Module 5: Networking and Content Delivery

Section 1: Networking basics

Networks

• A network can be partitionned into subnets
• Requires a networking device (router/switch)

IP addresses

• Unique number assigned to a machine
• Four decimal number separated by dots
• Each number is 8 bits max (between 0 and 255)
  $\to$ total = 32 bits

IPv4 and IPv6 addresses

• IPv4 (32-bit) address: 192.0.2.0
• IPv6 (128-bit) address: 2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF
  • Adapt to more user
  • Each column is 16 bits (0 to FFFF)

Classless Inter-Domain Routing (CIDR)

• It's followed by a '/' character
  • The numer after is how many bits of the routing prefix must be steady
• Express a group of addresses

Open Systems Interconnection (OSI) model

Section 2: Amazon VPC

Amazon VPC

• Private space in Amazon Cloud
• Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
• Gives you control over your virtual networking resources
  • Selection of IP address range
  • Creation of subnets
  • Configuration of route tables and network gateways
• Enables you to customize the network configuration for your VPC
• Enables you to use multiples layers of security
• Can use IPv4 and IPv6

VPCs and subnets

• VPCs:
  • Logically isolated from other VPCs
  • Dedicated to your AWS account
  • Belong to a single AWS Region and can span multiple Availability Zones
• Subnets:
  • Range of IP addresses that divide a VPC
  • Belong to a single Availability Zone
  • Classified as public or private
  • Do not have a direct access to internet

IP addressing

• When you create a VPC, you assign it to an IPv4 CIDR block (range of private IPv4 addresses)
• You cannot change the address raneg after you create the VPC
• The largest IPv4 CIDR block size is /16
• The smallest IPv4 CIDR block size /28
• IPv6 is also supported (with a different block size limit)
• CIDR blocks of subnet cannot overlap

Reserved IP addresses

Example: A VPC with an PIv4 CIDR block of 10.0.0.0/16 has 65,636 total IP addresses. The VPC has four equal-sized subnets. Only 251 IP addresses are available for use by each subnet.

Public IP address type

Elastic network interface

• Its attributes follow when it is reached to a new instance
• Each instance in your VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC

Route tables and routes

• Each route specifies a destination and a target
• By default, every route table contains a local route for communication within the VPC
• Each subnet must be associated with a route table (at most one)

Section 3: VPC networking

Internet gateway

Two purposes:

1. Provide a target in your VPC route tables for internet traffic
2. Perform network address translations for intances that were assigned public PIv4 addresses

To make a subnet public, you attach an internet gateway to your VPC and add a route entry to the route table.

To create a NAT Gateway:

• Must specify the public subnet in which NAT gateway should live
• Must specify an elastic IP address to associate with the NAT gateway

After NAT gateway is created:

• Update the private subnet route table

Can use a NAT instance in a public subnet in your VPC

VPC sharing

VPC peering

You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions

Restrictions:

• IP spaces cannot overlap
• Transitive peering is not supported
• You can only have one peering resource between the same 2 VPCs.

AWS Site-to-Site VPN

• By default, Amazon VPC cannot communicate with your own remote network
• enable by
  • attaching a virtual private gateway to the VPC
  • creating a custom route table
  • updating security group rule
  • creating an AWS site-to-site VPN connection
  • configuring routing

AWS Direct Connect

• AWS direct connect
  • dedicated private connection between your network and one of the direct connect locations
  • uses open standard 802.1q virtual local area networks

VPC endpoints

AWS PrivateLink:

• Requires VPC interface endpoint
• Private connectivity between 2 VPCs, AWS services and on-premises app

Two types of endpoints:

• Gateway endpoints (Amazon S3 and Amazon DynamoDB)
• Interface endpoints (powered by AWS PrivateLink)

AWS Transit Gateway

Section 4: VPC security

Security groups

• Security groups have rules to manage instance traffic
• Default security groups are sealed shut to inbound traffic. we need to define rules.
• Security groups are stateful. The outbound traffic is always allowed.

Network access control lists (network ACLs)

• One-to-one relationship with subnet
• A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
• Default network ACLs allow all inbound and outbound IPv4 traffic
• Network ACLs are stateless

Security groups versus network ACLs

Section 5: Amazon Route 53

DNS resolution

Route 53

• Is highly available and scalable Domain Name System (DNS) web service
• Is used to route end users to internet applications by transalting names into numeric IP addresses
• Is fully compliant with IPv4 and IPv6
• Connects user requests to infrastructure running in AWS and also outside of AWS
• Is used to check the health of your resources
• Features traffic flow
• enables you to register domain name

Supported routing

• Simple routing
  • Use in single-server environments
• Weighted routing
  • Assign wights to resource record sets to specify the frequency
• Latency routing
  • Help improve your global app
• Geolocation routing
  • Route traffic based on location of your users
• Geoproximity routing
  • Route traffic based on locations of your resources
• Failover routing
  • Fail over to a backup site if your primary site becomes unreachable
• Multivalue answer routing
  • Respond to DNS queries with up to eight healthy records selected at random

Use case: Multi-region deployement

DNS failover

Improve the availablity of your applications that run on AWS by:

• Configuring backup and failover scenarios for your own app
• Enabling highly available multi-region architectures on AWS
• Creating health check

DNS failover for a multi-tiered web app

Section 6 Amazon CloudFront

Content delivery and network latency

Amazon CloudFront

• Fast, global and secure CDN service
• Global, network of edge locations and Regional edge caches
• Self-service model
• Pay-as-you-go pricing

Infrastructure

When a customer makes a demand, CloudFront respond with the IP address of the edge location closest to the customer. CloudFront obtains the data and copies it to the edge location.

• Edge locations
  • Network of data centers that Cloudfronts uses to serve popular content quickly to customer
• Regional edge cach
  • CloudFront location that caches content that is not popular enough to stay at an edge location. It is located between the origin server and the global edge location
  • When data become stale, it is removed from the cache of the edge location

Wrap-up

Which AWS networking service enables a company to create a virtual network within AWS?

1. AWS Config
2. Amazon Route 53
3. AWS Direct Connect
4. Amazon VPC