
Introduction to Cloud Computing - IV

The document provides an overview of basic networking concepts, focusing on Amazon VPC, IP addressing, and security groups. It explains the structure of VPCs, subnets, CIDR blocks, and the role of security groups and network ACLs in controlling traffic. Additionally, it covers AWS Direct Connect and VPC peering for enhanced connectivity and data transfer between resources.

Uploaded by

saranshtrash

Basic Networking

[Diagram: Subnet 1 and Subnet 2 connected through a router]

Contd.

IPv4 (32-bit) address: 192.0.2.0
  Binary: 11000000 00000000 00000010 00000000

IPv6 (128-bit) address: 2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF

Classless Inter-Domain Routing (CIDR)

192.0.2.0/24
• Network identifier (routing prefix): 192.0.2 (the first 24 bits)
• Host identifier: the last octet
• The /24 tells you how many bits are fixed

  Binary: 11000000 00000000 00000010 00000000 to 11111111
          Fixed    Fixed    Fixed    Flexible

Layer        | Number | Function                                                            | Protocol/Address
Application  | 7      | Means for an application to access a computer network               | HTTP(S), FTP, DHCP, LDAP
Presentation | 6      | Ensures that the application layer can read the data; encryption    | ASCII, ICA
Session      | 5      | Enables orderly exchange of data                                    | NetBIOS, RPC
Transport    | 4      | Provides protocols to support host-to-host communication            | TCP, UDP
Network      | 3      | Routing and packet forwarding (routers)                             | IP
Data link    | 2      | Transfer data in the same LAN network (hubs and switches)           | MAC
Physical     | 1      | Transmission and reception of raw bitstreams over a physical medium | Signals (1s and 0s)
Amazon VPC
• Provisions a logically isolated section of the AWS Cloud
• This section can be used to launch any AWS resources in a virtual network that you define
• Gives control over your virtual networking resources
• Allows the owner to:
  • Select an IP address range
  • Create subnets
  • Configure route tables and network gateways
• The owner can customize the network configuration of the VPC
• Provides options for multiple layers of security
VPC and Subnets
• VPCs:
  • Logically isolated from other virtual networks
  • Dedicated to an AWS account
  • Belong to a single AWS Region and can span multiple Availability Zones
• Subnets:
  • Range of IP addresses that divide a VPC
  • Belong to a single Availability Zone
  • Classified as public or private

[Diagram: AWS Cloud > Region > VPC spanning Availability Zone 1 and Availability Zone 2, with one subnet in each zone]
How IP addressing works
• When you create a VPC, you assign it an IPv4 CIDR block (a range of private IPv4 addresses).
• You cannot change the address range after you create the VPC.
• The largest IPv4 CIDR block size is /16.
• The smallest IPv4 CIDR block size is /28.
• IPv6 is also supported (with a different block size limit).
• CIDR blocks of subnets cannot overlap.
Example

VPC CIDR block sizes range from x.x.x.x/16 (65,536 addresses, the maximum) to x.x.x.x/28 (16 addresses, the minimum).
Reserved IP addresses
• Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses. The VPC has four equal-sized subnets. Only 251 IP addresses are available for use by each subnet.

VPC: 10.0.0.0/16
• Subnet 1 (10.0.0.0/24): 251 IP addresses
• Subnet 2 (10.0.2.0/24): 251 IP addresses
• Subnet 3 (10.0.3.0/24): 251 IP addresses
• Subnet 4 (10.0.1.0/24): 251 IP addresses

IP addresses reserved in CIDR block 10.0.0.0/24:
Address    | Reserved for
10.0.0.0   | Network address
10.0.0.1   | Internal communication
10.0.0.2   | Domain Name System (DNS) resolution
10.0.0.3   | Future use
10.0.0.255 | Network broadcast address
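Added here as a worked example (not part of the slides): Python using the standard ipaddress module to apply the rules from the "How IP addressing works" and "Reserved IP addresses" slides to the slide's own 10.0.0.0/16 example: the /16 to /28 VPC size limits, non-overlapping subnets, and the five reserved addresses per subnet that leave 251 usable in a /24. The function names are this example's own, not an AWS API.

```python
"""Added example (not from the slides): subnet planning with the reserved-address
rule from the 'Reserved IP addresses' slide, using Python's standard ipaddress module.
The CIDR values below are the slide's own (10.0.0.0/16 split into /24 subnets);
the function names are this example's, not an AWS API."""
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the first
# three host addresses (internal communication, DNS, future use) and broadcast.
AWS_RESERVED_PER_SUBNET = 5

VPC_MIN_PREFIX = 16   # largest VPC block is /16 ...
VPC_MAX_PREFIX = 28   # ... smallest is /28 (the slide's limits)


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a VPC CIDR and enforce the /16../28 size limit."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(
            f"{cidr}: VPC prefix must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def reserved_addresses(subnet: ipaddress.IPv4Network) -> dict:
    """Return the five addresses AWS reserves in a subnet, keyed by purpose."""
    base = int(subnet.network_address)
    return {
        "Network address": str(ipaddress.IPv4Address(base)),
        "Internal communication": str(ipaddress.IPv4Address(base + 1)),
        "DNS resolution": str(ipaddress.IPv4Address(base + 2)),
        "Future use": str(ipaddress.IPv4Address(base + 3)),
        "Network broadcast address": str(subnet.broadcast_address),
    }


def usable_addresses(subnet: ipaddress.IPv4Network) -> int:
    """Addresses left for instances once the reserved five are removed."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Check that every subnet fits inside the VPC, is not smaller than /28 and
    overlaps no other subnet, then report reserved and usable addresses for each."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is not inside VPC {vpc}")
        if s.prefixlen > VPC_MAX_PREFIX:
            raise ValueError(f"{s} is smaller than the /28 minimum")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):               # subnet CIDR blocks cannot overlap
                raise ValueError(f"subnet CIDR blocks overlap: {a} and {b}")
    return [
        {"cidr": str(s), "total": s.num_addresses, "usable": usable_addresses(s),
         "reserved": reserved_addresses(s)}
        for s in subnets
    ]


if __name__ == "__main__":
    # The slide's example: four /24 subnets inside 10.0.0.0/16 -> 251 usable each.
    rows = plan_subnets("10.0.0.0/16",
                        ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"])
    for row in rows:
        print(f"{row['cidr']}: {row['total']} total, {row['usable']} usable")
        for purpose, addr in row["reserved"].items():
            print(f"    {addr:<12} {purpose}")
```

Running the module prints the four subnets with 251 usable addresses each and the five reserved addresses of every block; passing overlapping subnets or a VPC block outside /16 to /28 raises a ValueError before anything is reported.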
Public IP address types

Public IPv4 address:
• Can be manually assigned through an Elastic IP address
• Automatically assigned through the auto-assign public IP address settings at the subnet level

Elastic IP address:
• Associated with an AWS account
• Can be allocated and remapped anytime
• Additional costs might apply
Elastic network interface
• An elastic network interface is a virtual network interface that you can:
  • Attach to an instance.
  • Detach from the instance, and attach to another instance to redirect network traffic.
  • Its attributes follow when it is reattached to a new instance.
• Each instance in your VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC.

[Diagram: subnet 10.0.1.0/24 containing an instance with an elastic network interface]
Route tables and routes
• A route table contains a set of rules (or routes) that you can configure to direct network traffic from your subnet.
• Each route specifies a destination and a target.
• By default, every route table contains a local route for communication within the VPC.
• Each subnet must be associated with a route table (at most one).

Main (Default) Route Table
Destination                  | Target
10.0.0.0/16 (VPC CIDR block) | local
Internet Gateway
NAT gateway
Security group
Contd.
• Security groups have rules that control inbound and outbound instance traffic.
• Default security groups deny all inbound traffic and allow all outbound traffic.
• Security groups are stateful.

Inbound
Source      | Protocol | Port Range | Description
sg-xxxxxxxx | All      | All        | Allow inbound traffic from network interfaces assigned to the same security group.

Outbound
Destination | Protocol | Port Range | Description
0.0.0.0/0   | All      | All        | Allow all outbound IPv4 traffic.
::/0        | All      | All        | Allow all outbound IPv6 traffic.
Security Groups
• A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
• After you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
• When you create a VPC, it comes with a default security group. You can create additional security groups for a VPC, each with their own inbound and outbound rules.
• You can specify the source, port range, and protocol for each inbound rule. You can specify the destination, port range, and protocol for each outbound rule.
Security Groups
• Here is a VPC with a subnet, an internet gateway, and a security group.
• The subnet contains an EC2 instance. The security group is assigned to the instance. The security group acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the security group rules.
• For example, if the security group contains a rule that allows ICMP traffic to the instance from your network, then you could ping the instance from your computer.
• If the security group does not contain a rule that allows SSH traffic, then you could not connect to your instance using SSH.
Security Groups - Basics
• A security group applies only to resources created in the same VPC as the security group. You can assign multiple security groups to a resource.
The following rules apply:
• A security group name must be unique within the VPC.
• Names and descriptions can be up to 255 characters in length.
• Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.
• When the name contains trailing spaces, we trim the space at the end of the name. For example, if you enter "Test Security Group " for the name, we store it as "Test Security Group".
• A security group name cannot start with sg-.
Custom security group examples
• You can specify allow rules, but not deny rules.
• All rules are evaluated before the decision to allow traffic.

Inbound
Source                                   | Protocol | Port Range | Description
0.0.0.0/0                                | TCP      | 80         | Allow inbound HTTP access from all IPv4 addresses
0.0.0.0/0                                | TCP      | 443        | Allow inbound HTTPS access from all IPv4 addresses
Your network's public IPv4 address range | TCP      | 22         | Allow inbound SSH access to Linux instances from IPv4 IP addresses in your network (over the internet gateway)

Outbound
Destination                                                                 | Protocol | Port Range | Description
The ID of the security group for your Microsoft SQL Server database servers | TCP      | 1433       | Allow outbound Microsoft SQL Server access to instances in the specified security group
Custom network ACLs examples
• Custom network ACLs deny all inbound and outbound traffic until you add rules.
• You can specify both allow and deny rules.
• Rules are evaluated in number order, starting with the lowest number.

Inbound
Rule | Type             | Protocol | Port Range | Source       | Allow/Deny
100  | HTTPS            | TCP      | 443        | 0.0.0.0/0    | ALLOW
120  | SSH              | TCP      | 22         | 192.0.2.0/24 | ALLOW
*    | All IPv4 traffic | All      | All        | 0.0.0.0/0    | DENY

Outbound
Rule | Type             | Protocol | Port Range | Destination  | Allow/Deny
100  | HTTPS            | TCP      | 443        | 0.0.0.0/0    | ALLOW
120  | SSH              | TCP      | 22         | 192.0.2.0/24 | ALLOW
*    | All IPv4 traffic | All      | All        | 0.0.0.0/0    | DENY
Security groups do not filter traffic destined to and from the following:
• Amazon Domain Name Services (DNS)
• Amazon Dynamic Host Configuration Protocol (DHCP)
• Amazon EC2 instance metadata
• Amazon ECS task metadata endpoints
• License activation for Windows instances
• Amazon Time Sync Service
• Reserved IP addresses used by the default VPC router
Security groups versus network ACLs

Attribute       | Security Groups                                                        | Network ACLs
Scope           | Instance level                                                         | Subnet level
Supported Rules | Allow rules only                                                       | Allow and deny rules
State           | Stateful (return traffic is automatically allowed, regardless of rules) | Stateless (return traffic must be explicitly allowed by rules)
Order of Rules  | All rules are evaluated before decision to allow traffic               | Rules are evaluated in number order before decision to allow traffic
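The table above is easiest to appreciate by running traffic through both models. The following is an added example, not code from the slides or from AWS: a toy Python model of the two filter layers, loaded with the slide's own custom security group and custom network ACL rules. The instance address 10.0.0.10, the client addresses 203.0.113.7 and 198.51.100.5, the admin range 192.0.2.0/24 (standing in for "your network") and the database subnet 10.0.2.0/24 (standing in for the SQL Server security group ID, which a CIDR-only model cannot express) are constructed for the demonstration.

```python
"""Added example, not from the slides: a toy model of the two filter layers compared
in the table above (not how AWS implements them). The rules are the slide's own custom
security group and network ACL examples; the addresses 203.0.113.7 and 10.0.0.10, the
admin range 192.0.2.0/24 and the database subnet 10.0.2.0/24 are constructed here."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)   # client ports a stateless ACL must allow for replies


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int
    sport: int


@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str              # "all" matches any protocol
    ports: range
    action: str = "allow"   # network ACLs may also say "deny"
    number: int = 0         # evaluation order (network ACLs only)

    def matches(self, addr, proto, port):
        return (ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)
                and self.proto in ("all", proto) and port in self.ports)


class SecurityGroup:
    """Instance level, allow rules only, every rule considered, stateful."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._conns = set()   # (local addr, local port, remote addr, remote port)

    def _check(self, key, rules, addr, proto, port):
        if key in self._conns:               # reply to an already allowed connection
            return True
        if any(r.matches(addr, proto, port) for r in rules):
            self._conns.add(key)
            return True
        return False                         # no allow rule matched: implicit deny

    def allow_inbound(self, p):
        return self._check((p.dst, p.dport, p.src, p.sport), self.inbound, p.src, p.proto, p.dport)

    def allow_outbound(self, p):
        return self._check((p.src, p.sport, p.dst, p.dport), self.outbound, p.dst, p.proto, p.dport)


class NetworkACL:
    """Subnet level, allow and deny rules, first match in number order, stateless."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, addr, proto, port):
        for r in rules:                      # lowest number first; first match decides
            if r.matches(addr, proto, port):
                return r.action == "allow"
        return False                         # the trailing '*' rule denies the rest

    def allow_inbound(self, p):
        return self._evaluate(self.inbound, p.src, p.proto, p.dport)

    def allow_outbound(self, p):
        return self._evaluate(self.outbound, p.dst, p.proto, p.dport)


def slide_security_group(admin_cidr="192.0.2.0/24", db_cidr="10.0.2.0/24"):
    """The slide's custom security group. Its outbound rule names a security group ID,
    which this CIDR-only model replaces with the database subnet's CIDR."""
    inbound = [Rule("0.0.0.0/0", "tcp", range(80, 81)),
               Rule("0.0.0.0/0", "tcp", range(443, 444)),
               Rule(admin_cidr, "tcp", range(22, 23))]
    return SecurityGroup(inbound, [Rule(db_cidr, "tcp", range(1433, 1434))])


def slide_network_acl(allow_ephemeral_replies=False):
    """The slide's custom network ACL, optionally with the outbound ephemeral-port rule
    a stateless ACL needs before replies to HTTPS clients can leave the subnet."""
    inbound = [Rule("0.0.0.0/0", "tcp", range(443, 444), "allow", 100),
               Rule("192.0.2.0/24", "tcp", range(22, 23), "allow", 120)]
    outbound = [Rule("0.0.0.0/0", "tcp", range(443, 444), "allow", 100),
                Rule("192.0.2.0/24", "tcp", range(22, 23), "allow", 120)]
    if allow_ephemeral_replies:
        outbound.append(Rule("0.0.0.0/0", "tcp", EPHEMERAL, "allow", 140))
    return NetworkACL(inbound, outbound)


def https_round_trip(fw):
    """(request allowed?, reply allowed?) for a client HTTPS request to 10.0.0.10."""
    request = Packet("203.0.113.7", "10.0.0.10", "tcp", dport=443, sport=51515)
    reply = Packet("10.0.0.10", "203.0.113.7", "tcp", dport=51515, sport=443)
    return fw.allow_inbound(request), fw.allow_outbound(reply)
```

`https_round_trip(slide_security_group())` returns `(True, True)`: the reply leaves even though the only outbound rule is for port 1433, because the group is stateful. `https_round_trip(slide_network_acl())` returns `(True, False)`: the stateless ACL in the slide admits the request but its outbound rules only cover ports 443 and 22, so the server's reply to the client's ephemeral port is dropped. Adding rule 140 (`slide_network_acl(True)`) restores `(True, True)`, which is why the "State" row of the table matters in practice.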
VPC peering
You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions.

Restrictions:
• IP spaces cannot overlap.
• Transitive peering is not supported.
• You can only have one peering resource between the same two VPCs.
VPC peering
• Instances in either VPC can communicate with each
other as if they are within the same network.
• You can create a VPC peering connection between your
own VPCs, or with a VPC in another AWS account.
• The VPCs can be in different Regions (also known as an
inter-Region VPC peering connection).
• A VPC peering connection helps you to facilitate the
transfer of data.
• For example, if you have more than one AWS account,
you can peer the VPCs across those accounts to create a
file sharing network.
• You can also use a VPC peering connection to allow
other VPCs to access resources you have in one of your
VPCs.
VPC peering
• When you establish peering relationships between VPCs across different AWS Regions, resources in the VPCs in different AWS Regions can communicate with each other using private IP addresses, without using a gateway, VPN connection, or network appliance.
• The traffic remains in the private IP address space. All inter-Region traffic is encrypted with no single point of failure, or bandwidth bottleneck.
• Traffic always stays on the global AWS backbone, and never traverses the public internet, which reduces threats
VPC sharing
AWS Direct Connect
AWS Direct Connect makes it easy to establish a dedicated connection from an on-premises network to one or more VPCs.

AWS Direct Connect can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.

It uses industry-standard 802.1Q VLANs to connect to Amazon VPC using private IP addresses.
AWS Direct Connect

[Diagram: Region > Availability Zone > VPC 10.0.0.0/16 with a public subnet 10.1.0.0/24 and a private subnet 10.0.2.0/24; the private subnet's route table points at a virtual gateway, which connects over an 802.1Q VLAN through AWS Direct Connect to a customer gateway in the corporate data center 192.168.10.0/24; the internet is shown as a separate path]
AWS Direct Connect
The VLANs are configured using virtual interfaces (VIFs), and you can configure three different types of VIFs:

Public virtual interface - Establish connectivity between AWS public endpoints and your data center, office, or colocation environment.

Transit virtual interface - Establish private connectivity between AWS Transit Gateway and your data center, office, or colocation environment. This connectivity option is covered in the section AWS Direct Connect + AWS Transit Gateway.

Private virtual interface - Establish private connectivity between Amazon VPC resources and your data center, office, or colocation environment.
AWS Direct Connect
You can establish connectivity to the AWS backbone using AWS Direct Connect by establishing a cross-connect to AWS devices in a Direct Connect location.

With AWS Direct Connect, you have two types of connection:

Dedicated connections, where a physical Ethernet connection is associated with a single customer. You can order port speeds of 1, 10, or 100 Gbps.

Hosted connections, where a physical Ethernet connection is provisioned by an AWS Direct Connect Partner and shared with you. You can order port speeds between 50 Mbps and 10 Gbps.
Activity 2
Describe the steps to solve the scenario:
You have a small business with a website that is hosted on an Amazon
Elastic Compute Cloud (Amazon EC2) instance. You have customer
data that is stored on a backend database that you want to keep
private. You want to use Amazon VPC to set up a VPC that meets the
following requirements:
• Your web server and database server must be in separate subnets.
• The first address of your network must be 10.0.0.0. Each subnet
must have 256 total IPv4 addresses.
• Your customers must always be able to access your web server.
• Your database server must be able to access the internet to make
patch updates.
• Your architecture must be highly available and use at least one
custom firewall layer.
Activity: Label this network diagram
Content Delivery and Network Latency
Content Delivery
• Is a globally distributed system of caching servers
• Caches copies of commonly requested files (static content)
• Delivers a local copy of the requested content from a nearby cache edge or Point of Presence
• Accelerates delivery of dynamic content
• Improves application performance and scaling
What?
AWS CloudFront has helped users to request data resulting in low latency, low network traffic, and quick data access with minimal cost. This has made it a very popular network.

AWS CloudFront is a globally-distributed network offered by Amazon Web Services, which securely transfers content such as software, SDKs, videos, etc., to the clients, with high transfer speed.
Why?
Benefits of AWS CloudFront
• It will cache your content in edge locations and decrease the workload, thus resulting in high availability of applications.
• It is simple to use and ensures productivity enhancement.
• It provides high security with the ‘Content Privacy’ feature.
• It facilitates GEO targeting service for content delivery to specific end-users.
• It uses HTTP or HTTPS protocols for quick delivery of content.
• It is less expensive, as it only charges for the data transfer.

Pricing of AWS CloudFront
Data transfer out
• Charged for the volume of data transferred out from Amazon
CloudFront edge location to the internet or to your origin.
HTTP(S) requests
• Charged for number of HTTP(S) requests.
Invalidation requests
• No additional charge for the first 1,000 paths that are requested
for invalidation each month. Thereafter, $0.005 per path that is
requested for invalidation.
Dedicated IP custom SSL
• $600 per month for each custom SSL certificate that is
associated with one or more CloudFront distributions that use
the Dedicated IP version of custom SSL certificate support.
How Does AWS CloudFront Work?
Step 1
The client accesses a website and requests to download a file (like an image file).

[Diagram: Client access]

Step 2
Now, the DNS routes the client request to the nearest edge location through CloudFront to serve the user request.

[Diagram: Serve user request]

Step 3
At the edge location, CloudFront looks for the requested file in its cache. Once the file is found, CloudFront sends the file to the user.

[Diagram: Cache file - CloudFront]

Step 4
But if the file is not found, CloudFront compares the request with the distribution's specifications and forwards it to the respective web server.

[Diagram: Web server - CloudFront]

Step 5
The web server responds to the request by sending the files back to the CloudFront edge location.

[Diagram: Share File]

Step 6
As soon as CloudFront receives the file, it shares it with the client and adds the file to the edge location cache.
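The six steps above, as an added example that is not part of the slides and not the CloudFront implementation: a toy Python model in which "DNS" picks the client's edge location, the edge serves a fresh cached copy on a hit, and on a miss fetches from the origin web server, returns the file and stores it. It also shows what the pricing slide's invalidation requests do to the cache. The class names, the region table, the file path and the TTL are constructed for the demonstration.

```python
"""Added example, not from the slides: a toy model of the six-step request flow above
(client -> DNS picks the edge -> cache hit, or miss -> origin -> store and serve).
Class names, file paths and the region table are constructed for the demonstration;
this is not the CloudFront implementation."""
from dataclasses import dataclass, field


@dataclass
class Origin:
    """The customer's web server; fetches are counted to make the caching effect visible."""
    files: dict
    fetches: int = 0

    def fetch(self, path):
        self.fetches += 1
        if path in self.files:
            return self.files[path], 200
        return None, 404


@dataclass
class EdgeLocation:
    name: str
    origin: Origin
    ttl: int = 60                                  # seconds an object stays fresh
    cache: dict = field(default_factory=dict)      # path -> (body, stored_at)
    hits: int = 0
    misses: int = 0

    def get(self, path, now):
        """Serve one request at time `now`; returns (body, 'HIT' or 'MISS')."""
        entry = self.cache.get(path)
        if entry is not None and now - entry[1] < self.ttl:   # Step 3: fresh copy at the edge
            self.hits += 1
            return entry[0], "HIT"
        self.misses += 1
        body, status = self.origin.fetch(path)                # Steps 4-5: ask the origin
        if status != 200:
            return None, "MISS"                               # errors are not cached here
        self.cache[path] = (body, now)                        # Step 6: store, then serve
        return body, "MISS"

    def invalidate(self, path):
        """Drop a cached path so the next request is refetched (an invalidation request)."""
        return self.cache.pop(path, None) is not None


def nearest_edge(edges, client_region):
    """Step 2: 'DNS' maps the client to its closest edge (a table stands in for latency routing)."""
    return edges[client_region]


def simulate():
    """Four requests for one image from two regions, then a TTL expiry and an invalidation."""
    origin = Origin(files={"/images/logo.png": b"<constructed PNG bytes>"})
    edges = {"eu": EdgeLocation("eu-edge", origin), "us": EdgeLocation("us-edge", origin)}
    log = []
    for now, region in [(0, "eu"), (5, "eu"), (6, "us"), (7, "eu")]:   # Step 1: client requests
        edge = nearest_edge(edges, region)
        _, status = edge.get("/images/logo.png", now)
        log.append((edge.name, status))
    # after the TTL the eu edge must go back to the origin
    log.append(("eu-edge", edges["eu"].get("/images/logo.png", now=70)[1]))
    # an invalidation forces the next request to the origin even though the copy is fresh
    edges["eu"].invalidate("/images/logo.png")
    log.append(("eu-edge", edges["eu"].get("/images/logo.png", now=71)[1]))
    return log, origin.fetches
```

`simulate()` returns the per-request log (MISS, HIT, MISS on the other edge, HIT, MISS after expiry, MISS after invalidation) together with an origin fetch count of 4: six client requests cost the web server four fetches, and each edge location fills its own cache independently, which is the load reduction the benefits slide describes.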
