
IP Networking in AWS

Mark Wolfe
December 12, 2018

Presented at the AWS Users Group in Melbourne, 12th of December 2018


  1. IP Networking in AWS?
     • Most common type is IPv4 addressing
     • VPC requires at least one CIDR
     • CIDR (Classless Inter-Domain Routing)
     • More efficient use of IPv4 address space
     • Uses private RFC 1918 ranges
  2. Before we Start
     • Keep it simple
     • Plan for the future, don't build the future now
     • Build only what you need
     • Lay the groundwork for a solid AWS network
  3. What do I need?
     • Keep a register of IPv4 range allocations
       https://spritelink.github.io/NIPAP/
     • DNS, using Route 53
     • Secrets, using AWS Secret Service and SSM
     • X.509 certificates, using AWS Certificate Manager
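The first three slides boil down to one practical control: every VPC CIDR must be a private RFC 1918 range, must not overlap anything already in use (other VPCs, on-premises ranges that will later be reached over VPN or Transit Gateway), and must be recorded somewhere. The following register is an added example written for this page; it is not code from the talk or from NIPAP, and it assumes a simple in-memory register with hypothetical `reserve`, `allocate_vpc` and `next_free` methods. The /16 to /28 bound is AWS's documented limit for VPC CIDR blocks; the sample ranges are constructed.

```python
"""Minimal IPv4 allocation register for planning AWS VPC CIDRs.

Hypothetical helper (not from the slides or NIPAP): keeps on-premises and
VPC ranges in one place so a clash is caught before anything is deployed.
"""
import ipaddress
from typing import Dict, List, Optional, Union

Cidr = Union[str, ipaddress.IPv4Network]

# RFC 1918 private ranges, as referenced in slide 1.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# AWS accepts VPC CIDR blocks between /16 and /28 (documented AWS limit).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def is_rfc1918(cidr: Cidr) -> bool:
    """True if the whole block sits inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(private) for private in RFC1918)


class CidrRegister:
    """Register of every allocated range, keyed by a human-readable name."""

    def __init__(self) -> None:
        self._entries: Dict[str, ipaddress.IPv4Network] = {}

    def overlapping(self, cidr: Cidr) -> List[str]:
        """Names of existing allocations that overlap the candidate block."""
        net = ipaddress.ip_network(cidr)
        return sorted(name for name, alloc in self._entries.items()
                      if alloc.overlaps(net))

    def reserve(self, name: str, cidr: str) -> ipaddress.IPv4Network:
        """Record any range (e.g. an on-premises network) with overlap check only."""
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        clash = self.overlapping(net)
        if clash:
            raise ValueError(f"{cidr} overlaps existing allocation(s): {', '.join(clash)}")
        self._entries[name] = net
        return net

    def allocate_vpc(self, name: str, cidr: str) -> ipaddress.IPv4Network:
        """Record a VPC CIDR after the checks a VPC must pass."""
        net = ipaddress.ip_network(cidr, strict=True)
        if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
            raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
        if not is_rfc1918(net):
            raise ValueError(f"{cidr}: not an RFC 1918 private range")
        return self.reserve(name, cidr)

    def next_free(self, parent: str, prefix: int) -> Optional[ipaddress.IPv4Network]:
        """First /prefix block inside parent that collides with nothing registered."""
        for candidate in ipaddress.ip_network(parent).subnets(new_prefix=prefix):
            if not self.overlapping(candidate):
                return candidate
        return None


if __name__ == "__main__":
    # Constructed sample: one on-premises range plus a first VPC.
    register = CidrRegister()
    register.reserve("on-prem-dc", "10.0.0.0/16")
    register.allocate_vpc("prod-vpc", "10.1.0.0/16")
    print("next free /16 under 10/8:", register.next_free("10.0.0.0/8", 16))
    try:
        register.allocate_vpc("dev-vpc", "10.1.128.0/17")
    except ValueError as err:
        print("rejected:", err)
```

Reserving the on-premises range first is the point of the register: a VPC that overlaps it will look fine on its own and only fail once a VPN or Transit Gateway route has to choose between the two.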
  4. Open Source
     • Start with open source, peer-reviewed designs
       https://github.com/widdix/aws-cf-templates
     • Comes with great documentation!
     • Great baseline / checklist
     • Another grab bag of templates by AWS
       https://github.com/aws-samples/startup-kit-templates
  5. VPC with private and public subnets in two Availability Zones
  6. What makes a VPC? Made up of AWS resources:
     • Subnets
     • Routes
     • Security Groups
     • Internet Gateways (IGW)
     • VPNs
     • VPC Endpoints
     • More every re:Invent...
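Slides 5 and 6 describe the baseline layout: one VPC CIDR carved into a public and a private subnet per Availability Zone, with the public tier routing its default route to the Internet Gateway and the private tier via NAT. The planner below is an added example for this page, not code from the talk or the widdix templates; it assumes equal-sized subnets handed out in order, hypothetical `plan_subnets`, `check_plan` and `route_tables` helpers, and constructed AZ names. The five addresses subtracted per subnet are the ones AWS reserves in every subnet.

```python
"""Carve a VPC CIDR into public/private subnets across Availability Zones.

Hypothetical planner (not from the slides or any template): produces the
subnet list and the default-route target each subnet needs, and checks that
the plan fits the VPC without overlaps.
"""
import ipaddress
from typing import Dict, List

TIERS = ("public", "private")   # public -> IGW, private -> NAT gateway
AWS_RESERVED_PER_SUBNET = 5     # network, VPC router, DNS, reserved, broadcast


def plan_subnets(vpc_cidr: str, azs: List[str], subnet_prefix: int = 20) -> List[Dict[str, object]]:
    """One subnet per (tier, AZ), allocated in order from the VPC range."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= subnet_prefix <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    blocks = vpc.subnets(new_prefix=subnet_prefix)  # raises if prefix not longer than VPC
    needed = len(TIERS) * len(azs)
    plan: List[Dict[str, object]] = []
    for tier in TIERS:
        for az in azs:
            try:
                block = next(blocks)
            except StopIteration:
                raise ValueError(f"{vpc_cidr} cannot hold {needed} /{subnet_prefix} subnets")
            plan.append({
                "name": f"{tier}-{az}",
                "az": az,
                "tier": tier,
                "cidr": str(block),
                "usable_hosts": block.num_addresses - AWS_RESERVED_PER_SUBNET,
                "default_route": "igw" if tier == "public" else "nat",
            })
    return plan


def check_plan(vpc_cidr: str, plan: List[Dict[str, object]]) -> bool:
    """Every subnet inside the VPC, and no two subnets overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(str(s["cidr"])) for s in plan]
    for i, a in enumerate(nets):
        if not a.subnet_of(vpc):
            raise ValueError(f"{a} is outside {vpc}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def route_tables(plan: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group subnet names by the default-route target their route table needs."""
    tables: Dict[str, List[str]] = {}
    for s in plan:
        tables.setdefault(str(s["default_route"]), []).append(str(s["name"]))
    return tables


if __name__ == "__main__":
    # Constructed sample: a /16 VPC across two AZs, /20 per subnet.
    azs = ["ap-southeast-2a", "ap-southeast-2b"]
    plan = plan_subnets("10.0.0.0/16", azs)
    check_plan("10.0.0.0/16", plan)
    for s in plan:
        print(f'{s["name"]:<24} {s["cidr"]:<16} hosts={s["usable_hosts"]} route={s["default_route"]}')
    print(route_tables(plan))
```

Keeping the whole VPC range larger than the subnets you carve today is what "plan for the future, don't build the future now" means in practice: the unused /20s stay free for a third AZ or a new tier without renumbering.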
  7. Just Getting Started?
     • VPC Fundamentals and Connectivity Options (NET201) by Gina Morris
       https://www.youtube.com/watch?v=jZAvKgqlrjY
  8. Transit Gateway
     • Dynamic and static layer 3 routing between Amazon Virtual Private Clouds (VPCs) and VPN
     • VPN connections between your AWS Transit Gateway and on-premises gateways using VPN
     • AWS Transit Gateway provides monitoring via CloudWatch metrics / logs
  9. Transit VPC? This option is best suited for customers with the following use cases / requirements:
     • AWS resources in spoke VPCs need access to a wide variety of on-premises infrastructure
     • The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols)
     • They are implementing a hybrid architecture with complex network-routing requirements
     • Their security or compliance programs require additional network-based monitoring or filtering between AWS and on-premises resources
     • Day 1 CloudFormation support!
  10. Learn More!
     • Introducing AWS Transit Gateway (NET331)
       https://www.youtube.com/watch?v=yQGxPEGt_-w
     • Advanced VPC Design and New Capabilities for Amazon VPC (NET303)
       https://www.youtube.com/watch?v=fnxXNZdf6ew
       NOTE: This talk covers new Client <-> VPC VPN support!
  11. AWS Resource Access Manager
     • Create resources centrally
     • Govern consumption of shared resources
     • View usage details for shared resources
     • This covers:
       • Subnets!?
       • Resolver Rules
       • License Configuration
       • Transit Gateways
  12. Shared VPCs
     • Share one or more subnets from a central shared-service account
     • Enable other accounts to launch compute resources into that VPC
     • Windows: I need Active Directory, along with a raft of other centralised services, to support a domain-joined fleet of servers
     • "Security" software with a centralised controller
  13. PrivateLink
     • Create your own application in your VPC and configure it to be imported like any other endpoint service
     • Requires an NLB to front your service
     • Supports overlapping IPv4 ranges between servers and consumers
     • Managed workflow for sharing / requesting access to a VPC Endpoint using this service
     • This allows VPCs to be totally hidden from the consuming services
     • DNS is kinda magic*
  14. In Summary
     • IP Networking in AWS is constantly changing; always review the manual
     • Watch the re:Invent VPC introduction videos at least once each year; refreshing knowledge is key
     • Keep things as simple as possible, but no simpler
     • Use off-the-shelf patterns as a starting point, standing on the shoulders of giants
  15. Links
     • https://www.keycdn.com/support/what-is-cidr
     • https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
     • AWS Security Hub: https://aws.amazon.com/security-hub/
     • Images from:
       • Marc-Olivier Jodoin, https://unsplash.com/@marcojodoin
       • Adele Payman, https://unsplash.com/@adele_payman