Networking - Coggle Diagram
VPC
- Every region of an account comes with a default VPC; more can be created later
- Think of a VPC as a private network and of its gateways as the routers that connect it to the outside
- Created in a selected region
- Spans all AZs of that region, but never crosses regions
Route Tables
Main Route Table
- Created with the VPC; used by every subnet that is not explicitly associated with another route table
- A subnet can instead be associated with a Custom Route Table
Custom Route Table
- User-created route table that can be associated with one or more subnets
Subnets
- Range of IP addresses (a CIDR block) within the VPC
- A subnet lives in exactly one AZ. Subnets in different AZs of the same VPC still reach each other over the VPC's implicit local route; gateways are only needed for traffic that leaves the VPC
Public Subnet
- Subnet whose route table sends 0.0.0.0/0 to an internet gateway; a resource additionally needs a public or Elastic IP to actually be reachable from the internet
NAT Gateway
- Deployed in a public subnet; a private subnet's route table sends 0.0.0.0/0 to it so instances can reach the internet outbound (no inbound connections are accepted)
- Zonal: redundant within its AZ only, so deploy one per AZ and point each AZ's private subnets at the NAT gateway in the same AZ
Private Subnet
- Route table has no route to an internet gateway, so resources cannot be reached from the internet
- Still reaches every other subnet in the VPC (including public ones) over the local route
VPN-Only Subnet
- Private subnet whose route table sends on-premises prefixes to a virtual private gateway
- The virtual private gateway is connected to on-premises over a Site-to-Site VPN connection
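The subnet types above are nothing more than the routes in the table a subnet ends up using. The following added example (not part of the original diagram) models a VPC with a main table and three custom tables, performs the longest-prefix lookup the VPC router performs, and derives each subnet's role from it; it also shows that a subnet with no explicit association falls back to the main table and that cross-AZ traffic inside the VPC uses the local route. All IDs and CIDRs are constructed for illustration.

```python
import ipaddress

# Constructed example: one VPC, its main route table plus three custom route
# tables, and four subnets. Every ID here is made up for illustration.
ROUTE_TABLES = {
    # main table: created with the VPC, carries only the implicit local route
    "rtb-main":    [("10.0.0.0/16", "local")],
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb")],
    "rtb-vpn":     [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-0ccc")],
}

# subnet -> (CIDR, AZ, explicitly associated route table or None)
SUBNETS = {
    "subnet-web": ("10.0.1.0/24", "us-east-1a", "rtb-public"),
    "subnet-app": ("10.0.2.0/24", "us-east-1b", "rtb-private"),
    "subnet-vpn": ("10.0.3.0/24", "us-east-1a", "rtb-vpn"),
    "subnet-new": ("10.0.4.0/24", "us-east-1c", None),  # no association: main table
}

MAIN_ROUTE_TABLE = "rtb-main"


def effective_route_table(subnet_id):
    """A subnet with no explicit association uses the VPC's main route table."""
    return SUBNETS[subnet_id][2] or MAIN_ROUTE_TABLE


def lookup_route(rtb_id, destination):
    """Longest-prefix match over one route table, as the VPC router does.
    Returns the target (local / igw-... / nat-... / vgw-...) or None."""
    dest = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[rtb_id]:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(subnet_id, internet_probe="8.8.8.8", onprem_probe="192.168.10.5"):
    """Derive the subnet's role from its routes (probe addresses are constructed):
    public   - default route to an internet gateway
    private  - default route to a NAT gateway (outbound only)
    vpn-only - no default route, but on-premises prefixes go to a VGW
    isolated - nothing but the local route (e.g. a forgotten main-table subnet)"""
    rtb = effective_route_table(subnet_id)
    default = lookup_route(rtb, internet_probe) or ""
    onprem = lookup_route(rtb, onprem_probe) or ""
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    if onprem.startswith("vgw-"):
        return "vpn-only"
    return "isolated"


def same_vpc_path(src_subnet, dst_ip):
    """Traffic between subnets in different AZs is matched by the local route;
    no gateway is involved."""
    return lookup_route(effective_route_table(src_subnet), dst_ip)


if __name__ == "__main__":
    for sid, (cidr, az, _) in SUBNETS.items():
        print(f"{sid:11} {cidr:13} {az} rtb={effective_route_table(sid):12} -> {classify_subnet(sid)}")
    # app subnet (us-east-1b) reaching a host in the web subnet (us-east-1a)
    print("cross-AZ path:", same_vpc_path("subnet-app", "10.0.1.25"))
```

The "isolated" result for subnet-new is the case worth auditing in real accounts: a subnet left on the main table is reachable from the whole VPC but has no egress, which is either intended (a sandbox) or a sign that a NAT route was never added.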
Resource Sharing
AWS PrivateLink
- Exposes a service running in one VPC (fronted by a Network or Gateway Load Balancer) to consumers in other VPCs or accounts through interface endpoints
- Traffic stays on the AWS network, CIDRs may overlap, and connections can only be initiated from the consumer side, so nothing else in the provider VPC is exposed
VPC Peering
- Connects two VPCs (same or different accounts and regions) so they route to each other over private IP addresses
- CIDRs must not overlap, and peering is not transitive (A-B plus B-C does not give A-C)
Transit Gateway
- Fully managed hub-and-spoke model
- Acts as the hub between many VPCs, Site-to-Site VPNs and Direct Connect attachments
- Has its own route tables that control which attachments may reach each other
VPC Endpoints
- Privately connect a VPC to supported AWS services (and to PrivateLink endpoint services) without an internet gateway, NAT device or public IP
Interface Endpoint
- An ENI with a private IP address in your subnet is the entry point; traffic to the service (Kinesis, SQS, etc.) stays on the AWS network and never traverses the internet
- Offered by most AWS services; access is controlled by a security group on the ENI and by an endpoint policy. S3 and DynamoDB are the two services that also offer the cheaper gateway endpoint type
Gateway Endpoint
- Only for S3 and DynamoDB; free of charge
- Implemented as a route: the destination is the AWS-managed prefix list of the service (its public IP ranges in the region) and the target is the endpoint
- The same prefix list can be referenced in security group egress rules, so instances may talk to S3/DynamoDB while all other internet egress stays blocked
- An endpoint policy on the endpoint limits which buckets or tables can be reached through it (stops exfiltration to an attacker-controlled bucket)
- A resource policy (e.g. an S3 bucket policy) can in turn restrict access to requests that arrive through a specific endpoint or VPC
aws:SourceVpce (specific endpoint) / aws:SourceVpc (any endpoint of the VPC)
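Both sides of a gateway endpoint carry a policy, and the two do different jobs. The added example below (written for this page, not taken from the diagram or from AWS) generates an S3 bucket policy that denies anything not arriving through one endpoint, an endpoint policy that lets the endpoint reach only that bucket, and a deliberately small evaluator for the two string operators involved. The evaluator exists to make one non-obvious rule visible: StringNotEquals on aws:SourceVpce evaluates to true when the key is absent, which is why a request from the internet or the console (no endpoint, hence no key) is denied too. The bucket name and endpoint ID are constructed placeholders.

```python
import json

# Constructed identifiers for the example; substitute your own.
BUCKET = "example-private-data"
ALLOWED_VPCE = "vpce-0123456789abcdef0"


def bucket_policy_vpce_only(bucket, vpce_id):
    """Bucket policy: deny every request that did not arrive through vpce_id.
    Deny + StringNotEquals is the documented pattern; it also locks out the
    console and anyone coming from the internet, so plan a break-glass path
    (a second allowed endpoint, or an exception for one IAM role)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromExpectedEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def endpoint_policy_bucket_only(bucket):
    """Endpoint policy attached to the gateway endpoint itself: hosts may use
    it to reach this bucket only, so a compromised instance cannot push data
    to an attacker's bucket through the same endpoint."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def condition_matches(condition, context):
    """Evaluate the two string operators used above against a request context.
    Negated operators (StringNotEquals) are true when the key is absent, so a
    request that never passed through any endpoint (no aws:SourceVpce key)
    matches the Deny."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate_bucket_access(policy, context):
    """Simplified IAM logic for the demo: an explicit Deny always wins, and an
    Allow from the caller's identity policy is assumed, so the answer is
    either 'deny' or 'allow'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), context):
            return "deny"
    return "allow"


if __name__ == "__main__":
    policy = bucket_policy_vpce_only(BUCKET, ALLOWED_VPCE)
    print(json.dumps(policy, indent=2))
    for ctx in ({"aws:SourceVpce": ALLOWED_VPCE},            # through our endpoint
                {"aws:SourceVpce": "vpce-0fedcba987654321f"},  # another VPC's endpoint
                {}):                                          # internet or console
        print(ctx, "->", evaluate_bucket_access(policy, ctx))
```

The endpoint policy is the control most often forgotten: the default endpoint policy allows full access to every bucket in the region, so the bucket policy alone protects your data but does nothing against exfiltration.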
Shared Service VPC
- Centrally managed VPC whose services (directories, logging, proxies, scanners) are consumed by workloads in many AWS accounts
Transit VPC
- Hub-and-spoke model built from EC2-based VPN/routing appliances in a hub VPC, with spoke VPCs attached over VPN tunnels
- Similar in purpose to Transit Gateway, but an architecture you build and operate yourself (patching, scaling and failover of the appliances)
AWS Resource Access Manager
- Lets the VPC owner share individual subnets with other accounts of the same AWS Organization (VPC sharing)
- The owner keeps control of the VPC, route tables and network ACLs; participants launch their own resources into the shared subnets, and everything in the VPC communicates over private IP addresses
DNS
Route 53
Record Types
CNAME
- Maps a hostname to another hostname; the client then resolves the target (usually to an A or AAAA record)
- Cannot be placed at the zone apex (not OK: xxx.com, ttt.org, ...; OK: api.xxx.com, ...), and no other record type may share its name
NS
- Delegates a subdomain to another set of name servers that answer for it
- Must point to a hostname with an A/AAAA record, never to a CNAME
Alias Record
- Route 53-specific extension that points at an AWS resource (ALB, CloudFront, S3 website endpoint, API Gateway, or another record in the same zone)
- Allowed at the zone apex, which a CNAME is not
- Can evaluate the target's health (Evaluate Target Health) without a separate health check; alias queries are free
Time To Live (TTL)
- Tells resolvers and clients how long they may cache the record
- Too low: changes propagate quickly, but Route 53 answers far more queries (higher cost)
- Too high: fewer queries and lower cost, but clients keep stale answers for up to the TTL after a change, so lower it ahead of a planned cutover
Traffic Flow
- Visual editor for building complex routing trees (e.g. geolocation, then failover, then weighted)
- Saved as a versioned traffic policy that can be applied to records in other hosted zones
Routing Policy
Simple
- One record with one or more values; all values are returned and the client picks one
- No health checks
Weighted
- Traffic is split across records in proportion to their weights (weight / sum of weights); setting every weight to 0 distributes evenly
- Health checks supported; unhealthy records drop out of the rotation
Latency Based
- Answers with the record in the region that has the lowest measured latency to the querying resolver
Failover
- Active/passive: the primary record is returned while its health check passes, the secondary otherwise
Geolocation
- Answers based on where the query comes from (continent, country, or US state of the resolver/client)
- A default record should be set; otherwise Route 53 returns no answer for locations that match nothing
Geoproximity
- Answers based on the geographic distance between the client and the resource (requires Traffic Flow)
Equally distributed
- Bias 0: the closest resource wins
Biased
- A positive or negative bias per resource enlarges or shrinks the area it serves
Multi-Value
- Returns up to 8 healthy values chosen at random, so the client can load-balance and retry against another address
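The interaction between health checks and the routing policies above has two rules that the bullets do not spell out: an unhealthy record is dropped from the answer, but if every record is unhealthy Route 53 answers as though all were healthy (it fails open rather than returning nothing), and weighted records that all carry weight 0 are served evenly. The added simulation below (example code for this page, not Route 53's implementation) applies those rules to weighted, multivalue and failover answers over constructed records.

```python
import random
from dataclasses import dataclass


@dataclass
class Record:
    """One value in a Route 53 record set (constructed data, not a real zone)."""
    value: str
    weight: int = 1
    healthy: bool = True


def answer_pool(records):
    """Unhealthy records are left out of the answer, but if *every* record is
    unhealthy Route 53 answers as if all were healthy (fail-open); a health
    checker outage therefore never produces an empty answer."""
    healthy = [r for r in records if r.healthy]
    return healthy if healthy else list(records)


def weighted_answer(records, rng=random):
    """Weighted routing: probability weight / sum(weights) over the pool.
    If every weight is 0 the records are returned with equal probability."""
    pool = answer_pool(records)
    weights = [r.weight for r in pool]
    if sum(weights) == 0:
        weights = [1] * len(pool)
    return rng.choices(pool, weights=weights, k=1)[0].value


def multivalue_answer(records, rng=random, max_values=8):
    """Multivalue answer routing: up to eight healthy values, randomly chosen,
    so the client can retry against another address if the first fails."""
    pool = answer_pool(records)
    chosen = rng.sample(pool, min(max_values, len(pool)))
    return sorted(r.value for r in chosen)


def failover_answer(primary, secondary):
    """Failover routing: primary while its health check passes, else secondary."""
    return primary.value if primary.healthy else secondary.value


def observed_split(records, trials=10_000, seed=1):
    """Empirical share each value receives under weighted routing."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        v = weighted_answer(records, rng)
        counts[v] = counts.get(v, 0) + 1
    return {v: n / trials for v, n in counts.items()}


if __name__ == "__main__":
    blue = Record("10.0.1.10", weight=70)
    green = Record("10.0.2.10", weight=30)
    print("canary split:", observed_split([blue, green]))
    green.healthy = False
    print("green unhealthy:", observed_split([blue, green]))  # everything to blue
    print("failover:", failover_answer(Record("primary", healthy=False), Record("secondary")))
    fleet = [Record(f"10.0.3.{i}") for i in range(12)]
    print("multivalue:", multivalue_answer(fleet))
```

The fail-open rule is the one to remember during incident response: if your health checks all go red because the checker cannot reach the endpoints (blocked checker IPs, WAF rule), Route 53 keeps answering with every record instead of steering traffic away.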
Hosted Zone
- Collection of DNS records for one domain
Public Hosted Zone
- Records that answer queries coming from the internet
Private Hosted Zone
- Records that answer queries from inside the VPCs associated with it (split-horizon DNS)
Application Recovery Controller
- Helps recover applications from outages: readiness checks audit standby capacity and routing controls shift traffic between cells or regions
Health Check
- Route 53 health checkers probe from several regions and publish the results as CloudWatch metrics
Endpoint Health Check
- Probes an endpoint over HTTP, HTTPS or TCP (every 30 s, or 10 s with fast checking); HTTP responses other than 2xx or 3xx count as failures, optionally combined with string matching on the body
- The checkers come from public IPs, so the endpoint must be reachable from the internet and their IP ranges allowed in security groups and WAF rules
CloudWatch Alarm
- Health check that mirrors the state of a CloudWatch alarm
- Useful for private resources the public checkers cannot reach, or for resources without a health endpoint
Calculated Health Check
- Combines several child health checks into one
- Rules can be expressed as "at least N of M healthy", which covers AND (all), OR (at least one) and NOT (inverted status)
Readiness check
- Continuously audits that the standby cell has the capacity, quotas and configuration to take over traffic
- Does not route traffic itself (read only)
Routing control
- On/off switch, exposed as a Route 53 health check, that shifts traffic on cutover or failover
- Toggled through the Application Recovery Controller API, e.g. from a Lambda function or a runbook
Route 53 Resolver outbound endpoint
- Forwards DNS queries originating in the VPC to DNS servers elsewhere (another VPC or on-premises), according to forwarding rules
Hybrid DNS
- Integrate on-premises DNS with the VPC's Route 53 Resolver
- On-premises must already be connected to the VPC over VPN or Direct Connect
Inbound
- Inbound endpoint: on-premises resolvers forward queries for AWS names (private hosted zones, VPC endpoint names) to ENIs in the VPC
Outbound
- Outbound endpoint: queries from resources in the VPC are forwarded to the on-premises resolvers
- Forwarding rules name exactly which domains are forwarded (the most specific rule wins); everything else is resolved by Route 53 as usual
Regions
- Geographic area where AWS operates a cluster of data centers; services and data stay in the region unless you replicate them
Availability Zone (AZ)
- One or more discrete data centers in a region with independent power, cooling and networking
- Physically isolated from the other AZs of the region and connected to them by low-latency links
AWS Local Zones
- Extension of a region that places compute, storage and other services close to large population or industry centers
- Single-digit millisecond latency for local users; can help with data-residency requirements
- Only available in specific metro areas, such as Los Angeles and Chicago
Load Balancer
Types
Application Load Balancer (ALB)
- Layer 7 (HTTP/1.1, HTTP/2, gRPC, WebSocket, HTTP 301 redirects, routing on host, path and headers)
- Higher per-request latency than NLB (roughly 400 ms is the commonly quoted figure)
- Distributes traffic to multiple targets (Target Groups)
- Distributes traffic to multiple applications on a single host (dynamic port mapping, e.g. ECS tasks)
- Targets see the ALB's private IP as the source; the client's IP is appended to the X-Forwarded-For header, which also carries whatever the client sent and must be parsed from the right
- Has built-in health checks
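Because the ALB appends the address it accepted the connection from, the only trustworthy X-Forwarded-For entry is the rightmost one; anything to its left came from the client and can be forged to bypass IP allow-lists or poison rate limiting and audit logs. The added example below (written for this page, not part of the diagram) contrasts the common leftmost-entry mistake with right-to-left parsing, handles the optional port that ALB client-port preservation adds, and shows how a CloudFront hop changes the count. Header values are constructed.

```python
import ipaddress


def _strip_port(entry):
    """ALB writes 'ip' or, with client port preservation, 'ip:port' / '[ipv6]:port'."""
    entry = entry.strip()
    if entry.startswith("["):                 # [2001:db8::1]:51234
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:                 # 203.0.113.9:51234
        return entry.split(":", 1)[0]
    return entry                              # bare IPv4 or bare IPv6


def naive_client_ip(headers):
    """The common mistake: trust the first (leftmost) entry. Whatever the client
    put in its own X-Forwarded-For header lands here, so this is spoofable."""
    raw = headers.get("X-Forwarded-For", "")
    return _strip_port(raw.split(",")[0]) if raw else None


def client_ip_behind_alb(headers, trusted_hops=1):
    """Return the address the *ALB* accepted the connection from.

    The ALB appends the peer address to X-Forwarded-For, so the rightmost entry
    was written by the ALB; everything left of it is client-supplied. With
    CloudFront in front of the ALB the rightmost entry is the CloudFront edge
    and the viewer address is second from the right: use trusted_hops=2, but
    only if the ALB's security group admits CloudFront alone; otherwise an
    attacker who reaches the ALB directly can forge that second entry too."""
    raw = headers.get("X-Forwarded-For", "")
    hops = [h for h in (x.strip() for x in raw.split(",")) if h]
    if len(hops) < trusted_hops:
        # fewer proxies than expected: refuse rather than guess
        raise ValueError("X-Forwarded-For has fewer entries than trusted hops")
    candidate = _strip_port(hops[-trusted_hops])
    return str(ipaddress.ip_address(candidate))  # raises on garbage, never returns it


if __name__ == "__main__":
    # constructed: attacker claims 1.2.3.4, ALB appended the real peer 203.0.113.9
    forged = {"X-Forwarded-For": "1.2.3.4, 203.0.113.9"}
    print("naive :", naive_client_ip(forged))
    print("safe  :", client_ip_behind_alb(forged))
    # constructed: viewer -> CloudFront (130.176.0.1) -> ALB, plus a forged first entry
    via_cf = {"X-Forwarded-For": "198.51.100.7, 203.0.113.9, 130.176.0.1"}
    print("behind CloudFront:", client_ip_behind_alb(via_cf, trusted_hops=2))
```

NLB does not have this problem because it preserves the client IP at layer 4 (see below); with an ALB, combine right-to-left parsing with a security group that only admits the expected upstream, or the trusted hop count can be undercut.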
Network Load Balancer (NLB)
- Layer 4 (TCP, TLS, UDP)
- Handles millions of requests per second with very low latency (roughly 100 ms is the commonly quoted figure)
- Targets see the actual client IP (client IP preservation); if it is turned off, Proxy Protocol v2 can carry the address instead
Regional NLB Name
- Hostname that resolves to the IP addresses of the NLB's own nodes, one per enabled AZ (static or Elastic IPs), not to the instances' ENIs
my-nlb-12345.elb.us-east-1.amazonaws.com
Zonal DNS Name
- Resolves only to the node in one AZ, so a client can pin its traffic to that zone (e.g. to avoid cross-AZ hops)
us-east-1a.my-nlb-12345.elb.us-east-1.amazonaws.com
Classical Load Balancer (CLB)
- Legacy load balancer from 2009; use ALB or NLB for new deployments
- Supports HTTP/HTTPS (layer 7) and TCP/SSL (layer 4)
Cross-Zone Load Balancer
- Each load balancer node sends traffic to registered targets in all enabled AZs, not only to the targets in its own AZ
- Without it each AZ's node receives an equal share of the traffic regardless of how many targets sit in that AZ, so an AZ with fewer targets is overloaded
- Always on for ALB (can be switched off per target group); off by default for NLB
Sticky Session
- Binds a client to the same target for subsequent requests using a cookie (duration-based or application-based)
- Traffic may become imbalanced across targets
API Gateway
- Managed front door for REST, HTTP and WebSocket APIs with minimal operational overhead
- Can cache responses per stage, so the backend sees fewer requests
- CORS headers can be enabled per resource and method
Staging
- Stages are named deployments (dev, test, prod), each with its own invoke URL and stage variables that point it at the matching backend
Integration
HTTP Endpoint
- Proxy any HTTP endpoint (e.g. an on-premises API or an ALB) behind the gateway
- All API Gateway features apply: throttling, caching, authentication, API keys
Lambda Function
- Invoke Lambda functions (proxy integration, or custom integration with request/response mapping)
Other AWS Services
- Call other AWS service APIs directly where supported (e.g. send a message to SQS or start a Step Functions execution) without a Lambda in between
Authentication
- Resource policy to restrict who may call the API (by principal, source IP, or source VPC endpoint)
- IAM authorization: callers sign requests with SigV4 and IAM policies decide
Lambda Authorizer
- Custom code that validates the request (a bearer token or request parameters); used to integrate third-party identity providers (OAuth, SAML); the result is cached for a configurable time
Cognito User Pool
- Client logs in through a Cognito User Pool and receives a JWT
- Client sends the request to API Gateway with the token
- API Gateway verifies the token's signature and expiry against the user pool, with no Lambda involved
WebSocket
- Implemented with Lambda integrations per route
- Lambda handlers for the $connect, $default (messages) and $disconnect routes; connection IDs are usually stored in DynamoDB so the backend can push messages to clients later
Endpoint Types
Edge-Optimized (default)
- Requests enter at the nearest CloudFront edge location
- The edge forwards them over the AWS backbone to the API's region, which is faster than the public internet
Regional
- Requests go straight to the API in its region
- Best when clients are in the same region, or when you place your own CloudFront distribution in front
Private
- Reachable only through interface VPC endpoints; the API's resource policy must allow the VPC or endpoint IDs, which may belong to other accounts
Errors
4xx
429 Too Many Requests: throttle or quota exceeded
5xx
502 Bad Gateway
- Incompatible output from the backend (e.g. a Lambda proxy integration returning a malformed response)
- Out-of-order invocation
504 Integration Failure / Integration Timeout
- The 29-second integration timeout was reached
Limits
Execution Time
- 29-second integration timeout; API Gateway returns 504 if the backend takes longer
- Counts everything the integration does synchronously, so long-running work should be made asynchronous (return 202 and let the client poll)
Usage Limit
Per key limit (usage plan)
- API keys are attached to usage plans, each with its own throttle (steady-state rate and burst) and quota (requests per day, week or month), so different customer tiers get different thresholds
- These cannot exceed the account-level limit for the region
API
Per API Method level
- Throttle applied to a specific method (GET, POST, etc.) of a stage
- When exceeded, that method returns 429
Whole API level (stage)
- Throttle applied to the entire stage
- When exceeded, every method returns 429
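The limits above are token buckets (steady-state rate plus burst) layered on top of each other, and API Gateway applies them in a documented order: per-key usage plan first, then per-method, then the stage. The added model below (example code for this page, not API Gateway's implementation) reproduces that layering with a simulated clock so the 429 behaviour can be stepped through deterministically; quotas only count requests that were actually accepted. Limit values and key names are constructed.

```python
class TokenBucket:
    """API Gateway style throttle: refill `rate` tokens per second, hold at most
    `burst`. A request succeeds only if a whole token is available right now."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.updated = float(burst), None

    def try_take(self, now):
        if self.updated is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class UsagePlan:
    """Per-API-key limits: a throttle (rate/burst) plus a quota over a period."""

    def __init__(self, rate, burst, quota):
        self.bucket = TokenBucket(rate, burst)
        self.quota, self.used = quota, 0


class Stage:
    """One deployed stage with a stage-wide throttle, optional per-method
    throttles and usage plans. Checks run in API Gateway's documented order:
    per-key, then per-method, then stage (the account limit is not modelled)."""

    def __init__(self, rate, burst, method_limits=None):
        self.stage = TokenBucket(rate, burst)
        self.methods = {m: TokenBucket(r, b) for m, (r, b) in (method_limits or {}).items()}
        self.plans = {}

    def attach_key(self, api_key, rate, burst, quota):
        self.plans[api_key] = UsagePlan(rate, burst, quota)

    def handle(self, method, now, api_key=None):
        """Return (status, reason) for one request at simulated time `now`."""
        plan = None
        if api_key is not None:
            plan = self.plans.get(api_key)
            if plan is None:
                return 403, "Forbidden: unknown API key"
            if plan.used >= plan.quota:
                return 429, "Limit Exceeded (quota)"
            if not plan.bucket.try_take(now):
                return 429, "Too Many Requests (per-key throttle)"
        if method in self.methods and not self.methods[method].try_take(now):
            return 429, f"Too Many Requests ({method} method throttle)"
        if not self.stage.try_take(now):
            return 429, "Too Many Requests (stage throttle)"
        if plan is not None:
            plan.used += 1          # quota counts only accepted requests
        return 200, "OK"


if __name__ == "__main__":
    # constructed limits: stage 100 rps / burst 50, POST 1 rps / burst 1,
    # tenant-a gets 2 rps / burst 2 and a quota of 5 requests for the period
    stage = Stage(rate=100, burst=50, method_limits={"POST": (1, 1)})
    stage.attach_key("tenant-a", rate=2, burst=2, quota=5)
    for t, method, key in [(0.0, "GET", "tenant-a"), (0.0, "GET", "tenant-a"),
                           (0.0, "GET", "tenant-a"), (1.0, "GET", "tenant-a"),
                           (1.0, "POST", None), (1.0, "POST", None),
                           (1.0, "GET", "nobody")]:
        print(f"t={t:.1f} {method:4} key={key!s:9} ->", stage.handle(method, t, key))
```

Two practical consequences fall out of the order: a tenant's 429 from its usage plan never consumes stage capacity, and a burst that passes the per-key bucket can still be rejected by a tighter method-level setting, so method limits should be at least as generous as the largest plan you sell.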
VPN
- Encrypted IPsec tunnels that connect an outside network or remote clients to the VPC
AWS Site-to-Site VPN
- Customer gateway (your router or appliance) on-premises; AWS provides the managed gateway on its side
- Two IPsec tunnels per connection for redundancy; static or BGP routing
Virtual Private Gateway (VGW)
- Attached directly to one VPC (a Transit Gateway can terminate the VPN instead when many VPCs need it)
- The on-premises customer gateway connects to the VGW over the VPN connection
AWS Direct Connect
- Dedicated physical connection (1, 10 or 100 Gbps, or smaller hosted connections) with consistent throughput and latency
- Higher cost and a long lead time; traffic is not encrypted by default, so use MACsec on the link or run a VPN over the connection where confidentiality matters
Virtual InterFace (VIF)
- Logical connection (a VLAN with its own BGP session) carved out of the physical Direct Connect connection
Public Virtual Interface
- Reach AWS public endpoints (S3, DynamoDB, public service APIs) over their public IP addresses
- Only services with public endpoints; not the private resources inside your VPC
Transit Virtual Interface
- Connects the Direct Connect connection to a Direct Connect gateway that is associated with one or more Transit Gateways
- Gives on-premises access to every VPC attached to those Transit Gateways, potentially in several regions
Private Virtual Interface
- Reach resources in a VPC over their private IP addresses
- Terminates on a VGW (single VPC) or on a Direct Connect gateway (several VPCs)
AWS Direct Connect Gateway
- Globally available, managed by AWS
- Lets one Direct Connect connection reach VPCs in multiple accounts and regions
- Not transitive: VPCs attached through the same gateway cannot talk to each other via it, nor can two on-premises sites; use a Transit Gateway for that
Transit Gateway
- Associate Transit Gateways with the Direct Connect gateway and attach a Transit VIF to it
Virtual Private Gateway
- Associate each VPC's VGW with the Direct Connect gateway and attach a Private VIF to it
Direct Connect Location
- Colocation facility where your router (or your partner's) is cross-connected to an AWS Direct Connect router
- Connect on-premises to the location with your own circuit
- From there the AWS backbone carries traffic to the VGW or Transit Gateway in the region