AWS Network Basics

This post distills key insights from my study of "AWS Network Basics" from AWS Skillbuilder.

View Course on AWS

Networking on AWS

On AWS, networking is virtualized and available in several different types and configurations which helps to match your networking methods with your needs.

Maybe you have a regional, public, private, mesh, or hub-and-spoke network design.

The AWS Networking Options

  1. Run on top of the AWS global network which is the backbone that supports the interconnectivity needs for elasticity, scalability, and highly availability as well as continual growth.
  2. Support the foundational building blocks of your design for your environment, network, and workloads to ensure you meet your business goals.
  3. Provide services built by AWS to accelerate deployment and management of your network.

Guidance from AWS

AWS Well-Architected Framework

To build secure, high-performing, resilient, and efficient networks for applications and workloads. The framework is built around six pillars:

  • Operational excellence
  • Security
  • Reliability
  • Performance efficiency
  • Cost optimization
  • Sustainability

The well-architected framework provides a consistent approach for customers and partners to evaluate architectures and implement scalable designs.

AWS Shared Responsibility Model

This model adds defined security management for your network and environment. In AWS, security and compliance is a shared responsibility between you and AWS. At a high level:

  • AWS is responsible for the security of the cloud.
  • You are responsible for the security in the cloud, including your data, applications, and network traffic in AWS.

The shared responsibility model provides clarity around which areas of systems security are owned by AWS and which are owned by you.

Planning Your Network Design and Cost Optimization

The fifth pillar of the AWS Well-Architected Framework, the cost optimization pillar, recommends measuring and monitoring your infrastructure. This is crucial because as your environment grows, your environment changes.

Data transfer charges are often overlooked in your design. There is no charge for inbound data transfer across all services in all Regions. However, data transfer from AWS to the internet is charged per service, with rates specific to the originating Region.

Define your metrics, set target goals, define and enforce your tagging strategy, use cost allocation tags, and regularly review for any changes. This helps to track your costs and optimize them.

AWS provides the following services to track expenses and usage:

  • AWS Cost Explorer
  • AWS Billing and Management Console
  • AWS Budgets
  • AWS Trusted Advisor

The framework and the Hybrid Network Lens provide a consistent approach to evaluate your network and implement scalable designs over time.

Network Security

The shared responsibility model balances the agility of your network with the need to improve the security of the data as it traverses your network using network controls, configurations, and so on.

To learn more about each layer of the shared responsibility model, explore additional resources provided by AWS.

Network Foundations

Everything you do in AWS uses networking, whether communicating with AWS or creating connections between your on-premises environment and AWS. A solid network design is the foundation of any environment.

The AWS network foundation options support the foundational building blocks of your design, environment, network, and workloads to ensure that you meet your business goals. However, designing and configuring your foundation for networking is different in AWS than for on-premises environments.

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) provides a private location to launch AWS resources in an isolated virtual network.

Amazon supports services to monitor your network traffic, like:

AWS PrivateLink

AWS PrivateLink helps establish secure and private connectivity between Amazon VPCs, AWS services within your Region, inside another Amazon VPC, or your on-premises network.

AWS Transit Gateway

AWS Transit Gateway is a service to manage and simplify the connections and peering for your Amazon VPCs.

Hybrid Connectivity

AWS provides services and hybrid connectivity solutions to link your on-premises and AWS networks. This supports a wide range of hybrid architectures and use cases.

AWS has a large global network footprint, many connection types, and networking services for building your hybrid networks. Additionally, AWS offers connections to run AWS services on premises and wirelessly.

This provides tools to meet specific requirements, applications, and business goals, no matter where your AWS services are connected—in your Amazon VPC, on-premises, or at the network edge.

  • AWS Direct Connect
  • AWS Cloud WAN
  • AWS Client VPN
  • AWS Site-to-Site VPN

Edge Networking Services

On AWS, edge networking services securely transmit your user-facing data with improved latency globally. When you use the AWS edge networking services, your traffic moves off the internet and behind the AWS global network.

Network edge computing removes the need for reaching back to your data centers or the cloud, to the edge of the network. This interconnects your network and provides a path for the exchange of information quicker.

The AWS Global Network

  • Defends and limits your exposure to attack by encrypting data, removing network hops, and controlling application access.
  • Improves your application performance and integrates access to the AWS global network global multi-service points of presence (PoPs).

AWS edge networking services sit at the AWS global edge locations and are configured to connect and deliver data with single-digit millisecond AWS network latency.

  • Amazon CloudFront
  • Amazon Route 53
  • AWS Global Accelerator

Application Networking

On AWS, application networking services enhance your application's network architecture with improved security, availability, performance, and monitoring capabilities. These services ensure scalability, high availability, and security for traditional and modern applications globally.

  • Amazon API Gateway
  • AWS App Mesh
  • AWS Cloud Map

Network Security

AWS provides multiple network and application protection services to secure your environment, inspect and filter traffic, enforce fine-grained security policies, and meet compliance requirements. Security is a shared responsibility: customers manage security in the Cloud, while AWS handles security of the Cloud.

Network security helps prevent attacks, maintain high availability, and ensure application responsiveness. AWS network security services support always-on detection and automatic inline threat mitigations. These services offer protections at the host-level, network-level, and application-level boundaries.

  • AWS WAF
  • AWS Shield
  • AWS Firewall Manager
  • AWS Network Firewall

Networking Concepts

A network is a set of devices sharing resources using common communication protocols over interconnections. Networks can be physically wired, optical, wireless, or a hybrid of these.

Network Topologies

When designing or troubleshooting networks, understanding data flow and topology is essential. AWS supports flexible designs, including traditional zone-based segmentation and VLANs.

Common Network Topologies

  • Point-to-Point: Secure private data connection between two locations without traversing the public Internet.
  • Bus Network: Early local networks using a single coaxial cable. A break disables the link.
  • Tree: Shares information across networks via root nodes transmitting signals to all computers.
  • Hub-and-Spoke: Central hub connects to devices (spokes). Used in AWS with VPNs, Direct Connect, VPC Peering, and Transit Gateways.
  • Mesh: Redundant multiple links for load balancing and fault tolerance, common in WANs.
  • Ring: Connections form a loop, often with redundancy, used in MANs.
  • Hybrid: Combination of multiple topology types.

Design documents and topology diagrams are essential for visibility, helping to spot risks and weak points in the network.

Protocols

Protocols optimize network performance, security, and visibility. Examples include:

  • Network Management: Facilitates network monitoring and optimization.
  • Network Communication: Includes HTTP/HTTPS for web browsing.
  • Network Security: Ensures secure data transmission, e.g., HTTPS.
  • File Transfer: FTP enables efficient and fast file transfers.

Choosing appropriate protocols aligns network design with business goals.

IPv4

IPv4 addresses are 32-bit numbers represented in dotted decimal notation, ranging from 0.0.0.0 to 255.255.255.255. This provides over 4.2 billion unique IP addresses.

Public IPv4

Public IPv4 addresses are globally routed and divided into class ranges:

  • Class A: 0.0.0.0 - 127.255.255.255 (over 2.1 billion addresses).
  • Class B: 128.0.0.0 - 191.255.255.255 (over 1 billion addresses).
  • Class C: 192.0.0.0 - 223.255.255.255 (over 2 million addresses).
  • There are also Class D and E ranges reserved for multicast and experimental use.

Private IPv4

Private IPv4 addresses are used for internal networks and are not routed on the internet. Examples:

  • Class A: 10.0.0.0 - 10.255.255.255
  • Class B: 172.16.0.0 - 172.31.255.255
  • Class C: 192.168.0.0 - 192.168.255.255

Private addresses require Network Address Translation (NAT) to communicate with the internet.

IPv6

IPv6 addresses are 128-bit hexadecimal numbers, providing a vastly larger address space compared to IPv4. These addresses use a start address and prefix to represent networks.

Key Differences:
  • IPv4: 32-bit, dotted decimal.
  • IPv6: 128-bit, hexadecimal.

Classless Inter-Domain Routing (CIDR)

CIDR replaces classful addressing, allowing more efficient IP address management and routing scalability. CIDR is represented by a network address and a prefix (e.g., 192.168.1.0/24).

Advantages of CIDR:

  • Efficient IP address space management.
  • Reduces routing table entries.

Subnetting

Subnetting divides a network into smaller segments, improving routing efficiency, network management, and security. Each subnet isolates groups of hosts for better control and organization.

Subnetting creates logical networks within Class A, B, or C ranges, enabling efficient traffic management.

Transmission Control Protocol/Internet Protocol (TCP/IP) Model

The TCP/IP model is a suite of communication protocols used to interconnect network devices on the internet. It is a simplified model derived from the OSI model and consists of four layers. This model standardizes protocols for reliable communication across interconnected networks.

TCP/IP Model Layers

Layer Role Common Example
Link Defines the networking methods within the local network link for communication without routers. Media Access Control (MAC) addresses
Internet Responsible for sending packets across network boundaries and establishing basic data channels. Internet Protocol version 4 (IPv4)
Transport Establishes channels for application-specific data exchange. Transmission Control Protocol (TCP)
Application Provides end-user services like exchanging application data over network connections. Hypertext Transfer Protocol (HTTP)

Key Functions of TCP and IP

  • TCP (Transmission Control Protocol): Creates communication channels, assembles messages into packets for transmission, and reassembles them in the correct order at the destination.
  • IP (Internet Protocol): Defines addressing and routing for packets, ensuring they reach the correct destination through successive hops.

Advantages of TCP/IP

TCP/IP specifies how data is exchanged over the internet, ensuring:

  • End-to-end communications with efficient packet management.
  • Automatic recovery from device failures.
  • Reliability without requiring significant overhead management.

Open Systems Interconnection (OSI) Model

The OSI model contains 7 layers, each responsible for a specific function in computer communication. These layers are categorized into two groups: Media layers and Host layers.

Layers Overview

The OSI model consists of the following 7 layers:

  • Physical Layer: Transmits raw data bits over the physical medium (e.g., cables, radio waves).
  • Data Link Layer: Provides error detection and correction, ensures data transfer over a reliable link.
  • Network Layer: Routes data from source to destination, handles logical addressing (e.g., IP addresses).
  • Transport Layer: Ensures end-to-end communication and reliability, manages data flow and error correction (e.g., TCP/UDP).
  • Session Layer: Manages sessions or connections between applications, controls dialogues between computers.
  • Presentation Layer: Formats and encrypts data, ensuring it can be understood by the application layer (e.g., data compression, encryption).
  • Application Layer: Interfaces directly with the end-user application, where communication services like HTTP and FTP are provided.

Host and Media Layers

The OSI model can be divided into two main categories:

  • Media Layer (Layers 1-3): Handles the physical transfer of data between devices. Includes the Physical, Data Link, and Network layers.
  • Host Layer (Layers 4-7): Manages the data transport process, from breaking data into packets to reassembling them at the destination. Includes the Transport, Session, Presentation, and Application layers.

About the OSI Model

The OSI model was developed by the International Organization for Standardization (ISO) to create a standardized framework for computer communications and developing protocols.