AWS Networking

Amazon Virtual Private Cloud: Amazon VPC is a virtual network service that lets you launch AWS
resources in a logically isolated virtual network dedicated to your AWS account that you define. This
virtual network closely resembles a traditional network that you would operate in your own data center,
with the benefits of using the scalable infrastructure of Amazon. It is the networking layer for Amazon
EC2. A VPC spans all of the Availability Zones in the Region. There is no additional charge for using a VPC.
There are charges for some VPC components, such as NAT gateways, Reachability Analyzer, and traffic
mirroring. Amazon VPC console can be access by using the following link −
https://console.aws.amazon.com/vpc/.
The following are the key concepts for VPCs:
Virtual private cloud (VPC) — A virtual network dedicated to your Amazon account.
Subnet — A range of IP addresses in your VPC.
Route table — A set of rules, called routes, that are used to determine where network traffic is directed.
Internet gateway — A gateway that you attach to your VPC to enable communication between
resources in your VPC and the internet.
VPC endpoint — Enables you to privately connect your VPC to supported Amazon services and VPC
endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN
connection, or Amazon Direct Connect connection. Instances in your VPC do not require public IP
addresses to communicate with resources in the service. Traffic between your VPC and the other service
does not leave the Amazon network.
CIDR block —Classless Inter-Domain Routing. An internet protocol address allocation and route
aggregation methodology.
Internet gateway: An internet gateway is a horizontally scaled, redundant, and highly available VPC
component that allows communication between your VPC and the internet.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-
routable traffic, and to perform network address translation (NAT) for instances that have been assigned
public IPv4 addresses.
An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth
constraints on your network traffic. There is no additional charge for having an internet gateway in your
account.
Egress-only internet gateways: It is a horizontally scaled, redundant, and highly available VPC
component that allows outbound communication over IPv6 from instances in your VPC to the internet
and prevents the internet from initiating an IPv6 connection with your instances. An egress-only internet
gateway is for use with IPv6 traffic only. An egress-only internet gateway is stateful: it forwards traffic
from the instances in the subnet to the internet or other AWS services, and then sends the response
back to the instances.
NAT gateway: It is a Network Address Translation (NAT) service. You can use a NAT gateway so that
instances in a private subnet can connect to services outside your VPC but external services cannot
initiate a connection with those instances. NAT Gateway is for use with IPv4 traffic only.
The NAT gateway replaces the source IPv4 address of the instances with the private IP address of the
NAT gateway. When sending response traffic to the instances, the NAT device translates the addresses
back to the original source IPv4 addresses.
Accessing the Network
AWS VPC can optionally connect to your own corporate data center using an IPsec AWS managed VPN
connection, making the AWS Cloud an extension of your data center. When a customer requests data
from an application hosted in the AWS Cloud, this request is sent as a packet. A packet is a unit of data
sent over the internet or a network. It enters a VPC through an internet gateway. Before a packet can
enter a subnet or exit from a subnet, it checks for permissions. These permissions indicate who sent the
packet and how the packet is trying to communicate with the resources in a subnet. The VPC component
that checks packet permissions for subnets is a network access control list (ACL).
A VPN connection consists of:
Virtual private gateway: It is the VPN concentrator on the Amazon side of the Site-to-Site VPN
connection. You create a virtual private gateway and attach it to the VPC from which you want to create
the Site-to-Site VPN connection.

Transit Gateways: A transit gateway is a transit hub that you can use to interconnect your virtual private
clouds (VPC) and on-premises networks. It uses hub and spoke model to enable customers to connect
their on-premises data centers and their Amazon Virtual Private Clouds (VPCs) to a single gateway. Your
Site-to-Site VPN connection on a transit gateway can support either IPv4 traffic or IPv6 traffic inside the
VPN tunnels. As your cloud infrastructure expands globally, inter-Region peering connects transit
gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never
travels over the public internet.

Customer Gateway: It is a physical device or software application on your side of the Site-to-Site VPN
connection. You configure the device to work with the Site-to-Site VPN connection. It a resource that
you create in AWS that represents the customer gateway device in your on-premises network. When
you create a customer gateway, you provide information about your device to AWS.
Virtual Private Network: A VPN or Virtual Private Network creates a private, encrypted connection over
the public, shared or private network. It provides data protection and privacy by using dedicated
connections, traffic encryption or secure, virtual tunneling.
AWS VPN is comprised of two services:
AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to
your Amazon Virtual Private Cloud (Amazon VPC).
AWS Client VPN enables you to securely connect users to AWS or on-premises networks using a VPN
software client.
AWS PrivateLink: It provides private connectivity between VPCs, AWS services, and your on-premises
networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect
services across different accounts and VPCs to significantly simplify your network architecture. Since
traffic between your VPC and any one of these services does not leave the Amazon network, an Internet
gateway, NAT device, public IP address, or VPN connection is no longer needed to communicate with
the service. To use AWS PrivateLink, create an interface VPC endpoint for a service in your VPC. This
creates an Elastic Network Interface (ENI) in your subnet with a private IP address that serves as an
entry point for traffic destined to the service. Service endpoints available over AWS PrivateLink will
appear as ENIs with private IPs in your VPCs.
A VPC peering connection can be created between your VPCs, or with a VPC in another AWS account,
and enable routing of traffic between the VPCs using private IP addresses. You cannot create a VPC
peering connection between VPCs that have overlapping CIDR blocks.
Applications in an Amazon VPC can securely access AWS PrivateLink endpoints across VPC peering
connections. The support of VPC peering by AWS PrivateLink makes it possible for customers to privately
connect to a service even if that service’s endpoint resides in a different Amazon VPC that is connected
using VPC peering.
AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering
connections.
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network
connection from your premises to AWS. Using Private VIF on AWS Direct Connect, you establish a
private connection between AWS and your datacenter, office, or colocation environment. This can
increase bandwidth throughput and provide a more consistent network experience than internet-based
connections. AWS Direct Connect is compatible with all AWS services accessible over the Internet, and
lets you establish 1 Gbps or 10 Gbps dedicated network connections between AWS networks and one of
the AWS Direct Connect locations. Amazon Direct Connect also supports AWS Transit Gateway, aside
from configuring Site-to-Site VPN connections. With this feature, customers can connect thousands of
Amazon VPCs in multiple AWS Regions to their on-premises networks. Pricing is per port-hour consumed
for each port type. Data transfer out over AWS Direct Connect is charged per GB. Data transfer IN is
$0.00 per GB in all locations.
Working of AWS Direct Connect:
Decide on an AWS Direct Connect Location and Connection Size
Create your connection request on the AWS Management Console.
Download Letter of Authorization (LoA) from the AWS Management Console
Provide LoA to an APN Partner and ask them to establish the connection on your behalf.
Configure Virtual interfaces to establish network connectivity.
Subnets: A subnet is a section of a VPC in which you can group resources based on security or
operational needs. When you create a subnet, you specify the CIDR block for the subnet, which is a
subset of the VPC CIDR block. In a VPC, subnets can communicate with each other. To protect the AWS
resources in each subnet, use security groups and network access control lists (ACL).
There are three types of Subnets:
Public Subnet: If a subnet's traffic is routed to an internet gateway.
Private Subnet: If a subnet doesn't have a route to the internet gateway.
VPN-only Subnet: If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a
virtual private gateway for a Site-to-Site VPN connection.
Network access control list (ACL): It is an optional layer of security for your VPC that acts as a firewall
for controlling traffic in and out of one or more subnets.
Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound
and outbound IPv4 traffic and, if applicable, IPv6 traffic.
You can create a custom network ACL and associate it with a subnet. By default, each custom network
ACL denies all inbound and outbound traffic until you add rules.
Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a
subnet with a network ACL, the subnet is automatically associated with the default network ACL.
You can associate a network ACL with multiple subnets. However, a subnet can be associated with only
one network ACL at a time. When you associate a network ACL with a subnet, the previous association is
removed.
A network ACL contains a numbered list of rules. We evaluate the rules in order, starting with the lowest
numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the
network ACL. The highest number that you can use for a rule is 32766. We recommend that you start by
creating rules in increments (for example, increments of 10 or 100) so that you can insert new rules
where you need to later on.
A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the
rules for outbound traffic (and vice versa).
By default, your account’s default network ACL allows all inbound and outbound traffic, but you can
modify it by adding your own rules. For custom network ACLs, all inbound and outbound traffic is denied
until you add rules to specify which traffic should be allowed. Additionally, all network ACLs have an
explicit deny rule. This rule ensures that if a packet doesn’t match any of the other rules on the list, the
packet is denied.
Security Groups: A security group is a virtual firewall. It has inbound and outbound security rules in
which all inbound traffic is blocked by default in private on AWS EC2.
***Difference between Network ACLs and Security Groups
Network ACLs Security Groups
It supports both allow and deny rules, and by It supports only allow rules, and by default, all
default, all the rules are denied. You need to add the rules are denied. You cannot deny the rule for
the rule which you can either allow or deny it. establishing a connection
These are stateless, meaning any change applied These are stateful, which means any changes
to an incoming rule is not automatically applied which are applied to an incoming rule is
to an outgoing rule. automatically applied to a rule which is outgoing.
It is associated with a subnet. It is associated with an EC2 instance.
Rules are evaluated in order, starting from the All the rules are evaluated before deciding
lowest number. whether to allow the traffic.
NACL has applied automatically to all the Security group has to be explicitly assigned to an
instances which are associated with an instance. instance; it doesn’t associate itself to a subnet.
It is the second layer of defense, which helps It is the first defense layer that helps protect the
protect AWS stack Amazon Web Services infrastructure.
Amazon Route 53: It is a highly available and scalable cloud Domain Name System (DNS) web service. It
is designed to give developers and businesses an extremely reliable and cost-effective way to route end
users to Internet applications by translating names like www.example.com into the numeric IP
addresses like 192.0.2.1 that, computers use to connect to each other. Amazon Route 53 is fully
compliant with IPv6 as well. It connects user requests to infrastructure running in AWS (such as Amazon
EC2 instances and load balancers) as well as can route users to infrastructure outside of AWS. AWS
Route 53 takes its name with reference to Port 53, which handles DNS for both the TCP and UDP traffic
requests. Route 53 is an Authoritative DNS service, which contains information about the mapping of IP
addresses to domain names.
It can be used to perform three main functions:
Domain Registration: Route 53 lets you register a name for your website or web application, known as a
domain name. You can also transfer DNS records for existing domain names managed by other domain
registrars. This enables you to manage all of your domain names within a single location.
DNS Routing: When a user opens a web browser and enters your domain name (example.com) or
subdomain name (acme.example.com) in the address bar, Route 53 helps connect the browser with
your website or web application. It uses a variety of routing types, including Latency Based Routing, Geo
DNS, Geoproximity, and Weighted Round Robin—all of which can be combined with DNS Failover in
order to enable a variety of low-latency, fault-tolerant architectures.
Health Checking: Route 53 sends automated requests over the internet to a resource, such as a web
server, to verify that it's reachable, available, and functional. You also can choose to receive notifications
when a resource becomes unavailable and choose to route internet traffic away from unhealthy
resources.
Amazon CloudFront: Amazon CloudFront is a fast content delivery network (CDN) service that securely
delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds,
all within a developer-friendly environment. The server from which Amazon CloudFront gets your files is
known as origin. CloudFront offers the most advanced security capabilities, including field level
encryption and HTTPS support, seamlessly integrated with AWS Shield, AWS Web Application Firewall
and Amazon Route 53 to protect against multiple types of attacks including network and application
layer DDoS attacks. These services co-reside at edge networking locations – globally scaled and
connected via the AWS network backbone – providing a more secure, performant, and available
experience for your users.
It delivers your content through a worldwide network of data centers called edge locations. When a user
requests content that you’re serving with CloudFront, the user is routed to the edge location that
provides the lowest latency, so that content is delivered with the best possible performance.
If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
If the content is not in that edge location, CloudFront retrieves it from an origin that you’ve defined.