webinar aws 201 - using amazon virtual private cloud (vpc)
DESCRIPTION
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)TRANSCRIPT
AWS$201$
Using$Amazon$Virtual$Private$Cloud$(VPC)$
Markku$Lepistö$B$Technology$Evangelist$@markkulepisto$
Housekeeping
• Presentation ~40mins • Post Questions Online • Q&A at the end using the online chat • Reminder – Fill in the survey!
What is Hybrid IT?
Hybrid IT: A Definition
$$$$$
hIp://www.gartner.com/technology/research/technicalBprofessionals/hybridBcloud.jsp$
“Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.”
$$$$$
hIp://www.gartner.com/technology/research/technicalBprofessionals/hybridBcloud.jsp$
“Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.”
Hybrid IT: A Definition
Build$ Deliver$
Hybrid IT: A Definition
Services( Business(Outcomes(
Solu1ons(
AWS Service Building Blocks
Services: AWS Platform
AWS Global Infrastructure
Application Services
Networking
Deployment & Administration
Database Storage Compute
Our “Hybrid” Focus
Cloud Apps On-Premise Apps
Private Connections
Workload Migrations
Access Control Integration
Work with Existing Management Tools
Your Data Centers
Tools to Support Hybrid IT Architectures
VM Import/Export
VPC Network
IAM Policies
Virtual Images
On-Premise Apps
Private Network
Your Data Centers VPC
Corporate Directory
Your Cloud Apps
Your Data Our Storage
Services: Networking: VPC
Compute$ Storage$
AWS$Global$Infrastructure$
Database$
App$Services$
Deployment$&$AdministraVon$
Networking$
Extend your data center with Amazon VPC
Compute$ Storage$
AWS$Global$Infrastructure$
Database$
App$Services$
Deployment$&$AdministraVon$
Networking$
Services: Networking: VPC
Extend your data center with Amazon VPC • Create logically isolated section of AWS Cloud using
your own network address space • Complete control over your virtual networking environment
including creation of subnets, IP addressing, routing tables and network gateways
• Create private or public subnets in multiple Availability Zones • You choose where to deploy EC2 instances • You manage network security at subnet level using NACLs • You manage EC2 Instance Security Groups,
providing stateful network firewall per instance
10.100.0.0/16(Application
Server$
Availability Zone B Availability Zone A
10.100.2.0/23$10.100.0.0/23$
Integrate your network with Amazon VPC • Connect via standard IPSEC Internet VPN tunnels, or • Private link to AWS Direct Connect peering location,
or a combination of both • Connection port speeds from 50M to 10G, you choose the
connection speed you want • Connect multiple VPCs using industry standard VLANs and
layer 3 routing protocols • Integrate your network to your private VPC resources • Deploy your own network equipment into Direct Connect
peering location, e.g. WAN Optimization Devices
Compute$ Storage$
AWS$Global$Infrastructure$
Database$
App$Services$
Deployment$&$AdministraVon$
Networking$
Customer VPC
Internet VPN Connection$
Customer IPSEC Router/Firewall$
Customer Direct Connect Router$
Private$Direct$Connect
Customer Corporate Network
Services: Networking: VPN & Direct Connect
Demo step 1 Create a new VPC in Singapore
VPN Tunnels$
Office VPN Gateway$
Workstation
VPC Configuration - Singapore • VPC CIDR Network: 10.100.0.0/16 • VPC Subnet 1: 10.100.0.0/23 • VPC Subnet 2: 10.100.2.0/23 • VPN Type: Dynamic BGP
Office Configuration - Tokyo • Corporate Network: 10.96.0.0/16 • Office Network: 10.96.24.0/21 • VPN Gateway: 54.178.135.26 (public IP)
Our First Virtual Private Cloud
Availability Zone B Availability Zone A
Demo starts
You can create multi-tier architectures VPC A - 10.0.0.0/16
Avai
labi
lity
Zone
A
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC2(
10.0.5.0/24
Bas1on(
10.0.4.0/24
EC2(App( Log(
EC2(Web(
Load(balancing(
Firewall every single compute instance VPC A - 10.0.0.0/16
Avai
labi
lity
Zone
A
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC2(
10.0.5.0/24
Bas1on(
10.0.4.0/24
EC2(App(
“Web servers will accept Port 80 from load balancers”
“App servers will accept Port 8080
from web servers”
“Allow SSH access only from
Bastion hosts”
Log(
EC2(Web(
Load(balancing(
Enable Network Access Control on every subnet VPC A - 10.0.0.0/16
Avai
labi
lity
Zone
A
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC2(
10.0.5.0/24
Bas1on(
10.0.4.0/24
EC2(App( Log(
EC2(Web(
“Deny all traffic between the web server subnet and the database
server subnet”
Load(balancing(
Control every Internet connection VPC A - 10.0.0.0/16
Avai
labi
lity
Zone
A
10.0.1.0/24
10.0.2.0/24
EC2(
10.0.3.0/24
EC2(
10.0.4.0/24
EC2(App(
EC2(Web(EC2(Web(EC2(EC2(Web(
Internet$Gateway$
Control(Internet(rou1ng(• Create$Public$subnets$and$
Private$subnets$• Create(Internet(Gateways(or$
NAT(instances(for$controlling$internetBfacing$traffic$
• Allocate$Elas1c(IP(addresses(• Implement$DMZ$
architectures$as$per$normal$best$pracVces$
Load(balancing(
Connect in private to your existing datacenters VPC A - 10.0.0.0/16
Avai
labi
lity
Zone
A
10.0.1.0/24
10.0.2.0/24
EC2(
10.0.3.0/24
EC2(
10.0.4.0/24
EC2(App(
EC2(Web(EC2(Web(EC2(EC2(Web(
Use Internet VPNs or use AWS Direct
Connect
Your(office(/(DC(
Load(balancing(
You can route to the Internet using your gateway VPC A - 10.0.0.0/16
Avai
labi
lity
Zone
A
10.0.1.0/24
10.0.2.0/24
EC2(
10.0.3.0/24
EC2(
10.0.4.0/24
EC2(App(
EC2(Web(EC2(Web(EC2(EC2(Web(
Use Internet VPNs or use AWS Direct
Connect
Load(balancing(
Your(office(/(DC(
Common Hybrid Workloads
Disaster Recovery
Application Server$
Virtual Server$
File Server$
Database Server$
Backup Server$
Cloud on standby DR setup • Eliminate need for DR data center • Reduce capital expense for duplicate infrastructure • Pay for only what you use
• Real-time, secure, database replication from on-premise to down-sized database server running on AWS
• Application backups and virtual server images stored on S3 • Storage appliance volume data preserved on S3 as snapshot
Amazon S3$
Database Server$
Disaster Recovery Amazon S3$
Application Server$
Virtual Server$
File Server$
Database Server$
Cloud on standby DR invocation • AWS services available within minutes • Pay only for services used during DR failover • Ability to test DR by replicating entire environment in
another VPC with same configuration • Amazon EC2 instances created, data restored from backup • Database server resized to production requirements • Storage appliances started on EC2 • File server data preserved on S3 as image snapshot • Virtual Servers restored via VMimport process
Users
App A$
App B$ App C$
Development and Test Development VPC$ Test VPC$
Corporate Network
App A$
App B$ App C$
AWS Elastic Beanstalk$
AWS Opsworks$
AWS CloudFormation$
Development and Test Development VPC$
Corporate Network
App A$
App B$ App C$
AWS Elastic Beanstalk$
AWS Opsworks$
AWS CloudFormation$
Archive to Amazon S3$
Corporate Network
Proof Of Concept – Big Data Analytics Deploy Proof Of Concept environments • Test new products or new version of existing products • Create POC environments in isolated VPCs • Alleviate need for capital investments • Deploy with pre-defined templates • Leverage AWS Marketplace for range of different solutions,
pay by the hour for enterprise software
BI Analytics
Platform$
Amazon S3$
AWS Redshift$
Amazon EMR$
Demo step 2 – Create IPSEC VPN tunnels between the VPC and our Office, Deploy a CMS within the VPC
Drupal Server$
Availability Zone A Availability Zone B Router / VPN GW$
Workstation
Our Office - Tokyo$
Our VPC Singapore$
Demo continues
Thank$you$
Markku$Lepistö$B$Technology$Evangelist$@markkulepisto$
Your$feedback$is$important$
Let’s$have$a$Poll!$Let$us$know$what$you$want$to$see$next$
Your$feedback$is$important$
Please$complete$the$Survey!$What’s$good,$what’s$not$
What$you$want$to$see$at$these$events$
What$you$want$AWS$to$deliver$for$you$
Q&A