Network Foundations On AWS

The document provides an overview of AWS global infrastructure and networking fundamentals including Amazon Virtual Private Cloud (Amazon VPC). It describes how VPCs are built within AWS regions and availability zones, including public and private subnets. It also covers IPv4 addressing and networking components within a VPC.

Uploaded by

Rajeev Jha

London | April 29, 2022

NT-01

AWS Networking Fundamentals

Laura Verghote (she/her)


Associate Technical Trainer
Amazon Web Services

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda

Global infrastructure

Amazon Virtual Private Cloud (Amazon VPC)

Basics of VPC security

Peering, endpoints, and gateways

Global infrastructure

AWS global infrastructure
Regions and number of Availability Zones (AZs) per Region:
GovCloud (U.S.): U.S.-East (3), U.S.-West (3)
U.S. West: Oregon (4), Northern California (3)
U.S. East: N. Virginia (6), Ohio (3)
Canada: Central (3)
South America: São Paulo (3)
Africa: Cape Town (3)
Europe: Frankfurt (3), Paris (3), Ireland (3), Stockholm (3), London (3), Milan (3)
Middle East: Bahrain (3)
Asia Pacific: Singapore (3), Sydney (3), Jakarta (3), Tokyo (4), Osaka (3), Seoul (4), Mumbai (3), Hong Kong (3)
China: Beijing (3), Ningxia (3)
Announced Regions: 8 Regions in Australia, Canada, India, Indonesia, Israel, Switzerland, Spain, and the United Arab Emirates (UAE)
AWS global network components
(Diagram: Region eu-west-2 (London) with Availability Zones eu-west-2a, eu-west-2b, and eu-west-2c, each made up of data centers.)
Availability Zone: Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, in an AWS Region.
Region: A Region is a physical location in the world where we have multiple Availability Zones.
Global network: Redundant, parallel 100 GbE fiber network and low-latency private capacity between all Regions except China. Includes trans-ocean cables.
Amazon CloudFront has 300+ locations: 290+ Edge locations and 13 Regional Edge Caches across 90+ cities in 47 countries.
(Diagram: world map of Regional Edge Caches, Edge Locations, and cities with multiple Edge Locations.)
Cloud continuum
(Diagram: AWS Regions at one end of the continuum, for most use cases; metro centers, 5G networks, on premises, rugged edge, and IoT at the other end, for low latency, local data processing, and data residency.)
Bringing the cloud to where you need it
(Diagram: the same cloud continuum with the AWS offering at each point: AWS Regions for most use cases; AWS Local Zones for metro centers and AWS Wavelength for 5G networks; AWS Outposts for on premises; AWS Snowball and AWS Snowcone for the rugged edge; AWS IoT Greengrass and FreeRTOS for IoT. The edge offerings serve low latency, local data processing, and data residency needs.)
Amazon Virtual Private Cloud

Building a VPC
(Diagram, two steps: a VPC is created inside a Region, here eu-west-2, and spans the Region's Availability Zones, here eu-west-2a and eu-west-2b.)
Availability Zone IDs for your AWS resources
(Diagram: accounts 111111111111 and 222222222222 see the same physical Availability Zones under different AZ names; the AZ ID identifies the same physical zone in every account.)
Building a VPC
(Diagram: VPC in Region us-east-1 spanning Availability Zones us-east-1a and us-east-1b, with a public subnet and a private subnet in each Availability Zone.)
IPv4 addressing
(Diagram: VPC with CIDR blocks 10.0.0.0/16 and 10.1.0.0/16 across two Availability Zones.)
IPv4 addressing
VPC CIDR blocks: 10.0.0.0/16 and 10.1.0.0/16, across two Availability Zones.
Public subnets: 10.0.1.0/24 and 10.0.2.0/24. Private subnets: 10.0.128.0/24 and 10.1.129.0/24.
Reserved addresses in subnet 10.0.1.0/24:
10.0.1.0 – Network address
10.0.1.1 – VPC router
10.0.1.2 – Reserved
10.0.1.3 – Reserved
10.0.1.255 – Network broadcast
Reserved addresses in subnet 10.0.128.0/24:
10.0.128.0 – Network address
10.0.128.1 – VPC router
10.0.128.2 – Reserved
10.0.128.3 – Reserved
10.0.128.255 – Network broadcast
Instances in the diagram: 10.0.1.38 (public IP 54.203.236.116) and 10.0.1.112 in 10.0.1.0/24; 10.0.2.200 and 10.0.2.47 in 10.0.2.0/24, one of them with Elastic IP (EIP) 52.34.234.27.
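The reserved-address rule and the subnet plan from the slide, as an added example (not code from the deck): it lists the five addresses AWS reserves in any subnet and checks that a set of subnets fits the VPC's CIDR blocks. The subnet names are assumptions; the CIDRs are the slide's.

```python
import ipaddress

# Added example, not from the AWS deck: models the five addresses that AWS reserves in every
# subnet (shown on the slide for 10.0.1.0/24 and 10.0.128.0/24) and checks a subnet plan
# against the VPC's CIDR blocks. Subnet names are assumptions; the CIDRs are the slide's.

VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]
SUBNETS = {
    "public-a": "10.0.1.0/24",
    "public-b": "10.0.2.0/24",
    "private-a": "10.0.128.0/24",
    "private-b": "10.1.129.0/24",
}

# Roles of the reserved addresses, in order: the first four addresses and the last one.
RESERVED_ROLES = ["Network address", "VPC router", "Reserved", "Reserved", "Network broadcast"]


def reserved_addresses(cidr):
    """Return {address: role} for the five addresses AWS reserves in a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    addrs = [net.network_address + i for i in range(4)] + [net.broadcast_address]
    return {str(a): role for a, role in zip(addrs, RESERVED_ROLES)}


def usable_hosts(cidr):
    """Addresses left for network interfaces once the five reserved ones are taken out."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def validate_plan(vpc_cidrs, subnets):
    """List problems with a subnet plan: a subnet outside every VPC CIDR block, a subnet
    outside the /16 to /28 sizes a VPC subnet may have, or two subnets that overlap."""
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(v) for v in vpcs):
            problems.append(f"{name} ({net}) is outside the VPC CIDR blocks")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name} ({net}) is not between /16 and /28")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print(name, cidr, usable_hosts(cidr), "usable;", reserved_addresses(cidr))
    print("plan problems:", validate_plan(VPC_CIDRS, SUBNETS))
```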
IPv6 addressing
VPC CIDR blocks: 10.0.0.0/16 and 10.1.0.0/16, plus the IPv6 block 2001:db8:ec2::/56, across two Availability Zones.
Public subnets: 10.0.1.0/24 with 2001:db8:ec2:01::/64, and 10.0.2.0/24 with 2001:db8:ec2:02::/64. Private subnets: 2001:db8:ec2:80::/64 and 10.1.129.0/24.
Reserved IPv6 ranges: fd00:ec2::/32 – Reserved; fe80::X:Xff:feX:X/64 – VPC router (link-local).
Reserved addresses in subnet 2001:db8:ec2:01::/64:
2001:db8:ec2:01::0
2001:db8:ec2:01::1
2001:db8:ec2:01::2
2001:db8:ec2:01::3
2001:db8:ec2:01:ffff:ffff:ffff:ffff
Reserved addresses in subnet 2001:db8:ec2:80::/64:
2001:db8:ec2:80::0
2001:db8:ec2:80::1
2001:db8:ec2:80::2
2001:db8:ec2:80::3
2001:db8:ec2:80:ffff:ffff:ffff:ffff
Instances in the diagram: 10.0.1.38 (54.203.236.116) with 2001:db8:ec2:1::1 and 10.0.1.112 in the first public subnet; 10.0.2.200 and 10.0.2.47 in the second, one of them with EIP 52.34.234.27; 2001:db8:ec2:80::1 in the private subnet.
Intra-VPC routing
(Diagram: the same VPC, 10.0.0.0/16, 10.1.0.0/16, and 2001:db8:ec2::/56; public subnets 10.0.1.0/24 with 2001:db8:ec2:01::/64 and 10.0.2.0/24 with 2001:db8:ec2:02::/64; private subnets 2001:db8:ec2:80::/64 and 10.1.129.0/24; instances 10.0.1.38, 10.0.1.112, 10.0.2.200, 10.0.2.47, 2001:db8:ec2:1::1, and 2001:db8:ec2:80::1.) Traffic between subnets of the same VPC, including across Availability Zones, is forwarded by the VPC router over the route table's local route for each VPC CIDR block.
Basics of VPC security

VPC defense in depth
(Diagram: traffic from the internet gateway is directed by the route table into the public subnet, is filtered by the subnet's network ACL, and is then filtered again by the security group of each instance.)
Security groups
(Diagram: VPC 10.0.0.0/16 with public subnet 10.0.1.0/24 in one Availability Zone, holding two instances, 10.0.1.38 / 54.203.236.116 and 10.0.1.39 / 54.203.236.117, each protected by its own security group.)
Security groups – default behavior
(Diagram: instance 10.0.1.38 / 54.203.236.116 inside a security group, with its inbound and outbound rules.) A new security group allows no inbound traffic and allows all outbound traffic. Security groups are stateful: the reply to an allowed connection is permitted in the other direction without a matching rule.
Security Group Chaining
(Diagram: Web, App, and Data tiers, each duplicated across two Availability Zones and each in its own security group.)
Web security group – Inbound rule: Allow HTTPS port 443, Source: 0.0.0.0/0 (any)
App security group – Inbound rule: Allow HTTP port 80, Source: Web tier (Web security group)
Data security group – Inbound rule: Allow TCP port 3306, Source: App tier (App security group)
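The chained rules above evaluated in code, as an added example (not code from the deck): a rule's source is either a CIDR or another security group, and a group-sourced rule matches by group membership, not by address or subnet. The instance addresses and group ids are constructed; the rules are the slide's.

```python
import ipaddress

# Added example, not from the deck: evaluates the three-tier security group chain on the slide,
# where a rule's source is either a CIDR or another security group. The group ids and instance
# addresses below are constructed for the example; the rules are the slide's.

# Inbound rules per security group: (protocol, port, source). Source is a CIDR or a group id.
SECURITY_GROUPS = {
    "sg-web": [("tcp", 443, "0.0.0.0/0")],   # HTTPS from anywhere
    "sg-app": [("tcp", 80, "sg-web")],       # HTTP only from the web tier's group
    "sg-data": [("tcp", 3306, "sg-app")],    # MySQL only from the app tier's group
}

# Security group attached to each instance's network interface (constructed addresses).
MEMBERSHIP = {
    "10.0.1.10": "sg-web", "10.0.2.10": "sg-web",
    "10.0.1.20": "sg-app", "10.0.2.20": "sg-app",
    "10.0.128.30": "sg-data", "10.1.129.30": "sg-data",
}


def source_matches(source, src_ip):
    """A group-id source matches any interface carrying that group; a CIDR source matches by address."""
    if source.startswith("sg-"):
        return MEMBERSHIP.get(src_ip) == source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def inbound_allowed(src_ip, dst_ip, proto, port):
    """Security groups hold allow rules only: the flow passes if any inbound rule of the destination's group matches."""
    group = MEMBERSHIP.get(dst_ip)
    if group is None:
        return False
    return any(p == proto and prt == port and source_matches(src, src_ip)
               for p, prt, src in SECURITY_GROUPS[group])


def allowed_sources(group):
    """Which groups (or CIDRs) may open connections to a group, and on which ports."""
    return {(src, port) for _proto, port, src in SECURITY_GROUPS[group]}


def exposure_report():
    """Groups reachable straight from a CIDR source (here the internet) rather than from another group."""
    return sorted(g for g, rules in SECURITY_GROUPS.items()
                  if any(not src.startswith("sg-") for _p, _port, src in rules))
```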
Network access control lists (NACLs)
(Diagram: VPC with a public subnet in Availability Zone 1 and a private subnet in Availability Zone 2, each containing an instance; a network ACL sits at the boundary of each subnet, with default inbound rules and default outbound rules.) The default network ACL allows all inbound and all outbound traffic.
Additional configurations for inbound traffic
(Diagram: an inbound connection to an instance in the public subnet, passing the network ACL and then the security group.)
Inbound packet: source port 1400, destination port 22.
Return packet: source port 22, destination port 1400.
The security group is stateful and passes the return packet automatically. The network ACL is stateless, so it also needs an outbound rule that allows destination port 1400 (the client's ephemeral port) for the return packet to leave the subnet.
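The two packets above run through both filters, as an added example (not code from the deck): the same rule sets give different answers because the security group tracks connections and the network ACL does not, and NACL rules are evaluated in rule-number order. The client address 203.0.113.5 is constructed; 10.0.1.38 is the instance from the earlier slides.

```python
# Added example, not from the deck: replays the slide's flow (client source port 1400 to
# instance destination port 22) through a stateful security group and a stateless network ACL,
# showing why the NACL needs an outbound rule for the ephemeral return port. The client
# address 203.0.113.5 is constructed; 10.0.1.38 is the instance from the earlier slides.

REQUEST = ("tcp", "203.0.113.5", 1400, "10.0.1.38", 22)   # client -> instance
REPLY = ("tcp", "10.0.1.38", 22, "203.0.113.5", 1400)     # instance -> client


class NetworkAcl:
    """Stateless: each packet is checked against the rules of its own direction.
    Rules are (rule number, protocol, (low port, high port), action); the lowest
    matching rule number wins, and anything unmatched hits the implicit deny."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def allows(self, direction, proto, dst_port):
        for _num, p, (low, high), action in self.rules[direction]:
            if p == proto and low <= dst_port <= high:
                return action == "allow"
        return False


class SecurityGroup:
    """Stateful: a packet answering a connection that was already allowed passes without a rule.
    Rules are (protocol, port) allow entries; there is no deny rule."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": set(inbound), "out": set(outbound)}
        self.connections = set()   # 5-tuples of flows that were allowed through

    def allows(self, direction, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.connections:   # reply to a tracked flow
            return True
        if (proto, dport) in self.rules[direction]:
            self.connections.add((proto, src, sport, dst, dport))
            return True
        return False


def ssh_session(nacl_outbound):
    """Run the request and the reply through both filters; return the decisions."""
    sg = SecurityGroup(inbound=[("tcp", 22)], outbound=[("tcp", 443)])  # no outbound rule for 1400
    nacl = NetworkAcl(inbound=[(100, "tcp", (22, 22), "allow")], outbound=nacl_outbound)
    proto, src, sport, dst, dport = REQUEST
    request = {"nacl": nacl.allows("in", proto, dport),
               "sg": sg.allows("in", proto, src, sport, dst, dport)}
    proto, src, sport, dst, dport = REPLY
    reply = {"sg": sg.allows("out", proto, src, sport, dst, dport),
             "nacl": nacl.allows("out", proto, dport)}
    return {"request": request, "reply": reply}


# Outbound NACL rule sets to compare: without, and with, the ephemeral port range.
NACL_OUT_MISSING_EPHEMERAL = [(100, "tcp", (443, 443), "allow")]
NACL_OUT_WITH_EPHEMERAL = [(100, "tcp", (443, 443), "allow"), (110, "tcp", (1024, 65535), "allow")]
```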
Internet gateway
(Diagram: VPC 10.0.0.0/16, 10.1.0.0/16, and 2001:db8:ec2::/56. Public subnets 10.0.1.0/24 with 2001:db8:ec2:01::/64 and 10.0.2.0/24 with 2001:db8:ec2:02::/64: web server W at 10.0.1.38 with public IP 54.203.236.116 and 2001:db8:ec2:1::1, and web server W at 10.0.2.167 with EIP 52.34.234.27. Private subnets 2001:db8:ec2:80::/64 and 10.1.129.0/24: database servers DB at 2001:db8:ec2:80::1 and 10.1.129.245.)
Internet gateway
5 requirements for an instance to exchange traffic with the internet:
1) Public IP
2) Security groups (SGs) allow the traffic
3) NACLs allow the traffic
4) Attached internet gateway (IGW)
5) Route to the IGW
(Diagram: the same VPC, with inbound and outbound flows through the IGW for W at 10.0.1.38 / 54.203.236.116 / 2001:db8:ec2:1::1 and B at 10.0.2.167 / EIP 52.34.234.27 in the public subnets; DB at 2001:db8:ec2:80::1 and O at 10.1.129.245 in the private subnets.)
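The five requirements as a checklist over a constructed instance record, as an added example (not code from the deck): it reports which requirements fail for inbound TCP traffic, which is the order a practitioner works through when an instance is unreachable. Resource ids (igw-public, sg-web, acl-public, rtb-public, rtb-private, nat-a) are assumptions; 10.0.1.38 / 54.203.236.116 is the web server W from the slide.

```python
# Added example, not from the deck: checks the slide's five requirements for a constructed
# instance record. The resource ids (igw-public, sg-web, acl-public, rtb-public, rtb-private,
# nat-a) are assumptions; 10.0.1.38 / 54.203.236.116 is the web server W from the slide.
# Security group and NACL evaluation is reduced to allowed-port sets here.

VPC = {"cidr": "10.0.0.0/16", "attached_igw": "igw-public"}
SUBNETS = {
    "subnet-public-a": {"route_table": "rtb-public", "nacl": "acl-public"},
    "subnet-private-a": {"route_table": "rtb-private", "nacl": "acl-private"},
}
ROUTE_TABLES = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-public")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")],
}
SECURITY_GROUPS = {"sg-web": {"inbound_tcp": {443}}}
NACLS = {
    "acl-public": {"inbound_tcp": {443}, "outbound_ephemeral": True},
    "acl-private": {"inbound_tcp": set(), "outbound_ephemeral": True},
}
INSTANCE = {
    "private_ip": "10.0.1.38",
    "public_ip": "54.203.236.116",   # None when the instance has no public or Elastic IP
    "security_group": "sg-web",
    "subnet": "subnet-public-a",
}

REQUIREMENTS = {
    1: "public IP",
    2: "security group allows the port",
    3: "network ACL allows the port inbound and ephemeral ports outbound",
    4: "internet gateway attached to the VPC",
    5: "route 0.0.0.0/0 to the attached internet gateway in the subnet's route table",
}


def unmet_requirements(instance, vpc, subnets, route_tables, security_groups, nacls, port=443):
    """Return the numbers of the five requirements this instance fails for inbound TCP traffic."""
    unmet = []
    if not instance.get("public_ip"):
        unmet.append(1)
    if port not in security_groups[instance["security_group"]]["inbound_tcp"]:
        unmet.append(2)
    subnet = subnets[instance["subnet"]]
    nacl = nacls[subnet["nacl"]]
    if port not in nacl["inbound_tcp"] or not nacl["outbound_ephemeral"]:
        unmet.append(3)
    if not vpc.get("attached_igw"):
        unmet.append(4)
    igw_targets = [t for d, t in route_tables[subnet["route_table"]]
                   if d == "0.0.0.0/0" and t.startswith("igw-")]
    if igw_targets != [vpc.get("attached_igw")]:   # the default route must point at the attached IGW
        unmet.append(5)
    return unmet


def explain(unmet):
    """Human-readable lines for the failed requirement numbers."""
    return [f"{n}) {REQUIREMENTS[n]}" for n in unmet]
```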
Connecting to the internet from a private subnet
(Diagram: VPC 10.0.0.0/16 and 2001:db8:ec2::/56; a NAT gateway in each public subnet, 10.0.1.0/24 with 2001:db8:ec2:01::/64 and 10.0.2.0/24 with 2001:db8:ec2:02::/64; the database servers DB at 2001:db8:ec2:80::1 and 10.1.129.245 in the private subnets, 2001:db8:ec2:80::/64 and 10.1.129.0/24, reach the internet through the NAT gateways.)
Connecting to the internet: IPv6
(Diagram: VPC 10.0.0.0/16, 10.1.0.0/16, and 2001:db8:ec2::/56 with an egress-only internet gateway; public subnets 10.0.1.0/24 with 2001:db8:ec2:01::/64 and 10.0.2.0/24 with 2001:db8:ec2:02::/64 hosting W and B; private subnets 2001:db8:ec2:80::/64 and 10.0.129.0/24 hosting DB and O, whose IPv6 traffic leaves through the egress-only internet gateway.)
Connecting to the internet
(Diagram, the complete picture: an internet gateway and an egress-only internet gateway attached to VPC 10.0.0.0/16, 10.1.0.0/16, 2001:db8:ec2::/56; a NAT gateway in each public subnet, 10.0.1.0/24 with 2001:db8:ec2:01::/64 and 10.0.2.0/24 with 2001:db8:ec2:02::/64, which host W and B; private subnets 2001:db8:ec2:80::/64 and 10.0.129.0/24 hosting DB and O.)
Peering, endpoints, and gateways
Peering, endpoints, and gateways
(Diagram: the components covered in this section: AWS Client VPN endpoint, virtual private gateway, Direct Connect gateway, NAT gateway, internet gateway, AWS Transit Gateway, endpoints, and peering connection.)
Connecting multiple VPCs
(Diagram: two options: VPC Peering and Transit Gateway.)
VPC Peering
(Diagram: VPC 10.0.0.0/16 with 2001:db8:ec2::/56, containing public subnet 10.0.1.0/24 with 2001:db8:ec2:01::/64 and private subnet 2001:db8:ec2:02::/64, joined by a peering connection to VPC 10.2.0.0/16 with 2001:db8:ec2:100::/56, containing public subnet 10.2.0.0/24 with 2001:db8:ec2:100::/64 and private subnet 10.2.129.0/24.)
Route table of the first VPC (Destination / Target):
10.0.0.0/16 local
2001:db8:ec2::/56 local
10.2.0.0/16 pcx-1234
2001:db8:ec2:100::/56 pcx-1234
Route table of the second VPC (Destination / Target):
10.2.0.0/16 local
2001:db8:ec2:100::/56 local
10.0.0.0/16 pcx-1234
2001:db8:ec2::/56 pcx-1234
VPC Peering
(Diagram: five VPCs, A to E, peered in a full mesh; the route table of VPC C is shown.)
Route table of VPC C (Destination / Target):
C – Local
A – PCX-1
B – PCX-2
D – PCX-3
E – PCX-4
Number of peering connections for a full mesh of n VPCs: n(n - 1) / 2
What is the problem?
Complexity: for 100 VPCs, 100 (100 - 1) / 2 = 4,950 peering connections.
Service Limit: Amazon VPC peering connections per Amazon VPC = 125
Transit Gateway
(Diagram: AWS Transit Gateway as the hub connecting VPCs, a VPN, and the WAN via Direct Connect + Direct Connect gateway.)
Transit Gateway components
(Diagram: Transit Gateway attachments, a VPC, a VPN connection, and a Direct Connect gateway, together with the transit gateway route tables that decide how traffic is forwarded between them.)
Full Connectivity
(Diagram: VPC A, VPC B, VPC C, VPC D, a Direct Connect connection, and a VPN connection to a customer gateway, all attached to one Transit Gateway; every attachment can reach every other attachment.)
Partial connectivity
(Diagram: the same attachments on the same Transit Gateway, but only some attachments can reach each other, controlled by the Transit Gateway route tables on the next slide.)
Transit Gateway route tables and domains
Attachments to the AWS Transit Gateway:
1: 10.1.0.0/16, 2001:db8:1::/56 (att-1)
2: 10.2.0.0/16, 2001:db8:2::/56 (att-2)
3: 10.3.0.0/16, 2001:db8:3::/56 (att-3)
4: 10.4.0.0/16, 2001:db8:4::/56 (att-4)
TGW Route table 1 (drawn next to attachment 1), Destination / Target:
10.2.0.0/16 att-2
10.3.0.0/16 att-3
10.4.0.0/16 att-4
2001:db8:4::/56 att-4
TGW Route table 2 (drawn next to attachment 2 and again next to attachment 3), Destination / Target:
10.1.0.0/16 att-1
10.2.0.0/16 att-2
10.3.0.0/16 att-3
TGW Route table 4 (drawn next to attachment 4), Destination / Target:
10.1.0.0/16 att-1
2001:db8:1::/56 att-1
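The three route tables above turned into a forwarding decision, as an added example (not code from the deck): each attachment is associated with one route table, the transit gateway does a longest-prefix match in that table, and a missing route means the packet is dropped. The example also lists one-way paths, where a reply would have no route back. Route table ids rt-1, rt-2, rt-4 are assumptions; the association of attachments 2 and 3 with route table 2 follows the slide.

```python
import ipaddress

# Added example, not from the deck: models the slide's four attachments and three transit
# gateway route tables and answers "where does the transit gateway forward this packet?".
# As drawn, route table 2 serves both attachment 2 and attachment 3; the route-table ids
# (rt-1, rt-2, rt-4) are assumptions.

ATTACHMENT_CIDRS = {
    "att-1": ["10.1.0.0/16", "2001:db8:1::/56"],
    "att-2": ["10.2.0.0/16", "2001:db8:2::/56"],
    "att-3": ["10.3.0.0/16", "2001:db8:3::/56"],
    "att-4": ["10.4.0.0/16", "2001:db8:4::/56"],
}
# Which route table each attachment is associated with (the routing domain it belongs to).
ASSOCIATION = {"att-1": "rt-1", "att-2": "rt-2", "att-3": "rt-2", "att-4": "rt-4"}
ROUTE_TABLES = {
    "rt-1": [("10.2.0.0/16", "att-2"), ("10.3.0.0/16", "att-3"),
             ("10.4.0.0/16", "att-4"), ("2001:db8:4::/56", "att-4")],
    "rt-2": [("10.1.0.0/16", "att-1"), ("10.2.0.0/16", "att-2"), ("10.3.0.0/16", "att-3")],
    "rt-4": [("10.1.0.0/16", "att-1"), ("2001:db8:1::/56", "att-1")],
}


def next_hop(source_attachment, dst_ip):
    """Longest-prefix match in the route table associated with the source attachment."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in ROUTE_TABLES[ASSOCIATION[source_attachment]]:
        net = ipaddress.ip_network(dest)
        if net.version == ip.version and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None   # None: no route, the transit gateway drops the packet


def reachable_from(source_attachment, version=4):
    """Other attachments whose first host address the source can reach, for one address family."""
    result = []
    for att, cidrs in ATTACHMENT_CIDRS.items():
        if att == source_attachment:
            continue
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if net.version == version and next_hop(source_attachment, str(net[1])) == att:
                result.append(att)
    return sorted(result)


def one_way_paths(version=4):
    """Pairs where A can send to B but B has no route back to A: replies would be dropped."""
    return sorted((a, b) for a in ATTACHMENT_CIDRS for b in reachable_from(a, version)
                  if a not in reachable_from(b, version))
```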
Without VPC endpoints
(Diagram: VPC 10.1.0.0/16, 2001:db8:1::/56 with subnets 10.1.1.0/24 (2001:db8:ec2:101::/64) and 10.1.2.0/24 (2001:db8:ec2:110::/64); instances reach Amazon CloudWatch, Amazon Aurora, Amazon Kinesis Data Streams, Amazon API Gateway, AWS KMS, Amazon S3, and Amazon DynamoDB over the services' public endpoints.)
With VPC endpoints: Interface endpoints
(Diagram: the same VPC; an AWS PrivateLink interface endpoint with private IP 10.1.2.1 in subnet 10.1.2.0/24 provides a private path to Amazon CloudWatch, Amazon Aurora, Amazon Kinesis Data Streams, Amazon API Gateway, AWS KMS, and Amazon S3; Amazon S3 and Amazon DynamoDB are drawn separately for the gateway endpoints that follow.)
With VPC endpoints: Gateway endpoints
(Diagram: the same VPC with the interface endpoint at 10.1.2.1, plus a gateway endpoint for Amazon S3 and Amazon DynamoDB, reached through the subnet route table rather than through a network interface.)
Route table (Destination / Target):
172.16.0.0/16 local
S3.prefix.list vpce-s3
DDB.prefix.list vpce-ddb
Hybrid connectivity and gateways
(Diagram: AWS Site-to-Site VPN and AWS Direct Connect.)
AWS Site-to-Site VPN
(Diagram: the on-premises VPN server, the customer gateway device in the corporate data center, connects over the public internet through a VPN connection to a virtual private gateway attached to the VPC; the VPC has a private subnet in Availability Zone A and one in Availability Zone B; the VPN connection has two endpoints on the AWS side.)
AWS Site-to-Site VPN
Three ways to terminate the VPN from the on-premises VPN server in the corporate data center:
Option 1: Virtual private gateway attached to the VPC, reaching the EC2 instances in the VPC.
Option 2: EC2 instance acting as the VPN endpoint, reached over the internet through an internet gateway and forwarding to the other EC2 instances in the VPC.
Option 3: Transit gateway, with the Amazon VPC attached to it.
AWS Direct Connect
(Diagram, three steps: the customer router in the corporate data center connects at an AWS Direct Connect location to an AWS Direct Connect router. A Direct Connect gateway then provides access to the Region: to public services such as Amazon S3, and to VPC 10.1.0.0/16, 2001:db8:1::/56 through either a virtual private gateway or an AWS Transit Gateway.)
Bringing it all together
(Diagram: a Region with a VPC, an internet gateway, an egress-only internet gateway, a virtual private gateway, a NAT gateway in the public subnet, private subnets, a peering connection to a second VPC, endpoints, and a Transit Gateway connected to a VPN and to a Direct Connect gateway; a Local Zone holds further public and private subnets.)
Learn in-demand AWS Cloud skills
AWS Skill Builder:
Access 500+ free digital courses and Learning Plans
Explore resources with a variety of skill levels and 16+ languages to meet your learning needs
Deepen your skills with digital learning on demand
Train now
AWS Certifications:
Earn an industry-recognized credential
Receive Foundational, Associate, Professional, and Specialty certifications
Join the AWS Certified community and get exclusive benefits
Access new exam guides
Thank you!
Laura Verghote
LinkedIn: laura-verghote-6abb27155
Please complete the session survey
