AWS - MacKittipat/note-developer GitHub Wiki
https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/ https://docs.aws.amazon.com/quickstart/latest/vpc/architecture.html
Region
- Separate geographic areas that house AWS infrastructure
- Each Region has multiple, isolated locations known as Availability Zones
- Region consideration
- Cost
- Latency (Distance to customer)
- Compliance
- Service (New features)
Availability Zones (AZs)
- Logical building block that makes up an AWS Region
- For example, Region Singapore (ap-southeast-1) has 2 AZs: ap-southeast-1a, ap-southeast-1b
Network
VPC (Virtual Private Cloud)
- Used to isolate our application from the millions of other applications all running on AWS
- It is logically isolated from other virtual networks in the AWS Cloud.
- Spans all the Availability Zones in the Region
- VPC must be associated with a route table, which controls the routing for the subnet
Subnet
- It is a range of IP addresses in your VPC.
- Can be public and private
- Public subnet has internet gateway attached to route table
- Each Subnet must reside entirely within one Availability Zone, and it can't span Availability Zones
- When you create a Subnet, you specify the CIDR block for the Subnet, which is a subset of the VPC CIDR block
- You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.
CIDR block
- 10.10.0.0/16 => first 16 bits fixed, 10.10.*.*
- 10.10.1.0/24 => first 24 bits fixed, 10.10.1.*
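Added example (not from the wiki page): a few helpers using Python's standard `ipaddress` module that make the CIDR rules above concrete, including the check that a subnet block is a subset of the VPC block and carving a /16 into /24 subnets. The usable-host count assumes the AWS rule that the first four and the last address of every subnet are reserved.

```python
import ipaddress

def prefix_fixed_bits(cidr: str) -> int:
    """Number of leading address bits fixed by the /N prefix (16 for a /16)."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen

def fixed_octet_pattern(cidr: str) -> str:
    """Render the fixed part as '10.10.*.*' (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen % 8:
        raise ValueError("pattern rendering assumes an octet-aligned prefix")
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    return ".".join(octets[:fixed] + ["*"] * (4 - fixed))

def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet CIDR must be a subset of the VPC CIDR block.
    strict=True also rejects blocks with host bits set, e.g. 10.10.1.5/24."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return ipaddress.ip_network(subnet_cidr, strict=True).subnet_of(vpc)

def usable_hosts(subnet_cidr: str) -> int:
    """AWS reserves the first four and the last address of each subnet,
    so a /24 gives 256 - 5 = 251 assignable addresses."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5

def carve_subnets(vpc_cidr: str, new_prefix: int) -> list:
    """Split the VPC block into equal subnets, e.g. a /16 into 256 /24s
    (enough for separate public/private subnets per AZ)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]
```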
Route Table
- A set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
NAT
- Enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances
Internet Gateway
- Allows communication between your VPC and the internet.
- Allows resources within your VPC to access the internet, and vice versa.
VPC Peering
- Allows us to connect 2 or more VPCs together as if they are part of the same network.
- A Networking connection between two VPCs that enables you to route traffic between them privately
- You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account.
- The VPCs can be in different Regions
Transit Gateway
- Centralized solution for connecting multiple VPCs across regions, accounts, and on-premises network
- Connects VPCs and On-Premises networks through a central hub
VPC Endpoint
- Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- Traffic between your VPC and the other service does not leave the Amazon network
AWS Private Link
- Establishes private connectivity between VPC and services hosted on AWS or on-premises, without exposing data to the internet.
Security
NACL
- Firewall of subnet
- Stateless: a change applied to an inbound rule isn't automatically applied to an outbound rule, so return traffic needs its own rule.
Security Group
- Firewall of AWS Resource such as EC2, Load Balancer, RDS
- Stateful: a change applied to an inbound rule is automatically applied to the outbound direction, so the reply to an allowed connection is permitted without an outbound rule.
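Added example (not from the wiki page): two toy packet filters that model the stateless/stateful difference above. With only an inbound rule for port 443, the NACL model drops the server's reply to the client's ephemeral port until an outbound rule for that port range is added, while the security group model allows the reply because it tracks the connection. The port numbers and flow are constructed.

```python
# Toy model only: real NACLs evaluate numbered rules and also match protocol/CIDR.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected subnet/instance
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int
    action: str = "allow"   # NACL rules may also "deny"; security group rules only allow
    def matches(self, pkt: Packet) -> bool:
        return self.direction == pkt.direction and self.port_lo <= pkt.dst_port <= self.port_hi

class NetworkACL:
    """Stateless: every packet, replies included, is checked in rule order; default deny."""
    def __init__(self, rules):
        self.rules = list(rules)
    def allows(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False

class SecurityGroup:
    """Stateful: the reply flow of an allowed packet is tracked and needs no rule of its own."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()   # (direction, src_port, dst_port) of allowed flows
    def allows(self, pkt: Packet) -> bool:
        reverse = ("out" if pkt.direction == "in" else "in", pkt.dst_port, pkt.src_port)
        if reverse in self.tracked:
            return True
        if any(rule.matches(pkt) for rule in self.rules):
            self.tracked.add((pkt.direction, pkt.src_port, pkt.dst_port))
            return True
        return False

def https_request_and_reply(fw) -> tuple:
    """Constructed flow: client on ephemeral port 51000 hits 443, server replies."""
    request = Packet("in", src_port=51000, dst_port=443)
    reply = Packet("out", src_port=443, dst_port=51000)
    return fw.allows(request), fw.allows(reply)
```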
Services
- EC2
- ECS : Elastic Container Service
- ELB : Elastic Load Balancing
- Lambda
- RDS
- SQS
EC2
- Compute service
- Allow us to provision virtual server on demand, called EC2 instance
IAM
- Used to manage access for users and resources
- Group :
- A collection of IAM users
- You can use groups to specify permissions for multiple users at a time
- User
- Has credentials (Username, Password)
- Allow access to AWS account
- Role
- Does not have credentials (Username, Password)
- Allow user or application access to AWS services
- Policy : Permission. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
- Identity-based policy : Attached to an IAM user, group, or role. This policy lets you specify what that identity can do with a resource.
- Resource-based policy : Attached to a resource. This policy lets you specify who has access to the resource and what actions they can perform on it.
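Added example (not from the wiki page): a simplified same-account model of how one identity-based policy (on a role) and one resource-based policy (on a bucket) combine for a single request. It applies the standard IAM rule that an explicit Deny anywhere wins and that otherwise one Allow from either policy type suffices; SCPs, permission boundaries, session policies and Condition keys are left out. The account id, role and bucket names are placeholders.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, principal_arn, action, resource_arn):
    """A statement applies when Action and Resource match the request and, for a
    resource-based policy (which carries a Principal), the Principal names the caller."""
    if "Principal" in stmt:
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in principals and principal_arn not in principals:
            return False
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])))

def is_allowed(identity_policies, resource_policies, principal_arn, action, resource_arn):
    """Explicit Deny in any applicable statement wins; otherwise one Allow from either an
    identity-based or a resource-based policy is enough; otherwise implicit deny."""
    effects = [s["Effect"] for policy in identity_policies + resource_policies
               for s in policy["Statement"] if _applies(s, principal_arn, action, resource_arn)]
    return "Deny" not in effects and "Allow" in effects

# Constructed sample: the account id and names are placeholders, not real resources.
DEV_ROLE = "arn:aws:iam::123456789012:role/dev"
BUCKET = "arn:aws:s3:::example-logs"
IDENTITY_POLICY = {"Statement": [                       # attached to the dev role
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
RESOURCE_POLICY = {"Statement": [                       # attached to the bucket
    {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE},
     "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"}]}
```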
RDS
- The basic building block of Amazon RDS is the DB instance.
- DB instance can contain multiple user-created databases.
- Each DB instance runs a DB engine. Amazon RDS currently supports the MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines.
- In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.
- With Read replica, the source DB instance becomes the primary DB instance. Updates made to the primary DB instance are asynchronously copied to the read replica. You can reduce the load on your primary DB instance by routing read queries from your applications to the read replica.
API Gateway
- There are 2 types
- HTTP APIs
- A collection of routes and methods that are integrated with backend HTTP endpoints or Lambda functions. Each route can expose one or more API methods that have unique HTTP verbs supported by API Gateway.
- Lower latency and lower cost than REST APIs
- Support private integration using an Application Load Balancer or Network Load Balancer
- REST APIs
- A collection of HTTP resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. Typically, API resources are organized in a resource tree according to the application logic. Each API resource can expose one or more API methods that have unique HTTP verbs supported by API Gateway.
- Support private integration using a Network Load Balancer only.
- VPC Link : Enables you to create private integrations that connect your API to private resources in a VPC, such as Application Load Balancers or Amazon ECS container-based applications.
AWS Cognito
- User Pools
- User directory
- User pools are for authentication (identity verification).
- With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP)
- Identity Pools
- Identity pools are for authorization (access control) or Federated Identities
- Provide AWS credentials to grant your users access to other AWS services.
- Used to assign IAM roles to users who authenticate through a separate Identity Provider. Because these users are assigned an IAM role, they each have their own set of IAM permissions, allowing them to access AWS resources directly.
Sample use case
Let’s use an example to illustrate the distinction. Say you’re developing a serverless app using Cognito and Lambda. If you used User Pools to manage authentication, then you could configure API Gateway to pass through the user’s ID and group membership to your application. This would allow your code to determine if the user has sufficient permissions to access the requested functionality. However, the IAM permissions used to access the underlying AWS resources, like DynamoDB, would come from the Lambda execution role. All users who access your app would be operating under the same IAM role, and it would be up to you to make sure the right users get access to the right resources.
However, if your application was using Identity Pools, then AWS would assign the user to an IAM role, and you could flow the permissions associated with that role through the application. This would mean, for example, that the user could access DynamoDB with her own IAM permissions, rather than the application-wide permissions that come from the Lambda execution role.
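Added example (not from the wiki page): the User Pools side of the use case above as a Lambda handler behind an API Gateway REST API with a Cognito user pool authorizer. The handler reads the caller's `sub` and `cognito:groups` from the claims API Gateway forwards and enforces the group check in application code; any AWS call it then makes runs under the Lambda execution role, the same for every caller. The claims location, the comma-separated group format and the group names are assumptions.

```python
import json

# Hypothetical group required per HTTP method for this app.
REQUIRED_GROUP = {"GET": "readers", "DELETE": "admins"}

def _claims(event) -> dict:
    """Claims as forwarded by a REST API Cognito user pool authorizer (assumed shape)."""
    return event.get("requestContext", {}).get("authorizer", {}).get("claims", {}) or {}

def caller_id(event):
    return _claims(event).get("sub")

def caller_groups(event) -> set:
    """Groups from the forwarded claims; assumed to arrive as a comma-separated string,
    but a list is accepted too. Missing claim means no groups."""
    raw = _claims(event).get("cognito:groups", "")
    if isinstance(raw, list):
        return set(raw)
    return {g.strip() for g in raw.split(",") if g.strip()}

def handler(event, context=None) -> dict:
    """Deny by default: no identity -> 401, missing required group -> 403."""
    user = caller_id(event)
    if not user:
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    method = event.get("httpMethod", "")
    needed = REQUIRED_GROUP.get(method)
    if needed is None or needed not in caller_groups(event):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    # Any DynamoDB/S3 access made here uses the Lambda execution role's permissions,
    # not the user's; per-user IAM permissions would require Identity Pools instead.
    return {"statusCode": 200, "body": json.dumps({"user": user, "method": method})}

def sample_event(method: str, groups: str, sub="user-123") -> dict:
    """Constructed event in the shape of a Lambda proxy integration with user pool claims."""
    return {"httpMethod": method,
            "requestContext": {"authorizer": {"claims": {"sub": sub, "cognito:groups": groups}}}}
```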