AMERICAS
NET201
AWS networking fundamentals
Aarthi Raju
Principal Solutions Architect
AWS
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
[Diagram: Region US-EAST-1 with Availability Zones US-EAST-1A and US-EAST-1B; a VPC spans both AZs, with instances in each]
Amazon Virtual Private Cloud (Amazon VPC)
[Diagram: a VPC spanning Availability Zones US-EAST-1A and US-EAST-1B]
Subnets
[Diagram: the VPC with a public subnet and a private subnet in each Availability Zone (US-EAST-1A, US-EAST-1B)]
Amazon Elastic Compute Cloud (Amazon EC2) instances
[Diagram: EC2 instances in the public and private subnets of each Availability Zone (US-EAST-1A, US-EAST-1B)]
Gateways, endpoints, and peering
[Diagram: the two-AZ VPC with public and private subnets and their instances, the base layout for the gateways, endpoints, and peering that follow]
Example web application
[Diagram: an Elastic Load Balancer (ELB) in front of web servers in the public subnets, protected by a web server security group; application servers in the private subnets, protected by an application server security group]
IP addressing
[Diagram: the two-AZ VPC with public and private subnets, to which addresses are assigned next]
Where to use IPv4 addresses?
[Diagram: the VPC with four subnets, each assigned an IPv4 block from the 172.31.x.x range (the exact blocks are truncated on the slide)]
Where to use IPv6 addresses?
[Diagram: the same four subnets, each carrying its 172.31.x.x IPv4 block plus an IPv6 /64 carved from the VPC's 2600:1f16:14d:6300::/56 block: 2600:1f16:14d:6300::/64, 2600:1f16:14d:6301::/64, 2600:1f16:14d:6328::/64, 2600:1f16:14d:6329::/64]
The 5 things required for internet traffic
1. Public IP address
2. Internet gateway attached to a VPC
3. Route to an internet gateway
4. Network access control list (ACL) allow rule
5. Security group allow rule
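The five requirements as executable checks, added here as an illustration and not part of the slides: given an instance's public address, whether its VPC has an internet gateway, its subnet route table, its network ACL and its security group, the evaluator reports which requirements an inbound flow from the internet fails. Route selection uses longest-prefix match as a VPC route table does; network ACL rules are stateless, evaluated lowest rule number first with an implicit deny at the end; security group rules are allow-only. Every identifier (igw-EXAMPLE, nat-EXAMPLE), address and rule set in the block is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: the five requirements for internet traffic as executable checks.
# Every identifier, address and rule below is constructed; none comes from a real account.

@dataclass
class Route:
    destination: str          # CIDR, e.g. "0.0.0.0/0"
    target: str               # "local", "igw-...", "nat-...", "tgw-..."

@dataclass
class Rule:
    """One network ACL or security group rule (security groups ignore number/action)."""
    number: int               # NACL: evaluated lowest number first
    protocol: str             # "tcp", "udp", "icmp" or "-1" for all protocols
    ports: Tuple[int, int]    # inclusive port range; ignored when protocol is "-1"
    cidr: str
    action: str = "allow"     # NACL only: "allow" or "deny"

@dataclass
class Instance:
    public_ip: Optional[str]
    vpc_has_igw: bool         # an internet gateway is attached to the VPC
    routes: List[Route]       # the subnet's route table
    nacl_inbound: List[Rule]
    sg_inbound: List[Rule]

def longest_prefix_match(routes: List[Route], ip: str) -> Optional[Route]:
    """Select the route whose destination covers ip with the longest prefix, as a route table does."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, Route]] = None
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None

def _matches(rule: Rule, proto: str, port: int, src: str) -> bool:
    if rule.protocol not in ("-1", proto):
        return False
    if rule.protocol != "-1" and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.cidr)

def nacl_allows(rules: List[Rule], proto: str, port: int, src: str) -> bool:
    """Stateless: rules checked in number order, the first match decides, implicit deny at the end."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, src):
            return rule.action == "allow"
    return False

def sg_allows(rules: List[Rule], proto: str, port: int, src: str) -> bool:
    """Stateful allow list: any matching rule permits the flow."""
    return any(_matches(rule, proto, port, src) for rule in rules)

def missing_for_inbound(inst: Instance, src: str, proto: str, port: int) -> List[str]:
    """Return the requirements an inbound internet flow src -> inst:port fails (empty list = reachable)."""
    failures = []
    if not inst.public_ip:
        failures.append("public IP address")
    if not inst.vpc_has_igw:
        failures.append("internet gateway attached to a VPC")
    route = longest_prefix_match(inst.routes, src)   # the return path to src
    if route is None or not route.target.startswith("igw-"):
        failures.append("route to an internet gateway")
    if not nacl_allows(inst.nacl_inbound, proto, port, src):
        failures.append("network ACL allow rule")
    if not sg_allows(inst.sg_inbound, proto, port, src):
        failures.append("security group allow rule")
    return failures

# Constructed sample: a web server in a public subnet, an application server in a private one.
ALLOW_ALL_NACL = [Rule(100, "-1", (0, 65535), "0.0.0.0/0", "allow")]
BLOCKING_NACL = [Rule(90, "-1", (0, 65535), "203.0.113.0/24", "deny")] + ALLOW_ALL_NACL
WEB_SERVER = Instance(
    public_ip="198.51.100.200", vpc_has_igw=True,
    routes=[Route("172.31.0.0/16", "local"), Route("0.0.0.0/0", "igw-EXAMPLE")],
    nacl_inbound=BLOCKING_NACL,
    sg_inbound=[Rule(0, "tcp", (443, 443), "0.0.0.0/0")],
)
APP_SERVER = Instance(
    public_ip=None, vpc_has_igw=True,
    routes=[Route("172.31.0.0/16", "local"), Route("0.0.0.0/0", "nat-EXAMPLE")],
    nacl_inbound=ALLOW_ALL_NACL,
    sg_inbound=[Rule(0, "tcp", (8080, 8080), "172.31.0.0/16")],
)
```

Calling `missing_for_inbound(WEB_SERVER, "198.51.100.10", "tcp", 443)` returns an empty list, while the same call for `APP_SERVER` returns three failures (no public IP, default route via NAT rather than the internet gateway, no matching security group rule): the private-subnet instance is unreachable from the internet for three independent reasons, which is what the layered design intends.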
Public IP addresses for your instances
• Auto-assign public IP addresses
• Elastic IP addresses
• Amazon Elastic IP address pool
• Bring Your Own IP (BYOIP) pool
Public IP addresses
[Diagram: the two-AZ VPC with its four subnets]
Gateways, endpoints, and peering
• Customer gateway
• VPN gateway
• NAT gateway
• Internet gateway
• AWS Transit Gateway
• Endpoints
• Peering connection
Internet access
Public and private subnets
[Diagram: a private subnet alongside a public subnet]
Network address translation (NAT) gateway
[Diagram: a NAT gateway in the public subnet, serving instances in the private subnet]
Network security
• Network ACLs
• Security groups
• VPC Flow Logs
• Amazon VPC Traffic Mirroring
Network ACLs
[Diagram: network ACLs at the subnet boundary: web servers in the public subnets and application servers in the private subnets of both Availability Zones]
Security groups – Inbound
[Diagram: inbound security groups: the web servers in the public subnets belong to the web server security group (sg-0f004ca5495132527); the application servers in the private subnets belong to the application server security group (sg-090a960aee374b3cd)]
VPC Flow Logs
• Amazon CloudWatch Logs or Amazon S3
• Does not impact throughput or latency
• Apply to VPC, subnet, or elastic network interface
• Accepted, rejected, or all traffic
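A small parser for flow log records, added here as an example and not taken from the slides or from AWS. The field order is the default (version 2) record format; the records themselves, the account id and the ENI id are constructed, with documentation-range addresses. The functions skip NODATA/SKIPDATA records, count rejected flows per source, and flag a source whose rejected TCP flows touched several distinct ports in one aggregation window, the pattern a defender looks for first in rejected traffic.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (placeholder account and ENI ids, documentation-range addresses).
# Each record covers one aggregation window; NODATA/SKIPDATA records carry no flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0EXAMPLE00000001 203.0.113.12 172.31.1.5 52044 22 6 1 40 1584000000 1584000060 REJECT OK
2 123456789012 eni-0EXAMPLE00000001 203.0.113.12 172.31.1.5 52045 23 6 1 40 1584000000 1584000060 REJECT OK
2 123456789012 eni-0EXAMPLE00000001 203.0.113.12 172.31.1.5 52046 3389 6 1 40 1584000000 1584000060 REJECT OK
2 123456789012 eni-0EXAMPLE00000001 198.51.100.7 172.31.1.5 40312 443 6 20 8400 1584000000 1584000060 ACCEPT OK
2 123456789012 eni-0EXAMPLE00000001 172.31.1.5 198.51.100.7 443 40312 6 18 12000 1584000000 1584000060 ACCEPT OK
2 123456789012 eni-0EXAMPLE00000001 - - - - - - - 1584000000 1584000060 - NODATA
2 123456789012 eni-0EXAMPLE00000001 - - - - - - - 1584000000 1584000060 - SKIPDATA
"""

def parse_flow_logs(text: str) -> List[Dict]:
    """Parse default-format records, keeping only those with log-status OK."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line: skip rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA: no flow to analyse
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records

def rejects_by_source(records: List[Dict]) -> Counter:
    """Count REJECT records per source address (traffic denied by a NACL or security group)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")

def suspected_port_scans(records: List[Dict], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose rejected TCP flows (protocol 6) hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def bytes_by_interface(records: List[Dict]) -> Dict[str, int]:
    """Total bytes seen per elastic network interface, in both directions."""
    totals = Counter()
    for r in records:
        totals[r["interface_id"]] += r["bytes"]
    return dict(totals)
```

On the sample, `suspected_port_scans` returns `{"203.0.113.12": [22, 23, 3389]}`: three rejected connection attempts to distinct ports from one source inside a single window. Because the default format records only what the ENI saw, the same record stream can be fed in from either Amazon CloudWatch Logs or Amazon S3 without changing the parser.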
Amazon VPC Traffic Mirroring
• Mirror to another elastic network interface or Network Load Balancer with UDP listener
• Packet copy – shares interface bandwidth
• Traffic mirror filters to define interesting traffic
• Traffic mirror session is the combination of source, target, and filter
Connecting between VPCs
[Diagram: three VPCs in the AWS Cloud, not yet connected]
VPC peering
[Diagram, built up over several slides: peering connections are added one at a time between pairs of VPCs until each VPC is connected to the others]
VPC peering – Things to know
• Can reference security groups from the peer VPC in the same region
• Can enable DNS hostname resolution to return private IP addresses
• Can peer for both IPv4 and IPv6 addresses
• Cannot have overlapping IP addresses
• Cannot have multiple peers between the same pair of VPCs
• Cannot use jumbo frames across inter-region VPC peering
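The two "cannot" rules above, together with the IPv6 subnet plan from the "Where to use IPv6 addresses?" slide, are checks that can be run before a peering request or a subnet is created. The block below is an added example using Python's standard `ipaddress` module, not code from the slides or from AWS. The /56 block and its four /64 subnets are the ones shown on the slide; the VPC names (vpc-web, vpc-svc, vpc-legacy) and their CIDRs are constructed.

```python
import ipaddress
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# IPv6 block and /64 subnets as shown on the "Where to use IPv6 addresses?" slide.
VPC_IPV6_BLOCK = "2600:1f16:14d:6300::/56"
SLIDE_SUBNETS = ["2600:1f16:14d:6300::/64", "2600:1f16:14d:6301::/64",
                 "2600:1f16:14d:6328::/64", "2600:1f16:14d:6329::/64"]

# Constructed VPC inventory: name -> CIDR blocks. 172.31.0.0/16 and 10.50.0.0/16 appear on
# the PrivateLink slide; vpc-legacy is invented to show an overlap.
VPCS: Dict[str, List[str]] = {
    "vpc-web": ["172.31.0.0/16"],
    "vpc-svc": ["10.50.0.0/16"],
    "vpc-legacy": ["172.31.0.0/16"],
}

def check_ipv6_subnets(vpc_block: str, subnet_blocks: List[str]) -> List[str]:
    """Problems with a subnet plan: each subnet must be a /64 inside the VPC block, none may overlap."""
    vpc = ipaddress.ip_network(vpc_block)
    nets = [ipaddress.ip_network(s) for s in subnet_blocks]
    problems = []
    for net in nets:
        if net.prefixlen != 64:
            problems.append(f"{net}: IPv6 subnets must be /64")
        if not net.subnet_of(vpc):
            problems.append(f"{net}: not inside {vpc}")
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems

def check_peering(vpcs: Dict[str, List[str]], existing: Set[FrozenSet[str]],
                  requester: str, accepter: str) -> List[str]:
    """Apply the two 'cannot' rules: no overlapping CIDRs, one peering connection per VPC pair."""
    problems = []
    pair = frozenset((requester, accepter))
    if len(pair) == 1:
        problems.append("a VPC cannot peer with itself")
    elif pair in existing:
        problems.append(f"{requester} and {accepter} already have a peering connection")
    for a in vpcs[requester]:
        for b in vpcs[accepter]:
            na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
            # Only same-family blocks can collide; an IPv4 and an IPv6 block never overlap.
            if na.version == nb.version and na.overlaps(nb):
                problems.append(f"{requester} {na} overlaps {accepter} {nb}")
    return problems
```

`check_peering(VPCS, set(), "vpc-web", "vpc-legacy")` reports the 172.31.0.0/16 overlap, and passing the already-established pair in `existing` reports the duplicate request; both would otherwise fail only when the peering request reaches AWS.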
AWS Site-to-Site VPN setup – VGW
[Diagram: VPC 10.0.0.0/16 with a virtual private gateway, and a corporate data center 172.16.0.0/16]
AWS Site-to-Site VPN – CGW
[Diagram: the virtual private gateway on the VPC (10.0.0.0/16) side and a customer gateway at the corporate data center (172.16.0.0/16); the customer gateway's IP address is not needed when a certificate is used]
AWS Site-to-Site VPN
[Diagram, built up over three slides: an instance in VPC 10.0.0.0/16 does not know how to reach 172.16.0.0/16; the virtual private gateway does ("I know how to get to 172.16.0.0/16"), so the VPC route table carries 172.16.0.0/16 via VGW and traffic crosses the VPN to the customer gateway at the corporate data center; one of the two tunnels is always preferred]
1x VPN connection = 2x VPN tunnels
1x VPN tunnel = 1.25 Gbps
AWS Direct Connect – Physical connection
[Diagram: the corporate data center (172.16.0.0/16) router connects to a customer router at the Direct Connect location, which connects to an AWS router and on into the AWS global network]
AWS Direct Connect – Interface types
• Private VIF – used to connect to Amazon VPCs using private IP addresses; directly or via Direct Connect gateway
• Transit VIF – used to connect to AWS transit gateways via Direct Connect gateway
• Public VIF – used to access all AWS public services using public IP addresses
All virtual interfaces are 802.1Q VLANs with BGP peering
AWS Direct Connect gateway – Private VIF
[Diagram: a private virtual interface from the corporate data center (172.16.0.0/16) through the Direct Connect location to a Direct Connect gateway, which connects to VPCs 10.0.0.0/16 and 10.1.0.0/16 in one Region and VPC 10.2.0.0/16 in another]
AWS Direct Connect – Public VIF
[Diagram: a public virtual interface from the corporate data center (172.16.0.0/16) through the Direct Connect location into the AWS global network, reaching public services such as Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, and Amazon CloudWatch; a VPC 10.2.0.0/16 is also shown]
Interconnecting VPCs at scale – VPC peering
[Diagram, over two slides: three, then six VPCs connected by pairwise peering connections, each connected pair needing its own peering connection]
Multiple VPCs access models – AWS Transit Gateway
[Diagram: six VPCs attached to a single AWS Transit Gateway instead of pairwise peering connections]
AWS Transit Gateway with AWS Site-to-Site VPN
[Diagram: several VPCs and a VPN attachment to the corporate data center (172.16.0.0/16) on one AWS Transit Gateway]
TGW route table: 172.16.0.0/16 via VPN
VPC route table: 172.16.0.0/16 via TGW
AWS Transit Gateway with Direct Connect gateway
[Diagram: a transit virtual interface from the corporate data center (172.16.0.0/16) through the Direct Connect location to a Direct Connect gateway, which connects to an AWS Transit Gateway in each of two Regions; the transit gateways attach VPCs 10.0.0.0/16, 10.1.0.0/16, and 10.2.0.0/16]
Gateway VPC endpoints
[Diagram, built up over several slides in Region US-EAST-1: instances in Availability Zones US-EAST-1A and US-EAST-1B first reach Amazon S3 and DynamoDB through public subnets; the public subnets are then removed and a gateway VPC endpoint for Amazon S3 and DynamoDB is added as a target in the private subnets' (main) route table]
Interface VPC endpoints (AWS PrivateLink)
[Diagram, built up over three slides in Region US-EAST-1: interface endpoints in the private subnets of US-EAST-1A and US-EAST-1B for services such as AWS Transfer for SFTP, Amazon API Gateway, Amazon CloudWatch, AWS CodeCommit, Amazon Kinesis Data Streams, AWS Systems Manager, and Amazon Simple Queue Service (Amazon SQS); an instance's DNS query for sqs.us-east-1.amazonaws.com resolves to the endpoint's private addresses, 172.31.1.5 / 172.31.2.7]
AWS PrivateLink – Your own services
[Diagram, Region US-EAST-1: a service in VPC 10.50.0.0/16 exposed behind a Network Load Balancer, consumed from instances in the private subnets of VPC 172.31.0.0/16 across Availability Zones US-EAST-1A and US-EAST-1B]
AWS PrivateLink – Your own services, on premises
[Diagram: the same service in VPC 10.50.0.0/16 (US-EAST-1B) behind a Network Load Balancer, consumed from the corporate data center (172.16.0.0/16) over Direct Connect (DX) or VPN]
Your VPC
[Summary diagram across US-EAST-1A and US-EAST-1B: an internet gateway (IGW), NAT gateways and an ELB with web servers in the public subnets, private subnets, a gateway VPC endpoint (VPCE) for Amazon S3 and an interface endpoint for Amazon SQS, VPC peering, a Site-to-Site VPN (VGW/CGW) and a Direct Connect VIF to the corporate data center, AWS Transit Gateway, and ENIs for services such as AWS Lambda and Amazon WorkSpaces]
Security
[Summary diagram of the network security controls on the same VPC: web server and application server security groups, VPC Flow Logs, Traffic Mirroring, an egress-only internet gateway (EIGW), PrivateLink, VPC peering, NAT gateways, and AWS Transit Gateway]
What’s new since re:Invent 2019?
• Amazon VPC Ingress Routing – AWS CloudFormation support
• AWS Transit Gateway
  • Inter-region peering
  • Multicast support
  • Additional regions
• Amazon VPC Flow Logs now supports 1-minute aggregation intervals
Learn networking with AWS Training and Certification
Resources created by the experts at AWS to help you build and validate cloud networking skills
Free digital courses cover topics related to networking and content delivery, including Introduction to Amazon CloudFront and AWS Transit Gateway Networking and Scaling.
Validate expertise with the AWS Certified Advanced Networking – Specialty exam.
Visit the advanced networking learning path at aws.amazon.com/training/path-advanced-networking
Thank you!