Essential Essences of AWS Cloud Networking

Fig : Networking in AWS

While I was preparing for AWS Certified Advanced Networking certification, I had my struggles in understanding the whys and what's of several networking features and architecture patterns in AWS Cloud. My inability to appreciate them was due to the fact that am not from networking background hence my basics were quite minimal. I realized that a good understanding of networking fundamentals is needed to appreciate the essence of why a certain AWS service behaves the way it does.

I thought I should first read CCNA Cisco certified network associate study guide before AWS Networking but got intimidated by the sheer size of the book, "I would never get it done and clear the certification on time" were the thoughts lingering in my mind . I then took a backward approach on achieving my AWS networking certification. As an d when I encounter a networking concept in AWS networking that am unable to comprehend, I would take a detour, understand it's core and then get back to AWS. The essentials of networking that I was exposed to on the many detours I took while studying for the AWS Advanced Networking certification exam are compiled in this series. Hope this turns out to be a good primer for you on your endeavor to build AWS networking solutions or prepare for AWS certification exams.

Essence#1 : Network Address Translation (NAT)

IP address scarcity is a common topic of conversation in the networking world. With the proliferation of devices in home and offices, it is not possible for each and every device in the world to have unique IP addresses. To counteract this, it was decided that devices in a closed network such as home/offices would have unique IP addresses for themselves called Private IP addresses that would work only within this network. But they would use a Public IP address to identify themselves when they're connected to the internet. This necessitates a mechanism through which private IP addresses could be translated into public IP address and this is done by Network Address Translation device.

Let's take an example of my home wifi set up having 5 devices such as a phone, smart watch, laptop, tablet and Amazon Echo connecting to the internet. The home wifi router is assigned a single public IP address by Internet Service Provider (ISP), the router in turn assigns unique private IP addresses for each of the 5 devices. When the devices connect to the router for internet access, they assume the router's public IP address. The router thus acts as a NAT device eliminating the need to have unique public IP address for each device. For example, when my smart watch wants to tell my phone that I haven't done my morning walk for 5 days in a row, it would communicate with the phone with the latter's private IP address. But if my phone wants to broadcast to the internet that I have become a lazy slob then it would assume the home wifi router's public IP address.

Fig : AWS NAT acting as a router

In AWS world, similar to home devices, workloads in a closed network or AWS Virtual Private Cloud (VPC) need not be launched in a public subnet. As a best practice, they should be placed in private subnet where each workload would have its own Private IP address. During the time they want to talk to internet, they could talk to AWS NAT Gateway, a scalable managed services from AWS, that would act like the home wifi router. A NAT Gateway is created in a public subnet and it needs an Elastic IP which would be its own Public IP address. It allows the private subnet workloads access the internet using this Public IP address but prevents any connection from the internet.

Fig : Creating an AWS NAT Gateway

Creating a NAT gateway needs an Elastic IP address and a public subnet. The NAT gateway and the workloads using it should reside in separate subnets.

Fig : Elastic IP address in AWS

The route table associated with public subnet housing the NAT gateway should point the default route to the internet gateway.

Fig : Route Table for public subnet

The route table associated with the private subnet housing the workloads should point the default route to the NAT Gateway.

Fig : Route Table for NAT gateway

The network traffic would be initiated from the workloads through the NAT Gateway out to the internet. If there was a network packet initiated from the internet back to the workloads, the only IP address it would see would the Elastic IP address of the NAT gateway. The network packet would be dropped and not reach the workloads. This way, NAT Gateways offer a security layer to grant internal workloads access to the internet without being exposed to it.

Essence#2 : RFC 1918

Internet Engineering Task Force (IETF) is the leading Internet standards body that defines standard operating internet protocols. In the year 1996, IETF released a Request For Comments (RFC) documenting the range of reserved IP addresses that can be used in private networks which are not reachable from the internet. Any data packets sent to these IP addresses range would be dropped on the public internet. If an organization has a ne twork where devices need to communicate with each other over IP addresses without the need to connect with internet, they can be assigned with any of the below RFC 1918 Private IP address range.

Fig : RFC 1918

Next time, when you create a AWS VPC, you must specify IPv4 CIDR blocks from any of the above IP address range. Now you know the reason why the CIDR block for a default VPC is always 172.31.0.0/16. As a best practice, use addresses from different IP classes for production, UAT or DR regions VPC.

Essence#3: Autonomous Systems

What makes the internet work? I would say IP addresses and routing. Routing is the act of moving information across a network from a source to a destination. In a network of 4 computers, if each one of them needs to communicate with one another, it needs 6 connections to be made. This is not a scalable ap proach on larger networks. Instead, the computers can connect to a single router and each network can link to other networks via its router.

Fig : ASN set up

Ultimately, a network grows out to be a collection of routers forming an Autonomous System whose prefixes and routing policies are governed by a common administrative control or an organization. An organization can own one or many Autonomous Systems.

Autonomous Systems are defined as 16 bit integers which allowed a maximum of 65,536 assignments
(2 ^ 16). And then same story as IP addresses, this turned out to be insufficient and private AS numbers 64,512–65,534 were introduced. This was too small a range of nearly 1000 numbers to solve the shortage crisis. IETF released RFC 4893, which introduced 32-bit AS numbers, now allowing a maximum of 4,294,967,296 numbers possible in whic h 4200000000–4294967294 range of numbers are private AS numbers.

In AWS networking world, there are a number of places where you would see ASN being asked. One of them is when you create a customer gateway, you need to provide the ASN of the customer gateway device.

Fig : Customer Gateway in AWS

Also, in a hybrid cloud scenario, when you create a Virtual Interface (VIF) for a Direct Connect connection, the BGP ASN of the on-premises router needs to be given.

Fig : ASN in Public virtual interface

Another instance is when you configure an AWS Transit Gateway. You would be asked to provide the ASN for the Amazon side of a BGP session.

Fig : ASN in AWS Transit Gateway

Click the "info" beside "Amazon side Autonomous System Number (ASN)", it would open a pop up window. I hope now it all makes sense to you.

Essence #4: Border Gateway Protocol (BGP)

Almost all the ASNs have something called BGP prefixed in the AWS console form. Border Gateway Protocol (BGP) is the fundamental protocol that Autonomous Systems use to figure out how to take a network packet and transmit it further to another AS or internet. It basically dictates the mechanism of routing decisions made by external facing routers that establish connection with other Autonomous Systems.

Fig : BGP session in ASN

BGP resides on top of TCP protocol 179. In the above system, Router#1 belonging to AS 100 would use TCP port 179 to commun icate with Router#6 of AS 400. Pre-requisites for establishing a BGP session is that Router#1 and Router#7 should be peered and if the routers are behind a firewall, TCP port# 179 should be opened on both the sides else BGP will never establish a session. A BGP session established between routers within the same AS is called internal BGP (IBGP) and that between different AS is called external BGP (EBGP). In the cloud world, all we care about is EBGP that focus on determining the path a network packet should take to reach it's destination AS. That's why they are sometimes called Path Vector Routing protocols.

When two BGP peered routers advertise the routing information, they also advertise a series of constructs called Path Attributes (PA). This enables us to easily manipulate the BGP path selection to promote traffic engineering. One widely used use case would be creating active and passive tunnels between 2 ASNs (AWS Virtual Private Gateway and customer's gateway devic e are examples of two ASNs that could be connected) in a hybrid cloud scenario. The source and destination for both the tunnels is the same, with BGP you can manipulate the traffic in a way that based on certain conditions, tunnel #1 would be the primary path and when the conditions change, tunnel #2 would be the primary path. This tunability and scalability is what makes BGP the most preferred protocol not only by AWS cloud but also other CSPs worldwide. BGP has got a decision tree and an algorithm that determines how the network traffic would be sent.

BGP path algorithm deserves a separate attention in part#2 of this series along with some oranges and more networking essences. Too many essences in a single article could cause essence fatigue.

See you soon …

Essential Essences of AWS Cloud Networking was originally published in Towards AWS on Medium, where people are continuing the conversation by highlighting and responding to this story.

Namaste Devops is a one stop solution view, read and learn Devops Articles selected from worlds Top Devops content publishers inclusing AWS, Azure and others. All the credit/appreciations/issues apart from the Clean UI and faster loading time goes to original author.

Comments

Post a Comment

Did you find the article or blog useful? Please share this among your dev friends or network.

An android app or website on your mind?

We build blazing fast Rest APIs and web-apps and love to discuss and develop on great product ideas over a Google meet call. Let's connect for a free consultation or project development.

Contact Us

Trending DevOps Articles

Working with System.Random and threads safely in .NET Core and .NET Framework

In this post I look at some of the ways you can misuse System.Random, comparing .NET Framework, NET Core, and .NET 6 implementations. In this post I look at some of the ways you can misuse System.Random for generating random numbers, specifically around thread safety. I start by showing how to use the built-in thread-safe Random generator in .NET 6. I then step back to previous .NET Core implementations, before the thread-safe Random generator was added, and show how to add your own. Finally, we take one more step back to .NET Framework, and look at he issues that arise there. tl;dr; If you're using .NET 6, then always use the static property Random.Shared if possible. If (like me) you need to support older version of .NET Core and .NET Framework, then read on! Generating random numbers from multiple threads in .NET 6+ It's a common requirement to be able to generate some sort of random number in .NET. If you don't need this to be a cryptographically secure ran...
Read more

Popular DevOps Categories

AWS Devops aws devops use cases best devops tutorial for beginners AWS DevOps Guru Azure Business Analytics DataOps DataOps Automation DevOps Interview Questions
Docker aws cdk application load balancer AWS CDK Application security AWS CDK application Application Load Balancers with DevOps Guru Auto scale group Automation Autoscale EC2 Autoscale VPC Autoscaling AWS Azure DevOps Big Data BigQuery CAMS DevOps Containers Data Observability Frequently Asked Devops Questions in Interviews GCP Large Table Export GCP Serverless Dataproc DB Export GTmetrix Page Speed 100% Google Page Speed 100% Healthy CI/CD Pipelines How to use AWS Developer Tools IDL web services Infrastructure as code Istio App Deploy Istio Gateways Istio Installation Istio Official Docs Istio Service Istio Traffic Management Java Database Export with GCP Jenkin K8 Kubernetes Large DB Export GCP Linux MSSQL March announcement MySQL Networking Popular DevOps Tools PostgreSQL Puppet Python Database Export with GCP Python GCP Large Table Export Python GCP Serverless Dataproc DB Export Python Postgres DB Export to BigQuery Sprint Top 100 Devops Questions TypeScript Client Generator anti-patterns of DevOps application performance monitoring (APM) aws amplify deploy blazor webassembly aws cdk application load balancer security group aws cdk construct example aws cdk l2 constructs aws cdk web application firewall aws codeguru reviewer cli command aws devops guru performance management aws service catalog best practices aws service catalog ci/cd aws service catalog examples azure Devops use cases azure devops whitepaper codeguru aws cli deploy asp.net core blazor webassembly devops guru for rds devops guru rds performance devops project explanation devops project ideas devops real time examples devops real time scenarios devops whitepaper aws docker-compose.yml health aware ci/cd pipeline example host and deploy asp.net core blazor webassembly on AWS scalable and secure CI/CD pipelines security vulnerabilities ci cd pipeline security vulnerabilities ci cd pipeline aws smithy code generation smithy server generator
Show more