Posted 06-Jan-2017 | Category: Technology | Uploaded by: amazon-web-services
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mark Ryland—Director, Solutions Architecture, Worldwide Public Sector
Mingxue Zhao—Senior Product Manager, Amazon EC2 Networking
December 1, 2016
NEW LAUNCH!
IPv6 in the Cloud:
Virtual Private Cloud Deep Dive
NET307
What to Expect from the Session
• IPv6: why it matters
• AWS networking review
• IPv4 in Amazon VPC review: key concepts
• IPv6 in Amazon VPC: similarities and differences
• Demo
• Questions
The Large Address Space of IPv6
We’re running out of IPv4 address space…
IPv6: way bigger than IPv4…
Another visualization attempt, sorry
300 PPI monitors with each pixel representing an IP address in a /24 (2^24 addresses) versus a /64 (2^64 addresses) subnet
[Figure: IPv4 /24 monitor, 18.2” × 10.2”; IPv6 /64 monitor, 301.2 miles¹ × 69.5 miles]
The Large Address Space of IPv6…
• But much more than that…
• Fundamentally: from scarcity to abundance
• E.g., now each Amazon CloudFront distribution gets an unchanging set of IPv6 addresses
• E.g., every IPv6 address in Amazon VPC is like an EIP – globally unique and unchanging for the life of the Amazon VPC/subnet/instance
• Expect more benefits like that over time…
AWS Network Overview
• Blue = AWS public address space
• Edge services (CloudFront / Amazon Route 53 points of presence)
• Connectivity from PoPs to regions is largely private
• Green dots in diagram represent service endpoints (public IP addresses)
• Historically all IPv4…
[Diagram labels: Internet; AWS public address space; Edge services (CloudFront, AWS WAF, Route 53); Private backhaul; EC2 network containing VPC 1, VPC 2, VPC 3 … VPC N; IGW; CGW; Direct Connect; Customer private network; Abstracted services (S3, Amazon DynamoDB, Amazon SQS… etc.); (Amazon EC2, CF APIs, etc.)]
Network Overview…
[Diagram: same as the previous slide – Internet; AWS public address space; Edge services (CloudFront, WAF, Route 53); Private backhaul; EC2 network with VPC 1 … VPC N; IGW; CGW; Direct Connect; Customer private network; Abstracted services (S3, DynamoDB, SQS… etc.); (EC2, CF APIs, etc.)]
• Publicly addressable “abstracted services”[1] network
• Data planes vs. (control planes)
• EC2 network with VPCs “inside”
• User-defined IPv4 CIDRs up to /16
• Subnets from /16 to /28 “inside” Availability Zones
• Customer private connections
• Direct Connect: private peering to customer VPCs and/or AWS public address space
• VPNs: IPsec tunnels over Internet to VPCs
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
Network Overview…
[Diagram: same as the previous slide, with an EGW added next to the IGW; blue endpoints mark IPv6]
• Publicly addressable “abstracted services”[1] network
• Data planes vs. (control planes)
• EC2 network with VPCs “inside”
• User-defined IPv4 CIDRs up to /16
• Subnets from /16 to /28 “inside” AZs
• Customer private connections
• Direct Connect: private peering to customer VPCs and/or AWS public address space
• VPNs: IPsec tunnels over Internet to VPCs
• Blue endpoints = IPv6 as of today
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
Key Concepts of IPv6 in Amazon VPC – Dual-stack
• You can now enable IPv6 and have a dual-stack VPC
[Diagram: VPC 10.0.0.0/16 and 2001:db8::/56; Subnet 10.0.3.0/24 and 2001:db8::/64; Instance 10.0.3.3 – 54.0.0.3 and 2001:db8::3]
Key Concepts of IPv6 in Amazon VPC – Dual-stack
• IPv4 is the default; IPv6 is opt-in
[Console screenshots: My VPCs, My Subnets, My Instances]
Key Concepts – IPv4 Review
• Every instance has a private IPv4 address (typically an RFC1918 address)
• To be “on” the Internet, you associate a public IPv4 address, which is 1:1 NATed to the private address
• OS “sees” the private address
• The Internet “sees” the public address
• NAT (actually NAT/PAT) is often used so instances can reach out to the Internet, but the Internet cannot reach in (egress-only Internet access)
Key Concepts – IPv6 GUAs
• For IPv6, Amazon VPC instances receive Global Unicast Addresses (GUA), which are Internet routable
• GUAs directly assigned to instances; there is no 1:1 NAT in the case of Internet access
• Using GUAs does not mean losing security or privacy—to have Internet access, you also need to have proper route tables, security groups, and gateways
[Diagram labels: EIGW (X); Subnet; Instance 10.0.3.3 – 54.0.0.3 and 2001:db8::3]
New Feature – Egress-only Internet Gateway
• A new virtual device that provides egress-only Internet access over IPv6
• No middle box to perform NAT, and no additional cost
• No performance/availability/connection limits
Key Concepts of IPv6 in Amazon VPC
• Most core concepts remain the same and work the same
• Security groups, route tables, and network ACLs
• IPv4 rules apply to IPv4 traffic
• IPv6 rules apply to IPv6 traffic
• Security group reference applies to both IPv4 and IPv6 traffic
Example Security Group Rules
Key Concepts of IPv6 in Amazon VPC
• When you turn on IPv6 in Amazon VPC, the system automatically makes the following updates for your route tables, security groups, and network ACLs:
• Create an open-to-all IPv6 egress rule in each security group, if you have the default open-to-all IPv4 rule
• Create a local route using the Amazon VPC’s CIDR block
• Create an open-to-all IPv6 entry in each ACL if you have the default open-to-all IPv4 rule
• You need to make all other updates
Turning on/off IPv6 in an Amazon VPC
• You can enable IPv6 when creating a new Amazon VPC
• Enabling IPv6 in an existing Amazon VPC:
1. Associate an IPv6 CIDR block with the Amazon VPC
2. Associate an IPv6 CIDR block with the subnet; (optional) mark the auto-assign-ipv6-address flag
3. Configure security groups and route tables (and network ACLs and gateways, if applicable)
4. Assign IPv6 addresses to instances
5. (Optional) update OS and DHCPv6 client
• Disabling IPv6 in an Amazon VPC – reverse the process above
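The numbered steps above as one script, added here as an example and not the session's or AWS's own code. It drives a boto3-style EC2 client through the real boto3 method names (associate_vpc_cidr_block, associate_subnet_cidr_block, modify_subnet_attribute, create_egress_only_internet_gateway, create_route, authorize_security_group_egress, assign_ipv6_addresses), carves the subnet's /64 out of the Amazon-provided /56 with the standard library ipaddress module, and uses an egress-only Internet gateway so the instance gets outbound-only IPv6 as in the dual-stack slides. FakeEc2 is a constructed stand-in that records the calls and returns minimal responses so the script runs offline; all resource ids are placeholders, and step 5 (OS and DHCPv6 client) happens on the instance, outside this API. Because enabling IPv6 may already have created the open-to-all IPv6 egress rule, the script checks for it before authorizing, since the API rejects a duplicate permission.

```python
"""Enable IPv6 on an existing VPC in the session's order (added example; FakeEc2 is constructed)."""
import itertools
import ipaddress


def nth_subnet(vpc_ipv6_cidr: str, index: int, new_prefix: int = 64) -> str:
    """Return the index-th /64 inside the VPC's IPv6 block (a /56 holds 256 of them)."""
    net = ipaddress.ip_network(vpc_ipv6_cidr)
    if not 0 <= index < 2 ** (new_prefix - net.prefixlen):
        raise ValueError(f"index {index} outside {vpc_ipv6_cidr}")
    return str(next(itertools.islice(net.subnets(new_prefix=new_prefix), index, None)))


def has_open_ipv6_egress(ec2, sg_id: str) -> bool:
    """True if the group already has an all-traffic egress rule to ::/0 (the automatic one)."""
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    return any(rule.get("IpProtocol") == "-1"
               and any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
               for rule in sg["IpPermissionsEgress"])


def enable_ipv6(ec2, vpc_id, subnet_id, route_table_id, sg_id, eni_id, subnet_index=0):
    # 1. Associate an Amazon-provided IPv6 block (a /56) with the VPC, then read it back
    ec2.associate_vpc_cidr_block(VpcId=vpc_id, AmazonProvidedIpv6CidrBlock=True)
    vpc = ec2.describe_vpcs(VpcIds=[vpc_id])["Vpcs"][0]
    vpc_cidr = vpc["Ipv6CidrBlockAssociationSet"][0]["Ipv6CidrBlock"]
    # 2. Give the subnet one /64 out of that block and auto-assign addresses to new instances
    subnet_cidr = nth_subnet(vpc_cidr, subnet_index)
    ec2.associate_subnet_cidr_block(SubnetId=subnet_id, Ipv6CidrBlock=subnet_cidr)
    ec2.modify_subnet_attribute(SubnetId=subnet_id, AssignIpv6AddressOnCreation={"Value": True})
    # 3. Egress-only Internet gateway, a ::/0 route to it, and an IPv6 egress rule if missing
    eigw = ec2.create_egress_only_internet_gateway(VpcId=vpc_id)
    eigw_id = eigw["EgressOnlyInternetGateway"]["EgressOnlyInternetGatewayId"]
    ec2.create_route(RouteTableId=route_table_id, DestinationIpv6CidrBlock="::/0",
                     EgressOnlyInternetGatewayId=eigw_id)
    if not has_open_ipv6_egress(ec2, sg_id):
        ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=[
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}])
    # 4. Assign one IPv6 address from the subnet's /64 to the instance's network interface
    ec2.assign_ipv6_addresses(NetworkInterfaceId=eni_id, Ipv6AddressCount=1)
    # 5. OS / DHCPv6 client configuration happens on the instance, not through this API
    return {"vpc_cidr": vpc_cidr, "subnet_cidr": subnet_cidr, "eigw_id": eigw_id}


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client: records calls, returns minimal responses."""

    def __init__(self, vpc_ipv6_cidr="2001:db8::/56", existing_v6_egress=False):
        self.calls = []
        self.vpc_ipv6_cidr = vpc_ipv6_cidr
        self.existing_v6_egress = existing_v6_egress

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self._response(name)
        return call

    def _response(self, name):
        if name == "describe_vpcs":
            return {"Vpcs": [{"Ipv6CidrBlockAssociationSet":
                              [{"Ipv6CidrBlock": self.vpc_ipv6_cidr}]}]}
        if name == "create_egress_only_internet_gateway":
            return {"EgressOnlyInternetGateway":
                    {"EgressOnlyInternetGatewayId": "eigw-placeholder"}}
        if name == "describe_security_groups":
            egress = ([{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]
                      if self.existing_v6_egress else [])
            return {"SecurityGroups": [{"IpPermissionsEgress": egress}]}
        return {}


if __name__ == "__main__":
    fake = FakeEc2()
    print(enable_ipv6(fake, "vpc-placeholder", "subnet-placeholder", "rtb-placeholder",
                      "sg-placeholder", "eni-placeholder", subnet_index=3))
    for name, kwargs in fake.calls:
        print(name, kwargs)
```

To run it against an account, replace `FakeEc2()` with `boto3.client("ec2", region_name="us-east-2")` (the region the launch slide names) and your own ids. Disabling IPv6 is the reverse order: unassign addresses, delete the route and gateway, then disassociate the subnet and VPC blocks.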
Other Amazon VPC Features
• Internet Gateway
• VPC Flow Logs
• Instance metadata*
• VPC peering
• Direct Connect
• Amazon EC2 Default DNS Resolution*
Not available at this launch: Elastic IPv6 Addresses, VGW/VPN Connections, Amazon VPC Endpoints, customer-provided IPv6 CIDR blocks
Instance Types That Support IPv6
• Instance types:
• C3, C4, C5, M4, T2, I2, I3, D2, R3, R4, X1, P2, F1
• And all new instances to come
• Purchase options:
• On-demand instances
• Reserved instances
• Spot instances (Spot Fleet will come soon)
Regions
• IPv6 in Amazon VPC is now available in the US-East-2 (Ohio) region
• All other commercial regions (except China) and the AWS GovCloud (US) Region are coming soon!
Recommended Sessions
• 4:00pm today (12/1) – NET204: IPv6 in the Cloud: Protocol and AWS Service Overview
• 9:30am tomorrow (12/2) – NET303: NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud
Remember to complete your evaluations!
Thank you!