AWS re:Invent 2023 - Advanced VPC designs and new capabilities (NET306)


What's up everyone, how we doing? Pretty good. Friday, 10:00 a.m. So we purposefully asked for this slot because we know only the die-hard networking folks would come on a Friday at 10 a.m. I mean, this is a great community; I'm glad to be a part of it. I'm Matt Lehwess, I'm a senior principal in EC2. This is actually the 10th year I'll be at re:Invent; it's my 10-year anniversary at Amazon as well, as of a few weeks ago. Eighth year, I think, doing this session. Alex has joined me for the last couple of years. Alex is a principal solutions architect for a strategic account, a networking specialist, an amazing networking wizard as well.

Thank you, thank you. Thank you all for joining us today. I'm honored and humbled by the numbers, so thank you. It really helps when next year comes around and we spend hundreds of hours in PowerPoint and designing stickers; it just makes it all worthwhile, for sure.

All right, so we've got a lot of content, so we're going to get right in there. This is the title slide [Music] and away we go. So before we begin, this is a 300-level session. It's not a 200-level, it's not a 400-level, but that means we have to balance between foundations and deep technical things. 300 is kind of that middle point, so there's some folks in here that might not know what a VPC is, maybe, or there's folks here who are more experts than us, so we try and straddle that line. Also, we'll throw in a couple of photo icons; I know folks love to take photos. This session is recorded, it will be on YouTube (hi Mom, how you doing?), and so you can check it out after the fact, and please do. We're going to go pretty quickly through some of these builds, so don't be disappointed if you don't get a snap; it'll be on YouTube. And lastly, this year we have the AWS cat networking wizard, who'll be sprinkled throughout. Hope you all got a sticker; if not, come and see us later. And there's a cool cat IPv6 sticker that we threw in there for good measure this year too.

So the idea of this session is really to talk about our services and features around networking. Then we want to talk about our new capabilities, so what have we done in the last 12 months. Then we want to dive into deep advanced architectures, so things that you might build where you'll combine some of the features and services together into one. That said, again, I said I was going to go pretty quick here because we've got a lot of content. Let's talk about the foundations.

Okay, so EC2-Classic back in 2006 kind of looked like this, but then I think it was around 2010 we released Amazon VPC. It was designed to be kind of like your pseudo data center or virtual data center in the cloud. We thought every customer would have one; it turned out we were wrong. But inside the VPC we have intra-VPC components, so things like subnets, things like Availability Zones. A VPC is a Region-level construct, subnets are Availability Zone constructs, EC2 instances are Availability Zone constructs, and they're all part of the Region itself. A VPC, if someone says "hey, what is that?", I say, well, it's kind of like a private space, but it's basically a VPC CIDR, either v4 or v6, and so you'll designate CIDRs, or subnet addresses, to your subnets, either v4, dual stack with v6, or v6 only, which is actually kind of cool. We also have this thing called an internet gateway; it gives you internet access. An egress-only internet gateway for v6. And inside the VPC you have this thing called a route table, and the route table basically directs traffic, pretty straightforward. And so you have things like Elastic IPs, you can talk to public services, you can talk to the internet, you can have private subnets that don't talk to the internet and maybe they'll talk to things like gateway endpoints privately. You'll notice we really like these gateway things; we bolt those onto the VPCs, and we've been developing these services as we go. Network Firewall, we'll dive into that. Gateway Load Balancer, a mechanism for you to build your own firewall, egress security VPCs. Application Load Balancer, Network Load Balancer for inbound traffic. I did say I was going to go fast. VPC Lattice, which is a new service we released last year, or actually GA this year, an amazing service where you can register services with a service directory and you build this thing called a service network; Alex is going to do a deep dive on that, so that's going to be really interesting. Service endpoints to talk to public services, maybe private services that you build. Again, Gateway Load Balancer endpoints.

Connecting to the VPC: VPC peering (I'll slow down in just a second), we have cross-Region VPC peering. Transit Gateway, which released in 2018, amazing service, 5,000 VPCs connected to one Transit Gateway in each Region, or you can peer Transit Gateways together across Regions, or you could replace those Transit Gateways with Cloud WAN or use them together, and so you can deploy Cloud WAN globally. We can do VPN connections. Direct Connect, physical fiber to AWS, connected to Transit Gateways if we want to. Transit Gateway Connect: customers wanted to bridge their SD-WAN deployments into AWS, and so Transit Gateway Connect was one thing we built for that. Also, of course, we can connect Cloud WAN; Cloud WAN Connect, just like for your SD-WAN headends, and Direct Connect and VPN for Cloud WAN. We're almost at the end of the foundations, and then we'll all be on the same level, hopefully, fingers crossed. We can do VPN, Client VPN connections. Instance Connect, so connecting to instances within your environment via the AWS console. And then lastly AWS Verified Access, so our zero-trust front end to applications within the VPC. So the big question is, can we fit all of that onto one slide? The answer is absolutely yes, and here it is, here's the photo slide. [Applause] This slide was a doozy; I'm glad you folks like it. Okay, let's move on.
Alex, over to you for IP address management.

Well, so we want to build all those things that we just showed on the previous slide, but for that we need to start doing things the right way, and we need to start with IP address management. Matt talked about the capabilities of deploying; we thought initially that everyone's going to have one VPC, and we were wrong. Customers do have multiple VPCs, sometimes a lot of VPCs, and that means a lot of IP address management. But why is it so important? Well, because there are a couple of things that a good IP address management scheme and mechanism enables you to do. First, we're all battling public IPv4 exhaustion, and understanding how you're using public IPv4 addresses and how you can optimize that is powered by a very good IP management tool. Then private IPv4 exhaustion: very large enterprises are saying, well, we're running out of our RFC 1918 space; sometimes, a lot of the time, that happens because of IP management. Cost optimization: how you can adopt technologies like IPv6 for cost optimization or for scale, how you can minimize your cost spend driven by poor addressing scheme decisions; IP management again. And last but not least, global expansion: think of starting to deploy your global infrastructure in more AWS Regions. Those need to start with VPCs, and you need to start with connectivity, powered by IP management.

We have a tool for that. It's called Amazon VPC IPAM, and it allows you to do IPv4 and IPv6 management at scale. It allows you to tap into historical insights for your IP addresses, it allows you to implement your own business logic into how you assign IP addresses, and of course for both IPv4 and IPv6. We talked a bit about IPAM last year as well, but there's a couple of new launches that we want to review for this year. First, you can integrate IPAM with accounts outside of your organization. This has been a very long-standing ask from our customers, because there's things like mergers and acquisitions. And you can now gain detailed insights into your IP address utilization metrics, and I'm very excited about this console in IPAM that shows you exactly where your IP addresses are being used, how many VPCs are compliant, how many VPCs have overlapping IP space, how many are managed and not managed, and it also gives you very detailed insights into what your top subnets from a utilization perspective are, what your top VPCs from a utilization perspective are. So, very cool dashboards.

Now there's great news also from IPAM. We always try to make the right things for our customers in terms of empowering them to use the tools that they need at an optimal cost point, so Amazon VPC IPAM just launched a free tier. You have access to all the good in IPAM in a Region in an account, so you can use it to configure and to manage your IP space. It allows you to do bring your own IP as well, on a per-Region and per-account basis, and it also enables you to get IPv6 addresses, CIDRs, contiguous CIDRs, from Amazon. This is a very important thing for customers adopting IPv6; the reason for that is because it allows contiguous addressing. And we talked a bit about how important it is to understand your public IPv4 address utilization. Part of IPAM, and part of the IPAM free tier, is Public IP Insights, with cross-Region, cross-account support, so you can go into Public IP Insights and you can see what types of addresses you're using, where you're using them, and why. Public IP Insights also has a very cool console; it shows you, by public IP address type, how you're using these addresses, and it also gives you a lot of information related to security groups and network interfaces to which those public IPv4 addresses are associated, so it gives you the tool to make sure that you have the right information to optimize.

Now a very important thing I mentioned about IPv6 addressing is summarization. You will ask, well, why is that? Well, in IPv4 you could easily summarize private IPv4 space in RFC 1918 routes. In IPv6 it's no longer that: you have global unicast addresses on AWS, you configure them in VPCs, and if they're not summarized your route tables are going to be very large. So in IPAM you can go and configure, you can get from Amazon a contiguous CIDR per Region in your account to address all the VPCs that you have there with that contiguous space, which is dramatically simplifying your routing. Another very important IPv6 launch that happened this year is the ability to tier your IPv6 addressing in the VPC. By default we had VPCs that were /56 and subnets that were /64; we now have the capability of choosing the size of the CIDR for the VPC and the size of the CIDRs for the subnet. And one very important feature, that we're going to see a bit later what it powers, is the primary IPv6 address on an interface. So think of the fact that you have an EC2 instance and this EC2 instance has its elastic network interface's IPv6 addresses; the first IPv6 address that you associate can now be configured as primary. We have the foundation; now let's start building.

Thanks, Alex. Okay, so let's talk about some VPC networking things; this is chapter three of our session here today. There's two main ways we think about VPC and networking: one is extending the VPC boundary and the other is connecting to the VPC itself. So there's really these two different ways you can think about connecting, and really networking is about connecting applications together; it's about routing. So first we have VPC sharing. Now the idea behind VPC sharing was really that we wanted networking folks to be able to control and build an environment, VPCs, subnets, etc., and have other accounts, other principals, come in and deploy infrastructure or applications inside that VPC. Now VPC sharing is something that a lot of customers are utilizing these days, where
you can deploy Lambda or EC2 and others inside someone else's VPC. The great thing is, as an owner of a VPC, when you're sharing that VPC out you have control over things like the IGWs, over the route table, over the endpoints, and the participant of that VPC does not, so you still kind of maintain some of that control. So the big question is, do you expand your VPC by using things like VPC sharing or growing the size of your single VPC (some customers do), or do you create more VPCs, create 10 or 100 or 1,000? There was a customer this week that said, I think they had in excess of 4,000 VPCs in their deployment; that's one way to go too. Now it's not really an "or" question, this is really an "and" question; you can do both. And so if we just compare the two together, individual VPCs, or single VPCs, or in a large case what we call a hyperscale VPC: basically, if you have individual VPCs you've got a distributed network of VPCs; with a shared VPC you could have a hyperscale VPC or a single VPC. And so we have this unit of measure inside a VPC called an NAU, or a network address unit. We talked about it a little bit last year; basically, one IP address consumes an NAU. You can have up to 256,000 in-use IPs inside a single VPC, 512 in a shared VPC. So if you go down the shared VPC route, you have to think about NAU consumption. With going down the individual VPC route for each application and having many VPCs, you need to connect them together. And so if you think about having many VPCs, you're lowering that scope of impact: if someone misconfigured a route table inside a VPC, one application is affected; if you've got a shared VPC and someone misconfigured a route table, you've got a larger domain there to consider.

Now this year we did also release a feature that plays directly into the multi-VPC realm, where you can now have an elastic network interface that is multi-, or have an instance that is multi-VPC attached, so an elastic network interface in another VPC. This is still in the same AWS account and still in the same Availability Zone, but this is actually a great feature for folks that want to have that instance and drop it into another VPC without having to manage peering or Transit Gateways, etc.

Okay, so connecting to the VPC: we have a whole bunch of different mechanisms. The first is internet connectivity. We've got an interesting architecture at the end of this small section, but basically inside the VPC you've got your Availability Zones and public subnets; routing, you talk to an internet gateway, or maybe an egress-only internet gateway for your v6. You have private subnets; you might use a NAT gateway to talk to the internet, but again it all comes down to routing on a per-subnet basis. Now if we talk about NAT Gateway specifically here, this year we also released the feature where you can now have up to eight IP addresses associated with a NAT gateway, and we'll actually flow-hash traffic across those IP addresses. Why would you want that? Well, originally a NAT gateway could have one address, and one address means 55,000 concurrent connections through a NAT gateway. Now we've got eight times that; I think the number's 455,000 concurrent connections over the eight IPs. So this is something that customers wanted to scale their NAT gateway deployments; pretty cool stuff. Okay, we've also got NAT Gateway in a Local Zone. I did work on the Outposts service team for a little while, and it was actually a very exciting time. One of the tenets we had on that team was that we want the same experience in Local Zones and Outposts as in the Region, and so what we're doing is we're trying to bring all those services to Local Zones. So in this case we've actually now got NAT Gateway available in the LA Local Zone, and so hopefully we can see more and more services deployed in Local Zones in the future.

And here's this interesting architecture I was talking about. We have some customers that use v6, that's great, and they use the IGW as an interconnectivity mechanism between VPCs instead of using Transit Gateway or instead of using peering, and that's okay because they don't need that. So in this case you could have hosts within a VPC talking to public services, or talking from an IGW to an IGW, or there might be one-way communication, or inside-initiated communication from a host out an egress-only IGW, or it might talk via an IGW to another VPC. So in this case they're basically using the IGW as a Transit Gateway, and with v6 that works because they're all public addresses, so it's quite easy to do.

Okay, so the next connectivity mechanism is AWS PrivateLink, and for the longest time this was one of my favorite services because, when we released it, it was the ability for you to take services and drop them into other people's VPCs, or you consume services from other people's VPCs. The first use case, though, was what we call interface endpoints for service connectivity, where we basically enabled private connectivity for all of these public services into the VPC. We started with about 30 services; we've now got 150-plus services that you can talk privately to via interface endpoints in your VPC. A few more details here: a PrivateLink interface endpoint actually has two elastic network interfaces inside the VPC, in two different subnets, and they'll actually consume IP addresses inside your VPC. And so here we've got a topology where we've got PrivateLink also communicating with services in another VPC. Now what we've done this year is we're now giving you the ability to define those addresses, and so you can tell PrivateLink interface endpoints what specific IPs to use in your VPC; again, it's your private range in your VPC, so more control over that is a good thing. Okay, connectivity with other VPCs, take it away, Alex.

Thank you, thank you. Okay, so
we scale. We start with our one VPC and then we create more, either individual or shared or a combination of the two, and then we figure out, well, we need connectivity; how do we do that? We reviewed a couple of options, and we're going to dive a bit deeper into them. The first one is VPC peering, and it is the foundational connectivity option for VPCs. It's a one-to-one connection between two VPCs, and you can do intra-Region VPC peering or cross-Region VPC peering as well. One of the features that's most liked by our customers for VPC peering is the ability to use security group referencing. This means that in a security group associated with a resource in a VPC, you can actually add a reference, for either inbound or outbound, to a security group ID that is in that peered VPC. Very important to keep in mind the use cases for VPC peering, and the fact that everything that we're going to talk about after VPC peering does not exclude the use of VPC peering. You have to consider the fact that VPC peering is non-transitive, so it is a one-to-one relationship. You do have to consider the fact that you do need to configure routing. Security group referencing gives you that granular security access, but how does that scale?

And if we dive a bit deeper and we scale, how do we do that? Here's where Transit Gateway comes into play. Transit Gateway gives you that routing hub, centralized in a Region, to which you can connect thousands of VPCs, and you don't need to give up on VPC peering altogether. Transit Gateway was released, I think, in 2018; I think that was one of my most exciting re:Invents. This is my fifth year. Now from the connectivity perspective, Transit Gateway allows you to route both IPv4 and IPv6 at scale within a Region. The construct of Transit Gateway comes with attachments and route tables that enable you to segment. It is able to automatically propagate the routes that it learns from the VPCs into those route tables; you can also configure static routes if you wish, and you have the ability of creating that network segmentation. So you can choose attachments to Transit Gateway and the route tables to which these associate, so that you separate your production environment from your development environment, for example. Now I mentioned that you don't have to give up on VPC peering; you can use VPC peering and Transit Gateway, and we'll see that you can use Cloud WAN as well, in an architecture that powers your use cases. So let's look at the use cases, though. So why would you use both? High-throughput, latency-sensitive communication; cost optimization, absolutely: VPC peering gives you free intra-AZ data transfer costs, so use it wisely. Scalability: thousands of VPCs that need access to either hybrid connectivity or cross-Region connectivity or SD-WAN connectivity, use Transit Gateway or Cloud WAN. And think of the fact that you can combine the two, and you can leverage the hierarchy of Transit Gateway routing and the optimized connectivity that VPC peering brings; and do take into consideration the scaling of both and how to use both to power your use cases.

Now if we go into hybrid connectivity, we have Direct Connect, and Direct Connect is that dedicated connectivity that you can get from AWS. It's a physical connection that only you use, and it powers your data center to AWS routing and reachability. Now we focused in the last year on getting closer to you; we have over 130 locations for Direct Connect, to get closer to the place where our customers have data centers. But we didn't stop there. So with Direct Connect you have multiple types of virtual interfaces. The first one is a private virtual interface, and this is the most foundational way in which you can deploy Direct Connect. Then you have Direct Connect gateway, which allows you to connect VPCs across multiple Regions to the same Direct Connect virtual interface. We've increased the quotas this year, and you can have up to 20 virtual private gateways per Direct Connect gateway, up from 10. You can also have a public virtual interface to access AWS public service endpoints; make sure you secure it, because it gives access to essentially everyone on AWS, you get the public IP addresses of AWS. And we have the native integration for Direct Connect with Transit Gateway, through the Direct Connect gateway and transit VIFs, and this year again we've increased the quota to up to four transit virtual interfaces per Direct Connect connection, and up to six Transit Gateways per Direct Connect gateway. And I gave you a sneak peek into the following one; I think this is probably one of the most requested quota increases that our customers had: more routes advertised from AWS to on-prem, so you now have 200 as a combination between IPv4 and IPv6.

And now we get to the very exciting part where we put all these things together. We take global connectivity to the next level with AWS Cloud WAN. We spoke about Cloud WAN probably in all of our sessions so far since we launched it. Cloud WAN gives you this global connectivity mechanism that allows you to leverage the AWS global backbone, private connectivity; nothing goes over the internet. It allows you to also express your intent in terms of connectivity, and we're going to see how that intent is expressed through the Cloud WAN policy, and it also gives you that single pane of glass for network visibility. There's a lot of exciting things that we can talk about that are coming in that space, so watch closely. Now let's look at the Cloud WAN components and recap them for what we can build with Cloud WAN. The first one is the core network policy, and that ability to express in JSON format what your intent is for network
connectivity. You start by saying these are my autonomous system number ranges that the core network edges are going to be using, and then you specify the AWS Regions where you want Cloud WAN to deploy. Then you specify the attachment policies, and we are going to see that every attachment to Cloud WAN is associated and propagated in a Cloud WAN segment based on these policies. Here is where you control your network configuration, and that is that single pane of glass. You can have multiple attachment rules. Cloud WAN makes use of core network edges in every Region, and these core network edges are automatically peered with each other, and they exchange routes dynamically using Border Gateway Protocol, BGP. Each of these core network edges actually creates that transport on top of which you can configure the network segments, which are your global route tables, in a sense. You can choose if segments configured in Cloud WAN are global, so spanning all Regions that are defined in Cloud WAN, or if you want Region-local segments. This is actually a feature that a lot of our customers are using when they are dealing with Regions and countries where they want data locality, and they want to ensure the fact that communication does not go outside of that Region. Moreover, I was mentioning that each attachment is associated and propagated based on the attachment tag. This is different from the VPC tag: when you create an attachment, you have the option of specifying that attachment tag. Now a very interesting thing is that for Cloud WAN you can define how you want attachments to be dealt with: either Cloud WAN can automatically accept attachments, or you can configure, for example, a pipeline that does that acceptance. The interesting thing is that if you change the tag, Cloud WAN reanalyzes what the new tag is on that attachment and remaps your attachment to the right segment, so it's a continuous integration, continuous deployment mechanism for your network.

Now the VPC attachment makes use again of network interfaces, very similar to how Transit Gateway attachments work. You have to specify the Cloud WAN attachment subnets in your VPCs, and this is going to be very useful for new features that we've launched. From the VPC perspective, you do have to configure VPC routing; Cloud WAN does not automatically propagate routes that it learns within its segments to VPC route tables, because the VPC boundary, as a network boundary, gives you control over what you want to route in your VPC. The Connect attachment that Matt mentioned at the beginning, allowing customers to natively integrate SD-WAN appliances into the VPC and into their global network, makes use of a new attachment type which is called the Connect attachment. You have to specify a transport attachment for the Connect attachment on Cloud WAN; that transport attachment is a VPC attachment. So on top of that transport attachment you create a Connect attachment, and on top of the Connect attachment you create Connect peers. The default for the Connect peers' encapsulation is GRE, generic routing encapsulation. Now we've heard your feedback, and we released tunnel-less Connect. This is Cloud WAN-enabled SD-WAN, native, without the encapsulation overhead of GRE tunnels, so it allows you to natively use the Cloud WAN interfaces in the VPC to peer BGP directly with Cloud WAN. So let's see how it works. We have the same transport attachment, we have the same Connect attachment, and we create the tunnel-less Connect peers. Very important here is that each Connect peer has two BGP sessions for redundancy purposes. You can have both GRE and tunnel-less Connect peers over the same Connect attachment. The Connect attachment and the transport attachment have to be part of the same route table on Cloud WAN, so production in our case here. And if SD-WAN appliances are deployed outside of the attachment subnet, you have to configure routing in the VPC for the routes that Cloud WAN advertises through BGP, so very important; therefore we recommend those appliances be deployed in the Cloud WAN attachment subnets so that routing is seamless.

Now another feature that was extremely asked for by our customers is appliance mode. Appliance mode allows you to maintain easy symmetry when you're routing through inspection. Let's see the deployment with Cloud WAN for centralized inspection. We deploy an inspection segment for each Region where we want inspection to happen. We have an inspection VPC, and within the inspection VPC we deploy either Network Firewall or Gateway Load Balancer-powered appliances. Very important here, a call-out from our wizard: the inspection segments are global, but they have a regional attachment only. So how does routing look? There's segment sharing between the production, development, and any other segments that you may have, and the inspection segments. So for ingress, our packet flow will be fairly straightforward: inspection goes through the Network Firewall or Gateway Load Balancer endpoints; return traffic, or traffic initiated in the internet, is also routed through the inspection appliances and back to the VPC. Now what do we do with cross-segment? Here's where the appliance mode feature is very important. We have appliance mode enabled for the inspection VPC attachment, and you observe that the route tables have slightly changed. The reason for that is because we need to maintain symmetry when we're going cross-Region. So in-Region VPC-to-VPC cross-segment is fairly straightforward; this is the return traffic. When we go cross-Region, that symmetry is important, because if the firewall endpoints haven't seen that traffic in one direction, they will not know what to do with the same traffic in the reverse direction. And here you can choose if you want to inspect traffic in both Regions, so that both firewall endpoints see the traffic flow, or if you want to inspect traffic in
just one region and you can natively integrate Cloud one with your tgw infrastructure uh this is actually a very interesting integration because not all customers want to migrate from uh Transit gave away all their vpcs day one so you can use cloud R to Federate connectivity you have the route table attachment for Transit gateway to Cloud R all routing is fully Dynamic so you essentially end up creating a Global Network segmented using both AWS Cloud run and Transit Gateway this also Powers your direct connect integration with Cloud one so you can natively exchange routes dynamically with Transit Gateway and Cloud one and use directon Gateway for those rods to be advertised on premises here I have two segments production and development but you can also use a separate hybrid segment um if you want to and inspect that traffic we have a couple of blogs that explain those flows now last year at we invent we cornered a new term application networking right and what we mean by application networking is split across two different areas first is elastic load balancing that powers application delivery right and Amazon VPC lattice which is providing you not just with that highly available connectivity mechanism but also with the application features for elastic load balancing we released a feature that is uh very near and dear to to my heart and it is actually powered by that Prime primary IPv6 address on the interface that we talked about at the beginning is the ability to have IPv6 instance type targets for application load balancers Network load balancers um and you see here that in order to do that you have to have that primary IPv6 address on the eni now from the deployment perspective you folks are probably very familiar with how application load balancers are deployed um they have a load balancer submit and day support dual stock very important we just launched a couple of uh days ago uh Mutual TLS support for application of balancer this works by configuring a trust 
store, attaching the trust store to your ALB listener and enabling mTLS on the ALB listener. This means that your client traffic is authenticated by the Application Load Balancer, and the Application Load Balancer actually sends all that information back to the targets if you want to configure additional business logic. For more details there is a full breakout session that talks about application networking and all the features on Application Load Balancers.

Now, Network Load Balancer also has a new feature that got launched this year, which is security group support. This I think was one of the most upvoted feature requests for Network Load Balancers. Now you have the ability to associate security groups with your load balancer ENIs. Some considerations here relate to the fact that you have to associate those security groups at creation time. Also, you can use security group referencing, that we mentioned at the beginning, to reference the security groups of the load balancer on the target, to make sure that you only allow traffic from the load balancer to the targets.

Now let's go to probably my favorite topic, VPC Lattice. And perhaps some of you are still wondering, well, why VPC Lattice? Well, remember this: this is kind of complex, it's a lot of things that you need to deploy and manage and configure to get all those nuts and bolts built in together, right? So Amazon VPC Lattice comes as an application networking product that takes a lot of that complexity away, giving you the ability of configuring zero-trust service-to-service communication on AWS without worrying about IP addresses and networking anymore, so it creates the network path as well. Let's look at the use cases. Application networking and VPC Lattice are very loved by EKS and Kubernetes enthusiasts, but also by network folks, because they provide not only security features, not only application-level features, but also network-level features. And I
think one of the features that I'm most excited about with VPC Lattice is that both admins and developers can look at the same configuration and understand it, right? There's no more disconnect between application-level folks and the network infrastructure components that VPC Lattice comes with and that power all these services. Service network is a new logical construct, a new logical boundary. Services that you define can have a deployment model across all of our compute platforms, so EC2, Lambda, ECS, EKS; when you create services you can specify multiple target groups, and these target groups can have different compute options. Then you have the service directory: when you create a service, that service appears in the service directory, and you can share services using Resource Access Manager, as well as service networks, using again Resource Access Manager, to populate service directories in other accounts. And auth policies: authentication and authorization that happens at the VPC Lattice level; you can have auth policies associated with your service network and with your services.

Now let's see VPC Lattice in action, and this is my favorite use case. I think we're probably getting this question every day: how do we configure a VPC to have network connectivity that also has overlapping IP space? And because VPC Lattice completely abstracts the network addressing, we'll see how that happens. We first associate services with the service network, then we associate the VPC with the service network, allowing clients in the VPC to consume the services, we configure auth policies, and we look at the life of a packet. All the VPC constructs that you are familiar with, security groups, NACLs, route tables, still apply, so in order for a packet to go through VPC Lattice it has to be allowed by all these security constructs, right? So we start with the packet going from the client to the service network. Once the DNS resolution has happened and the client gets the IP
address of a VPC Lattice service, which is 169.254 in IPv4 or a ULA address in IPv6, that packet gets generated and it needs to be allowed by the security group of the source, by the NACL, the route table and the security group on the VPC association. This is one of the most powerful features of VPC Lattice, that it allows you to use security in a layered approach, right? You don't have to give up on your security groups or on your NACLs or on your route tables, right, you use them in a complementary way. Now the traffic was allowed, it gets into the service network, and at the service network all the auth policies and the security configuration and the routing configuration are applied. And last but not least, the packet gets to the destination, into the destination VPC, and again it needs to be allowed by security groups and NACLs and routing.

Now there's a couple of new capabilities for which our cat is very excited: support for service targets and shared VPCs, it's been a feature that's been asked for by a lot of our customers; general availability of the AWS Gateway API Controller for native integration with EKS, this is the powerful native integration with Kubernetes services and CRDs and all the constructs that you have available there; and identity header propagation, SigV4A, which allows you to do that authentication in remote regions, right, so we propagate that information natively. Now we've built connectivity, let's secure it.

Thanks, Alex. So I'm pretty sure Alex just stepped through the whole OSI model from the ground up all the way to application, pretty awesome stuff. We've got so many features now, or services, that you can just build networking within AWS, but security is still something that's in the heart of everything we do here at AWS. First, let's start with some administrative connectivity. It may sound boring to the users, but as an administrator it's something that's actually pretty important. So we have this thing called
Amazon EC2 Instance Connect, and so basically the idea here is, by installing the Instance Connect software on an EC2 instance, you can connect to that instance from the EC2 console. And so here's how it works: basically you've got an administrator here on the left going through the console, you have an EC2 instance with a public Elastic IP, and then you can communicate with that EC2 instance from the console itself, so you don't have to manage things like handing out SSH keys to users that need to administer instances. Now there's one flaw in this design which we worked pretty hard on fixing in the last year, and so the problem was you needed to have a public IPv4 address for the instance, and so that meant only public subnets were accessible via Instance Connect. And so what we've recently done is we've released Amazon EC2 Instance Connect Endpoints, and so what this means is we now use our endpoint technology to drop connectivity into the VPC, and you can communicate with EC2 instances that don't have public IPv4 addresses. And so no public IPv4 addresses are needed here in this case, pretty awesome.

Okay, as far as networking security, I always think about things like inspection, and so let's talk about inspecting in the VPC. Over the last few years, one of the architectures that keeps popping up when we talk to customers is configuring an egress security VPC. So folks say, hey, I've got this environment, I've got 10 VPCs, I'd like to send everything through something like a firewall. So back in 2020 we released AWS Network Firewall. Basically it allows for unified management and monitoring, it's a cloud-native traffic inspection mechanism, it's highly scalable and it has a flexible inspection engine that's built into it. So basically what this is, is powered by Gateway Load Balancer technology, and we'll talk about Gateway Load Balancer, but you can now have a firewall endpoint in the VPC. That was as of 2020; the
architecture looks something like this: so you've got an EC2 instance, you would route via the AWS Network Firewall endpoint inside the subnet onto instances or maybe out into the internet gateway. You can also have something like a NAT Gateway in line as well, so now you're going through a Network Firewall, through a NAT Gateway and then out into the public internet. Now the beauty of both NAT Gateway and Network Firewall is they're managed services, they're both scalable, and so you don't have to worry about spinning up more instances to handle more traffic as you send more instances to the Network Firewall or, in this case, NAT Gateway as well. Now there's a whole bunch of other deployments that you can actually do with Network Firewall; this is just one option really.

Now recently we've also released IPv6 support. You'll notice that that's a trend in a lot of the services that we're doing, so we released IPv6 support. So in this case you could have a v4 subnet, a dual stack with v6 and v4, or a v6-only subnet for your Network Firewall endpoints. v6-only is actually quite important to customers: we speak to folks that say, hey, we're using RFC 1918 addressing inside our VPC environment, so your 10s, your 172s, etc., but then they say we've got so many VPCs that we're running out of RFC 1918 addresses across both our AWS environment and our on premises. And so having the ability to deploy services like Network Firewall in a subnet that only consumes v6 addresses is important to those folks, so they're not burning more v4 addresses, which they don't really have. We also have inbound TLS inspection now for Network Firewall, and so basically, integrating with AWS Certificate Manager, we can decrypt TLS traffic, or you can configure TLS inspection on the Network Firewall as well. There's a few considerations here for inbound TLS inspection, and we have outbound TLS inspection for Network Firewall as well. So we're building
these capabilities into the Network Firewall, and you'll see these types of capabilities built across Network Firewall and Gateway Load Balancer, you know, they're basically part of the same type of family, given that Network Firewall is built upon Gateway Load Balancer underneath the hood. Speaking of which, Gateway Load Balancer is really the ability to implement third-party appliances inside your VPC for things like inspection, and so that was where we released this in 2020 as well. We wanted to say, hey, you can use AWS Network Firewall, but if you like or use existing firewall vendors you can use those in your VPC as well, so that's where Gateway Load Balancer really comes into play. And so basically it's a fault-tolerant, highly available infrastructure that you deploy and manage in a VPC that you own and manage, with Gateway Load Balancer and Gateway Load Balancer endpoints inside a VPC. And so it looks something like this, where we've got a VPC on the top here with a Gateway Load Balancer endpoint. Traffic might be going from one instance to another, but in this case we're actually routing via the Gateway Load Balancer endpoint, so we're sending traffic down to a Gateway Load Balancer in another VPC and then sending, or flow hashing, that traffic via GENEVE across appliances inside the inspection VPC on the bottom here. Now we also have v6 support for Gateway Load Balancer as well, so hopefully we can get v6 everywhere, that would be a great scenario. Now there's a couple of considerations here. So with Gateway Load Balancer, basically from the Gateway Load Balancer to the appliances we use what's called GENEVE tunneling encapsulation, so in this case we're actually sending v6 inside the v4 GENEVE tunnel towards the appliances themselves. So this is something that you would work on with your appliance vendor, to say, hey, firewall vendor, we'd like to use this within our VPC, and you'd use their service as the EC2 instance
or their software, and then the Gateway Load Balancer would be managed by yourselves.

Okay, now let's talk about VPN-less application access. So the VPC itself, I think of it like a walled garden, and I think that's why customers love it so much. They say, hey, I've got this VPC and that's my perimeter. Now you'll probably never hear me say VPC is a security mechanism, because it really isn't, it's everything else that goes into it, but it is a control mechanism. And so when you VPN into a VPC or you connect a Direct Connect, you're extending that walled garden out to applications on premises. And so what customers were asking for was the ability to connect on an application-by-application basis into the VPC, or to the applications, essentially zero-trust network access to applications inside a VPC. So, I think it was this year we GA'd Verified Access. Same as VPC Lattice, we announced it last year at re:Invent, but a few months ago we went GA for Verified Access. And basically the idea here is we have a Verified Access service sitting in front of the VPC connecting two services, and it actually looks something like this, where you've got applications, you've got an Application Load Balancer, great, applications and Application Load Balancers go hand in hand, but we're also now able to front-end that with the Verified Access service. And so that integrates with identity providers and also WAF, and now users, actually through a user agent on a browser, will connect through Verified Access through to the application itself. So now you've got application-by-application access into the VPC without giving access to the whole VPC, like you would on a routing and security group basis if you Direct Connect or VPN to that VPC. And you'll notice here, the extension of this diagram, we're using Hyperplane as well for these services, so Hyperplane ENIs are a very common thing that you'll see as part of these services and how they're deployed within VPCs. If you
want to learn more about Hyperplane, come and chat to us after the talk, we can send you to a few talks that talk about that.

Now this is 2023, and so we had to, how could we not have a generative AI section in this talk? So, networking and generative AI, let's talk about that. So back in, I think this was 2010, I might mess up my years a little bit here, but we had the C1 instance, which gave you one gigabit per second. I remember this, I remember thinking, man, you can have a virtual machine or EC2 instance that has 1 gig. Then a little bit later we released the CC1 instance, I think this is for cluster computing, we could do 10 gigabits per second, and we kind of extended that out in 2013 and I think 2015 for the C4s, for 10 gigabits per second with enhanced networking, which gave you more packets per second, and then EBS-optimized by default, so the EBS storage was optimized as well. And we kept going from there: C5s, which I think was in 2015; C5n, which is our network-optimized instance, at 100 gigabits per second. Imagine that. I used to manage an internet backbone for an Asia Pacific country and we had 80 gigabits per second for the whole country, and now you can have a C5n instance, and I think this was around 2016, it was 2016, amazing stuff. Then we just kept going from there: 200 gig with a C7gn. By the way, these slides and the boxes are kind of to scale, so you can see the difference in instance bandwidth across these instance families. In 2020 we released the P4d; this was a cloud first, 400 gigabits per second per instance, and so that was when we built what we call UltraCluster 1.0. There's a great talk by Steven Callahan, we call him Steph Cal, but you guys don't know who Steph Cal is; it's available on YouTube, check it out, he talks about the UltraCluster architecture, super interesting stuff. But basically what's happened is, for generative AI or large language model training, we've started
building dedicated Clos networks in not just data rooms but data centers and campuses of P4d instances, so that we can allow our customers to come in and train large language models, and so that's where the AI/ML workloads really came into play. Trn1 was, I think, 2022, 800 gigabits per second, and it's just gotten crazy: Trn1n was this year, I think 1,600; P5, 3,200; a couple of days ago, Trn2, 6,400 gigabits per second per instance. I haven't had the honor of spinning one of these up yet and trying to do it; I think it's going to be expensive, probably, I might get a note from a manager about, hey, what's going on with these Trn2 instances, what are you up to? We'll see. Now those other instances are still on this slide, by the way, they're there, they're just really, really, really tiny in comparison, they're like way down there. So anyway, we're enabling generative AI through networking and instances that can support that kind of networking, and with our UltraCluster 2.0 architecture we've basically got a whole new network design that we build our Clos networking with in our data centers, and so we've flattened and widened our data center networking to allow this kind of connectivity. We've got 10x bandwidth with non-blocking capacity through our data centers, and we've also, again, this Steven Callahan talk, check it out, we've got our own routing protocols now, I think we call it SIDR, where we're replacing things like BGP and OSPF in the data center because they just weren't functioning in the ways that we wanted. It's amazing stuff. Now what does that mean for you folks? Well, we've also built this protocol called SRD, or Scalable Reliable Datagram, I think we released that last year, we call it ENA Express. And so if you look at a data center, a typical path looks like this; you could get some hotspots with TCP flow hashing. We now do basically this, oops, that's a build-out, we do this, where we flow-hash flowlets through our data centers, pretty amazing stuff, and
you don't need to do anything, it's just an instance that supports SRD or ENA Express, and this year we've actually expanded that by 58 instance types, and so this is pretty huge for customers that want to get access to this type of technology, pretty amazing stuff.

Okay, so now we get into what it looks like from a customer perspective: Amazon Q support for network troubleshooting. This is amazing, I'm super excited by this. So we've got an architecture here and things are broken, so the network doesn't work, and so we can't SSH to instances in A1, app servers can't talk to each other. Let's jump in there and let's ask Q. And so basically this is now in preview, so you can check this out yourselves: on the right-hand side of your console, jump in on that little widget, you'll get a nice little text prompt here and you can basically ask questions like, in this case, we're going to ask, why can't I SSH to my web server in A1? And so basically, to get access into the Q for network troubleshooting console, they'll say, hey, looks like you're trying to do some troubleshooting here, let's check out the preview experience. Alex, you've played a bunch with this tool over the last, you know, couple of weeks.

I did, I did, and you should check out a blog post. We talk about why you can't SSH into your EC2 instances and why your app doesn't talk to the database with the help of Amazon Q. So the integration for network troubleshooting with VPC Reachability Analyzer is essentially showing us a lot of interesting things that, when we started playing with this, we had no idea were there. We just got a VPC that was configured and we were tasked with solving these issues for the network blog post, so check it out. So we've asked Q why we can't SSH, and Q is actually running VPC Reachability Analyzer behind the scenes, which means it understands what we're asking it about, right? App servers, why can't I SSH into it? And it shows us
the troubleshooting steps that we need to take. It shows us the actual security groups that don't have anything configured in them, and for database access it also shows us why the app can't talk to the database. So we ask it again, and it tells us after a couple of seconds that we have a network ACL that is not properly configured. So, that being said, we've solved the network issues with Q. Go read the blog and let us know what you think about it. And now that we've solved the network issues, a couple of considerations, you'll find them as well in the blog: this is preview, so you have a number of questions that you can ask it, and it resets every 24 hours.

Thank you, thank you. Yeah, we're out of time. Thanks for joining us, and don't forget to fill out the survey. Oh, next slide, next slide, the survey.
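The GENEVE encapsulation between Gateway Load Balancer and the inspection appliances, discussed in the talk above (v6 carried inside a v4 GENEVE tunnel, flow-hashed to appliances), as an added example that is not part of the talk and not AWS code: a small decoder that shows what an appliance actually receives on the wire, so you can check a capture before blaming the appliance or the route tables. The framing follows RFC 8926 (GENEVE on UDP 6081). The AWS-specific parts are stated as assumptions to verify against the current Gateway Load Balancer appliance documentation: the inner payload is a bare IP packet signalled by protocol type 0x0800 (IPv4) or 0x86DD (IPv6), and the GWLB options use option class 0x0108 with type 1 = GWLBE ENI ID (8 bytes), type 2 = attachment ID (8 bytes), type 3 = flow cookie (4 bytes). The decoder handles both inner IPv4 and inner IPv6, which is broader than the v6-in-v4 case the talk describes. The sample packet, addresses and IDs are constructed here and carry no real meaning.

```python
"""Decode a Gateway Load Balancer GENEVE packet the way an appliance sees it.

Added example; not code from the talk or from AWS. Assumptions to verify
against the current GWLB appliance docs: GENEVE on UDP 6081 (RFC 8926), a bare
IP inner packet (protocol type 0x0800 / 0x86DD), and AWS option class 0x0108
with type 1 = GWLBE ENI ID (8 B), type 2 = attachment ID (8 B), type 3 = flow
cookie (4 B). All addresses and IDs below are constructed sample values.
"""
import ipaddress
import struct

GENEVE_PORT = 6081
AWS_OPTION_CLASS = 0x0108
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}
PROTO_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6"}


def parse_geneve(buf: bytes) -> dict:
    """Parse a GENEVE header plus its options and describe the inner IP packet."""
    if len(buf) < 8:
        raise ValueError("truncated GENEVE header")
    ver_optlen, _flags, proto, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (ver_optlen & 0x3F) * 4  # option length is in 4-byte words
    if len(buf) < opt_end:
        raise ValueError("truncated GENEVE options")
    info = {"vni": vni_rsvd >> 8, "protocol": PROTO_NAMES.get(proto, hex(proto))}
    pos = 8
    while pos < opt_end:
        opt_class, opt_type, opt_len = struct.unpack("!HBB", buf[pos:pos + 4])
        data_len = (opt_len & 0x1F) * 4  # low 5 bits, in 4-byte words
        if pos + 4 + data_len > opt_end:
            raise ValueError("option runs past the declared option length")
        data = buf[pos + 4:pos + 4 + data_len]
        type_id = opt_type & 0x7F  # high bit marks a critical option
        if opt_class == AWS_OPTION_CLASS and type_id in AWS_OPTION_NAMES:
            info[AWS_OPTION_NAMES[type_id]] = int.from_bytes(data, "big")
        elif opt_type & 0x80:
            # RFC 8926: a receiver that does not understand a critical option must drop the packet
            raise ValueError(f"unknown critical option class={opt_class:#x} type={type_id}")
        pos += 4 + data_len
    inner = buf[opt_end:]
    if proto == 0x86DD and len(inner) >= 40 and inner[0] >> 4 == 6:
        info.update(inner_version=6, inner_next_header=inner[6],
                    inner_src=str(ipaddress.IPv6Address(inner[8:24])),
                    inner_dst=str(ipaddress.IPv6Address(inner[24:40])))
    elif proto == 0x0800 and len(inner) >= 20 and inner[0] >> 4 == 4:
        info.update(inner_version=4, inner_next_header=inner[9],
                    inner_src=str(ipaddress.IPv4Address(inner[12:16])),
                    inner_dst=str(ipaddress.IPv4Address(inner[16:20])))
    else:
        raise ValueError("inner packet does not match the GENEVE protocol type")
    return info


def parse_gwlb_packet(pkt: bytes) -> dict:
    """Strip the outer IPv4/UDP headers sent by the GWLB and decode the GENEVE payload."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("outer packet is not UDP")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != GENEVE_PORT:
        raise ValueError(f"not GENEVE: UDP dst port {dport}")
    info = {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    info.update(parse_geneve(pkt[ihl + 8:ihl + ulen]))
    return info


def build_sample_packet() -> bytes:
    """Constructed sample: GWLB 10.0.1.5 -> appliance 10.0.1.10 carrying an inner IPv6 TCP segment."""
    inner_src = ipaddress.IPv6Address("2001:db8::10").packed
    inner_dst = ipaddress.IPv6Address("2001:db8::20").packed
    payload = bytes(20)  # stand-in for a TCP header
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 6, 64) + inner_src + inner_dst + payload
    options = b""
    for type_id, value, size in ((1, 0x0102030405060708, 8), (2, 0x1112131415161718, 8), (3, 0xDEADBEEF, 4)):
        options += struct.pack("!HBB", AWS_OPTION_CLASS, type_id, size // 4) + value.to_bytes(size, "big")
    geneve = struct.pack("!BBHI", len(options) // 4, 0, 0x86DD, 0) + options + inner
    udp = struct.pack("!HHHH", GENEVE_PORT, GENEVE_PORT, 8 + len(geneve), 0) + geneve
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address("10.0.1.5").packed,
                        ipaddress.IPv4Address("10.0.1.10").packed)
    return outer + udp


if __name__ == "__main__":
    for key, value in parse_gwlb_packet(build_sample_packet()).items():
        print(f"{key}: {value}")
```

The practical check this gives you: an appliance that only looks at the outer IPv4 header will see GWLB-to-appliance traffic on UDP 6081 and never the IPv6 flow being inspected, so both its firewall policy and its own security group have to be written against what sits inside the tunnel. When the appliance hands the packet back to the Gateway Load Balancer, keep the GENEVE header and its AWS options (the flow cookie in particular) intact; that is what lets the load balancer match the return to the original flow.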

2023-12-12 08:29
