AWS Network for dummy (me)


Reference

I found a good slide deck that contains good figures for understanding AWS networking.

https://de.slideshare.net/AmazonWebServicesLATAM/aws-vpc-fundamentals-webinar

Physical location

From slide 10/58 of the deck.

  • A Region consists of multiple AZs (Availability Zones), named AZ-a, AZ-b, AZ-c, etc.
  • Each AZx (x=a,b,c) consists of one or more data centers.

The latency between AZs within a Region is about 2 ms.

Logical network

  • VPC: a private network such as 172.31.0.0/16 that spans the AZs of a Region (AZa, AZb, AZc).
  • VPC subnet: a subnet lives in exactly one AZ. The default VPC has one subnet per AZ, like 172.31.(11|21|31).0/24.
    • Each subnet is created in a single AZx and cannot span AZs.
    • We can create further subnets from the VPC CIDR as long as they do not overlap, e.g. one more /24 per AZ.
  • Routing: a VPC has route tables. Every subnet uses exactly one route table, either one associated explicitly or, if none is, the VPC's main route table.
    • The route table decides whether a subnet is public or private. The "local" route is created automatically; the default route has to be added by hand.
    • Example 1: Destination=172.31.0.0/16 + Target=local (automatic; all traffic inside the VPC).
    • Example 2: Destination=0.0.0.0/0 + Target=igw-abcdefgh. igw is an "Internet GateWay"; this route is what makes a subnet public.
  • An Internet Gateway is attached to the VPC as a whole (at its boundary), whereas a NAT Gateway is placed IN a subnet (a public one, since it needs the IGW route itself).
  • An ELB is either internal (reachable only from inside the VPC) or internet-facing (reachable from the Internet). This is called the "Scheme" of the ELB.

Security group

A security group is scoped to the VPC, not to a subnet or an AZ, so it applies across all AZs by default. It is stateful: the reply to an allowed connection is allowed automatically, whatever the rules in the other direction say.

NAT and Internet Gateway

https://medium.com/awesome-cloud/aws-vpc-difference-between-internet-gateway-and-nat-gateway-c9177e710af6

  • An Internet Gateway allows resources within your VPC to access the Internet, and vice versa.
    • For this to happen, the IGW must be attached to the VPC and the subnet's route table needs a route (0.0.0.0/0 -> igw-...) to the IGW. The resource also needs a public or Elastic IP, because the IGW does the one-to-one NAT between the private and public address.
  • A subnet is deemed to be a public subnet if its route table directs traffic (the default route) to the Internet Gateway.
  • A NAT Gateway only works one way: resources in private subnets can initiate outbound connections and only the replies come back. The Internet at large cannot initiate connections to your private resources through the NAT Gateway, and there is no way to "allow" that on a NAT Gateway (it has no port forwarding). To accept inbound traffic you need a public subnet plus a public IP or a load balancer.

EKS network

https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html

Private-only: Everything runs in a private subnet and Kubernetes cannot create internet-facing load balancers for your pods. Public-only: Everything runs in a public subnet, including your nodes.

If we want to expose our services through a Kubernetes Service (an internet-facing load balancer), the subnets the load balancer is created in must be public. Only the load balancer needs to be there, though: the nodes themselves can stay in private subnets, which is the public + private layout described in the next scenario. Public-only puts the nodes on the Internet as well, which is the option with the largest exposure.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot establish connections to the database servers.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses

When you launch an instance in a default VPC, we assign it a public IP address by default. When you launch an instance into a nondefault VPC, the subnet has an attribute that determines whether instances launched into that subnet receive a public IP address from the public IPv4 address pool. By default, we don’t assign a public IP address to instances launched in a nondefault subnet. … A public IP address is assigned to your instance from Amazon’s pool of public IPv4 addresses, and is not associated with your AWS account. When a public IP address is disassociated from your instance, it is released back into the public IPv4 address pool, and you cannot reuse it.
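The two rules above (a subnet is public when its effective route table sends 0.0.0.0/0 to an Internet Gateway; the subnet attribute decides whether instances get a public IP on launch) are easy to get wrong by hand, so here is a small audit script that applies them. It is an added example, not code from the page or from AWS. The route-table and subnet dicts are constructed to mimic the shape of `aws ec2 describe-route-tables` / `aws ec2 describe-subnets` output (fields RouteTables[].Associations, RouteTables[].Routes, Subnets[].MapPublicIpOnLaunch); all IDs are made up, and no AWS API is called.

```python
"""Classify VPC subnets as public / private / isolated from route-table data.

Added example (not from the original page). Rule: a subnet's effective route
table is the one explicitly associated with it, or the VPC's main route table
otherwise. It is public if that table has an active 0.0.0.0/0 route to an IGW.
Input mimics the describe-route-tables / describe-subnets response shape.
"""

LOCAL = {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}

# Constructed sample: one VPC, three subnets, three route tables. IDs are fake.
ROUTE_TABLES = [
    {   # main route table: local route only
        "RouteTableId": "rtb-main0001",
        "VpcId": "vpc-0a1b2c3d",
        "Associations": [{"Main": True}],
        "Routes": [LOCAL],
    },
    {   # public route table: default route to the Internet Gateway
        "RouteTableId": "rtb-public01",
        "VpcId": "vpc-0a1b2c3d",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                           "GatewayId": "igw-abcdefgh", "State": "active"}],
    },
    {   # private route table: default route via a NAT Gateway
        "RouteTableId": "rtb-private1",
        "VpcId": "vpc-0a1b2c3d",
        "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                           "NatGatewayId": "nat-0123456789abcdef0", "State": "active"}],
    },
]

SUBNETS = [
    {"SubnetId": "subnet-pub-a", "VpcId": "vpc-0a1b2c3d", "CidrBlock": "172.31.11.0/24",
     "AvailabilityZone": "ap-northeast-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "VpcId": "vpc-0a1b2c3d", "CidrBlock": "172.31.21.0/24",
     "AvailabilityZone": "ap-northeast-1a", "MapPublicIpOnLaunch": False},
    # No explicit association, so it falls back to the main route table.
    {"SubnetId": "subnet-iso-a", "VpcId": "vpc-0a1b2c3d", "CidrBlock": "172.31.31.0/24",
     "AvailabilityZone": "ap-northeast-1a", "MapPublicIpOnLaunch": True},
]

# Keys under which a route's target can appear in the API response.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def effective_route_table(subnet, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none.

    Routes in state "blackhole" (target deleted) are ignored on purpose.
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def classify_subnet(subnet, route_tables):
    """'public' (IGW default route), 'private' (some other default route), 'isolated' (none)."""
    rt = effective_route_table(subnet, route_tables)
    target = default_route_target(rt) if rt else None
    if target is None:
        return "isolated"          # no way out of the VPC at all
    if target.startswith("igw-"):
        return "public"            # directly reachable from the Internet
    return "private"               # outbound only (NAT gateway, NAT instance, TGW, ...)


def audit(subnets, route_tables):
    """Map subnet ID -> (classification, list of findings worth a look)."""
    findings = {}
    for subnet in subnets:
        kind = classify_subnet(subnet, route_tables)
        notes = []
        if kind == "public" and subnet.get("MapPublicIpOnLaunch"):
            notes.append("instances get a public IP on launch and are reachable from the Internet")
        if kind != "public" and subnet.get("MapPublicIpOnLaunch"):
            notes.append("auto-assigns public IPs but has no IGW route: misleading, address is unreachable")
        findings[subnet["SubnetId"]] = (kind, notes)
    return findings


if __name__ == "__main__":
    for subnet_id, (kind, notes) in audit(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet_id}: {kind}" + "".join(f"\n  - {n}" for n in notes))
```

To run it against a real account, replace the two constructed lists with the `RouteTables` and `Subnets` arrays from the corresponding `aws ec2 describe-*` calls; the classification logic does not change. The main-table fallback in effective_route_table is the step people most often forget: a subnet with no explicit association is public if someone has added an IGW route to the main route table.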


Just a memo, not reviewed

https://de.slideshare.net/AmazonWebServicesJapan/20191002-aws-black-belt-online-seminar-amazon-ec2-auto-scaling-and-aws-auto-scaling-178995835

auto scaling

Launch templates are recommended over launch configurations (launch configurations are the older mechanism and do not get new features).

EKS-optimized AMIs: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html
Ubuntu EKS images: https://cloud-images.ubuntu.com/aws-eks/
AMI used in the example below: ami-03303797cba33c750

# Create version 1 of a launch template. Note AssociatePublicIpAddress=true:
# every instance launched from it gets a public IPv4 address, so the subnet
# below should be a public one and the security group should be tight.
aws ec2 create-launch-template \
    --launch-template-name TemplateForWebServer \
    --version-description WebVersion1 \
    --launch-template-data '{
        "NetworkInterfaces": [{
            "AssociatePublicIpAddress": true,
            "DeviceIndex": 0,
            "Ipv6AddressCount": 1,
            "SubnetId": "subnet-7b16de0c"
        }],
        "ImageId": "ami-03303797cba33c750",
        "InstanceType": "t2.nano",
        "TagSpecifications": [{
            "ResourceType": "instance",
            "Tags": [{"Key": "purpose", "Value": "webserver"}]
        }]
    }'