© 2022, Amazon Web Services, Inc. or its Affiliates.
Networking in AWS
Wong Voon Wong
Partner Solutions Architect
29 Apr 2022
© 2021, Amazon Web Services, Inc. or its Affiliates.
Table of contents
• Regions and Availability Zones (AZs)
• VPC Overview
• Subnets and AZs
• Route Tables
• Internet Access
• NAT Gateways
• Multi-AZ Best Practices
• Security Groups
• Network Access Control Lists (NACLs)
• VPC Peering
• VPN Connectivity
• Direct Connect
• Direct Connect Gateway
• Transit Gateway
• AWS Client VPN
• Route 53
• CloudFront
Regions and Availability Zones (AZs)
AWS Cloud
• Region us-east-1: AZs us-east-1a, us-east-1b, us-east-1c
• Region us-west-2: AZs us-west-2a, us-west-2b, us-west-2c
• A Region is a separate geographic area; each AZ inside it is one or more physically separate data centers with independent power and networking, connected to the other AZs of the Region by low-latency links
AWS VPC - Overview
AWS Cloud, Account 123456789, Region us-east-1
• Resources that are launched inside the VPC: EC2 instances, Amazon RDS instances, Elastic Load Balancing
• Services that sit outside the VPC and are reached over the network rather than placed in it: Amazon Simple Storage Service (S3), Amazon DynamoDB, Amazon Route 53, AWS Identity and Access Management
• A VPC is a logically isolated network in one Region of one account; nothing reaches it or leaves it without a gateway, endpoint or peering you add explicitly
Subnets and AZs
VPC 10.0.0.0/16, Region us-east-1
• Subnet 1 10.0.1.0/24 in Availability Zone us-east-1a
• Subnet 2 10.0.2.0/24 in Availability Zone us-east-1b
• EC2 instances and Amazon RDS instances are launched into a subnet, and a subnet lives in exactly one AZ; the VPC itself spans every AZ of the Region
AZ ID
• AZ names such as us-east-1a are mapped to physical zones independently for each account, so us-east-1a in one account may be a different data center than us-east-1a in another. The AZ ID (for example use1-az1) names the same physical zone in every account; use it when coordinating placement across accounts.
Route Tables – Internal VPC Traffic
VPC 10.0.0.0/16
• Subnet 1 10.0.1.0/24 and Subnet 2 10.0.2.0/24, both associated with Route Table 1
• Route Table 1 - Rules
  Destination    Target
  10.0.0.0/16    local
• The EC2 instance 10.0.1.1 in Subnet 1 sends to 10.0.2.1 in Subnet 2: the destination matches the local route, so the VPC router delivers it. Every route table carries this local route for the VPC CIDR and it cannot be deleted.
Route Tables – Internet Traffic (no route to the Internet)
VPC 10.0.0.0/16, Subnet 1 10.0.1.0/24 and Subnet 2 10.0.2.0/24, both on Route Table 1
• Route Table 1 - Rules
  Destination    Target
  10.0.0.0/16    local
• The instances 10.0.1.1 and 10.0.2.1 try to reach 1.2.3.4 on the Internet: no route matches the destination, so the packets are dropped.
Route Tables – Internet Traffic (default route to an internet gateway)
VPC 10.0.0.0/16 with an Internet gateway igw-12345 attached
• Subnet 1 10.0.1.0/24, Route Table 1 - Rules
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
• Subnet 2 10.0.2.0/24, route table with only the local route
  Destination    Target
  10.0.0.0/16    local
• The instance 10.0.1.1 now reaches 1.2.3.4 through the internet gateway: 0.0.0.0/0 matches any destination that no more specific route covers. The instance 10.0.2.1 still cannot, because its route table has no such route.
Public vs. Private Subnet
VPC 10.0.0.0/16 with an Internet gateway igw-12345
• Private Subnet 1 10.0.1.0/24 (EC2 instance 10.0.1.1), Private Route Table
  Destination    Target
  10.0.0.0/16    local
• Public subnet 1 10.0.2.0/24 (EC2 instance 10.0.2.1), Public Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
• A subnet is "public" only because its route table has a route to an internet gateway; there is no other attribute that makes it so, and changing the route table association changes the subnet's exposure immediately.
Public IPs
VPC 10.0.0.0/16, Public subnet 1 10.0.2.0/24, Public Route Table (10.0.0.0/16 local; 0.0.0.0/0 igw-12345)
• EC2 instance with Private IP 10.0.2.1 and Public IP 1.2.3.4
• The instance only ever sees its private address; the internet gateway performs one-to-one NAT between 10.0.2.1 and 1.2.3.4 in both directions. A route to the internet gateway is not enough on its own: an instance in a public subnet that has no public or Elastic IP can neither reach nor be reached from the Internet.
VPC - DNS & DHCP
VPC 10.0.0.0/16, Public subnet 1 10.0.2.0/24, EC2 instance with Private IP 10.0.2.1 and Public IP 1.2.3.4
• VPC DHCP hands the instance its private address and the address of the Amazon-provided DNS resolver (the VPC CIDR base plus two, here 10.0.0.2)
• VPC DNS names for the instance (the hostname uses hyphens, not dots):
  Private DNS: ip-10-0-2-1.us-west-2.compute.internal
  Public DNS: ec2-1-2-3-4.us-west-2.compute.amazonaws.com
• Reserved for AWS use in every subnet (the first four addresses and the last one); for 10.0.0.0/24:
  10.0.0.0 network address
  10.0.0.1 VPC router
  10.0.0.2 Amazon-provided DNS
  10.0.0.3 reserved for future use
  10.0.0.255 network broadcast address (broadcast is not supported in a VPC)
• The same five addresses are reserved in 10.0.2.0/24, so the first address an instance can get there is 10.0.2.4; the .1 instance addresses in these diagrams are illustrative only.
Internet Access for Private Subnets – NAT Gateway
VPC 10.0.0.0/16 with Internet gateway igw-12345
• Private Subnet 1 10.0.1.0/24, Private instance with Private IP 10.0.1.1, Private Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      nat-345
• Public subnet 1 10.0.2.0/24 containing the NAT gateway nat-345 with EIP 2.3.4.5, Public Route Table
  Destination    Target
  10.0.0.0/16    local
  0.0.0.0/0      igw-12345
• Path to 1.2.3.4 on the Internet: private instance 10.0.1.1 → NAT gateway (source address rewritten to 2.3.4.5) → internet gateway → Internet. (NAT gateway IDs are prefixed nat-; the slide's ngw-345 is shorthand.)
• The NAT gateway forwards outbound connections and their replies only; it never accepts a connection initiated from the Internet, so the private instance stays unreachable from outside.
• The NAT gateway must live in a public subnet (one whose route table points to the internet gateway) and it is zonal: deploy one per AZ and point each AZ's private route table at the NAT gateway in the same AZ, otherwise an AZ failure takes the other AZ's egress with it.
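The route-table slides above show the same decision three times (local route only, default route to an internet gateway, default route to a NAT gateway). The following Python model, added here as an example and not part of the original deck, implements the longest-prefix-match lookup a VPC router performs and classifies what happens to an outbound packet for each of the three route tables. The route tables, the NAT gateway id nat-345 and the rule that an internet gateway only translates for instances holding a public or Elastic IP are taken from the slides; the function names and the "dropped"/"delivered" labels are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Route tables as drawn on the slides (constructed example data, not an AWS API).
# Targets: "local" (the VPC itself), igw-* (internet gateway), nat-* (NAT gateway).
RouteTable = List[Tuple[str, str]]

PUBLIC_RT: RouteTable = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-12345"),
]
PRIVATE_RT: RouteTable = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-345"),
]
ISOLATED_RT: RouteTable = [
    ("10.0.0.0/16", "local"),   # no default route at all
]


def lookup(route_table: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins.
    Returns the target, or None when no route covers the destination."""
    ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table: RouteTable) -> bool:
    """A subnet is public exactly when its route table has a route to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def egress_path(route_table: RouteTable, has_public_ip: bool, dst: str) -> str:
    """Describe what happens to a packet leaving an instance whose subnet uses route_table.
    has_public_ip: whether the instance has a public or Elastic IP; the internet gateway
    only performs its one-to-one NAT for instances that do."""
    target = lookup(route_table, dst)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return "delivered inside the VPC"
    if target.startswith("igw-"):
        if has_public_ip:
            return "internet via " + target
        return "dropped: route to " + target + " but the instance has no public IP"
    if target.startswith("nat-"):
        return "internet via " + target + " (source NATed to the NAT gateway's Elastic IP)"
    return "forwarded to " + target


if __name__ == "__main__":
    for name, rt, public_ip in (("public", PUBLIC_RT, True),
                                ("private", PRIVATE_RT, False),
                                ("isolated", ISOLATED_RT, False)):
        print(name, "subnet is public:", is_public_subnet(rt))
        for dst in ("10.0.2.1", "1.2.3.4"):
            print("  ", dst, "->", egress_path(rt, public_ip, dst))
```

The check worth keeping from this model is `is_public_subnet`: when auditing a VPC, classify subnets by their route table's targets rather than by their names or tags, because a subnet called "private" with a 0.0.0.0/0 route to an igw- target is public.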
Multi-AZ Best Practices
VPC 10.0.0.0/16, Region us-east-1, Internet gateway (IGW), Load balancer spanning both AZs
• AZ us-east-1a: Public subnet 1 10.0.1.0/24 (Web Server), Private Subnet 1 10.0.2.0/24 (Database server)
• AZ us-east-1b: Public subnet 2 10.0.3.0/24 (Web Server), Private Subnet 2 10.0.4.0/24 (Database standby)
• Sync replication from the Database server to the Database standby across AZs
• Every tier is duplicated in a second AZ, so the loss of one AZ still leaves a working load-balancer node, web server and database; the load balancer spreads traffic across the web servers in both public subnets
Security Groups – Rules of a newly created group
VPC 10.0.0.0/16, Subnet 1 10.0.1.0/24, Availability Zone us-east-1a, EC2 instance in Security group 1
• Inbound Rules (Security group 1): none, so no inbound traffic is allowed
  Protocol   Port   Source
• Outbound Rules (Security group 1)
  Protocol   Port   Destination
  All        All    0.0.0.0/0
• A security group is attached to the instance's network interface, holds allow rules only, and is stateful: replies to allowed traffic are permitted automatically in the other direction. A group you create starts with no inbound rules; the VPC's pre-existing "default" security group additionally allows all inbound traffic from other members of that same group.
Security Groups – Web Server Example
VPC 10.0.0.0/16, Subnet 1 10.0.1.0/24, Availability Zone us-east-1a, EC2 instance in Security group 1
• Inbound Rules (Security group 1)
  Protocol   Port   Source
  TCP        80     0.0.0.0/0
• Outbound Rules (Security group 1)
  Protocol   Port   Destination
  All        All    0.0.0.0/0
• Only TCP 80 is reachable from anywhere; a connection to any other port is dropped before it reaches the instance, whether or not something listens there. Administrative ports such as SSH 22 should be restricted to known source ranges rather than opened to 0.0.0.0/0.
Security Groups – Reference other groups
VPC 10.0.0.0/16, Subnet 1 10.0.1.0/24, Availability Zone us-east-1a
• EC2 web server in the Web server security group (sg-webserver)
  Inbound Rules:   TCP 80 from 0.0.0.0/0
  Outbound Rules:  All All to 0.0.0.0/0
• EC2 database in the Database security group
  Inbound Rules:   TCP 3306 from sg-webserver
  Outbound Rules:  All All to 0.0.0.0/0
• A rule whose source is a security group matches any network interface that is a member of that group, whatever its IP address, so web servers can be added or replaced without editing the database rules. Prefer group references over CIDR ranges for tier-to-tier access: a CIDR rule for 10.0.1.0/24 would also admit anything else that lands in that subnet.
Security Groups – Self-referencing rules
VPC 10.0.0.0/16, Subnet 1 10.0.1.0/24, Availability Zone us-east-1a
• Several EC2 instances, all in the Hadoop security group (sg-hadoop)
  Inbound Rules:   TCP 80 from sg-hadoop
  Outbound Rules:  All All to 0.0.0.0/0
• The group references itself, so every member can reach every other member on TCP 80 while nothing outside the group can. Cluster membership is managed by attaching the group to a node, not by listing node addresses.
Network Access Control Lists (NACLs)
VPC 10.0.0.0/16, Region us-east-1, Subnet 1 10.0.1.0/24, Availability Zone us-east-1a
NACL Configuration (the default network access control list)
• Inbound Rules
  Rule #   Protocol   Port   Source       Effect
  1        All        All    0.0.0.0/0    Allow
• Outbound Rules
  Rule #   Protocol   Port   Destination  Effect
  1        All        All    0.0.0.0/0    Allow
• A NACL is associated with a subnet and evaluated for every packet that crosses the subnet boundary. Rules are processed in ascending rule number, the first match wins, and an implicit final rule (*) denies anything that matched nothing.
• Unlike security groups, NACLs are stateless and may contain Deny rules: return traffic has to be allowed explicitly (for TCP, the ephemeral port range 1024-65535 in the opposite direction), and a low-numbered Deny is the usual way to block a specific source range from a whole subnet, something a security group cannot express.
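The four security-group slides and the NACL slide describe two filters with different evaluation semantics: security groups are unordered allow-lists that can name other groups (including themselves) and are stateful; NACLs are numbered, first-match, allow-or-deny and stateless. The following Python model is an added example, not code from the deck, that evaluates both over the slides' own rules (sg-webserver, sg-database, sg-hadoop, the default NACL) plus two constructed NACLs: one that allows TCP 80 inbound but forgets the ephemeral-port outbound rule, and one that adds a low-numbered Deny. The data classes, function names and the test addresses (203.0.113.5, 198.51.100.0/24) are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed example data modelled on the slides; not an AWS API.

@dataclass
class SGRule:
    proto: str        # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source: str       # a CIDR, or a security group id such as "sg-webserver"

@dataclass
class NaclRule:
    number: int       # evaluated in ascending order
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"

# Inbound rules per group as on the slides (every group's outbound is All/All/0.0.0.0/0).
GROUPS: Dict[str, List[SGRule]] = {
    "sg-webserver": [SGRule("tcp", 80, 80, "0.0.0.0/0")],
    "sg-database":  [SGRule("tcp", 3306, 3306, "sg-webserver")],  # references another group
    "sg-hadoop":    [SGRule("tcp", 80, 80, "sg-hadoop")],         # self-referencing
}

def _matches(rule_proto: str, rule_from: int, rule_to: int, proto: str, port: int) -> bool:
    """Protocol/port part of a rule; an 'all' rule ignores ports entirely."""
    if rule_proto != "all" and rule_proto != proto:
        return False
    return rule_proto == "all" or rule_from <= port <= rule_to

def sg_allows_inbound(dst_group: str, src_ip: str, src_groups: Set[str],
                      proto: str, port: int, groups=GROUPS) -> bool:
    """Security groups are allow-lists with no ordering and no deny: any matching rule permits.
    A rule whose source is a group id matches when the sending interface belongs to that group,
    regardless of its IP. Replies are implicitly allowed (stateful), so only the connection's
    first packet needs evaluating."""
    for r in groups[dst_group]:
        if not _matches(r.proto, r.port_from, r.port_to, proto, port):
            continue
        if r.source.startswith("sg-"):
            if r.source in src_groups:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source):
            return True
    return False

def nacl_decision(rules: List[NaclRule], ip: str, proto: str, port: int) -> str:
    """NACLs are ordered: lowest rule number first, first match wins, and the implicit
    final rule (*) denies anything unmatched."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if _matches(r.proto, r.port_from, r.port_to, proto, port) and \
                ipaddress.ip_address(ip) in ipaddress.ip_network(r.cidr):
            return r.action
    return "deny"

def http_session_allowed(inbound: List[NaclRule], outbound: List[NaclRule],
                         client_ip: str, client_port: int) -> Tuple[bool, bool]:
    """Stateless check of one HTTP connection through a subnet NACL: the request arrives on
    TCP 80 (inbound rules) and the reply leaves for the client's ephemeral port (outbound
    rules). Both must be allowed explicitly; a NACL never remembers the request."""
    request_ok = nacl_decision(inbound, client_ip, "tcp", 80) == "allow"
    reply_ok = nacl_decision(outbound, client_ip, "tcp", client_port) == "allow"
    return request_ok, reply_ok

ANY = "0.0.0.0/0"
DEFAULT_NACL = [NaclRule(100, "all", 0, 65535, ANY, "allow")]        # allow everything
WEB_IN       = [NaclRule(100, "tcp", 80, 80, ANY, "allow")]
WEB_OUT_BAD  = [NaclRule(100, "tcp", 80, 80, ANY, "allow")]          # forgot the replies
WEB_OUT_GOOD = [NaclRule(100, "tcp", 1024, 65535, ANY, "allow")]     # ephemeral ports
WEB_IN_BLOCK = [NaclRule(90, "all", 0, 65535, "198.51.100.0/24", "deny")] + WEB_IN

if __name__ == "__main__":
    print("db from a web server:", sg_allows_inbound("sg-database", "10.0.1.10", {"sg-webserver"}, "tcp", 3306))
    print("db from same IP, no group:", sg_allows_inbound("sg-database", "10.0.1.10", set(), "tcp", 3306))
    print("HTTP with bad outbound NACL:", http_session_allowed(WEB_IN, WEB_OUT_BAD, "203.0.113.5", 51000))
    print("HTTP with good outbound NACL:", http_session_allowed(WEB_IN, WEB_OUT_GOOD, "203.0.113.5", 51000))
```

The `WEB_OUT_BAD` case is the failure mode practitioners hit most often when they tighten the default NACL: the request is accepted, the server answers, and the NACL drops the reply because its destination port is the client's ephemeral port, not 80. The `WEB_IN_BLOCK` case shows the one thing a NACL does that a security group cannot, an explicit Deny that wins purely by rule number.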
VPC Building Blocks - Summary
VPC 10.0.0.0/16 with an Internet gateway
• Public subnet 1 10.0.2.0/24: EC2 webserver in the Web server security group, NAT gateway, Public Route Table (0.0.0.0/0 to the Internet gateway), NACL on the subnet
• Private Subnet 1 10.0.1.0/24: Database EC2 in the Database security group, Private Route Table (0.0.0.0/0 to the NAT gateway), NACL on the subnet
• Layering: route tables decide where a packet can go at all, NACLs filter at the subnet boundary, and security groups filter at the instance's network interface
Stay on AWS network: VPC Endpoints
• Connect your VPC to:
  • Supported AWS services (the figure shows Amazon Simple Storage Service (S3) and AWS Key Management Service)
  • VPC endpoint services powered by PrivateLink (a service in another VPC published behind a Network Load Balancer (NLB))
• Doesn't require public IPs or Internet connectivity: instances in a private subnet reach the service without an internet gateway or NAT gateway
• Horizontally scaled, redundant, and highly available
• Robust access control: endpoint policies limit which principals, actions and resources may be used through the endpoint, and interface endpoints also carry security groups
• Metrics for traffic visibility
Figure: a VPC with a public subnet (Internet gateway) and a private subnet holding two EC2 instances. The instances reach the VPC endpoint service in the other VPC through Amazon VPC PrivateLink and its NLB, and reach Amazon S3 and AWS KMS through VPC endpoints, without any traffic leaving the AWS network.
• Two kinds: S3 and DynamoDB can use gateway endpoints, which appear as a prefix-list route in the subnet's route table; KMS and PrivateLink services use interface endpoints, which are elastic network interfaces with private IPs in your subnets and, with private DNS enabled, answer for the service's normal hostname.
VPC Peering
• VPC 1 10.0.0.0/16, Private Subnet 1 10.0.0.0/24, Private instance 10.0.0.1, Route Table 1
• VPC 2 192.168.0.0/16, Private Subnet 2 192.168.0.0/24, Private instance 192.168.0.1, Route Table 2
• Peering connection pcx-123 between the two VPCs (peering connection IDs are prefixed pcx-)
Before any peering routes are added:
  Route Table 1:  10.0.0.0/16 local
  Route Table 2:  192.168.0.0/16 local
After adding a route on each side that points at the peering connection:
  Route Table 1
  Destination       Target
  10.0.0.0/16       local
  192.168.0.0/16    pcx-123
  Route Table 2
  Destination       Target
  192.168.0.0/16    local
  10.0.0.0/16       pcx-123
• Both route tables need the route, otherwise replies have no path back. The two VPC CIDRs must not overlap. Within the same Region, a security group rule may reference a security group in the peered VPC, so tier rules across the peering do not have to fall back to CIDRs.
VPC Peering – No Transitive Routing
VPC 1 <-> VPC 2 <-> VPC 3 (two peering connections)
• VPC 1 can reach VPC 2
• VPC 1 cannot reach VPC 3: VPC 2 never forwards traffic that arrived over one peering connection out over another, even if Route Table 1 carries a route for VPC 3's CIDR pointing at the peering with VPC 2
VPC Peering – No Transitive Routing: add a direct peering
VPC 1 <-> VPC 2 <-> VPC 3, plus a third peering connection directly between VPC 1 and VPC 3
• VPC 1 can reach VPC 2
• VPC 1 can reach VPC 3, but only through the direct connection. Every pair of VPCs that must talk needs its own peering and its own routes on both sides, n(n-1)/2 connections for n VPCs; beyond a handful of VPCs, use a Transit Gateway instead.
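The three peering slides above state the non-transitivity rule; the following Python model, added as an example and not code from the deck, applies it to the three VPCs of the figure. It follows a packet through the route tables, lets a pcx- target hand the packet to the peer VPC, and then applies the rule that a peer delivers only to its own CIDR. It also checks the return path, because the first peering slide's point (a route on both sides) is the part that silently fails in practice. The VPC CIDRs for VPC 2 and VPC 3 (192.168.0.0/16 and 172.16.0.0/16), the peering ids pcx-12, pcx-23 and pcx-13, and the route tables are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example modelled on the three-VPC slides; not an AWS API.
# A route whose target is a pcx- id hands the packet to the peer VPC; the peer delivers it
# only if the destination is one of its own addresses and never forwards it further.
VPC_CIDRS = {"vpc-1": "10.0.0.0/16", "vpc-2": "192.168.0.0/16", "vpc-3": "172.16.0.0/16"}
PEERINGS = {"pcx-12": ("vpc-1", "vpc-2"), "pcx-23": ("vpc-2", "vpc-3")}
ROUTES: Dict[str, List[Tuple[str, str]]] = {
    # vpc-1 also carries a route for VPC 3's CIDR via its peering with VPC 2 (an attempt at transit)
    "vpc-1": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "pcx-12"), ("172.16.0.0/16", "pcx-12")],
    "vpc-2": [("192.168.0.0/16", "local"), ("10.0.0.0/16", "pcx-12"), ("172.16.0.0/16", "pcx-23")],
    "vpc-3": [("172.16.0.0/16", "local"), ("192.168.0.0/16", "pcx-23")],
}


def lookup(route_table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (cidr, target) pairs; None when nothing covers dst."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c).prefixlen, t) for c, t in route_table
            if ip in ipaddress.ip_network(c)]
    return max(hits)[1] if hits else None


def one_way(src_vpc: str, dst_ip: str, routes, peerings) -> Tuple[str, Optional[str]]:
    """Follow one packet from src_vpc toward dst_ip. Returns (status, delivering VPC)."""
    target = lookup(routes[src_vpc], dst_ip)
    if target == "local":
        return "ok", src_vpc
    if target is None or target not in peerings:
        return "no route", None
    a, b = peerings[target]
    if src_vpc not in (a, b):
        return "no route", None           # a pcx this VPC is not a party to is unusable
    peer = b if src_vpc == a else a
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDRS[peer]):
        return "ok", peer
    return "not transitive", peer         # the peer would have to forward over another pcx


def path(src_vpc: str, src_ip: str, dst_ip: str, routes=ROUTES, peerings=PEERINGS) -> str:
    """Reachability as a practitioner needs it: forward path AND return path. A missing
    route on the far side breaks the connection just as surely as a missing peering."""
    status, dst_vpc = one_way(src_vpc, dst_ip, routes, peerings)
    if status != "ok":
        return status
    back, _ = one_way(dst_vpc, src_ip, routes, peerings)
    return "ok" if back == "ok" else "no return route (" + back + ")"


def with_direct_peering(routes=ROUTES, peerings=PEERINGS):
    """The fix from the slide: peer VPC 1 and VPC 3 directly and route both ways.
    Returns new copies; the module-level tables are left untouched."""
    new_routes = {k: list(v) for k, v in routes.items()}
    new_peerings = dict(peerings, **{"pcx-13": ("vpc-1", "vpc-3")})
    new_routes["vpc-1"] = [r for r in new_routes["vpc-1"] if r[0] != "172.16.0.0/16"]
    new_routes["vpc-1"].append(("172.16.0.0/16", "pcx-13"))
    new_routes["vpc-3"].append(("10.0.0.0/16", "pcx-13"))
    return new_routes, new_peerings


if __name__ == "__main__":
    print("vpc-1 -> vpc-2:", path("vpc-1", "10.0.0.10", "192.168.0.10"))
    print("vpc-1 -> vpc-3 via vpc-2:", path("vpc-1", "10.0.0.10", "172.16.0.10"))
    fixed_routes, fixed_peerings = with_direct_peering()
    print("vpc-1 -> vpc-3 direct:", path("vpc-1", "10.0.0.10", "172.16.0.10", fixed_routes, fixed_peerings))
```

Running it shows the route in `ROUTES["vpc-1"]` for 172.16.0.0/16 via pcx-12 is accepted by the router model but yields "not transitive" rather than delivery, which is exactly what happens on AWS: the route can be created, and the traffic is simply dropped in VPC 2.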
AWS Site-to-Site VPN
• On-prem data center 172.16.0.0/16 with a Customer gateway (your VPN router); VPC 10.0.0.0/16 with a Virtual Private Gateway VGW-123 attached
• Two IPSec tunnels between the customer gateway and the VGW
• VPC Route Table before the VPN route is added:
  Destination      Target
  10.0.0.0/16      local
• VPC Route Table after adding (or propagating) the route for the on-prem prefix:
  Destination      Target
  10.0.0.0/16      local
  172.16.0.0/16    VGW-123
• The on-prem Route Table needs the mirror entry: 10.0.0.0/16 via the IPSec tunnels
• One VGW per VPC
• BGP or static routes (with BGP, enable route propagation on the VPC route table so the VGW routes appear automatically)
• Redundant IPSec tunnels
• Redundant routers across two AZs: AWS terminates the two tunnels on separate endpoints, so bring both tunnels up and use BGP so that failover needs no manual route change
AWS Site-to-Site VPN – Multiple sites
• VPC 10.0.0.0/16 with Virtual Private Gateway VGW-123; VPC Route Table: 10.0.0.0/16 local, 172.16.0.0/16 VGW-123 (the 172.17.0.0/16 and 172.18.0.0/16 prefixes are added the same way, statically or by BGP propagation)
• On-prem data center 172.16.0.0/16, Customer gateway, IPSec tunnels to the VGW
• On-prem data center 172.17.0.0/16, Customer gateway, IPSec tunnels to the VGW
• On-prem data center 172.18.0.0/16, Customer gateway, IPSec tunnels to the VGW
• One VGW terminates several Site-to-Site VPN connections, one per customer gateway; each connection still gets its own pair of tunnels, and the on-prem route tables on each side need the VPC route
AWS Direct Connect
Figure: Customer Data Center with a Customer router, connected by a dedicated circuit to a Direct Connect Location (for example Equinix DA1). Inside the location, the Customer or partner cage holds the Customer or partner router, cross-connected to the AWS cage and the AWS Direct Connect Endpoint, which leads into the AWS Cloud, Region us-east-1.
• Private VIF: a virtual interface into a VPC through its VGW, reaching EC2 and the other resources in the VPC
• Public VIF: a virtual interface to AWS public service endpoints such as Amazon S3 and Amazon DynamoDB
• 1, 10 or 100 Gbps dedicated connections (50 Mbps and up as hosted connections via partners)
• Consistent performance
• May lower data transfer cost
• Redundant connections optional (recommended)
• Direct Connect is a private circuit, not an encrypted one: traffic on a VIF is sent in the clear unless you enable MACsec on a 10 or 100 Gbps dedicated connection or run a Site-to-Site VPN over the connection
VPN & Direct Connect - Mesh Topology
• Three VPCs and three Data centers connected pairwise: VPC Peering between the VPCs, VPN or Direct Connect from each Data center to each VPC
• Every new VPC or site adds connections to all the others, so the number of links, tunnels and route-table entries to maintain grows quadratically
Transit Gateway & Direct Connect Gateway
• The VPCs attach to an AWS Transit Gateway, a Regional hub that routes between them (hub-and-spoke instead of a mesh)
• The Data centers reach the Transit Gateway over VPN and/or over Direct Connect through an AWS Direct Connect Gateway
• Transit Gateway route tables decide which attachments can reach which, so segmentation (for example keeping production and development VPCs apart) is configured once in the hub rather than in every VPC's route table
AWS Client VPN
• A remote User (1.2.3.4) running the OpenVPN client connects over TLS (TCP or UDP) to an AWS Client VPN Endpoint in the AWS Cloud
• The endpoint is associated with Subnet 1 in Availability Zone 1 of VPC 10.0.0.0/16, which creates a Client VPN Network Interface (10.0.0.1) in that subnet; the client itself is assigned an address from a separate client CIDR (shown as 192.168.0.1), which must be at least a /22 and must not overlap the VPC
• Security groups apply both to the Client VPN network interface and to the EC2 instance 10.0.0.2
• The endpoint's Route Table and Authorizations decide what a connected client can reach: routes into the VPC, and through VGW-123 and the IPSec Site-to-Site VPN with the Customer gateway, into the On-prem data center 172.16.0.0/16; authorization rules grant access per destination network and, with Active Directory or SAML authentication, per user group
DNS with Amazon Route 53
• Global DNS service
• 100% Availability SLA
• Domain registrar
• Public and private DNS zones
• Supports
  • Health checks
  • DNS failover
  • Round-robin routing
  • Weighted routing
  • Geolocation
  • Latency-based routing
Figure: a client sends GET example.com; Amazon Route 53 resolves example.com to the Elastic Load Balancer in front of the Web Service in Region us-east-1 (N. Virginia)
DNS with Amazon Route 53 – Weighted routing (A/B Testing)
Figure: GET example.com; Route 53 holds two weighted records for example.com in Region us-east-1 (N. Virginia). The Elastic Load Balancer for the Web Service running App Version A receives 95% of traffic and the one running App Version B receives 5%.
DNS with Amazon Route 53 – Failover (App DR)
Figure: GET example.com; Route 53 health checks the Main Site in Region us-east-1 (N. Virginia). Main Site Healthy: Yes, traffic goes to the us-east-1 Elastic Load Balancers with the weighted A/B Testing split (App Version A 95% Traffic, App Version B 5% Traffic). Main Site Healthy: No, failover routing sends traffic to the App DR Elastic Load Balancer and Web Service in Region us-west-2 (Oregon).
• Keep the TTL on failover records short so that resolvers pick up the switch quickly, and make the health check test the application path (an HTTP check on a real page), not just that the load balancer answers
Hybrid DNS Resolution - Route 53 Resolvers
• On-prem data center 172.16.0.0/16 runs its own DNS server dns.corp.com, authoritative for names such as app1.corp.com; it is connected to VPC 10.0.0.0/16 through a Customer gateway and the VGW
• Route 53 Resolver endpoints in Subnet 1 of the VPC, with the addresses 10.0.2.1 and 10.0.2.2 in the figure (place endpoint IPs in two subnets in different AZs for availability)
• Outbound resolution: a Resolver forwarding rule for corp.com sends queries from the VPC for app1.corp.com to dns.corp.com over the VPN
• Inbound resolution: dns.corp.com conditionally forwards queries for database.example.com (a name in a Route 53 private hosted zone) to the inbound endpoint addresses, which answer from the VPC's view of DNS
• Allow UDP and TCP 53 from the on-prem DNS servers in the inbound endpoint's security group, and nothing else
Amazon CloudFront
• Global CDN
• 220+ Points of Presence
Request flow:
1. User makes request
2. Routed to the nearest edge location
3. Edge gets the object from the origin (on a cache miss)
4. Origin returns to edge
5. Edge caches response
6. Edge returns to user
• Later requests for the same object are served from the edge cache without touching the origin. Restrict the origin so that clients cannot bypass CloudFront (and any WAF rules attached to it): origin access control for an S3 origin, or for a custom origin a secret header that CloudFront adds and the origin requires
Hands-on Lab - VPC
Up Next

Module 2 - Networking on AWS -Animated.pdf
