Lessons Learned from 2,000 Amazon VPC Configurations
Eric Olson, VP Engineering, SoftNAS
February 22, 2017

Uploaded by softnas-inc on 03-Mar-2017 (slide transcript, 26 pages)

Page 1: Lessons Learned from 2,000 Amazon VPC Configurations

Eric Olson, VP Engineering, SoftNAS
February 22, 2017

Page 2: Agenda

© 2017 SoftNAS, Inc.

• What is a Virtual Private Cloud (VPC)?
• 10 Lessons Learned
• How SoftNAS Uses VPCs
• SoftNAS Cloud Overview
• Q&A

Page 3: We’ve Configured Over 2,000 Amazon VPCs

Page 4: What is SoftNAS Cloud?

• Powerful enterprise-class storage products for public, private and hybrid clouds
• Easy to use – rapid time to value
• Freedom from platform lock-in
  – Works with most popular cloud computing platforms
    • Amazon EC2®, VMware vSphere®, Microsoft® Azure™, CenturyLink Cloud®

We believe in powerful, hassle-free storage

Page 5: Amazon VPCs

Page 6: What is a Virtual Private Cloud (VPC)?

• A virtual network dedicated to your AWS environment
• Logically isolated from other virtual networks in the AWS cloud
• A location for launching AWS resources, such as Amazon EC2 instances
• Highly configurable virtual private network infrastructure
  – Set IP address range
  – Create subnets
  – Configure route tables
  – Define network gateways (VPN, IGW)
  – Configure security settings/ACL

Page 7: What is a Virtual Private Cloud?

• Control
  – IP address ranges, how routing works, VPN access, subnet architecture
• Security
  – Security Groups and ACLs as well as routing rules
• Features
  – Multiple NIC interfaces, static private IPs; T2/M4/C4 and other instance types are only available in a VPC
• Hybrid Cloud
  – Direct Connect can be leveraged to extend your on-premises network into the AWS cloud
• Networking Advantages
  – VPC peering – within your organization or to others
  – Endpoint flow logs help with troubleshooting

Page 8: VPC Topology

• A VPC is used in a single region but can span multiple AZs
• Each subnet lives in a single AZ
• All subnets can route to each other by default
• Network size can be set between /16 and /28 for the VPC CIDR
• Choose your IP prefix

Page 9: Accessing the VPC

• Gateways
  – Internet Gateway (IGW): ingress and egress Internet access
  – Virtual Private Gateway (VPG): AWS side of a VPN connection
  – Customer Gateway (CG): customer side of a VPN connection
• VPNs
  – Direct Connect
    • Dedicated bandwidth to the VPC
  – Hardware-based VPN
    • On-premises to AWS over the Internet
    • Major VPN vendors supported

Page 10: AWS VPC Packet Flow

[Diagram: a VPC router connecting Subnet 1 (10.0.0.0/24), Subnet 2 (10.0.1.0/24) and Subnet 3 (10.0.2.0/24). Instance A (10.0.0.197) and Instance B (10.0.0.211) sit in Subnet 1; Instance B has a second elastic network interface in Subnet 2 (10.0.1.99); Instance C (10.0.2.176) sits in Subnet 3.]

Page 11: AWS VPC Packet Flow (same subnet)

[Diagram: Instance A (10.0.0.197) sending to Instance B (10.0.0.211) inside Subnet 1 (10.0.0.0/24). On A: routing table and ARP table lookup, then the outbound firewall (source/destination check, security group outbound). On B: the inbound firewall (source/destination check, security group inbound).]

Page 12: AWS VPC Packet Flow (across subnets)

[Diagram: Instance B (10.0.0.211 in Subnet 1 / 10.0.1.99 in Subnet 2) sending to Instance C (10.0.2.176 in Subnet 3). On B: IP routing policy database selects route table 1 or route table 2; outbound firewall (source/destination check, security group outbound); route table lookup; network ACL outbound. On C: inbound firewall (network ACL inbound, source/destination check, security group inbound).]
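The evaluation chain on the packet-flow slides, as an added Python walk-through that is not part of the deck: a packet from Instance B to Instance C passes the security group outbound, the route lookup, the network ACL outbound, the network ACL inbound and finally the security group inbound, and the first stage that says no drops it. All security group and network ACL rules are constructed for the example; the subnets and addresses are the ones on the slides.

```python
# Added example, not from the SoftNAS deck: walk a packet through the stages
# the "AWS VPC Packet Flow" slides show for cross-subnet traffic. Security
# group and network ACL rules are constructed; subnets/addresses are the slide's.
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # the "local" route covers this; anything else exits
SUBNETS = {"subnet1": "10.0.0.0/24", "subnet2": "10.0.1.0/24",
           "subnet3": "10.0.2.0/24"}
# Security groups are allow-lists keyed by instance: (proto, port, cidr).
SG = {"B": {"out": [("tcp", 5432, "10.0.0.0/16")], "in": []},
      "C": {"out": [], "in": [("tcp", 5432, "10.0.1.0/24")]}}
# Network ACLs are ordered per subnet: (rule number, proto, port, cidr, action);
# the lowest-numbered match decides and the implicit last rule denies.
NACL = {"subnet1": {"out": [], "in": []},
        "subnet2": {"out": [(100, "tcp", 5432, "10.0.2.0/24", "allow")], "in": []},
        "subnet3": {"out": [], "in": [(50, "tcp", 5432, "10.0.1.0/24", "deny"),
                                      (100, "tcp", 5432, "10.0.0.0/16", "allow")]}}


def sg_allows(rules, proto, port, addr):
    ip = ipaddress.ip_address(addr)
    return any(p == proto and pt == port and ip in ipaddress.ip_network(c)
               for p, pt, c in rules)


def nacl_allows(rules, proto, port, addr):
    ip = ipaddress.ip_address(addr)
    for _, p, pt, c, action in sorted(rules):  # lowest rule number first
        if p == proto and pt == port and ip in ipaddress.ip_network(c):
            return action == "allow"
    return False  # implicit deny at the end of every network ACL


def subnet_of(addr):
    ip = ipaddress.ip_address(addr)
    return next(n for n, c in SUBNETS.items() if ip in ipaddress.ip_network(c))


def send(src_inst, src_addr, dst_inst, dst_addr, proto="tcp", port=5432):
    """Return the first stage that drops the packet, or 'delivered'."""
    stages = [  # lambdas keep later stages from running once one has failed
        ("sg-outbound", lambda: sg_allows(SG[src_inst]["out"], proto, port, dst_addr)),
        ("route", lambda: ipaddress.ip_address(dst_addr) in ipaddress.ip_network(VPC_CIDR)),
        ("nacl-outbound", lambda: nacl_allows(NACL[subnet_of(src_addr)]["out"], proto, port, dst_addr)),
        ("nacl-inbound", lambda: nacl_allows(NACL[subnet_of(dst_addr)]["in"], proto, port, src_addr)),
        ("sg-inbound", lambda: sg_allows(SG[dst_inst]["in"], proto, port, src_addr)),
    ]
    return next((name for name, ok in stages if not ok()), "delivered")
```

Sending from B's Subnet 2 interface is stopped by the lower-numbered deny rule in Subnet 3's inbound ACL even though the security group on C would allow it; sending from B's Subnet 1 interface never leaves, because Subnet 1's outbound ACL has no allow rule.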

Page 13: 10 Lessons Learned

Page 14: Organize Your AWS Environment

1. Use tagging (you will thank me later)
2. Plan your CIDR block carefully!
  – Go bigger, not smaller
  – AWS reserves 5 IP addresses per subnet
  – Avoid overlapping CIDRs
  – Save space for future expansion
  – You can never add more IPs to
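A planning check for lesson 2, added here as an example and not part of the deck: it applies the limits from this slide and the VPC Topology slide (VPC and subnet prefixes between /16 and /28, 5 reserved addresses per subnet, no overlapping ranges) and reports how much of the VPC is still free for expansion. The subnet names and ranges used to exercise it are constructed.

```python
# Added example, not from the SoftNAS deck: check a VPC CIDR plan against the
# rules on this slide and the "VPC Topology" slide (VPC and subnet prefixes
# between /16 and /28, 5 addresses reserved per subnet, no overlaps, room
# left for expansion). Subnet names and ranges passed in are constructed.
import ipaddress
from typing import Dict, List

# AWS keeps the network address, VPC router, DNS, one spare and broadcast.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually be given in this subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def free_addresses(vpc_cidr: str, subnets: Dict[str, str]) -> int:
    """Addresses of the VPC not yet carved into any subnet (room to grow)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnets.values()]
    used = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets)
               if n.subnet_of(vpc))
    return vpc.num_addresses - used


def check_vpc_plan(vpc_cidr: str, subnets: Dict[str, str],
                   peer_cidrs: List[str] = ()) -> List[str]:
    """Return the problems found; an empty list means the plan is clean."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is outside VPC {vpc}")
        if net.prefixlen > 28:
            problems.append(f"subnet {name} {net} is smaller than /28")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    # Peered VPCs and on-premises ranges must not overlap the VPC either.
    for peer in peer_cidrs:
        if vpc.overlaps(ipaddress.ip_network(peer, strict=True)):
            problems.append(f"VPC {vpc} overlaps peer range {peer}")
    return problems
```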

Page 15: Subnet Your Way to Success

3. Control the network properly
4. Define your subnet strategy
5. If your subnets are not associated with a specific route table, they are associated with the main route table
6. Align subnets to tiers, if possible
  – DMZ/Proxy, ELB, App, DB
7. Set subnet permissions to private by default for everything
  – ELB filtering/monitoring in public
  – Use NAT to gain access to public networks
  – VPC peering for access to other VPCs
  – Endpoints for access to services like S3

Page 16: Control Your Access

8. Do not set the default route to the Internet Gateway
9. Use redundant NAT instances (size them properly)
  – Some CloudFormation templates exist to make this easier
10. Use IAM for access control
  – IAM roles can now be attached to a running instance
  – Attach an IAM role to an existing EC2 instance
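An audit for lessons 5 and 8, added as an example and not part of the deck: it resolves the route table each subnet actually uses (an unassociated subnet falls back to the main table) and flags any private-tier subnet whose 0.0.0.0/0 route points at an Internet Gateway. The route tables, subnet ids, tier tags and gateway ids are constructed placeholders; the dictionary shape only loosely follows what the AWS describe-route-tables output looks like.

```python
# Added example, not from the SoftNAS deck: resolve the route table each
# subnet really uses (lesson 5: no explicit association means the main
# table) and flag private subnets whose default route points at an Internet
# Gateway (lesson 8). Route tables, subnet ids and tags below are constructed.
from typing import List

ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Main": True, "Associations": [],
     "Routes": [{"Destination": "10.0.0.0/16", "Target": "local"},
                {"Destination": "0.0.0.0/0", "Target": "igw-example"}]},
    {"RouteTableId": "rtb-private", "Main": False, "Associations": ["subnet-db"],
     "Routes": [{"Destination": "10.0.0.0/16", "Target": "local"},
                {"Destination": "0.0.0.0/0", "Target": "nat-example"}]},
]
SUBNETS = {"subnet-elb": {"Tier": "public"},
           "subnet-app": {"Tier": "private"},  # no explicit association
           "subnet-db": {"Tier": "private"}}


def effective_route_table(subnet_id: str, tables=ROUTE_TABLES) -> dict:
    """An explicit association wins; otherwise the VPC's main table applies."""
    for t in tables:
        if subnet_id in t["Associations"]:
            return t
    return next(t for t in tables if t["Main"])


def default_route_target(table: dict) -> str:
    """Target of the 0.0.0.0/0 route, or '' when there is no default route."""
    return next((r["Target"] for r in table["Routes"]
                 if r["Destination"] == "0.0.0.0/0"), "")


def audit(subnets=SUBNETS, tables=ROUTE_TABLES) -> List[str]:
    """Findings for lessons 5 and 8; an empty list means nothing to fix."""
    findings = []
    main = next(t for t in tables if t["Main"])
    if default_route_target(main).startswith("igw-"):
        findings.append("main route table sends 0.0.0.0/0 to an IGW: every "
                        "subnet without an explicit association is public")
    for sid, attrs in subnets.items():
        table = effective_route_table(sid, tables)
        target = default_route_target(table)
        if attrs["Tier"] == "private" and target.startswith("igw-"):
            findings.append(f"{sid} is tagged private but routes 0.0.0.0/0 to "
                            f"{target} through {table['RouteTableId']}")
    return findings
```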

Page 17: How SoftNAS Uses VPCs

Page 18: High-Availability Architecture

• SNAP™ HA
  – Provides seamless high-availability failover across zones
  – Leverages secure block replication with SoftNAS SnapReplicate
• Recommended: SNAP HA in high-availability mode = 99.999% uptime

Page 19: Cross-Zone HA: AWS Elastic IP

Page 20: Cross-Zone HA: Private Virtual IP Addresses

Page 21: Common Mistakes

• Need to deploy 2 ENIs on each SoftNAS instance
• Both NICs need to be in the same subnet
• Security groups not open to allow the ICMP health check
• No access to S3, either via NAT or an endpoint
• For private HA, the VIP must not be in the CIDR of the VPC

Page 22: SoftNAS Cloud Overview

Page 23: Flexible, Adaptable Architecture

Linux Virtual Appliance

ARCHITECTURE
• API and CLI
• Cross data center
• Cross-zone VPC
• Easy administration
• File gateway
• HTML5 Admin UI
• Software filer
• ZFS on Linux

INTEGRATION
• AWS
• Azure
• CenturyLink cloud
• CIFS w/ Active Directory
• FC SAN
• iSCSI LUN
• iSCSI SAN
• NFS
• S3 Objects
• SSD
• VMware vSphere

DATA SERVICES
• Block replication
• Cloud disks
• Compression
• Inline deduplication
• Instant snapshots
• Multi-level caching
• Storage pools
• Thin provisioning
• Writable SnapClones™
• Encryption

Page 24: Technology Partners

Page 25: Earn $100 AWS Credit!

First 100 attendees to register: ter.li/gky7u1

Page 26: Try SoftNAS Cloud® Free for 30 Days on AWS

• Learn More: softnas.com/aws
• Free Trial (30 Days): softnas.com/tryaws
• Contact Us: softnas.com/contact
• Support: softnas.com/helpdesk