Networking in AWS

Yogendra H J
6 min read · Jan 3, 2022


Cloud computing is nothing but accessing compute resources over the internet. In our previous articles, we have walked through most of the individual networking services AWS provides.

This article brings all of those services together. By the end you should understand the role of each one and be able to choose the networking service that best fits your requirement.

Networking is a lot like nutrition and fitness: we know what to do, the hard part is making it a reality.

Before we deep dive into each service, it is recommended that you have a basic understanding of these terminologies: the physical layout of Availability Zones and Regions, what a VPC is and how to create one, public and private subnets, what NAT is and what disabling source/destination checks means, route tables, IPv4 addressing, and intermediate networking terms such as MAC address, port, gateway, and router.

What is the OSI model in Networking? (answer source: Wikipedia)

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols.

The OSI model consists of 7 layers, as seen below. In terms of the shared responsibility model, layers 1 and 2 are AWS's responsibility whereas layers 3 to 7 are the customer's responsibility.

TCP vs UDP vs ICMP

AWS Reserved IP addresses

AWS reserves 5 IP addresses in every VPC subnet, and these cannot be used. For example, in 10.0.0.0/24 the first four addresses (10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3) and the last one (10.0.0.255) are reserved. Always keep this in mind when choosing the number of IP addresses you need.
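The following helper, added here as an example and not part of the original article, applies the reservation rule above to any IPv4 subnet CIDR: it lists the reserved addresses, returns the usable count, and picks the smallest AWS-valid prefix for a required number of hosts. It assumes the AWS limits of /16 to /28 for IPv4 subnets.

```python
import ipaddress

# AWS reserves the first four addresses of every subnet (network address,
# VPC router, Route 53 resolver, reserved for future use) and the last one
# (the broadcast address, which VPCs do not support).
RESERVED_HEAD = 4
RESERVED_TAIL = 1
MIN_PREFIX, MAX_PREFIX = 16, 28  # AWS IPv4 subnet size limits


def _ipv4_subnet(cidr):
    """Parse a CIDR string and reject anything AWS would not accept as a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 subnets are handled here")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError("AWS IPv4 subnets must be between /16 and /28")
    return net


def aws_reserved_addresses(cidr):
    """Return the five addresses AWS reserves in the given subnet, as strings."""
    net = _ipv4_subnet(cidr)
    first = int(net.network_address)
    head = [str(ipaddress.ip_address(first + i)) for i in range(RESERVED_HEAD)]
    return head + [str(net.broadcast_address)]


def usable_addresses(cidr):
    """Number of addresses you can actually assign to ENIs in the subnet."""
    net = _ipv4_subnet(cidr)
    return net.num_addresses - RESERVED_HEAD - RESERVED_TAIL


def smallest_subnet_for(hosts):
    """Smallest (largest prefix length) AWS subnet leaving at least `hosts` usable addresses."""
    for prefix in range(MAX_PREFIX, MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - RESERVED_HEAD - RESERVED_TAIL >= hosts:
            return prefix
    raise ValueError("more hosts than a single /16 subnet can hold")


if __name__ == "__main__":
    print(aws_reserved_addresses("10.0.0.0/24"))
    print(usable_addresses("10.0.0.0/24"), "usable in a /24")
    print("/%d is enough for 12 hosts" % smallest_subnet_for(12))
```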

Connecting on-premises network to AWS VPC

1. AWS managed VPN - It’s an IPsec VPN connection over your existing internet. A quick and simple way to establish a secure tunneled connection to a VPC. A redundant setup can also be made for high availability.

AWS managed VPN

2. AWS Direct Connect - Dedicated network connection over private lines between AWS and on-prem. This method is best suited when you require high security and dedicated bandwidth for your resources and services. It can provide up to 10Gbps connection speed.

AWS Direct connect

3. AWS VPN CloudHub - It connects locations in a Hub and Spoke manner using AWS’s virtual private gateway. It reuses existing internet connections, supports BGP routes to direct traffic.

AWS VPN CloudHub

4. AWS Software VPN - It allows you to provide your own VPN endpoint and software. This method is suitable when you are required to manage both ends of the VPN connection for compliance reasons or you want to use a VPN option not supported by AWS.

AWS Software VPN

5. AWS Transit VPC - Connects multiple VPCs and on-premises networks in a hub and spoke model. It gives ultimate flexibility and manageability, and also provides an AWS managed VPN hub and spoke between VPCs.

AWS Transit VPC

AWS VPC peering vs AWS PrivateLink

VPC peering connects two VPCs together. It is secure as it uses the AWS backbone without touching the internet. Please note that transitive peering is not supported: if A is peered with B and B with C, that does not mean A can talk to C.

PrivateLink is AWS-provided network connectivity between VPCs and AWS services using VPC endpoints. The best use case is when you want services in a private subnet to talk to an AWS service without reaching the internet.

VPC endpoints come in two types: Interface endpoints and Gateway endpoints. API Gateway, CloudFormation, and CloudWatch use Interface endpoints, whereas AWS S3 and DynamoDB work on Gateway endpoints.

Internet access to AWS

Let us discuss the options we have to provide internet access to your AWS VPC.

  1. Internet Gateway (IGW) - Horizontally scaled, redundant, and highly available component that allows communication between your VPC and the Internet. Supports IPv4 and IPv6.
  2. Egress-only Internet Gateway - Provides outbound internet access for IPv6 instances and prevents inbound access to those instances. You must create a custom route for ::/0 to the Egress-only IGW.
  3. NAT Instance - An EC2 instance from a special AWS-provided AMI. Translates traffic from many private instances to a single public IP and back. The NAT instance must be in a public subnet with a route to the IGW.
  4. NAT Gateway - AWS fully managed NAT service that replaces NAT instances on EC2. Must live in a public subnet and uses an Elastic IP as its public IP. Private instances must have a route to the NAT Gateway.
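As an added example (not from the original article), the script below classifies subnets by the default route in their route table, following the rules in the list above, and flags a NAT Gateway that is not placed in a public subnet. The input is a constructed sample shaped like `aws ec2 describe-route-tables` / `describe-nat-gateways` output with made-up resource ids; subnets without an explicit association (which fall back to the VPC main route table) are not handled.

```python
# Constructed sample data; the ids are placeholders, not real AWS resources.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-v6", "Associations": [{"SubnetId": "subnet-v6-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-priv-a"}]  # misplaced


def default_route_target(rt, ipv6=False):
    """Target id of the 0.0.0.0/0 (or ::/0) route in a route table, or None."""
    dest_key = "DestinationIpv6CidrBlock" if ipv6 else "DestinationCidrBlock"
    default = "::/0" if ipv6 else "0.0.0.0/0"
    for route in rt["Routes"]:
        if route.get(dest_key) == default:
            for key in ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId"):
                if key in route:
                    return route[key]
    return None


def classify(rt):
    """public: default route to an IGW; private-nat: to a NAT gateway;
    private-ipv6-egress: ::/0 to an egress-only IGW; isolated: no default route."""
    v4 = default_route_target(rt) or ""
    v6 = default_route_target(rt, ipv6=True) or ""
    if v4.startswith("igw-") or v6.startswith("igw-"):
        return "public"
    if v4.startswith("nat-"):
        return "private-nat"
    if v6.startswith("eigw-"):
        return "private-ipv6-egress"
    return "isolated"


def subnet_types(route_tables):
    """Map each explicitly associated subnet id to its classification."""
    return {a["SubnetId"]: classify(rt) for rt in route_tables
            for a in rt["Associations"] if "SubnetId" in a}


def check_nat_placement(nat_gateways, route_tables):
    """A NAT gateway only works from a public subnet; report any that is not."""
    types = subnet_types(route_tables)
    return [f"{n['NatGatewayId']} sits in {n['SubnetId']} ({types.get(n['SubnetId'], 'unknown')}), not a public subnet"
            for n in nat_gateways if types.get(n["SubnetId"]) != "public"]
```

Running `check_nat_placement(NAT_GATEWAYS, ROUTE_TABLES)` on the sample reports the NAT gateway placed in the private subnet.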

AWS Route 53

It is an AWS DNS service to register domain names, check the health of your domain resources, and route internet traffic for your domain.

Route 53 has different types of routing policies: Simple routing, Failover routing, Geolocation routing, Geoproximity routing, Latency-based routing, and Weighted routing.

AWS CloudFront

Distributed content delivery service, covering everything from simple static asset caching up to 4K live and on-demand video streaming. It is integrated with AWS Certificate Manager and supports SNI.

AWS Elastic Load Balancer

Distributes inbound connections to one or many backend endpoints. There are three types: Application LB (layer 7), Network LB (layer 4), and Classic LB (layer 4 or 7). These can be used for public or private workloads, and each consumes IP addresses within a VPC subnet.

AWS Elastic Load Balancer

Conclusion

Cloud computing means keeping all your data and resources on a public platform and accessing them when required. The challenge is how we secure our data and make it reliable. AWS provides multiple services for each requirement; we need to clearly understand the scope and choose the most suitable service.

Knowledge credits: A Cloud Guru

— — — — — — — — — — — — — — — — — — — — — — — — — —

I am happy to hear your feedback, suggestions, and requests on any topics for my coming blogs.

LEARN and BE CURIOUS!!!!!

Happy Learning,

Yogendra
