Transcript of 1555 - Another day, another billion packets (london-summit-slides-2017.s3.amazonaws.com/1555...)
Page 1
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Seymour – Principal Solutions Architect, Networking Specialist, EMEA – Amazon Web Services
June 2017
Another Day, Another Billion Packets
@sseymour
Page 2
Edge to Instance (diagram: CloudFront, Direct Connect, Your Data Center and Your Users outside AWS; a VPC 172.31.0.0/16 with subnet 172.31.0.0/24 in Availability Zone "a" and subnet 172.31.1.0/24 in Availability Zone "b", an EC2 Instance in each)
Page 3
Edge to Instance – Direct Connect (same diagram as page 2)
Page 4
AWS Direct Connect
• Dedicated, private connection into AWS
• 1 Gbps or 10 Gbps connections
• Create private (VPC) or public virtual interfaces to AWS
• Consistent network performance
• Option for redundant connections
• Uses BGP to exchange routing information over a VLAN
Page 5
AWS Direct Connect (map: AWS Regions and Direct Connect Locations)
16 Regions - 60 Direct Connect Locations
Page 6
Edge to Instance - CloudFront (same diagram as page 2)
Page 7
The Amazon CloudFront Service
• Global Content Delivery Network with Massive Capacity and Scale
• Optimized for Performance and Scale
• Built in Security Features
• Self-Service Full Control Configurations
• Robust Real Time Reporting
• Static and Dynamic Object and Video Delivery
Amazon CloudFront
Page 8
CloudFront Global Content Delivery Network: 88 Edge Locations - 77 PoPs, 11 Regional Edge Caches (20 in last 12 months)
(map legend: Edge location; AWS Region / Regional Edge Cache; Regional Edge Cache)
North America – Cities: 19, PoPs: 27
Ashburn, VA (3); Atlanta, GA (3); Chicago, IL; Dallas/Fort Worth, TX (3); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; Minneapolis, MN; Montreal, QC; Newark, NJ; New York, NY (3); Palo Alto, CA; Philadelphia, PA; San Jose, CA; Seattle, WA (2); South Bend, IN; St. Louis, MO; Toronto, ON
Europe / Middle East / Africa – Cities: 15, PoPs: 24
Amsterdam, The Netherlands (2); Berlin, Germany; Dublin, Ireland; Frankfurt, Germany (5); London, England (4); Madrid, Spain; Marseille, France; Milan, Italy; Munich, Germany; Paris, France (2); Prague, Czech Republic; Stockholm, Sweden; Vienna, Austria; Warsaw, Poland; Zurich, Switzerland
Asia Pacific – Cities: 12, PoPs: 20
Chennai, India; Hong Kong, China (3); Manila, the Philippines; Melbourne, Australia; Mumbai, India (2); New Delhi, India; Osaka, Japan; Seoul, Korea (3); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (4)
South America – Cities: 2, PoPs: 3
Rio de Janeiro, Brazil (2); São Paulo, Brazil
CloudFront Regional Edge Caches: 11
Oregon, N. Virginia, Ohio, Frankfurt, London, Sao Paulo, Mumbai, Singapore, Seoul, Tokyo, Sydney
Page 9
Edge to Instance – Global Network (same diagram as page 2)
Pages 10-12 (image-only slides, no text)
Page 13
Edge to Instance - Region (same diagram as page 2)
Pages 14-15 (image-only slides, no text)
Page 16
Edge to Instance – Availability Zones (same diagram as page 2)
Pages 17-23 (image-only slides, no text)
Page 24
Edge to Instance – EC2 Instances (same diagram as page 2)
Pages 25-27 (image-only slides, no text)
Page 28
Edge to Instance – VPC (same diagram as page 2)
Page 29
VPC Requirements
• Customer selected IP addresses
• Route aggregation for external connectivity
• Conformance with existing network designs
Page 30
Amazon Virtual Private Cloud (diagram: a customer network 192.168.0.0/16 beside a VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (hosts 172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (hosts 172.31.2.12, 172.31.2.51))
Routing Table
• 192.168.0.0/16: stay here
• 172.31.0.0/18: AWS
Page 31
This Is Just Virtual Networking!
Subnet ~= VLAN
VPC ~= VRF (virtual routing and forwarding)
But…
Page 32
Scaling Challenges
VLAN ID space is constrained
• 12 bits => 4096 total VLANs
VRF support is constrained
• Large routers => 1-2 thousand VRFs
Fixed ratio of VLANs:VRFs
Page 33
Implementation Requirements
Scale to millions of environments the size of Amazon.com
Any server, anywhere in a region can host an instance attached to any subnet in any VPC
Page 34
Concepts
Server: Physical host in an Amazon data center
Instance: Amazon EC2 instance owned by a customer
VPC: Amazon Virtual Private Cloud owned by a customer
VPC ID: Identifier for a VPC such as vpc-1a2b3c4d
Mapping Service: Distributed lookup service. Maps VPC + Instance IP to server
(diagram: servers 192.168.0.3, 192.168.0.4, … and 192.168.1.3, 192.168.1.4, …, each hosting instances with private addresses 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5; the same address appears on more than one server because it belongs to different VPCs; a Mapping Service alongside)
Page 35
Layer 2 (L2): Ethernet (diagram: hosts 10.0.0.2 and 10.0.0.3 on one Ethernet Switch)
1. L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP Who has 10.0.0.3?
   The switch floods the ARP request out all ports
2. L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2), ARP 10.0.0.3 is at MAC(10.0.0.3)
   The switch snoops the ARP response and learns the port for MAC(10.0.0.3).
3. L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
Page 36
Layer 2 (L2): VPC (diagram: servers 192.168.0.3, 192.168.0.4, …, 192.168.1.3, 192.168.1.4 and the Mapping Service; instance 10.0.0.2 is on 192.168.0.3 and instance 10.0.0.3 on 192.168.1.4)
1. Instance 10.0.0.2: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP Who has 10.0.0.3?
2. Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.0.3
3. Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: 192.168.1.4, MAC: MAC(10.0.0.3)
4. Back to the instance: L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2), ARP 10.0.0.3 is at MAC(10.0.0.3)
Page 37
Layer 2 (L2): VPC (same diagram as page 36)
1. Instance 10.0.0.2 sends: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
2. Server 192.168.0.3 encapsulates it: Src: 192.168.0.3, Dst: 192.168.1.4, VPC: Blue, carrying the frame above
3. Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.2 is at 192.168.0.3
4. Src: Mapping Service, Dst: 192.168.1.4, Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
Page 38
VPC Isolation (same diagram as page 36; instance 10.0.0.4 is on server 192.168.0.4)
1. Instance 10.0.0.4: L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff, ARP Who has 10.0.0.3?
2. Src: 192.168.0.4, Dst: Mapping Service, Query: Grey 10.0.0.3
Page 39
VPC Isolation (same diagram as page 36)
1. Instance 10.0.0.4: L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff, ARP Who has 10.0.0.3?
2. Src: 192.168.0.4, Dst: Mapping Service, Query: Blue 10.0.0.3
3. 192.168.0.4 is not hosting any instances in VPC Blue.
   Mapping Denied. Alarm Raised.
Page 40
VPC Isolation (same diagram as page 36)
1. Src: 192.168.0.4, Dst: 192.168.1.4, VPC: Blue, carrying: L2 Src: MAC(10.0.0.4), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.4, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
2. Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.4 is at 192.168.0.4
3. Src: Mapping Service, Dst: 192.168.1.4, Mapping invalid!
4. 192.168.1.4 does not deliver the packet to the instance.
   Alarm Raised.
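The mapping-service exchanges on pages 34 to 40 (query, validate, deny and alarm) as an added Python model; this is not AWS's code. Placements are constructed from the slides, while the gateway entry, the Grey placement of 10.0.0.3 and the alarm wording are assumptions.

```python
"""Toy model of the mapping service and the isolation checks on pages 34-40.

Added example, not AWS's implementation. Servers are physical hosts
(192.168.x.y); instances are (VPC, private IP) pairs. Placements follow the
slides: Blue 10.0.0.2 on 192.168.0.3, Blue 10.0.0.3 on 192.168.1.4, Grey
10.0.0.4 on 192.168.0.4. MAC(ip) stands in for a real MAC, as on the slides.
"""
from dataclasses import dataclass, field
from typing import Optional

GATEWAY = "Gateway"  # page 42: the subnet router is not hosted on any server


@dataclass
class Encapsulated:
    outer_src: str   # sending server
    outer_dst: str   # receiving server
    vpc: str
    inner_src: str   # instance private IPs
    inner_dst: str


@dataclass
class MappingService:
    placements: dict  # (vpc, instance_ip) -> hosting server, or GATEWAY
    alarms: list = field(default_factory=list)

    def _server_hosts_vpc(self, server: str, vpc: str) -> bool:
        return any(v == vpc and s == server for (v, _), s in self.placements.items())

    def query(self, requester: str, vpc: str, ip: str) -> Optional[dict]:
        """Pages 36 and 39: a server asks where `vpc ip` lives. A server that
        hosts no instance in that VPC is refused and an alarm is raised."""
        if not self._server_hosts_vpc(requester, vpc):
            self.alarms.append(f"Mapping denied: {requester} queried {vpc} {ip}")
            return None
        server = self.placements.get((vpc, ip))
        return None if server is None else {"host": server, "mac": f"MAC({ip})"}

    def validate(self, receiver: str, vpc: str, src_ip: str, claimed: str) -> bool:
        """Pages 37 and 40: the receiver checks that the outer source server
        really hosts the inner source instance in that VPC."""
        ok = self.placements.get((vpc, src_ip)) == claimed
        if not ok:
            self.alarms.append(f"Mapping invalid: {claimed} sent {vpc} {src_ip} to {receiver}")
        return ok


def send(ms: MappingService, server: str, vpc: str, src_ip: str, dst_ip: str):
    """Sending server: resolve the destination instance, then wrap the packet
    in server addresses plus the VPC tag (page 37)."""
    reply = ms.query(server, vpc, dst_ip)
    if reply is None or reply["host"] == GATEWAY:
        return None  # unknown instance, or the router itself (page 42)
    return Encapsulated(server, reply["host"], vpc, src_ip, dst_ip)


def receive(ms: MappingService, server: str, pkt: Encapsulated) -> bool:
    """Receiving server: hand the inner packet to the instance only if the
    mapping validates and this server hosts the inner destination."""
    if pkt.outer_dst != server:
        return False
    if not ms.validate(server, pkt.vpc, pkt.inner_src, pkt.outer_src):
        return False
    return ms.placements.get((pkt.vpc, pkt.inner_dst)) == server


def demo() -> MappingService:
    ms = MappingService({
        ("Blue", "10.0.0.2"): "192.168.0.3",
        ("Blue", "10.0.0.3"): "192.168.1.4",
        ("Blue", "10.0.0.1"): GATEWAY,        # assumed gateway entry
        ("Grey", "10.0.0.4"): "192.168.0.4",
        ("Grey", "10.0.0.3"): "192.168.1.3",  # assumed placement
    })
    # Pages 36-37: Blue 10.0.0.2 -> 10.0.0.3 resolves, validates and is delivered
    pkt = send(ms, "192.168.0.3", "Blue", "10.0.0.2", "10.0.0.3")
    assert pkt is not None and receive(ms, "192.168.1.4", pkt)
    # Page 39: 192.168.0.4 hosts nothing in Blue, so its Blue query is denied
    assert ms.query("192.168.0.4", "Blue", "10.0.0.3") is None
    # Page 40: a Blue envelope from 192.168.0.4 fails validation at 192.168.1.4
    bad = Encapsulated("192.168.0.4", "192.168.1.4", "Blue", "10.0.0.4", "10.0.0.3")
    assert not receive(ms, "192.168.1.4", bad)
    return ms
```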
Page 41
Layer 3 (L3): IP Routing (diagram: host 10.0.0.2 on one Ethernet Switch and host 10.0.1.3 on another, joined by a Router)
1. L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP Who has 10.0.0.1?
2. L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2), ARP 10.0.0.1 is at MAC(10.0.0.1)
3. L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
4. After the router: L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
Page 42
Layer 3 (L3): VPC (diagram: as on page 36, but instance 10.0.1.3 is on server 192.168.1.4)
1. Instance 10.0.0.2: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP Who has 10.0.0.1?
2. Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.0.1
3. Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: Gateway, MAC: MAC(10.0.0.1)
4. Back to the instance: L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2), ARP 10.0.0.1 is at MAC(10.0.0.1)
Page 43
Layer 3 (L3): VPC (same diagram as page 42)
1. Instance 10.0.0.2 sends: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
2. Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.1.3
3. Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: 192.168.1.4, MAC: MAC(10.0.1.3)
4. Src: 192.168.0.3, Dst: 192.168.1.4, VPC: Blue, carrying the frame as it leaves the router: L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
5. Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.2 is at 192.168.0.3
6. Src: Mapping Service, Dst: 192.168.1.4, Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
Page 44
Caching (diagram: the same servers and Mapping Service as page 36; only the delivered frame is shown, with no mapping query: L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…)
Page 45
Getting Home – Or Anywhere, Really (diagram: VPC Blue 10.0.0.0/18 with subnets 10.0.0.0/24 (hosts 10.0.0.7, 10.0.0.8, 10.0.0.9) and 10.0.1.0/24 (hosts 10.0.1.12, 10.0.1.51); a remote network 172.16.0.0/16)
Src: 192.168.0.3, Dst: ???, VPC: Blue, carrying: L3 Src: 10.0.0.7, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Page 46
Edges (diagram: servers 192.168.0.3, 192.168.0.4, … hosting instances 10.0.1.3, 10.0.0.4, 10.0.0.2; Edge 192.168.4.3 and Edge 192.168.4.4; the Mapping Service)
Mapping Service entries for VPC Blue:
Host 10.0.0.4 → 192.168.0.4
Host 10.0.1.4 → 192.168.0.4
…
172.16.0.0/16 → Edge 192.168.4.3
…
1. Src: 192.168.0.3, Dst: 192.168.4.3, VPC: Blue, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. Leaving the edge: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Page 47
Edges: VPN (Edge 192.168.4.3, VPC: Blue)
1. Src: 192.168.0.3, Dst: 192.168.4.3, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. Over the VPN: IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Page 48
Edges: Direct Connect (Edge 192.168.4.3, VPC: Blue)
1. Src: 192.168.0.3, Dst: 192.168.4.3, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. Over AWS Direct Connect: 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Page 49
Edges: Internet (IGW) (Edge 192.168.4.3, VPC: Blue; public address 54.148.157.46)
1. Src: 192.168.0.3, Dst: 192.168.4.3, carrying: L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
2. To the Internet: L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
Page 50
Edges: Recap
VPN (Edge 192.168.4.3, VPC: Blue)
1. Src: 192.168.0.3, Dst: 192.168.4.3, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Direct Connect (Edge 192.168.4.3, VPC: Blue)
1. Src: 192.168.0.3, Dst: 192.168.4.3, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54, carrying: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Internet (Edge 192.168.4.3, VPC: Blue)
1. Src: 192.168.0.3, Dst: 192.168.4.3, carrying: L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
2. L3 Src: 54.148.157.46, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
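The edge lookups and the three egress transports on pages 45 to 50 as an added Python model; this is not AWS's code. The table entries and addresses come from page 46 and the recap, while the default route to the IGW, the drop entry for the VPC's own CIDR, the VLAN id and the use of 54.148.157.46 as the IGW's public source address are assumptions.

```python
"""Off-VPC destinations and the edge types on pages 45-50.

Added example, not AWS code. A VPC's lookup table mixes per-instance entries
(page 46: Host 10.0.0.4 -> 192.168.0.4) with prefixes that point at an edge
(172.16.0.0/16 -> Edge 192.168.4.3). Lookups are longest-prefix matches, so a
/32 instance entry beats the /16, which beats a default route. Addresses come
from the slides; the default route to an IGW edge, the drop entry for the VPC
CIDR, the VLAN id and 54.148.157.46 as the IGW's public source are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    server: str           # the edge host inside the substrate network
    kind: str             # "vpn", "direct_connect" or "igw"
    public_src: str = ""  # igw only: VPC-private source is rewritten to this
    vlan_id: int = 0      # direct_connect only: 802.1Q tag toward the customer


class VpcTable:
    """Per-VPC forwarding table: prefix -> hosting server, Edge, or None (drop)."""

    def __init__(self, vpc: str):
        self.vpc = vpc
        self.routes = []  # list of (ip_network, target)

    def add(self, prefix: str, target):
        self.routes.append((ipaddress.ip_network(prefix), target))
        return self

    def lookup(self, dst: str):
        ip = ipaddress.ip_address(dst)
        matches = [(net, tgt) for net, tgt in self.routes if ip in net]
        if not matches:
            return None  # page 45: "Dst: ???" means there is nowhere to send it
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(table: VpcTable, sending_server: str, src_ip: str, dst_ip: str):
    """Sending server: wrap the instance's packet toward the target server or edge."""
    target = table.lookup(dst_ip)
    if target is None:
        return None
    is_edge = isinstance(target, Edge)
    return {"outer": (sending_server, target.server if is_edge else target),
            "vpc": table.vpc, "l3": (src_ip, dst_ip), "edge": target if is_edge else None}


def egress(pkt: dict) -> dict:
    """Edge host: strip the substrate envelope and apply the per-edge transport."""
    edge = pkt["edge"]
    src, dst = pkt["l3"]
    if edge.kind == "vpn":             # page 47: IPsec between the tunnel endpoints
        return {"ipsec": ("54.68.100.245", "205.251.242.54"), "l3": (src, dst)}
    if edge.kind == "direct_connect":  # page 48: 802.1Q-tagged frame onto the VLAN
        return {"vlan": edge.vlan_id, "l3": (src, dst)}
    if edge.kind == "igw":             # page 50: private source becomes the public IP
        return {"l3": (edge.public_src, dst)}
    raise ValueError(f"unknown edge kind {edge.kind}")


def build_blue() -> VpcTable:
    """VPC Blue's table as drawn on page 46, plus the assumed entries noted above."""
    vpn = Edge("192.168.4.3", "vpn")
    igw = Edge("192.168.4.3", "igw", public_src="54.148.157.46")
    return (VpcTable("Blue")
            .add("10.0.0.4/32", "192.168.0.4")
            .add("10.0.1.4/32", "192.168.0.4")
            .add("10.0.0.3/32", "192.168.1.4")   # placement from page 36
            .add("10.0.0.0/18", None)            # VPC CIDR: unplaced addresses drop
            .add("172.16.0.0/16", vpn)
            .add("0.0.0.0/0", igw))              # assumed default route
```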
Page 51
VPC As A Platform (diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (hosts 172.31.1.7, 172.31.1.8) and 172.31.2.0/24 (hosts 172.31.2.12, 172.31.2.51))
Page 52
Edge to Instance (same diagram as page 2)
Page 53
Edge to Instance (same diagram as page 2)
Page 54
Thank you!
@sseymour