Networking - Coggle Diagram
Networking
Direct Connect (DX)
Features: (image)
- Provides a dedicated private connection from a remote network to my VPC
- A dedicated connection must be set up between my DC and an AWS Direct Connect location
- Need to set up a Virtual Private Gateway on my VPC
- Can access public resources (e.g. S3) and private resources (e.g. EC2) over the same connection
- Use Cases:
- Increase bandwidth throughput - working with large datasets - lower cost
- More consistent network experience - applications using real-time data feeds
- Hybrid environment (On-premise + Cloud)
- Supports both IPv4 and IPv6
- Direct Connect Gateway: set up Direct Connect to 1 or more VPCs in different Regions (same account) (image)
2 Connection Types
Dedicated Connections:
- 1 Gbps and 10 Gbps capacity
- Physical ethernet port dedicated to a customer
- Request made to AWS first then completed by AWS Direct Connect Partners
Hosted Connections:
- 50 Mbps, 500 Mbps, up to 10 Gbps
- Connection requests are made via AWS Direct Connect Partners
- Capacity can be added or removed on demand
- 1, 2, 5, 10 Gbps available at selected AWS Direct Connect Partners
Direct Connect Resiliency:
- High resiliency: connections in multiple locations (image)
- Maximum resiliency: multiple connections in multiple locations (image)
Reduce Networking Costs
Networking Costs in AWS per GB:
- Use Private IP instead of Public IP for good savings and better network performance (image)
- Use same AZ for max savings (at the cost of HA)
Minimizing Egress Traffic Network Cost: (image)
- Egress traffic: outbound traffic (from AWS to outside)
- Ingress traffic: inbound traffic (from outside to AWS - typically free)
- Try to keep as much internet traffic within AWS to minimize costs
- Direct Connect locations that are co-located in the same AWS Region result in lower egress network cost
S3 Data Transfer Pricing Analysis: (image)
- S3 ingress: Free
- S3 to Internet: $0.09 per GB
- S3 Transfer Acceleration:
- Faster transfer times (50 to 500% better)
- Additional cost on top of Data Transfer Pricing: + $0.04 to $0.08 per GB
- S3 to CloudFront: $0.00 per GB
- CloudFront to Internet: $0.085 per GB (slightly cheaper than S3)
- Caching capability (Lower latency)
- Reduce costs associated with S3 Requests Pricing (7x cheaper with CloudFront)
- S3 Cross Region Replication: $0.02 per GB
VPC
Default VPC:
- All new accounts have a default VPC
- New instances are launched into the default VPC if no subnet is specified
- The default VPC has internet connectivity and all instances get a Public IP
- Instances get a Public and a Private DNS name
VPC (Create my own) Features:
- Virtual Private Cloud
- Can have multiple VPCs in a Region (max 5 per Region)
- Max 5 CIDR per VPC
- For each CIDR:
- Min block size is /28 = 16 IP Addresses
- Max block size is /16 = 65536 IP Addresses
- VPC Private IP ranges are:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
- VPC CIDR should not overlap with my other networks (eg. corporate)
Subnet - IPv4:
- AWS reserves 5 IP addresses (the first 4 and the last 1) in each Subnet
- These 5 IPs are not available for use and cannot be assigned to an instance
- For example, if CIDR block 10.0.0.0/24, reserved IP are:
- 10.0.0.0: Network address
- 10.0.0.1: Reserved by AWS for the VPC router
- 10.0.0.2: Reserved by AWS for mapping to Amazon-provided DNS
- 10.0.0.3: Reserved by AWS for future use
- 10.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC, therefore the address is reserved
- Exam Question:
- You cannot choose a Subnet of size /27 if you need 29 IP addresses for EC2 instances
- /27 = 2^(32-27) - 5 = 32 - 5 = 27 usable addresses
- /26 = 2^(32-26) - 5 = 64 - 5 = 59 usable addresses
Transit Gateway
Features: (image)
- For having transitive peering between 1000s of VPC and On-premises, hub-and-spoke (star) connection
- Regional resource, can work cross-region
- Share cross-accounts using Resource Access Manager (RAM)
- Can peer Transit Gateways across regions
- Route Tables: limit which VPC can talk with other VPC
- Works with Direct Connect Gateway, VPN connections
- Supports IP Multicast (not supported by any other AWS service)
Transit Gateway: Site-to-Site VPN ECMP (image)
- Equal-cost multi-path routing
- Routing strategy that allows a packet to be forwarded over multiple best paths
- Use case: create multiple Site-to-Site VPN connections to increase the bandwidth of my connection to AWS
- Transit Gateway throughput with ECMP (image)
CIDR
Features:
- Classless Inter-Domain Routing
- IPv4
- Used for Security Group rules, or AWS networking in general
- Helps to define IP address range
- Has 2 components:
- Base IP (XX.XX.XX.XX)
- Subnet Mask (/26)
- Base IP: IP contained in the range
- Subnet Masks: how many bits can change in the IP
- Subnet Masks example: (image)
- /32 allows for 1 IP = 2^(32-32) = 2^0 = 1
- https://www.ipaddressguide.com/cidr
Private vs Public IP (IPv4) allowed ranges:
- IANA established certain blocks of IPv4 addresses for the use of private (LAN) and public (Internet) addresses
- Private IPs can only take certain values:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8) for big networks
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) for default AWS
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16) for home networks
- All other IP addresses on the internet are Public IPs
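A worked check for the subnet-sizing exam question and the VPC/CIDR rules in the notes above (reserved addresses, /16 to /28 limits, RFC 1918 ranges, no overlap), written here as an added example in Python with the standard library's ipaddress module; it is not part of the original notes, and the function names are my own:

```python
import ipaddress

RESERVED_PER_SUBNET = 5  # network, VPC router, Amazon DNS, future use, broadcast
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reserved_addresses(cidr):
    """The 5 addresses AWS reserves in an IPv4 subnet: the first 4 and the last."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address
    return {"network": str(first), "vpc_router": str(first + 1),
            "dns": str(first + 2), "future_use": str(first + 3),
            "broadcast": str(net.broadcast_address)}

def usable_addresses(cidr):
    """Addresses an EC2 instance can actually take in this subnet."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_PER_SUBNET

def smallest_prefix_for(needed):
    """Longest prefix (smallest subnet) that still leaves `needed` usable addresses."""
    for prefix in range(28, 15, -1):  # AWS allows /28 (smallest) up to /16 (largest)
        if 2 ** (32 - prefix) - RESERVED_PER_SUBNET >= needed:
            return prefix
    raise ValueError("more addresses than a /16 can provide")

def check_vpc_cidr(cidr, existing=()):
    """Problems with a candidate VPC CIDR: size limits, RFC 1918 range, and overlap
    with other networks (peered VPCs, corporate ranges) the caller passes in."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append("block size must be between /16 and /28")
    if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
        problems.append("not in an RFC 1918 private range")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps {other}")
    return problems

if __name__ == "__main__":
    print(usable_addresses("10.0.0.0/27"), smallest_prefix_for(29))  # 27 26
    print(reserved_addresses("10.0.0.0/24"))
    print(check_vpc_cidr("10.1.0.0/16", existing=["10.0.0.0/8"]))
```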
IPv6 for VPC
Features:
- IPv4 cannot be disabled for VPC and Subnets
- Can enable IPv6 to operate in dual-stack mode
- EC2 instances would get at least:
- a Private internal IPv4
- a Public IPv6
For exam (Why can't I launch an instance in my Subnet?):
- Not because instance cannot acquire an IPv6 (the space is very large)
- Because there are no available IPv4 in my Subnet
- Solution: create new IPv4 CIDR in my Subnet
Internet Gateways
Features:
- Helps VPC instances connect to the internet
- Scales horizontally and is HA and redundant
- Must be created separately from VPC
- 1 VPC can only be attached to 1 Internet Gateway and vice versa
- Is also a NAT for the instances that have a Public IPv4
- Internet Gateways do not allow internet access on their own
- Route tables must also be edited
NAT Instances (outdated)
Features: (image)
- Network Address Translation
- Allows instances in Private Subnets to connect to the internet
- Must be launched in a Public Subnet
- Must disable EC2 flag: Source/ Destination Check
- Must have Elastic IP attached to it
- Route table must be configured to route traffic from Private Subnets to NAT Instance
- Amazon Linux AMI pre-configured are available
- Cons:
- Not HA/ resilient setup out of the box (need to create ASG in Multi-AZs + resilient user-data script)
- Internet traffic bandwidth depends on EC2 instance performance
- Must manage Security Groups and rules:
- Inbound:
- Allow HTTP/ HTTPS traffic coming from Private Subnets
- Allow SSH from my home network (access is provided through Internet Gateway)
- Outbound:
- Allow HTTP/ HTTPS traffic to the internet
- Is outdated
NAT Gateway
Features: (image)
- AWS managed NAT, higher bandwidth, better availability, no admin
- Pay by hour for usage and bandwidth
- NAT is created in a specific AZ, uses an Elastic IP
- Cannot be used by an instance in that subnet (only from other subnets)
- Requires an Internet Gateway (Private Subnet -> NAT Gateway -> Internet Gateway)
- 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
- No Security Group to manage/ required
- To achieve NAT Gateway with HA
- NAT Gateway is resilient within a single AZ
- Must create multiple NAT Gateway in Multi-AZs for fault-tolerance
- No cross AZ failover needed (image)
DNS Resolution
Features:
- enableDnsSupport:
- = DNS Resolution setting
- Default True
- Decide if DNS resolution is supported for the VPC
- Queries the AWS DNS server at 169.254.169.253 if True
- enableDnsHostname:
- = DNS Hostname setting
- Default False for newly created VPC
- Default True for Default VPC
- Won't do anything unless enableDnsSupport=True
- If True, assign Public Hostname to EC2 instance if it has a Public IP
- If I use custom DNS domain names in a private zone in Route 53, I must set both to True
VPC Peering
Features: (image)
- Connect 2 VPCs privately using the AWS network
- Makes them behave as if they are in the same network
- Must not have overlapping CIDRs
- VPC Peering connection is not transitive (must be established for each pair of VPCs that need to communicate with one another)
- VPC A peered with VPC B and VPC B peered with VPC C does not mean VPC A can talk to VPC C (image)
- Can do VPC peering with another AWS account
- Must update Route tables in each VPC Subnets to ensure instances can communicate
- Can work inter-Region, cross-account
- Can reference a Security Group of a peered VPC (works for cross account) (image)
VPC Endpoints
Features: (image)
- Allows me to connect to AWS Services using a private network instead of the public network
- Scale horizontally and are redundant
- Removes the need for an Internet Gateway, NAT, etc. to access AWS Services
- Interface: provisions an Elastic Network Interface ENI (private IP address) as an entry point (must attach Security Group) - most AWS Services
- Gateway: provisions as a target and must be used in a Route Tables - S3 and DynamoDB
- Check DNS Setting Resolution in VPC and Route Tables in case of issues
Flow Logs
Features:
- Capture information about IP traffic going into my interfaces:
- VPC Flow Logs
- Subnet Flow Logs
- ENI Flow Logs
- Monitor and troubleshoot connectivity issues
- Flow Logs data can go to S3/ CloudWatch Logs
- Captures network information from AWS managed interfaces: ELB, RDS, ElastiCache, Redshift, WorkSpaces
- Can be used for analytics on usage patterns or malicious behavior
- Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights
- Flow Log syntax:
- <version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
- <srcaddr> <dstaddr>: help to identify problematic IPs
- <srcport> <dstport>: help to identify problematic ports
- <action>: success or failure of the request due to Security Group/ Network ACL
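As an added example (not from the original notes), a small Python parser for the default flow-log record format listed above that skips NODATA/SKIPDATA records and reports sources whose traffic was REJECTed on many distinct destination ports, which is the kind of "malicious behavior" query the notes mention; the log lines are constructed sample records, not real traffic, and the account ID, ENI ID and threshold are placeholders:

```python
from collections import defaultdict

# Field order of the default VPC Flow Logs record format (version 2).
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")

# Constructed sample records (documentation IP ranges, placeholder IDs).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44000 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA
"""

def parse_flow_log(text):
    """Parse default-format records into dicts; drop malformed and no-traffic lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA carry '-' in the traffic fields
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def rejected_ports_by_source(records):
    """Map each source IP to the set of destination ports it was REJECTed on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return ports

def suspicious_sources(records, min_ports=3):
    """Sources rejected on at least `min_ports` distinct ports: a coarse probe signal
    worth checking against the Security Group / NACL that produced the REJECTs."""
    return sorted(src for src, p in rejected_ports_by_source(records).items()
                  if len(p) >= min_ports)

if __name__ == "__main__":
    print(suspicious_sources(parse_flow_log(SAMPLE_LOG)))
```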
Bastion Hosts
Features: (image)
- Can use Bastion Host to SSH into my private instances
- Bastion is in the Public Subnet which is then connected to all other Private Subnets
- Bastion Host Security Group must be tightened
- Make sure the Bastion Host only has port 22 traffic from the IP I need, not from Security Groups of my other instances
- Bastion Hosts High Availability with NLB (image)
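An added example (not part of the notes) of checking the bastion rule above: inbound must be TCP/22 only, only from the admin CIDRs I choose, and never from the Security Groups of my other instances. It is Python over a security group in the shape returned by `aws ec2 describe-security-groups`; the sample groups, IDs and CIDRs are constructed placeholders:

```python
import ipaddress

def _label(perm):
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"

def _is_ssh_only(perm):
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 22 and perm.get("ToPort") == 22)

def _in_allowed(cidr, allowed):
    return any(cidr.version == a.version and cidr.subnet_of(a) for a in allowed)

def bastion_sg_findings(sg, admin_cidrs):
    """Findings for a bastion security group: every inbound rule must be TCP/22,
    sourced only from `admin_cidrs`, and never from another security group."""
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        label = _label(perm)
        if not _is_ssh_only(perm):
            findings.append(f"rule allows more than SSH: {label}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = ipaddress.ip_network(rng.get("CidrIp") or rng["CidrIpv6"])
            if not _in_allowed(cidr, allowed):
                findings.append(f"{label} open to {cidr}, which is not an admin CIDR")
        for pair in perm.get("UserIdGroupPairs", []):  # SG-to-SG source: forbidden here
            findings.append(f"{label} open to security group {pair['GroupId']}")
    return findings

# Constructed sample groups; IDs and CIDRs are placeholders, not real resources.
TIGHT_SG = {"GroupId": "sg-bastion-ok", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}

WEAK_SG = {"GroupId": "sg-bastion-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-app-servers"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for f in bastion_sg_findings(WEAK_SG, ["198.51.100.0/24"]):
        print(f)
```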
Site to Site VPN
Features: (image)
- Virtual Private Gateway:
- Is a VPN concentrator on the AWS side of the VPN connection
- Virtual Private Gateway is created and attached to the VPC from which I want to create the Site 2 Site VPN connection
- Possibility to customize the Autonomous System Number (ASN)
- Customer Gateway:
- Software application or physical device on customer side of the VPN connection
- Use static, internet-routable IP address for my Customer Gateway device
- If the Customer Gateway is behind NAT (with NAT-T), use the Public IP address of the NAT device
- Tunnel
AWS Private Link: (image)
- Most secure and scalable way to expose an application service to 1000s of VPCs (own or other accounts)
- Requires only an NLB (in the Service VPC) and an ENI (in the Customer VPC)
- If the NLB and ENI are in Multi-AZs, the solution is fault tolerant
- AWS Private Link and ECS with NLB (image)
EC2-Classic and AWS ClassicLink: (deprecated)
- EC2-Classic: instances run in a single network shared with other customers
- Amazon VPC: my instances run logically isolated to my AWS account
- AWS ClassicLink:
- Link EC2-Classic instances to a VPC in my account
- Must associate with a Security Group
- Enables communication using private IPv4 addresses
- Removes the need to make use of public IPv4 addresses or Elastic IP addresses
AWS VPN CloudHub: (image)
- Provide secure communication between sites, if I have multiple VPN connections
- Low cost hub-and-spoke model for primary or secondary network connectivity between locations
- A VPN connection goes over the public internet
VPC Recap:
- VPC Diagram (image)
- VPC section summary 1 to 3 (image)
Blocking an IP Address in AWS:
- Using Network ACL + Host firewall in EC2 (image)
- with an ALB using Network ACL (image)
- with a NLB using Network ACL, Passthrough, no Security Group (image)
- with an ALB + WAF (image)
- with ALB + CloudFront Geo Restriction + WAF (image)