AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud (NET303)
TRANSCRIPT
![Page 1: AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud (NET303)](https://reader033.vdocuments.site/reader033/viewer/2022042907/587082751a28ab57368b6b97/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Camil Samaha, Solutions Architecture
Kaartik Viswanath, Product Manager, EC2 Networking
December 2, 2016
NET303
NextGen Networking: New Capabilities for the Amazon Virtual Private Cloud
Page 2
What to Expect from the Session
• Review Amazon Virtual Private Cloud concepts
• Learn about new capabilities released over the past year
• Discuss the value provided by these new features
• Describe use cases
Page 3
Introducing VPC
(diagram: EC2 instances with private IP addresses 10.2.2.2 and 10.3.3.3 and public IP addresses 54.1.2.3 and 54.2.3.4)
Page 4
Introducing VPC
(diagram: instances with private IP addresses 172.31.0.128, 172.31.0.129, 172.31.1.24 and 172.31.1.27 and public IP addresses 54.4.5.6 and 54.2.3.4)
Page 5
Choose IP address range and set up subnets
(diagram: VPC subnet 10.10.1.0/24 in Availability Zone us-west-2a; VPC subnet 10.10.2.0/24 in Availability Zone us-west-2b)
Page 6
Choose IP address range and set up subnets
(diagram: VPC subnet 10.10.1.0/24 in Availability Zone us-west-2a; VPC subnet 10.10.2.0/24 in Availability Zone us-west-2b)
Route table:
Destination    Target   Status
10.10.0.0/16   local    Active
Traffic destined to my VPC stays in my VPC
Page 7
DNS support for non-RFC 1918 addresses (NEW)
• RFC 1918 private address ranges:
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
• Native EC2 DNS support for private VPC IP addresses outside of the RFC 1918 space
• Removes the need for running custom DNS servers
Page 8
Page 9
Authorize traffic
(diagram: subnets 10.10.1.0/24 in us-west-2a and 10.10.2.0/24 in us-west-2b, with a security group applied to the instances)
Page 10
Authorize traffic
• Network access control lists (ACLs)
  • Can be applied at the subnet level
  • Act as a stateless firewall for associated subnets
• Security groups (SGs)
  • Can be applied at the instance level
  • Act as a stateful firewall for associated instances
  • New: Create up to 500 SGs per VPC (per region)
Page 11
Security group limits
• 500 security groups per VPC (per region)
• 50 inbound and 50 outbound rules per security group
• 5 security groups per network interface (max 16)
• Number to remember: 250
  • (# of rules) * (# of security groups per interface) <= 250
  • Example 1: if you want to increase the # of rules to 100, then we decrease your # of security groups per interface to 2
  • Example 2: if you want 10 security groups per interface, we decrease your # of rules per security group to 25
Page 12
Establish public connectivity
(diagram: subnet 10.10.1.0/24 with instances 10.10.1.34 and 10.10.1.61; subnet 10.10.2.0/24 with instances 10.10.2.9 and 10.10.2.26; Internet gateway (IGW) with public IP 54.4.5.6)
Route table:
Destination    Target         Status
10.10.0.0/16   local          Active
0.0.0.0/0      igw-5a1ae13f   Active
Everything not destined for my VPC goes to the Internet
Page 13
Internet access via a NAT instance
(diagram: subnets 10.10.1.0/24 and 10.10.2.0/24 sending 0.0.0.0/0 traffic to a NAT instance with Elastic IP 54.2.0.12)
Route table:
Destination    Target            Status
10.10.0.0/16   local             Active
0.0.0.0/0      nat-instance-id   Active
Everything not destined for my VPC goes to the Internet via the NAT instance
Page 14
Internet access via NAT Gateway (NEW)
(diagram: subnets 10.10.1.0/24 and 10.10.2.0/24 sending 0.0.0.0/0 traffic to a NAT Gateway with public IP 54.2.0.12)
Route table:
Destination    Target                  Status
10.10.0.0/16   local                   Active
0.0.0.0/0      nat-0da73389b88c2bd3    Active
Everything not destined for my VPC goes to the Internet via the NAT Gateway
Page 15
Amazon VPC NAT Gateway
• Managed network address translation service
• You assign an Elastic IP address at creation
• Connections initiated from the Internet are prevented
• Each NAT gateway is created in a specific Availability Zone (AZ)
• Built-in redundancy for high availability in the AZ
• Create a NAT gateway in each of your AZs for an AZ-independent architecture
Page 16
Amazon VPC NAT Gateway (cont.)
• Automatic scaling
• Uniform offering; you don’t need to decide on the type or size
• Up to 10 Gbps of bursty TCP, UDP, and ICMP traffic
• Use multiple gateways in multiple subnets for > 10 Gbps
• Can use a network ACL to control traffic to/from subnet
Page 17
Create a NAT Gateway
Page 18
Create a NAT Gateway
Page 19
Update subnet routing table
Page 20
VPC public connectivity via NAT
NAT instance(s)
  Pros
  • Central control
  • All protocols
  Cons
  • Availability risks
  • Lots of work to manage
  • Scaling hard, limited
NAT gateway
  Pros
  • Managed & maintained by AWS
  • Highly available
  • Optimized for NAT traffic
  • Automatic scaling
  Cons
  • Port forwarding not supported
  • TCP & ICMP fragmentation not supported
Page 21
VPC Endpoints for Amazon S3
(diagram: subnet 10.10.1.0/24 with instances 10.10.1.34 and 10.10.1.61; subnet 10.10.2.0/24 with instances 10.10.2.9 and 10.10.2.26; IGW with public IP 54.4.5.6; S3 endpoint)
Route table:
Destination    Target         Status
10.10.0.0/16   local          Active
pl-68a54001    vpce-a610f4cf  Active
Prefix list for Amazon S3; IP range changes over time and is managed by AWS
Page 22
Amazon EMR clusters in VPC private subnets
(diagram: EMR cluster in a private subnet; Amazon EMR service reached through a NAT gateway in the public subnet and the IGW; Amazon S3 reached through an S3 endpoint; cluster ENI)
Page 23
Access resources in a VPC from AWS Lambda
(diagram: AWS Lambda function attached to the VPC through an ENI in a private subnet, reaching Amazon RDS, Amazon ElastiCache and Amazon Redshift; Amazon S3 via an S3 endpoint; Internet via a NAT gateway in the public subnet and the IGW)
Page 24
Amazon Redshift enhanced VPC routing
(diagram: Amazon Redshift cluster in a private subnet with an ENI; Amazon S3 in the same region (us-east-1) reached through an S3 endpoint; Amazon S3 in another region (us-west-2) reached through a NAT gateway in the public subnet and the IGW)
Page 25
VPC peering: Connecting VPCs without the Internet
(diagram: VPC A 10.10.0.0/16 with subnet 10.10.1.0/24; VPC B 10.20.0.0/16 with subnet 10.20.1.0/24)
Route table (VPC A):
Destination    Target         Status
10.10.0.0/16   local          Active
10.20.0.0/16   pcx-44eb539a   Active
Traffic destined for the peered VPC should go to the peering
Page 26
VPC peering
(diagram: VPC A 10.10.0.0/16 with subnet 10.10.1.0/24; VPC B 10.20.0.0/16 with subnets 10.20.1.0/24 and 10.20.30.0/24)
New: Support for security group references between peered VPCs
Inbound rules by CIDR:
Source           Protocol   Port Range
10.20.1.0/24     All        All
10.20.30.7/32    All        All
10.20.30.56/32   All        All
Inbound rules by security group reference:
Source           Protocol   Port Range
sg-530afe56      All        All
Page 27
VPC peering
(diagram: VPC A 10.10.0.0/16 with subnet 10.10.1.0/24; VPC B 10.20.0.0/16 with subnet 10.20.1.0/24; instance in VPC B with private IP 10.20.1.35 and public IP 54.4.5.6)
New: Support for DNS resolution between peered VPCs
# Before
$ dig ec2-54-4-5-6.compute-1.amazonaws.com +short
54.4.5.6
# After
$ dig ec2-54-4-5-6.compute-1.amazonaws.com +short
10.20.1.35
Page 28
IPv6 VPC/EC2 support (NEW)
• /56 CIDR block of globally unique addresses per VPC
• /64 GUA CIDR block per subnet
• Security groups, NACLs, Flow Logs
• Local, Internet gateway, Direct Connect, VPC peering
• Egress only internet gateway
• Supported EC2 instances: all current generation instance types except M3 and G2
• IPv6 in the Cloud Overview and Deep Dive sessions
18,446,744,073,709,551,616 (the number of addresses in a single /64 subnet)
Page 29
IPv6 connectivity
(diagram: VPC 10.10.0.0/16 with IPv6 block 2001:db8:1234:1a00::/56; subnet 10.10.1.0/24 with 2001:db8:1234:1a00::/64 and subnet 10.10.2.0/24 with 2001:db8:1234:1a02::/64; instances shown as IPv4 10.10.1.35 / IPv6 2001:db8:1234:1a00::123 and IPv4 10.10.1.35 / IPv6 2001:db8:1234:1a02::432; Elastic IPs 198.51.4.2 and 198.51.4.5; Internet gateway, NAT gateway and Egress-only Internet gateway)
Route table with Internet gateway:
Destination                Target
10.10.0.0/16               local
2001:db8:1234:1a00::/56    local
0.0.0.0/0                  igw-id
::/0                       igw-id
Route table with NAT gateway and Egress-only Internet gateway:
Destination                Target
10.10.0.0/16               local
2001:db8:1234:1a00::/56    local
0.0.0.0/0                  nat-id
::/0                       eigw-id
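As an added example (not from the deck or from AWS), the longest-prefix-match lookup a VPC route table performs, run over the private subnet table above together with the Amazon S3 prefix-list route from the S3 endpoint slide; the prefix-list contents and the sample addresses are constructed placeholders, since the real list is managed by AWS.

```python
import ipaddress

# Constructed placeholder for the managed Amazon S3 prefix list pl-68a54001: the real
# list is maintained by AWS and changes over time, so these are NOT real S3 ranges.
PREFIX_LISTS = {
    "pl-68a54001": ["203.0.113.0/24", "198.51.100.0/24"],
}

def expand(route_table):
    """Turn (destination, target) rows into (ip_network, target) pairs, expanding prefix lists."""
    rows = []
    for dest, target in route_table:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            rows.append((ipaddress.ip_network(cidr), target))
    return rows

def lookup(route_table, address):
    """Return the target for an address by longest-prefix match, as a VPC route table does.
    Returns None when no route of the address's IP version covers it (traffic has no path)."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, target in expand(route_table):
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return None if best is None else best[1]

# Private subnet table from the IPv6 connectivity slide, plus the S3 endpoint route
# from the "VPC Endpoints for Amazon S3" slide (target ids as printed on the slides).
PRIVATE_RT = [
    ("10.10.0.0/16", "local"),
    ("2001:db8:1234:1a00::/56", "local"),
    ("pl-68a54001", "vpce-a610f4cf"),
    ("0.0.0.0/0", "nat-id"),
    ("::/0", "eigw-id"),
]

# IPv4-only public subnet table from the "Establish public connectivity" slide:
# it has no ::/0 route, so IPv6 destinations resolve to no target at all.
PUBLIC_RT_V4 = [
    ("10.10.0.0/16", "local"),
    ("0.0.0.0/0", "igw-5a1ae13f"),
]

if __name__ == "__main__":
    for ip in ("10.10.2.9", "203.0.113.7", "54.4.5.6", "2001:db8:1234:1a02::432", "2001:db8::1"):
        print(f"{ip:>24} -> {lookup(PRIVATE_RT, ip)}")
    print("IPv6 on the IPv4-only table ->", lookup(PUBLIC_RT_V4, "2001:db8::1"))
```

Because the prefix-list routes are more specific than 0.0.0.0/0, S3-bound traffic takes the endpoint instead of the NAT gateway, which is why the list must stay AWS-managed as its ranges change.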
Page 30
ClassicLink: Connecting VPC and EC2-Classic
• Connectivity over private IP addresses between linked instances in EC2-Classic and VPC
• Phased migration to VPC
• Classic instances can take membership in VPC security groups
• New: Support for DNS resolution of public hostnames to private IP addresses
Page 31
ClassicLink over VPC peering (NEW)
(diagram: EC2-Classic linked to VPC A, which is peered with VPC B)
Page 32
Netflix – Migration from Classic to VPC
10000s instances.
1000s services.
Dozens of teams.
Moving at their own schedule.
Page 33
Netflix
Page 34
Thank you!
Page 35
Remember to complete your evaluations!
Page 36
Related Sessions
• NET201 – Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
• NET204 – IPv6 in the Cloud: Protocol and AWS Service Overview
• NET304 – Moving Mountains: Netflix’s Migration into VPC
• NET307 – IPv6 in the Cloud: Virtual Private Cloud Deep Dive
• NET402 – Deep Dive: AWS Direct Connect and VPNs