Amazon Virtual Private Cloud Deep Dive - s3-eu-west-1 ...dive/1300_VPC_Randa… · Amazon Virtual...
-
2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Amazon Virtual Private Cloud Deep Dive
Randall Hunt, Developer Evangelist, AWS
-
Related presentations (videos online at https://www.youtube.com/user/AmazonWebServices)
ARC205 VPC Fundamentals and Connectivity
ARC401 Black Belt Networking for Cloud Ninja: application-centric network monitoring, management, floating IPs
ARC403 From One to Many: Evolving VPC Design
SDD302 A Tale of One Thousand Instances: example of an EC2-Classic customer adopting VPC
SDD419 Amazon EC2 Networking Deep Dive: network performance, placement groups, enhanced networking
SDD422 Amazon VPC Deep Dive (this talk)
Video links:
https://www.youtube.com/watch?v=Ws0hIKf81MQ
https://www.youtube.com/watch?v=-klyaq9R0XU
https://www.youtube.com/watch?v=jjk_zZRLXXw
https://www.youtube.com/watch?v=z3x-dNoSoUQ
https://www.youtube.com/watch?v=JUw8y_pqD_Y
https://www.youtube.com/watch?v=HexrVfuIY1k
-
Topics today
-
Virtual networking options
EC2-Classic: simple to get started. All instances have Internet connectivity and auto-assigned private and public IP addresses; inbound security groups.
Default VPC: the best of both. Get started using the EC2-Classic experience; if and when needed, begin using any VPC feature you require.
VPC: advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come...
-
All accounts created after 12/4/2013 support VPC only and have a default VPC in each region.
-
Confirming your default VPC
describe-account-attributes
VPC only
-
1. Routing & private connections
-
Implementing a hybrid architecture
Corporate Data Center
-
Create VPC
Corporate Data Center
aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b
-
Create VPN connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1
-
Launch instances
Corporate Data Center
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3
-
Using AWS Direct Connect
Corporate Data Center
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
# Shorthand syntax: no spaces after the commas, or the shell splits the argument
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
-
Configuring route table
Corporate Data Center
192.168.0.0/16
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single routing table at creation time, used by all subnets.
-
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.
-
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.
-
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Redundant AWS Direct Connect connections with VPN backup.
-
VPC with private and public connectivity
Corporate Data Center
192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7
-
Automatic route propagation from VGW
Corporate Data Center
192.168.0.0/16
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with routes present in the VGW.
-
Isolating connectivity by subnet
Corporate
192.168.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
aws ec2 create-route-table --vpc-id vpc-c15180a4
aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
# The IGW route goes into the new subnet's own table, not the main table
aws ec2 create-route --route-table-id rtb-fc61b299 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only to other instances and the Internet via the IGW.
-
Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --network-interface-id eni-f832afcc --no-source-dest-check
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --network-interface-id eni-9c1b693a --no-source-dest-check
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --instance-id i-9c1b693a
-
Software VPN for VPC-to-VPC connectivity
Software VPN between these instances.
-
Software VPN for VPC-to-VPC connectivity
Enabling communication between instances in these subnets; adding routes to the default routing table.
-
Software firewall to the Internet
Routing all traffic from subnets to the Internet via a firewall is conceptually similar.
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
-
2. VPC peering
-
Shared services VPC using VPC peering
Common/core services
Authentication/directory
Monitoring
Logging
Remote administration
Scanning
-
Provides infrastructure zoning
Dev: VPC B
Test: VPC C
Production: VPC D
-
VPC peering for VPC-to-VPC connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
# VPC A
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
# VPC B
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
-
VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333
-
VPC peering: additional considerations
Security groups are not supported across peerings. Workaround: specify rules by IP prefix.
No transit capability for VPN, AWS Direct Connect, or third VPCs. Example: VPC C cannot be reached from VPC A via VPC B. Workaround: create a direct peering from VPC A to VPC C.
Peer VPC address ranges cannot overlap. But you can peer with 2+ VPCs that themselves overlap; use subnets/routing tables to pick the VPC to use.
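The route-table behaviour from the routing slides above (longest-prefix match, and a subnet-specific table that carries no VGW route) and the peering rules just listed (no overlapping ranges, no transit through a middle VPC) modelled together, as an added example that is not from the deck; the VPC, route table and peering ids are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (ids are hypothetical, not the deck's): VPC A peers
# with B and with C, and B peers with C. A's main table follows the deck's
# pattern: local route, on-prem prefix via the VGW, peers via pcx, rest via IGW.
VPC_CIDR = {"A": "10.10.0.0/16", "B": "10.20.0.0/16", "C": "10.30.0.0/16"}
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-ac": ("A", "C"), "pcx-bc": ("B", "C")}
ROUTE_TABLES = {
    "A-main": [("10.10.0.0/16", "local"), ("192.168.0.0/16", "vgw-aa11"),
               ("10.20.0.0/16", "pcx-ab"), ("10.30.0.0/16", "pcx-ab"),  # C "via" B
               ("0.0.0.0/0", "igw-aa11")],
    # Isolated subnet table: no route to the VGW, direct peering to C instead.
    "A-subnet3": [("10.10.0.0/16", "local"), ("10.30.0.0/16", "pcx-ac"),
                  ("0.0.0.0/0", "igw-aa11")],
}


def lookup(table, dst):
    """Longest-prefix match, which is how a VPC route table picks a target."""
    dst = ip_address(dst)
    best = None
    for prefix, target in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def deliver(vpc, table_name, dst):
    """Follow one hop from `vpc`. A peering connection only hands traffic to
    the peer VPC's own CIDR, so there is no transit: A cannot reach C via B."""
    target = lookup(ROUTE_TABLES[table_name], dst)
    if target is None or not target.startswith("pcx-"):
        return target                  # local, vgw, igw or an instance target
    a, b = PEERINGS[target]
    peer = b if a == vpc else a
    if ip_address(dst) in ip_network(VPC_CIDR[peer]):
        return f"{peer} via {target}"
    return f"dropped by {target}: {dst} is outside {peer} ({VPC_CIDR[peer]})"


def can_peer(cidr_a, cidr_b):
    """Peer address ranges must not overlap."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


if __name__ == "__main__":
    for dst in ("10.10.1.5", "192.168.4.7", "10.20.0.9", "10.30.0.9", "8.8.8.8"):
        print(dst, "main:", deliver("A", "A-main", dst), "| subnet3:", deliver("A", "A-subnet3", dst))
    print("10.10.0.0/16 can peer 10.10.128.0/17:", can_peer("10.10.0.0/16", "10.10.128.0/17"))
```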
-
VPC peering with software firewall
VPC A - 10.10.0.0/16 VPC B - 10.20.0.0/16
# Default routing table directs peer traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the peering
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
-
3. Enhanced networking
-
Latency: packets per second (figure: Instance 1 to Instance 2)
-
Packet processing in Amazon EC2: VIF (figure: instance virtual NICs eth0 and eth1, virtualization layer, physical NIC)
-
Packet processing in Amazon EC2: SR-IOV (figure: instance VF driver with eth0 and eth1 attached to VFs on the physical NIC; virtualization layer)
-
Inter-instance latency
-
SR-IOV: Is this thing on?
It may already be!
For many newer AMIs, enhanced
networking is already on:
Newest Amazon Linux AMIs
Windows Server 2012 R2 AMI
No need to configure
-
SR-IOV: Is this thing on? (Linux)
No:
[ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
driver: vif
version:
firmware-version:
bus-info: vif-0
Yes!
[ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
-
SR-IOV: Is this thing on? (Windows)
No / Yes! (screenshots)
-
AMI/instance support for SR-IOV
C3, C4, I2, D2, R3 instance families: 23 types
HVM virtualization type
Required kernel version: Linux 2.6.32+; Windows Server 2008 R2+
Appropriate VF driver: Linux ixgbevf 2.14.2+ module; Windows Intel 82599 Virtual Function driver
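A parser for the `ethtool -i` output shown on the Linux slide, combined with the ixgbevf 2.14.2+ module requirement listed above: added example, not from the deck, with the deck's two ethtool outputs embedded as constructed sample input.

```python
import re

# The deck's own ethtool output, reproduced here as constructed sample input.
ETHTOOL_BEFORE = """driver: vif
version:
firmware-version:
bus-info: vif-0
"""
ETHTOOL_AFTER = """driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
"""
MIN_IXGBEVF = (2, 14, 2)   # minimum ixgbevf module version listed in the deck


def parse_ethtool(output):
    """Turn `ethtool -i <iface>` output into a dict of field -> value."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")   # bus-info itself contains colons
        if sep:
            info[key.strip()] = value.strip()
    return info


def version_tuple(text):
    """'2.14.2+amzn' -> (2, 14, 2); None when no x.y.z prefix is present."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def enhanced_networking_status(output):
    """Return (enabled, reason). 'vif' means the virtualization layer is still
    in the data path; 'ixgbevf' means an SR-IOV virtual function is attached."""
    info = parse_ethtool(output)
    driver = info.get("driver", "")
    if driver != "ixgbevf":
        return False, f"driver is {driver or 'unknown'}, not ixgbevf"
    ver = version_tuple(info.get("version", ""))
    if ver is None or ver < MIN_IXGBEVF:
        return False, f"ixgbevf {info.get('version')} is older than 2.14.2"
    return True, f"ixgbevf {info.get('version')} on {info.get('bus-info')}"


if __name__ == "__main__":
    for sample in (ETHTOOL_BEFORE, ETHTOOL_AFTER):
        print(enhanced_networking_status(sample))
```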
-
Walkthrough: Enabling enhanced networking
(Amazon Linux)
amzn-ami-hvm-2012.03.1.x86_64-ebs
hvm
-
Walkthrough: Enabling enhanced networking
(Amazon Linux)
--attribute sriovNetSupport
InstanceId i-37c5d1d9
Not yet!
-
Walkthrough: Enabling enhanced networking
(Amazon Linux)
[ec2-user@ip-10-0-3-125 ~]$ sudo yum update
OS update
-
Walkthrough: Enabling enhanced networking
(Amazon Linux)
reboot-instances
Reboot
(OS update)
-
Walkthrough: Enabling enhanced networking
(Windows)
-
Walkthrough: Enabling enhanced networking
(Windows)
Add to Windows driver store
-
Walkthrough: Enabling enhanced networking
All EBS-backed instances
stop-instances
Stop the instance
-
Walkthrough: Enabling enhanced networking
All EBS-backed instances
stop-instances
--sriov-net-support simple
Enable SRIOV
Cannot be undone
-
Walkthrough: Enabling enhanced networking
All EBS-backed instances
start-instances
Start
-
Walkthrough: Enabling enhanced networking
All EBS-backed instances
start-instances
--attribute sriovNetSupport
InstanceId i-37c5d1d9
Value simple. We're on!
-
Elastic network interface (figure): Subnet A, us-east-1a, 10.0.1.0/24 with 10.0.1.100 and 10.0.1.101; Subnet A2, us-east-1a, 10.0.2.0/24 with 10.0.2.50 and 10.0.2.51; Subnet C, us-east-1c, 10.0.3.0/24 with 10.0.3.99; Instances 1 to 4
-
Placement group
-
Placement Groups
~1.5-3x better inter-instance ping (YMMV)
Cannot span AZs
Cannot be applied to running instances
Only available for certain instance types
Not great for things that scale horizontally (capacity limited)
-
4. VPC for EC2-Classic customers
-
Adopting VPC
Customers tell us they want to adopt VPC. They have significant EC2-Classic infrastructure. Where do I start?
-
Start simple
One subnet per AZ
Each instance has a public IP address and Internet connectivity
Use security groups to control access
-
Add features at your own pace
Multiple interfaces per instance
Multiple IPs per interface
Enhanced networking
Private connectivity
VPC peering
-
VPC ClassicLink
Incremental adoption of VPC
Private IP communication between EC2-Classic and VPC instances
Security groups between EC2-Classic and VPC instances
Designed for the largest deployments
-
ClassicLink (figure: RDS DB instance, Route53, ELB)
-
ClassicLink
Preparation: create VPC and configure for ClassicLink
Create VPC security groups and deploy VPC components
Add EC2-Classic instances to your VPC security groups
Deploy components in stages in VPC
Clean up unused EC2-Classic instances
Pros:
(Potentially) no disruptive maintenance
Direct private IP connectivity and security group integration
Designed for the largest deployments
Cons:
Additional complexity during migration
Still need to replace EC2-Classic instances with new VPC instances
-
ClassicLink component stages
Start with AWS-managed infrastructure: RDS, ElastiCache, Redshift
Next: ELB
Then: instances
(figure: EC2-Classic and ClassicLink VPC, each with RDS DB instance, ElastiCache cache node, Elastic Load Balancer)
-
ClassicLink: additional considerations
VPC address ranges for use with ClassicLink: 10.0.0.0/15, or any other range outside 10.0.0.0/8. Why? EC2-Classic instance private IP addresses are in 10.2.0.0 to 10.255.255.255.
The VPC also can't have extra route table entries to 10.0.0.0/8.
ClassicLink instances use EC2-Classic for all Internet traffic. No access from VPN/Direct Connect or a VPC peer to a ClassicLink instance.
ClassicLink must be enabled after instance launch (Run) or Start.
VPC instance DNS names do not resolve from EC2-Classic, and vice versa.
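The address-range and route-table constraints just listed as a pre-check to run before enabling ClassicLink on a VPC: added example, not AWS code. It reads "10.0.0.0/15" as "a VPC CIDR within 10.0.0.0/15" and treats the VPC's own local route as permitted (both assumptions); the sample VPCs and route tables are constructed.

```python
from ipaddress import ip_network

# Constraints stated in the deck: the VPC CIDR must sit inside 10.0.0.0/15 or
# entirely outside 10.0.0.0/8, and the VPC's route tables must not carry extra
# entries into 10.0.0.0/8, because EC2-Classic private addresses live in
# 10.2.0.0 - 10.255.255.255 and would be shadowed by such routes.
CLASSIC_RANGE = ip_network("10.0.0.0/8")
ALLOWED_10_SPACE = ip_network("10.0.0.0/15")   # assumption: "within", not "exactly"


def classiclink_problems(vpc_cidr, route_tables):
    """Return the reasons a VPC cannot be used with ClassicLink; an empty list
    means it qualifies. route_tables: {name: [(destination_cidr, target), ...]}"""
    vpc = ip_network(vpc_cidr)
    problems = []
    if vpc.overlaps(CLASSIC_RANGE) and not vpc.subnet_of(ALLOWED_10_SPACE):
        problems.append(f"VPC CIDR {vpc} is inside {CLASSIC_RANGE} but not within {ALLOWED_10_SPACE}")
    for name, routes in route_tables.items():
        for prefix, target in routes:
            dest = ip_network(prefix)
            if target == "local" and dest == vpc:
                continue                       # the VPC's own local route is permitted
            if dest.subnet_of(CLASSIC_RANGE):  # 0.0.0.0/0 is not "into" 10/8
                problems.append(f"{name}: route {dest} -> {target} points into {CLASSIC_RANGE}")
    return problems


# Constructed sample VPCs (hypothetical ids).
OK_TABLES = {"rtb-main": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "igw-x")]}
BAD_TABLES = {"rtb-main": [("10.5.0.0/16", "local"), ("10.20.0.0/16", "pcx-y"),
                           ("0.0.0.0/0", "igw-x")]}
OUTSIDE_TABLES = {"rtb-main": [("172.16.0.0/16", "local"), ("10.0.0.0/8", "vgw-z")]}

if __name__ == "__main__":
    print(classiclink_problems("10.1.0.0/16", OK_TABLES))
    print(classiclink_problems("10.5.0.0/16", BAD_TABLES))
    print(classiclink_problems("172.16.0.0/16", OUTSIDE_TABLES))
```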
-
ClassicLink APIs & CLI
-
Enabling ClassicLink
vpc-4325f426
To use ClassicLink the VPC must have this feature enabled. Can be restricted with IAM policy.
-
Attaching an EC2-Classic instance to a VPC
i-2b3ecd1c
vpc-4325f426 sg-da107fbf
Link this specific instance to the VPC using the specified VPC security groups.
-
Attaching an EC2-Classic instance to a VPC
i-2b3ecd1c
vpc-4325f426 sg-da107fbf
Link required after Run (new instance launch) or Start (stopped instance).
-
ClassicLink and other services
Elastic Load Balancing: EC2-Classic instances can be backends of VPC balancers
Spot: running spot instances can be linked
Auto Scaling: configure to link classic instances following launch