AcademyCloudFoundations Module 05-1
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module overview

Topics
• Networking basics
• Amazon VPC
• VPC networking
• VPC security
• Amazon Route 53
• Amazon CloudFront

Activities
• Label a network diagram
• Design a basic VPC architecture

Demo
• VPC demonstration

Lab
• Build your VPC and launch a web server

Knowledge check
Module objectives
Networks

(Diagram: two subnets, Subnet 1 and Subnet 2, connected through a router.)
IP addresses

Example IPv4 address: 192.0.2.0 (four 8-bit octets, written in dotted decimal; 192.0.2.0/24 is a documentation range, so it is safe to use in examples).
IPv4 and IPv6 addresses
Classless Inter-Domain Routing (CIDR)

192.0.2.0/24

The number after the slash is the prefix length: the first 24 bits identify the network and the remaining 8 bits identify hosts, so this block covers the 256 addresses 192.0.2.0 through 192.0.2.255.
Open Systems Interconnection (OSI) model

Layer      No.  Function                                                                 Unit / address
Data link  2    Transfer data between hosts in the same LAN (switches)                   MAC
Physical   1    Transmission and reception of raw bitstreams over a physical medium      Signals (1s and 0s)
                (cables, hubs)
Module 5: Networking and Content Delivery
Amazon VPC
IP addressing
Reserved IP addresses

Example: A VPC with an IPv4 CIDR block of 10.0.0.0/16 has 65,536 total IP addresses.
The VPC is divided into four equal-sized /24 subnets (256 addresses each). Only 251 IP addresses are available for use in each subnet, because AWS reserves the first four addresses and the last address of every subnet.

VPC: 10.0.0.0/16, Subnet 1: 10.0.0.0/24, Subnet 2: 10.0.2.0/24

IP addresses reserved in the 10.0.0.0/24 CIDR block:
10.0.0.0     Network address
10.0.0.1     VPC router
10.0.0.2     Amazon-provided DNS server
10.0.0.3     Reserved for future use
10.0.0.255   Network broadcast address (broadcast is not supported in a VPC, but the address is still reserved)
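The subnet arithmetic above, carried through as an added example (this code is not part of the AWS course material). It carves the first four /24 subnets out of 10.0.0.0/16 with the standard library's ipaddress module, lists the five addresses AWS reserves in each one, and computes the usable count for any prefix in the /16 to /28 range that AWS permits for a subnet. The function and constant names are this example's own.

```python
import ipaddress
from itertools import islice

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS server",
    3: "reserved for future use",
}
AWS_RESERVED_COUNT = len(AWS_RESERVED_OFFSETS) + 1   # + the network broadcast address


def reserved_addresses(subnet_cidr):
    """Map each reserved address in the subnet to the reason AWS keeps it."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    reserved = {str(net[offset]): why for offset, why in AWS_RESERVED_OFFSETS.items()}
    reserved[str(net[-1])] = "network broadcast address"   # net[-1] is the last address
    return reserved


def usable_addresses(subnet_cidr):
    """Addresses you can actually assign in a VPC subnet (AWS allows /16 to /28)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: VPC subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_COUNT


def carve_subnets(vpc_cidr, new_prefix, count):
    """Take the first `count` equal-sized /new_prefix subnets out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    return [str(s) for s in islice(vpc.subnets(new_prefix=new_prefix), count)]


if __name__ == "__main__":
    for cidr in carve_subnets("10.0.0.0/16", 24, 4):
        print(cidr, "usable:", usable_addresses(cidr))
    for addr, why in reserved_addresses("10.0.0.0/24").items():
        print(f"  {addr:<12} {why}")
```

Running it shows why "four equal-sized subnets" of a /16 still leaves most of the VPC unused: four /24 blocks consume 1,024 of the 65,536 addresses. Splitting the /16 into four /18 blocks instead would give 16,379 usable addresses each, but the five-address reservation applies to every subnet regardless of size, which is why a /28 (the smallest AWS allows) yields only 11.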
Public IP address types
Elastic network interface

(Diagram: an elastic network interface in subnet 10.0.1.0/24.)
Route tables and routes
Section 2 key takeaways

• A VPC is a logically isolated section of the AWS Cloud.
• A VPC belongs to one Region and requires a CIDR block.
• A VPC is subdivided into subnets.
• A subnet belongs to one Availability Zone and requires a CIDR block.
• Route tables control traffic for a subnet.
• Route tables have a built-in local route.
• You add additional routes to the table.
• The local route cannot be deleted.
Internet gateway

(Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16, with public subnet 10.0.1.0/24 reaching the internet through an internet gateway.)

Public subnet route table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      igw-id

The 0.0.0.0/0 route to the internet gateway is what makes the subnet public. An instance in it still needs a public or Elastic IP address to be reachable from the internet.
Network address translation (NAT) gateway

(Diagram: VPC 10.0.0.0/16 with a NAT gateway (nat-gw-id) placed in public subnet 10.0.1.0/24. The public subnet's route table sends 0.0.0.0/0 to the internet gateway; a private subnet's route table sends 0.0.0.0/0 to the NAT gateway instead, so private instances can reach the internet for updates without being reachable from it.)

Public subnet route table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      igw-id
VPC sharing

(Diagram: within one Region, an owner account shares subnets of its VPC with participant accounts: Account B, Account C, and Account D.)
VPC peering

You can connect VPCs in your own AWS account, between AWS accounts, or between AWS Regions.

Restrictions:
• IP spaces cannot overlap.
• Transitive peering is not supported.
• You can only have one peering resource between the same two VPCs.

(Diagram: VPC A 10.0.0.0/16 and VPC B 10.3.0.0/16 joined by a peering connection, pcx-id.)

Route table for VPC A
Destination    Target
10.0.0.0/16    local
10.3.0.0/16    pcx-id

Route table for VPC B
Destination    Target
10.3.0.0/16    local
10.0.0.0/16    pcx-id
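An added example (not part of the AWS course material) of how the route tables in the internet gateway, NAT gateway and VPC peering slides are actually consulted. The VPC router picks the most specific matching route, which is why the built-in local route for 10.0.0.0/16 wins over 0.0.0.0/0 for in-VPC traffic. The second part models the "transitive peering is not supported" restriction: a peering connection only carries packets addressed to the peer VPC's own CIDR. The PUBLIC_RT and PRIVATE_RT tables are the ones drawn on the slides; VPC C (10.5.0.0/16) and the peering IDs pcx-ab and pcx-ac are constructed for the example.

```python
import ipaddress

# Route tables copied from the module's diagrams (destination CIDR -> target).
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-id"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gw-id"}

# Constructed peering topology: the slide's VPC A and VPC B, plus a third VPC C
# peered only with A. The names pcx-ab, pcx-ac and 10.5.0.0/16 are assumptions.
VPC_CIDRS = {"A": "10.0.0.0/16", "B": "10.3.0.0/16", "C": "10.5.0.0/16"}
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-ac": ("A", "C")}
VPC_ROUTE_TABLES = {
    "A": {"10.0.0.0/16": "local", "10.3.0.0/16": "pcx-ab", "10.5.0.0/16": "pcx-ac"},
    # B's admin added a route for C through the A-B peering, hoping A will relay it.
    "B": {"10.3.0.0/16": "local", "10.0.0.0/16": "pcx-ab", "10.5.0.0/16": "pcx-ab"},
    "C": {"10.5.0.0/16": "local", "10.0.0.0/16": "pcx-ac"},
}


def lookup(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does. None means no route: the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def deliver(src_vpc, dst_ip):
    """Follow one packet leaving src_vpc and report where it ends up."""
    target = lookup(VPC_ROUTE_TABLES[src_vpc], dst_ip)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return f"delivered inside VPC {src_vpc}"
    if target in PEERINGS:
        a, b = PEERINGS[target]
        peer = b if a == src_vpc else a
        # A peering connection only carries traffic addressed to the peer's own CIDR;
        # the peer never forwards it onward (no transitive peering).
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDRS[peer]):
            return f"delivered to VPC {peer} via {target}"
        return f"dropped at {target}: {dst_ip} is not in VPC {peer}'s CIDR (no transitive peering)"
    return f"forwarded to {target}"


if __name__ == "__main__":
    for rt_name, rt in ("public", PUBLIC_RT), ("private", PRIVATE_RT):
        for dst in ("10.0.2.5", "203.0.113.10"):
            print(f"{rt_name} subnet -> {dst}: {lookup(rt, dst)}")
    for src, dst in ("A", "10.3.1.1"), ("B", "10.0.7.7"), ("B", "10.5.0.1"):
        print(f"VPC {src} -> {dst}: {deliver(src, dst)}")
```

The B-to-C case is the one that surprises people: the route in B's table looks valid and the packet leaves B, but it is dropped at the peering because it is not addressed to A. Reaching C from B needs a direct B-C peering or a transit gateway.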
AWS Site-to-Site VPN

(Diagram: a customer gateway on premises connects over the internet, through a VPN connection, to VPC 10.0.0.0/16 in a Region and Availability Zone; the public subnet route table shows the local route, 10.0.0.0/16 to local.)

AWS Direct Connect

(Diagram: an 802.1q VLAN over AWS Direct Connect links the customer network to a Direct Connect gateway and on to Amazon VPCs.)

AWS Transit Gateway

(Diagram: without a transit gateway, connecting several Amazon VPCs, a VPN connection and a Direct Connect gateway requires a mesh of pairwise VPC peering connections; with AWS Transit Gateway, each VPC, VPN connection and Direct Connect gateway attaches to the transit gateway as a hub.)
Activity: Label this network diagram

(Diagram to label: the AWS Cloud contains a VPC with a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24, a gateway to the internet, an IP address type to name (Q6), and a route table with a local route and a 0.0.0.0/0 route whose target is to be identified.)

Activity: Solution

(Solution diagram: the outer labels are Region and Availability Zone.)
Recorded Amazon VPC demonstration
Section 3 key takeaways

• There are several VPC networking options, which include:
  • Internet gateway
  • NAT gateway
  • VPC endpoint
  • VPC peering
  • VPC sharing
  • AWS Site-to-Site VPN
  • AWS Direct Connect
  • AWS Transit Gateway
• You can use the VPC Wizard to implement your design.
Security groups

(Diagram: a security group attached to an instance in public subnet 10.0.1.0/24 of VPC 10.0.0.0/16.)
Security groups
• Security groups have rules that control inbound and outbound instance traffic.
• Security group rules are allow rules only; anything not explicitly allowed is denied.
• A newly created security group has no inbound rules, so it denies all inbound traffic, and it allows all outbound traffic. (The default security group that comes with each VPC additionally allows inbound traffic from other resources in the same security group.)
• Security groups are stateful: if a request is allowed in one direction, the response traffic is allowed automatically, regardless of the rules for the other direction.
Custom security groups
Network access control lists (network ACLs)

(Diagram: a network ACL at the boundary of public subnet 10.0.0.0/24 in VPC 10.0.0.0/16.)
Network ACLs
• A network ACL sits at the subnet boundary and has separate inbound and outbound rules, and each rule can either allow or deny traffic.
• Default network ACLs allow all inbound and outbound IPv4 traffic.
• Network ACLs are stateless: return traffic is not tracked, so an inbound allow for port 443 needs a matching outbound allow for the clients' ephemeral port range (1024-65535), or replies are dropped.
Custom network ACLs
• Custom network ACLs deny all inbound and outbound traffic until you add rules.
• You can specify both allow and deny rules.
• Rules are evaluated in number order, starting with the lowest number. The first rule that matches the traffic is applied; traffic that matches no numbered rule hits the final "*" rule and is denied.
Security groups versus network ACLs

Security group                                       Network ACL
Operates at the instance (network interface) level   Operates at the subnet level
Supports allow rules only                            Supports allow and deny rules
Stateful: return traffic is automatically allowed    Stateless: return traffic must be explicitly allowed
All rules are evaluated before a decision is made    Rules are evaluated in number order; the first match wins
Applies only to instances associated with it         Applies to every instance in the subnets it is associated with
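An added example (not AWS course code) that makes the stateful-versus-stateless distinction concrete by tracing one HTTPS request and its reply through a network ACL and a security group, and that shows the first-match, lowest-number-first evaluation of network ACL rules. The rule sets, the client address 198.51.100.7, the admin range 203.0.113.0/24 and the blocked range 198.51.100.0/24 are constructed for the example.

```python
import ipaddress

# --- Constructed rule sets for one web server (not from the slides) ---
# Security group rules are allow-only: (protocol, from_port, to_port, cidr)
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0"),          # HTTPS from anywhere
              ("tcp", 22, 22, "203.0.113.0/24")]       # SSH from the admin range (assumed)
SG_OUTBOUND = [("tcp", 443, 443, "0.0.0.0/0")]         # only HTTPS out, e.g. for patching
# Network ACL rules: (rule_number, action, protocol, from_port, to_port, cidr)
NACL_INBOUND = [(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                (110, "deny",  "tcp", 22, 22, "198.51.100.0/24"),   # blocked range (assumed)
                (120, "allow", "tcp", 22, 22, "0.0.0.0/0"),
                (130, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]    # replies to outbound flows
NACL_OUTBOUND = [(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                 (110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]   # replies to inbound clients


def _matches(proto, from_port, to_port, cidr, pkt_proto, pkt_port, pkt_ip):
    return (proto in ("all", pkt_proto) and from_port <= pkt_port <= to_port
            and ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr))


def nacl_allows(rules, pkt_proto, pkt_port, pkt_ip):
    """Stateless: the lowest-numbered matching rule decides; no match hits the final '*' deny."""
    for _, action, proto, fp, tp, cidr in sorted(rules):
        if _matches(proto, fp, tp, cidr, pkt_proto, pkt_port, pkt_ip):
            return action == "allow"
    return False


class SecurityGroup:
    """Allow-only and stateful: replies to an allowed flow pass without a rule of their own."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()   # (peer_ip, peer_port, local_port) of allowed connections

    def inbound_allowed(self, proto, local_port, peer_ip, peer_port):
        if (peer_ip, peer_port, local_port) in self.flows:
            return True      # reply to a connection the instance opened
        ok = any(_matches(*r, proto, local_port, peer_ip) for r in self.inbound)
        if ok:
            self.flows.add((peer_ip, peer_port, local_port))
        return ok

    def outbound_allowed(self, proto, peer_port, peer_ip, local_port):
        if (peer_ip, peer_port, local_port) in self.flows:
            return True      # reply to a connection a client opened
        ok = any(_matches(*r, proto, peer_port, peer_ip) for r in self.outbound)
        if ok:
            self.flows.add((peer_ip, peer_port, local_port))
        return ok


def trace_https(client_ip="198.51.100.7", client_port=51000, nacl_outbound=NACL_OUTBOUND):
    """Trace a client's HTTPS request and the server's reply through the NACL and the security group."""
    sg = SecurityGroup(SG_INBOUND, SG_OUTBOUND)
    request = (nacl_allows(NACL_INBOUND, "tcp", 443, client_ip)
               and sg.inbound_allowed("tcp", 443, client_ip, client_port))
    # The reply travels from port 443 back to the client's ephemeral port.
    sg_reply = sg.outbound_allowed("tcp", client_port, client_ip, 443)
    nacl_reply = nacl_allows(nacl_outbound, "tcp", client_port, client_ip)
    return {"request": request, "sg_reply": sg_reply, "nacl_reply": nacl_reply}


if __name__ == "__main__":
    print("with ephemeral-port rule:   ", trace_https())
    print("without ephemeral-port rule:", trace_https(nacl_outbound=NACL_OUTBOUND[:1]))
    print("SSH from blocked range:", nacl_allows(NACL_INBOUND, "tcp", 22, "198.51.100.5"))
```

The security group's outbound rules never mention port 51000, yet the reply passes because the group remembers the inbound flow. Drop rule 110 from the outbound network ACL and the same reply is silently discarded: the request reaches the server, the server answers, and the client sees a hang. That asymmetry, not a missing inbound rule, is the usual cause of "the security group allows it but it still doesn't work" tickets. The ordering of rules 110 and 120 shows the other trap: a deny placed after a broader allow would never be reached.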
Activity: Design a VPC
Scenario: You have a small business with a website that is hosted on an Amazon Elastic
Compute Cloud (Amazon EC2) instance. You have customer data that is stored on a
backend database that you want to keep private. You want to use Amazon VPC to set up a
VPC that meets the following requirements:
• Your web server and database server must be in separate subnets.
• The first address of your network must be 10.0.0.0. Each subnet must have 256 total
IPv4 addresses.
• Your customers must always be able to access your web server.
• Your database server must be able to access the internet to make patch updates.
• Your architecture must be highly available and use at least one custom firewall layer.
Section 4 key takeaways

• Build security into your VPC architecture:
  • Isolate subnets if possible.
  • Choose the appropriate gateway device or VPN connection for your needs.
  • Use firewalls.
• Security groups and network ACLs are firewall options that you can use to secure your VPC.
Lab 2: Build Your VPC and Launch a Web Server
Lab 2: Scenario
In this lab, you use Amazon VPC to create your own VPC and add some
components to produce a customized network. You create a security group for
your VPC. You also create an EC2 instance and configure it to run a web
server and to use the security group. You then launch the EC2 instance into
the VPC.
Lab 2: Tasks
• Create a VPC.
Lab 2: Final product

(Diagram: VPC 10.0.0.0/16 spanning Availability Zone A and Availability Zone B. Public subnet 1 (10.0.0.0/24) and private subnet 1 (10.0.1.0/24) are in Availability Zone A; public subnet 2 (10.0.2.0/24) and private subnet 2 (10.0.3.0/24) are in Availability Zone B. An internet gateway is attached to the VPC, a NAT gateway sits in public subnet 1, and the web server, protected by a security group, runs in a public subnet.)

Public route table
Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      Internet gateway

Private route table
Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      NAT gateway
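An added example (not part of the lab or the AWS course material) that checks the lab's final architecture against the requirements of the "Design a VPC" activity: subnets inside the VPC and non-overlapping, 256 addresses each starting at 10.0.0.0, web and database servers in separate subnets, the web server reachable from the internet, the database server private but with a NAT route for patching, both tiers spread across at least two Availability Zones, and at least one custom firewall layer. The subnet CIDRs, zones and route tables are taken from the diagram above; the placement of the web and database servers and the security group name are assumptions.

```python
import ipaddress

# The lab's final product, as drawn on the "Lab 2: Final product" slide.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {   # name: (CIDR, Availability Zone, route table)
    "public-1":  ("10.0.0.0/24", "A", "public"),
    "private-1": ("10.0.1.0/24", "A", "private"),
    "public-2":  ("10.0.2.0/24", "B", "public"),
    "private-2": ("10.0.3.0/24", "B", "private"),
}
ROUTE_TABLES = {
    "public":  {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"},
    "private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gw"},
}
# Where the activity's two servers go (assumed placement, not stated on the slide).
PLACEMENT = {"web": "public-1", "db": "private-1"}
FIREWALLS = ["web-server security group"]   # custom firewall layers (assumed name)


def is_public(subnet, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    rt = route_tables.get(subnets[subnet][2], {})
    return rt.get("0.0.0.0/0", "").startswith("igw")


def has_internet_egress(subnet, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """True if the subnet has any default route (internet gateway or NAT gateway)."""
    return "0.0.0.0/0" in route_tables.get(subnets[subnet][2], {})


def validate(vpc_cidr=VPC_CIDR, subnets=SUBNETS, route_tables=ROUTE_TABLES,
             placement=PLACEMENT, firewalls=FIREWALLS):
    """Return a list of requirement violations; an empty list means the design passes."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _, _) in subnets.items()}

    if str(vpc.network_address) != "10.0.0.0":
        problems.append("the first address of the network must be 10.0.0.0")
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) lies outside the VPC CIDR")
        if net.num_addresses != 256:
            problems.append(f"{name} must have 256 addresses (a /24), not {net.num_addresses}")
        if subnets[name][2] not in route_tables:
            problems.append(f"{name} has no route table")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")

    web, db = placement["web"], placement["db"]
    if web == db:
        problems.append("web server and database server must be in separate subnets")
    if not is_public(web, subnets, route_tables):
        problems.append("customers cannot reach the web server: its subnet has no internet gateway route")
    if is_public(db, subnets, route_tables):
        problems.append("the database server must not be in a public subnet")
    elif not has_internet_egress(db, subnets, route_tables):
        problems.append("the database server cannot reach the internet for patches (no NAT route)")

    for tier, public in ("public", True), ("private", False):
        zones = {az for name, (_, az, _) in subnets.items()
                 if is_public(name, subnets, route_tables) == public}
        if len(zones) < 2:
            problems.append(f"not highly available: {tier} subnets span {len(zones)} Availability Zone(s)")
    if not firewalls:
        problems.append("at least one custom firewall layer (security group or network ACL) is required")
    return problems


if __name__ == "__main__":
    print("lab design:", validate() or "OK")
    print("db in the public subnet:", validate(placement={"web": "public-1", "db": "public-1"}))
```

"Public" is derived from the route table rather than from the subnet's name, which is how AWS itself defines it; renaming a subnet changes nothing, adding an internet gateway route does. The check therefore also catches the common mistake of attaching the public route table to a subnet that was meant to stay private.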
Build Your VPC and Launch a Web Server
~ 30 minutes
Lab debrief: Key takeaways
Amazon Route 53
• Is a highly available and scalable Domain Name System (DNS) web service
• Is used to route end users to internet applications by translating names (like www.example.com) into numeric IP addresses (like 192.0.2.1) that computers use to connect to each other
• Is fully compliant with IPv4 and IPv6
• Connects user requests to infrastructure running in AWS and also outside of AWS
• Is used to check the health of your resources
• Features traffic flow
• Enables you to register domain names
Amazon Route 53 DNS resolution
Amazon Route 53 supported routing
Use case: Multi-region deployment

(Diagram: Amazon Route 53 answers a user's query with one of two regional load balancers, some-elb-name.us-west-2.elb.amazonaws.com or some-elb-name.ap-southeast-2.elb.amazonaws.com.)
Amazon Route 53 DNS failover
DNS failover for a multi-tiered web application

(Diagram: a Route 53 record set with a CNAME for www points at the primary application stack in the AWS Cloud; if the primary fails its health check, the record fails over to a static website hosted on Amazon S3.)
Section 5 key takeaways

• Amazon Route 53 is a highly available and scalable cloud DNS web service that translates domain names into numeric IP addresses.
• Amazon Route 53 supports several types of routing policies.
• Multi-Region deployment improves your application's performance for a global audience.
• You can use Amazon Route 53 failover to improve the availability of your applications.
Content delivery and network latency

(Diagram: a request from the user's client crosses several routers, one hop at a time, before it reaches the origin server; each hop adds latency.)
Content delivery network (CDN)
Amazon CloudFront
Amazon CloudFront infrastructure
Edge locations
Amazon CloudFront pricing
Module wrap-up
Module summary
Sample exam question
Which AWS networking service enables a company to create a virtual network within
AWS?
A. AWS Config
B. Amazon Route 53
C. AWS Direct Connect
D. Amazon VPC
Additional resources
Thank you
© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon
Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other
questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.