AWS Networking 101 | Aviatrix

AWS Services

There are a total of 212 Sevices at that time on Amazon Web Services let’s discuss Few of them here

  1. EC2

These can be thought of as virtual machines that you can build inside the AWS cloud platform. And AWS does not limit you only to virtual machines, you can build physical dedicated machines using EC2 service also.

2. AWS Lambda

3. Elastic BeanStalk

4. AWS Lightsail

  1. VPC (Virtual Private Cloud)

This is a Virtual Private Cloud, which is essentially a data center in the cloud.AWS Uses implicit routers that configure auto to communicate between VPC’s.

  1. Direct Connect

Helps users connect their on-premise Data Center to AWS.

  1. Route 53

DNS service of Amazon Web Services is known as Route53. So IP lookup tables and other related technologies are located within this service.

  1. CloudFront

CloudFront is Amazon’s content delivery network (CDN).CloudFront associates with edge locations. This network of edge locations is a CDN and is called CloudFront.

  1. S3 Bucket

This is one of the oldest storage services available in AWS. This is object-based storage where you have things called buckets and you upload your files to these buckets.

IAM

This is Identity and Access Management, and it allows users to get access to the instances or applications.

Global Accelerator

Allows users to connect their remote branches to the closest point in the AWS System.

AWS — Difference between Security Groups and Network Access Control List (NACL)

Security Groups and Network Access Control List (NACL)

Security groups are tied to an instance whereas Network ACLs are tied to the subnet. i.e. Network Access control lists are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow the rules of NACL. That’s not the case with security groups, security groups have to be assigned explicitly to the instance. This means any instances within the subnet group gets the rule applied. If you have many instances, managing the firewalls using Network ACL can be very useful. Otherwise, with the Security group, you have to manually assign a security group to the instances.

Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.

Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.

Users have basic access to the route-table but do not have access to the actual router.

Once you have taken flat, you need to divide it based on your usage. A flat consists of different rooms like bedrooms, living room, kitchen, etc. Similarly, you need to divide VPC space into smaller subnets and use it for different purposes, and put security accordingly.

Public Subnet

This is your living room. This is a place where you receive your guests (internet traffic). So, if you have a web application you need to host a web tier or external-facing load balancer on this subnet.

Private Subnet

This is your bedroom for privacy and should not have direct access to the world. Its door open only internally to other internal spaces. If it needs something it always goes through the living room i.e. public subnet. This is good for deploying internal app tier or databases since they need protection from the world.

AWS Gateways

  1. Internet Gateway

This is your main gate which means every traffic of your application that comes or out from your VPC. If you have a public Subnet then you have direct access to the internet gateway but incase if you have a Private Subnet then you need to deploy a NAT Gateway inside your Security Group.

2. NAT Gateway

For Instance in private subnet need to get internet access.

3. Transit Gateway

A Network Transit hub that interconnects VPCs and on-premise network.

4. VPN Gateway

AWS VPN Router that links the on-prem network to VPC or creates a hub and spoke topology between third party VPN devices and AWSVGW. The anchor on the AWS Side of the VPN Connection is called VPN Gateway.

5. Customer Gateway

A Customer VPN Route Connect with VGW, TGW, DCGW

6. Direct Connect Gateway

Scalable Direct connect Connectivity to VPC across account and region.

Transit Gateway Fundamentals

  • Native Service
  • 5000 VPC attached per TGW
  • 50GBPS VPC <-> TGW throughput
  • Multiple Route Table
  • AWS Specific only

Transit Gateway Limitations

  • Manual VPC routing which means automation AWS VPC Routing is not available yet.
  • Initial Created
  • Subsequent Update
  • IPSEC Tunnel Throughput ~ 1.25 GBPS
  • TGW Router Scalability which means you have only 100BGP Routes per Routing table and no VPC CIDR Summarization
  • Limited Static Multi-Region
  • No Overlapping IP Support
  • Native firewall have performance limitation
  • No ITGW Peering support within the region.

TGW And Route Table Orchestration by Aviatrix

  • Removing Vpc Peering limitation and complexities
  • Orchestrates VPC Routing tables
  • Simplifies BGP over direct connect
  • Provides additional route control and traffic options
  • Propagates on-prem routes to VPC
  • New CIDRs / VPC routes updated on all other VPCs

Transit Gateway peering with Aviatrix

You can peer two transit gateway and route traffic between them. ipv4 and ipv6 traffic.

  1. Orchestrates VPC to VPC and on-prem to VPC connectivities via AWS Transit Gateway.
  2. Automates AWS Resource Access Manager (RAM) for multi-account support.
  3. Creates security boundaries between groups of VPCs to achieve network segmentation.
  4. Out-of-the-box integration of AWS Transit Gateway and Direct Connect and Internet to re-use what has been built.
  5. Provides Insane Mode high performance and features rich hybrid network for connecting to on-prem.
  6. Supports Bring Your Own Firewall to TGW deployment for inline traffic inspection (Firewall Network)
  7. Orchestrate AWS TGW Inter-Region Peering and expand the Security Domains to be global.
  8. Advanced mode for an end to end encryption where Aviatrix gateways are deployed in the AWS Spoke VPCs and Azure Spokes VNet.

AWS Global Accelerator

AWS Global Accelerator improves the availability and performance of the application for the global user. it provides a static IP with an application connectivity endpoint in single or multiple regions such as Application load balancer, Network Load Balancer, and Amazon EC2.

  • Improve Globally Application Availability
  • Accelerate your global Application
  • Easily manage endpoint