Which AWS services can be used to provide network connectivity between on
This article covers AWS Networking which is a key technology area in the Cloud Practitioner exam blueprint Show
Amazon Virtual Private Cloud (VPC)A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. Analogous to having your own DC inside AWS. It is logically isolated from other virtual networks in the AWS Cloud. Provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. A VPC spans all the Availability Zones in the region. You have full control over who has access to the AWS resources inside your VPC. You can create your own IP address ranges, and create subnets, route tables and network gateways. When you first create your AWS account a default VPC is created for you in each AWS region. A default VPC is created in each region with a subnet in each AZ. By default you can create up to 5 VPCs per region. You can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch). A default VPC is automatically created for each AWS account the first time Amazon EC2 resources are provisioned. The default VPC has all-public subnets. Public subnets are subnets that have:
Instances in the default VPC always have both a public and private IP address. AZs names are mapped to different zones for different users (i.e. the AZ “ap-southeast-2a” may map to a different physical zone for a different user). Components of a VPC:
Options for securely connecting to a VPC are:
An Elastic Network Interface (ENI) is a logical networking component that represents a NIC. ENIs can be attached and detached from EC2 instances, and the configuration of the ENI will be maintained. Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC. Flow log data is stored using Amazon CloudWatch Logs. Flow logs can be created at the following levels:
Peering connections can be created with VPCs in different regions (available in most regions now). SubnetsAfter creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. Types of subnet:
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. FirewallsNetwork Access Control Lists (ACLs) provide a firewall/security layer at the subnet level. Security Groups provide a firewall/security layer at the instance level. The table below describes some differences between Security Groups and Network ACLs: Security GroupNetwork ACLOperates at the instance (interface) levelOperates at the subnet levelSupports allow rules onlySupports allow and deny rulesStatefulStatelessEvaluates all rulesProcesses rules in orderApplies to an instance only if associated with a groupAutomatically applies to all instances in the subnets its associated withVPC WizardThe VPC Wizard can be used to create the following four configurations: VPC with a Single Public Subnet:
VPC with Public and Private Subnets:
VPC with Public and Private Subnets and Hardware VPN Access:
VPC with a Private Subnet Only and Hardware VPN Access:
NAT InstancesNAT instances are managed by you. Used to enable private subnet instances to access the Internet. When creating NAT instances always disable the source/destination check on the instance. NAT instances must be in a single public subnet. NAT instances need to be assigned to security groups. NAT Gateways NAT gateways are managed for you by AWS. NAT gateways are highly available in each AZ into which they are deployed. They are preferred by enterprises. Can scale automatically up to 45Gbps. No need to patch. Not associated with any security groups. The table below describes some differences between NAT instances and NAT gateways: NAT InstanceNAT GatewayManaged by you (e.g. software updates)Managed by AWSScale up (instance type) manually and use enhanced networkingElastic scalability up to 45 GbpsNo high availability – scripted/auto-scaled HA possible using multiple NATs in multiple subnetsProvides automatic high availability within an AZ and can be placed in multiple AZsNeed to assign Security GroupNo Security GroupsCan use as a bastion hostCannot access through SSHAWS Direct Connect (DX)AWS Direct Connect is a network service that provides an alternative to using the Internet to connect a customer’s on-premises sites to AWS. Data is transmitted through a private network connection between AWS and a customer’s data center or corporate network. Benefits of Direct Connect:
Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs). Public VIFs allow access to public services such as S3, EC2, and DynamoDB. Private VIFs allow access to your VPC. From Direct Connect you can connect to all AZs within the Region. You can establish IPSec connections over public VIFs to remote regions. Direct Connect is charged by port hours and data transfer. Available in 1Gbps and 10Gbps. Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be purchased through AWS Direct Connect Partners. Each connection consists of a single dedicated connection between ports on the customer router and an Amazon router. for HA you must have 2 DX connections – can be active/active or active/standby. Route tables need to be updated to point to a Direct Connect connection. AWS Global AcceleratorAWS Global Accelerator is a service that improves the availability and performance of applications with local or global users. It provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances. Uses the AWS global network to optimize the path from users to applications, improving the performance of TCP and UDP traffic. AWS Global Accelerator continually monitors the health of application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute. Details and BenefitsUses redundant (two) static anycast IP addresses in different network zones (A and B). The redundant pair are globally advertised. Uses AWS Edge Locations – addresses are announced from multiple edge locations at the same time. Addresses are associated to regional AWS resources or endpoints. AWS Global Accelerator’s IP addresses serve as the frontend interface of applications. Intelligent traffic distribution: Routes connections to the closest point of presence for applications. Targets can be Amazon EC2 instances or Elastic Load Balancers (ALB and NLB). By using the static IP addresses, you don’t need to make any client-facing changes or update DNS records as you modify or replace endpoints. The addresses are assigned to your accelerator for as long as it exists, even if you disable the accelerator and it no longer accepts or routes traffic. AWS OutpostsAWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies. AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools. Outposts is available as a 42U rack that can scale from 1 rack to 96 racks to create pools of compute and storage capacity. Which AWS service can be used to provide network?Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 securely deliver your data with low latency and high throughput. Simplify and improve your application's network architecture with AWS application networking.
Which AWS service or feature allows a user to establish a dedicated network connection between a company's onAWS Direct Connect makes it easy to establish a dedicated connection from an on-premises network to one or more VPCs in the same region.
Which tool in Amazon is used to have a dedicated network connection between an on Prem network and the AWS platform?With AWS Direct Connect SiteLink, you can send data between AWS Direct Connect locations to create private network connections between the offices and data centers in your global network.
Which AWS service can you use to connect your AWS cloud with an onAWS Direct Connect enables you to securely connect your AWS environment to your on-premises data center or office location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic connection.
|