Upgrade to Pro — share decks privately, control downloads, hide ads and more …

IP Networking in AWS

Mark Wolfe
December 12, 2018
0
58

IP Networking in AWS

Presented at the AWS Users Group in Melbourne 12th of December 2018

Mark Wolfe

December 12, 2018
Tweet

More Decks by Mark Wolfe

See All by Mark Wolfe
Getting Into Vue.js
wolfeidau
0
180
AWS Automation With Lambda
wolfeidau
1
85
Ansible and Cloudformation
wolfeidau
1
220
Docker Security
wolfeidau
0
180
Building a Proxy in Go
wolfeidau
2
360
Using JWT to Authenticate Microservices
wolfeidau
1
240
Managing Secrets IN AWS
wolfeidau
0
130
ESPlant Workshop Firmware Overview and Demos
wolfeidau
0
110
Go kit - A Distributed Programming Toolkit
wolfeidau
0
140

Featured

See All Featured
A better future with KSS
kneath
238
17k
Documentation Writing (for coders)
carmenintech
65
4.4k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
The Pragmatic Product Professional
lauravandoore
31
6.3k
The Invisible Side of Design
smashingmag
298
50k
Designing the Hi-DPI Web
ddemaree
280
34k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Designing Experiences People Love
moore
138
23k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Product Roadmaps are Hard
iamctodd
PRO
49
11k

Transcript

  1. IP Networking in AWS Mark Wolfe @ Versent

  2. Welcome • @wolfeidau on Twitter • https://github.com/wolfeidau • APN Ambassador

    @ Versent

  3. IP Networking in AWS? • Most common type is IPv4

    addressing • VPC requires at least one CIDR • CIDR (Classless Inter-Domain Routing) • More Efficient use of IPv4 address space • Uses private RFC 1918 ranges

  4. Before we Start • Keep it simple • Plan for

    the future, don't build the future now • Build only what you need • Lay the ground work for a solid AWS network

  5. What do I need? • Keep a register of IPv4

    range allocations • https://spritelink.github.io/NIPAP/ • DNS, using route53 • Secrets, using AWS Secret Service and SSM • X509 certificates, using AWS Certificate manager

  6. Opensource • Start with Open Source, peer reviewed designs •

    https://github.com/widdix/aws-cf-templates • Comes with great documentation! • Great baseline / checklist • Another grab bag of templates by AWS • https://github.com/aws-samples/startup-kit- templates

  7. VPC with private and public subnets in two Availability Zones

    https://templates.cloudonaut.io/en/stable/vpc/

  8. What makes a VPC? • Made up of AWS Resources

    • Subnets • Routes • Security Groups • Internet Gateways (IGW) • VPNs • VPC Endpoints • More every reinvent..

  9. Just Getting Started? • VPC Fundamentals and Connectivity Options (NET201)

    by Gina Morris • https://www.youtube.com/watch?v=jZAvKgqlrjY

  10. Onto the New Stuff

  11. VPC Peering

  12. Transit Gateway • Dynamic and static layer 3 routing between

    Amazon Virtual Private Clouds (VPCs) and VPN • VPN connections between your AWS Transit Gateway and on-premises gateways using VPN • AWS Transit Gateway provides monitoring via cloudwatch metrics / logs
  13. None
  14. None

  15. Transit VPC? • This option is best suited for customers

    with the following use case/ requirements: • AWS resources in spoke VPCs need access to a wide variety of on- premises infrastructure • The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols) • They are implementing a hybrid architecture with complex network- routing requirements • Their security or compliance programs require additional network- based monitoring or filtering between AWS and on-premises resources • Day 1 CloudFormation support!

  16. Learn More! • Introducing AWS Transit Gateway (NET331) • https://www.youtube.com/watch?v=yQGxPEGt_-w

    • Advanced VPC Design and New Capabilities for Amazon VPC (NET303) • https://www.youtube.com/watch?v=fnxXNZdf6ew • NOTE: This talk covers new Client <-> VPC VPN support!

  17. AWS Resource Access Manager • Create resources centrally • Govern

    consumption of shared resources • View usage details for shared resources • This covers: • Subnets!? • Resolver Rules • License Configuration • Transit Gateways

  18. Shared VPCs • Share one or more subnets from a

    central shared service account • Enable other accounts to launch compute resources into that VPC • Windows • I need active directory, along with a raft of other centralised services to support a domain joined fleet of servers • “Security” software with a centralised controller

  19. Private Link • create your own application in your VPC

    and configure it to be imported like any other endpoint service. • Requires an NLB to front your service • Supports overlapping IPv4 ranges between servers and consumers • Managed workflow for sharing / requesting access to a VPC Endpoint using this service • This allows VPCs to be totally hidden from the consuming services • DNS is kinda magic*

  20. Private Link

  21. In Summary • IP Networking in AWS is constantly changing,

    always review the manual. • Watch reinvent VPC introduction videos each year at least, refreshing knowledge is key. • Keep things as simple as possible but no simpler • Use off the shelf patterns as a starting point, standing on the shoulders of giants.

  22. Questions • https://www.versent.com.au • https://www.stax.io/ • We are hiring! •

    wolfeidau on twitter / GitHub

  23. Links • https://www.keycdn.com/support/what-is-cidr • https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn- connection-sharing/ • AWS Security Hub

    https://aws.amazon.com/security-hub/ • Images from: • https://unsplash.com/@marcojodoin • Marc-Olivier Jodoin • https://unsplash.com/@adele_payman • Adele Payman