Deep Dive - From One to Many - Evolving VPC Design

I have recently been planning VPCs for my company and ran into the following combination of circumstances and requirements: cross-region, multiple VPCs, multiple AWS accounts, PCI DSS requirements, a separate VPC drawn for Vault (the "safe") alone, and on top of that separate AWS accounts for the development and production environments, which together make for a fairly complex environment. The points to consider are summarized below:

  • VPC CIDR planning
    • Multiple VPCs
    • VPC for PCI DSS Vault
    • If other clouds are involved, e.g. Azure or GCP, they must be considered too
  • Routing, Connections, and Network Topologies:
    • VPC between different Regions: BGP or Static Route
    • Site to Site VPN, including HA and Failover
    • VPC to On-Premises: VPN and Transit VPC
    • VPC to VPC: VPC Peering
    • Routing Policy
  • Governance: standards for Network ACLs and Security Groups
    • Change Management
    • Management standards for IPv6 and IPv4
    • Change process
  • Managing multiple AWS Accounts
    • Creates the problem of managing AWS IAM across multiple accounts
    • Managing IAM Roles and Policies across accounts

There is an AWS re:Invent session dedicated to exactly this kind of requirement: From One to Many: Evolving VPC Design (ARC302), Slideshare. Some key points:

  • VPC IPv4 Space Design
  • VPC Subnet Design
  • Routing Policy, including IPv6
  • NAT Gateway and Secure Access
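The CIDR and subnet planning points above (non-overlapping address space across VPCs, regions and other clouds, then carving each VPC into per-AZ subnets) are easy to get wrong by hand. The following is an added example, not code from the original post or from the ARC302 session: all address ranges, names and the allocation scheme (VPC /16s carved from a 10.0.0.0/8 corporate supernet, with on-prem and other-cloud ranges reserved) are constructed assumptions.

```python
"""Added example (not from the original post): keep VPC CIDRs non-overlapping
across regions, accounts and other clouds, allocate new VPC blocks from a
corporate supernet, and carve a VPC into per-AZ, per-tier subnets.

All address ranges and names below are constructed sample values."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed: ranges already in use elsewhere (on-premises, Azure, GCP).
# Peering and VPN both break the moment two of these overlap, so every new
# VPC must be checked against the full set, not just against other VPCs.
RESERVED: Dict[str, str] = {
    "on-prem-dc1": "10.0.0.0/12",
    "azure-hub": "10.200.0.0/16",
    "gcp-shared": "10.201.0.0/16",
}


def find_conflicts(plan: Dict[str, str], reserved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every (name, other) pair whose CIDRs overlap, across plan and reserved."""
    everything = {**reserved, **plan}
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in everything.items()}
    names = list(nets)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b))
    return conflicts


def allocate(supernet: str, prefixlen: int, needed: Iterable[str],
             taken: Dict[str, str]) -> Dict[str, str]:
    """Give each name in `needed` the lowest free /prefixlen block of `supernet`
    that overlaps nothing in `taken` and no earlier allocation."""
    used = [ipaddress.ip_network(c) for c in taken.values()]
    # Walk the candidate blocks once; the generator keeps its position between names.
    candidates = ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen)
    result: Dict[str, str] = {}
    for name in needed:
        for cand in candidates:
            if not any(cand.overlaps(u) for u in used):
                used.append(cand)
                result[name] = str(cand)
                break
        else:
            raise ValueError(f"supernet {supernet} exhausted before {name}")
    return result


def subnets_for(vpc_cidr: str, azs: Iterable[str], tiers: Iterable[str],
                new_prefix: int = 20) -> Dict[str, str]:
    """Carve a VPC into one /new_prefix subnet per (AZ, tier), keyed like 'b/private'."""
    tiers = list(tiers)
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    layout: Dict[str, str] = {}
    for az in azs:
        for tier in tiers:
            try:
                layout[f"{az}/{tier}"] = str(next(blocks))
            except StopIteration:
                raise ValueError(f"{vpc_cidr} has no room for {az}/{tier} at /{new_prefix}")
    return layout


if __name__ == "__main__":
    plan = allocate("10.0.0.0/8", 16,
                    ["prod-us-east-1", "prod-ap-northeast-1", "nonprod-us-east-1", "pci-vault"],
                    RESERVED)
    print(plan)
    print("conflicts:", find_conflicts(plan, RESERVED))
    print(subnets_for(plan["prod-us-east-1"], ["a", "b", "c"], ["public", "private", "data"]))
```

Run it once per new VPC or peering request: `find_conflicts` is the check that should gate any change to the address plan, and because the reserved map includes on-prem and other-cloud ranges it catches the collision that only surfaces months later when a VPN or peering is added.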

One VPC to Two VPC

  • Why not 1 big VPC? Why not 1 AWS Account?
  • Consideration for one to many VPC
    • Prod, Not Prod
    • PCI Apps, Non Regulated Apps
    • Prod, DR
  • VPC to S3 access control: VPC Endpoint
  • HA VPN to VPC
  • VPC Peering
  • Shared Services Hub:
    • Create IAM to restrict spoke AWS accounts from altering network
    • Create a NetOps IAM role in all accounts
    • Enable CloudTrail, Config, VPC Flow Logs for all accounts
    • Integrate CloudTrail and CloudWatch Logs and create alarms.
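The Shared Services Hub steps above (restrict spoke accounts from altering the network, exempt a central NetOps role, and alarm on CloudTrail events) can be expressed as one guardrail policy plus a check of what it actually blocks. The following is an added example, not code from the session or from AWS: the account ids, ARNs and the `NetOps` role name are constructed, the action list is my own selection of network-mutating EC2 actions, and the evaluator is deliberately simplified (Deny statements, Action wildcards and a single `StringNotLike` on `aws:PrincipalArn`, no Resource matching), so it is a sanity check on policy wording rather than a replacement for the IAM policy simulator.

```python
"""Added example (not from the ARC302 session): a guardrail policy that stops
spoke-account principals from altering hub-owned network plumbing, a small
checker for which actions it really blocks, and the CloudTrail metric-filter
pattern that feeds a CloudWatch alarm on the same kind of change.

Assumptions: ARNs and the NetOps role name are constructed; the evaluator is
simplified (Deny only, Action wildcards, one StringNotLike condition)."""
import fnmatch
import json
from typing import Dict, Iterable, List

# Actions that change routing, peering, gateways, VPN or NACLs. Describe* calls
# are left alone on purpose so spoke teams can still see their own network.
NETWORK_MUTATING_ACTIONS: List[str] = [
    "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:ModifyVpcAttribute",
    "ec2:CreateRoute*", "ec2:DeleteRoute*", "ec2:ReplaceRoute*",
    "ec2:AssociateRouteTable", "ec2:DisassociateRouteTable",
    "ec2:*VpcPeeringConnection",
    "ec2:CreateInternetGateway", "ec2:AttachInternetGateway",
    "ec2:DetachInternetGateway", "ec2:DeleteInternetGateway",
    "ec2:CreateNatGateway", "ec2:DeleteNatGateway",
    "ec2:CreateVpnConnection*", "ec2:DeleteVpnConnection*",
    "ec2:CreateVpnGateway", "ec2:AttachVpnGateway",
    "ec2:DetachVpnGateway", "ec2:DeleteVpnGateway",
    "ec2:CreateNetworkAcl*", "ec2:DeleteNetworkAcl*", "ec2:ReplaceNetworkAcl*",
]

# Constructed guardrail: an explicit Deny wins over any Allow the spoke account
# grants itself; only the central NetOps role (assumed name) is exempt.
SPOKE_NETWORK_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNetworkChangesExceptNetOps",
        "Effect": "Deny",
        "Action": NETWORK_MUTATING_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/NetOps"}
        },
    }],
}


def _matches(pattern: str, value: str) -> bool:
    """IAM matching of actions and ARNs: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _as_list(v) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def is_denied(policy: dict, action: str, principal_arn: str) -> bool:
    """True if some Deny statement in `policy` covers `action` for this principal."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        if any(_matches(p, principal_arn) for p in _as_list(exempt)):
            continue  # condition is false for the exempt principal, so this Deny does not apply
        return True
    return False


def audit(policy: dict, actions: Iterable[str], principal_arn: str) -> Dict[str, bool]:
    """Map each concrete action to whether `principal_arn` is blocked from it."""
    return {a: is_denied(policy, a, principal_arn) for a in actions}


def cloudtrail_filter_pattern(event_names: Iterable[str]) -> str:
    """CloudWatch Logs metric-filter pattern (JSON syntax) matching CloudTrail
    events for the given EC2 API names; attach a metric and alarm to it."""
    clauses = " || ".join(f'($.eventName = "{n}")' for n in sorted(set(event_names)))
    return f'{{ ($.eventSource = "ec2.amazonaws.com") && ({clauses}) }}'


if __name__ == "__main__":
    dev = "arn:aws:iam::111111111111:user/dev-alice"   # constructed
    netops = "arn:aws:iam::111111111111:role/NetOps"   # constructed
    sample = ["ec2:CreateRoute", "ec2:AcceptVpcPeeringConnection",
              "ec2:DescribeRouteTables", "ec2:RunInstances"]
    print(json.dumps(SPOKE_NETWORK_GUARDRAIL, indent=2))
    print(audit(SPOKE_NETWORK_GUARDRAIL, sample, dev))
    print(audit(SPOKE_NETWORK_GUARDRAIL, sample, netops))
    print(cloudtrail_filter_pattern(["CreateRoute", "ReplaceRoute", "DeleteRoute",
                                     "CreateVpcPeeringConnection", "AcceptVpcPeeringConnection"]))
```

The point of `audit` is to run it against both a spoke user and the NetOps role before rolling the policy out: it shows at a glance that describe calls and unrelated actions such as `ec2:RunInstances` stay allowed, and that the exemption really applies only to the role named in the condition. The metric-filter pattern uses exact event names, so list each API name you care about rather than relying on the wildcards from the policy.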

Many VPC, Many AWS Accounts, Many Regions

  • VPC Mass Transit
  • Transit VPC: built using Cisco Cloud Service Router (CSR) 1000V
  • Leverage corporate network: MPLS / IPVPN
  • Going Global: Multiple Region DX


Several AWS re:Invent 2016 sessions relate to networking; they are listed below:


I later wrote up my planning notes and lessons learned: Plan and Design Multiple VPCs in Different Regions

