AWS NETWORKING
CLOUD ADDRESSES
PRIVATE IP – These are static and are retained if you stop an instance; are IPv6 (Internet Protocol version 6).
PUBLIC IP – These are dynamic and change. Use IPv4, free.
ELASTIC IP – You pay for this. A static public IP you can assign to a private IP to allow for consistent public addresses on the internet.
FIREWALLS
Classless Inter-Domain Routing (CIDR)
Run in the range /16 to /28.
Essentially subtract the prefix number from 32 to get the power of 2.
32 - 24 = 8, so 2^8 = 256 addresses.
Then for AWS remove 5 addresses. These are:
X.X.X.0 = Network
X.X.X.1 = VPC router
X.X.X.2 = VPC DNS
X.X.X.3 = VPC reserved
X.X.X.255 = Broadcast
10.0.0.1/24 is a base address of 10.0.0.1 with a CIDR notation of 24.
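As an added worked example (not part of the original notes), the CIDR arithmetic above in Python: it computes the address count from the prefix, subtracts the five addresses AWS reserves, names each reserved address, and rejects prefixes outside the /16 to /28 range. The function name and the role labels are my own choices.

```python
import ipaddress

# AWS reserves five addresses in every subnet (see the notes above):
# network, VPC router, VPC DNS, reserved for future use, and broadcast.
AWS_RESERVED_PER_SUBNET = 5

# AWS only accepts IPv4 VPC/subnet prefixes between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def describe_subnet(cidr: str) -> dict:
    """Work the CIDR arithmetic from the notes for one IPv4 subnet.

    Returns the total address count (2 ** (32 - prefix)), the count left
    for instances after AWS's five reserved addresses, and the role of
    each reserved address. Raises ValueError outside the /16-/28 range.
    """
    # strict=False lets a host-style notation like 10.0.0.1/24 through
    # and normalises it to its network, 10.0.0.0/24.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("these notes cover IPv4 subnets only")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"/{net.prefixlen} is outside the AWS range /16-/28")

    host_bits = 32 - net.prefixlen  # "subtract the number from 32"
    total = 2 ** host_bits          # "... to get the power of 2"
    base = int(net.network_address)
    reserved = {
        "network": str(net.network_address),                # X.X.X.0
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),  # X.X.X.1
        "vpc_dns": str(ipaddress.IPv4Address(base + 2)),     # X.X.X.2
        "future_use": str(ipaddress.IPv4Address(base + 3)),  # X.X.X.3
        "broadcast": str(net.broadcast_address),            # last address
    }
    return {
        "network": str(net),
        "total_addresses": total,
        "usable_addresses": total - AWS_RESERVED_PER_SUBNET,
        "reserved": reserved,
    }


if __name__ == "__main__":
    info = describe_subnet("10.0.0.1/24")
    print(f"{info['network']}: {info['total_addresses']} addresses, "
          f"{info['usable_addresses']} usable by instances")
    for role, addr in info["reserved"].items():
        print(f"  {addr:<15} {role}")
```

For a /28, the smallest subnet AWS allows, only 11 of the 16 addresses are left for instances, which matters when sizing small subnets for NAT or gateway placements.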
INTERNET CONNECTIVITY
PRIVATE SUBNET – Not exposed to the internet, so does not have public IPs.
PUBLIC SUBNET – Exposed to the internet, so has IPv4 internet addresses (public).
NAT stands for Network Address Translation, and it's used to allow instances in a private subnet to access the internet without exposing them to inbound traffic from the internet.
NAT INSTANCES – Sits on an EC2 instance.
NAT GATEWAY – Is a managed service.
INTERNET GATEWAY (IGW) – Used in AWS when you want resources inside your VPC, like EC2 instances, to communicate directly with the public internet.
VPC PEERING –
A way of getting two VPCs to talk to each other, by setting up an agreement, routing and security groups and passing the traffic through the private Amazon global network. All done by configuring software.
VPC ENDPOINTS –
Direct connection from the VPC to AWS services. There are two types of VPC endpoints.
HYBRID CONNECTIVITY
VPCs talking to on-premise networks.
AWS Client VPN – Basically a software client on a laptop.
Site-to-Site VPN – AWS lets you create a Virtual Gateway in each VPC that enables you to establish a VPN (a virtual private network) between your on-premise network and the VPC. The connection is secured over IPsec.
Virtual Gateways (VGW) – Are the access point at the AWS end. Found on Site-to-Site VPNs.
AWS CloudHub – Is a site-to-site VPN pattern (hub and spoke).
DIRECT CONNECT (DX) –
AWS Direct Connect is a physical fibre link between your data centre and an AWS location. You plug into a router or switch at your site, connect to a Direct Connect partner or carrier, and they route traffic directly to AWS, bypassing the public internet for faster, more consistent performance. It takes weeks to set up because it's essentially re-routing telecoms at a physical box using a cross-over cable. It's not encrypted, but you can apply an IPsec Site-to-Site VPN over the top.
Note the Virtual Interface has two options: Hosted VIF (shared) or Hosted Connection (dedicated). Public or private options exist on top of this.
DIRECT CONNECT GATEWAY
A cost-cutting solution to use DX for multiple VPCs in different regions, but from a single office.
PROBLEM WITH MULTIPLE VPC PEERING
The example below shows how complicated it gets trying to peer together 4 VPCs and connect them into an on-premise network with a Site-to-Site VPN connection.
TRANSIT GATEWAY
A Transit Gateway provides a simplified solution to setting up multiple VPN and VPC peerings when you have multiple VPCs. All the VPCs can go through the Transit Gateway, and you can simply connect a Site-to-Site VPN or Direct Connect connection to handle your on-premise connection.