Amazon Virtual Private Cloud

Transcript

1. Amazon Virtual Private Cloud Pierre GOUDJO

2. None

3. In 2006 EC2 was born

4. At the time, all EC2 instances ran in a single

   fl at network shared with other customers

5. That’s what is now called EC2- Classic

6. None
7. None

8. So Amazon released VPC in 2009

9. VPC is a virtual network de fi ned by an

   AWS customer

10. VPC are fully isolated one from another

11. Nowadays AWS network looks like

12. AWS cloud is made of multiple regions

13. None

14. A region is made of multiple availability zones

15. None

16. VPC is a private network spreading all AZs

17. VPC can be split into multiple subnets (IP ranges) each

    located in an AZ

18. All these network components can be managed via an API

19. That’s Software Defined Networking at a global scale

20. The IP ranges of VPC and subnets are specified using

    CIDR

21. CIDR

22. Security and monitoring

23. None

24. NACL

25. Network Access Control List is a firewall for controlling traffic

    in and out of one or more subnets

26. Network Access Control List ALLOW/DENY Rules Inbound Rule # Type

    Protocol Port Range Source Allow/Deny 100 HTTP TCP 80 0.0.0.0/0 ALLOW * All ipv4 All All 0.0.0.0/0 DENY Outbound Rule # Type Protocol Port Range Source Allow/Deny 100 HTTP TCP 80 0.0.0.0/0 ALLOW * All ipv4 All All 0.0.0.0/0 DENY Support ALLOW and DENY rules

27. Network Access Control List Stateless Inbound Rule # Type Protocol

    Port Range Source Allow/Deny 100 HTTP TCP 80 0.0.0.0/0 ALLOW * All ipv4 All All 0.0.0.0/0 DENY Outbound Rule # Type Protocol Port Range Source Allow/Deny 100 HTTP TCP 80 0.0.0.0/0 ALLOW * All ipv4 All All 0.0.0.0/0 DENY Return traf fi c must be explicitly allowed

28. Network Access Control List Rule processing order Inbound Rule #

    Type Protocol Port Range Source Allow/Deny 100 HTTP TCP 80 0.0.0.0/0 ALLOW 110 HTTPS TCP 443 0.0.0.0/0 ALLOW 120 HTTP TCP 80 0.0.0.0/0 DENY * All ipv4 All All 0.0.0.0/0 DENY Rules are processed in order. Rule 120 won’t be applied

29. Network Access Control List Default NACL Inbound Rule # Type

    Protocol Port Range Source Allow/Deny 100 ALL IPv4 ALL ALL 0.0.0.0/0 ALLOW * ALL IPv4 ALL ALL 0.0.0.0/0 DENY Outbound Rule # Type Protocol Port Range Source Allow/Deny 100 ALL IPv4 ALL ALL 0.0.0.0/0 ALLOW * ALL IPv4 ALL ALL 0.0.0.0/0 DENY All traf fi c allowed

30. One NACL per subnet, if not speci fi ed will

    use the VPC default one

31. NACL can be used by multiple subnets

32. Security Group

33. Security group acts as a firewall for your instance to

    control inbound and outbound traffic

34. Security groups Only ALLOW rules Inbound Type Protocol Port Range

    Source HTTP TCP 80 0.0.0.0/0 Outbound Type Protocol Port Range Source ALL IPv4 ALL ALL 0.0.0.0/0 ONLY ALLOW Rules

35. Security groups Stateful Inbound Type Protocol Port Range Source HTTP

    TCP 80 0.0.0.0/0 Outbound Type Protocol Port Range Destination SSH TCP 22 10.0.0.1/32 No need to specify a mirror rule as request sent from instance is automatically allowed to fl ow out

36. VPC Flow Logs

37. Capture info about IP traf fi c going to and

    from network interfaces in the VPC
38. None

39. A flow log can be created for an entire VPC,

    a subnet or an individual network interface

40. VPC Networking Components

41. Internet Gateway Router

42. Internet Gateway • Allows communication between your VPC and the

    internet • Highly available, scalable, redundant • One per VPC • Support IPv6 and IPv4

43. Destination Target 10.0.0.0/16 local 0.0.0.0/0 igw-id Internet Gateway Router

44. Router and Route table • VPC has an implicit router

    • Route tables control where network tra ffi c is directed • Each subnet is associated with a route table either • Explicitly with a dedicated route table • Implicitly with the VPC main route table • Each route speci fi es a destination (IP) and a target (local, internet gateway, NAT devices, another VPC…)
45. None

46. NAT Gateway • Provides internet access to resources in private

    subnet • External services cannot initiate connection with those instances • Can scale from 5Gbps up to 45Gbps • Not supported for IPv6 tra ffi c • Can be monitored with CloudWatch
47. None

48. NAT instance • EC2 instance that can do NAT translation

    • Not recommended anymore as Amazon doesn’t provide support for NAT AMI • Not supported for IPv6 tra ffi c

49. Destination Target 10.0.0.0/16 local 2001:db8:1234:1a00::/64 local ::/0 eigw-id

50. Egress-only internet gateways • Allow outbound tra ffi c over

    IPv6 from instance in your VPC to internet • Prevent internet from initiating an IPv6 connection to your instances • IPv6 only

51. DHCP Options Sets • options fi eld of DHCP message

    contains con fi guration parameters like domain name, domain name server, netbios-node-type, etc… • A VPC can have a maximum of one DHCP options set associated • DHCP option set cannot be modi fi ed after creation • DHCP options supported • domain-name-servers: up to 4 DNS servers or AmazonProvidedDNS • domain-name • ntp-servers: default to None, can use Amazon Time Sync Service at 169.254.169.123 • netbios-name-servers • netbios-node-type

52. EC2 Networking Components

53. Instance IP Addressing • Amazon EC2 and VPC support IPv4

    and IPv6 • By default, IPv4 is used. Can’t be disabled • Multiple private addresses can be assigned to a single network interface. The number depends on the instance type
54. None

55. Elastic Network Interface • Represents a virtual network card •

    Can be attach to/detach from an EC2 instance • The card can be in a di ff erent subnet than the EC2 instance (dual-homed) • One public IPv4 address • One MAC address • Can achieve multicast with an overlay network and a ENI
56. None

57. Elastic IP • Static, public IPv4 address • Can be

    associated with any instance or network interface in any VPC • Can be remapped to another instance • Can have one at no charge when associated with a running instance • Pay for additional or no associated one
58. None

59. Network Firewall • Network fi rewall and intrusion detection •

    Deep packet inspection on egress and ingress tra ff i c • Stateful protocol inspection • Compatible with Suricata (IPS) rules
60. None

61. VPC endpoints — AWS PrivateLink • Tra ff i c

    between your VPC and the resources doesn’t leave AWS network • 2 types: • Gateway endpoints for S3 and DynamoDB resources • Interface endpoints for some AWS services (PrivateLink) and third-parties AWS partners

62. Gateway endpoints to connect with S3 and associated route tables

63. Interface endpoint with the associated network interface

64. Interface endpoint with the associated network interface and private DNS

    on
65. None

66. VPC peering • Networking connection between two VPCs • Instances

    in either VPC can communicate with each other as if they are in the same network
67. None

68. Transit Gateway • Hub and spoke design for connecting VPCs

    • Transit Gateway is a Regional resource and can connect thousands of VPCs within the same AWS Region • Transit Gateway vs VPC Peering • Lower cost • No bandwidth limits • Latency • Security Groups compatibility

69. Communication with on- premises components

70. None

71. Direct Connect • Links your internal network to an AWS

    Direct connect location • You can create virtual interfaces directly to public AWS services or AWS VPC, bypassing internet service providers • It is possible to use a AWS Direct connection to access multiple regions or accounts

72. Direct connect gateway used with 2 regions

73. None

74. VPN • 2 o ff ers: • AWS Client VPN:

    fully managed VPN service. • Allow users to securely connect to AWS resources or on-premises networks. • Site-to-Site VPN: create secure connection between your data center and your AWS resources. • Allow secure connection of VPC and on-premises networks