Chris Swan's VPC presentation from the Brighton AWS user group


Uploaded by: cohesive-networks

Posted on 12-Apr-2017


TRANSCRIPT

Page 1: Chris Swan's VPC presentation from the Brighton AWS user group

Chris Swan, CTO, @cpswan

AWS VPC

Page 2

© 2015

Why VPCs?

Page 3

VPCs
- Containment of traffic
  - Layer 3 construct (not a VLAN)
- Control over IP addressing
  - RFC1918
  - Instance private IP sustained over start/stop
- Something to connect into
  - VPNs
  - Direct Connect
- Amazon was filling up the original 10.0.0.0/8 in US-East-1?

Page 4

VPCs are Region bounded
Subnets are Availability Zone (AZ) bounded

Page 5

VPCs are a regional construct
[Diagram: region US-East-1 containing My VPC 172.31.0.0/16]

Page 6

Subnets fit into availability zones
[Diagram: region US-East-1, AZ US-East-1E; My VPC 172.31.0.0/16 with subnet My Pub-1E 172.31.5.0/24 inside the AZ]

Page 7

Public subnets attach to the Internet via a gateway
[Diagram: region US-East-1, AZ US-East-1E; My VPC 172.31.0.0/16; My Pub-1E 172.31.5.0/24 attached to an IGW]

Page 8

Private subnets aren't Internet attached
[Diagram: region US-East-1, AZ US-East-1E; My VPC 172.31.0.0/16; My Pub-1E 172.31.5.0/24 attached to an IGW; My Priv-1E 172.31.6.0/24 with no gateway]

Page 9

Private subnets can route out via a NAT VM
[Diagram: region US-East-1, AZ US-East-1E; My VPC 172.31.0.0/16; My Pub-1E 172.31.5.0/24 attached to an IGW; My Priv-1E 172.31.6.0/24 routing out via a NAT instance]

Page 10

In-region redundancy across AZs
[Diagram: region US-East-1 with AZs US-East-1E and US-East-1A; My VPC 172.31.0.0/16; in US-East-1E, My Pub-1E 172.31.5.0/24 (IGW) and My Priv-1E 172.31.6.0/24 (NAT); in US-East-1A, My Pub-1A 172.31.1.0/24 (IGW) and My Priv-1A 172.31.2.0/24 (NAT)]

Page 11

VPC interconnectivity

Page 12

VPC VPN gateways
[Diagram: the two-AZ layout from Page 10 (My VPC 172.31.0.0/16; My Pub-1E 172.31.5.0/24 and My Pub-1A 172.31.1.0/24 with IGWs; My Priv-1E 172.31.6.0/24 and My Priv-1A 172.31.2.0/24 with NATs) plus a VPN gateway connection per AZ]

Page 13

3rd Party VPN gateways
(e.g. Cohesive Networks VNS3)
[Diagram: region US-East-1 with AZs US-East-1E and US-East-1A; My VPC 172.31.0.0/16; My Pub-1E 172.31.5.0/24 and My Pub-1A 172.31.1.0/24 with IGWs, each hosting a VPN appliance in place of the NAT; My Priv-1E 172.31.6.0/24 and My Priv-1A 172.31.2.0/24 behind them]

Page 14

Direct Connect
[Diagram: region US-East-1 with AZs US-East-1E and US-East-1A; My VPC 172.31.0.0/16; My Priv-1E 172.31.6.0/24 and My Priv-1A 172.31.2.0/24, each reached over a Direct Connect (DC) link]

Page 15

Secured Direct Connect
[Diagram: as Page 14 (My VPC 172.31.0.0/16; My Priv-1E 172.31.6.0/24 and My Priv-1A 172.31.2.0/24 over DC links), with a VPN running over each DC link]

Page 16

VPC peering
[Diagram: region US-East-1; My VPC 172.31.0.0/16 peered with My other VPC 172.30.0.0/16]

Page 17

Addressing

Page 18

VPC addresses
- Must be RFC 1918
  - 10.0.0.0
  - 172.16-31.0.0
  - 192.168.0.0
  - (Bring your own IPs by using overlay networks like VNS3)
- Can't be larger than a /16
- Beware of defaults
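The addressing rules on this slide (RFC 1918 only, no larger than a /16, as the deck states them) and the layout drawn on the diagram slides (one VPC, AZ-bounded subnets, a public/private pair repeated per AZ) are easy to check mechanically before anything is created. The following is an added example, not code from the deck or from Cohesive Networks: it uses only Python's standard `ipaddress` module, and the subnet table is constructed from the labels on the diagram slides.

```python
import ipaddress

# RFC 1918 ranges in CIDR form (the deck lists them as 10.0.0.0, 172.16-31.0.0, 192.168.0.0).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_vpc_cidr(cidr):
    """Return the list of problems with a proposed VPC CIDR; an empty list means it passes."""
    try:
        net = ipaddress.ip_network(cidr)   # strict by default: rejects host bits set, e.g. 172.31.5.1/16
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 range")
    if net.prefixlen < 16:
        problems.append(f"{net} is larger than a /16")
    return problems

def check_subnets(vpc_cidr, subnets):
    """subnets maps name -> (availability zone, CIDR). Every subnet must sit inside
    the VPC CIDR and no two subnets may overlap, whichever AZ they are in."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (_az, cidr) in subnets.items()}
    problems = [f"{name} {net} is outside VPC {vpc}"
                for name, net in nets.items() if not net.subnet_of(vpc)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def subnets_per_az(subnets):
    """Group subnet names by AZ: a subnet lives in exactly one AZ, and in-region
    redundancy means repeating the public/private pair in a second AZ."""
    by_az = {}
    for name, (az, _cidr) in subnets.items():
        by_az.setdefault(az, []).append(name)
    return {az: sorted(names) for az, names in by_az.items()}

# The layout drawn on the deck's diagram slides (table constructed here from the slide labels).
DECK_VPC = "172.31.0.0/16"
DECK_SUBNETS = {
    "My Pub-1E":  ("us-east-1e", "172.31.5.0/24"),
    "My Priv-1E": ("us-east-1e", "172.31.6.0/24"),
    "My Pub-1A":  ("us-east-1a", "172.31.1.0/24"),
    "My Priv-1A": ("us-east-1a", "172.31.2.0/24"),
}

if __name__ == "__main__":
    for cidr in (DECK_VPC, "10.0.0.0/8", "172.32.0.0/16", "172.31.5.1/16"):
        print(cidr, check_vpc_cidr(cidr) or "ok")
    print(check_subnets(DECK_VPC, DECK_SUBNETS) or "subnets ok")
    print(subnets_per_az(DECK_SUBNETS))
```

Two of the failure cases are worth noting: 10.0.0.0/8 is private but fails the /16 limit, and 172.32.0.0/16 looks private but falls just outside 172.16.0.0/12, which is the kind of mistake the "172.16-31" notation on the slide invites.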

Page 19

Public IPs
- Can be auto assigned
  - Subnet will default to enabled or disabled
  - Can be overridden when launching instances
- Not persistent

Elastic IPs (EIPs)
- Region (not VPC) bounded
- Reassignable between instances
- Persistent
- No tagging or unique identifier

Page 20

Security

Page 21

Security groups
- Apply at the instance level
- May reference other groups
- Can have multiple groups per instance
- Act as whitelists of what can get through
- Rules evaluated in aggregate
- VPC bounded
- Stateful
- May use IETF protocol numbers in addition to TCP and UDP
  - e.g. IPsec, GRE

Page 22

ACLs
- Apply at the subnet level
- Allow and deny (blacklist)
- Rules processed in order
- Stateless
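The two security slides above contrast security groups (instance level, allow-only, all attached rules evaluated in aggregate, stateful) with ACLs (subnet level, allow and deny, processed in rule order, stateless). The consequence that trips people up is that a reply packet a security group passes automatically can still be dropped by a subnet ACL with no outbound rule for ephemeral ports, and that a deny rule numbered after the matching allow is never reached. The following is an added example, not part of the deck: it models both evaluation orders in plain Python over constructed packets. The `Packet` and `Rule` shapes, the instance address 172.31.5.10 in My Pub-1E, and the RFC 5737 documentation addresses used for outside clients are all assumptions of this example, not the AWS API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", or an IETF protocol number as text, e.g. "50" for ESP
    sport: int   # source port (0 where the protocol has no ports)
    dport: int   # destination port (0 where the protocol has no ports)

@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp", "udp", "-1" for any protocol, or a protocol number
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"  # source CIDR the rule applies to
    action: str = "allow"    # ACLs only: "allow" or "deny"; security groups are allow-only
    number: int = 0          # ACLs only: evaluation order

def rule_matches(rule, pkt):
    """A rule matches on protocol, destination-port range and source CIDR."""
    return ((rule.proto == "-1" or rule.proto == pkt.proto)
            and rule.port_from <= pkt.dport <= rule.port_to
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.cidr))

class SecurityGroups:
    """Instance-level, stateful whitelist: the rules of every attached group are
    evaluated in aggregate, one matching allow rule admits the packet, and there
    are no deny rules. Replies to an admitted flow are allowed automatically."""
    def __init__(self, groups):
        self.rules = [rule for group in groups for rule in group]
        self.flows = set()   # connection-tracking table of admitted forward flows

    def inbound(self, pkt):
        if any(rule_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False

    def outbound_reply(self, pkt):
        """Instance -> client reply: allowed iff the forward flow was admitted."""
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows

class NetworkAcl:
    """Subnet-level, stateless allow/deny list: rules are processed in ascending
    number, the first match decides, and no match means deny. Nothing is tracked,
    so reply traffic needs its own rule in the opposite direction."""
    def __init__(self, inbound, outbound):
        self.in_rules = sorted(inbound, key=lambda r: r.number)
        self.out_rules = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, pkt):
        for r in rules:
            if rule_matches(r, pkt):
                return r.action == "allow"
        return False   # implicit deny

    def inbound(self, pkt):
        return self._first_match(self.in_rules, pkt)

    def outbound(self, pkt):
        return self._first_match(self.out_rules, pkt)

# Constructed scenario: an instance at 172.31.5.10 in My Pub-1E with two groups
# attached; addresses outside the VPC come from the RFC 5737 documentation ranges.
WEB_GROUP = [Rule("tcp", 443, 443)]                          # HTTPS from anywhere
OPS_GROUP = [Rule("tcp", 22, 22, cidr="172.31.0.0/16"),     # SSH only from inside the VPC
             Rule("50", 0, 0, cidr="172.31.0.0/16")]         # ESP (IPsec) by protocol number
REQUEST = Packet("203.0.113.10", "172.31.5.10", "tcp", 50000, 443)
REPLY = Packet("172.31.5.10", "203.0.113.10", "tcp", 443, 50000)

def security_group_results():
    sg = SecurityGroups([WEB_GROUP, OPS_GROUP])
    return {
        "https_in": sg.inbound(REQUEST),
        "https_reply": sg.outbound_reply(REPLY),   # stateful: no egress rule needed
        "ssh_from_internet": sg.inbound(Packet("198.51.100.5", "172.31.5.10", "tcp", 40000, 22)),
        "ssh_from_vpc": sg.inbound(Packet("172.31.6.20", "172.31.5.10", "tcp", 40001, 22)),
        "esp_from_vpc": sg.inbound(Packet("172.31.6.20", "172.31.5.10", "50", 0, 0)),
    }

def acl_results():
    # Rule 90 denies one client block before rule 100 allows HTTPS from anywhere;
    # numbered 200 instead, the deny would never be reached.
    inbound = [Rule("tcp", 443, 443, number=100),
               Rule("tcp", 443, 443, cidr="198.51.100.0/24", action="deny", number=90)]
    tight = NetworkAcl(inbound, [Rule("tcp", 443, 443, number=100)])           # no ephemeral rule
    fixed = NetworkAcl(inbound, [Rule("tcp", 443, 443, number=100),
                                 Rule("tcp", 1024, 65535, number=110)])       # ephemeral ports out
    return {
        "https_in": tight.inbound(REQUEST),
        "denied_client_in": tight.inbound(Packet("198.51.100.5", "172.31.5.10", "tcp", 40000, 443)),
        "reply_without_ephemeral": tight.outbound(REPLY),   # stateless: reply to port 50000 dropped
        "reply_with_ephemeral": fixed.outbound(REPLY),
    }

if __name__ == "__main__":
    print(security_group_results())
    print(acl_results())
```

Run stand-alone it prints both result tables. The `esp_from_vpc` case shows the slide's point about IETF protocol numbers: a rule keyed on protocol 50 admits IPsec ESP even though it has no ports, which is what a VPN appliance in the public subnet needs.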

Page 23

If you want to learn more

On SlideShare (not by me):
AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
http://is.gd/AWSVPC