Networking in AWS · Networking in AWS Carl Simpson –Technical Architect, Zen Internet Limited...

Networking in AWSCarl Simpson – Technical Architect, Zen Internet Limited

[email protected]

About Me:

About Me:

• Technical Architect – Cloud & Hosting @ Zen Internet Limited

About Me:


• 12 years at Zen Internet

About Me:



• Networking guy turned Cloud guy

About Me:



• Networking guy turned Cloud guy

• Makes comments like: • “Someone should do a talk on AWS networking!”

What we’re going to cover:


• VPC


• VPC

• VPC End Points


• VPC

• VPC End Points

• VPC Peering


• VPC

• VPC End Points

• VPC Peering

• Direct Connect

What is a VPC?

What is a VPC?

• VPC = Virtual Private Cloud

What is a VPC?

• VPC = Virtual Private Cloud

• A private network ‘container’ within your AWS account:

VPC – A Container for:


IP Subnet

IP Subnet


IP SubnetRoute Table

Route Table

IP Subnet



Security Group

Security Group

Route Table

IP Subnet



EC2

instance

Security Group

Security Group

Route Table

EC2

instanceIP Subnet



EC2

instance

Amazon RDS

Security Group

Security Group

Route Table

EC2

instanceIP Subnet



EC2

instance

Amazon RDSRedis

Security Group

Security Group

Route Table

EC2

instanceIP Subnet

Setting up your VPC

Pick a region

AWS Region

AWS Region

Choose VPC address space

AWS Region

VPC 10.0.0.0/16

VPCIPv4 CIDR block:10.0.0.0/16

Pick some Availability Zones*Use three AZ where available

AWS Region

AZ BAZ A

VPC 10.0.0.0/16

AZ - A AZ - B

Create some subnets

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

Public Subnet A Public Subnet B

Create some subnets

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Subnet B

Private Subnet 1B

Private Subnet 2B

Suitable for ‘most’ cases

/22 /22 /22

/20 /20 /20

What makes a subnet public?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16


What makes a subnet public?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

Public Route Table


What makes a subnet private?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

Private Subnet 1A

Private Subnet 2A

Private Subnet 1B

Private Subnet 2B

What makes a subnet private?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway

Private Route Table 1 Private Route Table 2

Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VPC NAT gateway

Private Route Table 1 Private Route

Table 2

NAT Gateway

Private Subnet 1A

Private Subnet 2A

Private Subnet 1B

Private Subnet 2B

What might a private subnet have?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VPC NAT gateway

Private Subnet 1A

Private Subnet 2A

Private Subnet 1B

Private Subnet 2B

What might a private subnet have?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VPC NAT gateway

VGW

Virtual Private Gateway

Private Subnet 1A

Private Subnet 2A

Private Subnet 1B

Private Subnet 2B

Adding some servers/services

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

Elastic Load BalancerVPC NAT gateway

VGW

DB

Server

Web

Server

DB

Server

Web

Server


AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16


VGW

DB

Server

Web

Server

DB

Server

Web

Server

Load Balancer (ELB)


AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16


VGW

DB

Server

Web

Server

DB

Server

Web

Server

Load Balancer (ELB)

Web Server


AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16


VGW

DB

Server

Web

Server

DB

Server

Web

Server

Load Balancer (ELB)

Web Server

Database Server

What’s outside the VPC?

AWS Region

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16


VGW

DB

Server

Web

Server

DB

Server

Web

Server


AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A


VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

VPC10.0.0.0/16

AWS Public Services


AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A


VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

VPC10.0.0.0/16

AWS Public Services

But I want my stuff to be totally private!

AWS Region

AWS PublicServices

AZ BAZ A

Private Subnet 1A

Private Subnet 2A


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

But I want my stuff to be totally private!

AWS Region

AWS PublicServices

AZ BAZ A

Private Subnet 1A

Private Subnet 2A


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

Internet

Use VPC Endpoints

AWS Region

Amazon S3Lambda function

AWS Public Services

VPGVPC NAT gateway

Amazon DynamoDB

Use VPC Endpoints

AWS Region

Amazon S3Lambda function

AWS Public Services

VGWVPC NAT gateway

Amazon DynamoDB

VPC Endpoint

VPC Endpoint

VPC Endpoint

Saves money on NAT Gateway data transfer!

• * Currently in preview.• Endpoints for other services coming

*

Why use VPC Endpoints?


• Improve Security


• Improve Security• Reference them in security groups



• Restrict S3 buckets to only VPC end point access (bucket policy)

{"Sid": "Access-to-specific-VPCE-only","Action": "s3:*","Effect": "Deny","Resource": ["arn:aws:s3:::examplebucket",

"arn:aws:s3:::examplebucket/*"],"Condition": {

"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"

}}




• Performance




• Performance

• Save Money

VPC Endpoints

AWS Region

AWS PublicServices

AZ BAZ A

Private Subnet 1A

Private Subnet 2A


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

VPC Endpoint

VPC Endpoint

VPC Endpoint

VPC Endpoints

AWS Region

AWS PublicServices

AZ BAZ A

Private Subnet 1A

Private Subnet 2A


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

VPC Endpoint

VPC Endpoint

VPC Endpoint

VPC Endpoints

AWS Region

AWS PublicServices

AZ BAZ A

Private Subnet 1A

Private Subnet 2A


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

VPC Endpoint

VPC Endpoint

VPC Endpoint

Putting it all together

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16


VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

VPC Endpoint

VPC Endpoint

VPC Endpoint

What VPC things haven’t I mentioned?


IPv6


IPv6

VPC Flow s

IPv4 reminder

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC 10.0.0.0/16

VPC NAT gateway

VGW

Amazon S3

Lambda function

Amazon DynamoDB

Dual Stack (IPv4 & IPv6)

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

Amazon S3

Lambda function

Amazon DynamoDB

+

Dual Stack (IPv4 & IPv6)

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

Amazon S3

Lambda function

Amazon DynamoDB

AWS assigned /56 IPv6 address space

+

Focusing on IPv6 - /64s Everywhere

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

Amazon S3

Lambda function

Amazon DynamoDB


/64 /64

/64 /64

/64 /64

Focusing on IPv6 (Public Subnet Routing)

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

Amazon S3

Lambda function

Amazon DynamoDB


/64 /64

/64 /64

/64 /64

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

Amazon S3

Lambda function

Amazon DynamoDB

Egress Only GW

Focusing on IPv6 (Private Subnet Routing)


/64 /64

/64 /64

/64 /64

Egress Only Gateway

AWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

VGW

Amazon S3

Lambda function

Amazon DynamoDB

Egress Only GW

Focusing on IPv6 (External Private Routing)


/64 /64

/64 /64

/64 /64

Dual Stack – All together


Egress Only GatewayAWS Region

AWS PublicServices

AZ B

Public Subnet B

AZ A

Public Subnet A

Private Subnet 1A

Private Subnet 2A

Public Route Table

VPC NAT gateway


Private Subnet 1A

Private Subnet 2A

VPC10.0.0.0/16

2001:DB8::/56

VPC NAT gateway

VGW

DB

Server

Web

Server

DB

Server

Web

Server

Amazon S3

Lambda function

Amazon DynamoDB

Egress Only GW

+

Some CloudFormation IPv6 nonsense


What the docs say:Ipv6TestSubnetCidrBlock:

Type: "AWS::EC2::SubnetCidrBlock"

Properties:

Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock

SubnetId: !Ref Ipv6TestSubnet




Properties:






Properties:






Properties:






Properties:



What you need to do:Ipv6TestSubnetCidrBlock:

Type: 'AWS::EC2::SubnetCidrBlock'

Properties:

Ipv6CidrBlock:

'Fn::Join':

- '00'

- - 'Fn::Select':

- '0'

- 'Fn::Split':

- '00::/56'

- 'Fn::Select':

- '0'

- 'Fn::GetAtt':

- Vpc

- Ipv6CidrBlocks

- '::/64'

SubnetId:

Ref: PubSubnet1a

DependsOn: VpcIpv6CidrBlock




Properties:





Properties:

Ipv6CidrBlock:

'Fn::Join':

- '00'

- - 'Fn::Select':

- '0'

- 'Fn::Split':

- '00::/56'

- 'Fn::Select':

- '0'

- 'Fn::GetAtt':

- Vpc

- Ipv6CidrBlocks

- '::/64'

SubnetId:

Ref: PubSubnet1a


Look up the /56 CIDR Block




Properties:





Properties:

Ipv6CidrBlock:

'Fn::Join':

- '00'

- - 'Fn::Select':

- '0'

- 'Fn::Split':

- '00::/56'

- 'Fn::Select':

- '0'

- 'Fn::GetAtt':

- Vpc

- Ipv6CidrBlocks

- '::/64'

SubnetId:

Ref: PubSubnet1a


Split on 00::/56 and grab the 1st

part




Properties:





Properties:

Ipv6CidrBlock:

'Fn::Join':

- '00'

- - 'Fn::Select':

- '0'

- 'Fn::Split':

- '00::/56'

- 'Fn::Select':

- '0'

- 'Fn::GetAtt':

- Vpc

- Ipv6CidrBlocks

- '::/64'

SubnetId:

Ref: PubSubnet1a


Join your chosen:• Subnet ‘hextet’,• AWS assigned prefix &• /::64

Auditing (VPC Flow Logs)

Auditing (VPC Flow Logs)

flow logs

elastic network

adapter

elastic network

adapter

So we’re done?

BIG

BIG

BIG

BIG

BIGNo! There’s more!

You can have lots of VPCs

Baby

Baby

BabyBaby

Baby

Baby

So why have multiple VPCs?Baby

Baby

Baby

Baby

Baby

Baby

So why have multiple VPCs?

Question: “Why have multiple AWS accounts?”

Baby

Baby

Baby

Baby

Baby

Baby

Why have multiple accounts?


• Damage limitation



• Control/Autonomy







• Regulation




• Regulation

• Disaster Recovery

“But I need my resources to communicate with those in other VPCs!”

Use VPC Peering

A B

VPC Peering

VPC peering got much better in the last year!


• Reference Security Groups in peered VPCs

Reference Security Groups in peered VPCs

A B

e.g. VPC A Security Group ID sg-000001a allows inbound port 80 from Security Group ID sg-000001b which is applied to resources in VPC B



• Resolve DNS in peered VPCs

Resolve DNS in peered VPCs

A B

e.g. When VPC A resolves ‘ec2-35-176-15-190.eu-west-2.compute.amazonaws.com’ which lives in VPC B, it resolves to 10.10.0.162 not 35.176.15.190







• AWS have good (not cheap) transit VPC solutions

VPC peering limitations


• Unique address space required


• Unique address space required

• No VPC Transit

No (native) VPC transit

VPC peering full mesh

Why would I want to transit a VPC anyway?


• Force all traffic through central firewall(s)

Force all traffic through central firewall(s)


‘local’ routes create real challenges!


Local Routes create real challenges! Subnet A

Subnet B

Subnet C

Web

DB

FW/IDS



Subnet B

Subnet C

Web

DB

FW/IDS



Subnet B

Subnet C

Web

DB

FW/IDS



Subnet B

Subnet C

Web

DB

FW/IDS



Subnet B

Subnet C

Web

DB

FW/IDS

P

Force all (inter-subnet) traffic through a firewall (for IDS/IPS)

Customer-VPC - 10.0.0.0/16AZ B

Author

Diagram Status

Carl Simpson – Zen Internet Ltd

Draft – Version 3

TransitSub1B10.0.103.0/24

PubSub2B10.0.102.0/24

Co-lo

10.0.107.0/24 - DBSub1B

DB-i2DB-SG1

CiscoASA-B

A

B

AWSPri RT-B

TransitSub2B10.0.104.0/24 A

10.0.105.0/24 – WebFarmSub2B B

10.0.106.0/24 – WebFarmSub2B C

B

CiscoFP-B

A

B

Web2-i4 Web2-i5 Web2-i6

Web-i41 Web-i5 Web-i6

D

Routing Table:10.0.0.0/16 via local192.168.0.1 via CiscoFP-B-int-B 192.168.0.2 via CiscoFP-A-int-B 0.0.0.0/0 via CiscoASA-int-B

Routing Table:10.0.102.0/24 via connected10.0.103.0/24 via connected0.0.0.0/0 via AWS Pub2 RT 192.168.0.2/32 via F5-int-B 10.0.5.0/24 via CiscoFP-B-int-A 10.0.6.0/24 via CiscoFP-B-int-A 10.0.105.0/24 via CiscoFP-B-int-A 10.0.106.0/24 via CiscoFP-B-int-A

Routing Table:10.0.101.0/24 via connected10.0.102.0/24 via connected0.0.0.0/0 via AWS Pub1 RT 10.0.5.0/24 via CiscoASA-B-int-A 10.0.6.0/24 via CiscoASA-B-int-A 10.0.105.0/24 via CiscoASA-B-int-A 10.0.106.0/24 via CiscoASA-B-int-A

Routing Table:10.0.0.0/16 via local0.0.0.0/0 via IGW

SNAT to 192.168.0.2

WebSG1

WebSG2

Routing Table:10.0.103.0/24 via connected10.0.104.0/24 via connected0.0.0.0/0 via CiscoASA-int-B 192.168.0.2/32 via CiscoASA-int-B 10.0.105.0/24 via AWS Pri RT-B-int-A 10.0.106.0/24 via AWS Pri RT-B-int-A 10.0.5.0/24 via AWS Pri RT-A-int-A 10.0.6.0/24 via AWS Pri RT-A-int-A

AWS RT(unused)

AWSPub2 RT

EIP4

PubSub1B10.0.101.0/24

AWSPub1 RT

F5-B

AEIP2 LbSG1

AZ A

TransitSub1A10.0.3.0/24

PubSub2A10.0.2.0/24

10.0.7.0/24 - DBSub1A

DB-i1DB-SG1

CiscoASA-A

A

B

AWSPri RT-A

TransitSub2A10.0.4.0/24A

10.0.5.0/24 - WebFarmSub1AB

10.0.6.0/24 – WebFarmSub2AC

IGW

B

CiscoFP-A

A

B

Web2-i3Web2-i2Web2-i1

Web-i3Web-i2Web-i1

D

Routing Table:10.0.0.0/16 via local192.168.0.1 via CiscoFP-A-int-B 192.168.0.2 via CiscoFP-B-int-B 0.0.0.0/0 via CiscoASA-A-int-B

Routing Table:10.0.2.0/24 via connected10.0.3.0/24 via connected0.0.0.0/0 via AWS Pub2 RT 192.168.0.1/32 via F5-int-B 10.0.5.0/24 via CiscoFP-A-int-A 10.0.6.0/24 via CiscoFP-A-int-A 10.0.105.0/24 via CiscoFP-A-int-A 10.0.106.0/24 via CiscoFP-A-int-A

Routing Table:10.0.1.0/24 via connected10.0.2.0/24 via connected0.0.0.0/0 via AWS Pub1 RT 10.0.5.0/24 via CiscoASA-A-int-A 10.0.6.0/24 via CiscoASA-A-int-A 10.0.105.0/24 via CiscoASA-A-int-A 10.0.106.0/24 via CiscoASA-A-int-A

Routing Table:10.0.0.0/16 via local0.0.0.0/0 via IGW

SNAT to 192.168.0.1

WebSG1

WebSG2

Routing Table:10.0.3.0/24 via connected10.0.4.0/24 via connected0.0.0.0/0 via CiscoASA-int-B 192.168.0.1/32 via CiscoASA-int-B 10.0.5.0/24 via AWS Pri RT-A-int-A 10.0.6.0/24 via AWS Pri RT-A-int-A 10.0.105.0/24 via AWS Pri RT-A-int-A 10.0.106.0/24 via AWS Pri RT-A-int-A

AWS RT(unused)

AWSPub2 RT

EIP3

PubSub1A10.0.1.0/24

AWSPub1 RT

F5-A

A EIP1 LbSG1

Date 27/08/2015

VGW

CiscoASACiscoASA

Route53(health checked & RR/weighted

DNS)

Clientsquery

AZ C:192.168.0.3 – SNAT F5 load balancer 10.0.201.0/24 – PubSub1C 10.0.202.0/24 – PubSub2C10.0.203.0/24 – TransitSub1C10.0.204.0/24 – TransitSub2C10.0.205.0/24 – WebFarmSub1C10.0.206.0/24 – WebFarmSub2C10.0.207.0/24 – DbSub1C


• Force all traffic through a firewall

• Privately route between VPCs in remote regions

AWS Global VPC Transit Solutionhttps://aws.amazon.com/answers/networking/transit-vpc/

Direct Connect

Why use Direct Connect?


• Lower latency

EU-WEST-1(Dublin)

You Are Here!

EU-WEST-2(London)

EU-WEST-1(Dublin)

Manchester

EU-WEST-2(London)

EU-WEST-1(Dublin)

Manchester

EU-WEST-2(London)

EU-WEST-1(Dublin)

Manchester

EU-WEST-2(London)

Best DirectConnect Path


• Lower latency X


• Lower latency

• Service Level Agreement

X

Lets check the AWS Direct Connect FAQs:

“Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?”

Lets check the AWS Direct Connect FAQs:

“Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?”

Answer:

“Not at this time.”


• Lower latency


X

X


• Lower latency


• High Bandwidth

X

X

AWS Direct Connect Bandwidth


• Provides 1 Gbps and 10 Gbps ports


• Provides 1 Gbps and 10 Gbps ports

• Now supports LACP


• Lower latency


• High Bandwidth

X

X


• Lower latency


• High Bandwidth

• Consistent Network Performance

X

X

Consistent Network Performance?


• Dedicated Links


• Dedicated Links

• Isolated from Internet Routing changes


• Dedicated Links


• More controlled environment


• Dedicated Links


• More controlled environment


• Lower latency


• High Bandwidth


X

X


• Lower latency


• High Bandwidth


• Private Connectivity to Amazon VPC

X

X


• Lower latency


• High Bandwidth



• Private Connectivity to AWS public services

X

X

Connectivity Options - Single Site Solution

Customer Office

VGW

Connectivity Options - Single Site SolutionUse Zen, we can provide this! :-)

Customer Office

VGW

Connectivity Options - Multi-site solution

Customer Office(s)

Customer IPVPN/MPLS

Customer Data Centre(s)

VGW

Connectivity Options - Multi-site solutionUse Zen, we can provide this too! :-)

Customer Office(s)

Customer IPVPN/MPLS


VGW

Connectivity Options –Multi-site solution (private and public)Use Zen, we can provide this too! :-)

Customer Requires Public IP space for access to public services!

Customer Office(s)

Customer IPVPN/MPLS


Amazon S3Lambda functionAmazon SQS

Public Services

VGW


• Lower latency


• High Bandwidth




X

X


• Lower latency


• High Bandwidth




X

X


• Lower latency


• High Bandwidth




X

X

So how do I get Direct Connect?


• DIY connection• 1G or 10G bandwidth options only

• Build your network out to a direct connect location


• DIY connection• 1G or 10G bandwidth options only

• Build your network out to a direct connect location

• Hosted connection• 50M bandwidth and up

• Partner ‘may’ bring the connection to you

Direct Connect - A little more detail

Direct Connect Routing

AWS Router

Customer/Partner Router

VLAN 1

Customer/Partner ASN

Amazon ASN

VGW


AWS Router


VLAN 1

eBGP Customer/Partner ASN

Amazon ASN

VGW


AWS Router


VLAN 1


Amazon ASN

VGW

Announce Routes Announce Routes


AWS Router


VLAN 1


Amazon ASN

VGW


MED and AS PATH prepending supported


AWS Router


VLAN 1


Amazon ASN

VGW


MED and AS PATH prepending supported

Direct Connect preferred over VPN connection

What we’ve covered:

• VPC

• VPC End Points

• VPC Peering

• Direct Connect

Final thing…

Public Cloud Connect

Another Cloud Provider

AWS (EU-West) RegionsPublic Cloud Connect:for multi-cloud access Customer Site 1

Customer Site 2

Customer Site n

Thanks!

Questions?

Date post:	19-Jul-2020
Category:	Documents
Upload:	others
View:	3 times
Download:	1 times

Networking in AWS · Networking in AWS Carl Simpson –Technical Architect, Zen Internet Limited...

Documents