AWS VPC

The document discusses Amazon Virtual Private Cloud (VPC) networking concepts including VPC and subnet architecture, route tables, internet and NAT gateways, and routing. It provides examples of public and private subnet designs and routing configurations to allow private resources access to the internet through NAT.

AWS Pop-up Loft London

Amazon Virtual Private Cloud

Andrew Kane
Solutions Architect
What To Expect From This Session

• Fundamentals
  – VPC Overview
  – Picking your IP Space
  – Subnet Design
  – Routing and NATing
  – VPC Security
• Advanced Topics
  – VPC Peering
  – VPC Flow Logging
  – VPC Endpoints
• DC Connectivity
  – IPsec VPN Tunnel
  – AWS Direct Connect
Amazon VPC Overview

What is a Virtual Private Cloud?
• Your own logically isolated section of the Amazon Web Services (AWS) Cloud
• By default, a VPC you create has no access to the internet nor are its instances addressable from the internet (the account's default VPC is the exception: it comes with an Internet Gateway and public subnets)
• You have complete control over your virtual networking environment
• Proven and well-understood networking concepts:
  – User defined IP address range
  – Subnets
  – Route Tables
  – Access Control Lists
  – Network Gateways
• A way to gain agility as well as additional security

What's in the VPC tool box?

VPC – User-defined address space up to /16 (65,536 addresses)
Subnets – Up to 200 user-defined subnets per VPC (default limit), each up to /16
Route Tables – Define how traffic should be routed from/to each subnet
Access Control Lists – Stateless network filtering between subnets
Internet Gateway – A logical device enabling traffic to be routed to/from the public internet
Managed NAT – Provides Network Address Translation for private instances, up to 10 Gbps per gateway (the figure quoted in this talk; the limit has since been raised)
Virtual Private Gateway – The Amazon end of a VPN connection
Customer Gateway – The router at the customer end of a VPN connection
VPCs span an entire region
[Diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B]

Subnets sit in a single VPC in a single AZ
[Diagram: VPC CIDR 10.1.0.0/16; Subnet 10.1.1.0/24 in Availability Zone A, Subnet 10.1.2.0/24 in Availability Zone B]

Picking Your IP Space

Plan your VPC IP space before creating it
• Consider future AWS region expansion
• Consider future connectivity to your internal networks (VPN, Direct Connect) and to other VPCs (peering): those ranges must not overlap with the VPC
• Consider subnet design
• VPC can be /16 down to /28
• The CIDR cannot be modified after creation (secondary CIDR blocks can be associated later, but the primary block is fixed, so choose it carefully)

Choosing IP address ranges for your VPC
[Screenshot: VPC creation dialog with CIDR block 172.31.0.0/16]
Recommended: a /16 (64K addresses) taken from an RFC1918 range
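The checks above can be scripted before the VPC exists. The following is an added example (not code from the talk) that validates a proposed VPC CIDR against the /16../28 and RFC1918 rules, carves it into per-tier, per-AZ subnets numbered like the diagrams in this deck, counts usable hosts, and verifies the plan does not collide with the networks it will later be connected to. The AZ names, tier names and the on-prem/peer ranges used at the bottom are constructed sample values.

```python
"""VPC address-plan checks: validate a proposed VPC CIDR, carve it into
per-tier, per-AZ subnets like the diagrams in this talk, count usable hosts,
and verify the plan does not collide with networks the VPC will later be
connected to.

Added example, not from the original talk. Standard library only. The AZ
names, tier names and the on-prem/peer ranges passed in at the bottom are
constructed sample values."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def check_vpc_cidr(cidr: str) -> list:
    """Problems with a proposed VPC CIDR; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr, strict=True)   # raises if host bits are set
    problems = []
    if not 16 <= net.prefixlen <= 28:               # VPC block must be /16 .. /28
        problems.append(f"{cidr}: VPC size must be between /16 and /28")
    if not is_rfc1918(cidr):
        problems.append(f"{cidr}: not an RFC1918 range")
    return problems


def plan_subnets(vpc_cidr: str, azs: list, tiers: list, prefix: int = 24) -> dict:
    """Allocate one /<prefix> per (tier, AZ) pair, tier-major, so that the first
    tier occupies 10.1.1.0/24 and 10.1.2.0/24 across AZ A and B and the second
    tier 10.1.3.0/24 and 10.1.4.0/24, matching the diagrams above. The
    all-zeros block (10.1.0.0/24) is left unused to keep that numbering."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    next(blocks)
    return {f"{tier}-{az}": str(next(blocks)) for tier in tiers for az in azs}


def usable_hosts(cidr: str) -> int:
    """AWS reserves the first four addresses (network, VPC router, DNS, future
    use) and the last (broadcast) of every subnet: a /24 yields 251, a /28 11."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def overlaps(vpc_cidr: str, other_cidrs: list) -> list:
    """Ranges that overlap the VPC block. VPC peering refuses overlapping CIDRs
    and an overlapping on-prem range cannot be routed cleanly over VPN or
    Direct Connect, so this must come back empty."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    vpc = "10.1.0.0/16"
    print("problems:", check_vpc_cidr(vpc))
    print("plan:", plan_subnets(vpc, ["eu-west-1a", "eu-west-1b"], ["public", "private"]))
    print("usable hosts in a /24:", usable_hosts("10.1.1.0/24"))
    # Constructed: the talk's on-prem range, a peer VPC that collides, and one that does not.
    print("overlaps:", overlaps(vpc, ["192.168.0.0/16", "10.1.128.0/17", "10.2.0.0/16"]))
```

Run it against every range you expect to connect to the VPC over its lifetime, not only the ones that exist today; the overlap you cannot fix later is the one with a peer or data-centre range you did not know about when the CIDR was chosen.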
Subnet Design

Public / Private Subnets
[Diagram: VPC CIDR 10.1.0.0/16
  Availability Zone A: PUBLIC Subnet 10.1.1.0/24, PRIVATE Subnet 10.1.3.0/24
  Availability Zone B: PUBLIC Subnet 10.1.2.0/24, PRIVATE Subnet 10.1.4.0/24]

Public / Private Subnets
[Diagram: the same layout with the tiers placed: Web servers in the public subnets 10.1.1.0/24 and 10.1.2.0/24, Database servers in the private subnets 10.1.3.0/24 and 10.1.4.0/24, one of each per Availability Zone]


Routing and NATing

Public Subnet Routing
[Diagram sequence: VPC CIDR 10.1.0.0/16; a Web instance is placed in Subnet 10.1.1.0/24 (Availability Zone A), with Subnet 10.1.2.0/24 in Availability Zone B; an Internet Gateway is then attached to the VPC]

Public Subnet Routing – Internet Gateway
Route table associated with the public subnet:

  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

A subnet is "public" only because its route table sends 0.0.0.0/0 to the Internet Gateway; an instance in it still needs a public or Elastic IP address before anything on the internet can reach it or it can reach out.


Private Subnet Routing
[Diagram: Web tier in the public subnets 10.1.1.0/24 and 10.1.2.0/24, Database tier in the private subnets 10.1.3.0/24 and 10.1.4.0/24, across Availability Zones A and B]

Public subnet route table:

  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Private subnet route table (no default route, so the database tier can neither reach nor be reached from the internet):

  Destination    Target
  10.1.0.0/16    Local

Private Subnet Routing – NAT Gateway
[Diagram: a NAT Gateway (N) placed in the public subnet 10.1.1.0/24; the private subnets send their internet-bound traffic through it]

Private subnet route table with NAT:

  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      NAT Gateway

The NAT Gateway itself lives in a public subnet (its own route table sends 0.0.0.0/0 to the Internet Gateway) and only allows connections initiated from the private subnets; nothing on the internet can open a connection to the database tier. A NAT Gateway is tied to one Availability Zone, so for resilience deploy one per AZ and point each private subnet at the gateway in its own AZ.
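Whether a subnet is public, private-behind-NAT or isolated is decided entirely by the route table it ends up with, and a subnet that was never explicitly associated silently inherits the VPC's main route table. The following added example (not code from the talk) classifies every subnet from a `describe-route-tables` style payload and flags the two mistakes worth catching in review: a main route table that carries an IGW route (every new subnet becomes public), and a private subnet whose NAT route has gone blackhole. SAMPLE is a constructed payload shaped like the CLI/boto3 response with made-up IDs, and SUBNET_IDS stands in for the output of `describe-subnets`.

```python
"""Classify every subnet in a VPC from `aws ec2 describe-route-tables` output:
'public' (0.0.0.0/0 -> Internet Gateway), 'private-nat' (0.0.0.0/0 -> NAT
Gateway) or 'isolated' (no default route), and flag the misconfiguration that
follows from how route tables are associated: a subnet with no explicit
association silently uses the VPC's main route table, so if the main table
carries an IGW route every new subnet is public until someone notices.

Added example, not from the original talk. SAMPLE is a constructed payload
shaped like the describe-route-tables response (IDs are made up); SUBNET_IDS
stands in for the output of describe-subnets."""
import json

SAMPLE = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web-a", "Main": false},
                                                 {"SubnetId": "subnet-web-b", "Main": false}],
  "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
 {"RouteTableId": "rtb-private-a", "Associations": [{"SubnetId": "subnet-db-a", "Main": false}],
  "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"}]},
 {"RouteTableId": "rtb-private-b", "Associations": [{"SubnetId": "subnet-db-b", "Main": false}],
  "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b", "State": "blackhole"}]},
 {"RouteTableId": "rtb-main", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]}
]}""")
SUBNET_IDS = ["subnet-web-a", "subnet-web-b", "subnet-db-a", "subnet-db-b", "subnet-new"]


def default_route(routes):
    """Target of the 0.0.0.0/0 route: an IGW/NAT/instance/ENI id, 'blackhole'
    for a route whose target is gone (e.g. a deleted NAT gateway), or None."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("State") != "active":
                return "blackhole"
            return (r.get("GatewayId") or r.get("NatGatewayId")
                    or r.get("InstanceId") or r.get("NetworkInterfaceId"))
    return None


def classify(target):
    if target is None:
        return "isolated"       # no path to the internet in either direction
    if target == "blackhole":
        return "blackhole"      # private subnet whose NAT path is broken
    if target.startswith("igw-"):
        return "public"         # reachable from the internet once an instance has a public IP
    if target.startswith("nat-"):
        return "private-nat"    # outbound-only via the NAT gateway
    return "other:" + target    # NAT instance / appliance ENI: inspect by hand


def effective_route_tables(payload, subnet_ids):
    """subnet id -> (route table, explicitly associated?). Explicit association
    wins; anything else falls through to the main route table."""
    explicit, main = {}, None
    for rt in payload["RouteTables"]:
        for assoc in rt["Associations"]:
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return {s: (explicit[s], True) if s in explicit else (main, False) for s in subnet_ids}


def audit(payload, subnet_ids):
    """subnet id -> (route table id, classification, explicitly associated?)."""
    return {s: (rt["RouteTableId"], classify(default_route(rt["Routes"])), explicit)
            for s, (rt, explicit) in effective_route_tables(payload, subnet_ids).items()}


def findings(payload, subnet_ids):
    """The warnings a reviewer would raise: implicit-main subnets that end up
    public, and private subnets whose default route is a blackhole."""
    out = []
    for subnet, (rtb, kind, explicit) in audit(payload, subnet_ids).items():
        if not explicit and kind == "public":
            out.append(f"{subnet}: no explicit association, inherits main table {rtb} "
                       f"which sends 0.0.0.0/0 to an IGW (new subnets are public by default)")
        if kind == "blackhole":
            out.append(f"{subnet}: default route in {rtb} is a blackhole; NAT gateway missing")
    return out


if __name__ == "__main__":
    for subnet, row in audit(SAMPLE, SUBNET_IDS).items():
        print(subnet, row)
    print(*findings(SAMPLE, SUBNET_IDS), sep="\n")
```

The safe convention the audit encodes: keep the main route table with only the local route, and associate every subnet explicitly, so a forgotten association yields an isolated subnet rather than a public one.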


Authorizing Traffic: Network ACLs and Security Groups

Network ACLs = Stateless Firewall Rules
Applied on a subnet basis
[Screenshot: network ACL rule set]
English translation: Allow all traffic in

Because NACLs are stateless, the return half of every connection has to be allowed explicitly in the opposite direction (typically outbound to the ephemeral port range 1024-65535); a NACL that only allows inbound 80 accepts the request and drops the reply.

Security Groups = Stateful Firewall Rules
[Screenshot: security group inbound rule, HTTP (80) from 0.0.0.0/0]
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)

Security Group Mutual Trust
[Screenshot: security group inbound rule whose source is the MyWebServers security group]
In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group

Security Balancing Act
Comparison between Security Groups and Network ACLs

  Area of Security             Security Group                            Network ACL
  Operational level            Instance level                            Subnet level
  Supports                     ALLOW rules only                          ALLOW and DENY rules
  State type                   Stateful                                  Stateless
  Evaluation method            All rules evaluated                       Stop on first match (rules evaluated in number order)
  Applicability to instances   Only if SG explicitly added to instance   Automatically to all instances in subnet
  Source / Destination         IP CIDR and other Security Groups         IP CIDR only
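The three rows that bite in practice are state type, evaluation method and allow-only. The following added example (not code from the talk, and a toy model of the evaluation rules rather than a reimplementation of the AWS data plane) runs one HTTP exchange through a NACL that forgot the return-traffic rule, a corrected NACL, the same NACL with a DENY numbered after the broad ALLOW, and a security group, and shows which half of the exchange each one drops. Addresses are documentation ranges constructed for the demo.

```python
"""Stateless vs stateful filtering, simulated. A network ACL that allows
inbound TCP/80 still breaks HTTP unless the return traffic (outbound to
ephemeral ports 1024-65535) is allowed too, and its numbered rules stop at
the first match, so a DENY placed after a broad ALLOW never fires. A security
group is allow-only, evaluates all rules, and lets the reply through because
it tracks the connection.

Added example, not from the original talk: a toy model of the evaluation
rules in the comparison table above, not a reimplementation of the AWS data
plane. Addresses are documentation ranges, constructed for the demo."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reply(self):
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    number: int          # NACL rule number; ignored by security groups
    action: str          # "allow" or "deny"
    cidr: str            # remote side of the flow
    port_from: int
    port_to: int
    proto: str = "tcp"

    def matches(self, remote_ip, dport, proto):
        return (proto == self.proto and self.port_from <= dport <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class NetworkACL:
    """Stateless: every packet in each direction is judged on its own, lowest
    rule number first, first match wins, implicit '*' rule denies."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for rule in rules:
            if rule.matches(remote, pkt.dport, pkt.proto):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful and allow-only: rule order is irrelevant (any match allows),
    and a flow admitted in one direction has its reply admitted automatically
    through the connection-tracking table."""
    def __init__(self, inbound, outbound):
        assert all(r.action == "allow" for r in inbound + outbound), "security groups cannot DENY"
        self.inbound, self.outbound = inbound, outbound
        self.conntrack = set()

    def allows(self, pkt, direction):
        if pkt.reply() in self.conntrack:        # reply to a flow we already admitted
            return True
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        if any(r.matches(remote, pkt.dport, pkt.proto) for r in rules):
            self.conntrack.add(pkt)
            return True
        return False


def http_session(filt, client="203.0.113.7", server="10.1.1.10"):
    """(request admitted inbound?, reply admitted outbound?) for one HTTP exchange.
    If the request is dropped no reply is generated, so the second value is False."""
    request = Packet(client, server, sport=20641, dport=80)
    if not filt.allows(request, "in"):
        return (False, False)
    return (True, filt.allows(request.reply(), "out"))


ANY, EPHEMERAL = "0.0.0.0/0", (1024, 65535)
# Inbound 80 allowed, return traffic forgotten: requests arrive, replies are dropped.
NACL_BROKEN = NetworkACL(inbound=[Rule(100, "allow", ANY, 80, 80)], outbound=[])
# Fixed: allow outbound to ephemeral ports, and block one bad /32 *before* the broad allow.
NACL_FIXED = NetworkACL(
    inbound=[Rule(90, "deny", "198.51.100.7/32", 80, 80), Rule(100, "allow", ANY, 80, 80)],
    outbound=[Rule(100, "allow", ANY, *EPHEMERAL)])
# Same rules, wrong numbering: the deny sits behind the allow and is never reached.
NACL_WRONG_ORDER = NetworkACL(
    inbound=[Rule(110, "deny", "198.51.100.7/32", 80, 80), Rule(100, "allow", ANY, 80, 80)],
    outbound=[Rule(100, "allow", ANY, *EPHEMERAL)])
# Security group: one inbound rule, no outbound rule needed for the reply.
SG_WEB = SecurityGroup(inbound=[Rule(0, "allow", ANY, 80, 80)], outbound=[])

if __name__ == "__main__":
    for name, f in [("NACL broken", NACL_BROKEN), ("NACL fixed", NACL_FIXED),
                    ("NACL wrong order", NACL_WRONG_ORDER), ("SG", SG_WEB)]:
        print(f"{name:17} normal client {http_session(f)}  "
              f"blocked client {http_session(f, client='198.51.100.7')}")
```

The security group cannot block the bad client at all (allow-only), which is why the usual pattern is security groups for the positive model of what may talk to what, and a NACL with low-numbered DENY rules for the few sources you need to drop subnet-wide.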
VPC Peering

Connecting your VPCs (VPC Peering)
• Creates a private network connection between any two VPCs in a region (inter-region peering was added after this talk)
• You can connect VPCs together within a Region without having to
  – Maintain all the VPN overhead between multiple VPCs
  – Expose the destination VPC to the Internet and all that entails
• Including cross-account VPC Peering
• Often used for Common/Core services
  – Authentication / Directory Services
  – Monitoring / Logging
  – Security Scanning
  – Remote Administration

Common Design – Shared Services VPC
[Diagram: VPC A (10.1.0.0/16, shared services) peered to VPC B (10.2.0.0/16) via pcx-aaaabbbb, VPC C (10.3.0.0/16) via pcx-aaaacccc and VPC D (10.4.0.0/16) via pcx-aaaadddd; VPC A is connected to the data center (10.0.0.0/16) by Direct Connect]
• Move shared services such as Active Directory, Logging, Monitoring and Service Buses to a shared services VPC (A)
• None of the other VPCs can send traffic directly to each other: each is peered only with VPC A (= app isolation). Peering is not transitive, so B cannot reach C by hopping through A either; if two application VPCs genuinely need to talk, that traffic has to be proxied by a service in A or they need their own peering
• Only VPC A has direct network access to your data center via Direct Connect; for the same reason B, C and D cannot reach the data center through A's connection
• Routing Tables define which subnets are allowed to route over a peer connection (peered VPC CIDRs must not overlap)
• Security Groups and NACLs still apply, and Security Groups in VPC A can be defined to mutually trust the Security Groups in the other VPCs
VPC Flow Logs

See all of the traffic at your instances
• Ability to analyze traffic
• Troubleshooting network connectivity
• Visibility into effects of security group rules

VPC Flow Logs
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as "flow log records" per ENI
• Data accumulated and published to CloudWatch Logs at ~10 minute intervals
• Exposed as CloudWatch log groups and streams
• Normal CloudWatch Logs groups/streams with all related features
  – Create custom CloudWatch metrics based upon log filtering
  – Create CloudWatch alarms based upon the new metrics
  – CloudWatch Logs -> Amazon Kinesis stream integration
• Records carry flow metadata (addresses, ports, counts, verdict), not packet payload: a REJECT tells you a security group or NACL dropped the flow, not what was inside it

Flow Log record (text, space-delimited)

  Field          Description
  version        The VPC Flow Logs version.
  account-id     The AWS account ID for the Flow Log.
  interface-id   The ID of the network interface for which the log stream applies.
  srcaddr        The source IP address. The IP address of the network interface is always its private IP address.
  dstaddr        The destination IP address. The IP address of the network interface is always its private IP address.
  srcport        The source port of the traffic.
  dstport        The destination port of the traffic.
  protocol       The IANA protocol number of the traffic (see Assigned Internet Protocol Numbers).
  packets        The number of packets transferred during the capture window.
  bytes          The number of bytes transferred during the capture window.
  start          The time, in Unix seconds, of the start of the capture window.
  end            The time, in Unix seconds, of the end of the capture window.
  action         The action associated with the traffic:
                 ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
                 REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
  log-status     The logging status of the flow log:
                 OK: Data is logging normally to CloudWatch Logs.
                 NODATA: There was no network traffic to or from the network interface during the capture window.
                 SKIPDATA: Some flow log records were skipped during the capture window.

Example record
• Inbound SSH traffic on port 22 allowed

  2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1460667684 1460667744 ACCEPT OK

Read against the table: version 2, account 123456789010, interface eni-abc123de, source 172.168.1.12 port 20641 to destination 172.168.1.11 port 22, protocol 6 (TCP), 20 packets and 4249 bytes in the window 1460667684 to 1460667744, ACCEPTed by the security group and NACL, log status OK. Note that a NODATA or SKIPDATA record carries "-" in the flow fields, so a parser must treat those as absent rather than as numbers.
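The record format above is simple enough to parse by hand, and once parsed the "visibility into security group rules" promise becomes concrete. The following added example (not code from the talk) parses records in that 14-field format, including NODATA records, and runs two detections over them: a port scan (one source REJECTed on many destination ports of one ENI) and SSH accepted from outside the VPC, which is what the example record above represents. The log lines are constructed in that format, reusing the slide's account id and ENI, with documentation IP ranges for the outside world and 10.1.0.0/16 as the VPC from the earlier diagrams.

```python
"""Parse VPC Flow Log records in the 14-field, space-delimited format from the
table above and run two detections over them: a port scan (one source
REJECTed on many destination ports of one ENI) and SSH accepted from outside
the VPC, which is what the example record above represents.

Added example, not from the original talk. The log lines are constructed in
that format (account id and ENI ids from the slide, documentation IP ranges
for the outside world, 10.1.0.0/16 as the VPC from the earlier diagrams)."""
from collections import defaultdict
import ipaddress

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP, SSH = 6, 22

SAMPLE_LOG = """\
2 123456789010 eni-abc123de 10.1.1.10 10.1.3.20 44312 3306 6 12 2048 1460667684 1460667744 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.23 10.1.1.10 20641 22 6 20 4249 1460667684 1460667744 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.77 10.1.1.10 51000 23 6 1 40 1460667684 1460667744 REJECT OK
2 123456789010 eni-abc123de 198.51.100.77 10.1.1.10 51001 445 6 1 40 1460667684 1460667744 REJECT OK
2 123456789010 eni-abc123de 198.51.100.77 10.1.1.10 51002 3389 6 1 40 1460667684 1460667744 REJECT OK
2 123456789010 eni-abc123de 198.51.100.77 10.1.1.10 51003 8080 6 1 40 1460667684 1460667744 REJECT OK
2 123456789010 eni-abc123de 198.51.100.77 10.1.1.10 51004 8443 6 1 40 1460667684 1460667744 REJECT OK
2 123456789010 eni-abc123de 203.0.113.5 10.1.1.10 40000 80 6 10 1500 1460667684 1460667744 ACCEPT OK
2 123456789010 eni-def456ab - - - - - - - 1460667684 1460667744 - NODATA
"""


def parse_record(line):
    """One record -> dict; '-' fields (NODATA/SKIPDATA records) become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        rec[name] = None if value == "-" else (int(value) if name in INT_FIELDS else value)
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def port_scans(records, min_ports=5):
    """Sources REJECTed on at least min_ports distinct destination ports of one
    interface: {(srcaddr, interface_id): sorted ports}. REJECT means a security
    group or NACL dropped the flow, so this is also a view of those rules working."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["interface_id"])].add(r["dstport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def external_ssh_accepted(records, vpc_cidr):
    """ACCEPTed TCP/22 flows whose source is outside the VPC: (src, dst, eni)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [(r["srcaddr"], r["dstaddr"], r["interface_id"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == TCP and r["dstport"] == SSH
            and ipaddress.ip_address(r["srcaddr"]) not in vpc]


def bytes_by_interface(records):
    """Total bytes per ENI, skipping NODATA/SKIPDATA records."""
    totals = defaultdict(int)
    for r in records:
        if r["bytes"] is not None:
            totals[r["interface_id"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("port scans:", port_scans(recs))
    print("external SSH accepted:", external_ssh_accepted(recs, "10.1.0.0/16"))
    print("bytes per ENI:", bytes_by_interface(recs))
```

The same two detections map directly onto the CloudWatch Logs features listed above: a metric filter on `REJECT` per source feeds an alarm for the scan case, and a filter on `22 6` with `ACCEPT` gives the external-SSH count.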
VPC Endpoints

Service Endpoints need Internet Connectivity
Without an endpoint, traffic to the VPC's own range stays in the VPC and everything else, including calls to AWS service endpoints such as S3, goes out through the Internet Gateway:

  aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad

  Routes
  DestinationCidrBlock   GatewayId      State
  10.10.0.0/16           local          active
  0.0.0.0/0              igw-5a1ae13f   active

Everything not destined for the VPC goes to the Internet.

VPC Endpoints Allow Direct Access from VPC
With a gateway endpoint for S3, the route table gains a route for the S3 prefix list pointing at the endpoint, so S3 traffic never leaves the AWS network and a private subnet can reach S3 without a NAT gateway:

  aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a

  Routes
  DestinationCidrBlock   DestinationPrefixListId   GatewayId
  10.10.0.0/16                                     local
                         pl-68a54001               vpce-a610f4cf

The Amazon S3 Prefix list

  aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001

  PrefixListId   PrefixListName
  pl-68a54001    com.amazonaws.us-west-2.s3
  Cidrs
  54.231.160.0/19

The prefix list is the IP range for Amazon S3 in that region. It changes over time and is managed by AWS, so reference the prefix list ID (in route tables and in security group outbound rules) rather than hard-coding the CIDRs.

Rich security controls
• New route entry
  – As many endpoints per VPC as you like, but a route table can hold only one route for a given prefix list, so each subnet uses at most one S3 endpoint
• Policies on VPC endpoints
  – Constrain principals, actions, destination buckets, paths within buckets
• S3 bucket policies
  – Constrain source VPCs and/or VPC endpoints
• All policies ANDed together
  – IAM, VPC endpoints and S3
VPC endpoint policy example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}

In English: Calls via this VPC endpoint are allowed Get/Put to my_secure_bucket, and nothing else through this endpoint (an endpoint with no custom policy gets the default policy, which allows full access).

S3 bucket policy example #1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" }
      }
    }
  ]
}

In English: Deny access to this bucket to all calls except those coming via this VPC endpoint. Any request that carries no aws:sourceVpce key at all (the AWS console, a laptop on the internet, anything reaching S3 through an Internet Gateway or NAT) satisfies StringNotEquals and is denied, so confirm the administrators have a path through the endpoint before applying it.

S3 bucket policy example #2

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4" }
      }
    }
  ]
}

In English: Deny access to this bucket to all calls except those coming from this VPC. aws:sourceVpc is likewise only set on requests that arrive through a VPC endpoint, so this accepts any endpoint in that VPC, not traffic the VPC sends to S3 over the public route.
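"All policies ANDed together" is easiest to see by evaluating a few requests. The following added example (not code from the talk) is a deliberately small model of IAM policy evaluation (explicit Deny beats Allow, wildcards via fnmatch, StringEquals/StringNotEquals with IAM's missing-key semantics) applied to the endpoint policy and bucket policy #1 above. It shows a Get through the endpoint succeeding, a List or a different bucket being stopped by the endpoint policy, and a request with no aws:sourceVpce key, or from another endpoint, being stopped by the bucket policy. The caller's own IAM identity policy is assumed to allow the action and is not modelled; the endpoint and VPC IDs are the ones on the slides.

```python
"""Evaluate an S3 request against the VPC endpoint policy and the bucket
policy shown above to see how the two are ANDed: the call must be allowed by
the endpoint it traverses and must not be denied by the bucket. It also shows
the operational caveat of bucket policy #1: a request with no aws:sourceVpce
key at all (AWS console, a laptop on the internet, a Lambda outside the VPC)
satisfies StringNotEquals and is denied.

Added example, not from the original talk: a deliberately small model of
IAM policy evaluation (explicit Deny beats Allow, wildcards via fnmatch,
StringEquals/StringNotEquals with IAM's missing-key semantics). The caller's
own IAM identity policy is assumed to allow the action and is not modelled."""
from fnmatch import fnmatchcase
import json

ENDPOINT_POLICIES = {
    # The endpoint policy above, attached to the endpoint from the slides.
    "vpce-a610f4cf": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "Access-to-specific-bucket-only", "Principal": "*",
                     "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
                     "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]}]}"""),
}
# A gateway endpoint with no custom policy gets AWS's default policy: full access.
DEFAULT_ENDPOINT_POLICY = {"Version": "2012-10-17",
                           "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Access-to-specific-VPCE-only", "Principal": "*", "Action": "s3:*",
                 "Effect": "Deny",
                 "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
                 "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}}}]}""")


def _match(pattern, value):
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != wanted:
                return False                      # a missing key never equals
            if operator == "StringNotEquals" and actual == wanted:
                return False                      # a missing key is "not equal": condition holds
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def evaluate(policy, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    decision = None
    for st in policy["Statement"]:
        if (_match(st["Action"], ctx["action"]) and _match(st["Resource"], ctx["resource"])
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def s3_decision(ctx):
    """Combined answer for one S3 call. ctx carries action, resource and, when
    the call traverses a gateway endpoint, aws:sourceVpce (and aws:sourceVpc)."""
    vpce = ctx.get("aws:sourceVpce")
    if vpce is not None:                          # endpoint policy applies only on that path
        endpoint_policy = ENDPOINT_POLICIES.get(vpce, DEFAULT_ENDPOINT_POLICY)
        if evaluate(endpoint_policy, ctx) != "Allow":
            return "deny:endpoint-policy"
    if evaluate(BUCKET_POLICY, ctx) == "Deny":
        return "deny:bucket-policy"
    return "allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_secure_bucket/reports/q1.csv"
    via = {"action": "s3:GetObject", "resource": obj,
           "aws:sourceVpce": "vpce-a610f4cf", "aws:sourceVpc": "vpc-c15180a4"}
    print(s3_decision(via))                                                              # allow
    print(s3_decision({**via, "action": "s3:ListBucket",
                       "resource": "arn:aws:s3:::my_secure_bucket"}))                    # deny:endpoint-policy
    print(s3_decision({**via, "resource": "arn:aws:s3:::other_bucket/x"}))               # deny:endpoint-policy
    print(s3_decision({"action": "s3:GetObject", "resource": obj}))                      # deny:bucket-policy
    print(s3_decision({**via, "aws:sourceVpce": "vpce-other"}))                          # deny:bucket-policy
```

The second case is the one people miss when they copy the endpoint policy: the application's `ListBucket` calls fail even though the bucket policy is satisfied, because the endpoint policy only lists Get and Put.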
A Quick Aside: AWS Marketplace

AWS Marketplace
• Online Store for Software and Services
  – Software pre-built into AMIs by Vendors or other Partners
  – 1-Click deployment; some AMIs come with CloudFormation templates
  – Many have "by-the-hour" pricing options
  – Any billing/payment for licences can be handled in your AWS bill
Connecting to Your Network

Connect to your data center
[Diagram: VPC 10.1.0.0/16 with subnets 10.1.1.0/24 and 10.1.2.0/24 (public) and 10.1.3.0/24 and 10.1.4.0/24 (private) across Availability Zones A and B, connected to the corporate network 192.168.0.0/16 by a VPN or by Direct Connect; an Internal Server in a private subnet needs to reach hosts in the data center]

Public subnet route table:

  Destination      Target
  10.1.0.0/16      Local
  0.0.0.0/0        IGW

Private subnet route table:

  Destination      Target
  10.1.0.0/16      Local
  192.168.0.0/16   VGW
  0.0.0.0/0        NAT Gateway

Route selection is longest prefix match, so the more specific 192.168.0.0/16 entry wins over the default route: traffic for the data center goes to the Virtual Private Gateway and everything else to the NAT Gateway. The public subnet carries no VGW route here, so the web tier cannot reach the data center at all, which is usually what you want.
AWS Hardware VPN

Static VPN
[Diagram: VPC 10.0.0.0/16 connected to CORP 172.16.0.0/16 by two IPsec tunnels; each side is configured with static routes for the other's prefix]
• 1 unique Security Association (SA) pair per tunnel
  – 1 inbound and 1 outbound
• 2 unique pairs for 2 tunnels – 4 SAs
• With static routing the customer gateway is responsible for moving traffic to the surviving tunnel when one fails

Dynamic VPN
[Diagram: VPC 10.0.0.0/16 connected to CORP 172.16.0.0/16 by two tunnels running BGP]
  Tunnel 1: AWS side IP 169.254.169.1/30, BGP AS 7224; customer side IP 169.254.169.2/30, BGP AS 65001
  Tunnel 2: AWS side IP 169.254.169.5/30, BGP AS 7224; customer side IP 169.254.169.6/30, BGP AS 65001

Route Table (propagated from the VGW):

  Destination      Target
  10.0.0.0/16      Local
  172.16.0.0/16    VGW

With BGP the prefixes are learned over the tunnels and propagated into the VPC route table, and a tunnel failure withdraws its routes, so failover between the two tunnels is automatic.

Resilient Dynamic VPN
[Diagram: VPC 10.0.0.0/16 with BGP tunnels to two separate customer gateways at CORP (172.16.0.0/16); the customer routers run OSPF and iBGP between themselves and eBGP towards AWS, so the loss of one router or tunnel is re-routed automatically]

Resilient Dynamic VPN – Multiple VPCs
[Diagram: the same CORP setup with one VPN connection per VPC]
AWS Direct Connect

What is AWS Direct Connect…
• Dedicated, private pipes into AWS
• Create private (VPC) or public virtual interfaces to AWS
• Reduced data-out rates (data-in still free)
• Consistent network performance
• At least 1 location to each AWS region
• Option for redundant connections
• Multiple AWS accounts can share a connection
• Uses BGP to exchange routing information over a VLAN (one 802.1Q VLAN per virtual interface)
At the Direct Connect Location
[Diagram: AWS Backbone Network -> AWS Direct Connect Routers -> Cross Connect (the demarcation point between AWS and the customer) -> Customer Router in the colocation area of the DX Location -> Access Circuit -> Customer's Network Backbone -> Access Circuit -> CORP]

Dedicated Port via Direct Connect Partner
[Diagram: AWS Backbone Network -> AWS Direct Connect Routers -> Cross Connect (demarcation) -> Partner Equipment in the colocation area of the DX Location -> Partner Network -> Access Circuit -> Customer Router -> CORP]

For a full Direct Connect Partner list see here: https://aws.amazon.com/directconnect/partners/

At the Direct Connect Location – via MPLS
[Diagram: AWS Backbone Network -> AWS Direct Connect Routers -> Cross Connect (demarcation) -> Partner PE Router (Provider Edge) -> Partner MPLS Core -> Access Circuit to the CE Router (Customer Edge) -> CORP]

Dual DX – Single Location
[Diagram: two Direct Connect circuits from the AWS Direct Connect Routers to one Customer Router in the colocation area of a single DX Location, then across the Service Provider Network to CORP; the location and the router are both single points of failure]

Dual DX – Single Location / Dual Routers
[Diagram: two circuits to two Customer Routers at a single DX Location, then across the Service Provider Network to CORP; the location remains a single point of failure]

Single DX – Dual Location / Dual Routers
[Diagram: one circuit at DX Location 1 and one at DX Location 2, each terminating on its own Customer Router, both reaching CORP across the Service Provider Network]

Dual DX – Dual Location / Dual Routers
[Diagram: two circuits at each of DX Location 1 and DX Location 2, each location with its own pair of Customer Routers, all reaching CORP across the Service Provider Network]
Things to remember
• All Direct Connect locations are at 3rd party data centers
• You will have to work with at least one other organisation
  – Could be just the Data Center
  – Could be a Network Provider / Direct Connect Partner
  – Could be multiple Network Providers AND the Data Center
• There are a number of possible connection speeds
  – 1G and 10G links can connect to multiple VIFs (=> multiple VPCs)
  – Sub-1G Hosted Connections from Partners support just a single VIF (=> single VPC)
• VIFs could be attached to other accounts in the same AWS Region
• Public VIFs include the Hardware VPN Endpoints
  – Use Direct Connect to transport an IPsec VPN connection: a Direct Connect link is private but not encrypted by the service itself, so run the VPN over a public VIF when the data must be encrypted on the wire
BBC iPlayer in the Cloud
AKA "Video Factory"

Sources:
BBC iPlayer Performance Pack August 2013
http://www.bbc.co.uk/blogs/internet/posts/Video-Factory

• The UK's biggest video & audio on-demand service
  – And it's free!
• Over 7 million requests every day
  – ~2% of overall consumption of BBC output
• Over 500 unique hours of content every week
  – Available immediately after broadcast, for at least 7 days
• Available on over 1000 devices including
  – PC, iOS, Android, Windows Phone, Smart TVs, Cable Boxes…
• Both streaming and download (iOS, Android, PC)
• > 20 million app downloads

Video Factory – Workflow
Sources:
AWS re:Invent – November 2013 – MED302
https://www.youtube.com/watch?v=MjZdiDotRU8
[Diagram listing the workflow components: 24 SDI broadcast video feeds, Broadcast Encoder, SMPTE Timecode, RTP Chunker, Time Addressable Mezzanine Video Capture, Amazon S3 (Mezzanine), Live Ingest Abstraction Layer, Playout Video, Editorial Clipping, Transcode (Amazon Elastic Transcoder, Elemental Cloud), QC, Amazon S3 (Distribution Renditions), Transcoded Video, DRM, Media Store, Playout Data Feed, MAM, Metadata]

Data Transfer Requirements
Sources:
AWS UK – 24/09/14 – Rachel Evans, BBC
http://www.slideshare.net/rvedotrc/bbc-iplayer-bigger-better-faster

• SD Video – 2.3TB/day
  – 1.3MB/sec/channel = 109GB/day/channel x 21 channels
• HD Video – 2.9TB/day
  – 4.2MB/sec/channel = 365GB/day/channel x 8 channels
• Daily Video – 5.2TB/day per copy per location
  – 2 copies at 2 locations
• DAILY TRANSFER = 21TB
Summary

• Fundamentals
  – VPC Overview
  – Picking your IP Space
  – Subnet Design
  – Routing and NATing
  – VPC Security
• Advanced Topics
  – VPC Peering
  – VPC Flow Logging
  – VPC Endpoints
• DC Connectivity
  – IPsec VPN Tunnel
  – AWS Direct Connect

Thank You. Questions?