最近在幫公司規劃 VPC，遇到以下的狀況與需求的組合：Cross Regions、Multiple VPCs、Multiple AWS Accounts、PCI DSS 的需求，另外畫了一個 VPC 給 Vault (保險櫃) 單獨使用，加上因為開發環境與正式環境的 AWS 帳號，形成相當複雜的環境。整理有以下要考慮：

• VPC CIDR 的規劃
  • Multiple VPCs
  • VPC for PCI DSS Vault
  • 如果有其他 Cloud, e.g. Azure, GCP, 也要考慮
• Routing, Connections, and Network Topologies:
  • VPC between different Region：BGP or Static Route
  • Site to Site VPN, including HA and Failover
  • VPC to On-Premises: VPN and Transit VPC
  • VPC to VPC: VPC Peering
  • Routing Policy
• 控管問題: Network ACL 以及 Security Group 的規範
  • 異動管理 (Change Management)
  • IPv6 與 IPv4 的管理規範
  • 異動流程
• 多個 AWS Account 的管理
  • 形成 AWS IAM 多帳號的管理問題
  • IAM Role and Policy in Cross Account 的管理

AWS re:Invent 有個 Session 專門在說明這樣的需求：From One to Many: Evolving VPC Design (ARC302), Slideshare，整理一些重點：

One VPC

• VPC IPv4 Space Design
• VPC Subnet Design
• Routing Policy, including IPv6
• NAT Gateway and Secure Access

One VPC to Two VPC

• Why not 1 big VPC? Why not 1 AWS Account?
• Consideration for one to many VPC
  • Prod, Not Prod
  • PCI Apps, Non Regulated Apps
  • Prod, DR
• VPC to S3 access control: VPC Endpoint
• HA VPN to VPC
• VPC Peering
• Shared Services Hub:
  • Create IAM to restrict spoke AWS accounts from altering network
  • Create a NetOps IAM role in all accounts
  • Enable Cloudtrail, Config, VPC Flog Logs for all accounts
  • Integrate Cloudtrail and CloudWatch log and create alarm.

Many VPC, Many AWS Accounts, Many Regions

• VPC Mass Transit
• Transit VPC: built using Cisco Cloud Service Router (CSR) 1000V
• Laverage corporate network: MPLS / IPVPN
• Going Global: Multiple Region DX

相關文章

AWS re:Invent 2016 有幾篇跟網路有關係，整理如下：

• AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals (NET201), Slideshare
• AWS re:Invent 2016: DNS Demystified: Amazon Route 53, featuring Warner Bros. (NET202), Slideshare
• AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302), Slideshare
• AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud (NET303), Slideshare
• AWS re:Invent 2016: NEW LAUNCH IPv6 in the Cloud: Virtual Private Cloud Deep Dive (NET307), Slideshare
• AWS re:Invent 2016: Extending Datacenters to the Cloud (NET305), Slideshare
• AWS re:Invent 2016: Another Day, Another Billion Packets (NET401), Slideshare
• AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402), Slideshare
• AWS re:Invent 2016: Making Every Packet Count (NET404), Slideshare
• Transit VPC

後來

後來我整理了規劃的心得與筆記：Plan and Design Multiple VPCs in Different Regions

這篇大概把規劃要考慮的、實踐原則都寫了。

延伸閱讀 (站內)

• Plan and Design Multiple VPCs in Different Regions
• Study Notes - VPC IPv6 Support
• Study Notes - AWS VPC (Virtual Private Cloud)
• Study Notes - VPC in GCP
• AWS Study Roadmap