Module 2 - Networking On AWS - Animated

The document provides an overview of networking in AWS, detailing components such as Regions, Availability Zones, VPCs, subnets, route tables, and security measures like security groups and NACLs. It also covers connectivity options including VPC peering, VPN, and Direct Connect, as well as best practices for multi-AZ deployments. The document serves as a comprehensive guide for understanding and implementing networking solutions within the AWS environment.

Networking in AWS

Wong Voon Wong


Partner Solutions Architect
29 Apr 2022

© 2022, Amazon Web Services, Inc. or its Affiliates.


Table of contents
• Regions and Availability Zones (AZs)
• VPC Overview
• Subnets and AZs
• Route Tables
• Internet Access
• NAT Gateways
• Multi-AZ Best Practices
• Security Groups
• Network Access Control Lists (NACLs)
• VPC Peering
• VPN Connectivity
• Direct Connect
• Direct Connect Gateway
• Transit Gateway
• AWS Client VPN
• Route 53
• CloudFront
Regions and Availability Zones (AZs)
[Diagram: the AWS Cloud contains Regions; each Region contains several AZs. Region us-east-1: AZs us-east-1a, us-east-1b, us-east-1c. Region us-west-2: AZs us-west-2a, us-west-2b, us-west-2c.]
AWS VPC - Overview
[Diagram: Account 123456789, Region US-EAST-1. Inside the VPC: EC2 instances, Elastic Load Balancing, an Amazon RDS instance. Other services shown alongside the VPC: AWS Identity and Access Management, Amazon Simple Storage Service (S3), Amazon Route 53, Amazon DynamoDB.]
Subnets and AZs
[Diagram: Region us-east-1, VPC 10.0.0.0/16. Availability Zone us-east-1a holds Subnet 1 (10.0.1.0/24) with EC2 instances; Availability Zone us-east-1b holds Subnet 2 (10.0.2.0/24) with an Amazon RDS instance. A subnet lives in exactly one AZ.]
AZ ID
[Diagram-only slide; no text content recovered.]
Route Tables – Internal VPC Traffic
[Diagram: VPC 10.0.0.0/16. Subnet 1 (10.0.1.0/24) holds EC2 instance 10.0.1.1; Subnet 2 (10.0.2.0/24) holds EC2 instance 10.0.2.1. Both subnets are associated with Route Table 1. Traffic from 10.0.1.1 to 10.0.2.1 matches the local route.]

Route Table 1 - Rules
  Destination    Target
  10.0.0.0/16    local
Route Tables – Internet Traffic
[Diagram: same VPC; EC2 instance 10.0.1.1 in Subnet 1 sends traffic to host 1.2.3.4 on the Internet. Route Table 1 holds only the local route, so there is no route that matches 1.2.3.4.]

Route Table 1 - Rules
  Destination    Target
  10.0.0.0/16    local
Route Tables – Internet Traffic
[Diagram: an Internet gateway (igw-12345) is attached to the VPC and a default route is added to Route Table 1. Traffic from 10.0.1.1 to 1.2.3.4 now matches 0.0.0.0/0 and leaves through the Internet gateway.]

Route Table 1 - Rules
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
Public vs. Private Subnet
[Diagram: VPC 10.0.0.0/16 with an Internet gateway. Private Subnet 1 (10.0.1.0/24, EC2 instance 10.0.1.1) uses the Private Route Table; Public subnet 1 (10.0.2.0/24, EC2 instance 10.0.2.1) uses the Public Route Table. What makes a subnet public is a route to the Internet gateway.]

Private Route Table
  Destination    Target
  10.0.0.0/16    local

Public Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
Public IPs
[Diagram: Public subnet 1 (10.0.2.0/24) in VPC 10.0.0.0/16, associated with the Public Route Table. The EC2 instance has Private IP 10.0.2.1 and Public IP 1.2.3.4; traffic reaches it through the Internet gateway.]

Public Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
VPC - DNS & DHCP
[Diagram: VPC 10.0.0.0/16 with VPC DHCP and VPC DNS services. Public subnet 1 (10.0.2.0/24) holds an EC2 instance.]

Reserved for AWS use in the VPC:
  10.0.0.0
  10.0.0.1
  10.0.0.2
  10.0.0.3
  10.0.0.255

EC2 Instance
  Private IP:  10.0.2.1
  Private DNS: ip-10.0.2.1.us-west-2.compute.internal
  Public IP:   1.2.3.4
  Public DNS:  ec2-1.2.3.4.us-west-2.compute.amazonaws.com
Internet Access for Private Subnets – NAT Gateway
[Diagram: VPC 10.0.0.0/16. Private Subnet 1 (10.0.1.0/24) holds a private instance with Private IP 10.0.1.1. Public subnet 1 (10.0.2.0/24) holds NAT gateway ngw-345 with Elastic IP 2.3.4.5. The private instance reaches Internet host 1.2.3.4 via the NAT gateway, which in turn exits through the Internet gateway.]

Private Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      ngw-345

Public Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
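The route-table slides above boil down to longest-prefix match plus the rule that a route to an Internet gateway is what makes a subnet public. The following is an added example, not code from the deck: it models the Private and Public route tables from the NAT-gateway slide in Python and looks up the targets for the slide's own addresses.

```python
"""Longest-prefix-match lookup over the route tables on the slides.

Added example, not code from the slides: models the Private and Public
route tables from the NAT-gateway slide with Python's ipaddress module.
Route targets (local, igw-12345, ngw-345), the VPC CIDR and the instance
addresses are the slide's labels; the lookup logic is standard VPC routing.
"""
import ipaddress

# Route tables exactly as shown on the slides: destination CIDR -> target.
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "ngw-345"}
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-12345"}
# The first "Internet Traffic" slide: only the local route exists.
LOCAL_ONLY_RT = {"10.0.0.0/16": "local"}


def lookup(route_table, dst_ip):
    """Return the target of the most specific route containing dst_ip.

    A VPC route table uses longest-prefix match, so 10.0.2.1 hits the
    /16 local route even though 0.0.0.0/0 also contains it. With no
    matching route the packet has nowhere to go (None here).
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public(route_table):
    """A subnet is public when its route table sends traffic to an Internet gateway."""
    return any(t.startswith("igw-") for t in route_table.values())


def next_hop(subnet_kind, dst_ip):
    """Target for traffic leaving a 'private' or 'public' subnet from the slides."""
    table = PRIVATE_RT if subnet_kind == "private" else PUBLIC_RT
    return lookup(table, dst_ip)


if __name__ == "__main__":
    print(next_hop("private", "1.2.3.4"))    # ngw-345: private instance exits via NAT
    print(next_hop("public", "1.2.3.4"))     # igw-12345: public instance exits directly
    print(next_hop("private", "10.0.2.1"))   # local: intra-VPC, whichever table is used
    print(lookup(LOCAL_ONLY_RT, "1.2.3.4"))  # None: no Internet route on that slide
    print(is_public(PRIVATE_RT), is_public(PUBLIC_RT))  # False True
```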
Multi-AZ Best Practices
[Diagram: Region us-east-1, VPC 10.0.0.0/16 with an IGW. A load balancer spans two AZs. AZ us-east-1a: Public subnet 1 (10.0.1.0/24) with a web server, Private Subnet 1 (10.0.2.0/24) with the database server. AZ us-east-1b: Public subnet 2 (10.0.3.0/24) with a web server, Private Subnet 2 (10.0.4.0/24) with the database standby. The database server and standby use synchronous replication.]
Security Groups – Default Group Rules
[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24); an EC2 instance is in Security group 1.]

Security Group 1
Inbound Rules
  Protocol   Port   Source
  (none)

Outbound Rules
  Protocol   Port   Destination
  All        All    0.0.0.0/0
Security Groups – Web Server Example
[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24); an EC2 instance is in Security group 1.]

Security Group 1
Inbound Rules
  Protocol   Port   Source
  TCP        80     0.0.0.0/0

Outbound Rules
  Protocol   Port   Destination
  All        All    0.0.0.0/0
Security Groups – Reference other groups
[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24). One EC2 instance is in the Webserver security group, another in the Database security group. The database group admits MySQL traffic only from members of the web server group, by referencing the group rather than an address range.]

Web server security group
Inbound Rules
  Protocol   Port   Source
  TCP        80     0.0.0.0/0

Outbound Rules
  Protocol   Port   Destination
  All        All    0.0.0.0/0

Database security group
Inbound Rules
  Protocol   Port   Source
  TCP        3306   sg-webserver

Outbound Rules
  Protocol   Port   Destination
  All        All    0.0.0.0/0
Security Groups – Self-referencing rules
[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24). Four EC2 instances are all in the Hadoop security group; the group's inbound rule references itself, so members can reach each other on TCP 80.]

Hadoop Security Group
Inbound Rules
  Protocol   Port   Source
  TCP        80     sg-hadoop

Outbound Rules
  Protocol   Port   Destination
  All        All    0.0.0.0/0
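The "Reference other groups" and "Self-referencing rules" slides both rely on one mechanism: a rule's source can be a security group rather than a CIDR, and it then matches by group membership of the sending instance. The following is an added example, not code from the deck, that encodes the three groups from those slides and answers "would this inbound connection be allowed?". The IDs sg-webserver and sg-hadoop are the slide labels; sg-database and the instance-to-group mapping are assumptions made for the example.

```python
"""Evaluate inbound security-group rules whose source is a CIDR or another group.

Added example, not code from the slides. Encodes the Web server, Database
and Hadoop groups shown on the security-group slides. Group IDs
sg-webserver and sg-hadoop are the slide labels; sg-database and the
instance membership table below are constructed for this example.
"""
import ipaddress

# Inbound rules per group: (protocol, port, source). A source is either a
# CIDR or a security-group ID. Outbound is "All All 0.0.0.0/0" on every
# slide, so only the inbound direction is evaluated here.
INBOUND = {
    "sg-webserver": [("tcp", 80, "0.0.0.0/0")],
    "sg-database": [("tcp", 3306, "sg-webserver")],
    "sg-hadoop": [("tcp", 80, "sg-hadoop")],  # self-referencing rule
}

# Which groups each instance belongs to (constructed sample data).
MEMBERSHIP = {
    "10.0.2.1": {"sg-webserver"},
    "10.0.1.1": {"sg-database"},
    "10.0.1.10": {"sg-hadoop"},
    "10.0.1.11": {"sg-hadoop"},
}


def source_matches(rule_source, src_ip):
    """A group source matches by the sender's membership; a CIDR source by address."""
    if rule_source.startswith("sg-"):
        return rule_source in MEMBERSHIP.get(src_ip, set())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)


def inbound_allowed(dst_group, src_ip, proto, port):
    """Security groups hold allow rules only: any one matching rule admits the flow."""
    return any(
        r_proto == proto and r_port == port and source_matches(r_src, src_ip)
        for r_proto, r_port, r_src in INBOUND[dst_group]
    )


if __name__ == "__main__":
    print(inbound_allowed("sg-database", "10.0.2.1", "tcp", 3306))     # True: web -> db
    print(inbound_allowed("sg-database", "198.51.100.7", "tcp", 3306))  # False: not a web member
    print(inbound_allowed("sg-hadoop", "10.0.1.11", "tcp", 80))         # True: hadoop -> hadoop
    print(inbound_allowed("sg-hadoop", "10.0.2.1", "tcp", 80))          # False: web is not hadoop
```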
Network Access Control Lists (NACLs)
[Diagram: Region us-east-1, VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24) with a network access control list attached at the subnet boundary.]

NACL Configuration
Inbound Rules
  Rule #   Protocol   Port   Source       Effect
  1        All        All    0.0.0.0/0    Allow

Outbound Rules
  Rule #   Protocol   Port   Destination  Effect
  1        All        All    0.0.0.0/0    Allow
VPC Building Blocks - Summary
[Diagram: VPC 10.0.0.0/16. Private Subnet 1 (10.0.1.0/24) holds the Database EC2 instance in the Database security group and uses the Private Route Table. Public subnet 1 (10.0.2.0/24) holds the EC2 webserver in the Web server security group, the NAT gateway, and uses the Public Route Table. Each subnet has a NACL; the Internet gateway attaches to the VPC.]
Stay on AWS network: VPC Endpoints
• Connect your VPC to:
  • Supported AWS services
  • VPC endpoint services powered by PrivateLink
• Doesn't require public IPs or Internet connectivity
• Horizontally scaled, redundant, and highly available
• Robust access control
• Metrics for traffic visibility

[Diagram: Amazon VPC PrivateLink. A provider VPC with an Internet gateway, a public subnet, a Network Load Balancer (NLB) and an EC2 instance exposes a VPC Endpoint Service. A consumer VPC with a private subnet and an EC2 instance uses VPC Endpoints to reach Amazon Simple Storage Service (S3) and AWS Key Management Service.]


VPC Peering
[Diagram: VPC 1 (10.0.0.0/16) with Private Subnet 1 (10.0.0.0/24) and a private instance 10.0.0.1, associated with Route Table 1. VPC 2 (192.168.0.0/16) with Private Subnet 2 (192.168.0.0/24) and a private instance 192.168.0.1, associated with Route Table 2. Peering connection VPX-123 links the two VPCs; each route table points the other VPC's range at the peering connection.]

Route Table 1
  Destination      Target
  10.0.0.0/16      local
  192.168.0.1      VPX-123

Route Table 2
  Destination      Target
  192.168.0.0/16   local
  10.0.0.0/16      VPX-123
VPC Peering – No Transitive Routing
[Diagram: VPC 1 is peered with VPC 2, and VPC 2 is peered with VPC 3.]
• VPC 1 can reach VPC 2
• VPC 1 cannot reach VPC 3
VPC Peering – No Transitive Routing
[Diagram: a third peering connection is added directly between VPC 1 and VPC 3.]
• VPC 1 can reach VPC 2
• VPC 1 can reach VPC 3
AWS Site-to-Site VPN
[Diagram: an on-prem data center (172.16.0.0/16) with a customer gateway connects over IPSec to the Virtual Private Gateway VGW-123 attached to VPC 10.0.0.0/16.]

VPC Route Table
  Destination      Target
  10.0.0.0/16      local
  172.16.0.0/16    VGW-123

• One VGW per VPC
• BGP or static routes
• Redundant IPSec tunnels
• Redundant routers across two AZs
AWS Site-to-Site VPN
[Diagram: three on-prem data centers (172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16), each with its own customer gateway and IPSec tunnel, terminate on the same Virtual Private Gateway VGW-123 of VPC 10.0.0.0/16.]

VPC Route Table
  Destination      Target
  10.0.0.0/16      local
  172.16.0.0/16    VGW-123
AWS Direct Connect
[Diagram: the customer router in the Customer Data Center connects to a customer or partner router in a customer/partner cage at the Direct Connect Location (Equinix DA1), which cross-connects to the AWS Direct Connect Endpoint in the AWS cage. From there a Private VIF reaches the VGW of a VPC (EC2) in Region us-east-1, and a Public VIF reaches public services such as Amazon S3 and Amazon DynamoDB.]

• 1 or 100 Gbps (50 Mbps+ via partners)
• Consistent performance
• May lower data transfer cost
• Redundant connections optional (recommended)
VPN & Direct Connect - Mesh Topology
[Diagram: three VPCs interconnected with VPC Peering, and three data centers attached to them over VPN and Direct Connect, forming a mesh of point-to-point links.]
Transit Gateway & Direct Connect Gateway
[Diagram: the three VPCs attach to an AWS Transit Gateway and/or an AWS Direct Connect Gateway instead of peering with each other. The data centers reach the hub over VPN, Direct Connect, or VPN & Direct Connect combined.]
AWS Client VPN
[Diagram: AWS Cloud, VPC 10.0.0.0/16. A user at 1.2.3.4 with an OpenVPN client connects over TLS (TCP or UDP) to an AWS Client VPN Endpoint, whose Client VPN Network Interface (10.0.0.1) sits in Subnet 1 of Availability Zone 1 behind a security group; the client CIDR is 192.168.0.1/24. The endpoint has its own Route Table and Authorizations. An EC2 instance 10.0.0.2, also behind a security group, is reachable inside the VPC. The same VPC is connected over IPSec via VGW-123 to an on-prem data center (172.16.0.0/16) with a customer gateway.]
DNS with Amazon Route 53
• Global DNS service
• 100% Availability SLA
• Domain registrar
• Public and private DNS zones
• Supports:
  • Health checks
  • DNS failover
  • Round-robin routing
  • Weighted routing
  • Geolocation
  • Latency-based routing

[Diagram 1: a client's GET example.com is resolved by Amazon Route 53 to an Elastic Load Balancer in Region us-east-1 (N. Virginia) fronting a Web Service.]

[Diagram 2: weighted routing for A/B testing. Route 53 sends 95% of traffic to App Version A and 5% to App Version B, each behind its own Elastic Load Balancer and Web Service in us-east-1.]

[Diagram 3: DNS failover. A health check asks "Main Site Healthy?"; Yes sends traffic to the us-east-1 (N. Virginia) deployment, No sends it to App DR behind an Elastic Load Balancer and Web Service in Region us-west-2 (Oregon).]
Hybrid DNS Resolution - Route 53 Resolvers
[Diagram: an on-prem data center (172.16.0.0/16) hosting app1.corp.com and the corporate DNS server dns.corp.com connects through a customer gateway and VGW to VPC 10.0.0.0/16. Route 53 Resolver endpoints at 10.0.2.1 and 10.0.2.2 in Subnet 1 forward queries between the on-prem DNS and the VPC, so names such as database.example.com and app1.corp.com resolve on both sides.]
Amazon CloudFront
• Global CDN
• 220+ Points of Presence

1. User makes request
2. Routed to edge location
3. Edge gets from origin
4. Origin returns to edge
5. Edge caches response
6. Edge returns to user
Up Next
Hands-on Lab - VPC