
AWS VPC 101


AWS UG BLR talk - Introduction to AWS VPC

Ashwin Murali

June 11, 2020

Transcript

  1. $ whoami
     • Old school linux / sysadmin
     • <3 Shell / Unix
     • Cloud
     • IoT
     • Mail
     • DNS
     • Engineering @ Verloop

  2. Agenda
     • VPC intro
     • History of the VPC
     • Regions / Subnets - Availability Zones
     • Route Table
     • NACLs
     • Security Groups
     • Peering

  3. • Virtual network dedicated to your AWS account
     • Logically isolated
     • RFC compliant
     • Container for your AWS resources - EC2, RDS, EKS, Fargate
     • Resources talk to the internet via the VPC
     • Regular network constructs - IP ranges, subnets, route tables, etc.
     • Security - NACL, Security Groups

  4. AWS EC2 Classic
     • Flat network - distributed over AWS infrastructure
     • Shared with multiple customers
     • Discontinued with the introduction of AWS VPC
     • All instances received a public IP address
     • DNS hostnames were fixed + enabled by default
     • Shared hardware tenancy only

  5. Regions
     • Physical location
     • Cluster of data centres
     • Multiple isolated, physically separate AZs

  6. Availability Zone
     • Isolated logical cluster of data centres
     • Separation of risk domains - power, internet, cooling, security
     • Interconnected by low latency redundant networks

  7. • Every region has a default VPC
     • RFC 1918 compatible private range
     • No conflict with internet ranges
     • IPv4 by default
     • IPv6 as an overlay network with a dual stack network config
     • Default VPC lets you have 65535 IPv4 addresses

  8. • Belong to a VPC
     • Resides completely within an AZ
     • Subset of the VPC CIDR block
     • Resource in a subnet can be public OR private based on route tables

  9. • Rules to move network packets around
     • Every VPC has a default route table
     • Can also assign different route tables to different subnets
  10. Route table of a subnet whose default route points at an internet gateway:

      Destination     Target
      172.31.0.0/16   local
      0.0.0.0/0       igw_id

      [Diagram: two instances in that subnet with public IPs 35.10.245.123 and 35.10.211.231]

      Route table of a subnet whose default route points at a NAT gateway:

      Destination     Target
      172.31.0.0/16   local
      0.0.0.0/0       nat_gw_id
  11. • Distributed firewall
      • Instance level
      • Grant access to resources on the network
      • Can be grouped by IP, CIDR range or even security group
      • STATEFUL - one rule, both directions!
      • All rules evaluated before allowing traffic
      • Applies only on assignment
  12. • Subnet level access control
      • Rules have priority and are evaluated in order
      • STATELESS - one rule, one direction!
      • Automatically applies to all resources in the associated subnet
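Slides 11 and 12 contrast the two filters. The Python model below is added here and is not part of the talk: it replays one HTTPS request and its reply through a stateful security group (any matching rule admits the flow, and the reply rides on connection tracking) and through a stateless NACL (numbered rules evaluated in order, first match wins, the reply needs its own rule for the ephemeral port range). The addresses 203.0.113.7 and 198.51.100.0/24, the rule numbers and the ports are constructed for the illustration, and AWS connection tracking is simplified to a set of expected reply packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int            # NACL evaluation order (ignored by security groups)
    direction: str         # "in" (ingress) or "out" (egress)
    cidr: str              # remote range: source for "in", destination for "out"
    ports: tuple           # inclusive (low, high) range of the packet's dst port
    action: str = "allow"  # NACLs may also "deny"; security groups only allow

@dataclass(frozen=True)
class Packet:
    direction: str         # "in" = towards the instance, "out" = from it
    peer: str              # remote IP address
    local_port: int
    peer_port: int
    def reply(self):       # the same flow travelling the other way
        return Packet("out" if self.direction == "in" else "in",
                      self.peer, self.local_port, self.peer_port)

def matches(rule, pkt):
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
    return (rule.direction == pkt.direction and rule.ports[0] <= dst_port <= rule.ports[1]
            and ip_address(pkt.peer) in ip_network(rule.cidr))

def nacl_allows(rules, pkt):
    # Stateless: the lowest-numbered matching rule wins; no match means deny.
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action == "allow"
    return False

def sg_allows(rules, pkt, flows):
    # Stateful: a matching rule admits the packet; tracking admits its reply.
    if pkt in flows or any(matches(r, pkt) for r in rules):
        flows.add(pkt.reply())
        return True
    return False

# Constructed scenario: an HTTPS server; 198.51.100.0/24 is a blocked range.
SG = [Rule(0, "in", "0.0.0.0/0", (443, 443))]
NACL = [Rule(90, "in", "198.51.100.0/24", (443, 443), "deny"),
        Rule(100, "in", "0.0.0.0/0", (443, 443)),
        Rule(110, "out", "0.0.0.0/0", (1024, 65535))]  # ephemeral return ports
def verdicts(peer="203.0.113.7", nacl=NACL):
    # (security group verdict, NACL verdict) for one request and its reply.
    req, flows = Packet("in", peer, 443, 50123), set()
    sg_ok = sg_allows(SG, req, flows) and sg_allows(SG, req.reply(), flows)
    return sg_ok, nacl_allows(nacl, req) and nacl_allows(nacl, req.reply())
```

Calling `verdicts(nacl=NACL[:2])` drops the egress rule 110 and shows the NACL blocking the server's reply even though the request was admitted; `verdicts("198.51.100.5")` shows the lower-numbered deny winning over the broader allow.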
  13. • Network connection between 2 VPCs
      • Traffic is routed using private IPv4 addresses
      • Seamless handover between networks
      • Mandatory for both networks to be on separate (non-overlapping) CIDR blocks