VPC and DX PoP @ HKG

Date post: 22-Feb-2017
Page 1: VPC and DX PoP @ HKG

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

VPC and DX PoP @ HKG

Ken Chan, Product Business Development Manager, Greater China
[email protected]

Page 2: VPC and DX PoP @ HKG

Customers have Data Centers


Page 3: VPC and DX PoP @ HKG

The journey to AWS is a well-trodden path

Stages on the slide, numbered 1 to 4: Development & Test; New Applications (Digital, Analytics / Big Data, Mobile); All Together (DC Migration, Mission-Critical Apps); All In.

Hybrid

Page 4: VPC and DX PoP @ HKG

Integrating AWS with existing On-Premises Infrastructure

• Integrated networking
• Integrated access control and VDI
• Integrated storage and backups and DR
• Integrated Management

Figure labels: 10.0.100.0, 10.0.200.0, App 1, Microsoft Active Directory, Custom LDAP, AWS Directory Service, Amazon WorkSpaces, AWS Storage Gateway, Amazon S3 (11 9's durability)

Page 5: VPC and DX PoP @ HKG

Marketplace

Page 6: VPC and DX PoP @ HKG

Create VPC

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b

Page 7: VPC and DX PoP @ HKG

Launch EC2 Instances

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B, three instances per subnet)

aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3

Page 8: VPC and DX PoP @ HKG

Establish Public Connectivity

aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f

Your default VPC is already configured this way.

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B, with an Internet gateway attached)

Page 9: VPC and DX PoP @ HKG

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

Page 10: VPC and DX PoP @ HKG

I love VPC, what about … ?

• Security?
• Connectivity options?
• DMZ / no Internet?

Page 11: VPC and DX PoP @ HKG

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

Page 12: VPC and DX PoP @ HKG

VPC Endpoints for Amazon S3: Getting to Amazon S3 without the Internet

Page 13: VPC and DX PoP @ HKG

Amazon S3 without an Internet Gateway

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B reaching Amazon S3 through a VPC endpoint, no Internet gateway)

Page 14: VPC and DX PoP @ HKG

Setting up an Amazon S3 endpoint

aws ec2 create-vpc-endpoint --vpc-id vpc-c15180a4 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-ef36e58a

Page 15: VPC and DX PoP @ HKG

Routes: Amazon S3 Connectivity

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a

Routes
DestinationCidrBlock   DestinationPrefixListId   GatewayId
10.10.0.0/16                                     local
                       pl-68a54001               vpce-a610f4cf

Page 16: VPC and DX PoP @ HKG

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

Page 17: VPC and DX PoP @ HKG

Managed NAT Gateways

Network Address Translation Gateway for AWS

Page 18: VPC and DX PoP @ HKG

Managed NAT Gateways in VPC
• How do these features work? – New architecture implementations

Managed NAT Gateways
• 1 managed NAT per AZ
• No downtime in case of failure – AWS managed availability

Note:
• NAT Gateways exist within a public subnet (or rather their ENIs do)

Page 19: VPC and DX PoP @ HKG

(Figure: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

Page 20: VPC and DX PoP @ HKG

VPC Peering: Getting between VPCs without the Internet

Page 21: VPC and DX PoP @ HKG

Shared Services VPC using VPC peering

• Common/Core Services
  – Authentication/directory
  – Monitoring
  – Logging
  – Remote administration
  – Scanning

Page 22: VPC and DX PoP @ HKG

VPC peering for VPC-to-VPC Connectivity

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
VPC A> aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
VPC B> aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87

(Figure: VPC A 10.10.0.0/16, vpc-c15180a4, subnet 10.10.1.0/24 in AZ A; VPC B 10.20.0.0/16, vpc-062dfc63, subnet 10.20.1.0/24 in AZ A)

Page 23: VPC and DX PoP @ HKG

VPC peering Across Accounts

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87

(Figure: VPC A 10.10.0.0/16, vpc-c15180a4, subnet 10.10.1.0/24 in AZ A; VPC B 10.20.0.0/16, vpc-062dfc63, subnet 10.20.1.0/24 in AZ A, Account ID 472752909333)

Page 24: VPC and DX PoP @ HKG

VPN and AWS Direct Connect: Getting between VPC and your data center

Page 25: VPC and DX PoP @ HKG

Simplify with AWS Direct Connect

AWS Direct Connect Private Virtual Interface (PVI) connects to the VGW on the VPC
• 1 PVI per VPC
• 802.1Q VLAN tags isolate traffic across AWS Direct Connect

Private fiber connection: one or multiple 50 – 500 Mbps, 1 Gbps or 10 Gbps pipes

(Figure: customer data center, AWS Direct Connect location, AWS region with Prod, QA and Dev VPCs and a public-facing web app)

Page 26: VPC and DX PoP @ HKG

At the Direct Connect location

(Figure labels: customer's network (CORP), customer router, demarcation, customer router in colocation at the DX location, cross-connect, AWS Direct Connect routers, AWS backbone network)

Page 27: VPC and DX PoP @ HKG

Dedicated port through Direct Connect partner

(Figure labels: customer's network (CORP), customer router, access circuit, demarcation, partner network, partner equipment in colocation at the DX location, cross-connect, AWS Direct Connect routers, AWS backbone network)

Page 28: VPC and DX PoP @ HKG

Multiple VPCs over AWS Direct Connect

Customer switch + router (Customer Internal Network) carries VLAN 101, VLAN 102 and VLAN 103 over the connection; each VLAN terminates on its own Private Virtual Interface and VGW.

VLAN 101
  Customer Interface 0/1.101: BGP ASN 65001, announces Customer Internal, interface IP 169.254.251.6/30
  Private Virtual Interface 1: BGP ASN 7224, announces 10.1.0.0/16, interface IP 169.254.251.5/30, to VGW 1 / VPC 1 (10.1.0.0/16)

VLAN 102
  Customer Interface 0/1.102: BGP ASN 65002, announces Customer Internal, interface IP 169.254.251.10/30
  Private Virtual Interface 2: BGP ASN 7224, announces 10.2.0.0/16, interface IP 169.254.251.9/30, to VGW 2 / VPC 2 (10.2.0.0/16)

VLAN 103
  Customer Interface 0/1.103: BGP ASN 65003, announces Customer Internal, interface IP 169.254.251.14/30
  Private Virtual Interface 3: BGP ASN 7224, announces 10.3.0.0/16, interface IP 169.254.251.13/30, to VGW 3 / VPC 3 (10.3.0.0/16)

Route Table
Destination   Target
10.1.0.0/16   PVI 1
10.2.0.0/16   PVI 2
10.3.0.0/16   PVI 3

Page 29: VPC and DX PoP @ HKG

Public AWS + VPCs over AWS Direct Connect

Customer internal network with VLAN 101, VLAN 102 and VLAN 103 to VGW 1 / VPC 1 (10.1.0.0/16), VGW 2 / VPC 2 (10.2.0.0/16) and VGW 3 / VPC 3 (10.3.0.0/16) as on the previous slide, plus a public virtual interface:

VLAN 501
  Customer Interface 0/1.501: BGP ASN 65501 (or public), announces Customer Public, interface IP: public /30 provided
  Public Virtual Interface 1: BGP ASN 7224, announces AWS regional public CIDRs, interface IP: public /30 provided, to public AWS regions (for S3)

Route Table
Destination   Target
10.1.0.0/16   PVI 1
10.2.0.0/16   PVI 2
10.3.0.0/16   PVI 3
Public AWS    PVI 5

Page 30: VPC and DX PoP @ HKG

Dedicated 1G or 10G port

Page 31: VPC and DX PoP @ HKG

AWS Direct Connect Requirements
• 1 Gbps: 1000BASE-LX (1310nm) over single-mode fiber (SMF)
• 10 Gbps: 10GBASE-LR (1310nm) over single-mode fiber (SMF)
• Single Connector (SC)
• 802.1Q VLAN tags
• Auto-negotiation is off
• Full duplex. Speed is 1 Gbps
• Cannot downgrade to 100 Mbps
• Private
  • AWS will allocate private IPs (/30) in the 169.x.x.x range for the BGP session and will advertise the VPC CIDR block over BGP
• Public
  • A public or private ASN. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 65000 range
  • Public IPs (/30) allocated by you for the BGP session
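The per-VLAN BGP parameters from the "Multiple VPCs over AWS Direct Connect" slide, checked against the requirements above, as an added example that is not part of the deck. The VIF table is transcribed from the slide; the check functions and the private ASN range (the standard 16-bit range 64512-65534, which contains the slide's 65001-65003 and 65501) are this example's own assumptions.

```python
from ipaddress import ip_interface, ip_network

AWS_ASN = 7224                         # AWS-side ASN shown on the slides
LINK_LOCAL = ip_network("169.254.0.0/16")
PRIVATE_ASNS = range(64512, 65535)     # 16-bit private ASN range (RFC 6996); an assumption, see lead-in

# Per-VLAN parameters transcribed from the "Multiple VPCs over AWS Direct Connect" slide.
PVIS = [
    {"vif": 1, "vlan": 101, "aws_asn": 7224, "aws_ip": "169.254.251.5/30",
     "cust_asn": 65001, "cust_ip": "169.254.251.6/30", "vpc_cidr": "10.1.0.0/16"},
    {"vif": 2, "vlan": 102, "aws_asn": 7224, "aws_ip": "169.254.251.9/30",
     "cust_asn": 65002, "cust_ip": "169.254.251.10/30", "vpc_cidr": "10.2.0.0/16"},
    {"vif": 3, "vlan": 103, "aws_asn": 7224, "aws_ip": "169.254.251.13/30",
     "cust_asn": 65003, "cust_ip": "169.254.251.14/30", "vpc_cidr": "10.3.0.0/16"},
]

def check_pvi(p):
    """Problems with one private virtual interface; an empty list means it is consistent."""
    problems = []
    aws, cust = ip_interface(p["aws_ip"]), ip_interface(p["cust_ip"])
    if not 1 <= p["vlan"] <= 4094:
        problems.append("VLAN tag outside the 802.1Q range 1-4094")
    if aws.network.prefixlen != 30 or cust.network.prefixlen != 30:
        problems.append("BGP peering addresses must be a /30")
    if aws.network != cust.network:
        problems.append("AWS and customer addresses are not in the same /30")
    if aws.ip not in LINK_LOCAL:
        problems.append("private VIF peering address is not in the 169.254.0.0/16 range")
    if {aws.ip, cust.ip} != set(aws.network.hosts()):
        problems.append("peering addresses are not the two usable hosts of the /30")
    if p["aws_asn"] != AWS_ASN:
        problems.append(f"AWS side ASN should be {AWS_ASN}")
    if p["cust_asn"] not in PRIVATE_ASNS:
        problems.append("customer ASN is not private; a public ASN must be one you own")
    return problems

def check_all(pvis):
    """check_pvi for each VIF plus the constraints that hold across one connection."""
    report = {p["vif"]: check_pvi(p) for p in pvis}
    shared = []
    vlans = [p["vlan"] for p in pvis]
    if len(set(vlans)) != len(vlans):
        shared.append("VLAN tags must be unique on a connection")
    nets = [ip_network(p["vpc_cidr"]) for p in pvis]
    for i, net in enumerate(nets):
        if any(net.overlaps(other) for other in nets[i + 1:]):
            shared.append(f"VPC CIDR {net} overlaps another VPC routed over the same router")
    report["connection"] = shared
    return report

def is_clean(report):
    """True when no VIF and no connection-wide check reported a problem."""
    return all(not problems for problems in report.values())
```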

Page 32: VPC and DX PoP @ HKG

Getting Started with DX

Page 33: VPC and DX PoP @ HKG

Create Connection to issue LOA

Page 34: VPC and DX PoP @ HKG

LOA

Pass this LOA to our DX partner to get cross connection setup

Page 35: VPC and DX PoP @ HKG

VPN Connection

(Figure: Corporate Data Center connected by VPN to VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1

Page 36: VPC and DX PoP @ HKG

Using AWS Direct Connect

(Figure: Corporate Data Center connected by AWS Direct Connect, with a redundant VPN connection, to VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B)

aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

Page 37: VPC and DX PoP @ HKG

Remote Connectivity Best Practices

Availability: Good

(Figure: Corporate Data Center with one VPN connection, running BGP, to two Availability Zones)

Each VPN connection consists of 2 IPsec tunnels. Use Border Gateway Protocol (BGP) for failure recovery.

Page 38: VPC and DX PoP @ HKG

Remote Connectivity Best Practices

Availability: Better

(Figure: Corporate Data Center with a pair of VPN connections, BGP on each, to two Availability Zones)

A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.

Page 39: VPC and DX PoP @ HKG

Remote Connectivity Best Practices

Availability: Best

(Figure: Corporate Data Center with redundant AWS Direct Connect connections and VPN backup, BGP on each, to two Availability Zones)

Redundant AWS Direct Connect connections with VPN backup.

Page 40: VPC and DX PoP @ HKG

Putting it all together: what does VPC look like for a typical enterprise hybrid architecture?

Page 41: VPC and DX PoP @ HKG

(Figure: typical enterprise hybrid architecture across Availability Zone 1a and Availability Zone 1b. Internal customers on-premise in HKG reach AWS over a DX connection carrying VLAN 101, VLAN 102 and VLAN 103, and reach the AWS API over the Internet. Shared Services (AD, DNS; Monitoring, Logging) are connected by VPC Peering to application VPCs with private subnets: Apps 1 (VPC CIDR 10.1.0.0/16), Apps 2 (VPC CIDR 10.2.0.0/16), Apps 3 (VPC CIDR 10.3.0.0/16). Also shown: VPC CIDR 172.1.0.0/16, VPC CIDR 172.2.0.0/16, Symantec DPM.)

Page 42: VPC and DX PoP @ HKG

I love AWS, what about … ?

• Hybrid management?
• Migration?
• Reliability? Scalability?
• Availability? Performance?
• Support? Skills to adopt quickly?
• Security? Compliance and audit?

Page 43: VPC and DX PoP @ HKG

Architected for Enterprise Security Requirements

• Certifications and accreditations for workloads that matter
• AWS CloudTrail - AWS API call logging for governance & compliance
  – Stores data in S3, or archive to Glacier
  – Log and review user activity

Page 44: VPC and DX PoP @ HKG

You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you.

(Figure labels: Redshift, AWS CloudFormation, AWS Elastic Beanstalk, AWS CloudTrail)

Page 45: VPC and DX PoP @ HKG

Using CloudWatch and AWS CloudTrail for Real-time Alert

You are making API calls... on a growing set of AWS services around the world... CloudTrail is continuously recording API calls and delivering them to an Amazon S3 bucket, from which you can store/archive, troubleshoot, and monitor and alarm.

(Figure labels: Amazon Elastic Block Store (Amazon EBS), Amazon S3 bucket)

Page 46: VPC and DX PoP @ HKG

Using CloudWatch and VPC Flow Logs for Real-time Alert

(Figure: an Elastic Network Interface of a compliance app in a private subnet publishes VPC Flow Logs to a CloudWatch Logs Flow Log group; a metric filter matches all SSH REJECT records; a CloudWatch alarm, "if SSH REJECT > 10, then…", notifies Amazon SNS and triggers AWS Lambda; the source IP is carried along)
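The alarm pipeline on this slide, as an added example that is not part of the deck: the metric filter ("all SSH REJECT") and the alarm condition ("> 10") are re-implemented in Python over constructed VPC Flow Log records so the logic can be checked offline. The sample records, the ENI id and the account id are constructed, not from the page; the field order is the default VPC Flow Log record layout.

```python
from collections import Counter

# Default VPC Flow Log record layout (space separated, 14 fields).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): twelve rejected SSH attempts from
# 198.51.100.7, one accepted SSH session, one rejected RDP flow (must not count),
# one rejected SSH from a second source, and a NODATA line that must be skipped.
SAMPLE_FLOW_LOG = "\n".join(
    [f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.25 {40000 + i} 22 6 1 44 "
     f"1488240000 1488240060 REJECT OK" for i in range(12)]
    + ["2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 51515 22 6 20 1800 1488240000 1488240060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.25 51516 3389 6 1 44 1488240000 1488240060 REJECT OK",
       "2 123456789012 eni-0a1b2c3d 198.51.100.8 10.10.1.25 51517 22 6 1 44 1488240000 1488240060 REJECT OK",
       "2 123456789012 eni-0a1b2c3d - - - - - - - 1488240000 1488240060 - NODATA"])

def parse_flow_log(text):
    """Yield one dict per complete record with log-status OK; skip NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec

def is_ssh_reject(rec):
    """The slide's metric filter: TCP (protocol 6) to port 22 that the SG/NACL rejected.
    The equivalent CloudWatch Logs filter pattern is
    [version, account, eni, source, destination, srcport, destport="22",
     protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]"""
    return rec["action"] == "REJECT" and rec["protocol"] == "6" and rec["dstport"] == "22"

def ssh_reject_counts(text):
    """Count matching records per source IP, the dimension the slide alarms on."""
    return Counter(r["srcaddr"] for r in parse_flow_log(text) if is_ssh_reject(r))

def sources_over_threshold(text, threshold=10):
    """Source IPs whose SSH REJECT count exceeds the threshold ("> 10" on the slide)."""
    return sorted(ip for ip, n in ssh_reject_counts(text).items() if n > threshold)

if __name__ == "__main__":
    for ip in sources_over_threshold(SAMPLE_FLOW_LOG):
        print(f"ALARM: {ip} exceeded the SSH REJECT threshold")   # what SNS/Lambda would receive
```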

Page 47: VPC and DX PoP @ HKG

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

Page 48: VPC and DX PoP @ HKG

AWS Config (continued)

Page 49: VPC and DX PoP @ HKG

Built-In Firewall: Security Groups and NACLs

• VPC Security Groups (mandatory)
  – Instance level, stateful
  – Supports ALLOW rules only
  – Default deny inbound, allow outbound
• VPC NACLs (optional)
  – Subnet level, stateless
  – Supports ALLOW and DENY
  – Default allow all
  – Use as guard rails (port 135, 21, 23…)
• EC2 dedicated instances also available
• No additional cost for SGs/NACLs: $0

(Security Group Functional Diagram: physical interfaces, hypervisor, firewall, virtual interfaces; Customer 1, Customer 2 … Customer n, each with their own Security Groups; Amazon VPC)
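A small model of the two layers listed above, as an added example that is not part of the deck: a stateful, ALLOW-only security group next to a stateless, numbered ALLOW/DENY network ACL, exercised on constructed packets to show why the NACL needs an explicit ephemeral-port rule for replies and how a NACL DENY acts as the guard rail the slide describes even when a security group is over-permissive. The rule tuple shapes and the sample rules are this example's own assumptions, not the EC2 API.

```python
from ipaddress import ip_address, ip_network

def _match(proto, port, addr, rule):
    """rule = (proto or 'all', (low, high) destination port range, CIDR of the remote side)."""
    r_proto, (low, high), cidr = rule
    return r_proto in ("all", proto) and low <= port <= high and ip_address(addr) in ip_network(cidr)

class SecurityGroup:
    """Instance level, stateful, ALLOW rules only (no DENY, no rule numbers)."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()   # (remote_addr, remote_port, local_port) of flows already allowed

    def allows(self, direction, remote, remote_port, local_port, proto="tcp"):
        """Allowed if a rule matches or the reverse direction of this flow was already allowed."""
        key = (remote, remote_port, local_port)
        if key in self.flows:
            return True
        port = local_port if direction == "in" else remote_port   # rules match the destination port
        if any(_match(proto, port, remote, r) for r in self.rules[direction]):
            self.flows.add(key)
            return True
        return False

class NetworkAcl:
    """Subnet level, stateless: each direction is judged on its own, nothing is remembered."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}   # (number, action, proto, ports, cidr)

    def allows(self, direction, remote, dest_port, proto="tcp"):
        """Lowest rule number first, first match wins, ALLOW or DENY; no match means deny."""
        for _number, action, r_proto, ports, cidr in self.rules[direction]:
            if _match(proto, dest_port, remote, (r_proto, ports, cidr)):
                return action == "allow"
        return False

def session_allowed(sg, nacl, client, client_port, service_port):
    """The client's SYN into the instance and the instance's reply must both pass both layers."""
    syn = nacl.allows("in", client, service_port) and sg.allows("in", client, client_port, service_port)
    reply = sg.allows("out", client, client_port, service_port) and nacl.allows("out", client, client_port)
    return syn and reply

# Constructed rules (assumptions, not from the slides). The SG is over-permissive on
# telnet; the NACL denies telnet as a guard rail and, being stateless, must allow the
# ephemeral port range outbound or the instance's replies never leave the subnet.
SG = SecurityGroup(inbound=[("tcp", (22, 22), "10.0.0.0/8"), ("tcp", (23, 23), "10.0.0.0/8")],
                   outbound=[("tcp", (443, 443), "0.0.0.0/0")])
NACL = NetworkAcl(inbound=[(100, "allow", "tcp", (22, 22), "10.0.0.0/8"),
                           (110, "deny", "tcp", (23, 23), "0.0.0.0/0"),
                           (120, "allow", "all", (0, 65535), "0.0.0.0/0")],
                  outbound=[(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")])
```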

Page 50: VPC and DX PoP @ HKG

Dedicated Hosts are also available!

Page 51: VPC and DX PoP @ HKG

World Class Storage Systems: Amazon EBS

• Increased performance and capacity of General Purpose (SSD) and Provisioned IOPS (SSD) volumes + encryption using AWS KMS

AWS EBS Volume Types                Capacity               IOPS                             Throughput
Amazon EBS General Purpose (SSD)    16 TB (up from 1 TB)   10000 IOPS (up from 3000 IOPS)   160 MB/s *
Amazon EBS Provisioned IOPS (SSD)   16 TB (up from 1 TB)   20000 IOPS (up from 4000 IOPS)   320 MB/s *

Page 52: VPC and DX PoP @ HKG

You can store your encryption keys in AWS CloudHSM

Tamper-resistant, customer-controlled hardware security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication with on-premise HSMs

Reliable & durable key storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs and AWS SDKs
• Integration with marketplace disk-encryption and SSL

Page 53: VPC and DX PoP @ HKG

AWS IAM (Identity and Access Management)

• Various authentication tokens issued for each user
  – Access key and secret key for authentication upon use of SDKs
  – Security certificate (X.509)
  – Login password for the AWS Management Console
  – Multi-Factor Authentication (MFA) device, for providing an additional level of security for the Management Console

(Figure labels: AWS, Developers, O&M)

Page 54: VPC and DX PoP @ HKG

AWS IAM (Identity and Access Management), continued

Authorizes every request from the API and the Management Console

Administrator group: all operations granted
Developer group: all S3 operations granted
O&M group: S3 read-only access granted

Page 55: VPC and DX PoP @ HKG

AWS Directory Services

New directory in AWS: Simple AD, based on Samba 4
Connect existing directory to AWS: AD Connector, a custom federation proxy to the on-premises directory over DX

(Figure label: Directory Connect)

Page 56: VPC and DX PoP @ HKG

Broad Set of Compute Instance Types …

X1 Memory Optimized Instances
• x1.32xlarge: vCPU = 128, 2 TB RAM
• Intel® Xeon E7-8880 v3 (Haswell) processors. This custom processor, designed specifically for EC2
• Supports Enhanced Networking (SR-IOV)
• I/O performance: very high (20 Gigabit Ethernet) via ENA

P2 GPU Instances
• p2.16xlarge: vCPU = 16, 732 GB RAM
• Intel® Xeon® E5-2686 v4 (Broadwell) processors
• NVIDIA K80 GPU: 16 x NVIDIA GPUs, 2496 cores, 12 GB memory, GPU P2P
• Supports Enhanced Networking (SR-IOV)
• I/O performance: very high (20 Gigabit Ethernet) via ENA

Page 57: VPC and DX PoP @ HKG

High Availability across data centers: Multi-AZ

(Figure: Region with Availability Zone A and Availability Zone B)

Amazon EC2 SLA 99.95%
Amazon RDS SLA 99.95% for Multi-AZ

Page 58: VPC and DX PoP @ HKG

AWS Service Health Dashboard: Reliability Track Record

• Real-time updates – http://status.aws.amazon.com/

Page 59: VPC and DX PoP @ HKG

Control and rich console services

Page 60: VPC and DX PoP @ HKG

AWS Management Portal for vCenter. VM Import/Export is also available for vmdk, vhd and ova.

Page 61: VPC and DX PoP @ HKG

VMWare on AWS Partnership

Page 62: VPC and DX PoP @ HKG

AWS Application Discovery Services

Page 63: VPC and DX PoP @ HKG

Amazon Database Migration Services (DMS)

(Figure labels: Customer premises, Application users, AWS, AWS DMS, AWS DX)

• Start a replication instance
• Connect to source and target databases
• Select tables, schemas, or databases
• Let AWS DMS create tables, load data, and keep them in sync
• Switch applications over to the target at your convenience

Page 64: VPC and DX PoP @ HKG

Amazon Server Migration Services (SMS)

Page 65: VPC and DX PoP @ HKG

Amazon EC2 Systems Manager (Manage Hybrid Environment)

Capabilities: Run Command, Maintenance Window, Inventory, State Manager, Parameter Store, Patch Manager, Automation. Grouped on the slide as: Deploy, Configure, and Administer; Track and Update; Shared Capabilities.

Page 66: VPC and DX PoP @ HKG

AWS provides a rich set of APIs for any programming platform or language

Support for many language stacks and tools: Android, iOS, Java, Node.js, .NET, PHP, Python, Ruby

and specialized cloud tools integrated in your development environment: Eclipse, Visual Studio, CLI, PowerShell

Page 68: VPC and DX PoP @ HKG

AWS is ready to serve you!

• AWS Instructor-Led Training Courses
• 24x7 AWS Business and Enterprise Support
• AWS Professional Services
  – Cloud Adoption Framework
  – Architecture Jumpstart
  – Application Portfolio Assessment
  – Security Operations Playbook
  – Resident Architect

Page 69: VPC and DX PoP @ HKG

Remember to complete your evaluations!

Page 70: VPC and DX PoP @ HKG

Thank you

Ken Chan, Product Business Development Manager, Greater China
[email protected]