In this chapter, we studied the important concepts of networking in general and of networking in AWS. We refreshed core networking concepts, studied how a VPC works, and looked at its functionalities and components. We explored the Internet Gateway, route tables, the NAT Gateway, and connectivity options.

We studied the difference between security groups and network access control lists (NACLs) and saw how they work by working through a use case.

Key takeaways

Below are the important concepts and key takeaways from this chapter.

Fundamentals of networking

  • Internet Protocol (IP): This defines a set of rules to address and route traffic on the internet. 

  • IPv4 and IPv6: IPv4 is a 32-bit address represented in four octets, while IPv6 uses a 128-bit address represented in hexadecimal notation, providing a much larger address space.

  • Classful IPv4 addressing: IPv4 addresses are divided into network and host parts, with Class A, B, and C addresses defining different network and host bits combinations.

  • Limitations of classful addressing: Classful addressing has limitations such as inefficient IP allocation and limited network design flexibility.

  • Subnet mask: A subnet mask is a binary representation indicating the network and host portions of an IP address, used by routers to determine network boundaries.

  • Classless Inter-Domain Routing (CIDR): CIDR addresses the limitations of classful addressing by allowing variable-length subnet masks (VLSM) and more flexible IP allocations.

  • CIDR notation: This includes the IP block followed by a slash and the number of selected network part bits, allowing for efficient network allocation and routing.

  • Subnetting: This enables dividing large network address spaces into smaller subnetworks, improving network routing efficiency.

Virtual Private Cloud

VPCs are the foundation of AWS infrastructure, providing isolated, secure, and customizable cloud spaces. Understanding VPCs is crucial for creating safe, expandable, and tailored cloud environments.

  • Key components of VPC: Subnets, route tables, Internet Gateways, and Elastic IP addresses are the key components of a VPC.

  • Default VPC: AWS creates a default VPC in each Region, pre-configured with default subnets, route tables, internet gateways, and security settings, simplifying resource launching.

  • Benefits of VPCs: VPC provides the following benefits:

    • Security: Network isolation and granular control over traffic using security groups and network ACLs.

    • Scalability: Supports horizontal scaling of resources, dynamically adding servers to handle high traffic.

    • Flexibility: Full control over IP addressing, routing, and network configuration within VPCs.

  • Subnet: Subnets are an essential component of AWS’s Virtual Private Cloud (VPC), organizing and segmenting resources effectively. They act as virtual divisions within the VPC, allowing precise control over network architecture and traffic flow.

  • Subnet IP address ranges: A subnet can be configured in one of the following ways:

    • IPv4 Only: Resources within an IPv4-only subnet communicate exclusively using IPv4 protocols.

    • Dual Stack: Dual-stack subnets support communication over both IPv4 and IPv6 protocols, offering flexibility and future-proofing.

    • IPv6 Only: Resources within an IPv6-only subnet communicate exclusively using IPv6 protocols, accommodating environments prioritizing IPv6 adoption.

  • Types of subnets: There are four types of subnets – public, private, VPN-only and isolated subnets. 
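The CIDR, subnet-mask and subnetting points above, worked through in code. This is an added example and not part of the course material; it uses only Python's standard-library ipaddress module, the VPC block 10.0.0.0/16 and the other ranges in it are constructed sample values, and the reserved-address count is taken from AWS's documented behaviour rather than from this summary.

```python
"""CIDR and subnetting helpers (added illustration, not course code).

Standard-library ``ipaddress`` only. The VPC and subnet ranges used at the
bottom are constructed sample values, and AWS_RESERVED_PER_SUBNET encodes
the AWS rule that the first four and the last address of every subnet are
reserved (a documented AWS fact, not something the chapter summary states).
"""
import ipaddress
from typing import Dict, List

AWS_RESERVED_PER_SUBNET = 5


def describe_cidr(cidr: str) -> Dict[str, object]:
    """Split a CIDR block into the pieces the chapter names: network address,
    subnet mask, prefix length, broadcast address and total address count."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "addresses": net.num_addresses,
    }


def classful_class(ip: str) -> str:
    """Historic class of an IPv4 address, decided purely by its first octet,
    i.e. the fixed-size scheme that CIDR replaced."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"   # /8 network part
    if first < 192:
        return "B"   # /16 network part
    if first < 224:
        return "C"   # /24 network part
    return "D/E"     # multicast / reserved


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[Dict[str, object]]:
    """Divide a VPC block into equal subnets of the given prefix length and
    report how many addresses remain usable after AWS's reserved ones."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [{"cidr": str(sn), "usable_hosts": sn.num_addresses - AWS_RESERVED_PER_SUBNET}
            for sn in vpc.subnets(new_prefix=new_prefix)]


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two blocks share any address; VPC peering requires that
    the peered VPCs' CIDRs do not overlap, so this is checked up front."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


if __name__ == "__main__":
    print(describe_cidr("10.0.0.0/16"))
    for ip in ("10.0.0.1", "172.16.0.1", "192.168.1.1"):
        print(ip, "-> class", classful_class(ip))
    for sn in carve_subnets("10.0.0.0/16", 24)[:3]:
        print(sn)
    print(cidrs_overlap("10.0.0.0/16", "10.0.128.0/17"))  # True: cannot be peered
    print(cidrs_overlap("10.0.0.0/16", "10.1.0.0/16"))    # False
```

The usable-host figure is the one that surprises people coming from on-premises networking: a /24 gives 256 addresses but only 251 assignable ones inside a VPC, and a /28 (the smallest subnet AWS allows) leaves just 11.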

Route Tables

Route tables guide network traffic within a VPC, determining where traffic from instances should be routed.

  • Rules for configuring route tables include adding specific routes, employing the most specific route selection principle, and avoiding reserved address ranges.

  • Reserved address ranges for AWS services should not be included in custom route configurations.

  • Middlebox appliances can be integrated into routing paths for VPCs.

Internet Gateway

An Internet Gateway facilitates communication between instances within a VPC and the internet.

  • It serves as a gateway for outbound and inbound traffic flows.

  • Outbound traffic enables instances to access resources outside the VPC, while inbound traffic permits access to instances from the internet.

  • Proper configuration of security groups and network access control lists enhances security.

  • In a typical setup, front-end instances are placed in a public subnet with internet access, while back-end instances are in a private subnet without direct internet access.

  • Configuration involves adding an internet gateway and updating route tables to direct traffic accordingly.

  • Benefits include enhanced security, scalability, and flexibility in managing application components.

NAT (Network Address Translation) gateway

NAT enables multiple devices to share a single public IP address, providing security and conserving IPv4 addresses. A NAT gateway is a managed AWS service facilitating outbound internet connectivity for instances in private subnets while maintaining security. It translates private IP addresses of instances into public ones for internet-bound traffic.

NAT gateway provides the following two types of connectivity:

  • Public Connectivity: Allows outbound internet access for instances in private subnets while blocking unsolicited inbound connections.

  • Private Connectivity: Facilitates secure connections between VPCs or on-premises networks without exposing instances to the internet.
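The route table, Internet Gateway and NAT Gateway points above in one worked example: a longest-prefix-match lookup ("most specific route wins") over a public and a private subnet route table. This is an added illustration, not course code; the CIDRs are constructed sample values, and target names such as igw-public, nat-private, pcx-peer and eni-appliance are placeholders standing in for real AWS resource IDs.

```python
"""Route-table lookup example (added illustration, not course code).

Models AWS route selection: every route whose destination block contains
the packet's destination is a candidate, and the one with the longest
prefix wins. Targets named igw-*, nat-*, pcx-* and eni-* are placeholders,
not real resource IDs; all CIDRs are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

VPC_CIDR = "10.0.0.0/16"

# Every VPC route table carries an implicit "local" route for the VPC's own
# block; the other entries are constructed examples.
PUBLIC_ROUTE_TABLE: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-public"),       # default route to the Internet Gateway
    ("10.1.0.0/16", "pcx-peer"),       # peered VPC
]

PRIVATE_ROUTE_TABLE: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "nat-private"),      # outbound-only internet via NAT Gateway
    ("10.1.0.0/16", "pcx-peer"),
    ("10.1.5.0/24", "eni-appliance"),  # middlebox: more specific than pcx route
]


def select_route(route_table: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific matching route, or None when
    no route (not even the default) covers the destination."""
    dst = ipaddress.ip_address(dst_ip)
    best_net = None
    best_target = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table: List[Tuple[str, str]]) -> bool:
    """AWS calls a subnet public when its default route points at an
    Internet Gateway; a NAT Gateway default route gives outbound-only access.
    203.0.113.10 is a documentation address used here as 'somewhere on the
    internet'."""
    target = select_route(route_table, "203.0.113.10")
    return target is not None and target.startswith("igw-")


if __name__ == "__main__":
    for name, table in (("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE)):
        print(f"{name}: internet -> {select_route(table, '198.51.100.7')}, "
              f"peer host -> {select_route(table, '10.1.7.9')}, "
              f"appliance-inspected host -> {select_route(table, '10.1.5.9')}, "
              f"public={is_public_subnet(table)}")
```

The private table's last entry is the "middlebox appliance" case: because 10.1.5.0/24 is longer than 10.1.0.0/16, traffic to that one /24 is steered through the appliance ENI while the rest of the peered VPC is reached directly.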

VPC security

Below, we’ve jotted down the important points about security groups and NACLs.

Security groups

Security groups are stateful firewalls operating at the EC2 instance level in the AWS environment.

  • They inspect incoming packets and maintain connection state, so the return traffic for an allowed inbound connection is permitted automatically rather than requiring a matching outbound rule.

  • Each EC2 instance must be associated with a security group for inbound traffic control; default security groups exist if none is specified.

  • The default security group allows all outbound traffic but has no inbound rules.

Network Access Control Lists (NACLs)

NACLs are stateless firewalls working at the subnet level, controlling ingress and egress traffic.

  • They require separate configurations for inbound and outbound rules and process rules in ascending order of rule numbers.

  • Each NACL has a default quota of 200 rules per VPC, expandable upon request.

  • The default NACL allows all inbound and outbound traffic but can be customized for specific requirements.
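The stateful-versus-stateless distinction above is easiest to see by running the same request and its reply through both kinds of firewall. The following is an added example, not code from the course; the addresses and ports are constructed, and the rule tuples are a simplification of the real AWS rule structure (no ICMP type/code, no IPv6).

```python
"""Security group vs. NACL evaluation (added illustration, not course code).

Two small evaluators over constructed rules: a stateful security-group check
that remembers the connections it let in, and a stateless NACL check that
walks numbered rules in ascending order and stops at the first match (the
implicit '*' rule denies everything else). Addresses and ports are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


def _matches(cidr: str, proto: str, lo: int, hi: int, addr: str, pkt: Packet) -> bool:
    """Shared rule test: protocol, destination-port range and address block."""
    return (proto in (pkt.proto, "all") and lo <= pkt.dst_port <= hi
            and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr))


@dataclass
class SecurityGroup:
    """Stateful: rules are (cidr, proto, port). A packet matching an inbound
    rule is recorded, and its reply is allowed without consulting the
    outbound rules."""
    inbound: list
    outbound: list
    _tracked: set = field(default_factory=set)

    def allow_inbound(self, pkt: Packet) -> bool:
        for cidr, proto, port in self.inbound:
            if _matches(cidr, proto, port, port, pkt.src_ip, pkt):
                self._tracked.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
                return True
        return False

    def allow_outbound(self, pkt: Packet) -> bool:
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self._tracked:
            return True  # reply to a tracked connection
        return any(_matches(cidr, proto, port, port, pkt.dst_ip, pkt)
                   for cidr, proto, port in self.outbound)


@dataclass
class NetworkAcl:
    """Stateless: rules are (number, cidr, proto, port_from, port_to, action),
    evaluated per direction, lowest number first; the first match decides."""
    inbound: list
    outbound: list

    @staticmethod
    def _evaluate(rules: list, addr: str, pkt: Packet) -> bool:
        for _num, cidr, proto, lo, hi, action in sorted(rules, key=lambda r: r[0]):
            if _matches(cidr, proto, lo, hi, addr, pkt):
                return action == "allow"
        return False  # implicit final '*' deny rule

    def allow_inbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.inbound, pkt.src_ip, pkt)

    def allow_outbound(self, pkt: Packet) -> bool:
        return self._evaluate(self.outbound, pkt.dst_ip, pkt)


def demo() -> dict:
    """HTTPS request from a client and the server's reply, run through both
    firewall types; returns a dict of booleans, one per case."""
    request = Packet("198.51.100.7", "10.0.1.20", 51000, 443)
    reply = Packet("10.0.1.20", "198.51.100.7", 443, 51000)

    sg = SecurityGroup(inbound=[("0.0.0.0/0", "tcp", 443)], outbound=[])
    https_in = [(100, "0.0.0.0/0", "tcp", 443, 443, "allow")]
    ephemeral_out = [(100, "0.0.0.0/0", "tcp", 1024, 65535, "allow")]
    nacl_missing_return = NetworkAcl(inbound=https_in, outbound=[])
    nacl_ok = NetworkAcl(inbound=https_in, outbound=ephemeral_out)
    # A lower-numbered deny for the client's /24 is evaluated before the allow.
    nacl_deny_first = NetworkAcl(
        inbound=https_in + [(50, "198.51.100.0/24", "all", 0, 65535, "deny")],
        outbound=ephemeral_out)

    return {
        "sg_request": sg.allow_inbound(request),
        "sg_reply": sg.allow_outbound(reply),
        "nacl_reply_without_ephemeral_rule": nacl_missing_return.allow_outbound(reply),
        "nacl_reply_with_ephemeral_rule": nacl_ok.allow_outbound(reply),
        "nacl_request_with_lower_numbered_deny": nacl_deny_first.allow_inbound(request),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

Two practical consequences fall out of this: a NACL that only allows inbound 443 silently breaks HTTPS unless it also allows outbound traffic to the client's ephemeral port range, and a deny placed at a lower rule number than an allow takes precedence no matter how the rules were added.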

VPC connectivity

Below, we’ve jotted down important services and features to connect VPCs and resources.

VPC peering

VPC peering connects different VPCs securely, allowing their resources to communicate as if they were within the same VPC.

  • It utilizes the AWS global network, ensuring that communication happens through private IP addresses and never goes outside the private IP space or the internet.

  • No additional physical hardware is required for VPC peering connections, eliminating single points of failure or bandwidth bottlenecks.

AWS Transit gateway

AWS Transit Gateway serves as a regional hub in a hub-and-spoke model to efficiently connect thousands of VPCs and on-premises resources. It manages connections to Direct Connect, Site-to-Site VPNs, and custom gateways, simplifying network management and reducing complexity.

AWS PrivateLink

AWS PrivateLink is a VPC-based service facilitating private connections between VPCs, AWS services, and on-premises resources within the same AWS Region.

  • It allows connections across different AWS accounts and supports AWS partner-supported services.

  • Traffic communication occurs entirely within the AWS private network, eliminating the need for NAT gateways, Internet Gateways, or AWS Direct Connect.

Types of VPC Endpoints: There are three types of VPC Endpoints – Interface Endpoint (PrivateLink), Gateway Endpoint, and Gateway Load Balancer Endpoint (PrivateLink).

Bastion host setup

A bastion host is an intermediary between the internet and EC2 instances in a private subnet, facilitating SSH connections. The bastion host, provisioned in a public subnet, filters incoming traffic and allows SSH connections to private EC2 instances.

EC2 Instance Connect Endpoint (EIC Endpoint)

EIC Endpoint provides secure SSH access to private instances without requiring a public IP, NAT, or bastion host. It utilizes identity and network-based access control to meet security requirements.

AWS Site-to-Site VPN (S2S VPN)

An encrypted connection between on-premises resources and a VPC in the cloud. Its main components include the Virtual Private Gateway (VGW), Customer Gateway (CGW), and customer gateway devices on-premises.

AWS Client VPN

Managed service allowing client computers to connect securely to AWS resources in a VPC and on-premises network. It establishes encrypted end-to-end connections over the public internet.

AWS Direct Connect (DX)

Direct Connect provides a dedicated private connection from on-premises or remote networks to a VPC.

  • It utilizes AWS Direct Connect locations worldwide to establish connections.

  • It supports access to private (EC2 instances) and public (S3, Glacier) resources over the same connection.

AWS Direct Connect Gateway

AWS Direct Connect Gateway connects remote networks to multiple VPCs in different AWS Regions within the same account.

  • Direct Connect Gateway is added in the path from Direct Connect locations to AWS Regions through VIFs.

  • Facilitates connectivity between VPCs in different AWS Regions.

VPC monitoring

Below, we’ve summarized logging and monitoring services:

VPC Flow Logs

VPC Flow Logs monitor and capture IP traffic going to and from network interfaces in a VPC. They can be configured at the VPC, subnet, or network interface level.

VPC Traffic Mirroring

Traffic Mirroring captures and inspects traffic within a VPC, allowing monitoring appliances to analyze traffic. It mirrors traffic from source network interfaces to target instances or a network load balancer for content inspection and threat monitoring.

VPC Flow Logs vs. Traffic Mirroring

VPC Flow Logs collect logs without affecting traffic routes, while Traffic Mirroring copies traffic from source ENIs, potentially impacting network bandwidth.
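An added example, not part of the course, of what you do with Flow Log output once it is collected: parse records in the default (version 2) format and summarise rejected flows per source address, the kind of roll-up that surfaces either a port sweep or a security group/NACL rule that is blocking legitimate traffic. The records, account ID and ENI ID are constructed placeholders.

```python
"""VPC Flow Log triage example (added illustration, not course code).

Parses records in the default (version 2) flow log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
and rolls up REJECTed flows per source. The records below are constructed
samples; 111122223333 and eni-0example1 are placeholders, not real IDs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

SAMPLE_LOG = """\
2 111122223333 eni-0example1 198.51.100.7 10.0.1.20 51000 443 6 12 4100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example1 198.51.100.7 10.0.1.20 51001 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example1 198.51.100.7 10.0.1.20 51002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example1 203.0.113.9 10.0.1.20 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example1 10.0.1.20 198.51.100.7 443 51000 6 10 9800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example1 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record; returns None for records carrying no
    traffic data (log-status NODATA/SKIPDATA) or for malformed lines."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return FlowRecord(
        interface_id=f[2], srcaddr=f[3], dstaddr=f[4],
        srcport=int(f[5]), dstport=int(f[6]),
        protocol=PROTOCOL_NAMES.get(int(f[7]), f[7]),
        packets=int(f[8]), bytes=int(f[9]),
        start=int(f[10]), end=int(f[11]), action=f[12],
    )


def parse_log(text: str) -> List[FlowRecord]:
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def rejects_by_source(records: List[FlowRecord]) -> Counter:
    """Count REJECT records per source address."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


def rejected_ports_by_source(records: List[FlowRecord]) -> Dict[str, List[int]]:
    """Map each source address to the sorted destination ports it was rejected
    on; many distinct ports from one source is the signature of a sweep."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items()}


def suspected_sweeps(records: List[FlowRecord], min_ports: int = 2) -> List[str]:
    """Sources rejected on at least min_ports distinct destination ports."""
    return sorted(src for src, p in rejected_ports_by_source(records).items()
                  if len(p) >= min_ports)


def accepted_bytes(records: List[FlowRecord]) -> int:
    """Total bytes on ACCEPTed flows (a cheap sanity check against billing)."""
    return sum(r.bytes for r in records if r.action == "ACCEPT")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records with traffic data")
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("rejected ports:", rejected_ports_by_source(recs))
    print("suspected sweeps:", suspected_sweeps(recs))
```

Because Flow Logs record what the security group or NACL decided rather than the packets themselves, a REJECT here tells you a rule blocked the flow but not which rule or what the payload was; that is the gap Traffic Mirroring fills when content inspection is needed.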
