# Module 5: Networking and Content Delivery
# Section 1: Networking basics
## Networks
:::info
A computer network is two or more machines connected together so that they can exchange data
:::
* A network can be partitioned into subnets
* Requires a networking device (router/switch)
![](https://i.imgur.com/NImuVRm.png)
## IP addresses
:::info
Each machine on the network has a unique **Internet Protocol (IP) address** assigned to it
:::
* Unique number assigned to a machine (interface)
* IPv4: four decimal numbers separated by dots (dotted-quad notation)
* Each number is 8 bits (between 0 and 255) $\rightarrow$ total = 32 bits
### IPv4 and IPv6 addresses
* IPv4 (32-bit) address: 192.0.2.0
* IPv6 (128-bit) address: 2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF
* IPv6 provides a far larger address space to accommodate more devices
* Each colon-separated group is 16 bits (0000 to FFFF); eight groups make the 128-bit address
## Classless Inter-Domain Routing (CIDR)
:::info
A CIDR block is expressed as an IP address (the first address of the network) followed by a prefix length.
:::
* The address is followed by a '/' character
* The number after the '/' (the prefix length) is how many leading bits of the address are fixed (the routing prefix); the remaining bits vary across the hosts in the block
* A CIDR block therefore expresses a group of addresses: /24 leaves 8 host bits, so 256 addresses; /16 leaves 16 host bits, so 65,536 addresses
![](https://i.imgur.com/lac9fP6.png)
## Open Systems Interconnection (OSI) model
![](https://i.imgur.com/AP0iEee.png)
# Section 2: Amazon VPC
## Amazon VPC
* Private network space in the AWS Cloud
* Enables you to provision a **logically isolated** section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
* Gives you **control over your virtual networking resources**:
  * Selection of the IP address range
  * Creation of subnets
  * Configuration of route tables and network gateways
* Enables you to **customize the network configuration** for your VPC
* Enables you to use **multiple layers of security** (security groups and network ACLs)
* Supports both IPv4 and IPv6
## VPCs and subnets
* VPCs:
  * **Logically isolated** from other VPCs
  * **Dedicated** to your AWS account
  * Belong to a single **AWS Region** and can span multiple Availability Zones
* Subnets:
  * **Range of IP addresses** that divides a VPC
  * Belong to a single **Availability Zone**
  * Classified as **public** or **private**: a public subnet has a route to an internet gateway, a private subnet does not have direct access to the internet
![](https://i.imgur.com/atZysyS.png)
## IP addressing
* When you create a VPC, you assign it an IPv4 **CIDR block** (normally a range of *private* RFC 1918 IPv4 addresses)
* You **cannot change the primary address range** after you create the VPC (you can add secondary CIDR blocks)
* The *largest* IPv4 CIDR block size is /16 (65,536 addresses)
* The *smallest* IPv4 CIDR block size is /28 (16 addresses)
* IPv6 is also supported (with a different, fixed block size)
* The CIDR blocks of subnets within a VPC **cannot overlap**
![](https://i.imgur.com/DPfpVkg.png)
## Reserved IP addresses
Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses. The VPC has four equal-sized /24 subnets (256 addresses each). AWS reserves the first four addresses and the last address of every subnet (network address, VPC router, DNS resolver, reserved for future use, and broadcast), so only 251 IP addresses are available for use in each subnet.
![](https://i.imgur.com/b0bQIIZ.png)
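The CIDR notation from Section 1 and the VPC sizing and reserved-address rules above, worked through in code. This is an added example, not code from the original notes or from AWS; the VPC and subnet blocks it uses are made-up sample values, and it relies only on Python's standard library.

```python
"""Added example (not from the original notes): CIDR arithmetic and VPC subnet
planning with Python's standard-library ipaddress module.

Assumptions: the VPC and subnet blocks used in __main__ are made-up sample
values. The /16-/28 VPC size limits and the five reserved addresses per subnet
are AWS's documented rules."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5              # first 4 addresses + last address of every subnet
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # /16 is the largest VPC block, /28 the smallest


def describe_cidr(cidr):
    """Split a CIDR block into prefix, mask, host bits and address range."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    return {
        "network": str(net.network_address),
        "prefix_len": net.prefixlen,
        "netmask": str(net.netmask),
        "host_bits": net.max_prefixlen - net.prefixlen,  # bits that vary per host
        "num_addresses": net.num_addresses,               # 2 ** host_bits
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def is_valid_vpc_cidr(cidr):
    """AWS accepts an IPv4 VPC block only between /16 and /28 (inclusive)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:              # malformed, or host bits set (e.g. 10.0.0.1/24)
        return False
    return net.version == 4 and VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def reserved_addresses(subnet_cidr):
    """The five addresses AWS withholds in each subnet: network address, VPC
    router, DNS resolver, reserved for future use, and broadcast."""
    net = ipaddress.ip_network(subnet_cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_addresses(subnet_cidr):
    """Addresses an instance can actually receive: total minus the reserved five."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnet_prefix, count):
    """Carve `count` equal-sized /subnet_prefix subnets out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))[:count]
    if len(subnets) < count:
        raise ValueError("VPC block is too small for that many subnets")
    return [str(s) for s in subnets]


def subnets_overlap(cidrs):
    """AWS rejects a new subnet whose block overlaps an existing subnet."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    print(describe_cidr("10.0.0.0/16"))          # 65,536 addresses, 16 host bits
    subs = plan_subnets("10.0.0.0/16", 24, 4)    # the four /24 subnets from the example
    for s in subs:
        print(s, "usable:", usable_addresses(s), "reserved:", reserved_addresses(s))
    print("valid VPC block 10.0.0.0/8?", is_valid_vpc_cidr("10.0.0.0/8"))
    print("overlap?", subnets_overlap(subs + ["10.0.1.128/25"]))
```

Running it reproduces the figure in the example above: each /24 subnet yields 251 usable addresses once the five reserved ones are removed, a /8 is rejected as a VPC block, and a proposed 10.0.1.128/25 subnet is refused because it overlaps 10.0.1.0/24.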
## Public IP address type
|Public IPv4 address|Elastic IP address|
|-|-|
|Manually assigned through an Elastic IP address|Associated with an AWS account|
|Automatically assigned through the auto-assign public IP address setting at the subnet level|Can be allocated and remapped at any time|
||Additional costs might apply|
## Elastic network interface
:::info
An elastic network interface is a **virtual network interface** that you can
* Attach to an instance
* Detach from the instance and attach to another instance to redirect network traffic
:::
* Its *attributes follow* it when it is reattached to a new instance
* Each instance in your VPC has a **default network interface** that is assigned a private IPv4 address from the IPv4 address range of your VPC
![](https://i.imgur.com/e1IaVct.png)
## Route tables and routes
:::info
A **route table** contains a set of rules (or routes) that **you can configure** to direct network traffic from your subnet.
:::
* Each *route* specifies a destination and a target
* By default, every route table contains a *local route* for communication within the VPC
* Each *subnet must be associated with exactly one route table* (one route table can serve many subnets); a subnet without an explicit association uses the VPC's main route table
![](https://i.imgur.com/EQQb45J.png)
# Section 3: VPC networking
## Internet gateway
:::info
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the public internet.
![](https://i.imgur.com/JxzJGQC.png)
:::
Two purposes:
1. Provide a target in your VPC route tables for internet traffic
2. Perform network address translation for instances that were assigned public IPv4 addresses
To make a subnet public, you attach an internet gateway to your VPC and add a route (destination 0.0.0.0/0, target the internet gateway) to the subnet's route table.
:::info
A Network Address Translation (NAT) gateway enables instances in a private subnet to initiate connections to the public internet, while preventing the internet from initiating connections to those instances.
![](https://i.imgur.com/haOGaoN.png)
:::
To create a NAT gateway:
* Specify the public subnet in which the NAT gateway should live
* Specify an Elastic IP address to associate with the NAT gateway
After the NAT gateway is created:
* Update the private subnet's route table so that internet-bound traffic (0.0.0.0/0) targets the NAT gateway
Alternatively, you can run a self-managed NAT instance in a public subnet of your VPC
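How the route tables from Section 2 and the internet gateway and NAT gateway described above fit together, as an added example (not the page's own code, and not an AWS API): a toy longest-prefix-match lookup over three sample route tables, one public, one private with a NAT gateway and a peering route, one isolated. All CIDRs and target IDs such as igw-0123abcd are made-up sample values.

```python
"""Added example (not the page's own code): a toy VPC route-table lookup
showing how the local, internet-gateway, NAT-gateway and peering routes
interact. Assumptions: the CIDRs and target IDs (igw-..., nat-..., pcx-...)
are made-up sample values."""
import ipaddress

# Sample tables, as the notes describe them. Every table starts with the
# VPC's local route; what you add as the 0.0.0.0/0 target decides whether the
# subnet is public (internet gateway), private (NAT gateway) or isolated.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0123abcd")]
PRIVATE_ROUTE_TABLE = [
    (VPC_CIDR, "local"),
    ("10.1.0.0/16", "pcx-0789abcd"),   # peered VPC: its block must not overlap ours
    ("0.0.0.0/0", "nat-0456ef01"),     # NAT gateway that lives in a public subnet
]
ISOLATED_ROUTE_TABLE = [(VPC_CIDR, "local")]  # what a brand-new route table contains


def select_route(route_table, dst_ip):
    """Pick the target for dst_ip by longest-prefix match: the most specific
    route wins, so the /16 local route beats 0.0.0.0/0 for in-VPC traffic.
    Returns None when nothing matches, i.e. the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def is_public_subnet(route_table):
    """The notes' definition: a subnet is public when internet-bound traffic
    is routed to an internet gateway (instances there still need a public IP)."""
    target = select_route(route_table, "198.51.100.7")  # any internet address (TEST-NET-2)
    return target is not None and target.startswith("igw-")


def can_initiate_to_internet(route_table):
    """Outbound internet access exists through either an IGW or a NAT gateway;
    only the IGW case also lets the internet initiate connections inward."""
    target = select_route(route_table, "198.51.100.7")
    return target is not None and target.split("-")[0] in ("igw", "nat")


if __name__ == "__main__":
    tables = [("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE),
              ("isolated", ISOLATED_ROUTE_TABLE)]
    for name, table in tables:
        print(name, "-> 10.0.1.25:", select_route(table, "10.0.1.25"),
              "| -> 10.1.3.4:", select_route(table, "10.1.3.4"),
              "| -> internet:", select_route(table, "198.51.100.7"),
              "| public?", is_public_subnet(table))
```

The point to notice is the ordering: the local route and the 0.0.0.0/0 route both match a packet for 10.0.1.25, but the /16 is more specific, so intra-VPC traffic never leaves through the gateway. Removing the 0.0.0.0/0 entry (the isolated table) silently drops internet-bound packets rather than routing them anywhere.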
## VPC sharing
:::info
Enables customers to share subnets with other AWS accounts (participants) in the same AWS Organizations organization.
![](https://i.imgur.com/NxITvy9.png)
:::
## VPC peering
:::info
Enables you to privately route traffic between two VPCs using private IP addresses.
![](https://i.imgur.com/kzCYnwf.png)
:::
You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions
Restrictions:
* The CIDR blocks of the two VPCs cannot overlap
* Transitive peering is not supported: peering A with B and B with C does not let A reach C
* You can have only one peering connection between the same two VPCs
## AWS Site-to-Site VPN
![](https://i.imgur.com/QWjC04U.png)
* By default, instances in an Amazon VPC cannot communicate with your own remote network
* Enable it by:
  * Attaching a virtual private gateway to the VPC
  * Creating a custom route table
  * Updating security group rules
  * Creating an AWS Site-to-Site VPN connection
  * Configuring routing
## AWS Direct Connect
![](https://i.imgur.com/M1hg5US.png)
:::warning
Performance can be negatively affected if your data center is located far away from your AWS region
:::
* AWS Direct Connect:
  * Dedicated private connection between your network and one of the Direct Connect locations
  * Uses open-standard 802.1Q VLANs
## VPC endpoints
:::info
A VPC endpoint is a virtual device that enables you to privately connect your VPC to supported AWS Regional services without an internet gateway, NAT device, VPN connection, or Direct Connect connection
![](https://i.imgur.com/RpTArF0.png)
![](https://i.imgur.com/CyzEF9X.png)
:::
**AWS PrivateLink**:
* Requires a VPC interface endpoint
* Provides private connectivity between VPCs, AWS services, and on-premises applications
Two types of endpoints:
* **Gateway** endpoints (Amazon S3 and Amazon DynamoDB): added as a target in a route table
* **Interface** endpoints (powered by AWS PrivateLink): an elastic network interface with a private IP address in your subnet
## AWS Transit Gateway
:::info
A transit gateway is a network transit hub that you use to interconnect your VPCs and on-premises network.
:::
![](https://i.imgur.com/V7Pdyp7.png)
# Section 4: VPC security
## Security groups
:::info
A security group acts as a virtual firewall that controls inbound and outbound traffic to and from your instance.
![](https://i.imgur.com/wimOiSl.png)
:::
* Security groups have **rules** to manage instance traffic
* A newly created security group has no inbound rules, so **all inbound traffic is denied** until you add allow rules (the default outbound rule allows all outbound traffic, and it can be removed)
* Security groups are **stateful**: return traffic for a connection that was allowed in one direction is automatically allowed in the other, regardless of the rules
![](https://i.imgur.com/5hQ6RES.png)
## Network access control lists (network ACLs)
:::info
Act at the subnet level.
:::
![](https://i.imgur.com/79ohyY5.png)
* Each subnet is associated with exactly one network ACL (one network ACL can be associated with many subnets); a subnet without an explicit association uses the VPC's default network ACL
* A network ACL has **separate inbound and outbound rules**, and each rule can either **allow or deny traffic**
* The **default** network ACL **allows** all inbound and outbound IPv4 traffic (a custom network ACL denies everything until you add rules)
* Network ACLs are **stateless**: return traffic must be explicitly allowed, typically by allowing the ephemeral port range
![](https://i.imgur.com/4UPrnws.png)
## Security groups versus network ACLs
|Attribute|Security Groups|Network ACLs|
|-|-|-|
|Scope|Instance level|Subnet level|
|Supported Rules|Allow rules only|Allow and deny rules|
|State|Stateful (return traffic is automatically allowed, regardless of rules)|Stateless (return traffic must be explicitly allowed by rules)|
|Order of Rules|All rules are evaluated before the decision to allow traffic|Rules are evaluated in number order (lowest first); the first matching rule decides|
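The comparison table above in executable form, as an added example (not from the original notes and not an AWS API): a small simulator that evaluates the same HTTPS request and its reply against a stateful security group and against several stateless, numbered network ACLs. All rules, addresses and ports are made-up sample values.

```python
"""Added example (not from the original notes): a small simulator contrasting
a stateful security group with a stateless, ordered network ACL. All rules,
addresses and ports below are made-up sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    direction: str  # "in" or "out", relative to the instance / subnet


def _matches(rule, pkt):
    """Rules name the remote CIDR and the destination port range, as in the console."""
    remote = ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)
    lo, hi = rule["ports"]
    return (rule["direction"] == pkt.direction
            and rule["proto"] in ("all", pkt.proto)
            and remote in ipaddress.ip_network(rule["cidr"])
            and lo <= pkt.dst_port <= hi)


def _flow_key(pkt):
    """Normalise both directions of one connection to the same tuple."""
    if pkt.direction == "in":
        return (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
    return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)


class SecurityGroup:
    """Allow rules only, every rule checked, stateful via connection tracking."""

    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()

    def evaluate(self, pkt):
        if _flow_key(pkt) in self.tracked:   # reply to an already-allowed flow
            return "allow"
        if any(_matches(r, pkt) for r in self.rules):
            self.tracked.add(_flow_key(pkt))
            return "allow"
        return "deny"                        # no allow rule matched (implicit deny)


class NetworkACL:
    """Numbered allow/deny rules, lowest number first, first match wins, no state."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])

    def evaluate(self, pkt):
        for r in self.rules:
            if _matches(r, pkt):
                return r["action"]
        return "deny"                        # the implicit '*' catch-all rule


def acl_rule(num, direction, proto, cidr, ports, action):
    return {"num": num, "direction": direction, "proto": proto,
            "cidr": cidr, "ports": ports, "action": action}


# Constructed traffic: an HTTPS request from an internet client and the server's reply
CLIENT, CLIENT_PORT, SERVER = "203.0.113.10", 50000, "10.0.1.25"
REQUEST = Packet(CLIENT, CLIENT_PORT, SERVER, 443, "tcp", "in")
REPLY = Packet(SERVER, 443, CLIENT, CLIENT_PORT, "tcp", "out")

ANY = "0.0.0.0/0"
# Security group with ONLY an inbound 443 rule and no outbound rule at all
WEB_SG = SecurityGroup([{"direction": "in", "proto": "tcp", "cidr": ANY, "ports": (443, 443)}])
ACL_FORGOT_EPHEMERAL = NetworkACL([acl_rule(100, "in", "tcp", ANY, (443, 443), "allow"),
                                   acl_rule(100, "out", "tcp", ANY, (443, 443), "allow")])  # reply goes to port 50000
ACL_FIXED = NetworkACL([acl_rule(100, "in", "tcp", ANY, (443, 443), "allow"),
                        acl_rule(100, "out", "tcp", ANY, (1024, 65535), "allow")])  # ephemeral ports for replies
ACL_DENY_FIRST = NetworkACL([acl_rule(90, "in", "tcp", "203.0.113.0/24", (443, 443), "deny"),  # before rule 100
                             acl_rule(100, "in", "tcp", ANY, (443, 443), "allow")])
ACL_DENY_TOO_LATE = NetworkACL([acl_rule(100, "in", "tcp", ANY, (443, 443), "allow"),
                                acl_rule(110, "in", "tcp", "203.0.113.0/24", (443, 443), "deny")])  # never reached


def run_scenarios():
    """Evaluate the request/reply pair against each filter; order matters for the SG."""
    return {
        "sg_request": WEB_SG.evaluate(REQUEST),
        "sg_reply": WEB_SG.evaluate(REPLY),                # no outbound rule, still allowed
        "acl_forgot_reply": ACL_FORGOT_EPHEMERAL.evaluate(REPLY),
        "acl_fixed_reply": ACL_FIXED.evaluate(REPLY),
        "acl_deny_first": ACL_DENY_FIRST.evaluate(REQUEST),
        "acl_deny_too_late": ACL_DENY_TOO_LATE.evaluate(REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Two failure modes from the table show up directly: a network ACL that allows inbound 443 but forgets the outbound ephemeral range (1024-65535) silently breaks every HTTPS session, and a deny rule numbered after the matching allow rule never takes effect because evaluation stops at the first match.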
# Section 5: Amazon Route 53
## DNS resolution
:::info
It is the process of translating a domain name into the corresponding IP address.
:::
![](https://i.imgur.com/EtzMl2N.png)
## Route 53
* Is a highly available and scalable Domain Name System (DNS) web service
* Is used to route end users to internet applications by translating names into numeric IP addresses
* Fully supports both IPv4 and IPv6
* Connects user requests to infrastructure running in AWS and also outside of AWS
* Can be used to check the health of your resources
* Features Traffic Flow (a visual editor for routing policies)
* Enables you to register domain names
## Supported routing
* Simple routing
  * Use in single-server environments
* Weighted routing
  * Assign weights to resource record sets to specify how often each one is returned
* Latency routing
  * Route users to the Region that gives them the lowest latency, to improve a global application
* Geolocation routing
  * Route traffic based on the location of your users
* Geoproximity routing
  * Route traffic based on the location of your resources
* Failover routing
  * Fail over to a backup site if your primary site becomes unreachable
* Multivalue answer routing
  * Respond to DNS queries with up to eight healthy records selected at random
## Use case: Multi-Region deployment
![](https://i.imgur.com/gjoo5oT.png)
## DNS failover
Improve the availability of your applications that run on AWS by:
* Configuring backup and failover scenarios for your own application
* Enabling highly available multi-Region architectures on AWS
* Creating health checks
### DNS failover for a multi-tiered web app
![](https://i.imgur.com/CjVPnuo.png)
# Section 6: Amazon CloudFront
## Content delivery and network latency
:::danger
Challenge of network communication: network performance.
:::
:::warning
Latency grows with the geographical distance between the user and the server that holds the content.
:::
## Amazon CloudFront
* Fast, global, and secure content delivery network (CDN) service
* Global network of edge locations and Regional edge caches
* Self-service model
* Pay-as-you-go pricing
## Infrastructure
When a user requests content, DNS routes the request to the edge location that can best serve it (typically the one closest to the user). If the object is not already cached there, CloudFront fetches it from the origin (or from a Regional edge cache) and keeps a copy at the edge location.
* **Edge locations**
  * Network of data centers that CloudFront uses to serve popular content quickly to users
* **Regional edge caches**
  * CloudFront locations that cache content that is not popular enough to stay at an edge location; they sit between the origin server and the global edge locations
* When cached content becomes stale (its time to live expires), it is removed from the edge location's cache
# Wrap-up
Which AWS networking service enables a company to create a virtual network within AWS?
1. AWS Config
2. Amazon Route 53
3. AWS Direct Connect
4. Amazon VPC
:::spoiler Answer
Keywords:
* AWS networking service
* Create a virtual network
Answer: 4 (Amazon VPC).
:::