Amazon Virtual Private Cloud


Pierre GOUDJO

January 20, 2022

Transcript

  1. Amazon Virtual Private Cloud Pierre GOUDJO

  3. In 2006 EC2 was born

  4. At the time, all EC2 instances ran in a single flat network shared with other customers
  5. That's what is now called EC2-Classic

  8. So Amazon released VPC in 2009

  9. A VPC is a virtual network defined by an AWS customer
  10. VPCs are fully isolated from one another

  11. Nowadays the AWS network looks like this:

  12. The AWS cloud is made of multiple regions

  14. A region is made of multiple availability zones

  16. A VPC is a private network spanning all AZs of a region

  17. A VPC can be split into multiple subnets (IP ranges), each located in one AZ
  18. All these network components can be managed via an API

  19. That’s Software Defined Networking at a global scale

  20. The IP ranges of VPCs and subnets are specified using CIDR notation
  21. CIDR

  22. Security and monitoring

  24. NACL

  25. A Network Access Control List is a firewall for controlling traffic in and out of one or more subnets
  26. Network Access Control List: ALLOW/DENY rules. NACLs support both ALLOW and DENY rules.

    Inbound
    Rule #  Type      Protocol  Port Range  Source     Allow/Deny
    100     HTTP      TCP       80          0.0.0.0/0  ALLOW
    *       All IPv4  All       All         0.0.0.0/0  DENY

    Outbound
    Rule #  Type      Protocol  Port Range  Source     Allow/Deny
    100     HTTP      TCP       80          0.0.0.0/0  ALLOW
    *       All IPv4  All       All         0.0.0.0/0  DENY

  27. Network Access Control List: Stateless. With the same inbound and outbound rules as above, return traffic must be explicitly allowed.

  28. Network Access Control List: Rule processing order

    Inbound
    Rule #  Type      Protocol  Port Range  Source     Allow/Deny
    100     HTTP      TCP       80          0.0.0.0/0  ALLOW
    110     HTTPS     TCP       443         0.0.0.0/0  ALLOW
    120     HTTP      TCP       80          0.0.0.0/0  DENY
    *       All IPv4  All       All         0.0.0.0/0  DENY

    Rules are processed in order of rule number; rule 120 won't be applied, because rule 100 already matches HTTP traffic on port 80.

  29. Network Access Control List: Default NACL. All traffic is allowed.

    Inbound
    Rule #  Type      Protocol  Port Range  Source     Allow/Deny
    100     ALL IPv4  ALL       ALL         0.0.0.0/0  ALLOW
    *       ALL IPv4  ALL       ALL         0.0.0.0/0  DENY

    Outbound
    Rule #  Type      Protocol  Port Range  Source     Allow/Deny
    100     ALL IPv4  ALL       ALL         0.0.0.0/0  ALLOW
    *       ALL IPv4  ALL       ALL         0.0.0.0/0  DENY

  30. One NACL per subnet; if none is specified, the subnet uses the VPC's default NACL
  31. A NACL can be used by multiple subnets

  32. Security Group

  33. A security group acts as a firewall for your instance to control inbound and outbound traffic

  34. Security groups: only ALLOW rules

    Inbound
    Type  Protocol  Port Range  Source
    HTTP  TCP       80          0.0.0.0/0

    Outbound
    Type      Protocol  Port Range  Source
    ALL IPv4  ALL       ALL         0.0.0.0/0

    Security groups support ONLY ALLOW rules.

  35. Security groups: Stateful

    Inbound
    Type  Protocol  Port Range  Source
    HTTP  TCP       80          0.0.0.0/0

    Outbound
    Type  Protocol  Port Range  Destination
    SSH   TCP       22          10.0.0.1/32

    No need to specify a mirror rule: the reply the instance sends to a request it received is automatically allowed to flow out.
  36. VPC Flow Logs

  37. Captures info about IP traffic going to and from network interfaces in the VPC
  39. A flow log can be created for an entire VPC, a subnet or an individual network interface
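
A small parser over constructed flow-log records, added as an example and not taken from the deck. It assumes the default record format (version 2 fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and uses placeholder account and ENI ids; the records themselves are constructed.

```python
import ipaddress
from collections import Counter

# Constructed flow-log records in the default (version 2) format (added
# example, not from the deck; the account id and ENI id are placeholders).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
SAMPLE_RECORDS = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.5 51234 80 6 10 840 1642680000 1642680059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.5 203.0.113.7 80 51234 6 12 9456 1642680000 1642680059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.5 40000 22 6 1 44 1642680000 1642680059 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.5 40001 3389 6 1 44 1642680000 1642680059 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1642680060 1642680119 - NODATA
"""

def parse_record(line):
    """Map one space-separated record onto the default field names; '-' marks
    a field without a value, as in NODATA/SKIPDATA records."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def rejected_from_outside(text, vpc_cidr="10.0.0.0/16"):
    """Count REJECTed flows whose source is outside the VPC, keyed by
    (srcaddr, dstport): one source probing many ports stands out."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["action"] != "REJECT":  # also skips NODATA, whose action is '-'
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc:
            continue  # east-west traffic, reviewed separately
        hits[(rec["srcaddr"], rec["dstport"])] += 1
    return dict(hits)

def accepted_bytes_per_interface(text):
    """Sum the bytes of ACCEPTed flows per network interface."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["action"] == "ACCEPT":
            totals[rec["interface_id"]] += rec["bytes"]
    return dict(totals)
```
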
  40. VPC Networking Components

  41. Internet Gateway and Router (diagram)

  42. Internet Gateway
    • Allows communication between your VPC and the internet
    • Highly available, scalable, redundant
    • One per VPC
    • Supports IPv6 and IPv4
  43. Route table with a default route to the internet gateway (diagram labels: Internet Gateway, Router)

    Destination  Target
    10.0.0.0/16  local
    0.0.0.0/0    igw-id

  44. Router and Route table
    • A VPC has an implicit router
    • Route tables control where network traffic is directed
    • Each subnet is associated with a route table, either:
      • explicitly, with a dedicated route table
      • implicitly, with the VPC main route table
    • Each route specifies a destination (IP range) and a target (local, internet gateway, NAT device, another VPC…)
  46. NAT Gateway
    • Provides internet access to resources in a private subnet
    • External services cannot initiate connections to those instances
    • Can scale from 5 Gbps up to 45 Gbps
    • Not supported for IPv6 traffic
    • Can be monitored with CloudWatch
  48. NAT instance
    • EC2 instance that does NAT translation
    • Not recommended anymore, as Amazon doesn't provide support for the NAT AMI
    • Not supported for IPv6 traffic
  49. Route table with an IPv6 default route to an egress-only internet gateway

    Destination              Target
    10.0.0.0/16              local
    2001:db8:1234:1a00::/64  local
    ::/0                     eigw-id

  50. Egress-only internet gateways
    • Allow outbound traffic over IPv6 from instances in your VPC to the internet
    • Prevent the internet from initiating an IPv6 connection to your instances
    • IPv6 only
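
The route tables on the two route-table slides above, plus a private and an isolated subnet's table, run through a longest-prefix lookup. Added example, not the deck's or AWS's code; the target ids igw-id, eigw-id and nat-id are placeholders (as on the slides), and the addresses looked up are constructed.

```python
import ipaddress

# Constructed model of a VPC route-table lookup (added example, not AWS code):
# the most specific route (longest prefix) containing the destination wins,
# which is why 10.0.0.0/16 -> local beats the 0.0.0.0/0 default route.
def lookup(route_table, dst_addr):
    addr = ipaddress.ip_address(dst_addr)
    best = None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None  # None: no matching route, packet dropped

# Public subnet table from the two route-table slides (target ids are
# placeholders as on the slides): default routes via the internet gateway
# for IPv4 and via the egress-only internet gateway for IPv6.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-id"),
    ("2001:db8:1234:1a00::/64", "local"),
    ("::/0", "eigw-id"),
]
# A private subnet reaches the internet only through a NAT gateway route
# (nat-id is a placeholder) ...
PRIVATE_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-id")]
# ... and an isolated subnet has no default route at all.
ISOLATED_ROUTES = [("10.0.0.0/16", "local")]

def route_demo():
    return {
        "vpc_peer_v4": lookup(PUBLIC_ROUTES, "10.0.42.9"),              # local
        "vpc_peer_v6": lookup(PUBLIC_ROUTES, "2001:db8:1234:1a00::5"),  # local
        "internet_v4": lookup(PUBLIC_ROUTES, "198.51.100.20"),          # igw-id
        "internet_v6": lookup(PUBLIC_ROUTES, "2001:db8::1"),            # eigw-id
        "private_v4": lookup(PRIVATE_ROUTES, "198.51.100.20"),          # nat-id
        "isolated_v4": lookup(ISOLATED_ROUTES, "198.51.100.20"),        # None
    }
```
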
  51. DHCP Options Sets
    • The options field of a DHCP message contains configuration parameters like domain name, domain name server, netbios-node-type, etc.
    • A VPC can have at most one DHCP options set associated
    • A DHCP options set cannot be modified after creation
    • DHCP options supported:
      • domain-name-servers: up to 4 DNS servers, or AmazonProvidedDNS
      • domain-name
      • ntp-servers: defaults to None; can use the Amazon Time Sync Service at 169.254.169.123
      • netbios-name-servers
      • netbios-node-type
  52. EC2 Networking Components

  53. Instance IP Addressing
    • Amazon EC2 and VPC support IPv4 and IPv6
    • By default, IPv4 is used and can't be disabled
    • Multiple private addresses can be assigned to a single network interface; the number depends on the instance type
  55. Elastic Network Interface
    • Represents a virtual network card
    • Can be attached to / detached from an EC2 instance
    • The card can be in a different subnet than the EC2 instance (dual-homed)
    • One public IPv4 address
    • One MAC address
    • Can achieve multicast with an overlay network and an ENI
  57. Elastic IP
    • Static, public IPv4 address
    • Can be associated with any instance or network interface in any VPC
    • Can be remapped to another instance
    • One is free of charge when associated with a running instance
    • You pay for additional ones, or for one that is not associated
  59. Network Firewall
    • Network firewall and intrusion detection
    • Deep packet inspection on egress and ingress traffic
    • Stateful protocol inspection
    • Compatible with Suricata (IPS) rules
  61. VPC endpoints — AWS PrivateLink
    • Traffic between your VPC and the resources doesn't leave the AWS network
    • 2 types:
      • Gateway endpoints for S3 and DynamoDB resources
      • Interface endpoints for some AWS services (PrivateLink) and third-party AWS partners
  62. Gateway endpoint to connect to S3, with the associated route tables

  63. Interface endpoint with the associated network interface

  64. Interface endpoint with the associated network interface and private DNS on
  66. VPC peering
    • Networking connection between two VPCs
    • Instances in either VPC can communicate with each other as if they were in the same network
  68. Transit Gateway
    • Hub-and-spoke design for connecting VPCs
    • A Transit Gateway is a regional resource and can connect thousands of VPCs within the same AWS Region
    • Transit Gateway vs VPC peering:
      • Lower cost
      • No bandwidth limits
      • Latency
      • Security group compatibility
  69. Communication with on-premises components

  71. Direct Connect
    • Links your internal network to an AWS Direct Connect location
    • You can create virtual interfaces directly to public AWS services or to an AWS VPC, bypassing internet service providers
    • It is possible to use an AWS Direct Connect connection to access multiple regions or accounts
  72. Direct connect gateway used with 2 regions

  74. VPN
    • 2 offers:
      • AWS Client VPN: fully managed VPN service. Allows users to securely connect to AWS resources or on-premises networks.
      • Site-to-Site VPN: creates a secure connection between your data center and your AWS resources. Allows secure connection of VPCs and on-premises networks.