Take Amazon EC2 to the next level and create a virtual network in the AWS cloud using our API-defined networking solutions. Learn how to create networks that closely resemble those used in a traditional data center, enhance your knowledge of elastic network interfaces and multiple IP addresses for EC2 instances, and learn how to leverage egress filtering and network ACLs for an additional layer of security for your network. In addition to discussing virtual network security appliances, internal load balancing, and site to site VPN connectivity, we also discuss the past, present, and future for Amazon virtual networking.

2. Router Internet Customer VPN Gateway VPN Connection
Gateway Gateway

3. Internet
10.134.2.3
10.1.2.3 10.218.5.17
10.27.45.16
10.243.3.5
10.8.55.5
10.141.9.8
10.99.42.97
10.155.6.7
10.16.22.33 10.131.7.28
10.6.78.201
Availability Zone 1a Availability Zone 1a
Customer 1 Customer 2 Customer 3

4. Internet
Public IPs Elastic IPs Public IPs Elastic IPs
10.134.2.3
10.1.2.3 10.218.5.17
10.27.45.16
10.243.3.5
10.8.55.5
10.141.9.8
10.99.42.97
10.155.6.7
10.16.22.33 10.131.7.28
10.6.78.201
Availability Zone 1a Availability Zone 1a
Customer 1 Customer 2 Customer 3

5. Internet
10.134.2.3
10.1.2.3 10.218.5.17
10.27.45.16
10.243.3.5
10.8.55.5
10.141.9.8
10.99.42.97
10.155.6.7
10.16.22.33 10.131.7.28
10.6.78.201
Availability Zone 1a Availability Zone 1a
Customer 1 Customer 2 Customer 3 VPC Customer

6. Internet
10.0.1.6
10.0.0.5 10.0.1.5
10.0.0.6 10.0.1.8
10.0.3.5
10.0.1.25
10.0.3.17
Availability Zone 1a Availability Zone 1a
VPC Customer

7. Internet
VPC Subnet VPC Subnet
10.0.0.5 10.0.1.5 10.0.1.6
VPC Subnet
10.0.0.6 10.0.1.8
10.0.3.5
10.0.1.25
10.0.3.17
Availability Zone 1a Availability Zone 1a
VPC Customer

8. Internet
VPC Subnet VPC Subnet
10.0.0.5 10.0.1.5 10.0.1.6
VPC Subnet
10.0.0.6 10.0.1.8
10.0.3.5
10.0.1.25
10.0.3.17
Virtual Private Gateway
Availability Zone 1a Availability Zone 1a
VPN Connection
Customer Gateway
Customer Data Center

9. Internet
X
VPN Connection
Customer Gateway
Customer Data Center

10. Internet
Internet Gateway
VPC Subnet VPC Subnet
10.0.0.5 10.0.1.5 10.0.1.6
VPC Subnet
10.0.0.6 10.0.1.8
10.0.3.5
10.0.1.25
10.0.3.17
Virtual Private Gateway
Availability Zone 1a Availability Zone 1a
VPN Connection
Customer Gateway
Customer Data Center

11. Creating a VPC
C:>ec2-create-vpc 10.0.0.0/16
C:>ec2-create-subnet -c vpc-eabab681 -i
10.0.0.0/24 -z us-east-1b
C:>ec2-create-internet-gateway
C:>ec2-attach-internet-gateway igw-33bbb758
-c vpc-eabab681
C:>ec2-describe-route-tables
C:>ec2-create-route rtb-e8bab683 -r
0.0.0.0/0 -g igw-33bbb758

13. Network ACLs
Egress filtering
Change SG Multiple elastic
membership on network interfaces
running instances
Multiple IP
addresses
Support for all
protocols

19. 10.10.0.10
10.10.0.11 10.10.0.12

20. Demo

21. monitor.sh
#!/bin/sh
EC2_URL=https://ec2.us-west-2.amazonaws.com
. /etc/profile.d/aws-apitools-common.sh
echo `date` "-- Starting HA monitor" > /tmp/ha_monitor.log
while [ . ]; do
pingresult=`ping -c 3 -W 1 10.10.0.12 | grep icmp | wc -l`
if [ "$pingresult" == "0" ]; then
echo `date` "-- HA heartbeat failed, taking over VIP" >> /tmp/ha_monitor.log
ec2-assign-private-ip-addresses -n eni-a80b97c1 --secondary-private-ip-address
10.10.0.10 --allow-reassignment -U $EC2_URL >> /tmp/ha_monitor.log
pingresult=`ping -c 1 -W 1 10.10.0.10 | grep icmp | wc -l`
if [ "$pingresult" == "0" ]; then
echo `date` "--Restarting network" >> /tmp/ha_monitor.log
service network restart >> /tmp/ha_monitor.log
fi
sleep 60
fi
sleep 2
done

25. Demo

26. Public Subnet 1 Public Subnet 2
Private Subnet 1 Private Subnet 2

27. External LB
Public Subnet 1 Public Subnet 2
Internal LB
Private Subnet 1 Private Subnet 2

28. IDS / DLP IDS / DLP
Public Subnet 1 Public Subnet 2
Private Subnet 1 Private Subnet 2

29. Demo

30. Singapore Japan

32. We are sincerely eager to
hear your feedback on this
presentation and on re:Invent.
Please fill out an evaluation
form when you have a
chance.