Networking for the AWS Solutions Architect Exam | AWS in Plain English

INTRODUCTION TO IPs

Before talking about networking in AWS, we must be very clear about the concept of IP. We should already know this, although we will explain it in this introduction in case someone needs a refresher. If this is not your case, I invite you to move directly to the next section.

IPs are numerical labels used for network interface identification and location addressing. The IPv4 protocol, which is the one that we usually use, defines an IP address as a 32-bit number. It’s also important to know the Classless Inter-Domain Routing (CIDR), the standard for representing IP addresses and routing properties. It has two components:

  • Base IP
  • Subnet Mask (prefix length) → The number of leading bits that are fixed; only the remaining bits may vary. A /28 subnet mask means that 28 bits are fixed, so we can only modify the last 4 bits.

Let’s look at an example:

74.125.227.4/30

What is the representation of 74.125.227.4 in binary?

1) 74: 01001010

2) 125: 01111101

3) 227: 11100011

4) 4: 00000100

74.125.227.4/30 means that only the last 2 bits can change, so the block covers the CIDR range [74.125.227.4 – 74.125.227.7]:

1) 01001010 01111101 11100011 00000100 → 74.125.227.4

2) 01001010 01111101 11100011 00000101 → 74.125.227.5

3) 01001010 01111101 11100011 00000110 → 74.125.227.6

4) 01001010 01111101 11100011 00000111 → 74.125.227.7

AMAZON VPC

Until now, our AWS Cloud contained all the resources we have launched, such as EC2 instances, Load Balancers, and Security Groups, in a VPC that AWS automatically created for us: the default VPC. But what is a VPC?

A Virtual Private Cloud (VPC) is a virtual network dedicated to your AWS account, logically isolated from other virtual networks in the AWS Cloud. Amazon VPC enables you to launch AWS resources into a virtual network that you’ve defined. It’s like a big container where your AWS resources will live.

A VPC spans all of the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. But, what is a subnet?

A VPC spans all the AZs in the region.

SUBNETS

A subnet is a range of IP addresses in your VPC where you can launch AWS resources. Each subnet MUST reside within one Availability Zone. When creating the subnet, you specify the IPv4 CIDR block, with an allowed block size between /16 and /28 netmasks. Why does this rule apply? AWS reserves 5 IPs in each subnet; that’s why the minimum is /28 (16 addresses, of which 11 remain usable). This is a typical question in the exam. For a subnet with the CIDR block 10.0.0.0/24, the reserved addresses are:

- 10.0.0.0 --> Network address.
- 10.0.0.1 --> Reserved by AWS for the VPC router.
- 10.0.0.2 --> Reserved by AWS for mapping to the Amazon DNS.
- 10.0.0.3 --> Reserved by AWS for future use.
- 10.0.0.255 --> Network broadcast address.
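The CIDR arithmetic from the introduction and the five reserved addresses above, worked through as an added example (this code is not from the original article; the 10.0.0.0/24 and 74.125.227.4/30 blocks are the article’s own, the rest are constructed samples):

```python
# Added example (not from the original article): the CIDR bit arithmetic the
# article walks through by hand, plus the five addresses AWS reserves in every
# subnet. Addresses below are the article's own or constructed samples.

def to_int(ip: str) -> int:
    """'74.125.227.4' -> 32-bit integer (each octet is 8 bits)."""
    return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")

def to_str(n: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def to_bits(ip: str) -> str:
    """Binary form grouped by octet, e.g. '01001010 01111101 11100011 00000100'."""
    return " ".join(f"{b:08b}" for b in to_int(ip).to_bytes(4, "big"))

def cidr_range(cidr: str) -> tuple:
    """First and last address of a block: the prefix length fixes the leading
    bits and only the remaining 32 - prefix host bits may vary."""
    ip, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    first = to_int(ip) & mask            # host bits cleared -> network address
    last = first | (~mask & 0xFFFFFFFF)  # host bits set -> broadcast address
    return to_str(first), to_str(last)

def aws_reserved(cidr: str) -> dict:
    """The five addresses AWS keeps back in a subnet and the usable host count.
    Rejects block sizes outside the /16../28 range a VPC subnet allows."""
    prefix = int(cidr.split("/")[1])
    if not 16 <= prefix <= 28:
        raise ValueError(f"subnet must be between /16 and /28, got /{prefix}")
    first, last = cidr_range(cidr)
    base = to_int(first)
    return {
        "network": first,                     # e.g. 10.0.0.0
        "vpc_router": to_str(base + 1),       # 10.0.0.1
        "dns": to_str(base + 2),              # 10.0.0.2
        "future_use": to_str(base + 3),       # 10.0.0.3
        "broadcast": last,                    # 10.0.0.255 for a /24
        "usable_hosts": 2 ** (32 - prefix) - 5,
    }

def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True when two blocks share any address; subnets in one VPC must not."""
    a_first, a_last = (to_int(x) for x in cidr_range(cidr_a))
    b_first, b_last = (to_int(x) for x in cidr_range(cidr_b))
    return a_first <= b_last and b_first <= a_last
```

`overlaps` is the check to run before adding a second subnet to a VPC, since the console rejects overlapping CIDR blocks.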

We can have different subnets in an Availability Zone, but the CIDR range cannot overlap.

There are two different types of subnets:

  • Public subnets → Instances from public subnets are accessible through the Internet. The subnet’s traffic is routed to an Internet Gateway (we’ll see this concept soon).
  • Private subnets → The subnet doesn’t have a route to the Internet Gateway.

Subnets inside Availability Zones.

INTERNET GATEWAY

After creating the VPC and the subnets, we want our instance to connect to the Internet. Even if we assign a public IP to the instance, it still won’t work. Why? We also need an Internet Gateway.

An Internet Gateway enables communication between the VPC and the Internet. It lets the instances in your VPC reach the Internet and be reached from it. It is created separately from the VPC and then attached to it, and a VPC can have only one Internet Gateway attached.

Internet Gateway in a VPC.

Are we finally able to establish a connection with the Internet? Not yet! We also need one more thing.

ROUTE TABLES

A route table contains a set of rules (routes) that determine where network traffic leaving your subnet is directed. Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet.

When you associate a CIDR block with your VPC, a local route is automatically added to your VPC route tables so that resources inside the VPC can reach each other. To connect with the Internet, you need a route from your subnet’s route table to the Internet Gateway; that is the final step.

Example of Route Table (via docs.aws.amazon.com).

The previous example shows how to route the IPv4 traffic (0.0.0.0/0) to our Internet Gateway (“igw-12345…”).

Route Table connected to the Internet Gateway.

Now you might be thinking, what if I want my Private Subnet to connect to other services outside our VPC? Let’s see how to do that.

NAT GATEWAYS

To let instances in private subnets reach services outside our VPC (over the Internet) while still preventing external services from initiating connections to those instances, there are two ways to do it:

  • NAT Instances → Old method. We launched an EC2 instance in a public subnet to let instances in the private subnet connect to the Internet. We don’t usually use them anymore, but the definition can still come up in the exam.
  • NAT Gateways → With NAT Gateways, AWS manages the NAT for us; we don’t launch or maintain any instance, we only route traffic from the NAT Gateway to the Internet Gateway. They are created in the public subnets, and we route the traffic from the private subnet to this NAT Gateway. We can see this in the following diagram:
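How the route tables of a public, a private and an isolated subnet resolve a destination, as an added example covering the Route Tables and NAT Gateways sections (not code from the original article; the VPC CIDR, route tables and the `igw-EXAMPLE`/`nat-EXAMPLE` target IDs are constructed placeholders):

```python
# Added example (not from the original article): how a subnet's route table
# picks a target for a destination address. Routes are matched by longest
# prefix, the "local" route covers the VPC's own CIDR, and a private subnet
# reaches the Internet only through a route to a NAT Gateway in a public subnet.
# Route tables and target IDs below are constructed, not real AWS resources.

def _ip_int(ip: str) -> int:
    return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")

def _prefix_len(cidr: str) -> int:
    return int(cidr.split("/")[1])

def _matches(ip: str, cidr: str) -> bool:
    """True when the leading prefix bits of ip equal those of the route's CIDR."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return _ip_int(ip) & mask == _ip_int(net) & mask

def resolve(route_table: dict, destination: str) -> "str | None":
    """Target for a destination, or None when no route matches (traffic is dropped).
    route_table maps destination CIDR -> target, as the console shows it."""
    candidates = [c for c in route_table if _matches(destination, c)]
    if not candidates:
        return None
    # Longest prefix wins: the /16 local route beats 0.0.0.0/0 for VPC addresses.
    return route_table[max(candidates, key=_prefix_len)]

VPC_CIDR = "10.0.0.0/16"
# Public subnet: local route plus a default route to the Internet Gateway.
PUBLIC_RT = {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"}
# Private subnet: the default route goes to the NAT Gateway in the public subnet,
# which in turn forwards to the Internet Gateway.
PRIVATE_RT = {VPC_CIDR: "local", "0.0.0.0/0": "nat-EXAMPLE"}
# Isolated subnet: only the local route, so nothing outside the VPC is reachable.
ISOLATED_RT = {VPC_CIDR: "local"}
```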

VPC NAT Gateway.

NETWORK ACLs

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. They are similar to Security Groups, but they work at the subnet level, whereas Security Groups work at the instance level. A typical use case for Network ACLs is blocking a specific IP.

NACLs in a Subnet.

A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic. A custom NACL denies all traffic, both inbound and outbound, by default.

Security Groups vs. Network ACLs

In the following table, we can see the differences between Security Groups and Network ACLs.

Security Group vs. Network ACL (via docs.aws.amazon.com).

  • Network ACL operates at the subnet level, whereas security groups operate at the instance level, as mentioned before.
  • Network ACL supports allow and deny rules. This is important, and they usually ask about it in the exam. Security Groups don’t accept deny rules; only allow rules.
  • Network ACLs are stateless: every packet, inbound and outbound, is evaluated against the rules, so return traffic needs its own allow rule. Security Groups are stateful: if an inbound request is allowed, its response is automatically allowed out, regardless of the outbound rules.
  • Network ACLs process rules in order. Each rule has a number; rules are evaluated from the lowest number upward and the first match wins, so the lower the number, the higher the priority. For example:
    – RULE 100 ALLOW IP 74.125.227.4
    – RULE 200 DENY IP 74.125.227.4
    In this case, IP 74.125.227.4 is allowed in the subnet as rule 100 has more priority than the 200.
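The ordered, first-match evaluation described above, with the stateless caveat, as an added example (not code from the original article; the rule numbers, ports and the `Rule` class are constructed, and only 74.125.227.4 comes from the text):

```python
# Added example (not from the original article): how a network ACL evaluates
# its numbered rules. Rules are checked in ascending number order, the first
# rule matching the address and port wins, and the catch-all "*" rule denies
# anything nothing else matched. Rule numbers and ports are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int        # evaluation order; lower is checked first
    action: str        # "ALLOW" or "DENY"
    cidr: str          # source (inbound) or destination (outbound) block
    port_from: int = 0
    port_to: int = 65535

def _ip_int(ip: str) -> int:
    return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")

def _in_cidr(ip: str, cidr: str) -> bool:
    """Prefix match using the same bit arithmetic as CIDR notation."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return _ip_int(ip) & mask == _ip_int(net) & mask

def evaluate(rules: list, ip: str, port: int) -> tuple:
    """Return (number of the rule that decided, action). '*' is the implicit final deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _in_cidr(ip, rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.number, rule.action
    return "*", "DENY"

# Constructed inbound rule set mirroring the article's example: rule 100 allows
# the address and rule 200 denies it, so rule 100 wins because it is evaluated
# first (the list is deliberately out of order to show that only the number matters).
INBOUND = [
    Rule(200, "DENY", "74.125.227.4/32"),
    Rule(100, "ALLOW", "74.125.227.4/32"),
    Rule(300, "ALLOW", "0.0.0.0/0", 443, 443),
]

# Because a NACL is stateless, the response to an allowed inbound request must
# also pass the outbound rules; here the ephemeral port range is opened explicitly.
OUTBOUND = [Rule(100, "ALLOW", "0.0.0.0/0", 1024, 65535)]
```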

And these would be the significant differences between NACLs and Security Groups. Let’s finish this chapter with a picture of the current state of our VPC, taking into account all the services we have seen:

NACLs in the AWS Cloud.

This topic is quite complex, and we still have several services to learn. See you in part 2 of the Networking chapter!