Architecting a Virtual Private Cloud VPC on AWS

Amazon Virtual Private Cloud (VPC) allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. Get a hands-on look at how to build a VPC on AWS so you can enjoy public cloud capabilities in a secure, closed environment.

1. Architecting a VPC on AWS
Tyler Bursee | AWS Solutions Architect

2. Agenda
• Fundamentals
  – VPC Overview
  – IP
  – Subnet Design
  – Route and NAT
  – Security Groups/NACL
• Advanced Topics
  – VPC Peering
  – VPC Flow Logging
  – VPC Endpoints
  – Direct Connect/VPN

3. Amazon VPC Overview

4. What is a Virtual Private Cloud?
• Your own logically isolated section of the Amazon Web Services (AWS) Cloud
• You have complete control over your virtual networking environment
VPC Components:
  – User defined IP address range
  – Subnets
  – Route Tables
  – Access Control Lists
  – Network Gateways

5. Opening up a VPC
VPC – User-defined address space up to /16 (65,536 addresses)
Subnets – 200 user-defined subnets up to /16
Route Tables – Define how traffic should be routed from/to each subnet
Access Control Lists – Stateless network filtering between subnets
Internet Gateway – A logical device enabling traffic to be routed to/from the public internet
Managed NAT – Provide Network Address Translation to private instances for 10Gbps traffic
Virtual Private Gateway – The Amazon end of a VPN connection
Customer Gateway – The router at the customer end of a VPN connection

6. VPCs span an entire region (diagram: a VPC with CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B)

7. Subnets sit in a single VPC in a single AZ (diagram: VPC CIDR 10.1.0.0/16 with subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.2.0/24 in Availability Zone B)

8. Planning the VPC IP Space

9. Plan your VPC IP space before creating it
• Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation

10. Choosing IP address ranges for your VPC (diagram: example VPC CIDR 172.31.0.0/16)
Recommended: /16 RFC1918 range (64K addresses)
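The planning rules above (a /16 to /28 CIDR from an RFC1918 range that cannot be changed later, and subnets laid out per tier and per AZ) can be checked before anything is created. The following script is an added example, not code from the deck or from AWS; it uses only Python's standard library `ipaddress` module. The `existing` parameter, the `start_index` convention and the 5-address reservation per subnet (an AWS behaviour not stated on the slides) are assumptions made here.

```python
"""Check a VPC CIDR against the deck's constraints and carve per-AZ subnets.

Added example, not from the AWS deck. The checks mirror the slides: a VPC
CIDR is /16 to /28, should come from an RFC 1918 range, cannot be changed
after creation, and a VPC holds at most 200 subnets. The per-AZ
public/private layout and the 10.1.x.0/24 numbering follow the diagrams.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SUBNETS_PER_VPC = 200      # limit quoted on the VPC component slide
AWS_RESERVED_PER_SUBNET = 5    # AWS keeps the first four and last address of a subnet


def validate_vpc_cidr(cidr, existing=()):
    """Return the VPC network, or raise ValueError explaining why the plan is unsafe.

    `existing` lists CIDRs already in use (other VPCs, on-premises networks).
    An overlapping VPC cannot later be peered or VPN-connected without
    renumbering, and the CIDR cannot be modified once the VPC exists, so
    this is the moment to catch it.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be an IPv4 block between /16 and /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{cidr}: not inside an RFC 1918 private range")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            raise ValueError(f"{cidr}: overlaps already-used network {other}")
    return net


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"),
                 subnet_prefix=24, start_index=1, existing=()):
    """Carve one subnet per (tier, AZ) pair and return them as dicts.

    Subnets are allocated tier by tier, so with azs=["a", "b"] the public tier
    gets 10.1.1.0/24 and 10.1.2.0/24 and the private tier 10.1.3.0/24 and
    10.1.4.0/24, matching the deck. start_index=1 leaves 10.1.0.0/24 unused.
    """
    vpc = validate_vpc_cidr(vpc_cidr, existing)
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError(f"subnet prefix /{subnet_prefix} must be between /{vpc.prefixlen} and /28")
    wanted = len(tiers) * len(azs)
    if wanted > MAX_SUBNETS_PER_VPC:
        raise ValueError(f"{wanted} subnets requested; a VPC allows {MAX_SUBNETS_PER_VPC}")
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))[start_index:]
    if len(blocks) < wanted:
        raise ValueError(f"{vpc_cidr} cannot hold {wanted} /{subnet_prefix} subnets")
    plan = []
    for tier in tiers:
        for az in azs:
            block = blocks.pop(0)
            plan.append({
                "name": f"{tier}-{az}",
                "tier": tier,
                "az": az,
                "cidr": str(block),
                "usable_hosts": block.num_addresses - AWS_RESERVED_PER_SUBNET,
            })
    return plan


if __name__ == "__main__":
    # Constructed input: the deck's VPC, two AZs, and a pre-existing corporate range.
    for s in plan_subnets("10.1.0.0/16", ["a", "b"], existing=["192.168.0.0/16"]):
        print(f"{s['name']:<10} AZ {s['az']}  {s['cidr']:<15} {s['usable_hosts']} usable")
```

Running the script prints the four subnets from the subnet design diagrams; passing an on-premises range that overlaps the VPC (for example `existing=["10.0.0.0/8"]`) fails fast instead of producing a VPC that can never be connected to that network.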

11. Designing the Subnet

12. Public / Private Subnets (diagram: VPC CIDR 10.1.0.0/16; PUBLIC subnets 10.1.1.0/24 in Availability Zone A and 10.1.2.0/24 in Availability Zone B; PRIVATE subnets 10.1.3.0/24 in Availability Zone A and 10.1.4.0/24 in Availability Zone B)

13. Public / Private Subnets (diagram: VPC CIDR 10.1.0.0/16; Web tier in the public subnets 10.1.1.0/24 in Availability Zone A and 10.1.2.0/24 in Availability Zone B; Database tier in the private subnets 10.1.3.0/24 in Availability Zone A and 10.1.4.0/24 in Availability Zone B)


15. Routing Traffic Through Subnets

16. Public Subnet Routing (diagram: VPC CIDR 10.1.0.0/16; subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.2.0/24 in Availability Zone B)

17. Public Subnet Routing (diagram: VPC CIDR 10.1.0.0/16; Web (public) subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.2.0/24 in Availability Zone B)


19. Public Subnet Routing – Internet Gateway (diagram: VPC CIDR 10.1.0.0/16; Web (public) subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.2.0/24 in Availability Zone B, with an Internet Gateway attached to the VPC)

20. Public Subnet Routing – Internet Gateway
• VPC CIDR: 10.1.0.0/16
Route Table (public subnets):
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

21. Private Subnet Routing (diagram: VPC CIDR 10.1.0.0/16; Web tier in the public subnets 10.1.1.0/24 in Availability Zone A and 10.1.2.0/24 in Availability Zone B; Database tier in the private subnets 10.1.3.0/24 in Availability Zone A and 10.1.4.0/24 in Availability Zone B)

22. Private Subnet Routing
• VPC CIDR: 10.1.0.0/16
Route Table (Web subnets 10.1.1.0/24 and 10.1.2.0/24, public):
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway
Route Table (private subnets):
  Destination    Target
  10.1.0.0/16    Local

23. Private Subnet Routing – NAT Gateway (diagram: VPC CIDR 10.1.0.0/16; a NAT Gateway in the public tier; Web tier in the public subnets 10.1.1.0/24 in Availability Zone A and 10.1.2.0/24 in Availability Zone B; Database tier in the private subnets 10.1.3.0/24 in Availability Zone A and 10.1.4.0/24 in Availability Zone B)

24. Private Subnet Routing – NAT Gateway
• VPC CIDR: 10.1.0.0/16
Route Table (private subnets, with the NAT Gateway in the public Web subnets):
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      NAT Endpoint

25. Private Subnet Routing (diagram: VPC CIDR 10.1.0.0/16; NAT Gateway in the public tier; Web tier in the public subnets 10.1.1.0/24 in Availability Zone A and 10.1.2.0/24 in Availability Zone B; Database tier in the private subnets 10.1.3.0/24 in Availability Zone A and 10.1.4.0/24 in Availability Zone B)
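The three route tables on slides 20, 22 and 24 are what make a subnet "public" or "private": the local route is always present, and the only difference is where 0.0.0.0/0 points. The following simulator is an added example, not code from the deck or from AWS; it reproduces the route-table lookup (longest-prefix match, then the target) so the behaviour of each table can be checked offline. The target labels `local`, `igw`, `nat` and `vgw` are names chosen here, and the `HYBRID_ROUTES` table with a Virtual Private Gateway route goes one step beyond the slides to show why a more specific route beats the default route.

```python
"""Simulate VPC route-table lookups for the deck's public and private subnets.

Added example, not from the AWS deck. Route tables are lists of
(destination CIDR, target) pairs; the target strings are labels chosen here.
"""
import ipaddress

VPC_CIDR = "10.1.0.0/16"

# Slide 20: public subnets send non-VPC traffic to the Internet Gateway.
PUBLIC_ROUTES = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]
# Slide 22: private subnets start with only the local route.
PRIVATE_ROUTES_ISOLATED = [(VPC_CIDR, "local")]
# Slide 24: private subnets given outbound Internet access through the NAT Gateway.
PRIVATE_ROUTES_NAT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat")]
# Constructed, not on the slides: a private subnet that also reaches an on-premises
# range over the Virtual Private Gateway ("vgw").
HYBRID_ROUTES = [(VPC_CIDR, "local"), ("192.168.0.0/16", "vgw"), ("0.0.0.0/0", "nat")]


def lookup(route_table, dst_ip):
    """Return the target for dst_ip by longest-prefix match, or None if nothing matches.

    The local route cannot be removed, so intra-VPC traffic never leaves
    through a gateway even when a 0.0.0.0/0 route exists in the same table.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None     # None: no route, the packet is dropped


def classify_subnet(route_table):
    """Public vs private is a routing property: it depends on where 0.0.0.0/0 points."""
    default = dict(route_table).get("0.0.0.0/0")
    if default == "igw":
        return "public"
    if default == "nat":
        return "private (NAT egress only)"
    return "private (isolated)"


if __name__ == "__main__":
    # Constructed destinations: the Database subnet, an Internet host, an on-prem host.
    targets = ["10.1.3.10", "93.184.216.34", "192.168.5.5"]
    for name, table in [("public", PUBLIC_ROUTES), ("isolated", PRIVATE_ROUTES_ISOLATED),
                        ("nat", PRIVATE_ROUTES_NAT), ("hybrid", HYBRID_ROUTES)]:
        decisions = ", ".join(f"{ip} -> {lookup(table, ip)}" for ip in targets)
        print(f"{name:<9} {classify_subnet(table):<26} {decisions}")
```

An instance in a subnet whose table has no 0.0.0.0/0 route cannot initiate anything to the Internet at all; the NAT route restores outbound access while the subnet stays private, because the only inbound path is the Internet Gateway the table never references.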

26. Controlling your Traffic

27. Network ACLs = Stateless Firewall Rules
• Can be applied on a subnet basis
(diagram: example NACL rule table) English translation: Allow all traffic in

28. Security Groups = Stateful Firewall Rules
(diagram: example security group rule) In English: Hosts in this group are reachable from the Internet on port 80 HTTP

29. Comparing NACL and Security Group
Comparison between Security Groups and Network ACLs:

  Area of Security            Security Group                            Network ACL
  Operational Level           Instance level                            Subnet level
  Supports ALLOW rules...     ...only                                   ...and DENY rules
  State Type                  Stateful                                  Stateless
  Evaluation method           All rules evaluated                       Stop on first match
  Applicability to Instances  Only if SG explicitly added to instance   Automatically to all instances in subnet
  Source / Destination        IP CIDR and other Security Groups         IP CIDR only
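The rows of the comparison table above are easiest to see in action. The following simulator is an added example written for this page, not code from the deck or an AWS API: two small classes reproduce only the properties the table lists (instance vs subnet scope, stateful vs stateless, ALLOW-only vs ALLOW and DENY, "all rules evaluated" vs "stop on first match", and the implicit deny at the end of a NACL). The rule tuple formats, the host addresses and the rule numbers are all constructed here; the port-80 security group is the one from slide 28.

```python
"""Model the security group vs network ACL differences from the comparison slide.

Added example, not from the AWS deck; a simplified simulator of the
properties listed on the slide, nothing more. All addresses are constructed
(RFC 5737 documentation ranges plus the deck's 10.1.1.0/24 Web subnet).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _matches(rule, remote_ip, port, proto):
    """rule = (proto, low_port, high_port, cidr); port is the destination port."""
    r_proto, lo, hi, cidr = rule
    return (r_proto in ("all", proto) and lo <= port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Instance level, stateful, ALLOW rules only, every rule evaluated."""

    def __init__(self, inbound, outbound=(("all", 0, 65535, "0.0.0.0/0"),)):
        self.inbound = list(inbound)
        self.outbound = list(outbound)   # default mirrors AWS: all egress allowed
        self._flows = set()              # connection-tracking table

    def inbound_allowed(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self._flows:
            return True                  # reply to a flow the instance opened
        # Rule order is irrelevant: any matching ALLOW rule admits the packet.
        if any(_matches(r, pkt.src, pkt.dport, pkt.proto) for r in self.inbound):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False

    def outbound_allowed(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self._flows:
            return True                  # reply to a tracked inbound connection
        if any(_matches(r, pkt.dst, pkt.dport, pkt.proto) for r in self.outbound):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False


class NetworkAcl:
    """Subnet level, stateless, ALLOW and DENY rules, lowest number first, stop on first match."""

    def __init__(self, inbound, outbound):
        # rule = (number, action, proto, low_port, high_port, cidr)
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    @staticmethod
    def _evaluate(rules, remote_ip, port, proto):
        for _number, action, *rule in rules:
            if _matches(rule, remote_ip, port, proto):
                return action == "allow"   # the first matching rule decides
        return False                       # implicit final '*' DENY rule

    def inbound_allowed(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt.dport, pkt.proto)

    def outbound_allowed(self, pkt):
        # No connection tracking: the reply needs its own outbound rule.
        return self._evaluate(self.outbound, pkt.dst, pkt.dport, pkt.proto)


WEB = "10.1.1.10"         # constructed: a host in the deck's public Web subnet
CLIENT = "203.0.113.5"    # constructed: an Internet client
BLOCKED = "198.51.100.7"  # constructed: a source the NACL should DENY
REQUEST = Packet(CLIENT, 51515, WEB, 80)
REPLY = Packet(WEB, 80, CLIENT, 51515)


def demo():
    """Run the slide's scenarios; returns a dict of allow/deny decisions."""
    sg = SecurityGroup(inbound=[("tcp", 80, 80, "0.0.0.0/0")])   # slide 28
    # NACL that opened port 80 inbound but has no outbound ephemeral-port rule.
    nacl_half = NetworkAcl(inbound=[(100, "allow", "tcp", 80, 80, "0.0.0.0/0")],
                           outbound=[])
    egress = [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
    nacl_full = NetworkAcl(inbound=[(90, "deny", "tcp", 80, 80, "198.51.100.0/24"),
                                    (100, "allow", "tcp", 80, 80, "0.0.0.0/0")],
                           outbound=egress)
    # Same rules, but the DENY is numbered after the ALLOW, so it never fires.
    nacl_shadowed = NetworkAcl(inbound=[(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
                                        (110, "deny", "tcp", 80, 80, "198.51.100.0/24")],
                               outbound=egress)
    blocked_req = Packet(BLOCKED, 40000, WEB, 80)
    return {
        "sg_request": sg.inbound_allowed(REQUEST),
        "sg_reply": sg.outbound_allowed(REPLY),                 # True: stateful
        "nacl_half_request": nacl_half.inbound_allowed(REQUEST),
        "nacl_half_reply": nacl_half.outbound_allowed(REPLY),   # False: stateless
        "nacl_full_reply": nacl_full.outbound_allowed(REPLY),
        "nacl_deny_first": nacl_full.inbound_allowed(blocked_req),
        "nacl_deny_shadowed": nacl_shadowed.inbound_allowed(blocked_req),
    }
```

Two results are the ones worth remembering from the table: a security group lets the HTTP reply out with no egress rule because it tracks the connection, while the half-configured NACL silently drops that reply until an outbound rule for the ephemeral port range exists; and a NACL DENY numbered after a broader ALLOW never takes effect, because evaluation stops at the first match.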