load Balancing

• Load balancing and hourly endpoint costs


What is the AWS Transit Gateway?


Introducing: Transit Gateway

AWS Region

Transit Gateway

ENIs

VPN

Routing domain

Routing domain

AWS Direct

Connect *

Regional service

Scalable

Flexible routing

Available Q1 2019


Flat: Transit Gateway route domains (route tables)

Transit Gateway

Route Destination

10.1.0.0/16 vpc-att-1xxxxxxx




Default

routing domain

Route Destination

10.1.0.0/16 Local

10.0.0.0/8 tgw-xxxxxxxxx

Per VPC


Isolated: Transit Gateway route domains

Transit Gateway

Route Destination

0.0.0.0/0 VPN

Routing domain

for VPN

Route Destination

10.1.0.0/16 Local


Per VPC

VPN

Routing domain for VPCs

Route Destination

10.1.0.0/16 vpc-att-1xxxx


Route Destination





Transit Gateway

Route Destination

0.0.0.0/0 VPN

Route Destination

10.1.0.0/16 Local


Per VPC

VPN

Route Destination



Route Destination



Associate

go

Propagate routescan reach

Routing domain

for VPN




Transit Gateway

Route Destination

0.0.0.0/0 VPN

Route Destination

10.1.0.0/16 Local


Per VPC

VPN

Route Destination



Route Destination



Routing domain

for VPN




Transit GatewayShared

services

VPN

VPC

Route Destination



Route Destination



Route Destination

10.0.0.0/8 VPN


VPCs associate to a route table with routes to shared resources

Shared resources attach to a route table with routes to all resources

Reference Network Architecture

Account Account

Account Account

Account Account

Account Account

Account Account

Account Account

VPNAWS Direct

Connect *

Account Account Account Account IAM, cross-account roles

Route

tables

Route

tables

Transit Gateway

Available Q1 2019


Quick comparison: Transit Gateway and Transit VPC

VPN

WAN

AWS Direct Connect

Transit VPC

Transit VPC Transit Gateway


AWS Global Infrastructure

• 20 Regions with 60 Availability Zones

• 4 Regions coming soon: Bahrain, Cape Town, Hong Kong SAR, and second USA GovCloud

Global Infrastructure


160 Points of Presence (PoPs)

• 149 Edge Locations

• 11 Regional Edge Caches

Points of Presence





Amazon Global Network

• Redundant 100 GbE network

• Private network capacity betweenall AWS region, except China

Global Network




160 Points of Presence (PoPs)

• 149 Edge Locations

• 11 Regional Edge Caches


Multiple services traverse the backbone


Content Distribution with Amazon CloudFront

Fast, massively scaled and

globally distributed

Highly Programmable

Deep Integration with AWS

Network and application

protection at the edge


Local ISP Network A B C D E F

Access Application!

Accessing your application is not this straightforward!It can take many networks to reach the application

Paths to and from the application may differ

Each hop impacts performance and can introduce risk

Introducing AWS Global Accelerator


Local ISP AWS Network

Accessing your web applications with AWS Global Accelerator

Adding AWS Global Accelerator removes these inefficiencies

Leverages the Global AWS Network

Resulting in improved performance


AWS Region 1 AWS Region 2

3.10.3.1253.10.3.125


Connecting to on-premises

Virtual Private Gateway VPN AWS Direct Connect

VPN WAN

• Per VPC

• 1.25 Gbps per tunnel

• Encrypted in transit

• Per VPC (50 per port)

• Multiple VPCs with Direct Connect gateway

• No bandwidth restraint

AWS Transit Gateway VPN

VPN

• Multiple VPCs

• Add VPN connection as needed

• 1.25 Gbps per tunnel

• Roadmap: AWS Direct Connect

Amazon EC2 Customer VPN

VPN

• Per VPC or multiple (Transit VPC)

• Bandwidths vary by instance type

• AWS Marketplace options

• Scalability is generally limited by management complexity


Connecting to On-premises at Scale

Virtual Private Gateway VPN AWS Direct Connect

VPN WAN

• Per VPC

• 1.25 gbps per tunnel

• Encrypted in transit

• Per VPC (50 per port)

• Multiple VPCs with Direct Connect gateway

• No bandwidth restraint

AWS Transit Gateway VPN

VPN

• Multiple VPCs

• Add VPN connection as needed

• 1.25 gbps per tunnel

• Roadmap: AWS Direct Connect

Amazon EC2 Customer VPN

VPN

• Per VPC or multiple (Transit VPC)

• Bandwidths vary by instance type

• AWS Marketplace options

• Scalability is generally limited by management complexity


Private connectivity with AWS Direct Connect

Dedicated private connection

from on-premised to AWS

Consistent network

performance

Reduced bandwidth costs

Compatible with all

AWS services


AWS Direct Connect to Many VPCs

AWS Region

10.1.0.0/16

WAN

On-premises

AWS Direct Connect

location

Private virtual interface (VIF)

Customer

router

AWS

router

Customer

router

AWS

router

10.2.0.0/16

Up to 50 VIFs per port

AWS Direct Connect

location 2

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

AWS Direct Connect and Transit Gateway

Use Direct Connect in parallel Use VPN over a Direct Connect public virtual interface (VIF)

Account Account

Account Account

Account Account

Account Account

Account Account

Account Account

VPN

AWS Direct

Connect

Route

Tables

Route

Tables

Transit GatewayPrivate virtual

interfaces

VPN

AWS Direct

Connect

Route

Tables

Route

Tables

Transit Gateway

Public virtual

interface

AWS Region

Receive AWS

public IP addresses

Native Direct Connect support planned for Q1 2019


VPN With Transit Gateway

VPN

Route

tables

Route

tables

Transit Gateway

Customer Gateway

Consolidate VPN at the Transit Gateway (TGW)

• VPN acts similar to the Virtual Private Gateway (VGW)

• Bandwidth, configuration, APIs, cost, and experience

• VPN is attached to a TGW instead of a VGW

• Same 1.25 gbps bandwidth per tunnel applies

Encryption to the edge of many VPCs

• Traffic is encrypted until it’s inside the VPC

• Does not natively encrypt traffic between VPCs

• Inter-region VPC peering does


VPN with Transit Gateway: Add more bandwidth

VPN

Route

tables

Route

tables

Transit Gateway

Customer Gateway

Support for spreading traffic across many tunnels

• Equal Cost Multi-Path (ECMP) support with BGP multi-

path

• Tested up to 50 Gbps of traffic

• Split traffic into smaller flows, multi-part uploads, etc.

Check your on-premises configuration

• Multi-path BGP

• ECMP support, amount of equal paths, reverse-path

forwarding/spoofing checks

• Only supported with BGP, not static routing


Route 53 Resolver

Managed DNS Resolver service from Route 53

Create conditional forwarding rules to re-direct

query traffic

Enables hybrid connectivity over AWS Direct Connect

and Managed VPN


Enabling Hybrid Cloud

VPC

Data Center



VPC

Data Center

X



VPC

Data Center



VPC

Data Center

VPC

VPC


Route 53 Resolver


Benefit to you: Reduced Complexity


Benefit to you: Availability

• Use AWS high availability architecture

• Create additional redundancy by provisioning more ENIs in different AZs

VPC


Benefit to you: Cross Account Rules Sharing

VPC

VPC

VPC


Client VPN

Support for OpenVPN clients

Available in 4 regions at

launch; others coming soon

Connected users charged per user per hour


Attachment

to Amazon

VPC

TLS based tunnel

over the internet

User with Open

VPN Client

Client VPN Endpoint

Client

The

InternetAmazon

DynamoDBAmazon S3

On-Premises


Private connectivity with Inter-region Peering

Private connectivity for two

or more VPCs between regions

Highly available, no single

point of failure

All traffic stays on the AWS

global backbone network

All traffic encrypted and

anonymized


Multiple Regions

WAN

On-premises

AWS Direct Connect

location

Private virtual

interface (VIF)

Customer

router

AWS

router

Customer

router

AWS

router

AWS Region

AWS Direct Connect

location 2

Direct

Connect

gateway

Account

AWS Region


Takeaways

We have tools and architectures that horizontally scale to many VPCs

There’s wiggle room for your specific use cases

Use services in combination to meet scale and security requirements


Advice

• Networking changes fast, no more crystal balls

• Start simple! Stay simple. Reduce complexity to smaller scopes

• Segment and modify as needed

• Experiment and test

Thank you!


s u m m i t - aws-de-marketing.s3-eu-central-1.amazonaws.com... · summit © 2019, amazon web...

Documents