FCJ - Week 2 - Networking On AWS


Networking on AWS

Week 2 – Module 2

Hung Nguyen Gia


Senior Solutions Architect
Champion Authorized Instructor

© 2023, Amazon Web Services, Inc. or its Affiliates.


Table of contents
• Regions and Availability Zones (AZs)
• VPC Overview
• Subnets and AZs
• Route Tables
• Internet Access
• NAT Gateways
• Security Groups
• Network Access Control Lists (NACLs)
• VPN Connectivity
• Direct Connect



Regions and Availability Zones (AZs)
[Diagram] The AWS Cloud is divided into Regions, and each Region is made up of several isolated Availability Zones:
Region us-east-1: AZ us-east-1a, AZ us-east-1b, AZ us-east-1c
Region us-west-2: AZ us-west-2a, AZ us-west-2b, AZ us-west-2c



AWS VPC - Overview
[Diagram] Account 123456789, Region US-EAST-1.
Inside the VPC: EC2 instances, Elastic Load Balancing, an Amazon RDS instance.
Other services shown alongside the VPC: AWS Identity and Access Management, Amazon Simple Storage Service (S3), Amazon Route 53, Amazon DynamoDB.



Subnets and AZs
[Diagram] Region us-east-1, VPC 10.0.0.0/16. Each subnet lives in exactly one Availability Zone:
Availability Zone us-east-1a: Subnet 1 10.0.1.0/24
Availability Zone us-east-1b: Subnet 2 10.0.2.0/24
Workloads shown in the subnets: EC2 instances and an Amazon RDS instance.



Route Tables – Internal VPC Traffic
[Diagram] VPC 10.0.0.0/16: Subnet 1 10.0.1.0/24 with EC2 instance 10.0.1.1, Subnet 2 10.0.2.0/24 with EC2 instance 10.0.2.1. Both subnets are associated with Route Table 1.

Route Table 1 - Rules
Destination    Target
10.0.0.0/16    local

Traffic from 10.0.1.1 to 10.0.2.1 matches the local route and is delivered inside the VPC.



Route Tables – Internet Traffic
[Diagram] Same VPC 10.0.0.0/16 with Subnet 1 10.0.1.0/24 (EC2 instance 10.0.1.1) and Subnet 2 10.0.2.0/24 (EC2 instance 10.0.2.1), both associated with Route Table 1. The instance 10.0.1.1 sends traffic to the Internet host 1.2.3.4.

Route Table 1 - Rules
Destination    Target
10.0.0.0/16    local

With only the local route there is no entry matching 1.2.3.4, so the traffic cannot leave the VPC.



Route Tables – Internet Traffic
[Diagram] Same VPC and subnets, now with an Internet gateway attached to the VPC. Route Table 1 gains a default route pointing at the Internet gateway.

Route Table 1 - Rules
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

Traffic from 10.0.1.1 to 1.2.3.4 matches 0.0.0.0/0 and is forwarded to the Internet gateway.



Public vs. Private Subnet
[Diagram] VPC 10.0.0.0/16 with an Internet gateway.

Private Subnet 1 10.0.1.0/24 (EC2 instance 10.0.1.1), associated with the Private Route Table:
Destination    Target
10.0.0.0/16    local

Public subnet 1 10.0.2.0/24 (EC2 instance 10.0.2.1), associated with the Public Route Table:
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

A subnet is public when its route table has a route to an Internet gateway, and private when it does not.



Public IPs
[Diagram] VPC 10.0.0.0/16, Public subnet 1 10.0.2.0/24, Internet gateway.
EC2 Instance
Private IP: 10.0.2.1
Public IP: 1.2.3.4

Public Route Table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345



VPC - DNS & DHCP
[Diagram] VPC 10.0.0.0/16 with the VPC DHCP and VPC DNS services.
Reserved for AWS use: 10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3

Public subnet 1 10.0.2.0/24
EC2 Instance
Private IP: 10.0.2.1
Private DNS: ip-10.0.2.1.us-west-2.compute.internal
Public IP: 1.2.3.4
Public DNS: ec2-1.2.3.4.us-west-2.compute.amazonaws.com



Internet Access for Private Subnets – NAT Gateway
[Diagram] VPC 10.0.0.0/16 with an Internet gateway; Internet host 1.2.3.4.

Private Subnet 1 10.0.1.0/24: private instance, Private IP 10.0.1.1, associated with the Private Route Table:
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      ngw-345

Public subnet 1 10.0.2.0/24: NAT gateway ngw-345 with EIP 2.3.4.5, associated with the Public Route Table:
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      Igw-12345

Traffic from 10.0.1.1 to 1.2.3.4 follows the private subnet's default route to the NAT gateway, which sends it on through the Internet gateway with the Elastic IP 2.3.4.5 as its source.

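The route-table slides above (internal traffic, Internet traffic, public vs. private subnet, NAT gateway) all come down to one rule: a packet is matched against the route table of its subnet by longest prefix, and the target decides where it goes next. The following Python, added here as an illustration and not part of the original deck, models that walk with the slides' own addresses. The NAT gateway hop rewrites the source to the gateway's Elastic IP, and the Internet gateway maps a private address to its assigned public IP. The route-table names, the instance-to-public-IP mapping and the Internet destination 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed example data mirroring the slides: one VPC, a private and a
# public subnet, a NAT gateway in the public subnet and an Internet gateway.
SUBNETS = {
    "Private Subnet 1": {"cidr": "10.0.1.0/24", "route_table": "Private Route Table"},
    "Public subnet 1":  {"cidr": "10.0.2.0/24", "route_table": "Public Route Table"},
}

ROUTE_TABLES = {
    "Private Route Table": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "ngw-345")],
    "Public Route Table":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "Igw-12345")],
    # The "internal traffic" slide: a table that carries only the local route.
    "Local Only":          [("10.0.0.0/16", "local")],
}

NAT_GATEWAYS = {"ngw-345": {"subnet": "Public subnet 1", "eip": "2.3.4.5"}}

# Public IPv4 addresses the Internet gateway maps 1:1 onto private addresses
# (the "Public IPs" slide: private 10.0.2.1, public 1.2.3.4).
PUBLIC_IPS = {"10.0.2.1": "1.2.3.4"}


def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, s in SUBNETS.items():
        if addr in ipaddress.ip_network(s["cidr"]):
            return name
    raise ValueError(f"{ip} is not in any subnet")


def lookup(table_name, dst):
    """Longest-prefix match over one route table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src, dst):
    """Follow a packet from src to dst across route tables.

    Returns (hops, source_seen): the sequence of route targets the packet hits
    and the source address the final destination observes. A NAT gateway hop
    rewrites the source to its Elastic IP; an Internet gateway hop maps a
    private address to its public IP if one is assigned.
    """
    hops = []
    source_seen = src
    table = SUBNETS[subnet_of(src)]["route_table"]
    for _ in range(8):  # bound the walk; a loop here would be a misconfiguration
        target = lookup(table, dst)
        if target is None:
            hops.append("NO ROUTE")
            return hops, source_seen
        hops.append(target)
        if target == "local":
            return hops, source_seen
        if target.lower().startswith("igw-"):
            return hops, PUBLIC_IPS.get(source_seen, source_seen)
        if target in NAT_GATEWAYS:
            ngw = NAT_GATEWAYS[target]
            source_seen = ngw["eip"]
            table = SUBNETS[ngw["subnet"]]["route_table"]
            continue
        return hops, source_seen  # a target type this example does not model
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    print(trace("10.0.1.1", "10.0.2.1"))        # (['local'], '10.0.1.1')
    print(trace("10.0.1.1", "203.0.113.10"))    # (['ngw-345', 'Igw-12345'], '2.3.4.5')
    print(trace("10.0.2.1", "203.0.113.10"))    # (['Igw-12345'], '1.2.3.4')
    print(lookup("Local Only", "203.0.113.10")) # None
```

The private instance never exposes 10.0.1.1 to the Internet: the only address the remote host sees is the NAT gateway's EIP, and because the private route table has no Internet gateway target, nothing on the Internet can initiate a connection to it. Removing the 0.0.0.0/0 entry (the "Local Only" table) leaves Internet-bound traffic with no matching route at all.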


Multi-AZ Best Practices
[Diagram] Region us-east-1, VPC 10.0.0.0/16 with an Internet gateway (IGW) and a load balancer spanning two Availability Zones:
AZ (us-east-1a): Public subnet 1 10.0.1.0/24 with a web server; Private Subnet 1 10.0.2.0/24 with the database server
AZ (us-east-1b): Public subnet 2 10.0.3.0/24 with a web server; Private Subnet 2 10.0.4.0/24 with the database standby
The database server and its standby are kept in step by synchronous replication.



Security Groups – Default Group Rules
[Diagram] VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 10.0.1.0/24: an EC2 instance in Security group 1.

Security Group 1
Inbound Rules
Protocol    Port    Source
(no rules)

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0



Security Groups – Web Server Example
[Diagram] VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 10.0.1.0/24: an EC2 instance in Security group 1.

Security Group 1
Inbound Rules
Protocol    Port    Source
TCP         80      0.0.0.0/0

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0



Security Groups – Reference other groups
[Diagram] VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 10.0.1.0/24: one EC2 instance in the Webserver security group and one EC2 instance in the Database security group.

Web server security group
Inbound Rules
Protocol    Port    Source
TCP         80      0.0.0.0/0

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0

Database security group
Inbound Rules
Protocol    Port    Source
TCP         3306    sg-webserver

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0



Security Groups – Self-referencing rules
[Diagram] VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 10.0.1.0/24: four EC2 instances, all in the Hadoop security group.

Hadoop Security Group
Inbound Rules
Protocol    Port    Source
TCP         80      sg-hadoop

Outbound Rules
Protocol    Port    Destination
All         All     0.0.0.0/0



Network Access Control Lists (NACLs)
[Diagram] Region us-east-1, VPC 10.0.0.0/16, Availability Zone us-east-1a, Subnet 1 10.0.1.0/24 with a Network access control list attached at the subnet boundary.

NACL Configuration
Inbound Rules
Rule #    Protocol    Port    Source        Effect
1         All         All     0.0.0.0/0     Allow

Outbound Rules
Rule #    Protocol    Port    Destination   Effect
1         All         All     0.0.0.0/0     Allow

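The four security-group slides and the NACL slide describe two filters with different semantics: security groups are stateful allow-lists attached to instances, where a rule's source may be another security group (or the group itself), while a NACL is a stateless, numbered rule list at the subnet boundary in which the lowest-numbered matching rule wins. The Python below, added as an illustration and not code from the original deck, evaluates both for a connection attempt. It goes slightly beyond the slides: the deny rule numbered 90 and the "outbound port 80 only" NACL are constructed to show rule ordering and the stateless reply problem; the instance addresses and group memberships are also made up.

```python
import ipaddress

# Constructed example mirroring the slides: the web-server, database and Hadoop
# security groups and the subnet NACL. Instance addresses are made up.
SUBNET = ipaddress.ip_network("10.0.1.0/24")

SECURITY_GROUPS = {
    "sg-webserver": {"inbound": [("tcp", 80, "0.0.0.0/0")]},
    "sg-database":  {"inbound": [("tcp", 3306, "sg-webserver")]},  # source is a group
    "sg-hadoop":    {"inbound": [("tcp", 80, "sg-hadoop")]},       # self-referencing
}
# Outbound is "All All 0.0.0.0/0" on every group in the slides, so it is not modelled.

MEMBERSHIP = {  # instance private IP -> groups attached to it (constructed)
    "10.0.1.10": {"sg-webserver"},
    "10.0.1.20": {"sg-database"},
    "10.0.1.30": {"sg-hadoop"},
    "10.0.1.31": {"sg-hadoop"},
}

# NACL rules: (rule number, protocol, (low port, high port), CIDR, effect).
# Rule 100 is the slide's allow-all; rule 90 is a constructed deny that shows
# the lowest-numbered matching rule wins.
NACL_OPEN = {
    "inbound":  [(100, "all", (0, 65535), "0.0.0.0/0", "allow"),
                 (90,  "all", (0, 65535), "198.51.100.0/24", "deny")],
    "outbound": [(100, "all", (0, 65535), "0.0.0.0/0", "allow")],
}
# Same inbound rules, but outbound allows only port 80: reply packets to the
# client's ephemeral port are dropped because a NACL is stateless.
NACL_NO_EPHEMERAL = {
    "inbound":  NACL_OPEN["inbound"],
    "outbound": [(100, "tcp", (80, 80), "0.0.0.0/0", "allow")],
}


def _sg_rule_matches(rule, proto, port, src_ip):
    r_proto, r_port, r_src = rule
    if r_proto not in ("all", proto) or r_port not in ("all", port):
        return False
    if r_src.startswith("sg-"):  # group reference: match on membership, not address
        return r_src in MEMBERSHIP.get(src_ip, set())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(r_src)


def sg_allows_inbound(dst_ip, proto, port, src_ip):
    """Security groups are allow-lists: any inbound rule on any attached group
    permits the flow. They are stateful, so the reply needs no rule."""
    return any(
        _sg_rule_matches(rule, proto, port, src_ip)
        for sg in MEMBERSHIP.get(dst_ip, set())
        for rule in SECURITY_GROUPS[sg]["inbound"]
    )


def nacl_evaluate(rules, proto, port, ip):
    """Rules are checked in ascending rule-number order; the first match
    decides. With no match the implicit final rule denies."""
    addr = ipaddress.ip_address(ip)
    for _num, r_proto, (lo, hi), cidr, effect in sorted(rules, key=lambda r: r[0]):
        if r_proto in ("all", proto) and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return effect
    return "deny"


def flow_allowed(client_ip, server_ip, proto, port, nacl, client_port=50000):
    """Can a connection from client_ip:client_port to server_ip:port be
    established? The NACL is consulted only when the client is outside the
    server's subnet, because a NACL sits at the subnet boundary."""
    crosses_subnet = ipaddress.ip_address(client_ip) not in SUBNET
    if crosses_subnet and nacl_evaluate(nacl["inbound"], proto, port, client_ip) != "allow":
        return False
    if not sg_allows_inbound(server_ip, proto, port, client_ip):
        return False
    # Reply direction: the security group is stateful, the NACL is not.
    if crosses_subnet and nacl_evaluate(nacl["outbound"], proto, client_port, client_ip) != "allow":
        return False
    return True
```

Two points worth noticing when running it: the database instance accepts port 3306 from 10.0.1.10 only because that address is a member of sg-webserver, not because of anything about the address itself, so moving an instance out of the web-server group revokes its access; and with NACL_NO_EPHEMERAL the request reaches the web server but the reply is dropped, which is why NACL outbound rules normally allow the ephemeral port range.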


VPC Building Blocks - Summary
[Diagram] VPC 10.0.0.0/16 with an Internet gateway and a NAT gateway.
Private Subnet 1 10.0.1.0/24: database EC2 instance in the Database security group; NACL on the subnet; Private Route Table; outbound Internet access through the NAT gateway.
Public subnet 1 10.0.2.0/24: EC2 webserver in the Web server security group; NACL on the subnet; Public Route Table; Internet access through the Internet gateway.



VPC Peering
[Diagram] VPC 1 10.0.0.0/16 and VPC 2 192.168.0.0/16 joined by the peering connection VPX-123.
VPC 1: Private Subnet 1 10.0.0.0/24, private instance 10.0.0.1, associated with Route Table 1.
VPC 2: Private Subnet 2 192.168.0.0/24, private instance 192.168.0.1, associated with Route Table 2.

Route Table 1
Destination       Target
10.0.0.0/16       local
192.168.0.0/16    VPX-123

Route Table 2
Destination       Target
192.168.0.0/16    local
10.0.0.0/16       VPX-123



VPC Peering – No Transitive Routing
[Diagram] VPC 1 is peered with VPC 2, and VPC 2 is peered with VPC 3; there is no peering connection between VPC 1 and VPC 3.
• VPC 1 can reach VPC 2
• VPC 1 cannot reach VPC 3



VPC Peering – No Transitive Routing
[Diagram] As before, plus a third peering connection directly between VPC 1 and VPC 3.
• VPC 1 can reach VPC 2
• VPC 1 can reach VPC 3

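The two slides above state the non-transitivity rule for the specific three-VPC case. The Python below, added here as an illustration and not part of the original deck, models the general rule: a peering connection delivers a packet only into the CIDR of the VPC at its far end, so even a route in VPC 1 that points the VPC 3 prefix at VPX-123 goes nowhere, and only a direct peering between VPC 1 and VPC 3 (with a route on each side) makes VPC 3 reachable. The CIDR 172.31.0.0/16 for VPC 3 and the peering IDs VPX-456 and VPX-789 are assumptions; the slides give only VPX-123.

```python
import ipaddress

# Constructed three-VPC topology from the slides. VPC 3's CIDR and the ID of
# the second peering connection are assumptions; the slide does not give them.
VPCS = {"VPC 1": "10.0.0.0/16", "VPC 2": "192.168.0.0/16", "VPC 3": "172.31.0.0/16"}
PEERINGS = {"VPX-123": ("VPC 1", "VPC 2"), "VPX-456": ("VPC 2", "VPC 3")}
ROUTE_TABLES = {
    "VPC 1": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "VPX-123")],
    "VPC 2": [("192.168.0.0/16", "local"), ("10.0.0.0/16", "VPX-123"),
              ("172.31.0.0/16", "VPX-456")],
    "VPC 3": [("172.31.0.0/16", "local"), ("192.168.0.0/16", "VPX-456")],
}


def next_hop(routes, dst):
    """Longest-prefix match; None when the table has no route for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, target in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reachable(src_vpc, dst_ip, route_tables=ROUTE_TABLES, peerings=PEERINGS):
    """Can an instance in src_vpc deliver a packet to dst_ip?

    A peering connection is a point-to-point link: it delivers only into the
    CIDR of the VPC at its other end and never forwards through that VPC to a
    third one. That is the whole reason peering is not transitive.
    """
    target = next_hop(route_tables[src_vpc], dst_ip)
    addr = ipaddress.ip_address(dst_ip)
    if target == "local":
        return addr in ipaddress.ip_network(VPCS[src_vpc])
    if target in peerings:
        a, b = peerings[target]
        if src_vpc not in (a, b):
            return False  # route points at a peering this VPC is not part of
        peer = b if src_vpc == a else a
        return addr in ipaddress.ip_network(VPCS[peer])
    return False  # no route, or a target type this example does not model


def with_direct_peering(pcx_id, vpc_a, vpc_b):
    """Return (route_tables, peerings) copies extended with a direct peering
    between vpc_a and vpc_b and the matching route on each side."""
    tables = {name: list(routes) for name, routes in ROUTE_TABLES.items()}
    tables[vpc_a].append((VPCS[vpc_b], pcx_id))
    tables[vpc_b].append((VPCS[vpc_a], pcx_id))
    return tables, {**PEERINGS, pcx_id: (vpc_a, vpc_b)}


if __name__ == "__main__":
    print(reachable("VPC 1", "192.168.0.1"))  # True: direct peering VPX-123
    print(reachable("VPC 1", "172.31.0.5"))   # False: no route, no peering with VPC 3
    tables, peerings = with_direct_peering("VPX-789", "VPC 1", "VPC 3")
    print(reachable("VPC 1", "172.31.0.5", tables, peerings))  # True
```

Note that reachability here is checked in one direction only; for a working connection the peer VPC also needs its own return route to the source CIDR through the same peering connection, which is what `with_direct_peering` adds on both sides.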


AWS Site-to-Site VPN
[Diagram] On-prem data center 172.16.0.0/16 with a Customer gateway, connected over IPSec to the Virtual Private Gateway VGW-123 attached to VPC 10.0.0.0/16.

VPC Route Table
Destination      Target
10.0.0.0/16      local
172.16.0.0/16    VGW-123

• One VGW per VPC
• BGP or static routes
• Redundant IPSec tunnels
• Redundant routers across two AZs
AWS Site-to-Site VPN
[Diagram] Three on-prem data centers (172.16.0.0/16, 172.17.0.0/16 and 172.18.0.0/16), each with its own Customer gateway and its own IPSec connection to the single Virtual Private Gateway VGW-123 attached to VPC 10.0.0.0/16.

VPC Route Table
Destination      Target
10.0.0.0/16      local
172.16.0.0/16    VGW-123



AWS Direct Connect
[Diagram] Customer Data Center (customer router) -> Direct Connect Location (Equinix DA1): a customer or partner cage with a customer or partner router, cross-connected to the AWS cage holding the AWS Direct Connect Endpoint -> AWS Cloud, Region us-east-1.
Private VIF: reaches the VPC (EC2) through a VGW.
Public VIF: reaches public AWS services such as Amazon S3 and Amazon DynamoDB.

• 1 or 10 Gbps (50 Mbps+ via partners)
• Consistent performance
• May lower data transfer cost
• Redundant connections optional (recommended)
Labs

Required – use the account provided by AWS:
• Amazon VPC
https://000003.awsstudygroup.com/vi/
Prize: 5 AWS T-shirts for the 5 people who complete the required lab fastest.

Optional – use a personal account:
• VPC Peering
https://000019.awsstudygroup.com/vi/
• Transit Gateway
https://000020.awsstudygroup.com/vi/
Prize: 5 AWS T-shirts for the 5 people who complete all the optional labs fastest.

Notes:
- Take a screenshot of the AWS Console after completing the labs and post it in the lab-week-2 channel on Slack.
- The screenshot must include the Account ID (top right corner of the AWS Console).
- Lab accounts can be used for 3 days from the time they are issued.



Thank you!
