Module 5:AWS Cloud Networking and Content delivery
Networking basics
Classless Inter-Domain routing (CIDR)
192.0.2.0/24
The number after the / shows how many bits of the routing prefix are fixed (allocated to the network identifier)
CIDR is a way to express a group of IP addresses that are consecutive to each other.
There are two special cases:
a single IP address (for example, 192.0.2.0/32).
The internet, in which every bit is flexible, is represented as 0.0.0.0/0
For 192.0.2.0/24, the IP addresses available for the network range from 192.0.2.0 to 192.0.2.255
The Open Systems Interconnection (OSI) model is a conceptual model that is used to explain how data travels over a network.
Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC
is a service that lets you provision a logically isolated section of the AWS Cloud (called a virtual private cloud, or VPC) where you can launch your AWS resources.
VPC gives you control over your virtual networking resources,
the selection of your own IP address range
the creation of subnets
the configuration of route tables and network gateways
you can create a public subnet for your web servers that can access the public internet
You can place your backend systems (such as databases or application servers) in a private subnet with no public internet access.
You can use multiple layers of security, including
security groups and network access control lists
(network ACLs), to help control access to Amazon Elastic Compute Cloud (Amazon EC2) instances in each subnet.
VPC and subnets
A VPC is a virtual network that is logically isolated from other virtual networks in the AWS Cloud
A VPC is dedicated to your account
VPCs belong to a single AWS Region and can span multiple Availability Zones
After you create a VPC, you can divide it into one or more subnets
A Subnet is a range of IP addresses in a VPC. Subnets belong to a single Availability Zone.
Subnets are generally classified as public or private.
Public subnets have direct access to the internet, but private subnets do not.
IP addressing
When you create a VPC, you assign an IPv4 CIDR block (a range of private IPv4 addresses) to it
After you create a VPC, you cannot change the address range
A CIDR block might be as large as /16 (which is 65,536 addresses) or as small as /28 (which is 16 addresses).
The CIDR block of a subnet can be the same as the CIDR block for a VPC (a single subnet in the VPC)
If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap. You cannot have duplicate IP addresses in the same VPC.
The CIDR block of a subnet can be a subset of the CIDR block for the VPC
AWS reserves five IP addresses within that block, and these addresses are not available for use. AWS reserves these IP addresses for:
Network address
10.0.0.0 (for example)
VPC local router (internal communications)
10.0.0.1
Domain Name System (DNS) resolution
10.0.0.2
Future use
10.0.0.3
Network broadcast address
10.0.0.255
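As an added example (not part of the original notes), the CIDR arithmetic above and the VPC/subnet rules (block size between /16 and /28, subnets inside the VPC block, no overlap, five reserved addresses) expressed with Python's standard ipaddress module; the VPC and subnet values are constructed samples.

```python
# Added example (not from the notes): CIDR arithmetic for VPC and subnet planning.
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def cidr_summary(cidr):
    """Return (first address, last address, total addresses) for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def usable_hosts(cidr):
    """Addresses an instance can actually use in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_addresses(cidr):
    """The five addresses AWS keeps in every subnet, in the order the notes list them."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net.broadcast_address),
    }


def validate_vpc_layout(vpc_cidr, subnet_cidrs):
    """Check a VPC CIDR and its subnets against the rules in the notes.

    Returns a list of problems; an empty list means the layout is valid.
    A single subnet may equal the whole VPC block.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC block {vpc} must be between /16 and /28")
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for sn in subnets:
        if not sn.subnet_of(vpc):
            problems.append(f"subnet {sn} is not inside VPC block {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems
```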
Public IP address types
public IP address
When you create a VPC, every instance in that VPC gets a private IP address automatically
You can also request a public IP address to be assigned when you create the instance by modifying the subnet’s auto-assign public IP address properties
An Elastic IP address
An Elastic IP address is a static and public IPv4 address that is designed for dynamic cloud computing
With an Elastic IP address, you can mask the failure of an instance by rapidly remapping the address to another instance in your VPC.
You can move all of the attributes of the network interface from one instance to another in a single step.
Additional costs might apply when you use Elastic IP addresses
Elastic Network Interface
is a virtual network interface that you can attach or detach from an instance in a VPC.
The interface's attributes follow it when it is reattached to another instance
Each instance in your VPC has a default network interface
You can create and attach an additional network interface to any instance in your VPC
Route Tables and routes
A route table contains a set of rules (called routes) that direct network traffic from your subnet.
The destination is the destination CIDR block where you want traffic from your subnet to go
The target is the target that the destination traffic is sent through
By default, every route table that you create contains a local route for communication in the VPC
A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table
Each route specifies a destination and a target.
VPC Networking
internet gateway
VPC component that allows communication between instances in your VPC and the internet.
provides a target in your VPC route tables for internet-routable traffic
performs network address translation for instances that were assigned public IPv4 addresses
To make a subnet public, you attach an internet gateway to your VPC and add a route to the route table to send non-local traffic through the internet gateway to the internet (0.0.0.0/0).
NAT Gateway (Network Address Translation)
A NAT gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances
To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside
You must also specify an Elastic IP address to associate with the NAT gateway when you create it.
You must update the route table that is associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway
You can also use a NAT instance in a public subnet in your VPC instead of a NAT gateway
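An added example (not from the notes) of how the route tables above steer traffic: the most specific matching route wins, a public subnet is one whose table sends 0.0.0.0/0 to an internet gateway, and a private subnet reaches the internet only through a NAT gateway that itself sits in a public subnet. The VPC layout and resource IDs are constructed placeholders.

```python
# Added example (not from the notes): route selection in a VPC with a public and a private subnet.
import ipaddress

# Constructed sample VPC (10.0.0.0/16); IDs are placeholders, not real AWS resources.
ROUTE_TABLES = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}
SUBNET_TO_RTB = {"subnet-web": "rtb-public", "subnet-db": "rtb-private"}
NAT_GATEWAY_SUBNET = {"nat-PLACEHOLDER": "subnet-web"}  # the NAT gateway lives in the public subnet


def lookup_target(route_table, dest_ip):
    """Return the target of the most specific (longest prefix) route matching dest_ip,
    or None when no route matches (the packet is dropped)."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for dest_cidr, target in route_table:
        net = ipaddress.ip_network(dest_cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def subnet_is_public(subnet_id):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    table = ROUTE_TABLES[SUBNET_TO_RTB[subnet_id]]
    return any(d == "0.0.0.0/0" and t.startswith("igw-") for d, t in table)


def path_to(subnet_id, dest_ip):
    """List the targets that traffic from subnet_id passes through to reach dest_ip."""
    target = lookup_target(ROUTE_TABLES[SUBNET_TO_RTB[subnet_id]], dest_ip)
    if target is None:
        return []
    if target == "local" or target.startswith("igw-"):
        return [target]
    if target.startswith("nat-"):
        nat_subnet = NAT_GATEWAY_SUBNET[target]
        if not subnet_is_public(nat_subnet):
            raise ValueError(f"{target} must reside in a public subnet")
        # The NAT gateway forwards onward according to its own subnet's route table.
        return [target] + path_to(nat_subnet, dest_ip)
    raise ValueError(f"unknown target type {target}")
```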
VPC Sharing
VPC sharing enables customers to share subnets with other AWS accounts in the same organization in AWS Organizations
enables multiple AWS accounts to build their applications in shared, centrally managed VPCs
After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets that are shared with them.
Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.
Benefits
Separation of duties
Centrally controlled VPC structure
Application owners continue to own resources, accounts, and security groups
Security groups –VPC sharing participants can reference the security group IDs of each other
Efficient use of VPNs and AWS Direct Connect
Optimized costs through the reuse of NAT gateways, VPC interface endpoints, and intra-Availability Zone traffic
VPC Peering
is a networking connection between two VPCs that enables you to route traffic between them privately
Instances in either VPC can communicate with each other as if they are within the same network
You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.
VPC peering has some restrictions:
IP address ranges cannot overlap
Transitive peering is not supported
You can only have one peering resource between the same two VPCs.
AWS site to site VPN
To connect your VPC to your remote network
1. Create a new virtual gateway device (called a virtual private network (VPN) gateway) and attach it to your VPC
2. Define the configuration of the VPN device or the customer gateway
3. Create a custom route table to point corporate data center-bound traffic to the VPN gateway
4. Establish an AWS Site-to-Site VPN connection to link the two systems together
5. Configure routing to pass traffic through the connection
AWS Direct Connect
AWS Direct Connect enables you to establish a dedicated, private network connection between your network and one of the DX locations
can reduce your network costs, increase bandwidth throughput
VPC endpoints
A VPC endpoint is a virtual device that enables you to privately connect your VPC to supported AWS services and VPC endpoint services that are powered by AWS PrivateLink.
Traffic between your VPC and the other service does not leave the Amazon network.
There are two types of VPC endpoints:
Interface VPC endpoints: hourly usage rates and data processing rates apply
Gateway endpoints: standard charges for data transfer and resource usage apply
AWS Transit Gateway
With AWS Transit Gateway, you only need to create and manage a single connection from the central gateway into each VPC, on-premises data center, or remote office across your network.
A transit gateway acts as a hub that controls how traffic is routed among all the connected networks
each network only needs to connect to the transit gateway and not to every other network
Amazon Route 53
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service
Amazon Route 53 effectively connects user requests to infrastructure running in AWS
can also be used to route users to infrastructure that is outside of AWS.
can route traffic to healthy endpoints or independently monitor the health of your application and its endpoints
Amazon Route 53 also offers Domain Name Registration—you
combined with DNS failover to enable various low-latency, fault-tolerant architectures.
Route 53 supports several types of routing policies
Simple routing (round robin)
Weighted round robin routing
Latency routing (LBR)
Geolocation routing
Geoproximity routing
Multivalue answer routing
Multi-Region deployment
the user is automatically directed to the Elastic Load Balancing load balancer that’s closest to the user.
DNS Failover
Configuring backup and failover scenarios for your own applications.
Enabling highly available multi-Region architectures on AWS.
Creating health checks to monitor the health and performance of your web applications, web servers, and other resources.
Amazon CloudFront
Amazon CloudFront is a content delivery network (CDN) service.
A CDN is a globally distributed system of caching servers.
A CDN caches copies of commonly requested files (HTML; CSS; JavaScript; and image files)
The CDN delivers a local copy of the requested content from a cache edge or Point of Presence
CDNs also deliver dynamic content that is unique to the requester and is not cacheable.
Amazon CloudFront is a fast CDN service that securely delivers data, videos, applications, and application programming interfaces (APIs) to customers globally with low latency and high transfer speeds.
delivers files to users over a global network of edge locations and Regional edge caches.
Amazon CloudFront is a self-service offering with pay-as-you-go pricing
CloudFront
edge locations
are designed to serve popular content quickly to your viewers.
Regional edge caches
are CloudFront locations that are deployed globally and are close to your viewers. They are located between your origin server and the global edge locations that serve content directly to viewers.
Regional edge caches hold content that is not popular enough to stay in an edge location
A Regional edge cache has a larger cache than an individual edge location, so objects remain in the Regional edge cache longer
benefits:
Fast and Global
Security at the edge
–Amazon CloudFront provides both network-level and application-level protection
Highly programmable
–Amazon CloudFront features can be customized for specific application requirements.
Deeply integrated with AWS
Cost-effective
–Amazon CloudFront is cost-effective because it has no minimum commitments and you pay only for what you use
Data transfer out
–You are charged for the volume of data that is transferred out from Amazon CloudFront edge locations
HTTP(S) requests
–You are charged for the number of HTTP(S) requests that are made to Amazon CloudFront for your content.
Invalidation requests
–Beyond the first 1,000 paths, you are charged per path in your invalidation request
Dedicated IP custom Secure Sockets Layer (SSL)
–You pay $600 per month for each custom SSL certificate that is associated with one or more CloudFront distributions that use the Dedicated IP version of custom SSL certificate support. This monthly fee is prorated by the hour.
VPC security
security groups
A security group acts as a virtual firewall for your instance, and it controls inbound and outbound traffic
Security groups act at the instance level, not the subnet level
Security groups have rules that control the inbound and outbound traffic
By default, a security group includes an outbound rule that allows all outbound traffic
Security groups are stateful
if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules
Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules
you can specify allow rules, but not deny rules
All rules are evaluated before the decision to allow traffic.
Network access control lists (network ACLs)
A network ACL acts as a firewall for controlling traffic in and out of one or more subnets.
Acts at the subnet level
You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time
A network ACL has separate inbound and outbound rules, and each rule can either
allow or deny traffic
Network ACLs are stateless, which means that no information about a request is maintained after a request is processed.
Return traffic must be explicitly allowed by rules
By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.
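An added example (not from the notes) that models the two evaluation behaviours described above: a security group is stateful and allow-only, so any matching rule admits a packet and a reply to a tracked request is admitted with no inbound rule at all; a network ACL is stateless, evaluates numbered rules lowest-first with the first match deciding, and so needs its own allow rule for return traffic. The rules and packets are constructed samples.

```python
# Added example (not from the notes): security group vs. network ACL evaluation.
import ipaddress


def _port_ok(spec, port):
    """spec is None (any port), an int, or an inclusive (low, high) range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def _matches(proto, port_spec, cidr, pkt):
    return (proto in ("all", pkt["proto"]) and _port_ok(port_spec, pkt["dport"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(cidr))


# Security group inbound rules (allow only): (proto, port spec, source CIDR). Constructed.
SG_INBOUND = [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "203.0.113.0/24")]

# Network ACL inbound rules: (number, proto, port spec, source CIDR, action). Constructed.
NACL_INBOUND = [
    (100, "tcp", 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, "203.0.113.0/24", "allow"),
    (120, "tcp", 22, "0.0.0.0/0", "deny"),
    ("*", "all", None, "0.0.0.0/0", "deny"),  # catch-all rule, always evaluated last
]


def record_outbound(flows, pkt):
    """Stateful tracking: remember a request the instance sent so its reply is recognised."""
    flows.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["sport"]))


def sg_allows_inbound(rules, pkt, flows):
    """Stateful: a reply to a tracked request is allowed regardless of inbound rules;
    otherwise any matching allow rule admits the packet (there are no deny rules)."""
    if (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"]) in flows:
        return True
    return any(_matches(p, ps, cidr, pkt) for p, ps, cidr in rules)


def nacl_decision(rules, pkt):
    """Stateless: rules are evaluated lowest number first, the first match wins,
    and nothing is remembered between packets."""
    ordered = sorted(rules, key=lambda r: float("inf") if r[0] == "*" else r[0])
    for _num, proto, ps, cidr, action in ordered:
        if _matches(proto, ps, cidr, pkt):
            return action
    return "deny"
```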