In this session, we cover build-out and design fundamentals for virtual private clouds (VPCs), including selecting an IP space, subnetting, routing, and security. We discuss different approaches and scenarios for connecting a VPC to a datacenter with AWS VPN or AWS Direct Connect. We also introduce our latest networking services and updates, including AWS Transit Gateway and AWS PrivateLink. This mid-level architecture discussion is for software architects, network administrators, and technology decision makers interested in understanding the building blocks AWS makes available with Amazon Virtual Private Cloud (Amazon VPC) and learning how to connect VPCs with offices and datacenter footprints.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Fundamentos de Networking
Cláudio Freire Júnior
Solutions Architect
Amazon Web Services
S V C 2 1 1
Willien Carvalho Fernandes
Cloud Architect
Presença Digital/Claro Brasil

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
O que esperar dessa sessão.
• Obter familiaridade com conceitos de VPC;
• Criação de uma VPC básica;
• Aprender um pouco sobre incrementos na sua rede virtual;
• Entender opções de conectividade
• Entre VPCs;
• Para a sua on-premises;
• Para serviços AWS;
• Case Claro Brasil;
• VPC Sharing e VPC Endpoints;

3. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Endereçamento
de IP
Criação de
subnets
Roteamento
em uma VPC
Segurança
VPC conceitos e fundamentos
DNS em VPC
com Amazon
Route 53

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Escolhendo uma faixa de
endereços IP

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Escolhendo uma faixa de endereços IP para sua VPC
172.31.0.0/16
Recomendado:
Faixa RFC1918
Recomendado:
/16
(65,536 endereços)
Evite faixas que sobrepõem
outras redes que você possa se
conectar

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Criando subnets em uma
VPC

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC subnets e Zonas de Disponibilidade
172.31.0.0/16
Zona de Disponibilidade Zona de Disponibilidade Zona de Disponibilidade
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
us-east-1a us-east-1b us-east-1c

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
IPv6 na sua VPC
• Pode ter um dual-stack VPC e adicionar um CIDR IPv6
• Tamanhos fixos para VPC e subnets:
• /56 VPC (4,722,366,482,869,645,213,696 endereços)
• /64 subnets (18,446,744,073,709,551,616 endereços)

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC subnets e Zonas de Disponibilidade
172.31.0.0/16
Zona de Disponibilidade Zona de Disponibilidade Zona de Disponibilidade
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
us-east-1a us-east-1b us-east-1c
2600:1f16:14d:6300::/56
2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64
+ Expansão

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Roteamento na VPC

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Roteando na sua VPC
• Route table contém regras para quais pacotes trafegarão;
• Sua VPC possui uma tabela de rota default;
• Mas, você pode criar e atribuir diferentes route tables para
diferentes subnets;

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Tráfego destinado para
minha VPC continua nela

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
DNS dentro da VPC

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC opções de DNS
Usar Amazon DNS server
Ter EC2 autodesignar DNS
host names para instâncias

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Route 53 private hosted zones
Private Hosted
Zone
example.demohostedzone.org 
172.31.0.99

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Route 53 Resolver em ambiente híbrido
Route 53 Resolver
endpoints
Regras condicionais de
encaminhamento

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Flow LogsNetwork access
control list
(network ACL)
Security Groups
Segurança de rede

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
“MyWebServers” security group
“MyBackends” security group
Permitir somente “MyWebServers”
Security groups seguem estrutura de aplicação
Web Web Web Web
App App App
IGW

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Exemplo de security groups: Servidores web
Permite tráfego HTTP traffic de
qualquer lugar

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Exemplo security groups: Backends
Permite tráfego para
apenas dos servidores web

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Segurança de rede
Flow LogsNetwork ACLSecurity Groups

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Security groups vs. Network ACLs
Security group Network ACL
Opera à nível de instância Opera à nível de subnet
Suporta regras de allow apenas Suporta regras de allow deny
É stateful: tráfego de retorno é
automaticamente permitido
É stateless: tráfego de retorno deve ser
explicitamente permitido
Todas as regras avaliadas antes de decidir se
deve permitir o tráfego
Regras avaliadas para decidir se deve permitir o
tráfego
Aplica-se apenas a instâncias explicitamente
associadas ao security group
Aplica-se automaticamente a todas as instâncias
iniciadas em subnets associadas
Não filtra o tráfego de ou para endereços locais de link (169.254.0.0/16) ou endereços IPv4
reservados pela AWS; esses são os quatro primeiros endereços IPv4 da subnet (incluindo o servidor
DNS da Amazon VPC)

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Segurança de rede
Flow LogsNetwork ACLSecurity Groups

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Flow Logs
AZ 2AZ 1
• Visibilidade
• Troubleshooting
• Análise de tráfego
Amazon S3 Amazon CloudWatch Logs
VPC Flow Logs

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Flow Logs - formato

27. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Conectividade à
Internet
Conectando à
outras VPCs
Conectando-se à sua
rede on-premises
Conectando sua VPC
ou não

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Conectividade à Internet
ou não

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
Internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
IGW
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.1.0.0/16 Local
Destination Target
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Amazon
DynamoDB
AWS
Lambda
Amazon
SQS
Amazon
SNS
AWS IoT
Core

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Conectando à outras VPCs
VPC Peering Transit Gateway

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC peering
• Completa conectividade privada de
IP entre duas VPCs;
• Pode ser feito com VPCs entre duas
regiões;
• VPCs podem estar em contas
diferentes;
• Faixas de VPC CIDR não podem
fazer overlapping
10.0.0.0/16
10.2.0.0/16
10.1.0.0/16
10.3.0.0/16

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Estabelecendo um VPC peering: Aceitando request
Passo 1
Iniciando peering
request
Passo 2
Aceitando
peering request
172.31.0.0/16 10.55.0.0/16

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Estabelecendo um VPC peering: Criando uma rota
Passo 1
Initiate peering
request
Step 2
Accept peering
request
Passo 3
172.31.0.0/16 10.55.0.0/16
Tráfego destinado à peered VPC deve ir
para a peering

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Peering Transit Gateway
e além…
Conectando à outras VPCs

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPN connectionCustomer
gateway
Amazon VPC Amazon VPC
AWS Direct
Connect Gateway
VPC peering
VPC peering VPC peering
Amazon VPC Amazon VPCVPC peering
VPN
connection
VPN connection
VPC peering
Antes do Transit Gateway …

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Transit
Gateway
Amazon VPCAmazon VPC
Amazon VPCAmazon VPC
Customer
gateway
VPN
connection
AWS Direct
Connect Gateway
Com Transit Gateway …

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Conectando-se a redes on
premises
AWS VPN AWS Direct Connect

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
On premises
IPsec Tunnel 1 - Primary
IPsec Tunnel 2- Secondary
Túnel IPsec
através da internet
The internet
Transit GW
Customer
gateway

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Conectando-se a redes on-
premises:
AWS VPN AWS Direct Connect

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
AWS Region
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
Public VIF
10.2.0.0/16
VGW
VGW
Private VIF
Provedor de
serviço de rede
AWS Direct Connect – O que é isso?

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
AWS Region
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
U m V I F p r i v a d o  M u i t a s V P C s
AWS Direct
Connect
Gateway
Provedor de
serviço de rede
AWS Direct Connect Gateway

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
AWS Region 1
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
AWS Region 2
AWS Direct
Connect
Gateway
Provedor de
serviço de rede
U m V I F p r i v a d o  M ú l t i p l a s R e g i o n s
AWS Direct Connect Gateway

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Customer or
partner cage
AWS Account 1
On premises
AWS Direct Connect location
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
AWS Account 2
AWS Direct
Connect
Gateway
DX Gateway – Múltiplas Contas
Novo
Provedor de
serviço de rede
U m V I F p r i v a d o  M ú l t i p l a s A W S A c c o u n t s
AWS Direct Connect Gateway

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
AWS VPN vs. AWS Direct Connect
• Ambos permitem conexão segura entre sua rede e
VPC
• VPN é um par de túnel IPSec que trafegará pela
Internet
• DX é conexão dedicada e latência controlada;
• Para workloads de alta disponibilidade: Utilizar
ambos (failover)

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Transit Gateway Convergence
Claro Brasil
Willien Carvalho Fernandes
Cloud Architect
Presença Digital/Claro Brasil

47. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Antes Depois

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Antes Depois
Fragmentação+
Complexidade
• Múltiplas instâncias e túneis IPSec
• Múltiplos peerings entre VPCs
• Administração complexa e
descentralizada
Convergência+
Simplicidade
• Integração de VPCs e VPNs
centralizadas
• Otimização de roteamento
• Integração de parceiros simplificada
• Administração simplificada e fácil

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Comparativo
Antes Depois
VPC Peerings 26 0
Instâncias VPN 15 0
Túneis IPSec 30 5
Redução de Custo /mês N/A 90%

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC Sharing VPC endpoints/
AWS PrivateLink
…mais AWS networking

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon VPC Sharing
Antes

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
L l a m a
10.3.0.0/16
P e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n a
10.6.0.0/16
S t e v e
10.5.0.0/16
S u e
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon VPC Sharing
Depois

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
L l a m a
10.3.0.0/16
P e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n a
10.6.0.0/16
S t e v e
10.5.0.0/16
S u e
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
L l a m aP e g a s u s
10.2.0.0/16
B a r r y
10.1.0.0/16
I g u a n aS t e v eS u e
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4
Owner
Participant
Owner
Participant Participant
Participant

57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Por que usar Amazon VPC sharing?
Pre se rv e e s p a ç o d e I P
U se m e n o s I Pv 4 C I D R s
I n t e rc o n e ct iv ida d e
N ã o re q u e r V PC Pe e ri n g
B i l l i n g e S e g u r a n ç a
C o n t i n u e a a p r o v e i t a r a
s e g r e g a ç ã o c o m m ú l t i p l a s c o n t a s
S e p a r a ç ã o d e t a r e f a s
U m t i m e c e n t r a l p o d e c r i a r e
g e r e n c i a r s u a A m a z o n V P C
C u s t o p a r a d a t a t r a n s f e r n a m e s m a
A Z é n u l o !

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC endpoints
Interface VPC
endpoints/AWS
PrivateLink
Gateway VPC
endpoints

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Gateway VPC Endpoint – Amazon S3 e Amazon
DynamoDB
S3 bucket
Route S3-bound traffic
to the VPC endpoint

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Tipo: Gateway
Tipo: Interface

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
VPC endpoints
Interface VPC
endpoints/AWS
PrivateLink
Gateway VPC
endpoints

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Amazon API Gateway
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS Config
Amazon EC2 API
Elastic Load Balancing API
AWS Key Management Service
Amazon Kinesis Data Streams
Amazon SageMaker Runtime
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
AWS Systems Manager
NAT
InstanceB
10.1.1.11/24
NAT-GW
AWS Region
Availability Zone 2Availability Zone 1
Private subnet Private subnet
Public subnet
InstânciaA
Public subnet
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstânciaC
10.1.2.11/24
InstânciaD
10.1.3.11/24
+ Expand + IPv6
25+ serviços agora
suportados pelo AWS
PrivateLink
ec2.eu-west-1.amazonaws.com
ENI1: 10.1.0.15
ENI2: 10.1.1.23
ec2.eu-west-1.amazonaws.com
ENI1: 10.1.0.15
ENI2: 10.1.1.23
AWS PrivateLink pode
alcançar serviços
públicos, de forma
privada da sua VPC
Nenhuma rota necessária!
(quase)
10.1.0.0/16 Local
Destination Target
10.1.0.0/16 Local
Destination Target
+ Mais

63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Sugestões
• Sempre tenha em mente na hora na arquitetura escalabilidade, alta
disponibilidade e segurança;
• Comece simples! Para pequenos workloads, não há necessidade de
complexidade;
• Possuímos documentação vasta para os serviços, diversos vídeos,
treinamentos, para ajuda-lo no entendimento dos serviços ou ainda
busque ajuda com a AWS ou nossos parceiros;
• Experimente, teste e implemente;

64. Obrigado!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cláudio Freire Júnior
freirec@amazon.com

65. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
“Por favor, responda a pesquisa ao final
da sessão no app. Ao finalizar a
pesquisa, passe no Help Desk e retire
seu brinde!”