Networking
Regions, Availability Zones and Local Zones
Amazon cloud computing resources are hosted in multiple locations world-wide. These locations are composed of AWS Regions, Availability Zones, and Local Zones.
Each AWS Region is a separate geographic area.
Each AWS Region has multiple, isolated locations known as Availability Zones (AZ).
By using Local Zones, you can place resources, such as compute and storage, in multiple locations closer to your users.
Virtual Private Cloud
Virtual Private Cloud (VPC) is a secure and isolated network segment, used to segregate resources in an AWS account.
VPCs are specific to a region.
They act as a network boundary.
Every VPC is allocated a range of IPs called a CIDR block.
A default VPC is configured by AWS in every region.
Internet connectivity is enabled by default in a default VPC via the Internet Gateway.
Each default VPC uses a /16 CIDR block range of 172.31.0.0/16 = 65,536 addresses.
A default subnet is created in each Availability Zone (AZ) and is allocated a /20 CIDR block range = 4,096 addresses.
A default security group allows outbound traffic.
A default Network Access Control List (NACL) allows both outbound and inbound traffic.
Subnets
Subnets are a group of IP addresses within a VPC.
They are bound to an availability zone (AZ).
Subnets can be either public or private.
A Subnet block size is between /16 and /28.
The first 4 IP addresses and the last IP are reserved.
There is an option to auto-assign public addresses to resources created in a subnet.
Routing
Every VPC has a VPC Router.
The router has a router interface in every subnet of the VPC.
The router uses the subnet's network address + 1 as its own address.
The role of the router is to route traffic between subnets and in and out of the VPC.
A route table controls the router.
Multiple subnets can use the same route table.
However, 1 subnet can have only 1 route table.
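As an added example (not part of the original notes), the following Python computes, for any subnet CIDR, the five addresses AWS reserves, the router address at network + 1, and the number of addresses instances can actually use. The role labels follow AWS's documented reservation order (network address, VPC router, DNS resolver, reserved for future use, and the last address); the sample CIDRs are constructed.

```python
import ipaddress

# Roles AWS gives to the first four addresses of every subnet; together with the
# last address (broadcast, which AWS does not support) they are unusable by instances.
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "DNS resolver",
    "reserved for future use",
)
MIN_PREFIX, MAX_PREFIX = 16, 28  # allowed subnet block sizes: /16 (largest) .. /28 (smallest)


def is_valid_subnet_size(cidr: str) -> bool:
    """True when the block size is within the /16 .. /28 range AWS accepts."""
    net = ipaddress.ip_network(cidr, strict=True)
    return MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def subnet_reserved_addresses(cidr: str) -> dict:
    """Map each reserved role to the concrete address it occupies in the subnet."""
    if not is_valid_subnet_size(cidr):
        raise ValueError(f"{cidr}: subnet prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    reserved = {
        role: str(ipaddress.ip_address(base + offset))
        for offset, role in enumerate(RESERVED_ROLES)
    }
    reserved["broadcast (reserved)"] = str(net.broadcast_address)
    return reserved


def router_address(cidr: str) -> str:
    """The VPC router's interface in a subnet sits at network address + 1."""
    return subnet_reserved_addresses(cidr)["VPC router"]


def usable_host_count(cidr: str) -> int:
    """Addresses instances can use: block size minus the 4 leading reserved ones and the last one."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(RESERVED_ROLES) - 1


if __name__ == "__main__":
    # Constructed example: a /20, the size of the default subnets AWS creates.
    for role, addr in subnet_reserved_addresses("172.31.16.0/20").items():
        print(f"{addr:<16} {role}")
    print("usable hosts:", usable_host_count("172.31.16.0/20"))
```

Running it on a /20 shows 4,091 usable addresses rather than the 4,096 in the block, which is the figure to use when sizing subnets.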
Internet Gateways
By default, subnets are private, which means they are not connected to the public internet.
Internet Gateways make a subnet public.
Internet Gateways have a 1:1 relationship with a VPC.
The following steps can be performed to make a subnet accessible over the public internet.
- Create an Internet Gateway
- Attach it to a VPC
- Create a custom route table
- Configure a default route (0.0.0.0/0) to point to the Internet Gateway
- Point the subnet to this route table
Internet Gateways are region resilient.
NAT Instances
NAT instances are deprecated and NAT Gateways should be used instead. However, this topic can still appear in the exam.
NAT = Network Address Translation
A NAT Instance allows EC2 instances in private subnets to connect to the internet.
The NAT instance must be launched in a public subnet.
It must have the EC2 Source / Destination Check setting disabled.
It must have an Elastic IP attached to it.
NAT instances can have their own security groups attached.
NAT Gateway
A NAT Gateway is an AWS managed NAT that allows internet access only if the communication is initiated from within AWS.
NAT Gateways still need an Internet Gateway to have access to the Internet.
They provide high bandwidth, high availability and need no administration.
NAT Gateways are subnet and AZ specific (they are not region resilient).
NAT Gateways scale from 5 Gbps up to 100 Gbps of bandwidth; you pay per hour of usage and for the bandwidth used.
They cannot be used by EC2 instances from within the same subnet.
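As an added example (not from the original notes), the Python below models a VPC route table the way the VPC router evaluates it: longest-prefix match, with the local route covering the VPC CIDR and a default route pointing at either an Internet Gateway or a NAT Gateway. It then classifies a subnet as public, private-behind-NAT or isolated from its route table, and checks that a NAT Gateway's own subnet is public, which is the condition the notes above describe. The gateway ids (igw-EXAMPLE, nat-EXAMPLE) and CIDRs are constructed placeholders, and the "attached IGW" set is an assumption standing in for the gateway's attachment state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR the route applies to
    target: str       # "local", an Internet Gateway id or a NAT Gateway id


@dataclass(frozen=True)
class RouteTable:
    name: str
    routes: tuple


def lookup_route(table: RouteTable, dst_ip: str):
    """Longest-prefix match: the most specific matching route wins, as on the VPC router."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in table.routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def classify_subnet(table: RouteTable, attached_igws: set) -> str:
    """What the route table makes a subnet: 'public', 'private-nat', 'isolated'
    or 'igw-detached' (default route to an IGW that is not attached to the VPC)."""
    default = next((r for r in table.routes if r.destination == "0.0.0.0/0"), None)
    if default is None:
        return "isolated"
    if default.target.startswith("igw-"):
        return "public" if default.target in attached_igws else "igw-detached"
    if default.target.startswith("nat-"):
        return "private-nat"
    return "isolated"


def nat_gateway_usable(nat_subnet_table: RouteTable, attached_igws: set) -> bool:
    """A NAT Gateway only provides internet access if its own subnet is public."""
    return classify_subnet(nat_subnet_table, attached_igws) == "public"


# Constructed sample VPC: placeholder gateway ids, not real resources.
VPC_CIDR = "10.0.0.0/16"
ATTACHED_IGWS = {"igw-EXAMPLE"}
PUBLIC_RT = RouteTable("public", (Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-EXAMPLE")))
PRIVATE_RT = RouteTable("private", (Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-EXAMPLE")))
ISOLATED_RT = RouteTable("isolated", (Route(VPC_CIDR, "local"),))

if __name__ == "__main__":
    for table in (PUBLIC_RT, PRIVATE_RT, ISOLATED_RT):
        hit = lookup_route(table, "198.51.100.7")
        print(table.name, "->", hit.target if hit else "no route", "|", classify_subnet(table, ATTACHED_IGWS))
```

The same classification is a useful audit check: any subnet whose table resolves to "public" is reachable from the internet if its NACL and security groups allow it, whether or not that was intended.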
DNS in VPCs
Domain name for a private IP = private IP + .ec2.internal
AWS DNS = 169.254.169.253, or the VPC CIDR base address plus two
- enableDnsHostnames: allows instances with public addresses to get a DNS host name.
- enableDnsSupport: determines whether the VPC supports DNS resolution through the Amazon DNS server.
Elastic IP
An Elastic IP is a static IP address reserved for your account. It can be attached to an EC2 instance to give it a constant public IP address.
NACLs
Network Access Control Lists (NACLs) are stateless firewalls.
They operate at the subnet level.
They are used to configure both inbound and outbound rules in order to filter traffic entering and leaving a subnet.
Every subnet has a NACL.
NACL does not handle traffic within a subnet.
NACL rules can either allow or deny traffic.
A default NACL is associated with all new subnets.
- Ephemeral port: a random port on which the client accepts the response to a request. Because NACLs are stateless, the ephemeral port range must be explicitly allowed on the subnet's NACL for return traffic.
Security Groups
Security Groups are stateful firewalls. This means that if a request is permitted then the response is automatically permitted.
Security Groups act as a firewall for individual resources.
Security Groups have a default deny policy and allow only what is needed.
By default, Security Groups allow all outbound traffic.
Security Groups are specific to a VPC.
Rules in different security groups are merged.
One Security Group can be attached to many instances. One instance can be attached to multiple security groups.
Security Groups do not filter traffic for:
- Amazon Domain Name Services (DNS)
- Amazon Dynamic Host Configuration Protocol (DHCP)
- Amazon EC2 instance metadata
- Amazon ECS task metadata endpoints
- License activation for Windows instances
- Amazon Time Sync service
- Reserved IP addresses used by the default VPC router
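The contrast between the two sections above (stateless NACLs with numbered allow/deny rules and an ephemeral-port requirement, versus stateful, allow-only, merged security groups) is easiest to see in a small simulation. The Python below is an added example, not code from the original notes: it evaluates NACL rules in ascending number order with the implicit final deny, checks both halves of an HTTPS session separately, and models a security group set that merges the rules of several groups and tracks connection state so replies pass without an outbound rule. All rule sets and addresses (TEST-NET ranges) are constructed.

```python
import ipaddress
from dataclasses import dataclass

EPHEMERAL_PORTS = (1024, 65535)  # range most clients pick for the response side of a connection


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL rules may also be "deny"; security group rules only allow
    number: int = 0        # NACL rules are evaluated in ascending number order

    def matches(self, protocol: str, port: int, peer_ip: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr, strict=False)


def nacl_decision(rules, protocol, port, peer_ip) -> bool:
    """Stateless: the lowest-numbered matching rule decides; the implicit '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, peer_ip):
            return rule.action == "allow"
    return False


def nacl_allows_https_session(inbound, outbound, client_ip, client_port) -> bool:
    """A NACL sees the two halves of a TCP session as unrelated packets: the request
    arrives on port 443, the reply leaves towards the client's ephemeral port."""
    request_ok = nacl_decision(inbound, "tcp", 443, client_ip)
    reply_ok = nacl_decision(outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


class SecurityGroupSet:
    """Stateful: inbound allow rules of every attached group are merged, and a
    permitted request records connection state so its reply needs no outbound rule."""

    def __init__(self, *groups):
        self.inbound = [rule for group in groups for rule in group]
        self.established = set()

    def allows_request(self, protocol, port, client_ip) -> bool:
        if any(r.matches(protocol, port, client_ip) for r in self.inbound):
            self.established.add((protocol, port, client_ip))
            return True
        return False

    def allows_reply(self, protocol, port, client_ip) -> bool:
        return (protocol, port, client_ip) in self.established


# Constructed rule sets for a subnet that serves HTTPS (TEST-NET address ranges).
NACL_IN = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
NACL_IN_WITH_DENY = [Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=50)] + NACL_IN
NACL_OUT_MISSING_EPHEMERAL = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
NACL_OUT_FIXED = [Rule("tcp", *EPHEMERAL_PORTS, "0.0.0.0/0", number=100)]
SG_WEB = [Rule("tcp", 443, 443, "0.0.0.0/0")]
SG_ADMIN = [Rule("tcp", 22, 22, "203.0.113.0/24")]

if __name__ == "__main__":
    print("NACL, no ephemeral rule:",
          nacl_allows_https_session(NACL_IN, NACL_OUT_MISSING_EPHEMERAL, "198.51.100.9", 51515))
    print("NACL, ephemeral allowed:",
          nacl_allows_https_session(NACL_IN, NACL_OUT_FIXED, "198.51.100.9", 51515))
    sg = SecurityGroupSet(SG_WEB, SG_ADMIN)
    print("SG request / reply:", sg.allows_request("tcp", 443, "198.51.100.9"),
          sg.allows_reply("tcp", 443, "198.51.100.9"))
```

The first NACL case is the classic misconfiguration: inbound 443 is allowed, the request arrives, but the reply to the client's ephemeral port is dropped by the outbound default deny, so the connection hangs. The deny rule at number 50 also shows why rule ordering matters: a deny with a lower number wins over a broader allow.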
Elastic Load Balancers
- Classic Load Balancers: old generation of load balancers, deprecated. They cannot handle more than 1 SSL certificate.
- Application Load Balancers: ALBs serve web-based applications.
They can handle HTTP/S and WebSocket protocols and operate at the application layer (layer 7).
ALBs can route based on URL path conditions, host domain, and HTTP fields such as header, method, query string and source IP.
ALBs support HTTP redirects and custom HTTP responses.
They can perform health checks.
HTTPS traffic is terminated on an ALB.
- Network Load Balancers: NLBs are based on TCP/UDP and operate at layer 4.
NLBs forward TLS connections as-is, i.e. there is no TLS termination.
Health checks are based on ICMP/TCP connections.
- Cross-Zone Load Balancing: can be used for equal distribution of traffic across AZs.
- Public Load Balancers: a.k.a. internet-facing load balancers, have a public IP address and a publicly resolvable DNS name.
- Private Load Balancers: a.k.a. internal load balancers, have only private IP addresses.
- Listeners: a process that checks for connection requests. Listeners can be configured with rules. Listeners forward requests to Target Groups.
- Target Groups: a group of EC2 instances, ECS tasks, Lambda functions or other load balancers. Health checks can be performed per target in a Target Group.
AWS Client VPN
AWS Client VPN is an AWS Managed IPSec VPN Connection service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
An IPsec tunnel is established over the public internet between the Virtual Private Gateway and the Customer Gateway.
Connection can be of two types:
- Static: routes are configured through the AWS routing table
- Dynamic: routes are exchanged dynamically using a routing protocol called the Border Gateway Protocol (BGP)
You are charged for each endpoint association and each VPN connection on an hourly basis.
You are charged for data transfer out from Amazon EC2 to the internet.
1.25 Gbps is the maximum bandwidth per VPN tunnel.
A maximum of 140,000 packets can be transmitted per second.
The maximum transmission unit (MTU) is 1,466 bytes.
Direct Connect
Direct Connect is a physical connection from on-premises to AWS.
A Direct Connect Location (DX) is a rack in a data center. In the DX, both the customer and AWS have a dedicated router. Purchasing Direct Connect means purchasing a port on AWS's router.
From the AWS router, public AWS services can be reached directly.
From the AWS router, private AWS services must be reached through a Virtual Private Gateway.
The connection between the AWS router in the DX and AWS is over the AWS backbone (not the internet).
Dedicated: 1 Gbps, 10 Gbps and 100 Gbps options available.
Hosted: from 50 Mbps and 500 Mbps up to 10 Gbps.
Charged per port hour and for outbound data transfer.
Expect about 1 month to set up a Direct Connect connection.
Direct Connect can have high resiliency by using multiple AWS Direct Connect Locations.
Maximum resilience can be achieved with separate connections terminating on separate devices in more than one location.
If the primary Direct Connect connection fails, a Site-to-Site VPN connection can be used as a backup to connect over the public internet.
VPC Peering
By default, resources in one VPC cannot talk to resources in another VPC. To enable this connection, VPC Peering is needed.
The constraint to enable VPC peering is that the VPCs cannot have overlapping CIDRs.
VPC Peering can be cross region or even cross account.
Setting up VPC Peering is at no additional cost.
Data transfer within an AZ is free, whereas data transfer across AZs is charged.
A peering request has to be sent and accepted.
Route tables need to be updated.
Transitive VPC peering is not possible. This should be noted as it is a common exam question.
Security groups can be referenced across VPCs.
VPC Endpoint
A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink (not over the internet).
AWS PrivateLink uses Network Load Balancers to connect interface endpoints to services.
VPC Endpoints remove the need for an Internet Gateway or a NAT Gateway to access AWS services.
- Interface endpoints: enable connectivity to services over AWS PrivateLink. They provision an ENI (with a private IP address) as an entry point. Security groups must be attached to them. They are charged per hour and per GB of data processed.
- Gateway endpoints: a gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix list.
It is used for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3).
Gateway endpoints do not use AWS PrivateLink.
Gateway endpoints are at no additional cost.
They do not use security groups.
For S3 and DynamoDB, the Gateway endpoint should be chosen as the preferred option in the exam. An Interface endpoint will be chosen only if the access is needed from on-premises, a different VPC or a different region.
VPC Flow Logs
VPC Flow Logs capture information about IP traffic going into your interfaces.
Flow logs can be captured at the VPC, Subnet or Elastic Network Interface (ENI) level.
The main use of VPC Flow Logs is to help monitor and troubleshoot connectivity issues.
Flow Logs can be saved to S3, CloudWatch Logs or Kinesis Data Firehose.
They can capture network information from AWS managed interfaces like ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT Gateway, Transit Gateway etc.
VPC Flow Logs can be analyzed using Athena on S3 through SQL queries and visualized using Amazon QuickSight. Another option is to view them through CloudWatch Logs by using CloudWatch Contributor Insights or CloudWatch Alarms.
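Beyond troubleshooting connectivity, flow logs are a basic detection source. The Python below is an added example (not from the original notes) that parses the default version 2 flow log record format, skips NODATA/SKIPDATA records whose traffic fields are placeholders, counts REJECT records per source and flags sources whose rejected TCP traffic touched several distinct ports, the pattern a port sweep leaves behind. The sample lines are constructed: the account id and interface id are placeholders and the addresses come from the TEST-NET ranges.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FLOW_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_record(line: str):
    """Parse one space-separated flow log line into a dict. Returns None for
    NODATA/SKIPDATA records, whose traffic fields are '-' placeholders."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FLOW_FIELDS, parts))
    if record["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        record[key] = int(record[key])
    return record


def parse_flow_log(text: str):
    """Parse every non-empty line, dropping records that carry no traffic data."""
    parsed = (parse_flow_record(line) for line in text.splitlines() if line.strip())
    return [record for record in parsed if record]


def rejects_by_source(records) -> Counter:
    """How many REJECT records (traffic dropped by NACL or security group) each source produced."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def suspected_port_sweeps(records, min_ports: int = 3):
    """Sources whose rejected TCP traffic touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:  # IP protocol 6 = TCP
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample records: placeholder account/interface ids, TEST-NET source addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 50110 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.25 41000 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.25 41001 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.25 41002 8080 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 50111 8443 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000060 1700000119 - NODATA
"""

RECORDS = parse_flow_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("rejects by source:", dict(rejects_by_source(RECORDS)))
    print("suspected sweeps:", suspected_port_sweeps(RECORDS))
```

The same logic expressed as an Athena query over the S3-delivered logs, or as a CloudWatch Logs metric filter on the action field, is how it would be run at scale; the parser here is the offline equivalent.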
Site to Site VPN
Site to Site VPN is similar to a Direct Connect, but the connection between the Customer Gateway and the Virtual Private Gateway is via the public internet.
AWS VPN CloudHub
If you have multiple AWS Site-to-Site VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. This enables your remote sites to communicate with each other, and not just with the VPC. Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub.
Transit Gateway
As the number of VPCs increases, establishing connectivity between them becomes complex.
The Transit Gateway is used to have transitive peering between thousands of VPCs and on-premises environments. It works on a hub-and-spoke (star) model. The VPCs have to peer with the Transit Gateway and then all the VPCs can connect to each other.
One subnet from each AZ is used by the transit gateway to route traffic.
This is great for on-premises environments to connect to AWS. In the case of a Direct Connect connection, a connection with the Transit Gateway can be established so on-premises environments have connectivity to all VPCs. Similarly, if a Site-to-Site VPN connection is used, a VPN connection can be set up between the Customer Gateway and the Transit Gateway, giving the customer access to all VPCs.
AWS Transit Gateways can peer with other Transit Gateways even from other accounts using Resource Access Manager.
All communication is governed through route tables.
Transit Gateway is the only service that supports IP Multicast. This can be an exam question.
Transit Gateways can be used to increase bandwidth of Site to Site connection using ECMP (Equal-cost multi-path routing).
- VPN to virtual private gateway: 1-to-1 connection with a maximum throughput of 1.25 Gbps.
Maximum of 2 tunnels.
- VPN to transit gateway: 1-to-many VPC connection with 2.5 Gbps, 5 Gbps or 7.5 Gbps using ECMP.
It is a costly option.
Transit Gateway can help to share Direct Connect connections between multiple accounts
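The two connectivity models described in the VPC Peering and Transit Gateway sections are easy to get wrong in a design review: peering is point-to-point and never transitive, while a Transit Gateway attachment reaches every other attachment through the hub. The Python below is an added example (not from the original notes) that checks the non-overlapping-CIDR constraint, models both topologies, and shows how many peering connections a full mesh of n VPCs would need. The VPC names and CIDRs are constructed; the hub model assumes a single Transit Gateway route table to which every attachment is associated and propagated, which is the default behaviour.

```python
import ipaddress


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Peering is only possible between VPCs whose CIDR blocks do not overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


class PeeringMesh:
    """Point-to-point VPC peering: a connection only joins the two VPCs it was created between."""

    def __init__(self):
        self.links = set()

    def peer(self, vpc_a: str, vpc_b: str, cidr_a: str, cidr_b: str) -> None:
        if not can_peer(cidr_a, cidr_b):
            raise ValueError(f"{vpc_a} ({cidr_a}) overlaps {vpc_b} ({cidr_b})")
        self.links.add(frozenset((vpc_a, vpc_b)))

    def reachable(self, src: str, dst: str) -> bool:
        # No transitivity: A<->B plus B<->C does not give A<->C.
        return frozenset((src, dst)) in self.links


class TransitGatewayHub:
    """Hub-and-spoke: with one shared route table, every attachment reaches every other one."""

    def __init__(self):
        self.attachments = {}  # vpc name -> cidr

    def attach(self, vpc: str, cidr: str) -> None:
        # Overlapping CIDRs would make routes in the hub's table ambiguous, so refuse them.
        for other, other_cidr in self.attachments.items():
            if not can_peer(cidr, other_cidr):
                raise ValueError(f"{vpc} ({cidr}) overlaps {other} ({other_cidr})")
        self.attachments[vpc] = cidr

    def reachable(self, src: str, dst: str) -> bool:
        return src in self.attachments and dst in self.attachments and src != dst


def full_mesh_peering_count(n_vpcs: int) -> int:
    """Peering connections needed so every pair of n VPCs can talk directly."""
    return n_vpcs * (n_vpcs - 1) // 2


# Constructed sample VPCs.
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}


def build_demo():
    """A-B and B-C are peered; all three are attached to one Transit Gateway."""
    mesh = PeeringMesh()
    mesh.peer("vpc-a", "vpc-b", VPCS["vpc-a"], VPCS["vpc-b"])
    mesh.peer("vpc-b", "vpc-c", VPCS["vpc-b"], VPCS["vpc-c"])
    hub = TransitGatewayHub()
    for name, cidr in VPCS.items():
        hub.attach(name, cidr)
    return mesh, hub


if __name__ == "__main__":
    mesh, hub = build_demo()
    print("peering  a->c:", mesh.reachable("vpc-a", "vpc-c"))
    print("transit  a->c:", hub.reachable("vpc-a", "vpc-c"))
    print("full mesh of 10 VPCs needs", full_mesh_peering_count(10), "peering connections")
```

The hub model is deliberately the permissive default; in practice, separate Transit Gateway route tables are used to keep, for example, production and development attachments from reaching each other.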
VPC Traffic Mirroring
VPC Traffic Mirroring allows you to capture and inspect network traffic in your VPC. The traffic can be routed to security appliances that you manage. Traffic gets mirrored into an NLB.
Private Link
AWS PrivateLink helps AWS resources within a VPC to have direct access to public services like S3, or other services, as if the services were in the same VPC.
Amazon CloudFront
Edge locations are small sites hosted all over the world. Amazon has a total of 216 points of presence.
CloudFront is a Content Delivery Network (CDN). It speeds up delivery of static and dynamic content.
- Origin: the source location for the content cached by CloudFront (e.g. S3).
CloudFront takes files from the Origin and caches them at Edge locations.
Any HTTP backend can be used as an Origin.
- Origin Access Control (OAC): is used to secure the origin.
CloudFront can be used as an ingress point.
- Geo Restriction: restricts access based on countries.
- Distribution: a configuration that defines the location of the file or object to cache. CloudFront creates a domain name for the file or object.
Cached content is kept for a TTL (default 24 hours).
Expiry can be defined per file or object.
Cache invalidation can invalidate content in the edge location at a distribution level.
TLS is enabled by default. Custom certificates can be created with ACM.
CloudFront publishes metrics to CloudWatch and can enable extra metrics as well.
CloudFront works very well for static websites, video on demand and streaming services.
CloudFront Functions and Lambda@Edge
CloudFront Functions and Lambda@Edge enable us to run lightweight functions at edge locations.
CloudFront Functions can run when:
- CF receives a request from a viewer
- Before CF returns the response to the viewer
Lambda@Edge can run when:
- CF receives a request
- Before CF forwards the request to the origin
- When CF receives a response from the origin
- Before CF returns the response to the viewer
CF Functions use cases:
- Cache key normalization
- Header manipulation
- URL redirects or rewrites
- Request authorization
Lambda@Edge use cases:
- Long-running functions
- Functions that need configurable CPU and memory
- Functions having dependencies on third-party libraries
- Network-dependent functions
- Functions that need file system or HTTP request access
Global Accelerator
The Global Accelerator service has access to all the edge locations of AWS. Global Accelerator makes connections go through the AWS backbone.
Global Accelerator is used for routing users to edge locations, so they can immediately get on to the AWS network and optimize the time taken to reach the applications.
It provides two static anycast IP addresses that act as a fixed entry point to your application endpoints in single or multiple AWS Regions, such as your Application Load Balancers, Network Load Balancers, Elastic IP addresses or Amazon EC2 instances.
AWS Global Accelerator uses endpoint weights to determine the proportion of traffic that is directed to endpoints in an endpoint group, and traffic dials to control the percentage of traffic that is directed to an endpoint group (an AWS region where your application is deployed).
Route 53
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. Route 53 connects user requests to internet applications running on AWS or on-premises.
It is a Global Service.
It is an Authoritative DNS, which means the customer can update the DNS records.
Route 53 can be used to purchase domain names.
- Records: records define how you want to route traffic for a domain.
- Record Types: the following are the important record types in Route 53.
- A: maps a hostname to an IPv4 address.
- AAAA: maps a hostname to an IPv6 address.
- CNAME: maps a hostname to another hostname. The target is an A or AAAA record. Cannot be created for the top-level node of a DNS namespace (Zone Apex).
- Alias: maps a hostname to an AWS resource.
- NS: name servers for the Hosted Zone.
- Hosted Zones: a Hosted Zone is a container for records that define how to route traffic to a domain and its subdomains. The cost is $0.50 per month per hosted zone. A hosted zone has 4 name servers reserved.
- Public Hosted Zones: contain records that specify how to route traffic on the internet.
- Private Hosted Zones: contain records that specify how you route traffic within one or more VPCs.
- Health Checks: help to determine the health of underlying resources, to know if traffic can be routed to them.
- Simple Health Checks: monitor an endpoint.
- Calculated Health Checks: monitor other health checks.
- Health checks monitoring CloudWatch Alarms: e.g. throttles of DynamoDB, alarms on RDS, custom metrics etc.
- Routing Policies: define how Route 53 responds to DNS queries.
- Simple: route traffic to a single resource.
- Weighted: control the percentage of requests that go to each specific resource.
- Latency based: route to the resource that has the least latency, meaning the closest to the user.
- Failover: active-passive, route to the healthy record.
- Geolocation: based on the user's location, for example a specific continent or country.
- Geoproximity: route traffic based on the geographic location of users.
- IP-based: based on the client's IP addresses.
- Multi-Value Answer: route traffic to multiple resources.
Route 53 Application Recovery Controller
Application Recovery Controller is a service that continuously monitors an application’s ability to recover from failures.
A Cell is a collection of resources that operate independently.
A Recovery Group is a collection of cells to ensure high availability.
A Resource Set has resources that can span multiple cells.
IPv6
IPv4 can provide 4.3 billion unique IP addresses; this number will be exhausted very soon.
IPv6 can provide 3.4 x 10^38 unique IP addresses.
IPv6 addresses are by default public and internet routable.
Egress-only Internet Gateway
Egress-only Internet Gateway is similar to NAT Gateway but used only for IPv6.
It allows instances in your VPC to make outbound connections to the internet, while preventing the internet from initiating connections to your instances.