
AWS Networking


Amazon Virtual Private Cloud: Amazon VPC is a virtual network service that lets you launch AWS resources in a logically isolated virtual network that you define, dedicated to your AWS account. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of Amazon. It is the networking layer for Amazon EC2. A VPC spans all of the Availability Zones in the Region. There is no additional charge for using a VPC, but there are charges for some VPC components, such as NAT gateways, Reachability Analyzer, and traffic mirroring. The Amazon VPC console can be accessed at https://console.aws.amazon.com/vpc/.

The following are the key concepts for VPCs:

Virtual private cloud (VPC) — A virtual network dedicated to your Amazon account.

Subnet — A range of IP addresses in your VPC.

Route table — A set of rules, called routes, that are used to determine where network traffic is directed.

Internet gateway — A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.

VPC endpoint — Enables you to privately connect your VPC to supported Amazon services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

CIDR block — Classless Inter-Domain Routing, an IP address allocation and route aggregation methodology.

Internet gateway: An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic. There is no additional charge for having an internet gateway in your account.

Egress-only internet gateway: An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet and prevents the internet from initiating an IPv6 connection with your instances. It is for use with IPv6 traffic only. An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the internet or other AWS services, and then sends the response back to the instances.

NAT gateway: It is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances. NAT Gateway is for use with IPv4 traffic only.

The NAT gateway replaces the source IPv4 address of the instances with the private IP address of the NAT gateway. When sending response traffic to the instances, the NAT device translates the addresses back to the original source IPv4 addresses.
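The address rewriting just described, and the reason an external host cannot open a connection inbound through the gateway, can be seen in a small model. This is an added example, not AWS code: the gateway address, instance addresses and the port-allocation scheme are constructed for illustration, and a real NAT gateway manages its translation table internally.

```python
"""Added example (not AWS code): a toy model of the source NAT a NAT gateway performs.

Addresses, ports and the port-allocation scheme are constructed for illustration; a real
NAT gateway manages its translation table internally and uses its own IP address as the
rewritten source.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

NAT_ADDR = "203.0.113.10"      # constructed: address the gateway sources traffic from
INSTANCE_A = "10.0.1.5"        # constructed: an instance in a private subnet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Rewrites instance sources on the way out and maps replies back; drops unsolicited inbound."""

    def __init__(self, nat_addr: str = NAT_ADDR, first_port: int = 1024):
        self.nat_addr = nat_addr
        self._next_port = first_port
        # nat_port -> (instance_ip, instance_port); one entry per outbound flow
        self._table: dict[int, tuple[str, int]] = {}

    def _port_for(self, inst_ip: str, inst_port: int) -> int:
        for nat_port, inner in self._table.items():
            if inner == (inst_ip, inst_port):
                return nat_port           # flow already mapped; reuse its port
        nat_port = self._next_port
        self._next_port += 1
        self._table[nat_port] = (inst_ip, inst_port)
        return nat_port

    def outbound(self, pkt: Packet) -> Packet:
        """Instance -> internet: the source becomes the gateway's address and an allocated port."""
        nat_port = self._port_for(pkt.src_ip, pkt.src_port)
        return Packet(self.nat_addr, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> instance: forwarded only if the destination port maps to an existing flow."""
        if pkt.dst_ip != self.nat_addr:
            return None
        mapping = self._table.get(pkt.dst_port)
        if mapping is None:
            return None                   # no instance opened this flow, so it is dropped
        inst_ip, inst_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, inst_ip, inst_port)


def demo() -> tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Returns (translated request, reply delivered to the instance, unsolicited inbound result)."""
    gw = NatGateway()
    request = gw.outbound(Packet(INSTANCE_A, 40000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("198.51.100.7", 443, NAT_ADDR, request.src_port))
    unsolicited = gw.inbound(Packet("198.51.100.9", 12345, NAT_ADDR, 2222))
    return request, reply, unsolicited


if __name__ == "__main__":
    req, rep, uns = demo()
    print("outbound after NAT:", req)
    print("reply delivered to:", rep)
    print("unsolicited inbound:", uns)
```

The unsolicited packet is dropped not because of any firewall rule but because no translation entry exists for it; that is the property the text describes, and it is why a NAT gateway alone is not a substitute for security groups or network ACLs on the private subnet.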

Accessing the Network

An AWS VPC can optionally connect to your own corporate data center using an IPsec AWS managed VPN connection, making the AWS Cloud an extension of your data center. When a customer requests data from an application hosted in the AWS Cloud, this request is sent as a packet, a unit of data sent over the internet or a network. It enters a VPC through an internet gateway. Before a packet can enter or exit a subnet, its permissions are checked; these indicate who sent the packet and how the packet is trying to communicate with the resources in the subnet. The VPC component that checks packet permissions for subnets is the network access control list (ACL).

A VPN connection consists of:

Virtual private gateway: It is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection.

Transit Gateways: A transit gateway is a transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. It uses a hub-and-spoke model to let customers connect their on-premises data centers and their Amazon VPCs to a single gateway. Your Site-to-Site VPN connection on a transit gateway can support either IPv4 traffic or IPv6 traffic inside the VPN tunnels. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never travels over the public internet.

Customer Gateway: The customer gateway device is the physical device or software application on your side of the Site-to-Site VPN connection, which you configure to work with that connection. The customer gateway is a resource that you create in AWS to represent the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.

Virtual Private Network: A VPN or Virtual Private Network creates a private, encrypted connection over the public, shared or private network. It provides data protection and privacy by using dedicated connections, traffic encryption or secure, virtual tunneling.

AWS VPN is comprised of two services:

AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC).

AWS Client VPN enables you to securely connect users to AWS or on-premises networks using a VPN software client.

AWS PrivateLink: It provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture. Since traffic between your VPC and any one of these services does not leave the Amazon network, an Internet gateway, NAT device, public IP address, or VPN connection is no longer needed to communicate with the service. To use AWS PrivateLink, create an interface VPC endpoint for a service in your VPC. This creates an Elastic Network Interface (ENI) in your subnet with a private IP address that serves as an entry point for traffic destined to the service. Service endpoints available over AWS PrivateLink will appear as ENIs with private IPs in your VPCs.

A VPC peering connection can be created between your VPCs, or with a VPC in another AWS account, and enable routing of traffic between the VPCs using private IP addresses. You cannot create a VPC peering connection between VPCs that have overlapping CIDR blocks.

Applications in an Amazon VPC can securely access AWS PrivateLink endpoints across VPC peering connections. The support of VPC peering by AWS PrivateLink makes it possible for customers to privately connect to a service even if that service’s endpoint resides in a different Amazon VPC that is connected using VPC peering.

AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections.

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using a private VIF on AWS Direct Connect, you establish a private connection between AWS and your data center, office, or colocation environment. This can increase bandwidth throughput and provide a more consistent network experience than internet-based connections. AWS Direct Connect is compatible with all AWS services accessible over the Internet, and lets you establish 1 Gbps or 10 Gbps dedicated network connections between AWS networks and one of the AWS Direct Connect locations. AWS Direct Connect also supports AWS Transit Gateway, in addition to Site-to-Site VPN connections. With this feature, customers can connect thousands of Amazon VPCs in multiple AWS Regions to their on-premises networks. Pricing is per port-hour consumed for each port type. Data transfer out over AWS Direct Connect is charged per GB. Data transfer IN is $0.00 per GB in all locations.

Setting up AWS Direct Connect:

Decide on an AWS Direct Connect location and connection size.

Create your connection request on the AWS Management Console.

Download the Letter of Authorization (LoA) from the AWS Management Console.

Provide the LoA to an APN Partner and ask them to establish the connection on your behalf.

Configure virtual interfaces to establish network connectivity.

Subnets: A subnet is a section of a VPC in which you can group resources based on security or operational needs. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. In a VPC, subnets can communicate with each other. To protect the AWS resources in each subnet, use security groups and network access control lists (ACL).

There are three types of Subnets:

Public subnet: a subnet whose traffic is routed to an internet gateway.

Private subnet: a subnet that has no route to an internet gateway.

VPN-only subnet: a subnet that has no route to an internet gateway, but whose traffic is routed to a virtual private gateway for a Site-to-Site VPN connection.
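The three subnet types above are defined by what the subnet's route table points at, and the earlier rules on CIDR blocks (a subnet CIDR is a subset of the VPC CIDR; VPCs with overlapping CIDRs cannot be peered) are purely arithmetic, so both can be checked offline before anything is created. The following is an added example written for this page, not AWS code or the AWS CLI: it uses Python's standard `ipaddress` module, and the gateway ids (`igw-EXAMPLE`, `nat-EXAMPLE`, `vgw-EXAMPLE`) and CIDR blocks are constructed placeholders.

```python
"""Added example (not AWS code): validate a VPC layout offline and classify its subnets.

It applies the rules stated above: a subnet CIDR must lie inside the VPC CIDR, subnets
must not overlap one another, two VPCs with overlapping CIDRs cannot be peered, and a
subnet is public, private or VPN-only depending on the gateway its route table points
to. Gateway ids and CIDR blocks are constructed for illustration.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class RouteTable:
    # destination CIDR -> target, e.g. "local", "igw-...", "nat-...", "vgw-..."
    routes: dict[str, str]

    def next_hop(self, dst_ip: str) -> str | None:
        """Most specific (longest prefix) matching route wins; None means no route at all."""
        addr = ipaddress.ip_address(dst_ip)
        best: tuple[ipaddress.IPv4Network, str] | None = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]

    def has_target(self, prefix: str) -> bool:
        return any(t.startswith(prefix) for t in self.routes.values())


@dataclass
class Subnet:
    name: str
    cidr: str
    route_table: RouteTable


def classify(subnet: Subnet) -> str:
    """Public if routed to an internet gateway, VPN-only if only to a virtual private gateway."""
    rt = subnet.route_table
    if rt.has_target("igw-"):
        return "public"
    if rt.has_target("vgw-"):
        return "vpn-only"
    return "private"     # may still reach out through a NAT gateway, but never via an IGW


def validate_vpc(vpc_cidr: str, subnets: list[Subnet]) -> list[str]:
    """Returns a list of problems; an empty list means the layout is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems: list[str] = []
    seen: list[tuple[str, ipaddress.IPv4Network]] = []
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{s.name}: {s.cidr} is not inside the VPC block {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s.name}: {s.cidr} overlaps {other_name} ({other})")
        seen.append((s.name, net))
    return problems


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """VPC peering is refused when the two VPC CIDR blocks overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


# Constructed layout: one VPC, three well-formed subnets and two deliberately broken ones.
VPC_CIDR = "10.0.0.0/16"
LOCAL = {VPC_CIDR: "local"}
SUBNETS = [
    Subnet("web", "10.0.1.0/24", RouteTable({**LOCAL, "0.0.0.0/0": "igw-EXAMPLE"})),
    Subnet("app", "10.0.2.0/24", RouteTable({**LOCAL, "0.0.0.0/0": "nat-EXAMPLE"})),
    Subnet("corp", "10.0.3.0/24", RouteTable({**LOCAL, "192.168.0.0/16": "vgw-EXAMPLE"})),
]
BROKEN = SUBNETS + [
    Subnet("stray", "10.1.0.0/24", RouteTable(LOCAL)),        # outside the VPC block
    Subnet("clash", "10.0.1.128/25", RouteTable(LOCAL)),      # overlaps "web"
]

if __name__ == "__main__":
    for s in SUBNETS:
        print(f"{s.name:5} {s.cidr:15} {classify(s)}")
    print(validate_vpc(VPC_CIDR, BROKEN))
    print("peer 10.0.0.0/16 with 10.0.0.0/24:", can_peer(VPC_CIDR, "10.0.0.0/24"))
```

`next_hop` is the longest-prefix match a route table performs: the `local` route for the VPC block beats the `0.0.0.0/0` default, so intra-VPC traffic never leaves through the gateway. `classify` deliberately keys on the gateway type rather than on the presence of a default route, because a VPN-only subnet may route only specific on-premises prefixes to the virtual private gateway.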

Network access control list (ACL): It is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.

You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

You can associate a network ACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.

A network ACL contains a numbered list of rules. The rules are evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766. AWS recommends that you start by creating rules in increments (for example, increments of 10 or 100) so that you can insert new rules where you need to later on.

A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.

Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

By default, your account’s default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules. For custom network ACLs, all inbound and outbound traffic is denied until you add rules to specify which traffic should be allowed. Additionally, all network ACLs have an explicit deny rule. This rule ensures that if a packet doesn’t match any of the other rules on the list, the packet is denied.

Security Groups: A security group is a virtual firewall for EC2 instances. It has separate inbound and outbound security rules, and by default all inbound traffic to the instances it is attached to is blocked.

Difference between Network ACLs and Security Groups

| Network ACLs | Security Groups |
| --- | --- |
| Supports both allow and deny rules. A custom network ACL denies all traffic until you add rules, each of which can either allow or deny. | Supports allow rules only; all traffic is denied unless a rule allows it. You cannot write a deny rule. |
| Stateless: a rule allowing incoming traffic does not automatically allow the corresponding outgoing traffic, and vice versa. | Stateful: traffic allowed in one direction automatically has its response traffic allowed in the other direction. |
| Associated with a subnet. | Associated with an EC2 instance. |
| Rules are evaluated in order, starting from the lowest number. | All rules are evaluated before deciding whether to allow the traffic. |
| Applies automatically to every instance in the subnets it is associated with. | Must be explicitly assigned to an instance; it is not associated with a subnet. |
| The second layer of defense, helping to protect the AWS stack. | The first layer of defense, helping to protect the AWS infrastructure. |
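The differences in the table, and the rule-evaluation order and implicit deny described for network ACLs above, are easiest to see by modelling both evaluators side by side. This is an added example for this page, not AWS code: the rule numbers, ports and address ranges are constructed, and the connection tracking is a deliberately simplified stand-in for what the platform does.

```python
"""Added example (not AWS code): an evaluator modelling the rule semantics described above.

NetworkAcl: numbered allow/deny rules, evaluated lowest number first, stateless, ending in
the implicit deny ('*'). SecurityGroup: allow-only rules, any match allows, stateful, so the
reply to an allowed flow passes without a rule in the other direction. Rule numbers, ports
and addresses are constructed for illustration.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str     # "in" (toward the instance or subnet) or "out" (away from it)
    remote_ip: str
    remote_port: int
    protocol: str      # "tcp" or "udp"
    local_port: int

    @property
    def dst_port(self) -> int:
        """Rules are written against a packet's destination port."""
        return self.local_port if self.direction == "in" else self.remote_port

    def conn_key(self) -> tuple[str, int, str, int]:
        return (self.remote_ip, self.remote_port, self.protocol, self.local_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"
    number: int = 0    # network ACL rule number; unused for security groups

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction
                and self.protocol in ("all", f.protocol)
                and self.port_from <= f.dst_port <= self.port_to
                and ipaddress.ip_address(f.remote_ip) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless: every packet, replies included, must match a rule in its own direction."""

    def __init__(self, rules: list[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def decide(self, f: Flow) -> tuple[str, int | None]:
        for r in self.rules:              # lowest number first; the first match wins
            if r.matches(f):
                return r.action, r.number
        return "deny", None               # the '*' rule every network ACL ends with


class SecurityGroup:
    """Stateful and allow-only: any matching rule allows, and allowed flows are tracked."""

    def __init__(self, rules: list[Rule]):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot contain deny rules")
        self.rules = rules
        self._tracked: set[tuple[str, int, str, int]] = set()

    def decide(self, f: Flow) -> str:
        if f.conn_key() in self._tracked:
            return "allow"                # reply to a flow already allowed the other way
        if any(r.matches(f) for r in self.rules):
            self._tracked.add(f.conn_key())
            return "allow"
        return "deny"


# Constructed policy: allow SSH except from one blocked range, and HTTPS from anywhere.
ACL_INBOUND = [
    Rule("in", "tcp", 22, 22, "198.51.100.0/24", "deny", number=90),
    Rule("in", "tcp", 22, 22, "0.0.0.0/0", "allow", number=100),
    Rule("in", "tcp", 443, 443, "0.0.0.0/0", "allow", number=110),
]
ACL_EPHEMERAL_OUT = [Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", "allow", number=100)]
SG_RULES = [Rule("in", "tcp", 443, 443, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    acl = NetworkAcl(ACL_INBOUND + ACL_EPHEMERAL_OUT)
    print(acl.decide(Flow("in", "198.51.100.7", 51515, "tcp", 22)))  # ('deny', 90)
    sg = SecurityGroup(SG_RULES)
    print(sg.decide(Flow("in", "192.0.2.9", 40000, "tcp", 443)),
          sg.decide(Flow("out", "192.0.2.9", 40000, "tcp", 443)))  # allow allow
```

Two points the model makes concrete: the deny at rule 90 wins over the broader allow at rule 100 only because its number is lower, so reordering the numbers would silently reverse the policy; and a network ACL with inbound rules but no outbound rule for the ephemeral port range drops every reply, which is the practical consequence of statelessness and a common cause of "allowed but not working" traffic.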

Amazon Route 53: It is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well. It connects user requests to infrastructure running in AWS (such as Amazon EC2 instances and load balancers) and can also route users to infrastructure outside of AWS. Route 53 takes its name from port 53, which carries DNS over both TCP and UDP. Route 53 is an authoritative DNS service, which holds the mapping of domain names to IP addresses.

It can be used to perform three main functions:

Domain Registration: Route 53 lets you register a name for your website or web application, known as a domain name. You can also transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location.

DNS Routing: When a user opens a web browser and enters your domain name (example.com) or subdomain name (acme.example.com) in the address bar, Route 53 helps connect the browser with your website or web application. It uses a variety of routing types, including Latency Based Routing, Geo DNS, Geoproximity, and Weighted Round Robin—all of which can be combined with DNS Failover in order to enable a variety of low-latency, fault-tolerant architectures.

Health Checking: Route 53 sends automated requests over the internet to a resource, such as a web server, to verify that it’s reachable, available, and functional. You also can choose to receive notifications when a resource becomes unavailable and choose to route internet traffic away from unhealthy resources.

Amazon CloudFront: Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. The server from which Amazon CloudFront gets your files is known as the origin. CloudFront offers advanced security capabilities, including field-level encryption and HTTPS support, seamlessly integrated with AWS Shield, AWS Web Application Firewall and Amazon Route 53 to protect against multiple types of attacks, including network and application layer DDoS attacks. These services co-reside at edge networking locations, globally scaled and connected via the AWS network backbone, providing a more secure, performant, and available experience for your users.

It delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so that content is delivered with the best possible performance.

If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.

If the content is not in that edge location, CloudFront retrieves it from an origin that you’ve defined.

For more content visit our website- https://www.techclick.in
