AWS Module 5
Section 1 - Networking Basics
Computer network - Two or more client machines connected together to share resources. A network can be logically partitioned into subnets. Networking requires a networking device (such as a router or switch) to connect the clients together and enable communication between them.
Client machine - Each machine on a network has a unique Internet Protocol (IP) address that identifies it. An IP address is a numerical label that people write in decimal; machines convert that decimal form to binary.
IPv4 address - 32-bit IP address
IPv6 address - 128 bits
Accommodates far more devices than the IPv4 space
Written as eight groups of four hexadecimal digits (0-9, A-F) separated by colons
Each group represents 16 bits in hexadecimal format
Each of the 8 groups can be anything from 0 to FFFF
CIDR (Classless Inter-Domain Routing) - Common method of describing a range of IP addresses. A CIDR block consists of:
An IP address
A slash character (/)
A number that tells you how many leading bits of the address form the routing prefix, which is fixed as the network identifier
Bits that are not fixed are allowed to change. CIDR is a way to express a group of IP addresses that are consecutive to each other (a /24 leaves 8 bits free, so it covers 256 addresses).
Open Systems Interconnection (OSI) model is a conceptual model that is used to explain how data travels over a network.
Has 7 layers and shows the common protocols and addresses that are used to send data at each layer.
Switches work at layer 2 (data link layer); hubs are layer 1 (physical layer) devices that repeat signals without reading addresses
Routers work at layer 3 (network layer)
OSI model can be used to understand how communication takes place in a VPC
Section 2
Amazon VPC
Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Gives you control over your virtual networking resources, including:
Selection of IP address range
Creation of subnets
Configuration of route tables and network gateways
Enables you to customize the network configuration for your VPC
Enables you to use multiple layers of security
VPCs and Subnets
VPC:
Logically isolated from other VPCs
Dedicated to your AWS account
Belong to a single AWS Region and can span multiple Availability Zones
Subnets:
After you create a VPC, you can divide it into one or more subnets.
Range of IP addresses that divide a VPC
Belong to a single Availability Zone
Classified as public or private
Public subnets have a route to an internet gateway, so resources in them that have public IP addresses can be reached directly from the internet
Private subnets have no such route
IP Addressing
When you create a VPC, you assign it an IPv4 CIDR block (a range of private IPv4 addresses)
You cannot change the primary address range after you create the VPC
The largest IPv4 CIDR block size is /16 (65,536 addresses)
The smallest IPv4 CIDR block size is /28 (16 addresses)
IPv6 is also supported, with a different block size limit; you can associate an IPv6 CIDR block with a VPC and its subnets and assign IPv6 addresses to the resources in them
The CIDR blocks of subnets in a VPC CANNOT overlap
Reserved IP addresses:
Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses. The VPC has four equal-sized /24 subnets (256 addresses each; the /24 size is inferred from the usable count that follows). Only 251 IP addresses are available for use in each subnet, because AWS reserves 5 of the 256.
When you create a subnet from a CIDR block, AWS reserves 5 IP addresses within that block, and these addresses are not available for your use (offsets shown for 10.0.0.0/24):
Network address (10.0.0.0)
VPC local router (10.0.0.1)
Domain Name System resolver (10.0.0.2)
Reserved for future use (10.0.0.3)
Network broadcast address (10.0.0.255; VPCs do not support broadcast, but the last address is still reserved)
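The CIDR arithmetic from Section 1 and the reserved-address example above, worked through in code. This is an added example, not part of the AWS course notes; it uses only the Python standard library. The reserved offsets follow the AWS VPC documentation, and the /24 subnet size is an inference from the notes' figure of 251 usable addresses (256 - 5).

```python
"""CIDR and subnet arithmetic for the 10.0.0.0/16 VPC in the notes.

Added example (not part of the AWS course material). The five reserved
offsets follow the AWS VPC documentation; the /24 subnet size is inferred
from the notes' figure of 251 usable addresses (256 - 5)."""
import ipaddress

VPC_MIN_PREFIX = 16   # largest VPC block AWS allows  (/16 = 65,536 addresses)
VPC_MAX_PREFIX = 28   # smallest VPC block AWS allows (/28 = 16 addresses)

# Offsets within a subnet that AWS reserves (-1 means the last address).
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC local router",
    2: "DNS resolver",
    3: "reserved for future use",
    -1: "network broadcast address",
}


def fixed_bits(cidr: str) -> tuple[str, str]:
    """Split the 32-bit address into the fixed routing prefix and the
    host bits that are free to vary inside the block."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = format(int(net.network_address), "032b")
    return bits[:net.prefixlen], bits[net.prefixlen:]


def valid_vpc_block(cidr: str) -> bool:
    """True if the IPv4 block size is within the /16 .. /28 VPC limits."""
    prefix = ipaddress.ip_network(cidr, strict=False).prefixlen
    return VPC_MIN_PREFIX <= prefix <= VPC_MAX_PREFIX


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list[str]:
    """Return the first `count` consecutive, non-overlapping /new_prefix subnets."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = []
    for sub in vpc.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(str(sub))
    return subnets


def reserved_addresses(subnet_cidr: str) -> dict[str, str]:
    """Map each of the five AWS-reserved addresses in a subnet to its role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return {str(net[offset]): role for offset, role in RESERVED_OFFSETS.items()}


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses an instance can actually get: block size minus the five reserved."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - len(RESERVED_OFFSETS)


def overlapping(subnet_cidrs: list[str]) -> list[tuple[str, str]]:
    """Pairs of subnets whose ranges overlap; AWS rejects such a layout."""
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    print(fixed_bits("10.0.0.0/16"))
    subnets = carve_subnets("10.0.0.0/16", 24, 4)
    for s in subnets:
        print(s, usable_addresses(s), reserved_addresses(s))
    print(overlapping(subnets + ["10.0.3.128/25"]))
```

Run it before submitting a subnet layout: `overlapping` catches the overlap AWS would reject, and `usable_addresses` is what to plan capacity against rather than the raw block size.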
Public IP address types:
Public IPv4 address -
Assigned to an instance at launch either automatically, through the subnet's auto-assign public IP address setting, or manually, through an Elastic IP address
An auto-assigned public IPv4 address is released when the instance is stopped or terminated and a different one is assigned on restart; use an Elastic IP address when the address must persist
Elastic IP address -
A static public IPv4 address designed for dynamic cloud computing
Associated with your AWS account, not with a particular instance
Can be allocated and remapped to a different instance at any time
Additional costs might apply
Elastic Network Interface:
An elastic network interface is a virtual network interface that you can:
Attach to an instance
Detach from the instance, and then attach to another instance to redirect network traffic
Its attributes follow when it is reattached to a new instance
Each instance in your VPC has a primary network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC
Route tables and routes
A route table contains a set of rules (or routes) that you can configure to direct network traffic from your subnet
Each route specifies a destination and a target
By default, every route table contains a local route for communication within the VPC
Each subnet must be associated with exactly one route table (a route table can serve many subnets)
Destination - the CIDR block that traffic from your subnet is addressed to
Target - the gateway, network interface, or connection that matching traffic is sent through (for example local, an internet gateway, or a NAT gateway). When several routes match, the most specific (longest prefix) one is used.
Main route table - the route table that is created automatically with your VPC
Controls the routing for all subnets that are not explicitly associated with any other route table
Section 3
Internet gateway - scalable, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet
Serves two purposes:
Provide a target in your VPC route tables for internet-routable traffic
Perform network address translation for instances that were assigned public IPv4 addresses.
Public Subnet - attach an internet gateway to your VPC and add a route to the route table to send non-local traffic through the internet gateway to the internet
Network address translation (NAT) gateway - Enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
Create the NAT gateway in a public subnet (it relies on that subnet's internet gateway route)
Specify an Elastic IP address to associate with the NAT gateway when you create it
Update the route table that is associated with one or more of your private subnets so that 0.0.0.0/0 points to the NAT gateway
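The route table lookup from Section 2 and the public, private (NAT) and isolated subnet layouts from this section, as an added example that is not part of the AWS course notes. It reproduces the rule VPC route tables apply: the route with the longest matching prefix wins, so the local route keeps in-VPC traffic inside the VPC even when a 0.0.0.0/0 route exists. The gateway IDs (igw-..., nat-...) are made-up placeholders, not real resources.

```python
"""Resolving a destination against VPC route tables.

Added example (not from the AWS course material). Longest-prefix match,
as VPC route tables do it. Gateway IDs below are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block the traffic is addressed to
    target: str        # where matching traffic is sent (local, igw-..., nat-...)


VPC_CIDR = "10.0.0.0/16"
LOCAL = Route(VPC_CIDR, "local")   # present in every route table by default

# Public subnet: default route to an internet gateway.
PUBLIC_RT = [LOCAL, Route("0.0.0.0/0", "igw-0123456789abcdef0")]
# Private subnet: default route to a NAT gateway that lives in a public subnet.
PRIVATE_RT = [LOCAL, Route("0.0.0.0/0", "nat-0123456789abcdef0")]
# Subnet left on a main route table that was never given an internet route.
ISOLATED_RT = [LOCAL]


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target for dst_ip, or None when no route matches (dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for route in route_table:
        net = ipaddress.ip_network(route.destination, strict=True)
        # Most specific match wins: /16 local beats /0 default for VPC addresses.
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best.target if best else None


def subnet_is_public(route_table: List[Route]) -> bool:
    """AWS's definition of a public subnet: it has a route to an internet gateway.
    A NAT gateway route does not make a subnet public; it allows outbound
    connections only, so the internet cannot initiate connections inward."""
    return any(r.target.startswith("igw-") for r in route_table)


if __name__ == "__main__":
    tables = [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]
    for name, rt in tables:
        print(name, lookup(rt, "10.0.7.42"), lookup(rt, "198.51.100.7"), subnet_is_public(rt))
```

When auditing a VPC, the `subnet_is_public` check is the one to run per subnet: a subnet is exposed by its route table, not by the "public" label someone gave it.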
Section 4
Security group - Acts as a virtual firewall for your instance, and it controls inbound and outbound traffic
Acts at the instance level, not the subnet level
Security Groups -
Security groups have rules that control inbound and outbound instance traffic
A newly created security group has no inbound rules (all inbound traffic denied) and one outbound rule that allows all traffic; the VPC's default security group additionally allows inbound traffic from other members of the same group
Security groups are stateful
Custom security group examples -
You can specify allow rules, but not deny rules
All rules are evaluated before the decision to allow traffic
Network Access Control Lists
Network Access Control Lists - optional layer of security for Amazon VPC
Acts as a firewall for controlling traffic in and out of one or more subnets
Network Access Control Lists-
A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic
Default network ACLs allow all inbound and outbound IPv4 traffic
Network ACLs are stateless
Custom Network ACLs examples
Custom network ACLs deny all inbound and outbound traffic until you add rules
You can specify both allow and deny rules
Rules are evaluated in number order, starting with the lowest number; the first rule that matches is applied, and the final catch-all rule (*) denies anything that no earlier rule matched
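The security group and network ACL behaviour described in this section, contrasted on one HTTPS exchange. This is an added example, not part of the AWS course notes: a toy evaluator with constructed rules and addresses. A client at 203.0.113.10 connects to an instance at 10.0.0.10 on TCP 443 and the instance replies; the 1024-65535 ephemeral port range used for the NACL reply rule is an assumption.

```python
"""Stateful security group vs. stateless network ACL, on one HTTPS exchange.

Added example (not from the AWS course material). Rules, addresses and the
1024-65535 ephemeral range are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance/subnet, "out" = away from it
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class SgRule:            # security groups have allow rules only
    direction: str
    port: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:
    number: int          # evaluated lowest first; first match decides
    direction: str
    ports: tuple         # (low, high) destination port range
    cidr: str
    action: str          # "allow" or "deny"


def _peer(pkt: Packet) -> str:
    """The remote side that a rule's CIDR is compared against."""
    return pkt.src if pkt.direction == "in" else pkt.dst


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful: a reply to a flow that was allowed passes automatically."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def evaluate(self, pkt: Packet) -> bool:
        reverse = ("out" if pkt.direction == "in" else "in",
                   pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True                      # return traffic of a tracked flow
        allowed = any(r.direction == pkt.direction
                      and r.port == pkt.dport
                      and _in_cidr(_peer(pkt), r.cidr)
                      for r in self.rules)   # every rule is considered
        if allowed:
            self.flows.add((pkt.direction, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return allowed


class NetworkAcl:
    """Stateless: each packet, including replies, must match a rule on its own."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> bool:
        for r in self.rules:
            if (r.direction == pkt.direction
                    and r.ports[0] <= pkt.dport <= r.ports[1]
                    and _in_cidr(_peer(pkt), r.cidr)):
                return r.action == "allow"   # first match wins
        return False                         # implicit final "*" rule: deny


REQUEST = Packet("in", "203.0.113.10", 51515, "10.0.0.10", 443)
REPLY = Packet("out", "10.0.0.10", 443, "203.0.113.10", 51515)


def run_scenarios() -> dict:
    """(request allowed?, reply allowed?) for each configuration."""
    sg = SecurityGroup([SgRule("in", 443, "0.0.0.0/0")])   # no outbound rule at all
    nacl_no_ephemeral = NetworkAcl([NaclRule(100, "in", (443, 443), "0.0.0.0/0", "allow")])
    nacl_fixed = NetworkAcl([
        NaclRule(100, "in", (443, 443), "0.0.0.0/0", "allow"),
        NaclRule(100, "out", (1024, 65535), "0.0.0.0/0", "allow"),  # reply ports
    ])
    # A deny numbered below the allow blocks the client; numbered above, it is never reached.
    deny = lambda n: NaclRule(n, "in", (443, 443), "203.0.113.0/24", "deny")
    nacl_deny_first = NetworkAcl([deny(50)] + nacl_fixed.rules)
    nacl_deny_last = NetworkAcl([deny(200)] + nacl_fixed.rules)
    return {
        "sg": (sg.evaluate(REQUEST), sg.evaluate(REPLY)),
        "nacl_no_ephemeral": (nacl_no_ephemeral.evaluate(REQUEST), nacl_no_ephemeral.evaluate(REPLY)),
        "nacl_fixed": (nacl_fixed.evaluate(REQUEST), nacl_fixed.evaluate(REPLY)),
        "nacl_deny_first": nacl_deny_first.evaluate(REQUEST),
        "nacl_deny_last": nacl_deny_last.evaluate(REQUEST),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The two failure modes practitioners hit most are both in `run_scenarios`: a NACL that allows port 443 inbound but forgets the outbound ephemeral-port rule silently drops every reply, and a deny rule placed at a higher number than a matching allow never takes effect.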
Section 5
Amazon Route 53:
Is a highly available and scalable Domain Name System (DNS) web service
Is used to route end users to internet applications by translating domain names into the numeric IP addresses that computers use to connect to each other
Is fully compliant with IPv4 and IPv6
Connects user requests to infrastructure running in AWS and also outside of AWS
Is used to check the health of your resources
Offers Traffic Flow, a visual editor for building routing policies
Enables you to register domain names
Amazon Route 53 Support Routing
Simple routing - Use in single-server environments
Weighted round robin routing - Assign weights to resource record sets to specify how often each one is returned
Latency routing - Route users to the Region that gives them the lowest latency, which helps improve global applications
Geolocation routing - Route traffic based on the location of your users
Failover routing - Fail over to a backup site if your primary site becomes unreachable
Multivalue answer routing - Respond to DNS queries with up to eight healthy records selected at random
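The weighted, failover and multivalue answer policies listed above, simulated so the selection rules can be seen rather than read. This is an added example, not part of the AWS course notes: records are constructed, a seeded random generator makes the results repeatable, and health is a plain flag standing in for a Route 53 health check. The behaviour when every weighted record is unhealthy (answer as if all were healthy) is taken from the Route 53 documentation and is marked as such in the code.

```python
"""How Route 53's weighted, failover and multivalue policies pick answers.

Added example (not from the AWS course material): a simulation of the
selection logic with constructed records and a seeded RNG."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    value: str          # e.g. an IP address the record resolves to
    weight: int = 1     # used by weighted routing only
    healthy: bool = True


def weighted(records, rng):
    """Each healthy record is returned with probability weight / sum(weights).
    Weight 0 means 'never', unless every weight is 0, then all are equal."""
    # Documented Route 53 behaviour: if no record is healthy, answer as if all were.
    healthy = [r for r in records if r.healthy] or list(records)
    weights = [r.weight for r in healthy]
    if sum(weights) == 0:
        weights = [1] * len(healthy)
    return rng.choices(healthy, weights=weights, k=1)[0].value


def failover(primary, secondary):
    """Active-passive: answer with the primary while it is healthy, else the secondary."""
    return primary.value if primary.healthy else secondary.value


def multivalue(records, rng, limit=8):
    """Up to eight healthy records, chosen at random, in one response."""
    healthy = [r for r in records if r.healthy]
    return sorted(r.value for r in rng.sample(healthy, min(limit, len(healthy))))


def answer_distribution(records, queries=10_000, seed=7):
    """Fraction of queries each value was returned for under weighted routing."""
    rng = random.Random(seed)
    counts = Counter(weighted(records, rng) for _ in range(queries))
    return {v: n / queries for v, n in counts.items()}


def demo_results(seed=1):
    """Run all three policies on constructed records; returned for inspection."""
    pool = [Record(f"10.0.0.{i}", healthy=i not in (3, 6)) for i in range(10)]
    return {
        "weighted_3_to_1": answer_distribution([Record("A", 3), Record("B", 1)]),
        "weight_zero": answer_distribution([Record("A", 0), Record("B", 1)]),
        "failover_healthy": failover(Record("P"), Record("S")),
        "failover_primary_down": failover(Record("P", healthy=False), Record("S")),
        "multivalue": multivalue(pool, random.Random(seed)),
    }


if __name__ == "__main__":
    for name, result in demo_results().items():
        print(f"{name}: {result}")
```

A weight of 3 against 1 gives roughly 75% of answers to the first record, not a strict 3:1 rotation, which matters when using weights for a canary release; and multivalue routing only thins unhealthy records out of the answer set, it does not prevent a client from caching one that later fails.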
Amazon Route 53 DNS failover:
Improve the availability of your applications that run on AWS by:
Configuring backup and failover scenarios for your own applications
Enabling highly available multi-region architectures on AWS
Creating health checks
Section 6