Networking

Read more on VPCs from AWS CSAA

  • AWS does not allow multicast (unicast vs multicast)
  • TCP - stateful, connection based with acknowledging receipt
  • UDP - stateless, no retransmission delays
  • ICMP - used by network devices to exchange info (e.g. traceroute, ping)

Ephermal Ports

  • Short-lived transport protocol ports used in IP communication
  • Above the well-know ports (> 1024)
  • Refered to as “Dynamic Ports”
  • Suggested range 49152 to 65535
    • Linux kernels use 32568 to 61000
    • Windows platform default from 1025
  • NACL and Security Group implications
    • Client defines the Ephermal port to use for response

Reserved IP Addresses in VPC

  • 10.0.0.0 - Network address
  • 10.0.0.1 - Reserved by AWS for VPC Router
  • 10.0.0.2 - Reserved by AWS for Amazon DNS
  • 10.0.0.3 - Reserved by AWS for future use
  • 10.0.0.255 - VPCs don’t support broadcast so AWS reserves this address

Network to VPC Connectivity

AWS Managed VPN

  • Managed IPSec VPN connection
  • Quick and simple way to establish secure tunneled connection to a VPC; Redundant link for Direct Connect or other VPC VPN
  • Support static routes or BGP peering and routing
  • Dependent on your internet connection

AWS Direct Connect

  • Direct connection to AWS backbone
  • May require additional telecom and hosting provider relationships and/or new network circuits
  • Work with your existing Data Networking Provider; Create Virtual Interfaces (VIF) to connect to VPCs or other AWS service like S3 or Glacier (public VIF)
  • Direct Connect connections consist of a single connection between your network and AWS with no inherent redundancy (by default it’s not HA)
  • Traffic coming from on-prem via a Direct Connect connect is restricted from internet access

AWS Direct Connect Plus VPN

  • IPSec VPN connection over private lines
  • Extra layer of security through encrypted tunnel over AWS Direct Connect

AWS CloudHub VPN

  • Connect locations in a “Hub and Spoke” manner using AWS’s Virtual Private Gateway
  • Link remote offices for backup or primary WAN access to AWS resources and each other

Hub and Spoke Network

  • Network topology in which nodes are connected through spokes to a hub
  • Minimizes the number of direct connections required between nodes
  • Reduced cost in comparison to exhaustive point to point connections
  • Introduces “Hub” as a point of failure
  • Increased latency due to round trip via Hub in case of sending traffic between 2 networks in the topology

Software VPN

  • Provide your own VPN endpoint and software (e.g. OpenVPN)
  • Useful when you want to manage both ends of the VPN connection for compliance reasons or you want to use VPN option not supported by AWS
  • You must build and design the VPN architecture for redundancy and availability

Transit VPC

  • Common strategy for geographically disperse VPCs in order to create a global network transit center
  • Locations and VPC-deployed assets across multiple regions that need to communicate with one another
  • Cisco, Juniper Networks and Riverbed have offerings which work with their equipment and AWS VPC

VPC to VPC Connectivity

VPC Peering

  • AWS-provided network connectivity between two VPCs
  • Uses AWS Backbone without touching the Internet
  • Transitive peering is not supported
    • A connected to B and B connected to C, doesn’t mean that A is connected to C via B
  • VPC peering request is made from Originator to Accepter
  • AWS-provided network connectivity between VPCs and AWS Services
  • Use AWS backbone to reach other services, without going through the Internet

VPC Endpoints

  • Interface Endpoint
    • Elastic Network Interface with Private IP
    • Uses DNS entries to redirect traffic
    • API Gateway, CloudFormation, CloudWatch, etc…
    • Secured by Security Groups
  • Gateway Endpoint
    • The gateway which is a target for a specific route
    • Uses prefix lists in the route table to redirect traffic
    • Amazon S3, DynamoDB
    • VPC Endpoint Policies

Internet Gateways

Internet Gateway

  • Horizontally scaled, redundant and highly available component
  • No AZ risk or bandwidth constraints
  • Provides route table target for Internet-bound traffic
  • Perform NAT for instances with public IP addresses

Egress-Only Internet Gateway

The purpose of an “Egress-Only Internet Gateway” is to:

  • Allow IPv6 based traffic within a VPC to access the Internet

  • Denying any Internet based resources the possibility of initiating a connection back into the VPC

  • IPv6 addresses are globally unique and are therefore public by default

  • Provides outbound Internet access for IPv6 addressed instances

  • Prevents inbound access to those IPv6 instances

  • Stateful - forwards traffic from instance to internet and then sends back the response

  • Must create a custom route for ::/0 to the Egress-Only Internet Gateway

  • Use Egress-Only Internet Gateway instead of NAT for IPv6

NAT Instance

  • EC2 instance from a special AWS-provided AMI
  • Translates traffic from many private IP instance to a single public IP and back
  • Doesn’t allow public internet initiated connections into private instances
  • Not supported for IPv6 (use Egress-Only Gateway)
  • NAT instance must live on a public subnet with route to Internet Gateway
  • Private instances in private subnet must have route to the NAT instance, usually the default route destination of 0.0.0.0/0

NAT Gateway

  • Fully-managed NAT service that replaces need for NAT instances on EC2
  • Must be created in a Public subnet
  • Uses an Elastic IP for public IP for the life of hte gateway
  • Private instances must have route to the NAT gateway, usually to destination 0.0.0.0/0
  • Created in a specified AZ with redundancy in that zone
  • For multi-AZ deployment, create NAT Gateways in each AZ with routes for private subnets to use the local Gateway
  • Up to 5Gbps bandwidth that can scale up to 45 Gbps

NAT Instances vs. Nat Gateways

  • NAT Instances allow you to detach and attach EIPs while NAT Gateways do not allow you to detach
  • NAT Instances can use security groups as they are just EC2 instances
  • NAT Instances also can be configured to support port forwarding while NAT Gateways do not support this

Routing

Routing Tables

  • VPCs have an impicity router and main routing table
  • You can modify the main routing table or create new tables
  • Each route table contains a local route for the CIDR block
  • Most specific route for an address wins
  • Taffic to VPC Endpoints is routed through the routing tables

Border Gateway Protocol (BGP)

  • Popular protocol for the Internet
  • BGP is the only protocol supported by AWS
  • Propagates information about the network to allow dynamic routing
  • Required for Direct Connect and optional for VPN
  • Alternative of not using VGP with AWS VPC is static routes
  • AWS Supports BGP community tagging as a way to control traffic scope and route preference
  • Required TCP port 179 + ephemeral ports
  • Autonomous System Number (ASN) = Unique point identifier
  • Weighting is local to the router and higher weight is preferred path for outbound traffic

BGP is a protocol designed to connect Autonomous Systems (CloudFlare):

  • Autonomous system is large network or group of networks that has a unified routing policy. Every computer or device that connects to the Internet is connected to an AS.
  • BGP is the protocol that makes the Internet work
  • BGP enables data routing on the Internet
  • BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems

Enhanced Networking

  • Generally used for High Performance Computing use-cases
  • Uses single root I/O vritualization (SR-IOV) to deliver higher performance than traditional virtualized network interfaces
  • Might have to install driver if other than Amazon Linux HVM AMI
  • Interface Options
    • Intel 82599 VF Interface (10 Gbps)
    • Elastic Network Adapter (25 Gbps)

Placement Groups

  1. Cluster placement group
    • Packs instances close together inside an Availability Zone
    • Required for low network latency and/or high network throughput
    • Pros: Get the most out of Enhanced Networking Instances
    • Cons: Finite capacity: recommend launching all you might need up front
  2. Spread placement group
    • Instances spread across underlying hardware
    • Required to reduce risk of simultaneous failure if underlying hardware fails
    • Pros: Can span multiple AZ’s
    • Cons: Max of 7 instances running per group per AZ
  3. Partition placement group
    • Instances are grouped into partitions and each partition is spread across racks
    • Partitions do not share underlying hardware
    • Required to reduce risk of correlated hardware failure for multi-instance workloads
    • Pros: Better for large distributed or replicated workloads than Spread
    • Cons: Not supposed for Dedicated Hosts

Route 53

  • Register domain names
  • Check the health of your domain resources
  • Route internet traffic for your domain
  • Route 53 currently supports 13 different DNS record types including; AAAA, CNAME and SPF
  • Route 53 does not currently support any of DNSSEC related records, such as DNSKEY

Route 53 Routing Policies

  • Simple
  • Failover
    • Health check of the primary route will lead to failover to secondary route
  • Geolocation
  • Geoproximity
    • Closer proximity to the region is specified. Bias value ranging between -99 and +99 is used to control the proximity radius
  • Latency
    • Traffic will be routed to the region that provides the best latency
  • Mutlivalue Answer
    • respond to DNS queries with up to eight healthy records selected at random
    • not good for distributing the traffic - DNS client may cache the IP for some time which may lead to unexpected results
  • Weighted
    • Traffic is distributed respecting the weights of the routes.

CloudFront

SSL and TLS

  • 1995: SSLv2 first public release
  • 1996: SSLv3 released to fix security design flaws
  • 1999: TLSv1.0 with SSL backwards
  • 2005: TLSv1.2
  • Present: TLSv1.3

CF Settings

  • CF Security Policy
    • Defines the protocols and ciphers that CloudFront uses
  • CloudFront supports both SNI and dedicated IP for serving SSL certificate
    • Dedicated IP reservation in each edge location will be significantly costlier
    • Server Name Indication (SNI)
      • Allows CloudFront distribution instances to server content over HTTPS to clients that support SNI. Older browsers will not have access to content over HTTPS.

Server Name Indication (SNI)

  • No dedicated IP for each SSL certificate
  • Each SSL certificate is served corresponding to server name, indicated in the requests
  • SNI is supported by all recent browsers
  • Some old browsers required dedicated IP per SSL certificate

Elastic Load Balancer

  • Application Load Balancer (Layer 7)
    • Supports VPC
    • HTTPS / HTTP
    • Path, Method, Query string or Host-based Routing
    • Web Sockets
    • SNI
    • Sticky Sessions
    • Static IP, Elastic IP (through AWS Global Accelerator)
    • User Authentication
  • Network Load Balancer (Layer 4)
    • Supports VPC
    • TCP / UDP / TLS
    • Web Sockets
    • SNI, as of 2019
    • Static IP, Elastic IP
  • Classic Load Balancer (Layer 4 /7)
    • Supports EC2-Classic or VPC
    • Sticky Sessions