Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this talk, we discuss advanced tasks in Amazon VPC, including the implementation of VPC peering, the creation of multiple network zones, the establishment of private connections, and the use of multiple routing tables. We also provide information for current Amazon EC2-Classic network customers and help you prepare to adopt Amazon VPC.
2. Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
• ARC205 – VPC Fundamentals and Connectivity
• ARC401 – Black Belt Networking for Cloud Ninja
– Application centric, network monitoring, management, floating IPs
• ARC403 – From One to Many: Evolving VPC Design
• SDD302 – A Tale of One Thousand Instances
– Example of EC2-Classic customer adopting VPC
• SDD419 – Amazon EC2 Networking Deep Dive
– Network performance, placement groups, enhanced networking
8. VPC connectivity: TL;DR
• Most common case: Internet connectivity
– Automatically enabled for default VPCs: You do nothing
– Easy to enable for non-default VPCs: You do a little bit
• There are many options, but they are optional!
11. Routes: Local connectivity
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
+------------------------+--------------+--------+
| Routes                                         |
+------------------------+--------------+--------+
| DestinationCidrBlock   | GatewayId    | State  |
+------------------------+--------------+--------+
| 10.10.0.0/16           | local        | active |
+------------------------+--------------+--------+
Traffic to the VPC’s range stays in the VPC
12. Establish public connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Your default VPC is already configured this way
13. Routes: Internet connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
+------------------------+--------------+--------+
| Routes                                         |
+------------------------+--------------+--------+
| DestinationCidrBlock   | GatewayId    | State  |
+------------------------+--------------+--------+
| 10.10.0.0/16           | local        | active |
| 0.0.0.0/0              | igw-5a1ae13f | active |
+------------------------+--------------+--------+
Everything not destined for my VPC goes to the Internet
21. The Amazon S3 Prefix List
aws ec2 describe-prefix-lists
+----------------+------------------------------+
| PrefixListId   | PrefixListName               |
+----------------+------------------------------+
| pl-68a54001    | com.amazonaws.us-west-2.s3   |
+----------------+------------------------------+
| Cidrs: 54.231.160.0/19                        |
+-----------------------------------------------+
IP range for Amazon S3: changes over time and is managed by AWS
22. IAM policy: Amazon S3 bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Only my VPC Endpoint can access this bucket",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::bucket-of-awesome",
        "arn:aws:s3:::bucket-of-awesome/*"
      ],
      "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" } }
    }
  ]
}
aws s3api put-bucket-policy --bucket bucket-of-awesome --policy file:///tmp/bucket_policy_for_vpce.json
In English: Deny access to this bucket to all but this VPC endpoint
23. IAM policy: VPC endpoint
{
  "Statement": [
    {
      "Sid": "Access to bucket-of-awesome",
      "Principal": "*",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-of-awesome",
        "arn:aws:s3:::bucket-of-awesome/*"
      ]
    }
  ]
}
aws ec2 create-vpc-endpoint --vpc-id vpc-c15180a4 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-ef36e58a --policy-document file:///tmp/vpce_policy_document.json
(command reconstructed from the fragments on the slide; the service name is the one shown on slide 21)
In English: This VPC endpoint is allowed only to Get/Put to bucket-of-awesome
VPC endpoint IAM policy can be modified after the fact.
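Added example (not from the deck): a simplified Python model of how the bucket policy on slide 22 and the endpoint policy on slide 23 combine for one request. It assumes a caller identity policy granting full access to the bucket (not shown on the slides) and models only Action/Resource wildcards, the aws:sourceVpce condition, and the "explicit Deny wins, otherwise every policy on the path must Allow" rule.

```python
# Added example (not from the slides): a simplified model of how the bucket policy
# (slide 22) and the endpoint policy (slide 23) combine. It covers only Action and
# Resource wildcards, the aws:sourceVpce StringNotEquals condition, and the rule
# "an explicit Deny wins; otherwise every policy on the path must Allow".
import fnmatch

BUCKET = ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"]
BUCKET_POLICY = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET,
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}}}]}
ENDPOINT_POLICY = {"Statement": [{"Effect": "Allow", "Resource": BUCKET,
    "Action": ["s3:GetObject", "s3:PutObject"]}]}
# Assumed caller identity policy (not on the slides): full access to the bucket.
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # StringNotEquals holds when the key is absent or differs, so a request that
    # never traversed the endpoint still matches the Deny statement
    for key, want in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if ctx.get(key) == want:
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def request_allowed(action, resource, source_vpce=None):
    """source_vpce=None models a request that did not come through any VPC endpoint."""
    ctx = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    identity = evaluate(IDENTITY_POLICY, action, resource, ctx)
    bucket = evaluate(BUCKET_POLICY, action, resource, ctx)
    # the endpoint policy is an extra gate only for traffic that used the endpoint
    endpoint = evaluate(ENDPOINT_POLICY, action, resource, ctx) if source_vpce else "Allow"
    if "Deny" in (identity, bucket, endpoint):
        return False
    # same-account access: identity policy or bucket policy must grant the action
    return "Allow" in (identity, bucket) and endpoint == "Allow"
```

Running the cases shows that only Get/Put through vpce-a610f4cf succeed; a different endpoint or the public Internet hits the bucket's Deny, and s3:ListBucket or s3:DeleteObject through the endpoint fail because the endpoint policy never allows them.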
29. VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
VPC A - 10.10.0.0/16 (vpc-c15180a4)
VPC B - 10.20.0.0/16 (vpc-062dfc63, Account ID 472752909333)
30. VPC peering – Additional considerations
• Security groups not supported across peerings
• Data transfer between VPCs metered at inter-AZ rate
• No “transit” capability for VPN, AWS Direct Connect, or third-party VPCs
• Peer VPC address ranges cannot overlap
33. VPN and AWS Direct Connect: Getting between VPC and your data center
35. Using AWS Direct Connect
[Diagram: Corporate Data Center with an AWS Direct Connect connection and a redundant VPN connection]
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
36. Automatic route propagation from VGW
[Diagram: Corporate Data Center, 192.168.0.0/16]
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with routes present in the virtual private gateway (VGW)
37. Configuring route table
[Diagram: Corporate Data Center, 192.168.0.0/16]
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7
38. VPC with private and public connectivity
[Diagram: Corporate Data Center, 192.168.0.0/16]
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7
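Added example (not from the deck): a small Python model of a VPC route table with longest-prefix matching, replaying the commands of slides 37 and 38 against rtb-ef36e58a so you can see where a given destination address is sent after the default route is swapped from the VGW to the Internet gateway. The route-table ids and targets are the ones on the slides; the behaviour of rejecting a duplicate destination and protecting the local route mirrors the API.

```python
# Added example (not from the slides): a longest-prefix-match model of a VPC route
# table, replaying slides 37 and 38 to show where traffic goes after each step.
from ipaddress import IPv4Address, IPv4Network

class RouteTable:
    def __init__(self, vpc_cidr):
        # every VPC route table carries a "local" route for the VPC's own range
        self.routes = {IPv4Network(vpc_cidr): "local"}

    def create_route(self, dest, target):
        net = IPv4Network(dest)
        if net in self.routes:
            # the API rejects a duplicate destination, which is why slide 38
            # deletes 0.0.0.0/0 before pointing it at the Internet gateway
            raise ValueError(f"route for {net} already exists")
        self.routes[net] = target

    def delete_route(self, dest):
        net = IPv4Network(dest)
        if self.routes.get(net) == "local":
            raise ValueError("the local route cannot be deleted")
        del self.routes[net]

    def lookup(self, ip):
        """Most specific matching route wins, as in the VPC router; None = no route."""
        addr = IPv4Address(ip)
        candidates = [net for net in self.routes if addr in net]
        if not candidates:
            return None
        return self.routes[max(candidates, key=lambda net: net.prefixlen)]

def slide_38_route_table():
    """Replay slides 37 and 38 for rtb-ef36e58a (VPC range 10.10.0.0/16)."""
    rt = RouteTable("10.10.0.0/16")
    rt.create_route("0.0.0.0/0", "vgw-f9da06e7")       # slide 37: everything to the data center
    rt.delete_route("0.0.0.0/0")                        # slide 38: swap the default route
    rt.create_route("0.0.0.0/0", "igw-5a1ae13f")        # ... to the Internet gateway
    rt.create_route("192.168.0.0/16", "vgw-f9da06e7")   # ... and keep the data center reachable
    return rt
```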
39. Remote connectivity best practices
[Diagram: Corporate Data Center connected to two Availability Zones]
Each VPN connection consists of 2 IPSec tunnels. Use Border Gateway Protocol (BGP) for failure recovery.
40. Remote connectivity best practices
[Diagram: Corporate Data Center connected to two Availability Zones]
A pair of VPN connections (4 IPSec tunnels total) protects against failure of your customer gateway.
41. Remote connectivity best practices
[Diagram: Corporate Data Center connected to two Availability Zones]
Redundant AWS Direct Connect connections with VPN backup.
45. ClassicLink is relevant to you if:
• You have a significant deployment on EC2-Classic
• You want a phased migration to VPC to take advantage of:
– New instance types
– Enhanced networking
– VPC security benefits (Amazon S3 endpoints, etc.)
– Features (VPC Flow Logs, etc.)
46. What ClassicLink does: words
• Connectivity over private IP address between linked instances in EC2-Classic and VPC
• Classic instances can take membership in VPC Security Groups
50. Attaching an EC2-Classic instance to a VPC
aws ec2 attach-classic-link-vpc --instance-id i-2b3ecd1c --vpc-id vpc-4325f426 --groups sg-da107fbf
(command reconstructed from the identifiers shown on the slide)
Link this specific instance to the VPC using the specified VPC security groups
51. Migration VPC: Keep it simple
• Internet connectivity
• One subnet per AZ
• Similar Security Groups
61. ClassicLink – Additional considerations
• VPC address ranges for use with ClassicLink
– 10.0.0.0/15, or any other range outside 10.0.0.0/8
– Why? EC2-Classic instance private IP addresses are in 10.2.0.0 – 10.255.255.255
• VPC also can’t have extra route table entries to 10.0.0.0/8
• ClassicLink instances use EC2-Classic for all Internet traffic. No access from VPN/Direct Connect or a VPC peer to a ClassicLink instance.
• ClassicLink must be enabled after instance launch (Run) or Start
• VPC instance DNS names do not resolve from EC2-Classic, and vice-versa
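Added example (not from the deck): a Python check for the two address-range rules stated on slide 30 (peer VPC ranges cannot overlap) and slide 61 (a ClassicLink VPC must be 10.0.0.0/15 or outside 10.0.0.0/8, with no extra routes into 10.0.0.0/8). It generalises the slide's wording slightly by also accepting VPC ranges carved out of 10.0.0.0/15, such as 10.0.0.0/16; the sample ranges are the ones on the slides.

```python
# Added example (not from the slides): validate VPC address ranges against the
# constraints the deck states for VPC peering (slide 30) and ClassicLink (slide 61).
from ipaddress import IPv4Network

EC2_CLASSIC_SPACE = IPv4Network("10.0.0.0/8")      # EC2-Classic private addresses live here
CLASSICLINK_CARVEOUT = IPv4Network("10.0.0.0/15")  # the only part of 10/8 a ClassicLink VPC may use

def peering_allowed(cidr_a, cidr_b):
    """Peering requires disjoint VPC ranges; otherwise the routes would be ambiguous."""
    return not IPv4Network(cidr_a).overlaps(IPv4Network(cidr_b))

def classiclink_problems(vpc_cidr, route_destinations=()):
    """Return the reasons a VPC cannot be enabled for ClassicLink (empty list = OK).

    route_destinations are the destination CIDRs present in the VPC's route tables,
    including the local route for the VPC's own range.
    """
    vpc = IPv4Network(vpc_cidr)
    problems = []
    if vpc.overlaps(EC2_CLASSIC_SPACE) and not vpc.subnet_of(CLASSICLINK_CARVEOUT):
        problems.append(f"{vpc} collides with EC2-Classic private addresses "
                        "(10.2.0.0 - 10.255.255.255); use 10.0.0.0/15 or a range outside 10.0.0.0/8")
    for dest in route_destinations:
        net = IPv4Network(dest)
        # any non-local route whose destination lies inside 10/8 would shadow Classic addresses
        if net != vpc and net.subnet_of(EC2_CLASSIC_SPACE):
            problems.append(f"route to {net} points into EC2-Classic address space")
    return problems
```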
65. See all of the traffic at your instances
• Visibility into effects of Security Group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
66. Getting set up: CloudWatch Logs
aws logs create-log-group --log-group-name MyVPCFlowLogs
(command reconstructed from the log group name shown on the slide)
Your flow logs will go here
67. Getting set up: IAM Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role --role-name VpcFlowLogsRole --assume-role-policy-document file:///tmp/trust_policy_document.json
(command reconstructed from the role name shown on the slide; the file name is assumed)
VPC Flow Logs has permission to assume this role
68. Getting set up: IAM Role, continued
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
aws iam put-role-policy --role-name VpcFlowLogsRole --policy-name AccessToCloudWatchLogs --policy-document file:///tmp/inline_policy_document.json
Grant VPC Flow Logs access to your CloudWatch Logs
69. Getting set up: VPC Flow Logs
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-c15180a4 --traffic-type ALL --log-group-name MyVPCFlowLogs --deliver-logs-permission-arn arn:aws:iam::111122223333:role/VpcFlowLogsRole
(command reconstructed from the fragments on the slide; the VPC id is assumed to be the deck's vpc-c15180a4)
+--------------+--------------------------------------------------+
| CreateFlowLogs                                                  |
+--------------+--------------------------------------------------+
| ClientToken  | 2VVt8sDNhVI3ZXy32ICeCU7MGykMPkQ5kzsdzHcXnk4=     |
+--------------+--------------------------------------------------+
| FlowLogIds   | fl-ea995892                                      |
+--------------+--------------------------------------------------+
--resource-type can be VPC, Subnet, or NetworkInterface
--traffic-type can be ACCEPT, REJECT, or ALL
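Added example (not from the deck): once records arrive in MyVPCFlowLogs, this Python parser summarises them the way slide 65 suggests, counting REJECTed flows per destination port (where security group or network ACL rules are doing work) and totalling bytes ACCEPTed from sources outside the VPC's 10.10.0.0/16 range. The records are constructed samples in the default version-2 flow log format; the account and interface ids are placeholders.

```python
# Added example (not from the slides): parse and summarise VPC Flow Log records as
# they would arrive in the MyVPCFlowLogs group. The records are constructed samples
# in the default version-2 format; account and interface ids are placeholders.
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_RECORDS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.10.1.20 51000 22 6 1 40 1430000000 1430000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.10.1.20 51001 22 6 1 40 1430000000 1430000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.10.1.20 51002 3389 6 1 40 1430000000 1430000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.10.2.5 10.10.1.20 44012 443 6 12 4800 1430000000 1430000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.10.1.20 40001 443 6 30 14000 1430000000 1430000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1430000000 1430000060 - NODATA
"""

def parse_record(line):
    """One space-separated record to a dict; numeric fields become int, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def rejected_by_destination(text):
    """Count REJECTed flows per (dstaddr, dstport): shows which SG/NACL rules are doing work."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        # NODATA / SKIPDATA records carry no flow information and are skipped
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[(rec["dstaddr"], rec["dstport"])] += 1
    return counts

def accepted_bytes_from_outside(text, vpc_cidr):
    """Bytes ACCEPTed from sources outside the VPC range, i.e. what reached you from outside."""
    vpc = IPv4Network(vpc_cidr)
    total = 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "ACCEPT":
            if IPv4Address(rec["srcaddr"]) not in vpc:
                total += rec["bytes"]
    return total
```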