
Networking in AWS

© 2020, Amazon Web Services, Inc. or its Affiliates.


Agenda

• Amazon VPC – Virtual Private Cloud
• VPC Building Blocks
• VPC Security
• VPC Connectivity Options
• Connect your Data Center to AWS
• Traffic Distribution


Amazon VPC


Amazon VPC - Virtual Private Cloud

Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

Bring your own network: IP Addresses, Subnets, Network Topology, Routing Rules, Security Rules


Amazon Virtual Private Cloud (VPC)

[Diagram: AWS Cloud containing a VPC with Amazon EC2, AWS Lambda, Amazon RDS, Amazon Redshift, Amazon DynamoDB and Amazon Simple Storage Service (S3); caption: Your Network goes here]


VPC Building Blocks


How to segment my networks inside a VPC?
VPC Subnets

• You can add one or more subnets in each Availability Zone
• AZs provide fault isolation
• Subnets are allocated as a subset of the VPC CIDR range

[Diagram: VPC 10.0.0.0/16. Availability Zone A holds Subnet A1 10.0.0.0/24 and Subnet A2 10.0.1.0/24; Availability Zone B holds Subnet B1 10.0.2.0/24 and Subnet B2 10.0.3.0/24]
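The subnet layout above can be planned and checked mechanically. The following Python script is an added example and not part of the AWS deck: it slices the VPC CIDR into equal blocks, deals them out per Availability Zone, and validates that each subnet is a subset of the VPC range and that no two subnets overlap. The VPC range, AZ names and subnet count are constructed to mirror the slide; the reserved-address rule in usable_addresses is general AWS behaviour that the slide does not state.

```python
"""Added example, not part of the AWS deck: carve per-AZ subnets out of a VPC
CIDR and check them the way the slide describes, i.e. every subnet must be a
subset of the VPC range and no two subnets may overlap."""
import ipaddress
from typing import Dict, List

# Constructed sample input mirroring the slide: VPC 10.0.0.0/16, two AZs,
# two /24 subnets per AZ.
VPC_CIDR = "10.0.0.0/16"
AZS = ["A", "B"]


def plan_subnets(vpc_cidr: str, azs: List[str], per_az: int, prefix: int) -> Dict[str, List[str]]:
    """Slice the VPC CIDR into equal /prefix blocks and deal them out one AZ at
    a time, returning {az: [subnet_cidr, ...]}."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    blocks = vpc.subnets(new_prefix=prefix)      # lazy iterator over IPv4Network
    return {az: [str(next(blocks)) for _ in range(per_az)] for az in azs}


def validate(vpc_cidr: str, plan: Dict[str, List[str]]) -> List[str]:
    """Return human-readable problems with a plan; an empty list means valid."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(az, ipaddress.ip_network(c)) for az, cidrs in plan.items() for c in cidrs]
    # Every subnet must be carved from the VPC range.
    problems = [f"{n} in AZ {az} is not inside VPC {vpc}"
                for az, n in nets if not n.subnet_of(vpc)]
    # No two subnets may overlap, regardless of which AZ they sit in.
    for i, (az1, n1) in enumerate(nets):
        for az2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{n1} ({az1}) overlaps {n2} ({az2})")
    return problems


def usable_addresses(subnet_cidr: str) -> int:
    """Hosts you can actually place in a subnet.  AWS reserves the first four
    addresses and the last address of every subnet (a known AWS rule, not
    stated on the slide), so a /24 yields 251, not 254 or 256."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, AZS, per_az=2, prefix=24)
    for az, cidrs in plan.items():
        for cidr in cidrs:
            print(f"AZ {az}: {cidr} ({usable_addresses(cidr)} usable addresses)")
    print("problems:", validate(VPC_CIDR, plan) or "none")
```

validate returns an empty list for a good plan and one message per problem otherwise, so it drops straight into a pre-deployment check; the overlap test is the same one you need before peering two VPCs.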


How to direct traffic out of my Subnets?
Subnets and Route Tables

• Each subnet can have a unique Route Table
• Route Tables direct traffic out of the VPC, towards:
  • Internet Gateway
  • Virtual Private Gateway
  • VPC Endpoints
  • Direct Connect
  • VPC Peering
  • AWS Transit Gateway
• Subnets are named “Public Subnets” when connected to an Internet Gateway

[Diagram: VPC with an Internet gateway and a Router; two Public subnets and one Private subnet, each with its own Route table; the Private subnet connects to a Corporate data center]
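To make the route-table behaviour concrete, here is an added Python example (not from the deck) that performs longest-prefix lookup in a subnet route table, classifies a subnet as public or private by whether its table points at an Internet Gateway, and describes the egress path for a destination. The route tables and the igw-/nat-/vgw- target ids are constructed placeholders that follow the AWS naming convention.

```python
"""Added example, not part of the AWS deck: evaluate a subnet route table the
way the slide describes.  Entries are (destination CIDR, target); the most
specific matching prefix wins, and a subnet counts as public when its table
has a route to an Internet Gateway.  Target ids are placeholders."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Constructed sample route tables.  Target prefixes follow the AWS naming
# convention (local, igw-, nat-, vgw-, pcx-, tgw-, vpce-); the ids are made up.
PUBLIC_RT: List[Route] = [("10.0.0.0/16", "local"),
                          ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT: List[Route] = [("10.0.0.0/16", "local"),
                           ("192.168.0.0/16", "vgw-PLACEHOLDER"),   # corporate data center
                           ("0.0.0.0/0", "nat-PLACEHOLDER")]
ISOLATED_RT: List[Route] = [("10.0.0.0/16", "local")]

TARGET_NAMES = {"igw": "Internet Gateway", "nat": "NAT Gateway",
                "vgw": "Virtual Private Gateway", "pcx": "VPC Peering",
                "tgw": "AWS Transit Gateway", "vpce": "VPC Endpoint"}


def lookup(route_table: List[Route], destination: str) -> Optional[str]:
    """Longest-prefix match; None means no route matches and traffic is dropped."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def is_public_subnet(route_table: List[Route]) -> bool:
    """Public subnet: at least one route whose target is an Internet Gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def egress_path(route_table: List[Route], destination: str) -> str:
    """Human-readable description of where traffic to destination exits."""
    target = lookup(route_table, destination)
    if target is None:
        return "dropped (no matching route)"
    if target == "local":
        return "stays inside the VPC"
    return TARGET_NAMES.get(target.split("-")[0], target)


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        kind = "public" if is_public_subnet(rt) else "private"
        print(f"{name} subnet is {kind}")
        for dst in ("10.0.3.7", "192.168.10.1", "198.51.100.2"):
            print(f"  {dst:<14} -> {egress_path(rt, dst)}")
```

The 192.168.0.0/16 entry in PRIVATE_RT wins over 0.0.0.0/0 for corporate addresses because it is more specific, which is exactly what a review of a route table has to check: a broad default route can silently send private traffic out through a NAT or Internet Gateway if the specific route is missing.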
How to connect my VPC to the Internet?
Internet Gateway

• Horizontally scaled, redundant, highly available VPC component
• Connect your VPC Subnets to the Internet
• Must be referenced on the Route Table
• Performs NAT between Public and Private IP Addresses

[Diagram: Internet – Internet gateway – VPC. Public subnet: EC2 Instance with Private IP 10.0.0.1 and Public IP 198.51.100.2, plus its Route table. Private subnet: EC2 Instance with Private IP 10.1.1.1, plus its Route table]


How does my instance get an IP address?
Elastic IP Address

• Static, Public IPv4 address, associated with your AWS account
• Can be associated with an instance or network interface
• Can be remapped to another instance in your account
• Useful for redundancy when Load Balancers are not an option

[Diagram: Internet – Internet gateway – VPC. Public subnet: two EC2 Instances, Private IP 10.0.0.1 and Private IP 10.0.0.2, with Elastic IP 198.51.100.2 shown on both to illustrate remapping from one to the other. Private subnet: EC2 Instance with Private IP 10.1.1.1]


Can I have outbound only Internet access?
NAT Gateway

• Enables outbound connections to the internet
• No incoming connections - useful for OS/package updates, public web services access
• Fully managed by AWS
• Highly available
• Up to 10Gbps bandwidth
• Supports TCP, UDP, and ICMP protocols
• Network ACLs apply to NAT gateway’s traffic

[Diagram: Internet – Internet gateway – VPC. Public subnet: EC2 Instance and NAT gateway. Private subnet: EC2 Instance with Private IP 10.1.1.1 and its Route table]
Can I have one account owning the VPC, and others using it?
Shared VPC

• VPC Owner can create and edit VPC Components
• VPC Participants can launch resources in their assigned Subnets
• Each participant pays for their own resources and data transfer costs
• Based on AWS Resource Access Manager, under AWS Organizations

[Diagram: one VPC. VPC Owner (AWS Account Alpha) can Create/Modify/Delete: Subnets, Route Tables, Network ACL, VPC Peering, VPC Endpoints, Internet Gateways, NAT Gateways, Virtual Private Gateways, Transit Gateway attachment. VPC Participant AWS Account Beta runs an EC2 Instance and a Lambda function in Subnet Beta; VPC Participant AWS Account Gama runs an EC2 Instance and a Lambda function in Subnet Gama]


VPC Security


Can I filter traffic reaching my instances?
Security Groups

• Virtual stateful firewall
• Inbound and Outbound customer defined rules
• Instance/Interface level inspection
• Micro segmentation
• Mandatory, all instances have an associated Security Group
• Can be cross referenced
• Works across VPC Peering
• Only supports allow rules
• Implicit deny all at the end

[Diagram: Internet gateway → HTTPS (TCP 443) → Security group “Web ELB” around Elastic Load Balancing (ELB) “Web ELB” → HTTP (TCP 80) → Security group “Web Tier” around two Amazon EC2 Web Servers → MySQL (TCP 3306) → Security group “DB Tier” around a MySQL DB on Amazon Aurora]
Can I filter traffic on a subnet level?
Network Access Control List

• Inbound and Outbound
• Subnet level inspection
• Optional level of security
• By default, allow all traffic
• Stateless
• IP and TCP/UDP port based
• Supports allow and deny rules
• Deny all at the end

[Diagram: NACL “External Access” on the Public subnet (Amazon EC2) admits HTTPS (TCP 443) from 0.0.0.0/0; NACL “Database Access” on the Private subnet (MySQL DB, Amazon Aurora) admits MySQL (TCP 3306) from 10.0.0.0/16; Other IPs and Other Ports are denied]
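The two slides above contrast a stateful Security Group with a stateless Network ACL. The Python model below is an added example, not AWS code: it evaluates one HTTPS request and its reply against each kind of filter, shows why a NACL that only allows inbound TCP 443 silently drops the responses until an outbound ephemeral-port rule is added, and shows how a lower-numbered deny rule, which a Security Group cannot express, overrides a later allow. Rules, addresses and port numbers are constructed; source-Security-Group references are not modelled, only CIDR sources.

```python
"""Added example, not part of the AWS deck: a small model of how a stateful
Security Group and a stateless Network ACL each judge one HTTPS connection and
its reply.  All rules, addresses and ports are constructed for the example;
source-Security-Group references are not modelled, only CIDR sources."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", as seen from the instance/subnet
    protocol: str    # "tcp", "udp" or "icmp"
    remote_ip: str   # the other end of the flow
    port: int        # destination port of this packet


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; Security Groups are allow-only
    number: int = 0         # NACL rule number, i.e. evaluation order

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.protocol == p.protocol
                and self.port_from <= p.port <= self.port_to
                and ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(self.cidr))


def security_group_allows(rules: List[Rule], first_packet: Packet) -> bool:
    """Stateful: only the packet that opens the flow is evaluated.  Once it is
    allowed, the reply is tracked and passes without an outbound rule.  There
    are no deny rules, so anything unmatched falls to the implicit deny."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("Security Groups only support allow rules")
    return any(r.matches(first_packet) for r in rules)


def nacl_allows(rules: List[Rule], packet: Packet) -> bool:
    """Stateless: rules are evaluated in ascending number, first match wins,
    and the implicit '*' deny-all rule catches everything else."""
    candidates = sorted((r for r in rules if r.direction == packet.direction),
                        key=lambda r: r.number)
    for r in candidates:
        if r.matches(packet):
            return r.action == "allow"
    return False


def nacl_allows_flow(rules: List[Rule], request: Packet, reply: Packet) -> bool:
    """A stateless filter must permit both halves of a connection separately."""
    return nacl_allows(rules, request) and nacl_allows(rules, reply)


# Constructed sample flow: an Internet client opens HTTPS to a web server.
CLIENT = "203.0.113.10"
HTTPS_REQUEST = Packet("inbound", "tcp", CLIENT, 443)
HTTPS_REPLY = Packet("outbound", "tcp", CLIENT, 49152)   # client's ephemeral port

# Security group "Web Tier": a single inbound allow is enough for the whole flow.
WEB_SG = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")]

# NACL "External Access", first attempt: inbound 443 only, so replies are dropped.
NACL_V1 = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100)]
# Corrected: let replies out on the ephemeral port range as well.
NACL_V2 = NACL_V1 + [Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=100)]
# A lower-numbered deny rule wins over the later allow (something a SG cannot express).
NACL_V3 = [Rule("inbound", "tcp", 443, 443, "203.0.113.0/24", action="deny", number=50)] + NACL_V2

if __name__ == "__main__":
    print("SG allows HTTPS flow:       ", security_group_allows(WEB_SG, HTTPS_REQUEST))
    print("NACL v1 (no ephemeral out): ", nacl_allows_flow(NACL_V1, HTTPS_REQUEST, HTTPS_REPLY))
    print("NACL v2 (corrected):        ", nacl_allows_flow(NACL_V2, HTTPS_REQUEST, HTTPS_REPLY))
    print("NACL v3 (deny 203.0.113/24):", nacl_allows_flow(NACL_V3, HTTPS_REQUEST, HTTPS_REPLY))
```

The practical lesson is the one the NACL slide implies with “Stateless”: every NACL that admits a service must also admit the return traffic on the ephemeral range in the opposite direction, whereas a Security Group only needs the rule for the direction in which the connection is opened.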


VPC Connectivity Options


How to connect privately to public AWS Services?
VPC Endpoints

• Connect your VPC to:
  • Supported AWS services
  • VPC endpoint services powered by PrivateLink
• Doesn’t require public IPs or Internet connectivity
• Traffic does not leave the AWS network
• Horizontally scaled, redundant, and highly available
• Robust access control

[Diagram: a service-provider VPC with an Internet gateway, a Public subnet and a Network Load Balancer (NLB) in front of an EC2 Instance, exposed as a VPC Endpoint Service; a consumer VPC whose Private subnet EC2 Instance reaches that service through a VPC Endpoint via Amazon VPC PrivateLink, and reaches Amazon Simple Storage Service (S3) and AWS Key Management Service through VPC Endpoints]


How to connect directly to other VPCs?
VPC Peering

• Scalable and highly available
• Inter-account peering
• Same or different AWS Regions
• Bi-directional traffic
• Remote Security groups can be referenced
• Routing policy with Route Tables
• Not all subnets need to connect to each other
• No transitive routing, requires full-mesh to interconnect multiple VPCs
• No support for overlapping IP addresses

[Diagram: two VPCs joined by VPC Peering; each has a Public subnet and a Private subnet, each subnet with an EC2 Instance and its own Route table]
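The last two bullets are easy to get wrong once more than two VPCs are involved. This added Python example (not part of the deck) refuses peering requests whose CIDRs overlap, treats reachability as strictly one hop because there is no transitive routing, and computes how many peerings a full mesh needs. The VPC names, ranges and requests are constructed.

```python
"""Added example, not part of the AWS deck: check VPC peering requests against
the two constraints on the slide.  Peered VPCs must not have overlapping CIDRs,
and peering is not transitive, so a VPC only reaches the VPCs it is directly
peered with and a full mesh is needed to interconnect everything.  VPC names
and ranges are constructed."""
import ipaddress
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed inventory: "legacy" reuses the same range as "app".
VPCS: Dict[str, str] = {
    "app": "10.0.0.0/16",
    "data": "10.1.0.0/16",
    "shared": "10.2.0.0/16",
    "legacy": "10.0.0.0/16",
}
REQUESTS: List[Tuple[str, str]] = [("app", "data"), ("data", "shared"), ("app", "legacy")]


def can_peer(vpcs: Dict[str, str], a: str, b: str) -> bool:
    """Peering is refused when the two CIDR ranges overlap (a VPC also overlaps itself)."""
    return not ipaddress.ip_network(vpcs[a]).overlaps(ipaddress.ip_network(vpcs[b]))


def build_peerings(vpcs: Dict[str, str],
                   requests: List[Tuple[str, str]]) -> Tuple[Set[FrozenSet[str]], List[str]]:
    """Accept the requests that satisfy can_peer; report the rest."""
    accepted: Set[FrozenSet[str]] = set()
    rejected: List[str] = []
    for a, b in requests:
        if can_peer(vpcs, a, b):
            accepted.add(frozenset((a, b)))    # a peering is unordered, hence frozenset
        else:
            rejected.append(f"{a} <-> {b}: overlapping CIDRs {vpcs[a]} and {vpcs[b]}")
    return accepted, rejected


def reachable(peerings: Set[FrozenSet[str]], src: str, dst: str) -> bool:
    """No transitive routing: only a direct peering makes dst reachable from src."""
    return frozenset((src, dst)) in peerings


def full_mesh_size(n: int) -> int:
    """Number of peering connections needed so every one of n VPCs reaches every other."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    peerings, problems = build_peerings(VPCS, REQUESTS)
    for p in problems:
        print("rejected:", p)
    print("app -> data  :", reachable(peerings, "app", "data"))
    print("app -> shared:", reachable(peerings, "app", "shared"), "(no transit via data)")
    print("full mesh for", len(VPCS), "VPCs needs", full_mesh_size(len(VPCS)), "peerings")
```

full_mesh_size grows quadratically, which is the operational reason the next slide introduces a hub-and-spoke Transit Gateway for more than a handful of VPCs.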
How to connect multiple VPCs together?
AWS Transit Gateway

• Connect thousands of VPCs across accounts
• Connect your VPCs and on-premises through a single gateway
• Centralize VPN and AWS Direct Connect connections
• Control segmentation and data flow with Routing Tables
• Hub and Spoke design
• Up to 50 Gbps per VPC connection (burst)

[Diagram: AWS Cloud with several VPCs and a Shared Services VPC attached to one AWS Transit Gateway; the attachments are split into Routing Domain A and Routing Domain B, each with its own Route table]
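Segmentation on a Transit Gateway comes from associating each attachment with one TGW route table. The Python below is an added example and not AWS code: it models two routing domains plus a Shared Services VPC as on the slide, does longest-prefix lookup in the table associated with the source attachment, and builds a reachability matrix so the isolation between domains can be verified rather than assumed. Attachment names, CIDRs and routes are constructed, and a "blackhole" target stands in for a TGW blackhole route.

```python
"""Added example, not part of the AWS deck: model Transit Gateway segmentation
with route tables.  Every attachment is associated with exactly one TGW route
table, and that table alone decides where traffic arriving from the attachment
may be forwarded, which is how the two "routing domains" on the slide are kept
apart.  Attachment names, CIDRs and routes are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, attachment name or "blackhole")

# The CIDR behind each attachment (used to build the reachability matrix).
ATTACHMENT_CIDR: Dict[str, str] = {
    "vpc-prod-1": "10.10.0.0/16", "vpc-prod-2": "10.11.0.0/16",
    "vpc-dev-1": "10.20.0.0/16", "vpc-shared": "10.0.0.0/16",
    "vpn-onprem": "192.168.0.0/16",
}
# Which TGW route table each attachment is associated with.
ASSOCIATION: Dict[str, str] = {
    "vpc-prod-1": "domain-A", "vpc-prod-2": "domain-A", "vpn-onprem": "domain-A",
    "vpc-dev-1": "domain-B",
    "vpc-shared": "shared-services",
}
# Routing Domain A (prod + on-prem) and Routing Domain B (dev) each see only
# themselves plus the Shared Services VPC.  Shared Services may answer every
# VPC but not on-prem, which is explicitly blackholed.
ROUTE_TABLES: Dict[str, List[Route]] = {
    "domain-A": [("10.10.0.0/16", "vpc-prod-1"), ("10.11.0.0/16", "vpc-prod-2"),
                 ("192.168.0.0/16", "vpn-onprem"), ("10.0.0.0/16", "vpc-shared")],
    "domain-B": [("10.20.0.0/16", "vpc-dev-1"), ("10.0.0.0/16", "vpc-shared")],
    "shared-services": [("10.10.0.0/16", "vpc-prod-1"), ("10.11.0.0/16", "vpc-prod-2"),
                        ("10.20.0.0/16", "vpc-dev-1"), ("10.0.0.0/16", "vpc-shared"),
                        ("192.168.0.0/16", "blackhole")],
}


def next_hop(src_attachment: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match in the table associated with the source attachment.
    Returns the outgoing attachment, "blackhole", or None when nothing matches."""
    table = ROUTE_TABLES[ASSOCIATION[src_attachment]]
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(cidr).prefixlen, target)
               for cidr, target in table if dst in ipaddress.ip_network(cidr)]
    return max(matches)[1] if matches else None


def can_reach(src_attachment: str, dst_ip: str) -> bool:
    """True only when the TGW would actually forward the packet somewhere."""
    hop = next_hop(src_attachment, dst_ip)
    return hop is not None and hop != "blackhole"


def reachability_matrix() -> Dict[str, List[str]]:
    """For each attachment, the other attachments it can forward traffic to,
    probing the first host address of each destination CIDR."""
    matrix: Dict[str, List[str]] = {}
    for src in ATTACHMENT_CIDR:
        reachable = []
        for dst, cidr in ATTACHMENT_CIDR.items():
            probe = str(ipaddress.ip_network(cidr)[1])
            if dst != src and next_hop(src, probe) == dst:
                reachable.append(dst)
        matrix[src] = sorted(reachable)
    return matrix


if __name__ == "__main__":
    for src, dsts in reachability_matrix().items():
        print(f"{src:<11} -> {', '.join(dsts) or '(nothing)'}")
```

Note that isolation is decided per source table, so it has to be checked in both directions: dev cannot reach prod, and prod's table has no dev route either, but the Shared Services table deliberately reaches both while blackholing on-prem.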


Connect Your Data Center to AWS


How to connect my Datacenter to AWS over the Internet?
AWS Virtual Private Network

• One VGW (Virtual Private Gateway) per VPC
• Redundant IPSec VPN Tunnels
• Terminating in different AZs
• IPSec
  • AES 256-bit encryption
  • SHA-2 hashing
• Scalable
• BGP or Static Routing

[Diagram: AWS Cloud; a VPC spanning Availability Zone 1 and Availability Zone 2 with a VGW (Virtual Private Gateway); a VPN Connection over the Internet to the Customer gateway in the Corporate data center]


How to connect my Datacenter to AWS over dedicated circuits?
AWS Direct Connect

• Dedicated network connection from your premises to AWS
  • Dedicated Connection (1/10 Gbps, Multiple VIFs)
  • AWS Partner Hosted Connection (50 Mbps to 10 Gbps, Single VIF)
• Consistent Network Performance
• More consistent network experience
• Reduced egress data charges
• Connect to 90+ Direct Connect Locations across the globe

[Diagram: AWS Cloud – Direct Connect Location with an AWS DX Device – AWS Direct Connect circuit – Customer gateway in the Corporate data center]
How to add redundancy to my dedicated circuits?
AWS Direct Connect

• For redundancy, DX can be deployed with single or multiple:
  • Circuits
  • Providers
  • Customer Gateways
  • Direct Connect Locations
  • Customer data centers
• BGP Routing for redundancy
• AWS VPN can also be used as backup path

[Diagram: AWS Cloud connected to two Direct Connect Locations, each with two AWS DX Devices, reaching two Corporate data centers, each with its own Customer gateway, over AWS Direct Connect]


How to access my VPCs or AWS Public Services over my DX?
AWS Direct Connect

• VIFs: Virtual Interface
  • Private VIFs
    • Access to VPC IP address
  • Public VIFs
    • Access to AWS Public IP address space

[Diagram: AWS Cloud with VPC 1A and VPC 1B, each reached through a Private Virtual Interface on its Virtual Private Gateway, and Public AWS Services such as Amazon Simple Storage Service (S3) reached through a Public Virtual Interface; all terminate on the AWS DX Device at the Direct Connect Location, connected over AWS Direct Connect to the Customer gateway in the Corporate data center]
How to connect to multiple AWS Regions/Accounts over DX?
AWS Direct Connect Gateway

• Global resource
• Connect to multiple VPCs
• VPCs can be on same or different
  • Regions
  • Accounts (same Payer ID)
• Enables traffic flow from the VPC to the DX connection
• For VPC to VPC Traffic, consider using AWS Transit Gateway

[Diagram: AWS Cloud; Region 1 with VPC 1A and VPC 1B, Region 2 with VPC 2A, each attached through a Private Virtual Interface to one AWS Direct Connect Gateway; the gateway connects to the AWS DX Device at the Direct Connect Location and on to the Customer gateway in the Corporate data center]
How to connect at scale across accounts/Regions?
AWS DX Gateway + AWS Transit Gateway

• Transit VIF
  • Connects to an AWS Transit Gateway
• Simplify your network architecture and reduce management overhead
• Create a hub-and-spoke model that spans multiple
  • VPCs
  • Regions
  • AWS accounts

[Diagram: AWS Cloud; Region 1 with VPC 1A and VPC 1B, Region 2 with VPC 2A, attached to an AWS Transit Gateway; the Transit Gateway connects to an AWS Direct Connect Gateway, then to the AWS DX Device at the Direct Connect Location and the Customer gateway in the Corporate data center]
Traffic Distribution


How to scale my app horizontally inside my VPC?
Elastic Load Balancing

• Distributes incoming application or network traffic across multiple targets
  • EC2 instances
  • Containers
  • IP addresses
• Multiple Availability Zones
• Scales automatically
• Auto Scaling Groups can add or remove instances as required
• Automatically register to the Load Balancer

[Diagram: VPC with an Internet gateway; an Elastic Load Balancing (ELB) in front of an Auto Scaling Group of four EC2 Instances, and a second ELB in front of an Auto Scaling Group of four EC2 Instances]


Elastic Load Balancing
Features Comparison

Feature                               Application Load Balancer   Network Load Balancer
Protocols                             HTTP, HTTPS                 TCP
Platforms                             VPC                         VPC
Health checks                         √                           √
CloudWatch metrics                    √                           √
Logging                               √                           √
Path-Based Routing                    √
Host-Based Routing                    √
Native HTTP/2                         √
Configurable idle connection timeout  √
SSL offloading                        √
Server Name Indication (SNI)          √
Sticky sessions                       √
Back-end server encryption            √
Static IP                                                         √
Elastic IP address                                                √
Preserve Source IP address                                        √
How to resolve my Domain Names to IP Addresses?
Amazon Route 53

• AWS DNS service
• Domain Registration
• Domain name resolution
• 100% availability SLA
• Health Checks
• DNS Failover
• Latency Based Routing
• Geo Based Routing
• Weighted Round Robin
• Private DNS for VPC

[Diagram: a DNS Resolution Request reaches Amazon Route 53, which asks “Main Site Healthy?”. Yes: Region us-east-1 (N. Virginia), where App Version A receives 95% of traffic and App Version B receives 5% for A/B Testing, each behind an Elastic Load Balancer with its Web Service. No: Region us-west-2 (Oregon), where App DR runs behind an Elastic Load Balancer with its Web Service]
Can I improve availability and performance of my global services?
AWS Global Accelerator

• Uses AWS Global Network from Edge to Region
• Client traffic ingresses via closest available Edge location
• Route client to closest healthy endpoint
• No DNS switchover required, same IP address globally
• Static IP Anycast

[Diagram: Users in US and Users in Europe both resolve www.example.com to IP 198.51.100.2 and enter at the nearest Edge location; AWS Global Accelerator carries them over the AWS Cloud, with a Redundant path, to an Elastic Load Balancer and Service in Region us-east-1 (N. Virginia) or Region eu-west-1 (Ireland)]


Questions?