Networking

Regions, Availability Zones and Local Zones

Amazon cloud computing resources are hosted in multiple locations world-wide. These locations are composed of AWS Regions, Availability Zones, and Local Zones.
Each AWS Region is a separate geographic area.
Each AWS Region has multiple, isolated locations known as Availability Zones (AZ).
By using Local Zones, you can place resources, such as compute and storage, in multiple locations closer to your users.

Virtual Private Cloud

Virtual Private Cloud (VPC) is a secure and isolated network segment, used to segregate resources in an AWS account.
VPCs are specific to a region.
They act as a network boundary.
Every VPC is allocated a range of IPs called a CIDR block.

A default VPC is configured by AWS in every region.
Internet connectivity is enabled by default in a default VPC via the Internet Gateway.
Each default VPC uses a /16 CIDR block range of 172.31.0.0/16 = 65,536 addresses.

A default subnet is created in each Availability Zone (AZ) and is allocated a /20 CIDR block range = 4,096 addresses.

A default security group allows all outbound traffic, and inbound traffic only from resources that are members of the same group.

A default Network Access Control List (NACL) allows both outbound and inbound traffic.

Subnets

Subnets are a group of IP addresses within a VPC.
They are bound to an availability zone (AZ).
Subnets can be either public or private.

Internet traffic is not routed to a private subnet. A common architectural pattern is to place database instances in private subnets. When you place DB instances in a private subnet, you add a layer of security: the instances have no route to an Internet Gateway, so they cannot be reached from the internet even if their security group is misconfigured.

A subnet block size is between /16 and /28.
The first 4 IP addresses (network address, VPC router, Amazon DNS, reserved for future use) and the last IP address (network broadcast) of every subnet are reserved, so a subnet has 5 fewer usable addresses than its CIDR size.

There is an option to auto-assign public addresses to resources created in a subnet.

Routing

Every VPC has a VPC Router.
The router has a router interface in every subnet of the VPC.
The Router is allocated the (network IP Address + 1) as its address.
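As an added illustration (not part of the original notes), the following Python reproduces the subnet sizing and reserved-address rules above, including the router at network + 1 and the Amazon DNS address at base + 2, using only the standard library. The CIDRs in the __main__ block are the default-VPC values from the notes; the 10.0.0.0/16 layout used elsewhere is constructed.

```python
import ipaddress
from typing import Dict, List

# AWS allows IPv4 subnets between /16 and /28 and reserves five addresses per subnet.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def _checked_network(cidr: str) -> ipaddress.IPv4Network:
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: subnet must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """Return the five addresses AWS reserves in a subnet, keyed by their role."""
    net = _checked_network(subnet_cidr)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),                  # +0 network address
        "vpc_router": str(ipaddress.ip_address(base + 1)),    # +1 VPC router interface
        "dns_resolver": str(ipaddress.ip_address(base + 2)),  # +2 reserved for Amazon DNS
        "future_use": str(ipaddress.ip_address(base + 3)),    # +3 reserved by AWS
        "broadcast": str(net.broadcast_address),              # last: broadcast (not supported in a VPC)
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses that can actually be assigned to network interfaces in the subnet."""
    return _checked_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def vpc_dns_resolver(vpc_cidr: str) -> str:
    """The Amazon-provided resolver lives at the VPC CIDR base address plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(ipaddress.ip_address(int(net.network_address) + 2))


def subnets_fit(vpc_cidr: str, subnet_cidrs: List[str]) -> bool:
    """True if every subnet lies inside the VPC CIDR and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    if any(not n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Default VPC layout from the notes: 172.31.0.0/16 with /20 subnets.
    print(reserved_addresses("172.31.0.0/20"))
    print(usable_hosts("172.31.0.0/20"))      # 4096 - 5 = 4091
    print(vpc_dns_resolver("172.31.0.0/16"))  # 172.31.0.2
    # Constructed custom VPC: two non-overlapping /24 subnets inside 10.0.0.0/16.
    print(subnets_fit("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
```

subnets_fit is the check to run before creating subnets, since AWS rejects overlapping subnet CIDRs and a subnet outside the VPC range, and a /29 raises ValueError because it is smaller than the /28 minimum.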

The router's role is to route traffic between subnets and in/out of the VPC.

A route table controls the router.

Multiple subnets can use the same route table.
However, 1 subnet can have only 1 route table.

Internet Gateways

By default, subnets are private: their route table has no route to the public internet.

A route to an Internet Gateway is what makes a subnet public.

Internet Gateways have a 1:1 relationship with a VPC.

The following steps can be performed to make a subnet accessible over the public internet.

  1. Create an Internet Gateway

  2. Attach it to a VPC

  3. Create a custom route table

  4. Configure a default route to point to the Internet Gateway

  5. Point the subnet to this route table
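To show what steps 3-5 change, here is an added example (not from the original notes) that evaluates a route table the way the VPC router does, by longest-prefix match. The VPC CIDR and the igw-/nat-/pcx- identifiers are placeholders; the private route table is included to show the NAT Gateway and VPC peering routes discussed later on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR the route matches
    target: str       # "local", "igw-*", "nat-*", "pcx-*" (placeholder ids below)


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Pick the target the VPC router would use: the most specific (longest prefix) match."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for route in route_table:
        net = ipaddress.ip_network(route.destination, strict=True)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best.target if best else None  # None: no route, packet is dropped


def is_public_subnet(route_table: List[Route]) -> bool:
    """A subnet is public only when its route table sends traffic to an Internet Gateway."""
    return any(r.target.startswith("igw-") for r in route_table)


VPC_CIDR = "10.0.0.0/16"
# Before step 4: the main route table only has the local route, so nothing leaves the VPC.
MAIN_RT = [Route(VPC_CIDR, "local")]
# After steps 1-5: custom route table with a default route to the Internet Gateway.
PUBLIC_RT = MAIN_RT + [Route("0.0.0.0/0", "igw-0123456789abcdef0")]
# A private subnet sends its default route to a NAT Gateway instead, and a more
# specific route to a peered VPC wins over 0.0.0.0/0 because of its longer prefix.
PRIVATE_RT = MAIN_RT + [
    Route("0.0.0.0/0", "nat-0123456789abcdef0"),
    Route("10.1.0.0/16", "pcx-0123456789abcdef0"),
]

if __name__ == "__main__":
    for name, table in (("main", MAIN_RT), ("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(name, lookup(table, "93.184.216.34"), lookup(table, "10.1.4.2"),
              "public" if is_public_subnet(table) else "private")
```

The local route is always present and cannot be removed; everything else is what you add in steps 3 and 4, and step 5 is the subnet association that decides which of these tables applies.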

Internet Gateways are region resilient.

NAT Instances

NAT instances are deprecated and NAT Gateways should be used instead. However, this topic can still appear in the exam.

NAT = Network Address Translation

A NAT Instance allows EC2 instances in private subnets to connect to the internet.

The NAT instance must be launched in the public subnet.

Source/destination checking must be disabled in the instance's EC2 settings, because a NAT instance forwards packets that are not addressed to itself.

It must have an Elastic IP attached to it.

NAT instances can have their own security groups attached.

NAT Gateway

A NAT Gateway is an AWS managed NAT that lets resources in private subnets initiate outbound connections to the internet; connections initiated from the internet are not accepted.
NAT Gateways still need an Internet Gateway to have access to the Internet.
They provide high bandwidth, high availability and need no administration.

NAT Gateways are subnet and AZ specific (they are not region resilient).

A public NAT Gateway is deployed in a public subnet, because it relies on that subnet's route to the Internet Gateway.

The route table for private subnets should be configured with a route to the NAT gateway for internet traffic.

NAT Gateways start at 5 Gbps and scale automatically up to 100 Gbps; you pay per hour and per GB of data processed.

They cannot be used by EC2 instances in the same subnet: that subnet's default route must point to the Internet Gateway for the NAT Gateway itself to work, so instances in it are routed straight to the Internet Gateway.

To provide internet access to EC2 instances in multiple AZs without compromising application’s availability, a NAT Gateway should be deployed in each Availability Zone and the application’s internet traffic should be routed through these NAT Gateways.
Security Groups can be attached to NAT instances directly but not to NAT Gateways.
NAT instance can be used as a bastion server, NAT Gateway cannot.
NAT instance supports port forwarding whereas a NAT Gateway does not.

DNS in VPCs

Private DNS hostnames have the form ip-10-0-0-5.ec2.internal in us-east-1 and ip-10-0-0-5.<region>.compute.internal in other regions.

The Amazon-provided DNS resolver (Route 53 Resolver) is reachable at 169.254.169.253 and at the VPC CIDR base address plus two (e.g. 10.0.0.2 for a 10.0.0.0/16 VPC).

enableDnsHostnames determines whether instances with public IP addresses receive public DNS hostnames (it requires enableDnsSupport).
enableDnsSupport determines whether the VPC supports DNS resolution through the Amazon DNS server.

Elastic IP

An Elastic IP is a static public IPv4 address reserved for your account. It can be attached to an EC2 instance (or NAT Gateway) so that it keeps a constant public IP address across stops and starts.

NACLs

Network Access Control Lists (NACLs) are stateless firewalls.
They operate at the subnet level.
They are used to configure both inbound and outbound rules in order to filter traffic entering and leaving a subnet.

Every subnet has a NACL.

NACL does not handle traffic within a subnet.

NACL rules can either allow or deny traffic.

A default NACL is associated with all new subnets.

Ephemeral port

A random high-numbered port on the client side that receives the response to a request. Because NACLs are stateless, the outbound rules of a subnet must allow the ephemeral port range (for example 1024-65535) or return traffic to clients is dropped, and the inbound rules must allow it for responses to connections that resources in the subnet initiate.

Security Groups

Security Groups are stateful firewalls. If a request is permitted, the response is automatically permitted regardless of the rules in the other direction.
Security Groups act as a firewall for individual resources (they are attached to network interfaces).
Security Groups contain only allow rules: anything not explicitly allowed is denied, and there is no way to write a deny rule.
By default, Security Groups allow all outbound traffic and no inbound traffic.
Security Groups are specific to a VPC.
When several Security Groups are attached to a resource, their rules are merged (the union of all allow rules applies).

One Security Group can be attached to many instances. One instance can be attached to multiple security groups.
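The difference between the stateless NACL evaluation and the stateful Security Group evaluation described in the two sections above is easiest to see in code. This is an added example, not AWS code or code from the original notes; the rule sets, rule numbers and client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending order, first match wins
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str    # security group rules can only allow, so there is no action field
    cidr: str
    port_from: int
    port_to: int


def nacl_decision(rules: List[NaclRule], protocol: str, ip: str, port: int) -> str:
    """Stateless, ordered evaluation; the implicit '*' rule at the end denies."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=True):
            continue
        if rule.protocol != "-1" and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def sg_allows(groups: List[List[SgRule]], protocol: str, ip: str, port: int) -> bool:
    """Rules of every attached group are unioned; anything not allowed is dropped."""
    addr = ipaddress.ip_address(ip)
    for group in groups:
        for rule in group:
            if rule.protocol not in ("-1", protocol):
                continue
            if addr not in ipaddress.ip_network(rule.cidr, strict=True):
                continue
            if rule.protocol == "-1" or rule.port_from <= port <= rule.port_to:
                return True
    return False


def nacl_connection_ok(inbound: List[NaclRule], outbound: List[NaclRule],
                       client_ip: str, client_port: int, server_port: int) -> bool:
    """A client's TCP request and the server's reply must each pass their own direction."""
    request_ok = nacl_decision(inbound, "tcp", client_ip, server_port) == "allow"
    reply_ok = nacl_decision(outbound, "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok


def sg_connection_ok(groups: List[List[SgRule]], client_ip: str, server_port: int) -> bool:
    """Stateful: only the request is checked; the reply is matched by connection tracking."""
    return sg_allows(groups, "tcp", client_ip, server_port)


# Constructed rule sets for a web subnet (not from the notes above).
NACL_IN = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_BROKEN = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]  # ephemeral ports forgotten
NACL_OUT_FIXED = NACL_OUT_BROKEN + [NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
# A deny with a lower rule number is hit before the broad allow at 100.
NACL_IN_BLOCKLIST = [NaclRule(50, "tcp", "203.0.113.0/24", 0, 65535, "deny")] + NACL_IN
SG_WEB = [SgRule("tcp", "0.0.0.0/0", 443, 443)]

if __name__ == "__main__":
    print("NACL, no ephemeral rule:", nacl_connection_ok(NACL_IN, NACL_OUT_BROKEN, "198.51.100.7", 51234, 443))
    print("NACL, ephemeral rule:   ", nacl_connection_ok(NACL_IN, NACL_OUT_FIXED, "198.51.100.7", 51234, 443))
    print("SG, same request:       ", sg_connection_ok([SG_WEB], "198.51.100.7", 443))
```

The broken NACL lets the HTTPS request in but drops the reply because the client's ephemeral port is not allowed outbound, while the security group with the same single rule passes the connection. The blocklist NACL shows why rule numbering matters: swap 50 and 100 and the deny is never reached.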

Security Groups do not filter traffic for:

  • Amazon Domain Name Services (DNS)

  • Amazon Dynamic Host Configuration Protocol (DHCP)

  • Amazon EC2 instance metadata

  • Amazon ECS task metadata endpoints

  • License activation for Windows instances

  • Amazon Time Sync service

  • Reserved IP addresses used by the default VPC router

Elastic Load Balancers

Classic Load Balancers

Old generation of load balancers, deprecated. They cannot handle more than 1 SSL certificate.

Application Load Balancers

ALBs serve web based applications.
They handle HTTP/S and WebSocket protocols and operate at application layer 7.
ALBs can route based on URL path, host header, HTTP header, HTTP method, query string and source IP.
ALBs supports HTTP redirects and custom HTTP responses.
They can perform health checks.
HTTPS traffic is terminated on an ALB.

Network Load Balancers

NLBs are based on TCP/UDP and operate at transport layer 4.
With a TCP listener, the NLB forwards TLS connections as-is (no TLS termination, so the backend holds the certificate); a TLS listener can terminate TLS on the NLB instead.
Health checks use TCP, HTTP or HTTPS.

Routing using instance ID

traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance.

Routing using IP addresses

traffic can be routed to an instance using any private IP address from one or more network interfaces.

Cross-Zone Load Balancing

distributes traffic evenly across all registered targets in all enabled AZs, rather than evenly per AZ.

Public Load Balancers

a.k.a. internet-facing load balancers have a public IP address and a publicly resolvable DNS name.

Private Load Balancers

a.k.a. internal load balancers have only private IP addresses.

Listeners

A process that checks for connection requests on a configured protocol and port. Listeners have rules that forward requests to Target Groups.

Target Groups

Group of EC2, ECS, Lambda functions or other Load Balancers. Health checks can be performed per target in a Target Group

AWS Client VPN

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client (the tunnel is TLS, not IPsec).

The following components belong to Site to Site VPN (not Client VPN):

A Virtual Private Gateway is deployed on the AWS side.

A Customer Gateway represents the customer's VPN device on the on-premises side.

An IPsec tunnel is established over the public internet between the Virtual Private Gateway and the Customer Gateway.

Connection can be of two types:

  1. Static: routes to the on-premises networks are entered manually in the route table

  2. Dynamic: exchange routes dynamically using a routing protocol called the Border Gateway Protocol (BGP)

Client VPN is charged per endpoint association and per client connection on an hourly basis; Site to Site VPN is charged per VPN connection hour.
You are charged for data transfer out from Amazon EC2 to the internet.

1.25 Gbps is the maximum bandwidth per VPN tunnel
Maximum of 140,000 packets per second per tunnel
Maximum transmission unit (MTU) is 1,446 bytes

Direct Connect

Direct Connect is a dedicated physical connection from on-premises to AWS.

A Direct Connect Location (DX) is a rack in a colocation data center. In the DX location, both the customer and AWS have a router. Purchasing Direct Connect means purchasing a port on AWS's router, joined to the customer router by a cross-connect.

Over a public virtual interface (VIF), the connection reaches public AWS services (e.g. S3) directly.
Over a private VIF, the connection reaches a VPC through a Virtual Private Gateway (or a Direct Connect gateway).

The connection between the AWS Router in DX to AWS is over the AWS backbone (not internet).

Dedicated: 1 Gbps, 10 Gbps and 100 Gbps ports
Hosted (through an APN partner): 50 Mbps up to 10 Gbps
Charged per port hour and outbound data transfer

The main pricing parameter while using the AWS Direct Connect connection is the Data Transfer Out (DTO) from AWS to the on-premises data center.

ETA to set up a Direct Connect connection is 1 month.

See Encryption in AWS Direct Connect
AWS Direct Connect does not encrypt your traffic that is in transit by default. To encrypt the data in transit that traverses AWS Direct Connect, you must use the transit encryption options for that service.
With AWS Direct Connect and AWS Site-to-Site VPN, you can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.

Direct Connect can have High Resiliency by having multiple AWS Direct Connect Locations.

Maximum resilience can be achieved by separate connections terminating on separate devices in more than one location

If the Direct Connect primary connection fails, a Site to Site VPN connection can be used as a backup over the public internet.

VPC Peering

By default, resources in one VPC cannot talk to resources in another VPC. To enable this connection we need VPC Peering.

The constraint to enable VPC peering is that the VPCs cannot have overlapping CIDRs.

VPC Peering can be cross region or even cross account.

Setting up VPC Peering is at no additional cost.

Data transfer within an AZ is free, whereas data transfer across AZs is charged.

A peering request has to be sent and accepted.

Route tables need to be updated.

Transitive VPC peering is not possible. This should be noted as it is a common exam question.

Security groups in one VPC can reference security groups in a peered VPC as a rule source, as long as both VPCs are in the same region.

VPC Endpoint

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink (not over the internet).

AWS PrivateLink uses Network Load Balancers to connect interface endpoints to services.

VPC Endpoints remove the need for an Internet Gateway or a NAT Gateway to access AWS services

Interface endpoints

Interface endpoints enable connectivity to services over AWS PrivateLink. They provision an ENI (private IP address) as an entry point. They must attach security groups. They are charged per hour and per GB of data processed

Gateway endpoints

A gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix list.
It is used for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3).
Gateway endpoints do not enable AWS PrivateLink.
Gateway endpoints are at no additional cost.
They do not use security groups.

For S3 and DynamoDB, the Gateway endpoint should be chosen as the preferred option in the exam. An Interface endpoint will be chosen only if the access is needed from on-premises, a different VPC or a different region.

VPC Flow Logs

VPC Flow Logs capture metadata (addresses, ports, protocol, packet and byte counts, accept/reject) about IP traffic going to and from network interfaces; they do not capture packet payloads.

Flow logs can be captured at the VPC, Subnet or Elastic Network Interface (ENI) level.

The main use of VPC Flow Logs is to help monitor and troubleshoot connectivity issues.

Flow Logs can be saved to S3, CloudWatch Logs or Kinesis Data Firehose.

They can capture network information from AWS managed interfaces like ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT Gateway, Transit Gateway etc.

VPC Flow Logs can be analyzed using Athena on S3 through SQL queries and visualized using Amazon QuickSight. Another option is to view them through CloudWatch Logs by using CloudWatch Contributor Insights or CloudWatch Alarms.
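As an added example (not from the original notes), the following parser handles default-format (version 2) flow log records and runs two simple detections over constructed sample lines: sources whose REJECTed flows probe several destination ports, and accepted bytes per interface. The account ID, ENI ID, addresses and timestamps are made up, and the NODATA line shows why the parser must not assume numeric fields.

```python
from typing import Dict, List

# Field order of the default (version 2) flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one source probing four ports (all rejected), one normal HTTPS
# client, one stray rejected connection, and an interval with no traffic.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41022 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41023 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41024 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41025 1433 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.25 53211 443 6 12 9600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.25 53212 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one default-format record; numeric fields are converted only for OK records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the traffic fields, so leave them as strings.
    if rec["log_status"] == "OK":
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
    return rec


def parse_flow_log(text: str) -> List[dict]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_port_probes(records: List[dict], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose REJECTed flows touched at least `min_ports` distinct destination ports."""
    ports_by_src: Dict[str, set] = {}
    for rec in records:
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        ports_by_src.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def accepted_bytes_by_interface(records: List[dict]) -> Dict[str, int]:
    """Bytes of ACCEPTed traffic per ENI, the basis for an egress-volume alarm."""
    totals: Dict[str, int] = {}
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "ACCEPT":
            totals[rec["interface_id"]] = totals.get(rec["interface_id"], 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_FLOW_LOG)
    print("port probes:", rejected_port_probes(records))
    print("accepted bytes:", accepted_bytes_by_interface(records))
```

A REJECT in a flow log means a security group or NACL dropped the flow, so the probe detection here is the same logic a CloudWatch Logs Insights or Athena query would express over the stored records; the one-port reject from 203.0.113.5 stays below the threshold and is not reported.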

Site to Site VPN

Site to Site VPN provides the same kind of private connectivity as Direct Connect, but the IPsec tunnels between the Customer Gateway and the Virtual Private Gateway run over the public internet.

AWS VPN CloudHub

If you have multiple AWS Site-to-Site VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. This enables your remote sites to communicate with each other, and not just with the VPC. Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub.

Transit Gateway

As the number of VPCs increases, establishing connectivity between them with peering becomes complex.
The Transit Gateway provides transitive routing between thousands of VPCs and on-premises environments. It works on a hub-and-spoke (star) model: each VPC is attached to the Transit Gateway, and then all attached VPCs can reach each other, subject to the Transit Gateway route tables.

One subnet from each AZ is used by the transit gateway to route traffic.

This is great for on-premise environments to connect to AWS. In case of a Direct Connect connection, a connection with the Transit Gateway can be established so on-premise environments have connectivity to all VPCs. Similarly, if a Site to Site VPN connection is used, a VPN connection can be set between the Customer Gateway and the Transit Gateway giving the customer the access to all VPCs.

A Transit Gateway can be shared with other accounts using Resource Access Manager, and Transit Gateways can peer with other Transit Gateways, including those in other accounts and regions.

All communication is governed through route tables.

Transit Gateway is the only service that supports IP Multicast. This can be an exam question.

Transit Gateways can be used to increase bandwidth of Site to Site connection using ECMP (Equal-cost multi-path routing).

VPN to virtual private gateway

1 to 1 connection with a maximum throughput of 1.25 Gbps
Maximum of 2 tunnels

VPN to transit gateway

1 to many VPC connection with 2.5 Gbps, 5 Gbps, 7.5 Gbps using ECMP
It is a costly option.

Transit Gateway can help to share Direct Connect connections between multiple accounts

VPC Traffic Mirroring

VPC Traffic Mirroring allows you to capture and inspect network traffic in your VPC. Mirrored packets from a source ENI are VXLAN-encapsulated and sent to a target you manage: an ENI, a Network Load Balancer with a UDP listener, or a Gateway Load Balancer endpoint, typically fronting security appliances.

AWS PrivateLink lets resources in a VPC reach AWS services (e.g. S3 through an interface endpoint) and third-party or shared services privately, as if those services were in the same VPC.

Amazon CloudFront

Edge locations are small sites hosted all over the world. Amazon has a total of 216 points of presence.

CloudFront is a Content Delivery Network (CDN). It speeds up delivery of static and dynamic content.

Origin

Origin is the source location for the content cached by CloudFront (e.g. S3).
CloudFront takes files from Origin and caches it on Edge locations.
Any HTTP backend can be used as an Origin.

Origin Access Control (OAC)

restricts access to an S3 origin so that objects can be fetched only through CloudFront, not directly from the bucket (it replaces the older Origin Access Identity).

CloudFront can be used as an ingress layer in front of the origin, so that the origin is not exposed directly.

Geo Restriction is restricting access based on countries.

Distribution

is a configuration that defines the location of the file or object to cache. CloudFront creates a domain name for the file or object.

Cached content is kept at the edge for a TTL (default 24 hours).

Expiry can be defined per file or object.

Cache invalidation can invalidate content in the edge location at a distribution level.

TLS is enabled by default with the *.cloudfront.net certificate. A custom certificate for your own domain can be provisioned in ACM (in us-east-1).

CloudFront publishes metrics to CloudWatch and can enable extra metrics as well.

CloudFront works very well for static websites, video on demand and streaming services.

Using a CloudFront distribution in front of the Application Load Balancer can make an application more resilient to periodic spikes in request rates.

CloudFront Functions and Lambda@Edge

CloudFront Functions and Lambda@Edge enable us to run lightweight functions at edge locations.

CloudFront functions can run when:

  1. CF receives a request from a viewer

  2. Before CF returns the response to the viewer

Lambda@Edge can run when:

  1. CF receives request

  2. Before CF forwards request to the origin

  3. When CF receives response from the origin

  4. Before CF returns the response to the viewer

CF Functions use-cases:

  • Cache key normalization

  • Header manipulation

  • URL redirects or rewrites

  • Request authorization

Lambda@Edge use-cases:

  • Used for long-running functions

  • Functions that need configurable CPU and memory

  • Functions having dependencies on third party libraries

  • Network dependent functions

  • Functions that need file system access or make outbound HTTP requests

Global Accelerator

The Global Accelerator service has access to all the edge location of AWS. Global accelerator facilitates connections to go through the AWS backbone.

Global Accelerator is used for routing users to edge locations, so they can immediately get on to the AWS network and optimize the time taken to reach the applications.

It provides two static anycast IP addresses that act as a fixed entry point to your application endpoints in single or multiple AWS Regions, such as your Application Load Balancers, Network Load Balancers, Elastic IP addresses or Amazon EC2 instances.

AWS Global Accelerator uses endpoint weights to determine the proportion of traffic that is directed to endpoints in an endpoint group, and traffic dials to control the percentage of traffic that is directed to an endpoint group (an AWS region where your application is deployed).

Global Accelerator is a great option for blue/green deployments as you can shift traffic gradually or all at once between the blue and the green environment and vice-versa without being subject to DNS caching on client devices or internet resolvers. Traffic dial and endpoint weight changes take effect within seconds.
Global Accelerator is used to provide a low latency way to distribute live sports results.

Route 53

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. Route 53 connects user requests to internet applications running on AWS or on-premises.

It is a Global Service.

It is an Authoritative DNS, which means the customer can update the DNS records.

Route 53 can be used to purchase domain names.

Records

Records define how you want to route traffic for a domain.

Record Types

The following are the important record types in Route 53.

A

maps a hostname to IPv4

AAAA

maps a hostname to IPv6

CNAME

maps a hostname to another hostname.
The target is an A or AAAA record.
Cannot be created for the top level nodes of a DNS namespace (Zone Apex).

Alias

maps a hostname to an AWS Resource

NS

Name servers for the Hosted Zone

Hosted Zones

A Hosted Zone is a container for records that define how to route traffic to a domain and its subdomain.
The cost is $0.50 per month per hosted zone.
Each hosted zone is assigned 4 name servers.

Public Hosted Zones

contain records that specify how to route traffic on the internet.

Private Hosted Zones

contain records that specify how you route traffic within one or more VPCs.

Health Checks

help to determine the health of underlying resources to know if traffic can be routed to them

Simple Health Checks

monitor an endpoint

Calculated Health Checks

monitor other health checks

Health checks monitoring CloudWatch Alarms

e.g. throttles of DynamoDB, alarms on RDS, custom metrics etc.

Routing Policies

define how Route53 responds to DNS queries

Simple

route traffic to a single resource

Weighted

control the percentage of requests that go to each specific resource

Latency based

route to the region with the lowest measured latency for the user, which is usually but not always the geographically closest one.

Failover

active-passive, route to the healthy record

Geolocation

based on user’s location, example a specific continent or country.

Geoproximity

route traffic based on the geographic location of users and resources, with an optional bias value to shift more or less traffic to a resource

IP-based

based on client’s IP addresses

Multi-Value Answer

routing traffic to multiple resources

Route 53 Application Recovery Controller

Application Recovery Controller is a service that continuously monitors an application’s ability to recover from failures.

A Cell is collection of resources that operate independently.
Recovery group is a collection of cells to ensure high availability.
Resource Set has resources that can span multiple cells.

IPv6

IPv4 provides about 4.3 billion unique addresses, and the free pool has effectively been exhausted.
IPv6 provides about 3.4 x 10^38 unique addresses.
IPv6 addresses are by default public and internet routable.

Egress-only Internet Gateway

Egress-only Internet Gateway is similar to NAT Gateway but used only for IPv6.
It allows instances in your VPC to have outbound connections to the internet, at the same time preventing internet to initiate connection to your instances.

Networking Cost

As far as possible, it is advised to use private IPs for networking to reduce costs.
Communication across AZs is charged.

AWS Network Firewall

Protects your entire VPC with stateless and stateful rules from layer 3 to layer 7.