Friday, October 15, 2021

Module 4 Networking


Learning objectives

In this module, you will learn how to:

Describe the basic concepts of networking.
Describe the difference between public and private networking resources. 
Explain a virtual private gateway using a real life scenario. 
Explain a virtual private network (VPN) using a real life scenario.
Describe the benefit of AWS Direct Connect. 
Describe the benefit of hybrid deployments. 
Describe the layers of security used in an IT strategy.
Describe the services customers use to interact with the AWS global network.


Connectivity to AWS
Amazon Virtual Private Cloud, or VPCs
Public Subnet
Private Subnet 
A VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. These resources can be public facing, so they have access to the internet, or private with no internet access, usually for backend services such as databases or application servers. The public and private groupings of resources are known as subnets; they are ranges of IP addresses in your VPC.




Public subnet (public traffic)
Client -> Internet -> Firewall / Internet gateway (IGW) -> [VPC: Elastic Load Balancer (ELB) -> Auto Scaling group [Security group {EC2 instances}] -> Security group {Database}]

Private subnet
Client -> Internet -> Virtual private gateway -> [VPC: Elastic Load Balancer (ELB) -> Auto Scaling group [Security group {EC2 instances}] -> Security group {Database}]

VPC - Direct Connect traffic
Data center -> AWS Direct Connect -> [VPC: Elastic Load Balancer (ELB) -> Auto Scaling group [EC2 instances] -> Security group {Database}]

AWS Direct Connect is a service that enables you to establish a dedicated private connection between your data center and a VPC.  

VPC - Virtual Private Cloud
Subnets - networking rule: private or public


Connectivity to AWS

Amazon Virtual Private Cloud (Amazon VPC)
Amazon VPC enables you to provision an isolated section of the AWS Cloud. In this isolated section, you can launch resources in a virtual network that you define. Within a virtual private cloud (VPC), you can organize your resources into subnets. A subnet is a section of a VPC that can contain resources such as Amazon EC2 instances.

Internet Gateway
To allow public traffic from the internet to access your VPC, you attach an internet gateway to the VPC.
An internet gateway is a connection between a VPC and the internet.




AWS Direct Connect
AWS Direct Connect is a service that enables you to establish a dedicated private connection between your data center and a VPC.

Subnet and Network Access Control List

Subnet 
A subnet is a section of a VPC in which you can group resources based on security or operational needs. Subnets can be public or private. 

Public subnets contain resources that need to be accessible by the public, such as an online store’s website.

Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories. 

In a VPC, subnets can communicate with each other. For example, you might have an application that involves Amazon EC2 instances in a public subnet communicating with databases that are located in a private subnet.

Internet Gateway - Traffic in or Out of VPC 

AWS tools (layers of security)
Network hardening
Application security
User identity
Authentication and authorization
Distributed denial of service (DDoS) prevention
Data integrity
Encryption

Network Hardening
Public subnet / Private subnet
Packet -> Network Access Control List (network ACL, stateless): checks traffic in and out of the subnet
-> Security group (stateful, instance level) [EC2s]: by default blocks everything inbound, e.g. accept HTTPS; all outbound traffic is allowed
Stateful - Security group
Stateless - Network ACL


QUESTION
1. Which statement best describes an AWS account's default network access control list?
It is stateless and allows all inbound and outbound traffic.


Amazon Route 53 routing policies
Latency-based routing
Geolocation DNS
Geoproximity routing
Weighted round robin

A CDN (content delivery network) is a network that delivers content from edge locations to users based on their geographical location.

Questions
1. Your company has an application that uses Amazon EC2 instances to run the customer-facing website and Amazon RDS database instances to store customers’ personal information. How should the developer configure the VPC according to best practices?
Place the Amazon EC2 instances in a public subnet and the Amazon RDS database instances in a private subnet.

2. Which component or service can be used to establish a private dedicated connection between your company’s data center and AWS?
AWS Direct Connect

3. Which statement best describes security groups?
They are stateful and deny all inbound traffic by default.

4. Which component is used to connect a VPC to the internet?
Internet gateway

5. Which service is used to manage the DNS records for domain names?
Amazon Route 53


================================


Question 
Which statement best describes an AWS account’s default network access control list?
The correct response option is It is stateless and allows all inbound and outbound traffic.

Network access control lists (ACLs) perform stateless packet filtering. They remember nothing and check packets that cross the subnet border each way: inbound and outbound.

Each AWS account includes a default network ACL. When configuring your VPC, you can use your account’s default network ACL or create custom network ACLs.

By default, your account’s default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules. For custom network ACLs, all inbound and outbound traffic is denied until you add rules to specify which traffic should be allowed. Additionally, all network ACLs have an explicit deny rule. This rule ensures that if a packet doesn’t match any of the other rules on the list, the packet is denied.
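Added example (not from the course notes or AWS): a small Python model of the two filtering layers described in the network hardening notes above and in this explanation. It shows that a custom network ACL that only allows HTTPS inbound drops the reply to an outbound request (the reply arrives on an ephemeral port), while the stateful security group lets it through. All addresses, ports and rules are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str        # addresses and ports below are constructed samples
    dst: str
    sport: int
    dport: int
    direction: str  # "in" or "out", relative to the protected instance

@dataclass
class NetworkACL:
    """Subnet level, stateless. Rules are (number, direction, port_from,
    port_to, action), checked in number order; the first match wins."""
    rules: list

    def allows(self, pkt):
        for _num, direction, lo, hi, action in sorted(self.rules):
            if direction == pkt.direction and lo <= pkt.dport <= hi:
                return action == "allow"
        return False  # the trailing '*' rule: explicit deny when nothing matched

@dataclass
class SecurityGroup:
    """Instance level, stateful. Inbound only on listed ports, all outbound
    allowed, and replies to an allowed outbound flow pass automatically."""
    inbound_ports: set
    _flows: set = field(default_factory=set)

    def allows(self, pkt):
        if pkt.direction == "out":
            self._flows.add((pkt.dst, pkt.dport, pkt.sport))  # (peer, peer port, our port)
            return True
        if pkt.dport in self.inbound_ports:
            return True
        return (pkt.src, pkt.sport, pkt.dport) in self._flows  # reply to a tracked flow

# Default NACL allows everything; a custom NACL that only allows HTTPS in.
DEFAULT_NACL = NetworkACL([(100, "in", 0, 65535, "allow"), (100, "out", 0, 65535, "allow")])
CUSTOM_NACL = NetworkACL([(100, "in", 443, 443, "allow"), (100, "out", 0, 65535, "allow")])

# Constructed flow: instance 10.0.1.10 calls 203.0.113.5:443 from an ephemeral
# port, then the reply comes back to that ephemeral port.
OUTBOUND_FLOW = [
    Packet("10.0.1.10", "203.0.113.5", 49152, 443, "out"),
    Packet("203.0.113.5", "10.0.1.10", 443, 49152, "in"),
]

def verdicts(nacl, sg, packets):
    """Return (nacl_allows, sg_allows) for each packet, in order."""
    return [(nacl.allows(p), sg.allows(p)) for p in packets]
```

With the custom NACL the reply packet is dropped at the subnet border even though the security group would accept it, which is why custom network ACLs need rules for return traffic as well.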

Global networking
Route 53 - AWS DNS 
Domain Name System (DNS)
Suppose that AnyCompany has a website hosted in the AWS Cloud. Customers enter the web address into their browser, and they are able to access the website. This happens because of Domain Name System (DNS) resolution. DNS resolution involves a DNS server communicating with a web server.
You can think of DNS as being the phone book of the internet. DNS resolution is the process of translating a domain name to an IP address. 

Latency-based routing
Geolocation DNS
Geoproximity routing
Weighted round robin

Amazon CloudFront - CDN, delivers edge content (static assets, gif,


Question
Which statement best describes DNS resolution?
Translating a domain name to an IP address


In Module 4, you learned about the following concepts:

Structuring and connecting to a VPC
Securing VPC resources with network access control lists and security groups
Using Amazon Route 53 and Amazon CloudFront to deliver content

Amazon Virtual Private Cloud
Gateways, Network ACLs and Security Groups
VPN and Direct Connect
Edge Locations
Route 53 for DNS
Amazon CloudFront


Question1
Your company has an application that uses Amazon EC2 instances to run the customer-facing website and Amazon RDS database instances to store customers’ personal information. How should the developer configure the VPC according to best practices?
Place the Amazon EC2 instances in a public subnet and the Amazon RDS database instances in a private subnet.

Question2
Which component can be used to establish a private dedicated connection between your company’s data center and AWS?
AWS Direct Connect


Question3
Which statement best describes security groups?
They are stateful and deny all inbound traffic by default.

Question4
Which component is used to connect a VPC to the internet?
The correct response option is Internet gateway.


The other response options are incorrect because:
A public subnet is a section of a VPC that contains public-facing resources.
An edge location is a site that Amazon CloudFront uses to store cached copies of your content for faster delivery to customers.
A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.

Question5
Which service is used to manage the DNS records for domain names?
The correct response option is Amazon Route 53.
Amazon Route 53 is a DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS.

Another feature of Route 53 is the ability to manage the DNS records for domain names. You can transfer DNS records for existing domain names managed by other domain registrars. You can also register new domain names directly in Route 53.

The other response options are incorrect because:

Amazon Virtual Private Cloud (Amazon VPC) is a service that enables you to provision an isolated section of the AWS Cloud. In this isolated section, you can launch resources in a virtual network that you define.
AWS Direct Connect is a service that enables you to establish a dedicated private connection between your data center and VPC.  
Amazon CloudFront is a content delivery service. It uses a network of edge locations to cache content and deliver content to customers all over the world.
