VPC (Virtual Private Cloud)
• It’s a virtual private data center in which we configure subnets, AZs and Access Control Lists.
• A default VPC is created in each region when we create our AWS account.
• Security is the most important aspect of any environment, hence when we create a VPC it creates a Network Access Control List and a Security Group along with it.
• There is a limit of 5 VPCs per region, but it can be increased by requesting the support center.
• The VPC Wizard offers the following configurations:
o VPC with a Single Public Subnet
o VPC with Public and Private Subnets
o VPC with Public and Private Subnets and Hardware VPN Access
o VPC with a Private Subnet Only and Hardware VPN Access
• Security groups span multiple AZs.
• VPC Peering:
o Allows you to connect a subnet in one VPC to a subnet in another VPC.
o Peered VPCs talk over private IP addresses, as if they were all on the same private subnet.
o Peering can happen with a VPC in another AWS account.
o Peering happens within a single region.
o For peering to happen, the CIDR blocks must not overlap or match, e.g. VPC ‘A’ with 10.0.0.0/16 can’t peer with VPC ‘B’ with 10.0.0.0/24.
o No transitive peering: in the diagram below, B cannot talk to C; for B and C to talk, either the traffic has to go through ‘A’ or B and C have to be peered directly.
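The two peering constraints above (no overlapping CIDRs, no transitive reachability) as an added example, not code from the original notes; VPC names, CIDRs and the `pcx-` route target format are constructed sample values:

```python
import ipaddress

def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Peering is refused when the two CIDR blocks overlap or are identical."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

class PeeringMesh:
    """Constructed model of peering connections between VPCs (sample data)."""

    def __init__(self):
        self.cidrs = {}   # vpc name -> ip_network
        self.peers = {}   # vpc name -> set of directly peered vpc names

    def add_vpc(self, name: str, cidr: str) -> None:
        self.cidrs[name] = ipaddress.ip_network(cidr)
        self.peers.setdefault(name, set())

    def peer(self, x: str, y: str) -> bool:
        """Create a peering connection; fails on overlapping CIDRs."""
        if not can_peer(str(self.cidrs[x]), str(self.cidrs[y])):
            return False
        self.peers[x].add(y)
        self.peers[y].add(x)
        return True

    def can_reach(self, src: str, dst: str) -> bool:
        """Reachability is direct adjacency only: no transitive hop via a hub."""
        return dst in self.peers[src]

    def route_for(self, src: str, dst: str) -> str:
        """Route-table entry src needs for dst (hypothetical 'pcx-A-B' naming)."""
        if not self.can_reach(src, dst):
            return "none (no peering; traffic is dropped)"
        a, b = sorted((src, dst))
        return f"pcx-{a}-{b} -> {self.cidrs[dst]}"

def demo():
    """Hub-and-spoke: A peers with B and C, but B and C are not peered."""
    mesh = PeeringMesh()
    for name, cidr in (("A", "10.0.0.0/16"), ("B", "10.1.0.0/16"),
                       ("C", "10.2.0.0/16"), ("D", "10.0.0.0/24")):
        mesh.add_vpc(name, cidr)
    ok_ab, ok_ac, ok_ad = mesh.peer("A", "B"), mesh.peer("A", "C"), mesh.peer("A", "D")
    return {
        "A-B": ok_ab, "A-C": ok_ac,
        "A-D": ok_ad,                              # False: 10.0.0.0/24 sits inside A
        "B reaches A": mesh.can_reach("B", "A"),
        "B reaches C": mesh.can_reach("B", "C"),   # False: peering isn't transitive
        "B route to C": mesh.route_for("B", "C"),
    }
```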
• Network Access Control List
o A custom Network Access Control List denies everything by default, while the default NACL and Security Group allow everything by default.
o A NACL is stateless (allowing inbound traffic does not automatically allow the corresponding outbound reply), while a SG is stateful.
o One subnet can be associated with only one NACL, but one NACL can be associated with multiple subnets. If one NACL had a deny rule for a particular traffic and another NACL had an allow rule for the same traffic on the same rule number, there would be a conflict if both were attached to the same subnet.
o NACL rules are evaluated in numerical order of “Rule#”, and the first match wins. If Rule# 99 denies HTTP from my PC’s IP and Rule# 100 allows HTTP from everywhere, access to the associated subnet is not allowed; if instead Rule# 101 denies HTTP from my PC’s IP and Rule# 100 allows HTTP from everywhere, access is allowed.
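The rule-order and statelessness points above as an added example, not code from the original notes: a small NACL evaluator walking rules in Rule# order with the implicit final deny, run on the Rule# 99/100/101 cases and on a reply packet. The rules and the “my PC” address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int        # Rule#: evaluated lowest first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)
    action: str        # "allow" or "deny"

    def matches(self, protocol: str, port: int, address: str) -> bool:
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr))

def evaluate(rules, protocol: str, port: int, address: str) -> str:
    """First matching rule in Rule# order decides; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, address):
            return rule.action
    return "deny"

MY_PC = "203.0.113.10"                                    # constructed sample IP
ALLOW_ALL_HTTP = Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")

def deny_my_pc_http(number: int) -> Rule:
    return Rule(number, "tcp", 80, 80, MY_PC + "/32", "deny")

# Inbound, Rule# 99 deny before Rule# 100 allow: my PC is blocked.
INBOUND_DENY_FIRST = [deny_my_pc_http(99), ALLOW_ALL_HTTP]
# Inbound, Rule# 100 allow before Rule# 101 deny: my PC gets in.
INBOUND_ALLOW_FIRST = [ALLOW_ALL_HTTP, deny_my_pc_http(101)]

# Stateless: the reply to a web request goes back out to an ephemeral port,
# so outbound needs its own allow for 1024-65535 or the reply is dropped.
OUTBOUND_HTTP_ONLY = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_HTTP_ONLY + [
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

def demo():
    reply_port = 50000   # ephemeral port picked by my PC's browser (sample)
    return {
        "deny-first inbound": evaluate(INBOUND_DENY_FIRST, "tcp", 80, MY_PC),
        "allow-first inbound": evaluate(INBOUND_ALLOW_FIRST, "tcp", 80, MY_PC),
        "reply without ephemeral rule": evaluate(OUTBOUND_HTTP_ONLY, "tcp", reply_port, MY_PC),
        "reply with ephemeral rule": evaluate(OUTBOUND_WITH_EPHEMERAL, "tcp", reply_port, MY_PC),
    }
```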
• Subnet
o In a VPC you can create a public-facing subnet where you deploy the EC2 instances that host the web application, and at the same time define a private subnet where you deploy your DB.
o Any subnet created is private by default.
o Every subnet has 5 fewer usable IP addresses than its CIDR block suggests, because AWS reserves 5 addresses in each subnet.
• An Internet Gateway can be attached to only one VPC and each VPC has only one IG, hence there is a one-to-one mapping between IG and VPC. The route table target should point to the IG; if there were multiple IGs it could lead to confusion, and if the IG were shared it would be a security breach.
• While creating an ELB in a custom VPC, you should have only one subnet per AZ and subnets from at least two AZs.
• VPC Flow Log:
o It captures information about the IP traffic going to and from network interfaces in your VPC.
o It can be viewed in CloudWatch Logs.
o It can be created at the following 3 levels:
▪ VPC
▪ Subnet
▪ Network interface
o Flow logs for a VPC that is peered with another VPC can be enabled if both VPCs are in the same AWS account.
o After the flow log is created, its configuration (IAM role, log group etc.) can’t be changed.
o The following traffic is not monitored:
▪ Traffic to and from 169.254.169.254 (instance metadata)
▪ Traffic to the reserved IP address of the default VPC router.
▪ DHCP traffic
▪ Traffic generated by Windows instances for Amazon Windows license activation.
▪ Traffic generated by instances when they contact the Amazon DNS server.
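An added example, not from the original notes, of what a defender does with the captured records: parse flow log lines in the default field layout and summarise REJECTed traffic per source and destination port, which is a quick way to spot probing against a subnet. The account id, interface id, addresses and timestamps are constructed sample values.

```python
from collections import Counter

# Default flow log record layout (version 2), space separated.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records: one source hitting 22 and 3389 and being rejected,
# one accepted HTTPS session, and one NODATA window with no traffic fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43210 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43211 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51515 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43212 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(line: str):
    """Split one record into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def rejected_by_port(log_text: str) -> Counter:
    """Count REJECT records per (srcaddr, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["log-status"] != "OK":
            continue   # NODATA / SKIPDATA windows carry '-' fields, not traffic
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], int(rec["dstport"]))] += 1
    return counts

def noisy_sources(log_text: str, threshold: int = 2) -> list:
    """Sources rejected on at least `threshold` distinct ports (port-scan hint)."""
    ports = {}
    for src, port in rejected_by_port(log_text):
        ports.setdefault(src, set()).add(port)
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)
```

The NODATA line is the shape of a record that carries no traffic fields, so the parser skips it rather than trying to read a port from `-`.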
• NAT (Network Address Translation)
o While creating NAT instances, disable source/destination checks on the instances.
o It must be in the public subnet.
o There must be a route from the private subnet to the NAT instance for this to work.
o The amount of traffic a NAT instance can support depends on the instance size.
o A NAT instance sits in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, while preventing those instances from receiving inbound traffic initiated by someone on the Internet.
CloudFront
• CloudFront caches media and websites, including dynamic, static, streaming and interactive content, in a location closer to the user.
• An edge location is the location where the content is cached.
• Edge locations are used for writes too.
• Objects are cached for the TTL.
• Clearing the cache is charged.
• The CDN distributes content from many origins, such as S3, EC2, Elastic Load Balancer and Route53.
• When you create a web distribution, you specify where CloudFront sends requests for the files that it distributes to edge locations. CloudFront supports the following as origins:
o Amazon S3 buckets
o HTTP/web servers hosted on EC2 or on your own private web servers
• When you create or update a distribution in CloudFront, you can add an origin access identity (OAI) and automatically update the bucket policy to give the origin access identity permission to access your bucket. Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket. Through this you can serve private content in S3 to the internet.
• Amazon CloudFront only accepts well-formed connections to prevent many common DDoS attacks like SYN floods and UDP reflection attacks from reaching your origin. DDoS attacks are geographically isolated close to the source, which prevents the traffic from affecting other locations.
• Distribution is a collection of edge locations.
• It's not quicker for the first user, but it is quicker for subsequent users from the same geographical place.
• With the “Price Class” option, you can specify which edge locations you want to cache in.
• Terminology
o Web Distribution: websites
o RTMP: Media Streaming
Route53
• It provides domain registration.
• To use a domain name that is registered with another registrar, you need to ask your registrar to update the name servers for your domain to the ones associated with the hosted zone in AWS.
• It's a DNS service; it doesn’t provide web application hosting.
• DNS is used to convert a human-friendly domain name to an Internet Protocol (IP) address.
• IP addresses are used by computers to identify each other on the network.
• IP addresses come in 2 forms: IPv4 and IPv6.
• IPv4 is a 32-bit field while IPv6 is a 128-bit field.
• IPv4 is the past while IPv6 is the present and future.
• The Internet Assigned Numbers Authority (IANA) is responsible for storing and managing top-level domain names (.com, .in etc.)
• Registrars (GoDaddy, Amazon etc.) are responsible for assigning domain names under one or more top-level domains.
• Domains are registered with InterNIC, a service of ICANN, which enforces uniqueness of domain names across the internet.
• Each domain name is registered in a DB called the WHOIS database.
• As DNS operates on port 53, the service is named Route53.
• A Start of Authority (SOA) record stores information about:
o The name of the server that supplied the data
o The TTL for the domain name to IP address mapping.
• What happens once you type a web URL:
o When you type an address (e.g. vikash.com), the resolver looks for its IP address.
o If the ISP didn’t cache the IP address, it goes to .com.
o On querying .com, it provides the following information:
▪ URL: Vikash.com
▪ TTL
▪ NS (Name Server): ns.awsdns.com
o The NS provides the “A” (Address) record.
▪ The “A” record is used by the computer to translate the domain name to an IP address.
• There are 3 types of records:
o “A” Record
o CNAME (Canonical Name) maps one domain name to another domain name, e.g. m.vikash.com <=> mobile.vikash.com
o Alias Record: used to map domain names to an ELB, a CloudFront distribution or an S3 bucket.
o A CNAME is not applicable to a naked domain name (e.g. vikash.com), only to a subdomain (e.g. m.vikash.com), while an Alias record is applicable to a naked domain name.
• Common DNS Types:
o NS
o SOA
o A
o CNAME
o MX Records
o PTR Records
• Routing Policies
o Simple Routing Policy
▪ A domain name can be assigned multiple IP addresses (e.g. EC2 public IP addresses)
▪ At runtime, it can pick any of the IP addresses (EC2 instances) randomly.
▪ It comes under the ‘A’ record.
▪ Only one ‘A’ record can exist (but mapped to multiple IP addresses)
o Weighted Routing Policy
▪ You can assign a weightage (%) to each record.
▪ It gets created as an ‘A’ record.
▪ One record has only one IP address and one weightage.
▪ You can have multiple ‘A’ records.
o Latency Routing Policy
▪ Based on the user's geographic location, it picks the IP address.
▪ Each entry is meant for one region.
▪ If there are multiple IPs (multiple EC2 instances), you can have multiple IP addresses in one record set.
▪ There can be more than one ‘A’ record set.
o Failover Routing Policy
▪ There is one primary, which is configured as part of “Health Checks” under Route53.
▪ Then a passive entry is configured.
▪ Here there are multiple ‘A’ records and each ‘A’ record has a single IP.
▪ If the primary goes down, the passive one comes into action.
o Geolocation Routing Policy
▪ It selects a server based on the geographic location of the user; these servers may serve the local language of that location's customers.
▪ Here there are multiple ‘A’ records.
▪ Here we select the location, not the region, while creating ‘A’ record sets.
o Multi Value Routing
▪ It's very similar to the Simple Routing Policy.
▪ Here there are multiple records and each record has one IP.
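The routing policies above as an added example, not code from the original notes: each function models how one policy picks an answer from the record sets described (several IPs in one record, one IP plus weight per record, primary/passive with a health check, per-location records, several single-IP records). IPs, weights, locations and the health state are constructed samples, and `r` stands in for Route53's random draw so the result is reproducible.

```python
def simple(ips, r: float) -> str:
    """Simple: one 'A' record holding several IPs; any one is answered."""
    return ips[int(r * len(ips))]

def weighted(records, r: float) -> str:
    """Weighted: (ip, weight) per record; chosen in proportion to weight."""
    total = sum(weight for _, weight in records)
    cut = r * total
    running = 0
    for ip, weight in records:
        running += weight
        if cut < running:
            return ip
    return records[-1][0]

def failover(primary: str, passive: str, healthy) -> str:
    """Failover: primary while its health check passes, else the passive entry."""
    return primary if healthy(primary) else passive

def geolocation(records, default: str, location: str) -> str:
    """Geolocation: 'A' record keyed by the user's location, with a default."""
    return records.get(location, default)

def multivalue(ips, healthy, limit: int = 8) -> list:
    """Multi value: every record has one IP; up to `limit` healthy ones answered."""
    return [ip for ip in ips if healthy(ip)][:limit]

# Constructed sample data: three web servers, one of which is down.
DOWN = {"10.0.3.30"}

def healthy(ip: str) -> bool:
    return ip not in DOWN

def demo(r: float = 0.5) -> dict:
    ips = ["10.0.1.10", "10.0.2.20", "10.0.3.30"]
    return {
        "simple": simple(ips, r),
        "weighted": weighted([("10.0.1.10", 90), ("10.0.2.20", 10)], r),
        "failover": failover("10.0.3.30", "10.0.1.10", healthy),   # primary is down
        "geolocation": geolocation({"IN": "10.0.2.20"}, "10.0.1.10", "IN"),
        "multivalue": multivalue(ips, healthy),
    }
```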
• Route53 is global, like IAM.
• 50 domain names are available by default; this is a soft limit and can be raised by contacting AWS support.
API Gateway
• It can forward the call to an EC2 instance or a Lambda function.
• You can improve the performance of API Gateway by using API caching, where the response is stored for the duration defined by the TTL. That means API Gateway will not make further backend calls (to EC2, Lambda etc.) during that time.
• Cross-Origin Resource Sharing (CORS) enables access to the API from a web page served from another domain.
• It scales automatically.
Direct Connect
• It's direct connectivity between AWS and your DC, office etc.
• It provides a private connection.
• It increases reliability and bandwidth.
• It doesn’t use the internet, unlike a VPN.
• Direct Connect is a lengthy process, so if you have an immediate need then better go for a VPN.