Practical Amazon VPC - Part 1 of 3 - Intro
  1. Part 1 - Amazon Virtual Private Cloud
  2. About Amazon Virtual Private Cloud
  3. VPNs solve several common problems
  4. Why VPC
  5. VPC for Small Organizations
  6. VPC for Small Organizations - now affordable
  7. Important Advice, Internet and Data
  8. Internet access and data movement
  9. Some Advice, VPC Recurring Cost
  10. Some Advice, VPC Recurring Cost
Amazon Virtual Private Cloud
Practical VPC for small organizations
  - Warnings
  - Getting Practical
  - VPC deployment demo using a Juniper SSG-5

About Amazon Virtual Private Cloud
http://aws.amazon.com/vpc/
  - Securely extend your datacenter into the Amazon Cloud
  - End-to-end encryption (an IPsec tunnel between your gateway and the AWS VPN gateway)
  - Your own subnets and IP address schemes
  - Use existing LDAP or Active Directory systems for identity management, authorization & access control
  - Tightly control & manage internet access from cloud-based systems
  [VPC diagram; image source: aws.amazon.com/vpc/]

VPNs solve several common problems
  - …bursting” from our datacenter to AWS
  - Unifying a fragmented EC2 environment
  - Dealing with EC2 instance IP & naming schemes
  - Solution: a VPN “overlay” network neatly solves these issues

Why VPC?
The problem:
  - EVERYONE has discovered that VPNs solve a lot of problems
  - Software-based, app-by-app VPN methods do not scale and represent a significant operational burden

Why VPC?
Amazon VPC:
  - Solves the “connect to the cloud” issue at a central level rather than with app-by-app VPN implementations
  - Users & developers do not have to be routing, encryption and VPN experts
  - …& IP address space into the Amazon cloud
  - Use existing LDAP or Active Directory systems for identity management, authorization & access control
  - Addresses concerns of legal and network security staff regarding internet data loss/leakage from cloud-based systems

VPC for Small Organizations
  - When Amazon VPC initially launched, only a few very large (and very expensive) gateway devices were officially supported
  - Practically speaking, this meant that VPC was only open to large enterprise customers
  - This is no longer true

VPC for Small Organizations
What has changed?
  - VPC is now officially supported on gateway devices more readily accessible to small organizations and groups
  - The Amazon VPC web console will even generate custom device configuration files for you
  - Including SSG-series devices from Juniper Networks
  - Our demo will use: Juniper SSG-5 (128 MB version), list price approx. $500 USD

Some Advice: Internet & Data
When using VPC, it is critical to understand:
  - EC2 instances in the VPC can’t directly get to Amazon S3
  - EC2 instances in the VPC can’t directly get to the internet
  - ALL of this traffic flows down your VPC tunnel, through your gateway and (potentially) through your firewall before exiting through YOUR internet connection; returning traffic takes the same path in reverse
  - This has non-trivial performance and cost implications

Some Advice: Internet & Data
  - VPC internet blocking is “by design”
  - Design goal: satisfy people who want to firewall or otherwise carefully examine & control any use of the internet by cloud-based systems
  - The only path to the internet is through the gateway that you own, manage and control
  - End result: this makes lawyers, CIOs and network security people very happy; it makes developers and users very unhappy; it makes heavy S3 users cry
  - Future: Amazon has stated that direct S3 access from within VPC is a priority and something they are currently working on (this describes the original VPN-only VPC; later VPC releases added an Internet Gateway and VPC endpoints for S3)

Some Advice: VPC Recurring Cost
  - AWS prides itself on a “pay for what you use” pricing model: when you are not using it, you are not paying for it
  - This is not strictly true for VPC
  - Once you create a VPC gateway within AWS, the $0.05/hour clock starts ticking
  - There is no way to “stop” or “pause” this process today
  - Deleting & recreating the VPC gateway will require you to load new settings into your hardware VPN appliance

Some Advice: VPC Recurring Cost
The $0.05/hour clock is always ticking. What are the alternatives?
  - Live with a baseline recurring cost of roughly $35/month
  - Automate the VPC construction/deletion process:
      - VPC, like all other AWS services, has a well-documented API
      - The API can be used to programmatically create and destroy VPC configurations on demand
      - Router/device reconfiguration can be automated to load in the new configuration parameters
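The automation the last slide recommends, as an added example that is not from the talk: the create/attach/connect sequence, the dependency-ordered teardown that actually stops the hourly charge, and a parser that pulls the tunnel parameters (peer and inside addresses, BGP ASN, ciphers and the freshly issued pre-shared keys) out of the CustomerGatewayConfiguration XML so they can be pushed to the appliance. It assumes boto3's EC2 client call names and the generic, vendor-neutral layout of that XML; FakeEC2 and SAMPLE_CONFIG are constructed stand-ins so it runs offline, and loading the values into a Juniper SSG-5 is device-specific and not shown.

```python
"""Rebuild the VPC VPN side on demand and extract the new tunnel parameters.

Added example, not code from the talk. Assumes boto3's EC2 client calls
(create_vpn_gateway, attach_vpn_gateway, create_customer_gateway,
create_vpn_connection and the matching delete/detach calls) and the generic
CustomerGatewayConfiguration XML layout. FakeEC2 and SAMPLE_CONFIG are
constructed stand-ins; pass boto3.client("ec2") instead for a real run.
"""
import xml.etree.ElementTree as ET


def build_vpn(ec2, vpc_id, customer_public_ip, customer_asn=65000):
    """Create the gateways and the connection. The hourly charge starts with
    create_vpn_gateway, so build only when the tunnel is actually needed."""
    vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpcId=vpc_id, VpnGatewayId=vgw)
    cgw = ec2.create_customer_gateway(
        Type="ipsec.1", PublicIp=customer_public_ip, BgpAsn=customer_asn
    )["CustomerGateway"]["CustomerGatewayId"]
    vpn = ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw
    )["VpnConnection"]
    # The same XML the console offers for download comes back in this response.
    return {"vgw": vgw, "cgw": cgw, "vpn": vpn["VpnConnectionId"],
            "config_xml": vpn["CustomerGatewayConfiguration"]}


def teardown_vpn(ec2, ids, vpc_id):
    """Delete in dependency order; only delete_vpn_gateway stops the clock.
    Against real AWS, wait for the connection to reach 'deleted' (boto3's
    'vpn_connection_deleted' waiter) before deleting the gateway."""
    ec2.delete_vpn_connection(VpnConnectionId=ids["vpn"])
    ec2.detach_vpn_gateway(VpcId=vpc_id, VpnGatewayId=ids["vgw"])
    ec2.delete_vpn_gateway(VpnGatewayId=ids["vgw"])
    ec2.delete_customer_gateway(CustomerGatewayId=ids["cgw"])


def tunnel_parameters(config_xml):
    """Per tunnel, the values the on-premises appliance must be loaded with.
    Every rebuild issues new pre-shared keys, so treat the result as secret."""
    root = ET.fromstring(config_xml)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        tunnels.append({
            "aws_outside_ip": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "aws_inside_ip": t.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
            "cgw_inside_ip": t.findtext("customer_gateway/tunnel_inside_address/ip_address"),
            "aws_asn": int(t.findtext("vpn_gateway/bgp/asn")),
            "ike_encryption": t.findtext("ike/encryption_protocol"),
            "ipsec_auth": t.findtext("ipsec/authentication_protocol"),
            "psk": t.findtext("ike/pre_shared_key"),
        })
    return tunnels


# Constructed sample in the generic configuration layout; AWS issues two tunnels.
TUNNEL = """
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>{cgw_in}</ip_address></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>{aws_out}</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>{aws_in}</ip_address></tunnel_inside_address>
      <bgp><asn>7224</asn></bgp>
    </vpn_gateway>
    <ike>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <pre_shared_key>{psk}</pre_shared_key>
    </ike>
    <ipsec>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
    </ipsec>
  </ipsec_tunnel>"""
SAMPLE_CONFIG = (
    '<vpn_connection id="vpn-0000cccc">'
    + TUNNEL.format(cgw_in="169.254.255.2", aws_out="198.51.100.1",
                    aws_in="169.254.255.1", psk="examplepsk-tunnel1")
    + TUNNEL.format(cgw_in="169.254.255.6", aws_out="198.51.100.2",
                    aws_in="169.254.255.5", psk="examplepsk-tunnel2")
    + "</vpn_connection>"
)


class FakeEC2:
    """Offline stand-in for boto3.client("ec2"): records every call and
    answers with the dict shapes boto3 returns. Constructed for this example."""
    def __init__(self, config_xml):
        self.calls = []
        self.config_xml = config_xml

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_vpn_gateway":
                return {"VpnGateway": {"VpnGatewayId": "vgw-0000aaaa"}}
            if name == "create_customer_gateway":
                return {"CustomerGateway": {"CustomerGatewayId": "cgw-0000bbbb"}}
            if name == "create_vpn_connection":
                return {"VpnConnection": {"VpnConnectionId": "vpn-0000cccc",
                                          "CustomerGatewayConfiguration": self.config_xml}}
            return {}
        return call


if __name__ == "__main__":
    ec2 = FakeEC2(SAMPLE_CONFIG)
    ids = build_vpn(ec2, "vpc-0000dddd", "203.0.113.10")
    for n, t in enumerate(tunnel_parameters(ids["config_xml"]), 1):
        print(f"tunnel {n}: peer {t['aws_outside_ip']} "
              f"inside {t['cgw_inside_ip']} -> {t['aws_inside_ip']} psk ***")
    teardown_vpn(ec2, ids, "vpc-0000dddd")
    print([name for name, _ in ec2.calls])
```

Two things to keep in mind when running this for real: every rebuild hands the appliance a new pair of pre-shared keys, so whatever pushes the parsed values to the SSG-5 is handling secrets and should not log them; and the deletes are not instantaneous, so the gateway delete must wait for the VPN connection to report "deleted" or it fails with a dependency error and the clock keeps ticking.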