Slide 1

IP Networking in AWS
Mark Wolfe @ Versent

Slide 2

Welcome
• @wolfeidau on Twitter
• https://github.com/wolfeidau
• APN Ambassador @ Versent

Slide 3

IP Networking in AWS?
• Most common type is IPv4 addressing
• A VPC requires at least one IPv4 CIDR block (prefix length between /16 and /28)
• CIDR (Classless Inter-Domain Routing)
• More efficient use of IPv4 address space than classful networks
• Normally uses the private RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

Slide 4

Before we Start
• Keep it simple
• Plan for the future, don't build the future now
• Build only what you need
• Lay the groundwork for a solid AWS network

Slide 5

What do I need?
• Keep a register of IPv4 range allocations, so a new VPC CIDR never overlaps an existing one
• https://spritelink.github.io/NIPAP/
• DNS, using Route 53
• Secrets, using AWS Secrets Manager and SSM Parameter Store
• X.509 certificates, using AWS Certificate Manager
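Added example (not from the talk): the check an IP allocation register should run before it hands out a VPC CIDR. It enforces the /16 to /28 limit AWS places on a VPC IPv4 block, the RFC 1918 policy from the slide, and, most importantly, non-overlap with every range already in the register, because two VPCs with overlapping CIDRs cannot be peered. The register contents and VPC names are constructed for the example.

```python
import ipaddress

# The three RFC 1918 private ranges named on the slide.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS accepts a VPC IPv4 CIDR block with a prefix length from /16 to /28.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28

# Constructed sample register of existing allocations (hypothetical names and ranges).
REGISTER = {
    "shared-services": "10.0.0.0/20",
    "prod-vpc": "10.10.0.0/16",
    "dev-vpc": "10.20.0.0/16",
}


def validate_vpc_cidr(cidr, register=REGISTER):
    """Check a proposed VPC CIDR against AWS limits, the RFC 1918 policy and the register.

    Returns (ok, reasons): ok is True only when every check passes; reasons lists
    each failed check so the requester can fix the allocation.
    """
    try:
        # strict=True rejects a CIDR whose host bits are set, e.g. 10.40.0.0/8
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, [f"not a valid network: {exc}"]
    if net.version != 4:
        return False, ["only IPv4 allocations are handled here"]

    reasons = []
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        reasons.append(f"/{net.prefixlen} is outside the /16 to /28 range AWS allows for a VPC")
    # AWS does permit publicly routable ranges; this register follows the slide's RFC 1918 policy.
    if not any(net.subnet_of(r) for r in RFC1918):
        reasons.append("not within an RFC 1918 private range")
    for name, existing in register.items():
        if net.overlaps(ipaddress.ip_network(existing)):
            reasons.append(f"overlaps {name} ({existing}); overlapping VPCs cannot be peered")
    return not reasons, reasons


def allocate(name, cidr, register=REGISTER):
    """Record the allocation only if it validates; returns (ok, reasons)."""
    ok, reasons = validate_vpc_cidr(cidr, register)
    if ok:
        register[name] = cidr
    return ok, reasons


if __name__ == "__main__":
    for candidate in ("10.30.0.0/16", "10.10.128.0/17", "203.0.113.0/24", "10.40.0.0/8"):
        print(candidate, validate_vpc_cidr(candidate))
```

The overlap test is the one that pays for itself later: a /17 carved out of an existing /16 is a perfectly valid VPC CIDR on its own, and the mistake only surfaces when someone tries to peer or attach both VPCs to a Transit Gateway.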

Slide 6

Opensource
• Start with open source, peer-reviewed designs
• https://github.com/widdix/aws-cf-templates
• Comes with great documentation!
• Great baseline / checklist
• Another grab bag of templates by AWS
• https://github.com/aws-samples/startup-kit-templates

Slide 7

VPC with private and public subnets in two Availability Zones
https://templates.cloudonaut.io/en/stable/vpc/
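Added example (not from the talk or the cloudonaut templates): how to carve the VPC CIDR for the two-AZ public/private layout above while following the "plan for the future, don't build the future now" advice. The planner hands out one subnet per tier per AZ from the front of the range and reports the unallocated remainder as the largest blocks it can, so a later tier can be added without re-addressing. It also subtracts the five addresses AWS reserves in every subnet when reporting capacity. The VPC range, AZ names and tier names are constructed; the NAT gateway naming is an assumption about how the private subnets reach the internet.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), subnet_prefix=20):
    """Carve vpc_cidr into one subnet per (tier, AZ) and report what is left unallocated.

    Subnets are handed out tier by tier, one per AZ, from the start of the VPC range;
    everything after them is returned collapsed into the largest possible blocks so a
    later tier (e.g. a database tier) can be added without re-addressing.
    Returns (plan, spare).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not vpc.prefixlen < subnet_prefix <= 28:
        raise ValueError("subnet prefix must be longer than the VPC prefix and no longer than /28")
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    needed = len(tiers) * len(azs)
    if needed > len(candidates):
        raise ValueError(f"need {needed} /{subnet_prefix} subnets but {vpc} only holds {len(candidates)}")

    plan = []
    for tier in tiers:
        for az in azs:
            net = candidates.pop(0)
            plan.append({
                "name": f"{tier}-{az}",
                "tier": tier,
                "az": az,
                "cidr": str(net),
                "usable_hosts": net.num_addresses - AWS_RESERVED_PER_SUBNET,
                # Only public subnets auto-assign public IPs; private subnets reach the
                # internet through a NAT gateway in the public subnet of the same AZ
                # (hypothetical naming), so one AZ failing does not take out the other.
                "map_public_ip_on_launch": tier == "public",
                "default_route_target": "igw" if tier == "public" else f"nat-gw-{az}",
            })
    spare = [str(n) for n in ipaddress.collapse_addresses(candidates)]
    return plan, spare


if __name__ == "__main__":
    plan, spare = plan_subnets("10.0.0.0/16", ["ap-southeast-2a", "ap-southeast-2b"])
    for s in plan:
        print(f"{s['name']:<24} {s['cidr']:<16} {s['usable_hosts']} hosts -> {s['default_route_target']}")
    print("spare for future tiers:", spare)
```

With a /16 VPC and /20 subnets the four subnets use a quarter of the range and the planner reports a /18 and a /17 still free; that is the headroom the "plan for the future" slide is asking you to leave.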

Slide 8

What makes a VPC?
• Made up of AWS resources:
• Subnets
• Routes (in route tables)
• Security Groups
• Internet Gateways (IGW)
• VPNs
• VPC Endpoints
• More every re:Invent...

Slide 9

Just Getting Started?
• VPC Fundamentals and Connectivity Options (NET201) by Gina Morris
• https://www.youtube.com/watch?v=jZAvKgqlrjY

Slide 10

Onto the New Stuff

Slide 11

VPC Peering

Slide 12

Transit Gateway
• Dynamic and static layer 3 routing between Amazon Virtual Private Clouds (VPCs) and VPNs; each attachment is associated with a Transit Gateway route table
• Site-to-Site VPN connections between your AWS Transit Gateway and on-premises gateways
• AWS Transit Gateway provides monitoring via CloudWatch metrics / logs
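Added example (not from the talk, and not AWS code): a small model of how Transit Gateway route tables resolve a destination, used to show why "dynamic and static layer 3 routing" is also a segmentation tool. Each attachment is associated with one route table; routes are propagated from attachments (dynamic) or added statically, including blackhole routes; lookup is longest prefix match, and on an equal prefix a static route beats a propagated one. The hub-and-spoke build below, with its attachment ids and CIDRs, is constructed for the example: two spoke VPCs can reach shared services and the on-premises VPN but are blackholed from each other.

```python
import ipaddress


class TransitGatewayModel:
    """Minimal model of Transit Gateway route-table semantics (illustration only).

    Each attachment (VPC or VPN) is associated with exactly one route table, which
    decides where traffic *arriving from* that attachment goes. A table holds routes
    that were either propagated (dynamic, learned from an attachment's CIDRs) or
    added statically, including blackhole routes that drop matching traffic.
    Lookup is longest prefix match; on an equal prefix a static route beats a
    propagated one.
    """

    def __init__(self):
        self.attachments = {}   # attachment id -> CIDRs it advertises
        self.tables = {}        # table name -> list of (network, target, kind)
        self.association = {}   # attachment id -> table name

    def add_attachment(self, att_id, cidrs=()):
        self.attachments[att_id] = [ipaddress.ip_network(c) for c in cidrs]

    def add_table(self, name):
        self.tables[name] = []

    def associate(self, att_id, table):
        self.association[att_id] = table

    def propagate(self, att_id, table):
        """Dynamic routing: copy an attachment's CIDRs into a table as propagated routes."""
        for net in self.attachments[att_id]:
            self.tables[table].append((net, att_id, "propagated"))

    def add_static(self, table, cidr, target=None):
        """Static route; target=None makes it a blackhole route."""
        self.tables[table].append((ipaddress.ip_network(cidr), target, "static"))

    def route(self, src_att, dst_ip):
        """Attachment that traffic from src_att to dst_ip is forwarded to, 'blackhole'
        for an explicit drop, or None when nothing in the table matches."""
        ip = ipaddress.ip_address(dst_ip)
        best_key, best_target = None, None
        for net, target, kind in self.tables[self.association[src_att]]:
            if ip in net:
                key = (net.prefixlen, kind == "static")   # longest prefix, then static wins
                if best_key is None or key > best_key:
                    best_key, best_target = key, target
        if best_key is None:
            return None
        return "blackhole" if best_target is None else best_target


def build_hub_and_spoke():
    """Constructed example: two spoke VPCs may reach shared services and the
    on-premises VPN but not each other. Attachment ids and CIDRs are hypothetical."""
    tgw = TransitGatewayModel()
    tgw.add_attachment("vpc-prod", ["10.10.0.0/16"])
    tgw.add_attachment("vpc-dev", ["10.20.0.0/16"])
    tgw.add_attachment("vpc-shared", ["10.0.0.0/20"])
    tgw.add_attachment("vpn-onprem", ["192.168.0.0/16"])

    # Spokes learn only shared services and on-prem; the rest of 10/8 is blackholed,
    # so spoke-to-spoke traffic is dropped at the TGW instead of being forwarded.
    tgw.add_table("rt-spokes")
    tgw.propagate("vpc-shared", "rt-spokes")
    tgw.propagate("vpn-onprem", "rt-spokes")
    tgw.add_static("rt-spokes", "10.0.0.0/8")          # blackhole
    tgw.associate("vpc-prod", "rt-spokes")
    tgw.associate("vpc-dev", "rt-spokes")

    # The hub side needs a return route to every spoke.
    tgw.add_table("rt-hub")
    for att in ("vpc-prod", "vpc-dev", "vpc-shared", "vpn-onprem"):
        tgw.propagate(att, "rt-hub")
    tgw.associate("vpc-shared", "rt-hub")
    tgw.associate("vpn-onprem", "rt-hub")
    return tgw


if __name__ == "__main__":
    tgw = build_hub_and_spoke()
    for src, dst in (("vpc-prod", "10.0.1.5"), ("vpc-prod", "10.20.3.4"),
                     ("vpc-prod", "192.168.5.5"), ("vpc-shared", "10.20.3.4")):
        print(f"{src} -> {dst}: {tgw.route(src, dst)}")
```

The blackhole on 10.0.0.0/8 is what makes the spoke table safe by default: any new 10/8 range that is not deliberately propagated into rt-spokes is dropped, rather than silently forwarded once someone adds a VPC route pointing at the TGW. The model does not cover the VPC-side route tables, which still have to send traffic to the TGW in the first place.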

Slide 13

Slide 14

Slide 15

Transit VPC?
• This option is best suited for customers with the following use cases / requirements:
• AWS resources in spoke VPCs need access to a wide variety of on-premises infrastructure
• The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols)
• They are implementing a hybrid architecture with complex network-routing requirements
• Their security or compliance programs require additional network-based monitoring or filtering between AWS and on-premises resources
• Day 1 CloudFormation support!

Slide 16

Learn More!
• Introducing AWS Transit Gateway (NET331)
• https://www.youtube.com/watch?v=yQGxPEGt_-w
• Advanced VPC Design and New Capabilities for Amazon VPC (NET303)
• https://www.youtube.com/watch?v=fnxXNZdf6ew
• NOTE: This talk covers the new Client <-> VPC VPN support (AWS Client VPN)!

Slide 17

AWS Resource Access Manager
• Create resources centrally
• Govern consumption of shared resources
• View usage details for shared resources
• This covers:
• Subnets!?
• Resolver Rules
• License Configurations
• Transit Gateways

Slide 18

Shared VPCs
• Share one or more subnets from a central shared-services account
• Enable other accounts to launch compute resources into that VPC
• Windows: I need Active Directory, along with a raft of other centralised services, to support a domain-joined fleet of servers
• "Security" software with a centralised controller

Slide 19

Private Link
• Create your own application in your VPC and configure it to be imported like any other endpoint service.
• Requires an NLB to front your service
• Supports overlapping IPv4 ranges between providers and consumers
• Managed workflow for sharing / requesting access to a VPC Endpoint using this service
• This allows the provider VPC to be totally hidden from the consuming services
• DNS is kinda magic*

Slide 20

Private Link

Slide 21

In Summary
• IP Networking in AWS is constantly changing; always review the manual.
• Watch the re:Invent VPC introduction videos at least once a year; refreshing knowledge is key.
• Keep things as simple as possible, but no simpler.
• Use off-the-shelf patterns as a starting point, standing on the shoulders of giants.

Slide 22

Questions
• https://www.versent.com.au
• https://www.stax.io/
• We are hiring!
• wolfeidau on Twitter / GitHub

Slide 23

Links
• https://www.keycdn.com/support/what-is-cidr
• https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
• AWS Security Hub https://aws.amazon.com/security-hub/
• Images from:
• https://unsplash.com/@marcojodoin (Marc-Olivier Jodoin)
• https://unsplash.com/@adele_payman (Adele Payman)