Week 3 AcademyCloudFoundations - Module - 05 - Networking
Topics
• Networking basics
• Amazon VPC
• VPC networking
• VPC security
• Amazon Route 53
• Amazon CloudFront

Activities
• Label a network diagram
• Design a basic VPC architecture

Demo
• VPC demonstration

Lab
• Build your VPC and launch a web server

Knowledge check
Module objectives
Networking
[Figure: Subnet 1 and Subnet 2 joined by a router; the destination is 17.0.1.1/24]
• In this case the information is being sent from 17.0.0.1 via a router device, which decides where to send the information so that it reaches 17.0.1.1
IP addresses
192 . 0 . 2 . 1
IP addresses
• Within the binary there are two parts which we are interested in:
  • Network identifier - this gets you to the network where your device is located
  • Host identifier - this is the device/computer the information is intended for
192 . 0 . 2 . 1
• Postal analogy: S305, Mellor Building, Staffordshire University, College Road, Stoke-on-Trent
  • Network identifier - gets you to the physical location
Classless Inter-Domain Routing (CIDR)
• Computers are no different - you just need to know which bits are your network identifier - in this case 24 bits
192 . 0 . 2 . 1 / 24
• The /24 tells you how many bits are fixed:
  11000000 00000000 00000010 00000000
  to
  11000000 00000000 00000010 11111111
[Figure: Subnet 1 and Subnet 2 joined by a router; the destination is 17.0.1.1/24]
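As an added example (this is not from the slide deck), the following Python script does the bit split the slide does by hand for 192.0.2.1/24. It uses the standard ipaddress module, plus a hand-rolled mask calculation to show the arithmetic, and checks whether two addresses such as 17.0.0.1 and 17.0.1.1 from the router example share a network identifier.

```python
# Added example, not part of the original slides: split an IPv4 address in
# CIDR notation into its fixed network bits and its variable host bits.
import ipaddress


def network_address_manual(addr: str, prefix: int) -> str:
    """Compute the network address with plain bit arithmetic (no library help).

    The /prefix says how many leading bits are fixed; the mask keeps exactly
    those bits and clears the host bits.
    """
    octets = [int(o) for o in addr.split(".")]
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # prefix ones, then zeros
    net = value & mask
    return ".".join(str((net >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_cidr(cidr: str) -> dict:
    """Return the network/host split for an address written as a.b.c.d/n."""
    iface = ipaddress.IPv4Interface(cidr)   # keeps both host address and prefix
    net = iface.network                     # e.g. 192.0.2.0/24 for 192.0.2.1/24
    addr_bits = f"{int(iface.ip):032b}"     # address as a 32-character bit string
    mask_bits = f"{int(net.netmask):032b}"
    prefix = net.prefixlen

    def group(bits: str) -> str:            # "11000000 00000000 ..." like the slide
        return " ".join(bits[i:i + 8] for i in range(0, 32, 8))

    return {
        "address_binary": group(addr_bits),
        "netmask_binary": group(mask_bits),
        "network_identifier": addr_bits[:prefix],   # the fixed bits
        "host_identifier": addr_bits[prefix:],      # the bits that pick the device
        "first_address": str(net.network_address),
        "last_address": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_network(a: str, b: str) -> bool:
    """True when two a.b.c.d/n addresses share the same network identifier."""
    return ipaddress.IPv4Interface(a).network == ipaddress.IPv4Interface(b).network


if __name__ == "__main__":
    info = describe_cidr("192.0.2.1/24")
    for key, value in info.items():
        print(f"{key:>20}: {value}")
    # The router example from the slide: 17.0.0.1 and 17.0.1.1 sit on different /24s,
    # which is why a router has to carry traffic between them.
    print("17.0.0.1/24 and 17.0.1.1/24 on one network?",
          same_network("17.0.0.1/24", "17.0.1.1/24"))
```

The same two hosts would be on one network with a /16 prefix, which is the practical point of the slide: the prefix length, not the dotted address on its own, decides whether traffic needs a router.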
Amazon VPC Review
• Amazon VPCs can include resources in more than one Availability Zone.
• You can have multiple Amazon VPCs in the same account and region, and in multiple regions or accounts.
[Figure: AWS Region eu-west-2 (London) containing Availability Zone A and Availability Zone B]
Amazon VPC Example
[Figure, built up over several slides: Region eu-west-2 (London); Test-VPC 10.0.0.0/16; Subnet A1 10.0.0.0/24 in Availability Zone A; Private Subnet B1 10.0.1.0/24]
IP addressing Overlap Example
[Figure: VPC 172.16.1.0/24 connected to a second network that also uses 172.16.1.0/24]
• This is an example where the network cannot make a decision on where to send the data
• Same addresses in both locations
Amazon VPC
IP addressing - Recommendation
• When you create a VPC, we recommend that you specify a CIDR block from the private IPv4 address ranges as specified in RFC 1918:
• These are only recommendations; you can ignore them as long as you meet the slash notation rules

  Private range (RFC 1918)                         Rule
  10.0.0.0 - 10.255.255.255 (10/8 prefix)          Your VPC must be /16 or smaller, for example, 10.0.0.0/16.
  172.16.0.0 - 172.31.255.255 (172.16/12 prefix)   Your VPC must be /16 or smaller, for example, 172.31.0.0/16.
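To make the distinction between the recommendation and the hard rule concrete, here is an added Python check (not from the slides) for a proposed VPC CIDR block. The slash-notation rule "/16 or smaller" is taken from the slide; the /28 lower limit is a known AWS limit that the slide does not mention, and the 192.168.0.0/16 range is the third RFC 1918 block.

```python
# Added example, not part of the original slides: check a proposed VPC CIDR
# block against the slide's recommendation (RFC 1918 private space) and its
# slash-notation rule (/16 or smaller).
import ipaddress

# The RFC 1918 private ranges. The slide's table lists the first two; the
# third is the same RFC's 192.168/16 range.
RFC1918_RANGES = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def check_vpc_cidr(cidr: str) -> dict:
    """Return {"errors": [...], "warnings": [...]} for a proposed VPC block.

    errors   - the block breaks a hard rule and the VPC cannot be created
    warnings - the block works but ignores the RFC 1918 recommendation
    """
    result = {"errors": [], "warnings": []}
    try:
        # strict=True rejects "10.0.0.1/16": host bits set, so not a network address
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        result["errors"].append(f"not a valid network block: {exc}")
        return result

    # Slash-notation rule from the slide: the block must be /16 or smaller,
    # i.e. the prefix length must be at least 16.
    if net.prefixlen < 16:
        result["errors"].append(
            f"/{net.prefixlen} is larger than /16; a VPC must be /16 or smaller")
    # AWS also refuses blocks smaller than /28 (known AWS limit, not on the slide).
    if net.prefixlen > 28:
        result["errors"].append(f"/{net.prefixlen} is smaller than the /28 minimum")

    # Recommendation only: pick the block from private (RFC 1918) space.
    if not any(net.subnet_of(private) for private in RFC1918_RANGES):
        result["warnings"].append(
            f"{net} is not inside an RFC 1918 private range (recommended, not required)")
    return result


def is_acceptable(cidr: str) -> bool:
    """True when the block passes every hard rule (warnings do not block creation)."""
    return not check_vpc_cidr(cidr)["errors"]


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "172.31.0.0/16", "10.0.0.0/8", "203.0.113.0/24", "10.0.0.1/16"):
        print(candidate, check_vpc_cidr(candidate))
```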
Elastic network interface
[Figure: elastic network interface]
Route tables and routes
Section 2 key takeaways
• A VPC is a logically isolated section of the AWS Cloud.
• A VPC belongs to one Region and requires a CIDR block.
• A VPC is subdivided into subnets.
• A subnet belongs to one Availability Zone and requires a CIDR block.
• Route tables control traffic for a subnet.
• Route tables have a built-in local route.
• You add additional routes to the table.
• The local route cannot be deleted.
Module 5: Networking and Content Delivery
Internet Gateway - IGW
• An internet gateway is a scalable, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
• To make a subnet public, you attach an internet gateway to your VPC and add a route to the route table to send non-local traffic (0.0.0.0/0) through the internet gateway to the internet.
Public/Private IP Addressing
• Unlike normal networking, where certain addresses are reserved as private addresses and the rest are public, in AWS the difference is simply whether the route table for that subnet has a route to an IGW
• Normally private IPv4 addresses are (RFC 1918):
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
Internet gateway
[Figure: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 > Public subnet 10.0.1.0/24, with an internet gateway attached to the VPC]
Public Subnet Route Table
  Destination   Target
  10.0.0.0/16   local
  0.0.0.0/0     igw-id
Network Address Translation (NAT)
• In the IGW model each of the devices has a public address
• Communications simply move between the Internet and the device
• This introduces a lot of security risks, the same as you see in your own home or at the university
• To deal with this we can use a NAT gateway
• Using this technology your devices can connect to the Internet for items such as patching the OS
• At the same time no one from the Internet can connect directly to your device
Network address translation (NAT) gateway
[Figure: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16; the NAT gateway (nat-gw-id) sits in the public subnet 10.0.1.0/24, which uses the public route table]
Public Subnet Route Table
  Destination   Target
  10.0.0.0/16   local
  0.0.0.0/0     igw-id
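The internet gateway and NAT gateway figures both come down to what the subnet's route table says about non-local traffic. As an added example (not from the slides), the Python below implements the longest-prefix-match lookup a VPC route table performs and uses it to label a subnet public, private or isolated. The public route table is the one on the slide; the private route table with a 0.0.0.0/0 route to nat-gw-id is assumed here (it matches the lab's final design later in the module), and 203.0.113.10 is a constructed address outside the VPC.

```python
# Added example, not part of the original slides: a longest-prefix-match
# lookup over VPC route tables, used to work out whether a subnet is public
# (default route via the IGW), private (default route via a NAT gateway) or
# isolated (no default route at all).
import ipaddress

# From the slide: the public subnet's route table.
PUBLIC_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-id")]
# Assumed for the private subnet: default route through the NAT gateway.
PRIVATE_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw-id")]
# A subnet with only the built-in local route has no path to the Internet.
ISOLATED_ROUTE_TABLE = [("10.0.0.0/16", "local")]


def lookup(route_table, destination: str):
    """Return the target for a destination address, or None if no route matches.

    VPC route tables use longest-prefix match: when several routes cover an
    address, the most specific one (largest prefix length) wins, so the
    local 10.0.0.0/16 route beats 0.0.0.0/0 for traffic that stays in the VPC.
    """
    dst = ipaddress.IPv4Address(destination)
    best_net, best_target = None, None
    for prefix, target in route_table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table) -> str:
    """Label a subnet by where its non-local traffic goes."""
    target = lookup(route_table, "203.0.113.10")   # constructed address outside the VPC
    if target is None:
        return "isolated"      # nothing leaves the VPC from here
    if target.startswith("igw-"):
        return "public"        # instances are reachable from the Internet
    if target.startswith("nat-"):
        return "private"       # outbound only, e.g. for OS patching
    return "other"


if __name__ == "__main__":
    for name, table in (("public", PUBLIC_ROUTE_TABLE),
                        ("private", PRIVATE_ROUTE_TABLE),
                        ("isolated", ISOLATED_ROUTE_TABLE)):
        print(name, "->", lookup(table, "10.0.1.5"), "/", lookup(table, "203.0.113.10"),
              "=>", classify_subnet(table))
```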
Network Address Translation (NAT)
• Demonstration
VPC sharing
[Figure: AWS Cloud > Region; VPC sharing with Account B (participant), Account C (participant) and Account D (participant)]
VPC peering
• In larger organisations you may want to share resources between VPCs
  • e.g. your French office wants to share information with the Ireland office
• Originally you would connect in via something like a Virtual Private Network (VPN) to the VPC which had the resources you need
  • This was going across public infrastructure though, and an element of risk was involved
• You can now use VPC peering to connect VPCs together
  • These can be in different regions and accounts
  • All of the communications go via the AWS infrastructure, which makes it more secure
VPC peering
[Figure: AWS Cloud; VPC A 10.0.0.0/16 and VPC B 10.3.0.0/16 joined by a peering connection (pcx-id)]
You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions.
Restrictions:
• IP spaces cannot overlap.
• Transitive peering is not supported.
• You can only have one peering resource between the same two VPCs.
Route Table for VPC A
  Destination   Target
  10.0.0.0/16   local
  10.3.0.0/16   pcx-id
Route Table for VPC B
  Destination   Target
  10.3.0.0/16   local
  10.0.0.0/16   pcx-id
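The "IP spaces cannot overlap" restriction here is the same problem as the IP addressing overlap example earlier in the module (two locations both using 172.16.1.0/24). As an added example that is not part of the slides, the Python below checks a set of named CIDR blocks for overlap before peering or connecting an office network, and generates the pcx-id routes each side of a peering connection needs. The "office" block in the test is a constructed value.

```python
# Added example, not part of the original slides: detect overlapping address
# space before peering VPCs or connecting an office network, and produce the
# pcx-id routes each side of a peering connection needs.
import ipaddress
from itertools import combinations


def find_overlaps(named_blocks: dict) -> list:
    """Return every pair of names whose CIDR blocks share at least one address.

    Overlap means a router cannot decide which side a packet belongs to,
    which is the failure shown in the overlap example slide.
    """
    nets = {name: ipaddress.IPv4Network(cidr) for name, cidr in named_blocks.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """Peering restriction from the slide: the two IP spaces must not overlap."""
    return not ipaddress.IPv4Network(vpc_a).overlaps(ipaddress.IPv4Network(vpc_b))


def peering_routes(vpc_a: str, vpc_b: str, pcx_id: str = "pcx-id") -> dict:
    """Routes each VPC's table needs: its own block stays local, the other
    block goes via the peering connection, exactly as on the slide."""
    if not can_peer(vpc_a, vpc_b):
        raise ValueError(f"{vpc_a} and {vpc_b} overlap; peering is not possible")
    return {
        "A": [(vpc_a, "local"), (vpc_b, pcx_id)],
        "B": [(vpc_b, "local"), (vpc_a, pcx_id)],
    }


if __name__ == "__main__":
    # Constructed inventory: the two VPCs from the slide plus an office block
    # that collides with VPC A, which would break a hybrid (VPN) connection.
    inventory = {"VPC A": "10.0.0.0/16", "VPC B": "10.3.0.0/16", "office": "10.0.5.0/24"}
    print("overlapping pairs:", find_overlaps(inventory))
    print("A<->B peering routes:", peering_routes("10.0.0.0/16", "10.3.0.0/16"))
```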
VPC Peering Discussion Video
• Link to video
AWS Hybrid Model
• As we have seen, for most items so far we are connecting in from the Internet to get access
• Let's assume though that you have your database in AWS which stores all of your customers' details, and you want to query it to find out how many sales there were in the last week
• You do not want to expose your database to the Internet, as this is definitely a good case for being prosecuted under GDPR
  • A good password policy will help, but again this is not enough
• You need to be able to connect into your AWS infrastructure privately
• You also need to make it appear as though the AWS infrastructure is simply part of your infrastructure
• If you are onsite at the university you are doing this all of the time, as everything you are doing on the desktop is running out of a cloud provider
AWS Hybrid Model - Choices
• There are two choices
• In either of these the address space cannot overlap with your office IP addresses
• VPN - Virtual Private Network
  • This is an encrypted tunnel which is generated from your firewall to an AWS firewall
  • The communications are secure but are susceptible to the loss and delays which are common on the Internet
  • This is quick to set up and is cheap to operate
  • The config for your physical corporate router will be created for you as well
• Direct Connect
AWS Site-to-Site VPN
[Figure: AWS Cloud > Region > Availability Zone; public subnet route table: 10.0.0.0/16 -> local]
AWS Hybrid Model - Choices
• There are two choices
• In either of these the address space cannot overlap with your office IP addresses
• VPN - Virtual Private Network
• Direct Connect
  • In this model you have a private connection via a third party
  • This does not go across the Internet and is private to you
  • It is lower latency and is more secure
  • This will take a lot longer to set up as a third party will be involved
  • https://aws.amazon.com/directconnect/partners/
  • Available in multiples of 1 Gbps, 10 Gbps or 100 Gbps
  • This is a more expensive option
  • There will be lots of companies though which need this performance
AWS Direct Connect
[Figure: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 > Public subnet 10.1.0.0/24, reached from the corporate data center 192.168.10.0/24 over an 802.1q VLAN via AWS Direct Connect, alongside a Site-to-Site VPN connection over the Internet]
AWS Direct Connect
• Discussion Video
AWS VPC Endpoints
• For some of the services which are provided by AWS you need to connect to them using a public IP address
  • The issue with this is that your communications will be going over the public Internet
  • They will be encrypted, but they are still on public infrastructure
  • You will need a public IP address and an IGW or NAT Gateway
• To avoid this you can use VPC Endpoints, which allow you to communicate with services using private IP addresses
  • This is more secure
  • The quality of the communications will be better, with lower latency and higher throughput, as it is all within the AWS infrastructure
VPC endpoints
[Figure: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 > Public subnet 10.0.1.0/24; the instance reaches Amazon S3 through a VPC endpoint (vpcep-id) using the default DNS hostname or an endpoint-specific DNS hostname]
Public Subnet Route Table
  Destination    Target
  10.0.0.0/16    local
  Amazon S3 ID   vpcep-id
[Figure: several Amazon VPCs linked by a mesh of VPC peering connections, VPN connections from a customer gateway, and an AWS Direct Connect gateway, compared with the same VPCs, VPN connection and Direct Connect gateway attached to a single AWS Transit Gateway]
AWS Transit Gateway
• Here is a deep dive into this technology if you are interested in more information
Activity: Label this network diagram
[Figure with labels to fill in (marked ?): AWS Cloud; Public subnet 10.0.1.0/24; Private subnet 10.0.2.0/24; Internet; a route table (Destination / Target) with a local route and a 0.0.0.0/0 route; the _?_ IP address of each instance; 10.0.0.0/16; Q6]
Activity: Solution
[Figure: AWS Cloud > Region > Availability Zone > VPC > Public subnet 10.0.1.0/24; Internet; Route table; Internet gateway]
Recorded Amazon VPC demonstration
Section 3 key takeaways
• There are several VPC networking options, which include:
  • Internet gateway
  • NAT gateway
  • VPC endpoint
  • VPC peering
  • VPC sharing
  • AWS Site-to-Site VPN
  • AWS Direct Connect
  • AWS Transit Gateway
• You can use the VPC Wizard to implement your design.
Module 5: Networking and Content Delivery
[Figure: Region > Availability Zone > VPC 10.0.0.0/16 > Public subnet 10.0.1.0/24, with a security group around the instance]
Security groups
• Security groups have rules that control inbound and outbound instance traffic.
• Default security groups deny all inbound traffic and allow all outbound traffic.
• Security groups are stateful.
Custom security groups
[Figure: Region > Availability Zone > VPC 10.0.0.0/16 > Public subnet 10.0.0.0/24]
Network ACLs
• A network ACL has separate inbound and outbound rules, and each rule
can either allow or deny traffic.
• Default network ACLs allow all inbound and outbound IPv4 traffic.
• Network ACLs are stateless.
Custom network ACLs
• Custom network ACLs deny all inbound and outbound traffic until you add rules.
• You can specify both allow and deny rules.
• Rules are evaluated in number order, starting with the lowest number.
Security groups versus network ACLs
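The stateful/stateless difference and the rule ordering above are easiest to see by running them. The following is an added simulation (not code from the slides or from AWS) of both layers on a constructed HTTP exchange: a client at 203.0.113.5 using ephemeral port 50000 connects to a web server on port 80, and the server replies. The security group lets the reply out because it tracks the flow; the network ACL evaluates the reply as a fresh packet, so without an outbound rule for the ephemeral port range it is dropped, and a lower-numbered deny beats a later allow.

```python
# Added example, not part of the original slides: a small simulation of the
# two firewall layers. Network ACL rules are evaluated in number order (lowest
# first, first match wins, implicit deny at the end) and are stateless;
# security group rules are allow-only and stateful, so reply traffic is let
# through without a rule of its own.
import ipaddress


def _matches(cidr: str, lo: int, hi: int, remote_ip: str, port: int) -> bool:
    return ipaddress.IPv4Address(remote_ip) in ipaddress.IPv4Network(cidr) and lo <= port <= hi


def nacl_evaluate(rules, remote_ip: str, port: int) -> str:
    """Stateless network ACL check for one direction.

    rules: (rule_number, cidr, low_port, high_port, "allow" | "deny")
    For inbound the cidr is the source and the port is the local port;
    for outbound the cidr is the destination and the port is the remote port.
    """
    for _number, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
        if _matches(cidr, lo, hi, remote_ip, port):
            return action          # first matching rule decides
    return "deny"                  # the final '*' rule on every network ACL


class SecurityGroup:
    """Stateful, allow-only rules; tracked flows let replies through."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound     # (cidr, low_port, high_port) allow rules
        self.outbound = outbound
        self.flows = set()         # (remote_ip, remote_port, local_port)

    def inbound_packet(self, src_ip: str, src_port: int, dst_port: int) -> str:
        key = (src_ip, src_port, dst_port)
        if key in self.flows:      # reply to a flow we already allowed out
            return "allow"
        if any(_matches(c, lo, hi, src_ip, dst_port) for c, lo, hi in self.inbound):
            self.flows.add(key)    # remember it so the reply can leave
            return "allow"
        return "deny"

    def outbound_packet(self, dst_ip: str, dst_port: int, src_port: int) -> str:
        key = (dst_ip, dst_port, src_port)
        if key in self.flows:      # reply to a flow we already allowed in
            return "allow"
        if any(_matches(c, lo, hi, dst_ip, dst_port) for c, lo, hi in self.outbound):
            self.flows.add(key)
            return "allow"
        return "deny"


def web_request(nacl_inbound, nacl_outbound, sg: SecurityGroup,
                client_ip: str = "203.0.113.5", client_port: int = 50000,
                server_port: int = 80) -> dict:
    """Constructed HTTP exchange: client -> server:80, then the server's reply."""
    return {
        "nacl_request": nacl_evaluate(nacl_inbound, client_ip, server_port),
        "nacl_reply": nacl_evaluate(nacl_outbound, client_ip, client_port),
        "sg_request": sg.inbound_packet(client_ip, client_port, server_port),
        "sg_reply": sg.outbound_packet(client_ip, client_port, server_port),
    }


if __name__ == "__main__":
    allow_http = [(100, "0.0.0.0/0", 80, 80, "allow")]
    ephemeral = [(100, "0.0.0.0/0", 1024, 65535, "allow")]
    web_sg = SecurityGroup(inbound=[("0.0.0.0/0", 80, 80)], outbound=[])
    print("NACL outbound allows only port 80:", web_request(allow_http, allow_http, web_sg))
    web_sg = SecurityGroup(inbound=[("0.0.0.0/0", 80, 80)], outbound=[])
    print("NACL outbound allows ephemeral ports:", web_request(allow_http, ephemeral, web_sg))
```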
VPC Security
• The use of SGs and NACLs is in addition to your normal security policies on an instance
  • It is NOT a replacement
  • i.e. OS firewalls
    • Windows Firewall
    • Linux IPTables
    • Linux pfSense
• You can never be TOO secure!
Activity: Design a VPC
Scenario: You have a small business with a website that is hosted on an Amazon
Elastic Compute Cloud (Amazon EC2) instance. You have customer data that is
stored on a backend database that you want to keep private. You want to use
Amazon VPC to set up a VPC that meets the following requirements:
• Your web server and database server must be in separate subnets.
• The first address of your network must be 10.0.0.0. Each subnet must have 256
total IPv4 addresses.
• Your customers must always be able to access your web server.
• Your database server must be able to access the internet to make patch
updates.
• Your architecture must be highly available and use at least one custom firewall
layer.
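One way to work through the design activity in code, as an added example that is not part of the slides: carve the 10.0.0.0/16 block into /24 subnets (256 addresses each), put a public web subnet and a private database subnet in each of two Availability Zones, and check the result against every requirement in the scenario. The "igw"/"nat" default-route labels and the list of firewall layers are assumptions made for the check.

```python
# Added example, not part of the original slides: carve the activity's VPC
# into /24 subnets and check the design against the stated requirements.
import ipaddress
from itertools import combinations


def plan_vpc(vpc_cidr: str = "10.0.0.0/16", subnet_prefix: int = 24, azs=("a", "b")) -> dict:
    """One public (web) and one private (database) subnet per Availability Zone.

    Subnets are taken in order from the VPC block, so with two AZs this gives
    10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24.
    """
    vpc = ipaddress.IPv4Network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=subnet_prefix)    # generator of equal-sized blocks
    subnets = []
    for az in azs:
        subnets.append({"name": f"public-{az}", "az": az, "cidr": str(next(blocks)),
                        "tier": "web", "default_route": "igw"})   # customers reach it
        subnets.append({"name": f"private-{az}", "az": az, "cidr": str(next(blocks)),
                        "tier": "db", "default_route": "nat"})    # patching only
    return {"vpc": vpc_cidr, "subnets": subnets,
            # the custom firewall layers chosen for the design (assumed here)
            "firewalls": ["custom security group", "custom network ACL"]}


def check_requirements(design: dict) -> list:
    """Return the activity requirements the design fails to meet (empty = all met)."""
    vpc = ipaddress.IPv4Network(design["vpc"])
    subnets = design["subnets"]
    nets = [ipaddress.IPv4Network(s["cidr"]) for s in subnets]
    web = [s for s in subnets if s["tier"] == "web"]
    db = [s for s in subnets if s["tier"] == "db"]
    problems = []
    if str(vpc.network_address) != "10.0.0.0":
        problems.append("first address of the network must be 10.0.0.0")
    if any(n.num_addresses != 256 for n in nets):
        problems.append("each subnet must have 256 total IPv4 addresses")
    if not all(n.subnet_of(vpc) for n in nets):
        problems.append("every subnet must lie inside the VPC block")
    if any(a.overlaps(b) for a, b in combinations(nets, 2)):
        problems.append("subnets must not overlap")
    if {s["cidr"] for s in web} & {s["cidr"] for s in db}:
        problems.append("web server and database server must be in separate subnets")
    if not web or any(s["default_route"] != "igw" for s in web):
        problems.append("web subnets need a 0.0.0.0/0 route to an internet gateway so customers can always reach them")
    if not db or any(s["default_route"] != "nat" for s in db):
        problems.append("database subnets need a 0.0.0.0/0 route to a NAT gateway for patching without exposure")
    if len({s["az"] for s in web}) < 2 or len({s["az"] for s in db}) < 2:
        problems.append("high availability needs each tier in at least two Availability Zones")
    if not design["firewalls"]:
        problems.append("at least one custom firewall layer is required")
    return problems


if __name__ == "__main__":
    design = plan_vpc()
    for s in design["subnets"]:
        print(f"{s['name']:<10} AZ {s['az']}  {s['cidr']:<12} default route -> {s['default_route']}")
    print("unmet requirements:", check_requirements(design) or "none")
```

The resulting layout is the same as the lab's final product later in the module: public subnets 10.0.0.0/24 and 10.0.2.0/24, private subnets 10.0.1.0/24 and 10.0.3.0/24, with the private subnets reaching the Internet only through the NAT gateway.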
Section 4 key takeaways
• Build security into your VPC architecture:
  • Isolate subnets if possible.
  • Choose the appropriate gateway device or VPN connection for your needs.
  • Use firewalls.
• Security groups and network ACLs are firewall options that you can use to secure your VPC.
Lab 2: Build Your VPC and Launch a Web Server
Lab 2: Scenario
In this lab, you use Amazon VPC to create your own VPC and add some components to produce a customized network. You create a security group for your VPC. You also create an EC2 instance and configure it to run a web server and to use the security group. You then launch the EC2 instance into the VPC.
[Figure: Amazon VPC and Amazon EC2 service icons]
Lab 2: Tasks
• Create a VPC.
Lab 2: Final product
[Figure: AWS Cloud > Region > VPC 10.0.0.0/16 spanning Availability Zone A and Availability Zone B, with an internet gateway attached to the VPC, a NAT gateway, and a web server protected by a security group]
  Availability Zone A: Public subnet 1 10.0.0.0/24, Private subnet 1 10.0.1.0/24
  Availability Zone B: Public subnet 2 10.0.2.0/24, Private subnet 2 10.0.3.0/24
Public Route Table
  Destination   Target
  10.0.0.0/16   Local
  0.0.0.0/0     Internet gateway
Private Route Table
  Destination   Target
  10.0.0.0/16   Local
  0.0.0.0/0     NAT gateway
Build Your VPC and Launch a Web Server
~ 30 minutes
Lab debrief: Key takeaways
Module 5: Networking and Content Delivery
Amazon Route 53
Amazon Route 53 DNS resolution
Amazon Route 53 supported routing
Use case: Multi-region deployment
[Figure: a user queries Amazon Route 53, which directs them to a load balancer in one of two Regions: some-elb-name.us-west-2.elb.amazonaws.com or some-elb-name.ap-southeast-2.elb.amazonaws.com]
  Name          Type    Value
  example.com   ALIAS   some-elb-name.us-west-2.elb.amazonaws.com
Amazon Route 53 DNS failover
DNS failover for a multi-tiered web application
[Figure: AWS Cloud; record sets including a CNAME for www, the primary site, and an Amazon S3 static website]
Amazon Route 53 Deep Dive
Section 5 key takeaways
• Amazon Route 53 is a highly available and scalable cloud DNS web service that translates domain names into numeric IP addresses.
• Amazon Route 53 supports several types of routing policies.
• Multi-Region deployment improves your application's performance for a global audience.
• You can use Amazon Route 53 failover to improve the availability of your applications.
Module 5: Networking and Content Delivery
[Figure: a user's request travelling from the client through router hops]
Content delivery network (CDN)
Amazon CloudFront
Amazon CloudFront infrastructure
[Figure: multiple edge locations and regional edge caches]
Amazon CloudFront benefits
Amazon CloudFront pricing
Module 5: Networking and Content Delivery
Module wrap-up
Module summary
Sample exam question
A. AWS Config
B. Amazon Route 53
C. AWS Direct Connect
D. Amazon VPC
Additional resources
Thank you
© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission
from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-
[email protected]. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.