
IP Networking in AWS

Mark Wolfe
December 12, 2018

Presented at the AWS Users Group in Melbourne 12th of December 2018


Transcript

  1. IP Networking in AWS Mark Wolfe @ Versent

  2. Welcome
     • @wolfeidau on Twitter
     • https://github.com/wolfeidau
     • APN Ambassador @ Versent

  3. IP Networking in AWS?
     • Most common type is IPv4 addressing
     • VPC requires at least one CIDR
     • CIDR (Classless Inter-Domain Routing)
     • More efficient use of IPv4 address space
     • Uses private RFC 1918 ranges

  4. Before we Start
     • Keep it simple
     • Plan for the future, don't build the future now
     • Build only what you need
     • Lay the groundwork for a solid AWS network

  5. What do I need?
     • Keep a register of IPv4 range allocations
     • https://spritelink.github.io/NIPAP/
     • DNS, using Route 53
     • Secrets, using AWS Secret Service and SSM
     • X509 certificates, using AWS Certificate Manager
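The register of IPv4 range allocations recommended above is easy to check mechanically. The following is an added example, not code from the deck or from NIPAP: a small Python script that validates a constructed register against the RFC 1918 ranges and the AWS VPC CIDR size limits (/16 to /28), flags overlapping allocations (which would rule out VPC peering between those VPCs), and finds the next free /16 in the 10.0.0.0/8 pool. The VPC labels and CIDRs in REGISTER are constructed sample data.

```python
import ipaddress

# RFC 1918 private ranges, the address space the deck recommends for VPCs.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS accepts VPC CIDR blocks with a prefix length between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28

# Constructed sample register: (VPC label, CIDR). Not a real environment.
REGISTER = [
    ("shared-services-vpc", "10.0.0.0/16"),
    ("prod-app-vpc", "10.1.0.0/16"),
    ("dev-app-vpc", "10.1.128.0/17"),   # overlaps prod-app-vpc
    ("legacy-vpc", "203.0.113.0/24"),   # TEST-NET-3, not RFC 1918
    ("tiny-vpc", "192.168.0.0/30"),     # smaller than AWS allows
]


def check_register(register):
    """Return a list of (label, problem) findings for a CIDR register."""
    findings = []
    seen = []
    for label, cidr in register:
        # strict=True rejects CIDRs with host bits set, e.g. 10.1.1.0/16.
        net = ipaddress.ip_network(cidr, strict=True)
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append((label, "not in an RFC 1918 private range"))
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            findings.append((label, f"/{net.prefixlen} is outside the "
                                    f"AWS VPC range /{MIN_PREFIX}-/{MAX_PREFIX}"))
        for other_label, other in seen:
            if net.overlaps(other):
                findings.append((label, f"overlaps {other_label} ({other}); "
                                        "VPC peering between them is impossible"))
        seen.append((label, net))
    return findings


def next_free(register, pool="10.0.0.0/8", prefixlen=16):
    """Return the first block of the given size in pool not overlapping any allocation."""
    used = [ipaddress.ip_network(c) for _, c in register]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


if __name__ == "__main__":
    for label, problem in check_register(REGISTER):
        print(f"{label}: {problem}")
    print("next free /16:", next_free(REGISTER))
```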
  6. Open Source
     • Start with open source, peer-reviewed designs
     • https://github.com/widdix/aws-cf-templates
     • Comes with great documentation!
     • Great baseline / checklist
     • Another grab bag of templates by AWS
     • https://github.com/aws-samples/startup-kit-templates

  7. VPC with private and public subnets in two Availability Zones
     • https://templates.cloudonaut.io/en/stable/vpc/

  8. What makes a VPC?
     • Made up of AWS resources
     • Subnets
     • Routes
     • Security Groups
     • Internet Gateways (IGW)
     • VPNs
     • VPC Endpoints
     • More every re:Invent...

  9. Just Getting Started?
     • VPC Fundamentals and Connectivity Options (NET201) by Gina Morris
     • https://www.youtube.com/watch?v=jZAvKgqlrjY
  10. Onto the New Stuff

  11. VPC Peering

  12. Transit Gateway
     • Dynamic and static layer 3 routing between Amazon Virtual Private Clouds (VPCs) and VPN
     • VPN connections between your AWS Transit Gateway and on-premises gateways using VPN
     • AWS Transit Gateway provides monitoring via CloudWatch metrics / logs

  13. (image slide, no text)

  14. (image slide, no text)

  15. Transit VPC?
     • This option is best suited for customers with the following use cases / requirements:
     • AWS resources in spoke VPCs need access to a wide variety of on-premises infrastructure
     • The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols)
     • They are implementing a hybrid architecture with complex network-routing requirements
     • Their security or compliance programs require additional network-based monitoring or filtering between AWS and on-premises resources
     • Day 1 CloudFormation support!

  16. Learn More!
     • Introducing AWS Transit Gateway (NET331)
     • https://www.youtube.com/watch?v=yQGxPEGt_-w
     • Advanced VPC Design and New Capabilities for Amazon VPC (NET303)
     • https://www.youtube.com/watch?v=fnxXNZdf6ew
     • NOTE: This talk covers the new Client <-> VPC VPN support!

  17. AWS Resource Access Manager
     • Create resources centrally
     • Govern consumption of shared resources
     • View usage details for shared resources
     • This covers:
     • Subnets!?
     • Resolver Rules
     • License Configuration
     • Transit Gateways

  18. Shared VPCs
     • Share one or more subnets from a central shared service account
     • Enable other accounts to launch compute resources into that VPC
     • Windows: I need Active Directory, along with a raft of other centralised services, to support a domain-joined fleet of servers
     • "Security" software with a centralised controller

  19. Private Link
     • Create your own application in your VPC and configure it to be imported like any other endpoint service.
     • Requires an NLB to front your service
     • Supports overlapping IPv4 ranges between servers and consumers
     • Managed workflow for sharing / requesting access to a VPC Endpoint using this service
     • This allows VPCs to be totally hidden from the consuming services
     • DNS is kinda magic*

  20. Private Link

  21. In Summary
     • IP Networking in AWS is constantly changing; always review the manual.
     • Watch the re:Invent VPC introduction videos at least once each year; refreshing knowledge is key.
     • Keep things as simple as possible, but no simpler
     • Use off-the-shelf patterns as a starting point, standing on the shoulders of giants.

  22. Questions
     • https://www.versent.com.au
     • https://www.stax.io/
     • We are hiring!
     • wolfeidau on Twitter / GitHub

  23. Links
     • https://www.keycdn.com/support/what-is-cidr
     • https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
     • AWS Security Hub: https://aws.amazon.com/security-hub/
     • Images from:
     • https://unsplash.com/@marcojodoin (Marc-Olivier Jodoin)
     • https://unsplash.com/@adele_payman (Adele Payman)