VPC Endpoints
Private Communication is Better
Use-Case: EC2 and S3 Communication
For EC2 instances to reach public AWS services such as S3 and DynamoDB, the traffic traditionally had to pass through an Internet Gateway.
knowledge portal
Architectural Perspective
EC2 traffic towards S3 is routed through the Internet Gateway.
(Diagram: an EC2 instance in a public subnet of the AWS Cloud sends its traffic out through the Internet Gateway, across the Internet, to an Amazon S3 bucket.)
Challenge with Private Workloads
(Diagram: the EC2 instance in the public subnet reaches the S3 bucket via the Internet Gateway; the EC2 instance in the private subnet has no Internet route and cannot.)
Downsides of Using Public Internet
1. AWS data transfer costs
2. Higher latency
3. Can bottleneck your Internet Gateway
4. Security
Overview of VPC Endpoints
VPC Endpoints allow us to connect a VPC to other AWS services, or to other supported services, over the AWS private network.
(Diagram: an EC2 instance in a private subnet reaches an Amazon S3 bucket through a VPC Endpoint without leaving the AWS Cloud.)
Revising Important Pointers
AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses.
To use AWS PrivateLink, you create a VPC endpoint for the service in your VPC.
A VPC endpoint lets us connect a VPC to other AWS services over the AWS network.
Traffic between your VPC and the other service does not leave the Amazon network.
Gateway VPC Endpoints
Understanding Types
VPC Endpoints Type
There are three primary types of VPC Endpoints available:
1. Gateway Endpoints
2. Interface Endpoints
3. Gateway Load Balancer Endpoints
Gateway VPC Endpoints
We specify the Gateway Endpoint as a route table target for traffic destined to the supported AWS services.
Destination                  Target
172.31.0.0/16                local
54.231.0.0/17 (pl-1a2b3c4d)  vpce-11bb22cc
Supported Services
A gateway endpoint is for the following supported AWS services:
1. Amazon S3
2. DynamoDB
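The route table above, as an added example that is not part of the original slides: a small Python model of how the VPC router resolves a destination against a table whose target is a gateway endpoint. The prefix-list contents, the IGW ID and the public-subnet tables are constructed sample values; only 172.31.0.0/16, 54.231.0.0/17, pl-1a2b3c4d and vpce-11bb22cc come from the slide.

```python
import ipaddress

# Constructed sample: the managed prefix list from the slide expanded to the CIDR
# blocks it stands for (only the first CIDR is on the slide; the second is made up).
PREFIX_LISTS = {"pl-1a2b3c4d": ["54.231.0.0/17", "52.216.0.0/15"]}

# Route tables as (destination, target) pairs. PRIVATE_RT is the table on the slide;
# PUBLIC_RT and PUBLIC_RT_WITH_ENDPOINT are constructed for comparison.
PRIVATE_RT = [("172.31.0.0/16", "local"), ("pl-1a2b3c4d", "vpce-11bb22cc")]
PUBLIC_RT = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d")]
PUBLIC_RT_WITH_ENDPOINT = PUBLIC_RT + [("pl-1a2b3c4d", "vpce-11bb22cc")]


def expand_routes(route_table):
    """Replace prefix-list destinations with the CIDR blocks they stand for."""
    expanded = []
    for dest, target in route_table:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def next_hop(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does; None means no route at all
    (the 'No Internet Route' situation of the private subnet)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in expand_routes(route_table) if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reaches_s3_privately(route_table, s3_ip="54.231.10.5"):
    """True when S3 traffic leaves through the gateway endpoint rather than an IGW."""
    return next_hop(route_table, s3_ip) == "vpce-11bb22cc"
```

In the public subnet the more specific prefix-list route wins over 0.0.0.0/0, so adding the endpoint route keeps S3 traffic off the Internet Gateway; in the private subnet any non-S3 public address simply has no route.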
Today’s Architecture
(Diagram: the public-subnet EC2 instance reaches the S3 bucket through the Internet Gateway, while the private-subnet EC2 instance has no Internet route.)
Downsides of Gateway Endpoints - 1
In the Gateway endpoint approach, the VPC endpoint is created outside your VPC and traffic is routed to it via the route table.
Thus it cannot be used directly from VPNs, Direct Connect links and various other connections.
Downsides of Gateway Endpoints - 2
Endpoints are supported within the same Region only. You cannot create an endpoint between
a VPC and a service in a different Region.
Endpoints support IPv4 traffic only.
You must turn on DNS resolution in your VPC, or if you're using your own DNS server,
ensure that DNS requests to the required service (such as Amazon S3) are resolved correctly to
the IP addresses maintained by AWS.
Interface Endpoints
New Generation Endpoint
Interface Endpoints
An interface endpoint is an elastic network interface with a private IP address from the IP
address range of your subnet.
It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint
service.
(Diagram: an EC2 instance in a private subnet reaches Amazon S3 and Amazon SQS through an Interface VPC Endpoint.)
Benefits of Interface Endpoint
1. Interface endpoints enable the use of security groups to restrict access to the endpoint.
2. VPN and Direct Connect based connections are supported.
3. Interface endpoints support many more services than Gateway endpoints.
VPC Endpoint Services
More Use-Cases Supported
Sample Use-Case
Many service providers, such as Datadog and New Relic, require us to upload our server/application metrics over the Internet.
(Diagram: consumers send metrics across the Internet to the service providers, who receive them and pass the data on over their internal network.)
Dashboards using Metrics Collected
Possible Approach - VPC Peering
The VPC Peering approach faces multiple challenges related to CIDR overlap between clients.
(Diagram: Consumer 1 with 172.31.0.0/16 and Consumer 2 with the same 172.31.0.0/16 both need to peer with the Service Provider VPC 10.77.0.0/16; the overlapping consumer CIDRs are the source of the problem.)
Service VPC Endpoints
You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service).
Direct Connect
Let’s Route Centrally
Customer to VPC
Packets travel via hops
Challenges
● The Internet is a good option as long as the amount of traffic stays within a certain limit.
● There is always latency involved.
● Many organizations have a hybrid architecture: DataCenter + AWS.
● In such cases, latency can cause major challenges for the application.
Introducing DX
● To solve this challenge, AWS introduced Direct Connect.
● AWS Direct Connect lets a customer establish a dedicated network connection between the customer’s network and one of the Direct Connect locations.
Benefits of DX
A direct connection between the customer’s datacenter and AWS brings a tremendous number of benefits, some of which include:
i) Consistent network performance
ii) Reduced bandwidth costs
iii) Private connectivity to our AWS VPC
Architecture of DX
Transit Gateways
Challenges and Structure
Overview of Transit Gateways
A transit gateway is a network transit hub that you can use to interconnect your virtual
private clouds (VPC) and on-premises networks.
(Diagrams: VPC 1 through VPC N attached to a Transit Gateway; in the second diagram an On-Premise DataCenter is also attached to the same Transit Gateway.)
Transit Gateway Concepts
1) Attachment
● We can attach a VPC or VPN connection to a transit gateway.
2) Transit gateway route table
● A route table includes dynamic and static routes that decide the next hop based on the destination IP address of the packet.
● An attachment can be associated with a single route table.
Transit Gateway Concepts
3) Association
● Each attachment is associated with exactly one route table.
4) Route Propagation
● A VPC or VPN connection can dynamically propagate routes to a transit gateway route table.
● With a VPC, you must create static routes to send traffic to the transit gateway.
● With a VPN connection, routes are propagated from the transit gateway to your on-premises
router using Border Gateway Protocol (BGP).
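The four concepts on these two slides (attachment, route table, association, route propagation), as an added example that is not part of the original deck: a Python model of a transit gateway in which every attachment is associated with exactly one route table, routes enter the table either statically or by propagation, and forwarding takes the longest matching prefix. All attachment IDs, route table IDs and CIDRs are constructed sample values.

```python
import ipaddress


class TransitGateway:
    def __init__(self):
        self.route_tables = {}   # route table id -> list of (network, next-hop attachment)
        self.associations = {}   # attachment id -> the single route table it uses

    def associate(self, attachment, rt_id):
        """Association: each attachment is associated with exactly one route table."""
        if attachment in self.associations:
            raise ValueError(f"{attachment} is already associated with a route table")
        self.route_tables.setdefault(rt_id, [])
        self.associations[attachment] = rt_id

    def _add_route(self, rt_id, cidr, attachment):
        self.route_tables.setdefault(rt_id, []).append((ipaddress.ip_network(cidr), attachment))

    def add_static_route(self, rt_id, cidr, attachment):
        """Static route entered by an administrator."""
        self._add_route(rt_id, cidr, attachment)

    def propagate(self, rt_id, attachment, prefixes):
        """Route propagation: the attachment pushes prefixes into the route table
        (a VPC propagates its CIDR; a VPN propagates what it learned over BGP)."""
        for cidr in prefixes:
            self._add_route(rt_id, cidr, attachment)

    def forward(self, src_attachment, dst_ip):
        """Next hop for a packet arriving on src_attachment: consult the route table
        that attachment is associated with and pick the longest matching prefix."""
        routes = self.route_tables[self.associations[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, hop) for net, hop in routes if ip in net]
        if not matches:
            return None   # no route: the transit gateway drops the packet
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_demo():
    """Two VPC attachments and one VPN attachment sharing a single route table
    (constructed sample topology)."""
    tgw = TransitGateway()
    for att in ("tgw-attach-vpc1", "tgw-attach-vpc2", "tgw-attach-vpn"):
        tgw.associate(att, "tgw-rtb-main")
    tgw.propagate("tgw-rtb-main", "tgw-attach-vpc1", ["10.1.0.0/16"])      # VPC CIDR
    tgw.add_static_route("tgw-rtb-main", "10.2.0.0/16", "tgw-attach-vpc2")  # static
    tgw.propagate("tgw-rtb-main", "tgw-attach-vpn", ["192.168.0.0/16"])     # BGP-learned
    return tgw
```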
Logging Account Structure
Logs should be stored in a centralized place where they can be monitored and analyzed on a regular basis.
(Diagram: CloudTrail and Config data from Account A and Account B are delivered to a Central Account.)
Publishing Account Architecture
This account structure can be beneficial for customers who want to centrally manage pre-approved server images and AWS CloudFormation templates across a company.
(Diagram: Service Catalog products and EC2 AMIs are shared from the publishing account with Account A and Account B.)
Billing Structure
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts.
One Bill + Easy Tracking + Combined Usage + No Extra Fee
(Diagram: Account A and Account B are billed through the Master Account.)
Placement Groups
Time to go fast
Placement Groups
● Placement groups are recommended for applications that require low latency and high network throughput.
● Placement groups can also be used to influence the placement of a group of EC2 instances.
Small Road vs Highway
Let’s understand the GUI way
(Screenshot: Placement Group)
Point 2 - Influencing Placement of EC2
● A single physical server can run multiple virtual machines.
● This can lead to issues if you are running a cluster of servers.
Example:
● Medium Corp is running a MySQL cluster consisting of two servers in a single AZ. In the background, both EC2 instances are on the same underlying host.
Example Use-Case
Medium Corp is running a MySQL cluster consisting of two servers in a single AZ. The servers are of type m4.large.
In the background, both EC2 instances are on the same underlying host.
(Diagram: a single virtualization host running both MySQL instances.)
Solution - Placement Group
With a placement group, we can explicitly specify that the two EC2 instances should not be placed on the same server (or the same rack of servers).
(Diagram: the two MySQL instances now run on two separate virtualization hosts.)
Racks in Data Center
Types of Placement Groups
There are three types of placement groups available:
Sr No  Type       Description
1      Cluster    Packs instances close to each other in an Availability Zone.
2      Partition  Spreads instances across logical partitions such that groups of instances in one partition do not share underlying hardware with other partitions.
3      Spread     Strictly places a group of instances across distinct hardware to reduce failures.
Cluster Placement Groups
Logical grouping of instances within a single Availability Zone.
Intended for applications that require low network latency and high network throughput.
Partition Placement Groups
AWS ensures that each partition within a placement group has its own set of racks.
In the diagram below, there are 3 partitions and each partition has multiple EC2 instances.
Each of these partitions resides in a different rack inside the data center.
Spread Placement Group
A spread placement group is a group of instances that are each placed on distinct racks, with
each rack having its own network and power source.
In the following diagram, there are 7 EC2 instances and each instance is in a separate rack.
Important Points - Cluster Placement Groups
● A cluster placement group can't span multiple Availability Zones.
● Only specific types of EC2 instances can be launched into it.
● The maximum network throughput between two instances in a placement group is limited by the slower of the two instances.
● It is recommended to launch all instances together. Launching instances later can lead to capacity errors; in such a case, stop and start all instances in the placement group.
Join us in our Adventure
kplabs.in/twitter
Be Awesome
kplabs.in/linkedin
instructors@kplabs.in