Upgrade to Pro — share decks privately, control downloads, hide ads and more …

IP Networking in AWS

Mark Wolfe
December 12, 2018
0
55

IP Networking in AWS

Presented at the AWS Users Group in Melbourne 12th of December 2018

Mark Wolfe

December 12, 2018
Tweet

More Decks by Mark Wolfe

See All by Mark Wolfe
Getting Into Vue.js
wolfeidau
0
170
AWS Automation With Lambda
wolfeidau
1
82
Ansible and Cloudformation
wolfeidau
1
200
Docker Security
wolfeidau
0
180
Building a Proxy in Go
wolfeidau
2
330
Using JWT to Authenticate Microservices
wolfeidau
1
240
Managing Secrets IN AWS
wolfeidau
0
120
ESPlant Workshop Firmware Overview and Demos
wolfeidau
0
110
Go kit - A Distributed Programming Toolkit
wolfeidau
0
130

Featured

See All Featured
Facilitating Awesome Meetings
lara
41
5.6k
Infographics Made Easy
chrislema
237
18k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Code Reviewing Like a Champion
maltzj
513
39k
Music & Morning Musume
bryan
41
5.6k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Making Projects Easy
brettharned
108
5.5k
Git: the NoSQL Database
bkeepers
PRO
422
63k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Code Review Best Practice
trishagee
54
15k

Transcript

  1. IP Networking in AWS Mark Wolfe @ Versent

  2. Welcome • @wolfeidau on Twitter • https://github.com/wolfeidau • APN Ambassador

    @ Versent

  3. IP Networking in AWS? • Most common type is IPv4

    addressing • VPC requires at least one CIDR • CIDR (Classless Inter-Domain Routing) • More Efficient use of IPv4 address space • Uses private RFC 1918 ranges

  4. Before we Start • Keep it simple • Plan for

    the future, don't build the future now • Build only what you need • Lay the ground work for a solid AWS network

  5. What do I need? • Keep a register of IPv4

    range allocations • https://spritelink.github.io/NIPAP/ • DNS, using route53 • Secrets, using AWS Secret Service and SSM • X509 certificates, using AWS Certificate manager

  6. Opensource • Start with Open Source, peer reviewed designs •

    https://github.com/widdix/aws-cf-templates • Comes with great documentation! • Great baseline / checklist • Another grab bag of templates by AWS • https://github.com/aws-samples/startup-kit- templates

  7. VPC with private and public subnets in two Availability Zones

    https://templates.cloudonaut.io/en/stable/vpc/

  8. What makes a VPC? • Made up of AWS Resources

    • Subnets • Routes • Security Groups • Internet Gateways (IGW) • VPNs • VPC Endpoints • More every reinvent..

  9. Just Getting Started? • VPC Fundamentals and Connectivity Options (NET201)

    by Gina Morris • https://www.youtube.com/watch?v=jZAvKgqlrjY

  10. Onto the New Stuff

  11. VPC Peering

  12. Transit Gateway • Dynamic and static layer 3 routing between

    Amazon Virtual Private Clouds (VPCs) and VPN • VPN connections between your AWS Transit Gateway and on-premises gateways using VPN • AWS Transit Gateway provides monitoring via cloudwatch metrics / logs
  13. None
  14. None

  15. Transit VPC? • This option is best suited for customers

    with the following use case/ requirements: • AWS resources in spoke VPCs need access to a wide variety of on- premises infrastructure • The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols) • They are implementing a hybrid architecture with complex network- routing requirements • Their security or compliance programs require additional network- based monitoring or filtering between AWS and on-premises resources • Day 1 CloudFormation support!

  16. Learn More! • Introducing AWS Transit Gateway (NET331) • https://www.youtube.com/watch?v=yQGxPEGt_-w

    • Advanced VPC Design and New Capabilities for Amazon VPC (NET303) • https://www.youtube.com/watch?v=fnxXNZdf6ew • NOTE: This talk covers new Client <-> VPC VPN support!

  17. AWS Resource Access Manager • Create resources centrally • Govern

    consumption of shared resources • View usage details for shared resources • This covers: • Subnets!? • Resolver Rules • License Configuration • Transit Gateways

  18. Shared VPCs • Share one or more subnets from a

    central shared service account • Enable other accounts to launch compute resources into that VPC • Windows • I need active directory, along with a raft of other centralised services to support a domain joined fleet of servers • “Security” software with a centralised controller

  19. Private Link • create your own application in your VPC

    and configure it to be imported like any other endpoint service. • Requires an NLB to front your service • Supports overlapping IPv4 ranges between servers and consumers • Managed workflow for sharing / requesting access to a VPC Endpoint using this service • This allows VPCs to be totally hidden from the consuming services • DNS is kinda magic*

  20. Private Link

  21. In Summary • IP Networking in AWS is constantly changing,

    always review the manual. • Watch reinvent VPC introduction videos each year at least, refreshing knowledge is key. • Keep things as simple as possible but no simpler • Use off the shelf patterns as a starting point, standing on the shoulders of giants.

  22. Questions • https://www.versent.com.au • https://www.stax.io/ • We are hiring! •

    wolfeidau on twitter / GitHub

  23. Links • https://www.keycdn.com/support/what-is-cidr • https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn- connection-sharing/ • AWS Security Hub

    https://aws.amazon.com/security-hub/ • Images from: • https://unsplash.com/@marcojodoin • Marc-Olivier Jodoin • https://unsplash.com/@adele_payman • Adele Payman