an introduction to amazon vpc

PRIVATE ISLANDS FOR RENT AN INTRODUCTION TO AMAZON VPC Sarah Zelechoski | @szelechoski #vBrownBag 10/28/2015

Upload: sarah-zelechoski

Post on 14-Apr-2017


TRANSCRIPT

Page 1: An Introduction to Amazon VPC

PRIVATE ISLANDS FOR RENT

AN INTRODUCTION TO AMAZON VPC

Sarah Zelechoski | @szelechoski | #vBrownBag 10/28/2015

Page 2: An Introduction to Amazon VPC

AN INTRODUCTION TO AMAZON VPC

I ♥ MY DATACENTER

‣ own your own equipment

‣ private network segment

‣ control over security

‣ hands-on support/physical access

‣ invested a lot in

  ‣ hardware

  ‣ storage

  ‣ staff

  ‣ virtualization

Page 3: An Introduction to Amazon VPC

BUT CLOUD IS THE NEW HOTNESS

‣ scale up/scale down

‣ only pay for usage

‣ geography

‣ push button interface

‣ scripting/automation community

‣ less maintenance

  ‣ hardware/power/bandwidth

Page 4: An Introduction to Amazon VPC

WE TRIED AWS A FEW YEARS AGO, BUT ...

Every Company Ever

Page 5: An Introduction to Amazon VPC

THE 'BURBS (EC2-CLASSIC)

‣ no privacy

  ‣ shared hardware/resources

‣ no network segmentation

  ‣ shared private address space

  ‣ all instances have a public presence

‣ security groups inflexible

  ‣ ingress rules only

  ‣ unable to change live

Page 6: An Introduction to Amazon VPC

THE 'BURBS (EC2-CLASSIC)

‣ strict HOA

  ‣ stingy w/ IPs

  ‣ some instance types not allowed

  ‣ no connection back to your DC

  ‣ new AWS services not available

‣ overcrowding

  ‣ not available to new accounts

Page 7: An Introduction to Amazon VPC

GOOD NEWS EVERYONE!

Professor Farnsworth

Page 8: An Introduction to Amazon VPC
Page 9: An Introduction to Amazon VPC

YOUR LITTLE SLICE OF HEAVEN

‣ logically isolated

‣ option for single-tenant hardware

‣ private networking

‣ control

‣ security

‣ compatible with all AWS services

Page 10: An Introduction to Amazon VPC

AWS VPC AND NETWORKING

‣ VIRTUAL PRIVATE CLOUD (VPC)

‣ REGION

‣ INTERNET GATEWAY (IGW)

‣ SUBNETS

  ‣ PUBLIC SUBNETS

    ‣ DMZ

    ‣ BASTION HOST

    ‣ NAT

  ‣ PRIVATE SUBNETS

‣ ROUTING TABLES

‣ NETWORK ACLS

‣ SECURITY GROUPS

‣ ADVANCED TOPICS

Page 11: An Introduction to Amazon VPC

VPC

‣ self-contained / isolated

‣ /16 CIDR of your choosing

‣ build to suit

  ‣ custom subnet structure

  ‣ custom routing

  ‣ custom security

‣ resources assigned to a single VPC

PRIVATE ISLAND

Page 12: An Introduction to Amazon VPC
Page 13: An Introduction to Amazon VPC
Page 14: An Introduction to Amazon VPC

REGION

‣ geographical region

‣ multiple datacenters

‣ close to you or your customers

‣ some bigger/more popular than others

‣ VPC lives in one region

OCEAN

Page 15: An Introduction to Amazon VPC
Page 16: An Introduction to Amazon VPC
Page 17: An Introduction to Amazon VPC

INTERNET GATEWAY (IGW)

‣ all communication with Internet happens through IGW

‣ one IGW per VPC

‣ public subnets use it as their default gateway

‣ private subnets use a NAT instance to forward traffic

CHANNEL

Page 18: An Introduction to Amazon VPC
Page 19: An Introduction to Amazon VPC
Page 20: An Introduction to Amazon VPC

PUBLIC SUBNET

‣ classic DMZ

‣ instances have public IP

‣ traffic will flow directly to IGW

‣ can interface with instances inside

‣ houses all ingress points to your VPC

‣ minimize this footprint / fringe security

THE SHALLOWS

Page 21: An Introduction to Amazon VPC
Page 22: An Introduction to Amazon VPC
Page 23: An Introduction to Amazon VPC

DMZ INSTANCES

‣ instances with public presence

  ‣ VPN appliance

  ‣ bastion host

  ‣ proxy server

  ‣ software load balancers

‣ security is important

  ‣ have a very good reason

GUEST CABANAS

Page 24: An Introduction to Amazon VPC

BASTION HOST

‣ alternative to VPN

  ‣ access private instances

  ‣ SSH for admins

  ‣ tunnel for automation tools

‣ needs strict security

  ‣ restrict ports

  ‣ SSH user-specific keys

HELIPAD

Page 25: An Introduction to Amazon VPC
Page 26: An Introduction to Amazon VPC

ELASTIC LOAD BALANCER (ELB)

‣ public interface

‣ gateway to your applications and services

‣ expose different ports outside vs. inside

‣ SSL and SSL termination

‣ high availability and failover

ARRIVAL JETTY

Page 27: An Introduction to Amazon VPC
Page 28: An Introduction to Amazon VPC

star.reactiveops.com

Page 29: An Introduction to Amazon VPC

NETWORK ADDRESS TRANSLATION (NAT)

‣ private egress

‣ maps private network to public address

‣ allows outbound communication from private network

‣ reach out for

  ‣ git, ntp, apt/yum

‣ return traffic permitted

EXCURSIONS

Page 30: An Introduction to Amazon VPC
Page 31: An Introduction to Amazon VPC

PRIVATE SUBNET

‣ inner sanctum

‣ instances only have private address

  ‣ not routable directly from internet

  ‣ ingress -> ELB

  ‣ egress -> NAT

‣ control access points

  ‣ network ACLs

  ‣ security groups

RESORT

Page 32: An Introduction to Amazon VPC
Page 33: An Introduction to Amazon VPC
Page 34: An Introduction to Amazon VPC

ROUTING TABLES

‣ tells traffic how to get from one place to another

‣ VPC CIDR is local by default

‣ each routing table defines a different default gateway

  ‣ public: 0.0.0.0/0 => IGW

  ‣ private: 0.0.0.0/0 => NAT

‣ one RT associated to a subnet

  ‣ many subnets can share the same RT

CONCIERGE

Page 35: An Introduction to Amazon VPC
Page 36: An Introduction to Amazon VPC
Page 37: An Introduction to Amazon VPC
Page 38: An Introduction to Amazon VPC

NETWORK ACL

‣ control access to subnet

‣ evaluated in order

‣ ingress and egress

‣ ALLOW or DENY

‣ stateless!

‣ optional security layer

‣ default ALLOW all

FRONT GATE

Page 39: An Introduction to Amazon VPC
Page 40: An Introduction to Amazon VPC
Page 41: An Introduction to Amazon VPC

SECURITY GROUPS

‣ instance based

‣ associated w/ network interface

‣ ingress AND egress

‣ tcp, udp, icmp ports

‣ SG or specific CIDR

‣ stateful!

‣ can change live

‣ principle of least privilege

DOOR LOCKS

Page 42: An Introduction to Amazon VPC

SECURITY GROUPS

‣ port-based

  ‣ web-http: ingress port 80

  ‣ mysql: ingress port 3306

  ‣ ssh-local: ingress port 22 from VPC CIDR

‣ role-based

  ‣ presentation

  ‣ application

  ‣ data
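Added example, not code from the talk: a small Python evaluator for the stateless/stateful difference on the two security slides above. A network ACL that allows inbound port 80 but has no ephemeral-port egress rule drops the HTTP reply, while the stateful security group passes it. The rule sets, the client address 203.0.113.7 and the ephemeral port 51234 are constructed.

```python
import ipaddress

# Constructed rule sets, not from the talk: a public web subnet's network ACL
# and the web server's security group, evaluated against one HTTP exchange.
# NACL entries: (rule number, action, protocol, (port_from, port_to), cidr).
# Lowest number first, first match wins, each packet judged on its own.
NACL_INBOUND = [
    (100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
]
NACL_OUTBOUND_WRONG = [                      # no rule for replies to clients
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
]
NACL_OUTBOUND_FIXED = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),   # ephemeral ports for replies
]
# Security group: allow rules only, stateful, every rule considered.
SG_INBOUND = [("tcp", (80, 80), "0.0.0.0/0")]

def _hit(proto, port, peer, rule_proto, ports, cidr):
    return (rule_proto in ("all", proto) and ports[0] <= port <= ports[1]
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))

def nacl_allows(entries, proto, port, peer):
    """Stateless: the packet must match an allow entry before any deny entry."""
    for _num, action, rule_proto, ports, cidr in sorted(entries):
        if _hit(proto, port, peer, rule_proto, ports, cidr):
            return action == "allow"
    return False  # AWS ends every NACL with an implicit deny ('*') rule

def sg_allows_flow(inbound, proto, port, peer):
    """Stateful: once the first packet matches, the reply is tracked and allowed."""
    return any(_hit(proto, port, peer, *rule) for rule in inbound)

def http_request_and_reply(nacl_out):
    """Constructed flow: 203.0.113.7:51234 -> web:80, then web -> 203.0.113.7:51234."""
    client, ephemeral = "203.0.113.7", 51234
    sg_ok = sg_allows_flow(SG_INBOUND, "tcp", 80, client)      # covers both directions
    request = nacl_allows(NACL_INBOUND, "tcp", 80, client) and sg_ok
    reply = nacl_allows(nacl_out, "tcp", ephemeral, client) and sg_ok
    return {"request": request, "reply": reply}

if __name__ == "__main__":
    print("missing ephemeral egress rule:", http_request_and_reply(NACL_OUTBOUND_WRONG))
    print("with ephemeral egress rule:   ", http_request_and_reply(NACL_OUTBOUND_FIXED))
```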

Page 43: An Introduction to Amazon VPC
Page 44: An Introduction to Amazon VPC
Page 45: An Introduction to Amazon VPC

BUT WAIT, THERE'S MORE!

Billy Mays

Page 46: An Introduction to Amazon VPC

ADVANCED TOPICS

‣ AVAILABILITY ZONES

‣ ADVANCED SUBNETTING

‣ VPC PEERING

Page 47: An Introduction to Amazon VPC

AVAILABILITY ZONES

‣ isolated locations within a region

‣ connected by low latency links

‣ VPC can span multiple AZs

‣ single AZ failure happens

‣ AWS services built to span AZs

Page 48: An Introduction to Amazon VPC
Page 49: An Introduction to Amazon VPC
Page 50: An Introduction to Amazon VPC

ADVANCED SUBNETTING

‣ get away from public/private dichotomy

‣ create a new subnet when

  ‣ different hosts need to route in different ways

  ‣ using fault-tolerant configurations and distributing instances across availability zones

  ‣ increased security warrants the usage of network ACLs or abstraction

Page 51: An Introduction to Amazon VPC
Page 52: An Introduction to Amazon VPC
Page 53: An Introduction to Amazon VPC

ADVANCED SUBNETTING

‣ subnets should be as large as possible

  ‣ autoscaling groups quickly eat up addresses

  ‣ leave yourself room to grow

‣ align subnets to make network ACLs easy

VPC = 10.0.0.0/16

public subnets       = 10.0.0.0/19
  AZ1 = 10.0.0.0/21   AZ2 = 10.0.8.0/21    AZ3 = 10.0.16.0/21   # spare 10.0.24.0/21

presentation subnets = 10.0.32.0/19
  AZ1 = 10.0.32.0/21  AZ2 = 10.0.40.0/21   AZ3 = 10.0.48.0/21   # spare 10.0.56.0/21

application subnets  = 10.0.64.0/19
  AZ1 = 10.0.64.0/21  AZ2 = 10.0.72.0/21   AZ3 = 10.0.80.0/21   # spare 10.0.88.0/21

data subnets         = 10.0.96.0/19
  AZ1 = 10.0.96.0/21  AZ2 = 10.0.104.0/21  AZ3 = 10.0.112.0/21  # spare 10.0.120.0/21

/16: 65534 addresses
/18: 16382 addresses
/19: 8190 addresses
/20: 4094 addresses

https://medium.com/aws-activate-startup-blog/practical-vpc-design-8412e1a18dcc
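Added example, not code from the talk: the same /16 -> /19 tier -> /21 per-AZ plan derived with Python's standard ipaddress module, so the per-AZ blocks, the spare /21 per tier, the leftover /19s and the single CIDR a network ACL rule can name for a whole tier are computed instead of typed by hand. Tier and AZ names are the slide's; the usable-address helper gives the classic count the slide quotes and, as a caveat, the count after the five addresses AWS reserves in every subnet.

```python
import ipaddress

# Added example reproducing the slide's plan: 10.0.0.0/16 split into /19 tiers,
# each tier split into /21 per-AZ subnets with the fourth /21 left spare.
VPC = ipaddress.ip_network("10.0.0.0/16")
TIERS = ["public", "presentation", "application", "data"]   # one /19 each
AZS = ["AZ1", "AZ2", "AZ3"]                                  # one /21 each, 4th /21 spare

def carve(vpc=VPC, tiers=TIERS, azs=AZS, tier_prefix=19, az_prefix=21):
    """Return ({tier: {az_or_'spare': network}}, [unused tier blocks])."""
    blocks = list(vpc.subnets(new_prefix=tier_prefix))       # 8 x /19 in a /16
    plan = {}
    for tier, block in zip(tiers, blocks):
        az_blocks = list(block.subnets(new_prefix=az_prefix))  # 4 x /21 in a /19
        plan[tier] = dict(zip(azs, az_blocks))
        plan[tier]["spare"] = az_blocks[len(azs)]
    return plan, blocks[len(tiers):]

def disjoint(plan):
    """Aligned carving guarantees this; still worth asserting before writing ACLs."""
    nets = [n for tier in plan.values() for n in tier.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def usable(net, aws_reserved=True):
    """Classic count drops network and broadcast; AWS reserves five per subnet."""
    return net.num_addresses - (5 if aws_reserved else 2)

def nacl_cidr_for(plan, tier):
    """The one CIDR covering a tier across all AZs, usable in a single NACL rule."""
    return list(ipaddress.collapse_addresses(plan[tier].values()))[0]

if __name__ == "__main__":
    plan, free = carve()
    for tier, subnets in plan.items():
        print(tier, {k: str(v) for k, v in subnets.items()},
              "| NACL block:", nacl_cidr_for(plan, tier))
    print("unused /19s:", [str(b) for b in free],
          "| /21 usable per AWS:", usable(plan["data"]["AZ1"]))
```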

Page 54: An Introduction to Amazon VPC

VPC PEERING

‣ enable private routing of traffic between VPCs

‣ instances in either VPC communicate as if they reside on the same network

‣ no bandwidth loss

‣ used to share common resources

‣ used to separate areas of concern

Page 55: An Introduction to Amazon VPC

VPC PEERING

‣ cannot connect matching or overlapping CIDR blocks

‣ peered VPCs must be in the same region

‣ no transitive VPC peering

‣ reference of a SG from the peer VPC not supported. CIDR blocks must be used instead.

‣ private EC2 DNS cannot be resolved between instances in peered VPCs
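Added example, not from the talk, serving the routing-table slide and the two peering slides: a longest-prefix-match lookup over constructed route tables for a VPC A peered with B, where B is also peered with C, plus the overlap check that decides whether two CIDRs can be peered at all. The 10.x.0.0/16 CIDRs and the igw-/nat-/pcx- ids are placeholders, not real AWS identifiers.

```python
import ipaddress

# Constructed VPC CIDRs and gateway ids (placeholders, not real AWS ids).
VPC_A, VPC_B, VPC_C = "10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"
IGW_A, NAT_A = "igw-placeholder", "nat-placeholder"
PCX_AB, PCX_BC = "pcx-ab-placeholder", "pcx-bc-placeholder"

# Route tables as (destination CIDR, target). Every table carries the VPC CIDR
# as "local"; public and private tables differ only in where 0.0.0.0/0 points.
PUBLIC_A = [(VPC_A, "local"), ("0.0.0.0/0", IGW_A), (VPC_B, PCX_AB)]
PRIVATE_A = [(VPC_A, "local"), ("0.0.0.0/0", NAT_A), (VPC_B, PCX_AB)]
PRIVATE_B = [(VPC_B, "local"), (VPC_A, PCX_AB), (VPC_C, PCX_BC)]

def route_lookup(table, dst):
    """Most specific (longest prefix) matching route wins, as in AWS route tables."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def peerable(cidr_a, cidr_b):
    """Peering is refused when the two CIDR blocks match or overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def reaches_by_peering(table, dst):
    """True only if the chosen route is a peering connection. A's tables know
    nothing about C, so C-bound packets follow the default route to the NAT or
    IGW; B's peering with C does not extend to A (no transitive peering)."""
    target = route_lookup(table, dst)
    return target is not None and target.startswith("pcx-")

if __name__ == "__main__":
    print("A private -> B host:", route_lookup(PRIVATE_A, "10.1.3.4"))
    print("A private -> C host:", route_lookup(PRIVATE_A, "10.2.0.5"), "(not transitive)")
    print("B private -> C host:", route_lookup(PRIVATE_B, "10.2.0.5"))
    print("A/B peerable:", peerable(VPC_A, VPC_B),
          "| A with 10.0.128.0/17:", peerable(VPC_A, "10.0.128.0/17"))
```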

Page 56: An Introduction to Amazon VPC