Slide transcript, posted 11-Oct-2020

Page 1: A Case Study in Virtual Private Cloud...Amazon.com AWS Cloud Configuration for Virtual Private Cloud connected to corporate network via VPN Routes traffic for 192.168.92.0/24 subnet

A Case Study in Virtual Private Cloud

Gerry Miller

Chief Technologist

Cloudticity

(no text extracted for pages 2 to 8)

Page 9: What is Virtual Private Cloud?

Your datacenter connected to dynamic private resources in a public cloud

Page 10: Application Architecture

Diagram components (text recovered from the slide):
- Web Browser
- Content Management System
- Web Service Proxy
- Database Server
- CMS People Services, Marketing Staging
- Services Server
- Service Bus
- Data Proxy Services
- Marketing App
- Outside Services: Oracle, Postalsoft, Email Marketing, Salesforce.com

Page 11: VPC Architecture

Diagram caption: Amazon.com AWS Cloud Configuration for Virtual Private Cloud connected to corporate network via VPN. Text recovered from the diagram:

VPC hosts
- DEV Web Server: 192.168.92.88 (internal), 184.xxx.xxx.xxx (external)
- QA Web Server: 192.168.92.92 (internal), 184.xxx.xxx.xxx (external)
- Domain Controller: 192.168.92.218
- DEV SQL Server: 192.168.92.237
- QA SQL Server: 192.168.92.197
- DEV Enterprise Service Bus: 192.168.92.147
- QA Enterprise Service Bus: 192.168.92.188

VPC subnets
- External: 192.168.92.0/25
- Internal: 192.168.92.128/25

Network elements
- Internet Users, Internet, Amazon Firewall, Amazon Internet Gateway
- Amazon VPN Gateway, AWS Internal Connections
- Corp VPN Device 212.14.xx.xx, Corp Firewall, Corporate Network
- Route label: routes traffic for 192.168.92.0/24 subnet

Corporate-network resources reached over the VPN
- XMPie (DEV, QA, PROD)
- Oracle DEV, Oracle QA, Oracle PROD
- PostalSoft DEV

Traffic rules (edge labels on the diagram; the slide does not tie each port rule to a named host)
- All external traffic routed to Internet (must include 80, 443, DNS, NTP, etc.), outbound-initiated only
- Port 50000 bidirectional
- Ports 80, 443, and full SMB access to UNC locations on XMPie servers (unidirectional from VPC)
- Port 50001 bidirectional
- Port 50002 bidirectional
- Ports 21, 80, 443 from VPC to server (unidirectional)
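To sanity-check a proposed flow against the edge labels on this diagram before it is written into a security group or ACL, here is an added Python model (not the presenter's or Cloudticity's code) that encodes the two /25 subnets, the /24 the VPN routes, and the port rules grouped by who may initiate. It assumes a constructed corporate range of 10.10.0.0/16 and TCP 445 for "full SMB"; because the slide does not tie the port rules to named hosts, ports are grouped only by direction, and customer access from the Internet to the web servers is left unmodelled.

```python
import ipaddress

# Prefix the VPN gateway routes to the corporate side, and the two /25s inside it.
VPC = ipaddress.ip_network("192.168.92.0/24")
SUBNETS = {
    "external": ipaddress.ip_network("192.168.92.0/25"),    # web servers
    "internal": ipaddress.ip_network("192.168.92.128/25"),  # DC, SQL, ESB
}
# Constructed placeholder: the slide does not give the corporate address range.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")

# Edge labels from the diagram, grouped by who may initiate. The slide does not
# say which corporate host each port belongs to, so no per-host mapping is made.
BIDIRECTIONAL = {50000, 50001, 50002}  # either side may open the connection
VPC_INITIATED = {21, 80, 443, 445}     # 445 = SMB to XMPie UNC paths (assumed port)

def subnet_of(ip: str):
    """Name of the VPC subnet holding `ip`, or None if it is outside the VPC."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if addr in net), None)

def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in VPC:
        return "vpc"
    if addr in CORPORATE:
        return "corporate"
    return "internet"  # everything else is reached through the Internet Gateway

def vpn_route_covers_subnets() -> bool:
    """Both /25s must fall inside the /24 advertised over the VPN."""
    return all(VPC.supernet_of(net) for net in SUBNETS.values())

def connection_allowed(src: str, dst: str, dst_port: int) -> bool:
    """May `src` open a connection to `dst`:`dst_port` under the slide's rules?"""
    if not 1 <= dst_port <= 65535:
        raise ValueError(f"invalid TCP/UDP port {dst_port}")
    s, d = zone(src), zone(dst)
    if s == "vpc" and d == "internet":
        return True  # outbound-initiated only; any port (80, 443, DNS, NTP, ...)
    if s == "vpc" and d == "corporate":
        return dst_port in BIDIRECTIONAL | VPC_INITIATED
    if s == "corporate" and d == "vpc":
        return dst_port in BIDIRECTIONAL  # corporate may not initiate the VPC-only ports
    # Internet-initiated (customer access) and VPC-internal flows are not on this diagram: deny.
    return False

if __name__ == "__main__":
    print("QA SQL Server 192.168.92.197 is in the", subnet_of("192.168.92.197"), "subnet")
    print("corporate may start SMB into the VPC:", connection_allowed("10.10.1.5", "192.168.92.147", 445))
```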

Page 12: VPC Subnets (same diagram as page 11)

Page 13: VPC Architecture (same diagram as page 11)

Page 14: VPC Connection to Datacenter (same diagram as page 11)

Page 15: VPC Architecture (same diagram as page 11)

Page 16: VPC Using Internal Resources (same diagram as page 11)

Page 17: VPC Architecture (same diagram as page 11)

Page 18: Customer Access to System (same diagram as page 11)

Page 19: VPC Architecture (same diagram as page 11)

Page 20: VPC Security Layers

Diagram of the control layers, listed in the order they appear on the slide and grouped by the tier they sit beside.

Internet to web tier:
- Internet
- Amazon External Firewall
- Amazon External Routing Rules
- Amazon Security Groups
- Amazon Routing ACLs
- Windows Firewall
- Web Server Auth & ACLs

Web tier to ESB & DB tier:
- Amazon Internal Firewall
- Amazon Security Groups
- Windows Firewall
- ESB & DB Server Auth & ACLs
- Amazon Internal Routing Rules
- Amazon Routing ACLs

VPC to corporate datacenter:
- Amazon Routing ACLs
- Corporate VPN Firewall
- Amazon Routing Rules
- Corporate Internal Firewall
- Windows Firewall
- Corp server auth and ACLs across all internal datacenters

Page 21: Things We Learned

Page 22: Thank You! Any Questions?

Gerry Miller [email protected] http://cloudticity.com

Wrangle the Cloud™