Module 04

Networking

Introduction

In this module, you will learn how to:

  • Describe the basic concepts of networking.
  • Describe the difference between public and private networking resources.
  • Explain a virtual private gateway using a real life scenario.
  • Explain a virtual private network (VPN) using a real life scenario.
  • Describe the benefit of AWS Direct Connect.
  • Describe the benefit of hybrid deployments.
  • Describe the layers of security used in an IT strategy.
  • Describe the services customers use to interact with the AWS global network.

Virtual Private Cloud

VPC is a networking service that you can use to establish boundaries around your AWS resources.

VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. The resources in it can be public facing or private.

Subnet

A subnet is a section of a VPC that can contain resources such as Amazon EC2 instances.

A subnet is a grouping of resources that is either public or private.

Subnets are ranges of IP addresses in your VPC that let you group resources together. In other words, a subnet is a section of a VPC in which you can group resources based on security or operational needs. Subnets can be public or private.

Public subnets contain resources that need to be accessible by the public, such as an online store’s website.

Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories.

In a VPC, subnets can communicate with each other. For example, you might have an application that involves Amazon EC2 instances in a public subnet communicating with databases that are located in a private subnet.

Internet Gateway

To allow public traffic into a VPC, you must attach an internet gateway to the VPC.

An internet gateway is a connection between a VPC and the internet. Without an internet gateway, no one can access the resources within your VPC.

Virtual Private Gateway

To reach private resources, you can use a virtual private gateway.

The virtual private gateway is the component that allows protected internet traffic to enter into the VPC. A virtual private gateway allows traffic into the VPC only if it is coming from an approved network.

AWS Direct Connect

AWS Direct Connect lets you establish a completely private, dedicated fiber connection from your data center or building to AWS.

Subnets and Network Access Control List

A network ACL is a virtual firewall that controls inbound and outbound traffic at the subnet level. It checks the traffic going into and out of a subnet: approved requests are passed through, and unapproved requests are blocked.

A network ACL is applied at the subnet level. At the instance level, we use security groups.

Security groups check packets coming in, not going out: inbound traffic is evaluated against the inbound rules, while by default all outbound traffic is allowed.

A network ACL is stateless, but a security group is stateful.

Network ACL

Network ACLs perform stateless packet filtering. They remember nothing and check every packet that crosses the subnet border in each direction, inbound and outbound.

Security Groups

A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.

Security Groups - Stateful packet filtering

They remember previous decisions made for incoming packets.

Consider the same example of sending a request out from an Amazon EC2 instance to the internet. When a packet response for that request returns to the instance, the security group remembers your previous request. The security group allows the response to proceed, regardless of inbound security group rules.
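To make the stateless/stateful difference concrete, here is an added example (not part of the course material) that simulates a network ACL and a security group handling an outbound HTTPS request and its reply; the addresses, ports and rule numbers are constructed, and the rule format is a simplification of the real AWS rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = entering the subnet/instance, "out" = leaving it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Rule tuple: (number, direction, proto, (low_port, high_port), action);
# proto "all" matches anything, the port range is matched against dport.
def _match(rule, pkt):
    _, direction, proto, (lo, hi), _ = rule
    return direction == pkt.direction and proto in ("all", pkt.proto) and lo <= pkt.dport <= hi

class NetworkACL:
    """Stateless: each packet, in each direction, is checked against the
    numbered rules in ascending order; first match wins, no match is a deny."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])
    def evaluate(self, pkt):
        for rule in self.rules:
            if _match(rule, pkt):
                return rule[4]
        return "deny"  # the implicit '*' deny rule at the end of every NACL

class SecurityGroup:
    """Stateful: rules are allow-only, and a packet that answers an already
    allowed flow is passed without consulting the rules for its direction."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def evaluate(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow"  # reply to a tracked connection
        if any(_match(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"

def https_request_demo(nacl_allows_ephemeral_in):
    """Constructed scenario: instance 10.0.1.10 sends an HTTPS request to 203.0.113.5
    and gets the reply. Returns ([nacl request, nacl reply], [sg request, sg reply])."""
    request = Packet("out", "tcp", "10.0.1.10", 49152, "203.0.113.5", 443)
    reply = Packet("in", "tcp", "203.0.113.5", 443, "10.0.1.10", 49152)
    nacl_rules = [(100, "in", "tcp", (22, 22), "allow"),
                  (100, "out", "tcp", (443, 443), "allow")]
    if nacl_allows_ephemeral_in:  # the rule a stateless filter needs for return traffic
        nacl_rules.append((110, "in", "tcp", (1024, 65535), "allow"))
    nacl = NetworkACL(nacl_rules)
    sg = SecurityGroup([(0, "in", "tcp", (22, 22), "allow"),
                        (0, "out", "all", (0, 65535), "allow")])
    return ([nacl.evaluate(request), nacl.evaluate(reply)],
            [sg.evaluate(request), sg.evaluate(reply)])
```

Without the inbound ephemeral-port rule the NACL drops the reply even though it allowed the request, while the security group passes the reply because it remembers the outbound flow.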

Network ACL & Security Group

Global Networking

A client connects to a DNS resolver looking for a domain. The resolver forwards the request to the DNS server, which returns the IP address to the resolver.

Domain Name System - DNS

You can think of DNS as being the phone book of the internet. DNS resolution is the process of translating a domain name to an IP address.

For example, suppose that you want to visit AnyCompany’s website.

  • When you enter the domain name into your browser, this request is sent to a customer DNS resolver.
  • The customer DNS resolver asks the company DNS server for the IP address that corresponds to AnyCompany’s website.
  • The company DNS server responds by providing the IP address for AnyCompany’s website, 192.0.2.0.

Route 53 - AWS DNS

A highly available DNS service from AWS.

Amazon Route 53 connects user requests to infrastructure running in AWS (such as Amazon EC2 instances and load balancers). It can also route users to infrastructure outside of AWS.

Another feature of Route 53 is the ability to manage the DNS records for domain names. You can register new domain names directly in Route 53. You can also transfer DNS records for existing domain names managed by other domain registrars. This enables you to manage all of your domain names within a single location.

Routing policies:

  • Latency-based routing
  • Geolocation routing: directs traffic based on where the customer is located.
  • Geoproximity routing
  • Weighted round robin

AWS Cloudfront

A content delivery network (CDN) from AWS that delivers content to users from edge locations chosen by their geographic location.

How Amazon Route 53 and Amazon CloudFront deliver content

Suppose that AnyCompany’s application is running on several Amazon EC2 instances. These instances are in an Auto Scaling group that attaches to an Application Load Balancer.

  • A customer requests data from the application by going to AnyCompany’s website.
  • Amazon Route 53 uses DNS resolution to identify AnyCompany.com’s corresponding IP address, 192.0.2.0. This information is sent back to the customer.
  • The customer’s request is sent to the nearest edge location through Amazon CloudFront.
  • Amazon CloudFront connects to the Application Load Balancer, which sends the incoming packet to an Amazon EC2 instance.
