AWS networking fundamentals
TRANSCRIPT
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS networking fundamentals
NET201-R
Alan Halachmi
Director, Public Sector
AWS Solutions Architecture
Amazon Web Services
Steve Seymour
WW Tech Leader, Networking
AWS Solutions Architecture
Amazon Web Services
AWS global infrastructure
AWS Region
[Diagram: Region US-EAST-1]
Availability Zone (AZ)
[Diagram: Region US-EAST-1 containing Availability Zones US-EAST-1A and US-EAST-1B]
Data center
Rack, host, EC2 instance
[Diagram: Region US-EAST-1 with instances running in Availability Zones US-EAST-1A and US-EAST-1B]
Amazon Virtual Private Cloud (Amazon VPC)
[Diagram: a VPC spanning Availability Zones US-EAST-1A and US-EAST-1B, containing the instances in each zone]
Subnets
[Diagram: the VPC with a public subnet and a private subnet in each of US-EAST-1A and US-EAST-1B]
EC2 instances
[Diagram: instances placed in the public and private subnets of each Availability Zone]
Gateways, endpoints & peering
[Diagram: the same VPC with gateways, endpoints and peering connections attached to it]
Example web application
[Diagram: an ELB in front of web servers in the public subnets and application servers in the private subnets of US-EAST-1A and US-EAST-1B; the web servers share a Web Server Security Group and the application servers an App Server Security Group]
IP addressing
[Diagram: the VPC with public and private subnets in US-EAST-1A and US-EAST-1B]
Private IP address range for your VPC – IPv4
• "CIDR" range?
  • Classless Inter-Domain Routing
  • No more Class A, B, C
• RFC 1918
  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8
• How much?
  • /16
  • /28
Where to use IPv4 addresses?
[Diagram: a VPC with four subnets, two per Availability Zone, each labelled with a 172.31. prefix]
IPv6 basics
IPv6: colon-separated hextet notation + CIDR
2001:0db8:0ec2:0000:0000:0000:0000:0001/64    0000:0000:0000:0000:0000:0000:0000:0001/128
2001:db8:ec2:0:0:0:0:1/64                     0:0:0:0:0:0:0:1/128
2001:db8:ec2::1/64                            ::1/128
Unicast addresses
• Loopback address: ::1
• Link Local Address (LLA): fe80::/10 (fe80::/64 in practice)
• Global Unicast Address (GUA): 2600:1f16:14d:6300::/64
Multicast addresses (ff00::/8)
• All nodes: ff02::1
• All routers: ff02::2
• Solicited node: ff02::1:ff00:0/104
IPv6 on AWS
• /56 VPC
• /64 subnets
• Dual stack
• Link Local Address and Global Unicast Address required
[Diagram: an instance carrying an IPv4 private address, an IPv6 Link Local Address (private) and an IPv6 Global Unicast Address (public)]
Where to use IPv6 addresses?
[Diagram: the VPC is assigned 2600:1f16:14d:6300::/56; each of the four subnets (two per Availability Zone) carries a 172.31. IPv4 range plus one /64: 2600:1f16:14d:6300::/64, 2600:1f16:14d:6301::/64, 2600:1f16:14d:6328::/64 and 2600:1f16:14d:6329::/64]
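The addressing rules from the last few slides (RFC 1918 ranges, VPC sizes between /16 and /28, a /56 VPC carved into /64 subnets, and the full versus compressed hextet notation) worked through with the standard `ipaddress` module. This is an added example, not code from the deck; the subnet indexes used to reproduce the slide's /64 values (0x28 for ...6328::/64) are an assumption about how that slide numbered its subnets.

```python
"""Address-planning checks for a VPC (added example, not from the deck)."""
import ipaddress

# The RFC 1918 ranges listed on the slide.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "/16" and "/28" from the slide: the largest and smallest VPC block.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def validate_vpc_cidr(cidr: str) -> list:
    """Return the problems with a proposed IPv4 VPC CIDR (empty list = acceptable)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return [f"not a valid CIDR: {exc}"]
    if net.version != 4:
        return ["expected an IPv4 CIDR"]
    problems = []
    if str(net) != cidr:
        problems.append(f"{cidr} is not on a CIDR boundary; did you mean {net}?")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 range")
    if net.prefixlen < VPC_MIN_PREFIX:
        problems.append(f"{net} is larger than /{VPC_MIN_PREFIX}")
    if net.prefixlen > VPC_MAX_PREFIX:
        problems.append(f"{net} is smaller than /{VPC_MAX_PREFIX}")
    return problems


def nth_subnet(vpc_cidr: str, new_prefix: int, index: int) -> str:
    """The index-th subnet of length new_prefix carved from the VPC block (IPv4 or IPv6).

    Computed arithmetically so a /8 split into /28s does not need a million-entry list.
    """
    net = ipaddress.ip_network(vpc_cidr)
    if not net.prefixlen <= new_prefix <= net.max_prefixlen:
        raise ValueError(f"/{new_prefix} does not fit inside {net}")
    count = 2 ** (new_prefix - net.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"only {count} /{new_prefix} subnets fit in {net}")
    size = 2 ** (net.max_prefixlen - new_prefix)
    return str(ipaddress.ip_network((int(net.network_address) + index * size, new_prefix)))


def overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if two blocks overlap; relevant because peered VPCs may not overlap."""
    a, b = ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)
    return a.version == b.version and a.overlaps(b)


def ipv6_forms(address: str) -> tuple:
    """(full hextet notation, compressed notation) for one IPv6 address, as on the slide."""
    ip = ipaddress.IPv6Address(address)
    return ip.exploded, ip.compressed


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.0.0.0/8", "8.8.8.0/24", "10.0.0.0/29"):
        print(cidr, validate_vpc_cidr(cidr) or "ok")
    # Reproduce the four /64s shown on the IPv6 slide from the VPC's /56.
    for i in (0x00, 0x01, 0x28, 0x29):
        print(nth_subnet("2600:1f16:14d:6300::/56", 64, i))
    print(ipv6_forms("2001:db8:ec2::1"))
```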
The "5 things" required for Internet traffic
1. Public IP address
2. Internet Gateway attached to the VPC
3. Route to the Internet Gateway
4. NACL allow rule
5. Security Group allow rule
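The five prerequisites above turned into a checker, as an added example that is not code from the deck: a small model of a VPC (route tables with longest-prefix match, stateless NACLs evaluated in rule-number order, stateful allow-only security groups) reports which of the five items stand between an Internet client and an instance port. All subnet names, addresses and rules are constructed for illustration.

```python
"""Which of the "5 things" are unmet for inbound Internet traffic to an instance?

Added example, not from the deck. Names, CIDRs and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int      # NACL rule number: evaluated in ascending order, first match wins
    action: str      # "allow" or "deny" (security groups only ever hold "allow")
    proto: str       # "tcp", "udp" or "-1" for all traffic
    from_port: int
    to_port: int
    cidr: str


@dataclass
class Instance:
    subnet: str
    public_ip: Optional[str]
    sg_inbound: list  # security group rules; stateful, so replies need no rule


@dataclass
class Vpc:
    igw_attached: bool
    routes: dict   # subnet -> [(destination CIDR, target)]
    nacls: dict    # subnet -> {"inbound": [Rule], "outbound": [Rule]}; stateless


def matches(rule, proto, port, ip):
    """Does the rule cover this protocol, port and remote address?"""
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules, proto, port, ip):
    """NACL semantics: lowest rule number first, first match decides, implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, proto, port, ip):
    """Security group semantics: allow rules only; unmatched traffic is dropped."""
    return any(matches(rule, proto, port, ip) for rule in rules)


def route_target(routes, dest_ip):
    """Longest-prefix match over a subnet's route table; None if nothing matches."""
    addr, best = ipaddress.ip_address(dest_ip), None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_reachability(vpc, inst, remote_ip, port, proto="tcp", client_port=40000):
    """Unmet items of the "5 things" list for remote_ip -> inst:port (empty = reachable)."""
    missing = []
    if not inst.public_ip:
        missing.append("1. public IP address")
    if not vpc.igw_attached:
        missing.append("2. Internet Gateway attached to the VPC")
    if route_target(vpc.routes[inst.subnet], remote_ip) != "igw":
        missing.append("3. route to the Internet Gateway")
    nacl = vpc.nacls[inst.subnet]
    # Stateless NACL: the inbound request AND the outbound reply to the client's
    # ephemeral port must each hit an allow rule.
    if not (nacl_allows(nacl["inbound"], proto, port, remote_ip)
            and nacl_allows(nacl["outbound"], proto, client_port, remote_ip)):
        missing.append("4. NACL allow rule")
    if not sg_allows(inst.sg_inbound, proto, port, remote_ip):
        missing.append("5. Security Group allow rule")
    return missing


def example_vpc():
    """Constructed VPC 10.0.0.0/16: public subnet routed to the IGW, private to a NAT."""
    allow_all = [Rule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")]
    # Public subnet NACL: rule 90 denies SSH before the catch-all allow at 100.
    public_nacl = {"inbound": [Rule(90, "deny", "tcp", 22, 22, "0.0.0.0/0")] + allow_all,
                   "outbound": allow_all}
    vpc = Vpc(igw_attached=True,
              routes={"public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
                      "private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat")]},
              nacls={"public": public_nacl,
                     "private": {"inbound": allow_all, "outbound": allow_all}})
    web = Instance("public", "198.51.100.10", [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")])
    app = Instance("private", None, [Rule(0, "allow", "tcp", 8080, 8080, "10.0.0.0/16")])
    return vpc, web, app


if __name__ == "__main__":
    vpc, web, app = example_vpc()
    for name, inst, port in (("web", web, 443), ("web", web, 22), ("app", app, 8080)):
        print(name, port, internet_reachability(vpc, inst, "203.0.113.9", port) or "reachable")
```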
Public IP addresses for your instances
• Auto-assign public IP addresses
• Elastic IP Addresses (EIP)
• Amazon EIP Pool
• Bring Your Own IP (BYOIP) Pool
Public IP addresses
[Diagram: public IP addresses assigned to instances in the subnets of US-EAST-1A and US-EAST-1B]
Gateways, endpoints & peering
[Diagram: icons for Customer Gateway, Endpoints, Internet Gateway, NAT Gateway, Peering connection, VPN Gateway and AWS Transit Gateway]
Internet access
[Diagram: instances reaching the Internet through an Internet Gateway attached to the VPC]
Different routes for different subnets
[Diagram: a public subnet and a private subnet, each associated with its own route table]
Public & private subnets
[Diagram: public subnet and private subnet side by side]
Network Address Translation (NAT) Gateway
[Diagram: a NAT Gateway in the public subnet used by the private subnet]
Network security
• Network ACLs
• Security Groups
• VPC Flow Logs
• Amazon VPC Traffic Mirroring
Network ACLs
[Diagram: Network ACLs applied to the public and private subnets of the example web application in US-EAST-1A and US-EAST-1B]
Security groups – Inbound
[Diagram: inbound rules of the Web Server Security Group (sg-0f004ca5495132527) on the web servers and of the App Server Security Group (sg-090a960aee374b3cd) on the application servers]
Security groups – Outbound
[Diagram: outbound rules of the Web Server Security Group (sg-0f004ca5495132527) and the App Server Security Group (sg-090a960aee374b3cd)]
VPC flow logs
• Amazon CloudWatch Logs or Amazon S3
• Does not impact throughput or latency
• Apply to VPC, Subnet, or ENI
• Accepted, Rejected, or All traffic
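What "Accepted, Rejected, or All traffic" looks like once the records land in CloudWatch Logs or S3, as an added example that is not code from the deck: a parser for the default flow log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and a summary of REJECTed inbound traffic from outside the VPC, including a source that probes many distinct ports. The sample records, the account id and the ENI id are constructed.

```python
"""Parse VPC Flow Log records (default format) and summarise rejected traffic.

Added example, not from the deck. SAMPLE_LOG is constructed: placeholder account
id and ENI id, documentation-range addresses, one NODATA record at the end.
"""
import ipaddress
from collections import Counter, defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.7 172.31.16.21 51122 22 6 1 40 1570000000 1570000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 172.31.16.21 51123 23 6 1 40 1570000000 1570000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 172.31.16.21 51124 3389 6 1 40 1570000000 1570000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 172.31.16.21 51125 445 6 1 40 1570000000 1570000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.4 172.31.16.21 40312 443 6 12 3210 1570000000 1570000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 172.31.16.21 198.51.100.4 443 40312 6 10 9822 1570000000 1570000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 172.31.0.99 172.31.16.21 33012 8080 6 3 180 1570000000 1570000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1570000000 1570000060 - NODATA
"""


def parse_record(line: str):
    """Split one default-format record into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA / SKIPDATA records carry '-' fields
        return rec
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["protocol"] = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
    return rec


def rejected_inbound(lines, vpc_cidr: str) -> list:
    """REJECTed records whose source lies outside the VPC (blocked by a NACL or SG)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    out = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) not in vpc:
            out.append(rec)
    return out


def summarize(lines, vpc_cidr: str, scan_threshold: int = 3) -> dict:
    """Reject counts per (ENI, protocol, port) plus external sources hitting many ports."""
    rejects = rejected_inbound(lines, vpc_cidr)
    by_port = Counter((r["interface_id"], r["protocol"], r["dstport"]) for r in rejects)
    ports_by_src = defaultdict(set)
    for r in rejects:
        ports_by_src[r["srcaddr"]].add(r["dstport"])
    scanners = sorted(src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"rejects_by_port": dict(by_port), "probable_scanners": scanners}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), "172.31.0.0/16")
    for key, count in sorted(result["rejects_by_port"].items()):
        print(key, count)
    print("probable scanners:", result["probable_scanners"])
```

Rejected records only tell you that a NACL or security group dropped the traffic, not which one; correlating the ENI's subnet NACL and attached groups is the next step.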
Amazon VPC traffic mirroring
• Mirror to another ENI or to a Network Load Balancer with a UDP listener
• Packet copy; shares the interface's bandwidth
• Traffic mirror filters define the "interesting traffic"
• A traffic mirror session is the combination of source, target, and filter
[Diagram: a mirror source, a filter ("Filter 1") and a target making up a session]
High availability & scale
[Diagram: a single web server]
Elastic Load Balancing
[Diagram: Elastic Load Balancing in front of three web servers]
Elastic Load Balancing (ELB) distributes incoming application or network traffic across multiple targets, such as Amazon EC2 instances, containers, Lambda functions, and IP addresses, in multiple Availability Zones.
ELB: Options
• Application Load Balancer
• Network Load Balancer
• Classic Load Balancer
ALB: Components
[Diagram: a Listener with a default action and a Listener Rule "Forward /img/*" sending requests to Target Groups; each Target Group health-checks its Targets, here web servers and an IP Target behind Elastic Load Balancing]
Example web application
[Diagram: as before: an ELB, web servers in the public subnets and application servers in the private subnets of US-EAST-1A and US-EAST-1B, with a Web Server Security Group and an App Server Security Group]
Example web application – Final
[Diagram: the final layout adds a further pair of private subnets; the ELB, web servers and application servers keep their Web Server and App Server Security Groups across US-EAST-1A and US-EAST-1B]
Connecting between VPCs
[Diagram: three VPCs in the AWS Cloud]
VPC peering – same region
[Diagram: three VPCs in the AWS Cloud connected by peering connections, built up one connection at a time]
VPC peering – different region
![Page 58: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/58.jpg)
VPC peering – different account
VPC peering – things to know
• Can reference security groups from the peer VPC in the same region
• Can enable DNS hostname resolution to return private IP addresses
• Can peer for both IPv4 & IPv6 addresses
• Cannot have overlapping IP addresses
• Cannot have multiple peers between the same pair of VPCs
• Cannot use jumbo frames across inter-region VPC peering
AWS site-to-site VPN setup – VGW
[Diagram: VPC 10.0.0.0/16 with a Virtual Private Gateway; Corporate Data Center 172.16.0.0/16]
AWS site-to-site VPN – CGW
[Diagram: a Customer Gateway at the Corporate Data Center 172.16.0.0/16 facing the Virtual Private Gateway of VPC 10.0.0.0/16]
IP address not needed when a certificate is used
AWS site-to-site VPN
[Diagram: Corporate Data Center 172.16.0.0/16 with a Customer Gateway connected to the Virtual Private Gateway of VPC 10.0.0.0/16; the gateway "knows how to get to 172.16.0.0/16" while the instance at first "doesn't…", until the VPC route table gets 172.16.0.0/16 via VGW]
1x VPN Connection = 2x VPN Tunnels
1x VPN Tunnel = 1.25 Gbps
1 tunnel always preferred
AWS Direct Connect – physical connection
[Diagram: a Customer Router at the Corporate Data Center 172.16.0.0/16 connects to a Customer Router at the Direct Connect Location, which cross-connects to an AWS Router on the AWS Global Network]
AWS Direct Connect – Interface types
• Private VIF – used to connect to Amazon VPCs using private IP addresses, directly or via a Direct Connect gateway
• Transit VIF – used to connect to AWS Transit Gateways via a Direct Connect gateway
• Public VIF – used to access all AWS public services using public IP addresses
All Virtual Interfaces are 802.1Q VLANs with BGP peering
AWS Direct Connect gateway – Private VIF
[Diagram: the Corporate Data Center 172.16.0.0/16 reaches the Direct Connect Location through its Customer Router; a Private Virtual Interface to a Direct Connect Gateway on the AWS Global Network reaches VPCs 10.0.0.0/16, 10.1.0.0/16 and 10.2.0.0/16 across two Regions]
Route propagation
• Enable propagation on the route table
• Automatically populates it with anything the VGW learns via BGP
[Diagram: VPC 10.0.0.0/16 with a VGW connected over DX or S2S VPN to the Corporate Data Center (192.168.0.0/16)]
AWS Direct Connect – Public VIF
[Diagram: from the Corporate Data Center 172.16.0.0/16 through the Customer Router and the Direct Connect Location, a Public Virtual Interface on the AWS Global Network reaches the public endpoints of Amazon Simple Storage Service (Amazon S3), Amazon CloudWatch and Amazon DynamoDB, shown alongside VPC 10.2.0.0/16]
Interconnecting VPCs at scale – VPC peering
[Diagram: three VPCs meshed with peering connections, then more VPCs added; the number of peering connections grows with every VPC]
Multiple VPCs access models – AWS Transit Gateway
[Diagram: six VPCs in the AWS Cloud, each attached to a single AWS Transit Gateway]
AWS Transit Gateway with AWS site-to-site VPN
[Diagram: VPCs attached to an AWS Transit Gateway that also has a VPN Attachment to the Corporate Data Center 172.16.0.0/16]
VPC Route Table: 172.16.0.0/16 via TGW
TGW Route Table: 172.16.0.0/16 via VPN
AWS Transit Gateway with DX gateway
[Diagram: the Corporate Data Center 172.16.0.0/16 reaches the Direct Connect Location through its Customer Router; a Transit Virtual Interface to a DX Gateway on the AWS Global Network connects to an AWS Transit Gateway in each of two Regions, which attach VPCs 10.0.0.0/16, 10.1.0.0/16 and 10.2.0.0/16]
Amazon Route 53 Resolver
• VPC+2 Resolver
• enableDnsHostnames
• enableDnsSupport
• Private Hosted Zones
• Inbound and Outbound Endpoints
[Diagram: VPC 10.0.0.0/16 with an instance at 10.0.0.2 querying the Route 53 Resolver, which serves the private hosted zone example.aws]
VPC DNS options
• Use Amazon DNS server
• Have EC2 auto-assign DNS host names to instances
Amazon Route 53 private hosted zones
[Diagram: a private hosted zone resolving example.demohostedzone.org → 172.31.0.99]
Associating private hosted zones to multiple VPCs
[Diagram: VPC 10.0.0.0/16 (instance 10.0.0.2) and VPC 10.1.0.0/16 (instance 10.1.0.2), each with its own Route 53 Resolver; the private hosted zones example.aws and example2.aws are associated with both VPCs]
Resolving AWS domains from on-premises – Route 53 Resolver
[Diagram: a DNS server in the Corporate Data Center 172.16.0.0/16 forwards queries to a Route 53 Resolver Inbound ENI in VPC 10.0.0.0/16, which answers from the private hosted zone example.aws (instance 10.0.0.2)]
Resolving on-premises domains from AWS – Route 53 Resolver
[Diagram: an instance in VPC 10.0.0.0/16 queries the Route 53 Resolver; a resolver rule (FORWARD: example.internal TO: Server) sends the query out through the Route 53 Resolver Outbound ENI to the DNS server in the Corporate Data Center 172.16.0.0/16 that hosts the private zone example.internal]
Other AWS services in your VPC
• Amazon Relational Database Service (Amazon RDS)
[Diagram: instances in the customer VPC's subnets in US-EAST-1A and US-EAST-1B; two Amazon RDS instances, labelled P and S, run in a service VPC and are presented into the customer subnets]
Other AWS services in your VPC
• Amazon WorkSpaces
[Diagram: WorkSpaces run from a service VPC with a Streaming Gateway and attach into the customer VPC's subnets in both Availability Zones]
Other AWS services in your VPC
• AWS Lambda
• VPC-2-VPC NAT (V2N)
[Diagram: the Lambda service VPC connects into the customer VPC's subnets in US-EAST-1A and US-EAST-1B through V2N]
Gateway VPC endpoints
[Diagram: instances in the public and private subnets of US-EAST-1A and US-EAST-1B reaching Amazon S3 and DynamoDB in US-EAST-1 through the Internet Gateway (IGW), following the main Route Table]
[Diagram: instances in private subnets only; a Gateway VPC Endpoint is added and the main Route Table sends Amazon S3 and DynamoDB traffic to it]
![Page 100: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/100.jpg)
Private subnet Private subnet
Interface VPC endpoints (AWS PrivateLink)
VPC
Availability Zone
US-EAST-1A
Availability Zone
US-EAST-1B
Instance Instance
US-EAST-1
Private subnet Private subnet
Amazon API Gateway
Amazon CloudWatch
AWS CodeCommit
Amazon Simple Queue
Service (Amazon SQS)
AWS Systems Manager
AWS Transfer for SFTP
Amazon Kinesis
Data Streams
![Page 101: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/101.jpg)
Private subnet Private subnet
Interface VPC endpoints (AWS PrivateLink)
VPC
Availability Zone
US-EAST-1A
Availability Zone
US-EAST-1B
Instance Instance
US-EAST-1
Private subnet Private subnet
Amazon API Gateway
Amazon CloudWatch
AWS CodeCommit
Amazon Simple Queue Service
AWS Systems Manager
AWS Transfer for SFTP
Amazon Kinesis
Data Streams
sqs.us-east-1.amazonaws.com ?
52.94.242.77
![Page 102: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/102.jpg)
Private subnet Private subnet
Interface VPC endpoints (AWS PrivateLink)
VPC
Availability Zone
US-EAST-1A
Availability Zone
US-EAST-1B
Instance Instance
US-EAST-1
Private subnet Private subnet
Amazon API Gateway
Amazon CloudWatch
AWS CodeCommit
Amazon Simple Queue Service
AWS Systems Manager
AWS Transfer for SFTP
Amazon Kinesis
Data Streams
sqs.us-east-1.amazonaws.com ?
52.94.242.77
![Page 103: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/103.jpg)
Interface VPC endpoints (AWS PrivateLink)
Same diagram as page 100, now with an interface endpoint (an ENI) placed in the private subnet of each Availability Zone.
![Page 104: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/104.jpg)
Interface VPC endpoints (AWS PrivateLink)
Same diagram as page 103. With the endpoint's private DNS name enabled, sqs.us-east-1.amazonaws.com now resolves to the endpoint ENI addresses 172.31.1.5 and 172.31.2.7, one per Availability Zone, so traffic to SQS stays inside the VPC.
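The resolution check that pages 101 through 104 illustrate, written out as an added example (not code from the deck): given the answers the VPC resolver returns for a service name, decide whether traffic would stay on interface endpoint ENIs inside the VPC or leave through the public address, and which Availability Zones those ENIs cover. The VPC CIDR 172.31.0.0/16 and the addresses come from the slides; the subnet-to-AZ mapping (172.31.1.0/24 in us-east-1a, 172.31.2.0/24 in us-east-1b) is an assumption inferred from the addresses shown, and the resolver answers are constructed rather than captured.

```python
"""Classify DNS answers for an AWS service name relative to a VPC.

Added example, not part of the original deck. Sample data is constructed to
match the slides' scenario; in practice the answers come from `dig` or
socket.getaddrinfo() run on an instance inside the VPC.
"""
import ipaddress

VPC_CIDR = "172.31.0.0/16"  # from the slides

# Assumption: the private subnets that host the endpoint ENIs, one per AZ.
SUBNETS = {
    "172.31.1.0/24": "us-east-1a",
    "172.31.2.0/24": "us-east-1b",
}

# Constructed resolver answers for sqs.us-east-1.amazonaws.com.
BEFORE_ENDPOINT = ["52.94.242.77"]               # public SQS front end
AFTER_ENDPOINT = ["172.31.1.5", "172.31.2.7"]    # endpoint ENIs, private DNS on


def classify(answers, vpc_cidr=VPC_CIDR):
    """'private' if every answer is inside the VPC, 'public' if none is,
    'mixed' if the resolver returned a split answer."""
    net = ipaddress.ip_network(vpc_cidr)
    inside = sum(1 for a in answers if ipaddress.ip_address(a) in net)
    if inside == len(answers):
        return "private"
    if inside == 0:
        return "public"
    return "mixed"


def endpoint_azs(answers, subnets=SUBNETS):
    """Map each in-VPC answer to the AZ of the subnet that contains it."""
    azs = set()
    for a in answers:
        ip = ipaddress.ip_address(a)
        for cidr, az in subnets.items():
            if ip in ipaddress.ip_network(cidr):
                azs.add(az)
    return sorted(azs)


def audit(hostname, answers, required_azs):
    """Findings for one service name; an empty list means the endpoint is
    private and present in every AZ the workload runs in."""
    findings = []
    kind = classify(answers)
    if kind != "private":
        findings.append(f"{hostname}: resolves {kind}; traffic would leave the VPC")
        return findings
    missing = sorted(set(required_azs) - set(endpoint_azs(answers)))
    if missing:
        findings.append(f"{hostname}: no endpoint ENI in {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    host = "sqs.us-east-1.amazonaws.com"
    for label, answers in (("before endpoint", BEFORE_ENDPOINT),
                           ("after endpoint", AFTER_ENDPOINT)):
        print(label, classify(answers), endpoint_azs(answers),
              audit(host, answers, ["us-east-1a", "us-east-1b"]))
```

The AZ check matters as much as the private/public one: an endpoint with an ENI in only one subnet still resolves privately, but an outage of that AZ leaves the instances in the other AZ without a path to the service.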
![Page 105: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/105.jpg)
AWS PrivateLink – your own services
Diagram: a consumer VPC (172.31.0.0/16) in US-EAST-1 with an instance in a private subnet in each of US-EAST-1A and US-EAST-1B, and a separate service VPC (10.50.0.0/16) whose private subnets sit behind a Network Load Balancer; the consumer reaches the service through interface endpoints, so the two address ranges may overlap.
![Page 106: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/106.jpg)
AWS PrivateLink – Your own services – On-prem
Diagram: an instance in a private subnet in US-EAST-1B, the service VPC (10.50.0.0/16) behind a Network Load Balancer, and a corporate data center (172.16.0.0/16) connected over Direct Connect (DX) or VPN.
![Page 107: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/107.jpg)
Endpoint policies
• A VPC endpoint policy is an AWS Identity and Access Management (IAM) resource policy that you attach to an endpoint
• An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies); a request must be permitted by every policy that applies to it
Example for S3
• IAM policy at VPC endpoint: You may only access the “Data” bucket
• IAM policy at S3 bucket: Access to this bucket is only allowed from VPCE-X
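The S3 example above, worked through in a deliberately simplified policy evaluator (an added example, not AWS's engine or code from the deck). It implements only what the two slide policies need: Allow and Deny effects, wildcard Action and Resource, and StringEquals / StringNotEquals on aws:SourceVpce. The bucket name "data", the endpoint ID "vpce-x", a second endpoint "vpce-y" and the broad identity policy are assumed stand-ins so that each combination can be exercised.

```python
"""Simplified model of a VPC endpoint policy combined with an S3 bucket policy.

Added example; not AWS's policy evaluation logic. Names "data", "vpce-x" and
"vpce-y" are assumed stand-ins for the slide's "Data" bucket and VPCE-X.
"""
from fnmatch import fnmatchcase

DATA_BUCKET = ["arn:aws:s3:::data", "arn:aws:s3:::data/*"]

# Identity policy on the caller: broad S3 access (assumed).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Endpoint policy on VPCE-X: "you may only access the Data bucket".
ENDPOINT_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": DATA_BUCKET}]}

# Bucket policy on Data: "access only allowed from VPCE-X". A request with no
# aws:SourceVpce key (internet or NAT path) satisfies StringNotEquals, so the
# Deny catches traffic that never touched an endpoint as well.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": DATA_BUCKET,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-x"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals":
                if have is None or have not in _as_list(want):
                    return False
            elif op == "StringNotEquals":
                if have is not None and have in _as_list(want):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {op}")
    return True


def _matches(st, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
            and _condition_holds(st.get("Condition", {}), ctx))


def evaluate(policy, action, resource, ctx):
    """Decision of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    effects = {st["Effect"] for st in policy["Statement"]
               if _matches(st, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def decide(action, resource, ctx, identity=IDENTITY_POLICY,
           endpoint=ENDPOINT_POLICY, bucket=BUCKET_POLICY):
    """Combine the layers: an explicit Deny anywhere wins, the identity policy
    must grant, and when the request arrives through an endpoint
    (aws:SourceVpce present) the endpoint policy must grant too."""
    layers = [("identity", identity), ("bucket", bucket)]
    if "aws:SourceVpce" in ctx:
        layers.insert(1, ("endpoint", endpoint))
    results = {name: evaluate(p, action, resource, ctx) for name, p in layers}
    for name, result in results.items():
        if result == "Deny":
            return False, f"explicit deny in {name} policy"
    for name in ("identity", "endpoint"):
        if name in results and results[name] != "Allow":
            return False, f"no allow in {name} policy"
    return True, "allowed"


def run_scenarios():
    obj, other = "arn:aws:s3:::data/report.csv", "arn:aws:s3:::other/report.csv"
    return {
        "data via VPCE-X": decide("s3:GetObject", obj, {"aws:SourceVpce": "vpce-x"}),
        "other via VPCE-X": decide("s3:GetObject", other, {"aws:SourceVpce": "vpce-x"}),
        "data via VPCE-Y": decide("s3:GetObject", obj, {"aws:SourceVpce": "vpce-y"}),
        "data via NAT/IGW": decide("s3:GetObject", obj, {}),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

Only the first scenario succeeds: the endpoint policy stops the VPC's instances from reaching any other bucket, and the bucket policy stops any path other than VPCE-X from reaching the Data bucket. One caveat with the Deny-plus-StringNotEquals pattern: it also locks out administrators and the console from outside the endpoint, so a real bucket policy usually exempts a break-glass role.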
![Page 108: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/108.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 109: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/109.jpg)
Summary diagram ("Your VPC"): public and private subnets in US-EAST-1A and US-EAST-1B; an Internet gateway (IGW), an ELB in front of the web servers, NAT gateways (NAT-GW), Lambda ENIs and WorkSpaces; VPC peering and AWS Transit Gateway to other VPCs; VPC endpoints (VPCE) for Amazon SQS and Amazon S3; connectivity to a corporate data center over Direct Connect (DXGW, VIF, VGW) and over VPN (VGW, CGW); Route 53 Resolver at VPC+2 with private hosted zones.
![Page 110: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/110.jpg)
Security
The same diagram with the security controls overlaid: a Web Server Security Group and an App Server Security Group (web servers behind the ELB, application servers in the private subnets), an egress-only internet gateway (EIGW), a PrivateLink VPC, VPC Flow Logs and Traffic Mirroring, alongside the IGW, NAT gateways, VPC peering, AWS Transit Gateway and the Amazon SQS and Amazon S3 VPC endpoints.
![Page 111: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/111.jpg)
Related sessions
Tuesday
• NET317-R Connectivity to AWS and hybrid AWS network architectures
• NET320-R1 The right AWS network architecture for the right reason
Wednesday
• NET305-R1 Advanced VPC design and new capabilities for Amazon VPC
• NET203-L Leadership session: Networking
Thursday
• NET339 Innovation and operation of the AWS global network infrastructure
• NET322-R1 Shared VPC: Simplify your AWS Cloud scale network with VPC sharing
![Page 112: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/112.jpg)
Learn networking with AWS Training and Certification
Resources created by the experts at AWS to help you build and validate networking skills
Free digital courses cover topics related to networking and content delivery, including Introduction to Amazon CloudFront and Introduction to Amazon VPC
Visit aws.amazon.com/training/paths-specialty
Validate expertise with the AWS Certified Advanced Networking - Specialty exam
![Page 113: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/113.jpg)
Thank you!
Alan Halachmi
Director, Public Sector
AWS Solutions Architecture
Amazon Web Services
Steve Seymour
WW Tech Leader, Networking
AWS Solutions Architecture
Amazon Web Services
![Page 114: AWS networking fundamentals](https://reader030.vdocuments.us/reader030/viewer/2022020622/61edc9e8fd8c492dd1097798/html5/thumbnails/114.jpg)