Amazon Web Services
Networking 1
Question: Which network components are you familiar with? Choose all that apply:
A. IP addressing and subnetting
B. Switching and routing
C. Network security
D. None of the above
Overview
• Business requests
• IP addressing
• Virtual Private Cloud (VPC) fundamentals
• VPC traffic security
• Present solutions
• Capstone check-in
• Knowledge check
Business Requirements
The network engineer needs to know:
• How can we make sure that our network has enough IP addresses to support our workloads?
• How do we build a dynamic and secure network infrastructure in our AWS account?
• How can we filter inbound and outbound traffic to protect resources on our network?
(Persona: Network Engineer)
IP addressing
“How can we make sure that our network has enough IP
addresses to support our workloads?”
IP addresses
• An IP address identifies a location within a network.
• It identifies the network and the host.
• There are two types of IP addresses: IPv4 and IPv6.
IPv4 example: Network A uses 10.x.x.x (hosts such as 10.45.12.120 and 10.45.12.121). Network B uses 172.31.x.x (hosts such as 172.31.2.15 and 172.31.121.10). In 172.31.2.15, the leading portion (172.31) identifies the network and the remaining portion (2.15) identifies the location of the host.
Classless Inter-Domain Routing (CIDR)
CIDR notation is a way of representing an IP address and its network mask.
An IPv4 address is four groups of 8 bits.
Example: 10.22.0.0/16
• Dot notation specifies the network or subnet: 10.22.0.0 = 00001010.00010110.00000000.00000000
• Slash notation specifies the subnet mask: /16 reserves the first 16 bits for network identification. The remaining bits are the host range: 10.22.0.0 to 10.22.255.255.
AWS supported ranges:
CIDR  Total IPs
/28   16
…     …
/20   4,096
/19   8,192
/18   16,384
/17   32,768
/16   65,536
VPC fundamentals
“How do we build a dynamic and secure network
infrastructure in our AWS account?”
VPC fundamentals topics
• Amazon VPC
• Subnets
• Internet gateway
• Route table
• Elastic IP address
• Elastic network interface
• NAT gateway
Amazon VPC
• Provides logical isolation for your workloads
• Permits custom access controls and security settings for your resources
• Is bound to a single AWS Region
Diagram: a Region containing VPC 172.31.0.0/16 (65,536 addresses), which spans Availability Zone 1 and Availability Zone 2.
Subnets
• Subnets are a subset of the VPC CIDR block.
• Subnet CIDR blocks cannot overlap.
• Each subnet resides within one Availability Zone.
• An Availability Zone can contain multiple subnets.
• Five addresses are reserved.
Diagram: VPC 172.31.0.0/16 (65,536 addresses) in a Region.
Availability Zone 1: public subnet 172.31.0.0/20 (4,096 addresses), private subnet 172.31.32.0/20 (4,096 addresses).
Availability Zone 2: public subnet 172.31.16.0/20 (4,096 addresses), private subnet 172.31.48.0/20 (4,096 addresses).
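The CIDR arithmetic and the subnet rules above (prefix sizes from the AWS table, the four /20 subnets carved out of 172.31.0.0/16, the no-overlap rule and the five reserved addresses) as an added worked example; this is illustration code written for this page, not AWS code, and the breakdown of the five reserved addresses comes from AWS documentation rather than the slide.

```python
import ipaddress

# AWS reserves five addresses in every subnet (documented AWS behaviour):
# the network address, the VPC router, the DNS resolver, one address held
# for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def aws_size_table(smallest=28, largest=16):
    """Total IPv4 addresses per prefix length, from /28 (16) up to /16 (65,536)."""
    return {p: 2 ** (32 - p) for p in range(smallest, largest - 1, -1)}


def cidr_summary(cidr):
    """Split a CIDR block into its dot-notation bits, mask and host range."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits = ".".join(f"{b:08b}" for b in net.network_address.packed)
    return {
        "prefix": net.prefixlen,            # slash notation: number of network bits
        "netmask": str(net.netmask),
        "network_bits": bits,               # dot notation, four groups of 8 bits
        "total_ips": net.num_addresses,
        "usable_ips": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        "first": str(net[0]),               # start of the host range
        "last": str(net[-1]),               # end of the host range
    }


def carve_subnets(vpc_cidr, new_prefix, count):
    """Take the first `count` non-overlapping /new_prefix blocks out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in list(vpc.subnets(new_prefix=new_prefix))[:count]]


def overlapping_pairs(cidrs):
    """Pairs of subnet CIDRs that overlap; a VPC will not accept such a plan."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print(cidr_summary("10.22.0.0/16"))
    print(carve_subnets("172.31.0.0/16", 20, 4))
```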
Public subnets
A public subnet holds resources that work with inbound and outbound internet traffic.
It requires the following:
Route table
• A set of rules that the VPC uses to route network traffic
• Requires a route to the internet
Internet gateway
• Allows communication between resources in your VPC and the internet
Public IP addresses
• IP addresses that can be reached from the internet
• Protects the private IP addresses, which are only reachable on the VPC network
Diagram: Internet → Internet gateway → Route table → EC2 instance in the public subnet (Public IP: 203.0.133.15, Private IP: 172.31.2.15).
Internet gateways
• Internet gateways permit communication between instances in your VPC and the internet.
• They provide a target in your subnet route tables for internet-routable traffic.
• They protect IP addresses on your network by performing network address translation (NAT).
Diagram: VPC 172.31.0.0/16 in one Availability Zone. Public subnet 172.31.0.0/20 with a route table and an EC2 instance (Public IP: 203.0.133.15, Private IP: 172.31.2.15); a packet leaves the instance with source IP 172.31.2.15 and, after the internet gateway, reaches the internet with source IP 203.0.133.15. Private subnet 172.31.32.0/20 with its own route table and an EC2 instance (Private IP: 172.31.32.15).
Route tables
• Your VPC has an implicit router.
• You use route tables to control where network traffic is directed.
Public route table
Destination     Target
172.31.0.0/16   local
0.0.0.0/0       igw-1234567890abcdef0
Private route table
Destination     Target
172.31.0.0/16   local
Diagram: VPC 172.31.0.0/16 in one Availability Zone. Public subnet 172.31.0.0/20 with an EC2 instance (Public IP: 203.0.133.15, Private IP: 172.31.2.15) reaches the internet through the internet gateway. Private subnet 172.31.32.0/20 with an EC2 instance (Private IP: 172.31.32.15).
Private subnets
• Private subnets allow indirect access to the internet.
• The private IP address never changes.
• Traffic in the VPC stays local.
Diagram: VPC 172.31.0.0/16 in one Availability Zone. Public subnet 172.31.0.0/20 with a route table and an EC2 instance (Public IP: 203.0.133.15, Private IP: 172.31.2.15) connected to the internet through the internet gateway. Private subnet 172.31.32.0/20 with an EC2 instance (Private IP: 172.31.32.15) and a private route table:
Destination     Target
172.31.0.0/16   local
Default Amazon VPCs
• Provisioned at account creation
• Preconfigured for immediate use
• Span all Availability Zones within the Region
• Owned and controlled by the customer
Diagram: default VPC 172.31.0.0/16 in a Region, connected to the internet through an internet gateway.
Availability Zone 1, default subnet 1: 172.31.0.0/20, instance with Public IP 203.0.113.17 and Private IP 172.31.0.5.
Availability Zone 2, default subnet 2: 172.31.16.0/20, instance with Public IP 203.0.114.23 and Private IP 172.31.16.5.
Main route table
Destination     Target
172.31.0.0/16   local
0.0.0.0/0       igw-id
Elastic IP addresses
• Permit association with an instance or a network interface
• Can be reassociated and direct new traffic immediately
• Default restriction of five per Region, per account
• Support Bring Your Own IP (BYOIP)
Diagram: VPC in one Availability Zone, connected to the internet through an internet gateway. Public subnet with two EC2 instances (Private IP 172.31.0.50 and Private IP 172.31.0.51); the Elastic IP 203.0.133.15 is reassociated from the first instance to the second. Private subnet with an EC2 instance (Private IP 172.31.32.75).
Elastic network interface
An elastic network interface is a logical networking component in a VPC that:
• Can be moved across resources in the same Availability Zone
• Maintains its private IP address, Elastic IP address, and MAC address
Diagram: VPC in one Availability Zone; a customer reaches the public subnet through the internet gateway. An elastic network interface (Elastic IP: 203.0.133.15, Private IPv4: 172.31.2.11) is attached to an instance (Private IPv4: 172.31.2.15) and can be moved to another instance (Private IPv4: 172.31.2.18).
Network address translation with NAT gateways
• You use NAT to protect your private IP addresses.
• A NAT gateway uses an Elastic IP address as the source IP address for traffic from the private subnet.
Diagram: VPC 172.31.0.0/16 in one Availability Zone. An EC2 instance in the private subnet (Private IP: 172.31.32.75) sends traffic with source IP 172.31.32.75 to the NAT gateway in the public subnet (Elastic IP: 203.0.133.15, Private IP: 172.31.2.15). The traffic leaves through the internet gateway with source IP 203.0.133.15.
Connecting private subnets to the internet
NAT gateway use case: Connecting resources in a private subnet to the internet
• The route table for the private subnet sends all IPv4 internet traffic to the NAT gateway.
• The route table for the public subnet sends all internet traffic to the internet gateway.
Public route table
Destination     Target
172.31.0.0/16   local
0.0.0.0/0       igw-1234567890abcdef0
Private route table
Destination     Target
172.31.0.0/16   local
0.0.0.0/0       nat-021345abcdef6789
Diagram: VPC 172.31.0.0/16 in one Availability Zone; the public subnet holds the NAT gateway and connects to the internet through the internet gateway; the private subnet holds an EC2 instance.
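How the implicit router resolves the route tables on the previous slides (public, private without internet route, private with NAT), and what source address the destination ends up seeing, as an added example; this is illustration code for this page, not AWS code. The external address 198.51.100.7 is a constructed destination, and the gateway IDs are the placeholder IDs shown on the slides.

```python
import ipaddress

# Route tables taken from the slides: destination CIDR -> target.
PUBLIC_ROUTE_TABLE = {
    "172.31.0.0/16": "local",
    "0.0.0.0/0": "igw-1234567890abcdef0",
}
PRIVATE_ROUTE_TABLE = {            # private subnet with no internet route
    "172.31.0.0/16": "local",
}
PRIVATE_ROUTE_TABLE_WITH_NAT = {   # private subnet that egresses via the NAT gateway
    "172.31.0.0/16": "local",
    "0.0.0.0/0": "nat-021345abcdef6789",
}
NAT_GATEWAY_EIP = "203.0.133.15"   # Elastic IP on the NAT gateway, as on the slide


def lookup(route_table, dst_ip):
    """Longest-prefix match: the most specific route wins; None means no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(route_table, src_ip, dst_ip, public_ip=None, nat_eip=NAT_GATEWAY_EIP):
    """Return (target, source address the destination sees) for one packet."""
    target = lookup(route_table, dst_ip)
    if target is None:
        return ("no route", None)               # the implicit router drops the packet
    if target == "local":
        return ("local", src_ip)                # stays inside the VPC, address unchanged
    if target.startswith("igw-"):
        # The internet gateway translates the private address to the instance's
        # public IP; an instance without one cannot reach the internet this way.
        return (target, public_ip) if public_ip else ("no public IP", None)
    if target.startswith("nat-"):
        return (target, nat_eip)                # NAT gateway substitutes its Elastic IP
    return (target, None)
```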
Deploy a VPC across multiple Availability Zones
• Deploy your VPCs across multiple Availability Zones to achieve high availability.
• Create subnets in each Availability Zone.
• Deploy resources in each Availability Zone.
• Distribute traffic between the Availability Zones using load balancers.
Diagram: a Region with one VPC spanning two Availability Zones. Each Availability Zone has a public subnet containing a NAT gateway and an app subnet containing app servers. Elastic Load Balancing distributes traffic across both Availability Zones; an internet gateway connects the VPC to the internet.
VPC traffic security
“How can we filter inbound and outbound traffic to protect
resources on our network?”
Network access control lists (ACLs)
• A network ACL acts as a firewall at the subnet boundary.
• By default, it allows all inbound and outbound traffic.
• It is stateless, requiring explicit rules for all traffic.
• It evaluates rules starting with the lowest numbered rule.
Diagram: a VPC with a public subnet (Availability Zone 1) and a private subnet (Availability Zone 2), each containing an instance; the network ACL nacl-MyNACL1 is applied at the subnet boundary.
nacl-MyNACL1
Inbound
Rule #  Type         Protocol  Port Range  Source     Allow or Deny
100     HTTP         TCP       80          0.0.0.0/0  Allow
101     HTTPS        TCP       443         0.0.0.0/0  Allow
*       ALL Traffic  ALL       ALL         0.0.0.0/0  Deny
Outbound
Rule #  Type             Protocol  Port Range   Destination  Allow or Deny
100     Custom TCP Rule  TCP       1024-65535   0.0.0.0/0    Allow
*       ALL Traffic      ALL       ALL          0.0.0.0/0    Deny
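The nacl-MyNACL1 rule set above, evaluated the way the slide describes (lowest rule number first, the "*" rule last, stateless so request and response are checked separately), as an added example; this is illustration code for this page, not AWS code. The client address 198.51.100.7 and the extra rule 90 used to show ordering are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NaclRule:
    number: int          # None models the "*" default rule, which is evaluated last
    protocol: str        # "tcp", "udp", "icmp" or "all"
    ports: tuple         # (low, high) inclusive, or None for all ports
    cidr: str            # source (inbound) or destination (outbound)
    action: str          # "allow" or "deny"


# nacl-MyNACL1 from the slide.
INBOUND = [
    NaclRule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),       # HTTP
    NaclRule(101, "tcp", (443, 443), "0.0.0.0/0", "allow"),     # HTTPS
    NaclRule(None, "all", None, "0.0.0.0/0", "deny"),           # * ALL Traffic
]
OUTBOUND = [
    NaclRule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),  # ephemeral ports for responses
    NaclRule(None, "all", None, "0.0.0.0/0", "deny"),           # * ALL Traffic
]


def evaluate(rules, protocol, port, ip):
    """First matching rule wins, lowest number first; the '*' rule is the last resort."""
    ordered = sorted(rules, key=lambda r: (r.number is None, r.number or 0))
    addr = ipaddress.ip_address(ip)
    for r in ordered:
        if r.protocol not in ("all", protocol):
            continue
        if r.ports is not None and not (r.ports[0] <= port <= r.ports[1]):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return (r.action, r.number)
    return ("deny", None)   # nothing matched at all: implicit deny


def client_flow_allowed(inbound, outbound, client_ip, service_port, client_port):
    """Stateless: an internet client's request and the response leg are checked separately."""
    request = evaluate(inbound, "tcp", service_port, client_ip)
    response = evaluate(outbound, "tcp", client_port, client_ip)
    return request[0] == "allow" and response[0] == "allow"
```

A common failure with this ACL is a response to a client whose ephemeral port is below 1024: the request is admitted by rule 100 or 101, but the outbound leg falls through to the "*" deny.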
Security groups
• A security group is a virtual firewall that controls inbound and outbound traffic into AWS resources.
• It allows traffic based on IP protocol, port, or IP address.
• It uses stateful rules.
Diagram: AWS Cloud → Availability Zone → VPC → public subnet with two instances, each protected by its own security group.
Default and new security groups
• Security groups in default VPCs allow all outbound traffic.
• Custom security groups have no inbound rules and allow outbound traffic.
Diagram: a security group blocks all inbound traffic and allows all outbound traffic.
Custom security group rules
Inbound
Source     Protocol  Port  Comments
0.0.0.0/0  TCP       80    Allows inbound HTTP access from all IPv4 addresses
0.0.0.0/0  TCP       443   Allows inbound HTTPS traffic from anywhere
Outbound
Destination             Protocol  Port  Comments
SG ID of DB servers     TCP       1433  Allows outbound Microsoft SQL Server access to instances in the specified security group
SG ID of MySQL servers  TCP       3306  Allows outbound MySQL access to instances in the specified security group
Security group chaining
• Inbound and outbound rules allow traffic flow from the top tier to the bottom tier.
• The security groups act as firewalls to prevent a subnet-wide security breach.
Diagram (one Availability Zone):
Web security group, inbound rule: Allow HTTPS port 443, Source: 0.0.0.0/0 (any) → Web server
App security group, inbound rule: Allow HTTP port 80, Source: Web tier → App server
Data security group, inbound rule: Allow TCP port 3306, Source: App tier → Database
Design your infrastructure with multiple layers of defense
Diagram: traffic from the internet passes through the internet gateway, the route table, and the network ACL at the public subnet boundary, and then through the security group attached to each instance.
Comparing security groups and network ACLs
Security Group                                                               | Network ACL
Associated to an elastic network interface and implemented in the hypervisor | Associated to a subnet and implemented in the network
Supports Allow rules only                                                    | Supports Allow rules and Deny rules
A stateful firewall                                                          | A stateless firewall
All rules evaluated before deciding whether to allow traffic                 | All rules processed in order when deciding whether to allow traffic
Applies to an instance only if it is associated with the instance            | Applies to all instances deployed in the associated subnet
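The chained web, app and data security groups from the chaining slide, modelled with the properties in the comparison table (allow rules only, a source that can be another security group, and stateful handling of responses), as an added example; this is illustration code for this page, not AWS code. The group IDs sg-web, sg-app and sg-data and all IP addresses used in the checks are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SgRule:
    protocol: str
    port: int
    source: str           # a CIDR, or the ID of another security group


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)
    # A new custom group has no inbound rules and allows all outbound traffic;
    # because rules are stateful, no outbound rule is needed for response traffic.


# The three chained groups from the slide (IDs are constructed placeholders).
WEB = SecurityGroup("sg-web", [SgRule("tcp", 443, "0.0.0.0/0")])
APP = SecurityGroup("sg-app", [SgRule("tcp", 80, "sg-web")])
DATA = SecurityGroup("sg-data", [SgRule("tcp", 3306, "sg-app")])


def source_matches(rule_source, src_ip, src_sg_id):
    if rule_source.startswith("sg-"):
        return rule_source == src_sg_id   # matched on group membership, not on address
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)


def inbound_allowed(dst_sg, protocol, port, src_ip, src_sg_id=None):
    """Allow rules only: admitted if any rule matches, otherwise implicitly denied."""
    return any(r.protocol == protocol and r.port == port
               and source_matches(r.source, src_ip, src_sg_id) for r in dst_sg.inbound)


class ConnectionTracker:
    """Stateful firewall: responses to an admitted request are allowed back automatically."""

    def __init__(self):
        self.established = set()

    def request(self, dst_sg, protocol, port, src_ip, src_sg_id=None):
        ok = inbound_allowed(dst_sg, protocol, port, src_ip, src_sg_id)
        if ok:
            self.established.add((src_ip, dst_sg.sg_id, protocol, port))
        return ok

    def response_allowed(self, dst_sg_id, protocol, port, client_ip):
        return (client_ip, dst_sg_id, protocol, port) in self.established
```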
Review
Present solutions
Consider how you would answer the following:
• How can we make sure that our network has enough IP addresses to support our workloads?
• How do we build a dynamic and secure network infrastructure in our AWS account?
• How can we filter inbound and outbound traffic to protect resources on our network?
(Persona: Network Engineer)
Module review
In this module you learned about:
IP addresses
VPC fundamentals
VPC traffic security
Next, you will review:
Capstone check-in
Knowledge check
Capstone architecture
Diagram: a Region with one VPC spanning two Availability Zones. Each Availability Zone has a public subnet (NAT gateway), an app subnet (app servers in an Auto Scaling group, with an EFS mount target for Amazon EFS), and a database subnet (Aurora primary DB instance in one Availability Zone, Aurora replica in the other). An Application Load Balancer fronts the app servers, and an internet gateway connects the VPC to the internet.
Capstone architecture check-in
Diagram: a Region with one VPC spanning two Availability Zones; each Availability Zone has a public subnet with a NAT gateway, an app subnet, and a database subnet. An internet gateway connects the VPC to the internet.
Knowledge check
Knowledge check question 1
True or False: A single Amazon VPC can span multiple Regions.
A True
B False
Knowledge check question 1 and answer
True or False: A single Amazon VPC can span multiple Regions.
A True
B False (correct)
Knowledge check question 2
What action must you take to make a subnet public?
A Route outbound traffic from the subnet.
B Route inbound traffic from the internet gateway.
C Route outbound traffic to the internet gateway.
D Subnets are public by default.
Knowledge check question 2 and answer
What action must you take to make a subnet public?
A Route outbound traffic from the subnet.
B Route inbound traffic from the internet gateway.
C Route outbound traffic to the internet gateway. (correct)
D Subnets are public by default.
Knowledge check question 3
What function does the NAT gateway serve?
A Load balances incoming traffic to multiple instances
B Allows internet traffic initiated by private subnet instances
C Allows instances to communicate between subnets
D Increases security for instances in a public subnet
Knowledge check question 3 and answer
What function does the NAT gateway serve?
A Load balances incoming traffic to multiple instances
B Allows internet traffic initiated by private subnet instances (correct)
C Allows instances to communicate between subnets
D Increases security for instances in a public subnet
Knowledge check question 4
What should you use to create traffic filtering rules for a subnet?
A NAT gateway
B Route table
C Security group
D Network ACL
Knowledge check question 4 and answer
What should you use to create traffic filtering rules for a subnet?
A NAT gateway
B Route table
C Security group
D Network ACL (correct)
Knowledge check question 5
Which ports are open by default when you create a new security group? (Select TWO.)
A Nothing allowed inbound
B Nothing allowed outbound
C Anything allowed inbound
D Anything allowed outbound
E Inbound traffic is allowed on public subnets
Knowledge check question 5 and answer
Which ports are open by default when you create a new security group? (Select TWO.)
A Nothing allowed inbound (correct)
B Nothing allowed outbound
C Anything allowed inbound
D Anything allowed outbound (correct)
E Inbound traffic is allowed on public subnets