AWS From The Cloud Down

A Functional Overview of AWS VPC

Created by Laurence J MacGuire a.k.a. 刘建明 a.k.a Liu Jian Ming

ThoughtWorks Xi’An, 2016/11/07

Creative Commons License

VPC In CFN Designer

Concepts

  • Addressing
  • Routing
  • NAT
  • Filtering

Concept: Addressing

IP Addresses

Examples:

  • 127.0.0.1 == home / localhost
  • 8.8.8.8 == Google’s DNS
  • 169.254.169.254 == EC2 Meta-data Service
  • $(ifconfig eth0) == your (linux) computer

IP Addresses

[8 bits] . [8 bits] . [8 bits] . [8 bits]

Kind of like a sea of 32-bit integers that uniquely identify a network-connected device.

IP Addresses

Tin Can Phone

The Internet?

Tin Can Phone Network

Networks

4 Billion+ IP Addresses

Internet

Inter-network

Multiple Inter-Connected Networks

Networks

$> ifconfig eth0
eth0   Link encap:Ethernet  HWaddr c8:ff:28:b5:f9:a1  
	inet addr:192.168.123.52	Mask:255.255.255.0

Ohhh. Mask?

Networks

Examples:

192.168.1.0 - 192.168.1.255

192.168.1.[ 0..255 ]

Networks

192.168.1.0-255
^        ^    ^
+--------+----+
 24 bits  8bits = 32 bits

192.168.1.0 - 192.168.1.255

Networks

10.0.0.0/8	# (10.0.0.0 - 10.255.255.255)
192.168.1.0/24	# (192.168.1.0 - 192.168.1.255)
172.16.0.0/16	# (172.16.0.0 - 172.16.255.255)

These are “subnetworks”.

Their address ranges can be called “CIDR blocks”.

The whole range 0.0.0.0 - 255.255.255.255 is divided up in this way.

Networks

Special Cases

10.0.0.0/8	# (10.0.0.0 - 10.255.255.255)
192.168.1.0/24	# (192.168.1.0 - 192.168.1.255)
172.16.0.0/16	# (172.16.0.0 - 172.16.255.255)

These ranges can be re-used inside any bounded network, which makes them unreachable from the open internet.

Hence, they are private, or more accurately, publicly unroutable.
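As an added example (not part of the deck), the CIDR arithmetic above in Python's standard `ipaddress` module: expand a block into its range and mask, recover the subnet from an address plus mask as shown in the ifconfig output, test whether a block sits inside the RFC 1918 private ranges, and carve a block into equal sub-blocks the way a VPC is split into subnets. It assumes RFC 1918 as the definition of “private”; the address counts it computes are the classic IPv4 ones (network and broadcast address excluded).

```python
import ipaddress

# RFC 1918 private ranges (assumption: the deck's /16 and /24 examples are
# carved from these); every sub-block of them is "publicly unroutable".
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe(cidr):
    """Expand a CIDR such as 192.168.1.0/24 into the range it denotes."""
    net = ipaddress.ip_network(cidr)          # raises if host bits are set
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "network_bits": net.prefixlen,
        "host_bits": 32 - net.prefixlen,
        "addresses": net.num_addresses,
        # classic IPv4 accounting: network and broadcast addresses are not usable
        "usable": max(net.num_addresses - 2, 0),
    }


def network_of(addr, netmask):
    """What ifconfig's 'inet addr' + 'Mask' pair means: the subnet the host is on."""
    return str(ipaddress.ip_interface(f"{addr}/{netmask}").network)


def is_private(cidr):
    """True when the whole block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)


def carve(cidr, new_prefix, count):
    """Split a block into equal sub-blocks, the way a VPC is split into subnets."""
    subnets = ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)
    return [str(s) for _, s in zip(range(count), subnets)]


if __name__ == "__main__":
    for c in ("10.0.0.0/8", "192.168.1.0/24", "172.16.0.0/16"):
        d = describe(c)
        print(f"{c:18} {d['first']} - {d['last']}  mask {d['netmask']}  "
              f"{d['addresses']} addresses, private={is_private(c)}")
    print(network_of("192.168.123.52", "255.255.255.0"))   # 192.168.123.0/24
    print(carve("10.0.0.0/16", 24, 4))
```

`ip_network` is strict by default, so a value with host bits set (say `192.168.1.5/24`) is rejected rather than silently rounded; that is the behaviour you want when validating a CidrBlock before it reaches a template.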

AWS::EC2::VPC

It’s a hosted private network

AWS::EC2::VPC

Cost: Free.

Regionality: Region specific

AWS::EC2::VPC

VPC:
  Type: "AWS::EC2::VPC"
  Properties: 
    CidrBlock: String
    EnableDnsSupport: Boolean
    EnableDnsHostnames: Boolean
    InstanceTenancy: String
    Tags:
      - Key: "Tag Key"
        Value: "Tag Value"

AWS::EC2::VPC

AWS::EC2::VPC.CidrBlock = “10.0.0.0/16”

The complete address range of your private network.

AWS::EC2::VPC

AWS::EC2::VPC.EnableDnsSupport = “true”

Enable DNS Name resolution within the VPC.

AWS::EC2::VPC

AWS::EC2::VPC.EnableDnsHostnames = “true”

Whether the VPC should assign internal DNS names to the instances within.

AWS::EC2::Subnet

It’s a further (logical) division of your VPC.

Usually for different security / access contexts.

AWS::EC2::Subnet

Cost: Free

Regionality: Availability Zone specific

AWS::EC2::Subnet

Subnet1:
  Type: "AWS::EC2::Subnet"
  Properties: 
    VpcId: String
    AvailabilityZone: String
    CidrBlock: String
    MapPublicIpOnLaunch: Boolean
    Tags:
      - Resource Tag

AWS::EC2::Subnet

AWS::EC2::Subnet.VpcId = vpc-123123123

Defines which VPC this subnet belongs to.

AWS::EC2::Subnet

AWS::EC2::Subnet.AvailabilityZone = “us-east-1a”

Subnets live in one availability zone. Defines which one.

AWS::EC2::Subnet

AWS::EC2::Subnet.CidrBlock = “10.0.1.0/24”

Defines the CIDR range for this particular subnet in the VPC.

AWS::EC2::Subnet

AWS::EC2::Subnet.MapPublicIpOnLaunch = “false”

A subnet can assign public IPs to instances launched inside it. This defines the default behaviour.

Better set to false.

Concept: Routing

Routing

[host 1] >------------------( ???? )--------------------> [host 2]

Routing

192.168.1.0/24

[192.168.1.101] >------------( local )-----------> [192.168.1.102]

Routing

192.168.1.0/24 + 10.0.0.0/16

[192.168.1.101] >-------------( ????? )-------------> [10.0.0.123]

Routing Tables

destination route
192.168.1.0/24 eth0
172.132.0.0/16 eth1
0.0.0.0/0 192.168.1.1

Each row is a route, and maps a CIDR to either

  • a local network interface
  • a locally accessible gateway device

0.0.0.0/0 is the default route/gateway.
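Added example (not from the deck): a longest-prefix-match lookup over the routing table above, in Python. The most specific row containing the destination wins, and 0.0.0.0/0 only catches what nothing else matched. It also shows a destination with no route at all when the default row is missing, which is exactly the situation of a subnet whose route table has no 0.0.0.0/0 entry.

```python
import ipaddress

# Constructed copy of the routing table on the slide:
# destination CIDR -> local interface or next-hop gateway address.
ROUTES = [
    ("192.168.1.0/24", "eth0"),
    ("172.132.0.0/16", "eth1"),
    ("0.0.0.0/0", "192.168.1.1"),     # default route: everything else
]


def build_table(rows):
    """Parse the CIDR strings once so lookups can do containment tests."""
    return [(ipaddress.ip_network(cidr), target) for cidr, target in rows]


def lookup(table, dst):
    """Longest-prefix match: the most specific CIDR containing dst wins.
    Returns (matched_cidr, target) or None when no row matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, target in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        return None
    return str(best[0]), best[1]


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("192.168.1.102", "172.132.7.9", "10.0.0.123"):
        print(dst, "->", lookup(table, dst))
    # Same table without the default route: 10.0.0.123 has nowhere to go.
    print(lookup(build_table(ROUTES[:2]), "10.0.0.123"))   # None
```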

AWS::EC2::RouteTable

A routing table for your VPC.

AWS::EC2::RouteTable

Cost: Free

Regionality: Region Specific

AWS::EC2::RouteTable

RouteTable1:
  Type: "AWS::EC2::RouteTable"
  Properties: 
    VpcId: String
    Tags:
      - Resource Tag

AWS::EC2::RouteTable

AWS::EC2::RouteTable.VpcId

The VPC this routing table can apply to. However, routing is NOT determined on a VPC basis; route tables are associated with subnets.

AWS::EC2::Route

A specific route / row in the routing table.

AWS::EC2::Route

Cost: Free

Regionality: Region specific

AWS::EC2::Route

Route1:
  Type: "AWS::EC2::Route"
  Properties: 
    RouteTableId: String
    DestinationCidrBlock: String
    InstanceId: String
    NetworkInterfaceId: String
    NatGatewayId: String
    GatewayId: String
    VpcPeeringConnectionId: String

AWS::EC2::Route

AWS::EC2::Route.RouteTableId

Specifies the RouteTable in which this route will be inserted.

AWS::EC2::Route

AWS::EC2::Route.DestinationCidrBlock

Specifies the CIDR for which this route applies.

AWS::EC2::Route

AWS::EC2::Route.InstanceId / AWS::EC2::Route.NetworkInterfaceId

Specifies an EC2 instance as route destination

(by instance id or network interface id)

AWS::EC2::Route

AWS::EC2::Route.NatGatewayId

Specifies a NAT Gateway as route destination

(more on this later)

AWS::EC2::Route

AWS::EC2::Route.GatewayId / AWS::EC2::Route.VpcPeeringConnectionId

Specifies routing to private networks outside of your VPC.

  • VPN connections
  • DirectConnect
  • VPC Peering

(more on this later)

AWS::EC2::SubnetRouteTableAssociation

N-to-1 association: N Subnets to 1 Route Table

AWS::EC2::SubnetRouteTableAssociation

SubnetRouteTableAssociation1:
  Type: "AWS::EC2::SubnetRouteTableAssociation"
  Properties: 
    RouteTableId: String
    SubnetId: String

Wait. Why bother with Subnets?

Why not just one big public subnet?

Security Contexts

  • Which network services need to be exposed publicly?
    • Most of the time, that’s only HTTPS
    • SSH, message queues, syslog, etc. are private
  • And it may be a legal requirement
    • PCI/DSS, HIPAA, FISMA

Security Contexts

Multi Tiered Applications

Internet?

So far, all our devices are limited to the VPC’s local network. Pretty useless.

AWS::EC2::InternetGateway

One of the required parts for Internet connectivity.

AWS::EC2::InternetGateway

InternetGateway:
  Type: "AWS::EC2::InternetGateway"
  Properties:
    Tags:
      - Tag

AWS::EC2::VPCGatewayAttachment

Attach the device to your VPC

AWS::EC2::VPCGatewayAttachment

VPCGatewayAttachment:
  Type: "AWS::EC2::VPCGatewayAttachment"
  Properties:
    InternetGatewayId: String
    VpcId: String
    VpnGatewayId: String

Still No Internet :(

Unless you give devices public IP addresses, defeating the purpose of private subnets.

Why?!

[10.31.16.123] --------------> ( ??? ) -------------> [54.12.35.41]
[  private   ] --------------> ( nope ) ------------> [   public  ]

Remember that stuff about routable (public) and non-routable (private) IPs?

Your devices get only private IPs by default.

Concept: NAT

Network Address Translation

Concept: NAT

Essentially, sharing one publicly routable IP address between multiple devices.
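Added example (not from the deck): a toy port-based NAT in Python. The private hosts are constructed; the public address 54.12.35.41 is the one from the earlier slide. It shows the two halves of the idea: outbound packets get the shared public source address and a fresh port, and replies are mapped back by that port. Anything inbound that matches no mapping has no private host to go to and is dropped, which is why a NAT-only tier is not reachable from the internet.

```python
import itertools
from collections import namedtuple

# A packet, reduced to the four fields NAT cares about.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class Nat:
    """Toy many-to-one NAT (port address translation), the idea behind a NAT
    gateway: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_out(self, pkt):
        """Private -> public: rewrite the source to the shared public address
        and remember the mapping so the reply can find its way back."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return pkt._replace(src_ip=self.public_ip, src_port=port)

    def translate_in(self, pkt):
        """Public -> private: only packets matching an existing mapping get in;
        unsolicited inbound traffic has no mapping and is dropped (None)."""
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        return pkt._replace(dst_ip=key[0], dst_port=key[1])


if __name__ == "__main__":
    nat = Nat("54.12.35.41")                      # public IP from the slide
    a = nat.translate_out(Packet("10.0.1.10", 40000, "8.8.8.8", 53))
    b = nat.translate_out(Packet("10.0.1.11", 40000, "8.8.8.8", 53))
    print(a, b, sep="\n")                         # same public IP, different ports
    print(nat.translate_in(Packet("8.8.8.8", 53, "54.12.35.41", b.src_port)))
    print(nat.translate_in(Packet("1.2.3.4", 12345, "54.12.35.41", 60000)))  # None
```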


AWS::EC2::NatGateway

AWS Managed NAT device

AWS::EC2::NatGateway

Cost:

  • ~$0.05 per hour
  • ~$0.05 per gigabyte

(this can be expensive!)

AWS::EC2::NatGateway

NatGateway:
  Type: "AWS::EC2::NatGateway"
  Properties:
    AllocationId: String
    SubnetId: String

AWS::EC2::NatGateway

AWS::EC2::NatGateway.AllocationId

Essentially an Elastic IP reservation: the allocation id of the public address the NAT device will use.

AWS::EC2::NatGateway

AWS::EC2::NatGateway.SubnetId

Which subnet this NAT device lives in.

AWS::EC2::NatGateway

And then you attach that to a Route.

Concept: Filtering

Filtering

Look at Source IP/Port and Destination IP/Port. Apply rules to permit or deny the packets.

Filtering

index  source ip            ports  direction  rule
0      54.12.52.76/32       80     incoming   allow
1      54.12.52.76/32       443    incoming   allow
2      123.234.123.234/32   22     incoming   allow
1000   0.0.0.0/0            *      incoming   deny

It’s also table-like, with a default rule at the end.

AWS::EC2::NetworkAcl

It’s that table.

AWS::EC2::NetworkAcl

NetworkAcl:
  Type: "AWS::EC2::NetworkAcl"
  Properties:
    VpcId: String
    Tags:
      - Resource Tag

AWS::EC2::NetworkAclEntry

It’s a row. A rule.

AWS::EC2::NetworkAclEntry

NetworkAclEntry1:
  Type: "AWS::EC2::NetworkAclEntry"
  Properties:
    CidrBlock: String
    Egress: Boolean
    Icmp:
      EC2 ICMP
    NetworkAclId: String
    PortRange:
      EC2 PortRange
    Protocol: Integer
    RuleAction: String
    RuleNumber: Integer

AWS::EC2::NetworkAclEntry

AWS::EC2::NetworkAclEntry.NetworkAclId

Which NetworkAcl to attach this rule to.

AWS::EC2::NetworkAclEntry

AWS::EC2::NetworkAclEntry.RuleNumber

The order in which this rule is evaluated relative to the others in the ACL.

AWS::EC2::NetworkAclEntry

AWS::EC2::NetworkAclEntry.Egress

Whether this rule applies to incoming or outgoing traffic.

AWS::EC2::NetworkAclEntry

AWS::EC2::NetworkAclEntry.Protocol

Which IP protocol this rule applies to.

  • 1 = ICMP
  • 6 = TCP
  • 17 = UDP
  • -1 = ALL

AWS::EC2::NetworkAclEntry

AWS::EC2::NetworkAclEntry.PortRange

Which ports this rule is meant to inspect.

AWS::EC2::NetworkAclEntry

AWS::EC2::NetworkAclEntry.RuleAction

  • allow
  • deny

Guess.
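Added example, not from the deck: a Python evaluator for NetworkAclEntry-style rules using the property names above (CidrBlock, Egress, Protocol, PortRange, RuleAction, RuleNumber). The rules are a constructed copy of the earlier filtering table, numbered in steps of ten (an assumption, not the deck's numbering). Rules are checked in ascending RuleNumber order and the first match decides; a packet that matches nothing is denied. The last case in the usage shows the stateless nature of Network ACLs: the reply to the allowed SSH session is denied, because no egress rule exists for it.

```python
import ipaddress

ICMP, TCP, UDP, ALL = 1, 6, 17, -1   # Protocol values from the deck

# Constructed ingress rules mirroring the slide's table, numbered in steps
# of ten (assumption); the catch-all deny is listed explicitly as rule 1000.
RULES = [
    {"RuleNumber": 100, "Egress": False, "CidrBlock": "54.12.52.76/32",
     "Protocol": TCP, "PortRange": (80, 80), "RuleAction": "allow"},
    {"RuleNumber": 110, "Egress": False, "CidrBlock": "54.12.52.76/32",
     "Protocol": TCP, "PortRange": (443, 443), "RuleAction": "allow"},
    {"RuleNumber": 120, "Egress": False, "CidrBlock": "123.234.123.234/32",
     "Protocol": TCP, "PortRange": (22, 22), "RuleAction": "allow"},
    {"RuleNumber": 1000, "Egress": False, "CidrBlock": "0.0.0.0/0",
     "Protocol": ALL, "PortRange": None, "RuleAction": "deny"},   # None == "*"
]


def matches(rule, pkt):
    """Does one rule apply to this packet? Direction, address, protocol, port."""
    if rule["Egress"] != pkt["egress"]:
        return False
    # ingress rules look at the source address, egress rules at the destination
    ip = pkt["dst_ip"] if pkt["egress"] else pkt["src_ip"]
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["CidrBlock"]):
        return False
    if rule["Protocol"] not in (ALL, pkt["protocol"]):
        return False
    if rule["PortRange"] is not None:
        lo, hi = rule["PortRange"]
        if not lo <= pkt["dst_port"] <= hi:
            return False
    return True


def evaluate(rules, pkt):
    """Rules are checked in ascending RuleNumber order; the first match decides.
    Returns (action, rule_number), or ("deny", None) if no rule matched."""
    for rule in sorted(rules, key=lambda r: r["RuleNumber"]):
        if matches(rule, pkt):
            return rule["RuleAction"], rule["RuleNumber"]
    return "deny", None


def packet(src_ip, dst_ip, dst_port, protocol=TCP, egress=False):
    """Constructed packet: just the fields an ACL inspects."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port,
            "protocol": protocol, "egress": egress}


if __name__ == "__main__":
    print(evaluate(RULES, packet("123.234.123.234", "10.0.1.10", 22)))   # allow, 120
    print(evaluate(RULES, packet("54.12.52.76", "10.0.1.10", 22)))       # deny, 1000
    print(evaluate(RULES, packet("54.12.52.76", "10.0.1.10", 443)))      # allow, 110
    # Stateless: the SSH reply leaving the subnet hits no egress rule at all.
    print(evaluate(RULES, packet("10.0.1.10", "123.234.123.234", 51000, egress=True)))
```

A practitioner building an ACL from this would add the matching egress rules (including the ephemeral port range for replies) and check them the same way before deploying.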

AWS::EC2::SubnetNetworkAclAssociation

Many-to-one association: many Subnets to one NetworkAcl

AWS::EC2::SubnetNetworkAclAssociation

AWS::EC2::SubnetNetworkAclAssociation

SubnetNetworkAclAssociation1:
  Type: "AWS::EC2::SubnetNetworkAclAssociation"
  Properties: 
    NetworkAclId: String
    SubnetId: String

VPC Layout

  • Subnets
    • Public
    • NAT
    • Services
    • Private
  • Availability Zones
    • Usually 2 or 3
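Added example (not from the deck): assembling the layout above as a CloudFormation template dict in Python, from the resource types covered in this deck plus an AWS::EC2::EIP supplying the NAT gateway's AllocationId, and checking it before deployment: every subnet inside the VPC block, no overlapping subnets, every subnet associated with a route table. The public subnet in each AZ routes 0.0.0.0/0 to the Internet Gateway; the private ones route it to the NAT Gateway, so nothing outside can route in. Assumptions: two AZs, a /24 per subnet, one NAT gateway in the first public subnet, one route table per tier, no tags.

```python
import ipaddress
import json


def vpc_template(vpc_cidr="10.0.0.0/16", azs=("us-east-1a", "us-east-1b")):
    """Public + private subnet per AZ as a CloudFormation template dict
    (dump with json.dumps). Assumptions: one NAT gateway in the first public
    subnet, one route table per tier, /24 subnets, no tags."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24)
    res = {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {
            "CidrBlock": vpc_cidr, "EnableDnsSupport": True, "EnableDnsHostnames": True}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "GatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable",
                             "Properties": {"VpcId": {"Ref": "VPC"}}},
        # 0.0.0.0/0 via the IGW is what makes the public tier "public"
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "GatewayAttachment",
                               "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"},
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": {"Ref": "InternetGateway"}}},
        "NatEip": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "NatGateway": {"Type": "AWS::EC2::NatGateway", "Properties": {
            "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]},
            "SubnetId": {"Ref": "PublicSubnet0"}}},
        "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable",
                              "Properties": {"VpcId": {"Ref": "VPC"}}},
        # the private tier only reaches out through NAT; nothing routes in
        "PrivateDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "PrivateRouteTable"},
            "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": {"Ref": "NatGateway"}}},
    }
    for i, az in enumerate(azs):
        for tier in ("Public", "Private"):
            name = f"{tier}Subnet{i}"
            res[name] = {"Type": "AWS::EC2::Subnet", "Properties": {
                "VpcId": {"Ref": "VPC"}, "AvailabilityZone": az,
                "CidrBlock": str(next(blocks)),
                "MapPublicIpOnLaunch": False}}   # the deck's advice: off by default
            res[name + "RouteAssoc"] = {
                "Type": "AWS::EC2::SubnetRouteTableAssociation",
                "Properties": {"SubnetId": {"Ref": name},
                               "RouteTableId": {"Ref": f"{tier}RouteTable"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": res}


def check_layout(template):
    """Pre-deployment sanity checks: subnets inside the VPC block, no overlaps,
    every subnet associated with a route table. Returns a list of problems."""
    res = template["Resources"]
    vpc = ipaddress.ip_network(res["VPC"]["Properties"]["CidrBlock"])
    subnets = {n: ipaddress.ip_network(r["Properties"]["CidrBlock"])
               for n, r in res.items() if r["Type"] == "AWS::EC2::Subnet"}
    problems = []
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} lies outside VPC {vpc}")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} overlaps {b}")
    associated = {r["Properties"]["SubnetId"]["Ref"] for r in res.values()
                  if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"}
    problems += [f"{n} has no route table association"
                 for n in subnets if n not in associated]
    return problems


if __name__ == "__main__":
    t = vpc_template()
    print(json.dumps(t, indent=2))
    print("problems:", check_layout(t))   # []
```

The checks are the ones that fail late and expensively at stack creation time (overlapping or out-of-range CidrBlocks) or silently (a subnet left on the VPC's main route table), so running them on the generated dict is cheaper than finding out from CloudFormation.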

Questions?

24 bits = network; 8 bits = individual hosts in the subnet

Minimum subnet size = /30, a total of 4 addresses:

  • Subnet network address (first address)
  • Broadcast address (last address)
  • two remaining usable addresses

Maximum subnet size = /8, a total of 2^24 addresses …

https://en.wikipedia.org/wiki/IPv4#Addressing

Special subnets:

IP addresses are a finite resource. However, certain ranges have been made re-usable, which means they are fine to use internally, so long as you don’t send such packets out beyond the network you control.

Examples:

192.168.0.0/16 172.0.0.0/8 10.0.0.0/8 (127.0.0.0/8)

These ranges are also called CIDRs.

https://en.wikipedia.org/wiki/Reserved_IP_addresses

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_blocks

You could also call these networks “private”.

  • Routes
  • Firewalls

VPC

  • Internet Gateway + Attachment
  • NAT Gateway
  • Elastic IP
  • Subnet
  • Route Table
  • ACL + Entries
  • SecurityGroups?