Steve Seymour
Principal Solutions Architect
@sseymour
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
[Figure: EC2 instances inside a VPC. Private addresses 172.31.1.24, 172.31.0.128, 172.31.0.129 and 172.31.1.27 come from the VPC range; public addresses 54.4.5.6 and 54.2.3.4 are what the Internet sees.]
VPC
VPC: your private network in AWS
Walkthrough: setting up an Internet-connected VPC
Creating an Internet-connected VPC: steps
Choosing an IPv4 address range for your VPC

172.31.0.0/16 = 1010 1100 . 0001 1111 . 0000 0000 . 0000 0000 (the first 16 bits are the network prefix; the remaining 16 are yours to subnet)

Recommended: a /16 from an RFC1918 range (64K addresses), for example 172.31.0.0/16.

The primary CIDR cannot be changed once the VPC exists (only secondary ranges can be added later), so pick a range that will not collide with networks you may later peer with or connect over VPN.
Adding a secondary IPv4 address range

Primary CIDR: 172.31.0.0/20
Secondary CIDRs (added one at a time): 172.31.16.0/20, 172.31.32.0/20, 172.31.112.0/20

A secondary range must not overlap the primary range or any other secondary range already on the VPC.
IPv6 in Amazon VPC – Dual-stack

IPv4 CIDR: 172.31.0.0/16
IPv6 CIDR: 2001:db8:1234:1a00::/56 (a /56 associated with the VPC, automatically allocated from Amazon's range; 2001:db8::/32 is the documentation prefix used for illustration)

The IPv6 addresses are Amazon Global Unicast Addresses (GUA) and are Internet-routable. There is no NAT in front of them: an instance with an IPv6 address is reachable from the Internet as soon as its subnet's route table has a ::/0 route to an Internet gateway and its security group permits the traffic.
Subnets

VPC subnets and Availability Zones: the VPC range (172.31.0.0/16, plus 2001:db8:1234:1a00::/56 when dual-stack) is carved into subnets, and each subnet lives in exactly one Availability Zone.

For IPv6:
• a /56 is allocated per VPC (lots of addresses)
• subnets are always /64, so a /56 yields 256 subnets
Route to the Internet

Routing in your VPC: each subnet's route table decides whether it can reach the Internet.
• A VPC subnet whose route table sends 0.0.0.0/0 to an Internet gateway is public: instances with public addresses can both receive and initiate Internet traffic.
• A VPC subnet with no route to the Internet stays private.

Outbound-only Internet access: NAT gateway
• The NAT gateway sits in a public subnet (0.0.0.0/0 → Internet gateway).
• The private subnet's route table sends 0.0.0.0/0 to the NAT gateway. Instances can initiate outbound connections, but the NAT gateway never forwards unsolicited inbound connections to them.
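The public / private / outbound-only distinction above comes down to the target of each route table's default route, so it can be audited mechanically. The following Python is an added example, not code from the deck or from AWS: it reads route tables shaped like the `RouteTables` array returned by `aws ec2 describe-route-tables --output json` (the sample tables, subnet IDs and gateway IDs below are constructed) and classifies each explicitly associated subnet as public (0.0.0.0/0 or ::/0 to an Internet gateway), outbound-only (default route to a NAT gateway or egress-only Internet gateway), isolated (no default route) or other (a default route to something else, such as a NAT instance).

```python
import json
from ipaddress import ip_network

# Constructed sample shaped like the "RouteTables" array that
# `aws ec2 describe-route-tables --output json` returns. All IDs are made up.
SAMPLE_ROUTE_TABLES = json.loads(r"""
[
  {"RouteTableId": "rtb-0a1", "VpcId": "vpc-0001",
   "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
   "Routes": [
     {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
     {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc"}]},
  {"RouteTableId": "rtb-0b2", "VpcId": "vpc-0001",
   "Associations": [{"SubnetId": "subnet-app-a"}],
   "Routes": [
     {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
     {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0123"}]},
  {"RouteTableId": "rtb-0c3", "VpcId": "vpc-0001",
   "Associations": [{"Main": true}, {"SubnetId": "subnet-db-a"}],
   "Routes": [
     {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "10.55.0.0/16", "VpcPeeringConnectionId": "pcx-0456"}]}
]
""")

# Attributes the API uses to name a route's target, depending on the target type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId",
               "VpcPeeringConnectionId", "InstanceId", "NetworkInterfaceId")


def route_target(route):
    """Return the target ID of a route, whichever attribute the API put it in."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return ""


def is_default_route(route):
    """True for 0.0.0.0/0 or ::/0, i.e. a destination with prefix length zero."""
    dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    return dest is not None and ip_network(dest).prefixlen == 0


def classify_route_table(table):
    """Exposure implied by a route table's default routes.

    public        : any default route targets an Internet gateway (igw-)
    outbound-only : default routes target only a NAT gateway (nat-) or an
                    egress-only Internet gateway (eigw-)
    other         : a default route exists but points elsewhere (NAT instance,
                    appliance ENI, peering connection); inspect by hand
    isolated      : no default route at all
    """
    exposure = "isolated"
    for route in table.get("Routes", []):
        if not is_default_route(route):
            continue
        target = route_target(route)
        if target.startswith("igw-"):
            return "public"                  # one IGW default route is enough
        if target.startswith(("nat-", "eigw-")):
            exposure = "outbound-only"
        elif exposure == "isolated":
            exposure = "other"
    return exposure


def subnet_exposure(route_tables):
    """Map every explicitly associated subnet to its exposure class."""
    result = {}
    for table in route_tables:
        exposure = classify_route_table(table)
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:          # the {"Main": true} entry has no subnet
                result[assoc["SubnetId"]] = exposure
    return result


def public_subnets(route_tables):
    """The subnets a reviewer looks at first: those with an IGW default route."""
    return sorted(s for s, e in subnet_exposure(route_tables).items() if e == "public")


if __name__ == "__main__":
    for subnet, exposure in sorted(subnet_exposure(SAMPLE_ROUTE_TABLES).items()):
        print(f"{subnet:14} {exposure}")
```

Subnets with no explicit association inherit the VPC's main route table (the association carrying `"Main": true`), so a complete audit also maps those subnets to the main table's class. The class describes what the route table permits; security groups and network ACLs still have to allow the traffic for a "public" subnet to actually be reachable.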
VPC Peering

Peering 172.31.0.0/16 with 10.55.0.0/16: the two VPCs' address ranges must not overlap. Security groups in one VPC can reference security groups in the peered VPC, so the Orange Security Group can ALLOW traffic from the Blue Security Group instead of from a whole CIDR. Peering is not transitive: a VPC peered with two others does not route traffic between them.

Establish a VPC peering:
Step 1: initiate the request from one VPC (172.31.0.0/16) to the other (10.55.0.0/16)
Step 2: accept the request on the peer VPC
Step 3: create routes in both VPCs' route tables pointing at the peering connection
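The address-planning rules on the preceding slides (a secondary CIDR must not overlap the ranges already on the VPC, a /56 of IPv6 splits into 256 /64 subnets, and peering requires the two VPCs' ranges to be disjoint) are all CIDR arithmetic, so they can be checked before anything is created. The Python below is an added example, not code from the deck or from AWS, that runs those checks with the deck's own numbers using the standard library's `ipaddress` module. The /16 to /28 size limit for a VPC CIDR and the five addresses AWS reserves in every subnet are AWS facts stated here that the slides do not show; AWS also imposes further pairing restrictions on secondary ranges that this code does not model.

```python
from ipaddress import ip_network, IPv4Network

# The deck's recommendation: pick the VPC range from RFC1918 space.
RFC1918 = [ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS facts not shown on the slides: a VPC IPv4 CIDR must be between /16 and
# /28, and AWS reserves the first four and the last address of every subnet.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(cidr):
    """Return a list of findings for a proposed VPC IPv4 CIDR; empty means OK."""
    net = ip_network(cidr)
    if not isinstance(net, IPv4Network):
        return ["VPC primary CIDR must be IPv4"]
    findings = []
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        findings.append(f"/{net.prefixlen} is outside the /{VPC_MIN_PREFIX}../{VPC_MAX_PREFIX} VPC range")
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append("not in an RFC1918 range (recommended)")
    return findings


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually be given in a subnet of this size."""
    return ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def secondary_conflicts(primary, secondaries, new):
    """Ranges already on the VPC that `new` would overlap (empty means it can be added)."""
    new_net = ip_network(new)
    return [c for c in (primary, *secondaries) if new_net.overlaps(ip_network(c))]


def add_secondary_cidr(primary, secondaries, new):
    """Return the secondary list with `new` appended, or raise on overlap."""
    conflicts = secondary_conflicts(primary, secondaries, new)
    if conflicts:
        raise ValueError(f"{new} overlaps {', '.join(conflicts)}")
    return [*secondaries, new]


def ipv6_subnet_count(vpc_v6_cidr):
    """Number of /64 subnets (the only IPv6 subnet size in a VPC) in the VPC block."""
    return sum(1 for _ in ip_network(vpc_v6_cidr).subnets(new_prefix=64))


def can_peer(vpc_a_cidrs, vpc_b_cidrs):
    """Peering needs every range of one VPC to be disjoint from every range of the other."""
    return not any(ip_network(a).overlaps(ip_network(b))
                   for a in vpc_a_cidrs for b in vpc_b_cidrs)


def plan_from_deck():
    """Replay the slides: 172.31.0.0/20 plus three secondaries, then peer with 10.55.0.0/16."""
    primary = "172.31.0.0/20"
    secondaries = []
    for s in ("172.31.16.0/20", "172.31.32.0/20", "172.31.112.0/20"):
        secondaries = add_secondary_cidr(primary, secondaries, s)
    return {
        "secondaries": secondaries,
        "peer_ok": can_peer([primary, *secondaries], ["10.55.0.0/16"]),
        "ipv6_subnets": ipv6_subnet_count("2001:db8:1234:1a00::/56"),
    }


if __name__ == "__main__":
    print(check_vpc_cidr("172.31.0.0/16"), usable_hosts("172.31.0.0/16"))
    print(plan_from_deck())
```

`secondary_conflicts` is the check to run before `aws ec2 associate-vpc-cidr-block`; `can_peer` is the one to run against every CIDR of both VPCs (primary and secondaries) before creating a peering connection, since a later secondary range that collides with a peer's range cannot be routed across the peering.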
Connecting to on-premises networks: Virtual Private Network & Direct Connect

Extend an on-premises network into your VPC, either over a VPN across the Internet or over a dedicated Direct Connect link.

AWS VPN basics
On-premises network 192.168.0.0/16 with a Customer Gateway; VPC 172.31.0.0/16 with a Virtual Private Gateway. IPsec tunnels run between the two gateways, and the VPC route tables send 192.168.0.0/16 to the Virtual Private Gateway.
Agenda:
AWS services in your VPC
VPC endpoints for Amazon S3 & DynamoDB
DNS in-VPC with Amazon Route 53
Logging VPC traffic with VPC Flow Logs
AWS services in your VPC

Example: an Amazon RDS database runs inside your VPC, but your data in a DynamoDB table or an S3 bucket lives outside the VPC, behind the services' public endpoints.
AWS VPC endpoints

Without an endpoint, traffic to the S3 bucket or the DynamoDB table leaves the VPC through the Internet gateway or a NAT gateway. A VPC endpoint (VPCE) for S3 or DynamoDB adds a route for the service's prefix list to the subnet's route table, so S3-bound and DynamoDB-bound traffic is routed to the VPCE and stays on the AWS network.
IAM policy for VPC endpoints

An IAM policy attached to the VPC endpoint restricts what the VPC can do in S3, for example allowing access only to a specific S3 bucket. It narrows access; it does not grant anything the caller's own IAM permissions do not already allow.
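As an added example (not a policy from the deck), an endpoint policy that limits everything passing through the S3 endpoint to one bucket. The bucket name example-app-data is assumed; the `Principal: "*"` is normal for an endpoint policy, because the endpoint filters requests rather than identifying callers.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyTheAppBucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-app-data",
        "arn:aws:s3:::example-app-data/*"
      ]
    }
  ]
}
```

The mirror image belongs on the bucket: a bucket policy that denies requests whose `aws:sourceVpce` condition key is not your endpoint's ID, so the bucket can only be reached from inside the VPC. One caveat before tightening the endpoint side this far: instances often depend on AWS-owned buckets (the Amazon Linux package repositories are served from S3), and an endpoint policy that lists only your bucket will break those downloads until their buckets are added.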
Private Hosted Zone (Amazon Route 53): example.demohostedzone.org → 172.31.0.99. Records in a private hosted zone resolve only from the VPCs associated with the zone, so internal names never appear in public DNS.
VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs

VPC Flow Logs record, per elastic network interface, the source and destination addresses and ports, the protocol, packet and byte counts, and whether the traffic was ACCEPTed or REJECTed by your security groups and network ACLs. They do not capture payload, and traffic between instances and the Amazon-provided DNS resolver is not logged.

Who's this? A REJECT entry on UDP port 53 (DNS) involving an unfamiliar address; reverse-resolve it:
# dig +short -x 109.236.86.32
internetpolice.co.
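Finding that address in the first place means parsing the flow log records and counting the REJECTs. The Python below is an added example, not code from the deck or from AWS: it parses records in the default (version 2) flow-log format, tallies rejected flows by source address and protocol/port, and lists the rejected sources from outside the VPC range in the order you would hand them to `dig +short -x`. The sample records are constructed (account, ENI, timestamps and the 198.51.100.7 and 172.31.x.x addresses are made up); 109.236.86.32 is the address the deck resolves.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records. The last one is a NODATA record, which carries
# "-" in place of the traffic fields and must not be counted.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 109.236.86.32 172.31.0.128 43210 53 17 1 76 1466400000 1466400059 REJECT OK
2 123456789012 eni-0a1b2c3d 109.236.86.32 172.31.0.128 43211 53 17 1 76 1466400000 1466400059 REJECT OK
2 123456789012 eni-0a1b2c3d 109.236.86.32 172.31.0.129 51515 53 17 1 76 1466400060 1466400119 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.0.128 55555 22 6 3 180 1466400060 1466400119 REJECT OK
2 123456789012 eni-0a1b2c3d 172.31.1.24 172.31.0.128 49152 443 6 20 4249 1466400060 1466400119 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1466400120 1466400179 - NODATA
"""


def parse_record(line):
    """Parse one default-format record into a dict, or return None if it is not one."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:                      # "-" appears on NODATA/SKIPDATA records
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def service(rec):
    """Render protocol and destination port the way the deck does: UDP/53."""
    proto = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return f"{proto}/{rec['dstport']}"


def rejected_flows(text):
    """Count REJECTed records by (source address, protocol/destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        counts[(rec["srcaddr"], service(rec))] += 1
    return counts


def unknown_sources(text, vpc_cidr="172.31.0.0/16"):
    """Rejected source addresses from outside the VPC, busiest first.

    These are the addresses to feed to `dig +short -x`, as the deck does.
    """
    vpc = ip_network(vpc_cidr)
    outside = Counter()
    for (src, _svc), n in rejected_flows(text).items():
        if ip_address(src) not in vpc:
            outside[src] += n
    return [src for src, _ in outside.most_common()]


if __name__ == "__main__":
    for (src, svc), n in rejected_flows(SAMPLE_LOG).most_common():
        print(f"{n:4} REJECT  {src:16} -> {svc}")
    print("look up:", unknown_sources(SAMPLE_LOG))
```

Two caveats when reading the output: a REJECT only means a security group or network ACL dropped the traffic, which is the control working rather than an incident by itself, and a reverse-DNS name such as internetpolice.co. is set by whoever controls the address block, so treat it as a hint about the source, not as an identity.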
VPC: your private network in AWS
The VPC network
VPC network security
VPC connectivity
Thank you!