08 - Networking and Content Delivery Flashcards
Elastic Network Interfaces (ENI)
1) Logical component in a VPC that represents a virtual network card
2) Bound to a specific availability zone (AZ)
Route 53 – Record Types
1) A – maps a hostname to IPv4
2) AAAA – maps a hostname to IPv6
3) CNAME – maps a hostname to another hostname
• The target is a domain name which must have an A or AAAA record
• Can’t create a CNAME record for the top node of a DNS namespace (Zone Apex)
• Example: you can’t create for example.com, but you can create for www.example.com
4) NS – Name Servers for the Hosted Zone
• Control how traffic is routed for a domain
Route 53 – Hosted Zones
• A container for records that define how to route traffic to a domain and
its subdomains
1) Public Hosted Zones – contains records that specify how to route
traffic on the Internet (public domain names)
application1.mypublicdomain.com
2) Private Hosted Zones – contain records that specify how you route
traffic within one or more VPCs (private domain names)
application1.company.internal
3) You pay $0.50 per month per hosted zone
Route 53 - CNAME vs Alias
1) CNAME:
• Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
• ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)
2) Alias:
• Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
• Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
• Free of charge
• Native health check
Route 53 – Alias Records
• Maps a hostname to an AWS resource
- An extension to DNS functionality
- Automatically recognises changes in the resource’s IP addresses
- Unlike CNAME, it can be used for the top node of a DNS namespace (Zone Apex), e.g.: example.com
- Alias Record is always of type A/AAAA for AWS resources (IPv4 / IPv6)
- You can’t set the TTL
Route 53 – Alias Records Targets
- Elastic Load Balancers
- CloudFront Distributions
- API Gateway
- Elastic Beanstalk environments
- S3 Websites
- VPC Interface Endpoints
- Global Accelerator accelerator
- Route 53 record in the same hosted zone
- You cannot set an ALIAS record for an EC2 DNS name
CloudFront – Origins
1) S3 bucket
• For distributing files and caching them at the edge
• Enhanced security by locking the bucket down to CloudFront: Origin Access Identity (OAI, legacy) or its successor Origin Access Control (OAC); in both cases the bucket policy grants read only to that identity, so objects cannot be fetched from S3 directly
• CloudFront can be used as an ingress (to upload files to S3)
2) Custom Origin (HTTP)
• Application Load Balancer
• EC2 instance
• S3 website (must first enable the bucket as a static S3 website)
• Any HTTP backend you want
CloudFront Signed URL / Signed Cookies
• You want to distribute paid shared content to premium users over the world
1) We can use CloudFront Signed URL / Cookie. We attach a policy with:
• Includes URL expiration
• Includes IP ranges to access the data from
• Trusted signers (which key pairs may produce valid signatures): originally the AWS account root user's CloudFront key pair, now preferably a trusted key group holding public keys you upload
2) How long should the URL be valid for?
• Shared content (movie, music): make it short (a few minutes)
• Private content (private to the user): you can make it last for years
3) Signed URL = access to individual files (one signed URL per file)
4) Signed Cookies = access to multiple files (one signed cookie for many files)
CloudFront Signed URL vs S3 Pre-Signed URL
CloudFront Signed URL:
• Allow access to a path, no matter the origin
• Signing key: historically an account-wide CloudFront key pair that only the root user could manage; the current model is a trusted key group, whose public keys any suitably permissioned IAM principal can upload and rotate
• Can filter by IP, path, date, expiration
• Can leverage caching features
S3 Pre-Signed URL:
• Issue a request as the person who pre-signed the URL
• Uses the IAM key of the signing IAM principal, so the URL inherits that principal's permissions: sign with a least-privilege identity
• Limited lifetime (at most 7 days with SigV4); a URL signed with temporary credentials also stops working when those credentials expire, whatever expiry was requested
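To make the S3 side of this comparison concrete, here is a pre-signed GET URL built with Signature Version 4 using only the Python standard library. This is an added example for this page, not AWS code; the access-key pair is the placeholder pair from the AWS documentation, and the virtual-hosted regional endpoint format is assumed. It shows what actually travels in the URL (the access key id and credential scope, the date, the expiry, the signed headers and the signature) and why the secret itself never does.

```python
"""Minimal S3 pre-signed GET URL (Signature Version 4) using only the standard
library. Added example for this page, not AWS code; the access-key pair below is
the placeholder pair from the AWS documentation, not a real credential."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # placeholder, not a real key
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder, not a real key
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 pre-signed URLs cannot live longer than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the date/region/service-scoped key; the raw secret never leaves the signer."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def presign_s3_get(bucket, key, region, expires, now=None,
                   access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Return a URL whose bearer can GET s3://bucket/key with the signer's permissions."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    now = now or dt.datetime.now(dt.timezone.utc)
    host = f"{bucket}.s3.{region}.amazonaws.com"  # virtual-hosted regional endpoint (assumed)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # identifies the signer, not the secret
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, key and value URI-encoded ('/' in the credential -> %2F).
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/")  # '/' kept, everything else encoded once
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",      # canonical headers block: every header line ends with \n
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # a pre-signed URL does not bind the response/request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region, "s3"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def example_url() -> str:
    """Deterministic demo: sign for a fixed instant so the output is reproducible."""
    fixed = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)
    return presign_s3_get("examplebucket", "test.txt", "us-east-1", 86400, now=fixed)


if __name__ == "__main__":
    print(example_url())
```

Everything S3 needs to check the signature is in the query string except the secret: S3 looks up the secret for the access key id in X-Amz-Credential, recomputes the same scoped key and signature, and rejects the request once X-Amz-Date plus X-Amz-Expires has passed. Nothing in the URL says which IAM policy applies; that comes from the signer's identity, which is why the "who signed it" question matters more than the lifetime.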
AWS Global Accelerator
• Leverage the AWS internal network to route to your application
Unicast IP vs Anycast IP
• Unicast IP: one server holds one IP address
• Anycast IP: all servers hold the same IP address and the client is routed to the nearest one
- 2 Anycast IPs are created for your application
- The Anycast IPs send traffic directly to Edge Locations
- The Edge Locations send the traffic to your application
AWS Global Accelerator vs CloudFront
• They both use the AWS global network and its edge locations around the world
• Both services integrate with AWS Shield for DDoS protection.
CloudFront
• Improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery)
• Content is served at the edge
Global Accelerator
• Improves performance for a wide range of applications over TCP or UDP
• Proxying packets at the edge to applications running in one or more AWS Regions.
• Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP
• Good for HTTP use cases that require static IP addresses
• Good for HTTP use cases that require deterministic, fast regional failover
API Gateway – Security – Summary
IAM:
• Great for users / roles already within your AWS account
• Handle authentication + authorization
• Leverages Sig v4
Custom Authorizer (Lambda authorizer):
• Great for 3rd party tokens
• Very flexible in terms of what IAM policy is returned
• Handle Authentication + Authorization
• Pay per Lambda invocation
Cognito User Pool:
• You manage your own user pool (can be backed by Facebook, Google login etc…)
• No need to write any custom code
• Must implement authorization in the backend
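The custom authorizer option above is easiest to understand from a working one. The following is an added example for this page, not AWS code or any project's: a TOKEN-type Lambda authorizer that verifies a third-party HS256 JWT with the standard library and returns the IAM policy document API Gateway expects. The shared secret, the claims and the tokens minted by issue_token() are constructed for the demo; a real deployment would fetch the issuer's key material rather than embed it.

```python
"""Lambda (custom) authorizer for API Gateway that verifies a third-party HS256
JWT and answers with an IAM policy scoped to the invoked method. Added example
for this page, not AWS or any project's code; the shared secret and the tokens
minted by issue_token() are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"demo-shared-secret-rotate-me"  # assumption: HS256 secret shared with the issuer


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def issue_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """What the third-party issuer does; included only to build inputs for the authorizer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None):
    """Return the claims if the signature verifies and 'exp' is in the future, else None.
    The algorithm is pinned: the header's 'alg' is checked, never used to choose a verifier."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError, UnicodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None  # a token without an expiry is treated as invalid
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context=None) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},  # reaches the integration as $context.authorizer.*
    }


def handler(event, context=None) -> dict:
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token.strip())
    if claims is None:
        # An explicit Deny is cached by API Gateway just like an Allow; raising
        # Exception("Unauthorized") would return 401 to the client without caching.
        return build_policy("anonymous", "Deny", event["methodArn"])
    # Allow only the method that was called; widening Resource to the whole API makes the
    # cached policy valid for every route until the authorizer cache TTL expires.
    return build_policy(str(claims.get("sub", "unknown")), "Allow", event["methodArn"],
                        {"scope": str(claims.get("scope", ""))})
```

The two decisions that matter here are pinning the algorithm (so an "alg":"none" or RS256-to-HS256 confusion token is rejected before any signature work) and keeping the returned Resource as narrow as the caching model allows: API Gateway caches the policy per token, so whatever Resource you return is what that token can reach for the cache lifetime.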
Transit Gateway
• Transitive peering connections for VPC, VPN & DX
- For having transitive peering between thousands of VPCs and on-premises networks, hub-and-spoke (star) connection
- Regional resource, can work cross-region
- Share cross-account using Resource Access Manager (RAM)
- You can peer Transit Gateways across regions
- Route Tables: limit which VPC can talk with other VPC
- Works with Direct Connect Gateway, VPN connections
- Supports IP Multicast (not supported by any other AWS service)
Direct Connect (DX)
- Provides a dedicated private connection from a remote network to your VPC
- Dedicated connection must be set up between your DC and an AWS Direct Connect location
- You need to set up a Virtual Private Gateway on your VPC
- Access public resources (S3) and private (EC2) on the same connection
- Private does not mean encrypted: DX traffic is not encrypted by default; run a Site-to-Site VPN over DX, or use MACsec on supported dedicated connections, if you need encryption in transit
- Use Cases:
- Increase bandwidth throughput - working with large data sets – lower cost
- More consistent network experience - applications using real-time data feeds
- Hybrid Environments (on prem + cloud)
- Supports both IPv4 and IPv6
Direct Connect – Connection Types
Dedicated Connections: 1 Gbps, 10 Gbps and 100 Gbps capacity
• Physical ethernet port dedicated to a customer
• Request made to AWS first, then completed by AWS Direct Connect Partners
Hosted Connections: 50Mbps, 500 Mbps, to 10 Gbps
• Connection requests are made via AWS Direct Connect Partners
• Capacity can be added or removed on demand
• 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners
Lead times are often longer than 1 month to establish a new connection
VPC in AWS – IPv4
• VPC = Virtual Private Cloud
• You can have multiple VPCs in an AWS region (max. 5 per region – soft limit)
- Max. CIDR per VPC is 5, for each CIDR:
- Min. size is /28 (16 IP addresses)
- Max. size is /16 (65536 IP addresses)
- AWS recommends the private IPv4 (RFC 1918) ranges, and almost every VPC uses them:
- 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
- A publicly routable CIDR is accepted, but instances then cannot reach the real Internet hosts in that range (the VPC's local route wins)
• Your VPC CIDR should NOT overlap with your other networks (e.g., corporate)
VPC – Subnet (IPv4)
- AWS reserves 5 IP addresses (first 4 & last 1) in each subnet
- These 5 IP addresses are not available for use and can’t be assigned to an EC2 instance
- Example: if CIDR block 10.0.0.0/24, then reserved IP addresses are:
- 10.0.0.0 – Network Address
- 10.0.0.1 – reserved by AWS for the VPC router
- 10.0.0.2 – reserved by AWS for mapping to Amazon-provided DNS
- 10.0.0.3 – reserved by AWS for future use
- 10.0.0.255 – Network Broadcast Address. AWS does not support broadcast in a VPC, therefore the address is reserved
- Exam Tip, if you need 29 IP addresses for EC2 instances:
- You can’t choose a subnet of size /27 (32 IP addresses, 32 – 5 = 27 < 29)
- You need to choose a subnet of size /26 (64 IP addresses, 64 – 5 = 59 > 29)
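The address arithmetic in the two sections above (VPC CIDR limits and overlap, the 5 reserved addresses per subnet, and picking a subnet size for a host count) is easy to get wrong by hand, so here it is as code. This is an added example for this page, not AWS tooling; the CIDRs in the usage are constructed. It generalises the exam tip into a function that returns the smallest subnet for any host count.

```python
"""VPC / subnet address-planning helpers. Added example for this page, not AWS
code; sample CIDRs are constructed. Encodes the rules above: VPC CIDRs between
/16 and /28, RFC 1918 recommended, no overlap with existing networks, and 5
addresses reserved by AWS in every IPv4 subnet."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr: str, existing=()) -> list:
    """Return the problems with a proposed VPC CIDR (an empty list means it is fine)."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError if host bits are set
    if net.version != 4:
        return ["only IPv4 CIDRs are handled here"]
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: prefix must be between /16 and /28")
    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append(f"{net}: not an RFC 1918 range (accepted by AWS, but private space is recommended)")
    for other in existing:  # e.g. corporate ranges, other VPCs you will peer with
        o = ipaddress.ip_network(other)
        if net.overlaps(o):
            problems.append(f"{net} overlaps {o}")
    return problems


def reserved_addresses(subnet_cidr: str) -> dict:
    """The 5 addresses AWS removes from every IPv4 subnet, keyed by purpose."""
    net = ipaddress.ip_network(subnet_cidr)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually hand to instances in the subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable count still covers `hosts`."""
    for prefix in range(28, 15, -1):  # /28 is the smallest subnet AWS allows, /16 the largest
        if 2 ** (32 - prefix) - 5 >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


if __name__ == "__main__":
    print(check_vpc_cidr("10.0.0.0/16", existing=["10.0.1.0/24"]))   # constructed overlap
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/24"), smallest_prefix_for(29))
```

Note that ipaddress is told to be strict, so a CIDR written with host bits set (10.0.0.1/24) is rejected rather than silently normalised; that is the same mistake the VPC console catches, and it is better caught in a plan than at apply time.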
VPC Endpoints (AWS PrivateLink)
- Every AWS service is publicly exposed (public URL)
- VPC Endpoints (powered by AWS PrivateLink) allows you to connect to AWS services using a private network instead of using the public Internet
- They’re redundant and scale horizontally
- They remove the need for an IGW, NAT Gateway, … to reach AWS services
- Endpoints carry an endpoint policy (which principals may call what through them); pair it with a resource policy condition such as aws:SourceVpce on the S3 bucket so the resource accepts traffic only from that endpoint
- In case of issues:
- Check DNS Setting Resolution in your VPC
- Check Route Tables
Types of Endpoints
Interface Endpoints
• Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
• Supports most AWS services
Gateway Endpoints
• Provisions a gateway and must be used as a target in a route table
• Supports only S3 and DynamoDB (no charge; S3 can alternatively use an interface endpoint, which is also reachable from on-premises over DX/VPN)
VPC Flow Logs
- Capture metadata about IP traffic going to and from your network interfaces (addresses, ports, protocol, packet/byte counts, ACCEPT or REJECT); payloads are not captured:
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface (ENI) Flow Logs
- Helps to monitor & troubleshoot connectivity issues
- Flow logs data can go to S3 / CloudWatch Logs
- Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway…
- Some traffic is never logged: queries to the Amazon DNS resolver, instance metadata (169.254.169.254), DHCP, and traffic to the VPC router's reserved address
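Flow logs only earn their keep when something reads them. The following is an added example for this page, not AWS tooling: it parses records in the default (version 2, 14-field) format and applies two first-pass detections, a source being REJECTed on many ports of one host (a port scan) and ACCEPTed SSH/RDP flows from outside RFC 1918 space (a security group that is wider than intended). The log lines are constructed, not captured from a real VPC.

```python
"""Scan VPC Flow Log records in the default (version 2, 14-field) format for two
things worth checking first: one source being REJECTed on many ports of one host
and ACCEPTed SSH/RDP flows from outside private address space. Added example for
this page, not AWS tooling; the log lines are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22, 3389}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an external host probing five ports (all rejected), an external
# SSH session that was accepted, an internal SSH session, normal HTTPS, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51234 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51235 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51236 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51237 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51238 8080 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40001 22 6 15 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.5 10.0.1.20 40002 22 6 15 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.5 41000 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    src: str
    dst: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text: str) -> list:
    """Parse default-format lines; NODATA/SKIPDATA records carry no addresses and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # a custom log format needs its own field list
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                                  int(rec["srcport"]), int(rec["dstport"]),
                                  int(rec["protocol"]), rec["action"]))
    return records


def find_port_scans(records, min_ports: int = 5) -> dict:
    """(src, dst) -> sorted ports, for sources REJECTed on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[(r.src, r.dst)].add(r.dstport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_external_admin_access(records) -> list:
    """ACCEPTed TCP flows to SSH/RDP whose source is not in RFC 1918 space."""
    hits = []
    for r in records:
        if r.action == "ACCEPT" and r.protocol == 6 and r.dstport in ADMIN_PORTS:
            src = ipaddress.ip_address(r.src)
            if not any(src in net for net in RFC1918):
                hits.append((r.src, r.dst, r.dstport))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("port scans:", find_port_scans(recs))
    print("external admin access:", find_external_admin_access(recs))
```

The RFC 1918 test is written out explicitly rather than using ipaddress's is_private, because Python also classifies the documentation ranges (such as 198.51.100.0/24 and 203.0.113.0/24) as private, which would hide exactly the kind of source a detection like this exists to surface.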
AWS Site-to-Site VPN
Virtual Private Gateway (VGW)
• VPN concentrator on the AWS side of the VPN connection
• VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
• Possibility to customize the ASN (Autonomous System Number)
Customer Gateway (CGW)
• Software application or physical device on the customer side of the VPN connection
• https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html#DevicesTested
Egress-only Internet Gateway
- Used for IPv6 only
- (similar to a NAT Gateway but for IPv6)
- Allows instances in your VPC to open outbound connections over IPv6 while preventing the Internet from initiating an IPv6 connection to your instances
- You must update the Route Tables: add a ::/0 route pointing at the egress-only Internet Gateway in the subnets that should have outbound-only IPv6