Aws Csa VPC R 1.0

Amazon VPC lets you create a logically isolated virtual network inside AWS with full control over its networking features: you choose the address range, carve it into subnets and design your own topology. Benefits include control over IP addressing, an additional layer of network security through network ACLs, separation of public and private subnets, and hybrid cloud architectures. Key concepts are subnets, route tables, Internet gateways, NAT instances, network ACLs and security groups. VPC peering connects two VPCs (within a single region at the time of this deck, June 2015). On-premises networks are extended to AWS with a virtual private gateway on the AWS side, a customer gateway on the corporate side and a VPN connection between them. Network ACLs are stateless controls at the subnet boundary, while security groups are stateful controls attached to instances.

Uploaded by

Robin

Amazon VPC

June 2015
What is Amazon VPC?

• Isolated area in the Amazon cloud

• Provides full control over the networking

• You decide the number of subnets

• Lets you design your own network topology

6/26/2015 2
Why use Amazon VPC?

• Control of IP addressing (you choose the CIDR block)

• Better security using network ACLs in addition to security groups

• Isolated public subnets and private subnets

• Internet gateway to control Internet connectivity

• NAT support for instances in private subnets

• Customer gateway as the anchor for connecting the organization's network

• Evolving EC2 feature set (new EC2 features target VPC)

• Enables hybrid cloud architectures

Key Concept…

[Diagram: AWS cloud > Region > Virtual Private Cloud containing an Internet gateway, a router, a public subnet with a NAT instance and a private subnet; each subnet is bounded by a network ACL and each instance by a security group]

• VPC & Subnet

• Routing Table

• Internet Gateway
  – Handles Internet-routable traffic
  – Performs network address translation

• NAT Instance

• Network ACLs
  – Layer of security at the subnet boundary
  – Every VPC comes with a default Network ACL

• Security Group
Key Concept…

• Internet Gateway
  – Horizontally scaled, redundant, and highly available VPC component
  – IGW purposes
    • Perform one-to-one network address translation for instances that have a public IP
    • Provide a target in VPC route tables for Internet-routable traffic
  – One VPC, one IGW (at most one Internet gateway can be attached to a VPC)

• NAT Instance
  – Provides outbound Internet access to instances in private subnets
  – Primary role: port address translation (PAT); many private addresses share the NAT instance's public IP
  – Launched in a public subnet, with source/destination checking disabled on its network interface

Image Source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

LAB – Amazon VPC
• Create Amazon VPC with PUBLIC & PRIVATE subnet
• Launch NAT instance / Attach Internet Gateway
• Launch Windows instance in PUBLIC subnet
• Launch Windows instance in PRIVATE subnet
• Access the instance in PUBLIC subnet remotely
VPC Peering

• Connection between two VPCs
• Can connect VPCs in different AWS accounts
• One-to-one relationship between two VPCs
• Default limit of 50 active VPC peering connections (can be increased)
• Within one region only (as of June 2015)
• Communicates using private IPs; the two VPC CIDR blocks must not overlap

[Diagram: AWS Account #1 and AWS Account #2, each with a virtual private cloud in the same Region, joined by a VPC peering connection]

VPC Peering

• Not transitive in nature
  – If peering exists between A and B, and between B and C,
    can A and C communicate via VPC peering?
  – No. Traffic from A to C needs a direct A-C peering connection plus a route in each VPC pointing at it; it does not flow through B.

• Scenarios
  – One to one: DEV, STAGING, UAT VPCs that need to connect to each other or be patched
  – Common VPC to many VPCs
    • Active Directory on the common VPC
    • AV solution on the common VPC
    • Management box on the common VPC
    • Third-party backup solution

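The non-transitivity question above, worked through as an added example (this is not code from the deck or from AWS): a small model of peering connections and route tables in which traffic is only delivered over a direct peering that has a route on both sides. The VPC names, CIDR blocks and the `pcx-*` route targets are constructed for illustration.

```python
"""Model VPC peering reachability: peering is one-to-one and not transitive."""
import ipaddress
from itertools import combinations

# Constructed sample topology: a shared-services VPC B is peered with A and C;
# A and C are not peered with each other. D overlaps with A on purpose.
VPCS = {
    "A": "10.0.0.0/16",
    "B": "10.1.0.0/16",
    "C": "10.2.0.0/16",
    "D": "10.0.0.0/16",   # overlaps with A: a peering A<->D would be refused
}

# Each peering connection is an unordered pair of VPC names.
PEERINGS = {frozenset({"A", "B"}), frozenset({"B", "C"})}

# Route tables: VPC -> {destination CIDR: target}. Both sides of a peering
# need a route that points at the peering connection (pcx-*), or packets
# in that direction are dropped.
ROUTES = {
    "A": {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx-ab"},
    "B": {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
    "C": {"10.2.0.0/16": "local"},          # return route to B is missing
    "D": {"10.0.0.0/16": "local"},
}


def cidrs_overlap(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def can_peer(x, y):
    """AWS refuses a peering between VPCs whose CIDR blocks overlap."""
    return x != y and not cidrs_overlap(VPCS[x], VPCS[y])


def has_route(src, dst):
    """True if src's route table sends dst's CIDR to a pcx-* target."""
    target = ROUTES[src].get(VPCS[dst])
    return target is not None and target.startswith("pcx-")


def can_communicate(src, dst):
    """Traffic flows only over a direct peering with routes on both sides;
    there is no transitive path through a third VPC."""
    if frozenset({src, dst}) not in PEERINGS:
        return False
    return has_route(src, dst) and has_route(dst, src)


def reachability_matrix():
    """Pairwise result for every VPC pair, e.g. {'A->B': True, 'A->C': False}."""
    return {f"{x}->{y}": can_communicate(x, y)
            for x, y in combinations(sorted(VPCS), 2)}


if __name__ == "__main__":
    for pair, ok in reachability_matrix().items():
        print(pair, "OK" if ok else "blocked")
    print("A can peer with D:", can_peer("A", "D"))
```

The B->C pair is instructive: the peering exists and B has a route, but C has no return route, so the connection is as dead as the missing A-C peering. Checking routes on both sides is the first thing to do when a peered VPC "cannot be reached".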
Extending On-Premises Network to Cloud

• Virtual Private Gateway
  – VPN concentrator on the Amazon side
  – One VPC, one Virtual Private Gateway
  – 5 Virtual Private Gateways per region (default limit)
  – One-to-many: one gateway terminates many VPN connections

• Customer Gateway
  – Physical device or software application on the corporate side
  – 50 Customer Gateways per region (default limit)

• VPN Connection
  – Static or dynamic (BGP) routing
  – Two IPsec tunnels per connection; configure both for redundancy

[Diagram: virtual private cloud with a virtual private gateway, a VPN connection, and a customer gateway in the corporate data center]

Extending On-Premises Network to Cloud

• If you need a VPN without a customer gateway device on the corporate side (for example, remote-access VPN for individual users), run a VPN server such as OpenVPN Access Server on an EC2 instance in the VPC

• Clients then need a VPN client and connect to the EC2 instance; the instance must sit in a public subnet with a public or Elastic IP and a security group that allows the VPN port

• https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/

Single Instance NAT Failure – Solution?

A single NAT instance is a single point of failure for every private subnet whose default route points at it. The linked AWS article shows the common 2015 workaround: one NAT instance per Availability Zone, each monitoring the other and taking over the failed instance's route table entry. (Since this deck was written, AWS has added the managed NAT Gateway, which removes the need to run and fail over NAT instances yourself.)

http://aws.amazon.com/articles/2781451301784570

Note Again

• Internet Gateway
  – Provides a target in the route table for Internet-routable traffic
  – Performs one-to-one NAT for instances that have a public IP: the public (or Elastic) IP is translated to the instance's private IP on the way in, and back on the way out

• To enable access to or from the Internet for instances in a VPC subnet, you must: attach an Internet gateway to your VPC; ensure that your subnet's route table points to the Internet gateway; ensure that instances in your subnet have public IP addresses or Elastic IP addresses; and ensure that your network ACL and security group rules allow the relevant traffic to flow to and from your instance. Instances in a private subnet deliberately fail the first two points and reach the Internet through the NAT instance instead.

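The two labs and the checklist above, turned into an added example (not code from the deck or from AWS). It carves one public and one private subnet per Availability Zone out of a VPC block, builds the two route tables the lab asks for, and applies the four Internet-access conditions to an instance. The CIDR, the AZ names and the `igw-1` / `nat-1` route targets are constructed values, and the security group and network ACL are reduced to a yes/no flag.

```python
"""Plan public/private subnets and check the conditions for Internet access."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example values; the identifiers are hypothetical.
VPC_CIDR = "10.10.0.0/16"


def carve_subnets(vpc_cidr, azs, prefix=24):
    """One public and one private subnet per AZ, carved in order from the VPC block.
    Returns {subnet name: network}; raises ValueError if the block is too small."""
    pool = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix))
    needed = 2 * len(azs)
    if len(pool) < needed:
        raise ValueError(f"{vpc_cidr} yields {len(pool)} /{prefix}s, need {needed}")
    out = {}
    for az in azs:
        out[f"public-{az}"] = pool.pop(0)
        out[f"private-{az}"] = pool.pop(0)
    return out


@dataclass
class Subnet:
    cidr: str
    routes: dict                 # destination -> target, e.g. "0.0.0.0/0" -> "igw-1"
    nacl_allows: bool = True     # simplified: does the NACL allow the flow both ways?


@dataclass
class Instance:
    subnet: Subnet
    public_ip: Optional[str] = None
    sg_allows: bool = True


@dataclass
class Vpc:
    cidr: str
    igw: Optional[str] = None    # at most one Internet gateway per VPC


def internet_reachable(vpc, inst):
    """Apply the deck's checklist for direct Internet access.
    Returns (ok, list of failing conditions)."""
    problems = []
    if vpc.igw is None:
        problems.append("no Internet gateway attached to the VPC")
    if inst.subnet.routes.get("0.0.0.0/0") != vpc.igw or vpc.igw is None:
        problems.append("subnet default route does not point at the IGW")
    if inst.public_ip is None:
        problems.append("instance has no public or Elastic IP")
    if not inst.subnet.nacl_allows:
        problems.append("network ACL blocks the traffic")
    if not inst.sg_allows:
        problems.append("security group blocks the traffic")
    return (not problems, problems)


def egress_path(vpc, inst):
    """How outbound traffic leaves: directly via the IGW, via a NAT instance, or not at all."""
    target = inst.subnet.routes.get("0.0.0.0/0")
    if target is not None and target == vpc.igw and inst.public_ip:
        return "direct via IGW"
    if target is not None and target.startswith("nat-"):
        return "via NAT instance"
    return "none"


def build_example():
    """The lab topology: public subnet routed to the IGW, private subnet to the NAT."""
    vpc = Vpc(VPC_CIDR, igw="igw-1")
    nets = carve_subnets(VPC_CIDR, ["a", "b"])
    public = Subnet(str(nets["public-a"]), {VPC_CIDR: "local", "0.0.0.0/0": "igw-1"})
    private = Subnet(str(nets["private-a"]), {VPC_CIDR: "local", "0.0.0.0/0": "nat-1"})
    web = Instance(public, public_ip="203.0.113.10")   # the instance you RDP/SSH into
    db = Instance(private)                              # reachable only from inside
    return vpc, web, db


if __name__ == "__main__":
    vpc, web, db = build_example()
    print("public instance:", internet_reachable(vpc, web), egress_path(vpc, web))
    print("private instance:", internet_reachable(vpc, db), egress_path(vpc, db))
```

The private instance fails two of the four conditions by design: that is exactly what keeps it off the Internet while `egress_path` still shows it can get out through the NAT instance.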
Network ACLs

• Security control at the network layer, applied at the subnet boundary
• Stateless: return traffic must be allowed explicitly (remember the ephemeral port range)
• Supports both Allow and Deny rules
• Can hold many numbered rules
• Evaluated in ascending rule number; the first matching rule wins and evaluation stops
• Useful for tighter control, e.g. denying known-bad source ranges; an extra layer, not a substitute for DDoS mitigation

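Rule evaluation as described above, and the difference from a security group, as an added example (not code from the deck or from AWS). `acl_decision` walks the rules in number order and stops at the first match, with the implicit final deny; `sg_decision` evaluates all rules and has no deny. The two session helpers show the practical consequence of statelessness: an outbound NACL without an ephemeral-port rule silently breaks HTTP replies, while a security group tracks the connection. All rules and addresses are constructed.

```python
"""Stateless network ACL evaluation versus a stateful security group."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclRule:
    number: int      # evaluated in ascending order; first match wins
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", "icmp" or "all"
    ports: tuple     # (low, high), inclusive
    cidr: str


@dataclass
class SgRule:        # security groups only have allow rules
    proto: str
    ports: tuple
    cidr: str


def _matches(rule, proto, port, addr):
    return (rule.proto in ("all", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


def acl_decision(rules, proto, port, addr):
    """Walk rules by number and exit on the first match; the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, addr):
            return r.action
    return "deny"


def sg_decision(rules, proto, port, addr):
    """All rules are considered; any match allows, nothing can deny."""
    return "allow" if any(_matches(r, proto, port, addr) for r in rules) else "deny"


# Constructed inbound NACL for a public web subnet.
INBOUND = [
    AclRule(90,  "deny",  "tcp", (22, 22),       "198.51.100.0/24"),  # block a known-bad range first
    AclRule(100, "allow", "tcp", (80, 80),       "0.0.0.0/0"),
    AclRule(110, "allow", "tcp", (443, 443),     "0.0.0.0/0"),
    AclRule(120, "allow", "tcp", (22, 22),       "0.0.0.0/0"),
    AclRule(130, "allow", "tcp", (1024, 65535),  "0.0.0.0/0"),       # replies to our outbound calls
]
# Outbound NACL missing the ephemeral range: clients' HTTP requests get no reply.
OUTBOUND_BROKEN = [
    AclRule(100, "allow", "tcp", (80, 80),   "0.0.0.0/0"),
    AclRule(110, "allow", "tcp", (443, 443), "0.0.0.0/0"),
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    AclRule(120, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),
]
SG_INBOUND = [
    SgRule("tcp", (80, 80), "0.0.0.0/0"),
    SgRule("tcp", (22, 22), "10.0.0.0/16"),   # SSH only from inside the VPC
]


def nacl_http_session_ok(inbound, outbound, client_ip, client_port=51234):
    """Stateless: the request on port 80 AND the reply to the client's
    ephemeral port must each be allowed by their own rule."""
    request = acl_decision(inbound, "tcp", 80, client_ip) == "allow"
    reply = acl_decision(outbound, "tcp", client_port, client_ip) == "allow"
    return request and reply


def sg_http_session_ok(sg_inbound, client_ip):
    """Stateful: once the request is allowed, the reply is allowed automatically."""
    return sg_decision(sg_inbound, "tcp", 80, client_ip) == "allow"


if __name__ == "__main__":
    print(acl_decision(INBOUND, "tcp", 22, "198.51.100.7"))   # deny: rule 90 wins over 120
    print(acl_decision(INBOUND, "tcp", 22, "203.0.113.5"))    # allow
    print(nacl_http_session_ok(INBOUND, OUTBOUND_BROKEN, "203.0.113.5"))  # False
    print(nacl_http_session_ok(INBOUND, OUTBOUND_FIXED, "203.0.113.5"))   # True
    print(sg_http_session_ok(SG_INBOUND, "203.0.113.5"))                  # True
```

Rule 90 is the pattern the deck's "tighter security control" bullet refers to: a deny placed before the broad allow at 120. If it were numbered 121 it would never be reached.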
Comparing Security Group and ACLs

• Security Group: operates at the instance (ENI) level; stateful, so return traffic is allowed automatically; allow rules only; all rules are evaluated before a decision
• Network ACL: operates at the subnet level; stateless, so return traffic needs its own rule; allow and deny rules; rules evaluated in number order, first match wins
• Both apply: a packet must pass the subnet's network ACL and the instance's security group
LAB – Amazon VPC
• Create two Amazon VPC with single private subnet
• Launch Windows instance in PRIVATE subnet of both VPC
• Create VPC Peering connection
• Access Windows instance of one VPC from another VPC
New Services

• VPC Flow Logs
  – Troubleshoot connectivity and security issues
  – Test that network access rules (ACLs and security groups) behave as intended
  – Raise CloudWatch alarms when unwanted traffic is detected (e.g. repeated REJECT records on an admin port)
  – Records are saved into log groups in CloudWatch Logs
  – No charge for the flow logs feature itself; CloudWatch Logs ingestion and storage are billed as usual
  – https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

• VPC Endpoints
  – Private connection from the VPC to S3 that stays on the AWS network
  – Easy to configure: a route table entry with the endpoint as target
  – Highly reliable
  – Does not require an Internet gateway or NAT instance
  – https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/

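The "alarm on unwanted traffic" and "test access rules" uses of flow logs, as an added example (not code from the deck or from AWS). It parses records in the default version-2 flow log format (the 14 space-separated fields listed in the AWS documentation), drops NODATA/SKIPDATA records, and reports external sources whose connections to SSH/RDP were rejected repeatedly, which is the condition you would put behind a CloudWatch metric filter and alarm. The sample records, account ID and interface ID are constructed, not real traffic.

```python
"""Parse VPC Flow Log records (version 2) and flag unwanted traffic."""
import ipaddress
from collections import Counter

# Field order of the default v2 flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): an outside host probing SSH and
# RDP on a web server, normal HTTP traffic, and an SSH session from inside the VPC.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51522 22 6 8 480 1435300000 1435300060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51523 22 6 8 480 1435300001 1435300061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51524 3389 6 8 480 1435300002 1435300062 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40000 80 6 120 90000 1435300003 1435300063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.4 80 40000 6 110 200000 1435300003 1435300063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.7 10.0.1.20 55001 22 6 12 900 1435300010 1435300070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1435300020 1435300080 - NODATA
"""


def parse_records(text):
    """Return a list of dicts, one per usable record; malformed and NODATA lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # skip malformed lines rather than crash
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                       # NODATA / SKIPDATA carry no flow fields
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        out.append(rec)
    return out


def admin_rejects(records, vpc_cidr, ports=(22, 3389), threshold=2):
    """Sources outside the VPC whose TCP connections to admin ports were rejected
    at least `threshold` times; returns {srcaddr: count}. Alarm on this."""
    vpc = ipaddress.ip_network(vpc_cidr)
    counts = Counter()
    for r in records:
        if r["action"] != "REJECT" or r["protocol"] != 6 or r["dstport"] not in ports:
            continue
        if ipaddress.ip_address(r["srcaddr"]) in vpc:
            continue                       # internal rejects are a different question
        counts[r["srcaddr"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def accepted_admin_from_inside(records, vpc_cidr, ports=(22, 3389)):
    """Accepted SSH/RDP flows originating inside the VPC: the positive evidence
    that the 'admin only from inside' NACL/SG rules are doing what you intended."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [(r["srcaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ports
            and ipaddress.ip_address(r["srcaddr"]) in vpc]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "usable records")
    print("alarm candidates:", admin_rejects(recs, "10.0.0.0/16"))
    print("admin from inside:", accepted_admin_from_inside(recs, "10.0.0.0/16"))
```

A REJECT record only tells you that a security group or network ACL dropped the packet, not which one; the deny-before-allow NACL ordering and the security group rules both have to be checked when an expected flow shows up as rejected.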
Cost Aspects

• No additional cost for Amazon VPC itself

• VPN Connection: $0.05 per hour per connection (2015 pricing), plus the usual data transfer charges

VPC Limits

Resource                      Default Limit   Comments
# of VPCs / region            5               Can be increased upon request
# Internet Gateways / region  5               Linked with the VPC limit; can be increased upon request
Elastic IP addresses          5               Can be increased upon request
Subnets / VPC                 200             Can be increased upon request
Security Groups / VPC         200
Security Groups / ENI         5

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

Best Practices
• Select the right VPC architecture design up front

• Choose the CIDR block once: the primary CIDR cannot be changed after creation, and it must not overlap with on-premises or peered networks

• Isolate VPCs according to use case (e.g. production vs. development)

• Keep the public subnet unpopulated: only NAT instances, bastion hosts and load balancers belong there

• Control in-out traffic in the VPC using ACLs and security groups

• Tier your security groups: one per tier (web, app, database), each allowing only the tier in front of it by security group ID

• Use EIPs only when needed

• Use multiple AZs within a single layer/tier so the ELB can balance traffic across them

• Use multiple AZs within a single layer/tier to avoid a single point of failure

End of Module

Q&A
