08 - Networking and Content Delivery Flashcards
Elastic Network Interfaces (ENI)
1) Logical component in a VPC that represents a virtual network card
2) Bound to a specific availability zone (AZ)
Route 53 – Record Types
1) A – maps a hostname to IPv4
2) AAAA – maps a hostname to IPv6
3) CNAME – maps a hostname to another hostname
• The target is a domain name which must have an A or AAAA record
• Can’t create a CNAME record for the top node of a DNS namespace (Zone Apex)
• Example: you can’t create one for example.com, but you can create one for www.example.com
4) NS – Name Servers for the Hosted Zone
• Control how traffic is routed for a domain
Route 53 – Hosted Zones
• A container for records that define how to route traffic to a domain and its subdomains
1) Public Hosted Zones – contain records that specify how to route traffic on the Internet (public domain names), e.g. application1.mypublicdomain.com
2) Private Hosted Zones – contain records that specify how to route traffic within one or more VPCs (private domain names), e.g. application1.company.internal
3) You pay $0.50 per month per hosted zone
Route 53 - CNAME vs Alias
1) CNAME:
• Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
• ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)
2) Alias:
• Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
• Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
• Free of charge
• Native health check
Route 53 – Alias Records
• Maps a hostname to an AWS resource
- An extension to DNS functionality
- Automatically recognises changes in the resource’s IP addresses
- Unlike CNAME, it can be used for the top node of a DNS namespace (Zone Apex), e.g.: example.com
- Alias Record is always of type A/AAAA for AWS resources (IPv4 / IPv6)
- You can’t set the TTL
Route 53 – Alias Records Targets
- Elastic Load Balancers
- CloudFront Distributions
- API Gateway
- Elastic Beanstalk environments
- S3 Websites
- VPC Interface Endpoints
- Global Accelerator accelerator
- Route 53 record in the same hosted zone
- You cannot set an ALIAS record for an EC2 DNS name
CloudFront – Origins
1) S3 bucket
• For distributing files and caching them at the edge
• Enhanced security with CloudFront Origin Access Identity (OAI)
• CloudFront can be used as an ingress (to upload files to S3)
2) Custom Origin (HTTP)
• Application Load Balancer
• EC2 instance
• S3 website (must first enable the bucket as a static S3 website)
• Any HTTP backend you want
CloudFront Signed URL / Signed Cookies
• You want to distribute paid shared content to premium users over the world
1) We can use CloudFront Signed URL / Cookie. We attach a policy that includes:
• URL expiration
• IP ranges allowed to access the data
• Trusted signers (which AWS accounts can create signed URLs)
2) How long should the URL be valid for?
• Shared content (movie, music): make it short (a few minutes)
• Private content (private to the user): you can make it last for years
3) Signed URL = access to individual files (one signed URL per file)
4) Signed Cookies = access to multiple files (one signed cookie for many files)
CloudFront Signed URL vs S3 Pre-Signed URL
CloudFront Signed URL:
• Allow access to a path, no matter the origin
• Account wide key-pair, only the root can manage it
• Can filter by IP, path, date, expiration
• Can leverage caching features
S3 Pre-Signed URL:
• Issue a request as the person who pre-signed the URL
• Uses the IAM key of the signing IAM principal
• Limited lifetime
AWS Global Accelerator
• Leverage the AWS internal network to route to your application
Unicast IP vs Anycast IP
• Unicast IP: one server holds one IP address
• Anycast IP: all servers hold the same IP address and the client is routed to the nearest one
- 2 Anycast IP are created for your application
- The Anycast IPs send traffic directly to Edge Locations
- The Edge locations send the traffic to your application
AWS Global Accelerator vs CloudFront
• They both use the AWS global network and its edge locations around the world
• Both services integrate with AWS Shield for DDoS protection.
CloudFront
• Improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery)
• Content is served at the edge
Global Accelerator
• Improves performance for a wide range of applications over TCP or UDP
• Proxying packets at the edge to applications running in one or more AWS Regions.
• Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP
• Good for HTTP use cases that require static IP addresses
• Good for HTTP use cases that require deterministic, fast regional failover
API Gateway – Security – Summary
IAM:
• Great for users / roles already within your AWS account
• Handle authentication + authorization
• Leverages Sig v4
Custom Authorizer:
• Great for 3rd party tokens
• Very flexible in terms of what IAM policy is returned
• Handle Authentication + Authorization
• Pay per Lambda invocation
Cognito User Pool:
• You manage your own user pool (can be backed by Facebook, Google login etc…)
• No need to write any custom code
• Must implement authorization in the backend
Transit Gateway
• Transitive peering connections for VPC, VPN & DX
- Provides transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology
- Regional resource, can work cross-region
- Share cross-account using Resource Access Manager (RAM)
- You can peer Transit Gateways across regions
- Route Tables: limit which VPC can talk with other VPC
- Works with Direct Connect Gateway, VPN connections
- Supports IP Multicast (not supported by any other AWS service)
Direct Connect (DX)
- Provides a dedicated private connection from a remote network to your VPC
- Dedicated connection must be set up between your DC and AWS Direct Connect locations
- You need to set up a Virtual Private Gateway on your VPC
- Access public resources (S3) and private (EC2) on same connection
- Use Cases:
- Increase bandwidth throughput (working with large data sets) at lower cost
- More consistent network experience (applications using real-time data feeds)
- Hybrid Environments (on prem + cloud)
- Supports both IPv4 and IPv6
Direct Connect – Connection Types
Dedicated Connections: 1 Gbps and 10 Gbps capacity
• Physical ethernet port dedicated to a customer
• Request made to AWS first, then completed by AWS Direct Connect Partners
Hosted Connections: 50 Mbps, 500 Mbps, up to 10 Gbps
• Connection requests are made via AWS Direct Connect Partners
• Capacity can be added or removed on demand
• 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners
Lead times are often longer than 1 month to establish a new connection