AWS SOA Module02

The document provides an overview of Amazon VPC and its networking fundamentals, including components such as subnets, route tables, security groups, and gateways. It discusses various networking operations, including VPC peering, placement groups, and Elastic Load Balancing, as well as services like Amazon Route 53 and AWS Direct Connect. Additionally, it outlines CLI operations for creating and managing VPCs and related resources.


NETWORKING IN AWS

SYSTEM OPERATIONS IN AWS - MODULE 2


Amazon VPC and Networking Fundamentals
Amazon VPC

 Choose an IPv4 CIDR block for the VPC (a /16 from the RFC 1918 private ranges is the usual choice)
 Addresses in this block are treated as private within the VPC
 The VPC IPv4 CIDR block can be anything from /16 to /28
 The primary CIDR block cannot be changed after the VPC is created (additional secondary IPv4 blocks can be associated later)
 The IPv6 CIDR block is a fixed /56 assigned from Amazon's address pool
Amazon VPC – IPv4 vs IPv6
Amazon VPC – Components

 Subnets
 Route Tables
 IP Addressing
 Security Groups
 Network ACLs (NACLs)
 Internet Gateways (IGWs)
 NAT Gateways
 Egress-Only Internet Gateways (EIGWs)
 Virtual Private Gateways (VGWs), Customer Gateways and VPNs
 VPC Endpoints
 VPC Peering
 DHCP Option Sets
Subnets

 A subnet's maximum size is the VPC CIDR range itself; each subnet lives in a single Availability Zone
 Smallest IPv4 subnet size is /28
 AWS reserves the first four and the last IPv4 address of every subnet (network address, VPC router, DNS, future use, and broadcast), so a /28 yields 11 usable addresses
 No broadcast or multicast traffic is supported
 IPv6 subnets have a fixed prefix length of /64
Subnets – IPv6

 VPC IPv6 CIDR block (assigned by Amazon): 2001:0db8:1234:1a00::/56
 /64 subnets carved from it:
 2001:0db8:1234:1a00::/64
 2001:0db8:1234:1a01::/64
 2001:0db8:1234:1a02::/64
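The addressing rules above (a VPC block between /16 and /28, five reserved addresses in every subnet, /64 IPv6 subnets carved from the Amazon-assigned /56) are easy to get wrong when scripting VPC builds. The following Python is an added example and is not part of the module's material: it validates a proposed VPC CIDR, lists the reserved addresses of a subnet (including the base+2 address that the DNS slide later in this module describes), checks that a subnet fits inside its VPC, carves /64s out of the IPv6 block, and applies the no-overlap rule that the VPC Peering slide states. The sample CIDR values are constructed for the example.

```python
import ipaddress

# Constructed sample values for this added example; they are not from the module.
SAMPLE_VPC_CIDR = "10.0.0.0/16"
SAMPLE_VPC_IPV6_CIDR = "2001:db8:1234:1a00::/56"


def vpc_cidr_error(cidr):
    """Return None if `cidr` is an acceptable VPC IPv4 CIDR block, else a reason string.

    Rule from the module: the IPv4 prefix must be between /16 and /28.  strict=True
    rejects blocks with host bits set (e.g. 10.0.0.1/16), which AWS also rejects.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"not a valid CIDR block: {exc}"
    if net.version != 4:
        return "expected an IPv4 block"
    if not 16 <= net.prefixlen <= 28:
        return f"/{net.prefixlen} is outside the allowed /16 to /28 range"
    return None


def reserved_addresses(subnet_cidr):
    """The five IPv4 addresses AWS reserves in every subnet: the first four and the last."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4 or net.prefixlen > 28:
        raise ValueError("IPv4 subnets must be /28 or larger")
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        # Reserved for DNS in every subnet; the Amazon DNS server itself answers
        # at the VPC CIDR base + 2.
        "dns": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr):
    """Addresses actually assignable to instances: the block size minus the five reserved."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def subnet_fits_vpc(vpc_cidr, subnet_cidr):
    """A subnet must be wholly contained in its VPC's CIDR block."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def ipv6_subnets(vpc_ipv6_cidr, count):
    """Carve the first `count` /64 subnets out of the VPC's Amazon-assigned /56."""
    net = ipaddress.ip_network(vpc_ipv6_cidr, strict=True)
    if net.version != 6 or net.prefixlen != 56:
        raise ValueError("VPC IPv6 block is a /56")
    if count > 256:
        raise ValueError("a /56 holds only 256 /64 subnets")
    gen = net.subnets(new_prefix=64)
    return [str(next(gen)) for _ in range(count)]


def can_peer(vpc_a_cidr, vpc_b_cidr):
    """Peering is refused when the two VPC blocks match or overlap."""
    a = ipaddress.ip_network(vpc_a_cidr)
    b = ipaddress.ip_network(vpc_b_cidr)
    return not a.overlaps(b)


if __name__ == "__main__":
    print(vpc_cidr_error(SAMPLE_VPC_CIDR))
    print(reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/28"), "usable addresses in a /28")
    print(ipv6_subnets(SAMPLE_VPC_IPV6_CIDR, 3))
    print(can_peer("10.0.0.0/16", "10.0.128.0/17"))
```

Running the block with a /8 or a block with host bits set returns an error string instead of raising, so the checks can be used as pre-flight validation in a provisioning script; the IPv6 list it prints matches the three /64s on the slide above.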
Subnet Types

 Public – the subnet's route table has a route to an Internet Gateway (IGW)
 Private – no route to an IGW; may have a route to a NAT Gateway (IPv4) or an Egress-Only Internet Gateway (IPv6) for outbound-only access
 VPN only – route to the VPC's Virtual Private Gateway (VGW) and no route to an IGW
Route Tables

 Each VPC has an implicit router
 Each VPC comes with a main route table
 Additional (custom) route tables can be created
 Each subnet is associated with exactly one route table; a subnet with no explicit association uses the main route table
 Each route in a route table specifies a destination CIDR and a target; the most specific matching route wins
Security Groups and NACLs
Internet Gateways

 Needed to provide Internet access to a subnet
 Add a default route (0.0.0.0/0, and ::/0 for IPv6) targeting the IGW in the subnet's route table
 Configure NACLs and security groups to allow the relevant traffic to and from your instance (an IGW route alone does not open anything)
 Assign a public IPv4 address or an Elastic IP to the EC2 instances
 Assign an IPv6 global unicast address (GUA) if the subnet is dual-stack
NAT Gateway

 Needed to provide outbound-only IPv4 Internet access to instances in a private subnet; unsolicited inbound connections are not forwarded
 Create the NAT Gateway in a public subnet (one that routes to an IGW)
 Allocate an IPv4 Elastic IP address and associate it with the NAT Gateway
 Add a 0.0.0.0/0 route targeting the NAT Gateway to the route table associated with the private subnet
Egress-Only Internet Gateway (EIGW)

 Needed to provide outbound-only IPv6 Internet access to instances in a private subnet
 It is a VPC component, like an IGW
 It does not perform address translation (IPv6 addresses are globally unique); it only prevents the Internet from initiating connections to the instances
 Add a ::/0 route targeting the EIGW to the route table associated with the private subnet
VGWs, Customer Gateways, VPNs

 The Virtual Private Gateway (VGW) is the AWS end of the VPN
 The Customer Gateway is the hardware or software device on the remote end of the VPN
 The VGW supports both BGP (dynamic) and static routing
 A VPN connection consists of two IPsec tunnels to the VPC, terminating on separate AWS endpoints, for high availability
VPC Endpoint

 Used to connect privately to AWS services from inside the VPC without traversing an IGW or NAT Gateway
 Supports IPv4 only (at the time of this module)
 There are two types: interface and gateway
 An interface endpoint uses an elastic network interface (ENI) with a private IP address in your subnet and can be protected with a security group
 A gateway endpoint is a target in a route table (S3 and DynamoDB supported at this time)
Networking CLI Operations
 Create a VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16
 Create an Internet Gateway
aws ec2 create-internet-gateway
 Attach an Internet Gateway to a VPC (the IDs come from the output of the two commands above)
aws ec2 attach-internet-gateway \
    --vpc-id "vpc-06d09ad5e5f26f577" \
    --internet-gateway-id "igw-006ebe7490b3dbfea" \
    --region us-east-2
Lab 02 – VPC Networking Fundamentals
VPC Peering

A VPC peering connection is a networking connection between two VPCs that lets them route traffic to each other using private IP addresses:

 You can create a VPC peering connection between your own VPCs or with a VPC in another AWS account (and, with inter-region peering, in another region)
 A VPC may have multiple peering connections
 You cannot create a peering connection between VPCs that have matching or overlapping CIDR blocks
 Amazon encrypts traffic between peers in different regions
 VPC peering connections do not support transitive routing: if A is peered with B and B with C, A cannot reach C through B
 A peering connection alone carries no traffic; each side still needs a route to the peer's CIDR, and security groups and NACLs must allow the traffic
Placement Groups

 Logical groupings of instances that influence how they are placed on the underlying hardware; there are three types:
 Cluster (low latency and high throughput, for HPC); confined to a single Availability Zone
 Partition (for large distributed workloads like Hadoop); partitions can span Availability Zones within a region
 Spread (for fault tolerance, each instance on distinct hardware); can span Availability Zones within a region
 Support both IPv4 and IPv6
Elastic Network Interface (ENI)

 An ENI is a virtual network interface that you can attach to an instance in a VPC
 Can be used to build network and security appliances and dual-homed instances (one interface per subnet)
 An ENI can be:
 Hot attached (to a running instance)
 Warm attached (to a stopped instance)
 Cold attached (at instance launch)
 Multiple ENIs cannot be used for NIC teaming (link aggregation) to increase an instance's bandwidth
DHCP Options Set

 AWS automatically creates a default DHCP options set and associates it with your VPC
 A VPC can have at most one DHCP options set associated with it at a time
 The default DHCP options set points instances at AmazonProvidedDNS
 Additional DHCP option sets can be created to assign a different domain name or custom DNS servers
Amazon Domain Name Service (DNS) Server

 Amazon provides an integrated DNS server for every VPC (the Route 53 Resolver)
 The Amazon DNS server runs on a reserved IP address at the base of the VPC IPv4 CIDR range plus two (e.g. for VPC 172.16.0.0/16, DNS is available at 172.16.0.2); it is also reachable at 169.254.169.253
 The Amazon DNS server integrates with Amazon Route 53 private hosted zones
 The VPC attribute enableDnsHostnames determines whether EC2 instances with public IP addresses receive public DNS hostnames; enableDnsSupport must also be true for the Amazon DNS server to be used
Amazon VPC Flow Logs

 VPC Flow Logs is a feature of Amazon VPC that captures IP traffic flow metadata (addresses, ports, protocol, packet and byte counts, and the ACCEPT/REJECT decision) for network interfaces in a VPC; packet payloads are not captured
 The flow data is delivered to Amazon CloudWatch Logs (delivery to Amazon S3 is also supported)
 Can be enabled at the VPC, subnet, or network interface level
 Records are aggregated over a capture window of up to about 10 minutes before being published, so flow logs are not a real-time feed
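The per-flow records described above are the raw material for the most common VPC detection: a host that gets REJECTed on many different ports in one capture window. The following Python is an added example, not part of the module: it parses default-format (version 2) flow log lines, skips NODATA windows, tallies ACCEPT versus REJECT decisions, and flags sources whose rejected flows touched many distinct destination ports. The log lines are constructed for the example (RFC 5737 documentation addresses, a made-up account ID and ENI ID) and do not come from a real account.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample records for this example (not real traffic): one external host
# probing six ports on a private instance and being rejected by an SG or NACL, a
# legitimate SSH session seen in both directions, and a NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 54321 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 54322 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 54323 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 54324 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 54325 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 54326 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 50122 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.9 22 50122 6 18 3012 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000660 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    start: int
    end: int
    action: str


def parse_flow_log(text):
    """Parse default-format records; skip NODATA/SKIPDATA windows, whose fields are '-'."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            interface_id=rec["interface_id"],
            srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
            srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]), packets=int(rec["packets"]),
            byte_count=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
            action=rec["action"],
        ))
    return records


def action_counts(records):
    """How many flows were ACCEPTed vs REJECTed (a REJECT is a security group or NACL decision)."""
    return dict(Counter(r.action for r in records))


def port_scan_suspects(records, min_ports=5):
    """Sources whose REJECTed flows touched at least `min_ports` distinct destination ports.

    Returns {srcaddr: sorted list of probed ports}.  One host being refused on many
    different ports inside a single capture window is the classic flow-log scan signature.
    """
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(action_counts(recs))
    print(port_scan_suspects(recs))
```

Because flow logs carry only the five-tuple and the decision, the parser cannot tell what a rejected probe contained; it can only show that the security group or NACL did its job. Both directions of the accepted SSH session appear as separate records, which is why the ACCEPT count is 2 for one session.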
AWS Direct Connect

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1-gigabit or 10-gigabit Ethernet fiber-optic cable, bypassing the public Internet.

Benefits:
 Reduced bandwidth cost
 Consistent network performance
 Private connectivity to AWS (the link is private but not encrypted by default; run a VPN over it if encryption is required)
 Elasticity and scaling
Amazon Route 53

Amazon Route 53 enables three main functions:


 Register domain names
 Route Internet traffic to the resources for your domain
 Check the health of the resources
Amazon Route 53 – Routing Policy

 Simple Routing
 Weighted Routing
 Latency-Based Routing
 Geolocation Routing
 Failover Routing
Amazon Route 53 – Health Checks

There are three types of health checks that can be configured with Amazon Route 53:
 The health of a specified resource, such as a web server
 The status of an Amazon CloudWatch alarm
 The status of other health checks
Elastic Load Balancing

 The Elastic Load Balancing service distributes traffic across a group of Amazon EC2 instances in one or more Availability Zones, enabling high availability for your applications
 Elastic Load Balancing supports routing and load balancing of HTTP, HTTPS, TCP and TLS traffic to Amazon EC2 instances
 Elastic Load Balancing provides a stable, single DNS name for DNS configuration and supports both Internet-facing and internal load balancers
Application Load Balancer

 Operates at layer 7 (the application layer) of the OSI model
 Listener rules are evaluated in priority order; the first matching rule is applied and the default rule catches everything else
 Ideal choice for:
 Path-based and host-based routing
 Routing requests to multiple services on a single EC2 instance
 Containerized applications
 Monitoring the health of each service independently
Network Load Balancer

 Operates at layer 4 (the transport layer) of the OSI model
 Has the following benefits:
 Handles volatile workloads and very high connection rates
 Support for a static IP address (or Elastic IP) per Availability Zone
 Support for registering targets by IP address, including targets outside the VPC
 Support for routing requests to multiple applications on a single EC2 instance
 Support for monitoring the health of each service independently
Lab03 – ELB and Route 53
Resources to Review

For further review, check out the following URLs:


 Amazon EC2: https://aws.amazon.com/documentation/ec2/
 Amazon VPC: https://aws.amazon.com/documentation/vpc/
