Unit 2 - Notes
INT364
Unit 2: Networking and Connectivity in AWS
This unit focuses on the foundational elements of AWS networking, specifically the Amazon Virtual Private Cloud (VPC), securing network traffic, managing connectivity between VPCs, establishing hybrid cloud connections, and adhering to architectural best practices.
1. Amazon VPC and Subnet Design
Amazon Virtual Private Cloud (Amazon VPC) is a logically isolated section of the AWS Cloud dedicated to your AWS account. It gives you complete control over the virtual networking environment.
Core Components
- VPC (Virtual Private Cloud): A virtual network dedicated to your account. It is regionally scoped.
- CIDR Block: When creating a VPC, you assign an IPv4 Classless Inter-Domain Routing (CIDR) block (e.g., 10.0.0.0/16).
- Size Limits: The allowed block size is between /16 (65,536 IPs) and /28 (16 IPs).
- Subnets: A range of IP addresses in your VPC. Subnets map to a single Availability Zone (AZ) to provide physical isolation and high availability.
- Public Subnet: Has a direct route to an Internet Gateway (IGW). Used for web servers, load balancers.
- Private Subnet: No direct route to the IGW. Used for databases, backend logic. Accesses the internet via a NAT Gateway.
- Reserved IPs: AWS reserves the first 4 and the last 1 IP address in every subnet block.
- Route Tables: Each contains a set of rules (routes) that determine where traffic from the associated subnets is directed.
- Local Route: Automatically added to allow communication between all resources within the VPC CIDR. Cannot be deleted.
- Destination/Target: e.g., 0.0.0.0/0 -> igw-xxxxxxxx.
Gateways
- Internet Gateway (IGW): Horizontally scaled, redundant, and highly available component that allows communication between instances in your VPC and the internet.
- NAT Gateway: Managed service allowing instances in a private subnet to connect to the internet (e.g., for updates) but preventing the internet from initiating connections with those instances.
- Egress-Only Internet Gateway: Similar to NAT Gateway but specifically for IPv6 traffic.
Design Principles for Subnets
- Multi-AZ Deployment: Always create subnets in at least two Availability Zones to ensure high availability.
- Tiered Architecture:
- Web Tier (Public): Hosts ALBs or Bastion hosts.
- App Tier (Private): Hosts application logic.
- Data Tier (Private): Hosts RDS/DynamoDB; usually restricted to access only from the App Tier.
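The CIDR limits, the five reserved addresses per subnet, and the tier-per-AZ layout above, worked through as an added example (not part of the original notes; the VPC range, AZ names and tier names are constructed):

```python
import ipaddress

# AWS reserves 5 addresses per subnet: network address, VPC router, DNS resolver,
# one held for future use (the first four) and the broadcast address (the last one).
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject VPC CIDRs outside the /16 .. /28 range AWS accepts."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR block must be between /16 and /28")
    return net


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses actually assignable to ENIs after AWS's reservations."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: list, tiers: list, prefixlen: int = 24) -> dict:
    """Carve one subnet per (tier, AZ) pair out of the VPC CIDR, tier by tier.

    Returns {(tier, az): IPv4Network}.  Raises ValueError if the VPC cannot hold
    len(tiers) * len(azs) subnets of the requested size, so the plan fails early
    instead of silently leaving one tier without a subnet in some AZ.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    if prefixlen > 28:
        raise ValueError("subnets must be /28 or larger")
    candidates = vpc.subnets(new_prefix=prefixlen)  # generator of sequential blocks
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[(tier, az)] = next(candidates)
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} has no room for ({tier}, {az}) at /{prefixlen}"
                ) from None
    return plan


if __name__ == "__main__":
    # Constructed layout: three tiers spanning two AZs, as the notes recommend.
    layout = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], ["web", "app", "data"])
    for (tier, az), net in layout.items():
        print(f"{tier:4} {az:10} {net}  usable hosts: {usable_hosts(net)}")
```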
2. Securing Network Resources
AWS provides two layers of firewalls to control traffic: Security Groups (Instance level) and Network ACLs (Subnet level).
Security Groups (SG)
- Scope: Applied to Network Interfaces (ENIs) attached to EC2 instances.
- Type: Stateful. If an inbound request is allowed, the outbound response is automatically allowed, regardless of outbound rules.
- Rules:
- Supports ALLOW rules only (cannot create DENY rules).
- All inbound traffic is blocked by default; all outbound traffic is allowed by default.
- Reference: You can reference other Security Groups as a source (e.g., Allow traffic on Port 3306 only from the "Web-Server-SG").
Network Access Control Lists (NACLs)
- Scope: Applied at the Subnet level. Acts as a firewall for all instances within that subnet.
- Type: Stateless. Return traffic must be explicitly allowed by rules.
- Rules:
- Supports both ALLOW and DENY rules.
- Processed in numbered order (lowest number first). If rule #100 denies traffic and rule #110 allows it, traffic is denied.
- Default NACL allows all inbound/outbound traffic. Custom NACLs deny everything by default.
Comparison Summary
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules evaluated | Numbered order |
| Use Case | First line of defense | Block specific IPs/Subnets |
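The Security Group and NACL semantics summarised above (allow-only and stateful versus ordered, stateless, deny-capable), as an added simulation that is not part of the original notes. The rule sets and addresses are constructed and reproduce the notes' "#100 denies, #110 allows" case:

```python
from ipaddress import ip_address, ip_network

# Rule tuples: (number, action, cidr, (low_port, high_port)); ports=None means all ports.
# Inbound NACL rules are matched on the SOURCE address, outbound rules on the DESTINATION.

def nacl_evaluate(rules, addr: str, port: int) -> str:
    """Network ACL semantics: rules are checked in ascending number order and the
    first match wins; anything unmatched hits the implicit '*' rule, which denies
    (so a custom NACL with no rules blocks everything)."""
    for number, action, cidr, ports in sorted(rules, key=lambda r: r[0]):
        if ip_address(addr) not in ip_network(cidr):
            continue
        if ports is not None and not (ports[0] <= port <= ports[1]):
            continue
        return action
    return "deny"


def nacl_flow_allowed(inbound, outbound, client_ip: str, client_port: int, server_port: int) -> bool:
    """Stateless: the client's request AND the server's reply are judged separately.
    The reply goes back to the client's ephemeral port, so the outbound rule set
    must allow that explicitly or the connection never completes."""
    request_ok = nacl_evaluate(inbound, client_ip, server_port) == "allow"
    reply_ok = nacl_evaluate(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


def sg_flow_allowed(inbound_allow, client_ip: str, server_port: int) -> bool:
    """Security group semantics: allow rules only, no ordering, and stateful:
    once the request matches an inbound allow rule the reply is admitted
    automatically, so outbound rules are never consulted for it."""
    return any(
        ip_address(client_ip) in ip_network(cidr)
        and (ports is None or ports[0] <= server_port <= ports[1])
        for cidr, ports in inbound_allow
    )


# Constructed rule sets: #100 denies one range first, #110 then allows HTTPS from anywhere.
INBOUND_NACL = [
    (100, "deny", "203.0.113.0/24", (443, 443)),
    (110, "allow", "0.0.0.0/0", (443, 443)),
]
OUTBOUND_NACL = [(100, "allow", "0.0.0.0/0", (1024, 65535))]  # replies to ephemeral ports
WEB_SG_INBOUND = [("0.0.0.0/0", (443, 443))]

if __name__ == "__main__":
    print(nacl_evaluate(INBOUND_NACL, "203.0.113.7", 443))                   # deny: #100 wins
    print(nacl_flow_allowed(INBOUND_NACL, [], "198.51.100.9", 51515, 443))  # False: no reply rule
    print(sg_flow_allowed(WEB_SG_INBOUND, "198.51.100.9", 443))              # True: stateful
```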
3. Connecting to Managed AWS Services
When resources in a private subnet need to access public AWS services (like S3 or DynamoDB), routing traffic over the public internet (via NAT Gateway) introduces cost and security risks. VPC Endpoints solve this by keeping traffic within the AWS network.
Gateway Endpoints
- Supported Services: Amazon S3 and Amazon DynamoDB only.
- Mechanism: Updates the Route Table with a prefix list (e.g., pl-xxxx) pointing to the service.
- Cost: Free of charge.
- Connectivity: Does not require an ENI or private IP address.
Interface Endpoints (AWS PrivateLink)
- Supported Services: Most other AWS services (EC2 API, SNS, SQS, Kinesis, etc.).
- Mechanism: Creates an Elastic Network Interface (ENI) in your subnet with a private IP address. Traffic is directed to this IP.
- Cost: Billed per hour and per GB of data processed.
- Security: Allows you to access services privately without an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect connection.
4. VPC Peering and AWS Transit Gateway
As organizations scale, they often require multiple VPCs (e.g., per environment or department). Connecting them requires specific strategies.
VPC Peering
- Definition: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
- Characteristics:
- Non-Transitive: If VPC A peers with VPC B, and VPC B peers with VPC C, VPC A cannot talk to VPC C. You must create a separate peering connection between A and C.
- CIDR Overlap: VPCs with overlapping CIDR blocks cannot be peered.
- Scope: Works across accounts and across regions (Inter-Region Peering).
- Use Case: Simple, 1-to-1 connections where full mesh connectivity is not required.
AWS Transit Gateway (TGW)
- Definition: A central hub that connects VPCs and on-premises networks.
- Characteristics:
- Transitive Routing: Acts as a router. VPC A can talk to VPC C via the Transit Gateway.
- Hub-and-Spoke: Dramatically simplifies the network topology compared to a peering mesh.
- Scale: Supports thousands of VPC attachments.
- Route Tables: TGW has its own route tables to control traffic flow between attachments.
- Use Case: Complex network architectures, multiple accounts, and hybrid environments requiring centralized traffic management.
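The peering rules (no overlapping CIDRs, non-transitive) and the Transit Gateway's own route tables, worked through as an added example for both passages above. This is not code from the original notes; the VPC names, CIDR blocks and route-table names are constructed:

```python
from ipaddress import ip_network

# Constructed VPCs; "D" deliberately reuses A's CIDR to show the overlap rule.
VPCS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16", "D": "10.0.0.0/16"}


def peering_allowed(vpcs: dict, a: str, b: str) -> bool:
    """VPC peering is refused when the two CIDR blocks overlap."""
    return not ip_network(vpcs[a]).overlaps(ip_network(vpcs[b]))


def peering_reachable(peerings: list, src: str, dst: str) -> bool:
    """Peering is non-transitive: only a direct src<->dst connection counts,
    even when src-X and X-dst both exist."""
    return any({src, dst} == set(p) for p in peerings)


def tgw_reachable(associations: dict, routes: dict, vpcs: dict, src: str, dst: str) -> bool:
    """Transit Gateway: the source attachment's associated TGW route table is
    consulted with longest-prefix match, and the winning route's target must be
    the destination attachment.  Separate route tables give segmentation."""
    rt = associations.get(src)
    if rt is None:
        return False
    target = ip_network(vpcs[dst])
    best = None
    for cidr, attachment in routes.get(rt, {}).items():
        net = ip_network(cidr)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attachment)
    return best is not None and best[1] == dst


# Constructed topologies: a peering chain A-B-C, and a TGW with one shared route table.
PEERINGS = [("A", "B"), ("B", "C")]
TGW_ASSOC = {"A": "rt-shared", "B": "rt-shared", "C": "rt-shared"}
TGW_ROUTES = {"rt-shared": {"10.0.0.0/16": "A", "10.1.0.0/16": "B", "10.2.0.0/16": "C"}}

if __name__ == "__main__":
    print(peering_allowed(VPCS, "A", "D"))                       # False: identical CIDR
    print(peering_reachable(PEERINGS, "A", "C"))                 # False: non-transitive
    print(tgw_reachable(TGW_ASSOC, TGW_ROUTES, VPCS, "A", "C"))  # True: hub routes A -> C
```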
5. Remote Connectivity (Hybrid Cloud)
Connecting on-premises data centers to AWS VPCs.
AWS Site-to-Site VPN
- Technology: Uses IPsec (Internet Protocol Security) over the public internet.
- Components:
- Virtual Private Gateway (VGW): Attached to the VPC (AWS side).
- Customer Gateway (CGW): Physical or software appliance on the customer side.
- Performance:
- Quick to provision (minutes).
- Bandwidth is limited (approx 1.25 Gbps per tunnel).
- Latency is variable due to internet routing.
- Redundancy: AWS automatically provisions two tunnels per connection for HA.
AWS Direct Connect (DX)
- Technology: Dedicated physical fiber connection from your premises to an AWS location (bypassing the public internet).
- Performance:
- High bandwidth (1 Gbps, 10 Gbps, or 100 Gbps dedicated).
- Consistent, low latency.
- High reliability.
- Components:
- Direct Connect Location: A co-location facility where AWS equipment resides.
- Cross Connect: Physical cable connecting your router to the AWS router.
- Direct Connect Gateway: Allows a single Direct Connect connection to access VPCs in multiple distinct Regions.
- Implementation Time: Can take weeks to provision (physical cabling required).
6. Monitoring and Well-Architected Principles
Network Monitoring Tools
- VPC Flow Logs:
- Captures information about the IP traffic going to and from network interfaces in your VPC.
- Data includes: Source/Dest IP, Port, Protocol, Packet counts, and Action (ACCEPT/REJECT).
- Use Case: Debugging Security Group rules (identifying blocked traffic).
- VPC Traffic Mirroring:
- Copies inbound and outbound traffic from an ENI and sends it to a monitoring appliance (like an IDS/IPS) or Load Balancer.
- Use Case: Deep packet inspection, threat detection, and troubleshooting.
- VPC Reachability Analyzer:
- A static configuration analysis tool. It does not send packets but analyzes network configurations (Routes, SGs, NACLs) to determine if connectivity is possible between two points.
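The Flow Logs use case above (finding traffic that a Security Group or NACL rejected), as an added example that is not part of the original notes. The log lines follow the default VPC Flow Logs field order; the account id, ENI ids, addresses and timestamps are constructed sample data:

```python
from collections import Counter

# Field order of the default VPC Flow Logs format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: two rejected SSH probes, one accepted HTTPS flow, an interval
# with no traffic (NODATA), and an app-to-database attempt the data tier rejected.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 41234 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51000 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 41235 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0c9d8e7f6a5b43210 10.0.1.25 10.0.2.40 53022 3306 6 6 360 1700000000 1700000060 REJECT OK
"""


def parse_flow_log(text: str) -> list:
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA
    records (their traffic fields are '-') and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["proto_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
        records.append(rec)
    return records


def rejected_flows(records: list) -> Counter:
    """Count REJECT records per (interface, src, dst, dstport, protocol): the view
    needed to decide whether an SG or NACL rule is missing or wrongly scoped."""
    return Counter(
        (r["interface_id"], r["srcaddr"], r["dstaddr"], r["dstport"], r["proto_name"])
        for r in records if r["action"] == "REJECT"
    )


if __name__ == "__main__":
    for (eni, src, dst, port, proto), n in rejected_flows(parse_flow_log(SAMPLE_LOG)).most_common():
        print(f"{n:3}x {src} -> {dst}:{port}/{proto} rejected on {eni}")
```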
Well-Architected Framework (Networking Lens)
- Operational Excellence:
- Use Infrastructure as Code (IaC) (CloudFormation/Terraform) to deploy networks.
- Tag all network resources for cost allocation and management.
- Security:
- Implement Defense in Depth: Use both Security Groups and NACLs.
- Use VPC Endpoints to keep traffic off the public internet.
- Enable Flow Logs for auditing.
- Reliability:
- Span VPCs across multiple Availability Zones.
- Use redundant VPN tunnels or Direct Connect with a VPN backup.
- Performance Efficiency:
- Use Placement Groups (Cluster) for low-latency EC2-to-EC2 communication.
- Enable Jumbo Frames (MTU 9001) for high throughput within the VPC.
- Cost Optimization:
- Use VPC Endpoints (Gateway type) to avoid NAT Gateway data processing charges.
- Analyze data transfer costs across AZs and Regions.