TRANSCRIPT
9/19/19
1
AMAZON VIRTUAL PRIVATE CLOUD (VPC)
SEAN KERRIGAN
AGENDA
• What is VPC
• Intro to Networking
• Virtual Networking
• Example/ Demo
• Conclusion
WHAT IS VPC?
• A logical separation of “Networks”
• Virtual network/ data centers
• Created in 2013
INTRO TO NETWORKING
• Packets
• Router
• Switches
• DHCP
• Network Access Control List
• Subnetting/Network Address Translation (NAT)
PACKETS
• How PCs, routers, servers, and all other network devices communicate
• Streams of bits
• Contains SRC IP, DST IP, SRC MAC, DST MAC, and all other data
ROUTER
• Forwards packets based on Routing tables
• Border Gateway = Edge of Local Area Network (LAN)
SWITCHES/ HUBS
• Turns 1 connection into many
• Think power strip
• Switch = reply to sender (smart)
• Hubs = reply all (dumb)
DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)
• Auto IP address configurations
• User's device asks; DHCP server responds with IP address and DNS
• Happens every time you connect to WMU Secure/ WMU Open
SUBNETTING/NETWORK ADDRESS TRANSLATION (NAT)
• Subnets define the number of addresses in a network
• IP: 192.168.1.1, subnet mask: 255.255.255.0 = Network: 192.168.1.0 | usable end-user IPs: 254
• Network IP: 192.168.1.0, broadcast IP: 192.168.1.255
• Subnets of subnets are common
• IP: 192.168.1.1, subnet mask: 255.255.255.128 = Network: 192.168.1.0 | usable end-user IPs: 126
• IP: 192.168.1.128, subnet mask: 255.255.255.128 = Network: 192.168.1.128 | usable end-user IPs: 126
• NAT maps local IPs to an external IP
• Gateway changes the IP on packets
• ISP will see traffic as WMU, not Sean Kerrigan
• They will still see your MAC address
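The subnet arithmetic on this slide (the /24 and the two /25 halves of 192.168.1.0) and the gateway rewriting source addresses can be worked through in a few lines. The block below is an added example, not part of the talk or of AWS; the addresses 203.0.113.7 and 198.51.100.5 are constructed documentation addresses, and `NatGateway` is a toy many-to-one source NAT, not a model of any specific router.

```python
"""Subnet summary and a minimal source-NAT table (added example, standard library only)."""
import ipaddress


def subnet_summary(ip_with_mask: str) -> dict:
    """Network, broadcast, first/last usable host and usable-host count.

    Accepts 'IP/mask' with either a prefix length (/24) or a dotted mask
    (255.255.255.0), e.g. the slide's '192.168.1.1/255.255.255.128'.
    """
    net = ipaddress.IPv4Network(ip_with_mask, strict=False)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "prefix": net.prefixlen,
    }


class NatGateway:
    """Many-to-one source NAT: the 'gateway changes the IP on packets' step.

    Outbound packets leave with the gateway's external IP and a fresh external
    port; inbound replies are mapped back to the internal host by that port.
    """

    def __init__(self, external_ip: str, internal_net: str):
        self.external_ip = external_ip
        self.internal_net = ipaddress.IPv4Network(internal_net)
        self.next_port = 40000
        self.table = {}    # external port -> (in_ip, in_port, remote_ip, remote_port)
        self.reverse = {}  # flow key -> external port, so one flow keeps one mapping

    def outbound(self, pkt: dict) -> dict:
        if ipaddress.IPv4Address(pkt["src_ip"]) not in self.internal_net:
            raise ValueError("source is not on the local subnet")
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        ext_port = self.reverse.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.table[ext_port] = key
            self.reverse[key] = ext_port
        # the ISP side only ever sees the external address
        return {**pkt, "src_ip": self.external_ip, "src_port": ext_port}

    def inbound(self, pkt: dict):
        """Rewrite a reply back to the internal host; None means dropped."""
        if pkt["dst_ip"] != self.external_ip:
            return None
        flow = self.table.get(pkt["dst_port"])
        if flow is None:
            return None  # unsolicited inbound traffic has no mapping
        in_ip, in_port, remote_ip, remote_port = flow
        if (pkt["src_ip"], pkt["src_port"]) != (remote_ip, remote_port):
            return None  # reply from a peer that was never contacted
        return {**pkt, "dst_ip": in_ip, "dst_port": in_port}


if __name__ == "__main__":
    for spec in ("192.168.1.1/255.255.255.0", "192.168.1.1/255.255.255.128",
                 "192.168.1.128/255.255.255.128"):
        print(spec, subnet_summary(spec))
    nat = NatGateway("203.0.113.7", "192.168.1.0/24")
    out = nat.outbound({"src_ip": "192.168.1.10", "src_port": 51000,
                        "dst_ip": "198.51.100.5", "dst_port": 443})
    print("outbound after NAT:", out)
    print("reply after NAT:", nat.inbound({"src_ip": "198.51.100.5", "src_port": 443,
                                          "dst_ip": "203.0.113.7", "dst_port": out["src_port"]}))
```

The `inbound` path is the security-relevant part: a packet that does not match an existing outbound flow is dropped, which is why hosts behind NAT are not directly reachable from the ISP side.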
VIRTUAL NETWORKING
• Networking Principles
• Security Groups
• Internet Gateway (IGW)
• Elastic IP (EIP) Addresses
• Elastic Network Interface (ENI)
• Endpoints
• Peering
• Security Groups/ Access Control List
• VPG, CGW, and VPN
VPC NETWORKING PRINCIPLES
• Subnets
• Public – Directs traffic to the IGW
• Private – Does not direct traffic to the IGW
• VPN-only – Directs traffic to a Virtual Private Gateway (VPG) and has no route to the IGW
• Internal IPs are private (not accessible from the internet)
• 5 IP addresses in each subnet are reserved by Amazon
VPC NETWORKING PRINCIPLES
• Route Tables
• Default/ local route = preset and non-removable
• Allows for internal communication
• Unless otherwise defined, a subnet will use the main routing table
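A small model of the two slides above, added here as an example and not taken from the talk or from AWS: a route table with a preset, non-removable local route, longest-prefix lookup, and a classifier that labels a subnet public, private or VPN-only from where its routes point. The reservation of the first four and the last address in every VPC subnet (network, VPC router, DNS, future use, broadcast) is AWS's documented rule behind the slide's "5 IP addresses". Target names such as `igw-example` and `vgw-example` are placeholders.

```python
"""Route-table lookup and subnet classification for a VPC (added example)."""
import ipaddress


def reserved_addresses(cidr: str) -> list:
    """The 5 addresses AWS reserves in a subnet: first four plus broadcast."""
    net = ipaddress.IPv4Network(cidr)
    base = int(net.network_address)
    first_four = [str(ipaddress.IPv4Address(base + i)) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_in_vpc_subnet(cidr: str) -> int:
    """Addresses left for instances once the 5 reserved ones are removed."""
    return ipaddress.IPv4Network(cidr).num_addresses - 5


class RouteTable:
    """Routes are (destination network, target). The local route is preset."""

    def __init__(self, vpc_cidr: str):
        self.routes = [(ipaddress.IPv4Network(vpc_cidr), "local")]

    def add_route(self, cidr: str, target: str) -> None:
        self.routes.append((ipaddress.IPv4Network(cidr), target))

    def remove_route(self, cidr: str) -> None:
        net = ipaddress.IPv4Network(cidr)
        if net == self.routes[0][0]:
            raise ValueError("the local route cannot be removed")
        self.routes = [(n, t) for n, t in self.routes if n != net]

    def lookup(self, dst_ip: str):
        """Longest-prefix match; None means no route, so the packet is dropped."""
        ip = ipaddress.IPv4Address(dst_ip)
        matches = [(n.prefixlen, t) for n, t in self.routes if ip in n]
        if not matches:
            return None
        return max(matches)[1]


def classify_subnet(rt: RouteTable) -> str:
    """public: a route to an internet gateway; vpn-only: routes to a virtual
    private gateway but none to an IGW; private: neither."""
    targets = [t for _, t in rt.routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


if __name__ == "__main__":
    print("reserved in 10.0.1.0/24:", reserved_addresses("10.0.1.0/24"))
    print("usable:", usable_in_vpc_subnet("10.0.1.0/24"))
    public = RouteTable("10.0.0.0/16")
    public.add_route("0.0.0.0/0", "igw-example")  # placeholder IGW id
    print("10.0.5.9 ->", public.lookup("10.0.5.9"))
    print("8.8.8.8 ->", public.lookup("8.8.8.8"))
    print("subnet type:", classify_subnet(public))
```

A private subnet in this model simply has no default route, so `lookup` returns `None` for any non-VPC destination; that absence of a route, not a firewall rule, is what keeps the subnet off the internet.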
VPC NETWORKING PRINCIPLES
• Network Address Translation:
• Instance (Linux NAT AMI)
• Managed by you
• Instance name is amzn-ami-vpc-nat
• Disable src/dst check
• Gateway
• Managed by amazon
• Allocate EIP
INTERNET GATEWAYS
• Converts the packet SRC IP from the instance IP to the Elastic IP (EIP)
• Does the reverse for inbound traffic
• Send all non-local traffic (0.0.0.0/0) to this device
• Configure ACLs and security groups to receive traffic
ELASTIC IP ADDRESSES (EIPS)
• Static public IP address taken from Amazon's pool
• Cost if not in use but still associated
• Can move between instances in the same region
• EIP must release to disassociate
ELASTIC NETWORK INTERFACE (ENI)
• Works like a real network interface card (NIC)
• Allows 1 IP per ENI
• Dual-homed instances use multiple ENIs
• Proprietary to Amazon
ENDPOINTS
• Think your PC… but AWS instance
• EC2 = Ram and OS
• S3 = Hard drive
• DynamoDB = installed DBMS
• All these components and more will work together without internet access (no IGW)
• Must set endpoint rule
PEERING
• Instances in different VPCs can talk without issue
• Set up like a Facebook friend request
• One-to-one relationships
SECURITY GROUPS/ ACCESS CONTROL LIST
• Security group
• Stateful firewall (connection based… ACKs are sent no matter what)
• Up to 500 per VPC
• 50 in, 50 out rules per group
• Instance layer
• ACL
• Stateless firewall (ACK is declined)
• Subnet layer
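The stateful/stateless distinction on this slide is easiest to see by running the same two packets through both kinds of filter. The block below is an added simulation, not part of the talk and not AWS code: a security group that remembers flows it has allowed, so the reply to an inbound HTTPS request passes without any outbound rule, beside a network ACL that evaluates every packet against numbered rules and drops the same reply until an explicit outbound rule for the client's ephemeral port exists. The addresses 198.51.100.5 and 10.0.1.10 and all rules are constructed; the rule limit is the 50-per-direction figure quoted on the slide.

```python
"""Stateful security group vs stateless network ACL, simulated (added example)."""
import ipaddress


def _rule_matches(proto, ports, cidr, pkt, remote_ip) -> bool:
    """Protocol, destination port range and the remote address must all match."""
    lo, hi = ports
    return (proto == pkt["proto"]
            and lo <= pkt["dst_port"] <= hi
            and ipaddress.IPv4Address(remote_ip) in cidr)


class SecurityGroup:
    """Stateful, instance level: flows that were allowed are remembered, so
    return traffic passes regardless of rules in the other direction."""
    MAX_RULES = 50  # per direction, as quoted on the slide

    def __init__(self):
        self.rules = {"in": [], "out": []}
        self.tracked = set()  # (src_ip, src_port, dst_ip, dst_port, proto)

    def allow(self, direction, proto, ports, cidr) -> None:
        if len(self.rules[direction]) >= self.MAX_RULES:
            raise ValueError("security group rule limit reached")
        self.rules[direction].append((proto, ports, ipaddress.IPv4Network(cidr)))

    def evaluate(self, direction, pkt) -> bool:
        five = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        reverse = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"], pkt["proto"])
        if reverse in self.tracked:
            return True  # reply to a connection already let through
        remote = pkt["src_ip"] if direction == "in" else pkt["dst_ip"]
        if any(_rule_matches(p, ports, c, pkt, remote) for p, ports, c in self.rules[direction]):
            self.tracked.add(five)
            return True
        return False  # security groups only have allow rules; unmatched traffic is dropped


class NetworkAcl:
    """Stateless, subnet level: every packet, replies included, is checked
    against numbered rules in ascending order; first match wins, no match denies."""

    def __init__(self):
        self.rules = {"in": [], "out": []}

    def add_rule(self, number, direction, action, proto, ports, cidr) -> None:
        self.rules[direction].append((number, action, proto, ports, ipaddress.IPv4Network(cidr)))
        self.rules[direction].sort(key=lambda r: r[0])

    def evaluate(self, direction, pkt) -> bool:
        remote = pkt["src_ip"] if direction == "in" else pkt["dst_ip"]
        for _number, action, proto, ports, cidr in self.rules[direction]:
            if _rule_matches(proto, ports, cidr, pkt, remote):
                return action == "allow"
        return False  # the implicit final deny


def demo() -> dict:
    """Inbound HTTPS from a constructed client, then the instance's reply."""
    request = {"src_ip": "198.51.100.5", "src_port": 52000,
               "dst_ip": "10.0.1.10", "dst_port": 443, "proto": "tcp"}
    reply = {"src_ip": "10.0.1.10", "src_port": 443,
             "dst_ip": "198.51.100.5", "dst_port": 52000, "proto": "tcp"}

    sg = SecurityGroup()
    sg.allow("in", "tcp", (443, 443), "0.0.0.0/0")
    acl = NetworkAcl()
    acl.add_rule(100, "in", "allow", "tcp", (443, 443), "0.0.0.0/0")

    results = {
        "sg_request": sg.evaluate("in", request),
        "sg_reply": sg.evaluate("out", reply),              # passes on state alone
        "acl_request": acl.evaluate("in", request),
        "acl_reply_without_ephemeral_rule": acl.evaluate("out", reply),  # dropped
    }
    # stateless filters need the return path spelled out: ephemeral ports outbound
    acl.add_rule(100, "out", "allow", "tcp", (1024, 65535), "0.0.0.0/0")
    results["acl_reply_with_ephemeral_rule"] = acl.evaluate("out", reply)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'drop'}")
```

The failure mode this shows is the common one with stateless ACLs: a rule that admits port 443 inbound is not enough on its own, and the connection only works once the ephemeral-port return traffic is also allowed outbound.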
VIRTUAL PRIVATE GATEWAYS (VPG), CUSTOMER GATEWAY (CGW), VIRTUAL PRIVATE NETWORK(VPN)
• Connecting current Data Center
• VPG is Amazon's “gateway router”
• CGW is your gateway router
• Supports Border Gateway Protocol (BGP)
• VPN is the tunnel between
EXAMPLES
• Short on time:
• Create a VPC
• Else:
• Create 2 subnets in a VPC
• Connect to the internet
CONCLUSION
• VPC was created in 2013
• Subnets
• contained in availability zones
• only as large as 255.255.0.0 or /16
• DHCP:
• Gives info like DNS, NTP and NetBIOS
• ACL = stateless
• Security Groups = stateful
• It's like adding a new data center into an existing network system