AWS Networking

1) OSI Model 


-The Open Systems Interconnection (OSI) Model defines standards of communication for Telecom and Computer Systems.

-The OSI Model was invented in the 1970s because organizations and governments were creating proprietary networking technology

- They needed to agree upon a conceptual standard on how these different technologies would communicate with each other at an abstract level.

-The OSI model describes how information moves from software on a computer through a network to another computer.

-The OSI Model is made of seven layers, numbered 1 to 7 as follows:

7. Application

6. Presentation

5. Session

4. Transport

3. Network

2. Data Link

1. Physical




-When data leaves one computer it has to

    * Pass through each of the 7 layers

    * Over the network / internet

    * Pass again through the 7 layers

- As it moves from layer to layer the data is transformed into PDUs.

a) TCP/IP

- What is a Protocol? A technical specification defining a strict standard to which communication between technologies must adhere. eg. Internet Protocol version 4 (IPv4) is the protocol we use to pass information around on the internet. IPv4 passes data around by organizing it into packets.


-What is a Protocol Data Unit (PDU)? a single unit of information transmitted among peer entities of a computer network. PDUs for the OSI Layers:

    * 4 Transport Layer - Segment

    * 3 Network Layer - Packet

    * 2 Data Link Layer - Frame

    * 1 Physical Layer - Bit

- What is the Internet protocol suite (TCP/IP)?

    * The conceptual model and set of communications protocols used in the Internet and similar computer networks. It is commonly known as TCP/IP because the foundational protocols in the suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP)

    * Protocols in the suite include HTTP, TLS/SSL, TCP, UDP, IP and ICMP. (MAC addressing and DSL belong to the link and physical layers underneath the suite rather than to TCP/IP itself)

    

b) OSI Layer 1 - Physical Layer

- The Physical Layer is responsible for transmitting raw bits as a physical signal over the medium to the next device on the path. The raw bits are sent as a bitstream. A bitstream is a sequence of bits.

-The data signal could be Electrical or Optical (lasers!)

-The hardware or concepts related to the Physical Layer would be:

    * Voltage - electrical pressure between two points

    * Pin Layouts - which signal travels on which pin of a connector or socket

    * Cabling - Coaxial Cable or Fiber Optics Cables

    * Radio Frequencies - Wireless uses Radio frequencies

    * Repeaters - Repeats a physical signal to increase it range

c) OSI Layer 2 - Data Link Layer

- The Data Link Layer is responsible for packaging data into Frames and transferring them between network nodes on the same physical link or LAN segment. Network nodes could be a: computer, printer, modem, switch, hub, bridge, server ...

-The Data Link Layer handles:

    * Packages frames

    * Send frames to network nodes 

    * Error detection (and, for some link protocols, correction)

    * Identifies network nodes based on MAC address


- What is a MAC address? A Media Access Control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a Layer 2 network address

- MAC addresses are burned into the network card by the manufacturer, but the operating system can override the address it puts on the wire (MAC spoofing). A MAC address is therefore an identifier, not an authenticator: never use it on its own as an access control

-Data Link Protocols and devices

    * Ethernet is a family of networking technologies commonly used in Local Area Networks (LANs)

    * PPP (Point-to-Point Protocol)

    * Switches and Bridges are Layer 2 devices: they forward frames between ports based on MAC addresses

d) OSI Layer 3 - Network

The Network Layer is responsible for logical addressing and for routing (forwarding) packets between networks based on their IP addresses.

- The Network layer handles:

    * Logical Addressing

        ** Addressing for IPv4, IPv6, IPX, AppleTalk

    * Packet forwarding (switching)

        ** Moving packets to the next hop on the way to specific devices

    * Route discovery and selection

        ** Determining the best route to send packets

    * IPv4/IPv6 - Routing IP Packets

    * IPsec (Internet Protocol Security) - Authenticates and encrypts packets for secure routing; it is what AWS Site-to-Site VPN tunnels use

    * ICMP - error messaging 


- Packets are the PDUs for the Network Layer. A Packet is a formatted unit that consists of control information (the header) and user data (the payload)

e) OSI Layer 4 - Transport Layer

- The Transport Layer is responsible for end-to-end connections and reliability.

- The Transport Layer sits at the boundary between the OSI upper layers (Host Layers) and lower layers (Media Layers), and is conventionally counted as the lowest of the host layers.

-Layers

    * Host Layers - Responsible for accurate delivery of data between the applications on the hosts (upper layers)

        ** 7. Application

        ** 6. Presentation

        ** 5. Session

        ** 4. Transport

    * Media Layers - Responsible for getting data to the expected destination (lower layers)

        ** 3. Network

        ** 2. Data Link

        ** 1. Physical


- Transports layer handles:

    * Connection-oriented communication

        ** Connections are established before useful data is transferred

    * Reliability 

        ** Check if data is corrupted or has been lost and request the data again

    * Flow Control 

        ** The rate at which data flows

    * Congestion Control

        ** The ability to avoid the congestion of data flow

    * Multiplexing 

        ** Gathers multiple chunks of data from multiple sockets and packages them as segments.

- Transport Protocols

    * TCP (Transmission Control Protocol)

        ** Connection-oriented: a three-way handshake first, and every segment must be acknowledged by the receiver

        ** Guarantees delivery and ordering of data (lost segments are retransmitted)

        ** Used commonly in web applications (HTTP runs over TCP)

    * UDP (User Datagram Protocol)

        ** Datagrams are sent with no connection and require no acknowledgement

        ** Datagrams can be lost or arrive out of order, but the protocol has much less overhead and is faster

        ** Used commonly in video games, voice/video streaming and DNS

        ** Because there is no handshake, source addresses are trivial to spoof, which is why UDP services (DNS, NTP) get abused for reflection/amplification DDoS


- Control Protocols

    * ICMP (Internet Control Message Protocol)

        ** Sends error messages or operational information indicating success/failure when communicating with another IP address (ping, "destination unreachable", "time exceeded")

        ** Used by networking devices such as routers

        ** Note: ICMP rides directly on IP and is a Network Layer (Layer 3) protocol, not a Transport Layer one; it is listed here because it reports on the delivery of packets and segments


f) OSI Layer 5 - Session Layer

- What is a Session?

    * A session identifies who is doing what on a computer or device.

    * An example of a session would be a User Session, e.g. when you log in to a website

    * A session has a state (eg. logged in) and that state has to be stored somewhere, on the server or in a token

    * Sessions are temporary

    * They can expire when a web-browser closes or based on an expiry time

- The Session Layer is responsible for creating , maintaining and destroying sessions.

- Session Layer Protocols

    * API - Application Programming Interface: many APIs require a token (session or bearer token) to persist a session across requests

    * Web Sockets - Establishes a persistent session for streaming data in real time to web applications

    * NetBIOS (Network Basic Input/Output System) - allows applications on different computers to communicate within a local area network

    * NFS (Network File System) - allows multiple users to access a shared file system over the network

    * RPC (Remote Procedure Call) - lets a program execute a procedure on another host as if it were local; Windows services rely on it heavily (MSRPC). Logging in to a Windows desktop remotely uses RDP, a different protocol


g) OSI Layer 6 - Presentation

- The Presentation Layer formats and delivers information to the Application Layer. It is also known as the Syntax Layer. It handles things such as:

    * Data encryption and decryption

    * Character code translation

    * Data compression


- Presentation Layer formats and standards (these are data formats rather than wire protocols)

    * JPEG (Joint Photographic Experts Group)

    * GIF (Graphics Interchange Format) 

    * PNG (Portable Network Graphics)

    * ASCII (American Standard Code for Information Interchange) 

    * MPEG4 (Moving Picture Experts Group 4)


-Why do we need a Presentation Layer? The Presentation Layer ensures that the data at one end of a connection is interpreted in the same way when it reaches the other end of the connection

h) OSI Layer 7 - Application

- The Application Layer is the closest to the end-user.

- The protocols for the Application Layer are used by software applications such as:

    * Email 

    * Web Applications

    * Chat Applications

    * Shell Terminals


-Application Layer Internet Protocols:

    * HTTP/S (Hyper Text Transfer Protocol / Secure)

    * SSH (Secure Shell)

    * DNS (Domain Name System)

    * DHCP (Dynamic Host Configuration Protocol)

    * LDAP (Lightweight Directory Access Protocol)

    * SSL (Secure Sockets Layer) * deprecated; every SSL version is considered insecure

    * TLS (Transport Layer Security) * the current replacement for SSL; it sits between the transport layer and the application protocol it protects, so some models place it at Layer 5/6 rather than 7

    * FTP (File Transfer Protocol)

    * IRC (Internet Relay Chat)

    * BGP (Border Gateway Protocol)

    * RTP (Real-time Transport Protocol)

    * MQTT (Message Queuing Telemetry Transport)

    * Telnet * unencrypted; use SSH instead

i) Protocol Data Units

-What is a Protocol Data Unit (PDU)? A single unit of information transmitted among peer entities of a computer network. Each layer wraps the PDU of the layer above in its own header (and, for frames, a trailer). PDUs for the OSI Layers:

    * Application Layer (7) | Data | Data - e.g. an HTTP Request

    * Transport Layer (4) | Transport Header + Data | Segment - a chunk of data prepared for transmission

    * Network Layer (3) | Network Header + Transport Header + Data | Packet - a chunk of data prepared by software (the IP stack)

    * Data-Link Layer (2) | Frame Header + Network Header + Transport Header + Data + Frame Trailer | Frame - a chunk of data prepared by hardware (the NIC)

    * Physical Layer (1) | 010101000111 | Bitstream - a sequence of bits prepared for physical transmission
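The rows above as actual bytes. This is an added example, not code from the original notes: it builds one frame layer by layer (an HTTP request as data, wrapped in a TCP header to form a segment, in an IPv4 header to form a packet, in an Ethernet header to form a frame) and then decapsulates it again, verifying the IPv4 header checksum on the way. The MAC addresses, IP addresses and HTTP payload are constructed sample values, and the TCP checksum is left at zero, which a real stack would compute over a pseudo-header.

```python
# Added example (not from the original notes): build one frame layer by layer
# (data -> TCP segment -> IPv4 packet -> Ethernet frame) and then peel it apart
# again, so the "header + header + data" rows become concrete bytes.
# MACs, IPs and the HTTP payload used here are constructed sample values.
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data: bytes) -> bytes:
    # Layer 4: segment = TCP header + data. PSH|ACK flags, data offset 5 words.
    # The TCP checksum is left at 0: a real stack computes it over a pseudo-header.
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + data
    # Layer 3: packet = IPv4 header + segment (version 4, IHL 5, DF set, TTL 64).
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                            64, PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    packet = ip_header + segment
    # Layer 2: frame = Ethernet header + packet (the NIC appends the 4-byte FCS trailer).
    eth_header = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_header + packet


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: strip the frame header, then the packet header, then the segment header."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip_header = frame[14:34]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_header)
    if ipv4_checksum(ip_header) != 0:        # a valid header, checksum included, sums to zero
        raise ValueError("bad IPv4 header checksum")
    ihl = (ver_ihl & 0x0F) * 4
    packet = frame[14:14 + total_len]        # ignore any padding after the IP total length
    segment = packet[ihl:]
    sport, dport, _, _, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    data = segment[(offset >> 4) * 4:]
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "protocol": proto, "sport": sport, "dport": dport,
        "flags": flags, "data": data,
    }


if __name__ == "__main__":
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.1.20", "10.0.2.30",
                        40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print(len(frame), "bytes on the wire")
    print(parse_frame(frame))
```

The checksum check is the practical point: a receiver that skips it will happily parse a header whose TTL, protocol or addresses were corrupted in transit, which is exactly the kind of "trust the bytes" bug that packet parsers get wrong.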




i) Network Interface

-What is a Network Interface? A software or hardware interface between two pieces of equipment or protocol layers in a computer network.

- A Network Interface Controller (NIC) is a computer hardware component that connects a computer to a computer network. Also known as:

    * network interface card

    * network adapter

    * LAN adapter

    * physical network interface

- NICs send and receive frames addressed by MAC address; the operating system's IP stack handles the Internet Protocol (IP) above them

-NICs are devices for both the :

    * Data Link Layer (Layer 2)

    * Physical Layer (Layer 1)

- Amazon VPC Elastic Network Interfaces (ENIs)

A virtual network interface attached to an EC2 instance. Without an ENI an EC2 instance would have no way to communicate. Every EC2 instance has a primary ENI and can have additional ENIs attached (the maximum depends on the instance type). Security groups are attached to ENIs rather than to the instance, so an instance with several ENIs can sit in several subnets with different rules.

j) IP Addresses 

- What is an IP Address? An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.

-An IP address serves two main functions:

    1. host or network interface identification (Who is this?)

    2. location addressing (Where do they live in the network?)

- There are two versions of IP currently in use:

    * IPv4 (invented 1981) - has 4,294,967,296 available addresses (~4 billion)

    * IPv6 (invented 1995) - has 340,282,366,920,938,463,463,374,607,431,768,211,456 available addresses (~340 undecillion, 2^128)

- In November 2019 the RIPE NCC allocated the last remaining IPv4 addresses from its free pool

- We still use IPv4 today and its been a slow migration to IPv6 due to:

    * old technology

    * legacy software 

    * outdated attitudes



k) IPv4

- An IPv4 address has a size of 32 bits, which limits the address space to ~4 billion addresses. IPv4 uses Dotted Decimal Notation, a series of 4 numbers ranging from 0-255, eg. 192.168.0.1

Dotted decimal notation

172.16.254.1

10101100.00010000.11111110.00000001 -> 32 bits (4 bytes = 4 * 8 bits)

l) IPv6

-An IPv6 address has a size of 128 bits, which gives an address space of ~340 undecillion addresses




AWS IPv6

-When you enable IPv6 on a VPC you don't choose the netmask: AWS assigns an Amazon-provided /56 block to the VPC and each subnet gets a /64. You get so many addresses that fine-grained control over the size doesn't matter

-Caveat: Amazon-provided IPv6 addresses are globally unique and publicly routable, so an instance with an IPv6 address in a subnet that routes ::/0 to the Internet Gateway is reachable from the internet unless security groups and NACLs block it. For IPv6 outbound-only access use an egress-only internet gateway (the IPv6 equivalent of a NAT gateway)

m) Binary Math

- Binary is a base-2 numeral system using only the digits 0 and 1. It is called Binary because we only use two numbers. Binary is the lowest-level language a computer uses, commonly known as machine language.

- A bit is a basic unit of information that represents either a 0 or 1.

- A byte is a unit of information made of consecutive bits, eg. 10010100. The most common byte size is eight consecutive bits, known as an octet

- Binary Math is how an octet represents a number. The way binary math works is:

    * you count from right to left

    * each bit position is worth 2 to the power of its position: 1, 2, 4, 8, 16, 32, 64, 128

    * you add up the values of the positions set to 1 to get the final number

    * the range of an octet is 0-255 (256 distinct values)



n) Classful Addressing

- Classful Addressing is an addressing architecture where the size of a network was predefined based on classes. Classful Addressing was in use between 1981 and 1993 and was deprecated with the introduction of CIDR.

- The IP address would be divided into the Network IDs (NET ID) and the Host IDs using a Subnet Mask

    * NET IDs - how many network addresses were available 

    * HOST IDs - how many host addresses were available



- The leading bits of the first octet identify the class: 0 = Class A (/8 network), 10 = Class B (/16), 110 = Class C (/24), 1110 = Class D (multicast), 1111 = Class E (reserved).

o) Networking Terms

- What is a Network? An IP Network are interconnected devices that are using the TCP/IP suite for communication

- What is a Subnet? A logical subdivision of an IP network

-What is a Host? A computer or other device that communicates with other hosts on a network

p) Net and Host Id

- Every IPv4 address is split into a Network ID (the leading bits, shared by every host on the same network) and a Host ID (the remaining bits, unique to one host on that network). The subnet mask, or the CIDR prefix length, says where the split is; in classful addressing the split was fixed by the class



r) Private Address Space

- When you create a Virtual Private Cloud you need to choose a Private Address Space. The following three address spaces are commonly used :

    * 10.0.0.0

    * 172.16.0.0

    * 192.168.0.0

- Private Address Spaces. The Internet Assigned Numbers Authority (IANA) has reserved, as documented in RFC 1918, the following three blocks of the IP address space for private internets:


Start Address     End Address         CIDR     Class

10.0.0.0          10.255.255.255      /8       Class A

172.16.0.0        172.31.255.255      /12      Class B

192.168.0.0       192.168.255.255     /16      Class C


- You are not forced to use these exact blocks: with Cloud Networking you can use any part of the RFC 1918 space and with CIDR define any size of network to host. Stay inside RFC 1918 though: carving a VPC out of public address space breaks routing to the real owners of those addresses and complicates peering and VPNs.

-Using these address spaces can generally indicate at a glance to other network engineers what size you expect the network to be.

s) Subnet Masks

- A Subnet Mask is a 32-bit number that looks like an IP address but is not, eg. 255.0.0.0. A subnet mask divides the IP address into the NET ID and the HOST ID via masking: the address ANDed with the mask gives the NET ID, and the bits where the mask is 0 are the HOST ID.





- A Subnet Mask is also sometimes referred to as a Netmask but 99.9% of the time they mean the same thing.

    * When we are defining our Virtual Network CIDR range we'll say netmask

    * When we are defining our Subnet CIDR range we'll say subnet mask


t) Reserved Address AWS 

- When you specify a subnet CIDR range AWS reserves five of the IP addresses

- If you created a CIDR block range of 10.0.0.0/28

- That would result in 16 possible addresses

- AWS would reserve the first 4 and the last 1 and you would be left with 11 host addresses

- Reserved addresses:

    * 10.0.0.0 Reserved by AWS for the Network Address

    * 10.0.0.1 Reserved by AWS for the VPC Router

    * 10.0.0.2 Reserved by AWS for the Amazon-provided DNS server (the VPC base address plus two)

    * 10.0.0.3 Reserved by AWS for future use

    * 10.0.0.15 Reserved by AWS as the Network Broadcast Address. AWS always reserves the last IP in the CIDR block range (VPCs do not support broadcast, but the address is still held back). So if you were to use 10.0.0.0/24 (256 addresses) it would reserve 10.0.0.255

u) CIDR

- What is Classless Inter-Domain Routing (CIDR)? A method of allocating IP addresses for IP routing, introduced to replace classful networking, with the primary goal of slowing down the rapid exhaustion of IPv4 addresses.

-What is a CIDR block range? Sometimes referred to as just a CIDR block. The CIDR block range defines the size of the Network vs Host parts and the range of IP addresses.

- What is CIDR Notation? This defines the subnet mask. The number after the slash is the count of leading 1s in the mask.



- 104.195.51.120/32 -> /32 is the same as saying a single IP address (all 32 bits are network bits, so there are no host bits)


w) DHCP

- What is Dynamic Host Configuration Protocol (DHCP)?  A network management protocol used on Internet Protocol networks whereby a DHCP server dynamically assign an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.

- Why do we have DHCP? DHCP is needed to simplify the management of IP addresses on networks. No two hosts can have the same IP address, and manually assigning IP addresses can be error prone. Automating this process makes life easier for users and the network administrator


- An AWS Virtual Private Cloud (VPC) has a DHCP options set, and a DHCP options set allows you to change:

    * Domain Name

    * Domain Name Servers

    * Network Time Protocol (NTP)

    * NetBIOS name servers and node type

- A use case would be changing the default DNS servers for every instance that connects to the VPC. Say you wanted to use Quad9 DNS (9.9.9.9): you can point the options set at a filtering resolver for an added layer of security that blocks known bad hosts. Check what you give up first: instances that bypass the Amazon-provided resolver lose VPC-internal names such as Route 53 private hosted zones and VPC endpoint private DNS unless your resolver forwards those queries back to it, and the DNS queries now leave the VPC.

x)  Cloud Networking CheatSheet

-The Open Systems Interconnection (OSI) Model defines standards of communication for Telecom and Computer Systems

- There are 7 layers to the OSI model:

    * 1. Physical - responsible for transmitting raw bits as a physical signal to the destination network

    * 2. Data Link - responsible for the packaging data into Frames to transfer to network nodes on the same layer

    * 3. Network - responsible for routing (forwarding) IP addresses

    * 4. Transport - responsible for end-to-end connections and reliability

    * 5. Session - responsible for creating, maintaining and destroying sessions.

    * 6. Presentation - formats and delivers information to the Application Layer

    * 7. Application - the closest to the end-user. Used by software applications such as Email, Web-Apps, Shell Terminals ...

- You will want to remember Layer 3 (Network), 4 (Transport) and 7 (Application) for Cloud Networking

    * AWS DDoS protection (AWS Shield) occurs on Layers 3, 4 and 7

    * AWS WAF protection occurs on Layer 7

    * AWS Application Load Balancer operates on Layer 7 (HTTP/S)

    * AWS Network Load Balancer operates on Layer 4 (TCP/UDP)

- A Network Interface Controller (NIC) connects a computer to a computer network (operate on OSI Layer 1 and 2)

    * AWS has virtual NICs called Amazon VPC Elastic network interface (ENIs)

        ** Every EC2 instance has at least one ENI

        ** EC2 instance can have multiple ENIs attached

-An IP address serves two main functions:

    * host or network interface identification (Who is this?)

    * location addressing (Where do they live in the network?)

-There are two versions of IP currently in use:

    * IPv4 (invented 1981) - has available 4 billion addresses

    * IPv6 (invented 1995) - has available ~ 340 undecillion addresses

- An IPv4 address has a size of 32 bits and uses Dotted Decimal Notation eg. 192.168.0.1

- An IPv6 address has a size of 128 bits and uses Hexadecimal Notation eg. 0123:4567:89ab:cdef:0123:4567:89ab:cdef

-binary is a base-2 numeral system of 0 or 1. It called Binary because we only use two numbers.

-A bit is a basic unit of information that represents either a 0 or 1

- A byte is a basic unit of information that represents consecutive bits.

- The most common type of byte is eight consecutive bits, known as an octet

- In Binary Math each position, reading from right to left, is worth double the one before it: 1,2,4,8,16,32,64,128 (an octet has eight positions, so its maximum value is 255)

    * 0000 0001 = 1

    * 0000 0011 = 3

    * 1111 1111 = 255

    * 1000 0000 = 128

- Private Address Spaces commonly used are 10.0.0.0/8 (Class A), 172.16.0.0/12 (Class B), 192.168.0.0/16 (Class C)

- Dynamic Host configuration Protocol (DHCP) server dynamically assigns an IP address to a device on the network

    * With AWS VPC you can change the DHCP settings to another DNS server (maybe for extra security)

- A subnet Mask is a 32-bit number looks like an IP address but it is not. eg. 255.0.0.0

    * A subnet masks divides the IP address into a the NET ID and HOST ID via masking.

    * A subnet mask is also sometimes referred to as a Netmask but 99.9% of the time they mean the same thing

- AWS reserves 5 IP addresses when you define a subnet CIDR, eg. using 10.0.0.0/28

    * 10.0.0.0 Reserved by AWS for the Network Address

    * 10.0.0.1 Reserved by AWS for the VPC Router

    * 10.0.0.2 Reserved by AWS for the Amazon-provided DNS server

    * 10.0.0.3 Reserved by AWS for future use

    * 10.0.0.15 Reserved by AWS as the Network Broadcast Address (the last address of the block)

    * If you allocate a /24 (256 addresses) you'll only have 251 host addresses you can assign.

- Classless Inter-Domain Routing (CIDR) is a method of allocating IP addresses for IP routing where you choose the size of the Network vs Host parts

- A CIDR block range defines the size of Network vs Host and the range of IP addresses. eg. 10.0.0.0/24

- CIDR Notation defines the subnet mask (how many host addresses will be available) eg. /24 = 256 possible addresses

    * The number in CIDR notation is how many leading bits of the mask are 1. /24 = 11111111.11111111.11111111.00000000 (255.255.255.0)

    * /32 = 1 address

    * /28 = 16 addresses

    * /24 = 256 addresses

    * /23 = 512 addresses (each step down in the prefix doubles the block)

    * /16 = 65 536 addresses





2) VPC 

- Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

- When creating an AWS Virtual Private Cloud (VPC) you must specify an IPv4 CIDR range between /16 (65 536 addresses) and /28 (16 addresses)

- Host addresses are the available IP addresses after we deduct the five addresses that AWS reserves in each subnet

/28 = 16 IP addresses - 5 AWS reserved addresses = 11 host addresses (a /29 would leave only 3, which is why /28 is the smallest size allowed)

a) VPC - Core Components

- Think of a AWS VPC as your own personal data center. Gives you complete control over your virtual networking environment




- Combining these components and services is what makes up your VPC

    * Internet Gateway (IGW)

    * Virtual Private Gateway (VPN Gateway)

    * Routing Tables

    * Network Access Control Lists (NACLs) - Stateless

    * Security Groups (SG) Stateful

    * Subnet 

        ** Public Subnet 

        ** Private Subnets

    * NAT Gateway

    * Customer Gateway

    * VPC Endpoints

    * VPC Peering


b) VPC - Key Features

- VPCs are Region specific; they do not span regions

- You can create up to 5 VPCs per region (a default quota that can be raised)

- Every region comes with a default VPC

- You can have 200 subnets per VPC (also a default quota)

- You can use an IPv4 CIDR block and, in addition, IPv6 CIDR blocks (the address space of the VPC)

- Cost nothing: VPCs, Route Tables, NACLs, Internet Gateways, Security Groups, Subnets, VPC Peering (no hourly charge; data transfer across AZs or regions is still billed)

- Some things cost money: eg. NAT Gateway, VPC Interface Endpoints, VPN Gateway, Customer Gateway

- DNS hostnames (should your instances get DNS hostnames)

c) VPC - Default VPC

- AWS has a default VPC in every region so you can immediately deploy instances

- Create a VPC with size /16 IPv4 CIDR block (172.31.0.0/16)

- Create a size /20 default subnet in each Availability Zone

- Create an Internet Gateway and connect it to your default VPC

- Create a default security group and associate it with your default VPC

- Create a default network access control list (NACL) and associate it with your default VPC.

- Associate the default DHCP options set for your AWS account with your default VPC.

- When you create a VPC, it automatically has a main route table


d) VPC - Default VPC Everywhere IP

- 0.0.0.0/0 is also known as the default route

- It represents all possible IPv4 addresses (::/0 is the IPv6 equivalent)

-When we specify 0.0.0.0/0 as the destination of the route to the IGW in our route table we are allowing internet access.

- When we specify 0.0.0.0/0 in a security group inbound rule we are allowing all traffic from the internet to access our public resources on that port. Treat every inbound 0.0.0.0/0 rule as an exposure that needs a justification, especially on SSH (22), RDP (3389) and database ports

- When you see 0.0.0.0/0, just think of giving access from anywhere on the internet

e) VPC - VPC Peering

- VPC Peering allows you to connect one VPC with another over a direct network route using private IP addresses

- Instances on peered VPCs behave just like they are on the same network

- Connect VPCs across the same or different AWS accounts and regions

- A common layout is a hub and spoke (star) configuration: 1 central VPC peered with several others, eg. 4



- No Transitive Peering (peering must take place directly between VPCs)

    * Each pair of VPCs that needs to talk needs its own one-to-one peering connection; A being peered with B gives A no path to B's other peers

- No Overlapping CIDR Blocks between the two VPCs

- Peering extends your trust boundary: security groups can even reference security groups in a peered VPC in the same region. Only add routes for the subnets that actually need to talk, and keep the other side's reachability in mind when reviewing rules





f) VPC - Route Table

- Route tables are used to determine where network traffic is directed

- Each subnet in your VPC must be associated with a route table. If you don't associate one explicitly, the subnet uses the VPC's main route table.

- A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table

- each record is called a "route". When several routes match a destination the most specific one (longest prefix) wins; the "local" route for the VPC's own CIDR is always present and cannot be deleted




g) VPC - Internet Gateway (IGW)

- The Internet Gateway allows your VPC access to the internet

- IGW does two things:

    * 1. provide a target in your VPC route tables for internet-routable traffic

    * 2.  perform network address translation (NAT) for instances that have been assigned public IPv4 addresses



-To route out to the internet you need to add a route to your route table with Destination 0.0.0.0/0 and Target the Internet Gateway. The instance also needs a public IPv4 address (or an Elastic IP) and security group / NACL rules that permit the traffic.
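How a route table resolves a destination, as an added example that is not part of the original notes. It models AWS's rule that the most specific matching route (longest prefix) wins and shows why the 0.0.0.0/0 -> igw route is what makes a subnet public, while the same destination pointed at a NAT gateway gives outbound-only access. The route tables and the target IDs in them are constructed placeholders in the AWS ID format, not real resources.

```python
# Added example (not from the original notes): how a VPC route table resolves a
# destination. AWS picks the most specific matching route (longest prefix), and
# the 0.0.0.0/0 -> igw-... route is what turns a subnet into a public subnet.
# The route tables and target IDs below are constructed placeholders.
import ipaddress

PUBLIC_ROUTES = [
    # (destination CIDR, target)
    ("10.0.0.0/16", "local"),                  # the VPC's own CIDR; always present, not removable
    ("10.1.0.0/16", "pcx-0123456789abcdef0"),  # a peered VPC
    ("0.0.0.0/0",   "igw-0123456789abcdef0"),  # everything else goes to the internet gateway
]

PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0",   "nat-0123456789abcdef0"),  # outbound only, through a NAT gateway
]

ISOLATED_ROUTES = [
    ("10.0.0.0/16", "local"),                  # no default route at all
]


def lookup(route_table, destination: str) -> str:
    """Return the target for `destination`, preferring the longest matching prefix.
    Raises LookupError when no route matches (the traffic is dropped)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def reachable(route_table, destination: str) -> bool:
    """True if some route covers the destination."""
    try:
        lookup(route_table, destination)
        return True
    except LookupError:
        return False


def is_public_subnet(route_table) -> bool:
    """AWS's definition of a public subnet: its route table sends traffic to an IGW."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    for name, table in [("public", PUBLIC_ROUTES), ("private", PRIVATE_ROUTES), ("isolated", ISOLATED_ROUTES)]:
        for dst in ("10.0.3.4", "10.1.9.9", "93.184.216.34"):
            target = lookup(table, dst) if reachable(table, dst) else "(no route)"
            print(f"{name:9} {dst:15} -> {target}")
```

Note that the local route for 10.0.3.4 wins even though 0.0.0.0/0 also matches it: the default route only ever catches traffic that nothing more specific claims.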



h) VPC - Bastions / Jumpbox

- Bastions are EC2 instances which are security hardened. They are designed to help you gain access, via SSH or RDP, to EC2 instances that are in a private subnet.

- They are also known as Jump boxes because you are jumping from one box to access another.

- NAT Gateways/Instances are only intended for EC2 instances to gain outbound access to the internet for things such as security updates. NATs cannot/should not be used as Bastions

- AWS Systems Manager Session Manager replaces the need for Bastions: it gives shell access through the SSM agent, gated by IAM and logged to CloudTrail (and optionally to S3 or CloudWatch Logs), with no inbound port 22 or 3389 open at all

i) VPC - Direct Connect

-  AWS Direct Connect is the AWS solution for establishing dedicated network connections from on-premises locations to AWS.

-Very fast network: lower bandwidth hosted connections of 50 Mbps to 500 Mbps, or higher bandwidth dedicated connections of 1 Gbps or 10 Gbps

- Helps reduce network costs and increase bandwidth throughput (great for high traffic networks)

-Provides a more consistent network experience than a typical internet-based connection (reliable and private). Note that Direct Connect is a private circuit, not an encrypted one: traffic on it is not encrypted by default, so run a Site-to-Site VPN over it (or use MACsec where the connection supports it) if you need encryption in transit




j) VPC - Introduction to VPC Endpoints

-  Think of a secret tunnel where you don't have to leave the AWS network

- VPC Endpoints allow you to privately connect your VPC to other AWS services, and VPC endpoint services.

-There are 2 Types of VPC Endpoints

    * 1. Interface Endpoints

    * 2. Gateway Endpoints

- Eliminates the need for an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect connections.

- Instances in the VPC do not require a public IP address to communicate with service resources.

-Traffic between your VPC and other services does not leave the AWS network.

- Horizontally scaled , redundant, and highly available VPC component.

- Allows secure communication between instances and services - without adding availability risks or bandwidth constraints on your traffic.

k) VPC - Interface Endpoints

Interface Endpoints are Elastic Network Interfaces (ENIs) with a private IP address from one of your subnets. They serve as an entry point for traffic going to a supported service.

- Interface Endpoints are powered by AWS PrivateLink. Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network

- An interface endpoint carries a security group (who in the VPC may reach it) and an endpoint policy (an IAM resource policy saying which principals and actions may pass through it). The default endpoint policy allows everything, so lock both down

- Pricing per VPC endpoint per AZ: $0.01/hour

- Pricing per GB of data processed: $0.01

- roughly $7.30/month per endpoint per AZ before data processing charges

-Interface Endpoints support the following AWS Services

    * API Gateway

    * CloudFormation

    * CloudWatch

    * Kinesis

    * SageMaker

    * CodeBuild

    * AWS Config

    * EC2 API

    * ELB API

    * AWS KMS

    * Secrets Manager

    * Security Token Service

    * Service Catalog

    * SNS

    * SQS

    * Systems Manager

    * AWS Marketplace partner services

    * Endpoint Services in other AWS accounts


l) VPC - Gateway Endpoints

- A Gateway Endpoint is a gateway that is a target for a specific route in your route table , used for traffic destined for a supported AWS service.

-To create a Gateway Endpoint, you must specify the VPC in which you want to create the endpoint , and the service to which you want to establish the connection

- AWS Gateway Endpoints currently only support 2 services

    * Amazon S3

    * DynamoDB

- A Gateway Endpoint is only usable from inside the VPC it is created in: traffic arriving over VPC peering, a VPN or Direct Connect cannot use it (use an interface endpoint for S3 in those cases). On the S3 side, a bucket policy can require that requests arrive through your endpoint with the aws:SourceVpce condition key.

m) VPC - Endpoint CheatSheet

- VPC Enpoints help keep traffic between AWS services within the AWS Network

-There are two kinds of VPC Endpoints, Interface Endpoints and Gateway Endpoints

- Interface Endpoints cost money, Gateway Endpoints are free

- Interface Endpoints uses an Elastic Network Interface (ENI) with Private IP (powered by AWs PrivateLink)

- Gateway Endpoints is a target for a specific route in your route table

- Interface Endpoints support many AWS services

- Gateway Endpoint only support DynamoDB and S3

n) VPC - Flow Logs

- VPC Flow Logs allow you to capture IP traffic information in and out of Network Interfaces within your VPC.

-Flow Logs can be created for:

    * 1. VPC

    * 2. Subnets

    * 3. Network Interface

- Log data is delivered to Amazon CloudWatch Logs or to an S3 bucket (you choose the destination when you create the flow log).

- After a Flow Log is created its records can be viewed in CloudWatch Logs (or queried in S3). Records are aggregated over a capture window and delivered a few minutes later, so a flow log is a summary of flows, not a packet capture.

- A Flow Log cannot be edited once created; to change anything you have to delete the existing Flow Log and set up a new one.

- Flow Log Breakdown <version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>

    * version - the VPC Flow Logs version

    * account-id - the AWS account ID for the flow log.

    * interface-id - the ID of the network interface for which the traffic is recorded.

    * srcaddr - the source IPv4 or IPv6 address. The network interface's own IPv4 address is always recorded as its private IPv4 address, even when the traffic arrived at its public or Elastic IP

    * dstaddr - the destination IPv4 or IPv6 address. The network interface's own IPv4 address is always recorded as its private IPv4 address.

    * srcport - the source port of the traffic

    * dstport - the destination port of the traffic 

    * protocol - the IANA protocol number of the traffic. For more information , see Assigned Internet Protocol Numbers.

    * packets - the number of packets transferred during the capture window

    * bytes - the number of bytes transferred during the capture window

    * start - the time, in Unix seconds, of the start of the capture window.

    * end - the time, in Unix seconds , of the end of the capture window.

    * action - the action associated with the traffic:

        ** ACCEPT - the recorded traffic was permitted by both the security groups and the network ACLs.

        ** REJECT - the recorded traffic was not permitted by the security groups or network ACLs

    * log-status - the logging status of the flow log:

        ** OK - data is logging normally to the chosen destinations

        ** NODATA - there was no network traffic to or from the network interface during the capture window.

        ** SKIPDATA - some flow log records were skipped during the capture window.This may be because of an internal capacity constraint , or an internal error.
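The field list above turned into a parser, plus two detections a practitioner actually runs over flow logs: a source that is being REJECTed on many different ports of one interface (a port scan against the security group), and a quick tally of ACCEPTed bytes in and out of the VPC range. This is an added example and not code from the original notes. The records are constructed samples in the default format; the account ID and interface ID are placeholders, and the addresses are documentation ranges.

```python
# Added example (not from the original notes): parse default-format VPC Flow Log
# records (the 14 fields listed above) and run two quick checks over them. The
# records are constructed samples; account and interface IDs are placeholders.
import ipaddress
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 54321 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 54322 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 54323 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 54324 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 54325 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.20 41000 443 6 25 18000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 203.0.113.9 443 41000 6 20 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - SKIPDATA
"""


def parse_flow_logs(text: str) -> list:
    """One dict per default-format record; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                         # blank, truncated, or a custom-format record
        records.append(dict(zip(FIELDS, parts)))
    return records


def rejected_port_scans(records, min_ports: int = 5) -> dict:
    """Sources whose REJECTed flows hit at least `min_ports` distinct destination
    ports on a single interface. Returns {srcaddr: sorted list of ports}."""
    ports = defaultdict(set)
    for r in records:
        if r["log_status"] != "OK":          # NODATA / SKIPDATA rows carry no flow fields
            continue
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["interface_id"])].add(int(r["dstport"]))
    return {src: sorted(p) for (src, _eni), p in ports.items() if len(p) >= min_ports}


def accepted_bytes(records, vpc_cidr: str) -> tuple:
    """(bytes into the VPC, bytes out of the VPC) summed over ACCEPTed flows."""
    vpc = ipaddress.ip_network(vpc_cidr)
    inbound = outbound = 0
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(r["dstaddr"]) in vpc:
            inbound += int(r["bytes"])
        else:
            outbound += int(r["bytes"])
    return inbound, outbound


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    print("port scans:", rejected_port_scans(recs))
    print("accepted bytes in/out:", accepted_bytes(recs, "10.0.0.0/16"))
```

The log_status check matters: NODATA and SKIPDATA records have "-" in every flow field, so code that blindly does int(r["dstport"]) on them raises. If you enable a custom log format (extra fields such as pkt-srcaddr or tcp-flags), replace FIELDS with your chosen field list in the same order.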

VPC - Flow Logs CheatSheet

- VPC Flow Logs monitor the in-and-out traffic of the Network Interfaces within your VPC

- You can turn on Flow Logs at the VPC, Subnet or Network Interface level

- VPC Flow Logs can be tagged at creation time like other AWS resources (early versions of the service did not support this)

- You cannot change the configuration of a flow log after it's created

- You cannot enable flow logs for VPCs which are peered with your VPC unless the peered VPC is in the same account

- VPC Flow Logs can be delivered to an S3 or CloudWatch Logs

- VPC Flow logs contains the source and destination IP addresses (not hostnames)

- some instance traffic is not monitored :

    * Instance traffic generated by contacting the AWS DNS servers

    * Windows license  activation traffic from instances

    * Traffic to and from the instance metadata address (169.254.169.254). A flow log therefore will not show an SSRF or credential-theft attempt that reaches the metadata service; enforce IMDSv2 and rely on application and CloudTrail logs for that

    * Traffic to and from the Amazon Time Sync Service address (169.254.169.123)

    * DHCP Traffic

    * Any traffic to the reserved IP address of the default VPC router


3) Subnets

- AWS has a service limit of 200 subnets per VPC

- A subnet cannot start in the middle of a octet and end in another

- A subnet can start in the middle of an octet and end within the same octet 

- A subnet can start at the start of an octet and end anywhere in the same or another

Sub1 172.16.0.0 - 172.16.0.127

Sub2 172.16.0.128 - 172.16.1.127

Sub3 172.16.1.0 - 172.16.1.255
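An added example (not from the original notes) that turns the three octet rules above into a check: a range is usable as one subnet only if it is a single aligned CIDR block, sits inside the VPC CIDR and falls within the /16 to /28 sizes a VPC subnet may have. The example also goes beyond the notes by checking a list of subnets for overlap; the VPC CIDR 172.16.0.0/16 is assumed.

```python
import ipaddress
from typing import List, Optional, Tuple

# AWS VPC subnet sizes run from /16 (largest) to /28 (smallest).
MIN_PREFIX, MAX_PREFIX = 16, 28


def as_single_block(first: str, last: str) -> Optional[ipaddress.IPv4Network]:
    """Return the one CIDR network covering exactly first..last, or None when
    the range is not a single aligned block and so cannot be one subnet."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    return blocks[0] if len(blocks) == 1 else None


def check_subnet(vpc_cidr: str, first: str, last: str) -> str:
    """Explain whether the range first..last is usable as a subnet of vpc_cidr."""
    net = as_single_block(first, last)
    if net is None:
        return "invalid: range is not one aligned CIDR block"
    vpc = ipaddress.IPv4Network(vpc_cidr)
    if not net.subnet_of(vpc):
        return f"invalid: {net} lies outside {vpc}"
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        return f"invalid: {net} is outside the /{MIN_PREFIX}../{MAX_PREFIX} size limits"
    return f"ok: {net}"


def find_overlaps(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Pairs of subnets that share addresses; a VPC rejects such a second subnet."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # The three ranges from the notes, checked against an assumed 172.16.0.0/16 VPC.
    for name, first, last in [("Sub1", "172.16.0.0", "172.16.0.127"),
                              ("Sub2", "172.16.0.128", "172.16.1.127"),
                              ("Sub3", "172.16.1.0", "172.16.1.255")]:
        print(name, check_subnet("172.16.0.0/16", first, last))
```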

a) Public Subnet 

- Subnets are considered public if "auto-assign public IPv4 address" is set to "Yes"

b) Private Subnets

4)  Internet Gateway (IGW)

5) Virtual Private Gateway (VPN Gateway)

6) Routing Tables

7) Network Access Control Lists (NACLs) - Stateless

- You can block specific IP addresses

- Associated with subnets

- An (optional) layer of security that acts as a firewall for controlling traffic in and out of subnet(s)

- NACLs act as a virtual firewall at the subnet level

- VPCs automatically get a default NACL

- Subnets are associated with NACLs. A subnet can only belong to a single NACL.

- Each NACL contains a set of rules that can allow or deny traffic into (inbound) and out of (outbound) subnets.

- The rule # determines the order of evaluation, from lowest to highest. The highest rule # can be 32766, and it is recommended to work in increments of 10 or 100.

- You can allow or deny traffic. You could block a single IP address (you can't do this with Security Groups)

a) NACLs - Use Case

- We determine that a malicious actor at a specific IP address is trying to access our instances, so we block their IP

- We never need to SSH into instances so we add a DENY for these subnets. This is just an additional measure in case our Security Groups SSH port was left open.

b) NACLs - CheatSheet

- Network Access Control List is commonly known as NACL

- VPCs are automatically given a default NACL which allows all outbound and inbound traffic

- Each subnet within a VPC must be associated with a NACL

- Subnets can only be associated with 1 NACL at a time. Associating a subnet with a new NACL will remove the previous association

- If a NACL is not explicitly associated with a subnet, the subnet will automatically be associated with the default NACL.

- A NACL has inbound and outbound rules (just like Security Groups)

- Rules can either allow or deny traffic (unlike Security Groups which can only allow)

- NACLs are STATELESS (any allowed inbound traffic is also allowed outbound)

- When you create a NACL it will deny all traffic by default

- NACLs contain a numbered list of rules that get evaluated in order from lowest to highest.

- If you needed to block a single IP address you could do so via NACLs (Security Groups cannot deny)
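An added example (not from the original notes) of the NACL evaluation order described in the use case and cheat sheet: rules are walked from the lowest number up, the first match decides, and anything unmatched falls to the implicit "*" deny. The inbound set blocks one known-bad address and denies SSH; because evaluation is stateless, the outbound set must separately allow the ephemeral ports that replies to accepted HTTPS requests use. Addresses and rule numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

MAX_RULE_NUMBER = 32766   # highest rule number a NACL accepts


@dataclass
class NaclRule:
    number: int        # evaluation order, lowest first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    allow: bool

    def __post_init__(self) -> None:
        if not 1 <= self.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number {self.number} out of range")


def evaluate(rules: List[NaclRule], protocol: str, port: int, addr: str) -> str:
    """Walk the rules from lowest to highest number; the first match decides.
    Anything no numbered rule matches falls to the implicit '*' rule, which denies."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if r.protocol != "all" and not (r.port_from <= port <= r.port_to):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return f"{'ALLOW' if r.allow else 'DENY'} by rule {r.number}"
    return "DENY by rule *"


# Constructed inbound rules for a web subnet: block one known-bad address,
# deny SSH everywhere (a second line of defence should a security group
# leave port 22 open), allow HTTPS, and allow ephemeral ports so replies
# to the subnet's own outbound connections can come back in.
INBOUND = [
    NaclRule(10, "all", 0, 65535, "198.51.100.23/32", allow=False),
    NaclRule(20, "tcp", 22, 22, "0.0.0.0/0", allow=False),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", allow=True),
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", allow=True),
]
# Stateless: the reply to an accepted inbound HTTPS request is checked here
# on its own, so outbound must allow ephemeral ports or responses never leave.
OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", allow=True),
    NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", allow=True),
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 443, "198.51.100.23"))   # DENY by rule 10
    print(evaluate(INBOUND, "tcp", 22, "203.0.113.5"))      # DENY by rule 20
    print(evaluate(INBOUND, "tcp", 443, "203.0.113.5"))     # ALLOW by rule 100
    print(evaluate(OUTBOUND, "tcp", 51000, "203.0.113.5"))  # ALLOW by rule 100
```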


8) Security Groups (SG) Stateful

- You can add only allow rules

- Associated with instances

- A virtual firewall that controls the traffic to and from EC2 instances

- Security Groups act as a virtual firewall at the instance level

- Security Groups are associated with EC2 instances.

- Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.

- Provide security at the protocol and port access level

- There are no "Deny" rules. All traffic is blocked by default unless a rule specifically allows it.

- Multiple instances across multiple subnets can belong to a Security Group.

a) Security Groups - Use Case

- You can specify the source to be an IP range or a specific IP (/32 is a specific IP address)

- You can specify the source to be another security group

- An instance can belong to multiple Security Groups, and rules are permissive (instead of restrictive). Meaning if you have one Security Group which has no Allow and you add an Allow to another, then the traffic will be allowed

b) Security Groups - Use Limits

- You can have up to 10 000 Security Groups in a Region (default is 2500)

- You can have 60 inbound rules and 60 outbound rules per security group

- 16 Security Groups per Elastic Network Interface (ENI) (default is 5)

c) Security Groups - Cheat Sheet

- Security Groups act as a firewall at the instance level

- Unless allowed specifically, all inbound traffic is blocked by default.

- All Outbound traffic from the instance is allowed by default

- You can specify the source to be either an IP range, a single IP address or another Security Group

- Security Groups are STATEFUL (if traffic is allowed inbound it is also allowed outbound)

- Any changes to a Security Group take effect immediately

- EC2 Instances can belong to multiple security groups 

- Security groups can contain multiple EC2 Instances.

- You cannot block specific IP addresses with Security Groups, for this you would need a Network Access Control List (NACL)

- You can have up to 10 000 Security Groups per Region (default 2 500)

- You can have 60 inbound and 60 outbound rules per Security Group

- You can have 16 Security Groups associated to an ENI (default is 5)
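An added example (not from the original notes) of how the Security Group rules in the use case and cheat sheet combine: every attached group is searched, any matching rule allows the packet, and with no deny rule an unmatched packet is simply dropped. Sources may be a CIDR (a /32 pins one address) or another group's id, in which case the sender must carry that group. Group ids, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class SgRule:
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all
    port_from: int
    port_to: int
    source: str       # a CIDR (a /32 is one address) or another group's id


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[SgRule] = field(default_factory=list)


def inbound_allowed(attached: List[SecurityGroup], protocol: str, port: int,
                    src_addr: str, src_groups: List[str]) -> bool:
    """True if ANY rule in ANY attached group matches. Rules are permissive
    and there is no deny: an unmatched packet is dropped, a group with no
    rules adds nothing, and an allow in one group is not cancelled by another."""
    ip = ipaddress.ip_address(src_addr)
    for group in attached:
        for r in group.inbound:
            if r.protocol not in ("-1", protocol):
                continue
            if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
                continue
            if r.source.startswith("sg-"):
                if r.source in src_groups:      # sender belongs to the referenced group
                    return True
            elif ip in ipaddress.ip_network(r.source):
                return True
    return False


# Constructed groups (ids are made up): public HTTPS, admin SSH from one
# address only, and a database tier that trusts members of the web group.
WEB = SecurityGroup("sg-web", [SgRule("tcp", 443, 443, "0.0.0.0/0")])
ADMIN = SecurityGroup("sg-admin", [SgRule("tcp", 22, 22, "203.0.113.10/32")])
DB = SecurityGroup("sg-db", [SgRule("tcp", 5432, 5432, "sg-web")])
EMPTY = SecurityGroup("sg-empty")   # no rules: contributes nothing

if __name__ == "__main__":
    print(inbound_allowed([WEB, EMPTY], "tcp", 443, "198.51.100.7", []))   # True
    print(inbound_allowed([WEB, EMPTY], "tcp", 22, "198.51.100.7", []))    # False
    print(inbound_allowed([WEB, ADMIN], "tcp", 22, "203.0.113.10", []))    # True
    print(inbound_allowed([DB], "tcp", 5432, "10.0.1.25", ["sg-web"]))     # True
    print(inbound_allowed([DB], "tcp", 5432, "10.0.1.25", []))             # False
```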


9) NAT Gateway - Network Address Translation

- Needs an Elastic IP

- Used to get access to the internet to update packages on private instances

- Network Address Translation (NAT) is the method of re-mapping one IP address space into another

- If you have a private network and you need to gain outbound access to the internet you would need to use a NAT gateway to remap the Private IPs

- If you have two networks which have conflicting network addresses you can use a NAT to make the addresses more agreeable

a) NAT Instance vs NAT Gateway

- NATs have to run within a Public Subnet

- NAT Instances (legacy) are individual EC2 instances. Community AMIs exist to launch NAT instances

- NAT Gateway is a managed service which launches redundant instances within the selected AZ

b) NAT Instance and NAT Gateway CheatSheet

NAT Instances

- When creating a NAT instance you must disable source and destination checks on the instance

- NAT instances must exist in a public subnet

- You must have a route out of the private subnet to the NAT instance

- The size of a NAT instance determines how much traffic can be handled

- High availability can be achieved using Auto Scaling Groups, multiple subnets in different AZs, and automating failover between them using a script

NAT Gateway

- NAT Gateways are redundant inside an Availability Zone (can survive failure of EC2 instance)

- You can only have 1 NAT Gateway inside 1 Availability Zone (cannot span AZs) 

- Starts at 5 Gbps and scales all the way up to 45 Gbps

- NAT Gateways are the preferred setup of enterprise systems.

- There is no requirement to patch NAT Gateways, and there is no need to disable the Source/Destination check for the NAT Gateway (unlike Instances)

- NAT Gateways are automatically assigned a public IP address

- Route Tables for the NAT Gateway MUST be updated

- Resources in multiple AZs sharing a Gateway will lose internet access if the Gateway goes down, unless you create a Gateway in each AZ and configure route tables accordingly


10) Customer Gateway

11) VPC Endpoints

- Connect to S3 without internet access

12) VPC Peering


13) Route 53

- Highly available and scalable cloud Domain Name System (DNS). Register and manage domains, create DNS routing rules eg. failovers.

- Route53 is a Domain Name Service (DNS); think GoDaddy or NameCheap, but with more synergies with AWS Services.

- You can:

    * register and manage domains

    * create various record sets on a domain

    * Implement complex traffic flows eg. Blue/green deploy, failovers

    * Continuously monitor records via health checks

    * resolve VPCs outside of AWS


a) Route 53 - Use Case

- Use Route53 to get your custom domains to point to your AWS Resources

1. Incoming internet traffic

2. Route traffic to our web-app backed by ALB

3. Route traffic to an instance we use to tweak our AMI

4. Route traffic to API gateway which powers our API

5. Route traffic to CloudFront which serves our S3 static hosted website

6. Route traffic to an Elastic IP (EIP), which is a static IP that hosts our company Minecraft server




b) Route 53 - Record Sets

- We create record sets which allow us to point our naked domain (exampro.co) and subdomains via Domain records.

- For example we can send our www subdomain using an A record to point to a specific IP address.

- In most cases you want to be using Alias when routing traffic to AWS resources. 

c) Route 53 - Routing Policies

- There are 7 different types of Routing Policies available inside Route53

    * Simple Routing - default routing policy, multiple addresses result in random selection

    * Weighted Routing - route traffic based on weighted values to split traffic 

    * Latency-Based Routing - route traffic to region resource with lowest latency

    * Failover Routing - route traffic to the secondary endpoint if the primary endpoint is unhealthy

    * Geolocation Routing - route traffic based on the location of your users

    * Geo-proximity Routing - route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another

    * Multi-value Answer Routing - respond to DNS queries with up to eight healthy records selected at random.

d) Route 53 - Traffic Flow

-  A visual editor lets you create sophisticated routing configurations for your resources using existing routing types. 

- Supports versioning so you can roll out or roll back updates

- $50 per policy record / month 

e) Route 53 - Simple Routing Policies 

- Simple Routing Policies are the most basic routing policies in Route53 (the default policy)

    * You have 1 record and provide multiple IP addresses

    * When multiple values are specified for a record, Route53 will return all values back to the user in a random order

- For example if you had a record for "www.exampro.co" with 3 different IP address values, users would be directed randomly to 1 of them when visiting the domain.

f) Route 53 - Weighted  Routing Policies 

- Weighted Routing Policies let you split up traffic based on different "weights" assigned. 

- This allows you to send a certain percentage of overall traffic to one server, and have any other traffic apart from that directed to a completely different server. 

- For example if you had an ALB running experimental features you could test it against a small amount of traffic at random to minimize the impact.

g) Route 53 - Latency  Routing Policies 

- Latency Based Routing allows you to direct traffic based on the lowest network latency possible for your end-user based on region.

- Requires a latency resource record to be set for the EC2 or ELB resource that hosts your application in each region.

- For example, you have two copies of your web-app backed by ALB. One in California, US and another in Montreal, Canada. A request comes in from Toronto; it will be routed to Montreal since it will have lower latency.

h) Route 53 - Failover  Routing Policies 

- Failover Routing Policies allow you to create active/passive setups in situations where you want a primary site in one location, and a secondary data recovery site in another.

- Route53 automatically monitors health-checks from your primary site to determine the health of end-points. If an end-point is determined to be in a failed state, all traffic is automatically directed to the secondary location.

- For example, we have a primary and secondary web-app backed by ALB. Route53 determines our primary is unhealthy and fails over to secondary ALB.

i) Route 53 - Geolocation Routing Policies 

- Geolocation Routing Policies allow you to direct traffic based on the geographic location of where the request originated from.

- For example this would let you route all traffic coming from North America to servers located in North American regions, while queries from other regions could be directed to servers hosted in that region (potentially with pricing and language specific to that region).

j) Route 53 - Geoproximity Routing Policies 

- Geoproximity Routing Policies allow you to direct traffic based on the geographic location of your users, and your AWS resources.

- You can route more or less traffic to a specific resource by specifying a "Bias" value.

- Bias values expand or shrink the size of the geographic region from which traffic is routed to. You must use Route53 Traffic Flow in order to use geoproximity routing policies.

- In the Route53 Traffic Flow you can select any regions and visualize the bias

- You can choose as few or as many bias values as you like

k) Route 53 - Multi-Value Answer Policies 

- Multi-Value Answer Policies let you configure Route53 to return multiple values such as IP addresses for your web-servers, in response to DNS queries.

- Multiple values can be specified for almost any record. Route53 automatically performs health-checks on resources and only returns values of ones deemed healthy.

- Similar to Simple Routing, however with an added health check for your record set resources.
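An added example (not from the original notes) that models the answer each routing policy from sections e) to k) hands back: simple returns every value shuffled, weighted picks by weight, latency takes the lowest-latency region, failover falls back when the primary's health check fails, and multi-value returns up to eight healthy targets at random. Region names, endpoint names and latencies are constructed.

```python
import random
from typing import Dict, List, Optional, Sequence


def simple(values: Sequence[str], rng: Optional[random.Random] = None) -> List[str]:
    """Simple routing: every value in the record is returned, in random order;
    the client picks one (usually the first)."""
    out = list(values)
    (rng or random.Random()).shuffle(out)
    return out


def weighted(weights: Dict[str, int], rng: random.Random) -> str:
    """Weighted routing: one record, chosen with probability weight / total."""
    names, w = zip(*weights.items())
    return rng.choices(names, weights=w, k=1)[0]


def weighted_split(weights: Dict[str, int], draws: int, seed: int) -> Dict[str, int]:
    """Resolve `draws` times to see the split weighted routing produces."""
    rng = random.Random(seed)
    counts = {name: 0 for name in weights}
    for _ in range(draws):
        counts[weighted(weights, rng)] += 1
    return counts


def latency_based(latency_ms: Dict[str, int]) -> str:
    """Latency routing: the region with the lowest measured latency for the requester."""
    return min(latency_ms, key=latency_ms.get)


def failover(primary: str, secondary: str, healthy: Dict[str, bool]) -> str:
    """Failover routing: primary while its health check passes, else secondary."""
    return primary if healthy.get(primary, False) else secondary


def multivalue(values: Sequence[str], healthy: Dict[str, bool],
               rng: Optional[random.Random] = None, limit: int = 8) -> List[str]:
    """Multi-value answer: up to `limit` values that pass their health check,
    chosen at random; an unhealthy target is never handed to a client."""
    alive = [v for v in values if healthy.get(v, False)]
    return (rng or random.Random()).sample(alive, min(limit, len(alive)))


if __name__ == "__main__":
    print(simple(["203.0.113.1", "203.0.113.2", "203.0.113.3"]))
    print(weighted_split({"alb-stable": 90, "alb-canary": 10}, 10_000, seed=1))
    print(latency_based({"us-west-1": 70, "ca-central-1": 12}))
    print(failover("alb-primary", "alb-secondary", {"alb-primary": False}))
    targets = [f"10.0.0.{i}" for i in range(1, 11)]
    print(multivalue(targets, {t: t != "10.0.0.4" for t in targets}))
```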

l) Route 53 - Health Checks

- Checks health every 30s by default. Can be reduced to every 10s.

- A health check can initiate a failover if the status returned is unhealthy

- A CloudWatch Alarm can be created to alert you when the status is unhealthy

- A health check can monitor other health checks to create a chain reaction

- Can create up to 50 health checks for AWS endpoints that are within or linked to the same AWS account

m) Route 53 - Resolver

- Formerly known as the .2 resolver

- A regional service that lets you route DNS queries between your VPCs and your network

- DNS Resolution for Hybrid Environments (On-Premise and Cloud)


n) Route 53 - CheatSheet

- Route53 is a DNS provider: register and manage domains, create record sets. Think GoDaddy or NameCheap

- Simple Routing - Default routing policy, multiple addresses result in a random endpoint selection

- Weighted Routing - Split up traffic based on different 'weights' assigned (percentages)

- Latency-Based Routing - Directs traffic based on region, for lowest possible latency for users

- Failover Routing - Primary site in one location, secondary data recovery site in another (change on health check)

- Geolocation Routing  - Route traffic based on the geographic  location of a requests origin. 

- Geo-proximity Routing - Route traffic based on geographic location using "bias" values (needs Route53 Traffic Flow)

- Multi-value Answer Routing - Return multiple  values in response to DNS queries. (using health checks)

- Traffic Flow - visual editor, for chaining routing policies, can version policy records for easy rollback

- AWS Alias Record - AWS smart DNS record, detects changed IPs for AWS resources and adjusts automatically.

- Route53 Resolver - Lets you regionally route DNS queries between your VPCs and your network (Hybrid Environments)

- Health checks can be created to monitor and automatically fail over endpoints. You can have health checks monitor other health checks





14) Elastic Load Balancer (ELB)

- Distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions.

- Load Balancers can be physical hardware or virtual software that accepts incoming traffic, and then distributes the traffic to multiple targets. They can balance the load via different rules. These rules vary based on the type of load balancer.

- Elastic Load Balancer (ELB) is the AWS solution for load balancing traffic, and there are 3 types available:

    * 1. Application Load Balancer ALB (HTTP/HTTPS)

    * 2. Network Load Balancer NLB (TCP/UDP)

    * 3. Classic Load Balancer CLB (Legacy)

a) Elastic Load Balancer (ELB) - The Rules of Traffic

- Listeners 

Incoming traffic is evaluated against listeners. Listeners evaluate any traffic that matches the Listener's port. For a Classic Load Balancer, EC2 instances are directly registered to the Load Balancer.

- Rules (Not available for Classic Load Balancer)

Listeners will then invoke rules to decide what to do with the traffic. Generally the next step is to forward traffic to a Target Group.

- Target Groups (Not available for Classic Load Balancer)

EC2 instances are registered as targets to a Target Group

- For Application Load Balancer (ALB) or Network Load Balancer (NLB) traffic is sent to the Listeners. When the port matches it then checks the rules for what to do. The rules will forward the traffic to a Target Group. The target group will evenly distribute the traffic to instances registered to that target group.

- For Classic Load Balancer (CLB) traffic is sent to the Listeners. When the port matches it then forwards the traffic to any EC2 instances that are registered to the Classic Load Balancer. CLB does not allow you to apply rules to listeners.

b) Application Load Balancer (ALB)

- Application Load Balancers are designed to balance HTTP and HTTPS traffic.

- They operate at Layer 7 (of the OSI Model), the Application layer

- ALB has a feature called Request Routing which allows you to add routing rules to your listeners based on the HTTP protocol.

- Web Application Firewall (WAF) can be attached to ALB. 

- Great for Web Applications.

c) Network Load Balancer (NLB)

- Network Load Balancers are designed to balance TCP/UDP traffic.

- They operate at Layer 4 (of the OSI Model), the Transport layer

- Can handle millions of requests per second while still maintaining extremely low latency.

- Can perform Cross-Zone Load Balancing

- Great for Multiplayer Video Games or When network performance is critical

d) Classic Load Balancer (CLB)

- It was AWS's first load balancer (legacy)

- Can balance HTTP, HTTPS or TCP traffic (not at the same time)

- It can use Layer 7-specific features (OSI Model) such as sticky sessions.

- It can also use strict Layer 4 (OSI Model) balancing for purely TCP applications

- Can perform Cross-Zone Load Balancing

- It will respond with a 504 error (timeout) if the underlying application is not responding (at the web-server or database level)

- Not recommended for use, instead use NLB or ALB.

e) ELB - Sticky Sessions

- Sticky Sessions is an advanced load balancing method that allows you to bind a user's session to a specific EC2 instance.

- Ensure all requests from that session are sent to the same instance

- Typically utilized with a Classic Load Balancer

- Can be enabled for ALB though can only be set on a Target Group not individual EC2 instances.

- Cookies are used to remember which EC2 instance.

- Useful when specific information is only stored locally on a single instance.


f) ELB - X-Forwarded-For (XFF) Header

- If you need the IPv4 address of a user, check the X-Forwarded-For header

- The X-Forwarded-For (XFF) header is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer
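An added example (not from the original notes) of reading the client address behind an ELB safely. The load balancer appends the address it saw the connection from to the end of any X-Forwarded-For value the request already carried, so the last entry is the one the ELB vouches for, while taking the first entry trusts whatever the client put there. The header values are constructed; the `trusted_proxies` parameter is an assumption for deployments with a further trusted hop (such as a CDN) in front of the ALB.

```python
import ipaddress
from typing import Optional


def spoofable_first_entry(xff: str) -> str:
    """The naive parse: trust the first entry. A client may send its own
    X-Forwarded-For header, so this value is whatever the client chose."""
    return xff.split(",")[0].strip()


def client_ip(xff: Optional[str], trusted_proxies: int = 1) -> Optional[str]:
    """Return the address the load balancer actually saw the connection from.

    The ELB appends the connecting address to the END of the header, so with
    the ELB as the only trusted proxy the last entry is the vouched-for
    client address and everything before it is unverified. With more trusted
    hops in front that each append before forwarding, count back further.
    """
    if not xff:
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None
    candidate = hops[-trusted_proxies]
    try:
        ipaddress.ip_address(candidate)   # reject garbage before it reaches logs or ACLs
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed header: a client-supplied "10.0.0.1" ahead of the address the ELB appended.
    header = "10.0.0.1, 198.51.100.7"
    print(spoofable_first_entry(header))   # 10.0.0.1 (client-chosen, not verified)
    print(client_ip(header))               # 198.51.100.7 (appended by the ELB)
    print(client_ip("198.51.100.7, 203.0.113.9", trusted_proxies=2))  # 198.51.100.7
```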

g) ELB - Health Checks

- Instances that are monitored by the Elastic Load Balancer (ELB) report back Health Checks as InService or OutOfService

- Health Checks communicate directly with the instance to determine its state.

- ELB does not terminate (kill) unhealthy instances. It will just redirect traffic to healthy instances.

- For ALB and NLB the Health checks are found on the Target Group.

h) ELB - Cross-Zone Load Balancing

- Only for Classic and Network Load Balancer

- Cross-Zone Load Balancing Enabled - requests are distributed evenly across the instances in all enabled Availability Zones.

- Cross-Zone Load Balancing Disabled - requests are distributed evenly across the instances only in its own Availability Zone.

i) ALB - Request Routing 

- Apply rules to incoming requests and then forward or redirect traffic.

- Requests can be matched on:

    * Host header 

    * Source IP

    * Path

    * HTTP header

    * HTTP request method

    * Query string


j) ELB CheatSheet

- There are three Elastic Load Balancers: Network, Application and Classic Load Balancer

- An Elastic Load Balancer must have at least two Availability Zones.

- Elastic Load Balancers cannot go cross-region. You must create one per region.

- ALB has Listeners, Rules and Target Groups to route traffic

- NLB use Listeners and Target Groups to route traffic.

- CLB use Listeners and EC2 instances are directly registered as targets to CLB

- Application Load Balancer is for HTTP(S) traffic and, as the name implies, it is good for Web Applications

- Network Load Balancer is for TCP/UDP and is good for high network throughput eg. Video Games

- Classic Load Balancer is legacy and it's recommended to use ALB or NLB

- Use X-Forwarded-For (XFF) to get the original IP of incoming traffic passing through ELB

- You can attach Web Application Firewall (WAF) to ALB but not to NLB or CLB

- You can attach an AWS Certificate Manager SSL certificate to any of the Elastic Load Balancers for SSL

- ALB has advanced Request Routing rules where you can route based on subdomain, header, path and other HTTP(S) information

- Sticky Sessions can be enabled for CLB or ALB and sessions are remembered via Cookie
