AWS Networking

PreviousAccessing AWS resources NextStorage

Last updated 4 months ago

AWS Networking

Amazon Virtual Private Cloud

A networking service that you can use to establish boundaries around your AWS resources is Amazon Virtual Private Cloud (Amazon VPC).
It is essentially a private cloud in AWS. It helps you to define a private IP address for your resources. For example, EC2 instances, ELBs, and other AWS resources inside this VPC.
A VPC allows to provision a logically isolated section of AWS cloud, where you can launch AWS resources in a virtual network which you have defined.
The above mentioned resources can belong to private or public .
How do you decide if something need to be public or private?
- Resources that need to be accessed by anyone in internet can be made public, and the ones that need not be accessed are made public
- For example, a service say a website that allows customer interaction can be made public and the backend of the service can be made private so the customers cannot directly interact with backend.
In a VPC, subnets can communicate with each other. For example, you might have an application that involves Amazon EC2 instances in a public subnet communicating with databases that are located in a private subnet.

Subnets

Subnets are chunks of IP addresses within your VPC, that allow to group resources together, based on security or operational needs.
Subnets can be public or private.
- Public subnets contain resources that need to be accessible by the public, such as an online store’s website.
- Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories.

Internet Gateway

This allows public traffic send over internet to enter our VPC.
Only public subnets have access to Internet gateway.

Virtual Private Gateway

This allows only private traffic (i.e from an approved network) and not public traffic to enter our VPC.
It is a encrypted VPN connection from a private network to VPC through internet.

AWS Direct Connect

This service allows to establish a dedicated fiber connection (physical connection) between your private network to AWS VPC.
The private connection that AWS Direct Connect provides helps you to reduce network costs and increase the amount of bandwidth that can travel through your network.

Understanding Traffic in a VPC

When a customer requests data from an application hosted in the AWS Cloud, this request is sent as a packet. A packet is a unit of data sent over the internet or a network.
Packet enters into a VPC through an internet gateway. Before a packet can enter into a subnet or exit from a subnet, checks for permissions to enter and exit are done. These permissions indicate who sent the packet and how the packet is trying to communicate with the resources in a subnet.
The VPC component that checks packet permissions for subnets is a network access control list (ACL).

Network Access Control List (NACL)

A network access control list (ACL) is a virtual firewall that controls inbound and outbound traffic at the subnet level.
Each AWS account includes a default network ACL. When configuring your VPC, you can use your account’s default network ACL or create custom network ACLs.
By default, your account’s default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules.
For custom network ACLs, all inbound and outbound traffic is denied until you add rules to specify which traffic to allow.
Additionally, all network ACLs have an explicit deny rule. This rule ensures that if a packet doesn’t match any of the other rules on the list, the packet is denied.
Network ACLs perform stateless packet filtering. They remember nothing and check packets that cross the subnet border each way: inbound and outbound.

Security groups

The VPC component that checks packet permissions for an Amazon EC2 instance is a security group.
Every EC2 instance has their own security group.
A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.
By default, a security group denies all inbound traffic and allows all outbound traffic. You can add custom rules to configure which traffic to allow or deny.
Security groups perform stateful packet filtering. They remember previous decisions made for incoming packets.

The Big Picture of VPC

AWS Domain Name Service

Amazon Route 53 is a DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS.
Amazon Route 53 connects user requests to infrastructure running in AWS such as Amazon EC2 instances and load balancers. It can route users to infrastructure outside of AWS.
Another feature of Route 53 is the ability to manage the DNS records for domain names. You can register new domain names directly in Route 53. You can also transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location.
It supports various routing policies such as,
- Latency-based routing
- Gelocation DNS
- Geoproximity routing
- Weighted round robin

PreviousAccessing AWS resources NextStorage

Last updated 4 months ago

Amazon Virtual Private Cloud

A networking service that you can use to establish boundaries around your AWS resources is Amazon Virtual Private Cloud (Amazon VPC).
It is essentially a private cloud in AWS. It helps you to define a private IP address for your resources. For example, EC2 instances, ELBs, and other AWS resources inside this VPC.
A VPC allows to provision a logically isolated section of AWS cloud, where you can launch AWS resources in a virtual network which you have defined.
The above mentioned resources can belong to private or public .
How do you decide if something need to be public or private?
- Resources that need to be accessed by anyone in internet can be made public, and the ones that need not be accessed are made public
- For example, a service say a website that allows customer interaction can be made public and the backend of the service can be made private so the customers cannot directly interact with backend.
In a VPC, subnets can communicate with each other. For example, you might have an application that involves Amazon EC2 instances in a public subnet communicating with databases that are located in a private subnet.

Subnets

Subnets are chunks of IP addresses within your VPC, that allow to group resources together, based on security or operational needs.
Subnets can be public or private.
- Public subnets contain resources that need to be accessible by the public, such as an online store’s website.
- Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories.

Internet Gateway

This allows public traffic send over internet to enter our VPC.
Only public subnets have access to Internet gateway.

Virtual Private Gateway

This allows only private traffic (i.e from an approved network) and not public traffic to enter our VPC.
It is a encrypted VPN connection from a private network to VPC through internet.

AWS Direct Connect

This service allows to establish a dedicated fiber connection (physical connection) between your private network to AWS VPC.
The private connection that AWS Direct Connect provides helps you to reduce network costs and increase the amount of bandwidth that can travel through your network.

Understanding Traffic in a VPC

When a customer requests data from an application hosted in the AWS Cloud, this request is sent as a packet. A packet is a unit of data sent over the internet or a network.
Packet enters into a VPC through an internet gateway. Before a packet can enter into a subnet or exit from a subnet, checks for permissions to enter and exit are done. These permissions indicate who sent the packet and how the packet is trying to communicate with the resources in a subnet.
The VPC component that checks packet permissions for subnets is a network access control list (ACL).

Network Access Control List (NACL)

A network access control list (ACL) is a virtual firewall that controls inbound and outbound traffic at the subnet level.
Each AWS account includes a default network ACL. When configuring your VPC, you can use your account’s default network ACL or create custom network ACLs.
By default, your account’s default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules.
For custom network ACLs, all inbound and outbound traffic is denied until you add rules to specify which traffic to allow.
Additionally, all network ACLs have an explicit deny rule. This rule ensures that if a packet doesn’t match any of the other rules on the list, the packet is denied.
Network ACLs perform stateless packet filtering. They remember nothing and check packets that cross the subnet border each way: inbound and outbound.

Security groups

The VPC component that checks packet permissions for an Amazon EC2 instance is a security group.
Every EC2 instance has their own security group.
A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.
By default, a security group denies all inbound traffic and allows all outbound traffic. You can add custom rules to configure which traffic to allow or deny.
Security groups perform stateful packet filtering. They remember previous decisions made for incoming packets.

The Big Picture of VPC

Read more about AWS VPC and .
Read about how VPC works

AWS Domain Name Service

Amazon Route 53 is a DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS.
Amazon Route 53 connects user requests to infrastructure running in AWS such as Amazon EC2 instances and load balancers. It can route users to infrastructure outside of AWS.
Another feature of Route 53 is the ability to manage the DNS records for domain names. You can register new domain names directly in Route 53. You can also transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location.
It supports various routing policies such as,
- Latency-based routing
- Gelocation DNS
- Geoproximity routing
- Weighted round robin