AWS Solutions architect 4 - Networking

Networking Fundamentals

OSI Model

Encapsulation model

Number  Name          Protocols / data unit
7       Application   HTTP, TLS, HTTPS
6       Presentation  Conversion/encryption, standards
5       Session       Requests, stream
4       Transport     TCP (reliable) / UDP (fast), segment
3       Network       IP addresses, packet
2       Data link     MAC addresses, frame
1       Physical      Hardware, binary

IP Addressing Basics

  • IPv4 -> communication at layer 4 and above on OSI model

    • Dotted decimal notation: 192.168.10.5

    • IPs are split into a network part and a node/host part; the netmask or prefix shows where the split happens (network part = 1s, node part = 0s)

      IP       192       168       10        5
      Binary   11000000  10101000  00001010  00000101
      Subnet   255       255       255       0
      Prefix   /24 = 11111111.11111111.11111111.00000000
  • Reserved addresses

    Address (range)                  Reserved for
    0.0.0.0                          all IP addresses
    255.255.255.255                  broadcast to everyone
    127.0.0.1                        localhost
    169.254.0.1 - 169.254.255.254    autoconfigure with DHCP
  • Classes (original, had ranges for private networking only)

    • A for large organizations

    • B for medium

    • C for small business

      Class          Range                         IP networks   Nodes per network
      Class A (/8)   1.0.0.0 - 126.255.255.255     126           16.777.214 (2 reserved)
      Class B (/16)  128.0.0.0 - 191.255.255.255   16.382        65.534 (2 reserved)
      Class C (/24)  192.0.0.0 - 223.255.255.255   2.097.150     254 (2 reserved)
  • CIDR (Classless Inter-Domain Routing): used in IPv4 rather than the class system

Subnetting

  • Subnetting: process of breaking a network down into smaller subnetworks
  • Adapt it to the VPC: split a network into 2 smaller ones by incrementing the prefix (for example a …/16 can be split into two …/17 subnets)
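Worked example (added here, not from the original notes): the netmask split and the /16 into two /17 split above, done with Python’s standard ipaddress module. The addresses are the ones from the notes plus constructed sample values; same_subnet is the mask test a host applies to decide whether a destination is local.

```python
import ipaddress


def address_parts(ip: str, prefix: int) -> dict:
    """Split an IPv4 address into its network and host parts for a given prefix length."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    net = iface.network
    return {
        "binary": ".".join(f"{octet:08b}" for octet in iface.ip.packed),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": 32 - prefix,
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast addresses
    }


def split_network(cidr: str, new_prefix: int) -> list:
    """Subnetting: break a block into smaller blocks by lengthening the prefix
    (a /16 into two /17s, or into sixteen /20s)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """The mask test a host runs before sending: if both addresses share the network
    part, deliver locally over L2 (ARP for the MAC); otherwise hand the packet to the
    default gateway."""
    mask = int(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    return int(ipaddress.ip_address(ip_a)) & mask == int(ipaddress.ip_address(ip_b)) & mask


if __name__ == "__main__":
    print(address_parts("192.168.10.5", 24))       # the address from the notes
    print(split_network("10.0.0.0/16", 17))        # constructed VPC range split in two
    print(same_subnet("192.168.10.5", "192.168.11.5", 24))
```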

IP Routing

  • Local device-to-device communication takes place using L1 (physical) and L2 (data-link) using MAC addresses and physical 0’s and 1’s. This does not scale across LANs, so a method of network-to-network transit is needed.
  • IP routing: the method of network-to-network transit. It scales because the sending host only needs to know whether the destination is local, in a known remote network, or in an unknown network.
  1. Local:
  • IP-IP locally doesn’t use a router

  • ARP translates IP addresses to MAC addresses

        graph LR
    A[Network1]
    B[Network2]
    
    A -- L3 package --> B;
  2. Known:
  • Use its IP mask to know if it is local, if not, use the default gateway (router), which will send it to the known network

        graph LR
    A[Network1]
    B(Router)
    C[Network2]
    
    A -- L2 connection --> B;
    B -- L2 connection --> C;
    A -- single L3 package --> C;
  3. Unknown:
  • If default gateway for A knows it is not local, then send it to next network

  • Unchanged L3 packets are passed from router to router, each hop using a new L2 connection

        graph LR
    A[Network1]
    B(RouterA)
    C[Network2]
    D(RouterB)
    E((Internet))
    F(RouterC)
    G[Network3]
    
    A --> B;
    B --> C;
    C --> D;
    D --> E;
    E --> F;
    F --> G;

Firewalls

  • Firewall: device which historically sits between different networks and monitors the traffic flowing between them

    • it is capable of reading packet data and either allowing or denying traffic
    • establishes a barrier between networks of different security levels
  • What a data firewall can do depends on the OSI layer it operates at

    Layer  Layer name   Actions
    3      Network      source/destination IP addresses or ranges
    4      Transport    protocol (TCP/UDP) and port numbers
    5      Session      as layer 4, but understands response traffic
    7      Application  application specifics (e.g. HTML paths, images)

Proxy Servers

  • Proxy server: gateway that sits between a private and a public network (e.g. the Internet)
    • needs application support, configured on the OS, web browser…

    • proxy servers can choose to pass on traffic or not based on things a network layer appliance can’t see (username, company identity…)

          graph LR
      
      subgraph SubNet
        A[customer unauthorized]
        B[proxy server]
        C[cache]
        D[customer authorized]
      end
      
      subgraph PublicInternet
        E((Cloud))
        F[Server]
      end
      
      A -- deny --> B;
      B -- allow --> D;
      B --> C;
      B --> E;
      E --> B;
      E --> F;
      F --> E;

Private networking

VPCs and subnets

  • Virtual Private Cloud
    • private network within AWS (“your private data center”)
    • can be configured to be public/private or mixture
    • regional (can’t span regions), highly available, can be connected to your data center or corporate network
    • isolated from other VPCs by default
    • VPC and subnet CIDR size: max /16, min /28
    • VPC subnets can’t span AZs (1:1 mapping)
    • certain IPs are reserved in subnets
  • Region default VPC
    • required for some services, used as a default for most
    • pre-configured with all required networking/security
    • configured using a /16 CIDR block
    • a /20 public subnet in each AZ, allocating a public IP by default
    • attached internet gateway with a “main” route table sending all IPv4 traffic to the internet gateway using a 0.0.0.0/0 route
    • a default DHCP option set attached
    • SG default: allow all from itself, allow all outbound
    • NACL:default - allow all inbound and outbound
  • Custom VPC
    • can be designed and configured in any valid way

    • you need to allocate IP ranges, create subnets and provision gateways and networking, as well as design and implement security

    • when you need multiple tiers or a more complex set of networking

    • best practice is not to use the default VPC for most production workloads

      Reserved IP   Value
      .0            Network
      .1            Router
      .2            DNS
      .3            Future use
      .X (last)     Broadcast

Routing and Internet Gateway

graph TD

subgraph us-east-1a
  A[Bastion]
  B(Gateway - publicSubnet 10.0.1.1)
end

C((Router))

subgraph us-east-1b
  D(Gateway - publicSubnet 10.0.2.1)
end

E((Internet gateway))

A --> B;
B --> C;
C --> D;
C --> E;
  • VPC routing
    • every VPC has a virtual routing device called VPC router (choose default tenancy on the console)
    • it has an interface in any VPC subnet known as the “subnet+1” address (e.g. for 10.0.1.0/24 -> 10.0.1.1/32)
    • router = highly available, scalable and controls data entering and leaving the VPC
  • Routes
    • a route table (RT) is a collection of routes that are used when traffic from a subnet arrives at the VPC router
    • every route table has a local route, which matches the CIDR of the VPC and lets traffic be routed between subnets
    • a route contains a destination and a target. Traffic is forwarded to the target if its destination matches the route destination
    • if multiple routes apply, the most specific is chosen (/32 before /24 before /16)
    • default routes (0.0.0.0/0 for IPv4 and ::/0 for IPv6) can be added that match any traffic not already matched
    • targets can be IPs or AWS networking gateways/objects
    • a subnet is a public subnet if (AND conditions)
      • it is configured to allocate public IPs
      • the VPC has an associated internet gateway
      • that subnet has a default route to that internet gateway
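Added example (not part of the original notes): a constructed VPC route table evaluated with longest-prefix matching, the “subnet+1” router address, and the three AND conditions for a public subnet. The 10.0.0.0/16 VPC CIDR, the peer CIDR and the pcx-/igw-/eigw-/nat- target ids are placeholders chosen for the example, not real resource ids.

```python
import ipaddress

# Constructed route table for a VPC whose CIDR is 10.0.0.0/16.
# Target ids are placeholders in the AWS naming style, not real resources.
ROUTE_TABLE = [
    {"destination": "10.0.0.0/16", "target": "local"},             # local route, always present
    {"destination": "10.1.0.0/16", "target": "pcx-PLACEHOLDER"},   # peering connection to another VPC
    {"destination": "0.0.0.0/0",   "target": "igw-PLACEHOLDER"},   # IPv4 default route
    {"destination": "::/0",        "target": "eigw-PLACEHOLDER"},  # IPv6 default route
]


def vpc_router_address(subnet_cidr: str) -> str:
    """The VPC router's interface in a subnet is the 'subnet+1' address
    (10.0.1.0/24 -> 10.0.1.1)."""
    net = ipaddress.ip_network(subnet_cidr)
    return str(net.network_address + 1)


def select_route(route_table: list, destination_ip: str):
    """Longest-prefix match: among routes whose destination contains the packet's
    destination, the most specific (longest prefix) wins; /32 beats /24 beats /16.
    Returns the target, or None when nothing matches (no default route)."""
    dst = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for route in route_table:
        net = ipaddress.ip_network(route["destination"])
        if net.version != dst.version or dst not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, route["target"]
    return best_target


def is_public_subnet(auto_assign_public_ip: bool, vpc_has_igw: bool, route_table: list) -> bool:
    """All three conditions must hold: the subnet allocates public IPs, the VPC has an
    internet gateway, and the subnet's route table sends default traffic to an IGW
    (a default route pointing at a NAT gateway does not make the subnet public)."""
    default_to_igw = any(
        r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
        for r in route_table
    )
    return auto_assign_public_ip and vpc_has_igw and default_to_igw


if __name__ == "__main__":
    print(vpc_router_address("10.0.1.0/24"))
    for ip in ("10.0.2.15", "10.1.5.5", "203.0.113.9", "2001:db8::1"):
        print(ip, "->", select_route(ROUTE_TABLE, ip))
    print(is_public_subnet(True, True, ROUTE_TABLE))
```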
graph LR

A((some network))

subgraph public network
  B[Bastion]
end

C((private instances))
D((private instances))

A -- from trusted IPs --> B;
B -- from bastion --> C;
B -- from bastion --> D;

Bastion Host/JumpBox

  • Bastion: a host that sits at the perimeter of a VPC
  • it functions as an entry point to the VPC for trusted admins
  • allows for updates or configuration tweaks remotely while allowing the VPC to stay private and protected
  • generally connected to via SSH (Linux) or RDP (Windows)
  • bastion hosts must be kept updated, security hardened and audited regularly
  • access should be restricted with multi-factor authentication, ID federation, and/or IP blocks (allowed source ranges)

NAT, NAT Instance, and NAT Gateway

  • NAT: Network Address Translation: method to remap IPs or destination IPs from packets

    • static NAT: a private IP is mapped to a public IP (what the IGW does)
    • dynamic NAT: a range of private addresses are mapped onto 1 or more public (your home router and NAT gateways)
  • Public IP addressing (EIP)

        graph LR
    
      A[Instance]
      B((NATGW))
      C((IGW))
      D(Internet site)
    
      A -- src --> B;
      B -- src natgwpriv --> C;
      C -- src natgwpub --> D;

NACLs

  • Network Access Control Lists (NACL)

    • operate at layer 4 of the OSI model (TCP/UDP and below)
    • a subnet has to be associated with a NACL - either the VPC default or a custom NACL (Security Groups are for resources)
    • NACLs only impact traffic crossing the boundary of a subnet
    • NACLs are collections of rules that can explicitly allow or deny traffic based on its protocol, port range and source/destination
    • rules are processed in number order lowest first. When a match is found, that action is taken and processing stops
    • the * rule is processed last and is an implicit deny
    • NACLs have 2 sets of rules: inbound and outbound
  • ephemeral ports (response traffic)

    • When a client initiates communication with a server, it is to a well-known port number on that server
    • the response is from that well-known port to an ephemeral port on the client (the client decides the port)
    • NACLs are stateless, so they have to consider both initiating and response traffic - state is a session-layer concept
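Added example (not part of the original notes): a constructed custom NACL for a web subnet, evaluated the way the notes describe (number order, first match wins, implicit deny at the end), plus a stateless session check showing why the ephemeral-port rule is needed for the response direction. Rule numbers, ports and the 203.0.113.x / 198.51.100.x addresses are constructed values.

```python
import ipaddress

# Constructed custom NACL. Rule shape: (number, action, protocol, port_from, port_to, cidr)
INBOUND = [
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),       # HTTPS requests from anywhere
    (110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),    # ephemeral ports: responses to requests the subnet made
    (120, "deny", "tcp", 22, 22, "0.0.0.0/0"),          # explicit deny of SSH from outside the subnet
]
OUTBOUND = [
    (100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),    # ephemeral ports: responses to the inbound HTTPS
    (110, "allow", "tcp", 443, 443, "0.0.0.0/0"),       # HTTPS the subnet initiates (updates, AWS APIs)
]


def evaluate(rules, protocol, port, remote_ip):
    """Process rules in number order, lowest first; the first match decides and
    processing stops. No match falls through to the '*' rule, an implicit deny."""
    remote = ipaddress.ip_address(remote_ip)
    for number, action, proto, port_from, port_to, cidr in sorted(rules, key=lambda r: r[0]):
        if proto not in ("all", protocol):
            continue
        if not port_from <= port <= port_to:
            continue
        if remote not in ipaddress.ip_network(cidr):
            continue
        return action, number
    return "deny", "*"


def inbound_session_allowed(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless check for a session initiated from outside the subnet: the request is
    judged by the inbound rules against the server port, and the response is judged
    separately by the outbound rules against the client's ephemeral port. Both must pass."""
    request = evaluate(inbound, protocol, server_port, client_ip)
    response = evaluate(outbound, protocol, client_port, client_ip)
    return request[0] == "allow" and response[0] == "allow", request, response


def outbound_session_allowed(inbound, outbound, server_ip, local_port, server_port, protocol="tcp"):
    """Mirror image for a session initiated from inside the subnet: outbound rules judge
    the request, inbound rules judge the reply arriving on the local ephemeral port."""
    request = evaluate(outbound, protocol, server_port, server_ip)
    response = evaluate(inbound, protocol, local_port, server_ip)
    return request[0] == "allow" and response[0] == "allow", request, response


if __name__ == "__main__":
    print(inbound_session_allowed(INBOUND, OUTBOUND, "203.0.113.7", 51234, 443))
    # Drop the outbound ephemeral rule: the request still matches, the reply is denied
    print(inbound_session_allowed(INBOUND, [OUTBOUND[1]], "203.0.113.7", 51234, 443))
```

Note that NACL rule ordering is the whole game: a broad allow with a lower number than a deny hides the deny, which is why the example keeps the deny for port 22 on its own number and keeps the ephemeral range away from the well-known ports.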

Advanced VPC

VPC Peering

  • VPC peering: allows direct communication between VPCs

    • services can communicate using private IPs from VPC to VPC
    • VPC peers can span AWS accounts and even regions (with some limitations)
    • Data is encrypted and transits via the AWS global backbone
    • VPC peers are used to link 2 VPCs at layer 3: company mergers, shared services, company and vendor, auditing
  • Important limits and considerations

    • VPC CIDR blocks cannot overlap
    • VPC peers connect 2 VPCs - routing is not transitive
    • Routes are required at both sides, so update the Route Tables (remote CIDR -> peer connection)
    • NACL and SGs can be used to control access
    • SGs can be referenced, but not cross-region
    • IPv6 support is not available cross region
    • DNS resolution to private IPs can be enabled, but it’s a setting needed at both sides
  • ⚠️ Transitive routing (not supported)

        graph LR
    
      subgraph VPC A
        A[Instance 10.0.1.10/32]
      end
    
      B((peering connection))
    
      subgraph VPC B
        C[Instance 10.1.10.27/32]
      end
    
      A --> B;
      B --> C;

VPC Endpoints

  • VPC endpoints: gateway objects created within a VPC. They can be used to connect to AWS public services without the VPC needing an attached internet gateway or being public

    • Types
      • gateway endpoints: for DynamoDB and S3
      • interface endpoints: for everything else
    • When to use them
      • entire private VPC (no IGW)
      • a specific instance has no public IP/NATGW and needs to access public services
      • access resources restricted to specific VPCs or endpoints (private S3 bucket)
  • Limitations and considerations

    • gateway endpoints are used via route table entries - they are gateway devices. Prefix lists for a service are used in the destination field with the gateway as the target
    • gateway endpoints can be restricted via policies
    • gateway endpoints are HA across AZs in a region
    • interface endpoints are interfaces in a specific subnet (may override DNS with private DNS, powered by AWS PrivateLink). For HA you need to add multiple AZs
    • interface endpoints are controlled via SGs on that interface. NACLs also impact traffic
    • code changes are needed to use the endpoint DNS, or enable private DNS to override the default service DNS

List public endpoints

IPv6 within AWS

  • IPv6 is supported, but not across every product and not with every feature

    • 2001:db8:1234:1a00::/56
    • Route tables can contain IPv6 routes, with the default route being ::/0 (all 0s)
    • VPCs can optionally have a fixed /56 range allocated by AWS. Each subnet uses a fixed /64. The /64 can be chosen from the /56, but the VPC range cannot be adjusted
    • Instances can be allocated IPv6 addresses at launch in the same way as IPv4 - they are static by default
  • IPV6 VPC setup

    1. Disabled by default (opt-in)
    2. Request an IPv6 allocation; each VPC is allocated a /56 CIDR from the AWS pool (can’t be adjusted)
    3. With the VPC IPv6 range allocated, subnets can be allocated a /64 CIDR from within the /56 range
    4. Resources launched into a subnet with an IPv6 range can be allocated an IPv6 address via DHCPv6
  • Limitations and considerations

    • DNS names are not allocated to IPv6 addresses
    • IPv6 addresses are all publicly routable - there is no concept of private vs public with IPv6 (unlike IPv4 addresses)
    • With IPv6, the OS is configured with this public address via DHCPv6
    • Elastic IPs aren’t relevant with IPv6
    • Not currently supported for VPNs, customer gateways, and VPC endpoints
  • Egress-Only Gateway

    • Egress-only internet gateway: provides IPv6 instances with outgoing access to the public internet using IPv6, but prevents the instances from being accessed from the Internet

      • NAT isn’t required with IPv6, so NATGWs aren’t compatible with IPv6. Egress-only gateways provide the outgoing-only access of a NATGW but do so without adjusting any IP addresses
      • Architecturally, they are otherwise the same as an IGW
          graph LR
      
      A(incoming)
      
      subgraph VPC
        B[Instance IPv6]
        C((VPC router))
        D[Route table]
        E((Internet gateway))
      end
      
      F(outgoing)
      
      A -- disallowed --> E;
      B --> C;
      D --> C;
      C --> E;
      E -- egress only --> F;

DNS fundamentals

Global DNS (Route 53) Fundamentals: terms

  • DNS root servers: trusted servers, authoritative for the root zone
  • Top-Level Domain (TLD): geographical and generic (.es, .us, .com, .org)
  • Subdomain: organization, anything between host and TLD (example.com)
  • Zone and Zone File: mapping of IPs and hosts for a given subdomain (record of www for example.com)
  • Records: DNS has several record types (A, MX…)
  • Name Server: server that runs a DNS service to store/cache info from the DNS platform
  • Authoritative: root servers are authoritative for the root zone = trusted by every OS and networking stack globally
  • Hosts: record in a zone file (www, mail…)
  • FQDN: Fully Qualified Domain Name (the host and domain: www.example.com)
    • Absolute domains have a period at the end (e.g. www.example.com.)

DNS 101

  • Domain Name System (DNS): turn DNS names into IP addresses. It is a distributed system (no part knows all)
  • Steps (asking for example.com)
    1. Query your ISP, if it doesn’t know, it handles it for you
    2. The ISP queries the DNS root servers. If they don’t know, they help by providing the servers authoritative for .com
    3. The .com servers are queried. If they don’t have an IP, they provide the example.com authoritative servers
    4. The servers are run by LA, they know and return one or more IPs
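Added example (not from the original notes): the four resolution steps above as an iterative walk over a constructed toy hierarchy (root, then .com, then example.com), the way a resolver such as your ISP’s performs it. Zone contents, the placeholder server names and the 192.0.2.10 answer are constructed, not real DNS data.

```python
# Constructed toy hierarchy: each key is a zone, holding only the records that zone's
# authoritative servers know. Server names are placeholders; the IP is documentation-range.
ZONES = {
    ".": {"com.": {"NS": ["tld-ns.PLACEHOLDER."]}},
    "com.": {"example.com.": {"NS": ["ns1.example-PLACEHOLDER."]}},
    "example.com.": {"www.example.com.": {"A": ["192.0.2.10"]}},
}


def to_fqdn(name: str) -> str:
    """Absolute names end with a trailing period (www.example.com.)."""
    return name if name.endswith(".") else name + "."


def resolve(name: str, zones=ZONES):
    """Iterative resolution: ask the root, follow each NS referral one zone down the
    hierarchy, and stop at the authoritative answer (or when a zone has no such name).
    Returns (ip_list, path); path records each zone consulted and what it replied."""
    fqdn = to_fqdn(name)
    labels = fqdn.rstrip(".").split(".")
    zone, path = ".", []
    # Walk the labels right to left: "com." first, then "example.com.", then the host.
    for i in range(len(labels) - 1, -1, -1):
        records = zones[zone]
        if fqdn in records and "A" in records[fqdn]:
            path.append((zone, "authoritative answer"))
            return records[fqdn]["A"], path
        child = ".".join(labels[i:]) + "."
        if child in records and "NS" in records[child]:
            path.append((zone, f"referral to {child}"))
            zone = child  # the next query goes to the child zone's name servers
        else:
            path.append((zone, "no such name"))
            return [], path
    path.append((zone, "no such name"))
    return [], path


if __name__ == "__main__":
    ips, path = resolve("www.example.com")
    for zone, reply in path:
        print(f"{zone:14} -> {reply}")
    print(ips)
```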

Domain registration

  • Register a domain in DNS
    1. Check if the domain is available (generally against a database of the TLD subdomain operator)
    2. Purchase the domain via registrar
    3. Hosting the domain (manage/pay for DNS hosting or name servers configured for your domain)
      • Route 53 allows you to register and host, or just host, or just register a domain.
    4. Records in the zone file (on the name servers that are authoritative for/host the domain, you need to add records into the zone file)

Hosted Zones

  • Hosted Zone: container for DNS records relating to a particular domain
  • Route 53 supports public hosted zones (influence the visible domain)
  • Visibility
    • Public Zones
      • created when you register a domain with Route53, when you transfer a domain into Route53, or if you create one manually
      • a hosted zone has the same name as the domain it relates to (e.g. example.com will have a hosted zone called example.com)
      • a public zone is accessible from Internet-based DNS clients
      • a hosted zone will have “name servers” - these are the IP addresses you can give to a domain operator, so Route 53 becomes “authoritative” for the domain
    • Private Zones
      • created manually and associated with one or more VPCs - they are only accessible from those VPCs
      • need enableDnsHostnames and enableDnsSupport enabled on a VPC
      • not all Route 53 features are supported - limits on health checks
      • split-view DNS is supported, using the same zone name for public and private zones - providing VPC resources with different records
        • with split view, private is preferred - if no matches, public is used

Record Set Types

  • DNS supports different types of records, each providing different functionality
    • A Record: provides an IPv4 address for given host
    • AAAA Record: provides an IPv6 address for given host
    • CNAME Record: allows aliases to be created
    • MX Record: provides the mail servers for a given domain
    • NS Record: used to set the authoritative servers for a subdomain (e.g. .com would have NS records for example.com)
    • TXT Record: used for descriptive text in a domain (e.g. to verify domain ownership)
    • Alias Records: extension of CNAME - can be used like an A record, with the functionality of a CNAME and none of the limitations
      • can refer to AWS logical services (load balancers, S3)
      • AWS doesn’t charge for queries of alias records against AWS resources
  • Default records of a zone - SOA, NS

Health checks

  • Health checks can be created with Route53, used to influence Route53 routing decisions
  • Classification
    • monitor endpoint
    • monitor another health check
    • monitor CloudWatch alarms
  • Route53 health checkers
    • global health check system that checks an endpoint in an agreed way and at an agreed frequency
    • values
      • >18% of checkers report healthy -> healthy
      • <18% of checkers report healthy -> unhealthy
  • Types of health check
    • HTTP and HTTPS check: tcp/80 or tcp/443 connection checks in less than 4 seconds (report 2xx or 3xx in 2 seconds)
    • TCP check: tcp connection within 10 seconds
    • HTTP/S check: all checks from HTTP and HTTPS but the body is checked for a String match -> 10, 30s
  • Route53 and decisions via health checks
    • Records can be linked to health checks. If unhealthy -> record is not used
    • can be used for failover and other routing architectures

DNS advanced

Global DNS (Route 53): Routing policy

  • Simple: single record within a hosted zone that contains 1 or more values

    • When queried - returns all the values in random order
      • simple, default, even spread of requests
      • no performance control, no granular health checks for alias type (only a single AWS resource)
  • Failover: allows creating 2 records with the same name (primary and secondary, used in case the 1st is unhealthy)

    • Can be combined with other types to allow multiple primary and secondary records
  • Weighted: to control the amount of traffic that reaches specific resources (10% for 1st, 90% for 2nd)

    • Useful to test new software, or when resources are being added or removed from a configuration that doesn’t use a load balancer
    • Records are returned on a ratio of their weight to the total weight, assuming records are healthy
  • Latency based: Route53 consults a latency database each time a request occurs and returns the host with the lowest latency to the resolver server that asked

    • Record sets with the same name are considered part of the same latency-set
    • Each is allocated to a region
    • The record set returned is the 1 with the lowest latency to the resolver server
  • Geolocation (geoproximity): lets you choose the resources that serve your traffic based on the geographic region from which queries originate

    • A record set is configured for a continent or a country
    • The record set is used for queries in that same region, with more specific matches taking priority
    • Record sets can be set as the default that gets returned if the IP matching process fails or if no record set is configured for the originating query region
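Added example (not from the original notes) covering the health check aggregation from the Health checks section and the failover, weighted, latency-based and geolocation policies above, as plain functions so the decision each policy makes can be checked. Record names, weights, the latency table, the resolver locations and the 192.0.2.x addresses are constructed values.

```python
# Constructed records; the values are documentation-range IPs, not real endpoints.
WEIGHTED = [
    {"name": "blue", "value": "192.0.2.10", "weight": 10},
    {"name": "green", "value": "192.0.2.20", "weight": 90},
]
LATENCY_SET = [
    {"name": "use1", "value": "192.0.2.30", "region": "us-east-1"},
    {"name": "euw1", "value": "192.0.2.40", "region": "eu-west-1"},
]
GEO = [
    {"name": "es", "value": "192.0.2.50", "location": ("country", "ES")},
    {"name": "eu", "value": "192.0.2.60", "location": ("continent", "EU")},
    {"name": "default", "value": "192.0.2.70", "location": ("default", None)},
]
# Constructed latency table: resolver location -> record region -> milliseconds
LATENCY_DB = {
    "eu-resolver": {"us-east-1": 95, "eu-west-1": 12},
    "us-resolver": {"us-east-1": 8, "eu-west-1": 90},
}


def aggregate_health(checker_results, threshold=0.18):
    """Many global checkers probe the endpoint; per the notes, the endpoint is healthy
    when more than 18% of them report healthy."""
    healthy = sum(1 for ok in checker_results if ok)
    return healthy / len(checker_results) > threshold


def weighted_distribution(records, health):
    """Share of answers each record gets: its weight over the total weight of the healthy
    records. Unhealthy records drop out and the others absorb their share."""
    live = [r for r in records if health.get(r["name"], True)]
    total = sum(r["weight"] for r in live)
    return {r["name"]: r["weight"] / total for r in live} if total else {}


def failover(primary, secondary, health):
    """Return the primary while its health check passes, otherwise the secondary."""
    return primary if health.get(primary["name"], False) else secondary


def latency_based(records, resolver_location, health, latency_db=LATENCY_DB):
    """Among the healthy records of the latency set, return the one with the lowest
    latency from the resolver that asked."""
    live = [r for r in records if health.get(r["name"], True)]
    if not live:
        return None
    return min(live, key=lambda r: latency_db[resolver_location][r["region"]])


def geolocation(records, query_continent, query_country):
    """Most specific match wins: country first, then continent, then the default record."""
    for kind, value in (("country", query_country), ("continent", query_continent), ("default", None)):
        for r in records:
            if r["location"] == (kind, value):
                return r
    return None


if __name__ == "__main__":
    print(aggregate_health([True, True] + [False] * 8))
    print(weighted_distribution(WEIGHTED, {"green": False}))
    print(failover(WEIGHTED[0], WEIGHTED[1], {"blue": False})["name"])
    print(latency_based(LATENCY_SET, "eu-resolver", {})["name"])
    print(geolocation(GEO, "EU", "FR")["name"])
```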