AWS - Network

• AWS networking and content delivery
  • HIGH AVAILABILITY APPROACHES FOR NETWORKING
  • Hybrid connectivity
  • AWS Partner Network (APN)
  • AWS GovCloud
  • Hardware VPN Connection:
  • Router:
  • Peering Connection:
  • VPC Endpoints:
  • VPC
    • Elastic Network Interface (ENI)
    • Flow Logs
    • Subnets
  • Shared Services VPCs
  • AWS VPN - Virtual Private Network
  • Amazon CloudFront
    • Regional edge caches
  • Gateway
    • Internet Gateway
      • NAT INSTANCES
      • NAT GATEWAYS
    • Virtual Private Gateway:
    • Customer Gateway:
    • Egress-only Internet Gateway:
    • Amazon API Gateway
    • AWS Transit Gateway connecting multiple VPCs
  • Route 53

---

AWS networking and content delivery

Module 5 Overview

HIGH AVAILABILITY APPROACHES FOR NETWORKING

• By creating subnets in the available AZs, you create Multi-AZ presence for the VPC.
• Best practice is to create at least two VPN tunnels into the Virtual Private Gateway.
• Direct Connect is not HA by default, so you need to establish a secondary connection via another Direct Connect (ideally with another provider) or use a VPN.
• Route 53’s health checks provide a basic level of redirecting DNS resolutions.
• Elastic IPs allow you flexibility to change out backing assets without impacting name resolution.
• For Multi-AZ redundancy of NAT Gateways, create gateways in each AZ with routes for private subnets to use the local gateway.

Hybrid connectivity

• AWS direct connect (for consistent and dedicated connection, this better)
• Virtual private network VPN
• Services like Classic Load Balancer, Auto Scaling, are not supported in a hybrid design. 

AWS Partner Network (APN)

• APN Consulting Partners
  • helps customers of all types and sizes design, architect, build, migrate, and manage their workloads and applications on AWS,
  • accelerating journey to the cloud. 
  • Consulting Partners include
  • System Integrators (SIs),
  • Strategic Consultancies,
  • Agencies,
  • Managed Service Providers (MSPs),
  • and Value-Added Resellers (VARs).
• APN Technology Partner
  • organizations that are developing their own products/services that they will deploy on top of AWS to sell it to the customers.
  • establish a secure and private tunnel from the network or device to the AWS global network.
• AWS VPN comprises two services:
  • AWS Site-to-Site VPN and AWS Client VPN.

AWS GovCloud

• an AWS Region specially designed to host sensitive data and regulated workloads from U.S. government agencies and customers.
• t addresses the most stringent U.S. government security and compliance requirements

Hardware VPN Connection: 

• A hardware-based VPN connection between the Amazon VPC and the datacenter, home network, or co-location facility.

Router: 

• Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.

Peering Connection: 

• to route traffic via private IP addresses between two peered VPCs.
  • can be created with VPCs in different regions (available in most regions now).

VPC Endpoints: 

• Enables private connectivity to services hosted in AWS, from within the VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

---

VPC

Options for securely connecting to a VPC are:

• AWS managed VPN – fast to setup.
• AWS Direct Connect – high bandwidth, low-latency but takes weeks to months to setup.
• AWS Direct Connect plus a VPN
• AWS VPN CloudHub – used for connecting multiple sites to AWS. provide secure communication between sites using the AWS VPN CloudHub.
• Software VPN – use 3rd party software.
• Transit VPC
• VPC Peering
• AWS PrivateLink
• VPC Endpoints

Data sent between VPCs in different regions is encrypted (traffic charges apply).

VPC best practices.

• Choosing CIDR block or IP address ranges wisely
  • selecta range large enough for future growth (or run multiple VPCs). Start with /16.
• Use subnets to divide resources based on access, which is their primary purpose.
• Use Multi-AZ deployments in a VPC for high availability
• Use security groups to control traffic between EC2 instances and elastic load balancers. You can specify a granular security policy for Amazon EC2 instances by using a security group.
• Use VPC Flow Logs to track and monitor VPC traffic.
  • Store traffic logs for a particular VPC, VPC subnet, or Elastic Network Interface to CloudWatchLogs,
  • can be accessed by third-party tools for storage and analysis.
• Check the health of the VPN link via API calls or in the AWS Management Console.

VPC WIZARD The VPC Wizard can be used to create the following four configurations:

• VPC with a Single Public Subnet:
  • instances run in a private, isolated section of the AWS cloud with direct access to the Internet.
    • Public subnet instances use Elastic/Public IPs to access the Internet.
  • Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to the instances.
  • Creates a /16 network with a /24 subnet.
• VPC with Public and Private Subnets:
  • adds a private subnet whose instances are not addressable from the Internet.
    • Public subnet instances use Elastic IPs to access the Internet.
    • Private subnet instances access the Internet via the public subnet using Network Address Translation (NAT).
  • Creates a /16 network with two /24 subnets.
• VPC with Public and Private Subnets and Hardware VPN Access:
  • adds an IPsec Virtual Private Network (VPN) connection between the Amazon VPC and the data center
    • effectively extending the data center to the cloud while also providing direct access to the Internet for public subnet instances in the Amazon VPC.
    • One subnet is directly connected to the Internet
    • other subnet is connected to corporate network via an IPsec VPN tunnel.
  • Creates a /16 network with two /24 subnets.
• VPC with a Private Subnet Only and Hardware VPN Access:
  • instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet.
    • connect private subnet to corporate data center via an IPsec Virtual Private Network (VPN) tunnel.
  • Creates a /16 network with a /24 subnet and provisions an IPsec VPN tunnel between the Amazon VPC and the corporate network.

Elastic Network Interface (ENI)

• a logical networking component that represents a NIC.
• can be attached and detached from EC2 instances and the configuration of the ENI will be maintained.

Flow Logs

• capture information about the IP traffic going to and from network interfaces in a VPC.
• stored using Amazon CloudWatch Logs.
• can be created at the following levels:
  • VPC.
  • Subnet.
  • Network interface.

Subnets

• After creating a VPC, can add one or more subnets in each Availability Zone.
  • Subnets are created within a single AZ and do not get mapped to multiple AZs.
• When create subnet, specify the CIDR block for the subnet, a subset of the VPC CIDR block.
  • Each subnet must reside entirely within one Availability Zone and
  • subnet cannot span zones.
• Types of subnet:
  • If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.
  • If a subnet doesn’t have a route to the internet gateway, the subnet is known as a private subnet.
  • If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.

---

Shared Services VPCs

• allow other AWS accounts to create their application resources (EC2 instances, RDS databases, Redshift clusters, Lambda functions) into shared, centrally-managed Amazon VPCs.
• VPC sharing enables subnets to be shared with other AWS accounts within the same AWS Organization.
• Benefits include:
  • Separation of duties:
    • centrally controlled VPC structure, routing, IP address allocation.
  • Application owners continue to own resources, accounts, and security groups.
  • VPC sharing participants can reference security group IDs of each other.
  • Efficiencies:
    • higher density in subnets, efficient use of VPNs and AWS Direct Connect.
  • Hard limits can be avoided
    • for example, 50 VIFs per AWS Direct Connect connection through simplified network architecture.
  • Costs can be optimized
    • through reuse of NAT gateways, VPC interface endpoints, and intra-Availability Zone traffic.
• You can create separate Amazon VPCs for each account
  • the account owner being responsible for connectivity and security of each Amazon VPC.
  • With VPC sharing, the IT team can own and manage the Amazon VPCs and the application developers no longer have to manage or configure Amazon VPCs, but they can access them as needed.
• share Amazon VPCs to leverage the implicit routing within a VPC for applications that require a high degree of interconnectivity and are within the same trust boundaries.
  • reduces the number of VPCs that need to be created and managed, while you still benefit from using separate accounts for billing and access control.
• Customers can further simplify network topologies by interconnecting shared Amazon VPCs using connectivity features, such as AWS PrivateLink, AWS Transit Gateway, and Amazon VPC peering.
• Can also be used with AWS PrivateLink to secure access to resources shared such as applications behind a Network Load Balancer.

---

AWS VPN - Virtual Private Network

• provides a secure private tunnel from the network or device to the AWS global network.
• lets you establish a secure and private tunnel from the network or device to the AWS global network.
• AWS VPN comprises two services:
  • AWS Site-to-Site VPN
    • enables you to securely connect the on-premises network or branch office site to the Amazon Virtual Private Cloud (Amazon VPC).
  • AWS Client VPN
    • enables you to securely connect users to AWS or on-premises networks

Amazon CloudFront

• fast content delivery network (CDN) service
  • securely delivers data, videos, applications, and application programming interfaces (APIs) to customers globally,
• low latency and high transfer speeds. fast response time to frequently accessed data.
  • cache both static and dynamic content in points of presence
• This inclueds protections with AWS WAF and AWS Shield.
• Edge locations: the locations where the content is cached
• A CloudFront Origin can be an S3 bucket, ELB, or a valid domain name.

Regional edge caches 

• used by default with Amazon CloudFront.
• are used when you have content that is not accessed frequently enough to remain in an edge location.
• Regional edge caches absorb this content and provide an alternative to that content having to be fetched from the origin serve

---

Gateway

Internet Gateway

• a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the internet.

NAT INSTANCES

• NAT instances are managed by you.
• Used to enable private subnet instances to access the Internet.
• When creating NAT instances always disable the source/destination check on the instance.
• NAT instances must be in a single public subnet.
• NAT instances need to be assigned to security groups.

NAT GATEWAYS

• NAT gateways are managed by AWS.
• A highly available, managed Network Address Translation (NAT) service for the resources in a private subnet to access the Internet.
  • No need to patch.
  • preferred by enterprises.
  • Not associated with any security groups.
  • No need to disable source/destination checks.
  • Port forwarding is not supported.
  • Traffic metrics are not supported.
• Must be created in a public subnet.
  • Created in a specified AZ with redundancy in that zone.
  • For multi-AZ redundancy
    • create NAT Gateways in each AZ with routes for private subnets to use the local gateway.
  • Automatically assigned a public IP address.
    • Uses an Elastic IP address for the public IP.
  • Private instances in private subnets must have a route to the NAT instance, usually the default route destination of 0.0.0.0/0.
• NAT gateways are highly available in each AZ into which they are deployed.
  • Can scale automatically up to 45Gbps.
• They are preferred by enterprises.
• Can’t use a NAT Gateway to access VPC peering, VPN or Direct Connect, so be sure to include specific routes to those in the route table.
• Remember to update route tables and point towards the gateway.
• More secure
  • you cannot access with SSH and there are no security groups to maintain
• Egress only Internet gateways operate on IPv6 whereas NAT gateways operate on IPv4.
• Using the NAT Gateway as a Bastion host server is not supported.

Virtual Private Gateway: 

• The Amazon VPC side of a VPN connection.

Customer Gateway: 

• Your side of a VPN connection.
• Best practice to use custom route tables for each subnet, which enable granular routing for destinations.
• Route leads according to rules you set up, making sure they are going to those agents best suited to conversion

Egress-only Internet Gateway: 

• A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

Amazon API Gateway

• a fully managed service
• for developers to create, publish, maintain, monitor, and secure APIs at any scale.
  • in AWS Management Console
  • create an API that acts as a “front door” for applications to access data, business logic, or functionality from the back-end services,
    • such as workloads running on Amazon EC2,
    • code running on AWS Lambda, or any web application.
• Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

AWS Transit Gateway connecting multiple VPCs

• to connect Amazon VPCs and on-premises networks to a single gateway for connecting multiple VPCs and on-premises networks.
• enables customers to connect their Amazon VPCs and their on-premises networks to a single gateway.
• only have to create and manage a single connection from the central gateway in to each Amazon VPC, on-premises data center, or remote office across the network.
• Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes. 

Route 53

• a scalable cloud Domain Name System (DNS) web service
• Features: domain registration, DNS, traffic flow, health checking, and failover, “routing policies”. register domains and configure DNS records
  • give a reliable way to route end users to internet applications.
• does not support DHCP, IP routing or caching.
• Requests going to either one of these services will be routed to the nearest edge location automatically in order to lower latency.
• most useful in a disaster recovery situation
  • When have more than one resource performing the same function
  • for example, more than one HTTP server or mail server
    • you can configure Route 53 to check the health of resources and respond to DNS queries using only the healthy resources.
  • For example, suppose the website, example.com, is hosted on six servers, two each in three data centers around the world.
    • You can configure Route 53 to check the health of those servers and to respond to DNS queries for example.com using only the servers that are currently healthy.
    • You can also use Route 53 to switch DNS addresses.
•  Amazon Route 53 effectively connect user requests to ELB, S3, EC2.
• Purpose:
  • To populate external DNS servers with domain/IP address information for the ELB, so that inbound traffic can be load balanced by the ELB between the EC2 instances.