AWS Network Services Part.1
AWS Network Services Part.1 - By Mohamed Alhenawy


This article is intended for engineers focused on AWS network services.

Today I am going to write about the network services in Amazon Web Services, give a brief overview of each service individually, and show how AWS can help you have a successful transformation journey. This article will include a summary of the topics below:

  • AWS Global Infrastructure.
  • AWS Region.
  • AWS Availability Zone.
  • AWS Virtual Private Cloud.
  • VPC Addressing CIDR.
  • Public and Private Subnets.
  • VPC Subnets.
  • VPC Route Table.
  • Elastic Network Interfaces.
  • Security Groups.
  • Network Access Control Lists (NACLs).
  • AWS Elastic Compute Cloud (EC2).
  • AWS Internet Gateway (IGW).
  • AWS Virtual Private Network (VPN).
  • AWS Virtual Private Gateway (VGW).
  • AWS Site-to-Site VPN Connection.
  • AWS Client VPN Endpoint.
  • AWS Transit Gateway (TGW).
  • AWS Transit Gateway Attachments.
  • AWS Transit Gateway Policy Table.
  • AWS Transit Gateway Route Table.
  • AWS Reachability Analyzer.
  • AWS Transit Gateway Peering.

AWS Global Infrastructure :-

As we know, Amazon Web Services is a leader among cloud providers around the world and serves more than 1 million customers. Based on this, AWS delivers its services with low latency and high throughput to help its customers achieve their goals without issues, and to meet this demand AWS keeps extending its infrastructure to satisfy global requirements. The AWS global infrastructure is placed in multiple Regions, and each Region has its own Availability Zones.

To learn more about the current global Regions, please check out this link:

https://aws.amazon.com/about-aws/global-infrastructure/

AWS Region :-

A Region is a geographic location where cloud resources are located and run. AWS has 31 Regions around the world, and each Region is designed to be completely isolated from the other Regions; this isolation achieves the greatest possible fault tolerance and stability. Each Region has its own Availability Zones; each AZ is isolated, but the AZs are interconnected through low-latency, high-bandwidth links.

To learn more about the current global Regions, please check out this link:

https://aws.amazon.com/about-aws/global-infrastructure/

AWS Availability Zone :-

Availability Zones consist of one or more discrete data centers, and each Availability Zone has redundant power, networking, and connectivity. Availability Zones let you run your applications and services with higher availability, resiliency, scalability, etc.

To learn more about the current global Regions, please check out this link:

https://aws.amazon.com/about-aws/global-infrastructure/

AWS Virtual Private Cloud :-

Amazon VPC is the networking service that helps you create a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This service includes BYOIP, subnets, route tables, internet gateways, DHCP options, Elastic IPs for public addressing, NAT gateways, endpoint services, etc. You customize your VPC based on your solution and use case.

For example:

To deploy an application with a modernized architecture and migrate away from a monolith (the old fashion), create a VPC for WEB, a VPC for APP and a VPC for Database; create subnets for each VPC, including private and public subnets; and create an IGW for the public subnet to provide internet access to the VPC. We will discuss this in more detail in the future with hands-on exercises.

VPC Addressing CIDR :-

CIDR (Classless Inter-Domain Routing) is a method of assigning IP address ranges to networks. The subnet mask (prefix length) decides how many bits of the base IP identify the network and how many remain for addresses inside it.

  • /0 allows for all IPs = 2^32
  • /24 allows for 256 IPs = 2^8
  • /16 allows for 65,536 IPs = 2^16

For example, VPC-A has CIDR 10.10.0.0/16, and inside VPC-A there are multiple subnets, both private and public: Private subnet-1 (10.10.1.0/24), Private subnet-2 (10.10.2.0/24), Private subnet-3 (10.10.3.0/24) and Public Subnet (10.10.100.0/24). The public subnet routes its traffic to the AWS IGW to reach the internet.
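The sizing rule and the VPC-A plan above, as an added example that is not part of the article: it uses only Python's standard ipaddress module, computes block sizes the way the article does, and goes a step further by checking that every subnet fits inside the VPC CIDR and that no two subnets overlap. The usable-host figure subtracts the five addresses AWS reserves in every subnet, which is AWS behaviour rather than something the article states; the "bad plan" at the end is constructed to show the checks firing.

```python
"""Added example (not from the article): checking a VPC addressing plan with
Python's standard ipaddress module.

Prefix sizing follows the article (/n gives 2**(32-n) addresses). The plan
check goes further than the article's text: every subnet must sit inside the
VPC CIDR and no two subnets may overlap. Usable hosts are 5 fewer than the
block size because AWS reserves the first four and the last address of every
subnet (AWS behaviour, not something the article states)."""
import ipaddress
from typing import Dict, List

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def addresses_in_prefix(prefix_len: int) -> int:
    """Number of IPv4 addresses in a /prefix_len block (article: /24 -> 256)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return 2 ** (32 - prefix_len)


def usable_hosts(cidr: str) -> int:
    """Addresses that EC2 instances can actually take in an AWS subnet."""
    block = addresses_in_prefix(ipaddress.ip_network(cidr).prefixlen)
    return block - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return the problems found in a plan; an empty list means it is clean."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC CIDR {vpc_cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


# The article's VPC-A example: a /16 VPC holding three private /24s and one public /24.
VPC_A = "10.10.0.0/16"
VPC_A_SUBNETS = {
    "Private subnet-1": "10.10.1.0/24",
    "Private subnet-2": "10.10.2.0/24",
    "Private subnet-3": "10.10.3.0/24",
    "Public Subnet": "10.10.100.0/24",
}

if __name__ == "__main__":
    for p in (0, 16, 24, 28):
        print(f"/{p:<2} -> {addresses_in_prefix(p):>10} addresses")
    print("usable hosts in 10.10.1.0/24:", usable_hosts("10.10.1.0/24"))
    print("VPC-A plan problems:", check_plan(VPC_A, VPC_A_SUBNETS) or "none")
    # A constructed bad plan: one subnet reuses part of the public block, one is outside the VPC.
    bad = dict(VPC_A_SUBNETS, **{"Public Subnet-2": "10.10.100.0/25", "DB": "10.11.0.0/24"})
    for problem in check_plan(VPC_A, bad):
        print("problem:", problem)
```

Running the file prints the block sizes for /0, /16, /24 and /28, reports the article's plan as clean, and lists the two problems in the constructed bad plan. `strict=True` matters: a CIDR like 10.10.1.1/24 has host bits set and would be rejected by the console, so the check rejects it too instead of silently normalizing it.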

VPC Subnets :-

A subnet is a range of IP addresses in your VPC. It is logically isolated from other virtual networks in the AWS Cloud.

What are Public and Private subnets :-

IANA established certain blocks of IPv4 addresses for private and public use. We use private subnets for internal connectivity inside the VPC, and public subnets are used to reach the internet by routing all of the public subnet's unknown traffic to the IGW (0.0.0.0/0 -> IGW).

VPC Route Table :-

A route table contains routes, subnet associations (public or private), edge associations and route propagation; you can create multiple route tables for each VPC.

Example: VPC-A has 2 subnets (private and public), so we can create 2 route tables: one RTB for the private subnet and another for the public subnet with a default route to the IGW to reach the internet.
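The two route tables of that example, as an added illustration that is not part of the article: a longest-prefix-match lookup over a private RTB and a public RTB for the VPC-A CIDR. The `local` route is what AWS adds to every route table automatically; the on-premises route via a VGW in the private table is an assumption added for illustration, and the gateway ids are placeholders.

```python
"""Added example (not from the article): longest-prefix-match lookup over the
two route tables of the article's VPC-A example. Every VPC route table carries
an implicit 'local' route for the VPC CIDR; the public table adds
0.0.0.0/0 -> IGW. The private table here also carries an on-premises route via
a VGW, which is an assumption for illustration. Target ids are placeholders."""
import ipaddress
from typing import Dict, Optional

VPC_CIDR = "10.10.0.0/16"

# Route tables as {destination CIDR: target}. The 'local' route is added by AWS itself.
PRIVATE_RTB: Dict[str, str] = {
    VPC_CIDR: "local",
    "172.16.0.0/12": "vgw-PLACEHOLDER",  # assumed on-premises range reached over Site-to-Site VPN
}
PUBLIC_RTB: Dict[str, str] = {
    VPC_CIDR: "local",
    "0.0.0.0/0": "igw-PLACEHOLDER",      # default route: everything unknown goes to the IGW
}


def lookup(route_table: Dict[str, str], destination: str) -> Optional[str]:
    """Return the target of the most specific matching route, or None when the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    best_len, best_target = -1, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def is_public_subnet_table(route_table: Dict[str, str]) -> bool:
    """In AWS terms a subnet is public only if its route table sends traffic to an internet gateway."""
    return any(target.startswith("igw-") for target in route_table.values())


if __name__ == "__main__":
    for name, rtb in (("VPC-A-Private-RTB", PRIVATE_RTB), ("VPC-A-Public-RTB", PUBLIC_RTB)):
        print(f"{name}: public={is_public_subnet_table(rtb)}")
        for dst in ("10.10.2.15", "172.16.5.5", "8.8.8.8"):
            print(f"  {dst:>12} -> {lookup(rtb, dst)}")
```

The lookup shows why the `local` route always wins for in-VPC destinations even when a 0.0.0.0/0 route exists: the /16 is more specific than the /0. A destination with no matching route returns None, which is how a private subnet without an IGW route behaves for internet addresses.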

Elastic Network Interface :-

An ENI (Elastic Network Interface) is a logical component in the VPC that represents a virtual network card. You can create an ENI and attach it to an EC2 instance. An ENI supports a primary and secondary private IPs, one public IP address, and more than one security group (it is not limited to one). We use additional ENIs for EC2 instances that need to be dual-homed or for high-availability solutions.

AWS Security Group :-

AWS security groups act as virtual firewalls for Elastic Compute Cloud (EC2) instances to control their traffic. A security group specifies the inbound and outbound traffic of the EC2 instance with restrictions including port number, authorized IP addresses, protocol, and source and destination. A security group can be attached to multiple instances and is specific to a Region. All inbound traffic is blocked by default.

AWS Network Access Control List :-

An AWS network ACL (NACL) works at the subnet level to control traffic, allowing or denying specific traffic for the whole subnet. Each VPC has a default NACL that you can use, and you can create your own NACL and assign it to a specific subnet in the VPC. Each subnet can be associated with only one NACL. The default NACL allows all inbound and outbound traffic. A NACL matches traffic based on protocol, traffic type, port number, and source and destination, and has two actions (Allow, Deny).
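The security group and NACL sections above, as one added example that is not part of the article: a small model of both filtering layers showing the two properties that matter in practice, that a security group is stateful (an accepted inbound connection's replies pass without an outbound rule) while a NACL is stateless and evaluated in rule-number order (replies need their own rule on the ephemeral port range, and a low-numbered deny beats a later allow). All addresses, ports and rules are constructed for the example.

```python
"""Added example (not from the article): a small model of the two filtering
layers described above. A security group is a stateful allow-list on the
instance: if an inbound rule accepts a connection, its replies are allowed
automatically. A network ACL is stateless and ordered: rules are evaluated
from the lowest rule number, the first match decides, and the implicit '*'
rule denies. Because the NACL is stateless, replies need their own rule on
the ephemeral port range. All rules, addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class SgRule:
    proto: str
    from_port: int
    to_port: int
    cidr: str    # allowed peer range


@dataclass(frozen=True)
class NaclRule:
    number: int  # evaluated lowest number first
    proto: str   # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str
    action: str  # "allow" or "deny"


def _matches(proto: str, from_port: int, to_port: int, cidr: str,
             peer: str, pkt_proto: str, port: int) -> bool:
    if proto not in ("all", pkt_proto):
        return False
    if proto != "all" and not from_port <= port <= to_port:
        return False
    return ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful: inbound must match a rule; replies to accepted flows pass without an outbound rule."""

    def __init__(self, inbound: Iterable[SgRule]) -> None:
        self.inbound: List[SgRule] = list(inbound)
        self.flows: Set[Tuple[str, str, int]] = set()  # (client ip, instance ip, instance port)

    def inbound_allowed(self, pkt: Packet) -> bool:
        ok = any(_matches(r.proto, r.from_port, r.to_port, r.cidr, pkt.src, pkt.proto, pkt.dport)
                 for r in self.inbound)
        if ok:
            self.flows.add((pkt.src, pkt.dst, pkt.dport))  # remember the accepted connection
        return ok

    def outbound_allowed(self, pkt: Packet) -> bool:
        # Only replies to tracked inbound flows are modelled; AWS's default outbound
        # rule (allow all) is deliberately left out so the stateful path is visible.
        return (pkt.dst, pkt.src, pkt.sport) in self.flows


def nacl_evaluate(rules: Iterable[NaclRule], pkt: Packet, direction: str) -> str:
    """Stateless: first matching rule by number wins; no match falls through to the implicit deny."""
    peer = pkt.src if direction == "in" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.from_port, rule.to_port, rule.cidr, peer, pkt.proto, pkt.dport):
            return rule.action
    return "deny"


# Constructed rule sets for a web server at 10.10.1.10.
WEB_SG = SecurityGroup([SgRule("tcp", 443, 443, "0.0.0.0/0")])
NACL_IN = [
    NaclRule(50, "tcp", 22, 22, "10.5.0.0/16", "deny"),      # a specific deny, placed first
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "10.0.0.0/8", "allow"),     # broader allow, evaluated after 50
]
NACL_OUT = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]  # replies to clients' ephemeral ports
NACL_OUT_NO_EPHEMERAL: List[NaclRule] = []

REQUEST = Packet("203.0.113.7", "10.10.1.10", "tcp", 51515, 443)
REPLY = Packet("10.10.1.10", "203.0.113.7", "tcp", 443, 51515)

if __name__ == "__main__":
    print("SG inbound request:", WEB_SG.inbound_allowed(REQUEST))
    print("SG outbound reply (no outbound rule needed):", WEB_SG.outbound_allowed(REPLY))
    print("NACL inbound request:", nacl_evaluate(NACL_IN, REQUEST, "in"))
    print("NACL outbound reply with ephemeral rule:", nacl_evaluate(NACL_OUT, REPLY, "out"))
    print("NACL outbound reply without it:", nacl_evaluate(NACL_OUT_NO_EPHEMERAL, REPLY, "out"))
    print("SSH from 10.5.1.1:", nacl_evaluate(NACL_IN, Packet("10.5.1.1", "10.10.1.10", "tcp", 40000, 22), "in"))
    print("SSH from 10.6.1.1:", nacl_evaluate(NACL_IN, Packet("10.6.1.1", "10.10.1.10", "tcp", 40000, 22), "in"))
```

The empty `NACL_OUT_NO_EPHEMERAL` is the classic mistake when a custom NACL replaces the default allow-all one: inbound 443 is allowed, the security group accepts the connection, and the server's replies are still dropped at the subnet boundary because no outbound rule covers the client's ephemeral port.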

AWS Elastic Compute Cloud :-

Amazon EC2 is a web service that provides compute capacity in the cloud. It is designed to make computing easier for developers.

The simple web interface of Amazon EC2 lets you have an operating system up and running within a few minutes, which benefits the dev team and reduces the headache. It gives you complete control of your computing resources and lets you quickly scale capacity both up and down. AWS EC2 offers multiple purchasing options such as Spot Instances, Reserved Instances, On-Demand Instances and Dedicated Hosts.

AWS Internet Gateway (IGW) :-

The internet gateway is the AWS service that enables a VPC to communicate with the internet; it is redundant and highly available, and it supports both IPv4 and IPv6. The IGW lets EC2 instances running in the public subnet reach the internet: the IGW is attached to the VPC, and the route table of the public subnet sends all unknown traffic (the public internet, 0.0.0.0/0) to the IGW.

AWS Virtual Private Gateway (VGW) :-

The AWS virtual private gateway (VGW) is the VPN endpoint on the AWS side when running a Site-to-Site VPN. The VGW is a highly available VPN solution because it creates 2 tunnel endpoints in different Availability Zones. A VGW can be attached to only one VPC. The VGW supports dynamic routing (BGP only) as well as static routes, and it provides encryption and data integrity.

AWS Site-to-Site VPN Connection :-

A Site-to-Site VPN is a secure connection between on-premises and AWS resources using IPsec tunnels. A Site-to-Site VPN can connect to both a VPC and a Transit Gateway, and, as mentioned before, it is built from two tunnels for redundancy and availability.

AWS Client VPN Endpoint :-

AWS Client VPN Endpoint is a service that helps clients securely connect remote users to AWS resources; with Client VPN you can connect to AWS services from anywhere. AWS Client VPN is a managed service, and it is recommended to deploy it in high-availability mode. With AWS Client VPN you have 2 options for the client's internet traffic: locally or through the IGW. If you want internet traffic to go through the IGW, disable split tunneling (the default behavior); if you want to segregate the connection between known (AWS resources) and unknown (internet) traffic, enable split tunneling on the Client VPN endpoint.

AWS Transit Gateway (TGW) :-

Transit Gateway is the AWS service that helps connect multiple VPCs together without the complexity that VPC peering brings at large scale. TGW allows the customer to interconnect VPCs and on-premises networks, and it supports attaching multiple VPCs, Direct Connect connections and SD-WAN connections. Each VPC or VPN attachment is associated with a single route table, and that route table decides the next hop for the traffic coming from that attachment. When you attach a VPC or create a VPN connection on a transit gateway, the attachment is associated with the default route table of the transit gateway. You can create additional route tables inside the transit gateway and change the VPC or VPN association to those route tables; this helps the customer segment the network.

AWS Transit Gateway Attachments :-

Attachments let you attach a VPC or VPN to the transit gateway. Each attachment is associated with a single route table. A route table inside the transit gateway allows both IPv4 and IPv6 CIDRs and targets; the targets are VPCs and VPN connections. When you attach a VPC or create a VPN connection on a transit gateway, the attachment is associated with the default route table of the transit gateway, but you can customize the individual route tables as the solution requires and segregate the whole network based on these route-table associations.
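The association rule described in the two transit gateway sections above, as an added example that is not part of the article: each attachment is associated with one TGW route table, and that table is consulted for traffic arriving from the attachment. With a "prod" VPC, a "dev" VPC and a Site-to-Site VPN attachment placed in separate tables, both VPCs can reach on-premises while prod and dev cannot reach each other. Attachment ids, table names and CIDRs are constructed.

```python
"""Added example (not from the article): a model of transit gateway route-table
association. Every attachment is associated with exactly one TGW route table,
and that table is the one consulted for traffic *arriving from* the attachment,
so putting attachments in different tables segments the network. Attachment
ids, table names and CIDRs are constructed for the example."""
import ipaddress
from typing import Dict, Optional, Tuple

# Attachment -> the CIDR behind it (two VPCs and one Site-to-Site VPN to on-premises).
ATTACHMENTS: Dict[str, str] = {
    "tgw-attach-prod": "10.10.0.0/16",
    "tgw-attach-dev": "10.20.0.0/16",
    "tgw-attach-vpn": "172.16.0.0/12",
}

# TGW route tables: table -> {destination CIDR: next-hop attachment}.
# prod and dev each know on-premises only; on-premises knows both; prod never learns dev.
TGW_ROUTE_TABLES: Dict[str, Dict[str, str]] = {
    "tgw-rtb-prod": {"10.10.0.0/16": "tgw-attach-prod", "172.16.0.0/12": "tgw-attach-vpn"},
    "tgw-rtb-dev": {"10.20.0.0/16": "tgw-attach-dev", "172.16.0.0/12": "tgw-attach-vpn"},
    "tgw-rtb-onprem": {"10.10.0.0/16": "tgw-attach-prod", "10.20.0.0/16": "tgw-attach-dev"},
}

# Association: which table is consulted for traffic coming *from* each attachment.
ASSOCIATION: Dict[str, str] = {
    "tgw-attach-prod": "tgw-rtb-prod",
    "tgw-attach-dev": "tgw-rtb-dev",
    "tgw-attach-vpn": "tgw-rtb-onprem",
}


def next_hop(source_attachment: str, destination_ip: str,
             tables: Dict[str, Dict[str, str]] = TGW_ROUTE_TABLES,
             association: Dict[str, str] = ASSOCIATION) -> Optional[str]:
    """Longest-prefix match in the table associated with the source attachment; None means blackholed."""
    table = tables[association[source_attachment]]
    dst = ipaddress.ip_address(destination_ip)
    candidates = [(ipaddress.ip_network(cidr).prefixlen, target)
                  for cidr, target in table.items() if dst in ipaddress.ip_network(cidr)]
    return max(candidates)[1] if candidates else None


def reachability_matrix(attachments: Dict[str, str] = ATTACHMENTS,
                        tables: Dict[str, Dict[str, str]] = TGW_ROUTE_TABLES,
                        association: Dict[str, str] = ASSOCIATION) -> Dict[Tuple[str, str], bool]:
    """For every ordered pair of attachments: can a host behind the first reach a host behind the second?"""
    matrix: Dict[Tuple[str, str], bool] = {}
    for src in attachments:
        for dst, cidr in attachments.items():
            if src == dst:
                continue
            probe = str(ipaddress.ip_network(cidr)[10])  # any address inside the destination range
            matrix[(src, dst)] = next_hop(src, probe, tables, association) == dst
    return matrix


if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix().items()):
        print(f"{src:>16} -> {dst:<16} {'reachable' if ok else 'blocked'}")
```

Moving `tgw-attach-dev` into `tgw-rtb-prod` (and adding its CIDR to that table) is all it takes to collapse the segmentation, which is why changes to TGW associations deserve the same review as firewall changes.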

AWS Reachability Analyzer :-

Reachability Analyzer is an analysis tool that lets you test connectivity between a source and a destination. To use Reachability Analyzer you specify the source and destination, which can be an EC2 instance, IGW, ENI, TGW, VPC endpoint, etc. Reachability Analyzer supports only IPv4 addresses and does not evaluate network firewall rules. Reachability Analyzer can also take the packet header details of your traffic (source and destination IP, source and destination port, and the protocol, TCP or UDP) to evaluate network reachability.

Time to go for hands-on

Login to your AWS account -> https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com


There are two options to sign in. Option 1: the root user of your organization (the account owner, which performs tasks requiring unrestricted access). Option 2: an IAM user, which is restricted based on the IAM role you create for each account separately; an IAM user has limited access to the specific resources defined inside the role.

Create the VPCs as per the main topology, starting with the AWS EU-West-2 Region

Go to VPC service => Your VPCs => Create VPC

NOTE: you have 2 options when creating a VPC: Option 1 (VPC only) and Option 2 (VPC and more), which shows more details about the AWS virtual network, including a graphical view of the network flow.

Name: VPC-A-EU-West-2

CIDR: 192.168.0.0/24

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-A-Private Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 192.168.0.0/24)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-A-Private-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-B-EU-West-2

CIDR: 192.168.10.0/24

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-B-Private Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 192.168.1.0/24)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-B-Private-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-C-EU-West-2 (this one is for the VPN)

CIDR: 10.20.101.0/28

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-C-VPN Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 10.20.101.0/28)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-C-VPN-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Create Internet Gateway

Internet Gateways => Create internet gateway

Attach Internet Gateway to VPC

Select the internet gateway => Actions => Attach to VPC => Select your VPC


Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-D-EU-West-2

CIDR: 192.168.3.0/24

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-D-Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 192.168.3.0/24)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-D-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Now we have finished the EU-West-2 Region (London), and we are going to start with the EU-Central-1 Region (Frankfurt)

Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-A-EU-Central-1

CIDR: 192.168.10.0/24

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)



  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-A-Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 192.168.10.0/24)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-A-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-B-EU-Central-1

CIDR: 192.168.20.0/24

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-B-Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 192.168.20.0/24)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-B-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-C-EU-Central-1 (VPN)

CIDR: 10.30.102.0/28

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-C-Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 10.30.102.0/28)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-C-VPN-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.


Create Internet Gateway

Internet Gateways => Create internet gateway

Attach Internet Gateway to VPC

Select the internet gateway => Actions => Attach to VPC => Select your VPC


Create another VPC as per the main topology

Go to VPC service => Your VPCs => Create VPC

Name: VPC-D-EU-Central-1

CIDR: 192.168.3.0/24

Tenancy: Default

Choose an IPv6 CIDR block option only if the solution requires it (IPAM-allocated IPv6 CIDR block, Amazon-provided IPv6 CIDR block, or IPv6 CIDR owned by me)


  • Create a subnet for the VPC

Subnets => Create subnet (Name: VPC-D-Subnet, VPC: My VPC, AZ: select the first AZ - ap-south-1a, CIDR: 192.168.30.0/24)

Select the subnet => Actions => Modify auto-assign public IP => Enable => Save

  • Create a route table

Route Tables => Create route table (Name: VPC-C-VPN-RTB, VPC: MyVPC). Select the route table => Subnet associations and associate the subnet with the RTB.
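The whole console walkthrough above, expressed as data and checked, as an added example that is not part of the article. The Region, VPC, subnet, route-table and IGW values are copied from the steps above; the 0.0.0.0/0 -> igw route on the two VPN VPCs is an assumption (the steps attach the IGWs, and the IGW section earlier says the default route must also be added), and the "auto-assign public IP" flag is set on every subnet because every subnet step enables it. The three checks are the ones a reviewer would want before the topology is extended with VPN or transit gateway peering: each subnet must lie inside its VPC CIDR, no two VPCs in either Region may reuse or overlap a CIDR, and only subnets with an IGW, a default route to it and a public IP are actually internet-reachable.

```python
"""Added example, not part of the article: a sanity check of the walkthrough's
topology that can be run before (or after) clicking through the console. The
Region, VPC, subnet, route-table and IGW values are taken from the walkthrough
above; the 0.0.0.0/0 -> igw routes on the two VPN VPCs are assumed here, since
the walkthrough attaches the IGWs and the IGW section says the default route
must also be added. Three checks are made: each subnet lies inside its VPC
CIDR, no two VPCs reuse or overlap a CIDR (they could not be connected through
transit gateway peering or a VPN otherwise), and which subnets are actually
reachable from the internet given the IGW, the route and auto-assign public IP."""
import ipaddress
from typing import Dict, List, Tuple

# One entry per VPC as built in the walkthrough (each VPC got a single subnet).
TOPOLOGY: List[Dict] = [
    {"region": "eu-west-2",    "vpc": "VPC-A-EU-West-2",    "vpc_cidr": "192.168.0.0/24",  "subnet": "192.168.0.0/24",  "rtb": "VPC-A-Private-RTB", "igw": False, "default_to_igw": False, "auto_public_ip": True},
    {"region": "eu-west-2",    "vpc": "VPC-B-EU-West-2",    "vpc_cidr": "192.168.10.0/24", "subnet": "192.168.1.0/24",  "rtb": "VPC-B-Private-RTB", "igw": False, "default_to_igw": False, "auto_public_ip": True},
    {"region": "eu-west-2",    "vpc": "VPC-C-EU-West-2",    "vpc_cidr": "10.20.101.0/28",  "subnet": "10.20.101.0/28",  "rtb": "VPC-C-VPN-RTB",     "igw": True,  "default_to_igw": True,  "auto_public_ip": True},
    {"region": "eu-west-2",    "vpc": "VPC-D-EU-West-2",    "vpc_cidr": "192.168.3.0/24",  "subnet": "192.168.3.0/24",  "rtb": "VPC-D-RTB",         "igw": False, "default_to_igw": False, "auto_public_ip": True},
    {"region": "eu-central-1", "vpc": "VPC-A-EU-Central-1", "vpc_cidr": "192.168.10.0/24", "subnet": "192.168.10.0/24", "rtb": "VPC-A-RTB",         "igw": False, "default_to_igw": False, "auto_public_ip": True},
    {"region": "eu-central-1", "vpc": "VPC-B-EU-Central-1", "vpc_cidr": "192.168.20.0/24", "subnet": "192.168.20.0/24", "rtb": "VPC-B-RTB",         "igw": False, "default_to_igw": False, "auto_public_ip": True},
    {"region": "eu-central-1", "vpc": "VPC-C-EU-Central-1", "vpc_cidr": "10.30.102.0/28",  "subnet": "10.30.102.0/28",  "rtb": "VPC-C-VPN-RTB",     "igw": True,  "default_to_igw": True,  "auto_public_ip": True},
    {"region": "eu-central-1", "vpc": "VPC-D-EU-Central-1", "vpc_cidr": "192.168.3.0/24",  "subnet": "192.168.30.0/24", "rtb": "VPC-C-VPN-RTB",     "igw": False, "default_to_igw": False, "auto_public_ip": True},
]


def subnets_outside_vpc(topology: List[Dict]) -> List[str]:
    """VPCs whose subnet CIDR does not lie inside the VPC CIDR (the console rejects these)."""
    return [e["vpc"] for e in topology
            if not ipaddress.ip_network(e["subnet"]).subnet_of(ipaddress.ip_network(e["vpc_cidr"]))]


def cidr_conflicts(topology: List[Dict]) -> List[Tuple[str, str, str]]:
    """Pairs of VPCs whose CIDRs overlap, in any Region; they cannot be routed to each other later."""
    found = []
    for i, a in enumerate(topology):
        for b in topology[i + 1:]:
            if ipaddress.ip_network(a["vpc_cidr"]).overlaps(ipaddress.ip_network(b["vpc_cidr"])):
                found.append((a["vpc"], b["vpc"], a["vpc_cidr"]))
    return found


def exposure(entry: Dict) -> str:
    """Internet reachability needs all three: IGW attached, 0.0.0.0/0 -> igw in the RTB, a public IP."""
    if entry["igw"] and entry["default_to_igw"] and entry["auto_public_ip"]:
        return "internet-reachable"
    if entry["auto_public_ip"]:
        return "public IP assigned but no internet path"
    return "private"


def audit(topology: List[Dict]) -> Dict:
    """Collect the three checks into one report."""
    return {
        "subnet_outside_vpc": subnets_outside_vpc(topology),
        "cidr_conflicts": cidr_conflicts(topology),
        "exposure": {e["vpc"]: exposure(e) for e in topology},
    }


if __name__ == "__main__":
    report = audit(TOPOLOGY)
    print("subnets outside their VPC CIDR:", report["subnet_outside_vpc"])
    for a, b, cidr in report["cidr_conflicts"]:
        print(f"CIDR conflict: {a} and {b} overlap on {cidr}")
    for vpc, state in report["exposure"].items():
        print(f"{vpc:<20} {state}")
```

Run against the values in the walkthrough, the report lists two VPCs whose subnet CIDR falls outside the VPC block (VPC-B-EU-West-2 and VPC-D-EU-Central-1) and two CIDRs shared between London and Frankfurt (192.168.10.0/24 and 192.168.3.0/24); those two pairs would have to be renumbered before a transit gateway peering or VPN could carry traffic between them. Only the two VPN VPCs come out as internet-reachable, which is the intended design: the other subnets receive public IPs but have no route to an IGW.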

Dina Khattab

Cybersecurity Presales Engineer

1 year

Excellent bro. The article is easy to read and understand .. and just to the point .. keep it up bro.

Azmi Alzaben

Cybersecurity Systems Engineer

1 year

Excellent stuff, good job bro

As always an excellent article. Waiting for part 2.
