1 of 24

Scale Your Cloud Network to Infinity and Beyond

Du’An Lightfoot

Sr. Developer Advocate - Networking Specialist

AWS

© 2023, Amazon Web Services, Inc. or its affiliates.

2 of 24

Agenda

  • Multi-VPC Network Infrastructure

  • VPC Peering

  • AWS Transit Gateway

  • Terraform Overview

  • Demo - Deploy a Full Hub & Spoke Architecture With Terraform

3 of 24

Multi-VPC Network Infrastructure

4 of 24

From one VPC

[Diagram: a single Amazon VPC with one subnet in Availability Zone A and one subnet in Availability Zone B]

5 of 24

To many VPCs

[Diagram: VPCs spread across four Regions (us-east-2, us-west-2, eu-west-1, ap-northeast-1), each Region with its own AWS Transit Gateway; on-premises sites (NA HQ in Chicago, EU HQ in London, AP HQ in Tokyo, plus branch offices and end-user PCs) connect into AWS over AWS Direct Connect]

6 of 24

Account and VPC segmentation

Larger VPCs or accounts

  • Fewer accounts and networks to set up
  • Tighter control within the account or VPC
    • Identity and Access Management (IAM)
    • Strict security groups and routing
    • Identifying resources with tags
    • Billing and ownership complexity
  • Larger account or VPC blast radius
    • User privileges, AWS service quotas

Smaller VPCs or accounts

  • More accounts and infrastructure to set up
  • Tighter control of provisioning and standards
    • Automation of infrastructure
    • AWS Direct Connect and VPN standards
    • Subnet and routing standards
  • Simpler billing
  • Smaller blast radius for users and networks
    • Larger blast radius for shared infrastructure and services

7 of 24

VPC Peering

8 of 24

Interconnecting VPCs

[Diagram: VPC A, VPC B and VPC C in the AWS Cloud, with CIDRs 10.0.0.0/16, 192.168.0.0/16 and 172.31.0.0/16, each pair joined by a VPC peering connection]

Peering can be intra-Region or inter-Region, and between VPCs in the same or different accounts.

9 of 24

Intra-region VPC peering

[Diagram: VPC A and VPC C (10.0.0.0/16 and 10.2.0.0/16) in the same Region, joined by one peering connection]

10 of 24

VPC peering – transitive routing

[Diagram: VPC A, VPC B and VPC C (10.0.0.0/16, 192.168.0.0/16, 172.31.0.0/16) in the AWS Cloud, joined by two peering connections; the question mark asks whether the two VPCs that are not directly peered can reach each other through the VPC in the middle]

11 of 24

VPC peering – transit routing

[Diagram: the same three VPCs and two peering connections, with the transit path marked X]

They cannot. VPC peering is not transitive: a peering connection only carries traffic between the two peered VPCs' own CIDR ranges, so traffic cannot cross one peered VPC to reach a third. Every pair of VPCs that needs to communicate needs its own peering connection.

12 of 24

VPC peering – things to know

  • Can reference security groups from the peer VPC in the same region

  • Can enable DNS hostname resolution to return private IP addresses

  • Can peer for both IPv4 & IPv6 addresses

  • Cannot have overlapping IP addresses

  • Cannot have multiple peering connections between the same pair of VPCs

  • Cannot use jumbo frames across inter-region VPC peering
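The Terraform configuration below is an added example, not code from this deck or its demo. It applies the points above in one account and one Region: two VPCs with non-overlapping CIDRs, an auto-accepted peering connection with DNS resolution enabled on both sides, a route in each direction, and an ingress rule that references the peer VPC's security group instead of a CIDR. The Region, VPC names, CIDRs and the port are assumptions.

```hcl
# Added example: intra-Region, same-account VPC peering. Names, CIDRs,
# Region and port are assumptions, not values from the deck.

provider "aws" {
  region = "us-east-2"
}

# CIDRs must not overlap; a peering request between overlapping
# ranges is rejected.
resource "aws_vpc" "a" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "vpc-a" }
}

resource "aws_vpc" "c" {
  cidr_block           = "10.2.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "vpc-c" }
}

# Same account and Region, so the accepter side can be auto-accepted
# and the options for both sides set here.
resource "aws_vpc_peering_connection" "a_to_c" {
  vpc_id      = aws_vpc.a.id
  peer_vpc_id = aws_vpc.c.id
  auto_accept = true

  # Resolve the peer's public DNS hostnames to private IPs over the peering.
  requester {
    allow_remote_vpc_dns_resolution = true
  }
  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  tags = { Name = "vpc-a-to-vpc-c" }
}

# A peering connection creates no routes by itself: each VPC needs a
# route for the peer's CIDR that points at the peering connection.
resource "aws_route" "a_to_c" {
  route_table_id            = aws_vpc.a.main_route_table_id
  destination_cidr_block    = aws_vpc.c.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.a_to_c.id
}

resource "aws_route" "c_to_a" {
  route_table_id            = aws_vpc.c.main_route_table_id
  destination_cidr_block    = aws_vpc.a.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.a_to_c.id
}

# Service security group in VPC C and client security group in VPC A.
resource "aws_security_group" "svc_c" {
  name   = "svc-c"
  vpc_id = aws_vpc.c.id
}

resource "aws_security_group" "client_a" {
  name   = "client-a"
  vpc_id = aws_vpc.a.id
}

# Intra-Region peering allows the rule to reference the peer VPC's
# security group, so the allow list follows group membership rather
# than an address range that may later be reused.
resource "aws_security_group_rule" "svc_c_from_client_a" {
  type                     = "ingress"
  security_group_id        = aws_security_group.svc_c.id
  source_security_group_id = aws_security_group.client_a.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
}
```

The connection carries only traffic between the two VPCs' own CIDRs. Peering a third VPC with VPC A does not let it reach VPC C through A, even if a route for C's CIDR is added on that third VPC's side: VPC peering is not transitive, which is the limitation the Transit Gateway section addresses.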

13 of 24

Transit Gateway

14 of 24

AWS Transit Gateway

  • AWS Transit Gateway acts as a Regional virtual router for traffic flowing between VPCs.
    • Think hub-and-spoke topology
    • Designed to overcome restrictions of VPC peering, in particular the lack of transitive routing
  • A transit gateway provides up to 50 Gbps of bandwidth per VPC attachment (a service quota)
  • Simplifies connectivity with many
    • Amazon VPCs
    • On-premises data centers
    • Remote offices

15 of 24

Before Transit Gateway

[Diagram: six VPCs in the AWS Cloud joined by many pairwise VPC peering connections, one for each pair of VPCs that needs to communicate]

16 of 24

With Transit Gateway

[Diagram: the same six VPCs in the AWS Cloud, each attached to a single AWS Transit Gateway in a hub-and-spoke topology]

17 of 24

Terraform Overview

18 of 24

Terraform Overview

Infrastructure as code: infrastructure is described using a high-level configuration syntax

Resource graph: builds a dependency graph of all your resources and parallelizes the creation and modification of any non-dependent resources

200+ services supported: with support for services such as Amazon S3, Amazon EC2, and DynamoDB

19 of 24

Terraform providers

A logical abstraction of an upstream API, associated with a specific infrastructure platform

Contain all the code needed to authenticate and connect to a service on behalf of the user

The provider defines resource types and/or data sources and is responsible for managing their lifecycles

[Slide shows provider icons for Amazon Inspector and AWS IoT Core]

20 of 24

Terraform Concepts

Data Source

  • Fetches data from AWS at run time

Resource

  • Declarative expression of an AWS resource
  • Written in the HashiCorp Configuration Language (HCL), Terraform's domain-specific language

21 of 24

Modules

  • Opinionated grouping of resources
  • Reusable, flexible

22 of 24

Deploy a Full Hub & Spoke Architecture With Terraform
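The configuration below is an added example, not the demo code from this deck. It builds the hub-and-spoke topology the Transit Gateway section describes and uses the data source and resource concepts from the Terraform overview. Three spoke VPCs attach to one transit gateway whose default route table association and propagation are disabled, so reachability is defined only by the per-segment route tables: the two prod spokes can reach each other and the dev spoke is isolated from both. The Region, names, CIDRs, segment labels and the 10.0.0.0/8 summary route are assumptions.

```hcl
# Added example: Transit Gateway hub with segmented spokes. Region, names,
# CIDRs and segments are assumptions, not values from the deck's demo.

provider "aws" {
  region = "us-east-2"
}

# Data source: read from AWS at run time instead of hard-coding an AZ name.
data "aws_availability_zones" "this" {
  state = "available"
}

locals {
  # Spokes keyed by name; each belongs to one routing domain (segment).
  spokes = {
    prod-app = { cidr = "10.10.0.0/16", segment = "prod" }
    prod-db  = { cidr = "10.11.0.0/16", segment = "prod" }
    dev-app  = { cidr = "10.20.0.0/16", segment = "dev" }
  }
  segments = toset([for s in local.spokes : s.segment])
}

resource "aws_vpc" "spoke" {
  for_each   = local.spokes
  cidr_block = each.value.cidr
  tags       = { Name = each.key }
}

# One small subnet per spoke for the transit gateway attachment ENI.
resource "aws_subnet" "tgw" {
  for_each          = local.spokes
  vpc_id            = aws_vpc.spoke[each.key].id
  cidr_block        = cidrsubnet(each.value.cidr, 8, 0)
  availability_zone = data.aws_availability_zones.this.names[0]
  tags              = { Name = "${each.key}-tgw" }
}

# The hub. Default association and propagation are disabled so a new
# attachment reaches nothing until it is explicitly placed in a table.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  tags                            = { Name = "hub" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each                                        = local.spokes
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = aws_vpc.spoke[each.key].id
  subnet_ids                                      = [aws_subnet.tgw[each.key].id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = each.key }
}

# One transit gateway route table per segment.
resource "aws_ec2_transit_gateway_route_table" "segment" {
  for_each           = local.segments
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = each.key }
}

# Association: which table a spoke's traffic is looked up in.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.segment[each.value.segment].id
}

# Propagation: a spoke's CIDR is learned only by its own segment's table,
# so prod and dev attachments never see each other's routes.
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.segment[each.value.segment].id
}

# VPC side: send the 10.0.0.0/8 summary to the hub; the hub's route table
# decides what is actually reachable. Requires the attachment to exist.
resource "aws_route" "to_hub" {
  for_each               = local.spokes
  route_table_id         = aws_vpc.spoke[each.key].main_route_table_id
  destination_cidr_block = "10.0.0.0/8"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}
```

`terraform init` followed by `terraform plan` shows the dependency graph Terraform derives from these references; `terraform apply` creates the transit gateway, attachments, tables and routes in that order. Disabling the default route table is the security-relevant choice: with the defaults left enabled, every attachment is associated with and propagates into the same table, so every spoke can reach every other spoke as soon as it is attached. To verify the split after apply, `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <dev table id> --filters Name=type,Values=propagated` should list only the dev spoke's CIDR.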

23 of 24

Resources

24 of 24

Du’An Lightfoot

@labeveryday

Thank you!
