
Network

VPC

A virtual private cloud (VPC) is a logically isolated virtual network that you define in the AWS Cloud, similar to a traditional network in your own data center.

When you create an AWS account, a default VPC is created in each supported AWS Region.
Each default VPC has a public subnet in each Availability Zone of its Region.
Only one default VPC per Region is permitted.

When you create a custom VPC, you choose three main things:

  • A name for the VPC.
  • The Region where the VPC will live. The VPC can then use every Availability Zone in that Region.
  • The IPv4 range for the VPC in CIDR notation, between /16 (65,536 addresses) and /28 (16 addresses). This determines the size of your network. A VPC starts with one primary CIDR block; you can add secondary IPv4 CIDR blocks later (five blocks per VPC by default, one primary plus four secondary), and the blocks must not overlap with each other or with any network you intend to peer or connect to.

Reserved IPs: in every subnet, AWS reserves 5 IP addresses that you cannot assign to resources: the first four (network address, VPC router, Amazon-provided DNS, reserved for future use) and the last (network broadcast address, even though broadcast is not supported in a VPC). A /24 subnet therefore has 251 usable addresses, not 254.

VPC Scope

  • A VPC is regional: it cannot span more than one Region.
  • A subnet is zonal: it is restricted to a single Availability Zone.
  • A VPC can span several Availability Zones within its Region.

A subnet whose route table has a route to an internet gateway is a public subnet; a subnet without such a route is a private subnet.

Gateway

Internet Gateway

To give your VPC internet connectivity, you create an internet gateway, attach it to the VPC, and add a route to it (for example 0.0.0.0/0) in the route table of each subnet that should be public.

An internet gateway is a regional resource that attaches at the VPC level. A VPC can have only one internet gateway attached at a time, and an internet gateway can be attached to only one VPC. An instance also needs a public or Elastic IP address to be reachable through it.

Virtual Private Gateway

A virtual private gateway connects your VPC to another private network. Once you create and attach a virtual private gateway to a VPC,
the gateway acts as the anchor on the AWS side of the connection.

  • It is a regional resource.
  • Direct Connect: the virtual private gateway is the router on the Amazon side of the Direct Connect connection.
  • VPN: the virtual private gateway is the router on the Amazon side of the Site-to-Site VPN tunnel.
  • Multiple VPN connections can terminate on the same virtual private gateway.

NAT Gateway

A NAT gateway lets instances in a private subnet initiate connections to the internet or to other AWS services,
but prevents the internet from initiating connections to those instances (outbound-only connectivity).

  • Unlike an internet gateway, which attaches at the VPC level, a NAT gateway is created in a specific public subnet, and the private subnets' route tables point their default route at it.
  • It is a zonal resource: it is redundant within its Availability Zone but lives only in that AZ. For high availability deploy one NAT gateway per AZ and route each private subnet to the NAT gateway in its own AZ; otherwise an AZ outage takes every private subnet's egress with it. It supports IPv4 only (for IPv6 outbound-only access use an egress-only internet gateway).
  • You cannot route traffic to a NAT gateway through a VPC peering connection, Direct Connect, or a Site-to-Site VPN connection.
  • AWS Systems Manager Session Manager can reach an EC2 instance in a private subnet without any inbound port being open; the SSM agent only needs outbound access to the Systems Manager endpoints, through a NAT gateway or through VPC endpoints.
  • A NAT gateway has no security group; filter with the network ACL of its subnet and with the security groups of the instances behind it.

VPC Security

Use IAM to control who can configure and manage your Amazon VPCs.

There are two main security features available for your Amazon VPC: Network Access Control Lists (Network ACLs) and Security Groups.

Security Features

Use network ACLs to secure subnets.
A network ACL is a stateless filter, similar to a firewall rule set, that evaluates traffic entering or leaving a subnet.
Network ACLs are associated with the subnet (attached at the subnet level), not with the resources inside it.

Every VPC comes with a default network ACL that allows all inbound and outbound traffic; it is automatically associated with any subnet that is not explicitly associated with another network ACL. A custom network ACL that you create starts out denying everything until you add rules.

Network ACLs only see traffic that crosses the subnet boundary.
If two EC2 instances in the same subnet communicate, the network ACL is not involved; only their security groups are.

Some key points

  • Network ACLs are stateless: if traffic is allowed in, the response to that traffic is NOT allowed out automatically.
  • Network ACLs see only one direction at a time, so an inbound allow needs a matching outbound allow, and for the response the outbound rule must cover the client's ephemeral port range (1024-65535), not just the service port.
  • Rules are numbered and evaluated in ascending order; the first matching rule wins, and the final '*' rule denies anything not matched. Network ACLs are the only place in a VPC where you can write an explicit deny, so give deny rules for specific addresses a lower number than the broad allows.
  • A network ACL can be associated with multiple subnets, BUT a subnet can be associated with only one network ACL at a time.

Security groups are the other security feature of an Amazon VPC.
Unlike network ACLs, security groups are attached to AWS resources, specifically to elastic network interfaces (ENIs).

They offer a few advantages compared to network ACLs in that they can recognize AWS resources and filter based on them.
A security group rule can reference another security group, or the security group itself, as its source or destination.
By default, a security group allows all outbound traffic and no inbound traffic.
However, security groups cannot explicitly block traffic: they only contain allow rules. If you need to block a specific IP address, use a network ACL.

Some key points

  • Security groups are stateful: if traffic is allowed in, the response to that traffic is allowed out automatically, whatever the outbound rules say.
  • Security groups see the inbound request and the outbound response as part of the same connection.
  • Unlike network ACLs, security groups recognize AWS resources.
  • So for an EC2 instance, a rule can allow traffic from another security group (by its group ID) rather than from an IP range; every instance that is a member of that group is then allowed, and the rule keeps working when instances are replaced and get new addresses. An instance ID cannot be used in a rule.
  • Another big distinction is that security groups have an implicit deny: anything that is not explicitly allowed is denied, and rule order does not matter because there are no deny rules.
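The stateless-versus-stateful difference above is easiest to see by evaluating the same packets against both kinds of filter. The following is an added example written for this page, not AWS code: a small model of network ACL and security group evaluation (ordered rules with an explicit deny and an implicit '*' deny for the NACL; unordered allow-only rules with security-group references for the security group). The rule sets, addresses and group IDs (sg-web, sg-app) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The response to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)


def _cidr_rule_matches(cidr, ports, proto, remote_ip, port, pkt_proto):
    if proto not in ("-1", pkt_proto):          # "-1" = all protocols
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(cidr):
        return False
    return ports[0] <= port <= ports[1]


@dataclass(frozen=True)
class NaclRule:
    number: int                 # evaluated in ascending order, first match wins
    action: str                 # "allow" or "deny"; a NACL is the only place a deny can be written
    cidr: str
    ports: tuple = (0, 65535)
    proto: str = "tcp"


class NetworkAcl:
    """Stateless subnet filter: separate inbound and outbound lists, each ending in the '*' deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, port, proto):
        for r in rules:
            if _cidr_rule_matches(r.cidr, r.ports, r.proto, remote_ip, port, proto):
                return r.action == "allow"
        return False                             # the implicit '*' rule

    def allows_inbound(self, pkt):               # remote = source, port = destination port
        return self._evaluate(self.inbound, pkt.src, pkt.dport, pkt.proto)

    def allows_outbound(self, pkt):              # remote = destination, port = destination port
        return self._evaluate(self.outbound, pkt.dst, pkt.dport, pkt.proto)

    def allows_round_trip(self, request):
        # Stateless: the reply to the client's ephemeral port needs its own outbound allow.
        return self.allows_inbound(request) and self.allows_outbound(request.reply())


@dataclass(frozen=True)
class SgRule:
    ports: tuple
    source: str                 # a CIDR, or a security group ID matched by the peer's membership
    proto: str = "tcp"


class SecurityGroup:
    """Stateful allow-list on an ENI: no deny rules, no ordering, replies follow the request."""

    def __init__(self, sg_id, inbound):
        self.sg_id = sg_id
        self.inbound = list(inbound)

    def allows_inbound(self, pkt, peer_groups=()):
        for r in self.inbound:
            if r.source.startswith("sg-"):
                ok = (r.source in peer_groups and r.proto in ("-1", pkt.proto)
                      and r.ports[0] <= pkt.dport <= r.ports[1])
            else:
                ok = _cidr_rule_matches(r.source, r.ports, r.proto, pkt.src, pkt.dport, pkt.proto)
            if ok:
                return True
        return False                             # implicit deny

    def allows_round_trip(self, request, peer_groups=()):
        # Stateful: once the request is admitted, the reply is allowed out whatever the outbound rules say.
        return self.allows_inbound(request, peer_groups)


# Constructed example: a public web subnet and an app tier behind it.
WEB_NACL = NetworkAcl(
    inbound=[NaclRule(90, "deny", "203.0.113.0/24", proto="-1"),    # blocklisted range, before the allow
             NaclRule(100, "allow", "0.0.0.0/0", (443, 443))],
    outbound=[NaclRule(100, "allow", "0.0.0.0/0", (1024, 65535))],  # replies to client ephemeral ports
)
HALF_OPEN_NACL = NetworkAcl(   # common mistake: outbound only allows 443, so every reply is dropped
    inbound=[NaclRule(100, "allow", "0.0.0.0/0", (443, 443))],
    outbound=[NaclRule(100, "allow", "0.0.0.0/0", (443, 443))],
)
SG_WEB = SecurityGroup("sg-web", [SgRule((443, 443), "0.0.0.0/0")])
SG_APP = SecurityGroup("sg-app", [SgRule((8080, 8080), "sg-web")])  # only members of sg-web

CLIENT_REQ = Packet("198.51.100.7", "10.0.1.10", 51515, 443)
BLOCKED_REQ = Packet("203.0.113.9", "10.0.1.10", 40000, 443)
TIER_REQ = Packet("10.0.1.10", "10.0.2.20", 49152, 8080)
```

Running the three packets through the model shows the points made above: WEB_NACL admits the client request and its reply, but the same rule set with an outbound allow for port 443 only (HALF_OPEN_NACL) admits the request and silently drops the reply; the deny at rule 90 blocks the 203.0.113.0/24 client even though rule 100 would allow it; SG_WEB has no way to express that deny at all; and SG_APP admits the tier request only when the sender is a member of sg-web, regardless of its IP address.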

VPC Endpoints

A VPC endpoint lets you privately connect your VPC to supported AWS services and to VPC endpoint services powered by AWS PrivateLink.
With VPC endpoints, resources inside a VPC don't need public IP addresses to communicate with those services.

They are a security product first and a connectivity product second.
Traffic between your VPC and the service does not leave the Amazon network.

An endpoint requires no internet gateway, virtual private gateway, NAT device, VPN connection or Direct Connect connection.

There are two main types of VPC endpoint: interface endpoints (an ENI with a private IP address in your subnet, backed by PrivateLink) and gateway endpoints (a route-table target, available only for Amazon S3 and DynamoDB). Both types accept an endpoint policy, an IAM-style resource policy that restricts which principals, actions and resources can be used through the endpoint. Without one, the endpoint allows full access to the service, so a workload with no internet route could still copy data to an S3 bucket in any account; scope the policy to your own buckets or principals.

VPC Peering

A VPC peering connection is a networking connection between two VPCs that lets you route traffic between them using private IPv4 or IPv6 addresses. The two VPCs can be in the same or different AWS accounts, and in the same or different Regions (inter-Region VPC peering).

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware.

There is no single point of failure for communication or a bandwidth bottleneck.

Some limitations

  • The two VPCs cannot have overlapping CIDR blocks.
  • A VPC can have at most 125 active peering connections (the default quota is 50).
  • VPC peering is not transitive: if A is peered with B and B with C, A cannot reach C through B. Each pair needs its own peering connection, each side's route tables need a route for the peer's CIDR pointing at the peering connection, and the instances' security groups must allow the peer traffic.
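The three limitations above are the checks you would run before designing a multi-VPC network. The following is an added example written for this page, not AWS code: a small model of VPCs and peering connections that rejects overlapping CIDRs, enforces the per-VPC maximum, answers reachability the way peering actually behaves (direct peers only), and lists the routes each VPC needs. The VPC names, CIDRs and the pcx- identifier format are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

MAX_PEERINGS_PER_VPC = 125   # hard maximum; the default quota is 50


class PeeringMesh:
    """Models VPCs, their CIDR blocks and the peering connections between them."""

    def __init__(self):
        self.cidrs = {}                    # vpc name -> ip_network
        self.peers = defaultdict(dict)     # vpc name -> {peer name: peering connection id}
        self._next_pcx = 0

    def add_vpc(self, name, cidr):
        self.cidrs[name] = ipaddress.ip_network(cidr, strict=True)

    def peer(self, a, b):
        """Create a peering connection, applying the checks AWS applies at creation time."""
        na, nb = self.cidrs[a], self.cidrs[b]
        if na.overlaps(nb):
            raise ValueError(f"{a} ({na}) and {b} ({nb}) have overlapping CIDRs; peering is rejected")
        for v in (a, b):
            if len(self.peers[v]) >= MAX_PEERINGS_PER_VPC:
                raise ValueError(f"{v} already has {MAX_PEERINGS_PER_VPC} peering connections")
        self._next_pcx += 1
        pcx = f"pcx-{self._next_pcx:08x}"   # hypothetical ID format, for illustration only
        self.peers[a][b] = pcx
        self.peers[b][a] = pcx
        return pcx

    def can_route(self, src, dst):
        """Peering is not transitive: only a direct peering carries traffic."""
        return dst in self.peers[src]

    def hub_path(self, src, dst):
        """Shortest path over the peering graph: what a transitive hub such as a transit gateway
        would allow. Used here only to show which pairs peering alone leaves unreachable."""
        seen, queue = {src}, deque([[src]])
        while queue:
            path = queue.popleft()
            if path[-1] == dst:
                return path
            for nxt in self.peers[path[-1]]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None

    def required_routes(self, vpc):
        """Routes to add to the VPC's route tables: peer CIDR -> peering connection."""
        return {str(self.cidrs[p]): pcx for p, pcx in self.peers[vpc].items()}


def full_mesh_peerings(n):
    """Peering connections needed for n VPCs to all talk directly, since peering is not transitive."""
    return n * (n - 1) // 2


def build_example():
    """Constructed example: three non-overlapping VPCs peered in a chain, and one that overlaps."""
    mesh = PeeringMesh()
    mesh.add_vpc("app", "10.0.0.0/16")
    mesh.add_vpc("shared", "10.1.0.0/16")
    mesh.add_vpc("data", "10.2.0.0/16")
    mesh.add_vpc("legacy", "10.1.128.0/17")   # sits inside 'shared'
    mesh.peer("app", "shared")
    mesh.peer("shared", "data")
    return mesh
```

In the example, app can reach shared and shared can reach data, but app cannot reach data even though a path exists through shared; a full mesh of ten VPCs would need 45 peering connections, which is the point at which a transit gateway starts to pay for itself. The attempt to peer shared with legacy fails on the overlap check before anything is created.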

VPC Flow Logs

VPC Flow Logs is a feature that captures metadata about the IP traffic going to and from network interfaces in your VPC: addresses, ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by the security groups and network ACLs. Packet payloads are not captured, and some traffic is never logged, for example queries to the Amazon DNS resolver and traffic to the instance metadata service.

A flow log can be created for a VPC, a subnet or a single network interface and sent to CloudWatch Logs, an S3 bucket or Amazon Data Firehose.
Flows are collected, processed, and stored in aggregation windows of up to 10 minutes (1 minute can be selected), so a flow log is an investigative record rather than a real-time alert source.

You can create up to 2 flow logs on one resource.
For network security, VPC Flow Logs can help to:

  • Detect network intrusions by tracking the movement of a compromised host, spotting port scanning (one source hitting many destination ports on a host, typically as REJECT records), tracking network enumeration attempts and data exfiltration (unusually large byte counts leaving the VPC).

  • Detect anomalies by using flow logs to profile the traffic that normally reaches your instances, so that deviations stand out.

  • Monitor remote logins by flagging administrative ports (SSH 22 and RDP 3389) that should only be accessible from trusted sources, and alerting on ACCEPT records from anywhere else.
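The three detections above can be run directly over flow log records. The following is an added example written for this page, not an AWS tool: a parser for the default flow log record format (version 2 fields, space separated) and three detectors, run over a constructed sample of records. The account ID, interface ID, addresses, byte counts, trusted ranges and thresholds are all made up for the illustration; in practice the trusted ranges would be your bastion subnet or VPN range and the thresholds would be tuned to the profile of the workload.

```python
import ipaddress
from collections import defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP = 6
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA records carry '-' in the traffic fields and are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in NUMERIC:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def detect_port_scans(records, min_ports=10):
    """One source probing many destination ports on one host; REJECT records are the usual signature."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def detect_untrusted_admin_access(records, trusted_cidrs):
    """ACCEPTed SSH/RDP flows from outside the trusted ranges: a rule is too open, or worse."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [(r["srcaddr"], r["dstaddr"], ADMIN_PORTS[r["dstport"]])
            for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == TCP
            and r["dstport"] in ADMIN_PORTS and not _in_any(r["srcaddr"], trusted)]


def detect_large_egress(records, internal_cidrs, min_bytes=1_000_000_000):
    """Bytes sent from inside the VPC to outside it, summed per (src, dst) pair."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and _in_any(r["srcaddr"], internal) and not _in_any(r["dstaddr"], internal):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return sorted((src, dst, b) for (src, dst), b in totals.items() if b >= min_bytes)


# Constructed sample: 15 rejected probes, a bastion SSH session, RDP accepted from the internet,
# a 1.5 GB upload to an external host, normal east-west traffic, and a NODATA record.
SCAN = "\n".join(
    f"2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.10 {44000 + p} {p} 6 1 60 1700000000 1700000600 REJECT OK"
    for p in range(20, 35))
SAMPLE_LOG = SCAN + """
2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.10 51000 22 6 20 4000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.10 50001 3389 6 15 3000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.77 50433 443 6 90000 1500000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 50434 8080 6 300 45000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000600 - NODATA
"""
TRUSTED_ADMIN = ["10.0.0.0/24"]      # the bastion subnet (constructed)
VPC_CIDRS = ["10.0.0.0/16"]


def analyse(text=SAMPLE_LOG):
    recs = parse_flow_log(text)
    return {"records": len(recs),
            "port_scans": detect_port_scans(recs),
            "untrusted_admin": detect_untrusted_admin_access(recs, TRUSTED_ADMIN),
            "large_egress": detect_large_egress(recs, VPC_CIDRS)}


if __name__ == "__main__":
    for finding, value in analyse().items():
        print(finding, value)
```

Two things worth noticing: the rejected probes to ports 22 and 3389 from the scanner are not reported as admin access, because only ACCEPT records mean a session was established, and the bastion's SSH session is not reported because its source is inside the trusted range. The accepted RDP flow from 198.51.100.8 is exactly the kind of record that should page someone, since it means a security group or network ACL currently allows it.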

AWS PrivateLink

AWS PrivateLink lets you connect to some AWS services, and to services hosted in other AWS accounts, through private IP addresses in your VPC.
A typical use is giving multiple consumer VPCs access to a shared service in one provider VPC, without peering the VPCs and without exposing the service to the internet.

AWS PrivateLink connection setup:

  1. In the shared-services (provider) VPC, create a Network Load Balancer in front of the service.
  2. Create a service-consumer role in IAM.
  3. Create an endpoint service in the shared-services VPC and set it to automatically accept connection requests (or keep acceptance manual and allow only listed principals).
  4. Create an interface endpoint for that service in each consumer VPC that must reach the shared service.
  5. The endpoint service points at the Network Load Balancer in the shared-services VPC. Only connections initiated from the consumer side flow through it, and the provider sees the consumer's traffic without being able to reach into the consumer's network.

Hybrid Connectivity

AWS provides services and hybrid connectivity solutions to link your on-premises and AWS networks. This supports a wide range of hybrid architectures and use cases.

  • AWS Client VPN is a managed client-based VPN service that lets remote users connect securely to AWS and to your on-premises resources.

  • AWS Site-to-Site VPN connects remote offices or data centers to AWS over IPsec tunnels that terminate on a virtual private gateway or a transit gateway.

    • AWS VPN CloudHub: if you have multiple sites, each with its own Site-to-Site VPN connection to the same virtual private gateway, you can use VPN CloudHub to let those sites communicate with each other as well.

  • AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable, bypassing the public internet. Direct Connect does not encrypt traffic by itself; run Site-to-Site VPN over it (or use MACsec on connection types that support it) if the traffic needs encryption in transit.

    • A Direct Connect gateway is a global resource.
    • It connects and associates up to 10 virtual private gateways across Regions and accounts.
    • It allows north/south traffic only; it does not permit VPC-to-VPC connectivity.
    • It can be associated with a virtual private gateway or a transit gateway.

  • AWS Cloud WAN if you need to connect cloud routing and software-defined wide area networks (SD-WANs).

Transit Gateway

AWS Transit Gateway provides a hub-and-spoke design for connecting VPCs and on-premises networks as a fully managed service, without requiring you to provision virtual router appliances (such as Cisco CSRs) in a transit VPC.

  • No VPN overlay is required, and AWS manages high availability and scalability.
  • It is a regional resource that resides outside of a VPC.
  • It connects VPCs and on-premises networks through a central hub.
  • It simplifies networking by acting as a regional virtual router. Transit gateway route tables decide which attachments can reach which, so segmentation (for example a shared-services VPC reachable from every spoke while the spokes cannot reach each other) is done there rather than by peering.
  • Traffic between Regions over transit gateway peering is encrypted automatically on the AWS global network; within a Region the transit gateway does not add encryption.
  • It supports IP multicast (not supported by any other AWS service).
  • Attachment types:
    • VPCs
    • VPN connections
    • Direct Connect gateways
    • Transit Gateway Connect attachments
    • Transit Gateway peering connections

You can use VPC peering or transit gateway peering to establish communication between VPCs in different Regions.

Load Balancing

Load balancing refers to the process of distributing tasks across a set of resources.
Elastic Load Balancing (ELB) can distribute incoming application traffic across EC2 instances, containers, IP addresses, and AWS Lambda functions.
Other key features include the following:

  • Because ELB can load balance to IP addresses, it can work in a hybrid mode, which means it also load balances to on-premises servers.
  • ELB is highly available. The only thing you must ensure is that the load balancer is deployed across multiple Availability Zones.
  • In terms of scalability, ELB automatically scales to meet the demand of the incoming traffic.

The ELB service is made up of three main components:

  • Listener: the client-side front end. Clients connect to a listener on a given port and protocol.
  • Rule: associates a target group with a listener and decides which target group receives a given request.
  • Target group: the server side, defined in one or more target groups.
    • This is where you define the type of backend to send traffic to (EC2 instances, Lambda functions, IP addresses), the targets themselves, and the health checks.

Some Key points

  • ELB is a managed service and is highly available by default.
  • It can be internet-facing or internal.
  • ELB can route between resources in different subnets and AZs, but NOT in different Regions.
  • With a predefined or custom security policy, you determine which TLS protocol versions and cipher suites are negotiated between the load balancer and the client; choose a policy that drops TLS 1.0 and 1.1 unless you still have clients that need them.

Application Load Balancer

Some primary features of Application Load Balancer

  • ALB routes traffic based on request data. Routing decisions are made at Layer 7 on HTTP attributes such as the URL path and host header, HTTP headers, the HTTP method, query strings, and the source IP address of the client.
  • ALB does TLS offloading. To terminate HTTPS at the ALB, you provide a certificate, either imported into IAM or issued or imported through AWS Certificate Manager (ACM); the ALB decrypts the traffic and can forward it to targets over HTTP or re-encrypt it over HTTPS.
  • ALB authenticates users. On the topic of security, ALB can authenticate users through an OIDC-compatible identity provider or Amazon Cognito before they are allowed to pass through the load balancer.
  • ALB secures traffic. To control which clients can reach the load balancer, you attach a security group to it and allow only the supported IP address ranges; the targets' security groups can then allow traffic only from the ALB's security group, so nothing bypasses the load balancer.
  • ALB uses the round-robin routing algorithm by default, so each target receives roughly the same number of requests; least outstanding requests is available as an alternative.
  • ALB supports sticky sessions. If requests must go to the same backend server because the application is stateful, enable stickiness, which is based on a load-balancer-generated or application cookie.
  • ALB can send responses directly to the client: a listener rule can return a fixed response (for example a 403 or 404) without involving any target.
  • It can also send a redirect to the client.
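The listener rules described above (host, path, method and source-IP conditions; forward, fixed-response and redirect actions; round-robin across a target group) are easiest to understand as an evaluation order. The following is an added example written for this page, not ALB code: a small model of an ALB listener that evaluates rules by priority and applies the first match, with a constructed rule set that restricts /admin/* to corporate address ranges, routes an API by host header, redirects an old path, and falls back to a fixed 404 rather than to a catch-all target. The hostnames, target addresses and CIDRs are made up for the illustration; ALB path patterns use the same `*` and `?` wildcards as the glob matching used here.

```python
import fnmatch
import ipaddress
import itertools


class TargetGroup:
    """Backend targets; round-robin picks the next target for each forwarded request."""

    def __init__(self, name, targets):
        self.name = name
        self._cycle = itertools.cycle(targets)

    def next_target(self):
        return next(self._cycle)


# Listener actions, the same three kinds ALB offers.
def forward(target_group):
    return ("forward", target_group)


def fixed_response(status, body=""):
    return ("fixed-response", status, body)


def redirect(location, status=301):
    return ("redirect", status, location)


class Rule:
    """A listener rule: every given condition must match (AND); lower priority number is checked first."""

    def __init__(self, priority, action, host=None, path=None, methods=None, header=None, source_ips=None):
        self.priority, self.action = priority, action
        self.host, self.path, self.methods = host, path, methods
        self.header = header                                   # (name, glob pattern)
        self.source_ips = [ipaddress.ip_network(c) for c in (source_ips or [])]

    def matches(self, req):
        if self.host and not fnmatch.fnmatchcase(req["host"].lower(), self.host.lower()):
            return False
        if self.path and not fnmatch.fnmatchcase(req["path"], self.path):   # paths are case-sensitive
            return False
        if self.methods and req["method"] not in self.methods:
            return False
        if self.header:
            name, pattern = self.header
            if not fnmatch.fnmatchcase(req["headers"].get(name.lower(), ""), pattern):
                return False
        if self.source_ips:
            client = ipaddress.ip_address(req["client_ip"])
            if not any(client in net for net in self.source_ips):
                return False
        return True


class Listener:
    def __init__(self, rules, default_action):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action

    def route(self, req):
        for rule in self.rules:
            if rule.matches(req):
                return self._apply(rule.action, req)
        return self._apply(self.default_action, req)

    @staticmethod
    def _apply(action, req):
        kind = action[0]
        if kind == "forward":
            tg = action[1]
            # The target sees the ALB as its TCP peer; the client address travels in X-Forwarded-For.
            return {"action": "forward", "target_group": tg.name, "target": tg.next_target(),
                    "x_forwarded_for": req["client_ip"]}
        if kind == "fixed-response":
            return {"action": "fixed-response", "status": action[1], "body": action[2]}
        return {"action": "redirect", "status": action[1], "location": action[2]}


CORPORATE_CIDRS = ["10.10.0.0/16", "192.0.2.0/24"]   # constructed trusted ranges


def build_listener():
    """Constructed listener: admin paths only from corporate ranges, API by host, everything else 404."""
    admin_tg = TargetGroup("admin", ["10.0.3.10", "10.0.3.11"])
    api_tg = TargetGroup("api", ["10.0.2.20", "10.0.2.21"])
    web_tg = TargetGroup("web", ["10.0.1.10", "10.0.1.11"])
    rules = [
        Rule(1, forward(admin_tg), path="/admin/*", source_ips=CORPORATE_CIDRS),
        Rule(2, fixed_response(403, "admin is restricted"), path="/admin/*"),   # everyone else
        Rule(3, forward(api_tg), host="api.example.com", path="/v1/*", methods={"GET", "POST"}),
        Rule(4, redirect("https://www.example.com/new/"), host="*.example.com", path="/old/*"),
        Rule(5, forward(web_tg), host="www.example.com"),
    ]
    return Listener(rules, fixed_response(404, "not found"))   # no catch-all forward to a target


def request(host, path, client_ip, method="GET", headers=None):
    return {"host": host, "path": path, "client_ip": client_ip, "method": method,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}}
```

The ordering of rules 1 and 2 is the whole trick for the admin path: the narrower allow comes first, the broad 403 second, so a request from outside the corporate ranges never reaches a target. Note also that an unknown Host header or an unsupported method on the API lands on the 404 default action, not on whichever target group happened to be configured first.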

Network Load Balancer

Some primary features of Network Load Balancer

  • NLB supports the TCP, UDP and TLS protocols.
  • NLB uses a flow hash routing algorithm. The hash is computed from the protocol, source IP address and port, destination IP address and port, and the TCP sequence number, so every packet of a flow lands on the same target.
  • NLB has sticky sessions. Different from ALB, these sessions are based on the source IP address of the client instead of a cookie.
  • NLB supports TLS offloading. NLB understands the TLS protocol and can terminate TLS on behalf of the backend servers, similar to how ALB does.

  • NLB supports static and Elastic IP addresses, one per Availability Zone, for cases where a client or a firewall rule needs to address the load balancer by IP instead of by DNS name.

  • NLB handles millions of requests per second. While ALB can also reach this number, it needs time to scale up to it; NLB can handle it instantly.
  • NLB preserves the client's source IP address when sending traffic to the backend (on by default for instance targets; a configurable attribute for IP-address targets), so the backend's security group must allow the client addresses, not just the load balancer.
    • With ALB, the source IP address of the request as seen by the backend is the IP address of the load balancer; the original client address is carried in the X-Forwarded-For header, which the application must read, and must only trust when the request arrived from the ALB.

Network Load Balancer vs Application Load Balancer

  • Layer: ALB works at Layer 7 (HTTP/HTTPS); NLB at Layer 4 (TCP, UDP, TLS).
  • Routing: ALB by host, path, headers, method and source IP; NLB by flow hash.
  • Stickiness: ALB by cookie; NLB by client source IP.
  • Client IP at the backend: ALB supplies it in X-Forwarded-For; NLB preserves it in the packet.
  • Static IP: NLB only; ALB is addressed by its DNS name.
  • Scale: NLB absorbs millions of requests per second immediately; ALB scales up to it over time.

Classic Load Balancer

The Classic Load Balancer is the legacy load balancer for AWS.
Classic Load Balancers are not recommended for new deployments; use one only for legacy services or applications that still need it.

Gateway Load Balancer

Gateway Load Balancers are used to deploy and scale third-party virtual appliances (firewalls, IDS/IPS, deep packet inspection systems) transparently.
It operates at Layer 3 and 4 of the OSI model: it is a transparent bump-in-the-wire that forwards packets to the appliances encapsulated in GENEVE and returns them to their original path, so the appliance sees the original packets unchanged.

AutoScaling

Amazon EC2 Auto Scaling helps you maintain application availability and lets you automatically add or remove EC2 instances using scaling policies that you define.

The ELB service integrates with EC2 Auto Scaling. As soon as a new EC2 instance is added to or removed from the Auto Scaling group, ELB is notified, registers or deregisters the target, and only routes to instances that pass the health checks.

The three main components of EC2 Auto Scaling are:

  • Launch template (or the older launch configuration): what should be scaled? AMI, instance type, key pair, security groups, IAM instance profile, user data.
  • Auto Scaling group: where should the resources be deployed (VPC, subnets)? Which instance types? How many (minimum, desired, maximum)?
  • Scaling policies: when should resources be added or removed?
    • Simple scaling policy: a CloudWatch alarm triggers one adjustment, expressed either as a fixed number of instances or as a percentage of the group; the group then waits out a cooldown before reacting again.
    • Step scaling policy: the adjustment depends on how far the metric exceeds the threshold (for example add 1 instance at 70% CPU but 3 instances at 85%), and the policy keeps responding to alarms even while a scaling activity or health-check replacement is in progress.
    • Target tracking scaling policy: you pick a metric and a target value (for example average CPU utilization of 50%, or average network utilization or request count per target), and Auto Scaling adds or removes capacity to keep the metric near the target.
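The difference between the three policy kinds shows up when you run them on the same observation. The following is an added example written for this page, not Auto Scaling code: a simplified model of each policy's capacity calculation. Two simplifications are labelled in the code: the step policy uses absolute metric bounds (real step adjustments are expressed relative to the alarm threshold), and target tracking is modelled as a proportional adjustment, which is the effect the service produces rather than its exact internal algorithm. The step boundaries, group sizes and CPU readings are constructed for the illustration.

```python
import math


def _clamp(n, lo, hi):
    return max(lo, min(hi, n))


def simple_scaling(current, adjustment, min_size, max_size, percent=False):
    """Simple scaling: one alarm, one adjustment (a count of instances or a percent of the group).
    Percent changes round away from zero so a small group still changes by at least one instance."""
    if percent:
        delta = current * adjustment / 100
        delta = math.ceil(delta) if delta > 0 else math.floor(delta)
    else:
        delta = adjustment
    return _clamp(current + delta, min_size, max_size)


def step_scaling(current, metric, steps, min_size, max_size):
    """Step scaling: the adjustment depends on the metric value.
    steps is a list of (lower, upper, adjustment) with absolute metric bounds, None = unbounded.
    Simplification: the real service expresses the bounds relative to the alarm threshold."""
    for lower, upper, adjustment in steps:
        if (lower is None or metric >= lower) and (upper is None or metric < upper):
            return _clamp(current + adjustment, min_size, max_size)
    return current   # metric inside no step: no action


def target_tracking(current, metric, target, min_size, max_size):
    """Target tracking: capacity is scaled in proportion to metric/target so the per-instance
    metric returns to the target. Simplified, proportional model of the service's behaviour."""
    if current <= 0:
        return min_size
    desired = math.ceil(current * metric / target)
    return _clamp(desired, min_size, max_size)


# Constructed step policy: +1 between 70% and 85% CPU, +3 at 85% and above, -1 below 30%.
CPU_STEPS = [(70, 85, 1), (85, None, 3), (None, 30, -1)]


def plan(current, cpu, min_size=2, max_size=10):
    """Run all three policy kinds on the same observation, for comparison."""
    return {
        "simple_50pct": simple_scaling(current, 50, min_size, max_size, percent=True),
        "step": step_scaling(current, cpu, CPU_STEPS, min_size, max_size),
        "target_50": target_tracking(current, cpu, 50.0, min_size, max_size),
    }


if __name__ == "__main__":
    for current, cpu in ((4, 88), (4, 20), (8, 95)):
        print(current, cpu, plan(current, cpu))
```

With 4 instances at 88% CPU the simple policy adds its fixed 50% (to 6), the step policy lands in the top step (to 7), and target tracking asks for enough capacity to bring the average back to 50% (to 8). At 20% CPU the simple policy still scales out because it only knows that an alarm fired, while the step policy scales in by one and target tracking drops to the group minimum; at 8 instances and 95% all three hit the maximum of 10.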