AWS Networking and Content Delivery

Uploaded by

im.second007
AWS Networking and Content Delivery
Introduction to AWS Networking
Networking is the first step for any organization to set up its landing zone and the entire IT workload built on top of
it. Networking is the backbone of the IT application and infrastructure workload. AWS provides various
networking services for building your IT landscape in the cloud. With a traditional on-premises IT workload, it
becomes challenging to scale globally and provide the same user experience across the globe. AWS helps solve
these problems through edge networking, and you will learn more about deploying your application for global
users without compromising their experience.

IP Address
Each client machine in a network has a unique Internet Protocol (IP) address that identifies it. An IP address is a
numerical label written in decimal; machines convert that decimal form to binary. In this example, the IP address
is 192.0.2.0. Each of the four dot (.)-separated numbers of the IP address represents 8 bits (one octet), written as
a decimal number. That means each of the four numbers can be anything from 0 to 255. The combined total of the
four numbers for an IP address is 32 bits in binary format.

IPv4 and IPv6 Addresses


• IPv4 Addresses
o A 32-bit IP address is called an IPv4 address.

• IPv6 Addresses
o IPv6 addresses, which are 128 bits, are also available. IPv6 addresses can accommodate more
user devices.

o An IPv6 address is composed of eight groups of four letters and numbers that are separated by
colons (:).

o Example: 2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF.
Chapter 3

o Each of the eight colon-separated groups of the IPv6 address represents 16 bits in
hexadecimal number format.

o That means each of the eight groups can be anything from 0 to FFFF.

o The combined total of the eight groups for an IPv6 address is 128 bits in binary format.

AWS Network Foundations


Networking concepts are the same in the cloud. The question is not what networking is but how to set up your
private network in the AWS cloud and establish connectivity between the servers in the cloud and from
on-premises to AWS. First, let’s start with the foundation: the first step to building your networking backbone in
AWS is Amazon VPC.

Amazon Virtual Private Cloud (VPC)


VPC is one of the core services AWS provides. A VPC is your own slice of the AWS cloud, and as the name
suggests, it is “private”: by default, your VPC is a logically isolated private network inside AWS. Think of a VPC
as your own logical data centre in a virtual setting inside the AWS cloud, where you have complete control over
the resources inside it. AWS resources such as Amazon EC2 and Amazon RDS instances are placed inside the
VPC, along with all the networking components required to control data traffic as your needs dictate.

Creating a VPC could be a complex task, but AWS has made it easy by providing the Launch VPC Wizard. The
following screenshot shows a VPC network configuration across two AZs, us-east-1a and us-east-1b:

• The VPC spans two AZs, where each AZ has two subnets: one public and one private.

• The highlighted flow shows the data path of a server deployed into a private subnet in one of the us-east-1 AZs.

Before going into further details, let’s look at key VPC concepts to understand them better:

• Classless Inter-Domain Routing (CIDR) blocks

• Subnets

• Route tables

• Internet Gateway

• Network Address Translation (NAT) Gateway

• Security Groups (SGs)

• Network Access Control List (NACL)

• Egress-only IGWs

• DHCP

• VPC Flow Logs

Classless Inter-Domain Routing (CIDR)


CIDR blocks define the IP address range allocated to your VPC. When creating a VPC, specify its set of IP
addresses with CIDR notation, which is a simplified way of showing a specific range of IP addresses. For
example, 10.0.0.0/16 covers all IPs from 10.0.0.0 to 10.0.255.255, providing 65,535 IP addresses to use. All
resources in your VPC must fall within the CIDR range.

Open System Interconnection (OSI) Model



VPC Components
Subnets
A subnet is a subset of the VPC CIDR block: the VPC’s range of IP addresses is partitioned into smaller CIDR
ranges. A VPC can have multiple subnets for different kinds of services or functions, such as:

• Frontend Subnet: For internet access to a web page.

• Backend Subnet: For business logic processing.

• Database Subnet: For database services.

Subnets create trust boundaries between private and public resources. Organize your subnets based on internet
accessibility so that public and private resources are clearly isolated. The majority of resources can be hosted in
private subnets.
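The IP Address, CIDR and Subnets sections above all come down to arithmetic on address blocks. The following Python example (added here, not part of the original notes) packs a dotted-quad IPv4 address into its 32-bit value, splits an IPv6 address into its eight 16-bit groups, computes the range of a CIDR block, and checks that a set of subnet CIDRs actually fit inside the VPC block without overlapping. The VPC and subnet CIDRs are constructed, and the five-addresses-per-subnet reservation is AWS's standard rule (first four and last address of each subnet); note that a /16 block holds 2^16 = 65,536 addresses in total.

```python
"""Added example (not from the original notes): IPv4/IPv6 address
structure, CIDR block ranges, and checking that subnets fit inside a
VPC CIDR without overlapping. Standard library only."""
from __future__ import annotations
import ipaddress


def ipv4_to_int(address: str) -> int:
    """Pack four dot-separated octets (each 0..255) into one 32-bit integer."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {address!r}")
    value = 0
    for part in octets:
        n = int(part)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {part}")
        value = (value << 8) | n  # shift in 8 bits per octet -> 32 bits total
    return value


def ipv6_groups(address: str) -> list[int]:
    """Return the eight colon-separated 16-bit groups of an IPv6 address as integers (0..0xFFFF)."""
    packed = ipaddress.IPv6Address(address).packed  # 16 bytes = 128 bits
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def cidr_range(cidr: str) -> tuple[str, str, int]:
    """First address, last address and total address count of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


AWS_RESERVED_PER_SUBNET = 5  # AWS keeps the first four and the last address of every subnet


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually be given in a subnet of this size."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Return problems found: subnets outside the VPC block, or subnets overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is outside VPC block {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    print(hex(ipv4_to_int("192.0.2.0")))
    print([hex(g) for g in ipv6_groups("2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF")])
    print(cidr_range("10.0.0.0/16"))
    print(usable_hosts("10.0.0.0/24"))
    # Constructed layout: a public and a private /24 per AZ, plus two deliberate mistakes.
    print(validate_subnets("10.0.0.0/16",
                           ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25", "10.1.0.0/24"]))
```

Running `validate_subnets` against a planned layout before creating it catches the two errors that are painful to fix after resources exist: a subnet that lies outside the VPC block, and two subnets that share addresses.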

Route Tables
A route table contains a set of rules called routes. Routes determine where traffic will flow. By default, every
subnet is associated with the VPC’s main route table. You can manually create a new route table and associate
subnets with it. For better security, use a custom route table for each subnet.

Internet Gateway (IGW)


An Internet Gateway (IGW) sits at the edge of the VPC and provides connectivity between your VPC resources
and the public network (the internet). By default, your VPC has no internet access in either direction. An IGW is
attached to the VPC, and a subnet becomes public when its route table contains a route that sends
internet-bound traffic to the IGW.

Network Address Translation (NAT) Gateway


A NAT gateway provides outbound internet access to a private subnet while preventing connections from being
initiated from outside to your VPC resources. A private subnet has no route to the internet in either direction, but
servers may need outbound internet access for software and security patch installation. A NAT gateway
enables instances in a private subnet to initiate outbound traffic to the internet and protects those resources
from inbound internet traffic. All restricted servers (such as database and application resources) should be
deployed inside your private subnet.
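Whether a subnet is public or private is decided entirely by its route table: a default route to an IGW makes it public, a default route to a NAT gateway makes it private with outbound access, and no default route leaves it isolated. The following Python example (added here, not the notes' own code) performs the longest-prefix-match lookup a route table does, classifies subnets from their default route, and audits a planned layout for a subnet that was meant to be private but is wired to the IGW. The route tables and the `igw-`/`nat-` ids are constructed placeholders.

```python
"""Added example (not from the original notes): longest-prefix-match
lookup in a subnet route table, public/private classification from the
default route, and an audit for private subnets that reach an IGW."""
from __future__ import annotations
import ipaddress

Route = tuple[str, str]  # (destination CIDR, target: "local", "igw-...", "nat-...")


def lookup_route(route_table: list[Route], dst_ip: str) -> str | None:
    """Target of the most specific route covering dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_target, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def classify_subnet(route_table: list[Route]) -> str:
    """'public' = default route to an IGW; 'private' = via NAT; 'isolated' = no default route."""
    default = dict(route_table).get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


def audit_subnets(subnets: dict[str, tuple[str, list[Route]]]) -> list[str]:
    """Flag subnets whose intended tier disagrees with what their route table actually makes them."""
    findings = []
    for name, (intended, table) in subnets.items():
        actual = classify_subnet(table)
        if intended == "private" and actual == "public":
            findings.append(f"{name}: intended private but default route goes to an internet gateway")
        elif intended != actual:
            findings.append(f"{name}: intended {intended}, route table makes it {actual}")
    return findings


# Constructed route tables for a VPC using 10.0.0.0/16.
PUBLIC_RT: list[Route] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123456789abcdef0")]
PRIVATE_RT: list[Route] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0123456789abcdef0")]
ISOLATED_RT: list[Route] = [("10.0.0.0/16", "local")]

if __name__ == "__main__":
    print(lookup_route(PRIVATE_RT, "10.0.1.25"))     # local: stays inside the VPC
    print(lookup_route(PRIVATE_RT, "203.0.113.7"))   # nat-...: outbound via the NAT gateway
    print(lookup_route(ISOLATED_RT, "203.0.113.7"))  # None: no path to the internet
    layout = {
        "public-1a": ("public", PUBLIC_RT),
        "private-1a": ("private", PRIVATE_RT),
        "db-1b": ("private", PUBLIC_RT),  # misconfiguration: database subnet wired to the IGW
    }
    for finding in audit_subnets(layout):
        print(finding)
```

The audit is the check worth automating: a database subnet whose route table points at the IGW is reachable from the internet the moment an instance in it gets a public IP, and nothing in the subnet's name will tell you.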

Security Groups (SGs)


Security Groups (SGs) are virtual firewalls for your instances that control inbound and outbound packets. Only
allow rules can be used in an SG; everything not explicitly allowed is denied implicitly. An SG is attached to one
or more instances, and each rule allows traffic from (or to) a CIDR block range or another SG.


Network Access Control List (NACL)


A Network Access Control List (NACL) is another firewall; it sits at the subnet boundary and allows or denies
incoming and outgoing packets. The main difference between a NACL and an SG is that the NACL is stateless, so
you need rules for both incoming and outgoing traffic. With an SG, you only need to allow traffic in one direction,
and the return traffic is allowed by default. SGs are commonly used as firewalls at the EC2 instance level, while
NACLs are used as firewalls at the subnet level. NACLs are useful when you want to control traffic for a whole
subnet and deny specific IPs, since an SG cannot have a deny rule for network traffic coming from a particular IP
or IP range.
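The stateful-versus-stateless distinction in the two sections above is easiest to see by running the same request and reply through both kinds of filter. The following Python model (added here, not the notes' own code) implements a security group as allow-only rules plus flow tracking, and a NACL as numbered allow/deny rules evaluated lowest number first with no tracking. It shows why a NACL with only an inbound 443 rule silently drops the reply until an outbound rule for ephemeral ports is added, and how a NACL can deny a specific address range where an SG cannot. All addresses, ports and rule sets are constructed for illustration.

```python
"""Added example (not from the original notes): a small model of how a
security group (stateful, allow rules only) and a network ACL (stateless,
numbered allow/deny rules) evaluate the same request/reply pair."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out", relative to the instance (SG) or subnet (NACL)


def _peer_and_port(p: Packet) -> tuple[str, int]:
    """The remote side a rule's CIDR is matched against, and the port (always the destination port)."""
    return (p.src if p.direction == "in" else p.dst), p.dport


@dataclass
class SecurityGroup:
    inbound: list[tuple[str, int]]   # (source CIDR, destination port)
    outbound: list[tuple[str, int]]  # (destination CIDR, destination port)
    _flows: set[tuple[str, int, str, int]] = field(default_factory=set)

    def allows(self, p: Packet) -> bool:
        """Allow on a rule match; otherwise allow only the reply to a flow that was already allowed."""
        rules = self.inbound if p.direction == "in" else self.outbound
        peer, port = _peer_and_port(p)
        for cidr, rule_port in rules:
            if ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) and rule_port == port:
                self._flows.add((p.src, p.sport, p.dst, p.dport))  # remember the flow for its reply
                return True
        return (p.dst, p.dport, p.src, p.sport) in self._flows  # stateful: reply of a tracked flow


@dataclass
class NetworkAcl:
    inbound: list[tuple[int, str, range, str]]   # (rule number, CIDR, destination port range, "allow"/"deny")
    outbound: list[tuple[int, str, range, str]]

    def allows(self, p: Packet) -> bool:
        """Lowest rule number first, first match wins, no connection tracking; unmatched traffic is denied."""
        rules = self.inbound if p.direction == "in" else self.outbound
        peer, port = _peer_and_port(p)
        for _, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
            if ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) and port in ports:
                return action == "allow"
        return False  # the implicit '*' deny rule


# Constructed scenario: a client opens HTTPS to a web instance; the reply goes back to the client's ephemeral port.
REQUEST = Packet("203.0.113.10", 50000, "10.0.0.5", 443, "in")
REPLY = Packet("10.0.0.5", 443, "203.0.113.10", 50000, "out")

NACL_INBOUND = [
    (90, "198.51.100.0/24", range(0, 65536), "deny"),  # explicit deny of a range, which an SG cannot express
    (100, "0.0.0.0/0", range(443, 444), "allow"),
]
NACL_MISSING_RETURN = NetworkAcl(inbound=NACL_INBOUND, outbound=[])
NACL_CORRECT = NetworkAcl(inbound=NACL_INBOUND,
                          outbound=[(100, "0.0.0.0/0", range(1024, 65536), "allow")])  # ephemeral ports

if __name__ == "__main__":
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443)], outbound=[])
    print("SG request/reply:", sg.allows(REQUEST), sg.allows(REPLY))
    print("NACL without outbound rule:", NACL_MISSING_RETURN.allows(REQUEST), NACL_MISSING_RETURN.allows(REPLY))
    print("NACL with ephemeral rule:", NACL_CORRECT.allows(REQUEST), NACL_CORRECT.allows(REPLY))
    print("NACL denies listed range:", NACL_CORRECT.allows(Packet("198.51.100.9", 40000, "10.0.0.5", 443, "in")))
```

Note that the SG allows the reply with an empty outbound rule list only because the request was seen first; the same reply presented to a fresh security group is dropped, which is exactly the behaviour the "return traffic is allowed by default" sentence describes.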

Egress-only IGWs
Egress-only IGWs provide outbound communication from Internet Protocol version 6 (IPv6) instances in your
VPC to the internet and prevent inbound connections from the internet to your instances on IPv6. IPv6, the sixth
iteration of the Internet Protocol, succeeds IPv4 and employs a 128-bit IP address. Like IPv4, it facilitates the
provision of unique IP addresses required for internet-connected devices to communicate.

DHCP Option Sets


DHCP option sets are a group of network information, such as DNS name servers and domain names, used by
EC2 instances when they launch.

VPC Flow Logs


VPC Flow Logs let you monitor the IP traffic flowing to and from network interfaces in your VPC, including
accepted and rejected traffic for a designated resource, so you can understand traffic patterns. Flow Logs can
also be used as a security tool for monitoring the traffic reaching your instances. You can create alarms to notify
you if certain types of traffic are detected.
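To act on the "accepted and rejected traffic" the section describes, you need to parse the records first. The following Python example (added here, not part of the original notes) parses flow log records in the default version 2 format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), tolerates the `-` placeholders of `NODATA` records, counts rejects per source, and flags sources whose rejected connections touched several distinct ports, which is a reasonable condition to alarm on. The log lines, account id, ENI id and addresses are constructed.

```python
"""Added example (not from the original notes): parsing default-format
VPC Flow Log records and summarising rejected traffic per source."""
from __future__ import annotations
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: three rejected probes from one source, one accepted HTTPS flow, one NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 49152 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 49153 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 49154 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51000 443 6 12 4820 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.7 443 51000 6 10 9200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_record(line: str) -> dict | None:
    """Split one space-separated record into named fields; '-' means the field was not recorded."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # not a default-format record (custom formats have different fields)
    rec = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        else:
            rec[name] = raw
    return rec


def parse_log(text: str) -> list[dict]:
    """All records that actually carry traffic data (log-status OK)."""
    records = (parse_record(line) for line in text.splitlines())
    return [r for r in records if r is not None and r["log_status"] == "OK"]


def rejects_by_source(records: list[dict]) -> dict[str, int]:
    """Number of rejected flows per source address."""
    counts: dict[str, int] = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT":
            counts[r["srcaddr"]] += 1
    return dict(counts)


def suspected_scanners(records: list[dict], min_ports: int = 3) -> dict[str, set[int]]:
    """Sources whose rejected TCP connections hit at least min_ports distinct destination ports."""
    ports: dict[str, set[int]] = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:  # 6 = TCP
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records with traffic data")
    print("rejects by source:", rejects_by_source(recs))
    print("suspected scanners:", suspected_scanners(recs))
```

In production the records arrive via CloudWatch Logs or S3 rather than a string, but the per-record logic is the same; the `log-status` check matters because `NODATA` and `SKIPDATA` records have no addresses and would otherwise pollute the counts.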

VPC Peering
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic
between them privately. Instances in either VPC can communicate with each other as if they are within the same
network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account,
or with a VPC in a different AWS Region. When setting up the peering connection, you must create rules in your
route table to allow the VPCs to communicate with each other through the peering resource.

AWS Transit Gateway (TGW)


As customers spin up more and more VPCs in AWS, there is an ever-increasing need to connect them. Before
TGW, you could connect VPCs using VPC peering, but VPC peering is a one-to-one connection: only resources
within the two peered VPCs can communicate with each other, and peering is not transitive. If multiple VPCs
need to communicate with each other, which is often the case, the result is a complex mesh of VPC peering
connections. For example, as shown in the diagram below, if you have 5 VPCs, you need 10 peering connections.

Managing so many VPC peering connections will become challenging, and there is also a limit on the number of
peering connections per account. To overcome this challenge, AWS released TGW.

TGW needs one connection called an attachment to a VPC, and you can establish full- or partial-mesh
connectivity easily without maintaining so many peering connections.


AWS Transit Gateway (TGW) is a central aggregation service spanned within a Region, which can be used to
connect your VPCs and on-premises networks. TGW is a managed service that takes care of your availability and
scalability and eliminates complex VPN or peering connection scenarios when connecting with multiple VPCs
and on-premises infrastructure.

You can connect TGWs in different Regions by using TGW peering. TGW is a regional entity, meaning you can only
attach VPCs to the TGW within the same Region, and per VPC, the bandwidth reserved is 50 Gbps. However, one
TGW can have up to 5,000 VPC attachments.

Diagram Explanation
Any new VPC is connected to the transit gateway and is then automatically available to every other network that
is connected to the transit gateway. This ease of connectivity makes it easier to scale your network as you grow.
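The VPC Peering and Transit Gateway sections describe two different connectivity models, and the difference shows up in a reachability check. The following Python model (added here, not the notes' own code) computes the full-mesh peering count, then checks whether a source VPC can reach a destination address: over a peering it requires a matching route whose `pcx-` target actually joins those two VPCs (so a route through a middle VPC fails, because peering is not transitive), while over a transit gateway any two attached VPCs can reach each other through the hub. VPC names, CIDRs and the `pcx-`/`tgw-` ids are constructed placeholders.

```python
"""Added example (not from the original notes): reachability under
pairwise, non-transitive VPC peering versus a transit gateway hub."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


def full_mesh_peerings(n: int) -> int:
    """A full mesh of n VPCs needs one peering connection per pair: n(n-1)/2."""
    return n * (n - 1) // 2


@dataclass
class Vpc:
    name: str
    cidr: str
    routes: list[tuple[str, str]] = field(default_factory=list)  # (destination CIDR, target)


@dataclass
class Network:
    vpcs: dict[str, Vpc]
    peerings: dict[str, frozenset[str]] = field(default_factory=dict)  # pcx id -> the two VPCs it joins
    tgw_attachments: set[str] = field(default_factory=set)            # VPCs attached to the one TGW

    def owner_of(self, ip: str) -> str | None:
        addr = ipaddress.ip_address(ip)
        for v in self.vpcs.values():
            if addr in ipaddress.ip_network(v.cidr):
                return v.name
        return None

    def can_reach(self, src_vpc: str, dst_ip: str) -> bool:
        """Forward-path check only; a working flow also needs the mirror route in the destination VPC."""
        dst_vpc = self.owner_of(dst_ip)
        if dst_vpc is None:
            return False
        if dst_vpc == src_vpc:
            return True  # covered by the VPC's own 'local' route
        addr = ipaddress.ip_address(dst_ip)
        target, best_len = None, -1
        for cidr, t in self.vpcs[src_vpc].routes:  # longest prefix match
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                target, best_len = t, net.prefixlen
        if target is None:
            return False
        if target.startswith("pcx-"):
            # A peering carries traffic only between the two VPCs it joins: no transit via a middle VPC.
            return self.peerings.get(target) == frozenset({src_vpc, dst_vpc})
        if target.startswith("tgw-"):
            return src_vpc in self.tgw_attachments and dst_vpc in self.tgw_attachments
        return False


def build_peered() -> Network:
    """A<->B and B<->C are peered; A's table even points 10.2.0.0/16 at the A-B peering, which cannot work."""
    a = Vpc("A", "10.0.0.0/16", [("10.1.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-ab")])
    b = Vpc("B", "10.1.0.0/16", [("10.0.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-bc")])
    c = Vpc("C", "10.2.0.0/16", [("10.1.0.0/16", "pcx-bc")])
    return Network({"A": a, "B": b, "C": c},
                   peerings={"pcx-ab": frozenset({"A", "B"}), "pcx-bc": frozenset({"B", "C"})})


def build_with_tgw() -> Network:
    """The same three VPCs attached to one transit gateway; each VPC needs a single route to the hub."""
    cidrs = [("A", "10.0.0.0/16"), ("B", "10.1.0.0/16"), ("C", "10.2.0.0/16")]
    vpcs = {n: Vpc(n, cidr, [("10.0.0.0/8", "tgw-hub")]) for n, cidr in cidrs}
    return Network(vpcs, tgw_attachments={"A", "B", "C"})


if __name__ == "__main__":
    print("5 VPCs fully meshed need", full_mesh_peerings(5), "peering connections")
    peered, hub = build_peered(), build_with_tgw()
    print("peering A->B:", peered.can_reach("A", "10.1.0.5"))  # True
    print("peering A->C:", peered.can_reach("A", "10.2.0.5"))  # False: peering is not transitive
    print("tgw     A->C:", hub.can_reach("A", "10.2.0.5"))     # True
```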

AWS Direct Connect


One of the challenges of network communication is network performance. Performance can be negatively
affected if your data centre is located far away from your AWS Region. For such situations, AWS offers AWS
Direct Connect, or DX. It enables you to establish a dedicated, private network connection between your network
and one of the DX locations. This private connection can reduce your network costs, increase bandwidth
throughput, and provide a more consistent network experience than internet-based connections. DX uses open
standard 802.1q VLANs.

Amazon CloudFront
Amazon CloudFront is a content delivery service that accelerates the distribution of both static and dynamic
content like image files, video files, and JavaScript, CSS, or HTML files, through a network of data centres spread
across the globe. These data centres are referred to as edge locations. CloudFront serves user requests from the
nearest edge location, providing lower latency and better performance. AWS has over 300 high-density edge
locations spread across over 90 cities in 47 countries. All edge locations are equipped with ample cache storage
space and intelligent routing mechanisms to increase the edge cache hit ratio.

Edge locations are connected with high-performance 100 GbE network devices and are fully redundant, with
parallel global networks with default physical layer encryption.

Example Scenario: Consider an image distribution website, www.example.com, hosted in the US, which serves
art images. Users can access the URL www.example.com/art.png, and the image is loaded. If your server is close
to the user, then the image load time will be faster. However, if users from other locations like Australia or South
Africa access the same URL, the request has to cross multiple networks before delivering the content to the
user’s browser.

CloudFront's Operational Mechanics:


• When a viewer requests access to page content from the origin server – in this case, www.example.com
– Route 53 replies with the CloudFront edge IP and redirects the user to the CloudFront location.

• CloudFront uses the following rules for content distribution:

o If the requested content is already in the edge data centre, which means it is a “cache hit,” it
will be served immediately.


o If the content is not at the edge location (a “cache miss”), CloudFront will request the content
from the original location (the web server or S3). The request flows through the AWS backbone,
is delivered to the customer, and a copy is kept for future requests.

o If you are using CloudFront, it also provides an extra layer of security since your origin server is
not directly exposed to the public network.

Security Enhancements with CloudFront:


• CloudFront eliminates the need to go to the origin server for every user request; cached content is served
from the nearest edge location.

• CloudFront provides security by safeguarding the connection between end-users and the content edge,
as well as between the edge network and the origin.

• By offloading SSL termination to CloudFront, the performance of applications is improved since the
burden of processing the required negotiation and SSL handshakes is removed from the origins.

AWS Transit Gateway


You can configure your VPCs in several ways and take advantage of numerous connectivity options and
gateways. These options and gateways include AWS Direct Connect (via DX gateways), NAT gateways, internet
gateways, VPC peering, etc. It is not uncommon to find AWS customers with hundreds of VPCs distributed
across AWS accounts and Regions to serve multiple lines of business, teams, projects, and so forth. Things get
more complex when customers start to set up connectivity between their VPCs. All the connectivity options are
strictly point-to-point, so the number of VPC-to-VPC connections can grow quickly.

As you grow the number of workloads that run on AWS, you must be able to scale your networks across multiple
accounts and VPCs to keep up with the growth. Though you can use VPC peering to connect pairs of VPCs,
managing point-to-point connectivity across many VPCs without the ability to centrally manage the connectivity
policies can be operationally costly and difficult. For on-premises connectivity, you must attach your VPN to each
individual VPC. This solution can be time-consuming to build and difficult to manage when the number of VPCs
grows into the hundreds.

To solve this problem, you can use AWS Transit Gateway to simplify your networking model. With AWS Transit
Gateway, you only need to create and manage a single connection from the central gateway into each VPC, on-
premises data centre, or remote office across your network. A transit gateway acts as a hub that controls how
traffic is routed among all the connected networks, which act like spokes. This hub-and-spoke model
significantly simplifies management and reduces operational costs because each network only needs to connect
to the transit gateway and not to every other network.

Conclusion
This module establishes a strong foundation in AWS Networking and Content Delivery, covering essential
services and concepts such as Amazon VPC, Subnets, Route Tables, Security Groups, VPC Peering, AWS
Transit Gateway, AWS Direct Connect, and Amazon CloudFront. Understanding these components enables
you to build scalable, secure, and efficient cloud networks tailored to your organization's needs.
