This document provides an overview of AWS networking fundamentals including VPC concepts such as IP addressing, subnets, routing, security groups, and connecting VPCs. It discusses choosing IP address ranges and creating subnets across availability zones. It also covers routing and traffic flow, DNS options, network security using security groups and network ACLs, and VPC flow logs. Methods for connecting VPCs like VPC peering, Transit Gateway, VPN connections, and Direct Connect are also summarized.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS networking fundamentals
Carl Johnson
Solutions Architect
Amazon Web Services
S V C 3 0 4

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
?

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Let’s take a closer look
AWS Region
Availability Zone 2Availability Zone 1
Private subnet Private subnet
Public subnet Public subnet
VPC CIDR 10.1.0.0/16 + Expand + IPv6
Amazon VPC
Amazon EC2
InstanceB
10.1.1.11/24
InstanceA
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
Internet
Amazon S3 Amazon
DynamoDB
AWS Lambda Amazon SQS Amazon SNS
AWS IoT

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Woah, hold up…

5. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
IP addressing Creating subnets Routing in a VPC Security
VPC concepts & fundamentals
DNS in-VPC with
Amazon Route
53

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Choosing an IP address range

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Choosing an IP address range for your VPC
172.31.0.0/16
Recommended: RFC1918
range
Recommended:
/16
(65,536 addresses)
Avoid ranges that overlap with
other networks to which you
might connect

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Creating subnets in a VPC

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR
• Fixed sizes for VPC and subnets:
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
• /64 subnets (18,446,744,073,709,551,616 addresses)

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c
2600:1f16:14d:6300::/56
2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64
+ Expand

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Routing in a VPC

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• But, you can create and assign different route tables to different subnets

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Traffic destined for my VPC
stays in my VPC

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
DNS in a VPC

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC DNS options
Use Amazon DNS server
Have EC2 auto-assign DNS
hostnames to instances

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Route 53 private hosted zones
Private Hosted Zone
example.demohostedzone.org →
172.31.0.99

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Route 53 Resolver for hybrid clouds
Route 53 Resolver
endpoints
Conditional forwarding
rules

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Flow LogsNetwork Access
Control List
Security Groups
Network security

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
“MyWebServers” security group
“MyBackends” security group
Allow only “MyWebServers”
Security groups follow application structure
Web Web Web Web
App App App
Internet
gateway

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Security groups example: Web servers
Allow HTTP traffic from anywhere

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Security groups example: Backends
Allow application traffic from
web servers only

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Network security
Flow LogsNetwork Access
Control List
Security Groups

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Security groups vs. NACLs
Security group Network ACL
Operates at instance level Operates at subnet level
Supports allow rules only Supports allow and deny rules
Is stateful: Return traffic is automatically allowed
regardless of any rules
Is stateless: return traffic must be explicitly allowed
by rules
All rules evaluated before deciding whether to allow
traffic
Rules evaluated in order when deciding whether to
allow traffic
Applies only to instances explicitly associated with
the security group
Automatically applies to all instances launched into
associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these
are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Network security
Flow LogsNetwork Access
Control List
Security Groups

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Flow Logs
AZ 2AZ 1
• Visibility
• Troubleshooting
• Analyze traffic
Amazon S3 Amazon CloudWatch Logs
VPC Flow Logs

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Flow Logs: Setup
VPC traffic metadata captured
in Amazon S3
or Amazon CloudWatch Logs

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Flow Logs format

30. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Internet
connectivity
Connecting to other
VPCs
Connecting to your on-
premises network
Connecting your VPC
or not

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Internet connectivity or not

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
Internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
IGW
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.1.0.0/16 Local
Destination Target
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Let’s take a closer look
Amazon
DynamoDB
AWS Lambda Amazon SQS Amazon SNS
AWS IoT

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Connecting to other VPCs
VPC peering Transit Gateway

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC peering
• Full private IP connectivity between
two VPCs
• Can peer VPCs across regions
• VPCs can be in different accounts
• VPC CIDR ranges must not overlap
10.0.0.0/16
10.2.0.0/16
10.1.0.0/16
10.3.0.0/16

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Establish a VPC peering: Initiate request
Step 1
Initiate peering
request
172.31.0.0/16 10.55.0.0/16

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Establish a VPC peering: Accept request
Step 1
Initiate peering
request
Step 2
Accept peering
request
172.31.0.0/16 10.55.0.0/16

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Establish a VPC peering: Create a route
Step 1
Initiate peering
request
Step 2
Accept peering
request
Step 3
172.31.0.0/16 10.55.0.0/16
Traffic destined for the peered VPC should
go to the peering

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC peering Transit Gateway
and beyond
Connecting to other VPCs

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPN connectionCustomer
gateway
Amazon VPC Amazon VPC
AWS Direct Connect
Gateway
VPC peering
VPC peering VPC peering
Amazon VPC Amazon VPCVPC peering
VPN
connection
VPN connection
VPC peering
Before Transit Gateway

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
1
3
2 4
B Local
A
C PCX-2
D PCX-3
E PCX-4
Destination Target
A B
C
D E
PCX-1

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Full mesh: How many Amazon VPC peering connections do
I need (full mesh)?
n(n-1)
2
VPC x 10

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Full mesh: How many Amazon VPC peering connections do
I need (full mesh)?
10(10-1)
2
VPC x 10

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Full mesh: How many Amazon VPC peering connections do
I need (full mesh)?
VPC x 10
45

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Full mesh: How many Amazon VPC peering connections do
I need (full mesh)?
100(100-1)
2
VPC x 100

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Full mesh: How many Amazon VPC peering connections do
I need (full mesh)?
VPC x 100
4500

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Static routes per Amazon
VPC route table
100
Amazon VPC peering
connections per Amazon VPC
125

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Transit
Gateway
Amazon VPCAmazon VPC
Amazon VPCAmazon VPC
Customer
gateway
VPN
connection
AWS Direct
Connect Gateway
(coming soon)
With Transit Gateway

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
B Local
0.0.0.0/0
Destination Target
A B
TGW
C
Transit
Gateway
1 2
3 4
TGW Route Table (s)
VPC A: Attachment 1
VPC B: Attachment 2
VPC C: Attachment 3
On premises: VPN 4
RT1
RT2
On premises
With Transit Gateway

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Attachment
The connection from an
Amazon VPC and
VPN to a Transit Gateway
Association
The route table used to route
packets coming from an
attachment (from an Amazon
VPC and VPN)
Propagation
The route table where the
attachments routes are
installed

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.1.0.0/16 Local
0.0.0.0/0 TGW
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.0.0.0/8 TGW
Transit Gateway route table (s)
Transit
Gateway

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
After: AWS Transit Gateway
X
Y
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.8.0.0/16 10.9.0.0/16
10.8.0.0/16 via X
10.9.0.0/16 via X
Transit Gateway route table (s)
Transit
Gateway

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.8.0.0/16 10.9.0.0/16
10.8.0.0/16 via X
10.9.0.0/16 via X
Propagation turned off, you can still
statically configure routes
Transit Gateway route table (s)
Transit
Gateway

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n p r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
OnpremisesfromQ
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
OnpremisesfromQ
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
OnpremisesfromQ
Llama from X
OnpremisesfromQ
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Transit Gateway route table (s)
Transit
Gateway

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n p r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
OnpremisesfromQ
Llama from X
OnpremisesfromQ
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRCLlama
DSTonpremises
Transit Gateway route table (s)
OnpremisesfromQ
OnpremisesfromQ
Transit
Gateway

56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n p r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
OnpremisesfromQ
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
OnpremisesfromQ
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
OnpremisesfromQ
Llama from X
OnpremisesfromQ
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRCLlama
DSTonpremises
Transit Gateway route table (s)
Transit
Gateway

57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n p r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
OnpremisesfromQ
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
OnpremisesfromQ
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
OnpremisesfromQ
Llama from X
OnpremisesfromQ
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRC:Barry
DSTon-premises
Transit Gateway route table (s)
Transit
Gateway

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Llama
X
Y
Z
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
O n p r e m i s e s
Q
RT1
RT2
RT3
Associations
RT1
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
OnpremisesfromQ
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
172.16.0.0/16 via Q
Associations
RT2
Propagations
OnpremisesfromQ
Barry from ZBarry from Z
Routes
172.16.0.0/16 via Q
10.3.0.0/16 via X
Associations
RT3
Propagations
OnpremisesfromQ
Llama from X
OnpremisesfromQ
Pegasus from Y
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via ZBarry from Z
172.16.0.0/16
172.16.0.0/16 via Q
Packet
SRCBarry
DSTon
premises
Transit Gateway route table (s)
Transit
Gateway

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
After: AWS Transit Gateway – Console

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Unicorn TGW
This TGW is Awesome
After: AWS Transit Gateway – Console

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
After: AWS Transit Gateway – Console

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Transit Gateways per account /
Transit Gateways attachments per
Amazon VPC
5
Maximum burstable
bandwidth per attachment
50 Gbps

63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Maximum bandwidth per VPN
connection
1.25 Gbps
*With ECMP, you can distribute traffic over multiple tunnels,
e.g., 8 tunnels = 10 Gbps
*

64. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Routes per
Transit Gateway
10,000
Number of Transit Gateway
attachments per region per account
5,000
!!!

65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Cross region connectivity?
Transit Gateway is a region-level
construct today

66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Connecting to on-premises
networks:
AWS VPN AWS Direct Connect

67. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
On premises
IPsec Tunnel 1 - Primary
IPsec Tunnel 2- Secondary
Virtual private
gateway
VGW
IPsec tunnel over
the internet
Customer gateway
CGW
Internet

68. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
On premises
IPsec Tunnel 1 - Primary
IPsec Tunnel 2- Secondary
IPsec tunnel over
the internet
Internet
Transit
Gateway
Customer gateway
CGW

69. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Attachment
to Amazon
VPC
TLS-based tunnel
over the internet
User with open
VPN client
Client VPN
endpoint
Client
Internet
On premises
Amazon S3 Amazon
DynamoDB

70. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Connecting to on-premises
networks
AWS VPN AWS Direct Connect

71. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect—What ’s that?
AWS Region
On premises
AWS Direct Connect location
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Private VIF
Public VIF
VGW

72. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect—What ’s that?
AWS Region
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
Public VIF
10.2.0.0/16
VGW
VGW
Private VIF

73. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect Gateway
AWS Region
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
O n e p r i v a t e V I F → M a n y V P C s
AWS Direct
Connect
Gateway

74. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect Gateway
AWS Region 1
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
O n e p r i v a t e V I F → M a n y V P C s
AWS Region 2
AWS Direct
Connect
Gateway

75. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
Service Provider
Network
AWS Direct Connect Gateway
AWS Account 1
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
O n e p r i v a t e V I F → M a n y V P C s
AWS Account 2
AWS Direct
Connect
Gateway
Multi-account DX Gateway
NEW

76. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
New partner connection speeds
1 , 2 , 5 , o r 1 0 G b p s o f c a p a c i t y
https://amzn.to/2YtGNue
Also NEW

77. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

78. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC sharing VPC endpoints and
AWS PrivateLink
…more AWS networking

79. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon VPC sharing
Before

80. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
L l a m a
10.3.0.0/16
P e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n a
10.6.0.0/16
S t e v e
10.5.0.0/16
S u e
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

81. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon VPC sharing
After

82. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
L l a m a
10.3.0.0/16
P e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n a
10.6.0.0/16
S t e v e
10.5.0.0/16
S u e
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

83. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
L l a m aP e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n aS t e v eS u e
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4
Owner
Participant
Owner
Participant Participant
Participant

84. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon VPC owners are responsible for creating, managing, and
deleting all VPC level entities.
Amazon VPC owners cannot modify or delete participant
resources.
Amazon VPC owner

85. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Participants that are in a shared Amazon VPC are responsible for the creation,
management and deletion of their resources including Amazon Elastic Compute Cloud
(Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) databases,
and load balancers.
However, they cannot modify any Amazon VPC-level entities including route tables,
network ACLs, or subnets (or view / modify resources belonging to other participants).
Amazon VPC participant

86. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Why use multiple accounts?

87. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Why use Amazon VPC sharing?
Preser ve IP space
Use fewer IPv4 CIDRs
Interconnectivity
No VPC peering required
B i l l i n g a n d s e c u r i t y
C o n t i n u e t o e n j o y s e g r e g a t i o n
w i t h m u l t i p l e a c c o u n t s
S e p a ra t i o n o f d u t i e s
c e n t ra l t e a m c a n c r e a t e a n d m a n a g e
y o u r A m a z o n V P C
S a m e A Z c o s t f o r d a t a t ra n s f e r i s n i l !

88. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC endpoints
Interface VPC
endpoints
Gateway VPC
endpoints
AWS
PrivateLink

89. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
Internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
IGWVPCE
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
Destination Target
10.1.0.0/16 Local
DDB.prefix.list VPCE-123
Destination Target
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Amazon
DynamoDB
VPCE =
Virtual Private Endpoint
(Type: Gateway)

90. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC endpoints
Interface VPC
endpoints
Gateway VPC
endpoints
AWS
PrivateLink

91. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon API Gateway
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS Config
Amazon EC2 API
Elastic Load Balancing API
AWS Key Management Service
Amazon Kinesis Data Streams
Amazon SageMaker Runtime
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
AWS Systems Manager
NAT
InstanceB
10.1.1.11/24
NAT-GW
AWS Region
Availability Zone 2Availability Zone 1
Private subnet Private subnet
Public subnet
InstanceA
Public subnet
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
22+ services now
supported over AWS
PrivateLink
ec2.eu-west-1.amazonaws.com
ENI1: 10.1.0.15
ENI2: 10.1.1.23
ec2.eu-west-1.amazonaws.com
ENI1: 10.1.0.15
ENI2: 10.1.1.23
AWS PrivateLink can reach
public services, privately
from your VPC
No routes needed!
(almost)
10.1.0.0/16 Local
Destination Target
10.1.0.0/16 Local
Destination Target
+ More

92. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
How it works
AWS PrivateLink
Type: Gateway
Type: Interface

93. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC endpoints
Interface VPC
endpoints
Gateway VPC
endpoints
AWS
PrivateLink

94. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
And now AWS PrivateLink
for service providers
Customer VPC
Service provider VPC
Application, e.g., SaaS
NLB
AWS
PrivateLink
VPC Endpoint: vpce-2222.foo.amazon.com

95. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

96. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
VGW
VPC
Peering
VPC
Flow Logs
VPN
Internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
DXGW
+ Expand + IPv6
IGWVPCE
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
Intra or
Inter
region
10.1.0.0/16 Local
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
AWS PrivateLink
Service Provider VPC
NLB
On premises
VPC-B
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Let’s take a closer look
Amazon
DynamoDB
AWS Lambda
AWS Direct
Connect
Amazon SQS Amazon SNS
AWS IoT
Amazon
CloudWatch
AWS
PrivateLink
Transit
Gateway
Onpremises
AWS PrivateLink
Enabled Services
Other Routes TGW
Other Routes TGW
Amazon S3

97. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Matt Lehwess
mlehwess@amazon.com