Computer Network
Two or more client machines connected to share resources.
What can a network be logically partitioned into?
Subnets
What is required for networking?
A networking device (such as a router or switch) that connects all the clients together and enables communication between them.
Client Machine
A device in the network with a unique Internet Protocol (IP) address that identifies it.
What is an IP Address?
A numerical label, in decimal format.
Machines can…
Convert that decimal number to a binary format
IPv4 Address
A 32-bit IP address used in networking.
IPv4 address…
Each of the four dot (.) separated numbers of the IP address represents 8 bits (one octet), written as a decimal number from 0 to 255.
IPv6 Address
A 128-bit IP address that accommodates more user devices.
IPv6 address…
Composed of 8 groups of four hexadecimal characters (letters and numbers) that are separated by colons
(Each of the 8 groups represent 16 bits in hexadecimal number format)
CIDR (Classless Inter-Domain Routing)
A method for expressing IP addresses and their routing prefixes via a slash character and a number.
How is a CIDR expressed?
An IP address (first address of the network)
Slash Character (/)
Number that tells you how many bits of the routing prefix must be fixed or allocated for the network identifier
What goes after the slash?
The number of bits that are fixed (how many bits are fixed)
Open Systems Interconnection (OSI) Model
A conceptual model used to understand data transmission over a network.
Open Systems Interconnection (OSI) model (layers and numbers):
Application - 7
Presentation - 6
Session - 5
Transport - 4
Network - 3
Data Link - 2
Physical - 1
Application
Provides a means for an application to access a computer network
(Example: HTTP(S), FTP, DHCP, LDAP)
Presentation
Ensures that the application layer can read the data
Encryption
(Example: ASCII, ICA)
Session
Enables orderly exchange of data
(Example: NetBIOS, RPC)
Transport
Provides protocols to support host-to-host communication
(Example: TCP, UDP)
Network
Routing and packet forwarding (routers)
(Example: IP)
Data Link
Transfers data within the same LAN (hubs and switches)
(Example: MAC)
Physical
Transmission and reception of raw bitstreams over a physical medium
(Example: Signals (1s and 0s or Binary))
Amazon VPC
Enables you to provision a logically isolated section of the AWS Cloud (known as a VPC) to launch AWS resources in a defined virtual network.
Gives you control over your virtual networking resources including:
Selection of IP address range
Creation of subnets
Configuration of route tables and network gateways
Enables you to customize the network configuration for your VPC
Create a public subnet for your web servers that can access the internet
Enables you to use multiple layers of security
Security groups and network ACLs, to help control access to Amazon EC2 instances in each subnet.
You can use both IPv4 and IPv6 in your VPC for secure access to resources and applications
VPC:
Virtual network that is logically isolated from other VPCs
Dedicated to your AWS account
Belongs to a single AWS Region and can span multiple Availability Zones
Requires a CIDR Block
Amazon VPC enables you to…
Provision VPCs and logically isolate them from other VPCs.
Subnet
Range of IP addresses that divide a VPC
Belongs to a single Availability Zone
Create subnets in different Availability Zones for high availability.
Classified as public or private
Requires a CIDR Block
Public Subnet
A subnet configured with direct access to the internet.
Private Subnet
A subnet without direct internet access.
IP addressing
When you create a VPC, you assign it an IPv4 CIDR block (a range of private IPv4 addresses)
You cannot change the address range after you create the VPC
The largest IPv4 CIDR block size is /16
The smallest IPv4 CIDR block size is /28
IPv6 is also supported (with a different block size limit).
CIDR blocks of subnets cannot overlap.
Reserved IP addresses
Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses. The VPC has four equal-sized subnets. Only 251 IP addresses are available for use by each subnet.
What is each CIDR Block’s IP address reserved for?
10.0.0.0 — Network Address
10.0.0.1 — VPC Local Router (Internal Communication)
10.0.0.2 — DNS Resolution
10.0.0.3 — Future Use
10.0.0.255 — Network Broadcast Address
For each CIDR block, AWS reserves 5 IP addresses within that block (not available for use):
Network address
VPC local router
Domain Name System (DNS) resolution
Future use
Network broadcast address
Public IPv4 address
Can be assigned to an instance at launch by modifying the subnet’s auto-assign public IP address property
Manually assigned through an Elastic IP address
Automatically assigned through the auto-assign public IP address settings at the subnet level
Elastic IP Address
An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing (additional costs might apply)
Associated with an AWS account
Can be allocated and remapped anytime
Mask the failure of an instance by rapidly remapping
Additional costs might apply
What is the advantage of attaching the Elastic IP address to the network interface (over directly to the instance)?
You can move all of the attributes of the network interface from one instance to another in a single step
Elastic Network Interface
An elastic network interface is a virtual network interface that you can:
Attach to an instance
Detach from the instance, and attach to another instance to redirect network traffic
Its attributes follow when it is reattached to a new instance
Each instance in your VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC.
You CANNOT detach a primary network interface from an instance
You CAN create and attach an additional network interface to any instance in your VPC
Route Table
Contains a set of rules (or routes) that you can configure to direct network traffic from your subnet (control traffic for subnet)
Each route specifies a destination and a target
By default, every route table contains a local route for communication within the VPC
Each subnet must be associated with a route table (and with at most one at a time).
Destination
The destination CIDR block where you want traffic from your subnet to go
Target
The target that the destination traffic is sent through
Local Route
Every route table that is created contains a local route for communication in the VPC
Route tables have a built-in local route
You can customize the route tables by adding routes
Local Route Entry can NOT be deleted
Main Route Table
Automatically assigned to your VPC
Controls the routing for all subnets that are not explicitly associated with any other route table
(A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table.)
Internet Gateway
Connects your VPC to the internet
Scalable, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet
igw-id
What purposes (2) do Internet Gateways serve?
To provide a target in your VPC route tables for internet-routable traffic
To perform network address translation for instances that were assigned public IPv4 addresses
To make a subnet public…
Attach an internet gateway to the VPC and add a route to the subnet’s route table that sends internet-bound traffic through the gateway
NAT Gateway (network address translation)
Enables instances in a private subnet to connect to the internet (or other AWS services)
A service that enables instances in a private subnet to connect to the internet, but prevents the internet from initiating a connection with those instances
nat-gw-id
To create a NAT gateway…
Specify the public subnet in which the NAT gateway resides
Specify an Elastic IP address to associate with the NAT gateway
Update the route table that is associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway
Private subnets can communicate with the internet
Advantages of a NAT Gateway over a NAT Instance:
A managed service that provides better availability, higher bandwidth, and less administrative effort.
For common use: Use NAT Gateway
What is a VPC Endpoint?
Virtual device that enables you to privately connect your VPC to supported AWS services
Connection to these services does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
Instances do not require public IP addresses to communicate with resources in the service
Traffic between your VPC and the other service does not leave the Amazon network
VPC Endpoint
Connects your VPC to supported AWS services
Two types:
Interface endpoints (powered by AWS PrivateLink)
Incurs charges: the service consumer is billed for creating and using an interface endpoint
Gateway endpoints (Amazon S3 and Amazon DynamoDB)
Incurs no additional charge
VPC Peering
Connects your VPC to other VPCs (in your own AWS account, between AWS accounts, or between AWS Regions)
Restrictions:
IP address spaces cannot overlap
Transitive peering is not supported
You can only have one peering resource between the same two VPCs
VPC Sharing
Allows multiple AWS accounts to create their application resources
(such as Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, Amazon Redshift clusters, and AWS Lambda functions)
into shared, centrally-managed Amazon VPCs
Enables sharing of subnets
AWS Site-to-Site VPN
Connects your VPC to remote networks
Create a new virtual gateway device (called a virtual private network (VPN) gateway) and attach it to your VPC.
Define the configuration of the VPN device or the customer gateway. The customer gateway is not a device but an AWS resource that provides information to AWS about your VPN device.
Create a custom route table to point corporate data center-bound traffic to the VPN gateway. You also must update security group rules. (You will learn about security groups in the next section.)
Establish an AWS Site-to-Site VPN (Site-to-Site VPN) connection to link the two systems together.
Configure routing to pass traffic through the connection.
AWS Direct Connect
Connects your VPC to a remote network by using a dedicated network connection between your network and another location
Can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
AWS Transit Gateway
A hub-and-spoke connection alternative to VPC peering (simplifies management)
Create and manage a single connection from the central gateway into each VPC, on-premises data center, or remote office across your network
Security Group
A virtual firewall for instances that controls inbound and outbound traffic.
Acts at the instance level, NOT the subnet level
A way to filter traffic to your instances
Security Groups
Security groups have rules that control inbound and outbound instance traffic
Default security groups deny all inbound traffic and allow all outbound traffic
Security groups are stateful
Stateful
State information is kept even after a request is processed
Custom security group examples
You can specify allow rules, but not deny rules
All rules are evaluated before the decision to allow traffic
View diagram of Custom Security Group examples
…
Network Access Control Lists (ACLs)
An optional security layer that controls traffic into and out of one or more subnets.
Automatically associated with a subnet
You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time
Add another layer of security to your VPC
Network ACLs act at the subnet level
Network Access Control Lists
A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic
Default network ACLs allow all inbound and outbound IPv4 traffic
Network ACLs are stateless
Stateless
No information about a request is maintained after a request is processed
Custom network ACLs example
Custom network ACLs deny all inbound and outbound traffic until you add rules
You can specify both allow and deny rules
Rules are evaluated in number order, starting with the lowest number
Security groups versus network ACLs
Security groups act at the instance level, but network ACLs act at the subnet level.
Security groups support allow rules only, but network ACLs support both allow and deny rules.
Security groups are stateful, but network ACLs are stateless.
For security groups, all rules are evaluated before the decision is made to allow traffic. For network ACLs, rules are evaluated in number order before the decision is made to allow traffic.
Creating a VPC:
Create a VPC.
Create additional subnets.
Create a VPC security group.
Launch a web server.
Amazon Route 53
Is a highly available and scalable Domain Name System (DNS) web service
Is used to route end users to internet applications by translating names into the numeric IP addresses that computers use to connect to each other
Is fully compliant with IPv4 and IPv6
Connects user requests to infrastructure running in AWS and also outside of AWS
Is used to check the health of your resources
Features traffic flow
Enables you to register domain names (DNS)
See Amazon Route 53 DNS resolution
…
Amazon Route 53 supported routing
Simple Routing
Weighted Round Robin Routing
Latency Routing
Geolocation Routing
Geoproximity Routing
Failover
Multivalue answer routing
Simple Routing
Use in single-server environments
Weighted Round Robin Routing
Assign weights to resource record sets to specify how often each one is returned in responses
Latency Routing
Helps improve your global applications
Routes your customers to the AWS endpoint that gives them the fastest experience
Geolocation routing
Route traffic based on location of your users
Geoproximity routing
Route traffic based on location of your resources
Failover routing
Fail over to a backup site if your primary site becomes unreachable
Multivalue answer routing
Respond to DNS queries with up to eight healthy records selected at random
Use Case:
Multi-Region Deployment
The user is automatically directed to the Elastic Load Balancing load balancer that’s closest to the user.
The benefits of multi-region deployment of Route 53 include:
Latency-based routing to the Region
Load balancing routing to the Availability Zone
Amazon Route 53 DNS failover
Improve the availability of your applications that run on AWS by:
Configuring backup and failover scenarios for your own applications
Enabling highly available multi-region architectures on AWS
Creating health checks to monitor the health and performance of web applications
Content Delivery Network (CDN)
Is a globally distributed system of caching servers
Caches copies of commonly requested files (static content)
Delivers a local copy of the requested content from a nearby cache edge or Point of Presence
Accelerates delivery of dynamic content
Improves application performance and scaling
Amazon CloudFront
Fast, global, and secure CDN service
Global network of edge locations and Regional edge caches
Self-service model
Pay-as-you-go pricing
Edge Locations
Network of data centers that CloudFront uses to serve popular content quickly to customers
Regional Edge Cache
CloudFront location that caches content that is not popular enough to stay at an edge location.
It is located between the origin server and the global edge location.
Amazon CloudFront benefits
Fast and global
Security at the edge
Highly programmable
Deeply integrated with AWS
Cost-effective
Amazon CloudFront pricing
Data Transfer Out
HTTP(S) requests
Invalidation Requests
Dedicated IP Custom SSL
Data transfer out
Charged for the volume of data transferred out from an Amazon CloudFront edge location to the internet or to your origin
HTTP(S) requests
Charged for number of HTTP(S) requests
Invalidation requests
No additional charge for the first 1,000 paths that are requested for invalidation each month. Thereafter, $0.005 per path that is requested for invalidation
Dedicated IP custom SSL
$600 per month for each custom SSL certificate that is associated with one or more CloudFront distributions that use the Dedicated IP version of custom SSL certificate support.