Networking Basics
Network → 2 or more computers connected to communicate. Can be logically partitioned into subnets.
A networking device is needed → Router or Switch.
IPs → Unique addresses that identify a host on the internet (or inside a private network):
- IPv4 → 32 bits (4 groups of 8 bits, written in decimal and separated by “.”)
- IPv6 → 128 bits (8 groups of 16 bits, written in hexadecimal and separated by “:”)
OSI Model
Classless Inter-Domain Routing (CIDR) → X.X.X.X/Y (Y bits of network, 32-Y bits of host)
Amazon Virtual Private Cloud (VPC)
Lets you provision a logically isolated section of the AWS Cloud in which you control:
- IP address range (IPv4/IPv6) → The primary IPv4 CIDR cannot be changed after creation (secondary CIDR blocks can be added). IPv4 cannot be disabled.
- Subnets (public/private).
- Route Tables and Network Gateways.
VPCs → Virtual network, a logically isolated section of the AWS cloud (isolated from other VPCs). Default quota: 5 VPCs per account per region (adjustable).
- Dedicated to the account.
- Located in a single region and can span multiple AZs.
- Can be shared with other accounts of the same organization through VPC Sharing (AWS RAM).
Reserved IP addresses (per subnet)
Components
Subnets → Range of IP addresses inside the VPC; a segment or partition of the VPC's address space.
- Located in a single AZ.
- Public → Its route table has a route to an Internet Gateway attached to the VPC.
- Private → No route to an Internet Gateway in its route table.
- Not isolation boundaries inside the VPC, just partitions of the address space; isolation comes from route tables, NACLs and security groups.
- IP Addressing → Minimum subnet /28, maximum subnet /16 (IPv4) (⚠️).
- ❌ CIDR blocks cannot overlap.
- AWS reserves 5 IP addresses per subnet: the first 4 (network address, VPC router, DNS resolver, reserved for future use) and the last one (broadcast).
- Elastic IP Address → Static, public IPv4 address designed for dynamic cloud computing.
- Allocated to the AWS account, not to a particular instance.
- Can be mapped to an instance; if the instance fails, the address can be remapped to another instance.
- You can bring your own IP (BYOIP) for IP reputation, allow-listing, hard-coded dependencies, regulation & compliance, and networking policy.
- A non-default VPC needs DNS resolution and DNS hostnames enabled for its instances to get a public DNS hostname.
Route Table:
- “Main” route table created by default when VPC is created.
- Configurable routes for the traffic leaving the subnet. Every table has a non-removable local route for the VPC CIDR, and the most specific matching route (longest prefix) wins.
- Destination → CIDR block the traffic is addressed to.
- Target → Resource the traffic is handed to (local, IGW, NAT gateway, peering connection, VGW, endpoint, ENI...).
Internet Gateway (IGW) → Amazon VPC side of a connection to the public internet; allows resources in the VPC to communicate with the internet.
- Horizontally scaled, highly redundant, highly available.
- Target for VPC route tables.
- Performs one-to-one network address translation for instances that have a public IPv4 or Elastic IP address.
- Needed to make a subnet public.
NAT Gateway (NGW) → Allows instances in private subnets to reach the internet or other AWS services.
- Prevents the internet from initiating connections to the private subnet (⚠️ IPv4 only; for IPv6 use an Egress-Only Internet Gateway).
- NAT Gateway >> NAT Instance (EC2 instance acting as NAT) → Managed, scales automatically, less administration.
- Must be created in a public subnet with an Elastic IP address; the private subnet's route table then needs a 0.0.0.0/0 route targeting it.
Virtual Private Gateway (VPGW) → Amazon VPC side of a VPN connection.
- Needs a Customer Gateway with a public IP.
Peering Connection → Route traffic via private IPs between 2 peered VPCs.
VPC Endpoints → Private connectivity to services hosted in AWS from within the VPC, without using an IGW, VPN, NAT, or proxies. Gateway endpoints (S3, DynamoDB) are route table targets; interface endpoints (PrivateLink) are ENIs placed in your subnets.
Egress-Only Internet Gateway → Stateful GW for IPv6 traffic from the VPC to the internet.
Elastic Network Interface → Virtual network interface that can be attached to an instance.
- Each instance in a VPC has a primary network interface by default.
- Useful for management networks, low-budget high-availability setups (move the ENI to a standby instance), and other networking cases.
Best design practices:
- Create one subnet per AZ for each group of hosts that have unique routing requirements.
- Divide VPC ranges evenly across all AZs.
- Reserve addresses for future use.
- Size subnets to allow for growth.
- Ensure CIDR blocks don’t overlap.
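As an added worked example (not part of the original notes), the Python below uses the standard ipaddress module to apply the subnet rules from the Components and Best design practices sections: it lists the five addresses AWS reserves in a subnet, computes the usable host count, checks a set of CIDR blocks for overlap, carves one equally sized subnet per AZ for each routing tier out of a VPC range, and reports what is left for future use. The VPC range, AZ names and tier names are made-up inputs.

```python
"""Subnet planning with the rules from the notes above.

Added example, not part of the original notes. The VPC range, AZ names
and tier names used with these helpers are made-up inputs.
"""
import ipaddress
from typing import Dict, List, Tuple

LARGEST_SUBNET_PREFIX = 16   # a subnet can be at most a /16
SMALLEST_SUBNET_PREFIX = 28  # and at least a /28
RESERVED_PER_SUBNET = 5      # first four addresses plus the broadcast address


def _check_prefix(prefixlen: int) -> None:
    if not LARGEST_SUBNET_PREFIX <= prefixlen <= SMALLEST_SUBNET_PREFIX:
        raise ValueError(f"/{prefixlen}: IPv4 subnets must be between /16 and /28")


def reserved_addresses(cidr: str) -> Dict[str, str]:
    """The five addresses AWS keeps for itself in a subnet, by purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    _check_prefix(net.prefixlen)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr: str) -> int:
    """Addresses that can actually be assigned to network interfaces."""
    net = ipaddress.ip_network(cidr, strict=True)
    _check_prefix(net.prefixlen)
    return net.num_addresses - RESERVED_PER_SUBNET


def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Every pair of CIDR blocks that overlap; must be empty for a valid layout."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def plan_subnets(vpc_cidr: str, azs: List[str], tiers: List[str],
                 subnet_prefix: int) -> Dict[str, str]:
    """Carve one /subnet_prefix block per (tier, AZ) out of the VPC range.

    One subnet per AZ for each group with its own routing needs, equal
    sizes across AZs, and whatever is left stays unallocated for growth.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    _check_prefix(subnet_prefix)
    needed = len(tiers) * len(azs)
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(blocks) < needed:
        raise ValueError(f"{vpc_cidr} only holds {len(blocks)} /{subnet_prefix} "
                         f"subnets, {needed} needed")
    pool = iter(blocks)
    return {f"{tier}-{az}": str(next(pool)) for tier in tiers for az in azs}


def free_space(vpc_cidr: str, plan: Dict[str, str]) -> List[str]:
    """Largest CIDR blocks of the VPC range not used by the plan."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    free = [vpc]
    for used in (ipaddress.ip_network(c) for c in plan.values()):
        free = [piece for block in free
                for piece in (block.address_exclude(used)
                              if used.subnet_of(block) else [block])]
    return [str(n) for n in sorted(free)]
```

plan_subnets("10.0.0.0/16", ["a", "b", "c"], ["public", "private"], 20) hands out six /20 blocks in order and free_space then reports 10.0.96.0/19 and 10.0.128.0/17 as untouched, which is the "reserve addresses for future use" item made concrete.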
Use cases examples:
- One VPC → Small applications, HPC, and identity management.
- Multiple VPCs → Single team or small organization with a few teams; multiple VPCs inside one account.
- Multiple Accounts → Medium/large organizations or organizations with several IT departments; one VPC per account.
Factors to weigh → Data location, latency, price per service, and service availability.
Connectivity
How to connect a VPC to the internet:
- Create the Internet Gateway and attach it to the VPC.
- Update the route table of the subnet to be connected → Add a 0.0.0.0/0 route targeting the Internet Gateway.
- Instances also need a public IPv4 or Elastic IP address, and their security group and the subnet's NACL must allow the traffic.
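An added example (not from the original notes) that exercises the route table semantics above offline. It takes data in the shape of the aws ec2 describe-route-tables output, resolves which table a subnet uses (an explicit association, otherwise the main table), performs a longest-prefix lookup the way the VPC router does, and classifies a subnet as public when its table has a route whose target is an internet gateway. Every ID and CIDR is constructed; to audit a real account, pass the RouteTables array from a describe call instead.

```python
"""Which subnets are public? Decide it from route tables alone.

Added example, not part of the original notes. The structures mimic the
shape of `aws ec2 describe-route-tables` output, but every ID, CIDR and
association here is constructed and not real account data.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: a main table sending default traffic to a NAT gateway
# and a custom table with the 0.0.0.0/0 -> IGW route from the procedure above.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000aaaa"},
        ],
    },
    {
        "RouteTableId": "rtb-public00",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub0000a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000bbbb"},
        ],
    },
]

# A route stores its single target under one of these keys depending on type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "TransitGatewayId", "VpcEndpointId", "NetworkInterfaceId", "InstanceId")


def route_target(route: Dict) -> Optional[str]:
    """The target of a route, whichever field it happens to live in."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def table_for_subnet(subnet_id: str, tables: List[Dict]) -> Dict:
    """An explicit association wins; otherwise the subnet uses the main table."""
    for table in tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            return table
    for table in tables:
        if any(a.get("Main") for a in table["Associations"]):
            return table
    raise LookupError("no main route table in the input")


def lookup(destination_ip: str, table: Dict) -> Optional[str]:
    """Longest-prefix match: the most specific route decides the target."""
    ip = ipaddress.ip_address(destination_ip)
    best_len, best_target = -1, None
    for route in table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue  # IPv6 / prefix-list routes are out of scope for this IPv4 example
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, route_target(route)
    return best_target


def is_public_subnet(subnet_id: str, tables: List[Dict]) -> bool:
    """Public means the subnet's table has a route targeting an internet gateway."""
    table = table_for_subnet(subnet_id, tables)
    return any((route_target(r) or "").startswith("igw-") for r in table["Routes"])


def classify(subnet_ids: List[str], tables: List[Dict]) -> Dict[str, bool]:
    """Map each subnet ID to True (public) or False (private)."""
    return {s: is_public_subnet(s, tables) for s in subnet_ids}
```

Note what the classification does not tell you: an IGW route only makes instances reachable if they also hold a public or Elastic IP and their security group and NACL allow the traffic, so treat "public" here as "exposed if anything else is permissive".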
Bastion Hosts → Server that provides access from an external network to a private network.
- Reduces risk when you need to reach a private subnet: only the bastion is exposed, and it should accept SSH/RDP only from known source IPs.
- Typically runs on an EC2 instance in a public subnet of the VPC.
Monitoring
The traffic of a VPC can be monitored using Traffic Mirroring and VPC Flow Logs.
- VPC Flow Logs → Capture metadata about IP traffic (addresses, ports, protocol, bytes, ACCEPT/REJECT) at the VPC, subnet, or ENI level; not the packet payload.
- Published to CloudWatch Logs or S3.
- Use: Troubleshoot connectivity and security issues.
- Traffic mirroring → Replicate network traffic and forward it to monitoring appliances.
- Captures traffic at the Elastic Network Interface.
- Use: Analyze traffic content.
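As an added example of the "troubleshoot connectivity and security issues" use of flow logs (not part of the original notes), the Python below parses records in the default version 2 format and pulls out two things a first triage looks for: sources whose rejected flows touch many distinct destination ports (a scan bouncing off a security group), and rejected packets that look like server replies, which with stateful security groups usually point at a stateless NACL missing its outbound ephemeral-port rule. The log lines are constructed; account ID, ENI ID and addresses are not real (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).

```python
"""Parse VPC Flow Log records (default v2 format) and triage them.

Added example, not part of the original notes. SAMPLE_LOG is constructed;
account ID, ENI ID and addresses are not real.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


class FlowRecord(NamedTuple):
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str  # ACCEPT or REJECT


def parse_record(line: str) -> Optional[FlowRecord]:
    """Split one record. NODATA/SKIPDATA rows carry '-' instead of addresses
    and ports, so they are returned as None instead of being parsed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def parse_log(text: str) -> List[FlowRecord]:
    """All usable records from a blob of flow log text."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def rejects_by_source(records: List[FlowRecord]) -> Dict[str, int]:
    """How many rejected flows each source address produced."""
    return dict(Counter(r.srcaddr for r in records if r.action == "REJECT"))


def suspected_scanners(records: List[FlowRecord], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources whose rejected flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def rejected_replies(records: List[FlowRecord]) -> List[FlowRecord]:
    """Rejected packets shaped like server replies (well-known source port,
    ephemeral destination port): the signature of a NACL without an
    outbound ephemeral-port rule, since security groups would let them through."""
    return [r for r in records
            if r.action == "REJECT" and r.srcport < 1024 and r.dstport >= 1024]


# Constructed sample: one host probing five ports, one HTTPS client whose
# request is accepted but whose reply is rejected, and one NODATA interval.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51235 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51236 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51237 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51238 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 44102 443 6 20 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.9 443 44102 6 18 9000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""
```

Run against a real export from CloudWatch Logs or S3 the same way: read the text, call parse_log, then rejects_by_source for volume, suspected_scanners for probing sources and rejected_replies for broken return paths. If you use a custom log format, update FIELDS to match.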
Security
Security Groups
Virtual firewall that controls inbound and outbound traffic to and from the instance (attached to its ENIs). Acts at the instance level. Stateful: the connection state of allowed traffic is tracked.
Responses to allowed inbound communications are allowed out regardless of outbound rules (and vice versa). Rules can only allow traffic; there are no deny rules, and anything not explicitly allowed is dropped. A newly created security group is closed to incoming traffic by default.
Default configuration of a new security group: no inbound rules (all inbound blocked), outbound allows all traffic (0.0.0.0/0, all protocols).
Network Access Control Lists (NACLs)
Controls traffic in and out of the subnet. Works at the subnet level. Stateless: no connection state is kept, so return traffic (typically to ephemeral ports 1024-65535) must be explicitly allowed in the opposite direction.
A subnet can be associated with only one Network ACL (one NACL can serve several subnets). Rules are evaluated in ascending rule-number order and the first match wins; rules can allow or deny.
Default configuration (allow all inbound/outbound): rule 100 allows all traffic in both directions, followed by the implicit “*” rule that denies anything not matched.
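To make the stateful/stateless distinction above concrete, here is an added example (not part of the original notes) that models a security group and a NACL as small rule engines and runs one HTTPS request plus its reply through both. It shows that the security group passes the reply with no outbound rule at all, that a NACL which only allows port 443 in both directions drops the reply because it goes to an ephemeral port, and that a lower-numbered deny rule wins over a broader allow. Rules, addresses and ports are constructed for the illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""How a stateful security group and a stateless NACL judge one exchange.

Added example, not part of the original notes. Rules, addresses and ports
are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" or "out", relative to the protected instance/subnet


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str              # remote side: source for "in" rules, destination for "out"
    port_from: int
    port_to: int
    action: str = "allow"  # NACL rules may be "deny"; security group rules only allow
    number: int = 0        # NACL evaluation order; ignored for security groups

    def matches(self, p: Packet) -> bool:
        remote = p.src if p.direction == "in" else p.dst
        return (self.direction == p.direction
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)
                and self.port_from <= p.dport <= self.port_to)


class SecurityGroup:
    """Allow-only and stateful: once a flow is allowed, its replies pass
    whatever the rules in the other direction say."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._flows: Set[Tuple[str, str, int, int]] = set()

    def evaluate(self, p: Packet) -> bool:
        if (p.dst, p.src, p.dport, p.sport) in self._flows:  # reply to a tracked flow
            return True
        if any(r.matches(p) for r in self.rules):
            self._flows.add((p.src, p.dst, p.sport, p.dport))
            return True
        return False  # there are no deny rules; "not allowed" simply means dropped


class NetworkAcl:
    """Stateless: each packet is judged alone; the lowest-numbered matching
    rule decides, and the implicit '*' rule denies everything else."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False


def evaluate_exchange(sg_rules: List[Rule], nacl: NetworkAcl,
                      request: Packet, reply: Packet) -> Dict[str, bool]:
    """Run a request and its reply through a fresh security group and the NACL."""
    sg = SecurityGroup(sg_rules)
    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),
        "nacl_request": nacl.evaluate(request),
        "nacl_reply": nacl.evaluate(reply),
    }


# HTTPS request from a client and the server's reply, seen from the instance.
REQUEST = Packet("203.0.113.9", "10.0.1.25", 44102, 443, "in")
REPLY = Packet("10.0.1.25", "203.0.113.9", 443, 44102, "out")

# Security group: HTTPS in and no outbound rule at all (replies still pass).
WEB_SG_RULES = [Rule("in", "0.0.0.0/0", 443, 443)]

# Weak NACL: allows 443 both ways but forgets that replies go to ephemeral ports.
WEAK_NACL = NetworkAcl([
    Rule("in", "0.0.0.0/0", 443, 443, "allow", 100),
    Rule("out", "0.0.0.0/0", 443, 443, "allow", 100),
])

# Fixed NACL: outbound ephemeral range added, plus a deny for one known-bad
# network numbered below the broad allow so that it is evaluated first.
FIXED_NACL = NetworkAcl([
    Rule("in", "198.51.100.0/24", 0, 65535, "deny", 90),
    Rule("in", "0.0.0.0/0", 443, 443, "allow", 100),
    Rule("out", "0.0.0.0/0", 1024, 65535, "allow", 100),
])
```

evaluate_exchange(WEB_SG_RULES, WEAK_NACL, REQUEST, REPLY) reports the security group allowing both packets while the NACL allows the request and drops the reply; swapping in FIXED_NACL lets the reply through, and a probe from 198.51.100.7 is denied by rule 90 before rule 100 is ever consulted.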
AWS Network Firewall
Managed service to deploy essential protections to VPCs. Scales automatically with traffic.
Features:
- Stateful firewall → Incorporates context from traffic flows to enforce policies.
- Intrusion Prevention System (IPS, Suricata-compatible rules) → Active inspection of traffic flows, including deep packet inspection.
AWS Site-to-Site VPN
Highly available solution to connect an on-premises network with a VPC securely. Uses IPsec encrypted tunnels and is charged per connection-hour. Each VPN connection has 2 tunnels, terminating on different AWS endpoints for redundancy. The connection has 2 sides:
- AWS → Virtual Private Gateway (VPGW)
- On-Premises → Customer Gateway (CGW)
Can use AWS VPN CloudHub to establish multiple VPN connections from multiple CGW to one VPGW → More redundancy and failover.
Routing Types → Static or dynamic (BGP), depending on whether the customer gateway device supports BGP.