AWS NETWORKING
AND CONTENT
DELIVERY
Module 3
BCSE355L – AWS Solution Architect
Agenda
AWS Global Infrastructure
AWS Networking foundations
Edge networking
Networking in AWS
Networking is the first step for any organization to set up its
landing zone and the entire IT workload built on top of it.
Networking is the backbone of the IT application and
infrastructure workload.
AWS provides various networking services for building your
IT landscape in the cloud.
With a traditional on-premises IT workload, it is hard to scale
globally and provide the same user experience everywhere.
AWS addresses this through edge networking; later in this module
you will see how to deploy an application for global users
without compromising their experience.
IP Address
Each host on a network has a unique Internet Protocol (IP)
address that identifies it.
An IPv4 address is usually written as four decimal numbers
separated by dots; machines work with the same value as a
32-bit binary number.
In this example, the IP address is [Link].
Each of the four dot (.)-separated numbers represents one
octet, that is 8 bits, written in decimal.
That means each of the four numbers can be anything from
0 to 255.
Together the four octets make up the 32 bits of an IPv4
address.
IPv4 and IPv6 addresses
A 32-bit IP address is called an IPv4 address.
IPv6 addresses, which are 128 bits, are also available. IPv6
addresses can accommodate more user devices.
An IPv6 address is written as eight groups of four
hexadecimal digits separated by colons (:).
In this example, the IPv6 address is
[Link].
Each of the eight colon-separated groups of the IPv6
address represents 16 bits in hexadecimal number format.
That means each of the eight groups can be anything from 0
to FFFF.
The combined total of the eight groups for an IPv6 address
is 128 bits in binary format.
About AWS Global
Infrastructure
About AWS Global Infrastructure
The infrastructure offered by AWS is highly secure and
reliable.
It offers over 200 services. Most are available in every AWS
Region, and AWS serves customers in 245 countries and territories.
Regardless of the type of technology application you are
planning to build and deploy, AWS is sure to provide a
service that will facilitate its deployment.
AWS has millions of customers and thousands of consulting
and technology partners worldwide.
Businesses large and small across all industries rely on AWS
to handle their workloads.
About AWS Global Infrastructure
AWS provides the following as its global infrastructure (figures as of the time this module was prepared; they grow continually):
26 launched Regions and 8 announced Regions
84 Availability Zones
Over 110 Direct Connect locations
Over 310 Points of Presence
17 Local Zones and 32 announced LZs
24 Wavelength Zones
AWS Global Infrastructure
How does Amazon provide such a reliable service across the globe?
How can they offer reliability and durability guarantees for
some of their services?
The answer reveals why they are the cloud leaders and why
it’s difficult to replicate what they offer.
AWS has billions of dollars worth of infrastructure deployed
across the world. These locations are organized into
different Regions and Zones.
AWS calls them the following:
AWS Regions
Availability Zones (AZs)
Local Zones (LZs)
AWS Global Infrastructure
An AZ comprises one or more distinct data centers, each
equipped with redundant power, networking, and connectivity,
and housed in separate facilities.
AWS Regions exist in separate geographic areas.
Each AWS Region comprises several independent and isolated
AZs that together provide a full array of AWS services.
AWS is continuously enhancing its data centers to provide
the latest technology.
AWS’s data centers have a high degree of redundancy.
AWS uses highly reliable hardware, but the hardware is not
foolproof.
AWS Global Infrastructure
Occasionally, a failure can happen that interferes with the
availability of resources in a data center.
Suppose all instances were hosted in only one data center. If
a failure occurred with the whole data center, then none of
your resources would be available.
AWS mitigates this issue by having multiple data centers in
each Region.
AWS Regions
AWS Regions are groups of data centers in one geographic
location, designed to be independent and isolated from
each other.
A single Region consists of a collection of data centers
spread within that Region's geographic boundary; this
independence promotes availability and enhances fault
tolerance and stability.
Not every AWS service is available in every Region, so a
particular service may not be available in your Region.
Eventually, services become generally available (GA) in
most Regions after their launch; however, the timing of
availability may differ between Regions.
AWS Regions
Some services are global rather than Regional, e.g., Direct
Connect Gateway (DXGW), Identity and Access Management (IAM),
CloudFront, and Route 53.
Other services are Regional but let you build inter-Region
fault tolerance and availability.
For example, Amazon Relational Database Service (RDS)
allows you to create read replicas in other Regions.
Advantages
Resources will be closer to users, increasing access speed
and reducing latency.
Serve your clients without disruption even if a whole
Region becomes unavailable by planning your disaster
recovery workload to be in another Region.
AWS AZs
AZs are components of AWS Regions.
The clusters of data centers within a Region are called AZs.
A single AZ consists of one or more data centers that:
are connected to each other using AWS-owned dedicated
fiber optic cables,
lie within a 60-mile (100 km) radius of the other AZs in
the Region,
are far enough apart to avoid localized failures (power,
flooding, fire), and
achieve fast data transfer between the data centers.
AZs have multiple power sources, redundant connectivity,
and redundant resources.
AWS AZs
The AZs within an AWS Region are interconnected.
These connections have the following properties:
Fully redundant
High-bandwidth
Low-latency
Scalable
Encrypted
Dedicated
AWS LZs
Local Zones (LZs) are a newer component of the AWS
infrastructure that extend a Region into large population
centers (such as major metropolitan areas).
LZs place select services close to end users, allowing them
to build AWS applications that deliver single-digit
millisecond responses.
An LZ is compute and storage infrastructure located close
to high-population areas and industrial centers, and it
offers high-bandwidth, low-latency connectivity to the
broader AWS infrastructure.
Due to their proximity to the customer, LZs make it possible
to deliver applications that need single-digit millisecond
latency to end users. At the time these slides were
prepared, AWS had 32 LZs in the US.
AWS LZs
AWS LZs can run various AWS services, such as
Amazon Elastic Compute Cloud,
Amazon Virtual Private Cloud,
Amazon Elastic Block Store,
Amazon Elastic Load Balancing,
Amazon FSx,
Amazon EMR,
Amazon ElastiCache,
Amazon RDS in geographic proximity to your end users.
Benefits of the AWS Global Infrastructure
Security - Under AWS's shared responsibility model, AWS
secures the underlying infrastructure (facilities, hardware,
hypervisor, and network) and you focus on the application
security that matters for your business. The boundary
matters: what you configure in the cloud (IAM, security
groups, NACLs, route tables, encryption, patching of your
instances, and your data) stays your responsibility.
Availability - AWS Regions are fully isolated, and within
each Region, the AZs are further isolated partitions of AWS
infrastructure. You can use AWS infrastructure with an on-
demand model to deploy your applications across multiple
AZs in the same Region or any Region globally.
Performance – Performance is another critical factor in
retaining and increasing the user base. AWS provides low-
latency network infrastructure by using redundant 100 GbE
fiber, which leads to terabits of capacity between regions.
Benefits of the AWS Global Infrastructure
Scalability – When user demands increase, you must have
the required capacity to scale your application. With AWS,
you can quickly spin up resources, deploying thousands of
servers in minutes to handle any user demand.
Flexibility – With AWS, you can choose how and where to
run your workloads; for example, you can run applications
globally by deploying into any of the AWS Regions and AZs
worldwide.
AWS Network
Foundation
AWS Network Foundations
Networking concepts are the same in the cloud as on
premises.
The question is not what networking is, but how to set up
your private network in the AWS cloud and establish
connectivity between the servers in the cloud and from
on-premises to AWS.
First, the foundation: the first step to building your
networking backbone in AWS is Amazon VPC.
Amazon Virtual Private Cloud (VPC)
VPC is one of the core services AWS provides.
A VPC is your version of the AWS cloud, and as the name
suggests, it is "private": by default, your VPC is a
logically isolated private network inside AWS.
Think of a VPC as your own logical data center in a virtual
setting inside the AWS cloud, where you have complete
control over the resources inside it.
AWS resources such as Amazon EC2 and Amazon RDS instances are
placed inside the VPC, together with the networking
components needed to control traffic as you require.
Amazon Virtual Private Cloud (VPC)
Creating a VPC from scratch can be complex, but AWS
simplifies it with the Launch VPC Wizard in the console.
The following screenshot shows the VPC network
configuration across two AZs, us-east-1a and us-east-1b:
Amazon Virtual Private Cloud (VPC)
The VPC spreads across two AZs, where each AZ has two
subnets: one public and one private.
The highlighted flow shows the data flow of a server
deployed into a private subnet of one of the us-east-1 AZs.
Before going into further details, let's look at the key
VPC concepts:
Classless Inter-Domain Routing (CIDR) blocks
Subnets
Route tables
Internet Gateway
Network Address Translation (NAT) Gateway
Security Groups (SGs)
Network Access Control List (NACL)
Egress-only IGWs
DHCP
VPC Flow Logs
Amazon Virtual Private Cloud (VPC)
Classless Inter-Domain Routing (CIDR) blocks: the CIDR block
is the IP address range allocated to your VPC.
When creating a VPC, you specify its set of IP addresses in
CIDR notation.
CIDR notation is a compact way of writing a range of IP
addresses: the network address, a slash, and the number of
fixed prefix bits.
For example, [Link]/16 covers all IPs from [Link] to
[Link], that is 2^16 = 65,536 addresses (AWS reserves five
of them in each subnet you carve out of the block).
All resources in your VPC must fall within the CIDR range.
Amazon Virtual Private Cloud (VPC)
Subnets:
A subnet is a subset of the VPC CIDR block: the VPC's IP
range is partitioned into smaller CIDR ranges, one per
subnet.
A VPC can have multiple subnets for different kinds of
services or functions, like a frontend subnet (for internet
access to a web page), a backend subnet (for business logic
processing), and a database subnet (for database services).
Subnets create trust boundaries between private and public
resources. Organizing subnets by internet accessibility
gives you a clear separation between public and private
resources.
The majority of resources can, and should, be hosted in
private subnets.
Amazon Virtual Private Cloud (VPC)
Route tables: A route table contains a set of rules called
routes. Routes determine where traffic is sent.
Every subnet is associated with a route table; a subnet
without an explicit association uses the VPC's main route
table.
You can create a custom route table and associate subnets
with it.
For better security, use a custom route table for each
subnet (or group of subnets with the same role) rather than
relying on the main route table.
Internet Gateway (IGW): The IGW sits at the edge of the VPC
and provides connectivity between your VPC resources and
the public network (the internet).
By default, there is no internet connectivity for your
environment.
An IGW is attached to the VPC; a subnet becomes public when
its route table contains a default route (0.0.0.0/0) whose
target is the IGW.
Amazon Virtual Private Cloud (VPC)
Network Address Translation (NAT) gateways:
A NAT gateway gives a private subnet outbound internet
access while preventing connections from being initiated
from the internet to your VPC resources.
A private subnet has no route to the IGW, so its instances
cannot reach or be reached from the internet directly; yet
servers often need outbound access for software and
security patch installation.
A NAT gateway, placed in a public subnet and referenced by
the private subnet's route table, lets instances in the
private subnet initiate outbound traffic and translates
their private addresses to its own Elastic IP; unsolicited
inbound traffic is dropped.
All restricted servers (such as database and application
resources) should be deployed inside your private subnets.
Amazon Virtual Private Cloud (VPC)
Security Groups (SGs):
SGs are virtual firewalls attached to instances (strictly,
to their network interfaces) that control inbound and
outbound traffic.
Only allow rules can be written in an SG; everything else is
denied implicitly.
SGs are stateful: return traffic for a connection that a
rule allowed is permitted automatically.
An SG rule names a protocol, a port range, and a source (or
destination) given as a CIDR block, a prefix list, or
another SG, which lets you express "the app tier may talk
to the database tier" without hard-coding IP addresses.
Amazon Virtual Private Cloud (VPC)
Network Access Control List (NACL):
A NACL is another firewall that sits at the subnet boundary
and allows or denies incoming and outgoing packets.
The main difference between a NACL and an SG is that the
NACL is stateless: you need rules for both the request and
the return traffic (including the ephemeral port range
1024-65535 that replies go back to), and rules are evaluated
in ascending rule-number order, first match wins.
With an SG, you allow traffic in one direction, and the
return traffic is allowed automatically.
Use SGs in most places, as the firewall at the EC2 instance
level; a NACL is the firewall at the subnet level.
A NACL gives you a control at the subnet boundary and can
deny specific IPs, whereas an SG cannot have a deny rule for
traffic from a particular IP or IP range. Every VPC comes
with a default NACL that allows all traffic; a custom NACL
denies everything until you add rules.
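Worked example (added here, not from the slides or from AWS): a small model of the two controls that makes the stateful/stateless difference concrete. The security group remembers flows it has allowed, the NACL evaluates numbered rules per direction with an implicit deny. The addresses and rule sets are constructed, and the model is a simplification of the behaviour AWS documents.

```python
"""Security group (stateful, allow-only) versus network ACL (stateless, ordered allow/deny).

Added example, not from the slides. Rule sets and addresses below are constructed;
the model follows how AWS documents the two controls: a security group remembers
flows it allowed and lets the return traffic through, a NACL evaluates every packet
in each direction against numbered rules, lowest number first, with an implicit deny.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order; AWS's catch-all "*" deny is modelled as the implicit default
    proto: str         # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    proto: str
    port_from: int
    port_to: int
    cidr: str          # security groups only have allow rules


def _matches(proto, port_from, port_to, cidr, pkt: Packet, peer: str) -> bool:
    return (proto in ("all", pkt.proto)
            and port_from <= pkt.dst_port <= port_to
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))


def nacl_decision(rules: list[NaclRule], pkt: Packet, direction: str) -> str:
    """Stateless: first matching rule in ascending number order wins; no match means deny."""
    peer = pkt.src if direction == "inbound" else pkt.dst
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.proto, r.port_from, r.port_to, r.cidr, pkt, peer):
            return r.action
    return "deny"


@dataclass
class SecurityGroup:
    inbound: list[SgRule]
    outbound: list[SgRule]
    _flows: set = field(default_factory=set)  # connection-tracking table

    def decision(self, pkt: Packet, direction: str) -> str:
        """Stateful: return traffic of an allowed flow passes without an explicit rule."""
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto)
        if reverse in self._flows:
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        peer = pkt.src if direction == "inbound" else pkt.dst
        for r in rules:
            if _matches(r.proto, r.port_from, r.port_to, r.cidr, pkt, peer):
                self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
                return "allow"
        return "deny"  # everything not explicitly allowed; there is no deny rule to write


def run_scenario() -> dict[str, str]:
    """HTTPS request from a client to a web server and the server's reply, through both controls."""
    request = Packet("203.0.113.10", 51234, "10.0.1.20", 443)
    reply = Packet("10.0.1.20", 443, "203.0.113.10", 51234)
    scan = Packet("198.51.100.77", 40000, "10.0.1.20", 443)

    sg = SecurityGroup(inbound=[SgRule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])

    # NACL as often written first: allows 443 in and 443 out, nothing else.
    naive_in = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    naive_out = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    # Corrected NACL: return traffic goes to the client's ephemeral port, so outbound
    # needs 1024-65535; a low-numbered deny blocks a hostile range before the allow.
    fixed_in = [NaclRule(90, "all", 0, 65535, "198.51.100.0/24", "deny")] + naive_in
    fixed_out = naive_out + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

    return {
        "sg_request": sg.decision(request, "inbound"),
        "sg_reply": sg.decision(reply, "outbound"),            # allowed by state, not by a rule
        "nacl_naive_request": nacl_decision(naive_in, request, "inbound"),
        "nacl_naive_reply": nacl_decision(naive_out, reply, "outbound"),  # dropped: port 51234 not allowed
        "nacl_fixed_reply": nacl_decision(fixed_out, reply, "outbound"),
        "nacl_fixed_scan": nacl_decision(fixed_in, scan, "inbound"),      # deny rule 90 wins over allow 100
        "sg_scan": SecurityGroup([SgRule("tcp", 443, 443, "0.0.0.0/0")], []).decision(scan, "inbound"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

The two results to compare are nacl_naive_reply (deny) against sg_reply (allow): the same reply packet that the stateful SG lets through is dropped by a NACL that forgot the ephemeral range. The last entry shows the other half of the slide's point: the SG has no way to refuse the scanner's address, while the NACL's rule 90 does.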
Amazon Virtual Private Cloud (VPC)
Egress-only IGWs:
An egress-only internet gateway provides outbound
communication from IPv6 instances in your VPC to the
internet and prevents the internet from initiating
connections to those instances over IPv6. It plays the role
a NAT gateway plays for IPv4, which is needed because IPv6
addresses in a VPC are globally unique and publicly routable.
IPv6, the sixth iteration of the Internet Protocol, succeeds
IPv4 and uses a 128-bit address. Like IPv4, it provides the
unique addresses that internet-connected devices need to
communicate.
DHCP option sets:
A DHCP option set is a group of network settings, such as
the DNS name servers and domain name, handed to EC2
instances when they launch.
Amazon Virtual Private Cloud (VPC)
VPC Flow Logs:
Flow logs capture metadata about the IP traffic going to and
from network interfaces in your VPC (source and destination
address and port, protocol, packet and byte counts, and
whether the traffic was accepted or rejected), which helps
you understand traffic patterns.
Flow logs do not record packet payloads; they are published
to destinations such as CloudWatch Logs or Amazon S3.
Flow logs also serve as a security tool for monitoring the
traffic reaching your instances, for example rejected
connection attempts that indicate scanning.
You can create alarms to notify you when certain types of
traffic are detected.
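Worked example (added here, not from the slides): parsing default-format VPC Flow Log records and flagging a source that is REJECTed on many distinct ports, the pattern a port scan leaves behind. The log lines, account ID, ENI ID and addresses are constructed, and the threshold of five ports is an assumption to tune for your environment.

```python
"""Detecting a port scan in VPC Flow Log records.

Added example, not from the slides. The log lines below are constructed samples in
the default (version 2) VPC Flow Log format; the account, ENI and addresses are
made up. The detection threshold is an assumption to tune per environment.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default VPC Flow Log format, version 2, space-separated fields in this order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 44123 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 44124 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 44125 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 44126 1433 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 44127 3306 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 44128 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.20 51234 443 6 12 5300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.5 10.0.1.20 39000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 203.0.113.10 443 51234 6 10 8800 1700000000 1700000060 ACCEPT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA number: 6 = TCP, 17 = UDP
    action: str     # ACCEPT or REJECT


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format lines; skip NODATA/SKIPDATA records and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA (no traffic) or SKIPDATA (capture error) carry no addresses
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                                  int(rec["dstport"]), int(rec["protocol"]), rec["action"]))
    return records


def rejected_ports_by_source(records: list[FlowRecord],
                             local_cidr: str = "10.0.0.0/16") -> dict[str, set]:
    """Distinct destination ports each external source was REJECTed on.

    local_cidr (assumed VPC range) filters out internal sources so that
    east-west noise does not trip the scan detector.
    """
    local = ipaddress.ip_network(local_cidr)
    hits: dict[str, set] = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and ipaddress.ip_address(r.srcaddr) not in local:
            hits[r.srcaddr].add(r.dstport)
    return dict(hits)


def detect_port_scans(text: str, min_ports: int = 5) -> dict[str, set]:
    """Sources rejected on at least min_ports distinct ports; min_ports is an assumed threshold."""
    hits = rejected_ports_by_source(parse_flow_log(text))
    return {src: ports for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_LOG)
    print(f"{len(records)} usable records")
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {sorted(ports)}")
```

In production the same aggregation runs as a CloudWatch Logs Insights query or an Athena query over the S3 export; the value of writing it out is seeing which fields matter (srcaddr, dstport, action, log_status) and that NODATA records must be skipped before any per-source counting.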
Amazon VPC
VPCs:
Logically isolated from other VPCs.
Dedicated to your AWS account.
Belong to a single AWS Region and can span multiple AZs.
Subnets:
A range of IP addresses that divides a VPC.
Belong to a single AZ.
Classified as public or private.
Amazon VPC
IP addressing
When you create a VPC, you assign it an IPv4 CIDR block.
You cannot change the primary CIDR block after you create
the VPC, but you can associate additional (secondary) IPv4
CIDR blocks later.
The largest IPv4 CIDR block size is /16.
The smallest IPv4 CIDR block size is /28.
IPv6 is also supported.
The CIDR blocks of subnets cannot overlap.
Amazon VPC
VPC subnets can be either private or public.
As the name suggests, a private subnet does not have direct
access to and from the internet, and a public subnet does.
By default, any subnet you create is private; what makes it
public is a default route, 0.0.0.0/0, via the IGW in the
subnet's route table (and, for an instance to be reachable,
a public or Elastic IP address on it).
Reserved IP Addresses
Example: A VPC with an IPv4 CIDR block of [Link]/16 has
65,536 total IP addresses. The VPC is divided into four
equal-sized /24 subnets of 256 addresses each.
AWS reserves five addresses in every subnet: the first four
(network address, VPC router, DNS resolver, future use) and
the last (broadcast). Only 251 IP addresses are therefore
available for use in each subnet.
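Worked example (added here; not part of the original slides or of any AWS code): the CIDR arithmetic from the CIDR and reserved-address slides above, done with Python's standard ipaddress module. It checks a VPC block against the /16 to /28 limits, checks that subnets fit inside the VPC and do not overlap, lists the five addresses AWS reserves in each subnet, and shows the dotted-decimal to 32-bit conversion from the IP address slide. The VPC and subnet CIDRs are constructed sample values.

```python
"""VPC CIDR planning with the standard-library ipaddress module.

Added example for these slides (not code from the slides or from AWS).
Assumptions: the VPC size limits (/16 largest, /28 smallest) and the five
reserved addresses per subnet come from the slides and AWS documentation;
the VPC and subnet CIDRs used below are constructed sample values.
"""
import ipaddress

VPC_LARGEST_PREFIX = 16   # /16 = 65,536 addresses, the largest allowed VPC block
VPC_SMALLEST_PREFIX = 28  # /28 = 16 addresses, the smallest allowed VPC block
RESERVED_PER_SUBNET = 5   # AWS keeps 5 addresses in every subnet


def to_bits(address: str) -> str:
    """Dotted-decimal IPv4 address -> its 32-bit binary form, grouped by octet."""
    value = int(ipaddress.IPv4Address(address))
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def vpc_cidr_problems(cidr: str) -> list[str]:
    """Return the reasons a string is not acceptable as a VPC IPv4 CIDR (empty list = OK)."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:  # host bits set, bad syntax, or not IPv4
        return [f"{cidr}: {exc}"]
    problems = []
    if net.prefixlen < VPC_LARGEST_PREFIX:
        problems.append(f"{cidr}: larger than /16, the largest VPC block AWS allows")
    if net.prefixlen > VPC_SMALLEST_PREFIX:
        problems.append(f"{cidr}: smaller than /28, the smallest VPC block AWS allows")
    return problems


def reserved_addresses(subnet: ipaddress.IPv4Network) -> dict[str, str]:
    """The five addresses AWS reserves in a subnet, keyed by what AWS uses them for."""
    base = int(subnet.network_address)
    return {
        "network": str(ipaddress.IPv4Address(base)),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        "dns_resolver": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(subnet.broadcast_address),  # reserved although VPCs do not use broadcast
    }


def plan_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> dict:
    """Check subnets against their VPC and report total/usable addresses per subnet.

    Problems (bad VPC size, subnet outside the VPC, overlapping subnets) are
    collected in the report rather than raised, so a planner can show all of them.
    """
    report = {"vpc": vpc_cidr, "problems": vpc_cidr_problems(vpc_cidr), "subnets": {}}
    if report["problems"]:
        return report
    vpc = ipaddress.IPv4Network(vpc_cidr)
    seen: list[ipaddress.IPv4Network] = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            report["problems"].append(f"{cidr}: {exc}")
            continue
        if not net.subnet_of(vpc):
            report["problems"].append(f"{cidr} is not inside VPC {vpc_cidr}")
        for other in seen:
            if net.overlaps(other):
                report["problems"].append(f"{cidr} overlaps {other}")
        seen.append(net)
        report["subnets"][cidr] = {
            "total": net.num_addresses,
            "usable": net.num_addresses - RESERVED_PER_SUBNET,
            "reserved": reserved_addresses(net),
        }
    return report


if __name__ == "__main__":
    # The slide's example: a /16 VPC carved into four equal /24 subnets.
    plan = plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"])
    for cidr, info in plan["subnets"].items():
        print(cidr, "total", info["total"], "usable", info["usable"],
              "router", info["reserved"]["vpc_router"])
    print("problems:", plan["problems"] or "none")
    print("10.0.1.20 in binary:", to_bits("10.0.1.20"))
```

Running plan_subnets with four /18 subnets instead of four /24 subnets gives 16,379 usable addresses each, which is what "four equal-sized subnets" of a /16 would mean if the subnets covered the whole block; the slide's 251 figure only follows for /24 subnets.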
Public IP Addresses
Public IPv4 Address
Manually assigned through an Elastic IP address, or
Automatically assigned through the auto-assign public IP
address setting at the subnet level (this address is
released when the instance stops and a different one is
assigned when it starts again).
Elastic IP Address
Associated with your AWS account, not with an instance.
Can be allocated and remapped to another instance at any time.
Additional costs might apply.
Elastic Network Interface
An elastic network interface (ENI) is a virtual network
interface that can:
Attach to an instance
Detach from the instance, and attach to another instance
to redirect network traffic.
Its attributes (private IP addresses, Elastic IP, MAC
address, security groups) follow it when it is reattached
to a new instance.
Each instance in your VPC has a primary network interface
that is assigned a private IPv4 address from the IPv4
address range of its subnet.
Route table and routes
A route table contains a set of rules that you can configure
to direct network traffic from your subnet.
Each route specifies a destination and a target.
By default, every route table contains a local route for
communication within the VPC.
Each subnet must be associated with a route table.
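Worked example (added here, not from the slides): resolving a destination against a route table with longest-prefix match, and classifying subnets as public or private from their effective route table, in line with the public/private subnet and route-table slides above. It also flags the case practitioners get bitten by: a subnet with no explicit association that falls through to a main route table carrying an IGW default route. All IDs and CIDRs are constructed.

```python
"""Route-table evaluation and public/private subnet classification.

Added example, not from the slides. The route tables, subnets and resource
IDs (rtb-, igw-, nat-, tgw-, subnet-) below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RouteTable:
    rtb_id: str
    routes: dict[str, str]                         # destination CIDR -> target
    subnets: list[str] = field(default_factory=list)  # explicitly associated subnets
    main: bool = False                             # the VPC's main table applies to unassociated subnets


def next_hop(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Pick the target for a destination using longest-prefix match, like the VPC router."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in table.routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no route, the packet is dropped


def has_igw_default(table: RouteTable) -> bool:
    """A subnet is public when its table sends 0.0.0.0/0 (or ::/0) to an internet gateway."""
    return any(cidr in ("0.0.0.0/0", "::/0") and target.startswith("igw-")
               for cidr, target in table.routes.items())


def effective_table(subnet_id: str, tables: list[RouteTable]) -> RouteTable:
    """Explicit association wins; otherwise the main route table applies."""
    for t in tables:
        if subnet_id in t.subnets:
            return t
    return next(t for t in tables if t.main)


def classify_subnets(subnet_ids: list[str], tables: list[RouteTable]) -> dict[str, dict]:
    """Return, per subnet, whether it is public and which table made it so.

    'implicit' marks a subnet that became public only by falling through to a
    main route table that carries an IGW default route: a common misconfiguration.
    """
    result = {}
    for sid in subnet_ids:
        table = effective_table(sid, tables)
        public = has_igw_default(table)
        result[sid] = {
            "public": public,
            "route_table": table.rtb_id,
            "implicit": public and sid not in table.subnets,
        }
    return result


# Constructed sample VPC 10.0.0.0/16 with three subnets.
TABLES = [
    RouteTable("rtb-main", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc"}, main=True),
    RouteTable("rtb-public", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc"},
               subnets=["subnet-web"]),
    RouteTable("rtb-private", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0def",
                               "192.168.0.0/16": "tgw-0123"}, subnets=["subnet-app"]),
]
SUBNETS = ["subnet-web", "subnet-app", "subnet-forgotten"]

if __name__ == "__main__":
    for sid, info in classify_subnets(SUBNETS, TABLES).items():
        print(sid, "public" if info["public"] else "private", "via", info["route_table"],
              "(implicit, via main table!)" if info["implicit"] else "")
    private = TABLES[2]
    print("10.0.3.9 ->", next_hop(private, "10.0.3.9"))            # local
    print("192.168.5.1 ->", next_hop(private, "192.168.5.1"))      # tgw-0123
    print("93.184.216.34 ->", next_hop(private, "93.184.216.34"))  # nat-0def
```

The fix the classifier points at is the one the slides recommend: give every subnet an explicit custom route table and keep the main route table free of any IGW route, so that a forgotten subnet defaults to private rather than public.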
Amazon Virtual Private Cloud (VPC)
A VPC's route tables hold the directives for packet routing;
a main route table is created with the VPC.
Custom route tables can be assigned to individual subnets.
By default, all subnets in a VPC can reach each other
through the local route.
More precise subnet routing lets you configure subnet route
tables that send traffic between two subnets in a VPC
through virtual appliances such as intrusion detection
systems, network firewalls, and intrusion prevention systems.
To build tighter security, organizations tend to create
multiple VPCs, which complicates matters when those VPCs
need to communicate with each other. To simplify this, we
use Transit Gateway (TGW).
AWS Transit Gateway (TGW)
As customers spin up more and more VPCs in AWS, there is an
ever-increasing need to connect them.
Before TGW, you connected VPCs using VPC peering, but a
peering connection is one-to-one and not transitive: only
the resources in the two peered VPCs can communicate with
each other.
If many VPCs need to communicate with each other, which is
often the case, the result is a complex mesh of peering
connections.
For example, as shown in the diagram below, 5 VPCs need 10
peering connections (n(n-1)/2 for n VPCs).
AWS Transit Gateway (TGW)
Managing so many VPC peering
connections becomes
challenging, and there is also a
limit on the number of active
peering connections per VPC.
To overcome this challenge, AWS
released TGW.
TGW needs one connection called
an attachment to a VPC, and you
can establish full- or part-mesh
connectivity easily without
maintaining so many peering
connections.
AWS Transit Gateway (TGW)
Diagram shows simplified
communication between five VPCs
using TGW.
AWS TGW is a central aggregation
service spanned within a Region,
which can be used to connect your
VPCs and on-premises networks.
TGW is a managed service that takes
care of your availability and
scalability and eliminates complex
VPN or peering connection scenarios
when connecting with multiple VPCs
and on-premises infrastructure.
AWS Transit Gateway (TGW)
You can connect TGWs in different Regions by using TGW
peering.
TGW is a Regional entity, meaning you can only attach VPCs
to the TGW within the same Region, and per VPC, the
bandwidth reserved is 50 Gbps.
However, one TGW can have up to 5,000 VPC attachments.
AWS PrivateLink
AWS PrivateLink establishes private connectivity between
VPCs and AWS services without exposing the traffic to the
internet.
PrivateLink also lets a VPC connect privately to services
hosted in other AWS accounts (including your own services
behind a Network Load Balancer).
There are two kinds of VPC endpoint for reaching AWS
services from a VPC: gateway endpoints and interface
endpoints.
Gateway endpoints do not use PrivateLink; they are
route-table entries that let you reach Amazon S3 and
DynamoDB without an IGW or NAT device in your VPC.
For other AWS services, you create an interface VPC
endpoint, which connects to the service through AWS
PrivateLink.
AWS PrivateLink
Enabling PrivateLink requires creating an endpoint network
interface in each desired subnet; it receives a private IP
address from that subnet's address range.
PrivateLink makes resources hosted in another VPC or another
AWS account reachable as if they were in the requester's own
VPC, which eliminates the need for a NAT gateway, IGW,
public IP address, or VPN.
AWS PrivateLink enables private connectivity between a
Service Provider and a Service Consumer over the AWS
infrastructure, so data never crosses the public internet.
To achieve this, the Service Provider creates an Endpoint
Service in a private subnet.
AWS PrivateLink
The Service Consumer creates an endpoint in a private subnet
with the Service Provider's Endpoint Service as the target.
The partner (provider) sets up an Endpoint Service to expose
the service running behind a Network Load Balancer (NLB).
An NLB is created in each private subnet where the service
runs.
These services run on EC2 instances hosted inside a private
subnet.
The client can then create a VPC endpoint targeting the
Endpoint Service and use it to consume the service; the
provider controls which AWS principals may connect and can
require manual acceptance of each connection request.
AWS PrivateLink
Use of PrivateLink between a Service Consumer on an AWS
account and an on-premises Service Provider
AWS PrivateLink
The NLB in the Shared Service account is configured with a
target group whose targets reference the IP addresses of
the on-premises servers.
The NLB is then exposed as an Endpoint Service.
The Service Consumer account consumes this Endpoint Service
by creating a VPC endpoint.
Direct Connect provides the dedicated private network
connection (over fiber, through a Direct Connect location)
between the on-premises servers and the AWS Region.
Edge networking
Edge Networking
Edge networking is like last-mile delivery in the supply chain
world.
With users across the world, from the USA to Australia and
from India to Brazil, you want each user to have the same
experience regardless of the physical location of the server
hosting the application.
Several components play a role in building last-mile
networking:
Route 53
Amazon CloudFront
AWS Global Accelerator (AGA)
AWS Wavelength
Route 53
Amazon Route 53 is a fully managed, highly available, and
scalable DNS service.
It provides a reliable and cost-effective means for systems
and users to translate names like [Link] into IP
addresses like [Link].
Route 53 is also a domain registrar where you can register a
new domain.
You can choose an available domain, add it to the cart from
the AWS Console, and define the contacts for the domain.
AWS allows you to transfer your domains to AWS and
between accounts.
Route 53
In Route 53, AWS assigns four name servers to each hosted
zone, as shown in the screenshot, each under a different
top-level domain: one in .com, one in .net, one in .[Link],
and one in .org, so the zone stays resolvable if one TLD has
problems.
Route 53
Route 53 supports both public and private hosted zones.
Public hosted zones hold records for internet-facing
resources and are resolvable from the internet, using the
global routing policies.
Private hosted zones hold records for VPC resources and
resolve only from inside the associated VPCs; together with
Route 53 Resolver forwarding rules and endpoints, they
integrate with on-premises private zones.
Route 53 provides IPv6 support with end-to-end DNS
resolution, including IPv6 forward (AAAA) and reverse (PTR)
records, along with health-check monitoring for IPv6
endpoints.
Route 53
Route 53 provides the following seven types of routing
policies for traffic:
1. Simple routing policy – This is used for a single resource
(for example, a web server created for the
[Link] website).
2. Failover routing policy – This is used to configure active-
passive failover, driven by health checks.
3. Geolocation routing policy – This routes traffic based on
the user's location.
4. Geoproximity routing policy – This routes traffic based on
the geographic location of your resources and, optionally,
a bias that shifts traffic toward or away from a resource.
Route 53
Route 53 provides the following seven types of routing
policies for traffic:
5. Latency routing policy – This optimizes the best latency for
the resources deployed in multiple AWS Regions.
6. Multivalue answer routing policy – This is used to respond
to DNS queries with up to eight healthy, randomly selected
records.
7. Weighted routing policy – This is used to route traffic to
multiple resource properties as defined by you (for
example, you want to say 80% traffic to site A and 20% to
site B).
Amazon CloudFront
Amazon CloudFront is a content delivery service that
accelerates the distribution of both static and dynamic content
like image files, video files, and JavaScript, CSS, or HTML files,
through a network of data centers spread across the globe.
(data centers are referred to as edge locations).
It is used to distribute your content; users requesting content
are served by the nearest edge location, giving lower latency and
better performance.
AWS has over 300 high-density edge locations spread across over
90 cities in 47 countries.
All edge locations are equipped with ample cache storage space
and intelligent routing mechanisms to increase the edge cache
hit ratio.
Amazon CloudFront
AWS content distribution edge locations are connected with
high-performance 100 GbE network devices and are fully
redundant, with parallel global networks with default
physical layer encryption.
Consider an image distribution website, [Link],
hosted in the US, which serves art images.
Users can access the URL [Link]/[Link], and
the image is loaded.
If your server is close to the user, the image loads quickly,
but if users in other locations, like Australia or South
Africa, access the same URL, the request has to cross
multiple networks before the content reaches the user's
browser.
Amazon CloudFront
As shown in the preceding diagram, when a viewer requests
page content from [Link], Route 53 resolves the name
to the IP of a nearby CloudFront edge location, so the
browser connects to the edge rather than to the origin.
CloudFront uses the following rules for content distribution:
If the requested content is already in the edge data
center (a "cache hit"), it is served immediately.
If the content is not at the edge location (a "cache
miss"), CloudFront requests the content from the origin
(the web server or S3). The response flows back through
the AWS backbone, is delivered to the viewer, and a copy
is kept at the edge for future requests.
Amazon CloudFront
If you are using CloudFront, it also provides an extra
layer of security, since your origin server need not be
directly exposed to the public network. This holds only if
you lock the origin down: for an S3 origin, use origin
access control so the bucket accepts requests only from
your distribution; for a custom origin, restrict inbound
traffic to CloudFront's address ranges (the AWS-managed
prefix list) and check a secret header that CloudFront adds.
CloudFront avoids trips to the origin for most user
requests, and content is served from the nearest location.
CloudFront protects the connection between end users and
the edge, as well as between the edge network and the
origin.
By offloading TLS termination to CloudFront, application
performance improves, since the negotiation and TLS
handshakes are removed from the origins.
AWS Global Accelerator (AGA)
AGA enhances application availability and performance by
offering fixed static IP addresses as a single entry point,
or multiple entry points, to your endpoints in AWS Regions,
including ALBs, NLBs, and EC2 instances.
AGA uses the AWS global network to optimize the path from
users to applications, improving the performance of TCP and
UDP traffic.
AGA continuously monitors the health of application
endpoints and redirects traffic to healthy endpoints,
typically within 30 seconds of detecting an unhealthy
endpoint.
AWS Global Accelerator (AGA)
AGA and CloudFront are distinct services offered by AWS
that employ the AWS global network and its edge locations.
While CloudFront accelerates the performance of both
cacheable (e.g., videos and images) and dynamic (e.g.,
dynamic site delivery and API acceleration) content, AGA
enhances the performance of various applications over TCP
or UDP.
Both services are compatible with AWS Shield, providing
protection against DDoS attacks.
AGA automatically reroutes your traffic to the nearest
healthy endpoint to avoid failure.
AWS Global Accelerator (AGA)
AGA health checks react to a customer backend failure within
about 30 seconds, in line with other AWS load-balancing
solutions (such as NLB) and Route 53.
Where AGA raises the bar is that the shift to healthy
backends takes effect for clients within that 30-second
window, whereas DNS-based failover depends on clients and
resolvers honouring record TTLs and can take minutes to
hours to move the traffic load.
Some key reasons to use AGA are:
Accelerate your global applications – AGA intelligently
directs TCP or UDP traffic from users to the AWS-based
application endpoint, providing consistent performance
regardless of the users' geographic location.
Amazon Global Accelerator (AGA)
Improve global application availability – AGA constantly
monitors your application endpoints, including but not
limited to ALBs, NLBs, and EC2 instances. It instantly
reacts to changes in their health or configuration,
redirecting traffic to the next closest available endpoint
when problems arise.
Fixed entry point – AGA provides a set of static IP
addresses for use as a fixed entry point to your AWS
application. Announced via anycast and delivered from
AWS edge locations worldwide, these eliminate the
complexity of managing the IP addresses of multiple
endpoints and allow you to scale your application and
maintain DDoS resiliency with AWS Shield.
Amazon Global Accelerator (AGA)
Protect your applications – AGA allows you to serve
internet users while keeping your ALBs and EC2 instances
private.
AGA allows customers to run global applications in multiple
AWS Regions.
Traffic destined to static IPs is globally distributed, and end
user requests are ingested through AWS’s closest edge
location and routed to the correct regional resource for
better availability and latency.
This global endpoint supports TCP and UDP and does not
change even as customers move resources between Regions
for failover or other reasons.
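The failover behaviour described in the AGA slides above (health checks that take a failing endpoint out of rotation and send users to the nearest healthy one) can be modelled in a few lines. The following is an added example written for this page, not AWS code or the course's own material; the Regions, latencies, probe interval and failure threshold are constructed values chosen so that the worst-case detection time works out to the 30 seconds the slides quote.

```python
"""Added example (not from the course slides): a small model of how an
accelerator-style health monitor takes a failing endpoint out of rotation
and sends users to the nearest healthy endpoint. Regions, latencies, check
interval and failure threshold are all constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    endpoint_id: str
    region: str
    latency_ms: float            # constructed edge-to-Region latency for one user
    healthy: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


class HealthMonitor:
    """Each endpoint is probed every `interval_s` seconds; `threshold`
    consecutive failures mark it unhealthy and `threshold` consecutive
    successes bring it back. Worst-case detection time is therefore
    interval_s * threshold (10 s * 3 = 30 s with the constructed defaults)."""

    def __init__(self, endpoints: List[Endpoint], interval_s: int = 10, threshold: int = 3):
        self.endpoints: Dict[str, Endpoint] = {e.endpoint_id: e for e in endpoints}
        self.interval_s = interval_s
        self.threshold = threshold

    def time_to_detect_s(self) -> int:
        return self.interval_s * self.threshold

    def record_check(self, endpoint_id: str, ok: bool) -> bool:
        """Apply one probe result and return the endpoint's new health state."""
        ep = self.endpoints[endpoint_id]
        if ok:
            ep.consecutive_successes += 1
            ep.consecutive_failures = 0
            if not ep.healthy and ep.consecutive_successes >= self.threshold:
                ep.healthy = True
        else:
            ep.consecutive_failures += 1
            ep.consecutive_successes = 0
            if ep.healthy and ep.consecutive_failures >= self.threshold:
                ep.healthy = False
        return ep.healthy

    def route(self) -> Optional[Endpoint]:
        """Pick the lowest-latency healthy endpoint; None means total outage."""
        healthy = [e for e in self.endpoints.values() if e.healthy]
        return min(healthy, key=lambda e: e.latency_ms) if healthy else None


def demo() -> List[str]:
    """Constructed scenario: the nearest Region fails three probes in a row,
    so the user is moved to the next-closest healthy Region."""
    mon = HealthMonitor([
        Endpoint("alb-use1", "us-east-1", 12.0),
        Endpoint("alb-euw1", "eu-west-1", 85.0),
    ])
    chosen = [mon.route().region]
    for _ in range(3):
        mon.record_check("alb-use1", ok=False)
        chosen.append(mon.route().region)
    return chosen


if __name__ == "__main__":
    print(demo())
```

The hysteresis (a threshold on both the failing and the recovering side) is what keeps a flapping backend from being toggled in and out of rotation on every probe; the detection time is the product of interval and threshold, which is why the slides can quote a bound of 30 seconds rather than a single probe's duration.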
AWS Wavelength
AWS Wavelength is designed to reduce network latency
when connecting to applications from 5G-connected devices
by providing infrastructure deployments within the Telco 5G
network service providers’ data centers.
It allows application traffic to reach application servers
running in Wavelength Zones, as well as AWS compute and
storage services.
This eliminates the need for traffic to traverse the public
internet, which can add latency of tens of milliseconds and
prevent applications from realizing the full bandwidth and
latency advancements of 5G.
AWS Wavelength
AWS Wavelength allows for the creation and
implementation of real-time, low-latency applications,
such as edge inference, smart factories, IoT devices, and
live streaming.
Benefits of AWS Wavelength are:
Ultra-low latency for 5G – Wavelength combines the AWS
core services, such as compute and storage, with low-
latency 5G networks. It helps you to build applications
with ultra-low latencies using the 5G network.
Consistent AWS experience – You can use the same AWS
services you use daily on the AWS platform.
AWS Wavelength
Benefits of AWS Wavelength are:
Global 5G network – Wavelength is available in popular
Telco networks such as Verizon, Vodafone, and SK
Telecom across the globe, including the US, Europe,
Korea, and Japan, which enables ultra-low latency
applications for a global user base.
Wavelength Zones are connected to a Region and provide
access to AWS services.
For the less latency-sensitive parts of an application,
architecting with a hub-and-spoke model (the Wavelength Zone
as the spoke, the Region as the hub) is the recommended
scalable and cost-effective option.
Example: Routing traffic using VPC
An internet gateway is a scalable, redundant, and highly
available VPC component that allows communication
between instances in your VPC and the internet.
An internet gateway serves two purposes: to provide a
target in your VPC route tables for internet-routable traffic,
and to perform network address translation for instances
that were assigned public IPv4 addresses.
To make a subnet public, you attach an internet gateway to
your VPC and add a route to the route table to send non-
local traffic through the internet gateway to the internet
([Link]/0).
Network address translation (NAT) gateway
A NAT gateway enables instances in a private subnet to connect
to the internet or other AWS services, but prevents the
internet from initiating a connection with those instances.
To create a NAT gateway, you specify the public subnet in
which the NAT gateway should reside, and you must also specify
an Elastic IP address to associate with the NAT gateway when
you create it.
After creating the NAT gateway, update the route table that is
associated with one or more of your private subnets to point
internet-bound traffic to the NAT gateway. Instances in your
private subnets can then communicate with the internet.
Compared with a NAT instance in a public subnet, a NAT gateway
provides better availability, higher bandwidth, and less
administrative effort.
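The internet gateway and NAT gateway slides above both come down to what the subnet's route table says about internet-bound traffic. The following added example (written for this page; not AWS code and not part of the course) evaluates VPC-style route tables with longest-prefix matching and shows why a public subnet (default route to an internet gateway) can accept inbound connections while a private subnet (default route to a NAT gateway) cannot, even when an instance there has been given a public address. Every CIDR, gateway ID and address in it is constructed.

```python
"""Added example (not from the course slides): evaluate VPC-style route
tables with longest-prefix matching to show why a public subnet (default
route to an internet gateway) accepts inbound connections while a private
subnet (default route to a NAT gateway) only allows outbound-initiated
flows. Every CIDR, gateway ID and address here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR prefix, e.g. "0.0.0.0/0"
    target: str        # "local", an "igw-..." ID or a "nat-..." ID


class RouteTable:
    def __init__(self, routes: List[Route]):
        self.routes = [(ipaddress.ip_network(r.destination), r.target) for r in routes]

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Return the target of the most specific route covering dst_ip
        (longest-prefix match, the rule a VPC route table applies)."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, target) for net, target in self.routes if ip in net]
        return max(matches)[1] if matches else None


@dataclass
class Instance:
    name: str
    private_ip: str
    route_table: RouteTable
    public_ip: Optional[str] = None   # public IPv4 / Elastic IP, if any


INTERNET_HOST = "198.51.100.10"       # constructed address outside the VPC


def outbound_target(inst: Instance, dst_ip: str) -> Optional[str]:
    """Which route-table target carries traffic from inst to dst_ip."""
    return inst.route_table.lookup(dst_ip)


def internet_can_initiate(inst: Instance) -> bool:
    """Inbound from the internet needs both a public IPv4 address and a
    subnet whose internet-bound route points at an internet gateway (the
    IGW performs the 1:1 public/private NAT). A NAT gateway translates only
    flows that instances start, so it never exposes the instance."""
    target = inst.route_table.lookup(INTERNET_HOST) or ""
    return inst.public_ip is not None and target.startswith("igw-")


# Constructed VPC: one public and one private subnet sharing 10.0.0.0/16.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = RouteTable([Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-0example")])
PRIVATE_RT = RouteTable([Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-0example")])

WEB = Instance("web", "10.0.1.10", PUBLIC_RT, public_ip="203.0.113.25")
DB = Instance("db", "10.0.2.20", PRIVATE_RT)
# A public address alone does not make an instance reachable: the subnet's
# default route still goes to the NAT gateway, so inbound flows have no path.
DB_WITH_EIP = Instance("db-with-eip", "10.0.2.21", PRIVATE_RT, public_ip="203.0.113.26")

if __name__ == "__main__":
    for inst in (WEB, DB, DB_WITH_EIP):
        print(inst.name, outbound_target(inst, INTERNET_HOST), internet_can_initiate(inst))
```

Note that the local route is the /16 and the internet route is /0, so intra-VPC traffic always wins by prefix length; the two subnets differ only in what their /0 route targets, which is exactly the distinction between "public" and "private" on the slides.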
VPC sharing
VPC sharing enables customers to share subnets with other AWS
accounts in the same organization in AWS Organizations.
It enables multiple AWS accounts to create their application
resources—such as Amazon EC2 instances, Amazon Relational
Database Service (Amazon RDS) databases, Amazon Redshift
clusters, and AWS Lambda functions—into shared, centrally
managed VPCs.
In this model, the account that owns the VPC (owner) shares
one or more subnets with other accounts (participants) that
belong to the same organization in AWS Organizations.
After a subnet is shared, the participants can view, create,
modify, and delete their application resources in the subnets
that are shared with them.
VPC sharing
Participants cannot view, modify, or delete resources that
belong to other participants or the VPC owner.
VPC sharing offers several benefits:
Separation of duties – Centrally controlled VPC structure,
routing, and IP address allocation
Ownership – Application owners continue to own resources,
accounts, and security groups
Security groups – VPC sharing participants can reference the
security group IDs of each other
Efficiencies – Higher density in subnets, efficient use of VPNs
and AWS Direct Connect
VPC sharing
VPC sharing offers several benefits:
No hard limits – Hard limits can be avoided (for example, 50
virtual interfaces per AWS Direct Connect connection) through
a simplified network architecture
Optimized costs – Costs can be optimized through the reuse
of NAT gateways, VPC interface endpoints, and intra-
Availability Zone traffic
VPC sharing enables you to decouple accounts and networks.
VPC peering
A VPC peering connection is a networking connection
between two VPCs that enables you to route traffic
between them privately.
Instances in either VPC can communicate with each other as
if they are within the same network.
You can create a VPC peering connection between your own
VPCs, with a VPC in another AWS account, or with a VPC in a
different AWS Region.
After setting up the peering connection, you must add routes
to the route tables of both VPCs so that they can communicate
with each other through the peering resource.
VPC peering
For example, suppose that you have two VPCs. In the route
table for VPC A, you set the destination to be the CIDR block
(IP address range) of VPC B and the target to be the peering
resource ID. In the route table for VPC B, you set the
destination to be the CIDR block of VPC A and the target to be
the peering resource ID.
VPC peering has some restrictions:
IP address ranges cannot overlap.
Transitive peering is not supported. For example, suppose that
you have three VPCs: A, B, and C. VPC A is connected to VPC B, and
VPC A is connected to VPC C. However, VPC B is not connected to
VPC C implicitly. To connect VPC B to VPC C, you must explicitly
establish that connectivity.
Only one peering connection is allowed between the same two VPCs.
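The three restrictions listed above, plus the requirement that both VPCs carry a route to the peering resource, are easy to get wrong when a topology is drawn on a whiteboard. The following added example (written for this page; not AWS code and not part of the course) models a peering topology that rejects overlapping CIDRs and duplicate peerings, and reports two VPCs as reachable only when they are directly peered and each side's route table points at that peering resource. It uses the A/B/C hub shape from the transitive-peering example on the slide; the VPC names, CIDR blocks and pcx IDs are constructed.

```python
"""Added example (not from the course slides): a small model that enforces
the VPC peering restrictions described above (no overlapping CIDRs, one
peering per VPC pair, no transitive peering) and checks that both VPCs'
route tables point at the peering resource before declaring two VPCs
reachable. All VPC names, CIDRs and pcx IDs are constructed."""
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple


class PeeringTopology:
    def __init__(self) -> None:
        self.vpcs: Dict[str, ipaddress.IPv4Network] = {}
        self.peerings: Dict[FrozenSet[str], str] = {}            # {A, B} -> pcx ID
        self.routes: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {}

    def add_vpc(self, name: str, cidr: str) -> None:
        self.vpcs[name] = ipaddress.ip_network(cidr)
        self.routes[name] = [(self.vpcs[name], "local")]   # every VPC has its local route

    def peering_error(self, a: str, b: str) -> Optional[str]:
        """Reason a peering between a and b would be rejected, or None if allowed."""
        if frozenset({a, b}) in self.peerings:
            return f"{a} and {b} already have peering {self.peerings[frozenset({a, b})]}"
        if self.vpcs[a].overlaps(self.vpcs[b]):
            return f"CIDR ranges of {a} and {b} overlap"
        return None

    def peer(self, a: str, b: str, pcx_id: str) -> None:
        err = self.peering_error(a, b)
        if err:
            raise ValueError(err)
        self.peerings[frozenset({a, b})] = pcx_id

    def add_route(self, vpc: str, dest_cidr: str, target: str) -> None:
        self.routes[vpc].append((ipaddress.ip_network(dest_cidr), target))

    def _route_target(self, vpc: str, dst: ipaddress.IPv4Network) -> str:
        # Longest-prefix match over the VPC's route table for the destination block.
        hits = [(net.prefixlen, t) for net, t in self.routes[vpc] if dst.subnet_of(net)]
        return max(hits)[1] if hits else ""

    def can_reach(self, src: str, dst: str) -> bool:
        """True only for directly peered VPCs with a forward route in src and a
        return route in dst, both targeting the same peering resource."""
        pcx = self.peerings.get(frozenset({src, dst}))
        if pcx is None:
            return False      # no direct peering: a path through a third VPC does not count
        return (self._route_target(src, self.vpcs[dst]) == pcx
                and self._route_target(dst, self.vpcs[src]) == pcx)


def build_demo() -> PeeringTopology:
    """Constructed hub topology: A is peered with B and with C; B and C are not."""
    t = PeeringTopology()
    t.add_vpc("A", "10.0.0.0/16")
    t.add_vpc("B", "10.1.0.0/16")
    t.add_vpc("C", "10.2.0.0/16")
    t.peer("A", "B", "pcx-0ab")
    t.peer("A", "C", "pcx-0ac")
    for src, dst, pcx in [("A", "B", "pcx-0ab"), ("B", "A", "pcx-0ab"),
                          ("A", "C", "pcx-0ac"), ("C", "A", "pcx-0ac")]:
        t.add_route(src, str(t.vpcs[dst]), pcx)
    return t


if __name__ == "__main__":
    topo = build_demo()
    for pair in [("A", "B"), ("A", "C"), ("B", "C")]:
        print(pair, topo.can_reach(*pair))
```

The B-to-C check is the one that surprises people: both VPCs are reachable from A, but because peering is not transitive there is no path between them until a third peering (and its routes) is added explicitly, which is the motivation for the Transit Gateway material later in the module.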
AWS Site-to-Site VPN
By default, instances that you launch into a VPC cannot
communicate with a remote network.
To connect your VPC to your remote network (that is, create
a virtual private network or VPN connection), you:
1. Create a new virtual gateway device (called a virtual private
network (VPN) gateway) and attach it to your VPC.
2. Define the configuration of the VPN device or the customer
gateway. The customer gateway is not a device but an AWS
resource that provides information to AWS about your VPN
device.
AWS Site-to-Site VPN
3. Create a custom route table to point corporate data
center-bound traffic to the VPN gateway. You also must
update security group rules. (You will learn about security
groups in the next section.)
4. Establish an AWS Site-to-Site VPN (Site-to-Site VPN)
connection to link the two systems together.
5. Configure routing to pass traffic through the connection.
AWS Direct Connect
One of the challenges of network communication is network
performance.
Performance can be negatively affected if your data center is
located far away from your AWS Region.
For such situations, AWS offers AWS Direct Connect, or DX.
It enables you to establish a dedicated, private network
connection between your network and one of the DX
locations.
This private connection can reduce your network costs,
increase bandwidth throughput, and provide a more
consistent network experience than internet-based
connections.
DX uses open standard 802.1q VLANs.
VPC endpoints
A VPC endpoint is a virtual device that enables you to
privately connect your VPC to supported AWS services and
VPC endpoint services that are powered by AWS PrivateLink.
Connection to these services does not require an internet
gateway, NAT device, VPN connection, or AWS Direct
Connect connection.
Instances in your VPC do not require public IP addresses to
communicate with resources in the service.
Traffic between your VPC and the other service does not
leave the Amazon network.
VPC endpoints
There are two types of VPC endpoints:
An interface VPC endpoint (interface endpoint) enables you to
connect to services that are powered by AWS PrivateLink.
These services include some AWS services, services that are hosted
by other AWS customers and AWS Partner Network (APN) Partners
in their own VPCs (referred to as endpoint services), and
supported AWS Marketplace APN Partner services.
The owner of the service is the service provider, and you—as the
principal who creates the interface endpoint—are the service
consumer.
You are charged for creating and using an interface endpoint to a
service. Hourly usage rates and data processing rates apply.
A gateway endpoint is a target that you add to your route table
for traffic destined to the supported services (Amazon S3 and
Amazon DynamoDB). The use of gateway endpoints incurs no
additional charge; standard charges for data transfer and
resource usage apply.
AWS Transit Gateway
You can configure your VPCs in several ways, and take
advantage of numerous connectivity options and gateways.
These options and gateways include AWS Direct Connect (via
DX gateways), NAT gateways, internet gateways, VPC
peering, etc.
It is not uncommon to find AWS customers with hundreds of
VPCs distributed across AWS accounts and Regions to serve
multiple lines of business, teams, projects, and so forth.
Things get more complex when customers start to set up
connectivity between their VPCs. All the connectivity
options are strictly point-to-point, so the number of VPC-
to-VPC connections can grow quickly.
AWS Transit Gateway
As you grow the number of workloads that run on AWS, you
must be able to scale your networks across multiple
accounts and VPCs to keep up with the growth.
Though you can use VPC peering to connect pairs of VPCs,
managing point-to-point connectivity across many VPCs
without the ability to centrally manage the connectivity
policies can be operationally costly and difficult.
For on-premises connectivity, you must attach your VPN to
each individual VPC. This solution can be time-consuming to
build and difficult to manage when the number of VPCs
grows into the hundreds.
AWS Transit Gateway
To solve this problem, you can use AWS Transit Gateway to
simplify your networking model.
With AWS Transit Gateway, you only need to create and
manage a single connection from the central gateway into
each VPC, on-premises data center, or remote office across
your network.
A transit gateway acts as a hub that controls how traffic is
routed among all the connected networks, which act like
spokes.
This hub-and-spoke model significantly simplifies
management and reduces operational costs because each
network only needs to connect to the transit gateway and
not to every other network.
AWS Transit Gateway
Any new VPC is connected to the transit gateway, and is then
automatically available to every other network that is
connected to the transit gateway.
This ease of connectivity makes it easier to scale your
network as you grow.
Label this network diagram
THANK YOU
Module 3
BCSE355L – AWS Solution Architect