Week 3 AcademyCloudFoundations - Module - 05 - Networking

Module 5 of the AWS Academy Cloud Foundations course covers networking basics, Amazon VPC, and content delivery. It aims to equip learners with the knowledge to design and implement a virtual network using AWS services, including VPC architecture, security groups, and Route 53. Activities include labeling network diagrams, building a VPC, and understanding IP addressing and routing within the AWS infrastructure.
AWS Academy Cloud Foundations

Module 5: Networking and Content Delivery
Module overview

Topics
• Networking basics
• Amazon VPC
• VPC networking
• VPC security
• Amazon Route 53
• Amazon CloudFront

Activities
• Label a network diagram
• Design a basic VPC architecture

Demo
• VPC demonstration

Lab
• Build your VPC and launch a web server

Knowledge check
Module objectives

After completing this module, you should be able to:

• Recognize the basics of networking
• Describe virtual networking in the cloud with Amazon VPC
• Label a network diagram
• Design a basic VPC architecture
• Indicate the steps to build a VPC
• Identify security groups
• Create your own VPC and add additional components to it to produce a customized network
• Identify the fundamentals of Amazon Route 53
• Recognize the benefits of Amazon CloudFront
Module 5: Networking and Content Delivery

Section 1: Networking basics


Networking - To put your mind at ease

• If you have done networking in a previous course
• This is nowhere near as complex
• If you have NEVER done networking before
• A lot of this can simply be done Plug and Play
• In other words it is automatic for what you need for this course
• We will show you how it operates, but do not worry if you do not get it straight away
• In a more advanced course we will need to ensure you understand this
Networking

• In this course we do not need a lot of networking, but some knowledge is useful
• Every device will have a set of unique addresses which are needed to send information to that device
• This is the same as when you send a letter, you define the address that letter is going to
• The addressing which is commonly used for logical addressing is the Internet Protocol
• IPv4 (most commonly known as simply IP) - RFC 791 (https://tools.ietf.org/html/rfc791)
• Still at the moment the most widely used logical addressing
• IPv6 - RFC 2460 (https://tools.ietf.org/html/rfc2460)
• Latest version which was designed to resolve a lot of the problems involved with IP
• Most commonly discussed in relation to the number of computers which can be supported
• But is a lot more than simply just this
Networks - Computers Communicating

[Diagram: a host at 17.0.0.1/24 in Subnet 1 and a host at 17.0.1.1/24 in Subnet 2, connected through a Router]

• In this case the information is being sent from 17.0.0.1 via a router device which will decide where to send the information to get it to 17.0.1.1
IP addresses

• Although IPv4 addresses appear as though they just need to be unique, there is a hierarchy to these addresses
• The address you see is actually 32 bits of binary
• As shown below

192 . 0 . 2 . 1
11000000 00000000 00000010 00000001
8 Bits   8 Bits   8 Bits   8 Bits
IPv4 and IPv6 addresses

IPv4 (32-bit) address:


192.0.2.0

IPv6 (128-bit) address:


2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF

9
IP addresses

• Within the binary there are two parts which we are interested in
• Network identifier
• This will get you to the network where your device is located
• Host identifier
• Which is the device/computer the information is intended for

192 . 0 . 2 . 1

11000000 00000000 00000010 00000001


IP addresses - Example

• Take a university address as an example
• Dr Carolin Bauer (Host Identifier - gets to the person)
• S305, Mellor Building, Staffordshire University, College Road, Stoke-on-Trent (Network Identifier - gets to the physical location)
Classless Inter-Domain Routing (CIDR)

• Computers are no different - you just need to know which bits are your network identifier - in this case 24 bits

192 . 0 . 2 . 1 / 24
Network identifier (routing prefix): the first 24 bits. Host identifier: the remaining 8 bits.
The number after the / tells you how many bits are fixed.

11000000 00000000 00000010 00000000 to 11111111
Fixed    Fixed    Fixed    Flexible

Classless Inter-Domain Routing (CIDR) Example

• There are two methods to identify the Network section and in AWS they use the slash notation
• This is popular as it is easy to read and document
• The number after the / tells you how many bits are the Network Identifier
• On the original slide the Network Identifier bits were shown in BLUE; here a | marks the end of the Network Identifier
• /24: 10000000.10000000.10000000 | .10000000
• /16: 10000000.10000000 | .10000000.10000000
• /18: 10000000.10000000.10 | 000000.10000000
• /20: 10000000.10000000.1000 | 0000.10000000
• /26: 10000000.10000000.10000000.10 | 000000
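The split between network identifier and host identifier, and the router's decision from the "Computers Communicating" slides, worked through in Python. This is an added example and is not part of the AWS Academy slides; it uses only the standard-library ipaddress module, and the function names are my own.

```python
import ipaddress


def split_address(cidr):
    """Split an IPv4 address in slash notation into its network and host parts.

    The number after the / is the count of fixed (network identifier) bits;
    the remaining bits are the flexible host identifier, as in the slides'
    192.0.2.1/24 example.
    """
    iface = ipaddress.ip_interface(cidr)    # keeps the host bits of the address
    net = iface.network                     # same address with the host bits zeroed
    prefix = net.prefixlen
    bits = format(int(iface.ip), "032b")    # the 32 bits behind the dotted form
    return {
        "dotted_binary": ".".join(bits[i:i + 8] for i in range(0, 32, 8)),
        "network_id_bits": bits[:prefix],   # fixed part
        "host_id_bits": bits[prefix:],      # flexible part
        "network": str(net.network_address),
        "host_bits": 32 - prefix,
        "addresses": net.num_addresses,     # 2 ** host_bits
    }


def needs_router(src_cidr, dst_ip):
    """True when the destination lies outside the sender's subnet, so the
    sender must hand the packet to a router instead of delivering it directly."""
    sender_network = ipaddress.ip_interface(src_cidr).network
    return ipaddress.ip_address(dst_ip) not in sender_network


if __name__ == "__main__":
    for cidr in ("192.0.2.1/24", "10.1.2.3/16", "172.16.5.9/20"):
        info = split_address(cidr)
        print(f"{cidr:16} network {info['network']:14} "
              f"net bits {info['network_id_bits']} | host bits {info['host_id_bits']} "
              f"({info['addresses']} addresses)")
    # The slides' example: 17.0.0.1 sending to 17.0.1.1, both in /24 subnets
    print("17.0.0.1/24 -> 17.0.1.1  needs router:", needs_router("17.0.0.1/24", "17.0.1.1"))
    print("17.0.0.1/24 -> 17.0.0.42 needs router:", needs_router("17.0.0.1/24", "17.0.0.42"))
```

Try it with the prefix lengths from the slide (/16, /18, /20, /26) to see how the boundary moves inside an octet: the network identifier does not have to end on a dot, which is why the binary view, not the dotted one, is the one to reason from.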
Addressing Links
• If you want to try some more here is a very good website on this
• https://cidr.xyz/
• and a spreadsheet where you can try this
• IP Addresses
Networks - Computers Communicating

[Diagram: a host at 17.0.0.1/24 in Subnet 1 and a host at 17.0.1.1/24 in Subnet 2, connected through a Router]

• Now we can see this in a little more detail
• The device with host address 1 is sending from the network 17.0.0 to the network 17.0.1 and to host 1 within that network
• The router is making the decision which cable to send the information out of to get to the network identifier 17.0.1
IP Address Talk
Module 5: Networking and Content Delivery

Section 2: Amazon VPC


Amazon Virtual Private Cloud (VPC)

• Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
• Gives you control over your virtual networking resources, including:
• Selection of IP address range
• Creation of subnets
• Configuration of route tables and network gateways
• Enables you to customize the network configuration for your VPC
• Enables you to use multiple layers of security
• Think of this as YOUR data centre within the AZ
VPCs and subnets

• VPCs:
• Logically isolated from other VPCs
• Dedicated to your AWS account
• Belong to a single AWS Region and can span multiple Availability Zones
• Subnets:
• Range of IP addresses that divide a VPC
• Belong to a single Availability Zone
• Classified as public or private

[Diagram: AWS Cloud > Region > one VPC spanning Availability Zone 1 and Availability Zone 2, with a Subnet in each zone]
Amazon VPC Review
• Amazon VPCs can include resources in more than one Availability Zone.
• You can have multiple Amazon VPCs in the same account and region and in multiple regions or accounts.

[Diagram: one AWS Region with Availability Zone A and Availability Zone B, holding separate Development, Integration, Pre-production and Production VPCs]
Amazon VPC Example (built up over several slides)

• Decide on the Region: eu-west-2 (London)
• Decide on the address range or accept the default: Test-VPC 10.0.0.0/16
• Add Subnet A1: 10.0.0.0/24, in Availability Zone A
• Add Subnet B1: 10.0.1.0/24
• Attach an internet gateway (Test-IGW): Subnet A1 (10.0.0.0/24) becomes Public Subnet A1 and Subnet B1 (10.0.1.0/24) stays as Private Subnet B1
IP addressing Overlap Example

[Diagram: a VPC using 172.16.1.0/24 connected to another network that also uses 172.16.1.0/24]

• This is an example where the network can not make a decision on where to send the data
• Same addresses in both locations
Amazon VPC

• Quick overview video of the previous VPC discussions


IP addressing

• When you create a VPC, you assign it an IPv4 CIDR block (range of private IPv4 addresses).
• You cannot change the address range after you create the VPC.
• The largest IPv4 CIDR block size is /16 (x.x.x.x/16 or 65,536 addresses, max).
• The smallest IPv4 CIDR block size is /28 (x.x.x.x/28 or 16 addresses, min).
• IPv6 is also supported (with a different block size limit).
• CIDR blocks of subnets cannot overlap.
IP addressing - Recommendation

• When you create a VPC, we recommend that you specify a CIDR block from the private IPv4 address ranges as specified in RFC 1918:
• These are recommendations only; you can ignore them as long as you meet the slash notation rules

RFC 1918 range                                       Example CIDR block
10.0.0.0 - 10.255.255.255 (10/8 prefix)              Your VPC must be /16 or smaller, for example, 10.0.0.0/16.
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)       Your VPC must be /16 or smaller, for example, 172.31.0.0/16.
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)    Your VPC can be smaller, for example 192.168.0.0/20.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
Reserved IP addresses

Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses. The VPC has four equal-sized subnets. Only 251 IP addresses are available for use by each subnet.

VPC: 10.0.0.0/16
Subnet 1 (10.0.0.0/24): 251 IP addresses
Subnet 2 (10.0.2.0/24): 251 IP addresses
Subnet 3 (10.0.3.0/24): 251 IP addresses
Subnet 4 (10.0.1.0/24): 251 IP addresses

IP addresses reserved in the CIDR block 10.0.0.0/24:
10.0.0.0      Network address
10.0.0.1      Internal communication
10.0.0.2      Domain Name System (DNS) resolution
10.0.0.3      Future use
10.0.0.255    Network broadcast address
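The VPC sizing rules (/16 largest, /28 smallest, RFC 1918 recommended, no overlapping subnets) and the five reserved addresses per subnet, checked in Python. This is an added example, not code from the AWS Academy course; it uses the standard-library ipaddress module, and the constants and function names are my own.

```python
import ipaddress

# Limits and reservations stated on the slides
VPC_LARGEST_PREFIX = 16      # /16 = 65,536 addresses is the largest block
VPC_SMALLEST_PREFIX = 28     # /28 = 16 addresses is the smallest block
RESERVED_PER_SUBNET = 5      # first four addresses plus the broadcast address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet, with their roles."""
    net = ipaddress.ip_network(subnet_cidr)
    base = int(net.network_address)
    return {
        str(ipaddress.ip_address(base)):     "network address",
        str(ipaddress.ip_address(base + 1)): "internal communication (VPC router)",
        str(ipaddress.ip_address(base + 2)): "Domain Name System (DNS) resolution",
        str(ipaddress.ip_address(base + 3)): "future use",
        str(net.broadcast_address):          "network broadcast address",
    }


def usable_addresses(subnet_cidr):
    """Addresses left for instances once the reserved ones are taken out."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def validate_vpc(vpc_cidr, subnet_cidrs):
    """Check a VPC design against the rules in this section and return a list
    of problems (an empty list means the design passes)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not VPC_LARGEST_PREFIX <= vpc.prefixlen <= VPC_SMALLEST_PREFIX:
        problems.append(f"VPC {vpc}: block must be between /16 and /28")
    if not any(vpc.subnet_of(private) for private in RFC1918):
        problems.append(f"VPC {vpc}: not an RFC 1918 range (recommended, not enforced)")
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    for subnet in subnets:
        if not subnet.subnet_of(vpc):
            problems.append(f"subnet {subnet}: not inside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # The slide's example: 10.0.0.0/16 carved into four /24 subnets
    four_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
    print("problems:", validate_vpc("10.0.0.0/16", four_subnets))
    for s in four_subnets:
        print(s, "usable:", usable_addresses(s))
    for addr, role in reserved_addresses("10.0.0.0/24").items():
        print(f"  {addr:12} {role}")
    # Constructed bad design: block too large and two subnets that overlap
    print("problems:", validate_vpc("10.0.0.0/8", ["10.0.0.0/24", "10.0.0.0/25"]))
```

The RFC 1918 check is reported but, as the slide says, it is a recommendation rather than a rule AWS enforces; the size and overlap checks are the ones the console will actually reject.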
Public IP address types

Public IPv4 address
• Manually assigned through an Elastic IP address
• Automatically assigned through the auto-assign public IP address settings at the subnet level
• This may change when you restart a device

Elastic IP address
• Associated with an AWS account
• Can be allocated and remapped anytime
• Additional costs might apply
• This address will remain static
Elastic network interface

• An elastic network interface is a virtual network interface that you can:
• Attach to an instance.
• Detach from the instance, and attach to another instance to redirect network traffic.
• Its attributes follow when it is reattached to a new instance.
• Each instance in your VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC.

[Diagram: an Elastic network interface attached to an instance in Subnet 10.0.1.0/24]
Route tables and routes

• A route table contains a set of rules (or routes) that you can configure to direct network traffic from your subnet.
• Each route specifies a destination and a target.
• By default, every route table contains a local route for communication within the VPC.
• These are configured statically
• Each subnet must be associated with a route table (at most one).

Main (Default) Route Table
Destination     Target
10.0.0.0/16     local      (the VPC CIDR block)
Section 2 key takeaways

• A VPC is a logically isolated section of the AWS Cloud.
• A VPC belongs to one Region and requires a CIDR block.
• A VPC is subdivided into subnets.
• A subnet belongs to one Availability Zone and requires a CIDR block.
• Route tables control traffic for a subnet.
• Route tables have a built-in local route.
• You add additional routes to the table.
• The local route cannot be deleted.
Module 5: Networking and Content Delivery

Section 3: VPC networking


Outside of AWS Communications
• As we have seen AWS right now - really we have been communicating inside of the AWS infrastructure
• We can change this and allow (depending on how we want this) communication from outside
• To be clear this is not always the Internet
• In a lot of environments we will not want Internet access to the infrastructure; we want it to remain private and accessible from our company as an example
• This is a decision which you need to make
Internet Gateway - IGW
• An internet gateway is a scalable, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
• To make a subnet public, you attach an internet gateway to your VPC and add a route to the route table to send non-local traffic through the internet gateway to the internet (0.0.0.0/0).
Public/Private IP Addressing
• Unlike normal networking where certain addresses are reserved as private addresses and the rest are public
• In AWS the difference is simply whether the route table for that subnet has a route to an IGW
• Normally private IPv4 addresses are (RFC 1918)
• 10.0.0.0 /8
• 172.16.0.0 /12
• 192.168.0.0 /16
Internet gateway

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 with Public subnet 10.0.1.0/24 and Private subnet 10.0.2.0/24; the public subnet's route table sends 0.0.0.0/0 to the Internet gateway (igw-id), which connects to the Internet]

Public Subnet Route Table
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-id
Network Address Translation (NAT)
• In the IGW model each of the devices will have an address which is public
• Simply, communications will move between the Internet and the device
• This does introduce a lot of security risks, the same as you see in your own home or the university
• To deal with this we can use a NAT gateway
• Using this technology your devices can connect to the Internet for items such as patching the OS
• At the same time no one from the Internet can connect directly to your device
Network address translation (NAT) gateway

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16; Public subnet 10.0.1.0/24 holds the NAT gateway (nat-gw-id) and uses the public route table; Private subnet 10.0.2.0/24 uses the private route table; the Internet gateway (igw-id) connects to the Internet]

Public Subnet Route Table
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-id

Private Subnet Route Table
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-gw-id
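The route tables from the internet gateway and NAT gateway slides, and the rule that a subnet is public only when its route table reaches an IGW, worked through in Python. This is an added example and not part of the AWS Academy slides: the route tables are copied from the slides, igw-id and nat-gw-id are the slides' placeholder identifiers rather than real AWS resource IDs, and the function names are my own.

```python
import ipaddress

# Route tables as drawn on the slides (targets are placeholder IDs from the slides)
PUBLIC_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-id")]
PRIVATE_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw-id")]
ISOLATED_ROUTE_TABLE = [("10.0.0.0/16", "local")]   # the default table: local route only


def lookup_route(route_table, destination_ip):
    """Pick the target for a destination the way a VPC route table does: the
    most specific (longest prefix) matching route wins, so the /16 local route
    beats 0.0.0.0/0 for traffic that stays inside the VPC."""
    dst = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_kind(route_table):
    """Classify a subnet from its route table using the module's definition:
    public if non-local traffic goes to an internet gateway, private if it
    goes out only through a NAT gateway, isolated if there is no route out."""
    target = lookup_route(route_table, "198.51.100.7")   # any address outside the VPC
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    for name, table in (("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE),
                        ("isolated", ISOLATED_ROUTE_TABLE)):
        print(f"{name:9} subnet -> kind {subnet_kind(table):9} "
              f"10.0.2.15 via {lookup_route(table, '10.0.2.15')}, "
              f"93.184.216.34 via {lookup_route(table, '93.184.216.34')}")
```

Note what the classification does not check: a route to igw-id lets the subnet send to the Internet, but an instance is only reachable from outside if it also has a public or Elastic IP address, which is the point of the "Public IP address types" slide.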
Network Address Translation (NAT)
• Demonstration

44
VPC sharing

[Diagram: a VPC owned by Account A (owner) with a Private subnet and a Public subnet joined by a Router; participant Accounts B, C and D run EC2 instances, an RDS instance and Amazon Redshift inside the shared subnets; the public subnet holds a NAT gateway and an Internet gateway]
VPC peering
• In larger organisations you may want to share resources between VPCs
• i.e. your French office wants to share information from the Ireland office
• Originally you would connect in via something like a Virtual Private Network (VPN) to the VPC which had the resources you need
• This was going across public infrastructure though, and an element of risk was involved with this
• You can now use VPC peering to connect VPCs together
• These can be in different regions and accounts
• All of the communications will be via the AWS infrastructure, which will make it more secure
VPC peering

[Diagram: VPC A 10.0.0.0/16 and VPC B 10.3.0.0/16 joined by a Peering connection (pcx-id)]

You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions.

Restrictions:
• IP spaces cannot overlap.
• Transitive peering is not supported.
• You can only have one peering resource between the same two VPCs.

Route Table for VPC A          Route Table for VPC B
Destination    Target          Destination    Target
10.0.0.0/16    local           10.3.0.0/16    local
10.3.0.0/16    pcx-id          10.0.0.0/16    pcx-id
VPC Peering Discussion Video
• Link to video

48
AWS Hybrid Model
• As we have seen, for most items so far we are connecting in from the Internet to get access
• Let's assume though you have your database in AWS which stores all of your customers' details and you want to query it to find out how many sales there were in the last week
• You do not want to expose your database to the Internet as this is definitely a good case for being prosecuted under GDPR
• A good password policy will help, but again this is not enough
• You need to be able to connect into your AWS infrastructure privately
• You also need to make it appear as though the AWS infrastructure is simply part of your infrastructure
• If you are onsite at the university you are doing this all of the time, as everything you are doing on the desktop is running out of a cloud provider
AWS Hybrid Model - Choices
• There are two choices
• In either of these the address space can not overlap with your office IP addresses
• VPN - Virtual Private Network
• This is an encrypted tunnel which is generated from your firewall to an AWS firewall
• The communications are secure but are susceptible to the loss and delays which are common on the Internet
• This is quick to setup and is cheap to operate
• The config for your physical corporate router will be created for you as well
• Direct Connect
AWS Site-to-Site VPN

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 with Public subnet 10.1.0.0/24 and Private subnet 10.0.2.0/24; a Virtual gateway (vgw-id) terminates a Site-to-Site VPN connection carried over the Internet to the Customer gateway in the Corporate data center 192.168.10.0/24]

Public subnet route table
Destination       Target
10.0.0.0/16       local
0.0.0.0/0         igw-id

Private subnet route table
Destination       Target
10.0.0.0/16       local
192.168.10.0/24   vgw-id
Video for VPN connections
• VPN

52
AWS Hybrid Model - Choices
• There are two choices
• In either of these the address space can not overlap with your office IP addresses
• VPN - Virtual Private Network
• Direct Connect
• In this model you have a private connection via a third party
• This does not go across the Internet and is private to you
• It is lower latency and is more secure
• This will take a lot longer to setup as a third party will be involved
• https://aws.amazon.com/directconnect/partners/
• Available in multiples of 1 Gbps, 10 Gbps or 100 Gbps
• This is a more expensive option
• There will be lots of companies though which need this performance
AWS Direct Connect

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 with Public subnet 10.1.0.0/24 and Private subnet 10.0.2.0/24; the Virtual gateway reaches the Customer gateway in the Corporate data center 192.168.10.0/24 over an 802.1q VLAN on AWS Direct Connect, bypassing the Internet]
AWS Redundancy

[Diagram: the same VPC 10.0.0.0/16 (Public subnet 10.1.0.0/24, Private subnet 10.0.2.0/24) reaching the Corporate data center 192.168.10.0/24 over two paths: a Site-to-Site VPN connection across the Internet via the Virtual gateway (vgw-id), and an 802.1q VLAN on AWS Direct Connect, both ending at the Customer gateway]
AWS Direct Connect
• Discussion Video
AWS VPC Endpoints
• For some of the services which are provided by AWS you need to connect to these using a public IP address
• The issue for this is that your communications will be going into the public Internet
• They will be encrypted, but it is still on public infrastructure
• You will need a public IP address, IGW or NAT Gateway
• To avoid this you can use VPC Endpoints which allow you to communicate with services using private IP addresses
• Which is more secure
• The quality of the communications will be better with lower latency and higher throughput as it is all within the AWS infrastructure
VPC endpoints

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 with Public subnet 10.0.1.0/24 and Private subnet 10.0.2.0/24; an Elastic Network Interface in the private subnet reaches Amazon Simple Storage Service (Amazon S3) through a VPC endpoint (vpcep-id), addressed by the default DNS hostname or an endpoint-specific DNS hostname]

Public Subnet Route Table
Destination     Target
10.0.0.0/16     local
Amazon S3 ID    vpcep-id

Two types of endpoints:
• Interface endpoints (powered by AWS PrivateLink)
• Gateway endpoints (Amazon S3 and Amazon DynamoDB)
AWS VPC Endpoint
• Discussion Video
AWS Transit Gateway
• This technology is intended for larger organisations
• If you have a lot of VPNs, peering and Direct Connect connections this can be difficult to manage
• The more there are, the more likely it is that there will be some mistake which will cause an outage
• Transit Gateway
• Intended to be a single location which everything connects to
• You simply manage it all from one location
• This will act as a router to move the data between locations and monitor it
AWS Transit Gateway

[Diagram, "From this... To this...": on the left, several Amazon VPCs joined by a mesh of VPC peering connections, VPN connections and an AWS Direct Connect gateway behind a Customer gateway; on the right, each Amazon VPC, VPN connection and AWS Direct Connect gateway attaches once to a single AWS Transit Gateway]
AWS Transit Gateway
• Here is a deepdive into this technology if you are interested in
more information
Activity: Label this network diagram

[Diagram: the internet gateway architecture with its labels replaced by question marks. Fill in the AWS Cloud, Region, Availability Zone, VPC, the Public subnet 10.0.1.0/24, the Private subnet 10.0.2.0/24, the gateways connecting to the Internet, the route table, and the type of IP address (_?_ IP address) on each instance (Q6)]

Route table
Destination     Target
?               local
0.0.0.0/0       ?

VPC CIDR: 10.0.0.0/16
Activity: Solution

[Diagram labels: AWS Cloud; Region; Availability Zone; VPC 10.0.0.0/16; Public subnet 10.0.1.0/24 with its Route table, an Internet gateway to the Internet, a NAT gateway and an instance with a Private IP address; Private subnet 10.0.2.0/24 with its Route table, an Elastic network interface and an instance with a Private IP address]

Route table
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-id
Recorded Amazon
VPC demonstration

65
Section 3 key takeaways

• There are several VPC networking options, which include:
• Internet gateway
• NAT gateway
• VPC endpoint
• VPC peering
• VPC sharing
• AWS Site-to-Site VPN
• AWS Direct Connect
• AWS Transit Gateway
• You can use the VPC Wizard to implement your design.
Module 5: Networking and Content Delivery

Section 4: VPC security


VPC Security
• At the moment we are making the assumption that all of the traffic is flowing into your VPC and even within it
• This is not true, any more than it would be within the physical infrastructure: the packets which are allowed to flow must meet the rules
• To solve this we can use two types of packet filtering technologies
• Security Group (SG)
• These are intended to protect instances and only allow defined traffic into them
• They are stateful and as such any packet which is allowed to flow in will have its reply allowed to flow out
• For flexibility you can also allow members of other SGs to communicate
• You can not explicitly block communications as by default everything is blocked
• Network Access Control Lists (NACLs)
Security groups

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16 with Public subnet 10.0.1.0/24 and Private subnet 10.0.2.0/24; each instance is wrapped in its own Security group]

Security groups act at the instance level.
Security groups

• Security groups have rules that control inbound and outbound instance traffic.
• Default security groups deny all inbound traffic and allow all outbound traffic.
• Security groups are stateful.

70
Custom security groups

• You can specify allow rules, but not deny rules.
• All rules are evaluated before the decision to allow traffic.
VPC Security
• At the moment we are making the assumption that all of the traffic is flowing into your VPC and even within it
• This is not true, any more than it would be within the physical infrastructure: the packets which are allowed to flow must meet the rules
• To solve this we can use two types of packet filtering technologies
• Security Group (SG)
• Network Access Control Lists (NACLs)
• NACLs are intended to allow communications at the subnet level
• These are NOT stateful so you need to have rules to allow traffic in and out
• You can block communications using this as well as allow
• The default NACL allows all communications
Network access control lists (network ACLs)

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16; a Network ACL wraps the Public subnet 10.0.0.0/24 and another wraps the Private subnet 10.0.4.0/22]

Network ACLs act at the subnet level.
Network ACLs

• A network ACL has separate inbound and outbound rules, and each rule
can either allow or deny traffic.
• Default network ACLs allow all inbound and outbound IPv4 traffic.
• Network ACLs are stateless.
74
Custom network ACLs

• Custom network ACLs deny all inbound and outbound traffic until you add
rules.
• You can specify both allow and deny rules.
• Rules are evaluated in number order, starting with the lowest number. 75
Security groups versus network ACLs

Attribute          Security Groups                                   Network ACLs
Scope              Instance level                                    Subnet level
Supported Rules    Allow rules only                                  Allow and deny rules
State              Stateful (return traffic is automatically         Stateless (return traffic must be explicitly
                   allowed, regardless of rules)                     allowed by rules)
Order of Rules     All rules are evaluated before decision           Rules are evaluated in number order before
                   to allow traffic                                  decision to allow traffic
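The four rows of the comparison table, run as code: one HTTPS request and its reply pushed through a security group (allow-only, all rules considered, stateful) and through a network ACL (allow/deny, numbered order, stateless). This is an added example, not material from the AWS Academy course; the rules and the client addresses are constructed from documentation ranges, and the function names are my own.

```python
import ipaddress


def _matches(rule, packet):
    """Shared predicate: protocol, port range and the remote CIDR all have to match."""
    return (rule["proto"] in ("all", packet["proto"])
            and rule["port_from"] <= packet["port"] <= rule["port_to"]
            and ipaddress.ip_address(packet["remote"]) in ipaddress.ip_network(rule["cidr"]))


def sg_allows(rules, packet):
    """Security group: allow rules only, every rule is considered, any match
    allows; anything no rule allows is implicitly denied."""
    return any(_matches(rule, packet) for rule in rules)


def nacl_decides(numbered_rules, packet):
    """Network ACL: rules are walked in number order and the first match wins;
    the implicit final rule (*) denies whatever nothing matched."""
    for _, rule in sorted(numbered_rules.items()):
        if _matches(rule, packet):
            return rule["action"]
    return "deny"


def evaluate_https_session(client_ip, sg_inbound, nacl_inbound, nacl_outbound):
    """Run one client -> web server HTTPS request and its reply through both
    filters. The security group is stateful: once the request is allowed, the
    reply is allowed without consulting outbound rules. The NACL is stateless:
    the reply, to an ephemeral port on the client, needs its own outbound rule."""
    request = {"proto": "tcp", "port": 443, "remote": client_ip}
    reply = {"proto": "tcp", "port": 49321, "remote": client_ip}   # constructed ephemeral port
    sg_request = sg_allows(sg_inbound, request)
    return {
        "sg_request": sg_request,
        "sg_reply": sg_request,                                          # stateful
        "nacl_request": nacl_decides(nacl_inbound, request) == "allow",
        "nacl_reply": nacl_decides(nacl_outbound, reply) == "allow",     # stateless
    }


# Constructed sample rules (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
SG_WEB_INBOUND = [
    {"proto": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
]
NACL_INBOUND = {
    90:  {"action": "deny",  "proto": "all", "port_from": 0,   "port_to": 65535, "cidr": "203.0.113.0/24"},
    100: {"action": "allow", "proto": "tcp", "port_from": 443, "port_to": 443,   "cidr": "0.0.0.0/0"},
}
NACL_OUTBOUND = {
    100: {"action": "allow", "proto": "tcp", "port_from": 1024, "port_to": 65535, "cidr": "0.0.0.0/0"},
}
NACL_OUTBOUND_EMPTY = {}   # a custom NACL before any outbound rule has been added


if __name__ == "__main__":
    print(evaluate_https_session("198.51.100.20", SG_WEB_INBOUND, NACL_INBOUND, NACL_OUTBOUND))
    print(evaluate_https_session("198.51.100.20", SG_WEB_INBOUND, NACL_INBOUND, NACL_OUTBOUND_EMPTY))
    print(evaluate_https_session("203.0.113.9", SG_WEB_INBOUND, NACL_INBOUND, NACL_OUTBOUND))
```

Two things the runs make visible: with the empty outbound NACL the request gets in but the reply never gets out, which is the classic "security group is fine but the page does not load" symptom of a stateless filter; and the deny for 203.0.113.0/24 only works because its rule number (90) is lower than the allow (100). Renumber the deny to 110 and the allow matches first.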
VPC Security
• The use of SG and NACL is in addition to your normal security policies on an
instance
• It is NOT a replacement
• i.e. OS firewalls
• Windows Firewall
• Linux IPTables
• Linux pfSense
• You can never be TOO secure !
Activity: Design a VPC

Scenario: You have a small business with a website that is hosted on an Amazon
Elastic Compute Cloud (Amazon EC2) instance. You have customer data that is
stored on a backend database that you want to keep private. You want to use
Amazon VPC to set up a VPC that meets the following requirements:
• Your web server and database server must be in separate subnets.
• The first address of your network must be 10.0.0.0. Each subnet must have 256
total IPv4 addresses.
• Your customers must always be able to access your web server.
• Your database server must be able to access the internet to make patch
updates.
• Your architecture must be highly available and use at least one custom firewall
layer.
78
Section 4 key takeaways

• Build security into your VPC architecture:
• Isolate subnets if possible.
• Choose the appropriate gateway device or VPN connection for your needs.
• Use firewalls.
• Security groups and network ACLs are firewall options that you can use to secure your VPC.
Lab 2: Build Your VPC and Launch a Web Server
Lab 2: Scenario

In this lab, you use Amazon VPC to create your own VPC and add
some components to produce a customized network. You create a
security group for your VPC. You also create an EC2 instance and
configure it to run a web server and to use the security group. You
then launch the EC2 instance into the VPC.

Amazon Amazon

VPC EC2

81
Lab 2: Tasks

• Create a VPC.
• Create additional subnets.
• Create a VPC security group.
• Launch a web server instance.
Lab 2: Final product

[Diagram: VPC 10.0.0.0/16 spanning Availability Zone A (Public subnet 1: 10.0.0.0/24, Private subnet 1: 10.0.1.0/24) and Availability Zone B (Public subnet 2: 10.0.2.0/24, Private subnet 2: 10.0.3.0/24); an Internet gateway attaches to the VPC, a NAT gateway sits in Public subnet 1, and the Web server instance sits in a public subnet inside its Security group]

Public Route Table
Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       Internet gateway

Private Route Table
Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       NAT gateway
Begin Lab 2: Build Your VPC and Launch a Web Server (~ 30 minutes)
Lab debrief:
Key takeaways

85
Module 5: Networking and Content Delivery

Section 5: Amazon Route 53


Amazon Route 53

Amazon
Route 53

87
Amazon Route 53

• Is a highly available and scalable Domain Name System (DNS) web service
• Is used to route end users to internet applications by translating names (like www.example.com) into numeric IP addresses (like 192.0.2.1) that computers use to connect to each other
• Is fully compliant with IPv4 and IPv6
• Connects user requests to infrastructure running in AWS and also outside of AWS
• Is used to check the health of your resources
• Features traffic flow
• Enables you to register domain names
Amazon Route 53 DNS resolution

[Diagram: the User requests www.example.com from a DNS resolver; the DNS resolver checks with Amazon Route 53 for the IP address; Route 53 returns IP address 192.0.2.0 to the resolver, which returns 192.0.2.0 to the User]
Amazon Route 53 supported routing

• Simple routing – Use in single-server environments
• Weighted round robin routing – Assign weights to resource record sets to specify the frequency
• Latency routing – Help improve your global applications
• Geolocation routing – Route traffic based on location of your users
• Geoproximity routing – Route traffic based on location of your resources
• Failover routing – Fail over to a backup site if your primary site becomes unreachable
• Multivalue answer routing – Respond to DNS queries with up to eight healthy records selected at random
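The weighted, latency, failover and multivalue policies from the list above, reduced to the decision each one makes when a query arrives. This is an added example and not part of the AWS Academy course: the two load balancer names are the ones from the multi-region slide, the health-check results and latencies are constructed inputs, and the function names are my own.

```python
def weighted_answer(records, roll):
    """Weighted round robin: records is a list of (value, weight); roll is a
    number in [0, 1) such as random.random(). Each record is returned with
    probability weight / total, and a weight-0 record is never returned."""
    total = sum(weight for _, weight in records)
    if total == 0:
        return None
    threshold = roll * total
    running = 0
    for value, weight in records:
        running += weight
        if threshold < running:
            return value
    return next(value for value, weight in reversed(records) if weight > 0)


def latency_answer(records, rtt_ms):
    """Latency routing: records maps Region -> value, rtt_ms maps Region -> the
    round-trip time measured from the user's location; the lowest wins."""
    region = min(records, key=lambda r: rtt_ms.get(r, float("inf")))
    return records[region]


def failover_answer(primary, secondary, health):
    """Failover routing: answer with the primary while its health check passes,
    otherwise with the secondary (the S3 static website in the slide)."""
    return primary if health.get(primary, False) else secondary


def multivalue_answer(records, health, limit=8):
    """Multivalue answer routing: up to `limit` healthy records. Route 53 picks
    them at random; input order is kept here so the result is predictable."""
    return [r for r in records if health.get(r, False)][:limit]


# Constructed inputs built around the slide's two load balancers
US_WEST = "some-elb-name.us-west-2.elb.amazonaws.com"
AP_SOUTHEAST = "some-elb-name.ap-southeast-2.elb.amazonaws.com"
WEIGHTED = [(US_WEST, 3), (AP_SOUTHEAST, 1)]        # 75% / 25% of answers
BY_REGION = {"us-west-2": US_WEST, "ap-southeast-2": AP_SOUTHEAST}

if __name__ == "__main__":
    import random
    print("weighted :", weighted_answer(WEIGHTED, random.random()))
    print("latency  :", latency_answer(BY_REGION, {"us-west-2": 120, "ap-southeast-2": 30}))
    print("failover :", failover_answer(US_WEST, "s3-static-website", {US_WEST: False}))
    print("multivalue:", multivalue_answer([US_WEST, AP_SOUTHEAST], {US_WEST: True, AP_SOUTHEAST: False}))
```

The health dictionary stands in for Route 53 health checks: failover and multivalue never return a record whose check is failing, which is the mechanism behind the "DNS failover" slides that follow.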
Use case: Multi-region deployment

[Diagram: a User queries Amazon Route 53, which answers with one of two load balancers, some-elb-name.us-west-2.elb.amazonaws.com or some-elb-name.ap-southeast-2.elb.amazonaws.com]

Name          Type    Value
example.com   ALIAS   some-elb-name.us-west-2.elb.amazonaws.com
example.com   ALIAS   some-elb-name.ap-southeast-2.elb.amazonaws.com
Amazon Route 53 DNS failover

Improve the availability of your applications that run on AWS by:

• Configuring backup and failover scenarios for your own applications
• Enabling highly available multi-region architectures on AWS
• Creating health checks
DNS failover for a multi-tiered web application

[Diagram: a User resolves www through Amazon Route 53; the Primary record points to an elastic load balancer in front of an Auto Scaling group of Amazon EC2 instances with Amazon Relational Database Service (Amazon RDS) instances across Availability Zone A and Availability Zone B; the Secondary record points to an Amazon S3 static website]

Record Sets
CNAME www -> elastic_load_balancer: Routing Policy = Failover, Record Type = Primary
CNAME www -> Amazon S3 website: Routing Policy = Failover, Record Type = Secondary
Amazon Route 53 Deep Dive

• Here is a deepdive on Route 53

94
Section 5 key takeaways

• Amazon Route 53 is a highly available and scalable cloud DNS web service that translates domain names into numeric IP addresses.
• Amazon Route 53 supports several types of routing policies.
• Multi-Region deployment improves your application’s performance for a global audience.
• You can use Amazon Route 53 failover to improve the availability of your applications.
Module 5: Networking and Content Delivery

Section 6: Amazon CloudFront


Content delivery and network latency
• In the Internet requests are passed through lots of devices which you do not control
• Each of these will add delays and will have rules on how your request is processed

[Diagram: a Client (User) reaching an Origin server through a chain of Routers, each one adding a Hop]
Content delivery network (CDN)

• Is a globally distributed system of caching servers
• Caches copies of commonly requested files (static content)
• Delivers a local copy of the requested content from a nearby cache edge or Point of Presence
• Accelerates delivery of dynamic content
• Improves application performance and scaling
Amazon CloudFront

• Fast, global, and secure CDN service
• Global network of edge locations and Regional edge caches
• Self-service model
• Pay-as-you-go pricing
Amazon CloudFront infrastructure

[Diagram: multiple Edge locations in front of Regional edge caches]

• Edge locations – Network of data centers that CloudFront uses to serve popular content quickly to customers.
• Regional edge cache – CloudFront location that caches content that is not popular enough to stay at an edge location. It is located between the origin server and the global edge location.
Amazon CloudFront Example
• Performance Example
○ Amazon Web Services Network Test
○ This was taken on a PC with a wireless connection to a 36 mbps Internet connection
○ The full report can be found here
■ Amazon Web Services Network Test _ CloudHarmony.pdf
Amazon CloudFront benefits

• Fast and global


• Security at the edge
• Highly programmable
• Deeply integrated with AWS
• Cost-effective

102
Amazon CloudFront pricing

Data transfer out
• Charged for the volume of data transferred out from Amazon CloudFront edge location to the internet or to your origin.
HTTP(S) requests
• Charged for number of HTTP(S) requests.
Invalidation requests
• No additional charge for the first 1,000 paths that are requested for invalidation each month. Thereafter, $0.005 per path that is requested for invalidation.
Dedicated IP custom SSL
• $600 per month for each custom SSL certificate that is associated with one or more CloudFront distributions that use the Dedicated IP version of custom SSL certificate support.
Amazon CloudFront: Video
• Longer Video on CloudFront

Section 6 key takeaways

• A CDN is a globally distributed system of caching servers that accelerates delivery of content.
• Amazon CloudFront is a fast CDN service that securely delivers data, videos, applications, and APIs over a global infrastructure with low latency and high transfer speeds.
• Amazon CloudFront offers many benefits.
Module 5: Networking and Content Delivery

Module wrap-up
Module summary

In summary, in this module you learned how to:

• Recognize the basics of networking
• Describe virtual networking in the cloud with Amazon VPC
• Label a network diagram
• Design a basic VPC architecture
• Indicate the steps to build a VPC
• Identify security groups
• Create your own VPC and add additional components to it to produce a customized network
• Identify the fundamentals of Amazon Route 53
• Recognize the benefits of Amazon CloudFront
Complete the knowledge check

108
Sample exam question

Which AWS networking service enables a company to create a virtual network within AWS?

A. AWS Config
B. Amazon Route 53
C. AWS Direct Connect
D. Amazon VPC
Additional resources

• Amazon VPC overview page
• Amazon Virtual Private Cloud Connectivity Options whitepaper
• One to Many: Evolving VPC Design AWS Architecture blog post
• Amazon VPC User Guide
• Amazon CloudFront overview page
Thank you

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-[email protected]. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.