Module 4 - Networking Flashcards
Amazon Virtual Private Cloud (Amazon VPC)
Networking service that you can use to establish boundaries around your AWS resources.
- Enables you to provision an isolated section of AWS Cloud.
- Can launch resources in virtual network that you define.
Subnets within the same VPC can communicate with each other by default (the VPC's route table carries a local route for the VPC's CIDR block).
Subnets
section of a VPC in which you can group resources based on security or operational needs.
Internet Gateway
Connection between a VPC and the internet.
To allow public traffic from the internet to reach the VPC – attach an internet gateway to the VPC. On its own that is not enough: the subnet's route table also needs a route (0.0.0.0/0) to the gateway, and the instance needs a public or Elastic IP address.
Without an internet gateway – resources in the VPC cannot be reached from the public internet (they can still be reached over private connections such as a VPN or AWS Direct Connect).
Packet
Unit of data sent over the internet or a network
Public subnets
Contain resources that need to be accessible by the public, such as an online store’s website.
Private subnets
Contain resources that should be accessible only through your private network.
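What makes a subnet "public" or "private" is its route table, not the subnet itself. The following is an added example (not part of the original flashcards): a small Python model of VPC route tables that performs longest-prefix-match lookup and decides whether a subnet is public and whether an instance in it is reachable from the internet. The VPC CIDR, subnet names and the rtb-/igw-/nat- identifiers are constructed for illustration and are not real resources.

```python
import ipaddress

# Constructed example VPC 10.0.0.0/16 with three subnets. Route table and gateway
# identifiers (rtb-*, igw-*, nat-*) are hypothetical, not real AWS resources.
VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = {
    # public subnet: internet-bound traffic goes to the internet gateway
    "rtb-public":   [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0abc")],
    # private subnet: internet-bound traffic leaves through a NAT gateway
    # (instances can reach the internet, the internet cannot open connections to them)
    "rtb-private":  [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0def")],
    # isolated subnet: only the local route, no path to the internet at all
    "rtb-isolated": [(VPC_CIDR, "local")],
}


def lookup(route_table_id, dst_ip):
    """Pick the route with the longest matching prefix, as the VPC router does.
    Returns the target ('local', 'igw-…', 'nat-…') or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[route_table_id]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def default_route_target(route_table_id):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for cidr, target in ROUTE_TABLES[route_table_id]:
        if cidr == "0.0.0.0/0":
            return target
    return None


def is_public_subnet(route_table_id):
    """A subnet is public only if its default route points at an internet gateway.
    Attaching an IGW to the VPC without such a route makes nothing public."""
    target = default_route_target(route_table_id)
    return target is not None and target.startswith("igw-")


def reachable_from_internet(route_table_id, has_public_ip):
    """Inbound connections from the internet need both an IGW route in the
    subnet's route table and a public (or Elastic) IP on the instance."""
    return is_public_subnet(route_table_id) and has_public_ip


if __name__ == "__main__":
    for rtb in ROUTE_TABLES:
        print(rtb, "public" if is_public_subnet(rtb) else "not public",
              "| 10.0.2.9 ->", lookup(rtb, "10.0.2.9"),
              "| 203.0.113.7 ->", lookup(rtb, "203.0.113.7"))
```

Traffic to another address inside 10.0.0.0/16 matches the more specific local route in every table, so the three subnets can all talk to each other; only the handling of internet-bound traffic differs.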
Subnets and Network Access Control Lists
Can use AWS networking services to isolate resources and determine exactly how network traffic flows.
Network access control list (ACL)
VPC component that checks packet permissions for a subnet.
Virtual firewall that controls inbound and outbound traffic at the subnet level (each VPC comes with a default network ACL; a subnet not explicitly associated with a network ACL uses the default one).
Network traffic in VPC
Customer requests data from an application hosted in the AWS Cloud – the request is sent as a packet.
o Enters the VPC through the internet gateway.
o Before the packet enters or leaves a subnet – its permissions are checked against the subnet's network ACL.
o Permissions cover who sent the packet (source address) and how it is trying to communicate with resources in the subnet (protocol and destination port).
Configuring VPC (using ACLs)
o Use the VPC's default network ACL.
Allows all inbound and outbound traffic, but you can modify it by adding your own rules.
o Create custom network ACLs.
All inbound and outbound traffic is denied until you add rules specifying which traffic to allow.
o All network ACLs end with an explicit deny rule (rule number *), which cannot be edited or removed.
Rules are evaluated in ascending rule-number order and the first match wins; if a packet matches none of the numbered rules, the * rule denies it.
Stateless Packet Filtering
Network ACLs
• Network ACLs perform stateless packet filtering.
o Remember nothing: every packet crossing the subnet border is checked against the rules for its direction, inbound and outbound.
- When the response to a request comes back into the subnet – the network ACL does not remember the earlier request.
- The network ACL checks the response against its rules for that direction to decide whether to allow or deny it, so return traffic needs its own rule (typically an allow for the ephemeral port range, e.g. 1024-65535).
- After a packet has entered the subnet – its permissions must still be evaluated for the resource it is addressed to within the subnet, e.g. an Amazon EC2 instance.
Security Groups
VPC component that checks packet permissions for an Amazon EC2 instance (virtual firewall at the instance's network interface).
o Default – a new security group has no inbound rules (all inbound traffic denied) and allows all outbound traffic. (The default security group that comes with a VPC additionally allows inbound traffic from other instances in that same group.)
o Can add rules to specify which traffic to allow. Security groups have allow rules only – there are no deny rules, so anything not explicitly allowed is denied.
- With multiple Amazon EC2 instances within a subnet – can associate them with the same security group or use a different security group for each instance.
- Stateful.
Stateful Packet Filtering
Security groups
• Security groups perform stateful packet filtering.
o Remember previous decisions made for incoming packets (connection tracking).
• When the response to a request returns to the instance – the security group remembers the earlier request.
o Security group allows the response to proceed, regardless of the inbound security group rules.
o Both network ACLs and security groups enable you to configure custom rules for traffic in your VPC.
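The practical difference between the stateless network ACL (rule ordering, explicit deny, no memory of earlier packets) and the stateful security group (allow rules only, tracked flows) is easiest to see on one concrete connection. The following is an added example, not code from the original flashcards or from AWS: a Python simulation of both filters applied to a constructed HTTPS request from an internet client and the server's reply. The addresses, ports and rule numbers are made up for illustration; the matching semantics (source CIDR for inbound rules, destination CIDR for outbound rules, destination port range in both directions, lowest rule number first) follow how AWS network ACLs evaluate rules.

```python
"""Network ACL (stateless) versus security group (stateful), simulated."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str   # "inbound" or "outbound", relative to the subnet / instance


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for network ACLs; ignored by security groups
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int   # destination port range, for both directions
    port_to: int
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in ("all", pkt.protocol):
            return False
        peer = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        if ipaddress.ip_address(peer) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= pkt.dst_port <= self.port_to


class NetworkAcl:
    """Stateless: each packet is checked against the numbered rules for its
    direction, lowest number first; the first match decides; an unmatched
    packet hits the final '*' deny rule. A reply is just another packet."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules[pkt.direction]:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class SecurityGroup:
    """Stateful: only allow rules exist. A packet matching a rule for its
    direction is allowed and its flow recorded; the reply to a recorded flow
    is allowed without consulting the rules for the reply's direction."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()   # connection-tracking table

    def evaluate(self, pkt: Packet) -> str:
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "allow"   # return traffic for a flow we already allowed
        if any(rule.matches(pkt) for rule in self.rules[pkt.direction]):
            self.flows.add(flow)
            return "allow"
        return "deny"        # implicit: nothing allowed it


def demo():
    """Constructed scenario: client 203.0.113.10 connects to web server 10.0.1.5
    on TCP/443 from ephemeral port 50000; the server replies."""
    request = Packet("203.0.113.10", "10.0.1.5", "tcp", 50000, 443, "inbound")
    reply = Packet("10.0.1.5", "203.0.113.10", "tcp", 443, 50000, "outbound")
    unsolicited = Packet("10.0.1.5", "198.51.100.7", "tcp", 40000, 25, "outbound")

    allow_https_in = Rule(100, "tcp", "0.0.0.0/0", 443, 443)
    allow_ephemeral_out = Rule(100, "tcp", "0.0.0.0/0", 1024, 65535)
    block_bad_range = Rule(90, "tcp", "203.0.113.0/24", 0, 65535, "deny")  # 90 < 100: wins

    acl_no_ephemeral = NetworkAcl(inbound=[allow_https_in], outbound=[])
    acl_complete = NetworkAcl(inbound=[allow_https_in], outbound=[allow_ephemeral_out])
    acl_blocklist = NetworkAcl(inbound=[allow_https_in, block_bad_range], outbound=[])
    sg = SecurityGroup(inbound=[allow_https_in], outbound=[])  # no outbound rules at all

    return {
        "acl_request": acl_no_ephemeral.evaluate(request),           # allow
        "acl_reply_no_ephemeral": acl_no_ephemeral.evaluate(reply),  # deny: no memory
        "acl_reply_complete": acl_complete.evaluate(reply),          # allow: ephemeral rule
        "acl_blocked_request": acl_blocklist.evaluate(request),      # deny: rule 90 first
        "sg_request": sg.evaluate(request),                          # allow
        "sg_reply": sg.evaluate(reply),                              # allow: tracked flow
        "sg_unsolicited": sg.evaluate(unsolicited),                  # deny: not a reply
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Two things fall out of running it: the network ACL denies the server's own reply unless an outbound rule for the ephemeral port range exists, and the security group lets that reply through even though it has no outbound rules at all, while still denying an outbound connection the instance initiates on its own.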
Global networking
Domain Name System (DNS)
Amazon Route 53
Domain Name System (DNS)
• DNS resolution involves your DNS resolver communicating with the DNS servers that are authoritative for the domain (not with the web server itself).
o DNS as the phone book of the internet.
• DNS resolution is the process of translating a domain name to an IP address.
- When you enter a domain name into your browser, the request is sent to a DNS resolver.
- The resolver asks the domain's authoritative DNS server (for a domain hosted in Route 53, a Route 53 name server) for the IP address that corresponds to the website.
- The DNS server responds with the IP address; your browser then uses that address to connect to the web server.
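The resolver does not go straight to the authoritative server: it follows a chain of referrals from the root servers, through the TLD servers, to the name server that hosts the zone, and caches what it learns. The following is an added example (not part of the original flashcards) that walks that chain over constructed zone data so it runs offline; the server IPs (documentation ranges), name server names and records are made up, and the dictionaries stand in for real DNS servers.

```python
"""Iterative DNS resolution walked over constructed zone data (runs offline)."""

# Constructed, simplified name servers keyed by IP (documentation ranges, not real
# servers). Each server answers for names it is authoritative for, or refers the
# resolver to the name server of a more specific zone (NS name plus glue IP).
SERVERS = {
    # root server: knows who serves "com."
    "198.51.100.1": {"authoritative": {},
                     "delegations": {"com.": ("tld-ns.example.net.", "198.51.100.2")}},
    # .com TLD server: knows who serves "example.com."
    "198.51.100.2": {"authoritative": {},
                     "delegations": {"example.com.": ("ns1.example.com.", "192.0.2.53")}},
    # authoritative server for example.com. (a Route 53 name server plays this
    # role for a zone hosted in Route 53)
    "192.0.2.53": {"authoritative": {"www.example.com.": "192.0.2.10",
                                     "ns1.example.com.": "192.0.2.53"},
                   "delegations": {}},
}
ROOT_SERVER = "198.51.100.1"


def query(server_ip, qname):
    """One question to one server. Returns ('answer', ip), ('referral', ns_ip)
    or ('nxdomain', None)."""
    server = SERVERS[server_ip]
    if qname in server["authoritative"]:
        return "answer", server["authoritative"][qname]
    for zone, (_ns_name, ns_ip) in server["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            return "referral", ns_ip
    return "nxdomain", None


class Resolver:
    """A recursive resolver: follows referrals from the root and caches answers."""

    def __init__(self, root=ROOT_SERVER, max_hops=8):
        self.root, self.max_hops = root, max_hops
        self.cache = {}

    def resolve(self, qname):
        """Returns (ip_or_None, list of servers asked). A cache hit asks no one."""
        if qname in self.cache:
            return self.cache[qname], []
        server, asked = self.root, []
        for _ in range(self.max_hops):   # bound the walk: a bad delegation could loop
            asked.append(server)
            kind, data = query(server, qname)
            if kind == "answer":
                self.cache[qname] = data
                return data, asked
            if kind == "nxdomain":
                return None, asked
            server = data                # referral: ask the delegated name server next
        return None, asked               # too many referrals


if __name__ == "__main__":
    resolver = Resolver()
    print(resolver.resolve("www.example.com."))   # walks root -> TLD -> authoritative
    print(resolver.resolve("www.example.com."))   # served from cache, no servers asked
```

The first lookup of www.example.com. asks three servers in turn; the second is answered from the resolver's cache, which is why the "phone book" can be consulted so cheaply once a name has been seen.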