Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this talk, we discuss advanced tasks in Amazon VPC, including the implementation of VPC peering, the creation of multiple network zones, the establishment of private connections, and the use of multiple routing tables. We also provide information for current EC2-Classic network customers and help you prepare to adopt Amazon VPC.
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
1. November 14, 2014 | Las Vegas, NV
Kevin Miller, Sr. Manager, AWS EC2 Networking
4. EC2-Classic
Simple to get started – all instances have Internet connectivity, auto-assigned private and public IP addresses
Inbound security groups
Default VPC
The best of both
Get started using the EC2-Classic experience
If and when needed, begin using any VPC feature you require
VPC
Advanced virtual networking services:
ENIs and multiple IPs
routing tables
egress security groups
network ACLs
private connectivity
Enhanced Networking
And more to come...
5. All accounts created after 12/4/2013 support VPC only and have a default VPC in each region
13. Corporate Data Center
192.168.0.0/16
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single routing table at creation time, used by all subnets
14. corporate data center
Availability Zone
Availability Zone
Each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.
15. corporate data center
Availability Zone
Availability Zone
A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.
16. Corporate Data Center
Availability Zone
Availability Zone
Redundant AWS Direct Connect connections with VPN backup
18. Corporate Data Center
192.168.0.0/16
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with routes present in the VGW
19. Corporate
192.168.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
aws ec2 create-route-table --vpc-id vpc-c15180a4
aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only to other instances and the Internet via the IGW
23. Routing all traffic from subnets to the Internet via a firewall is conceptually similar
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
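How a route table resolves a destination, shown as an added Python model rather than code from the talk: Amazon VPC picks the most specific (longest-prefix) matching route, and when a static and a VGW-propagated route share the same prefix the static one wins, which is why the static 192.168.0.0/16 route is deleted before propagation is enabled. The model is run over the three table layouts the slides build: the single table with a default route to the VGW, the propagated table with a NAT/firewall default, and the separate table for 10.10.3.0/24 with its own IGW default. The VPC CIDR 10.10.0.0/16 and the `pcx-example` peering target are assumptions for illustration; the route-table, gateway and instance IDs are those on the slides.

```python
"""Model of Amazon VPC route selection (added example, not from the deck).

Two rules are implemented:
  1. longest prefix match wins;
  2. for an identical prefix, a static route outranks a VGW-propagated one.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: IPv4Network
    target: str            # "local", "igw-...", "vgw-...", "i-...", "pcx-..."
    propagated: bool = False   # True when learned from the VGW, False when static


def route(cidr: str, target: str, propagated: bool = False) -> Route:
    return Route(ip_network(cidr), target, propagated)


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the target chosen for dst, or None when no route matches
    (the VPC drops such traffic)."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.destination]
    if not candidates:
        return None
    # Most specific prefix first; on a tie a static route beats a propagated one.
    best = max(candidates, key=lambda r: (r.destination.prefixlen, not r.propagated))
    return best.target


# Assumed VPC CIDR; every VPC route table carries this implicit "local" route.
VPC_CIDR = "10.10.0.0/16"

# Slide 13: one table for the whole VPC, default route to the corporate VGW.
MAIN_RTB = [
    route(VPC_CIDR, "local"),
    route("0.0.0.0/0", "vgw-f9da06e7"),
]

# Slide 18 + 23: static corporate route removed, 192.168.0.0/16 now propagated
# from the VGW, default route pointed at the NAT/firewall instance.
MAIN_RTB_PROPAGATED = [
    route(VPC_CIDR, "local"),
    route("192.168.0.0/16", "vgw-f9da06e7", propagated=True),
    route("0.0.0.0/0", "i-f832afcc"),
]

# Slide 19/23: separate table for 10.10.3.0/24; it has no corporate route at all,
# so that subnet reaches only other instances and the Internet via the IGW.
PUBLIC_RTB = [
    route(VPC_CIDR, "local"),
    route("0.0.0.0/0", "igw-5a1ae13f"),
]

# Constructed tie case: static route to an assumed peering connection (pcx-example)
# and a propagated VGW route for the same prefix. The static route shadows the
# propagated one, so the VGW path is never used until the static route is deleted.
SHADOWED_RTB = [
    route(VPC_CIDR, "local"),
    route("192.168.0.0/16", "pcx-example"),
    route("192.168.0.0/16", "vgw-f9da06e7", propagated=True),
]


def explain(name: str, routes: List[Route], destinations: List[str]) -> None:
    print(f"{name}:")
    for dst in destinations:
        print(f"  {dst:<16} -> {lookup(routes, dst)}")


if __name__ == "__main__":
    probes = ["10.10.3.9", "192.168.10.20", "8.8.8.8"]
    explain("main (slide 13)", MAIN_RTB, probes)
    explain("main, propagated (slides 18/23)", MAIN_RTB_PROPAGATED, probes)
    explain("public subnet (slides 19/23)", PUBLIC_RTB, probes)
    explain("static shadows propagated", SHADOWED_RTB, ["192.168.5.5"])
```

Running it makes the isolation on slide 19 visible: a host in 10.10.3.0/24 sending to 192.168.10.20 is handed to the IGW (and will be dropped or NATed there), not to the VGW, because its table has no corporate route; the rest of the VPC still reaches the data center through the propagated route.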
41. Pros and Cons
Pros: One-time move; Easy back-out plan; Easier for smaller deployments
Cons: Requires (longer) maintenance window; Test up-front; Harder for larger deployments
You can dry-run this whole sequence without turning off the Classic instances
46. Pros and Cons
Pros: Shorter, per-component maintenance windows; Per-component back-out plans; Easier for larger deployments
Cons: Requires maintenance windows; Takes longer to complete migration; Per-component integration (EIPs/Elastic Load Balancing, CIDR-based security group rules)
56. Pros and Cons
Pros: (Potentially) no maintenance window; Direct private IP connectivity and security group integration; Designed for the largest deployments
Cons: Additional complexity during migration; Still need to replace EC2-Classic instances with new VPC instances