IP address format
IPv4 4 chunks in 8 bit octal, 0-255, 32 bit
IPv6 8 groups of 4 letters and numbers (16 bits each, : separators), 128 bits
Classless inter-domain routing
IP address, /, how many prefix numbers are fixed
/32 fixed IP address
Open systems interconnection, OSI
Conceptual model explaining how data travels over network. 7 layers.
L2: data link layer, hubs and switches
L3: network layer, routers
VPC
- Logically isolated from other virtual networks
- Single AWS region
- Can span multiple availability zones
- Can divide into multiple subnets
Subnet
- Belong to single availability zone
- Can create multiple in different availability zones for high availability
- Public or private
- CIDR block of subnet subset of VPC’s
- CIDR cannot overlap with another subnet
IPv4 range
/16 (65536 addresses) to /28 (16 addresses)
Reserved CIDR addresses
First 5:
- Network address
- VPC local router
- DNS resolution
- Future use
- Network broadcast address
Elastic IP address vs public IP address
Remap address to another instance on VPC
Elastic network interface
Can be attached to another instance, but can’t be the primary one
Route table
- Controls traffic for a subnet
- Have a built in local route, cannot be deleted
- Can add additional routes
- Destination and target; destination is the CIDR block
Intenet gateway
Scalable, redundant, highly available VPC component
Communication between VPC and Internet
1. Target in route table
2. Network address translation for instances with public IP
To make subnet public
Attach internet gateway
Add route for non local traffic
VPC sharing
Can make application resources into shared, centrally managed VPCs. Benefits:
- Separation of duties: centrally controlled VPC structure, routing, IP address allocation
- Ownership: continue to own resources
- Security groups: an reference security groups in other VPCs
- Efficiencies: higher density in subnets, efficient use of VPNs and ĄWS direct connect
- No hard limits: combined
- Optimised costs: reuse Nat Gateways, endpoints
VPC peering
Networking connection that allows routing if traffic privately. Can even go to VPC in different region. Restrictions:
- IP address ranges cannot overlap
- Can’t transitive peer
- Only one peering resource between two VPCs
To connect VPC to remote network (VPN)
- Create and attach VPN gateway to VPC
- Configuration of VPN device or customer gateway.
- Custom route table & security group rules.
- Establish AWS site to site VPN connection
- Config routing
AWS direct connect
To overcome network performance issues, DX enables you to establish a dedicated, private network connection between your network and one of the DX locations. VLAN.
VPC endpoints
Interface VPC endpoint: enables you to connect to services powered by AWS PrivateLink, charged for creating and using, hourly and per data
Gateway endpoint: no charge
AWS Transit Gateway
Create and manage a single connection from central gateway to each VPC, rather than point to point
Differences between security groups and ACLs
- Security groups at network level, ACLs at subnet level
- Security groups allow rules only, ACLs allow and deny
- Security groups are stateful, ACLs stateless
- For security groups all rules are evaluated before decision made to allow traffic, for ACLs rules are evaluated in number order
Security group
Controls inbound and outbound traffic to instance
Stateful: state information kept after request processed. Ie response traffic is allowed to flow in regardless of inbound security group rules
ACL
Each subnet must be associated with a network ACL, default will be used in absence - allowing all inbound and outbound traffic
Stateless
Max rule 32,766
Amazon Route 53 routing policies
Simple routing: single resource, web server
Weighted routing: multiple resources in proportion, A/B testing
Latency routing: routes customers to the fastest endpoint to reduce latency
Geolocation routing: based on location of users, content in language
Geoproximity routing: route traffic based on location of resources
Failover routing: active - passive failover, can use health checks
Multivalue answer routing: returns up to 8 healthy records selected at random
Advantages of multi region deployment of route 53
Directed to the elastic load balancing load balancer closest to the user
Amazon Route 53 to ensure high availability
- Create two DNS records for CNAME www with failover routing. Primary points to load balancer for Web application, secondary to static S3 website.
- Use Route 53 health checks to ensure primary is running.
