Amazon VPC

Transcript

1. Amazon VPC qrtt1

2. Amazon VPC 
 is the networking layer for Amazon EC2

   configurable on-demand self-service

3. Old Account With Classic-EC2 & VPC

4. New Account Is VPC only

5. Scenarios for Amazon VPC • Scenario 1: VPC with a

   Public Subnet Only ! ! ! ! commons

6. Scenarios for Amazon VPC • Scenario 2: VPC with Public

   and Private Subnets ! ! ! ! commons

7. Scenarios for Amazon VPC • Scenario 3: VPC with Public

   and Private Subnets and Hardware VPN Access ! ! ! ! commons

8. Scenarios for Amazon VPC • Scenario 4: VPC with a

   Private Subnet Only and Hardware VPN Access Your VPC and Subnets ! ! ! ! commons

9. Default VPC commons

10. Default VPC commons • When

11. VPC the container for other sub elements define the max

    range for subnets by CIDR block 10.0.0.0/16 ~ 10.0.0.0/28 unchangeable after it created

12. region My First VPC 10.0.0.0/16 Non-Default VPC route table &

    network acl are created by vpc

13. region My First VPC 10.0.0.0/16 Non-Default VPC route table
 (and

    network ACL) route local traffic by default. This rule cannot be removed

14. region My First VPC 10.0.0.0/16 route table
 10.0.0.0/16 -> local

    Availability Zone 1a VPC subnet 10.0.1.0/24

15. region My First VPC 10.0.0.0/16 route table
 10.0.0.0/16 -> local

    Availability Zone 1a VPC subnet 10.0.1.0/24 subnet with a local traffic only route table 
 called the private subnet. ! No traffic can reach outside, 
 even the aws service, such as S3, EC2, …

16. region My First VPC 10.0.0.0/16 route table
 10.0.0.0/16 -> local

    Availability Zone 1a VPC subnet 10.0.1.0/24 How to make a public subnet ? create a internet gateway(IGW) for VPC, 
 and attach the IGW to 
 the existing or a new route table 
 which associated with the subnets
17. None

18. region My First VPC 10.0.0.0/16 route table
 10.0.0.0/16 -> local


    0.0.0.0/0-> igw Availability Zone 1a VPC subnet 10.0.1.0/24 I am a public subnet

19. region My First VPC 10.0.0.0/16 route table
 10.0.0.0/16 -> local


    0.0.0.0/0-> igw Availability Zone 1a VPC subnet 10.0.1.0/24 I am a public subnet instances in the public subnet can access the internet

20. region My First VPC 10.0.0.0/16 route table
 10.0.0.0/16 -> local

    Availability Zone 1a VPC subnet 10.0.1.0/24 How does a private subnet access the internet ? I am a private subnet

21. VPC subnet 10.0.1.0/24 How does a private subnet access the

    internet ? I am a private subnet VPC subnet 10.0.2.0/24 I am a public subnet route table
 10.0.0.0/16 -> local
 0.0.0.0/0-> igw launch a NAT Instance
 in the public subnet route table
 10.0.0.0/16 -> local ami: amzn-ami-vpc-nat

22. VPC subnet 10.0.1.0/24 How does a private subnet access the

    internet ? I am a private subnet VPC subnet 10.0.2.0/24 I am a public subnet route table
 10.0.0.0/16 -> local
 0.0.0.0/0-> igw configurate private subnet route table using 
 nat-instance-id route table
 10.0.0.0/16 -> local
 0.0.0.0/0 -> nat-instance-id

23. Demo • VPC with Public Subnet • VPC with Public

    Subnet & Private Subnet • NAT instance !

24. Demo: public subnet • Just a subnet with Internet Gateway

    ! ! ! !

25. Demo: private subnet + NAT • Just a subnet with

    0.0.0.0/0 => NAT Instance ID • Tips: • AMI for NAT Instance • Disable Source/Desk. Check • Enable pass rule in Security Group

26. NAT Instance • What’s the magic in the nat-image ?

    • /etc/rc.local • /usr/local/sbin/configure-pat.sh • http:/ /bit.ly/1odhe63

27. Resources • http:/ /aws.amazon.com/documentation/vpc/ • From One to Many: Evolving

    VPC Design (ARC401) | AWS re:Invent 2013 • slide: http:/ /slidesha.re/1rGmtBv • video: http:/ /bit.ly/1rGmxkF • Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013 • slide: http:/ /slidesha.re/1rGmoxQ • video: http:/ /bit.ly/1rGmC83