
  • Amazon Virtual Private Cloud Deep Dive

    Randall Hunt, Developer Evangelist, AWS

    © 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

  • Related presentations (videos online)

    https://www.youtube.com/user/AmazonWebServices

    ARC205 VPC Fundamentals and Connectivity
    ARC401 Black Belt Networking for Cloud Ninja (application-centric network monitoring, management, floating IPs)
    ARC403 From One to Many: Evolving VPC Design
    SDD302 A Tale of One Thousand Instances (example of an EC2-Classic customer adopting VPC)
    SDD419 Amazon EC2 Networking Deep Dive (network performance, placement groups, enhanced networking)
    SDD422 Amazon VPC Deep Dive (this talk)

    Video links:
    https://www.youtube.com/watch?v=Ws0hIKf81MQ
    https://www.youtube.com/watch?v=-klyaq9R0XU
    https://www.youtube.com/watch?v=jjk_zZRLXXw
    https://www.youtube.com/watch?v=z3x-dNoSoUQ
    https://www.youtube.com/watch?v=JUw8y_pqD_Y
    https://www.youtube.com/watch?v=HexrVfuIY1k

  • Topics today

  • Virtual networking options

    EC2-Classic: simple to get started. All instances have Internet connectivity and auto-assigned private and public IP addresses. Inbound security groups.

    Default VPC: the best of both. Get started using the EC2-Classic experience; if and when needed, begin using any VPC feature you require.

    VPC: advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come...

    All accounts created after 12/4/2013 support VPC only and have a default VPC in each region.

  • Confirming your default VPC

    aws ec2 describe-account-attributes --attribute-names supported-platforms

    A VPC-only account lists "VPC" as its only supported platform.

  • 1. Routing & private connections

  • Implementing a hybrid architecture

    [Diagram: corporate data center connected to a VPC]

  • Create VPC

    [Diagram: corporate data center and the new VPC]

    aws ec2 create-vpc --cidr-block 10.10.0.0/16
    aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
    aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b

  • Create VPN connection

    [Diagram: corporate data center connected to the VPC over VPN]

    aws ec2 create-vpn-gateway --type ipsec.1
    aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
    aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
    aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1

  • Launch instances

    [Diagram: instances launched in both subnets]

    aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
    aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3

  • Using AWS Direct Connect

    [Diagram: corporate data center connected to the VPC via Direct Connect]

    aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
    aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

  • Configuring route table

    [Diagram: corporate data center, 192.168.0.0/16]

    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7

    Each VPC has a single routing table at creation time, used by all subnets.

  • Remote connectivity best practices

    [Diagram: corporate data center connected to two Availability Zones]

    Each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.

    A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.

    Redundant AWS Direct Connect connections with VPN backup.

  • VPC with private and public connectivity

    [Diagram: corporate data center, 192.168.0.0/16]

    aws ec2 create-internet-gateway
    aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
    aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7

  • Automatic route propagation from VGW

    [Diagram: corporate data center, 192.168.0.0/16]

    aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
    aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7

    Used to automatically update routing table(s) with routes present in the VGW.

  • Isolating connectivity by subnet

    [Diagram: corporate network, 192.168.0.0/16]

    aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
    aws ec2 create-route-table --vpc-id vpc-c15180a4
    aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f

    Subnet with connectivity only to other instances and the Internet via the IGW.

  • Software VPN for VPC-to-VPC connectivity

    # VPC A
    aws ec2 modify-network-interface-attribute --network-interface-id eni-f832afcc --no-source-dest-check
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc
    # VPC B
    aws ec2 modify-network-interface-attribute --network-interface-id eni-9c1b693a --no-source-dest-check
    aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --instance-id i-9c1b693a

    Software VPN between these instances.

    Enabling communication between instances in these subnets; adding routes to the default routing table.

  • Software firewall to the Internet

    Routing all traffic from subnets to the Internet via a firewall is conceptually similar.

    # Default routing table directs traffic to the NAT/firewall instance
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc

    # Routing table for 10.10.3.0/24 directs to the Internet
    aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
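The routing section above builds up one main table (default route through the NAT/firewall instance, VGW-propagated routes to the data center) plus a separate table for the subnet that is meant to reach the Internet directly. The following is an added example, not code from the talk: it audits `aws ec2 describe-route-tables` output to show which next hop each subnet's default route uses, whether a table is receiving VGW-propagated routes, and which subnets have a path to the Internet that does not pass through the firewall instance. The sample JSON is constructed for this example using the IDs from the slides (rtb-ef36e58a, rtb-fc61b299, subnet-60975a17, i-f832afcc, vgw-f9da06e7, igw-5a1ae13f); the layout is an assumption, not the talk's deployment.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# The IDs are the ones used on the slides; the layout is this example's, not the talk's.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-ef36e58a", "VpcId": "vpc-c15180a4",
     "Associations": [{"Main": True},
                      {"Main": False, "SubnetId": "subnet-d83d91bd"},
                      {"Main": False, "SubnetId": "subnet-b734f6c0"}],
     "PropagatingVgws": [{"GatewayId": "vgw-f9da06e7"}],
     "Routes": [
         {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-f832afcc", "State": "active"},
         {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-f9da06e7",
          "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-fc61b299", "VpcId": "vpc-c15180a4",
     "Associations": [{"Main": False, "SubnetId": "subnet-60975a17"}],
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-5a1ae13f", "State": "active"}]},
]})

# Route attributes that can name a next hop in describe-route-tables output.
TARGET_KEYS = ("GatewayId", "InstanceId", "VpcPeeringConnectionId",
               "NatGatewayId", "NetworkInterfaceId")


def route_target(route):
    """Return the next-hop ID of a route ('local' for the VPC route, 'blackhole' if inactive)."""
    if route.get("State", "active") != "active":
        return "blackhole"
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "unknown"


def default_route_targets(tables_json):
    """Map each route table ID to the next hop of its 0.0.0.0/0 route (None if it has none)."""
    out = {}
    for table in json.loads(tables_json)["RouteTables"]:
        hop = None
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                hop = route_target(route)
        out[table["RouteTableId"]] = hop
    return out


def subnet_egress(tables_json):
    """Map each explicitly associated subnet (and 'main' for the implicit default) to
    (kind, hop): kind is 'igw', 'vgw', 'instance', 'pcx', 'nat', 'blackhole' or 'none'."""
    hops = default_route_targets(tables_json)
    kinds = {"i": "instance", "igw": "igw", "vgw": "vgw", "pcx": "pcx", "nat": "nat"}
    result = {}
    for table in json.loads(tables_json)["RouteTables"]:
        hop = hops[table["RouteTableId"]]
        if hop is None:
            kind = "none"
        else:
            kind = kinds.get(hop.split("-")[0], hop)  # 'blackhole'/'unknown' pass through
        for assoc in table["Associations"]:
            key = "main" if assoc.get("Main") else assoc["SubnetId"]
            result[key] = (kind, hop)
    return result


def has_vgw_propagation(tables_json, table_id, vgw_id):
    """True if the table receives routes propagated from the given VGW."""
    for table in json.loads(tables_json)["RouteTables"]:
        if table["RouteTableId"] == table_id:
            return any(v["GatewayId"] == vgw_id for v in table.get("PropagatingVgws", []))
    return False


def firewall_bypasses(tables_json, firewall_instance_id, allowed_direct=()):
    """Subnets whose Internet path does not go through the firewall instance: a default
    route straight to an IGW (unless the subnet is listed in allowed_direct, like the
    10.10.3.0/24 subnet on the slides) or a default route to some other instance."""
    bad = []
    for subnet, (kind, hop) in subnet_egress(tables_json).items():
        if kind == "igw" and subnet not in allowed_direct:
            bad.append(subnet)
        elif kind == "instance" and hop != firewall_instance_id:
            bad.append(subnet)
    return sorted(bad)


if __name__ == "__main__":
    for subnet, (kind, hop) in subnet_egress(SAMPLE_DESCRIBE_ROUTE_TABLES).items():
        print(f"{subnet:18s} default route via {kind} ({hop})")
    print("VGW propagation on main table:",
          has_vgw_propagation(SAMPLE_DESCRIBE_ROUTE_TABLES, "rtb-ef36e58a", "vgw-f9da06e7"))
    print("bypassing firewall:",
          firewall_bypasses(SAMPLE_DESCRIBE_ROUTE_TABLES, "i-f832afcc", ("subnet-60975a17",)))
```

Against a real account, feed the script the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` instead of the constructed sample; subnets with no explicit association inherit whatever the `main` entry reports, so a change to the main table's default route silently changes every unassociated subnet.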

  • 2. VPC peering

  • Shared services VPC using VPC peering

    Common/core services: authentication/directory, monitoring, logging, remote administration, scanning

  • Provides infrastructure zoning

    Dev: VPC B

    Test: VPC C

    Production: VPC D

  • VPC peering for VPC-to-VPC connectivity

    aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
    aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
    # VPC A
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
    # VPC B
    aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87

    VPC A: 10.10.0.0/16 (vpc-c15180a4)
    VPC B: 10.20.0.0/16 (vpc-062dfc63)

  • VPC peering across accounts

    aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333

    # In owner account 472752909333
    aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87

    VPC A: 10.10.0.0/16 (vpc-c15180a4)
    VPC B: 10.20.0.0/16 (vpc-062dfc63), account ID 472752909333

  • VPC peering: additional considerations

    Security groups are not supported across peerings. Workaround: specify rules by IP prefix.

    No transit capability for VPN, AWS Direct Connect, or third VPCs. Example: cannot access VPC C from VPC A via VPC B. Workaround: create a direct peering from VPC A to VPC C.

    Peer VPC address ranges cannot overlap. But you can peer with 2+ VPCs that themselves overlap; use subnets/routing tables to pick the VPC to use.
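The two address-range rules above (a peer may not overlap the requester, but two peers may overlap each other as long as each route table picks one of them) and the "rules by IP prefix" workaround are easy to get wrong by hand. The block below is an added example, not code from the talk: it sorts candidate peers into allowed and rejected, reports which allowed peers collide with each other so that a per-route-table choice is needed, maps route tables to the peering they should use, and builds the `--ip-permissions` JSON for `authorize-security-group-ingress` that admits a peer by prefix. The VPC labels, the 10.10.5.0/24 and second 10.20.0.0/16 ranges, and the pcx-0000000c ID are constructed for the example; only 10.10.0.0/16, 10.20.0.0/16, rtb-ef36e58a, rtb-fc61b299 and pcx-ee56be87 come from the slides.

```python
import ipaddress
import json


def overlaps(cidr_a, cidr_b):
    """True if the two IPv4 ranges share any address."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def plan_peerings(requester_cidr, peers):
    """Sort candidate peers of one VPC into those AWS will accept and those it will not.

    peers maps a label to the candidate VPC's CIDR.  Returns (allowed, rejected, clashes):
      allowed  - peers whose range does not overlap the requester
      rejected - peers overlapping the requester (the peering cannot be created)
      clashes  - pairs of allowed peers that overlap each other; both peerings are
                 permitted, but a route table can send a prefix to only one of them
    """
    allowed, rejected = {}, {}
    for label, cidr in peers.items():
        (rejected if overlaps(requester_cidr, cidr) else allowed)[label] = cidr
    labels = sorted(allowed)
    clashes = [(a, b) for i, a in enumerate(labels) for b in labels[i + 1:]
               if overlaps(allowed[a], allowed[b])]
    return allowed, rejected, clashes


def peer_routes(table_choices, allowed, peering_ids):
    """Resolve the 'pick the VPC per route table' workaround.

    table_choices maps a route table ID to the peer label its subnets should reach;
    peering_ids maps a peer label to its pcx- ID.  Returns {rtb: (destination_cidr, pcx)},
    i.e. the arguments for one create-route call per table.
    """
    return {rtb: (allowed[label], peering_ids[label])
            for rtb, label in table_choices.items()}


def ingress_rule_for_peer(peer_cidr, protocol, port):
    """--ip-permissions JSON for authorize-security-group-ingress that admits the peer
    VPC by prefix, since a peer's security group cannot be referenced across the peering."""
    permissions = [{
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(ipaddress.ip_network(peer_cidr))}],
    }]
    return json.dumps(permissions)


if __name__ == "__main__":
    # Constructed scenario: VPC A (the requester, 10.10.0.0/16) and three candidates,
    # two of which share 10.20.0.0/16 and one of which collides with VPC A itself.
    allowed, rejected, clashes = plan_peerings("10.10.0.0/16", {
        "VPC B": "10.20.0.0/16", "VPC C": "10.20.0.0/16", "VPC D": "10.10.5.0/24"})
    print("allowed:", allowed)
    print("rejected (overlaps requester):", rejected)
    print("overlapping peers, choose per route table:", clashes)
    # pcx-ee56be87 is the peering on the slides; pcx-0000000c is a placeholder.
    print(peer_routes({"rtb-ef36e58a": "VPC B", "rtb-fc61b299": "VPC C"}, allowed,
                      {"VPC B": "pcx-ee56be87", "VPC C": "pcx-0000000c"}))
    print(ingress_rule_for_peer("10.20.0.0/16", "tcp", 443))
```

The clash list is the important output: when two peers share a range, a single route table cannot hold a 10.20.0.0/16 route to both, so the subnets that need VPC B and the subnets that need VPC C must sit behind different tables, exactly as the slide describes. A rule built by `ingress_rule_for_peer` admits the whole peer range; tighten the CIDR to the peer subnet that actually needs access where you can, since prefix-based rules cannot follow instance membership the way a security group reference would.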

  • VPC peering with software firewall

    [Diagram: VPC A, 10.10.0.0/16, peered with VPC B, 10.20.0.0/16]

    # Default routing table directs peer traffic to the NAT/firewall instance
    aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc

    # Routing table for 10.10.3.0/24 directs to the peering
    aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87

  • 3. Enhanced networking

  • Latency: packets per second

    [Diagram: packet stream between Instance 1 and Instance 2]

  • Packet processing in Amazon EC2: VIF

    [Diagram: instance virtual NICs (eth0, eth1) -> virtualization layer -> physical NIC]

  • Packet processing in Amazon EC2: SR-IOV

    [Diagram: instance eth0/eth1 with VF driver -> VF on the physical NIC, with the virtualization layer alongside]

  • Inter-instance latency

  • SR-IOV: Is this thing on?

    It may already be! For many newer AMIs, enhanced networking is already on: newest Amazon Linux AMIs, Windows Server 2012 R2 AMI. No need to configure.

  • SR-IOV: Is this thing on? (Linux)

    No:

    [ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
    driver: vif
    version:
    firmware-version:
    bus-info: vif-0

    Yes!:

    [ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
    driver: ixgbevf
    version: 2.14.2+amzn
    firmware-version: N/A
    bus-info: 0000:00:03.0

  • SR-IOV: Is this thing on? (Windows)

    [Screenshots: the network adapter's driver before ("No") and after ("Yes!") enhanced networking]

  • AMI/instance support for SR-IOV

    C3, C4, I2, D2, R3 instance families: 23 types
    HVM virtualization type
    Required kernel version: Linux 2.6.32+; Windows Server 2008 R2+
    Appropriate VF driver: Linux ixgbevf 2.14.2+ module; Windows Intel 82599 Virtual Function driver
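The "Is this thing on?" check and the prerequisite list above can be scripted for a fleet. What follows is an added example, not code from the talk: it parses `ethtool -i` output (the two outputs shown on the slides are embedded as sample input) to decide whether the ixgbevf VF driver is loaded and at least the 2.14.2 version the slides require, and checks the Linux prerequisites (instance family, HVM, kernel 2.6.32+). The m3.large / paravirtual / 2.6.18 combination in the usage block is a constructed negative case; the family list and version thresholds come from the slides.

```python
import re

# The two `ethtool -i eth0` outputs shown on the slides, embedded as sample input.
ETHTOOL_PARAVIRTUAL = """driver: vif
version:
firmware-version:
bus-info: vif-0
"""

ETHTOOL_SRIOV = """driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
"""

MIN_IXGBEVF = (2, 14, 2)                        # minimum VF driver version from the slides
MIN_KERNEL = (2, 6, 32)                         # minimum Linux kernel from the slides
SRIOV_FAMILIES = {"c3", "c4", "i2", "d2", "r3"}  # instance families listed on the slides


def parse_ethtool(text):
    """Turn `ethtool -i` output into a dict of field -> value."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def version_tuple(version):
    """'2.14.2+amzn' -> (2, 14, 2); missing components count as 0, no digits -> (0, 0, 0)."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version or "")
    if not match:
        return (0, 0, 0)
    return tuple(int(part or 0) for part in match.groups())


def enhanced_networking_status(ethtool_output):
    """'on', 'on-old-driver', 'off' (paravirtual vif driver) or 'unknown'."""
    info = parse_ethtool(ethtool_output)
    driver = info.get("driver")
    if driver == "ixgbevf":
        return "on" if version_tuple(info.get("version")) >= MIN_IXGBEVF else "on-old-driver"
    if driver == "vif":
        return "off"
    return "unknown"


def sriov_prerequisites(instance_type, virtualization_type, kernel_version):
    """Check the Linux prerequisites from the slides: supported family, HVM, kernel 2.6.32+.
    Returns the list of unmet requirements (empty when SR-IOV can be enabled)."""
    problems = []
    family = instance_type.split(".")[0].lower()
    if family not in SRIOV_FAMILIES:
        problems.append(f"instance family {family} not supported")
    if virtualization_type.lower() != "hvm":
        problems.append("virtualization type must be hvm")
    if version_tuple(kernel_version) < MIN_KERNEL:
        problems.append("kernel older than 2.6.32")
    return problems


if __name__ == "__main__":
    print("paravirtual instance:", enhanced_networking_status(ETHTOOL_PARAVIRTUAL))
    print("SR-IOV instance:", enhanced_networking_status(ETHTOOL_SRIOV))
    print("c3.large/hvm/3.14.35:", sriov_prerequisites("c3.large", "hvm", "3.14.35") or "ok")
    print("m3.large/paravirtual/2.6.18:", sriov_prerequisites("m3.large", "paravirtual", "2.6.18"))
```

On a live instance, pipe `ethtool -i eth0` into `enhanced_networking_status`; the `on-old-driver` result is the case worth catching, because the attribute can be set on the instance while the module inside the AMI is still too old to use it.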

  • Walkthrough: Enabling enhanced networking (Amazon Linux)

    Start from an HVM AMI, e.g. amzn-ami-hvm-2012.03.1.x86_64-ebs (virtualization type: hvm).

    Check the attribute: describe-instance-attribute --attribute sriovNetSupport
    Output shows InstanceId i-37c5d1d9 with no value. Not yet!

    OS update:
    [ec2-user@ip-10-0-3-125 ~]$ sudo yum update

    Reboot (for the OS update): reboot-instances

  • Walkthrough: Enabling enhanced networking (Windows)

    Add the Intel 82599 Virtual Function driver to the Windows driver store.

  • Walkthrough: Enabling enhanced networking (all EBS-backed instances)

    Stop the instance: stop-instances
    Enable SR-IOV: modify-instance-attribute --sriov-net-support simple (cannot be undone)
    Start: start-instances
    Verify: describe-instance-attribute --attribute sriovNetSupport now shows InstanceId i-37c5d1d9, Value simple. We're on!

  • Elastic network interface

    [Diagram: Subnet A (us-east-1a, 10.0.1.0/24) with addresses 10.0.1.100 and 10.0.1.101; Subnet A2 (us-east-1a, 10.0.2.0/24) with 10.0.2.50 and 10.0.2.51; Subnet C (us-east-1c, 10.0.3.0/24) with 10.0.3.99; Instances 1 to 4 attached through elastic network interfaces. A second build of the slide groups the us-east-1a instances into a placement group.]

  • Placement groups

    ~1.5-3x better inter-instance ping (YMMV)
    Cannot span AZs
    Cannot be applied to running instances
    Only available for certain instance types
    Not great for things that scale horizontally (capacity limited)

  • 4. VPC for EC2-Classic customers

  • Adopting VPC

    Customers tell us they want to adopt VPC but have significant EC2-Classic infrastructure. Where do I start?

  • Start simple

    One subnet per AZ. Each instance has a public IP address and Internet connectivity. Use security groups to control access.

  • Add features at your own pace

    Multiple interfaces per instance
    Multiple IPs per interface
    Enhanced networking
    Private connectivity
    VPC peering

  • VPC ClassicLink

    Incremental adoption of VPC
    Private IP communication between EC2-Classic and VPC instances
    Security groups between EC2-Classic and VPC instances
    Designed for the largest deployments

  • ClassicLink

    [Diagram sequence, built up over several slides: an EC2-Classic environment and a VPC, each showing an RDS DB instance, an ELB and Route 53, as components move to the VPC]

  • ClassicLink

    Preparation: create VPC and configure for ClassicLink
    Create VPC security groups and deploy VPC components
    Add EC2-Classic instances to your VPC security groups
    Deploy components in stages in VPC
    Clean up unused EC2-Classic instances

    Pros:
    (Potentially) no disruptive maintenance
    Direct private IP connectivity and security group integration
    Designed for the largest deployments

    Cons:
    Additional complexity during migration
    Still need to replace EC2-Classic instances with new VPC instances

  • ClassicLink component stages

    Start with AWS-managed infrastructure: RDS, ElastiCache, Redshift
    Next: ELB
    Then: instances

    [Diagram: EC2-Classic side and ClassicLink VPC side, each with an RDS DB instance, an ElastiCache cache node and an Elastic Load Balancer]

  • ClassicLink: additional considerations

    VPC address ranges for use with ClassicLink: 10.0.0.0/15, or any other range outside 10.0.0.0/8. Why? EC2-Classic instance private IP addresses are in 10.2.0.0 to 10.255.255.255. The VPC also can't have extra route table entries to 10.0.0.0/8.

    ClassicLink instances use EC2-Classic for all Internet traffic. No access from VPN/Direct Connect or a VPC peer to a ClassicLink instance.

    ClassicLink must be enabled after instance launch (Run) or Start.

    VPC instance DNS names do not resolve from EC2-Classic, and vice versa.
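The address-range rule above is the one that most often stops a ClassicLink rollout, so it is worth checking before calling the enable API. The block below is an added example, not code from the talk: it applies the slide's rule literally (VPC CIDR inside 10.0.0.0/15 or entirely outside 10.0.0.0/8, and no route table entry to a destination inside 10.0.0.0/8 other than the VPC's own local route) to a VPC CIDR and parsed `aws ec2 describe-route-tables` output. The sample route table is constructed: vpc-4325f426 and vgw-f9da06e7 are IDs from the slides, while rtb-00000000, pcx-00000000 and the 10.50.0.0/16 peering route are placeholders invented for the example.

```python
import ipaddress

EC2_CLASSIC_RANGE = ipaddress.ip_network("10.0.0.0/8")      # where EC2-Classic private IPs live
CLASSICLINK_CARVEOUT = ipaddress.ip_network("10.0.0.0/15")  # the only part of 10/8 a linked VPC may use


def classiclink_cidr_ok(vpc_cidr):
    """A VPC can be enabled for ClassicLink if its range is inside 10.0.0.0/15
    or entirely outside 10.0.0.0/8 (the rule stated on the slide)."""
    net = ipaddress.ip_network(vpc_cidr)
    return net.subnet_of(CLASSICLINK_CARVEOUT) or not net.overlaps(EC2_CLASSIC_RANGE)


def conflicting_routes(vpc_cidr, describe_route_tables):
    """Routes (other than the VPC's own local route) whose destination lies inside
    10.0.0.0/8; such entries block ClassicLink because they would shadow EC2-Classic
    addresses.  describe_route_tables is the parsed output of describe-route-tables.
    A 0.0.0.0/0 default route is not inside 10/8 and is therefore not reported."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    conflicts = []
    for table in describe_route_tables["RouteTables"]:
        for route in table.get("Routes", []):
            cidr = route.get("DestinationCidrBlock")
            if not cidr:
                continue  # IPv6 or prefix-list routes carry other keys; not relevant here
            dest = ipaddress.ip_network(cidr)
            if dest == vpc_net and route.get("GatewayId") == "local":
                continue  # the automatic local route is allowed
            if dest.subnet_of(EC2_CLASSIC_RANGE):
                conflicts.append((table["RouteTableId"], cidr))
    return conflicts


def classiclink_readiness(vpc_cidr, describe_route_tables):
    """Both checks combined: a list of reasons the VPC cannot be enabled (empty means OK)."""
    reasons = []
    if not classiclink_cidr_ok(vpc_cidr):
        reasons.append(f"VPC range {vpc_cidr} is inside 10.0.0.0/8 but not 10.0.0.0/15")
    for rtb, cidr in conflicting_routes(vpc_cidr, describe_route_tables):
        reasons.append(f"{rtb} has a route to {cidr}, inside 10.0.0.0/8")
    return reasons


# Constructed sample: vpc-4325f426 and vgw-f9da06e7 are on the slides; the route table ID,
# the peering ID and the 10.50.0.0/16 route are placeholders for this example.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-00000000", "VpcId": "vpc-4325f426", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-f9da06e7", "State": "active"},
        {"DestinationCidrBlock": "10.50.0.0/16", "VpcPeeringConnectionId": "pcx-00000000",
         "State": "active"},
    ]}]}

if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "172.31.0.0/16"):
        print(cidr, "ok" if classiclink_cidr_ok(cidr) else "not allowed for ClassicLink")
    print(classiclink_readiness("10.0.0.0/16", SAMPLE_ROUTE_TABLES))
```

The peering route to 10.50.0.0/16 is the kind of entry that is easy to overlook: the VPC's own range is fine, but a route to another 10/8 network added later for peering or VPN makes the VPC ineligible until that route is removed.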

  • ClassicLink APIs & CLI

  • Enabling ClassicLink

    aws ec2 enable-vpc-classic-link --vpc-id vpc-4325f426

    To use ClassicLink the VPC must have this feature enabled. Can be restricted with IAM policy.

  • Attaching an EC2-Classic instance to a VPC

    aws ec2 attach-classic-link-vpc --instance-id i-2b3ecd1c --vpc-id vpc-4325f426 --groups sg-da107fbf

    Link this specific instance to the VPC using the specified VPC security groups.

    Link required after Run (new instance launch) or Start (stopped instance).

  • ClassicLink and other services

    Elastic Load Balancing

    EC2-Classic instances can be backends of VPC balancers

    Spot

    Running spot instances can be linked

    Auto Scaling

    Configure to link classic instances following launch