Basics of Networking
What is Networking?
- A computer network is two or more devices connected together to share resources.
- Node: a device on the network
- Host node: a server
- Client: a node that depends on the host node
- Networks require network connecting devices (ex. routers, switches) to connect all devices together.
Network Components
Server
- physical computer that runs software services that other computer devices or software can access
Router
- Network device that connects multiple network segments into one network (Layer 3)
Hub and Switch
- Device that connects all or multiple nodes of a network together (Layer 2)
Internet Service Provider (ISP)
- Organization that provides internet access to its customers
Cloud
- on-demand delivery of IT resources over the internet
Network nodes
- computer hardware device that accesses a service under a server
OSI Model: 7-Layers
Layer 1: Physical Layer
- transmitting raw data over transmission media to connect network nodes
Layer 2: Data link Layer
- transferring data between adjacent network nodes in a WAN or between nodes on the same LAN segment
- ex. a switch connects nodes inside the network; it has no IP address
Layer 3: Network Layer
- communication across different networks
- transferring variable-length network packets through one or more networks
- ex. a router connects multiple networks; it has an IP address
Layer 4: Transport Layer
- transfer of data between users
- provide reliable data transfer services to the upper layers
Layer 5: Session Layer
- managing a session between user application processes
Layer 6: Presentation Layer
- translate data based on the syntax that the application accepts
Layer 7: Application Layer
- interacts with the user directly through the software application
Network Models and Types
Network Models
- Peer-to-peer: nodes are connected to each other for the purpose of distributing workloads
- Client-Server: data management is centralized at the server and distributed to the clients
Network Types
- Local area networks (LANs)
- connect devices in a limited geographical area
- Ethernet
- Wide area networks (WANs)
- connect devices in a large geographical area
- use fiber-optic cables and satellites
- Internet
IP Address and CIDR
IP Address
- Each node in a network has a unique IP address that identifies it
- IPv4 address: 32 bits, supported by all VPNs, provides up to 4.3 billion IP addresses
- IPv6 address: 128 bits, provides an unlimited number of IP addresses, will eventually replace IPv4
Classless Inter-Domain Routing (CIDR)
- Decides the range of IP addresses using a netmask
- Netmask: the number that says how many of the 32 bits of the routing prefix are fixed
- determines the number of IPs that are available for the network
- Fixed IP address: all 32 bits are fixed.
- used to set up a firewall rule that gives access to a specific host
- Internet CIDR block: all 32 bits are flexible
- used to set up firewall rules that allow internet traffic
Subnet
A subnet is a network within a network
- each subnet comprises a specified range of consecutive IP addresses for its partition of the network
- traffic from an IP in one subnet to an IP in another subnet must travel through the router; within a subnet it travels through the switch.
- a subnet also must have a CIDR block address
- a subnet's CIDR block must fit within the network's CIDR block, and subnet CIDR blocks cannot overlap
Subnet Types
- Public subnets: allow internet traffic, ex. a website
- Private subnets: deny inbound traffic from the public internet
- access to the public internet from a private subnet requires a NAT device
Amazon VPC
Virtual Private Cloud (VPC)
A VPC provides you with a cloud within the cloud, i.e. you create your own cloud
Amazon VPC
- Amazon VPC is a virtual networking environment
- There is no cost for setting up a basic VPC
Amazon VPC Architecture
- Region specific: VPCs cannot span multiple Regions -> create a new one per Region
- Within each Region, inside a VPC, there are multiple Availability Zones (AZs)
- choose which AZ to place your subnet in; you can place multiple subnets within an AZ
- Launch your resources such as EC2 and RDS into the appropriate subnets
Default VPC
- When you set up an AWS account, a default VPC in each AWS Region is automatically provided
- Default VPCs have a public subnet for every AZ in the Region
- It is recommended that you don't use or delete your default VPC
Amazon VPC Quotas
- Amazon VPC has a quota that limits you to five VPCs per Region
- if you need more, you can submit a ticket to increase the quota
Use Case
- host multi-tier web applications: each tier can be in a different subnet within one VPC
- common multi-tier architecture
- Presentation tier: where users interact with the website or app. ex. Website
- Logic tier: where the computing processes occur. ex. Application
- Data tier: where the data is stored, typically protected in private subnets. ex. Database
VPC Architectural Patterns
- Single VPC pattern: one account, one VPC
- for high-performance computing
- Multi-VPC pattern: one account, multiple VPCs
- Multi-account pattern: multiple accounts
- for large organizations
Using Amazon VPC
Amazon VPC Components
Amazon VPC CIDR Blocks
- when creating a VPC, you must specify an IPv4 CIDR block for the VPC
- the VPC's netmask must be large enough to contain all of the required subnet IP addresses in your network
- Largest AWS CIDR block: /16 netmask; smallest: /28 netmask
- You cannot change the CIDR block later
- VPCs that will be communicating cannot have identical CIDR blocks because that causes networking issues
Amazon VPC Default components
- when creating a VPC, a main route table, a network access control list (ACL) and a security group are created automatically
VPC ID and Tags
- VPC ID: auto-assigned, cannot be edited; a string of random numbers and letters that identifies your VPC
- VPC Tags: an option to tag your VPC with a more identifiable name
Subnets in AWS
Subnets in AWS
- AWS subnets are smaller networks inside a VPC, where you place your AWS resources
- Routing can be configured at the subnet level
- VPC subnets are mapped to specific Availability Zones
- It is recommended to create your subnets in at least two different AZs for high availability
Subnetting in AWS
- when creating a subnet, it requires its own CIDR block, which is a subset of the VPC CIDR block
- AWS reserves five IP addresses within the block, and these addresses are not available for use
- First IP: network address
- Second IP: VPC local router (internal communication)
- Third IP: Domain Name System (DNS) resolution
- Fourth IP: future use
- Last IP: network broadcast address
- ex. VPC CIDR block 10.0.0.0/24 and four subnets with a /26 netmask
- Five IPs are reserved per subnet: 64 - 5 = 59 IP addresses available for use per subnet
- total 59 * 4 = 236 IP addresses available for use
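The subnet rules above (a subnet's CIDR must fit inside the VPC block, subnets cannot overlap, and AWS reserves five addresses per subnet) worked through in code. This is an added example, not code from the original notes or from AWS; the VPC and subnet addresses are constructed, and the /16 to /28 bounds are the AWS limits quoted earlier on this page.

```python
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # first four addresses plus the broadcast address

def reserved_addresses(subnet_cidr):
    """Label the five addresses AWS reserves in a subnet, in the order the notes list them."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    labels = ["network address", "VPC local router", "DNS resolution", "future use"]
    reserved = {label: str(ipaddress.ip_address(base + i)) for i, label in enumerate(labels)}
    reserved["broadcast address"] = str(net.broadcast_address)
    return reserved

def plan_subnets(vpc_cidr, subnet_prefix):
    """Carve a VPC block into equal-sized subnets and count the usable addresses."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC CIDR block must be between /16 and /28")
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must lie within the VPC block and be no smaller than /28")
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    usable = subnets[0].num_addresses - AWS_RESERVED_PER_SUBNET
    return {"subnets": [str(s) for s in subnets],
            "usable_per_subnet": usable,
            "usable_total": usable * len(subnets)}

def validate_subnets(vpc_cidr, subnet_cidrs):
    """Report every subnet that falls outside the VPC block or overlaps another subnet."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is outside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems  # an empty list means the layout is valid

if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/24", 26))          # the page's example: 59 per subnet, 236 total
    print(reserved_addresses("10.0.0.64/26"))
    print(validate_subnets("10.0.0.0/24", ["10.0.0.0/25", "10.0.0.64/26"]))
```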
Subnet Sizes
- Best practice: create subnets as large as possible
- It is not recommended to create multiple small subnets
- You cannot change subnet sizes after creation
Subnet and VPC Associations
- When a subnet is created, it is given a subnet ID, which works like a VPC ID for attaching components
Network Gateways
A network gateway is a gateway that determines the traffic that will be given access to your network
Internet Gateway
- horizontally scaled, highly available VPC component
- enables communication between your VPC and the internet
Virtual Private Gateway
- VPN connector on the Amazon side of a site-to-site VPN connection
- Can connect your on-premises site to your VPC
Route Tables
Route tables are the mechanism that directs traffic in a VPC
- contain a set of rules called routes; each route specifies a destination and a target
- destination: a range of IP addresses (destination CIDR)
- target: the connection that the destination traffic is sent through; can be a gateway
Route Table Associations
- Each subnet must be associated with exactly one route table
- When a subnet is created, it is associated with the main route table
- Subnet : Route Table = N : 1 (many-to-one)
Security Groups
Security groups filter the inbound and outbound traffic that is allowed to your instances
- You can specify only allow rules, not deny rules
- Inbound rules: by default, a security group has no inbound rules
- Outbound rules: by default, a security group allows all outbound traffic
Security groups are stateful
- for every inbound rule, the outbound response is allowed automatically, and vice versa.
Network ACL (Access Control List)
The network ACL is the other firewall you can use to protect your VPC (the first is the security group)
- controls traffic that is allowed in and out of your subnets
- Each subnet must be associated with a network ACL -> automatically associated with the default network ACL
- Subnet : ACL = N : 1 (many-to-one)
Network ACLs are stateless
- for an inbound rule, the outbound response is not automatically allowed.
Network ACL Rules
- Deny rules are possible: you can deny traffic types or specific IP addresses
- can prevent traffic from leaving a subnet
- Numbered list of rules that are evaluated in order, starting with the lowest numbered rule
- It is recommended to create rules in increments (like 10 or 100) so that you can insert new rules when you need them later
Default and Custom Network ACLs
- Default network ACL: allows all inbound and outbound traffic by default
- Custom network ACL: by default, each custom network ACL denies all inbound and outbound traffic until you add rules
Security Group vs Network ACL
- They work together to protect your VPC
- the network ACL is the outer firewall: if traffic is not allowed through this firewall, it cannot reach the inner firewall, the security group
Attribute | Security Group | Network ACL
---|---|---
Protection level | Instance level (inner firewall) | Subnet level (outer firewall)
Usable patterns | Many-to-Many | Many-to-One
Flexibility | Can span Availability Zones | Cannot span AZs
Rule types | Allow rules only | Allow and deny rules
State characteristic | Stateful | Stateless
Decision logic | All rules are evaluated | Rules are evaluated in numeric order
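The comparison above, simulated: a network ACL evaluated in number order with first-match-wins and allow/deny rules, in front of an allow-only security group that tracks connections so replies need no rule. This is an added example written for these notes, not AWS code; the rule sets, the documentation-range addresses and the ports are constructed and hypothetical.

```python
import ipaddress

def _match(rule_proto, rule_ports, rule_cidr, proto, port, ip):
    lo, hi = rule_ports
    return (rule_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule_cidr))

def nacl_decision(rules, proto, port, ip):
    """Stateless: walk rules lowest number first, first match wins, no match means deny."""
    for _, action, r_proto, r_ports, r_cidr in sorted(rules):
        if _match(r_proto, r_ports, r_cidr, proto, port, ip):
            return action == "allow"
    return False

class SecurityGroup:
    """Stateful, allow-only: any matching rule allows, and replies to tracked flows need no rule."""
    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()  # (client_ip, client_port, instance_port) of allowed connections

    def inbound_allowed(self, proto, port, src_ip, src_port):
        ok = any(_match(p, ports, c, proto, port, src_ip) for p, ports, c in self.inbound)
        if ok:
            self.tracked.add((src_ip, src_port, port))
        return ok

    def outbound_reply_allowed(self, dst_ip, dst_port, src_port):
        return (dst_ip, dst_port, src_port) in self.tracked

# Constructed rule sets for a public web subnet (hypothetical, not from a real account).
NACL_IN = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
           (110, "deny", "tcp", (22, 22), "203.0.113.0/24"),   # blocks SSH from this range
           (120, "allow", "tcp", (22, 22), "0.0.0.0/0")]       # never reached for that range
NACL_OUT = [(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]  # ephemeral ports for replies
SG = SecurityGroup([("tcp", (443, 443), "0.0.0.0/0"),
                    ("tcp", (22, 22), "198.51.100.0/24")])

def request_allowed(proto, dst_port, src_ip, src_port, sg=SG):
    """Outer firewall (network ACL) first, then the inner one (security group)."""
    return (nacl_decision(NACL_IN, proto, dst_port, src_ip)
            and sg.inbound_allowed(proto, dst_port, src_ip, src_port))

def reply_allowed(proto, client_ip, client_port, instance_port, nacl_out=NACL_OUT, sg=SG):
    """The security group lets the reply out via its flow table; the stateless ACL must match it again."""
    return (sg.outbound_reply_allowed(client_ip, client_port, instance_port)
            and nacl_decision(nacl_out, proto, client_port, client_ip))
```

Passing an empty list as nacl_out shows the stateless failure mode: the reply to an allowed request is dropped at the subnet boundary because no outbound rule covers the client's ephemeral port.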
Deleting a VPC
Before deleting a VPC, you must first manually terminate or delete some resources in the VPC
- some VPC components are deleted automatically
Requires manual deletion first
- EC2, RDS, Elastic Load Balancers, NAT gateways, transit gateways, VPC endpoints
Automatic deletion with the VPC
- Subnets, Internet Gateways, Egress-only internet gateways, Route tables, Security groups, Network ACLs, DHCP options, Gateway endpoints
Additional features
Elastic IP Address
- When a VPC is created, every instance in the VPC is assigned a private IP address automatically
- you can also request that a public IP address be assigned
Elastic IP address: a static public IPv4 address designed for dynamic cloud computing
- when an Elastic IP address is assigned to an EC2 instance, it replaces the default public IP address.
- you can mask the failure of an instance by rapidly remapping the address to another instance in your VPC
Elastic IP Address Flexibility and Costs
- Elastic IP addresses operate at the Region level
- can use an Elastic IP address in any VPC in the Region where it was created
- Only costs when it is detached from an instance and not in use.
NAT Gateway
- Using a NAT gateway, instances in a private subnet can connect to the internet or other AWS services
- to create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside
- you must also specify an Elastic IP address to associate with the NAT gateway
- after creating the NAT gateway, update the route table associated with your private subnets to point internet-bound traffic to the NAT gateway
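Route-table lookup as described in the Route Tables section (destination CIDR to target, most specific destination wins) together with the last NAT gateway step above, the private subnet's default route pointing at the NAT gateway. Added example for these notes, not AWS code; the target IDs such as igw-EXAMPLE and nat-EXAMPLE are placeholders, and the addresses are constructed.

```python
import ipaddress

# Constructed route tables for one VPC using 10.0.0.0/16; targets are placeholder IDs.
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"}
PEERED_RT = {"10.0.0.0/16": "local", "172.16.0.0/16": "pcx-EXAMPLE", "0.0.0.0/0": "nat-EXAMPLE"}

def lookup(route_table, dst_ip):
    """Return the target for a destination: the longest matching destination CIDR wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no route, the packet is dropped

def add_nat_route(route_table, nat_gateway_id):
    """The step after creating a NAT gateway: send internet-bound traffic to it."""
    updated = dict(route_table)
    updated["0.0.0.0/0"] = nat_gateway_id
    return updated

if __name__ == "__main__":
    private_before = {"10.0.0.0/16": "local"}          # private subnet with no internet route
    print(lookup(private_before, "198.51.100.10"))       # None, nothing reaches the internet
    print(lookup(add_nat_route(private_before, "nat-EXAMPLE"), "198.51.100.10"))  # nat-EXAMPLE
```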
AWS Direct Connect
AWS VPN
- To connect your VPC to your remote network through a VPN connection, you need to set one up
- One of the challenges of a VPN connection is network performance
AWS Direct Connect
- With Direct Connect, your network traffic remains on the AWS global network and never touches the public internet
- for establishing a dedicated, private network connection between your network and one of the Direct Connect locations
VPC Endpoint
A VPC endpoint provides connections between a VPC and supported services
- the VPC is not exposed to the public internet
Interface VPC endpoint
- AWS PrivateLink: provides private connectivity between VPCs, AWS services and on-premises networks without exposing your traffic to the public internet
Gateway endpoint
- provides reliable connectivity to Amazon S3 and Amazon DynamoDB without requiring an internet gateway or a NAT device for your VPC
VPC Peering
VPC peering is a networking connection between two VPCs that you can use to route traffic between them privately
- peering is possible between your own VPCs, VPCs in other accounts and VPCs in different Regions
- create rules in your route table to allow the VPCs to communicate with each other through the peering resource
VPC Peering Restrictions
- IP address ranges cannot overlap
- Transitive peering is not supported
AWS Transit Gateway
AWS Transit Gateway is used to simplify your networking model
- acts as a hub that controls routing of traffic among all the connected networks
- ease of connectivity makes it simpler to scale your network as you grow
Other AWS Networking Services
Amazon Route53
- cloud Domain Name System (DNS)
Amazon CloudFront
- simplifies the delivery of websites, videos, apps, and APIs securely at high speeds with low latency
Amazon API Gateway
- fully managed service for developers to manage APIs at any scale.