AWS ‐ CP Module 5 - rFronteddu/general_wiki GitHub Wiki
Module 5
Introduction to networking
- Virtual private cloud (VPC) lets you provision a logically isolated section of the Cloud where you can launch resources in a VNET that you define.
- A subnet is used to organize your resources and can be made publicly (internet) or privately accessible.
- The AWS Cloud is the outermost box in most diagrams.
- Region is the next box. Regions are separate geographic areas chosen based on your users' geographic location for lower latency, compliance and data residency requirements, available services, and cost.
- A VPC (solid boxes) represents your isolated, logically segmented network within AWS. A VPC helps you to control your network resources and security.
- Availability Zones (AZs, separate boxes across a Region) consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Using multiple AZs can protect your applications from the failure of a single location in the Region.
- Subnets are VPC segments, allowing you to divide your VPC into smaller, manageable sections. A subnet is a range of IP addresses in your VPC.
- Private subnets (solid boxes) are designed to isolate resources that shouldn't be directly exposed to the public internet.
- Public subnets (dashed boxes) are designed to provide direct internet access to resources placed inside them. To allow access, they are connected with an internet gateway. You will learn more about internet gateways in a later lesson.
Organizing AWS Cloud Resources
- VPC core components:
- Internet GW: To allow public traffic from the internet to access your VPC, you attach an internet gateway to the VPC. An internet gateway is a connection between a VPC and the internet.
- Virtual private GW: With a VPGW, you can establish a VPN connection between your VPC and a private network, such as an on-premises data center or internal corporate network.
When organizing your resources in the AWS Cloud, you need to be able to group certain functions together and either isolate them from the public or make them available to the public. With Amazon VPC, you can provision an isolated section of the AWS Cloud. In this isolated section, you can launch resources in a VNET that you define. It provides three main benefits: it helps increase security because you can
- secure and monitor connections,
- screen traffic, and
- restrict instance access.
Amazon VPC gives you full control over your resource placement, connectivity, and security.
Within an Amazon VPC, you can organize your resources into subsections or subnets. A subnet is a section of an Amazon VPC that can contain resources, such as EC2 instances. To allow public traffic from the internet to access your VPC, you attach an internet gateway to the VPC. An internet gateway is a connection between a VPC and the internet.
With a VPGW, you can establish a VPN connection between your VPC and a private network, such as an on-premises data center or internal corporate network. A VPGW allows traffic into the VPC only if it is coming from an approved network.
- Amazon Virtual Private Cloud (VPC): Amazon VPC is used to establish boundaries around your AWS resources.
- Virtual private gateway (VPGW): A virtual private gateway allows protected internet traffic to enter into the VPC.
- Virtual private network (VPN): A VPN encrypts your internet traffic, helping protect it from anyone who might try to intercept or monitor it.
More ways to connect to AWS Cloud
- AWS Client VPN: Fully managed, elastic VPN service to securely connect a remote workforce and on-premises networks to AWS Cloud resources.
- AWS Site-to-Site VPN: Site-to-Site VPN creates secure connections between your data center or branch offices and AWS Cloud resources. Good for migration and for secure communication between remote locations.
- AWS PrivateLink: Securely connect resources, even in other VPCs as if they were in your VPC. You do not need to use an internet gateway, NAT device, public IP address, Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with AWS services or resources from your private subnets. Instead, you control the specific API endpoints, sites, services, and resources that are reachable from your VPC. It is used for connecting your clients in your VPC to resources, other VPCs, and endpoints.
Even though the preceding connections are highly available and scalable, traffic jams are possible because you’re using the same connection as other clients. For some use cases, you might need a dedicated private connection with a lot of bandwidth => AWS Direct Connect
- AWS Direct Connect: AWS Direct Connect is a private, dedicated AWS connection to your data center or office. Use cases: latency-sensitive applications, large-scale data migration or transfer, and hybrid cloud architectures.
There are several different types of gateways you can use to connect your AWS resources.
- AWS Transit GW: Used to connect VPCs and on-premises networks through a central hub. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.
- NAT GW: A NAT gateway is a managed Network Address Translation service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, but external services can't initiate a connection with those instances.
- Amazon API GW: AWS service for creating, publishing, maintaining, monitoring, and securing APIs at any scale.
Subnets, security groups, and network access control lists
- Describe how network traffic works in a VPC.
- Describe how security groups work (stateful).
- Describe how network access control lists (network ACLs) work (stateless).
- Describe who is responsible for securing subnets with security groups and network ACLs according to the AWS Shared Responsibility Model.
A subnet is a section of a VPC in which you can group resources based on security or operational needs. Subnets can be public or private.
- Public subnets contain resources that need to be accessible by the public, such as an online store’s website.
- Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories.
In a VPC, you can define rules to allow resources in different subnets to communicate with each other.
Network Traffic in a VPC
When a customer requests data from an application hosted in the AWS Cloud, the request is sent as a packet.
It enters the VPC through an internet gateway. Before a packet can enter or exit a subnet, it runs into several permission checks, one being the network ACL associated with the subnet the packet is being routed to. The permissions defined by the network ACL indicate what is allowed or denied, based on who sent the packet and how the packet is trying to communicate with the resources in the subnet. The VPC component that checks packet permissions for subnets is the network ACL.
- A network Access Control List (network ACL) is a virtual firewall that controls inbound and outbound traffic at the subnet level. By default, the default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules. For custom network ACLs, all inbound and outbound traffic is denied until you add rules to specify which traffic to allow. Additionally, all network ACLs have an explicit deny rule. This rule makes sure that if a packet doesn't match any of the other rules on the list, the packet is denied.
Network ACLs perform stateless packet filtering. They keep no connection state and check every packet that crosses the subnet border in each direction, inbound and outbound.
After a packet has entered a subnet, it must have its permissions evaluated for resources within the subnet, such as Amazon EC2 instances. A security group is the VPC component that checks packet permissions for an Amazon EC2 instance. It is a virtual firewall that controls inbound and outbound traffic for specific AWS resources. By default, a security group denies all inbound traffic and allows all outbound traffic. You can add custom rules to configure which traffic should be allowed; any other traffic is then denied.
Security groups are stateful: they remember which connections have been allowed. Network ACLs are stateless: they check every packet regardless of circumstances (whether the sender matches an entry on the access list).
By default, all traffic is allowed out of a security group. A packet leaving an instance then has to pass the network ACL of its subnet; when it enters the second network it has to pass that subnet's network ACL and then the security group of the other EC2 instance. On the way back, the network ACLs, being stateless, check the response packet against their rules again, while the source security group, being stateful, remembers that the local EC2 instance generated the first packet towards the destination and lets the response through.
Note: If you have multiple Amazon EC2 instances within the same VPC, you can associate them with the same security group or use different security groups for each instance.
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Scope | Instance level (attached to EC2 instances) | Subnet level (associated with subnets) |
| State | Stateful (remembers state) | Stateless (doesn't remember state) |
| Rule types | Allow rules only | Both allow and deny rules |
| Return traffic | Return traffic is automatically allowed if the inbound traffic was allowed | Return traffic must be explicitly allowed by rules in both directions |
| Uses | Fine-grained control of traffic for individual EC2 instances | Broad control of traffic in and out of subnets |
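As an added example (not from the course or from this wiki), the following Python simulates the two filters compared above: a stateless network ACL evaluated in rule-number order with a final deny, and a stateful security group that tracks allowed connections. The addresses, ports and rules are constructed for the scenario of an internet client opening HTTPS to a web instance, and the class and function names are my own.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")  # IPs and ports of one packet
# number: evaluation order (network ACLs only); action: "allow"/"deny"; ports: inclusive (low, high)
Rule = namedtuple("Rule", "number action cidr ports")

def _matches(rule, remote_ip, port):
    return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.ports[0] <= port <= rule.ports[1])

class NetworkAcl:
    # Stateless: each packet is checked in its own direction, numbered rules in order, first match wins, else '*' deny.
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}
    def check(self, pkt, direction):
        remote = pkt.src if direction == "in" else pkt.dst
        for rule in self.rules[direction]:
            if _matches(rule, remote, pkt.dport):
                return rule.action == "allow"
        return False  # the '*' deny rule

class SecurityGroup:
    # Stateful: allow rules only; a reply to an allowed packet passes even with no matching rule in its direction.
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()  # (remote_ip, remote_port, local_port) of allowed connections
    def check(self, pkt, direction):
        if direction == "in":
            remote, flow = pkt.src, (pkt.src, pkt.sport, pkt.dport)
        else:
            remote, flow = pkt.dst, (pkt.dst, pkt.dport, pkt.sport)
        if flow in self.flows:
            return True  # return traffic of a tracked connection
        if any(_matches(r, remote, pkt.dport) for r in self.rules[direction]):
            self.flows.add(flow)
            return True
        return False

def https_round_trip(acl_allows_ephemeral_out):
    # Constructed: client 203.0.113.5 opens HTTPS to instance 10.0.1.10; both filters allow inbound 443,
    # the security group is given no outbound rule at all, the ACL optionally allows ephemeral ports out.
    allow_443 = [Rule(100, "allow", "0.0.0.0/0", (443, 443))]
    acl_out = [Rule(100, "allow", "0.0.0.0/0", (1024, 65535))] if acl_allows_ephemeral_out else []
    acl, sg = NetworkAcl(allow_443, acl_out), SecurityGroup(allow_443, [])
    request = Packet("203.0.113.5", "10.0.1.10", 49152, 443)
    reply = Packet("10.0.1.10", "203.0.113.5", 443, 49152)
    request_ok = acl.check(request, "in") and sg.check(request, "in")  # subnet first, then instance
    reply_ok = sg.check(reply, "out") and acl.check(reply, "out")  # instance first, then subnet
    return request_ok, reply_ok
```

Without the outbound ephemeral-port rule the network ACL drops the HTTPS response even though the request was allowed, which is what the "explicitly allowed in both directions" row means in practice; the security group lets the same response through with no outbound rule at all.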
When it comes to securing the subnets and resources in your VPC with network ACLs and security groups, that is your responsibility. These components make up networking traffic protection and are critical defenses in protecting your applications IN the cloud.
Global Networking
- Define what Domain Name System (DNS) is and what it does.
- Describe benefits and use cases of Amazon Route 53: Amazon DNS service.
- Describe benefits and use cases of Amazon CloudFront: Amazon CDN.
Edge networking is the process of bringing information storage and computing abilities closer to the devices that produce that information and the users who consume it. Edge computing is important because organizations often need lower latency access to their data and content. By performing tasks or caching data locally or closer to users, organizations can deliver faster, more responsive experiences while maintaining better control over their infrastructure.
For example, suppose that you want to visit AnyCompany’s website.
- When you enter the domain name into your browser, this request is sent to a customer DNS resolver.
- The customer DNS resolver asks the company DNS server for the IP address that corresponds to AnyCompany’s website.
- The company DNS server responds by providing the IP address for AnyCompany’s website, 192.0.2.0.
- Route 53 is Amazon's DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS. Route 53 connects user requests to infrastructure running in AWS (such as Amazon EC2 instances and load balancers). It can also route users to infrastructure outside AWS.
Route 53 can also manage the DNS records for domain names. You can register new domain names directly in Route 53. You can transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location.
It supports:
- Latency-based routing
- Geolocation DNS
- Geoproximity routing
- Weighted round robin
You can also use this service to buy domain names.
- Amazon CloudFront: CloudFront is a Content Delivery Network (CDN). It uses a network of edge locations to cache content and deliver content to customers all over the world.
Instead of all requests traveling back to one central warehouse (your origin server), CloudFront stores copies of your content at locations closer to your users.
Global Accelerator
Global Accelerator is a service that uses the AWS global network to improve application availability, performance, and security. It uses intelligent traffic routing and fast failover if something goes wrong in one of your application locations.
Instead of your users' requests taking the regular, sometimes congested internet routes, Global Accelerator directs traffic through the AWS private global network—getting your users to your application faster and more reliably.
Global Architectures
- Identify examples of when to use a VPN or Direct Connect.
- Describe at a high level how a VPC with a virtual private network (VPN) connection and Direct Connect work together.
- Describe how a multi-Region architecture works with CloudFront and Route 53.
- Amazon Virtual Private Cloud (Amazon VPC): Amazon VPC is a service to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
- Subnet: A subnet is a section of a VPC that can contain resources and is used to organize your resources. Subnets can be either public or private.
- Internet gateway: An internet gateway is a connection between a VPC and the internet. It allows public traffic from the internet to access your VPC.
- Virtual private gateway: A virtual private gateway is the component that allows protected internet traffic to enter into the VPC. It allows a connection between your VPC and a private network only if the traffic is coming from an approved network.
- AWS Client VPN: AWS Client VPN is a networking service you can use to connect your remote workers and on-premises networks to the cloud. It is a fully managed, elastic VPN service that automatically scales up or down based on user demand.
- AWS Site-to-Site VPN: AWS Site-to-Site VPN creates a secure connection between your data center or branch offices and your AWS Cloud resources.
- AWS PrivateLink: AWS PrivateLink is a highly available, scalable technology that you can use to privately connect your VPC to services and resources as though they were in your VPC.
- AWS Direct Connect: AWS Direct Connect is a service that provides a dedicated private connection between your data center and a VPC.
- Network Access Control List (network ACL): A network ACL allows or denies specific inbound or outbound traffic at the subnet level using stateless packet filtering.
- Security groups: Security groups control the inbound and outbound traffic for a resource at the instance level using stateful packet filtering.
- Domain Name System (DNS): DNS translates human-readable domain names to machine-readable IP addresses (for example, 192.0.2.0).
- Amazon Route 53: Route 53 is a scalable and reliable DNS web service that helps developers and businesses route end users to internet applications, whether they're hosted in AWS or elsewhere. It also supports domain registration, health checks, and advanced traffic routing policies.
- Amazon CloudFront: CloudFront is a web service that speeds up distribution of your web content to your users through a worldwide network of data centers called edge locations. It securely delivers content with low latency and high transfer speeds.
- AWS Global Accelerator: Global Accelerator is a networking service that helps improve the availability and performance of applications for global users by routing traffic through the AWS global network. It helps improve application availability, performance, and security.
- AWS Transit Gateway: AWS Transit Gateway is a network transit hub used to interconnect VPCs and on-premises networks.
- NAT Gateway: A Network Address Translation (NAT) gateway allows instances in a private subnet to connect with services outside your VPC. External services can't initiate a connection with those instances.
- API Gateway: Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing APIs at any scale. It handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls.