AWS
VPC - Virtual Private Cloud
A VPC is a logically isolated virtual network segment of the AWS Cloud tied to your AWS account.
Each VPC is contained within a single AWS region.
When you create a VPC, you specify its IP address range.
VPC Components
Subnets - can be private or public, that is, they can contain private or public resources
Route table - controls how traffic flows into and out of subnets
Internet gateway - provides access to the Internet from within a VPC
Egress-only internet gateway - if you're making use of IPv6 and want to reach the Internet but want to prohibit inbound connections, you need to use an egress-only internet gateway
VPC endpoint - if you want to enable private access to other AWS services without traversing the Internet, VPC endpoints are available for a variety of different services
Network Address Translation (NAT) gateway - NAT as a service: a highly available service which lets resources in a private subnet connect to the Internet
Virtual private gateway (VPG) - if you have external resources you wish to connect privately to resources within AWS
Transit Gateway - if you're looking to simplify network management across multiple VPCs and potentially local data centers
Peering Connection - establishes connectivity between VPCs
DHCP option sets - allow you to create your own DHCP options. For instance, if you want to specify your own DNS servers instead of using the AWS provided DNS, you can create an option set and assign it to a VPC. Keep in mind that a VPC can only have one DHCP option set.
Establish private connection
- to connect to an existing infrastructure
External Connection Components
Customer gateway - a physical networking appliance in an on-premises facility, to which all AWS-bound network traffic is anchored.
Virtual private gateway (VPG) - the virtual counterpart to a customer gateway; it resides inside AWS and is the anchor point for all on-premises-bound network traffic.
Site-to-site VPN - a site-to-site VPN is needed for machines in a local data center to communicate with services in AWS. When the VPN connection is established, network traffic flows securely over an encrypted VPN tunnel.
Internet Protocol Security (IPsec) VPN tunnel between your existing facilities and your AWS VPC.
Instead of a VPN tunnel, we can use Direct Connect
Direct Connect -
- dedicated connectivity to AWS
- improved network performance
- reduced bandwidth costs
To avoid a SPOF (single point of failure), we can use two Direct Connect links
Alternatively, if the existing infrastructure is also in AWS, then we can use
VPC Peering - no need for a gateway or VPN connection
VPC peering connections can span regions.
Transit Gateway
If we need to connect local assets with multiple VPCs: instead of a VPN connection for each VPC, you can centralize route management using a transit gateway.
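The notes above describe the VPC pieces (address range, subnets, route tables, internet / NAT / egress-only gateways, peering) but not how you would check a layout against them. The following is an added example, not code from the original notes or from AWS: an offline Python check over constructed data shaped like the `describe-subnets` and `describe-route-tables` output. All identifiers and addresses are made up. It validates the VPC CIDR size, finds subnets outside the VPC or overlapping each other, classifies each subnet as public (default route to an internet gateway), NAT-egress, IPv6 egress-only or isolated, and checks the non-overlap requirement for peering.

```python
"""Offline sanity check of a VPC layout: CIDR sizing, subnet containment and
overlap, public/private classification from route tables, and peering
compatibility.  Runs on constructed data; no AWS calls are made."""
import ipaddress

# Constructed sample shaped like `aws ec2 describe-subnets` /
# `describe-route-tables` output.  Every identifier below is made up.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    {"SubnetId": "subnet-web",   "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-app",   "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-db",    "CidrBlock": "10.0.3.0/24"},
    {"SubnetId": "subnet-bad",   "CidrBlock": "10.0.2.128/25"},  # overlaps subnet-app
    {"SubnetId": "subnet-stray", "CidrBlock": "192.168.1.0/24"}, # not inside the VPC
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0789"}]},
    # The main route table applies to every subnet without an explicit association.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpc_cidr_issues(cidr):
    """Return a list of problems with a proposed IPv4 VPC CIDR (empty list = fine).
    AWS accepts netmasks from /16 to /28; RFC 1918 space is the usual choice."""
    try:
        net = ipaddress.IPv4Network(cidr)          # strict: host bits must be zero
    except ValueError as exc:
        return [("invalid", str(exc))]
    issues = []
    if not 16 <= net.prefixlen <= 28:
        issues.append(("bad-prefix-length", net.prefixlen))
    if not any(net.subnet_of(r) for r in RFC1918):
        issues.append(("not-rfc1918", cidr))
    return issues


def subnet_issues(vpc_cidr, subnets):
    """Flag subnets outside the VPC range and pairs of subnets that overlap."""
    vpc_net = ipaddress.IPv4Network(vpc_cidr)
    nets = [(s["SubnetId"], ipaddress.IPv4Network(s["CidrBlock"])) for s in subnets]
    issues = [("outside-vpc", sid) for sid, net in nets if not net.subnet_of(vpc_net)]
    for i, (a_id, a) in enumerate(nets):
        for b_id, b in nets[i + 1:]:
            if a.overlaps(b):
                issues.append(("overlap", a_id, b_id))
    return issues


def route_table_for(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def classify_subnet(subnet_id, route_tables):
    """Classify a subnet by where its default routes point.  A route for
    0.0.0.0/0 (or ::/0) to an internet gateway is what makes a subnet public."""
    kinds = set()
    for route in route_table_for(subnet_id, route_tables)["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0"):
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            kinds.add("public")
        elif "NatGatewayId" in route:
            kinds.add("private-nat-egress")
        elif "EgressOnlyInternetGatewayId" in route:
            kinds.add("ipv6-egress-only")
    return sorted(kinds) or ["isolated"]


def peering_possible(cidr_a, cidr_b):
    """VPC peering requires the two VPCs' CIDR blocks not to overlap."""
    return not ipaddress.IPv4Network(cidr_a).overlaps(ipaddress.IPv4Network(cidr_b))


if __name__ == "__main__":
    print("VPC CIDR issues:", vpc_cidr_issues(VPC_CIDR))
    print("subnet issues:", subnet_issues(VPC_CIDR, SUBNETS))
    for s in SUBNETS:
        print(s["SubnetId"], "->", classify_subnet(s["SubnetId"], ROUTE_TABLES))
    print("peer 10.0.0.0/16 with 10.1.0.0/16:", peering_possible("10.0.0.0/16", "10.1.0.0/16"))
```

The classification is the check worth running regularly: a subnet becomes public the moment someone adds a 0.0.0.0/0 route to an internet gateway to its route table, regardless of what it was named, and a subnet with no explicit association silently inherits the main route table, so any default route added there reaches every such subnet at once.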
Route 53
provides DNS for AWS
- provides name to address resolution [ www.google.com --> 192.173.45.35]
- DNS failover - can detect a website outage and redirect to a different location
- Global traffic management - allows you to create traffic policies that optimise user experience
Types of Routing policies:
Failover Routing
Weighted Round-Robin Routing
Latency-Based Routing
Geolocation Routing
routing traffic based on the physical locations that client IP addresses map to
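The four routing policies are only named above. The following is an added example, not code from the original notes or from AWS: a small Python model of how each policy picks an answer from a record set. The record values, regions, latencies and health results are constructed, and the selection logic is a simplified model of the documented behaviour, not Route 53's implementation.

```python
"""Toy resolver showing how the four Route 53 routing policies pick an answer.
Record sets, health states and latencies are constructed; addresses use the
203.0.113.0/24 documentation range.  Simplified model, not Route 53 itself."""
import bisect

# Constructed sample data.
HEALTH = {"203.0.113.10": True, "203.0.113.20": True}
WEIGHTED = [("203.0.113.10", 3), ("203.0.113.11", 0), ("203.0.113.12", 1)]
REGIONAL = {"us-east-1": "203.0.113.10", "eu-west-1": "203.0.113.20"}
GEO = {"DE": "203.0.113.20", "EU": "203.0.113.21", "*": "203.0.113.10"}


def failover_answer(primary, secondary, health):
    """Failover routing: answer with the primary while its health check passes,
    otherwise with the secondary.  A record with no health-check result is
    treated as unhealthy, never as healthy by default."""
    return primary if health.get(primary, False) else secondary


def weighted_answer(records, roll):
    """Weighted round-robin: `records` is a list of (value, weight) and `roll`
    an integer in [0, sum of weights).  A record weighted 0 is never returned,
    which is how a target is drained before it is removed."""
    total = sum(w for _, w in records)
    if not 0 <= roll < total:
        raise ValueError("roll must be in [0, %d)" % total)
    cumulative, acc = [], 0
    for _, w in records:
        acc += w
        cumulative.append(acc)
    return records[bisect.bisect_right(cumulative, roll)][0]


def latency_answer(records, latency_ms):
    """Latency-based routing: `records` maps AWS region -> value and
    `latency_ms` is the measured latency from the client's network to each
    region.  Return the value in the lowest-latency region that has a record."""
    region = min(records, key=lambda r: latency_ms[r])
    return records[region]


def geolocation_answer(records, client_country, client_continent):
    """Geolocation routing: `records` maps a location key to a value, where the
    key is a country code, a continent code, or "*" for the default record.
    The most specific match wins; without a default, an unmatched client gets
    no answer at all."""
    for key in (client_country, client_continent, "*"):
        if key in records:
            return records[key]
    return None


if __name__ == "__main__":
    print("failover:", failover_answer("203.0.113.10", "203.0.113.20", HEALTH))
    print("weighted:", [weighted_answer(WEIGHTED, r) for r in range(4)])
    print("latency:", latency_answer(REGIONAL, {"us-east-1": 120, "eu-west-1": 25}))
    print("geo FR/EU:", geolocation_answer(GEO, "FR", "EU"))
```

Two details worth noticing: failover only helps if the primary record actually has a health check attached (an unchecked primary is never failed away from), and a geolocation record set without a "*" default returns nothing for clients from unlisted locations, which shows up as a resolution failure rather than a slow answer.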
One way to connect local resources with your AWS account is with an Internet Protocol Security (IPsec) VPN tunnel between your existing facilities and your AWS VPC. Let's visualize the components required to make that happen. After creating a VPC, you want to attach it back to an existing data center you operate.