[REPORT] A developer’s guide to cloud networking #AWSreInvent #BOA207

[REPORT] A developer’s guide to cloud networking #AWSreInvent #BOA207

Clock Icon2023.12.31

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

I participated in this session about introduction to cloud networking for developers at re:Invent2023. Here is an over view of the session.

Today, website accessibility depends on robust cloud networking. This session offers insights for developers to help them clearly understand the fundamentals of AWS networking to prevent the dreaded “this site can’t be reached” error messages. Explore essential AWS components like VPCs, subnets, routing, and security groups to understand their significance in cloud networking. Leave equipped with methodologies and tools to build accessible, available cloud-based applications and websites. Architects, developers, and technology decision-makers alike can gain takeaways to ensure that websites remain reachable in the cloud.

Report

During this session, we learned the basics of AWS networking, and I've summarized an overview of each component on this blog.

Agenda

  • AWS Global Infrastructure
  • Amazon VPC and security basics
  • Connectivity in AWS
  • Hybrid connectivity
  • Traffic monitoring and visibility

Poll

We had an online poll.

What percentage of your day on average is spent troubleshooting the network?

  • 0% - 10%
  • 11% - 20%
  • 21% - 30%
  • 31% or more
  • Unsure

Here is the result.

0% - 10% is the most common. This is a good result since it means less time spent troubleshooting the network.

AWS Global Infrastructure

It started with an introduction to AWS infrastructure.

  • 32 launched Regions
    There are 32 regions around the world where you can deploy your applications, typically as close to your customers as possible.
  • 102 Availability Zones
  • 600+ Points of Presence (CloudFront, Route53, AWS Global Accelerator)

AWS Region design

  • AWS regions are separate geographic areas where AWS operates data centers
  • Multiple AZs for high availability, high scalability, and high fault tolerance
  • Three availability zones in each region

AWS Availability Zone (AZ) design

  • Fully isolated with one or more data centers
  • Highly available, fault tolerant, and scalable
  • Physically separated by a meaningful distance - all within 60 miles (100Km) of each other
    Just in case there's a flood or earthquake near that AZ.
  • Data centers connected via fully redundant and isolated metro fiber

Building a VPC

  • A VPC created in region spans the entire region.
  • A VPC can span multiple AZs but only within a single region.
  • After creating a VPC, create subnets. Then, deploy EC2 instances within these subnets.
  • Achieve high availability by utilizing multiple AZs.
  • This constitutes the fundamentals of VPC architecture.

Amazon VPC and security basics

In this section, there was an explanation about the following.

  • Usage of IP addresses within and outside the VPC
    Inside of VPC: EC2, Lambda functions, RDS - Recommend that use private IP addressing
    Outside the VPC: DynamoDB, S3, Bedrock - Using public IP addresses

  • IP range (CIDR)
    When creating a VPC, you must specify and IPv4 CIDR block for the VPC. The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).

  • Subnet
    A subnet is a range of IP addresses in your VPC. Each subnet must reside entirely within one Availability Zone and cannot span zones.

  • Elastic Network Interface
    ENI is a logical networking component in a VPC that represents a virtual network card and can be attached to an instance.

  • Route table
    A route refers to a defined path for network traffic. A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

  • NACLs
    A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level.
    ※ NACLs are stateless.

  • Security gropus
    A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
    ※ Security groups are stateful.

Connectivity in AWS

Connecting to the internet

"Amazon VPC and security basics" section above was about accessing public AWS services from VPC and between VPC.
This section is about accessing the internet from VPC.

[ 3 things for connecting to the internet ]

  1. Attach an internet gateway
  2. Assign external IPv4 address
  3. Update VPC route table
    ※ Add IPv6 address rules to the route table if you are using IPv6 addresses as well as IPV4 addresses.

How to check the IP address of an EC2 instance

Local IP address

[ec2-user@ip-172-31-16-14 ~]$ ifconfig
enX0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.31.16.14  netmask 255.255.240.0  broadcast 172.31.31.255

Public IP address

[ec2-user@ip-172-31-16-14 ~]$ curl -w "\n" -H "X-aws-ec2-metadata-token: $TOKEN" \
> http://169.254.169.254/latest/meta-data/public-ipv4
34.219.144.122

Egress-only internet gateway

  • An egress-only internet gateway is for use with IPv6 traffic only.
  • Instances can access the internet, but internet access to instances is not allowed.

Connecting from the internet

This section is about accessing the EC2 instances from the internet.

[ 5 things for connecting from the internet ]

  1. Public IP
  2. Security groups allow
  3. NACLs allow
  4. Attach internet gateway
  5. Route to IGW

VPC gateway endpoints

  • A private connection from a VPC to an AWS public service.
  • No Internet gateway, NAT gateway, VPN required.
  • Public services that can be connected are S3 and DynamoDB.
  • No data transfer charge when connecting to the above services from VPC.

VPC interface endpoints

  • The interface endpoint is utilizing PrivateLink.
    ※ This means that a private and secure connection is provided between the VPC and the AWS Service.

  • There are hundreds of services available, but basically you can do the following.
    -- If you create an interface endpoint, it creates an ENI in the AZ.
    -- If you want to communicate with CloudWatch, you'll communicate through that interface endpoint.
    -- Access directly through PrivateLink.

[ Difference between gateway endpoint and interface endpoint ]

  • A gateway endpoint utilizes routing within the route table.
  • A interface endpoint uses AWS PrivateLink to obtain IP addresses or ENIs and communicate with services, also capable of using DNS for communication.

AWS PrivateLink

  • AWS PrivateLink enables private connections between VPCs, supported AWS services, and on-premises networks without them to the internet.
  • Using NLB.
  • No Internet gateway, NAT gateway, VPN required.

Connecting between VPCs

  • Amazon VPC peering
    -- Max 125 peers per VPC
    -- No bandwidth limit
    -- Routed connectivity Bidirectional

  • AWS Transit Gateway
    -- 5,000 VPCs per Transit Gateway
    -- Up to 100 Gpbs per attachment
    -- Routed connectivity Bidirectional

  • AWS PrivateLink
    -- No quota on number of consumer VPC
    -- Scales to 100 Gbps per ENI
    -- Application connectivity Client to server
    -- Unidirectional

Hybrid connectivity

This section is about hybrid connectivity.
When connecting from a data center to AWS, there are several options available.

  • Site-to-Site VPN
  • AWS Direct Connect (Dedicated network)
  • Direct Connect Gateway (High availability)
  • Transit Gateway (Transit Gateway + VPN, Transit Gateway + Direct Connect)

Traffic monitoring and visibility

We had an online poll.

What's your biggest challenge when it comes to troubleshooting network problems in the cloud?

  • Security groups/NACLs
  • DNS
  • Routing
  • VPC configuration
  • Other

Here is the result.

"Routing" has the most votes, and "SG/NACLs" have a high voting rate as well. As means to address these issues, there are two options available within the VPC.

Amazon VPC flow logs

  • Supported for Amazon VPC and AWS Transit Gateway
  • Capture non-real-time metadata information about the IP traffic for your VPC and transit gateway
  • Provides better visibility of network traffic patterns; monitor network security and troubleshoot issues
  • Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, and Amazon kinesis Data Firehose

Amazon VPC Traffic Mirroring

  • Copy network traffic from an EC2 instance's ENI
  • Packet capture
  • Content inspection
  • Thread monitoring
  • Troubleshooting
  • Copies network traffic, including payload

Reachability Analyzer

  • Configuration analysis tool that can perform conncectivity testing between source and destination resources in a VPC.
  • Troubleshoot connectivity issues caused by misconfigured networks.

Conclusion

The session covered mostly basic content, I was able to review my knowledge and even learned few new things. I'm not familiar with Traffic Mirroring and Reachability Analyzer, so will try to learn them hands-on. It was also a good opportunity to find out what service is not familiar with.

If you are new to AWS or want to learn more about AWS networking, I recommend checking out the video of thi session.

References

AWS re:Invent 2023 - A developer’s guide to cloud networking (BOA207)
Amazon Virtual Private Cloud
Traffic Mirroring
Reachability Analyzer

Share this article

facebook logohatena logotwitter logo

© Classmethod, Inc. All rights reserved.