
VPC Internals & Networking

- VPC and subnet basics
- Networking components - IGW, NACL, security groups, route table etc.
- Strategies for public/private subnets
- VPC peering & expanding existing VPC
- Demo - VPC creation & cross region VPC peering
- Best practices

Speaker: Amod Kadam - Founder & Chief Architect at Cloud Manthan


AWS User Group Mumbai

July 14, 2018



Transcript

  1. Agenda
     • Key Concepts
       ◦ Subnets
       ◦ Route table
       ◦ Internet Gateway
       ◦ NAT Gateways
       ◦ Security in VPC
       ◦ VPC Endpoints
       ◦ Multiple CIDR Blocks with VPC
       ◦ VPC Peering
       ◦ VPC topologies
     • Demo
       ◦ Setting up a VPC with public and private subnets
       ◦ Setting up VPC peering
  2. VPC
     • Virtual network dedicated to your AWS account
     • Logically isolated from other virtual networks
     • A VPC spans all AZs in its region
     • A VPC can have multiple subnets
     • Supports IPv4 and IPv6
     • You must specify a CIDR block between /16 and /28 (IPv4)
  3. Subnets
     • A subnet resides in a single AZ
     • Choose a range of IP addresses within the VPC
     • Types of subnets: group instances based on your security and operational needs
       ◦ Public subnet: has a route to the Internet Gateway (e.g. a web server)
       ◦ Private subnet: has no route to the Internet Gateway (e.g. a DB in a private subnet)
       ◦ VPN-only subnet: has no route to the Internet Gateway, but its traffic is routed to a virtual private gateway for a VPN connection
  4. Route table
     • Each subnet must be associated with a route table
     • The route table specifies the allowed rules for inbound and outbound traffic
     • Custom route tables can be created
  5. Internet Gateway
     • Scalable, redundant component that enables communication between EC2 and the Internet
     • No availability risk
     • No bandwidth limit
     • Provides a ‘target’ in the route table
     • Performs NAT for EC2 instances
     • Egress-Only Internet Gateways
       ◦ IPv6 only
       ◦ Outbound Internet access only
       ◦ Prevents the Internet from initiating an IPv6 connection with your instances
  6. NAT Gateway
     • Used to enable instances in a private subnet to connect to the Internet
     • Supports up to 45 Gbps
  7. Security in VPC
     • Security Groups
       ◦ Applied at the instance level
       ◦ Stateful model
       ◦ Inbound and outbound rules
       ◦ Do not support Deny rules
     • Network Access Control List (NACL)
       ◦ Applied at the network level
       ◦ Inbound and outbound rules
       ◦ Stateless model
       ◦ Supports Allow as well as Deny rules
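Added example, not from the deck: a toy Python model of the stateful-versus-stateless point on this slide, run over a constructed HTTPS exchange. It matches on port only (CIDRs and protocols are left out) and uses a made-up flow id in place of the 5-tuple, so it shows why a NACL needs an explicit outbound rule for the ephemeral port range while a security group does not.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (towards the instance) or "out" (from it)
    dst_port: int
    flow: str               # constructed flow id standing in for the 5-tuple
    is_reply: bool = False  # True when the packet answers an earlier request

class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule.
    Rules are (number, direction, port_from, port_to, action), lowest number
    first, first match wins; the implicit final rule (*) denies."""
    def __init__(self, rules):
        self.rules = sorted(rules)

    def permits(self, pkt):
        for _, direction, lo, hi, action in self.rules:
            if direction == pkt.direction and lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False

class SecurityGroup:
    """Stateful and allow-only: a reply to an allowed request passes even when
    no rule in the reply's direction matches it, and nothing can be denied."""
    def __init__(self, inbound_ports, outbound_ports):
        self.allowed = {"in": set(inbound_ports), "out": set(outbound_ports)}
        self.open_flows = set()

    def permits(self, pkt):
        if pkt.is_reply:
            return pkt.flow in self.open_flows
        if pkt.dst_port in self.allowed[pkt.direction]:
            self.open_flows.add(pkt.flow)
            return True
        return False

def https_exchange():
    """Constructed traffic: a client hits the web server on 443 and the server
    answers to the client's ephemeral port 50000 on the same flow."""
    return [Packet("in", 443, "c1"), Packet("out", 50000, "c1", is_reply=True)]

def evaluate(filt, packets):
    """Decision per packet, in order; False on the reply means a hung connection."""
    return [filt.permits(p) for p in packets]
# NACL that forgot the ephemeral-port return rule: request in, reply dropped.
NACL_NO_EPHEMERAL = NetworkAcl([(100, "in", 443, 443, "allow"),
                                (100, "out", 443, 443, "allow")])
# Corrected NACL: an outbound allow for the ephemeral range carries replies.
NACL_FIXED = NetworkAcl([(100, "in", 443, 443, "allow"),
                         (100, "out", 1024, 65535, "allow")])
# Security group with only an inbound 443 rule still lets the reply out.
SG_WEB = SecurityGroup(inbound_ports={443}, outbound_ports=set())
```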
  8. VPC Endpoint
     • Enables you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device or VPN connection
     • Gateway Endpoint
       ◦ A gateway that is the target for a specified route in your route table, used for traffic destined to a supported AWS service
         ▪ S3 & DynamoDB
  9. Multiple CIDR Blocks with VPC
     • It is not possible to increase or decrease the size of an existing CIDR block
     • A VPC can have multiple CIDR blocks
       ◦ Primary
       ◦ Secondary
  10. VPC Peering
     • Scenarios
       ◦ One to one: DEV, STAGING, UAT VPCs that need to connect to each other / be patched
     • Common VPC to many VPCs
       ◦ AV solution on the common VPC
       ◦ Management box on the common VPC
       ◦ Third-party backup solution
     [Figure: VPC peering between a virtual private cloud in AWS Account #1 and a virtual private cloud in AWS Account #2, within a Region]
  11. Best Practices
     • Select the right VPC architecture design
     • One-time CIDR block selection (it can be extended)
     • Isolate VPCs according to use case
     • Unpopulated public subnet
     • Control your in/out traffic in the VPC using ACLs and SGs
     • Tier your security groups
     • Use EIPs when needed
     • Use a Multi-AZ deployment model