AWS Networking Fundamentals - Level 200 (United States)

Captions
Hello everyone, thank you for taking the time to attend the AWS Networking Fundamentals session today. My name is Arthi Raju and I'm a Principal Solutions Architect with AWS. A number of folks attending the session today might already be familiar with the traditional data center network design architecture, or you might be familiar with general networking concepts. My goal for the next 30 minutes is to cover the AWS networking services and features that can help you build your network architectures on AWS. So let's jump right in.

With AWS we have the concept of a Region. A Region is an isolated geographical area, and within this Region we have one or multiple Availability Zones. An Availability Zone can be one or more data centers that have redundant power and networking between them, and within these Availability Zones we then have multiple racks and then multiple hosts. So how does this all map into the diagram that you see here? We have us-east-1, which is our Region; it is our Northern Virginia Region. Within this Region we have multiple Availability Zones; for simplicity I'm just showing two Availability Zones here, us-east-1a and us-east-1b. Within these Availability Zones we have EC2 instances, which are the actual hosts that run within the Availability Zone.

We're going to be spending a good chunk of our time talking about Virtual Private Cloud and its features. So what is the Virtual Private Cloud? It's the green box that you see in this diagram. I'm going to remove all the physical constructs from this diagram and just focus on the VPC. A Virtual Private Cloud is an isolated network that you define on this AWS infrastructure. We'll talk about IP addressing as we go, but the key thing to understand here is that a VPC is a regional construct: when you create a VPC you will be asked to select a Region. Once you do that, you then create subnets within these VPCs. This subnet is very typical of what you would configure in your data center: you create subnets that are part of your VPC network space, and there can be different types of subnets, public subnets and private subnets. I'll be covering the differences between these subnets and also which application goes into the public subnet versus the private subnet. The key thing to note for subnets is that when you launch a subnet it is within an Availability Zone, so subnets, as you see in the diagram here, do not span across Availability Zones. In this diagram I have two subnets in one Availability Zone and two subnets in the other Availability Zone. Now that I have my subnets, I can launch instances within these subnets.

So I now have a VPC, I have subnets, I have my EC2 instances, but there's a major limiting factor: these instances don't have any communication outside of this VPC, or even within the VPC; you still need to do certain tuning in order for the instances to communicate with each other. What are those? AWS provides a number of gateways, endpoints and peering connections that give you this ability to communicate either within the VPC, or between VPCs, or even to your on-premises network, and that's what we're going to be covering as we go through the flow of these slides. We'll talk about gateways, we'll talk about endpoints and how to use them. But before that, let's take a look at this web application from a 10,000-foot overview. I don't just want to talk about gateways and endpoints; I want to also focus on how you can use this in the application that you're building. This is a typical web application that I have; I have the same diagram, I have the web application in two Availability Zones, and let's see how some of the constructs that we're talking about are going to roll into this web application.

First things first, let's get talking about IP addressing. You have your VPCs, you have your subnets. When you create a VPC today, it supports both IPv4 and IPv6 addresses. With IPv4 I can define a CIDR block as you see here, and this could be an RFC 1918 space or it could be any IP range. The key thing to note is that these IP ranges are not routable outside of the VPC. The VPC CIDR block can be anywhere from /16 to /28, and the smallest you could go is /28. Of course we don't recommend you use a /28, because you're limited by the number of IPs, and also when you use a /28 you're limited to one subnet. Remember, for the application that we're building we want it to be highly available, so I need at least multiple subnets here. You can also enable IPv6 on your VPC; once you enable IPv6 this becomes a dual-stack VPC. So what is a dual-stack VPC and how can you use IPv6 addresses? With IPv6 we assign a /56 CIDR to your VPC, and we then assign subnets to your VPC space that are fixed at the /64 subnet range. Once you have this, you now have a full VPC with IPv4 as well as IPv6 addressing ranges.

So we've built this VPC with our IP addressing. The next step is that you still don't have the external communication that we're talking about. There are five things that are required, and as you see on the slide here, these five things will enable your instances to get that outbound internet connectivity. So let's talk about them. First thing, your instances require a public IP address. This could be a public IP address from Amazon's pool: when you launch an instance you can select auto-assign public IP address, and this allows Amazon to automatically assign a public IP address. You could also use something called an Elastic IP address. A common question that we get is, hey, what's the difference between the auto-assigned public IP address versus the Elastic IP address? The difference is that with auto-assigned public IP addresses, during instance lifecycle events you might lose these IP addresses, whereas with Elastic IP addresses, once it's allocated into your account it stays there no matter what happens to your instance; until you go into your account and disassociate this IP address, it stays there forever. Within Elastic IP addresses we also have a feature where you can bring your public IP addresses into your VPC, and we do support this for IPv4 today. So if you look at our diagram back here, I've got my public IP addresses assigned on my EC2 instances.

The next thing we're going to be looking at is, once I assign my public IP, I now need internet connectivity, so I need to create a gateway, and remember this is the first gateway we're talking about: I need to create a gateway called an Internet Gateway. What this Internet Gateway is, it's a highly scaled gateway that AWS manages, and all it does is stateless one-to-one NAT: it maps your private IP address to a public IP address. So I go into my console and I can create an Internet Gateway; that's what you see in the diagram here. Once that's done, you go into your EC2 instance's route table and add a route that says any traffic going out to the internet, the next hop should be my Internet Gateway. You're going to be seeing this updating of the route table often: for any kind of traffic that we want to send out from the EC2 instance, the basic rule applies, you go into your EC2 instance and update your route tables. So what we've got is step two and step three covered now; we've got our internet connectivity figured out.

I mentioned briefly when we started the different types of subnets, public subnet and private subnet. The difference between these is pretty straightforward, the name indicates it all. With a public subnet you have your public IP address, it has an Internet Gateway and it has that internet connectivity, whereas with private subnets you don't have any of that; these are instances that sit inside the private subnet. So what kind of applications would run in a private subnet versus a public subnet? My web server, for example: remember the web server that we are building, this could sit inside my public subnet. My database, for example, or application servers don't need any external connectivity, so I could put these inside my private subnet. A common question that comes up is, hey, I have these application servers in my private subnet, I still need internet connectivity in order to update my repositories, what do I do? For this we have the second type of gateway that I'm going to be talking about, the NAT Gateway, Network Address Translation gateway. If you're familiar with the on-premises networking world you might be familiar with network address translation. Amazon provides this NAT Gateway that you could deploy in the public subnet, assign an Elastic IP, and all it's doing is port address translation: it takes traffic from your private subnet, uses the NAT Gateway, sends it out to the internet and fetches any updates that you want. So as you see here, you'll see in the route table that my private instance A has a route to the NAT Gateway, and then the NAT Gateway has the Internet Gateway attached to it.

So now we've completed the connectivity piece; we've got internet connectivity figured out for our application. But there are two other important things that we want to talk about: one is the network access control list, and the other is the security group. We talked about this internet connectivity and the flow of traffic; these allow you to define the rules for that flow of traffic. And as we're talking about the flow of traffic, we'll also see how you can actually capture it using VPC Flow Logs or using Traffic Mirroring. This is our application: my web servers in the public subnet, my application servers in the private subnet. Network access control lists operate at the subnet level. What this means is, by default the network access lists are stateless, so I'll have to define inbound rules and I'll have to define outbound rules. With the default rule, this is what you will get: you will get the default inbound rule that allows all traffic and the default outbound rule that allows all traffic. For most customers this might be sufficient, but what if you want to fine-tune these network access control lists? In our example here, as you see, I have my application server; this server doesn't need any traffic coming from outside of the VPC, it only needs traffic coming in from my web server subnet. So in this case, as you see here, I've updated my route tables for my private subnet to allow traffic coming in only from the subnet of my public subnet where the web server resides. Similarly on the outbound, I'm defining a rule to allow only traffic going to the public subnet, and you see the only thing that's different is, my destination is still the same IP range of my public subnet, I'm only modifying the ports, because I know what the incoming port is; the outgoing port is one of the ephemeral ports.

The next security control you have is using security groups. These are tied to the elastic network interface that is wrapped around the EC2 instance. So if you think about when to use security groups, these are applied at the instance level itself, and these are stateful. If you look at our diagram here, I can have a security group rule for my inbound traffic that says any traffic on port 443, HTTPS, is allowed on my web server. Similarly for my application server I can set a rule; ideally what I want to do is allow only traffic coming in from the web server, so what I'm doing is specifying the source as a security group. This is easier for you because when you specify the source as a security group, the security group can be applied to your web servers, and what it means is any web server that has the security group is allowed to communicate with your application server.

So far we've talked about the connectivity. The last two things I mentioned were around the logging of all this connectivity. VPC Flow Logs is a feature that allows you to log this metadata, so if you look at the flow log record here you can see the source IP, destination IP, source port, destination port, and depending upon what traffic you're capturing, you can capture all traffic, you can capture only traffic that's denied, for example, and you can specify this either at the VPC level, the subnet level, or specifically at a particular elastic network interface. These are then pushed to either Amazon CloudWatch or Amazon S3. The last thing is, for customers looking for a little more than what they see in the metadata, this is where you will see customers use Traffic Mirroring. What Traffic Mirroring does is, you create a filter, you tell us what traffic you want to copy, so when traffic hits a source that you define, it basically takes that traffic and copies it into a destination that you specify. Remember that, given this is copying packets into a destination, you're actually sharing bandwidth, and I want to call that out because that's important as you're building these large-scale traffic mirroring filters; it's important that you know you're sharing bandwidth.

So now we've completed part one, which is connectivity within the VPC. Now let's say I have multiple VPCs; how do I now span my connectivity to these multiple VPCs? Now we have three VPCs here, each with their own CIDR block. What if I want these VPCs to communicate with each other? Of course I can use an Internet Gateway to communicate between these VPCs, as you see here, but what if I don't want to use the public space, I want to use the RFC 1918 address ranges that I've defined here? What you could do is use a feature called VPC peering. This is available for peering between VPCs in the same Region or across different Regions, and you can also use it to peer between VPCs in your own account or in a different account. The workflow is still the same: you create a peering request, you send the peering request, and the destination VPC has to accept it. Once that's done, going back to our basics, you go in and update your route tables to tell your route table what the next hop is, and in this case it's a pcx, which is a peering connection. Now I could do the same thing for all the VPCs: I go in and update route tables on all the VPCs. Some key things to note with VPC peering: you can reference security groups for the VPCs that are within the same Region; when you do inter-Region VPC peering you cannot do this. Also, when you enable DNS resolution on your VPC and you're trying to resolve to a public IP, Amazon will be able to resolve to the private IP, because we now have a data path running between these VPCs. Some things that won't work: transitive routing does not work. It's also important to select CIDR blocks that don't overlap with each other. The last thing is jumbo frames: when you're within a Region it is supported, but when you're crossing Regions it is not supported.

So the next step is, I have a data center; how do I connect from my VPC to my data center? It's pretty straightforward. Most customers start with a Site-to-Site VPN. This is an IPsec VPN, and as you might know, IPsec requires two endpoints for the tunnel termination. On the AWS side we are introducing the gateway again here, and this time it's a Virtual Private Gateway; this acts as the IPsec termination point on the AWS side. When you create this gateway you can give it a name and you tell us what autonomous system number you want to use. Similarly we need a gateway on the other side, and this is the customer gateway. When you create a customer gateway you tell us what kind of VPN connection you are using, static versus dynamic. Dynamic is when you use a routing protocol such as BGP to advertise the routes, whereas with static you'll have to manually tell us what routes need to be advertised. You also select the BGP autonomous system number, and your side of the router will need a public IP address; if you don't have a fixed IP address you could definitely use the certificate-based VPN. Once that's done, I go into my console and click create VPN connection. What this does is it creates two endpoints on the AWS side, one in each Availability Zone, and this is great because for HA purposes, even if one Availability Zone goes down you still have the endpoint in the other Availability Zone, and it terminates on the customer gateway side that you own. So if you think about it, it's one VPN connection but it's actually two tunnels. Using BGP, your VGW now learns what routes you're advertising, but what about instances behind the VPC? They have no idea what routes you're advertising, so the same rule applies: you go into your instance and update the route table, saying that, hey, any traffic that needs to go to my data center, my next hop is my Virtual Private Gateway. The key thing to note is that each tunnel is capped at a bandwidth of 1.25 gigs, and even though we have two tunnels, AWS sends all traffic through one tunnel in an active/passive mode. So that's what you see here: we will send your traffic through one of the tunnels. A common question that we get here is, hey, I don't want to go update my route table every time new routes are added from my on-premises site. You could use a feature called route propagation; what this does, when enabled, is whatever routes your VGW learns are automatically propagated to the route tables.

The IPsec VPN connection is over the internet, so there's going to be latency, there's going to be limited bandwidth, as we saw. For customers who are looking for a step more, with higher bandwidth and a dedicated connection, this is where they can use AWS Direct Connect. AWS Direct Connect consists of two pieces. One is the physical piece, which is the physical connection that you see here. This is where an AWS router is placed in a colocation; a customer router might be in the same location, or they could use one of our partners. A physical cross-connect is done at this location, and from there, from the customer router to the data center, the last-mile connectivity is taken care of by the customer. This physical connection can be a 1 gig or a 10 gig, and we also support link aggregation today. Once the physical connection is figured out, the logical connection kicks in, and this is where we use virtual interfaces. These are simply 802.1Q VLAN tagging and BGP peering. The three types of interfaces that we're going to be talking about are the private virtual interface, the public, and the transit virtual interface.

What is the private VIF? Very simple: think about a private VIF as any communication from your on-premises into a Virtual Private Cloud. So in this case we've got the physical connection figured out. In order to establish that private VIF, I create a Direct Connect gateway, which is the other gateway in our series of gateways that we've been talking about. We create a Direct Connect gateway and attach the VPCs to this Direct Connect gateway, and these VPCs could be in any Region. Once that's done, you create a private VIF from this Direct Connect gateway. What this now allows me to do is talk from this customer data center, which could be in any location, for example Sydney, Australia, to VPCs in any Region: from Sydney, Australia I could talk to a VPC in Region 1, which could be US East, Virginia, and Region 2, which could be US West, California. So this is what the private VIF enables you to do. What about the public VIF? The public VIF basically enables you to talk to any AWS services that have a public IP, so AWS advertises all the public IP ranges back to your on-premises and you will be able to communicate with services like DynamoDB, S3, etc.

Before talking about the transit VIF, I want to take a step back to talk about Transit Gateway. You're all familiar with this diagram already; we talked about peering. Peering works great depending on the scale of your network architecture, but what if the number of VPCs you have grows to what you're seeing on the screen here? It becomes complex to manage these peering connections, because you have to have one-to-one connections. This is where AWS introduced the next set of gateway, which is the Transit Gateway. What the Transit Gateway does is, you can now attach all your VPCs to this Transit Gateway; it acts as a hub and then carries traffic to the other spokes, so VPC A can talk to VPC E, or VPC B can talk to VPC D, as long as they're attached to the Transit Gateway. So how does this work? Going back to the VPN connection that we had, same thing: I'm attaching all my VPCs to the Transit Gateway and then I have a VPN connection from the Transit Gateway to my on-premises. Now I can update my route tables to say, hey, any traffic, send it to the Transit Gateway. The Transit Gateway has its own routing table, and for simplicity I'm using the default here and sending everything back to my data center. So this is where the transit VIF is going to be helpful with AWS Direct Connect when you have a Transit Gateway. This is how it looks: I have all my VPCs that I connect to my Transit Gateway, and now I connect the Transit Gateway to the Direct Connect gateway. Remember earlier, in the private VIF, we were connecting the VPCs directly; you now have the Transit Gateway that's replacing that, and for the virtual interface this is where I create a transit VIF that allows me to communicate between my VPCs that are connected to the TGW and my data center.

So we've completed a couple of things: we completed connectivity within the VPC, we completed connectivity between VPCs, and we also completed connectivity to our on-premises. What about services from your VPC to, for example, S3 or EFS, etc.? This is where we're going to look at VPC endpoints. We have two types of endpoint. The first one is the gateway VPC endpoint. What this gateway VPC endpoint does: let's say you have instances that want to communicate with Amazon S3. You could use the Internet Gateway, as you see in this diagram, communicate back to the Internet Gateway, go out and reach Amazon S3, but you could also use VPC endpoints to communicate privately with Amazon S3. What I'm doing is creating a gateway VPC endpoint within this VPC, and of course I need to update my route tables to say the next hop for Amazon S3, for example, in this case I'm taking S3, the next hop will be my VPC endpoint. Today only two services are supported with the gateway VPC endpoint: one is S3 and the other is DynamoDB, and each has its own public IP prefixes that are represented in this prefix list that you see here. So any traffic from my instance can use this VPC endpoint to communicate with Amazon S3, or if I create one for DynamoDB, it can communicate with DynamoDB.

For most of our other AWS services we launched AWS PrivateLink, which is based on our Hyperplane technology, and this is the same technology that is used for NAT Gateway, Network Load Balancers, etc. What an interface VPC endpoint does is, I can create this interface VPC endpoint and it puts an interface in the subnets that you select and allows that private communication between your instances and the AWS services in that Region. For example, in this case I have an SQS request that I need to make, so my instance needs to communicate with SQS, and I create a VPC endpoint; it goes to the VPC endpoint, it reaches the VPC endpoint and communicates with the SQS service. PrivateLink can also be used for your own services. What this means is it can be used in a consumer/producer relationship to privately talk between VPCs. Let's say in the VPC on the right I have a SaaS provider who is running a specific service that you want to consume privately. The SaaS provider is using a Network Load Balancer, which supports IP target groups, and they're running a service behind the Network Load Balancer. You can create a PrivateLink in your account and privately communicate with this service in the other VPC. What this also means is you can now extend this: as I mentioned, Network Load Balancer supports IP target groups, which means these IPs could also be on-premises, so you can extend services from your VPC to communicate back to your data center through a Direct Connect or a VPN using PrivateLink.

So let's bring everything together. We talked about a number of gateways today; we talked about different connection mechanisms with endpoints and peering connections. How does this all fit into the application that we were building? Our application is going to be in this VPC across two Availability Zones. You could use load balancing in order to front-end your application. We've got our subnets figured out, we've got our web servers and application servers. We talked about how this application can connect to other VPCs using VPC peering. We also talked about how you can connect this application to your on-premises using a Site-to-Site VPN connection. The next thing we talked about is communicating with services such as Amazon S3 or DynamoDB using VPC endpoints, and then we talked about the interface type endpoints, which are powered by PrivateLink, to communicate with the other AWS services that support interface VPC type endpoints today. We also then talked about using Transit Gateway, which enables you to connect multiple VPCs together, and that can also then be used to talk back to your on-premises using a VPN or using a Direct Connect gateway.

I also want to quickly point out some of the features that we've launched since re:Invent 2019 before we wrap up this session. We talked about interface VPC endpoints; we just launched SES support for interface VPC endpoints, so now if you have applications that need to communicate with SES, you can use the interface VPC endpoints. We talked a lot about Transit Gateway; we launched a couple of features: inter-Region peering, which allows you to peer your Transit Gateways across Regions, and then we also launched support for multicast routing and additional Regions where Transit Gateway is supported. The last thing that I want to call out is, with VPC Flow Logs, earlier we used to have a 10-minute aggregation interval; you now have the ability to have a one-minute aggregation interval, so you have more flow records that you can use to analyze data. And with that, that's a wrap to this session. I wanted to thank you for taking the time to attend this session today, and the session slides and the videos will be available on the AWS Events page. Thank you everyone.
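The stateless network ACL behaviour the talk describes for the private subnet (inbound only from the web subnet on the application port, outbound only back to the web subnet on ephemeral ports) can be checked against VPC Flow Log records. The following is an added example, not code from the talk or from AWS; the subnet CIDRs 10.0.0.0/24 (web) and 10.0.1.0/24 (app), the application port 8080, and the flow log lines are all constructed for illustration.

```python
"""Stateless network ACL evaluation over constructed VPC Flow Log records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the example, not taken from the talk.
PUBLIC_SUBNET = ip_network("10.0.0.0/24")   # web servers
PRIVATE_SUBNET = ip_network("10.0.1.0/24")  # application servers
APP_PORT = 8080                             # assumed application port
EPHEMERAL = (1024, 65535)                   # ephemeral port range used for return traffic
PROTO = {6: "tcp", 17: "udp", 1: "icmp"}    # IANA protocol numbers as they appear in flow logs


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending order
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    ports: tuple     # inclusive destination-port range
    action: str      # "allow" or "deny"


def evaluate(rules, peer_ip, protocol, dst_port):
    """First matching rule wins; the implicit final '*' rule denies everything."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if peer_ip not in ip_network(rule.cidr):
            continue
        if not rule.ports[0] <= dst_port <= rule.ports[1]:
            continue
        return rule.action
    return "deny"


# Private-subnet NACL as described in the talk: inbound only from the public subnet on
# the application port, outbound only to the public subnet on ephemeral ports.
PRIVATE_INBOUND = [Rule(100, "tcp", str(PUBLIC_SUBNET), (APP_PORT, APP_PORT), "allow")]
PRIVATE_OUTBOUND = [Rule(100, "tcp", str(PUBLIC_SUBNET), EPHEMERAL, "allow")]

FLOW_LOG_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status")


def parse_flow_log(line):
    """Parse one default-format (version 2) VPC Flow Log record into a dict."""
    record = dict(zip(FLOW_LOG_FIELDS, line.split()))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        record[key] = int(record[key])
    return record


def nacl_verdict(record, inbound=PRIVATE_INBOUND, outbound=PRIVATE_OUTBOUND):
    """Apply the private-subnet NACL to one flow crossing that subnet's boundary.

    The NACL is stateless, so the reply half of a connection is judged on its own by
    the outbound rules; the ephemeral-port rule is what lets replies reach the web tier.
    """
    src, dst = ip_address(record["srcaddr"]), ip_address(record["dstaddr"])
    protocol = PROTO.get(record["protocol"], "all")
    if dst in PRIVATE_SUBNET:    # inbound: match on source CIDR and destination port
        return evaluate(inbound, src, protocol, record["dstport"])
    if src in PRIVATE_SUBNET:    # outbound: match on destination CIDR and destination port
        return evaluate(outbound, dst, protocol, record["dstport"])
    return "n/a"                 # flow does not touch the private subnet


# Constructed sample records; the account id and ENI id are placeholders.
SAMPLE_LOGS = [
    "2 123456789012 eni-0example1 10.0.0.10 10.0.1.10 49152 8080 6 10 840 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0example1 10.0.1.10 10.0.0.10 8080 49152 6 8 1200 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0example1 198.51.100.7 10.0.1.10 40000 8080 6 3 180 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0example1 10.0.1.10 203.0.113.5 51000 443 6 5 400 1600000000 1600000060 REJECT OK",
]


def audit(lines):
    """Return (srcaddr, dstaddr, dstport, verdict) for every record."""
    records = [parse_flow_log(line) for line in lines]
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], nacl_verdict(r)) for r in records]
```

Passing a narrower outbound rule set to `nacl_verdict` (for example one that only allows port 8080) shows why the return traffic needs the ephemeral-port rule: the reply record is then denied.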
Info
Channel: AWS Events
Views: 8,500
Keywords: AWS, AWS Summit Online, May 13, 2020, United States, level 200, Amazon, Virtual Private Cloud, Amazon VPC, AWS Direct Connect, compute & networking, AWS Events
Id: DcvTAYxtoRU
Length: 28min 24sec (1704 seconds)
Published: Fri Jul 24 2020