AWS-Intro and Networking DataCamp2024

Uploaded by AM serrakter
Introduction to Amazon Cloud
Networking in AWS

Mr. Mana Tongpol
Solution Architecture, NT Cloud

© 2022, Amazon Web Services, Inc. or its affiliates.
What is AWS?

AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers millions of businesses in over 240 countries and territories around the world.

Benefits
§ Low Cost
§ Elasticity & Agility
§ Open & Flexible
§ Secure
§ Global Reach
Availability Zones

• Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area
• An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region
• High throughput, low latency (<10 ms) network between Availability Zones
• All traffic between AZs is encrypted
• Physical separation, within 100 km (60 miles), inside a Region

[Diagram: Region us-east-1 (N. Virginia) with three Availability Zones: us-east-1a, us-east-1b, us-east-1c]


Networking in AWS



Regions and Availability Zones (AZs)

[Diagram: AWS Cloud containing Region us-east-1 (AZs us-east-1a, us-east-1b, us-east-1c) and Region us-west-2 (AZs us-west-a, us-west-b, us-west-c)]


AWS VPC - Overview

[Diagram: AWS Cloud > Account 123456789 > Region US-EAST-1. Inside the VPC: EC2 instances, Elastic Load Balancing, Amazon RDS instance. Regional services outside the VPC: AWS Identity and Access Management, Amazon Simple Storage Service (S3), Amazon Route 53, Amazon DynamoDB]


Subnets and AZs

[Diagram: Region us-east-1, VPC 10.0.0.0/16. Availability Zone us-east-1a holds Subnet 1 (10.0.1.0/24) with EC2 instances; Availability Zone us-east-1b holds Subnet 2 (10.0.2.0/24) with an Amazon RDS instance]


Route Tables – Internal VPC Traffic

Route Table 1 - Rules
Destination    Target
10.0.0.0/16    local

[Diagram: VPC 10.0.0.0/16 with Subnet 1 (10.0.1.0/24, EC2 instance 10.0.1.1) and Subnet 2 (10.0.2.0/24, EC2 instance 10.0.2.1); both subnets use Route Table 1, and traffic from 10.0.1.1 to 10.0.2.1 follows the local route]


Route Tables – Internet Traffic

Route Table 1 - Rules
Destination    Target
10.0.0.0/16    local

[Diagram: VPC 10.0.0.0/16 with Subnet 1 (10.0.1.0/24, EC2 instance 10.0.1.1) and Subnet 2 (10.0.2.0/24, EC2 instance 10.0.2.1), both using Route Table 1; an instance sends traffic to 1.2.3.4 on the Internet, but the table holds only the local route]


Route Tables – Internet Traffic

Route Table 1 - Rules
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

[Diagram: VPC 10.0.0.0/16 with Subnet 1 (10.0.1.0/24, EC2 instance 10.0.1.1) and Subnet 2 (10.0.2.0/24, EC2 instance 10.0.2.1), both using Route Table 1; traffic to 1.2.3.4 now leaves through the Internet gateway Igw-12345]


Public vs. Private Subnet

Private Route Table
Destination    Target
10.0.0.0/16    local

Public Route Table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

[Diagram: VPC 10.0.0.0/16. Private Subnet 1 (10.0.1.0/24, EC2 instance 10.0.1.1) uses the Private Route Table; Public subnet 1 (10.0.2.0/24, EC2 instance 10.0.2.1) uses the Public Route Table, which points the default route at the Internet gateway]


Public IPs

Public Route Table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

[Diagram: VPC 10.0.0.0/16, Public subnet 1 (10.0.2.0/24). EC2 instance with Private IP 10.0.2.1 and Public IP 1.2.3.4, reachable through the Internet gateway]


VPC - DNS & DHCP

VPC 10.0.0.0/16
Reserved for AWS use:
10.0.0.0
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.255

VPC DHCP, VPC DNS

Public subnet 1 10.0.2.0/24
EC2 Instance
Private IP: 10.0.2.1
Private DNS: ip-10.0.2.1.us-west-2.compute.internal
Public IP: 1.2.3.4
Public DNS: ec2-1.2.3.4.us-west-2.compute.amazonaws.com


Internet Access for Private Subnets – NAT Gateway

Private Route Table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      ngw-345

Public Route Table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

[Diagram: VPC 10.0.0.0/16. Private Subnet 1 (10.0.1.0/24) holds a private instance with Private IP 10.0.1.1; its default route goes to the NAT gateway Ngw-345 (EIP 2.3.4.5) in Public subnet 1 (10.0.2.0/24), which forwards through the Internet gateway to 1.2.3.4 on the Internet]


Multi-AZ Best Practices

[Diagram: Region us-east-1, VPC 10.0.0.0/16 with an IGW. AZ us-east-1a: Public subnet 1 (10.0.1.0/24) with a Web Server, Private Subnet 1 (10.0.2.0/24) with the Database server. AZ us-east-1b: Public subnet 2 (10.0.3.0/24) with a Web Server, Private Subnet 2 (10.0.4.0/24) with the Database standby. A Load balancer fronts both web servers; the database uses sync replication to the standby]


Security Groups – Default Group Rules

Security Group 1

Inbound Rules
Protocol    Port    Source
(none)

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0

[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24); an EC2 instance is attached to Security group 1]


Security Groups – Web Server Example

Security Group 1

Inbound Rules
Protocol    Port    Source
TCP         80      0.0.0.0/0

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0

[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24); an EC2 instance is attached to Security group 1]


Security Groups – Reference other groups

Web server security group

Inbound Rules
Protocol    Port    Source
TCP         80      0.0.0.0/0

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0

Database security group

Inbound Rules
Protocol    Port    Source
TCP         3306    sg-webserver

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0

[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24); one EC2 instance is in the Webserver security group and one in the Database security group, whose inbound rule references sg-webserver instead of an IP range]


Security Groups – Self-referencing rules

Hadoop Security Group

Inbound Rules
Protocol    Port    Source
TCP         80      sg-hadoop

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0

[Diagram: VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 (10.0.1.0/24); four EC2 instances all attached to the Hadoop security group, which admits TCP 80 only from members of sg-hadoop itself]
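The group-referencing and self-referencing rules on the last two slides decide by membership, not by address. The following is an added illustration, not code from the deck: it evaluates the inbound rules shown above against a few flows; the instance IPs, the group id sg-database and the stray instance are constructed for the demonstration.

```python
"""Evaluate the inbound security-group rules from the slides.

A rule source is either a CIDR or another security group id. A group-id
source matches by the sender's group membership, not by its IP address,
so a stray host in the same subnet is still refused.
"""
from ipaddress import ip_address, ip_network

# Inbound rules per group, taken from the slides: (protocol, port, source).
# 'sg-database' is a constructed id for the deck's "Database security group".
INBOUND = {
    "sg-webserver": [("tcp", 80, "0.0.0.0/0")],
    "sg-database":  [("tcp", 3306, "sg-webserver")],   # reference to another group
    "sg-hadoop":    [("tcp", 80, "sg-hadoop")],          # self-referencing rule
}

# Instances: private IP -> attached security groups (constructed sample data).
INSTANCES = {
    "10.0.1.1": {"sg-webserver"},
    "10.0.1.2": {"sg-database"},
    "10.0.1.10": {"sg-hadoop"},
    "10.0.1.11": {"sg-hadoop"},
    "10.0.1.50": set(),          # stray instance in the same subnet, no groups
}


def source_matches(source, src_ip):
    """A CIDR matches by address; a group id matches by the sender's membership."""
    if source.startswith("sg-"):
        return source in INSTANCES.get(src_ip, set())
    return ip_address(src_ip) in ip_network(source)


def inbound_allowed(src_ip, dst_ip, protocol, port):
    """True if any rule of any group attached to dst_ip admits the flow.
    Security groups are allow-only: no matching rule means the packet is
    dropped. They are also stateful, so replies to allowed flows need no rule."""
    for group in INSTANCES.get(dst_ip, set()):
        for proto, rule_port, source in INBOUND[group]:
            if proto == protocol and rule_port == port and source_matches(source, src_ip):
                return True
    return False


def check_flows():
    """Flows from the slides plus two negative cases; returns name -> verdict."""
    return {
        "internet_to_web_80": inbound_allowed("203.0.113.9", "10.0.1.1", "tcp", 80),
        "internet_to_db_3306": inbound_allowed("203.0.113.9", "10.0.1.2", "tcp", 3306),
        "web_to_db_3306": inbound_allowed("10.0.1.1", "10.0.1.2", "tcp", 3306),
        "stray_to_db_3306": inbound_allowed("10.0.1.50", "10.0.1.2", "tcp", 3306),
        "hadoop_to_hadoop_80": inbound_allowed("10.0.1.10", "10.0.1.11", "tcp", 80),
        "web_to_hadoop_80": inbound_allowed("10.0.1.1", "10.0.1.11", "tcp", 80),
    }
```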


Network Access Control Lists (NACLs)

NACL Configuration

Inbound Rules
Rule #    Protocol    Port    Source       Effect
1         All         All     0.0.0.0/0    Allow

Outbound Rules
Rule #    Protocol    Port    Destination  Effect
1         All         All     0.0.0.0/0    Allow

[Diagram: Region us-east-1, VPC 10.0.0.0/16, Availability Zone us-east-1a; a Network access control list sits at the boundary of Subnet 1 (10.0.1.0/24)]


VPC Building Blocks - Summary

[Diagram: VPC 10.0.0.0/16. Private Subnet 1 (10.0.1.0/24): Database EC2 in the Database security group, NACL, Private Route Table, NAT gateway. Public subnet 1 (10.0.2.0/24): EC2 webserver in the Web server security group, NACL, Public Route Table, Internet gateway]


VPC Peering

VPC 1 10.0.0.0/16, Private Subnet 1 10.0.0.0/24, private instance 10.0.0.1
VPC 2 192.168.0.0/16, Private Subnet 2 192.168.0.0/24, private instance 192.168.0.1
Peering connection VPX-123

Route Table 1
Destination       Target
10.0.0.0/16       local
192.168.0.0/16    VPX-123

Route Table 2
Destination       Target
192.168.0.0/16    local
10.0.0.0/16       VPX-123


VPC Peering – No Transitive Routing

[Diagram: VPC 1 peered with VPC 2, VPC 2 peered with VPC 3]

• VPC 1 can reach VPC 2
• VPC 1 cannot reach VPC 3

VPC Peering – No Transitive Routing

[Diagram: VPC 1 peered with VPC 2, VPC 2 peered with VPC 3, and a third peering connection directly between VPC 1 and VPC 3]

• VPC 1 can reach VPC 2
• VPC 1 can reach VPC 3
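Every routing decision on the route-table, NAT and peering slides comes down to longest-prefix match over the subnet's route table. As an added example (not code from the deck), the block below runs that lookup over the tables shown in the slides; the VPC 3 CIDR 172.31.0.0/16 is a constructed value used only to show that peering is not transitive.

```python
"""Longest-prefix-match lookup over the VPC route tables shown in the slides.

Each route table is a list of (destination CIDR, target). AWS selects the
most specific matching route; 'local' covers the VPC CIDR, and a packet
with no matching route is dropped. The VPC 3 CIDR (172.31.0.0/16) is a
constructed value used only for the transitive-routing check.
"""
from ipaddress import ip_address, ip_network

# Route tables copied from the slides: (destination CIDR, target).
LOCAL_ONLY = [("10.0.0.0/16", "local")]
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "Igw-12345")]
PRIVATE_NAT_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "ngw-345")]
VPC1_PEERING_RT = [("10.0.0.0/16", "local"), ("192.168.0.0/16", "VPX-123")]
VPC2_PEERING_RT = [("192.168.0.0/16", "local"), ("10.0.0.0/16", "VPX-123")]


def lookup(route_table, dst_ip):
    """Return the target for dst_ip, or None when no route matches (dropped)."""
    dst = ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def next_hops():
    """Walk the scenarios from the slides and return scenario -> next hop."""
    return {
        # Internal VPC traffic: 10.0.1.1 -> 10.0.2.1 stays on the 'local' route.
        "internal": lookup(LOCAL_ONLY, "10.0.2.1"),
        # Internet traffic with only the local route: no match, packet dropped.
        "no_igw": lookup(LOCAL_ONLY, "1.2.3.4"),
        # Public subnet: the default route points at the Internet gateway.
        "public": lookup(PUBLIC_RT, "1.2.3.4"),
        # Private subnet: the default route points at the NAT gateway (EIP 2.3.4.5).
        "private_nat": lookup(PRIVATE_NAT_RT, "1.2.3.4"),
        # Peering: VPC 1 and VPC 2 reach each other through VPX-123 ...
        "vpc1_to_vpc2": lookup(VPC1_PEERING_RT, "192.168.0.1"),
        "vpc2_to_vpc1": lookup(VPC2_PEERING_RT, "10.0.0.1"),
        # ... but VPC 1 has no route to a VPC 3 CIDR that is peered only with
        # VPC 2 (constructed 172.31.0.0/16): peering is not transitive.
        "vpc1_to_vpc3": lookup(VPC1_PEERING_RT, "172.31.0.1"),
    }
```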


AWS Site-to-Site VPN

VPC Route Table
Destination      Target
10.0.0.0/16      local
172.16.0.0/16    VGW-123

[Diagram: On-prem data center 172.16.0.0/16 with a Customer gateway, connected over IPSec to the Virtual Private Gateway VGW-123 attached to VPC 10.0.0.0/16]

• One VGW per VPC
• BGP or static routes
• Redundant IPSec tunnels
• Redundant routers across two AZs


AWS Site-to-Site VPN

VPC Route Table
Destination      Target
10.0.0.0/16      local
172.16.0.0/16    VGW-123

[Diagram: VPC 10.0.0.0/16 with Virtual Private Gateway VGW-123 terminating IPSec tunnels from three on-prem data centers (172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16), each with its own Customer gateway]


AWS Direct Connect

[Diagram: Customer Data Center (Customer router) > Direct Connect Location Equinix DA1 (Customer or partner cage with Customer or partner router; AWS cage with AWS Direct Connect Endpoint) > AWS Cloud, Region us-east-1. A Private VIF reaches the VGW and EC2 in the VPC; a Public VIF reaches Amazon S3 and Amazon DynamoDB]

• 1, 10, or 100 Gbps (50 Mbps+ via partners)
• Consistent performance
• May lower data transfer cost
• Redundant connections optional (recommended)


VPN & Direct Connect - Mesh Topology

[Diagram: three VPCs joined by VPC Peering, and three Data centers connected to them by a mix of VPN and Direct Connect links, forming a full mesh]
Transit Gateway & Direct Connect Gateway

[Diagram: three VPCs attached to an AWS Transit Gateway and/or an AWS Direct Connect Gateway; three Data centers attach via VPN, Direct Connect, or both, in a hub-and-spoke layout instead of a mesh]
AWS Client VPN

[Diagram: AWS Cloud, VPC 10.0.0.0/16, Availability Zone 1, Subnet 1. A User at 1.2.3.4 with an OpenVPN client connects over TLS (TCP or UDP) to the AWS Client VPN Endpoint (client address range 192.168.0.1/24), which lands on a Client VPN Network Interface 10.0.0.1 protected by a Security group, and reaches EC2 10.0.0.2 behind its own Security group. Access is governed by the Route Table and Authorizations. The same VPC also connects to an On-prem data center 172.16.0.0/16 through a Customer gateway and IPSec to VGW-123]
DNS with Amazon Route 53

• Global DNS service
• 100% Availability SLA
• Domain registrar
• Public and private DNS zones
• Supports:
  • Health checks
  • DNS failover
  • Round-robin routing
  • Weighted routing
  • Geolocation
  • Latency-based routing
  • IP/CIDR (June 2022)

[Diagram 1: a client issues GET example.com; Amazon Route 53 answers with the Elastic Load Balancer in Region us-east-1 (N. Virginia) in front of the Web Service]

[Diagram 2: weighted routing for A/B testing; Route 53 sends 95% of traffic to App Version A and 5% to App Version B, each behind its own Elastic Load Balancer and Web Service in us-east-1]

[Diagram 3: DNS failover; a health check asks "Main Site Healthy?"; Yes routes to App Version A / App Version B in us-east-1 (N. Virginia), No routes to App DR behind an Elastic Load Balancer in Region us-west-2 (Oregon)]


Hybrid DNS Resolution - Route 53 Resolvers

[Diagram: On-prem data center 172.16.0.0/16 hosting app1.corp.com and the dns.corp.com resolver, linked through a Customer gateway to the VGW of VPC 10.0.0.0/16. Route 53 Resolver endpoints at 10.0.2.1 and 10.0.2.2 in Subnet 1 forward queries between dns.corp.com and VPC names such as database.example.com]


Thank you!