
AWS Module 5 - Networking and Content Delivery

Link to the Hackmd note

Section 1: Networking basics

Networks

  • A network can be partitioned into subnets
  • Requires a networking device (router/switch)

IP addresses

  • Unique number assigned to a machine
  • Four decimal numbers separated by dots
  • Each number is 8 bits (between 0 and 255) $\rightarrow$ total = 32 bits

IPv4 and IPv6 addresses

  • IPv4 (32-bit) address: 192.0.2.0
  • IPv6 (128-bit) address: 2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF
    • Accommodates many more users and devices
    • Each column is 16 bits (0 to FFFF)

Classless Inter-Domain Routing (CIDR)

  • The address is followed by a ‘/’ character
    • The number after the slash is how many leading bits of the address are fixed (the routing prefix)
  • Expresses a group of addresses

Open Systems Interconnection (OSI) model

Section 2: Amazon VPC

Amazon VPC

  • Private space in Amazon Cloud
  • Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
  • Gives you control over your virtual networking resources
    • Selection of IP address range
    • Creation of subnets
    • Configuration of route tables and network gateways
  • Enables you to customize the network configuration for your VPC
  • Enables you to use multiple layers of security
  • Can use IPv4 and IPv6

VPCs and subnets

  • VPCs:
    • Logically isolated from other VPCs
    • Dedicated to your AWS account
    • Belong to a single AWS Region and can span multiple Availability Zones
  • Subnets:
    • Range of IP addresses that divide a VPC
    • Belong to a single Availability Zone
    • Classified as public or private
    • Do not have direct access to the internet

IP addressing

  • When you create a VPC, you assign it an IPv4 CIDR block (a range of private IPv4 addresses)
  • You cannot change the address range after you create the VPC
  • The largest IPv4 CIDR block size is /16
  • The smallest IPv4 CIDR block size is /28
  • IPv6 is also supported (with a different block size limit)
  • CIDR blocks of subnets cannot overlap

Reserved IP addresses

Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses. The VPC has four equal-sized subnets. Only 251 IP addresses are available for use by each subnet.
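The CIDR and subnet arithmetic behind the sections above, as an added example that is not part of the original notes. It uses Python's standard `ipaddress` module; the only AWS-specific rule it encodes is that AWS reserves five addresses in every subnet (the first four for the network address, the VPC router, the Amazon-provided DNS resolver and future use, plus the last one for broadcast), which is why a /24 subnet yields the 251 usable addresses quoted in the example. The `/16` to `/28` limits are the ones stated in the notes.

```python
# Added example, not from the original notes: CIDR block arithmetic for VPCs
# and subnets using the standard ipaddress module.
from ipaddress import IPv4Network, ip_network

# AWS reserves 5 addresses per subnet: network, VPC router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def cidr_info(cidr: str) -> dict:
    """Describe a CIDR block: how many bits are fixed, how many are host bits, total size."""
    net = ip_network(cidr, strict=True)  # strict: host bits must be zero, e.g. 10.0.0.0/16
    return {
        "network": str(net.network_address),
        "prefix_len": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "total_addresses": net.num_addresses,
    }


def vpc_cidr_is_valid(cidr: str) -> bool:
    """AWS accepts IPv4 VPC blocks from /16 (largest) down to /28 (smallest)."""
    net = ip_network(cidr, strict=False)
    return isinstance(net, IPv4Network) and 16 <= net.prefixlen <= 28


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses an instance can actually receive in an AWS subnet of this size."""
    return ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def split_vpc(vpc_cidr: str, subnet_prefix: int) -> list:
    """Carve a VPC block into equal, non-overlapping subnets with the given prefix length."""
    return [str(s) for s in ip_network(vpc_cidr).subnets(new_prefix=subnet_prefix)]


def subnets_overlap(cidrs: list) -> bool:
    """True if any two subnet blocks overlap; AWS rejects such a layout."""
    nets = [ip_network(c) for c in cidrs]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    print(cidr_info("10.0.0.0/16"))           # 65,536 addresses, 16 host bits
    print(usable_addresses("10.0.1.0/24"))     # 251, the figure in the notes' example
    print(split_vpc("10.0.0.0/16", 18))        # four equal /18 subnets
    print(subnets_overlap(["10.0.0.0/24", "10.0.0.128/25"]))  # True: the /25 sits inside the /24
```

Note that four /24 subnets such as 10.0.0.0/24 through 10.0.3.0/24 leave most of a /16 unallocated; `split_vpc` shows what four subnets that actually fill the VPC look like.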

Public IP address type

  • Public IPv4 address
    • Manually assigned through an Elastic IP address
    • Automatically assigned through the auto-assign public IP address setting at the subnet level
  • Elastic IP address
    • Associated with an AWS account
    • Can be allocated and remapped anytime
    • Additional costs might apply

Elastic network interface

  • Its attributes follow it when it is attached to a new instance
  • Each instance in your VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC

Route tables and routes

  • Each route specifies a destination and a target
  • By default, every route table contains a local route for communication within the VPC
  • Each subnet must be associated with a route table, and with at most one

Section 3: VPC networking

Internet gateway

Two purposes:

  1. Provide a target in your VPC route tables for internet traffic
  2. Perform network address translation for instances that were assigned public IPv4 addresses

To make a subnet public, you attach an internet gateway to your VPC and add a route entry to the route table.

To create a NAT Gateway:

  • Must specify the public subnet in which the NAT gateway should live
  • Must specify an Elastic IP address to associate with the NAT gateway

After the NAT gateway is created:

  • Update the private subnet route table

You can also use a NAT instance in a public subnet in your VPC
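A model of the route tables described in this section and the one before it, as an added example that is not part of the original notes. The route targets `igw-EXAMPLE` and `nat-EXAMPLE` are placeholders in the style of AWS resource ids, the sample tables are constructed, and the lookup uses longest-prefix match, which is how a VPC route table chooses between a local route and a default route.

```python
# Added example, not from the original notes: a simplified VPC route table with
# longest-prefix-match lookup, showing what makes a subnet "public" or "private".
from ipaddress import ip_address, ip_network

# Constructed sample tables. Every VPC route table carries the local route;
# the public table sends everything else to an internet gateway, the private
# table to a NAT gateway that itself lives in the public subnet.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),        # traffic inside the VPC
    ("0.0.0.0/0", "igw-EXAMPLE"),    # placeholder internet gateway id
]
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-EXAMPLE"),    # placeholder NAT gateway id
]


def lookup(route_table, destination_ip):
    """Return the target for a destination address using longest-prefix match."""
    dst = ip_address(destination_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target  # None when no route matches (the packet is dropped)


def subnet_kind(route_table):
    """AWS terminology: a subnet is public if its table routes 0.0.0.0/0 to an internet gateway."""
    for cidr, target in route_table:
        if ip_network(cidr).prefixlen == 0 and target.startswith("igw-"):
            return "public"
    return "private"


def describe_path(route_table, destination_ip):
    """Explain how a packet from a subnet using this table reaches its destination."""
    target = lookup(route_table, destination_ip)
    if target is None:
        return "dropped: no matching route"
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("igw-"):
        return "internet via the internet gateway (instance needs a public IPv4 address)"
    if target.startswith("nat-"):
        return "internet via the NAT gateway (source address rewritten to its Elastic IP)"
    return f"forwarded to {target}"


if __name__ == "__main__":
    for name, table in (("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE)):
        print(name, subnet_kind(table))
        print("  10.0.2.9        ->", describe_path(table, "10.0.2.9"))
        print("  198.51.100.7    ->", describe_path(table, "198.51.100.7"))
```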

VPC sharing

VPC peering

You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions

Restrictions:

  • IP spaces cannot overlap
  • Transitive peering is not supported
  • You can only have one peering resource between the same two VPCs

AWS Site-to-Site VPN

  • By default, an Amazon VPC cannot communicate with your own remote network
  • Enable it by:
    • Attaching a virtual private gateway to the VPC
    • Creating a custom route table
    • Updating security group rules
    • Creating an AWS Site-to-Site VPN connection
    • Configuring routing

AWS Direct Connect

  • AWS Direct Connect
    • Dedicated private connection between your network and one of the Direct Connect locations
    • Uses open-standard 802.1Q virtual local area networks (VLANs)

VPC endpoints

AWS PrivateLink:

  • Requires a VPC interface endpoint
  • Private connectivity between two VPCs, AWS services and on-premises applications

Two types of endpoints:

  • Gateway endpoints (Amazon S3 and Amazon DynamoDB)
  • Interface endpoints (powered by AWS PrivateLink)

AWS Transit Gateway

Section 4: VPC security

Security groups

  • Security groups have rules to manage instance traffic
  • Default security groups are sealed shut to inbound traffic; you need to define rules
  • Security groups are stateful. Outbound traffic is always allowed.

Network access control lists (network ACLs)

  • One-to-one relationship with a subnet
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • Default network ACLs allow all inbound and outbound IPv4 traffic
  • Network ACLs are stateless

Security groups versus network ACLs

  • Scope
    • Security groups: instance level
    • Network ACLs: subnet level
  • Supported rules
    • Security groups: allow rules only
    • Network ACLs: allow and deny rules
  • State
    • Security groups: stateful (return traffic is automatically allowed, regardless of rules)
    • Network ACLs: stateless (return traffic must be explicitly allowed by rules)
  • Order of rules
    • Security groups: all rules are evaluated before the decision to allow traffic
    • Network ACLs: rules are evaluated in number order before the decision to allow traffic
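The comparison above turned into a toy packet evaluator, as an added example that is not part of the original notes. It contrasts a security group (stateful, allow rules only, every rule considered) with a network ACL (stateless, numbered allow/deny rules, first match wins). The `Packet` and `Rule` shapes, the simplified connection table and all sample addresses are constructed for this illustration; the behaviour being shown is the one the notes describe, in particular that a network ACL needs an explicit outbound rule for the ephemeral port range or the reply to an allowed inbound request is dropped.

```python
# Added example, not from the original notes: security group (stateful) versus
# network ACL (stateless) decisions on the same request/reply pair.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", seen from the instance / subnet
    src: str
    dst: str
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # the remote side of the connection
    action: str = "allow"  # only network ACLs can say "deny"
    number: int = 0        # evaluation order, network ACLs only


def rule_matches(rule, pkt):
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and rule.protocol in (pkt.protocol, "all")
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ip_address(peer) in ip_network(rule.cidr))


def flow_key(pkt):
    # Connection identity from the instance's side: (proto, peer ip, peer port, local port).
    if pkt.direction == "in":
        return (pkt.protocol, pkt.src, pkt.src_port, pkt.dst_port)
    return (pkt.protocol, pkt.dst, pkt.dst_port, pkt.src_port)


@dataclass
class SecurityGroup:
    rules: list
    tracked: set = field(default_factory=set)   # simplified connection table

    def evaluate(self, pkt):
        # Stateful: a reply belonging to an allowed connection passes without any rule.
        if flow_key(pkt) in self.tracked:
            return "allow"
        # Allow rules only; every rule is considered and any match allows.
        if any(rule_matches(r, pkt) for r in self.rules):
            self.tracked.add(flow_key(pkt))
            return "allow"
        return "deny"


@dataclass
class NetworkAcl:
    rules: list

    def evaluate(self, pkt):
        # Stateless: no connection table, so replies need a rule of their own.
        # Rules are walked in ascending number order; the first match decides.
        for r in sorted(self.rules, key=lambda r: r.number):
            if rule_matches(r, pkt):
                return r.action
        return "deny"   # the implicit final "*" deny rule


def demo():
    """An HTTPS request from a client and the instance's reply, through both filters."""
    request = Packet("in", "203.0.113.5", "10.0.1.10", "tcp", 50000, 443)
    reply = Packet("out", "10.0.1.10", "203.0.113.5", "tcp", 443, 50000)
    # No outbound rule at all (a real new group ships with allow-all outbound);
    # the reply still passes because the connection is tracked.
    sg = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])
    # This ACL forgets that replies go from port 443 back to an ephemeral port.
    acl_missing = NetworkAcl([
        Rule("in", "tcp", 443, 443, "0.0.0.0/0", "allow", 100),
        Rule("out", "tcp", 443, 443, "0.0.0.0/0", "allow", 100),
    ])
    acl_fixed = NetworkAcl(acl_missing.rules + [
        Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", "allow", 110),
    ])
    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),
        "acl_reply_without_ephemeral_rule": acl_missing.evaluate(reply),
        "acl_reply_with_ephemeral_rule": acl_fixed.evaluate(reply),
    }
```

Because network ACL rules are evaluated by number, a lower-numbered deny beats a higher-numbered allow for the same traffic; a security group has no such ordering because it can only allow.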

Section 5: Amazon Route 53

DNS resolution

Route 53

  • Is a highly available and scalable Domain Name System (DNS) web service
  • Is used to route end users to internet applications by translating names into numeric IP addresses
  • Is fully compliant with IPv4 and IPv6
  • Connects user requests to infrastructure running in AWS and also outside of AWS
  • Is used to check the health of your resources
  • Features traffic flow
  • Enables you to register domain names

Supported routing

  • Simple routing
    • Use in single-server environments
  • Weighted routing
    • Assign weights to resource record sets to specify how often each one is returned
  • Latency routing
    • Helps improve your global app
  • Geolocation routing
    • Route traffic based on location of your users
  • Geoproximity routing
    • Route traffic based on locations of your resources
  • Failover routing
    • Fail over to a backup site if your primary site becomes unreachable
  • Multivalue answer routing
    • Respond to DNS queries with up to eight healthy records selected at random

Use case: Multi-region deployment

DNS failover

Improve the availability of your applications that run on AWS by:

  • Configuring backup and failover scenarios for your own app
  • Enabling highly available multi-region architectures on AWS
  • Creating health checks
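The routing policies listed under "Supported routing" and the health-check-driven failover described just above, as an added example that is not part of the original notes. It models how answers are picked under the weighted, failover and multivalue answer policies once health-check results are known. Record values, weights and health states are constructed; the rules follow the policy descriptions in the notes, plus one assumption labelled in the code: when no record in a set is healthy the model fails open and answers as if all were healthy rather than returning nothing.

```python
# Added example, not from the original notes: a small model of Route 53's
# weighted, failover and multivalue answer policies driven by health checks.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    value: str              # IP address handed back to the resolver
    weight: int = 1         # weighted routing only
    role: str = "primary"   # failover routing: "primary" or "secondary"


def seeded_rng(seed=1):
    """Deterministic randomness so runs are reproducible."""
    return random.Random(seed)


def live_or_all(records, health):
    """Drop records whose health check failed (no check means healthy).
    Assumption of this model: if nothing is left, fail open and use every record."""
    live = [r for r in records if health.get(r.value, True)]
    return live if live else list(records)


def weighted_routing(records, health, rng):
    """Return one healthy record with probability proportional to its weight.
    Weight-0 records are skipped unless every record has weight 0."""
    pool = [r for r in records if r.weight > 0] or list(records)
    pool = live_or_all(pool, health)
    weights = [max(r.weight, 1) for r in pool]   # all-zero case: even spread
    return rng.choices(pool, weights=weights, k=1)[0].value


def failover_routing(records, health):
    """Active-passive: answer with the primary while it is healthy, else the secondary."""
    for role in ("primary", "secondary"):
        live = [r for r in records if r.role == role and health.get(r.value, True)]
        if live:
            return live[0].value
    # Both sides unhealthy: fail open to the primary rather than answer nothing.
    primaries = [r for r in records if r.role == "primary"]
    return primaries[0].value if primaries else None


def multivalue_answer(records, health, rng, max_answers=8):
    """Answer with up to eight healthy records, chosen at random."""
    live = live_or_all(records, health)
    return [r.value for r in rng.sample(live, min(max_answers, len(live)))]


def demo():
    rng = seeded_rng()
    app = [Record("app.example.com", "192.0.2.10", weight=3),
           Record("app.example.com", "192.0.2.20", weight=1)]
    health = {"192.0.2.20": False}   # constructed: the weight-1 server failed its check
    site = [Record("www.example.com", "192.0.2.10", role="primary"),
            Record("www.example.com", "198.51.100.7", role="secondary")]
    pool = [Record("m.example.com", f"192.0.2.{i}") for i in range(1, 11)]
    return {
        "weighted_with_one_unhealthy": weighted_routing(app, health, rng),
        "failover_primary_down": failover_routing(site, {"192.0.2.10": False}),
        "multivalue_ten_healthy": multivalue_answer(pool, {}, rng),
    }


if __name__ == "__main__":
    for policy, answer in demo().items():
        print(policy, "->", answer)
```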

DNS failover for a multi-tiered web app

Section 6: Amazon CloudFront

Content delivery and network latency

Amazon CloudFront

  • Fast, global and secure CDN service
  • Global network of edge locations and Regional edge caches
  • Self-service model
  • Pay-as-you-go pricing

Infrastructure

When a customer makes a request, CloudFront responds with the IP address of the edge location closest to the customer. CloudFront obtains the data from the origin and copies it to the edge location.

  • Edge locations
    • Network of data centers that CloudFront uses to serve popular content quickly to customers
  • Regional edge caches
    • CloudFront locations that cache content that is not popular enough to stay at an edge location. They sit between the origin server and the global edge locations
    • When data becomes stale, it is removed from the cache of the edge location

Wrap-up

Which AWS networking service enables a company to create a virtual network within AWS?

  1. AWS Config
  2. Amazon Route 53
  3. AWS Direct Connect
  4. Amazon VPC
Answer

Keywords:

  • AWS networking service
  • Create a virtual network

Answer 4.

This post is licensed under CC BY 4.0 by the author.