2 Networking
2.1 Amazon Virtual Private Cloud
Basics:
- Virtual private cloud (VPC): A secure, logically isolated virtual network (also known as a private cloud) hosted within a public cloud.
- Route table: A set of rules that determines the direction of network traffic from a subnet or gateway.
- Subnet: A range of IP addresses in a VPC network reserved so that they're unavailable to anyone within the network.
- VPC endpoints: Allow you to privately connect a VPC to supported AWS services without the need for VPN connection, NAT device, internet gateway, or firewall proxies.
- Internet gateway: A virtual router that enables communication between the internet and the resources in a VPC.
Tips:
- Amazon VPC offer different endpoint types:
- interface
- gateway
- gateway load balancer
- AWS VPC administration: Query API, SDKs, CLI, Management Console
- The 4 different options for creating an Amazon VPC architecture include:
- ... with private and public subnets
- ... with a single public subnet
- ... with a private subnet only and AWS Site-to-Site VPN access
- ... with a private and public subnets and AWS Site-to-Site VPN access
AWS Transit Gateway is a network transit hub that allows cloud users to interconnect on-premises networks and VPCs without provisioning virtual appliances (e.g. Cisco CSRs.)
Key concepts:
- Transit Gateway maximum transmission unit: AWS Transit Gateway supports an MTU of 8500 bytes for traffic between Transit Gateway Connect, Amazon Direct Connect, peering attachments, and VPCs.
- Transit Gateway route table: A route table is a set of static and dynamic routes that determine where to direct a packet based on the destination IP address of the packet.
- Route propagation: Route propagation allows a virtual private gateway to propagate routes between a routing table and a VPN gateway. Different route propagation options on AWS include:
- Direct Connect gateways, VPNs, or VPC connections.
2.2.1 Amazon Transit Gateway (vs. Amazon Transit VPC)
- ... eliminates the need to manage and scale EC2-based software appliances. AWS provisions and controls all traffic-routing resources.
- ... decreases latency by eliminating the need for VPN encapsulation and removing EC2 proxies.
- ... minimizes user cost to a simple hourly rate per gigabyte transferred.
- ... eliminates the need to manage high availability by offering redundant and highly available Multi-AZ infrastructure.
- The maximum bandwidth per VPC connection for Transit Gateway is 50 Gbps. With VPC peering, there's no bandwidth bottleneck or single point of failure for communication.
- You only pay for data transfer costs when you use VPC peering, while Transit Gateway charges data transfer fees as well as an hourly fee per attachment.
- Intra-region VPC peering supports security-group referencing (for communication between security groups) using inbound or outbound rules, while Transit Gateway doesn't.
- Transit Gateway is a regional resource and doesn't support routing between AWS VPCs with overlapping CIDRs.
- Transit Gateway uses a hub and spoke model to reduce operational costs and simplify management, especially when connecting VPN and VPCs at scale.
- You can create multiple Transit Gateways per AWS region and connect thousands of VPCs within a given region.
- AWS enables hybrid connectivity by letting you connect up to 3 Transit Gateways over a single Direct Connect Connection.
- The various options for creating and managing AWS Transit Gateway include CloudFormation, Management Console, and CLI
- Application load balancers are best suited for load balancing of network and app traffic for containers and microservices at the application level (HTTP/HTTPS).
- Network load balancers handle routing at the transport layer (TCP/SSL). They're suitable for routing network traffic where extreme performance is required.
- Gateway load balancers enable you to manage, scale, and deploy virtual appliances. They're suitable for 3rd-party virtual appliances used for network analytics and security.
- Classic load balancers spread network or application traffic across multiple EC2 instances either at the application layer (HTTP/HTTPS) or the transport layer (TCP/SSL).
- Support for IPv4 and IPv6
- Flexible cipher support and automatic scaling
- Optional public key authentication
- Centralized management of SSL certificates
- Performing a health-check and stop routing traffic to unhealthy ECS instances
- ... is a global content delivery network (CDN) that securely delivers applications, APIs,videos and data to AWS users globally at high transfer speeds, low latency and minimal cost.
- ... offers HTTPS support and field-level encryption.
- ... works seamless with S3, EC2, ELB, and Amazon Shield Standard for DDoS mitigation, as the origin for your applications.
- ... is cost-effective because you don't incur costs for data transferred between CloudFront and AWS origins.
- ... can speed up delivery of a website.
- ... caches data in edge locations
- ... intelligently routes traffic to the most performant, regional AWS edge location to serve up dynamic or cached content.
2.5 Amazon Route 53
- Amazon Route 53 is a DNS web service.
- Amazon Route 53 Traffic Flow allows you to easily manage and route traffic globally based on several routing types and policies, including*:
- weighted round robin (WRR)
- Geo DNS
- failover routing
- latency-based routing
- Using the WRR policy, developers can specify the weights/frequency with which different DNS responses are returned to end users.
- Example: For a website with three records sets and weights 2:2:5 (total of 9), Route 53 will select the first two record sets 2/9 of the time and return the third 5/9 of the time.
- Typically, minimum weight of 0 and a maximum weight of 255 per resource record set.
- Latency-based routing allows a cloud user to route traffic to the AWS endpoint that provides the lowest network latency.
- Latency-based routing is suitable when you have AWS resources in multiple regions and you want to direct traffic to the region that provides the lowest response time based on user location and actual performance measurements.
- When Route 53 receives a DNS request, it automatically selects the latency record for the region that gives the user the fastest experience.
- With Geo DNS Routing, a cloud user can route traffic to specific endpoints based on the geographic location form where the requestor query originates.
- Amazon Route 53 returns a "no answer" response for queries originating from IP addresses that aren't mapped to geographic locations or don't belong to a default record.
- A cloud user is unable to create two geolocation resource sets specifying the same geographic location.
- Route 53 supports "edns-client-subnet" extension of EDNSO to improve accuracy.
- Failover Routing allows active-passive (standby) / primary-secondary failover.
- Route 53 automatically performs health checks on all resources and application endpoints.
- Available only for public-hosted zones.
- Domain Registration
- Domain name system service
- Health checks
2.6 Amazon API Gateway
- Functionalities involve: Cross-origin resource sharing (CORS) support, traffic management, monitoring, deployment, throttling, API version management, authorization, and access control.
- AWS API Gateway offers support for stateless (RESTful and HTTP) and stateful (WebSocket) APIs.
- HTTP APIs are suitable for serverless workloads
- RESTful APIs for workloads that require API management features
- WebSocket APIs for streaming dashboards and chat apps that require 2-way comms.
- For RESTful APIs, you can simultaneously run multiple versions of the same API.
2.7 AWS Virtual Private Network
Comparing AWS Direct Connect with AWS Managed VPN:
- Set up
- AWS VPN: Quick and easy to set up but sometimes unpredictable performance.
- AWS Direct Connect: Requires time to set up.
- Performance
- AWS VPN: Doesn't provide consistent throughput and predictable network performance.
- AWS Direct Connect: Consistent throughput and predictable network performance.
- Cost
- AWS VPN: Cost-effective.
- AWS Direct Connect: More expensive.
- Public Internet
- AWS VPN: Utilizes public internet
- AWS Direct Connect: Bypasses public internet
2.8 AWS Global Accelerators
AWS Global Accelerator is mainly used for improving availability and latency for single-region applications, resilience and simplified traffic routing for multi-region applications, running voice over IP and communication as a service on AWS, and enhanced network performance for gaming applications.
- Standard routing accelerators: you can route client traffic across regional application endpoints based on the health of the endpoint, geo-proximity, endpoint weights, and traffic dials.
- Custom accelerators: allow you to define custom logic for directing client traffic to a specific port and destination.
2.9 Private and Public Subnets
- A public subnet is associated with a custom route table with a route to an internet gateway.
- Instances in a public subnet can route traffic and communicate to the internet using public IP addresses.
- Note: It's impossible for an instance in a VPC to access the internet, even if it sits in a public subnet or has a public IP address.
- A private subnet doesn't have a direct route to an internet gateway.
- You need to create a NAT instance or gateway with a public IP, in order to access the internet.
2.10 AWS Security Groups (SGs) and Network Access Control Lists (NACLs)
- An AWS security group is a virtual firewall that allows a cloud user to secure an EC2 instance by specifying rules to filter incoming and outgoing traffic to and from an instance.
- A NACL is a stateless, optional security layer for controlling traffic that moves in and out of subnets and VPCs.
Differences AWS Security Groups (SGs) v Network Access Control Lists (NACLs):
- Evaluation
- SG: Evaluate all rules before allowing inbound or outbound traffic
- NACL: Process the specified rules in order, beginning from the lowest-numbered rule; traffic is allowed to pass as soon as it matches any of the rules, after which no further rules are evaluated.
- Stateful/stateless:
- SG: Stateful; if incoming traffic is allowed into an instance, outbound traffic for that request is automatically accepted regardless of the outbound rules defined and vice versa.
- NACL: Stateless; both incoming and outgoing requests must be explicitly allowed by rules.
- Level
- SG: Work at the instance level.
- NACL: Work at the subnet level.
- Allow/Deny:
- SG: Always permissive and support only "allow" rules; cloud user can't create rules to deny access.
- NACL: Support "allow" and "deny" rules.
- Association:
- SG: Can be bound with an instance of a service; an EC2 instance can be attached to more than one security group.
- NACL: Multiple subnets can be associated with a NACL, but a subnet can't be associated with more than one NACL.
- Layer:
- SG: Server as the first layer of defense for protecting AWS instances.
- NACL: Second and optional layer of defense, which adds additional security to AWS infrastructure.
- Assigning:
- SG: Must be deliberately associated with an instance after creation or at launch.
- NACL: Automatically associated with all instances in a subnet.
2.11 AWS Network Address Translation (NAT) Gateway and Network Address Translation (NAT) Instance
- AWS NAT gateway lets you connect instances in a private subnet to services outside a VPC using the gateway's IP address.
- NAT gateways support ICMP, UDP, and TCP protocols, as well as up to 55000 concurrent connections to a single destination port and address.
- AWS NAT instance lives in a public subnet and allows instances within a private VPC subnet to initiate outbound IPv4 traffic to AWS services and the internet.
Differences between NAT Gateway and NAT Instance:
- Availability:
- NAT Gateway: Highly available, scalable, and AWS-managed; each AZ implemented with redundancy in mind.
- NAT Instance: Use a script to manage failover or disruptions between instances.
- Maintenance:
- NAT Gateway: Managed by AWS
- NAT Instance: Cloud user responsible for managing, including operating system patches, software installation, and updates.
- Size and type:
- NAT Gateway: Uniform size and type of offering, no need to decide on size or type.
- NAT Instance: Can select suitable instance size and type based on predicted workloads.
- Port forwarding:
- NAT Gateway: Doesn't support port forwarding.
- NAT Instance: Cloud user can manually set configuration to support port forwarding.
- Cost:
- NAT Gateway: Total cost calculated based on number of NAT gateways used, amount of data sent through gateways, and usage duration.
- NAT Instance: Total cost calculated based on number of NAT instances used as well as instance type, size, and usage duration.
- Bandwidth:
- NAT Gateway: Scales up to 45 Gbps
- NAT Instance: Total bandwidth depends on instance type bandwidth
- Bastion servers:
- NAT Gateway: Do not support.
- NAT Instance: Use a bastion server.
- Private IP addresses:
- NAT Gateway: Private IP address automatically selected from subnet's IP address range when gateway created.
- NAT Instance: Cloud user can assign a specific private IP address within subnet's IP address range when instance is launched.
- Public IP addresses:
- NAT Gateway: Cloud user can choose Elastic IP address to attach to public NAT gateway when creating instance.
- NAT Instance: Cloud user can use public or Elastic IP address; public IP address can also be changed by attaching new Elastic IP address to instance.
- IP fragmentation:
- NAT Gateway: Only supports forwarding of IP fragmented packets for UDP protocol; fragmented packets for ICMP and TCP will be dropped.
- NAT Instance: Supports reassembling of IP fragmented packets for ICMP, TCP, and UDP.
Final note: To configure AZ independent architecture and achieve high availability, provision a NAT gateway in each AZ and customize routing to ensure each resource uses the gateway in the same AZ.
- AZ = Availability Zone
- KMS = Key Management Service {AWS Key Management Service}
Comments
Post a Comment