AWS Networking and Content Delivery

Get the broadest and deepest set of networking and content delivery services in the world with
AWS. Run applications with the highest level of reliability, security, and performance global
network in the cloud.
Most secure
Meet the most stringent security requirements in the world with AWS networking capabilities.
Ensure the confidentiality, integrity, and availability of your data through 24/7
infrastructure monitoring.
Highest network availability
Maintain the highest availability levels for your mission-critical workloads using the AWS
Region/Availability Zone (AZ) model. Industry analysts recognize the AZ model as the
recommended approach for running enterprise applications requiring high availability.
Consistent high performance
Run your workloads using the highest throughput and lowest latency cloud network. Use
the AWS network to provide your customers with faster, more responsive applications.
Broadest global coverage
Deliver applications and content anywhere in the world over a purpose-built network. AWS
offers the largest global infrastructure footprint of any provider.

AWS NETWORKING AND CONTENT DELIVERY SERVICES

Network foundations
1. Amazon VPC (Virtual Private Cloud):
o Purpose: Allows you to create a logically isolated section of the AWS cloud
where you can launch AWS resources in a virtual network you define.
o Features:
▪ Subnets (public/private)
▪ Route Tables
▪ Internet Gateway, NAT Gateway
▪ VPC Peering, Transit Gateway
▪ Security Groups, NACLs (Network Access Control Lists)
AWS Transit Gateway

o Purpose: Enables you to connect VPCs and on-premises networks through a

central hub.
o Features:
▪ Scalable, centralized connectivity
▪ Simplifies network topology, High availability and performance

AWS PrivateLink

• Private and Secure Connectivity: AWS Private Link provides private, secure access
to AWS services, third-party services, or your own services without exposing traffic
to the public internet.

Features:

1. VPC Endpoint: Enables private connections within your VPC using interface VPC
endpoints, which are elastic network interfaces with private IPs.
2. No Public Internet Exposure: Ensures that all traffic remains within the AWS
network, enhancing security by avoiding public internet exposure.
3. Support for AWS and Third-Party Services: Allows access to AWS services and
third-party SaaS applications through private, secure connections.

Application networking

Amazon VPC Lattice

Purpose:

• Simplified Service-to-Service Communication: Amazon VPC Lattice provides a

managed application layer networking service that simplifies secure, scalable
communication between services across different VPCs and accounts without
requiring complex network configuration.

Features :

1. Cross-VPC Service Discovery and Communication: Enables seamless

communication between services across multiple VPCs and accounts without the need
for VPC peering or complex networking setups.
2. Integrated Traffic Management: Offers built-in traffic management capabilities such
as request-level routing, load balancing, and observability to ensure optimal service
performance and reliability.
3. Security and Access Control: Provides fine-grained security controls, including
service-level access policies and encryption, to ensure secure communication between
services.
AWS AppMesh

Purpose :

• Service Mesh for Microservices: AWS App Mesh simplifies the management and
monitoring of microservices communication by providing a service mesh that
standardizes and secures service-to-service communication across multiple types of
compute infrastructure.

Features :

1. Traffic Control and Management: Provides fine-grained traffic routing capabilities,

allowing you to control how requests are handled between services, including traffic
shifting, retries, and circuit breaking.
2. Observability: Offers deep visibility into your microservices' communications with
built-in metrics, logs, and traces, helping you monitor performance and troubleshoot
issues effectively.
3. Security: Ensures secure communication between services with end-to-end encryption
and mutual TLS (mTLS), along with the ability to define and enforce access policies.

AWS API Gateway

• API Management and Gateway Service: AWS API Gateway enables you to create,
publish, maintain, monitor, and secure APIs at any scale, facilitating the connection
between clients and backend services.

Features :

1. API Creation and Deployment: Provides tools to design and deploy RESTful APIs,
WebSocket APIs, and HTTP APIs with support for various API methods and stages.
2. Traffic Management and Scaling: Automatically handles traffic management,
including scaling APIs to handle millions of requests, and provides throttling, caching,
and request/response transformation.
3. Security and Access Control: Offers features like authentication and authorization
with AWS IAM, Lambda authorizers, and Amazon Cognito, as well as traffic
encryption via TLS and API key management.

AWS Cloud Map

• Service Discovery and Resource Management: AWS Cloud Map provides a fully
managed service for discovering and managing the locations and attributes of your
cloud resources, helping applications to dynamically locate and connect to services.

Features :

1. Service Discovery: Allows you to register and discover services and their instances,
including microservices, databases, and other resources, enabling applications to
dynamically find and communicate with these resources.
 2. Custom Health Checks: Supports configurable health checks to monitor the status of
registered resources, ensuring that only healthy instances are discovered and used.
3. Integration with AWS Services: Works seamlessly with other AWS services such as
AWS Lambda, Amazon ECS, and Amazon EKS, allowing you to use service discovery
in a variety of application architectures and environments.

Elastic Load Balancing

o Purpose: Distributes incoming application traffic across multiple targets, such

as EC2 instances.
o Types:
▪ Application Load Balancer (ALB)
▪ Network Load Balancer (NLB)
▪ Gateway Load Balancer (GLB)
▪ Classic Load Balancer(CLB)

Edge networking

Amazon CloudFront

o Purpose: A fast content delivery network (CDN) service that securely delivers
data, videos, applications, and APIs to users globally with low latency.
o Features:
▪ Integration with AWS services (S3, EC2, etc.)
▪ DDoS protection (via AWS Shield)
▪ Global edge locations
▪ Caching of content to reduce load on origin servers

Amazon Route S3

o Purpose: A scalable and highly available Domain Name System (DNS) web
service.
o Features:
▪ Domain registration
▪ DNS routing
▪ Health checking
▪ Latency-based routing, Geo DNS, Failover routing

AWS Global Accelerator

o Purpose: Improves the availability and performance of your applications

with global users.
o Features:
▪ Static IP addresses
▪ Intelligent routing
▪ Traffic management
Hybrid connectivity

AWS Direct Connect

o Purpose: Provides a dedicated network connection from your premises to

AWS.
o Features:
▪ Reduced latency and increased bandwidth
▪ Hybrid cloud architecture
▪ Private connection to VPCs

AWS Site-to-Site VPN

o Purpose: Establishes secure connections from your on-premises networks

or mobile devices to AWS.
o Features:
▪ Site-to-Site VPN
▪ Client VPN
▪ Secure, encrypted connections

AWS Client VPN

• Secure Remote Access: AWS Client VPN provides a fully managed, scalable virtual
private network (VPN) service that enables secure remote access to your AWS
resources and on-premises networks.

Features:

1. Secure Connectivity: Uses industry-standard protocols (such as OpenVPN) to provide

encrypted and secure connections between remote clients and AWS resources, ensuring
data confidentiality and integrity.
2. Scalable and Managed: Automatically scales to accommodate an increasing number
of users without requiring manual intervention or additional infrastructure
management.
3. Centralized Authentication and Access Control: Integrates with AWS Directory
Service and other identity providers for user authentication, and allows for the
management of access control policies to restrict access to specific resources.

AWS Cloud WAN

• Global Network Management: AWS Cloud WAN provides a managed wide area
network (WAN) service that simplifies the setup, management, and monitoring of a
global network connecting multiple sites and VPCs across different regions.

Features:
 1. Centralized Network Management: Offers a single pane of glass to manage and
monitor your global network, including configuration and visibility of all connected
VPCs, on-premises locations, and branch offices.
2. Automated Network Connectivity: Facilitates automatic creation and management of
network connections between your VPCs, on-premises networks, and other locations,
reducing the complexity of network operations.
3. Integrated Network Monitoring and Insights: Provides built-in tools for monitoring
network performance and health, including traffic flow metrics and network analytics,
to ensure efficient and reliable connectivity.

Network security
AWS Shield

• DDoS Protection: AWS Shield provides advanced protection against Distributed

Denial of Service (DDoS) attacks to ensure the availability and performance of your
AWS applications.

Features:

1. Automatic Protection: Offers automatic, in-line protection against common and

sophisticated DDoS attacks for AWS services such as Amazon CloudFront, Elastic
Load Balancing (ELB), and Amazon Route 53.
2. Advanced Threat Detection: Includes AWS Shield Advanced, which provides
additional DDoS protection features, including real-time attack visibility, detailed
reporting, and access to the AWS DDoS Response Team (DRT).
3. Cost Protection: Provides financial protection against DDoS-related scaling charges
for eligible services, helping to manage unexpected costs arising from DDoS attacks.

AWS WAF(Well Architected Framework)

o Purpose: Protects your web applications from common web exploits that
could affect application availability, compromise security, or consume
excessive resources.
o Features:
▪ Customizable rules
▪ Integration with CloudFront, ALB
▪ Real-time monitoring and automatic traffic inspection

AWS Network Firewall

Purpose:

• Network Traffic Protection: AWS Network Firewall provides a managed service to

protect your VPC by controlling and monitoring inbound and outbound network
traffic through customizable firewall rules.

Features:
 1. Customizable Firewall Rules: Allows you to create and manage network security
policies with rules for traffic filtering, including stateful and stateless rules to control
traffic based on IP addresses, ports, and protocols.
2. Deep Packet Inspection: Provides capabilities for inspecting and analyzing network
traffic, including support for intrusion detection and prevention to identify and block
malicious activity.
3. Integrated Management and Monitoring: Easily integrates with AWS services like
AWS CloudWatch for logging and monitoring, and AWS Security Hub for centralized
security management and compliance reporting.

AWS Firewall Manager

Purpose:

• Centralized Firewall Management: AWS Firewall Manager provides a centralized

management solution for configuring and managing firewall rules across multiple
AWS accounts and VPCs, streamlining security operations.

Features:

1. Centralized Rule Management: Allows you to define and enforce firewall rules and
policies across multiple accounts and regions from a single dashboard, ensuring
consistent security policies across your organization.
2. Integration with AWS Services: Works with AWS Network Firewall, AWS WAF
(Web Application Firewall), and AWS Shield, enabling you to manage and apply
security policies for network traffic, web applications, and DDoS protection centrally.
3. Policy Automation and Compliance: Automates the deployment of security policies,
ensures compliance with organizational security standards, and provides visibility into
policy compliance status and violations.

Amazon Virtual Private Cloud

• Define and launch AWS resources in a logically isolated virtual network.
Benefits of Amazon VPC

Increase security
• Secure and monitor connections, screen traffic, and restrict instance access inside your
virtual network.
Save time
• Spend less time setting up, managing, and validating your virtual network.
Manage and control your environment
• Customize your virtual network by choosing your own IP address range, creating subnets,
and configuring route tables.
How it works

• Amazon Virtual Private Cloud (Amazon VPC) gives you full control over your virtual networking
environment, including resource placement, connectivity, and security. Get started by setting
up your VPC in the AWS service console. Next, add resources to it such as Amazon Elastic
Compute Cloud (EC2) and Amazon Relational Database Service (RDS) instances. Finally,
define how your VPCs communicate with each other across accounts, Availability Zones, or
AWS Regions. In the example below, network traffic is being shared between two VPCs within
each Region.

Use cases
Launch a simple website or blog
• Improve your web application security posture by enforcing rules on inbound and
outbound connections.
Host multi-tier web applications
• Define network connectivity and restrictions between your web servers, application
servers, and databases.
Create hybrid connections
• Build and manage a compatible VPC network across your AWS services and on
premises.
Understanding the AWS Virtual Private Cloud

With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically
isolated virtual network that you’ve defined. It enables you to have complete control over your
network settings, such as IP address ranges, subnets, route tables, and network gateways.

IP Address and CIDR Blocks

IP Address Range
IP addresses in your VPC enable communication between resources, as well as with resources
on the internet. CIDR notation represents an IP address and its network mask.
There are two parts to an IP address:

• Network addresses contain numerical digits indicating the network’s unique identifier
• Host addresses indicate the network identifier for a host or device

CIDR Blocks

An IP address CIDR block is a collection of IP addresses with the same network prefix and
number of bits. It consists of more IP addresses and a small suffix.
IPv4 addresses are 32 bits long. The numerical value for every string of numbers separated by a
period is 0 to 255, where 0 is the lowest value, and 255 is the highest value. An IPv4 address
could be purchased in three classes by an organization.

Class A: IPv4 Class A addresses have eight network prefix bits. Consider 48.0.0.2, in which 48 is
the network address and 0.0.2 is the host address.

Class B: IPv4 Class B addresses have 16 network prefix bits. Consider the example of 192.16.0.2,
where 192.16 is the network address and 0.2 is the host address.

Class C: Class C IPv4 addresses have 24 network prefix bits. Consider the example of
192.168.2.1, where 192.168.2 is the network address and 1 is the host address.

Classless Addresses: CIDR addresses use variable length subnet masking (VLSM). Subnet
masks return IP addresses by converting host addresses into zeroes. Subnets of different sizes
can be created using a VLSM sequence. IP addresses and hosts can be flexible in each subnet.

As an example, 192.168.1.0/24 is an IPv4 CIDR address with 192.168.1 as the first 24 bits and
192.0.2 as the Network address.
Deep Dive into Subnets

Subnets allow for effective IP address distribution. These are segments of a larger network that
often reside within a private network. You can manage IP address ranges more easily by dividing
them up into smaller, easier-to-manage blocks. Subnets are restricted to one Availability
Zone. You can protect your applications from single Availability Zone failure by launching AWS
resources in different Availability Zones.
When you create a subnet, you specify its IP addresses, depending on the configuration of the
VPC:
• When configuring your VPC’s IP addresses, it’s important to note whether you are working
with IPv4-only, dual-stack, or IPv6-only subnets.
• In an IPv4-only subnet, communication must be done over IPv4 as there is no IPv6 CIDR
block available.
• Dual-stack subnets have both IPv4 and IPv6 CIDR blocks, allowing for communication over
both protocols.
• Finally, in an IPv6-only subnet, communication must be done over IPv6 as there is no IPv4
CIDR block available. Make sure to properly configure your VPC to avoid any potential
connectivity issues.

Subnet Masks
A subnet mask is a 32-bit address that divides an IP address into network and host bits. The
network bits identify the network, while the host bits identify the device on that network. This allows
for the creation of smaller networks within a larger network, known as subnets.

Subnet mask representation

When a new device connects to a network, it is assigned an IPv4 address which is a 32-bit
numeric address separated into four numbers by periods. Each group of numbers within a block
is called an octet, and its value ranges from 0 to 255. Without the subnet mask, the network and
host portions of such IP addresses become indistinguishable

Let’s look at an example, Consider the IP address for my device: 192.168.112.121 –

> 11000000.10101000. 01110000. 01111001

The subnet mask for the IP network above: 255.255.255.0 –> 11111111. 11111111. 11111111.
00000000

Using this example, a household home network has a subnet mask of 255.255.255.0. This means
that within the defined network, there are 254 IP addresses that are usable. To put it simply, you
can connect up to 254 internet-enabled devices such as phones, computers, IoT gadgets, and
many others to the home network, and can access the internet using them.

Subnet Types

When configuring your subnet’s routing, the type of subnet you end up with will depend on your
choices. For instance:

When creating subnets in your VPC, it’s crucial to consider their internet connectivity.

• A public subnet enables resources to access the internet directly via an internet gateway.
• A private subnet requires a NAT device for internet access.
• A VPN-only subnet has a route to a Site-to-Site VPN connection, but no access to the
internet gateway.
• An isolated subnet has no external connectivity and can only be reached within the VPC.

Subnet Routing

Each subnet is associated with a route table that specifies allowed outbound traffic routes. All
subnets are initially associated with the VPC’s main route table, but you can change this
association and the contents of the main route table.
Subnet Settings

Every subnet possesses an alterable attribute that decides if a network interface created within it
gets assigned a public IPv4 address and, if applicable, an IPv6 address. This includes the primary
network interface (eth0) that is generated when you initiate an instance in that
subnet. Nevertheless, it is imperative to note that this setting can be overridden for a specific
instance during launch.

To configure the auto-assign IP settings for a new network interface in a subnet, there are
two ways.

• You can enable the Auto-assign IP settings option. This will allow you to request a public
IPv4 or IPv6 address automatically.
 You can configure the Resource-based Name (RBN) settings to specify the hostname type
for EC2 instances in the subnet and configure how DNS queries are handled for A and AAAA
records. For more information on hostname types for EC2 instances.

AWS VPC and Subnet Security

To protect your AWS VPC and Subnet resources, it is recommended that you use private
subnets. We can use a bastion host or NAT device to provide internet access to resources,
such as EC2 instances, in a private subnet.
• To increase security for the resources in your VPC, AWS offers security groups and
network ACLs.
• Security groups permit inbound and outbound traffic for associated resources, while
network ACLs allow or deny traffic at the subnet level.
• Keep in mind that using private subnets with a bastion host or NAT device is necessary to
grant internet access to EC2 instances in private subnets.