AWS Cloud Fundamentals

AWS Networking
 A Day in the Life of a Cloud Consultant

You're a cloud consultant for a Fortune 500 company. Your client wants
to transition to the cloud and needs networking solutions for:

• A virtual network in the AWS cloud

• The rules to direct network traffic from the subnet or gateway
• A content delivery network (CDN) service for secure, fast, and global
data delivery in a developer-friendly environment
• An alternative to using the internet to utilize AWS cloud services
 A Day in the Life of a Cloud Consultant

The client also requires:

• A highly available and scalable cloud Domain Name System (DNS)

web service
• A service to control network access to and from AWS resources
• A service that can secure their network and protect against
unauthorized access

Now, your task is to find the relevant solutions. This lesson will provide
you with the necessary concepts to meet these requirements.
 Learning Objectives

By the end of this lesson, you will be able to:

Explain AWS networking, AWS VPC, and VPC peering

List Amazon Virtual Private Cloud Routing options

Apply the features of Amazon VPC security

Comprehend network firewall options and DDoS attack mitigation

AWS Virtual Private Cloud
 Networking in AWS

AWS scalable networking services provide diverse networking solutions that are on-demand and
accessible with a click. Users can quickly access, develop, and alter building blocks to handle any
workload they choose.
 Networking in AWS

Users can use AWS networking services to:

Separate the cloud infrastructure

Boost workload requests

Connect virtual private networks to a physical

network
 Amazon Virtual Private Cloud

Amazon Virtual Private Cloud helps launch AWS resources into a virtual network. This virtual
network closely matches a typical network that runs in the user’s data center, with the added
benefit of AWS' scalable infrastructure.

By default, a user can only have five Amazon VPCs in a region.

 Elements of Amazon VPC

IPv4 and
IPv6
address
blocks
Other Subnet
networking creation
services

Network
Route
or
tables
subnet
security

Elastic IP Internet
addresses connectivity
 Elements of Amazon VPC

IPv4 and IPv6 address blocks

The VPC can communicate over IPv4 or IPv6, or both, in dual-stack mode. IPv4 and
IPv6 addresses are different and must be configured independently in your VPC.

Subnet

A subnet is a range of IP addresses in your VPC. You can launch AWS resources, such
as EC2 instances, into a specific subnet.
 Elements of Amazon VPC

Route table

A default route table comes with a user’s VPC. It is responsible for routing subnets not
explicitly linked to another route table.

Internet connectivity

An EC2 instance requires internet connectivity within an Amazon Web Services (AWS)
Virtual Private Cloud (VPC). Internet access is enabled by default in the default VPC.
 Elements of Amazon VPC

Elastic IP address

A static public IPv4 address created for dynamic cloud computing is known as an
Elastic IP address. An Elastic IP address can be assigned to any instance or network
interface in any VPC in a user’s account.

Network or subnet security

Security groups and network ACLs are two capabilities that AWS offers to help
secure users’ VPCs. Security groups manage inbound and outbound traffic for the
instances.
 Subnets

A subnet is a collection of IP addresses within a user’s VPC. A VPC can contain all available
subnets or a mix of public and private subnets.

Image source: https://www.learnitguide.net/2019/01/aws-vpc-create-new-vpc-subnets-internet.html

 Types of Subnets

Subnets can be classified as public, private, or VPN-only, depending on how the VPC is configured.

Image source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

 Types of Subnets

Public Subnet

Traffic is routed to an internet

gateway, providing internet
connectivity.

Private Subnet VPN-only Subnet

It does not route traffic to an There is no route to the internet

internet gateway; hence, there is no gateway, but the system has a
public internet access. virtual private gateway for VPN
connections.
 Understanding VPC Peering

VPC Peering refers to a network connection linking two VPCs, enabling routing between them via
private IPv4 or IPv6 addresses.

Image source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

 VPC Peering Scenarios

One use case is granting complete access to resources through peering with multiple VPCs.

For example:

• A company has several IT departments, each operating

its own VPC. These VPCs may exist within the same or
different AWS accounts.

• They wish to enable full resource access across

departments, so they decide to establish peering
between all VPCs.
 VPC Peering Scenarios

Another scenario involves granting access to centralized resources by peering with a single VPC.

For example:

• An organization wishes to share a particular VPC with its

clients.

• Clients can establish a VPC peering connection with the

organization's VPC. However, they cannot route traffic to
other VPCs peered with the organization's VPC, nor can
they access the routes of other clients.
 Internet Gateway

An internet gateway is a service that facilitates internet traffic flow through a VPC. It's a logical
connection bridging an AWS VPC and the internet.

Resources cannot be accessed from the internet without an internet gateway attached to the VPC.
Internet Gateway

An internet gateway serves two main functions:

• It provides a target in your VPC route tables for

internet-routable traffic.

• It performs network address translation (NAT) for

instances with public IPv4 addresses.
 Amazon API Gateway

• It is a fully managed service that enables developers to

create, publish, monitor, and secure APIs effortlessly.

• It serves as the front door for applications to access

data, business logic, or functionality from backend
services.

API Gateway allows you to create RESTful APIs and WebSocket APIs that enable real-time two-
way communication.
 Amazon CloudFront

Amazon CloudFront is a fast content delivery network (CDN) service that securely distributes
data, videos, applications, and APIs to customers globally.
Features of Amazon CloudFront

• CloudFront caches copies of content near end-

users, resulting in lower latency, high data transfer
speeds, and reduced network congestion.

• Users pay only for what they use, with no hidden

costs or upfront expenses.

• Users can limit access to their content using

CloudFront's geo-restriction capability.
 AWS Direct Connect

AWS Direct Connect provides a networking service that enables users to connect to AWS by
bypassing the internet.

Traffic that would have typically passed over the internet now traverses a private data pathway
between the premises and AWS through Direct Connect.
 Amazon Route 53

• Amazon Route 53 routes user requests to various AWS

services, such as Amazon EC2 instances, Elastic Load
Balancing load balancers, Amazon S3 buckets, and resources
outside AWS.

• Amazon Route 53 is an always-available and scalable cloud

Domain Name System (DNS) web service.
Assisted Practice

Virtual Private Cloud (VPC) Duration: 20 Min.

Problem Statement:

You have been assigned a task to create and configure the VPC (Virtual Private Cloud) in AWS
Assisted Practice: Guidelines

Steps to be followed:

1. Create an AWS VPC

2. Configure the AWS VPC
Amazon VPC Routing
 Amazon VPC Routing

The VPC router directs traffic within the VPC and to external subnets based on the specified
route tables.
 Amazon VPC Routing: Examples

Amazon VPC offers various routing options, such as:

• Routing to the Internet gateway

• Routing to a VPC Peering Connection
• Routing to a gateway VPC endpoint
• Routing to a virtual private gateway
 Amazon VPC Route Table

A route table is a set of rules or routes that dictate where network traffic from your subnet or
gateway is directed.

Image source: https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/

Amazon VPC Security
 Amazon VPC Security

At AWS, cloud security is a paramount priority. As an AWS user, you gain access to a data center and
network architecture that cater to the needs of the most security-sensitive organizations.

Traffic that would have typically passed over the internet now traverses a private data pathway
between the premises and AWS through Direct Connect.
 Amazon VPC Security: Features

Amazon VPC offers several features to enhance and monitor security such as:

• Flow Logs
• IP Addressing
• Ingress Routing
• Network Access Analyzer and Control List
• Reachability Analyzer
• Security Groups
 VPC Feature: Flow Logs

1. Flow Logs

• Flow Logs track traffic entering and leaving instances, identifying the direction of traffic flow
to and from network interfaces.
• These must be configured independently in your VPC.
 VPC Feature: IP Addressing

2. IP Addressing

• It enables resources within a VPC to connect with one another and with resources on the
internet.
• When creating a VPC, users can assign it an IPv4 CIDR block (a group of private IPv4
addresses), an IPv6 CIDR block, or both (dual stack).
 VPC Feature: Ingress Routing & Network Access Analyzer

3. Ingress Routing

Organizations can use Amazon VPC Ingress Routing to facilitate the integration of network
and security appliances into their network topology.

4. Network Access Analyzer and Control List

• Helps identify network setups leading to unauthorized network access

• Offers ways to bolster security posture while maintaining agility and flexibility
 VPC Feature: Reachability Analyzer

5. Reachability Analyzer

• It is a configuration analysis tool that enables connectivity verification between a

source and a destination resource in your VPCs.

• It provides hop-by-hop details when the destination is reachable and identifies the
blocking component when the destination is unreachable.
 VPC Feature: Security Groups

6. Security Groups

• It functions as a virtual firewall for your instance, controlling inbound and outbound
traffic. Up to five security groups can be assigned to an instance when it's launched in
a VPC.

• It operates at the instance level, not the subnet level. Thus, each instance in a VPC
subnet can be assigned to a different set of security groups.
 Network Traffic Control: Traffic Mirroring

Traffic Mirroring is a feature of Amazon VPC that enables the replication of network traffic from
an Amazon EC2 instance's Elastic Network Interface (ENI).
Network Traffic Control: Features

Traffic Mirroring facilitates:

• Capturing and inspecting network traffic

• Detecting network and security anomalies
• Gaining operational insights
• Implementing compliance and security
controls
• Troubleshooting issues
 Network Routing

Network routing refers to the process of determining a path across one or more networks.

Network 1 Network 3 Network 5

System A Router System B

Network 2 Network 4
 AWS Network Firewall

The AWS Network Firewall is a managed service that simplifies the setup of essential network
security across your Amazon VPCs.

This distributed firewall across all VPC networks

aids in:
• Scaling network loads and managing
numerous connections
• Handling thousands of custom rules
supported by a highly flexible rules engine
• Monitoring firewall activities in real time
Network Firewall: Uses

• Ensures high availability and automated scaling

• Provides stateful firewall protections
• Implements web filtering measures
• Offers intrusion prevention mechanisms
• Enables central management and visibility of
firewall activities
 DDoS Mitigation

DDoS mitigation refers to the process of effectively protecting a targeted server or network
from a Distributed Denial-of-Service (DDoS) attack.
 DDoS Attack Mitigation: Stages

The mitigation stages during a DDoS attack include:

Detection

Response

Routing

Adaptation
 DDoS Attack Mitigation: Stages

Detection

To thwart a distributed attack, a website needs to distinguish between an attack and

a large volume of legitimate traffic.

Response

Upon detecting a DDoS attack, the DDoS protection network intelligently discards
malicious bot traffic while absorbing the rest of the traffic.
 DDoS Attack Mitigation: Stages

Routing

A successful DDoS mitigation solution breaks down the remaining traffic into
manageable chunks, intelligently routing traffic to prevent service disruption.

Adaptation

An effective network looks for traffic patterns such as repeated offending IP blocks,
specific attacks from certain countries, or the misuse of certain protocols.
 Key Takeaways

AWS's scalable networking services offer a diverse set of on-demand

solutions accessible with a click.

A subnet within your VPC is a set of IP addresses, and a VPC can

contain all available subnets or a mix of public and private ones.

A route table comprises rules that dictate where network traffic

from your subnet or gateway goes.

As an AWS user, you gain access to a data center and network

architecture designed to meet the needs of the most security-
conscious organizations.
Knowledge Check
Thank You