
VPC Internals & Networking

- VPC and subnet basics
- Networking components - IGW, NACL, security groups, route table etc.
- Strategies for public/private subnets
- VPC peering & expanding existing VPC
- Demo - VPC creation & cross region VPC peering
- Best practices

Speaker: Amod Kadam - Founder & Chief Architect at Cloud Manthan

AWS User Group Mumbai

July 14, 2018

Transcript

  1. Virtual Private Cloud June 2018

  2. Agenda
     - Key Concepts
       - Subnets
       - Route table
       - Internet Gateway
       - NAT Gateways
       - Security in VPC
       - VPC Endpoints
       - Multiple CIDR Blocks with VPC
       - VPC Peering
       - VPC topologies
     - Demo
       - Setting up a VPC with public and private subnets
       - Setting up VPC Peering

  3. Key Concepts

  4. VPC
     - Virtual network dedicated to your AWS account
     - Logically isolated from other virtual networks
     - A VPC spans all AZs in its region
     - A VPC can have multiple subnets
     - Supports IPv4 and IPv6
     - Must specify a CIDR block between /16 and /28 (IPv4)

  5. Subnets
     - A subnet resides in a single AZ
     - Choose a range of IP addresses within the VPC
     - Types of subnets (group instances based on your security and operational needs):
       - Public subnet: has a route to the Internet Gateway (e.g. web server)
       - Private subnet: does not have a route to the Internet Gateway (e.g. DB in a private subnet)
       - VPN-only subnet: has no route to the Internet Gateway, but its traffic is routed to a virtual private gateway for a VPN connection

  6. Route table
     - Each subnet must be associated with a route table
     - The route table specifies the routing rules for inbound and outbound traffic
     - Custom route tables can be created

  7. Internet Gateway
     - Scalable, redundant component that enables communication between EC2 instances and the Internet
     - No availability risk
     - No bandwidth limit
     - Provides the 'target' in a route table
     - Performs NAT for EC2 instances
     - Egress-only Internet Gateway
       - For IPv6 only
       - Outbound Internet access only
       - Prevents the Internet from initiating an IPv6 connection with your instances

  8. NAT Gateway
     - Used to enable instances in a private subnet to connect to the Internet
     - Supports up to 45 Gbps

  9. Security in VPC ...
     - Security Groups
       - Applied at instance level
       - Stateful model
       - Inbound and outbound rules
       - Does not support Deny rules
     - Network Access Control List (NACL)
       - Applied at network level
       - Inbound and outbound rules
       - Stateless model
       - Supports Allow as well as Deny rules

  10. ...Security in VPC
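The stateful/allow-only versus stateless/allow-or-deny distinction from the two security slides above, worked through as an added example (not code from the deck or from AWS). It models how the two rule sets are evaluated; the rule layout is simplified and the rule sets and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    peer: str   # remote IP: source for inbound packets, destination for outbound
    port: int   # destination port of the packet
    proto: str = "tcp"

def _match(rule, flow):
    return (rule["proto"] in (flow.proto, "all")
            and rule["from"] <= flow.port <= rule["to"]
            and ipaddress.ip_address(flow.peer) in ipaddress.ip_network(rule["cidr"]))

def sg_allows(rules, flow):
    """Security group: allow rules only, no ordering; any matching rule permits."""
    return any(_match(r, flow) for r in rules)

def nacl_allows(rules, flow):
    """Network ACL: lowest rule number first, first match wins (allow or deny);
    the implicit '*' rule at the end denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if _match(r, flow):
            return r["action"] == "allow"
    return False

def request_and_reply_pass(sg_in, nacl_in, nacl_out, request, reply):
    """Stateful SG: the reply to an allowed request is permitted automatically.
    Stateless NACL: the reply packet must also match an OUTBOUND allow rule."""
    if not (sg_allows(sg_in, request) and nacl_allows(nacl_in, request)):
        return False
    return nacl_allows(nacl_out, reply)

# Constructed sample rule sets for a public web subnet (documentation address ranges)
SG_WEB = [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]
NACL_IN = [
    {"num": 90, "action": "deny", "proto": "all", "from": 0, "to": 65535, "cidr": "203.0.113.0/24"},
    {"num": 100, "action": "allow", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
]
NACL_OUT = [  # ephemeral-port rule that the stateless model needs for replies
    {"num": 100, "action": "allow", "proto": "tcp", "from": 1024, "to": 65535, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    req, reply = Flow("198.51.100.7", 443), Flow("198.51.100.7", 50000)
    print(request_and_reply_pass(SG_WEB, NACL_IN, NACL_OUT, req, reply))  # True
    print(request_and_reply_pass(SG_WEB, NACL_IN, [], req, reply))        # False: no ephemeral rule
    print(sg_allows(SG_WEB, Flow("203.0.113.9", 443)),                    # True: SG cannot deny
          nacl_allows(NACL_IN, Flow("203.0.113.9", 443)))                 # False: rule 90 denies first
```

Dropping the outbound ephemeral-port rule shows the classic stateless pitfall: the request is admitted but the reply is silently dropped, which a security group alone would never do.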

  11. VPC Endpoint
     - Enables you to privately connect your VPC to supported AWS services without requiring an Internet Gateway, NAT device or VPN connection
     - Gateway Endpoint
       - A gateway that is the target for a specified route in your route table, used for traffic destined to a supported AWS service
       - S3 and DynamoDB

  12. Multiple CIDR Blocks with VPC
     - Not possible to increase or decrease the size of an existing CIDR block
     - A VPC can have multiple CIDR blocks
       - Primary
       - Secondary

  13. VPC Peering
     - Scenarios
       - One to one: DEV, STAGING, UAT environments that need to connect or be patched
       - Common VPC to many VPCs
         - AV solution on the common VPC
         - Management box on the common VPC
         - Third-party backup solution
     [Diagram: VPC peering between a VPC in AWS Account #1 and a VPC in AWS Account #2, within one Region]

  14. VPC topologies

  15. No Internet Access - Private Subnets

  16. Internet + No Internet Access - Public + Private Subnets

  17. Internet + No Internet Access - Public + Private Subnets

  18. AWS & Corporate or Home Network

  19. AWS & Corporate or Home Network

  20. Private Link

  21. Subnets - Public, Private & VPN Only

  22. Demo
     - Setting up a VPC with public and private subnets
     - Setting up VPC Peering

  23. Best Practices
     - Select the right VPC architecture design
     - CIDR block selection is a one-time choice (it can be extended with secondary blocks)
     - Isolate VPCs according to use case
     - Keep the public subnet unpopulated
     - Control your in/out traffic in the VPC using NACLs and security groups
     - Tier your security groups
     - Use EIPs only when needed
     - Use a Multi-AZ deployment model

  24. Thanks amod.kadam@cloudmanthan.com +91 98923 00901