Presented at the AWS Users Group in Melbourne 12th of December 2018
IP Networking in AWS
Mark Wolfe @ Versent
• @wolfeidau on Twitter
• APN Ambassador @ Versent
IP Networking in AWS?
• Most common type is IPv4 addressing
• VPC requires at least one CIDR
• CIDR (Classless Inter-Domain Routing)
• More efficient use of IPv4 address space
• Uses private RFC 1918 ranges
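Added example, not code from the talk: a small IPv4 allocation register that enforces the points on this slide and the "keep a register of IPv4 range allocations" advice that follows. Every VPC CIDR is checked to be a well-formed prefix within the VPC size limits, inside one of the RFC 1918 private ranges, and non-overlapping with anything already allocated (overlaps are what later break VPC peering and Transit Gateway routing). The owner names and CIDRs are constructed sample data.

```python
"""Added example: a minimal IPv4 allocation register for VPC CIDRs.
Owner names and CIDRs used below are constructed sample data."""
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# RFC 1918 private address space; VPC CIDRs normally come from here.
RFC1918: List[IPv4Net] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: IPv4Net) -> bool:
    """True when the whole network lies inside one RFC 1918 range."""
    return any(net.subnet_of(block) for block in RFC1918)


class CidrRegister:
    """Owner -> VPC CIDR register with overlap checking."""

    def __init__(self) -> None:
        self.allocations: Dict[str, IPv4Net] = {}

    def conflicts(self, net: IPv4Net) -> List[str]:
        """Owners whose existing allocation overlaps `net`."""
        return sorted(owner for owner, existing in self.allocations.items()
                      if existing.overlaps(net))

    def register(self, owner: str, cidr: str) -> IPv4Net:
        # strict=True rejects entries such as "10.2.0.1/16" (host bits set),
        # a common typo that would otherwise silently widen the allocation.
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"{cidr}: this register only handles IPv4")
        if not 16 <= net.prefixlen <= 28:
            raise ValueError(f"{cidr}: VPC CIDRs must be between /16 and /28")
        if not is_rfc1918(net):
            raise ValueError(f"{cidr}: not in an RFC 1918 range")
        clash = self.conflicts(net)
        if clash:
            raise ValueError(f"{cidr}: overlaps allocation(s) owned by {', '.join(clash)}")
        self.allocations[owner] = net
        return net

    def next_free(self, parent: str, prefixlen: int) -> Optional[IPv4Net]:
        """First /<prefixlen> inside `parent` that overlaps nothing registered."""
        for candidate in ipaddress.ip_network(parent).subnets(new_prefix=prefixlen):
            if not self.conflicts(candidate):
                return candidate
        return None


if __name__ == "__main__":
    reg = CidrRegister()
    reg.register("shared-services", "10.0.0.0/16")
    reg.register("prod-app", "10.1.0.0/16")
    for owner, cidr in (("dev", "10.1.128.0/17"), ("public-typo", "8.8.0.0/16")):
        try:
            reg.register(owner, cidr)
        except ValueError as err:
            print("rejected:", err)
    print("next free /16 under 10/8:", reg.next_free("10.0.0.0/8", 16))
```

The /16 to /28 bounds are the VPC CIDR size limits; the register rejects a second /16 carved out of an existing one, so "just reuse 10.1.x for dev" gets caught at allocation time rather than when the peering or Transit Gateway route fails.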
Before we Start
• Keep it simple
• Plan for the future, don't build the future now
• Build only what you need
• Lay the ground work for a solid AWS network
What do I need?
• Keep a register of IPv4 range allocations
• DNS, using Route 53
• Secrets, using AWS Secret Service and SSM
• X.509 certificates, using AWS Certificate Manager
• Start with Open Source, peer reviewed designs
• Comes with great documentation!
• Great baseline / checklist
• Another grab bag of templates by AWS
VPC with private and public subnets in two Availability Zones
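Added example, not code from the talk or from the AWS reference templates it points to: carve a VPC CIDR into public and private subnets across two Availability Zones and emit the matching CloudFormation resources as JSON. The VPC CIDR (10.0.0.0/16) and the /20 subnet size are constructed sample values; AZ names are resolved at deploy time with Fn::GetAZs so the template is not tied to a region. The point to notice is that only the public tier gets a route to the Internet Gateway and public IPs on launch.

```python
"""Added example: two-AZ public/private subnet plan as a CloudFormation template.
The VPC CIDR and subnet size are constructed sample values."""
import ipaddress
import json
from typing import Dict, List


def plan_subnets(vpc_cidr: str, az_count: int = 2, subnet_prefix: int = 20) -> List[dict]:
    """Split the VPC CIDR into equal blocks: first az_count are public (one per AZ),
    the next az_count are private. Leftover blocks stay unused on purpose, leaving
    room to add tiers later without re-addressing."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=subnet_prefix))
    if len(blocks) < 2 * az_count:
        raise ValueError(f"{vpc_cidr} cannot hold {2 * az_count} /{subnet_prefix} subnets")
    plan = []
    for tier, offset in (("public", 0), ("private", az_count)):
        for i in range(az_count):
            plan.append({"name": f"{tier.capitalize()}{i}", "tier": tier,
                         "az_index": i, "cidr": str(blocks[offset + i])})
    return plan


def build_template(vpc_cidr: str, az_count: int = 2) -> Dict:
    """CloudFormation template (as a dict). Public subnets share one route table with a
    default route to the IGW; each private subnet gets its own route table holding only
    the implicit local route, so nothing launched there is internet-reachable until a
    NAT gateway route is deliberately added per AZ."""
    ref = lambda name: {"Ref": name}
    resources: Dict[str, dict] = {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {
            "CidrBlock": vpc_cidr, "EnableDnsSupport": True, "EnableDnsHostnames": True}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "GatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": ref("VPC"), "InternetGatewayId": ref("InternetGateway")}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable",
                             "Properties": {"VpcId": ref("VPC")}},
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "GatewayAttachment",
                               "Properties": {"RouteTableId": ref("PublicRouteTable"),
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": ref("InternetGateway")}},
    }
    for subnet in plan_subnets(vpc_cidr, az_count):
        subnet_id = f"{subnet['name']}Subnet"
        is_public = subnet["tier"] == "public"
        resources[subnet_id] = {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": ref("VPC"), "CidrBlock": subnet["cidr"],
            "AvailabilityZone": {"Fn::Select": [subnet["az_index"], {"Fn::GetAZs": ""}]},
            "MapPublicIpOnLaunch": is_public}}
        if is_public:
            route_table = "PublicRouteTable"
        else:
            route_table = f"{subnet['name']}RouteTable"
            resources[route_table] = {"Type": "AWS::EC2::RouteTable",
                                      "Properties": {"VpcId": ref("VPC")}}
        resources[f"{subnet_id}RouteAssociation"] = {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": ref(subnet_id), "RouteTableId": ref(route_table)}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def internet_routed_subnets(template: Dict) -> List[str]:
    """Subnets whose route table carries a 0.0.0.0/0 route to a gateway: a quick
    review check that only the public tier is internet-facing."""
    res = template["Resources"]
    igw_tables = {r["Properties"]["RouteTableId"]["Ref"] for r in res.values()
                  if r["Type"] == "AWS::EC2::Route"
                  and r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
                  and "GatewayId" in r["Properties"]}
    return sorted(r["Properties"]["SubnetId"]["Ref"] for r in res.values()
                  if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"
                  and r["Properties"]["RouteTableId"]["Ref"] in igw_tables)


if __name__ == "__main__":
    print(json.dumps(build_template("10.0.0.0/16"), indent=2))
```

Run it and feed the JSON to `aws cloudformation deploy`; `internet_routed_subnets` is the kind of check worth keeping in a pipeline so a later edit that attaches a private subnet to the public route table is caught before it deploys.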
What makes a VPC?
• Made up of AWS Resources
• Security Groups
• Internet Gateways (IGW)
• VPC Endpoints
• More added every re:Invent
Just Getting Started?
• VPC Fundamentals and Connectivity Options (NET201) by Gina Morris
Onto the New Stuff
• Dynamic and static layer 3 routing between Amazon Virtual Private Clouds (VPCs) and VPN
• VPN connections between your AWS Transit Gateway and on-premises gateways using VPN
• AWS Transit Gateway provides monitoring via CloudWatch metrics / logs
• This option is best suited for customers with the following use cases:
• AWS resources in spoke VPCs need access to a wide variety of on-
• The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols)
• They are implementing a hybrid architecture with complex network-
• Their security or compliance programs require additional network-based monitoring or filtering between AWS and on-premises resources
• Day 1 CloudFormation support!
• Introducing AWS Transit Gateway (NET331)
• Advanced VPC Design and New Capabilities for Amazon VPC (NET303)
• NOTE: This talk covers new Client <-> VPC VPN
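Added example, not code from the talk: a small model of Transit Gateway route tables for checking a hub-and-spoke segmentation design before building it. Attachment names, CIDRs and route table names are constructed. The model keeps the rules that matter for the design: each attachment is associated with exactly one route table, lookups use the longest matching prefix, and a blackhole route drops traffic rather than forwarding it. It does not model the real service's preference for static over propagated routes of equal length.

```python
"""Added example: a paper model of Transit Gateway route tables.
Attachment names, CIDRs and route table names are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

BLACKHOLE = "blackhole"


class TransitGatewayModel:
    def __init__(self) -> None:
        self.attachments: Dict[str, ipaddress.IPv4Network] = {}  # attachment -> CIDR behind it
        self.association: Dict[str, str] = {}                     # attachment -> its route table
        self.routes: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {}

    def add_attachment(self, name: str, cidr: str, route_table: str) -> None:
        self.attachments[name] = ipaddress.ip_network(cidr)
        self.association[name] = route_table
        self.routes.setdefault(route_table, [])

    def add_static_route(self, route_table: str, cidr: str, target: str) -> None:
        self.routes.setdefault(route_table, []).append((ipaddress.ip_network(cidr), target))

    def propagate(self, attachment: str, route_table: str) -> None:
        """Propagation: the attachment's CIDR appears in the table, pointing at it."""
        self.add_static_route(route_table, str(self.attachments[attachment]), attachment)

    def lookup(self, src_attachment: str, dst_ip: str) -> Optional[str]:
        """Attachment the TGW would forward to, BLACKHOLE, or None (no route)."""
        ip = ipaddress.ip_address(dst_ip)
        table = self.routes[self.association[src_attachment]]
        matches = [(net, target) for net, target in table if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_segmented_design() -> TransitGatewayModel:
    """Spokes reach shared services and on-premises, never each other."""
    tgw = TransitGatewayModel()
    tgw.add_attachment("spoke-a", "10.1.0.0/16", "rt-spokes")
    tgw.add_attachment("spoke-b", "10.2.0.0/16", "rt-spokes")
    tgw.add_attachment("shared-services", "10.0.0.0/16", "rt-hub")
    tgw.add_attachment("onprem-vpn", "192.168.0.0/16", "rt-hub")
    # The spoke table only learns the hub and on-premises prefixes ...
    tgw.propagate("shared-services", "rt-spokes")
    tgw.propagate("onprem-vpn", "rt-spokes")
    # ... plus a blackhole for the rest of 10/8: if a 0.0.0.0/0 route towards an
    # egress or on-premises attachment is added later, spoke-to-spoke traffic is
    # still dropped instead of being hairpinned through it.
    tgw.add_static_route("rt-spokes", "10.0.0.0/8", BLACKHOLE)
    # The hub table learns everything, so shared services and on-premises reach all spokes.
    for attachment in list(tgw.attachments):
        tgw.propagate(attachment, "rt-hub")
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_design()
    for src, dst in (("spoke-a", "10.2.0.5"), ("spoke-a", "10.0.0.5"),
                     ("spoke-a", "192.168.1.1"), ("onprem-vpn", "10.2.0.5")):
        print(f"{src} -> {dst}: {tgw.lookup(src, dst)}")
```

Once the model gives the reachability you intend, the same design maps one-to-one onto the CloudFormation resources mentioned on the slide: a route table per segment, one association per attachment, propagations for the learned prefixes, and a static route with Blackhole set for the deny.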
AWS Resource Access
• Create resources centrally
• Govern consumption of shared resources
• View usage details for shared resources
• This covers:
• Resolver Rules
• License Configuration
• Transit Gateways
• Share one or more subnets from a central shared
• Enable other accounts to launch compute resources into that VPC
• I need Active Directory, along with a raft of other centralised services, to support a domain-joined fleet of servers
• “Security” software with a centralised controller
• Create your own application in your VPC and configure it to be imported like any other endpoint service.
• Requires an NLB to front your service
• Supports overlapping IPv4 ranges between servers and
• Managed workflow for sharing / requesting access to a VPC Endpoint using this service
• This allows VPCs to be totally hidden from the consuming
• DNS is kinda magic*
• IP Networking in AWS is constantly changing; always review the manual.
• Watch the re:Invent VPC introduction videos at least once a year; refreshing knowledge is key.
• Keep things as simple as possible, but no simpler
• Use off-the-shelf patterns as a starting point, standing on the shoulders of giants.
• We are hiring!
• wolfeidau on Twitter / GitHub
• AWS Security Hub https://aws.amazon.com/security-hub/
• Images from:
• Marc-Olivier Jodoin
• Adele Payman