networking - kurt2439/wiki GitHub Wiki

Networking

VPC Peering

  • Allows you to route traffic between two VPCs -- they can be peered within your own account or with other AWS accounts within the same region (so different AZs are OK)

    • Neither a gateway nor a VPN connection -- no separate piece of hardware. No single point of failure.
    • No transitive peering. In A<->B<->C, A can route to B but not to C (you would have to peer A<->C directly)
    • Cannot have same IP ranges in different VPCs
    • VPCs can have many peers (50 soft limit, up to 125?)
    • "Placement groups" can span peered VPCs but you will not get full bandwidth between instances in peered VPCs
  • Limits

    • Cannot reference a security group from the peer VPC as a source or destination; must use a CIDR block.
    • Private DNS values cannot be resolved between VPCs
  • Steps

    • One party sends request
    • 2nd party accepts
    • 1st party adds route to 2nd party
    • 2nd party adds routes back
    • Security groups in both VPCs have to allow traffic between each other (also Network ACLs)
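
The steps above are easy to get half-done (a peering accepted but the return route never added, or a route pointed at a VPC that is only reachable transitively). The following is an added example, not from this wiki, that checks a locally described topology for those mistakes before you touch a real account; the VPC CIDRs, route tables and `pcx-*` ids are constructed placeholders.

```python
import ipaddress

# Constructed sample topology: A<->B and B<->C are peered, A<->C is not.
VPCS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
PEERINGS = {frozenset({"A", "B"}): "pcx-ab", frozenset({"B", "C"}): "pcx-bc"}
# Route tables as destination CIDR -> target. C never added its route back to B.
ROUTES = {
    "A": {"10.1.0.0/16": "pcx-ab"},
    "B": {"10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
    "C": {},
}


def cidrs_overlap(cidr_a, cidr_b):
    """A peering request is rejected when the two VPC CIDR blocks overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def diagnose(src, dst, vpcs=VPCS, peerings=PEERINGS, routes=ROUTES):
    """Return the reasons src cannot reach dst over peering; [] means the peering
    and both route-table entries exist (security groups and NACLs must still
    allow the peer CIDR, which this check does not model)."""
    problems = []
    if cidrs_overlap(vpcs[src], vpcs[dst]):
        problems.append("CIDR blocks overlap; peering cannot be created")
        return problems
    # Peering is not transitive: only a direct A<->B connection counts.
    pcx = peerings.get(frozenset({src, dst}))
    if pcx is None:
        problems.append(f"no direct peering between {src} and {dst} (peering is not transitive)")
        return problems
    # Step 3: the requester routes the peer's CIDR to the peering connection.
    if routes[src].get(vpcs[dst]) != pcx:
        problems.append(f"{src} has no route to {vpcs[dst]} via {pcx}")
    # Step 4: the accepter must add the return route, or replies are dropped.
    if routes[dst].get(vpcs[src]) != pcx:
        problems.append(f"{dst} has no route back to {vpcs[src]} via {pcx}")
    return problems


if __name__ == "__main__":
    for s, d in (("A", "B"), ("A", "C"), ("B", "C")):
        print(s, "->", d, diagnose(s, d) or "OK")
```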

Exam Tips

  • Steps to setup VPC peer
  • Troubleshooting VPC peering

Direct Connect

  • Establishes a dedicated network connection from your premises to AWS.
    • Increased bandwidth, more reliability, lower cost when dealing with large volumes of traffic
    • 802.1q VLANs
    • Allows Multiple Virtual Interfaces (VIFs)
      • Access public resources such as S3 and private resources like EC2 private IP space while maintaining network separation between environments
  • 10Gbps, 1Gbps, sub-1Gbps through AWS partners (?)
  • NOT redundant -- use BGP to fail over automatically from Direct Connect to a Site-to-Site VPN OR a second Direct Connect
    • Reminder: Site-to-Site VPN uses a Customer Gateway (customer side) and a Virtual Private Gateway (AWS side) when setting up the VPN connection

Virtual Interfaces

Key Points

  • If accessing public services using HTTPS endpoints (DynamoDB, S3), use public VIFs
  • If using private IPs, use private VIFs
  • In the US you only need 1 Direct Connect to access all 4 US regions -- data between regions goes over AWS lines, not the public internet
  • Layer 2 connections not supported

HPC (High Performance Compute) and Enhanced Networking

  • HPC involves

    • batch processing with large and compute intensive workloads
    • Demands high performance CPU, network, and storage
    • Usually jumbo frames are required (9000 bytes of payload): they are used frequently with shared file systems, and HPC apps need lots of disk I/O on shared file systems, so jumbo frames are critical in many cases...
  • Jumbo Frames only supported on "enhanced networking" instances.

    • Enhanced Networking is provided by using "single root I/O virtualization" (SR-IOV) on supported instance types
    • C3, C4, D2, I2, M4, R3
    • Only on HVM (hardware virtualized) instances, not PV (paravirtual)
    • See Enhanced Networking Documentation on AWS Docs
  • Placement Groups are a logical grouping of instances within a single AZ.

    • Low latency, 10Gbps network
    • Instance type must support Enhanced Networking
    • Placement Groups do NOT span AZ, but can span subnets in the same AZ (can span VPC but lots of performance degradation)
    • Use homogeneous instance types so that your launch succeeds (??). There may not be enough capacity to launch all your instances later on, so size for peak load (??)

Exam Tips

  • Enhanced Networking available using SR-IOV with HVM
  • Can span subnets but not AZ
  • Cannot move existing instances into a placement group
  • Use homogeneous instance types
  • Provision your placement group for peak, may not be able to add instances later

Elastic Load Balancer

  • Automatically distributes incoming traffic across multiple instances

  • Know which ports ELBs support

    • SMTP
    • HTTP/S
    • 1024-65535
  • Cannot assign an Elastic IP address to an ELB (still true?)

  • IPv4 and IPv6 are supported (VPCs do not support IPv6 currently [still true?])

  • You can load balance to the "Zone Apex" of your domain name (using alias record)

  • You can get a history of the ELB API calls made on the account for security analysis and operational troubleshooting purposes with CloudTrail

  • If you have multiple SSL certs you should use multiple ELBs (unless you have a wildcard, obviously)

Scaling NATs
