AWS network offerings

This was my preparation note while I appeared for the AWS Solution Architect – Associate exam. I cleared it on the first attempt with a good margin. Sharing it here as I guess it helps beginners and aspirants.

Virtual Private Cloud (VPC)
  • Virtual Private Cloud — Logically isolated section of AWS that provides complete control over IP address range, creation of subnets, route tables and network gateways.
  • VPC houses subnets, multiple security groups and access controls.
  • 5 VPCs allowed in a region by default.
  • Default VPC faces internet.
  • VPC peering – Within the same account or a different account, and in the same region.
    • Supports only star topology.
  • A VPC can be set up on dedicated hardware. Any AWS objects created within that VPC will be dedicated. Dedicated hardware is expensive.
  • A VPC spans multiple AZs (Availability Zones).
    • A subnet is mapped to one AZ and hence has to be within that AZ.
  • An internet gateway can be attached to the VPC for internet access. Only one internet gateway per VPC.
  • When a VPC is created, AWS automatically creates a route table.
  • If the default VPC is deleted, you need to contact customer support to get it back.
  • EC2 instances in a public subnet have access to the Internet only if they have a public IP address or are attached to an ELB.
  • A VPC can be connected to a customer datacenter through a Virtual Private Gateway, providing VPN tunnelling between the data centers.
  • If a deployment needs isolated environments for dev, test and prod, it is better to go with different VPCs.
  • Possible to attach more than one (up to 2) elastic network interface. This allows an instance to be home to 2 addresses.

Subnet

  • Range of IPs expressed in CIDR.
  • Can be private or public.
  • AWS reserves the first 4 IP addresses and the last 1 in every subnet.
  • By default, all EC2 instances within subnets can communicate with all other instances in the same VPC through the main route table.
  • 0.0.0.0/0 represents all instances in a subnet.

Route table

  • Comprises a set of rules called routes that determine the traffic flow in a VPC.
  • VPC comes with default route table which can be replaced with custom.
  • Each subnet can be attached to 1 route table.

Access Control List (ACL)

  • Allows / filters traffic at the subnet level.
  • One subnet can have only one ACL.
  • One ACL can be attached to multiple subnets.
  • ACL has an overriding effect over security groups, which are usually attached to EC2 instances.
  • ACL is more like a firewall at the subnet level.
  • It’s stateless, meaning that once ingress traffic is enabled, egress traffic is not automatically enabled.

Security group

  • Any number of EC2 instances can be attached to the same security group.
  • By default, all incoming traffic is blocked and all outgoing traffic is allowed.
  • Security group changes take immediate effect.
  • A security group is stateful, meaning that once incoming HTTP is allowed, the system automatically allows the outgoing traffic for the same protocol.
  • There is no deny option, only an allow option; that means, only blacklisting.
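To make the stateless/stateful distinction in the two sections above concrete, here is a small Python model of both evaluation orders. It is an added example, not part of the original notes, and the packets, rule numbers and addresses in it are constructed for illustration. It shows why a network ACL needs an explicit outbound rule for the ephemeral port range before an HTTP response can leave the subnet, while a security group with no outbound rules still lets the reply through because it tracks the connection, and that a network ACL deny blocks traffic before the security group is ever consulted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int            # evaluation order for network ACLs (ignored by security groups)
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # remote address range the rule applies to
    action: str = "allow"  # network ACLs may also use "deny"


def _rule_matches(rule, packet, direction):
    """Shared matching: protocol, destination port and the remote address."""
    remote = packet.src_ip if direction == "inbound" else packet.dst_ip
    return (rule.protocol in ("all", packet.protocol)
            and rule.port_from <= packet.dst_port <= rule.port_to
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


def nacl_allows(rules, packet, direction):
    """Network ACL semantics: lowest rule number first, first match wins,
    implicit final deny, and no memory of earlier packets (stateless)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_matches(rule, packet, direction):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Security group semantics: allow rules only, implicit deny, and
    connection tracking so replies to an accepted flow are always allowed."""

    def __init__(self, inbound, outbound):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self._flows = set()   # (protocol, remote ip, remote port, local port)

    def allows(self, packet, direction):
        if direction == "inbound":
            key = (packet.protocol, packet.src_ip, packet.src_port, packet.dst_port)
        else:
            key = (packet.protocol, packet.dst_ip, packet.dst_port, packet.src_port)
        if key in self._flows:          # reply to a flow accepted earlier
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(_rule_matches(r, packet, direction) for r in rules):
            self._flows.add(key)
            return True
        return False


def reaches_instance(nacl_rules, sg, packet):
    """Inbound traffic must pass the subnet's network ACL before the instance's
    security group is consulted, which is why a NACL deny overrides the group."""
    return nacl_allows(nacl_rules, packet, "inbound") and sg.allows(packet, "inbound")


# Constructed sample exchange: a client on the internet fetches a page from a
# web server in the VPC, then the server sends the HTTP response back.
REQUEST = Packet("tcp", "203.0.113.10", 51234, "10.0.1.5", 80)
RESPONSE = Packet("tcp", "10.0.1.5", 80, "203.0.113.10", 51234)

ANY = "0.0.0.0/0"
ALLOW_HTTP_IN = Rule(100, "tcp", 80, 80, ANY)


def http_exchange_via_nacl(outbound_rules):
    """(request allowed, response allowed) for a NACL whose inbound side allows
    port 80 and whose outbound side is the given rule list."""
    return (nacl_allows([ALLOW_HTTP_IN], REQUEST, "inbound"),
            nacl_allows(outbound_rules, RESPONSE, "outbound"))


def http_exchange_via_sg():
    """The same exchange through a security group with no outbound rules at all."""
    sg = SecurityGroup(inbound=[ALLOW_HTTP_IN], outbound=[])
    return (sg.allows(REQUEST, "inbound"), sg.allows(RESPONSE, "outbound"))


if __name__ == "__main__":
    # Outbound allows only port 80, so the response (to port 51234) is dropped.
    print(http_exchange_via_nacl([Rule(100, "tcp", 80, 80, ANY)]))
    # Adding the ephemeral port range is what makes the stateless ACL work.
    print(http_exchange_via_nacl([Rule(100, "tcp", 80, 80, ANY),
                                  Rule(110, "tcp", 1024, 65535, ANY)]))
    print(http_exchange_via_sg())
```

The first call returns `(True, False)`: the request enters but the reply is silently dropped, which is the classic symptom of forgetting the outbound ephemeral-port rule on a network ACL. The security group returns `(True, True)` with an empty outbound list, purely because of the tracked flow.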

NAT – Network Address Translation

A bridge that provides internet connectivity from one network (subnet) to a private network (subnet) by remapping and routing traffic.

  • NAT uses an EC2 instance with an Amazon community image.
  • The source / destination check has to be disabled on the NAT instance.
  • Place the NAT instance in a public subnet with a security group that allows inbound and outbound HTTP(S) traffic.
  • In the private subnet, have a route table that routes the HTTP traffic to the NAT instance.
  • An elastic IP address has to be assigned.
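The route table and NAT sections above describe a path (private subnet, NAT instance in the public subnet, internet gateway) without showing how a packet actually picks each hop. The following Python model is an added example, not from the original notes or from AWS: it implements the longest-prefix-match lookup a VPC route table performs and traces a packet from a private instance through the NAT to the gateway. The CIDRs, the instance address and the `igw-PLACEHOLDER` / `eni-nat-PLACEHOLDER` target ids are constructed placeholders.

```python
import ipaddress

# Constructed layout for a VPC 10.0.0.0/16 with one public and one private
# subnet. The "local" route is the one AWS adds to every route table for the
# VPC's own block; the gateway and NAT target ids are placeholders, not real ones.
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLES = {
    "public":  [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "eni-nat-PLACEHOLDER")],
}
SUBNETS = {"10.0.0.0/24": "public", "10.0.1.0/24": "private"}
NAT_INSTANCE = {"ip": "10.0.0.10", "source_dest_check": False}


def lookup(routes, destination):
    """Longest-prefix match over a route table: the most specific route that
    contains the destination wins, so the /16 local route beats 0.0.0.0/0
    for traffic that stays inside the VPC."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def route_table_for(ip):
    """Name of the route table attached to the subnet that contains ip."""
    addr = ipaddress.ip_address(ip)
    for cidr, table in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return table
    return None


def next_hop(src_ip, dst_ip):
    """Target chosen by the sender's route table for dst_ip (None if the sender
    is not in any known subnet)."""
    table = route_table_for(src_ip)
    return lookup(ROUTE_TABLES[table], dst_ip) if table else None


def trace(src_ip, dst_ip, nat=NAT_INSTANCE):
    """Follow a packet hop by hop. A packet sent to the NAT instance is only
    forwarded if source/destination checking is disabled on that instance;
    the NAT then uses its own subnet's route table to reach the gateway."""
    hops = [next_hop(src_ip, dst_ip)]
    if hops[0] == "eni-nat-PLACEHOLDER":
        if nat["source_dest_check"]:
            hops.append("dropped by source/destination check")
        else:
            hops.append(next_hop(nat["ip"], dst_ip))
    return hops


if __name__ == "__main__":
    print(trace("10.0.1.20", "10.0.0.50"))      # stays inside the VPC: ['local']
    print(trace("10.0.1.20", "198.51.100.7"))   # private -> NAT -> internet gateway
    print(trace("10.0.1.20", "198.51.100.7", dict(NAT_INSTANCE, source_dest_check=True)))
```

The last call shows the failure mode the notes warn about: with the source/destination check still enabled, the NAT instance discards packets that are not addressed to itself, so the private subnet has a correct route but no connectivity.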

VPC peering

VPC peering – Allows connecting VPCs in the same region, across accounts, using internal IP addresses.

  • Transitive peering not supported.
  • Shouldn’t have overlapping CIDR addresses.
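The subnet rules earlier on the page (CIDR ranges, the addresses AWS reserves) and the peering rule just above (no overlapping CIDR blocks) can be checked mechanically. The following Python is an added example, not from the original notes, built on the standard `ipaddress` module: it lists the reserved addresses of a subnet, counts what remains usable, validates that a set of subnets fits inside a VPC block without overlapping, and decides whether two VPC blocks are eligible for peering. The /16 to /28 subnet size limit is an assumption added here (it is a documented VPC constraint but is not on the page), and all sample CIDRs are constructed.

```python
import ipaddress

# AWS reserves the first four addresses of every subnet (network address,
# VPC router, DNS, reserved for future use) and the last one (broadcast).
RESERVED_AT_START = 4
RESERVED_AT_END = 1
# Assumed size limit for VPC subnets: /16 through /28 (not stated on the page).
MIN_PREFIX, MAX_PREFIX = 16, 28


def reserved_addresses(subnet_cidr):
    """The five addresses in a subnet that instances can never be given."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(RESERVED_AT_START)] + [str(net[-1])]


def usable_addresses(subnet_cidr):
    """How many addresses remain for instances once the reserved ones are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_AT_START - RESERVED_AT_END


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Check a proposed layout: every subnet must sit inside the VPC block, be a
    legal size, and not overlap any other subnet. Returns a list of problems
    (empty means the layout is consistent)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC {vpc}")
        if not MIN_PREFIX <= s.prefixlen <= MAX_PREFIX:
            problems.append(f"{s} is not between /{MIN_PREFIX} and /{MAX_PREFIX}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_peer(vpc_a_cidr, vpc_b_cidr):
    """VPC peering is only possible when the two blocks do not overlap, because
    the local route on each side would otherwise be ambiguous."""
    a = ipaddress.ip_network(vpc_a_cidr)
    b = ipaddress.ip_network(vpc_b_cidr)
    return not a.overlaps(b)


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"))   # first four and the broadcast address
    print(usable_addresses("10.0.1.0/24"), usable_addresses("10.0.2.0/28"))
    print(validate_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]))
    print(can_peer("10.0.0.0/16", "10.1.0.0/16"), can_peer("10.0.0.0/16", "10.0.128.0/17"))
```

Note that a /28, the smallest allowed subnet, keeps only 11 of its 16 addresses for instances, which matters when sizing subnets for small tiers such as NAT or bastion hosts.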

Route53
  • DNS
    • AWS support for IPv6 is limited.
    • For DNS migration, reduce the TTL to a few minutes and give it time to update. By default, it’s 2 days.
    • TLD – Top level domain. Example: .com, .org
    • Second level domain – Example: co in co.in
    • Zone file or Authority record – SOA – Details about the domain name.
    • NS record – Nameserver record. Details of the content server you set at the domain registrar.
    • A record – Address record. Maps a domain name to an IP address.
    • CNAME – Canonical name. Maps one domain to another. Doesn’t work for a primary domain name such as example.com
    • Alias record – Only used in AWS, since a CNAME can’t be used for an ELB. An ELB exposes a DNS name, not an IP address, so AWS had to create a new record type called an alias record; it is free.
  • Called Route 53 because the DNS service generally runs on port 53.
  • Capabilities
    • DNS registration
    • DNS service (Name resolution)
    • Health checks
  • Supports
    • Latency based routing.
    • Geo based routing.
  • To leverage DNS service
    • New domain name can be created with AWS
    • Existing domain can be migrated.
    • New sub-domain can be registered with AWS.
    • Existing sub-domain can be migrated to AWS.
  • Routing policies
    • Simple
    • Weighted
    • Geo based routing
    • Latency based routing
    • Failover routing
  • Currently there is a limit of 50 domain names per account. However, it’s a soft limit that can be loosened by contacting AWS support.
  • Supports MX (mail exchange) records

Amazon CloudFront CDN

Goal

  • Low latency.

Purpose

  • Fault tolerance
  • Scale.

Introduction

  • Live & On demand streaming.
  • Also supports dynamic websites.
  • Origin server – S3, load balancer, EC2 or servers outside AWS.
  • Use CloudWatch to keep an eye on an Amazon CloudFront distribution.
  • Personalised content can be set with a TTL.

Setup

  • In CloudFront, set up the origin server details.

Other details

  • Autoscaling can be set up at the ELB.

Link: https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elastic-load-balancing.html

Details

  • RTMP – Media streaming used for Adobe flash media streaming.
  • 50+ edge locations all over the world.
  • 2 types of distribution
    • Web distribution
    • RTMP – Media streaming
  • CDN can be used for write also.
  • Single distribution can have multiple origins.
  • Behavior options support regex to control what needs to be cached.
  • Default TTL is 24 hours, expressed in seconds.
  • Supports signed URLs and signed cookies to restrict access to the content. Works based on encryption.
  • Supports geo restrictions.
  • Restricting access to S3 content so that it is served only via CloudFront:
    • Create an Origin Access Identity (OAI – a special CloudFront user) and associate it with the distribution.
    • Attach a permission in S3 for the above user.
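To see what "attach a permission in S3 for the above user" looks like, and how to confirm that nothing else still grants public reads once the OAI is in place, here is an added Python example (not from the original notes or from AWS; the OAI id and bucket name are constructed placeholders). It builds the OAI-only bucket policy document and runs a small audit that flags any Allow statement granting object reads to a principal other than the OAI, using a constructed public-read policy as the "before" case.

```python
import json

# Constructed values: a placeholder OAI id and bucket name, not real resources.
OAI_ID = "EXAMPLE-OAI-ID"
BUCKET = "example-static-site"

# Actions that let a principal read objects; "*" and s3:* are included because
# an over-broad Allow is exactly what the audit should catch.
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def oai_principal_arn(oai_id):
    """ARN form under which a CloudFront OAI appears as a bucket-policy principal."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_policy(bucket, oai_id):
    """Bucket policy that lets only the OAI read objects (the 'after' form)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal_arn(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


# The 'before' form: a public-read policy that the OAI setup is meant to replace.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def audit_read_access(policy, oai_id):
    """Return findings for every Allow statement that grants object reads to
    anyone other than the given OAI; an empty list means reads are OAI-only."""
    findings = []
    expected = oai_principal_arn(oai_id)
    oai_seen = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Effect") != "Allow" or not READ_ACTIONS.intersection(actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                      # shorthand for every principal
            principal = {"AWS": "*"}
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else list(aws)
        for p in aws:
            if p == expected:
                oai_seen = True
            elif p == "*":
                findings.append(f"{sid}: grants read to everyone")
            else:
                findings.append(f"{sid}: grants read to {p}")
    if not oai_seen:
        findings.append("no statement grants read to the OAI")
    return findings


if __name__ == "__main__":
    print(audit_read_access(PUBLIC_READ_POLICY, OAI_ID))
    policy_json = json.dumps(build_oai_policy(BUCKET, OAI_ID), indent=2)
    print(policy_json)
    print(audit_read_access(json.loads(policy_json), OAI_ID))   # [] once only the OAI can read
```

The audit deliberately reports a policy that names the wrong OAI as both "grants read to <other principal>" and "no statement grants read to the OAI", since either condition alone would leave the distribution serving errors or the bucket readable by the wrong party.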

Elastic Load Balancing (ELB)
  • It’s elastic.
  • Can be cross AZ (Availability Zone)
  • Can be internet facing or internal.
  • An internal load balancer will be within the VPC. Often used to connect database servers.
  • ELB can be external (web facing) or internal.
  • Multiple EC2 instances can be attached to the ELB.
  • ELBs can distribute traffic across availability zones. Placement of the EC2 instances determines the availability zones.
  • ELBs require health checks with EC2 instances.
  • ELBs are given DNS names, not public IPs.

AWS Direct connect
  • AWS Direct Connect facilitates a direct connection from a corporate datacenter to AWS. Setting one up might require up to 4 months.
