Networking :link:, Messages from the internet - Coggle Diagram
Networking
:link:
Amazon Virtual Private Cloud (Amazon VPC)
Provision a logically isolated section of the
AWS Cloud
You can launch
AWS resources
in a virtual network that you define
These resources can be
Private with no internet access
Usually for backend services like
Databases
Application servers
Public facing so they have access to the internet
Public and private grouping of resources
Known as subnets
Ranges of
IP addresses in your VPC
Connectivity to AWS
Amazon Virtual Private Cloud (Amazon VPC)
Enables you to provision an isolated section of the
AWS Cloud
You can
Launch resources in a virtual network that you define
Organize resources into
subnets
A section of a
VPC
that can contain resources such as
Amazon EC2 instances
Internet Gateway
Allow public traffic from the internet to access your
VPC
A connection between a
VPC
and the internet
Without an internet gateway
Nothing on the public internet can reach the resources within your
VPC
Virtual Private Gateway
The component that allows protected internet traffic to enter into the
VPC
Enables you to establish a
virtual private network (VPN)
connection
Between your
VPC
and a private network
Such as an
on-premises data center
Internal corporate network
Allows traffic into the
VPC
only if it is coming from an approved network
AWS Direct Connect
Service that enables you to establish a dedicated private connection
Between your data center and a
VPC
Helps you to reduce network costs
Increase the amount of bandwidth that can travel through your network
Subnets and network access control lists
AWS
layer security tools
Network hardening
User identity
Application security
Authentication and authorization
Distributed denial-of-service
DDoS prevention
Data integrity
Encryption
Other tools
Network hardening
Use
subnets
in a
VPC
To control access to the gateways
Public subnets
Have access to the internet gateway
Contain resources that need to be accessible by the public
Private subnets
Do not have access to the internet gateway
Contain resources that should be reachable only through your private network
Subnets also control traffic permissions, through network ACLs
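The public/private distinction above is not a property of the subnet itself: a subnet is public only when its route table sends default traffic (0.0.0.0/0) to an internet gateway. The following added example (not from the Coggle diagram or from AWS; all IDs and CIDRs are constructed) applies that rule to data shaped like the output of `aws ec2 describe-route-tables`, including the two cases people get wrong: a subnet with no explicit association inherits the VPC's main route table, and a default route through a NAT gateway gives outbound-only access, so that subnet is still private.

```python
# Added example (not from the Coggle diagram or AWS): classify subnets as public
# or private from their route tables, the way a reviewer auditing a VPC would.
# The data shape mimics `aws ec2 describe-route-tables` output, but every ID and
# CIDR below is constructed for illustration.

# Constructed sample: the "Main" table has no internet route, so any subnet
# without an explicit association is private.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main000",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-public0",
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-nat0000",
        "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            # Outbound-only path via NAT: instances can reach the internet, but
            # the internet cannot reach them, so the subnet stays private.
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
]

SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]  # subnet-db has no association


def has_igw_default_route(table):
    """True if the table sends 0.0.0.0/0 (or ::/0) to an internet gateway."""
    for route in table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gw = route.get("GatewayId", "")
        if dest in ("0.0.0.0/0", "::/0") and gw.startswith("igw-"):
            return True
    return False


def route_table_for(subnet_id, tables):
    """Explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnets(subnet_ids, tables):
    """Return {subnet_id: 'public' | 'private'}."""
    result = {}
    for subnet_id in subnet_ids:
        table = route_table_for(subnet_id, tables)
        public = table is not None and has_igw_default_route(table)
        result[subnet_id] = "public" if public else "private"
    return result


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
```

Swapping the constructed `ROUTE_TABLES` for the real `RouteTables` list returned by the CLI turns this into a quick check for subnets that became public by accident.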
Network traffic in a VPC
Packet
A unit of data sent over the internet or a network
It enters into a
VPC
through an internet gateway
Subnet
A section of a VPC
In which you can group resources based on
Security
Operational needs
Can communicate with each other
Global Networking
Domain Name System (DNS)
DNS
resolution is the process of translating a domain name to an
IP address
DNS
resolution involves a customer
DNS
resolver communicating with a company
DNS server
1 -
When you enter the domain name into your browser
This request is sent to a customer
DNS
resolver
2 -
The customer
DNS
resolver asks the company
DNS
server for the
IP address
That corresponds to the domain name you entered in your browser
3 -
The company
DNS
server responds by providing the
IP address
For that domain name, for example 192.0.2.0
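The three steps above are a request/response exchange in the DNS wire format (RFC 1035). The following added example, which is not part of the diagram or of any AWS code, builds the resolver's A-record question for a constructed name, builds the answer a company DNS server would return (the 192.0.2.0 address used in the diagram), and parses that answer back on the resolver side, including the transaction-ID check that a resolver relies on to reject replies it did not ask for. Nothing here touches the network; both sides of the exchange run locally.

```python
# Added example (not from the Coggle diagram or AWS): the DNS query/answer
# exchange in RFC 1035 wire format, both sides built and parsed locally.
import struct

# Constructed sample: the name being resolved and the answer the company's
# authoritative server hands back (192.0.2.0 is a documentation address).
DOMAIN = "anycompany.com"
TXN_ID = 0x1234


def build_query(name, txn_id):
    """Steps 1-2: the resolver's question for an A record."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    qname += b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def build_answer(query, ip):
    """Step 3, server side: echo the question and append one A record."""
    txn_id = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # 0xC00C is a compression pointer to offset 12, where the question's name sits.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answer(msg, expected_txn_id):
    """Step 3, resolver side: check the transaction ID, then pull out IPv4 answers."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expected_txn_id:
        raise ValueError("transaction ID mismatch: reply was not for our query")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def resolve(name, txn_id=TXN_ID, server_ip="192.0.2.0"):
    """Run the three-step exchange locally and return (name, address, ttl) tuples."""
    query = build_query(name, txn_id)
    response = build_answer(query, server_ip)
    return parse_answer(response, txn_id)


if __name__ == "__main__":
    print(resolve(DOMAIN))
```

A real resolver would send `build_query`'s bytes over UDP port 53 and feed the datagram it gets back to `parse_answer`; the transaction-ID check (together with source-port randomisation, not shown) is what makes blindly spoofed answers hard to inject.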
Amazon Route 53
Routing policies
Latency-based routing
Geolocation
DNS
Geoproximity routing
Weighted round robin
A
DNS
web service
A reliable way to route end users to internet applications hosted in
AWS
Connects user requests to infrastructure running in
AWS
Such as
Amazon EC2 instances
and
load balancers
Can route users to infrastructure outside of
AWS
Ability to manage the
DNS
records for domain names
You can register new domain names directly in
Route 53
You can also transfer
DNS
records for existing domain names
Managed by
other domain registrars
Enables you to
manage all of your domain names within a single location
How
Route 53
and
Amazon CloudFront
work together to deliver content to customers
Content Delivery Network CDN
Amazon CloudFront
Suppose that AnyCompany’s application is running on several
Amazon EC2 instances
These
instances
are in an
Auto Scaling group
That attaches to an
Application Load Balancer
1 -
A customer requests data from the application by going to AnyCompany’s website
2 -
Amazon Route 53
uses
DNS resolution
to identify AnyCompany.com’s corresponding
IP address, 192.0.2.0
This information is sent back to the customer
3 -
The customer’s request is sent to the nearest
edge location
through
Amazon CloudFront
4 -
Amazon CloudFront
connects to the
Application Load Balancer
Which sends the incoming packet to an
Amazon EC2 instance
Messages from the internet
Every packet that crosses the
subnet
boundaries
Gets checked against
A network access control list (network ACL)
List gets checked on the way in
Only approved traffic is passed through
List gets checked on the way out
Potentially harmful traffic
gets blocked before it ever touches the target
Only gets to
evaluate a packet if it crosses a subnet boundary
in or out
It doesn't evaluate
if a packet can reach a specific
EC2 instance
or not
Multiple EC2 instances
in the same subnet
Might have different rules around
Who can send them messages
What port those messages are allowed to be sent to
You need
instance level network security
as well
Security groups
EC2 instance
When it's launched,
automatically comes with a security group
By
default
Stateful Packet Filtering
:check:
Keeps a memory of which traffic it has already allowed in or out
Remembers previous decisions made for incoming packets, so the reply traffic is let back out automatically
A virtual firewall that controls inbound and outbound traffic for an
Amazon EC2 instance
By
default, a security group
denies all inbound traffic and allows all outbound traffic
You can add
custom rules that allow specific traffic
Security groups have allow rules only; anything not matched by an allow rule is denied
Stateless Packet Filtering
:red_cross:
Remembers nothing and checks every single
packet
That crosses its border inbound and outbound, regardless of any circumstances
VPC
component that checks packet permissions for
subnets
A virtual firewall that controls inbound and outbound traffic at the
subnet level
Each
VPC
includes a
default network ACL
By default,
network ACL
allows all inbound and outbound traffic
You can modify it by adding your own rules
Custom
network ACLs
All inbound and outbound
traffic is denied until you add rules
to specify which traffic to allow
All
network ACLs
have an explicit deny rule
Ensures that if a
packet
doesn’t match any of the other rules on the list
The
packet
is denied
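The stateful/stateless difference between security groups and network ACLs above is easiest to see on a single request/reply pair. The following added example (not from the Coggle diagram or from AWS; the rule sets, addresses and ports are constructed) models both filters: a network ACL as an ordered, first-match rule list with the implicit final deny, evaluated independently on the way in and on the way out, and a security group as an allow-only filter with connection tracking. It then runs an HTTPS request into a web server and the server's reply back out, with an outbound network ACL that mirrors the inbound rule (a common mistake) beside the corrected one that allows the client's ephemeral port range.

```python
# Added example (not from the Coggle diagram or AWS): a stateless network ACL
# evaluator beside a stateful, allow-only security group evaluator, run over one
# constructed HTTPS request and its reply.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _match(rule, ip, port):
    lo, hi = rule["ports"]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi


def nacl_allows(rules, ip, port):
    """Stateless: rules tried in ascending number order, first match wins,
    and the implicit '*' rule at the end denies anything left over."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _match(rule, ip, port):
            return rule["action"] == "allow"
    return False


def nacl_inbound(rules, pkt):   # inbound rules match source CIDR + destination port
    return nacl_allows(rules, pkt.src_ip, pkt.dst_port)


def nacl_outbound(rules, pkt):  # outbound rules match destination CIDR + destination port
    return nacl_allows(rules, pkt.dst_ip, pkt.dst_port)


class SecurityGroup:
    """Stateful and allow-only. Default: no inbound rules (deny all), outbound allow all."""

    def __init__(self, inbound, outbound=None):
        self.inbound = inbound
        self.outbound = outbound if outbound is not None else [{"cidr": "0.0.0.0/0", "ports": (0, 65535)}]
        self.flows = set()  # connection tracking: (src_ip, src_port, dst_ip, dst_port)

    def _known_reply(self, pkt):
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

    def inbound_allowed(self, pkt):
        if self._known_reply(pkt):
            return True
        if any(_match(r, pkt.src_ip, pkt.dst_port) for r in self.inbound):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False  # there are no deny rules; unmatched traffic is simply dropped

    def outbound_allowed(self, pkt):
        if self._known_reply(pkt):
            return True
        if any(_match(r, pkt.dst_ip, pkt.dst_port) for r in self.outbound):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


# Constructed scenario: a client on the internet talks HTTPS to a web server in a subnet.
REQUEST = Packet("203.0.113.5", 51000, "10.0.1.10", 443)
REPLY = Packet("10.0.1.10", 443, "203.0.113.5", 51000)

NACL_IN = [{"number": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}]
# Common mistake: mirroring the inbound rule on the outbound side.
NACL_OUT_BROKEN = [{"number": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}]
# Fix: the reply is addressed to the client's ephemeral port, so that range must be allowed out.
NACL_OUT_FIXED = NACL_OUT_BROKEN + [{"number": 110, "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"}]

SG_RULES_IN = [{"cidr": "0.0.0.0/0", "ports": (443, 443)}]
SG_RULES_OUT = [{"cidr": "0.0.0.0/0", "ports": (443, 443)}]  # the same "mistake", harmless here


def web_exchange(nacl_out):
    """Does the request get in and the reply get out? Returns the verdict per layer."""
    sg = SecurityGroup(SG_RULES_IN, SG_RULES_OUT)
    return {
        "nacl_request_in": nacl_inbound(NACL_IN, REQUEST),
        "nacl_reply_out": nacl_outbound(nacl_out, REPLY),
        "sg_request_in": sg.inbound_allowed(REQUEST),
        "sg_reply_out": sg.outbound_allowed(REPLY),
    }


if __name__ == "__main__":
    print("broken NACL:", web_exchange(NACL_OUT_BROKEN))
    print("fixed NACL: ", web_exchange(NACL_OUT_FIXED))
```

With the mirrored outbound rule the network ACL drops the server's reply, because it remembers nothing about the request and the reply's destination port is 51000, not 443; the security group with the very same outbound rule lets the reply through because it tracked the inbound connection. That asymmetry is why a restrictive custom network ACL needs an explicit ephemeral-port rule while a security group does not.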