AWS Networking Fundamentals
Patrick M. Mutuku
Cloud Network Engineer | AWS Community Builder | 2X AWS Certified
Every AWS account comes with a default VPC in each region. It includes a /16 CIDR, one default subnet per Availability Zone, a default security group, a default network access control list (NACL), a main route table and an internet gateway, so you can launch instances without building a network first.
Choosing an IP address range for the VPC
The default VPC uses 172.31.0.0/16: the first 16 bits are the network portion and the last 16 bits are the host portion, so a /16 contains 2^16 (65,536) addresses. When you create your own VPC you pick the prefix length to match the size of the network; AWS accepts anything from /16 to /28. Note that AWS reserves the first four addresses and the last address of every subnet (network address, VPC router, DNS resolver, reserved for future use, broadcast), so a /24 subnet gives you 251 usable addresses rather than 254.
The default range comes from RFC 1918. The private address blocks are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Connecting a VPC to other networks (peered VPCs, VPCs in other accounts, on-premises sites) requires careful attention to avoid overlapping address ranges. AWS refuses to establish a peering connection between VPCs whose CIDRs overlap, and overlapping ranges elsewhere produce ambiguous routes and IP conflicts. Plan non-overlapping CIDRs up front: a VPC's primary CIDR cannot be changed after creation.
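The address-planning rules above (RFC 1918 range, /16 to /28 prefix, five reserved addresses per subnet, no overlap between VPCs you intend to peer) are easy to get wrong by hand. The following is an added example, not code from the article, that checks them with Python's standard ipaddress module. Restricting VPC CIDRs to RFC 1918 is treated here as a planning policy (AWS itself also accepts other ranges), and the AZ names and CIDRs in the demo are constructed.

```python
import ipaddress

# The RFC 1918 private blocks listed in the article. Enforcing them is a
# planning policy adopted in this example; AWS also accepts other ranges.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS resolver, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the network if it is usable as a VPC CIDR, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    if not any(net.subnet_of(block) for block in RFC1918):
        raise ValueError(f"{cidr}: not inside an RFC 1918 block")
    return net


def is_valid_vpc_cidr(cidr):
    """Boolean wrapper around validate_vpc_cidr for quick checks."""
    try:
        validate_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def carve_subnets(vpc_cidr, azs, new_prefix):
    """Assign one subnet of prefix length `new_prefix` to each AZ, in order."""
    vpc = validate_vpc_cidr(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    if len(azs) > len(candidates):
        raise ValueError(f"{vpc_cidr} only fits {len(candidates)} /{new_prefix} subnets")
    return {az: str(net) for az, net in zip(azs, candidates)}


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign in a subnet after AWS's reservations."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def peering_conflict(vpc_a, vpc_b):
    """True when the two CIDRs overlap, i.e. a peering request would be rejected."""
    return ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


if __name__ == "__main__":
    # Constructed plan: a /16 VPC split into /20 subnets across three AZs.
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
    plan = carve_subnets("10.0.0.0/16", azs, 20)
    for az, cidr in plan.items():
        print(f"{az}: {cidr} ({usable_hosts(cidr)} usable addresses)")
    # Two accounts that both kept the default 172.31.0.0/16 cannot be peered.
    print("default VPCs overlap:", peering_conflict("172.31.0.0/16", "172.31.0.0/16"))
```

The overlap check is the one to run before raising any peering request: two accounts that both kept the default VPC range will collide, which is the most common reason a peering design fails late.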
VPC and Availability Zones
AZ – physically separate fault (risk) domains within a region; spreading subnets across AZs is what gives the network redundancy.
Each subnet lives in exactly one AZ and takes a slice of the VPC's CIDR; resources in different AZs reach one another through the VPC's local route, so a VPC should have at least one subnet in every AZ it uses.
A VPC can run dual stack: IPv4 is mandatory, and an IPv6 CIDR can be associated alongside it.
Routing in a VPC is decided by route tables: each subnet is associated with one route table, and the most specific matching route decides where a packet is sent. Every route table carries a local route for the VPC CIDR that cannot be removed.
Connecting to the internet requires a public (or Elastic) IP address and an internet gateway (IGW). A subnet is "public" when its route table sends 0.0.0.0/0 to the IGW, which provides both inbound and outbound access.
A private subnet has no route to the IGW. Outbound traffic to the internet is routed through a NAT gateway that sits in a public subnet; the NAT gateway only forwards replies to connections initiated from inside, so nothing on the internet can open a connection to the private instances. Security groups and NACLs still need allow rules for whatever traffic is permitted.
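To make the public/private distinction concrete, here is an added example (not from the article) that mimics the VPC router's longest-prefix-match lookup over a few constructed route tables. The VPC CIDR, the peer CIDR and the target IDs (igw-example, nat-example, pcx-example) are placeholders, not real AWS resource IDs.

```python
import ipaddress


def lookup_route(route_table, dst_ip):
    """Longest-prefix match over (destination CIDR, target) pairs.

    Mimics how the VPC router picks a route: the most specific matching
    destination wins. Returns the target, or None when nothing matches
    (the packet is dropped).
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is public when its route table has a route to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def internet_can_initiate(route_table, instance_has_public_ip):
    """Can a host on the internet open a new connection to an instance in this subnet?

    Needs both an IGW route and a public/Elastic IP. A NAT gateway route
    only carries replies to connections the instance itself started.
    """
    return is_public_subnet(route_table) and instance_has_public_ip


# Constructed route tables for a 10.0.0.0/16 VPC (placeholder target IDs).
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-example")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-example")]
ISOLATED_RT = [(VPC_CIDR, "local")]   # no internet route at all
PEERED_RT = [(VPC_CIDR, "local"),
             ("10.1.0.0/16", "pcx-example"),   # peered VPC, more specific than 0.0.0.0/0
             ("0.0.0.0/0", "nat-example")]

if __name__ == "__main__":
    tables = [("public", PUBLIC_RT), ("private", PRIVATE_RT),
              ("isolated", ISOLATED_RT), ("peered", PEERED_RT)]
    for name, rt in tables:
        print(f"{name:8s} 10.0.1.5 -> {lookup_route(rt, '10.0.1.5')}, "
              f"10.1.0.9 -> {lookup_route(rt, '10.1.0.9')}, "
              f"8.8.8.8 -> {lookup_route(rt, '8.8.8.8')}")
```

The isolated table shows the safest default for data-tier subnets: with no 0.0.0.0/0 route at all, an internet-bound packet has no target and is dropped before any firewall rule is consulted.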
Network Security
Comprises Security Groups, NACLs and Flow Logs.
SG – a stateful, distributed firewall that AWS enforces at the elastic network interface: a request permitted in one direction automatically has its response permitted in the other, for both inbound and outbound rules.
Rules can reference another security group by its ID instead of a CIDR, so traffic is permitted according to the application's tier structure (for example, only members of the web-tier SG may reach the database-tier SG on the database port).
Differences between SG and NACL
Security Group
Applies at the instance level (attached to an elastic network interface)
Supports allow rules only; anything not explicitly allowed is dropped
All rules are evaluated before a decision is made
Stateful – return traffic is automatically permitted
NACL
Operates at the subnet level
Supports allow and deny rules
Rules are evaluated in ascending rule-number order; the first match wins, with an implicit deny at the end
Stateless – return traffic must be explicitly permitted (typically an outbound allow for ephemeral ports 1024-65535)
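The stateful/stateless difference is where most "the security group allows it but the connection still hangs" tickets come from. The following added example (not from the article) models both evaluators and runs one HTTPS connection through them; the client and server addresses, ports and rule sets are constructed, and the rule tuple layout is this example's own, not an AWS API shape.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = towards the instance, "out" = away from it
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _matches(rule_proto, lo, hi, cidr, proto, port, peer):
    """Shared rule test: protocol, destination port range and peer CIDR."""
    return (rule_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Stateful, allow-only. Rules are (direction, proto, port_lo, port_hi, cidr)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._flows = set()   # connection-tracking table

    def evaluate(self, pkt):
        # A reply to a tracked flow is allowed regardless of the rule set.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True
        for direction, proto, lo, hi, cidr in self.rules:
            peer = pkt.src if direction == "in" else pkt.dst
            if direction == pkt.direction and _matches(proto, lo, hi, cidr,
                                                       pkt.proto, pkt.dport, peer):
                self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False   # there are no deny rules; unmatched traffic is just dropped


class NetworkAcl:
    """Stateless. Rules are (number, direction, action, proto, port_lo, port_hi, cidr).

    Evaluated in ascending rule-number order, first match wins, and the
    trailing catch-all (AWS shows it as rule '*') denies everything else.
    """

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])

    def evaluate(self, pkt):
        for _num, direction, action, proto, lo, hi, cidr in self.rules:
            if direction != pkt.direction:
                continue
            peer = pkt.src if direction == "in" else pkt.dst
            if _matches(proto, lo, hi, cidr, pkt.proto, pkt.dport, peer):
                return action == "allow"
        return False


def web_server_scenario(extra_nacl_rules):
    """Constructed flow: client 203.0.113.10 opens HTTPS to web server 10.0.1.10."""
    request = Packet("in", "tcp", "203.0.113.10", 51515, "10.0.1.10", 443)
    reply = Packet("out", "tcp", "10.0.1.10", 443, "203.0.113.10", 51515)

    # SG: inbound 443 only, deliberately no outbound rule at all.
    sg = SecurityGroup([("in", "tcp", 443, 443, "0.0.0.0/0")])
    # NACL: inbound 443 allowed; caller supplies the rest.
    nacl = NetworkAcl([(100, "in", "allow", "tcp", 443, 443, "0.0.0.0/0")]
                      + list(extra_nacl_rules))
    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),        # True via connection tracking
        "nacl_request": nacl.evaluate(request),
        "nacl_reply": nacl.evaluate(reply),    # False unless ephemeral ports are opened
    }


if __name__ == "__main__":
    print("no outbound NACL rule:", web_server_scenario([]))
    ephemeral = (100, "out", "allow", "tcp", 1024, 65535, "0.0.0.0/0")
    print("with ephemeral allow:  ", web_server_scenario([ephemeral]))
    block = (50, "in", "deny", "tcp", 443, 443, "203.0.113.0/24")
    print("deny at lower number:  ", web_server_scenario([block, ephemeral]))
```

The third run shows the one thing a security group cannot do: a deny rule with a lower number beats the later allow, which is how you block an abusive source at the subnet edge without touching every instance's SG.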
-Flow logs can be enabled at the VPC, subnet or network-interface (ENI) level and deliver records to an S3 bucket, CloudWatch Logs or Kinesis Data Firehose.
Flow logs provide network visibility, making it possible to troubleshoot connectivity and analyse traffic flows. The default record carries source and destination addresses and ports, protocol, packet and byte counts, and whether the security group/NACL decision was ACCEPT or REJECT. They capture metadata only, never packet payloads, and some traffic (for example, queries to the Amazon-provided DNS resolver) is not logged.
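Flow logs are only useful once you parse them, so here is an added example (not from the article) that reads records in the default flow-log format and pulls out the two things an analyst looks for first: which sources are being rejected, and which of them are sweeping ports. The sample records are constructed; the account ID and ENI ID are placeholders.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) flow-log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one accepted HTTPS session, a sweep of admin ports from
# 198.51.100.7 rejected by SG/NACL, internal DB traffic, a single stray
# reject, and a NODATA record whose traffic fields are '-'.
SAMPLE_LOG = """\
2 111122223333 eni-0example 203.0.113.10 10.0.1.10 51515 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example 198.51.100.7 10.0.1.10 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example 198.51.100.7 10.0.1.10 40002 23 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example 198.51.100.7 10.0.1.10 40003 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example 198.51.100.7 10.0.1.10 40004 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example 10.0.1.10 10.0.2.20 49152 5432 6 8 1024 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example 192.0.2.55 10.0.1.10 51000 443 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Turn one default-format record into a dict; '-' becomes None for numeric fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejects_by_source(records):
    """How many rejected flows each source address produced."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def port_sweep_sources(records, min_ports=3):
    """Sources whose rejected flows touched at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("port sweeps:", port_sweep_sources(recs))
```

A REJECT here means the security group or NACL dropped the flow; when an application team reports a timeout, filtering the records for their instance's ENI and action REJECT is usually faster than re-reading every rule.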
DNS in a VPC
Performs two functions, each controlled by a VPC attribute:
-enableDnsSupport: provides DNS resolution through the Amazon-provided resolver at the VPC base address plus two (10.0.0.2 for a 10.0.0.0/16 VPC).
-enableDnsHostnames: ensures EC2 automatically assigns DNS hostnames to instances (public hostnames only for instances that have a public IP).
Options for connecting to VPCs (Higher level services)
VPC Peering
Allows connectivity between two VPCs in a one-to-one relationship. Peering is not transitive: if A is peered with B and B with C, A cannot reach C through B.
It can be done for VPCs in different regions and in different accounts.
The CIDR ranges must not overlap.
Establishing VPC peering involves the requester sending a request and the accepter accepting it. The connection alone carries no traffic: you then add routes in both VPCs' route tables that point at the peering connection, and open the security groups and NACLs on each side.
Transit Gateway
Helps address the scaling limit of VPC peering: because peering is one-to-one and non-transitive, a full mesh of N VPCs needs N(N-1)/2 peering connections, whereas a transit gateway needs only one attachment per VPC.
Acts as a regional hub router: VPCs (and VPN or Direct Connect attachments) in the same region attach to it and talk to each other through centralized IP connectivity. The VPCs can be in different accounts, and transit gateways in different regions can be peered with one another.
The choice between VPC peering and a transit gateway comes down to the number of connections needed and whether transitive routing is wanted: a handful of VPCs can be peered directly, while many VPCs or a hub-and-spoke design call for a transit gateway.
For more information on VPC sharing, VPC endpoints, AWS PrivateLink and AWS Global Accelerator, see https://www.youtube.com/watch?v=hiKPPy584Mg