IP Networking in AWS?
• Most common type is IPv4 addressing
• A VPC requires at least one IPv4 CIDR block
• CIDR (Classless Inter-Domain Routing)
• More efficient use of IPv4 address space than classful allocation
• Typically uses private RFC 1918 ranges (recommended by AWS, not mandatory)
Before we Start
• Keep it simple
• Plan for the future, don't build the future now
• Build only what you need
• Lay the groundwork for a solid AWS network
What do I need?
• Keep a register of IPv4 range allocations, and check every new VPC or subnet against it before you allocate
• https://spritelink.github.io/NIPAP/
• DNS, using Route 53
• Secrets, using AWS Secrets Manager and SSM Parameter Store
• X.509 certificates, using AWS Certificate Manager (ACM)
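As an added example (not from the slides, and not NIPAP's code), the checks a range register should run before a VPC CIDR is handed out: prefix length within the AWS VPC limit of /16 to /28, RFC 1918 membership, and no overlap with anything already registered; it also carves per-AZ subnets and accounts for the five addresses AWS reserves in every subnet. The register format and the function names are assumptions made for this example; the sample allocations are constructed.

```python
"""Added example: an IPv4 allocation register with the pre-allocation
checks a VPC CIDR should pass. The register layout (list of
(cidr, owner) tuples) and function names are invented here; the AWS
limits encoded (/16-/28 VPC size, 5 reserved addresses per subnet) are real.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed register: ranges already in use across accounts and on-prem.
REGISTER = [
    ("10.0.0.0/16", "prod-vpc"),
    ("10.1.0.0/16", "staging-vpc"),
    ("10.20.0.0/22", "on-prem-dc1"),
]


def is_rfc1918(net):
    """True if the network sits entirely inside one RFC 1918 block."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_vpc_cidr(cidr, register=REGISTER):
    """Return a list of problems with a proposed VPC CIDR; [] means usable."""
    # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.0/16)
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if net.version != 4:
        problems.append("not IPv4")
        return problems
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} outside AWS VPC range /16-/28")
    if not is_rfc1918(net):
        problems.append("not an RFC 1918 range (allowed, but avoid unless you mean it)")
    for existing, owner in register:
        if net.overlaps(ipaddress.ip_network(existing)):
            problems.append(f"overlaps {existing} ({owner})")
    return problems


def allocate(cidr, owner, register):
    """Record a CIDR in the register only if every check passes."""
    problems = check_vpc_cidr(cidr, register)
    if problems:
        raise ValueError(f"{cidr} rejected: {'; '.join(problems)}")
    register.append((cidr, owner))
    return cidr


def usable_hosts(subnet):
    """AWS reserves 5 addresses per subnet: network, VPC router, DNS,
    one for future use, and the broadcast address."""
    return ipaddress.ip_network(subnet).num_addresses - 5


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve `count` equal-sized subnets (e.g. one per AZ) out of a VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(candidates):
        raise ValueError(f"{vpc_cidr} only yields {len(candidates)} /{new_prefix} subnets")
    return [str(s) for s in candidates[:count]]


if __name__ == "__main__":
    reg = list(REGISTER)
    print(check_vpc_cidr("10.0.128.0/17", reg))   # overlaps prod-vpc
    vpc = allocate("10.2.0.0/16", "new-vpc", reg)
    for s in plan_subnets(vpc, 20, 3):
        print(s, "usable hosts:", usable_hosts(s))
```

Run the register check for subnets as well as VPCs: a subnet that fits the VPC is not enough if the VPC itself already collides with a peer, a VPN range or a shared-services account.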
Open Source
• Start with open source, peer-reviewed designs
• https://github.com/widdix/aws-cf-templates
• Comes with great documentation!
• Great baseline / checklist
• Another grab bag of templates by AWS
• https://github.com/aws-samples/startup-kit-templates
What makes a VPC?
• Made up of AWS resources
• Subnets
• Route tables
• Security Groups
• Internet Gateways (IGW)
• VPNs
• VPC Endpoints
• More every re:Invent...
Transit VPC?
• This option is best suited for customers with the following use cases / requirements:
• AWS resources in spoke VPCs need access to a wide variety of on-premises infrastructure
• The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols)
• They are implementing a hybrid architecture with complex network-routing requirements
• Their security or compliance programs require additional network-based monitoring or filtering between AWS and on-premises resources
• Day 1 CloudFormation support!
Shared VPCs
• Share one or more subnets from a central shared-services account (via AWS Resource Access Manager)
• Enable other accounts to launch compute resources into that VPC
• Windows: I need Active Directory, along with a raft of other centralised services, to support a domain-joined fleet of servers
• "Security" software with a centralised controller
PrivateLink
• Create your own application in your VPC and expose it as an endpoint service, consumed like any other VPC endpoint
• Requires a Network Load Balancer (NLB) to front your service
• Supports overlapping IPv4 ranges between the provider and consumer VPCs (unlike VPC peering)
• Managed workflow for sharing / requesting access to a VPC endpoint using this service
• This allows the provider VPC to be totally hidden from the consuming services
• DNS is kinda magic*
In Summary
• IP networking in AWS is constantly changing; always review the manual.
• Watch the re:Invent VPC introduction videos at least once a year; refreshing knowledge is key.
• Keep things as simple as possible, but no simpler
• Use off-the-shelf patterns as a starting point, standing on the shoulders of giants.