AWS ‐ CP Module 4 - rFronteddu/general_wiki GitHub Wiki

Learning objectives

In this module, you will learn how to:

  • Describe the basic concepts of networking.
  • Describe the difference between public and private networking resources.
  • Explain a virtual private gateway using a real life scenario.
  • Explain a virtual private network (VPN) using a real life scenario.
  • Describe the benefit of AWS Direct Connect.
  • Describe the benefit of hybrid deployments.
  • Describe the layers of security used in an IT strategy.
  • Describe the services customers use to interact with the AWS global network.

Module sections:

  1. Connectivity to AWS
  2. Subnets and Network ACLs
  3. Global Networking

Connectivity To AWS

Amazon Virtual Private Cloud (Amazon VPC) is a networking service that lets you provision a logically isolated section of the AWS Cloud and launch resources in a virtual network that you define, establishing a boundary around your AWS resources. Resources inside the VPC can be placed in public or private subnets.

  • Within a virtual private cloud (VPC), you can organize your resources into subnets. A subnet is a section of a VPC that can contain resources such as Amazon EC2 instances.

  • For public traffic to reach a VPC, you must attach an internet gateway to it. An internet gateway is a connection between a VPC and the internet. You can think of an internet gateway as being similar to the doorway that customers use to enter the coffee shop. Without an internet gateway, no one on the internet can access the resources within your VPC.

  • A virtual private gateway lets you establish a virtual private network (VPN) connection between your VPC and a private network, such as an on-premises data center or internal corporate network, and it admits traffic into the VPC only if that traffic arrives over the VPN from the approved network. The VPN traffic is encrypted, but it still travels across the public internet: in the coffee-shop analogy, your connection has extra protection, yet traffic jams are still possible because you share the same road as other customers.

  • If you want to keep your traffic off the public internet entirely, you can use AWS Direct Connect to establish a private, dedicated connection between your private network and your VPC. Direct Connect gives you a dedicated path, not encryption: if confidentiality is a requirement, encrypt at the application layer or run a Site-to-Site VPN over the Direct Connect link.

To establish this connection, you work with an AWS Direct Connect Partner in your area to provision a physical line into an AWS Direct Connect location.

Subnets and Network Access Control Lists

AWS has several tools that cover many layers of network security:

  • Network hardening
  • Application security
  • User identity
  • Authentication and authorization
  • Distributed denial of service (DDoS) protection
  • Data integrity
  • Encryption, and more

A subnet is a section of a VPC in which you can group resources based on security or operational needs. Subnets can be public or private.

  • Public subnets contain resources that need to be accessible by the public, such as an online store’s website.
  • Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories.

In a VPC, subnets can communicate with each other. For example, you might have an application that involves Amazon EC2 instances in a public subnet communicating with databases that are located in a private subnet.

Every packet that crosses a subnet boundary is checked against a network access control list (network ACL) to determine whether it is permitted to enter or leave the subnet, based on where the packet comes from and how it is trying to communicate (protocol and port).

A network ACL is a virtual firewall that controls inbound and outbound traffic at the subnet level.

Each VPC includes a default network ACL. When configuring your VPC, you can use the default network ACL or create custom network ACLs.

Network ACLs perform stateless packet filtering. They remember nothing and check packets that cross the subnet border each way: inbound and outbound.

By default, a VPC's default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules. For a custom network ACL, all inbound and outbound traffic is denied until you add rules that specify which traffic to allow. Rules are evaluated in ascending order by rule number and the first matching rule decides; every network ACL ends with an explicit deny rule (shown as `*`), which ensures that a packet matching none of the numbered rules is denied.

Once a packet has passed the network ACL, it is checked again at the instance by a security group. A newly created security group allows no inbound traffic at all until you add rules.

The VPC component that checks packet permissions for an Amazon EC2 instance is called a security group. A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance. By default, a security group denies all inbound traffic and allows all outbound traffic. You can add custom rules to configure which traffic should be allowed; any other traffic is then denied.

The key difference between security groups and network ACLs is that a security group is stateful: it tracks the connections it has already allowed, so the return traffic of an allowed request is permitted automatically. A network ACL is stateless: it checks every packet in isolation against its rules, regardless of any earlier packet.

By default, all outbound traffic is allowed out of a security group. Consider an EC2 instance in one subnet sending a request to an instance in another subnet: the packet must pass the outbound rules of its own subnet's network ACL, then the inbound rules of the destination subnet's network ACL, then the inbound rules of the destination instance's security group. On the way back, each network ACL, being stateless, evaluates the response packet afresh against its rules, whereas the originating instance's security group, being stateful, remembers that the local instance opened the connection and lets the response in without needing an inbound rule. A practical consequence is that custom network ACLs need rules allowing the ephemeral port range (typically 1024-65535) in the return direction, or response packets are silently dropped.
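The following is an added example, not code from the course or from AWS: a small Python model of a stateless network ACL in front of a stateful security group, used to show why return traffic passes the security group but can still be dropped by a network ACL that has no outbound ephemeral-port rule. The rule numbers, CIDRs (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), ports and the TCP-only simplification are all constructed assumptions.

```python
"""Simplified model of AWS packet filtering: a stateless network ACL at the subnet
boundary, then a stateful security group on the instance.

Assumptions (not from the page): TCP only, a flow is identified by its two
(ip, port) endpoints, and all addresses/ports below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow_key(self):
        # Direction-independent identity so a reply maps to the same flow as its request.
        return frozenset({(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)})


@dataclass(frozen=True)
class AclRule:
    number: int     # evaluated in ascending order; first match wins
    action: str     # "allow" or "deny"
    cidr: str       # remote network (source for inbound, destination for outbound)
    ports: range    # destination port range


class NetworkAcl:
    """Stateless: every packet is judged on its own, in both directions."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def allows(self, pkt, direction):
        remote = ipaddress.ip_address(pkt.src_ip if direction == "in" else pkt.dst_ip)
        for rule in self.rules[direction]:
            if remote in ipaddress.ip_network(rule.cidr) and pkt.dst_port in rule.ports:
                return rule.action == "allow"
        return False  # the implicit final '*' deny rule


class SecurityGroup:
    """Stateful: inbound allow-rules only, all outbound allowed, replies to tracked flows pass."""

    def __init__(self, inbound):
        self.inbound = inbound   # list of (cidr, port range)
        self.flows = set()       # connection-tracking table

    def allows(self, pkt, direction):
        key = pkt.flow_key()
        if key in self.flows:    # reply to (or continuation of) an already-allowed flow
            return True
        if direction == "out":   # default: all outbound traffic is allowed and tracked
            self.flows.add(key)
            return True
        src = ipaddress.ip_address(pkt.src_ip)
        for cidr, ports in self.inbound:
            if src in ipaddress.ip_network(cidr) and pkt.dst_port in ports:
                self.flows.add(key)
                return True
        return False             # no rule matched: inbound is denied by default


def exchange(client_ip, client_port, server_ip, server_port, acl, sg):
    """Deliver a request into the subnet and the reply back out.
    Returns (request_delivered, reply_delivered)."""
    req = Packet(client_ip, client_port, server_ip, server_port)
    if not (acl.allows(req, "in") and sg.allows(req, "in")):
        return False, False
    reply = Packet(server_ip, server_port, client_ip, client_port)
    return True, sg.allows(reply, "out") and acl.allows(reply, "out")


# Constructed scenario: web server 10.0.1.10 in a public subnet, an internet client at
# 203.0.113.5, and an admin network 198.51.100.0/24 that is allowed to reach SSH.
EPHEMERAL = range(1024, 65536)
WEB_SG = SecurityGroup(inbound=[("0.0.0.0/0", range(443, 444)),
                                ("198.51.100.0/24", range(22, 23))])

# Correct ACL: return traffic to the client's ephemeral port is explicitly allowed outbound.
GOOD_ACL = NetworkAcl(
    inbound=[AclRule(100, "allow", "0.0.0.0/0", range(443, 444)),
             AclRule(110, "allow", "198.51.100.0/24", range(22, 23))],
    outbound=[AclRule(100, "allow", "0.0.0.0/0", EPHEMERAL)])

# Common mistake: no outbound ephemeral rule, so the ACL drops the reply the SG would pass.
BROKEN_ACL = NetworkAcl(
    inbound=[AclRule(100, "allow", "0.0.0.0/0", range(443, 444))],
    outbound=[])

if __name__ == "__main__":
    print(exchange("203.0.113.5", 51000, "10.0.1.10", 443, GOOD_ACL, WEB_SG))    # (True, True)
    print(exchange("203.0.113.5", 51001, "10.0.1.10", 443, BROKEN_ACL, WEB_SG))  # (True, False)
    print(exchange("203.0.113.5", 51002, "10.0.1.10", 22, GOOD_ACL, WEB_SG))     # (False, False)
```

The second case is the one worth remembering: the security group's connection table lets the reply out, but the stateless ACL evaluates the reply on its own, finds no outbound rule covering destination port 51001, and applies the final `*` deny.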

Quick recap of VPC components and what each is used for:

  • Private Subnet: isolate databases containing customers' personal information.
  • Virtual Private gateway: Create a VPN connection between the VPC and the internal corporate network.
  • Public Subnet: Support the customer-facing website
  • AWS Direct Connect: Establish a dedicated connection between on-premises data centers and the VPC.

Global Networking

Suppose that AnyCompany has a website hosted in the AWS Cloud. Customers enter the web address into their browser, and they are able to access the website. This happens because of Domain Name System (DNS) resolution. DNS resolution involves a customer DNS resolver communicating with a company DNS server.

You can think of DNS as being the phone book of the internet. DNS resolution is the process of translating a domain name to an IP address.

For example, suppose that you want to visit AnyCompany’s website.

  1. When you enter the domain name into your browser, this request is sent to a customer DNS resolver.
  2. The customer DNS resolver asks the company DNS server for the IP address that corresponds to AnyCompany’s website.
  3. The company DNS server responds by providing the IP address for AnyCompany’s website, 192.0.2.0.

Amazon Route 53 is Amazon's DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS. Route 53 connects user requests to infrastructure running in AWS (such as Amazon EC2 instances and load balancers), and it can also route users to infrastructure outside of AWS.

Another feature of Route 53 is the ability to manage the DNS records for domain names. You can register new domain names directly in Route 53. You can also transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location.

It supports several routing policies:

  • Latency-based routing: answers with the resource in the AWS Region that gives the user the lowest latency.
  • Geolocation DNS: answers based on the geographic location (continent, country, or US state) the query comes from, with an optional default record for locations that match nothing else.
  • Geoproximity routing: answers based on the geographic distance between users and resources, with an optional bias that expands or shrinks the area each resource serves.
  • Weighted round robin: spreads queries across multiple resources in the proportions you set with per-record weights.

You can also use this service to buy domain names.
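As an added example (not the course's or AWS's code), the following Python simulates how three of the routing policies above choose which record to return: latency-based, geolocation (with the country, then continent, then default fallback order) and weighted (including the rule that a weight of 0 is never answered unless every record has weight 0). Records, Region names, latencies and the 192.0.2.0/24 addresses are constructed; geoproximity is left out because its bias scaling is not described on this page.

```python
"""Simplified simulation of three Route 53 routing policies.

Added example, not the page's or AWS's code. Records, Regions, latencies and IPs
(192.0.2.0/24 documentation range) are constructed for illustration."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    value: str          # the IP address returned in the DNS answer
    region: str = ""    # AWS Region of the resource (latency-based routing)
    location: str = ""  # country or continent code, "*" = default (geolocation routing)
    weight: int = 0     # relative share of queries (weighted routing)


def latency_based(records, latency_ms):
    """Return the value of the record in the Region with the lowest measured latency.
    latency_ms maps Region name -> latency from the resolver's location (constructed)."""
    return min(records, key=lambda r: latency_ms[r.region]).value


def geolocation(records, country, continent):
    """Most specific match wins: country, then continent, then the '*' default record.
    Route 53 returns no answer when nothing matches and no default record exists."""
    by_location = {r.location: r for r in records}
    for key in (country, continent, "*"):
        if key in by_location:
            return by_location[key].value
    return None


def weighted(records, rng=random):
    """Pick a record with probability weight / sum(weights).
    A record with weight 0 is never returned, unless all weights are 0, in which
    case every record is equally likely."""
    total = sum(r.weight for r in records)
    if total == 0:
        return rng.choice(records).value
    pick = rng.random() * total
    for record in records:
        pick -= record.weight
        if pick < 0:
            return record.value
    return records[-1].value  # only reachable through floating-point rounding


def weighted_shares(records, draws, seed=0):
    """Run `draws` weighted answers with a seeded RNG; return observed share per value."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        value = weighted(records, rng)
        counts[value] = counts.get(value, 0) + 1
    return {value: n / draws for value, n in counts.items()}


# Constructed record sets
LATENCY_RECORDS = [Record("192.0.2.10", region="us-east-1"),
                   Record("192.0.2.20", region="eu-west-1")]
GEO_RECORDS = [Record("192.0.2.10", location="*"),    # default
               Record("192.0.2.20", location="EU"),   # continent
               Record("192.0.2.30", location="DE")]   # country
WEIGHTED_RECORDS = [Record("192.0.2.10", weight=3),   # ~75% of answers
                    Record("192.0.2.20", weight=1),   # ~25% of answers
                    Record("192.0.2.30", weight=0)]   # never answered

if __name__ == "__main__":
    print(latency_based(LATENCY_RECORDS, {"us-east-1": 18, "eu-west-1": 92}))
    print(geolocation(GEO_RECORDS, "DE", "EU"), geolocation(GEO_RECORDS, "FR", "EU"),
          geolocation(GEO_RECORDS, "BR", "SA"))
    print(weighted_shares(WEIGHTED_RECORDS, 10000))
```

The geolocation fallback order is the part that usually bites in practice: without a `*` default record, a query from a location you did not list gets no answer at all rather than a best-effort one.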

Amazon CloudFront: a Content Delivery Network (CDN) is a network of servers that delivers content to users from the location geographically closest to them. Amazon CloudFront is AWS's content delivery service. It uses the network of AWS edge locations to cache content and deliver it to customers all over the world, as close to them as possible.


Suppose that AnyCompany’s application is running on several Amazon EC2 instances. These instances are in an Auto Scaling group that attaches to an Application Load Balancer.

  1. A customer requests data from the application by going to AnyCompany’s website.
  2. Amazon Route 53 uses DNS resolution to identify AnyCompany.com’s corresponding IP address, 192.0.2.0. This information is sent back to the customer.
  3. The customer’s request is sent to the nearest edge location through Amazon CloudFront.
  4. Amazon CloudFront connects to the Application Load Balancer, which sends the incoming packet to an Amazon EC2 instance.