2018 0320-NET Slide-Deck

Uploaded by masterlinh2008

What’s New

Deep dive on new AWS networking features
Nick Matthews, Principal Solutions Architect
March 2018
@nickpowpow

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is an Amazon Virtual Private Cloud (VPC)?

“A virtual network that closely resembles a traditional network that you'd operate in your own data center”

[Diagram: one VPC spanning two Availability Zones, with an Instance in each]
Traditional Network

[Diagram: two sites linked by VPN over a WAN and by fiber, each running Applications]

AWS Network

[Diagram: AWS network]

WHAT’S NEW:
INTER-REGION PEERING
Inter-Region VPC Peering

[Diagram: two AWS Regions, each containing a VPC, connected by VPC Peering]
VPC Inter-Region Peering
What does this change?

Before: Private connectivity between multiple regions required complicated VPN connectivity.

After: Amazon VPCs in different regions can have private connectivity with VPC peering.

Note: Inter-Region peering is not currently available in China or Seoul. Security groups cannot be referenced between AWS Regions.
WHAT’S NEW:
SECURITY GROUP RULE DESCRIPTIONS
[Diagram: a VPC with an Internet Gateway (IGW) and a Virtual Private Gateway (VGW). Availability Zone A holds Instance A (10.1.1.11/24) in a public subnet and Instance C (10.1.3.33/24) in a private subnet; Availability Zone B holds Instance B (10.1.2.22/24) in a public subnet and Instance D (10.1.4.44/24) in a private subnet.]

In English: Descriptions can now be added to security groups
Security Group Rule Descriptions
What does this change?

Before: Security groups could be unwieldy when used in large numbers or managed by multiple parties

After: You can now add descriptive text to each of your security group rules!
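Rule descriptions only help with the "unwieldy" problem if every rule actually carries one. The script below is an added example, not part of the slide deck and not an AWS tool: it walks the structure that the EC2 DescribeSecurityGroups API returns (IpPermissions / IpPermissionsEgress, each with IpRanges, Ipv6Ranges, UserIdGroupPairs and PrefixListIds that can carry a Description) and reports every rule source that has no description, ranking sources open to the whole internet highest. The response data and the security group ids are constructed inline so the check runs offline; in practice you would load the JSON from `aws ec2 describe-security-groups` or boto3's `describe_security_groups`.

```python
"""Audit security group rules for missing descriptions (added example)."""
from typing import Dict, List

# Constructed sample in the shape of a DescribeSecurityGroups response.
# Group ids are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "web-tier",
            "IpPermissions": [
                {   # documented rule: fine
                    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public HTTPS"}],
                    "Ipv6Ranges": [], "UserIdGroupPairs": [],
                },
                {   # undocumented rule open to the world: should be flagged high
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [], "UserIdGroupPairs": [],
                },
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Default egress"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "db-tier",
            "IpPermissions": [
                {   # undocumented rule referencing another group: flagged medium
                    "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                    "IpRanges": [], "Ipv6Ranges": [],
                    "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}],
                },
            ],
            "IpPermissionsEgress": [],
        },
    ]
}

WIDE_OPEN = {"0.0.0.0/0", "::/0"}


def _sources(perm: dict):
    """Yield (source label, description) for every source of one permission."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"], r.get("Description", "")
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"], r.get("Description", "")
    for g in perm.get("UserIdGroupPairs", []):
        yield g["GroupId"], g.get("Description", "")
    for p in perm.get("PrefixListIds", []):
        yield p["PrefixListId"], p.get("Description", "")


def undocumented_rules(response: dict) -> List[Dict[str, str]]:
    """Return one finding per rule source whose description is empty."""
    findings = []
    for sg in response["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm["IpProtocol"]
                # IpProtocol "-1" means all protocols and carries no port range.
                ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
                for source, desc in _sources(perm):
                    if desc.strip():
                        continue
                    findings.append({
                        "group": sg["GroupId"],
                        "direction": direction,
                        "rule": f"{proto}/{ports} from {source}",
                        "severity": "high" if source in WIDE_OPEN else "medium",
                    })
    return findings


if __name__ == "__main__":
    for f in undocumented_rules(SAMPLE_RESPONSE):
        print(f"[{f['severity']}] {f['group']} {f['direction']}: {f['rule']} has no description")
```

On the sample data the script reports two findings: the SSH rule open to 0.0.0.0/0 (high) and the database rule that references the web tier's group without saying why (medium). Running it from a pipeline against real accounts gives a simple, auditable signal that the descriptions the slide introduces are actually being filled in.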
WHAT’S NEW:
EXPAND YOUR EXISTING VPC
[Diagram: VPC CIDR 10.1.0.0/16, with IGW and VGW. Availability Zone A: Instance A (10.1.1.11/24, public subnet) and Instance C (10.1.3.33/24, private subnet). Availability Zone B: Instance B (10.1.2.22/24, public subnet) and Instance D (10.1.4.44/24, private subnet).]

[Diagram: the same VPC after a second CIDR is added; VPC CIDR 10.1.0.0/16, 10.2.0.0/16. Availability Zone C is carved from the new 10.2.0.0/16 range and holds Instance E (10.2.1.11/24, public subnet) and Instance F (10.2.2.22/24, private subnet).]
Before: VPC CIDR size was constant; changing it meant deleting and recreating the VPC

After: You can now add additional (up to 5) CIDR ranges to your VPC (with some restrictions)

Why? We use RFC1918 ranges for AWS-managed products contained in your VPC, like Workspaces

We allocate these ranges based on your initial VPC CIDR range
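Because a secondary CIDR cannot overlap anything already in the VPC and the slide only says "with some restrictions", it pays to validate a candidate block before calling the API. The function below is an added example, not from the slides or from AWS: it uses Python's `ipaddress` module to check that a candidate is a well-formed IPv4 network between /16 and /28 (the VPC block sizes AWS documents), that it does not overlap any CIDR already associated with the VPC, that the VPC stays within a block count (5 here, the figure on the slide, kept as a parameter because the real quota is adjustable), and that it stays out of ranges you reserve for AWS-managed products or other environments. The `RESERVED` list is a constructed placeholder for your own address plan, not an AWS rule.

```python
"""Pre-flight check for adding a secondary CIDR to a VPC (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: ranges this hypothetical organisation keeps out of VPC CIDRs,
# e.g. because AWS-managed products or another environment already use them.
RESERVED = [ipaddress.ip_network("192.168.0.0/16")]


def can_add_cidr(existing: Iterable[str], candidate: str, max_cidrs: int = 5,
                 reserved: List[ipaddress.IPv4Network] = RESERVED) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when every constraint passes."""
    try:
        # strict=True rejects host bits set in the prefix, e.g. 10.2.0.1/16
        new = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, f"invalid CIDR: {exc}"
    if new.version != 4:
        return False, "only IPv4 secondary CIDRs are handled here"
    if not 16 <= new.prefixlen <= 28:
        return False, f"prefix /{new.prefixlen} is outside the allowed /16-/28"
    current = [ipaddress.ip_network(c) for c in existing]
    if len(current) + 1 > max_cidrs:
        return False, f"VPC already has {len(current)} of {max_cidrs} CIDR blocks"
    for c in current:
        if new.overlaps(c):
            return False, f"{new} overlaps existing {c}"
    for r in reserved:
        if new.overlaps(r):
            return False, f"{new} falls in reserved range {r}"
    return True, "ok"


if __name__ == "__main__":
    vpc = ["10.1.0.0/16"]  # the VPC from the slide, before expansion
    for cand in ["10.2.0.0/16", "10.1.128.0/17", "10.0.0.0/15",
                 "192.168.10.0/24", "10.2.0.1/16"]:
        ok, reason = can_add_cidr(vpc, cand)
        print(f"{cand:>16} -> {'OK ' if ok else 'NO '} {reason}")
```

For the VPC on the slide, 10.2.0.0/16 passes (matching the second diagram), 10.1.128.0/17 is rejected as overlapping the primary block, 10.0.0.0/15 is too large, and 192.168.10.0/24 is refused by the reserved list. The check is deliberately conservative: a candidate the function accepts can still be refused by AWS for restrictions not modelled here, so treat it as a first gate, not as the final word.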
WHAT’S NEW:
DIRECT CONNECT GATEWAY
AWS Direct Connect for Private Access

[Diagram: an on-premises WAN (10.2.0.0/16) with a Customer Router at each of two AWS Direct Connect Locations, each connected to an AWS Router. A Private Virtual Interface (VIF) reaches a VPC (10.1.0.0/16) in one AWS Region.]

AWS Direct Connect: Link Aggregation

[Diagram: the same topology, with the connections grouped into a Link Aggregation Group (LAG) in front of the Private Virtual Interface (VIF) to the VPC (10.1.0.0/16).]

Direct Connect Gateway

[Diagram: the same on-premises WAN (10.2.0.0/16) and Direct Connect Locations; the Private Virtual Interface (VIF) now terminates on a Direct Connect gateway in the Account, which attaches to the VPC (10.1.0.0/16) in the AWS Region.]

Global Connectivity

[Diagram: the Direct Connect gateway in the Account fronts VPCs in multiple AWS Regions over the same Private Virtual Interface (VIF).]
AWS Direct Connect Gateway
What does this change?

Before: AWS Direct Connect only worked from ‘local’ points of presence, requiring global presence. Each virtual interface was limited to one VPC.

After: AWS Direct Connect ports can reach private and public resources across the world over the AWS backbone. Each virtual interface can reach multiple VPCs in the same account (10).
WHAT’S NEW:
NETWORK LOAD BALANCER
The Elastic Load Balancing Family

Application Load Balancer: HTTP and HTTPS (VPC)
Network Load Balancer: TCP workloads (VPC)
Classic Load Balancer: Previous generation for HTTP, HTTPS, TCP (Classic Network)
Network Load Balancer

New, layer 4 load-balancing platform
Connection-based load balancing
TCP protocol

High performance
Can handle millions of requests per sec

Static IP Support

Ideal for applications with long running connections

Extremely low latencies

Preserves Source IP

Same API as Application Load Balancer

Load Balancer API Deletion Protection
Migrating to Network Load Balancer

Migration is as simple as creating a new Network Load Balancer, registering targets, and updating DNS to point at the new CNAME

Classic Load Balancer to Network Load Balancer migration utility:
https://github.com/aws/elastic-load-balancing-tools

NLB hourly costs are currently 10% cheaper than the CLB
NLB data transfer costs are 25% cheaper than CLB and ALB
WHAT’S NEW:
AWS PRIVATELINK
Shared Services VPC
• Authentication
• Logging
• DevOps tools
• Security resources
• Deployed in each AWS Region
Shared Services: VPC Peering Challenges

[Diagram: a shared-services VPC peered to many application VPCs, with on-premises access over AWS Direct Connect, VPN and WAN. Callouts: VPC Peering gives full VPC connectivity; Scale (…125 peerings); No overlapping addresses (two VPCs both using 172.16.0.0/16 cannot peer).]
Introducing: PrivateLink

[Diagram: a Shared Service VPC (172.16.0.0/16) with API targets in two Availability Zones (172.16.1.9 in 172.16.1.0/24 and 172.16.2.41 in 172.16.2.0/24) behind a Network Load Balancer. A consumer VPC (10.1.0.0/16) reaches the service through endpoint addresses 10.1.1.127 (10.1.1.0/24) and 10.1.2.35 (10.1.2.0/24), one per Availability Zone. Callouts: Access is unidirectional; One IP address for each Availability Zone; The endpoint is a local IP address.]
Introducing: PrivateLink

[Diagram: the same Shared Service VPC (172.16.0.0/16, APIs at 172.16.1.9 and 172.16.2.41) serving two consumer VPCs that both use 10.1.0.0/16, with endpoint addresses 10.1.1.127 and 10.1.2.35 in the first and 10.1.1.162 and 10.1.2.22 in the second. Callouts: Support for overlapping IP address ranges; …thousands of consumers.]
Without PrivateLink

[Diagram: a Customer Account whose Application VPC reaches Shared Services over VPC Peering, Amazon services (the Amazon EC2 API) over an Internet Gateway or AWS Direct Connect, and Partner Services across the Internet through a Firewall.]

Shared Services:
• Security Services
• Logging
• Monitoring
• DevOps tools
• Authentication

Amazon Services:
• Amazon EC2
• Amazon S3
• Amazon Elastic Load Balancing
• Amazon SSM
• Amazon KMS

Partner Services:
• SaaS
• API services
• Managed services
• Marketplace offerings
With PrivateLink

[Diagram: the same Customer Account; the Application VPC now reaches Shared Services, Amazon services (the Amazon EC2 API) and Partner Services through PrivateLink Network Interfaces in an Endpoint VPC, with AWS Direct Connect still providing on-premises access. The Shared Services, Amazon Services and Partner Services lists are the same as on the previous slide.]
AWS Marketplace Integration

Discoverability of the services when customers purchase SaaS on AWS Marketplace
PrivateLink
How it works

And more to come…
AWS PrivateLink — Use Cases

Centralized internal services such as logging and monitoring workloads serving various VPCs

Anything behind a Network Load Balancer

Microservice implementation

Your services, AWS services, and third-party services

SaaS serving your customers’ applications in other VPCs and on-premises networks
AWS PrivateLink
What does this change?

Before: AWS services and other customer-owned or third-party services required internet routing or VPC peering

After: PrivateLink allows you to connect privately to a specific service such as AWS KMS without configuring internet access. You can also reach your own private services or AWS Marketplace SaaS offers.
Summary
• Inter-Region peering for Disaster Recovery and Active-Active applications
• Security Group rules descriptions for easier security management
• Re-size your VPC for more flexible CIDR allocations and growing VPCs
• Direct Connect Gateway to access services globally and to many VPCs
• PrivateLink to access AWS services privately
• PrivateLink to access your own services and partner services privately

THANK YOU!