November 7, 2016
Understanding what AWS provides for setting up private networks, security groups and more is important for anyone who calls themselves a DevOps engineer.
AWS allows you to define a software defined network. You do this with Amazon Virtual Private Cloud (Amazon VPC). You can define subnets, ingress rules, security groups, NAT gateways, Internet gateways, and more.
A VPC is a virtual private cloud. You can create multiple Amazon VPCs within a region that spans multiple availability zones. A VPC is an isolated area to deploy instances.
A VPC is associated with a CIDR block.
Figure: CIDR address (source: Wikipedia)
With CIDR block notation the /# denotes the size of the network, or rather how many bits of the address are used for the network. For example, 10.10.1.32/27 denotes a CIDR range (also known as a CIDR block). It denotes that the first 27 bits of the address are for the network (32 bits total). 32 - 27 leaves five bits for your servers (00000-11111). The first five addresses are reserved in a subnet, and the last address is reserved for broadcast. This leaves us 26 addresses for our servers, from address 10.10.1.37 to 10.10.1.61. There are tools to help build CIDR-based subnets. A VPC address range may be as large as /16 (32 - 16 = 16 bits, which allows for 65,536 available addresses) or as small as 16 addresses (/28 is 32 - 28 = 4 bits, which is 16 available addresses). The addresses of two VPCs should not overlap if you plan on adding VPC peering.
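As an added example (not from the original post), this Python helper does the CIDR arithmetic above with the standard library's ipaddress module: it splits a block into network and host bits, counts usable addresses using AWS's documented reservation of five per subnet (the first four and the last), checks that a VPC CIDR falls between /16 and /28, and flags overlapping VPC CIDRs that would block peering.

```python
import ipaddress
from typing import Dict, List, Tuple

# AWS reserves five addresses in every subnet: the first four (network address,
# VPC router, Amazon DNS, future use) and the last one (network broadcast).
AWS_RESERVED_PER_SUBNET = 5
# VPC CIDR limits from the text: no larger than /16, no smaller than /28.
VPC_LARGEST_PREFIX, VPC_SMALLEST_PREFIX = 16, 28


def describe_block(cidr: str) -> Dict[str, object]:
    """Break a subnet CIDR into the pieces the text walks through for 10.10.1.32/27."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    host_bits = net.max_prefixlen - net.prefixlen    # 32 - 27 = 5 bits for servers
    return {
        "network_bits": net.prefixlen,
        "host_bits": host_bits,
        "total_addresses": net.num_addresses,        # 2 ** host_bits
        "usable_addresses": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        "first_usable": str(net.network_address + 4),   # skip the four reserved at the start
        "last_usable": str(net.broadcast_address - 1),  # skip the reserved broadcast address
    }


def valid_vpc_cidr(cidr: str) -> bool:
    """A VPC CIDR must be a proper network address with a prefix between /16 and /28."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:            # e.g. 10.10.1.32/24 has host bits set
        return False
    return VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX


def peering_conflicts(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of VPC CIDRs that overlap; such pairs cannot be peered."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print(describe_block("10.10.1.32/27"))
    print(peering_conflicts(["10.10.0.0/16", "10.10.1.0/24", "172.16.0.0/16"]))
```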
An Amazon VPC is made up of subnets, route tables, DHCP option sets, security groups, and Network ACLs.
An AWS VPC can also have Internet Gateways (IGWs), Virtual Private Gateways (VPGs), Elastic IP (EIP) addresses, Elastic Network Interfaces (ENIs), Endpoints, Peering connections, and NAT gateways.
A VPC has a router defined by its route tables (per subnet and default).
Amazon Region and availability zones
AWS supports regions around the world and throughout the USA. A region is like a datacenter. Regions are independent of each other. You can place services in a region to be closer to your end consumer to lower latency and to improve reliability.
An Availability Zone (AZ) is isolated, but multiple AZs live in a region. Placing your services and applications in separate Availability Zones protects you from outages. Each AZ in a region has independent power, backup generators and UPS units, and often uses different utility companies when possible. AZs may exist in separate locations of a metropolitan area. AZs are redundantly connected together with fast, low-latency connections using multiple tier-1 transit providers.
A VPC lives in a single region and a VPC subnet must live in a single AZ.
A subnet is a part of a VPC's IP address range. Just like a VPC, you need to specify a CIDR block for a subnet. Subnets are associated with availability zones (independent power source and network). Subnets can be public or private. A private subnet is one that is not routable from the IGW.
Subnet Route tables
Route tables contain a set of ingress and egress rules called routes. These rules are applied to the subnet. The routes direct network traffic. The route tables connect subnets within a VPC so they can communicate. Routes are specified by CIDR and a target.
The most specific route that matches the traffic determines how to route the traffic. Route tables determine which subnets are public and which are private (whether or not the subnet has a route to the Internet Gateway). Each subnet is always associated with a route table, which dictates the routes for that subnet. If a route table for a subnet is not specified, then that subnet uses the main route table (which is associated with the VPC).
An Internet Gateway (IGW) enables traffic from the public Internet to your VPC. Subnets whose route tables target the IGW are public subnets. The IGW does network address translation from the public IPs of EC2 instances to their private IPs for incoming traffic. When an EC2 instance in a public subnet sends IP traffic, the IGW acts as the NAT for the public subnet and translates the reply address to the EC2 instance's public IP (EIP). The IGW keeps track of the mappings between EC2 instances' private IP addresses and their public IP addresses. AWS ensures that the IGW is highly available and handles horizontal scaling and redundancy as needed.
We hope this information on AWS software defined networks is helpful. Please check out our Cassandra consulting and Kafka consulting. We specialize in AWS DevOps Automation for Cassandra and Kafka. We also provide training geared towards AWS deployments.
Amazon VPGs, CGWs and VPNs
Amazon allows VPCs to be connected to your existing data center to allow AWS to augment your existing IT infrastructure. You can connect your existing datacenter to an Amazon VPC using VPG (Virtual Private Gateways) and CGW (Customer Gateways).
Think of the VPG like the IGW, but it sends traffic to your corporate network instead of the public Internet. VPGs connect to your company's Virtual Private Network (VPN) connector. The VPG is the Amazon side of the VPN connection. The CGW is the customer side of the VPN connection. CGWs are processes running on a server or network device.
You connect a VPG and a CGW with a VPN tunnel, which allows traffic between your corporate network and your Amazon VPCs. The VPN connection uses IPsec (Internet Protocol Security) tunnels for higher availability to the AWS VPC.
You can set up the VPN connection to use dynamic routing if the CGW supports it (via Border Gateway Protocol, BGP). If your CGW does not support dynamic routing, use static routes to decide which traffic is meant for the VPC. Routes are propagated to the VPC to allow traffic back to your corporate network via the VPG.
Amazon EC2 instances launched in a private subnet cannot access the Internet unless there is a NAT. A NAT is a network address translator. Even if you wanted to update your instances with yum install foo, you could not do it, because they have no route to the public Internet. AWS provides NAT gateways, which are similar to IGWs but, unlike IGWs, do not allow incoming traffic; they only allow responses to outgoing traffic from your Amazon EC2 instances.
NAT gateways are simple to manage and highly available. A VPC subnet lives in a single Availability Zone (AZ). To maximize failover you will want to deploy a NAT gateway per AZ.
To allow Amazon EC2 instances within a private subnet to access Internet resources through the IGW using a NAT gateway, you must do the following:
- Set up the private subnet's route table to direct Internet-bound traffic to the NAT gateway
- Associate the NAT gateway with an EIP
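An added example, not from the original post, that simulates how the route tables described above are evaluated for a public and a private subnet: the longest matching prefix wins, a subnet is public only if its table targets an IGW, and the private subnet's default route points at the NAT gateway (which must itself sit in a public subnet so its replies reach the IGW). The gateway ids are placeholders, not real AWS identifiers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR the route matches, e.g. "0.0.0.0/0"
    target: str        # "local", or an igw-*, nat-*, vgw-*, pcx-* identifier


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific (longest-prefix) matching route.

    AWS evaluates a route table this way, so the VPC's /16 local route beats the
    0.0.0.0/0 default route for in-VPC traffic. None means no route matches.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_route, best_prefix = None, -1
    for route in route_table:
        net = ipaddress.ip_network(route.destination)
        if ip in net and net.prefixlen > best_prefix:
            best_route, best_prefix = route, net.prefixlen
    return best_route.target if best_route else None


def is_public(route_table: List[Route]) -> bool:
    """A subnet is public exactly when its route table has a route targeting an IGW."""
    return any(r.target.startswith("igw-") for r in route_table)


# Constructed tables for a 10.10.0.0/16 VPC; the ids are placeholders, not real AWS ids.
VPC_CIDR = "10.10.0.0/16"
PUBLIC_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [
    Route(VPC_CIDR, "local"),
    Route("172.16.0.0/12", "vgw-EXAMPLE"),  # corporate network reached over the VPN
    Route("0.0.0.0/0", "nat-EXAMPLE"),      # everything else: NAT gateway in the public subnet
]

if __name__ == "__main__":
    for ip in ("10.10.1.7", "172.16.5.5", "198.51.100.7"):
        print(ip, "->", lookup(PRIVATE_RT, ip))
```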
Enhanced networking: Placement groups and networking speed
Instance types m4, c4, p2, g2, r3, x1, i2 and d2 support placement groups, which are essential for server-to-server performance and therefore important for clustering.
To achieve maximum throughput, placement groups must be placed in the same AZ. Amazon EC2 instances can achieve speeds of up to 10 Gbit/s if both instances are in the same placement group and in the same AZ.
A VPC is associated with a DHCP Option Set.
Dynamic Host Configuration Protocol (DHCP) provides a standard for configuring TCP/IP networks.
DHCP Options allow you to configure DHCP per VPC as follows:
- domain name
- domain name server
By default AWS creates and associates a DHCP option set for your Amazon VPC. The default DHCP option set has domain-name-servers set to AmazonProvidedDNS (Amazon Domain Name System) and domain-name set to the domain name for your region.
AWS has a pool of public IP addresses available to rent per region. These public IP addresses are called Elastic IP Addresses (EIPs). You check out an EIP like a library book. As long as you have the EIP checked out, no one else can use it. You can keep the EIP as long as you want, but you pay for it. Unused EIPs are more expensive than EIPs that you are using with an EC2 instance. You can assign an EIP to an instance (and only one). You could spin up a new, upgraded version of the instance from a snapshot and then reassign the EIP to the new instance.
EIPs allow using a set of fixed public IP addresses that can be reassigned to underlying infrastructure which could change over time. EIPs are allocated in a VPC, but can be moved to another VPC in the same region. EIPs can be assigned to resources like EC2 instances.
An ENI is an Elastic Network Interface. An ENI is often just called a network interface in AWS speak. An ENI is a virtual network interface that you can attach to an instance in a VPC. You can also detach an ENI and attach it to another EC2 instance. ENIs don't work with EC2-Classic (EC2 without a VPC).
An ENI can have the following properties:
- primary private IPv4 address
- potentially multiple secondary private IPv4 addresses
- EIP per private address
- public IPv4 address
- multiple IPv6 addresses
- multiple security groups (at least one)
- MAC address
- source/destination check flag
Again, what makes these ENIs elastic is that you can create an ENI, attach it to an EC2 instance, detach it from that instance, and attach it to another. The ENI keeps its properties no matter which instance it is attached to.
If an underlying instance fails, its addresses (MAC, public IP, EIPs, etc.) are preserved by attaching the ENI to a new replacement EC2 instance. ENIs can be used to create low-budget, highly available solutions.
A security group (SG) is a stateful firewall that controls inbound and outbound network traffic to EC2 instances and AWS resources like Elastic Load Balancers. Security groups being stateful means an Amazon instance (or resource) is allowed to respond to inbound traffic with outbound traffic. An AWS EC2 instance has to be associated with a security group; if none is specified, it is associated with the default security group for the VPC. EC2 instances can be associated with security groups after they are already running. Each VPC can have up to 500 security groups.
Rules are allow rules only. Rules consist of the following attributes:
- Source (CIDR or SG id)
- Protocol (TCP, ICMP, UDP, HTTP, HTTPS, SSH, etc.)
Security groups specify up to 50 inbound and 50 outbound rules using CIDRs or other security groups. AWS evaluates every rule before deciding to permit traffic.
A Network Access Control List (NACL) is a stateless layer of security. NACLs act as a stateless firewall. NACLs provide a numbered, ordered list of rules. The lowest-numbered rule is evaluated first. The first rule that matches, whether it allows or denies, wins. NACLs support both allow rules and deny rules. Return traffic must be allowed explicitly (stateless). A NACL applies to the whole subnet.
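The following added example (not from the original post) models the two evaluation semantics side by side on a constructed SSH scenario: a stateful security group lets the reply through on the strength of the tracked connection, while a stateless NACL drops the same reply unless an outbound rule covers the client's ephemeral port range, and NACL rule numbering decides whether a deny is ever reached.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the instance/subnet
    protocol: str    # "tcp", "udp" or "icmp"
    peer_ip: str     # remote address: source for inbound, destination for outbound
    port: int        # destination port on the receiving side


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    cidr: str               # source (inbound) or destination (outbound) range
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also say "deny"; security groups only allow
    number: int = 0         # NACL evaluation order; ignored for security groups


def _matches(rule, pkt) -> bool:
    return (rule.direction == pkt.direction and rule.protocol == pkt.protocol
            and rule.port_from <= pkt.port <= rule.port_to
            and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr))


def security_group_allows(rules, pkt, established: bool = False) -> bool:
    """Stateful: a reply on an already-allowed connection passes with no rule of its own.
    Otherwise every rule is considered and any match permits; there is no deny rule."""
    return established or any(_matches(r, pkt) for r in rules)


def nacl_allows(rules, pkt) -> bool:
    """Stateless: rules run lowest number first and the first match decides; a packet
    that matches nothing hits the implicit final deny, return traffic included."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action == "allow"
    return False


# Constructed scenario: an admin network may SSH in; the instance answers from port 22
# to the client's ephemeral port (1024-65535).
SSH_REQUEST = Packet("inbound", "tcp", "10.1.2.3", 22)
SSH_REPLY = Packet("outbound", "tcp", "10.1.2.3", 51234)
SG = [Rule("inbound", "tcp", "10.0.0.0/8", 22, 22)]
NACL_HALF = [Rule("inbound", "tcp", "10.0.0.0/8", 22, 22, number=100)]   # forgets the return path
NACL_FULL = NACL_HALF + [Rule("outbound", "tcp", "10.0.0.0/8", 1024, 65535, number=100)]
# A deny must be numbered below the allow it is meant to override, or it never runs.
NACL_BLOCK_ONE_HOST = [Rule("inbound", "tcp", "10.1.2.3/32", 22, 22, "deny", 50)] + NACL_FULL
```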
Related and important
Auto Scaling is used to scale Amazon EC2 capacity up or down automatically. You can autoscale a group of instances based on workload. It can be used to recover when instances go down by automatically spinning up an instance to take their place. Auto Scaling groups can span multiple AZs.
Amazon Route 53
Amazon Route 53 is DNS as a service. Route 53 is highly available and scalable. You can easily assign DNS names to resources instead of configuring them with public IP addresses.
Amazon CloudWatch is the monitoring service AWS uses for its own Cloud resources and services. However, you can also use CloudWatch for your own services and applications.
CloudWatch can track key performance indicators (KPIs) and metrics, allows log aggregation, and can easily create alarms. You can even trigger AWS Lambda functions based on limits of a KPI or on how often an item shows up in a log stream in a given period of time.
Amazon CloudWatch provides system-wide visibility into resource utilization and operational health. Unlike many monitoring systems, CloudWatch integrates with the entire Amazon ecosystem, so you not only have insight into your systems but can also react to triggers and events to keep everything running smoothly.
CloudFormation allows developers, DevOps, and Ops to create and manage a collection of related AWS resources. You can create and update items in a predictable fashion. You do this by creating CloudFormation templates, which are written in JSON or YAML. You then submit the templates to create stacks, which can later be updated.
AWS Identity and Access Management (IAM) enables secure control of access to AWS Cloud services and resources for your users. IAM defines users and roles, and allows you to apply them to EC2 instances as well as to users or groups of users. To use CloudWatch logging or metrics from an application, you would need to assign rights to a role and then associate that IAM role with your EC2 instance.
AWS Key Management Service (KMS) allows you to create and control your encryption keys. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys. KMS can be used to encrypt Amazon EBS volumes, Amazon S3 buckets and other services.
KMS can be used for encryption operations that must meet compliance requirements such as SOC 1, SOC 2, SOC 3, PCI DSS Level, ISO 27017/20018, and FIPS 140-2.
KMS also provides a REST API to encrypt data on an application basis.
AWS Certificate Manager
AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. It lets you provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS Cloud services like ELB or CloudFront (Amazon's CDN). You no longer have to purchase, upload and manually update or renew SSL/TLS certificates for the ELB or CDN.
Amazon CloudFront is Amazon's CDN, used to put resources closer to the end users of your applications and services.
Amazon Simple Storage Service (S3) stores your backups and big data.
Slide deck that covers configuring AWS Cassandra to run in an Amazon VPC
Cloudurable™ streamlines DevOps for Cassandra running on AWS: it provides AMIs, CloudWatch monitoring, CloudFormation templates and monitoring tools to support Cassandra in production running in EC2. We also teach advanced Cassandra courses, which teach how to develop, support and deploy Cassandra to production in AWS EC2.
Please take some time to read the Advantages of using Cloudurable™.
- Subscription Cassandra support to streamline DevOps (Support subscription pricing for Cassandra and Kafka in AWS)
- Quickstart Mentoring Consulting for Developers and DevOps
- Architectural Analysis Consulting
- Training and mentoring for Cassandra for DevOps and Developers
- Training and mentoring for Kafka for DevOps and Developers
We hope you enjoyed this article. Please provide feedback.
Cloudurable provides Cassandra training, Cassandra consulting, Cassandra support and helps setting up Cassandra clusters in AWS. Cloudurable also provides Kafka training, Kafka consulting, Kafka support and helps setting up Kafka clusters in AWS.
Check out our new GoLang course. We provide onsite, instructor-led Go Lang training.