In this design-oriented session, we address the many real-life conditions that lead to different VPC design scenarios. We break down the reasons why customers choose to deploy a single VPC, as opposed to a multi-VPC approach. We also explore the architectures that lead to customers deploying advanced VPC designs, such as shared services VPCs or multi-region transit VPCs. Additionally, we explore in detail the tools you need to support these architectures, such as AWS Direct Connect, VPC peering, VPN, AWS Identity and Access Management (IAM), and resource tagging. Laptops are not required.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Workshop: Amazon Virtual Private Cloud (Amazon
VPC) Design Scenarios for Real-Life Use Cases
David Murray
Solution Architect
AWS
@dbamurray
N E T 3 2 0
Wayne Davis
Solution Architect
AWS

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Accounts & Amazon VPCs
• Architectures
• Single/Few VPC Architectures
• Multi VPC Architectures
• Software as a Service Architectures
• Transit Connectivity Architectures
• Where do I start?
• Scenarios – Collaborative
Architectures
• Where do I go to after this?

4. “Anyone who sits on top of the largest hydrogen-oxygen fueled
system in the world, knowing they’re going to light the bottom,
and doesn’t get a little worried, does not fully understand the
situation...”
John Young – Astronaut –
About to embark on a life changing
adventure

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A happy marriage
• VPC decisions usually spawn out of the
account structure conversation
• Account structures are usually built
around the need for how granular you
need control of
• Security
• Billing
• AWS limits
• Blast radius
• Larger enterprises tend to want granular
controls around security and billing

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use cases – Single
Amazon VPC
• Start-ups
• Single geographical region
• Minimize data costs
• Developer mindset

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Single Amazon VPC architecture
Account 1
Quick setup
Tight perimeter
control
Single network
topology
Single BGP session
• Complexity
• Limits
• Tagging
• IAM
• Cost control

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scenario – Single
Amazon VPC
• Container microservices

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Single Amazon VPC microservices
Flat Network
No VPC peering
data costs
Blast radius
Isolation
billing &
security
Simple network
management

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use cases – Multi
Amazon VPC
• Complex enterprises
• Granular billing requirements
• Security separation
• Shared services
• Infrastructure mindset

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi account architecture – Option 1
Account 1 Account 2 Account 3Minimal blast
radius
Tight limit &
cost control
Access control
Multi-account
administration
Complex DNS
strategy
BGP per VPC
(unless AWS
Direct Connect
gateway)
Complex
address
management

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi Account Architecture – Option 2
Share subnets between accounts in an AWS Organization
Account
Account
Account
Account
Resource Share
Resource Share
Infrastructure
account

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Baseline security
IAM
Security groups
Amazon VPC Sharing Segmentation options: Layers
Account Account
Account Account
Account Account
Account Account
Inside the account
At the VPC
ACLs
Network security
Route tables
Network ACLs
Separate VPCs
Tenant and infrastructure
Shared Security line
Tenant
configuration
Infrastructure
configuration

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scenario – Multi
Amazon VPC
• Multi account DNS

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi Amazon VPC DNS – “Legacy”

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi Amazon VPC DNS – Amazon Route 53 Resolver
dev.awscloud.example.com
corporate data center
DNS Server
prod.awscloud.example.com sandbox.awscloud.example.com bi.awscloud.example.com it.awscloud.example.com
onprem.example.com
Cross-account Hosted Zone-VPC association
awscloud.example.com
DNS requests
onprem.example.com
(Forwarding rule)
Rules
DNS VPC
Route53 Resolver
Endpoints
Amazon
Route 53
Private
Hosted Zones
VPC
Names
Internet
Domains

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use cases – SaaS
Amazon VPC
• Internal
• Shared software application
• External
• Third-party SaaS application

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SaaS Amazon VPC architecture
AWS
Region Shared
service

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scenario – Shared
services Amazon VPC
• External software as a service

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shared Service Amazon VPC Architecture – Service VPC
Consumer Account
AZ A
AZ B
AZ C
Service Provider Account
AZ A
NLB AZ B
AZ C

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use cases – Transit
connectivity
• Inter-VPC communications
• Multi region architectures
• Traffic visibility
• Third-party cloud connectivity

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Option 1 transit Amazon VPC architecture
Transitive
networking
Automated
setup
Greater network
visibility
Complex
routing
Complex
network
management
Support and
operational
costs

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Option 2: Transit Gateway
AWS Region
Transit Gateway
ENIs
VPN
Routing domain
Routing domain
AWS Direct
Connect *
Regional router
Scalable
Flexible routing
Available Q1 2019

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Quick comparison: Transit Gateway and Transit Amazon VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
Transit VPC Transit Gateway

29. Reference
network
architecture
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
AWS Direct
Connect *
Account Account Account Account IAM, Cross-account roles
Route
tables
Route
tables
Transit Gateway
Available Q1 2019

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where do I start?
• Start with your business
• How complex is my business?
• How many business units (BU)
do I have?
• How do we budget across the
business units?
• A single IT budget
• Each BU controls own
budget
• Does each BU work on its own
project or share the workload?
• What are our
security/compliance
requirements?

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where do I start?
• Then look at the people?
• Do we have an infrastructure or
developer mindset?
• Who will be managing the
cloud environment?
• Do they have a traditional
infrastructure background?
• Will developers be building
and running their own
environment(s)?

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where do I start?
• Finally look at the technical
requirements
• Do we require Hybrid
connectivity to on premise?
• Do we need a multi region
architecture?
• How comfortable are we with
using native cloud based
security to control access
between workloads?
• Do we have requirements for
expensive vendor equipment?

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Break into teams …
Image Credit Nasa

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts – find on Youtube
NET322-Centralizing DNS Management in a Multi-Account
Environment
NET323-How Vanguard and Bloomberg use AWS Privatelink
NET402 - [NEW LAUNCH!] AWS Transit Gateway and Transit
VPCs, Reference Architectures for Many VPCs

37. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
David Murray
murrayda@amazon.com
Wayne Davis
wayneaws@amazon.com

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.