About the talk
Amazon Virtual Private Cloud enables you to have complete control over your AWS virtual networking environment. It has evolved with enterprise-grade networking features. This session will look at design patterns for AWS Direct Connect, AWS Transit Gateway and AWS PrivateLink that will enable you to get the best from your network.
Learn more about AWS at - https://amzn.to/3eDoUQw
More AWS videos http://bit.ly/2O3zS75
More AWS events videos http://bit.ly/316g9t4
#AWS #AWSSummit #AWSEvents
Hi, my name's Brett, Global Solutions Architect with Amazon Web Services. Today we're going to be talking about advanced VPC connectivity patterns. It's a question a lot of my customers come up with a lot of the time, and my colleagues also say the same sort of thing, so hopefully this rings a bell and you'll get some value out of this. What are we going to talk about today? First of all, connecting your network with AWS; second of all, what you do when you get in there, so how do you route inside AWS; and then the glue that holds it all together, DNS.

Let's talk about connecting to AWS. A long time ago we launched Direct Connect; you can still use this today and customers have been using it for years. This is how you would traditionally connect your on-premises network to your VPC in AWS: within the VPC you create a virtual private gateway, from your on-premises network you order a Direct Connect service, and that's pretty much it, it just works and it's all good. Now this is important for later: each private VIF that you create on that Direct Connect service has a single VLAN and a single BGP session; we'll come back to that in a moment. Back in the day, customers used to first connect their on-premises network to AWS using a VPN. Why? Because it was very fast, so they didn't have to worry about getting any network. Customers also use VPN as a backup to their Direct Connect service. It works exactly the same way as Direct Connect, except it's over the internet rather than a private network: you have your on-premises network and you build a tunnel, so security is very good, and just like Direct Connect you can use BGP routing or you can use static, and just like Direct Connect there is a single VPN per VPC. Now if you're going to use VPN as a backup to Direct Connect, I would strongly recommend that you use BGP, because it gives you greater control over how routing happens in a failover environment.

Now the new and shiny way, and the one I'd encourage you to use, is Direct Connect Gateway. You have your on-premises network, you order a Direct Connect, and in the middle you stick a Direct Connect Gateway. The difference, if we look at it under the hood: from your on-premises network there's the Direct Connect to the Direct Connect Gateway, and when you connect a VPC we build a connection to the Direct Connect Gateway and a BGP session to deliver all the routing information down. When you add another VPC, or a third VPC, we still have that one VLAN and the BGP session stays the same. This is the big difference between Direct Connect and using Direct Connect Gateway: you get one VLAN for all of the VPCs, you get a single BGP session with us, and all that happens when we add and remove VPCs is that the BGP table gets updated. The other big addition here is that you can now be within one region or in multiple regions, so if you're in one region, for example, one of your VPCs could quite happily live in a different region, such as Virginia.

What happens under the skin on the network? This is a topic that we go through with customers all the time, so I thought I'd lay it out here. To connect to Direct Connect, somewhere close to your network you'll have a router that's owned and operated by you. With Direct Connect, when you add a VPC, we stand up a VLAN and a BGP session. When you add a second VPC there's another VLAN and another BGP session, and when you stand up a third it's exactly the same way. You could choose to transit those VLANs directly through to your on-premises network, so you'd need to do some sort of routing there, or if you wanted to, you could collapse it down to a single VLAN; that's completely up to you. With Direct Connect Gateway it's much simpler: we bring it in in the middle and you always have a single VLAN and a single BGP session, and it should be noted that this is the same with Transit Gateway, which I'm going to talk about in a little while. Some customers like to put a firewall on their on-premises network to guard them against potential external threats, and depending on your particular scenario, you just need to make sure that your firewall handles either single or multiple VLANs. You might also be connecting through a partner. Many partners will terminate the BGP session for you, and they might not; it's up to them what they do on their network. They might also decide to transit all of those VLANs across to you, so you may need a layer 2 or layer 3 service from them. You'll need to discuss that with them.

So that handles private connectivity into AWS. What about public connectivity? We have an item called a public VIF. Why would you want to use one of those? Well, you might want to reach AWS services, but not over the internet: your internet link might be congested, it might have too much variable latency, or you might want to get to a VPC via VPN but not over the internet. But why wouldn't you do this? It requires another VLAN and another BGP session, you're probably going to want a firewall, you're probably going to want to use NAT, and you're not necessarily just going to have access to the services that you want; there's a lot more in there. Let me use a diagram to explain. You have your on-premises network and we have the AWS region. Normally you would connect to that via the internet, fantastic, and you have access to all of these services, including any of the public API endpoints. By adding a Direct Connect public VIF, we can connect to all those services and connect them to the on-premises network, and just like with a private VIF you're still going to need a router at the end of it and a BGP session. Now it should be noted that with a public VIF, that is the complete public IP address space in there: you're going to receive a number of routes from us, possibly in the thousands, so that router needs to be sized for that. What that does mean is that you're going to have to do some sort of network address translation. The network people out there who run public IP space on their internal network won't, but most people will be doing NAT to accomplish this. Now, if you have a VPC on the AWS side that has an internet gateway, it will have public IPs associated with it. These will be reachable via that link, so you can access it across that link rather than across the internet. Similarly, if there's a second VPC with an internet gateway, you can get to that one as well, but it might not be owned by you; that could be owned by another customer, just with a standard elastic public IP associated with it. Similarly, if you or someone else has a VPC with a VPN attached to it, it has a public IP as well, so now you can run a VPN across that link, the public VIF, into AWS, therefore encrypting traffic from your on-premises network into VPC C in the diagram.

Now the thing is, you might not want to have all these services accessible; you might want to protect yourself from them, and just as we would normally say you'd have a firewall on your internet link, let's put a firewall on this link as well. So we want to be very careful about what we allow in and out of that link, bearing in mind that this is a fairly sizable chunk of the internet to connect to, and depending on what you do from a route filtering perspective you're going to receive quite a number of routes. Speaking about filtering, there's a couple of different ways in which you could do this. First of all, you can specify with BGP communities which regions you want to receive from us; we tag all those routes with communities. Secondly, we have a file you can download, ip-ranges.json, that lists the IP ranges in use by various AWS services. So you could say, I only want to receive the S3 routes, which then gives you a semi-private way of connecting across some MPLS circuit to AWS to use S3, if you're trying to pull a lot of data out.

Okay, once we're in AWS, what do we do next? Originally we gave you the ability to peer the VPCs together. We have three VPCs, we peer them together and they'll talk to each other. Notably these VPCs cannot have overlapping IP address blocks; they have to all be unique, otherwise you just can't peer them together.
Inside VPC A we have a route table. The route table says this is how to get to things, and in this case it says the destination VPC B is via my peering connection one, and the destination VPC C is via my peering connection two. Now I want you to think about the route table here as the lookup for a subnet: when a packet leaves an instance and comes onto the subnet, it looks up the route table and says, where am I going to go? There can only be one route table for a subnet, because that really makes sense, right? You can't look up in two places where the packet is going to go. Just to remind you of that concept: a subnet can only have one route table; most VPCs have one, but you can have multiple.

Here's the problem with peering: let's add another VPC. Now we have a problem. We have lots and lots of VPC peering connections, and we have to update every single VPC in order to make sure everything routes; this is a lot of work. How many peering connections do you need if you want to have a full mesh? We have a simple formula. Let's imagine that we have 10 VPCs, right? That's 45 connections. That's a lot: 45 connections and 45 route table updates, at least. That seems like a big thing. What happens if you have a hundred VPCs? And believe me, lots of customers have more than that. That's 4500 connections. This is bad for lots of reasons, and not just for your head: we have limits. You can only have 100 routes in a VPC route table, and you can actually only have 125 peering connections. So clearly this is not viable. So what are we going to do about this?

Transit Gateway to the rescue. Think of it as a cloud-scale router: connect things to it and it routes traffic. Let's take our example from before, the three VPCs that we have, add an on-premises network into the mix, and make sure they're all connected to Transit Gateway. So now we have a heck of a lot simpler diagram again; these are all the local routes. We also have the concept of a route table in Transit Gateway, and just like a VPC route table it says, when you receive a packet for this particular destination, go down this particular attachment. In this case we've got VPC A, B, C and so on, and the on-premises network, which can be connected via a VPN or a Direct Connect VIF, which is why we covered that bit earlier. And every time we add more VPCs, we don't have to go in and update the route table for VPC A. Just like with the VPC route tables, you can only assign a single Transit Gateway route table to a VPC, because again, as the packet is leaving the VPC, we look it up in the route table and that's where we decide where to go. What's interesting is that you can have multiple route tables in Transit Gateway. So you can have a set-up where route table one allows VPCs A and B to talk to each other, and another allows VPC C to talk to on-premises and back, so that A and B, for example, talk to each other and C cannot communicate with them.

Let's look at some of the terminology that you're going to need. An attachment is where we connect a VPC, a VPN or Direct Connect into Transit Gateway. Association is the route table that is associated with that particular attachment. And propagation is where we automatically take the routes from a VPN, from Direct Connect or from a VPC and install them into the route table. As an example, this is what the route tables are going to look like. VPC A, and let me show you some real IP addresses, has 10.1.0.0/16. When we associate VPC A, that comes across attachment X. We propagate the routes from VPC A across X into the route table, and now we've learned how to get to 10.1.0.0/16 and it is via association X. VPC B plays the same way: everything is now from Y, and this is 10.2, and C is 10.3. The route table in VPC A is actually really, really simple: it says everything goes to Transit Gateway, because there's only one link out of that VPC. So very, very simple, and again, as I said earlier, when we add more VPCs we don't have to change the route table in VPC A.

Now what about VPC C? Say we put an internet gateway in there. We can't really have the default route pointing to Transit Gateway; that's going to point to the internet gateway instead. So how do we get to Transit Gateway? In this case it's pretty easy: we just add a 10.0.0.0/8 route and push that to Transit Gateway. That's pretty straightforward. Earlier I said the routes are automatically propagated into route tables; you can turn this on or off. Generally speaking, in any simple topology you probably want it turned on, so that when you associate a VPC with the Transit Gateway, those routes appear in the route table that is associated with that VPC. That's pretty easy. If you have a more complex topology, as in the one I just told you about where A talks to B but not to C, for example, you probably want to turn off automatic propagation of routes and do it either by manually engineering it or by having some automation do that for you.

So these are the advantages of Transit Gateway: you can create isolated topologies. A lot of customers really like to do this. You have production VPCs that can talk back to your on-premises network, you have dev and test VPCs that can talk amongst each other and to on-premises, but the production and the dev and test VPCs can't talk to each other, and it's relatively simple to set up these topologies. One of the interesting things, as I mentioned before about VPC peering, is that you can't peer VPCs that have the same IP address block. With Transit Gateway you can attach VPCs that have the same overlapping IP address blocks; however, they still cannot talk to each other via Transit Gateway. You would need to route that traffic to another VPC that does some static or double-sided NAT in order for
those two VPCs to talk to each other, but it does allow you to set up lots of topologies, if you like.

Let's move on to sharing services in AWS. What do you do if you want to reach resources, applications and services that are in another VPC or on-premises? How do we do that without exposing them to the internet, and can we do it without peering or routing? The answer is PrivateLink. We can take a service that is presented in another VPC and insert it into a VPC, the consumer VPC, and it just appears as a local IP. The great thing about this is we don't actually care whether the service VPC and the consumer VPC have overlapping IP addresses; we just do some double-sided NAT for you, and it's all magic. They can also be in different accounts, which is great if you're setting up a multi-account environment where some people are offering services and other people are acting as consumers of those services. Here's a simple diagram. We have a service provider and the provider VPC on the left, and we use a network load balancer in the provider VPC, exposed into an interface VPC endpoint in the consumer VPC. We use the same thing to present our public APIs inside a VPC, basically the public IP addresses of the AWS services, via a private link. What this means is the instances in that VPC do not need an internet gateway or any other sort of public internet access in order to access the services that are presented by PrivateLink. This is ideal for SaaS providers: from a VPC in their account they can present services into customers' accounts. And again, we don't have to worry about whether the IP addresses are overlapping. All I need to do is set up a network load balancer, present that to my PrivateLink, and we deliver traffic into the instances that are connected to and registered with the network load balancer. Something that has to be said here is that because the VPC endpoint appears as an elastic network interface, as the provider you need to make sure that you're presenting ENIs into the right availability zones for your consumers. So we encourage you to be very, very highly available here and put ENIs into every single availability zone, from your perspective, into which you want to present an ENI.

It turns out that VPC endpoints are reachable from on-premises over a Direct Connect or a VPN. What this means is that your on-premises server can reach through Direct Connect to the VPC endpoint and then onwards into the service or the API. So it really is a great hybrid solution. One of the other tricks with network load balancers is that you can use an NLB to load balance across on-premises servers, and by using an NLB to do this, you can now present on-premises services via the NLB and PrivateLink to VPC consumers. From a VPC perspective they think the service is just a local interface; it looks like it's in the VPC, but behind it the traffic goes across either Direct Connect or VPN. And if the provider VPC is in a different region, we can use cross-region VPC peering to connect the VPCs together, and then allow the VPC, in this case in us-east-1, to connect to something in ap-southeast. Creating inter-region dependencies is not the way to go, but we appreciate there are customers that have applications that exist, for whatever reason, in more than one region. Then you can use some PrivateLink magic here to load balance across instances that are in a different region. So this is a slightly different pattern for doing this. Again, I would encourage you not to create inter-region dependencies if you don't have to.

One of the common patterns we see is the creation of a shared services VPC. With lots and lots of PrivateLinks, many consumer VPCs and many things on-premises that want to consume stuff inside AWS, you might find that creating lots and lots of VPC endpoints is kind of hard work. Rather than that, put those endpoints in a single shared services VPC and consume them all there, just once, and as I mentioned earlier they're available via Direct Connect or VPN.
I always encourage you to use at least two availability zones. Please consider using DNS names to look up things; we're going to talk about that in a moment. And make sure that if you're using an NLB to present your resources across to consumers, you design it so that you don't try and cross availability zones on the way through to the consumer VPC. And lastly, please avoid building inter-region dependencies if at all possible.

Route 53 has been available in AWS for a long time, and the resolver had a bunch of different names depending on who you were talking to and where it was in the documentation. So you know what, we got an official name and here it is: Amazon Route 53 Resolver. What is Route 53 Resolver? It's the one that sits in your VPC; if your VPC address is .128 it will be at .130, and it has built-in redundancy. The hard bit was reaching it inside the VPC from outside; that was pretty hard, you had to go and build or run instances to do that. Route 53 Resolver fixes all of this. It gives you the option to resolve wherever you like: you can look up private hosted zones, you can look up VPC endpoints, and you can continue to look up public DNS records.

So here's an example. There are two sorts of resolver endpoints, inbound and outbound, and they do pretty much what you would expect. The inbound endpoint is used for things outside of a VPC, pretty much stuff that's on-premises, to look up things inside the VPC. So you create an inbound Route 53 Resolver endpoint, you point your on-premises DNS at it, and then you can look up things inside the VPC. An outbound endpoint does exactly the opposite: it sits inside the VPC, and it means that services inside the VPC can look things up and have them forwarded to your corporate DNS server, which can be over VPN or Direct Connect or whatever. Again this has built-in redundancy, and the one thing you've got to beware of, again because this is kind of delivered by PrivateLink, is that one endpoint equals multiple ENIs in the VPC, and there is a limit of 10,000 queries per second. That sounds like a lot, but just watch out for that; we do have CloudWatch metrics that will help you with that.

When you configure your Route 53 Resolver, there are two types of rules: forwarding rules and system rules. The forwarding rules say, for this particular domain, I want you to send it to this remote DNS resolver, and we have to put static IP addresses on those DNS resolvers, so please don't have them move around the network. System rules work automatically inside the VPC, so that when you send something to Resolver, it can find DNS names and resolve them inside Route 53 itself. Here is a not complicated pattern. We have a corporate DNS that talks to an inbound and an outbound Resolver endpoint, and then we share that across multiple VPCs. What this means is that your on-premises network can now reach into all of those VPCs and find things, and those VPCs can also resolve names and IP addresses inside the corporate DNS server.

The best practices: operating inside a VPC, use the built-in resolver. If it's there, it's simple and it doesn't have that ten thousand per second limit. Always put endpoints into multiple availability zones; again, this is the same rule as with PrivateLink. Use conditional forwarding for on-premises queries, so you only send the queries on-premises that have to go there. Avoid using A records when you're referencing ENIs inside a VPC; always use an alias or a CNAME record, because you just don't know when that's going to change. Pointing outbound endpoints at inbound endpoints? Yes, you can do that; that's probably not very smart. And again, look at the CloudWatch alarms on those Resolver endpoints to find out when you're approaching those limits. And finally, as I mentioned before, use static IP addresses for your outbound Resolver targets.

Here are some key takeaways from this presentation. PrivateLink endpoints are highly available; put them in multiple availability zones. Use the Route 53 Resolver. If you have challenges between on-premises and inside your VPC, look at NLB and using PrivateLink, and you can create some very, very interesting traffic flows between clients and services in AWS or on-premises. Back to the beginning: Direct Connect Gateway makes adding and removing VPCs pretty easy. Public VIFs are good, but be aware of what you're getting into; it is definitely a public connection. And Transit Gateway, for most use cases, is definitely way better than VPC peering.

Now I've snuck in a quick note for you on Outposts. If you don't know what Outposts is, it's basically where you get a rack of equipment from us and put it in your data center; it is the same equipment that we use in our facilities, delivered to you. Why would you do that? You might want to run an application locally, you might have latency sensitive applications, or you might have something where cutting the network to it and back to the region is an issue, so you need local availability. There's a lot on this slide and I apologize; I am not going to read all these things to you. Two important things. One, you can't use the Outpost as traffic transit to a region, so you can't bring traffic into the Outpost and then on to the region; you're still going to need your Direct Connect or your VPN service. Two, the Outpost can access local networks via a thing called a local gateway, and it acts just like an internet gateway, stretching the VPC from the region out to your premises. Finally, thank you, I hope this has been valuable. Have a great day.
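One way to build the isolated production / shared dev-and-test Transit Gateway layout described in the talk, as an added Terraform example that is not from the talk or from AWS: three route tables, where association fixes which table an attachment consults on egress and propagation fixes which prefixes land in each table. VPC ids, subnet ids and the on-premises attachment id are placeholders assumed to exist already.

```hcl
variable "vpcs" {
  # Placeholder ids; one subnet per AZ so each attachment spans every AZ the VPC uses
  type = map(object({ vpc_id = string, subnet_ids = list(string) }))
  default = {
    prod = { vpc_id = "vpc-PROD-PLACEHOLDER", subnet_ids = ["subnet-PROD-A", "subnet-PROD-B"] }
    dev  = { vpc_id = "vpc-DEV-PLACEHOLDER", subnet_ids = ["subnet-DEV-A", "subnet-DEV-B"] }
    test = { vpc_id = "vpc-TEST-PLACEHOLDER", subnet_ids = ["subnet-TEST-A", "subnet-TEST-B"] }
  }
}

# Attachment id of the Site-to-Site VPN or Direct Connect Gateway that reaches on-premises (placeholder)
variable "onprem_attachment_id" {
  type    = string
  default = "tgw-attach-ONPREM-PLACEHOLDER"
}

resource "aws_ec2_transit_gateway" "hub" {
  # Disable the default table so nothing is reachable unless declared below
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  for_each           = var.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

locals {
  # Per route table: the attachments whose prefixes are propagated INTO it, i.e. what is reachable from it
  propagations = {
    prod    = ["onprem"]                 # production talks to on-premises only
    nonprod = ["dev", "test", "onprem"]  # dev and test talk to each other and to on-premises
    onprem  = ["prod", "dev", "test"]    # return path: on-premises reaches every VPC
  }
  # Each attachment consults exactly one table on egress, like a VPC subnet
  associations = { prod = "prod", dev = "nonprod", test = "nonprod", onprem = "onprem" }

  attachment_ids = merge(
    { for name, att in aws_ec2_transit_gateway_vpc_attachment.vpc : name => att.id },
    { onprem = var.onprem_attachment_id }
  )
  # Flatten {table => [sources]} into one entry per (table, source) pair for for_each
  propagation_pairs = merge([
    for table, sources in local.propagations : {
      for source in sources : "${table}/${source}" => { table = table, source = source }
    }
  ]...)
}

resource "aws_ec2_transit_gateway_route_table" "rt" {
  for_each           = local.propagations
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = each.key }
}

resource "aws_ec2_transit_gateway_route_table_association" "assoc" {
  for_each                       = local.associations
  transit_gateway_attachment_id  = local.attachment_ids[each.key]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.value].id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "prop" {
  for_each                       = local.propagation_pairs
  transit_gateway_attachment_id  = local.attachment_ids[each.value.source]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.value.table].id
}
```

Each VPC's own route table still needs a route toward the Transit Gateway (the 10.0.0.0/8-style route from the talk); those aws_route entries are left out here.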