AWS Cloud Practitioner Certification: Networking

Concepts

  • VPC (Virtual Private Cloud): is essentially your own private network in AWS. A VPC allows you to:
    • Create your own private IP range for AWS resources.
    • Create public-facing resources.
    • Create private or internal resources.
    • Perform techniques like subnetting.
  • Public-facing resources.
    • Resources that you expose to public traffic (anybody can access your resources).
    • You need to attach an Internet Gateway (IGW) to your VPC and give the resources public IPs to expose your apps to the public or to customers.
    • IGW ⇒ Handling public traffic.
  • Private resources.
    • Resources that only accept private traffic (the devices connected to your corporate network, certain users, …).
    • You need to set up a Virtual Private Gateway (VPG) to create a VPN connection between your private or internal corporate network and your VPC.
    • VPG ⇒ Handling private traffic.

  • The problem with this method is that private and public traffic are routed separately inside the VPC but share the same infrastructure, so slowdowns and bandwidth issues affect both.
  • AWS Direct Connect is the solution: it assigns certain traffic to dedicated infrastructure.

Network ACL vs Security Group

  • Every packet passes through a network access control list (Network ACL). If your IP, user account, … is on the approved list, you get through.
  • All EC2 instances have a Security Group. This Security Group blocks all traffic, so you need to configure the rejection/acceptance rules.
  • Security Group ⇒ Stateful = has a memory that stores credentials.
  • Network ACL ⇒ Stateless = has no memory, so it checks all inbound and outbound traffic.
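The stateful/stateless difference is easiest to see in a small simulation. The following Python model is an added example for these notes, not AWS code: the rule and packet shapes, the addresses and the ephemeral port range (1024-65535) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# direction is "in" or "out" relative to the EC2 instance; the port range applies to the packet's destination port
Rule = NamedTuple("Rule", [("direction", str), ("proto", str), ("port_lo", int), ("port_hi", int), ("cidr", str)])
Packet = NamedTuple("Packet", [("direction", str), ("proto", str), ("src_ip", str), ("src_port", int),
                               ("dst_ip", str), ("dst_port", int)])


class StatelessAcl:
    """Network ACL model: no memory, so a packet in either direction needs its own matching rule."""

    def __init__(self, rules):
        self.rules = rules

    def allows(self, pkt):
        remote = ipaddress.ip_address(pkt.src_ip if pkt.direction == "in" else pkt.dst_ip)
        return any(r.direction == pkt.direction and r.proto == pkt.proto
                   and r.port_lo <= pkt.dst_port <= r.port_hi
                   and remote in ipaddress.ip_network(r.cidr) for r in self.rules)


class StatefulSecurityGroup(StatelessAcl):
    """Security group model: remembers allowed flows, so the reply passes without a rule of its own."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()  # connection-tracking table (the "memory" that makes it stateful)

    def allows(self, pkt):
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:      # reply to a flow we already allowed
            return True
        if super().allows(pkt):        # new flow: needs an explicit rule
            self.flows.add(flow)
            return True
        return False


def demo():
    # Constructed traffic: a client at a public address opens HTTPS to an instance in a public subnet.
    https_in = Rule("in", "tcp", 443, 443, "0.0.0.0/0")
    request = Packet("in", "tcp", "203.0.113.10", 51000, "10.0.1.5", 443)
    reply = Packet("out", "tcp", "10.0.1.5", 443, "203.0.113.10", 51000)
    sg, acl = StatefulSecurityGroup([https_in]), StatelessAcl([https_in])
    acl_fixed = StatelessAcl([https_in, Rule("out", "tcp", 1024, 65535, "0.0.0.0/0")])
    return {"security_group": (sg.allows(request), sg.allows(reply)),
            "nacl_inbound_only": (acl.allows(request), acl.allows(reply)),
            "nacl_with_ephemeral_out": (acl_fixed.allows(request), acl_fixed.allows(reply))}
```

With only an inbound 443 rule the security group lets the reply out, while the NACL drops it until an outbound rule for the ephemeral port range is added; this is the usual cause of "the request arrives but nothing comes back" when a subnet NACL is tightened.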

Security pattern

How can my customers access my application?

  1. Your customers can access the app through the public IP address of the EC2 instance where it is hosted.
  2. However, most people don’t connect using an IP address, so you should map that IP to a domain using AWS’s DNS service, Amazon Route 53.
  3. The customer’s request is routed through the IGW to the public subnet where the service is hosted.
  4. Based on traffic demand, ELB distributes the traffic across the available EC2 instances.
  5. The request is evaluated by the Security Group.
  6. Your customers are successfully connected to your app.