SAA Notes - Infra and Networking

Uploaded by naveen.anjeri

Amazon Web Services

Let’s Cloud
What Exactly is AWS?
It is one of the public cloud service providers and offers more than 140 services.

knowledge portal
Gartner’s Magic Quadrant

AWS Services
AWS has a broad range of services available for compute, storage, database, analytics,
encryption, deployment and many more.

With the pay-as-you-go model, it reduces overall costs and helps you scale your applications.
AWS Services - Master Stroke
Real World Scenario - Storage:

Organizations used to invest tens of thousands of dollars in building their own storage solutions
for backups. This took a significant amount of time and a high investment.

With AWS S3, with the click of an upload button, you get 99.999999999% durability in little less
than a minute of work.
Pay as you go Model
● The pay-as-you-consume model allows organizations to scale their resources well and only
pay for what they have used.

● Generally, the model works based on hourly costs.

● This model is terrific, especially due to AWS Marketplace support.

Diagram: old bill vs. newer bill, compared with a utility bill.
AWS Global Infrastructure
Public Cloud Solutions
AWS Data Centers

A single data center typically has thousands of servers.

What if a data center goes down?
Real World Scenarios
In 2005, there were very heavy rains in Mumbai.

A lot of people were affected.

A lot of data centers were also affected.
Availability Zone
● AWS data centers are organized into Availability Zones (AZs).

● Each availability zone is located at a lower-risk location.

● There are multiple AZs, and each is geographically separated from the others.
Availability Zone - Part 2

● Each AZ is designed as an independent failure zone.

● Thus, they are physically separated.

● The AZs are inter-connected with high-speed private links.
AWS Regions

● Each region contains two or more availability zones.

● AWS has 22 regions worldwide, and the number keeps increasing.
AWS Global Infrastructure
AWS currently operates 22 regions across the world with 69 availability zones.
Setting up the Lab
Let’s start Rolling!
Let’s Start

i) Create a new AWS account.

ii) Begin the course.

Registering an AWS Account
Setting Up SSH Client
Let’s Begin our Journey
Connecting to a Server
After you have launched a server, you need to connect to it to perform administrative tasks.

Depending on the OS of the server, the tools used to connect will change.

Connecting to a Server
For a Linux server, you will need an SSH client to connect.

For a Windows server, you will need an RDP client to connect.
Using MobaXterm
For our labs, we will be making use of MobaXterm, which comes with an SSH client.

Along with the SSH client, it comes with various other useful commands like telnet and curl.

macOS and Linux come with their own terminal, which has an SSH client, so you can skip this step.
Key Based Authentication

Back to Security!
Password Based Authentication
There can be multiple methods for authentication against a system.

Password based authentication is the simplest form.

Laptop: My username is admin, I want to login.

Linux Server: Hey there, what is your password?

Login with Credentials

Laptop: My username is admin, my password is 12345. I want to login.

Linux Server: Login successful.
Challenges with Password Based Authentication
Password based authentication is generally considered to be less secure.

Many users write down their passwords in notepad files or on sticky notes.

Most users would not create a complex password that is difficult to crack.
Key Based Authentication
In this type of authentication, two special keys are generated.

One key is called the public key and the second key is called the private key.

If the public key is stored on the server and used as the authentication mechanism, only the
corresponding private key can be used to authenticate successfully.

Key Based Authentication

Laptop: My username is admin, I want to login.

Linux Server: Hey there, passwords are not allowed. You need to authenticate via the key.
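To verify that a Linux server really enforces key-based authentication the way the exchange above describes, the sshd configuration has to be checked. The following audit script is an added example, not part of the course notes; the sshd_config excerpt is constructed and the expected values are an assumption about what a key-only server should set.

```python
import re

# Constructed sshd_config excerpt (not from any real server): password logins are
# still enabled and root may log in with one, the state the notes call less secure.
SAMPLE_SSHD_CONFIG = """
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
# the duplicate below is ignored: sshd keeps the first value it sees
PasswordAuthentication no
"""

# Keyword -> values acceptable on a key-only server (keywords compared case-insensitively).
EXPECTED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
}

def parse_sshd_config(text):
    """Map each keyword to its effective value.

    sshd applies the first occurrence of a keyword and ignores later duplicates;
    comments and blank lines are skipped. Match blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings

def audit_sshd(text):
    """Return findings for settings that do not enforce key-based authentication;
    an empty list means passwords are off and only keys are accepted."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set (want one of {sorted(allowed)})")
        elif got.lower() not in allowed:
            findings.append(f"{key}: {got} (want one of {sorted(allowed)})")
    return findings
```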
Creating our First EC2 Instance

Let’s Start
Overview of EC2
EC2 stands for Elastic Compute Cloud.

In short, it is the name for a server that you launch in AWS.

Important Configuration
There are certain important configurations that you need to know while launching a new
EC2 instance in AWS:

1. The CPU and memory size
2. Operating system (Linux, Windows)
3. Storage capacity
4. Authentication key
5. Security group
Connecting to a Server
After you have launched a server, you need to connect to it to perform administrative tasks.

Depending on the OS of the server, the tools used to connect will change.

Browser Based SSH Connection
Browser Based SSH Connection allows you to connect to an EC2 instance directly from the
browser.

No need to maintain keys or have an SSH client.

MAC Terminal
Creating our First Website
We have our EC2 instance up and running.

Let’s go ahead and create our first website (www.example.com) on the EC2 instance.

Requirements for Website
1. A server.

2. Software on the server that web browsers can interact with (a web server).
Understanding Firewalls
Firewall without a Fire !
Understanding Ports
A port is a logical entity which acts as an endpoint of communication to identify a given
application or process on a Linux operating system.

Example: port 22 is opened for SSH and port 80 for HTTPD, and a user from the Internet
connects to them.
Understanding Firewall
A firewall is a network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules.

Diagram: a user from the Internet connects to ports 22 (SSH) and 80 (HTTPD) through the
firewall. The firewall denies the connection to 22 and allows the connection to 80: allow from
trusted sources, block hackers.
Firewall in AWS
A security group acts as a virtual firewall for your instance to control inbound and
outbound traffic (inbound connections into EC2 and outbound connections from it).

Understanding Firewalls
There can be both hardware based firewalls and software based firewalls.
How does it do that?
Diagram: a client at IP 112.20.50.60 runs "ssh serverA" against a server at IP 10.0.5.57
listening on Apache 80, SSH 22, FTP 21, SMTP 25 and MySQL 3306.
AWS Budgets
Free Tier is Important
Overview of AWS Budgets

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or
usage exceed (or are forecasted to exceed) your budgeted amount.

Let’s understand this with an example:

John has created a new AWS account and wants to stay within the free tier.

He wants to be notified whenever there is a charge of more than $1.
Virtual Private Cloud
Do things the right way
Let’s understand with a use-case
John works as a finance manager. He is migrating to a new city because of his job and plans to live
in an apartment.

Diagram: House 1 and House 2.
Analogy in terms of servers

● 5 servers are planned to be migrated to the cloud.

● The location where they can be launched in AWS is the VPC.
Let’s understand with a use-case
John has decided to buy a new house. For additional income, he has decided to rent out part of his
house.

John decides to partition his house into Partition 1 and Partition 2.
Let’s understand with a use-case
Among the 5 servers, we have decided on the following architecture:

● Launch 3 servers in the first partition (subnet 1)

● Launch 2 servers in the second partition (subnet 2)
Additional Layer of Security - Partition Wise

John can decide to have an additional layer of security in each partition.
Additional Layer of Security - Partition Wise

John decides to build two entrances so that individuals in partition 1 can go directly out of the
house.

Hypothetically, imagine that there are no doors for partition 2, so no one can go out.
Additional Layer of Security - Partition Wise

The Solutions Architect creates a route so that servers from subnet 1 can connect to the internet.

For subnet 2, no route has been created, hence those servers cannot reach the internet.
Inter-Communication

There can be a need for servers from two subnets to speak with each other.

So you can create a route that allows communication between the two subnets.
Important Learnings

Every EC2 instance that we create should be inside a VPC.

An EC2 instance launched in a VPC will be protected or not protected based on the configuration of the VPC.

The architecture changes when you go into the more technical aspects.
Creating our first VPC

Let’s start!
Revising Basics of VPC
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a
virtual network that you've defined.

EC2 instances inside a VPC will be able to communicate with each other using the private network.

Diagram: VPC 10.77.0.0/16 containing instances 10.77.0.5 and 10.77.0.6.
Today’s Practical
Name: demo-vpc

IPv4 CIDR Block: 10.77.0.0/16

Important Note

Every region in AWS has a default VPC with the CIDR range 172.31.0.0/16.

This allows customers to start launching EC2 instances without having to manually create a VPC.
Creating Subnets
Let’s create Subnetworks
Creating Subnetworks - Analogy

Each subnet has its own range that is derived from the larger VPC range.

Analogy: the VPC (0-100) is split into Subnet 1 (1-50), holding 1 and 15, and Subnet 2 (51-100),
holding 55 and 84.

Creating Subnetworks - Technical

The VPC (10.77.0.0/16) is split into Subnet 1 (10.77.2.0/24), holding 10.77.2.5, and
Subnet 2 (10.77.4.0/24), holding 10.77.4.5.

/16 = 65536 IP addresses, /24 = 256 IP addresses
Creating Subnet Process
When you create a subnet, the following are some of the important settings that need to be
configured.

Setting: Description

VPC: The VPC ID to which the subnet will be associated.

Availability Zone: The availability zone in which the subnet will reside.

IPv4 CIDR Block: A smaller CIDR block from the main VPC range.

Subnet Name: The name of the subnet.
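A subnet plan like the one above (demo-vpc 10.77.0.0/16 with two /24 subnets) can be checked before anything is created: each CIDR must be a valid block, sit inside the VPC range, and not overlap another subnet. This validator is an added example, not code from the course; the subnet names are made up and the reserved-address count is AWS's documented rule of five addresses per subnet.

```python
import ipaddress

# Constructed values taken from the notes: demo-vpc 10.77.0.0/16 with two /24 subnets.
VPC_CIDR = "10.77.0.0/16"
SUBNETS = {"subnet-1": "10.77.2.0/24", "subnet-2": "10.77.4.0/24"}

def address_count(cidr):
    """Total addresses in a block: /16 -> 65536, /24 -> 256."""
    return ipaddress.ip_network(cidr).num_addresses

def usable_hosts(cidr):
    """Addresses you can actually assign: AWS reserves the first four and the last
    address of every subnet, so a /24 yields 251, not 254."""
    return address_count(cidr) - 5

def validate_subnets(vpc_cidr, subnets):
    """Return a list of problems; an empty list means the plan is valid.

    Checks that each subnet is a proper CIDR block (host bits zero), lies inside
    the VPC range, and does not overlap any other subnet in the plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = {}
    problems = []
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is outside VPC {vpc_cidr}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"{name} {cidr} overlaps {other} {onet}")
        seen[name] = net
    return problems

def locate(ip, subnets):
    """Name of the subnet that contains ip, or None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None
```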
Internet Gateway
Connect to Internet
Simple Analogy
You have recently moved to a new house.

You have a laptop and want to watch some YouTube videos.

But there is no Internet connectivity in your house.
VPC Network
The EC2 instances inside the VPC will be able to communicate with each other.

They will NOT be able to connect to the Internet.

Diagram: VPC 10.77.0.0/16 with instances 10.77.0.5 and 10.77.0.6, and no path to the Internet.
Internet Gateway
An internet gateway is a component that allows communication between your VPC and the
internet.

It allows both inbound as well as outbound communication.

Diagram: VPC 10.77.0.0/16 with instances 10.77.0.5 and 10.77.0.6 reaching the Internet through the IGW.
Route Tables

Let’s Route
Simple Analogy
A few years back, I had a trip from Coimbatore to Bangalore (~400 km) on a scooty.

Direction was a key factor here.

Direction Billboards
Direction billboards are very useful to determine the next turning point to reach the
destination.
Overview of Routers
A router is a networking device that forwards data packets between networks.

Each router has a route table that contains the routing rules.

Example: a packet for 10.77.0.5 is looked up in the route table below.

Destination    Next Hop
10.77.0.0/16   VPC
0.0.0.0/0      Internet
Route Table in AWS
A route table contains a set of rules, called routes, that determine where network traffic from
your subnet or gateway is directed.

By default, whenever a VPC is created, a route table is also created.

Diagram: the route table sends traffic from the VPC towards the Internet via the IGW, or towards a VPN.
High-Level Working - Internet Route

High-Level Working - Local Route

Diagram: local route to 10.77.2.5.
Public and Private Subnets

Important Architecture Concept


Public Subnet
A public subnet is a subnet that is associated with an Internet Gateway.

This subnet is recommended if you want to run a public-facing web application.

Overall Security Risk: High
Private Subnet
Private subnets are the ones that do not have an Internet Gateway attached to them.

No new connections from the Internet can reach the EC2 instances within the private
subnet.
Benefits of Private Subnet
Since internet connectivity is not present, it is much more difficult for an attacker to attack
a system in a private subnet directly.

Diagram: the attacker tries to attack, but the EC2 instance is in the private subnet ("Oh no! EC2 is in a private subnet").

Important Note
Even though the EC2 instances are in a private subnet, local level communication between
EC2 instances in the public and private subnets will still work using private IPs.

Diagram: attacker, EC2 in the public subnet, EC2 in the private subnet.

The Network Architecture
Configuring Public and Private Subnet
Better Architecture
Public Subnet Configuration
The following is true for a public subnet:

1. An Internet Gateway is attached to the VPC.

2. The route table has a route towards the Internet Gateway.

Public subnet route table:

Destination    Target
10.77.0.0/16   local
0.0.0.0/0      Internet Gateway

Private Subnet Configuration
The following is true for a private subnet:

The route table does not have a route towards the Internet Gateway.

Private subnet route table:

Destination    Target
10.77.0.0/16   local

Steps to Configure Public and Private Subnet
There will be 2 route tables: one for the public subnet and a second for the private subnet.

Public subnet:

Destination    Target
10.77.0.0/16   local
0.0.0.0/0      Internet Gateway

Private subnet:

Destination    Target
10.77.0.0/16   local
NAT Gateway
Allow Outbound Internet Connectivity
Challenge with Instance in Private Subnet

Since there is no Internet connectivity in the private subnet, the EC2 instance and the application inside
it will not be able to perform any kind of patch update, download new software, etc.

Overview of NAT Gateways
A NAT Gateway allows instances in the private subnet to initiate new connections towards the
Internet.

New connections from the Internet cannot be established to instances in the private subnet.

Working of NAT Gateway

Diagram: Private EC2 -> NAT Gateway -> Internet Gateway -> Internet.

Example 2 - NAT Gateway

Diagram: Private EC2 -> NAT Gateway -> Internet Gateway -> Internet.
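The public and private route tables above, plus the NAT variant, can be modelled to show how a router picks a target (longest-prefix match) and why each subnet type behaves as the notes describe. This is an added example, not code from the course; the gateway IDs are placeholders and the public IP used for lookups is a constructed sample.

```python
import ipaddress

# Constructed route tables mirroring the notes' design (gateway IDs are placeholders).
PUBLIC_RT = [("10.77.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [("10.77.0.0/16", "local")]
PRIVATE_NAT_RT = [("10.77.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]

def next_hop(route_table, dst_ip):
    """Target for dst_ip chosen by longest-prefix match, as a router does.

    The local /16 route beats 0.0.0.0/0 for in-VPC addresses, so VPC traffic
    never leaves through the gateway. Returns None when no route matches,
    in which case the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def subnet_kind(route_table):
    """'public' when the default route points at an Internet Gateway, else 'private'.
    A default route to a NAT gateway still leaves the subnet private."""
    for dest, target in route_table:
        if ipaddress.ip_network(dest).prefixlen == 0 and target.startswith("igw-"):
            return "public"
    return "private"

def outbound_internet(route_table):
    """Can an instance initiate connections to the Internet (via IGW or NAT)?"""
    return next_hop(route_table, "203.0.113.10") is not None  # sample public address

def inbound_from_internet(route_table):
    """Only a public subnet accepts new connections from the Internet; a NAT
    gateway carries replies back but never forwards new inbound connections."""
    return subnet_kind(route_table) == "public"
```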
New VPC Create Experience
Create VPC Quickly
Understanding Challenge
If you want to create a new VPC setup, there are multiple components that you have to
configure:

VPC, Subnets, Route Tables, NAT Gateway, Internet Gateways

New VPC Create Experience

AWS has released a new VPC Create Experience that allows us to quickly set up the entire VPC
infrastructure with the click of just a few buttons.
VPC Peering

Let’s Route
VPC Peering
VPC peering is a network connection between two VPCs that enables communication
between instances of both VPCs.

Diagram: 172.31.0.0/16 peered with 10.77.0.0/16.

Today’s Architecture - 1
First VPC - 172.31.0.0/16

Secondary VPC - 10.77.0.0/16

Today’s Architecture - 2

Diagram: three VPCs, 10.66.0.0/16, 172.31.0.0/16 and 10.77.0.0/16.

Things to Remember
● VPC Peering is now possible between regions.

● VPC Peering does not act like a Transit VPC.

Unsupported VPC Peering Configurations - 1

You cannot create a VPC peering connection between VPCs with matching or
overlapping IPv4 CIDR blocks.

Unsupported VPC Peering Configurations - 2

You have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and
between VPC A and VPC C (pcx-aaaacccc).

There is no VPC peering connection between VPC B and VPC C. You cannot route
packets directly from VPC B to VPC C through VPC A.
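Both unsupported configurations above (overlapping CIDR blocks, and the lack of transitive routing through VPC A) can be checked in a small model of VPCs and their pcx connections. This is an added example, not code from the course; the VPC names and CIDR blocks for A, B and C are constructed, and the pcx IDs are the ones quoted in the notes.

```python
import ipaddress

def can_peer(cidr_a, cidr_b):
    """AWS refuses a peering between VPCs whose IPv4 CIDR blocks match or overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

class PeeringMesh:
    """Tiny model of VPCs and the peering connections (pcx) between them."""

    def __init__(self):
        self.vpcs = {}   # name -> IPv4Network
        self.peers = {}  # frozenset({a, b}) -> pcx id

    def add_vpc(self, name, cidr):
        self.vpcs[name] = ipaddress.ip_network(cidr)

    def peer(self, a, b, pcx_id):
        """Create a peering; mirrors the AWS rejection of overlapping CIDRs."""
        if not can_peer(str(self.vpcs[a]), str(self.vpcs[b])):
            raise ValueError(f"{a} and {b} have overlapping CIDR blocks")
        self.peers[frozenset((a, b))] = pcx_id

    def path(self, src, dst):
        """pcx id carrying src -> dst traffic, or None.

        Peering is not transitive: with only A-B and A-C, B cannot reach C
        through A, so the lookup is a single direct edge, never a graph search."""
        return self.peers.get(frozenset((src, dst)))

def build_notes_topology():
    """The A-B / A-C topology from the notes, with constructed CIDR blocks."""
    mesh = PeeringMesh()
    mesh.add_vpc("A", "10.0.0.0/16")
    mesh.add_vpc("B", "10.1.0.0/16")
    mesh.add_vpc("C", "10.2.0.0/16")
    mesh.peer("A", "B", "pcx-aaaabbbb")
    mesh.peer("A", "C", "pcx-aaaacccc")
    return mesh
```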
Network ACL
Multiple Layers for Defense
Understanding the Basics
A network access control list (ACL) is an optional layer of security for your VPC that acts as a
firewall for controlling traffic in and out of one or more subnets.

● A Security Group works at the EC2 instance level.

● A Network ACL works at the subnet level.

Diagram: Security Groups sit on the instances; the Network ACL sits on the public/private subnets.

Understanding with Use-Case
Company XYZ is getting a lot of attacks from a random IP, 128.190.12.32. The company has
more than 500 servers and the security team decided to block that IP in the firewall for all the servers.

How to go ahead and achieve that goal?

Diagram: a Network ACL with DENY 128.190.12.32 in front of two groups of 250 EC2 instances.

Important Pointers

Each subnet in your VPC must be associated with a network ACL. If you don't explicitly
associate a subnet with a network ACL, the subnet is automatically associated with the
default network ACL.

The default NACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.

You can associate a network ACL with multiple subnets. However, a subnet can be
associated with only one network ACL at a time.
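The Company XYZ use-case above turns on how a NACL evaluates its rules: in ascending rule-number order, first match wins. A deny for 128.190.12.32 only works if it is numbered below the default allow-all rule (100), and a security group cannot express a deny at all. This evaluator is an added example, not code from the course; the rule shape is a simplification (source CIDR only, no ports or protocols).

```python
import ipaddress

# A NACL rule: (rule_number, action, source_cidr). AWS evaluates inbound rules in
# ascending rule-number order and stops at the first match; the implicit final
# rule ('*') denies whatever no numbered rule matched. NACLs are also stateless,
# so return traffic needs its own rules (not modelled here).
DEFAULT_INBOUND = [(100, "allow", "0.0.0.0/0")]  # shape of the default NACL

def nacl_decision(rules, src_ip):
    """Action the NACL takes for traffic from src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for _number, action, cidr in sorted(rules):
        if addr in ipaddress.ip_network(cidr):
            return action
    return "deny"

def shadowed_by(rules, src_ip, rule_number):
    """Number of an earlier rule that already matches src_ip, or None.
    A deny placed after such a rule is never reached, a common NACL mistake."""
    addr = ipaddress.ip_address(src_ip)
    for number, _action, cidr in sorted(rules):
        if number < rule_number and addr in ipaddress.ip_network(cidr):
            return number
    return None

def add_deny(rules, src_ip, rule_number):
    """Return a new rule list with a /32 deny for src_ip, refusing a number that
    would be shadowed by an earlier rule."""
    earlier = shadowed_by(rules, src_ip, rule_number)
    if earlier is not None:
        raise ValueError(f"rule {rule_number} is shadowed by rule {earlier}")
    return sorted(rules + [(rule_number, "deny", f"{src_ip}/32")])

def sg_decision(allow_cidrs, src_ip):
    """Security groups are allow-only and stateful: any matching allow admits the
    traffic and there is no explicit deny, which is why blocking one IP for every
    instance in a subnet belongs in the NACL."""
    addr = ipaddress.ip_address(src_ip)
    return "allow" if any(addr in ipaddress.ip_network(c) for c in allow_cidrs) else "deny"
```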
Amazon Machine Image
Let’s Image
Overview of AMI

An Amazon Machine Image (AMI) is the master image from which new EC2 instances can be
launched.

Let’s understand with an example:

Security hardening applied to Amazon Linux to produce a hardened Amazon Linux image:

Configure SELinux
Configure firewalld
Install IPS agent
Configure Auditd
Create Security user

Hardened AMI
Diagram: EC2 instances in the Prod AWS account are launched from the hardened Amazon Linux AMI.
Launch Templates

Launching EC2 The Easy Way

Understanding the Challenge
When you launch an EC2 instance, there are various configurations that need to be set.

Some of the common configurations include:

● AMI ID
● Instance Type
● Security Group
● Key Pair
● Storage
● IAM Role
● VPC

Every time you intend to launch an instance, going through this process is time consuming.

Introduction to Launch Templates
Launch templates enable you to store launch parameters so that you do not have to specify
them every time you launch an instance.
EC2 Pricing

Cost Optimization
Paying for EC2 Instances

There are five primary ways in which we can pay for EC2 instance usage.

1. On-Demand
2. Savings Plan
3. Reserved Instances
4. Spot Instances
5. Dedicated Hosts
On-Demand Pricing
With On-Demand instances, we pay for compute capacity per hour or per second,
depending on the instance being run.

No upfront payments are needed, and we can increase or decrease the capacity whenever it
is needed.

On-Demand Can Lead to Unexpected Issues

Monday: 500 customers using 16GB RAM on-demand servers individually.

Wednesday: 30 customers using 16GB RAM on-demand servers individually.

A “Cloud Service Provider” will not have a clear picture of how many servers it should
provision. Too high → resources might go unused; too low → money loss.
Reserved Instance

Reserved Instances provide us with a significant discount (up to 75%) compared to
on-demand instance pricing.

Reserved instances are assigned to a specific availability zone and provide capacity
reservation for AWS EC2 instances.

Example:

If you know you will always be running 20 servers of the m4.2xlarge type for 1 year, then buy
reserved instances for them.

Reserved Instance - Part 2
Example: g4dn.8xlarge instance type

Pricing Option                   Hourly Cost   Total 3 year cost
On-Demand Instance               $2.176        $57,276
3 year all up-front - Reserved   -             $21502

Savings ~62%
Spot Instance
Spot instances allow us to bid on spare Amazon EC2 computing capacity at up to 90% off
the on-demand cost.

Such instances are recommended for applications that can have flexible start and end times.

Savings Plans
Savings Plans are a flexible pricing model that offers low prices on EC2 and Fargate usage,
in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a
1 or 3 year term.

Dedicated Host
A dedicated host is a physical EC2 server dedicated to your use.

It can be purchased on-demand or as a reserved instance.
Join us in our Adventure

kplabs.in/twitter

Be Awesome
kplabs.in/linkedin

[email protected]
