Networking Basics
Network → Two or more computers connected so they can communicate. Can be logically partitioned into subnets.
A networking device is needed to connect them → Router or Switch.
IPs → Unique addresses on the internet:
- IPv4 → 32 bits (4 groups of 8 bits separated by “.”)
- IPv6 → 128 bits (8 groups of 16 bits separated by “:”)
OSI Model
Classless Inter-Domain Routing (CIDR) → X.X.X.X/Y (Y bits of network, 32-Y bits of host)
Amazon Virtual Private Cloud (VPC)
Lets you provision logically isolated sections of the AWS Cloud, where you control:
- IP Address Range (IPv4/IPv6) → Cannot change after created. Cannot disable IPv4.
- Subnets (public/private).
- Route Tables and Network Gateways.
VPCs → Virtual network, a logically isolated section of the AWS cloud (isolated from other VPCs). Default limit: 5 VPCs per account, per region.
- Dedicated to account.
- Located in single region and can span multiple AZs.
- Can be shared with VPC Sharing between users of same organization.
Reserved IP addresses (per subnet)
Components
Subnets → Isolated segment of the VPC’s IP addressing.
- Range of IP addresses inside VPC, segment or partition.
- Located in single AZ.
- Public → Attach Internet Gateway + Route Table to make it public.
- Private → No record for Internet Gateway in Route Table.
- Subnets are not isolation boundaries inside the VPC, just sections of its address space.
- IP Addressing → Minimum subnet /28, maximum subnet /16 (IPv4) (⚠️).
- ❌ CIDR blocks cannot overlap.
- AWS reserves 5 IP addresses per subnet (first 4 addresses + last one).
- Elastic IP Address → Designed for dynamic cloud computing.
- Static and public IP address.
- Associated with AWS account.
- Can be mapped to an instance; if the instance fails, the address can be remapped to another instance.
- You can bring your own IP (BYOIP) for IP reputation, whitelisting, hardcoded dependencies, regulation & compliance, and networking policy.
- Non-default VPC needs to enable DNS resolution and DNS hostnames to get a public DNS hostname.
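As an added example that is not part of the original notes, the snippet below applies the subnet rules listed above with Python's standard `ipaddress` module: it computes the five addresses AWS reserves in an IPv4 subnet (the first four plus the last one), the resulting usable host count, and checks that a proposed subnet is IPv4, sits within the /16 to /28 limits, and lies inside the VPC's CIDR. The VPC and subnet CIDRs are constructed sample values.

```python
import ipaddress

# Prefix-length limits for IPv4 subnets in a VPC (from the notes above).
LARGEST_SUBNET_PREFIX = 16   # a /16 is the largest subnet allowed
SMALLEST_SUBNET_PREFIX = 28  # a /28 is the smallest subnet allowed
AWS_RESERVED_PER_SUBNET = 5  # first four addresses + the last (broadcast) address


def reserved_addresses(subnet_cidr: str) -> list[str]:
    """Return the five addresses AWS reserves in an IPv4 subnet.

    The first four are the network address, VPC router, DNS resolver and
    a future-use address; the last address is the broadcast address.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    # ip_network supports indexing, so a /16 does not need to be expanded.
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses that remain for instances after AWS's reservations."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_subnet(vpc_cidr: str, subnet_cidr: str) -> list[str]:
    """Return a list of problems with the proposed subnet; empty means valid."""
    problems: list[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.1.5/24
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    except ValueError as exc:
        return [f"{subnet_cidr}: not a valid CIDR block ({exc})"]
    if subnet.version != 4 or vpc.version != 4:
        return [f"{subnet_cidr}: these checks cover IPv4 subnets only"]
    if not (LARGEST_SUBNET_PREFIX <= subnet.prefixlen <= SMALLEST_SUBNET_PREFIX):
        problems.append(
            f"{subnet_cidr}: prefix /{subnet.prefixlen} is outside the allowed "
            f"range /{LARGEST_SUBNET_PREFIX} to /{SMALLEST_SUBNET_PREFIX}"
        )
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet_cidr}: lies outside the VPC range {vpc_cidr}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    vpc = "10.0.0.0/16"
    for candidate in ("10.0.1.0/24", "10.0.1.0/29", "192.168.1.0/24", "10.0.1.5/24"):
        issues = validate_subnet(vpc, candidate)
        if issues:
            print("\n".join(issues))
        else:
            print(f"{candidate}: ok, {usable_hosts(candidate)} usable hosts, "
                  f"reserved {reserved_addresses(candidate)}")
```

The check uses `strict=True` deliberately: a CIDR typed with host bits set is a common source of subnets that silently end up where they were not intended.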
Route Table:
- “Main” route table created by default when VPC is created.
- Configurable routes to/from subnet.
- Destination → CIDR block you want your subnet traffic to go to.
- Target → Processing resource where it is sent to.
Internet Gateway (IGW) → Amazon VPC side of a connection to the public internet. Allows resources in the VPC to communicate with the internet.
- Horizontally scaled, highly-redundant, highly-available.
- Target for VPC route tables.
- Performs network address translation.
- Needed to make a subnet public.
NAT Gateway (NGW) → Allows private subnets to access the internet or other AWS services.
- Prevents the internet from initiating connections to the private subnet (⚠️ only in IPv4).
- NAT Gateway is preferred over a NAT Instance (EC2 instance acting as NAT) → Lower administrative cost.
- Has to be created in a public subnet and associated with an Elastic IP Address.
Virtual Private Gateway (VPGW) → Amazon VPC side of a VPN connection.
- Needs a Customer Gateway with a public IP.
Peering Connection → Route traffic via private IPs between 2 peered VPCs.
VPC Endpoints → Private connectivity to services hosted in AWS from within the VPC, without using an IGW, VPN, NAT, or proxies.
Egress-Only Internet Gateway → Stateful GW for IPv6 traffic from the VPC to the internet.
Elastic Network Interface → Virtual network interface that can be attached to an instance.
- Each instance in VPC has by default a network interface.
- Useful when creating a management network, low-budget & high-availability solutions, and other networking-related cases.
Best design practices:
- Create one subnet per AZ for each group of hosts that have unique routing requirements.
- Divide VPC ranges evenly across all AZs.
- Reserve addresses for future use.
- Size subnets to allow for growth.
- Ensure CIDR blocks don’t overlap.
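The design practices above (one subnet per AZ per routing requirement, even division across AZs, spare addresses, no overlaps) can be turned into an address plan mechanically. The example below is added here and is not from the original notes: it splits a VPC range evenly across the given AZs, carves each AZ block into one subnet per tier plus at least one spare block reserved for growth, rejects plans whose subnets would fall below /28, and checks the result for overlapping CIDRs. The AZ names, tier names and VPC range are constructed sample values; `plan_subnets` and `find_overlaps` are illustrative helpers, not AWS APIs.

```python
import ipaddress
from itertools import combinations


def _split(network: ipaddress.IPv4Network, count: int) -> list[ipaddress.IPv4Network]:
    """Split a block into the smallest power-of-two number of equal blocks >= count."""
    bits = (count - 1).bit_length()          # 1 -> 0 bits, 2 -> 1, 3..4 -> 2, 5..8 -> 3
    return list(network.subnets(prefixlen_diff=bits))


def plan_subnets(vpc_cidr: str, azs: list[str], tiers: list[str]) -> tuple[dict[str, str], list[str]]:
    """Return ({"<az>/<tier>": cidr}, [reserved cidrs]) for an evenly divided VPC.

    Each AZ gets an equal share of the VPC; within an AZ, one block per tier is
    allocated and every remaining block (at least one) is kept in reserve.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets: dict[str, str] = {}
    reserved: list[str] = []

    az_blocks = _split(vpc, len(azs))
    for az, block in zip(azs, az_blocks):
        tier_blocks = _split(block, len(tiers) + 1)   # +1 guarantees a spare block per AZ
        if tier_blocks[0].prefixlen > 28:
            raise ValueError(f"{vpc_cidr} is too small for {len(azs)} AZs x {len(tiers) + 1} blocks")
        for tier, sub in zip(tiers, tier_blocks):
            subnets[f"{az}/{tier}"] = str(sub)
        reserved.extend(str(sub) for sub in tier_blocks[len(tiers):])
    # Whole AZ-sized blocks left over (e.g. the 4th quarter when using 3 AZs) stay reserved.
    reserved.extend(str(b) for b in az_blocks[len(azs):])
    return subnets, reserved


def find_overlaps(cidrs: list[str]) -> list[tuple[str, str]]:
    """Return every pair of CIDR blocks that overlap (empty list means the plan is clean)."""
    nets = [(c, ipaddress.ip_network(c, strict=True)) for c in cidrs]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


if __name__ == "__main__":
    # Constructed sample input.
    plan, spare = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"], ["public", "private"])
    for name, cidr in plan.items():
        print(f"{name:22s} {cidr}")
    print("reserved:", spare)
    print("overlaps:", find_overlaps(list(plan.values()) + spare))
```

With three AZs the VPC is cut into four /18 blocks, so one whole /18 stays in reserve for a fourth AZ; within each AZ the two tiers take two of four /20 blocks and the other two remain available for growth.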
Use cases examples:
- One VPC → Small applications, HPC, and identity management.
- Multiple VPCs → Single team, single organization, or a limited number of teams; multiple VPCs inside one account.
- Multiple Accounts → Large/medium-sized organizations, organizations with multiple IT departments, one VPC per account.
Ideas for use cases → Data location, latency, price per service, and service availability.
Connectivity
How to connect VPC to the internet:
- Create the Internet Gateway and attach it to VPC.
- Update the Route Table for the subnet to be connected → Set 0.0.0.0/0 to the Internet Gateway.
Bastion Hosts → Server that provides access from an external network to a private network.
- Reduces risk when access to a private subnet is needed.
- Typically runs in an EC2 instance in a public subnet of the VPC.
Security
AWS Network Firewall
Managed service to deploy essential protections to VPCs. Scales automatically with traffic.
Features:
- Stateful firewall → Incorporates context from traffic flows to enforce policies.
- Intrusion Prevention System (IPS, Suricata) → Active traffic flow inspection with Deep Packet Inspection.
VPC Peering
One-to-one private networking connection between 2 VPCs. You can peer with a VPC in another region or account via the AWS backbone, with no bottlenecks. Traffic remains in the private IP address space, but the CIDR blocks cannot overlap and transitive peering is not supported (Direct Connect and Site-to-Site VPN connections behave like peering here, so they cannot be reached transitively through a peered VPC either).
Steps to enable: