AWS Networking - Overview

Introduction

This article provides a simplified overview of AWS networking concepts sourced from various learning materials. The primary responsibility breakdown between AWS and customers is outlined, followed by explanations of key communication types, protocols, and AWS networking services.

Responsibility Breakdown

AWS Responsibility:

  • Physical (e.g., CAT5, fiber optic cable)
  • Data Link (MAC)

Customer Responsibility:

  • Network (IP, ARP)
  • Transport (TCP)
  • Session (Setup, Negotiation, Teardown)
  • Application (e.g., web browser)

Communications

Unicast

Communication from one host to a specific destination.

Multicast

Communication to a specific group of devices or clients.

Broadcast

Communication from one address to all other addresses.

Protocols

TCP (Transmission Control Protocol)

  • Connection-based, stateful, acknowledges receipt.
  • Example applications: web, email, file transfer.

UDP (User Datagram Protocol)

  • Connectionless, stateless, simple with no retransmission delays.
  • Example applications: streaming media, DNS.

ICMP (Internet Control Message Protocol)

  • Used by network devices to exchange control and error information.
  • Examples: traceroute, ping.

Ports

Ephemeral

  • Short-lived transport-layer port allocated by the client side of an IP communication.
  • Dynamic ports (49152 to 65535).
  • Return traffic arrives on these ports, so stateless NACL rules must allow them explicitly; security groups are stateful and track the connection for you.
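An added example (not from the original article) that evaluates NACL rules the way AWS does: lowest rule number first, first match wins, implicit deny at the end, and no connection state. It shows an HTTPS request succeeding inbound but the reply being dropped when the outbound rules omit the ephemeral range; the `Rule` model, the rule sets and the client addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical rule model, constructed for this example (not an AWS API object).
@dataclass(frozen=True)
class Rule:
    number: int       # evaluated in ascending order; first match decides
    protocol: str     # "tcp", "udp", "icmp" or "-1" (all protocols)
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

def nacl_allows(rules, protocol, addr, port):
    """Stateless NACL evaluation: walk rules by number, first match wins.
    If nothing matches, the implicit '*' rule denies the packet."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol in ("tcp", "udp") and not (r.port_from <= port <= r.port_to):
            continue
        return r.action == "allow"
    return False

def https_flow_completes(inbound, outbound, client_ip, client_port):
    """A client connects to TCP/443 from an ephemeral port; the server's reply
    goes back to that ephemeral port. Because a NACL keeps no state, the reply
    must be allowed by the outbound rules on its own."""
    request_ok = nacl_allows(inbound, "tcp", client_ip, 443)
    reply_ok = nacl_allows(outbound, "tcp", client_ip, client_port)
    return request_ok and reply_ok

# Constructed sample: allow HTTPS from anywhere, but deny one blocked range first.
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(50, "tcp", "198.51.100.0/24", 443, 443, "deny"),
]
# Weak outbound: only HTTPS out, so replies to client ephemeral ports are dropped.
OUTBOUND_WEAK = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Corrected outbound: also allow the ephemeral range cited above (49152-65535).
# Note that Linux clients default to 32768-60999, which is why AWS guidance
# usually opens 1024-65535 instead; a client on port 40000 still fails here.
OUTBOUND_FIXED = OUTBOUND_WEAK + [Rule(110, "tcp", "0.0.0.0/0", 49152, 65535, "allow")]
```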

VPN / Direct Connect

AWS Managed VPN

  • AWS-managed IPsec VPN over the existing internet connection.
  • Quick and secure tunnel to a VPC.
  • Supports static routes or BGP peering.

Direct Connect

  • Dedicated network connection over private lines to AWS backbone.
  • Predictable network performance, supports BGP peering.

VPN Cloud Hub

  • Connects multiple locations in a hub-and-spoke topology using the AWS virtual private gateway.
  • Reuses the existing internet connection and supports BGP routing.

AWS Direct Connect + VPN

  • A Direct Connect private line combined with an IPsec VPN tunnel running over it, adding encryption to the dedicated connection.

Software VPN

  • You provide your own VPN endpoint and software.
  • Ultimate flexibility and manageability.
  • Customer responsible for high availability.

Virtual Private Cloud (VPC)

Transit VPC

  • Software-appliance-based VPN connections terminating in a central hub VPC.
  • Common strategy for connecting geographically dispersed VPCs.

VPC Peering

  • AWS-provided network connectivity between two VPCs.
  • Uses AWS backbone without touching the internet.

PrivateLink

  • Network connectivity between VPCs and/or AWS services using interface endpoints.
  • Keeps private subnets truly private using the AWS backbone.

Internet Gateways

Internet Gateway

  • Horizontally scaled, redundant component for VPC communication with the internet.
  • Supports IPv4 and IPv6.

Egress-Only Internet Gateway

  • Provides outbound internet access for IPv6 instances.
  • Prevents inbound access to those IPv6 instances.

NAT Instances and Gateways

NAT Instance

  • EC2 instance for translating traffic from private IPs to a single public IP.
  • Limited bandwidth, not IPv6 compatible.

NAT Gateway

  • Fully managed NAT service for high bandwidth.
  • Up to 45 Gbps bandwidth; cannot route traffic over VPC peering, VPN, or Direct Connect connections.

Routing Table and BGP

Routing Table

  • Every VPC has an implicit local route and a main route table.
  • You can modify the main route table or create additional custom route tables.

Border Gateway Protocol (BGP)

  • Popular routing protocol for the internet.
  • Required for Direct Connect, optional for VPN.
  • AWS supports BGP community tagging for traffic control.

Enhanced Networking

  • Used for high-performance computing use-cases.
  • Utilizes single root I/O virtualization (SR-IOV) for high performance.
  • Supports Intel 82599 VF interface (10 Gbps) and Elastic Network Adapter (25 Gbps).

Placement Groups

Clustered

  • Packs instances close together within a single Availability Zone.
  • Used for low network latency and/or high network throughput.

Spread

  • Instances spread across underlying hardware.
  • Reduces risk of simultaneous failure.

Route 53

  • Domain registration, health checking, and internet traffic routing.

DNS Record Types

  • A records (host address)
  • CNAME records (domain name aliases)
  • TXT records (descriptive text)
  • ALIAS records (auto-resolved alias, Route 53 specific)
  • MX records (mail exchange)

Route 53 Routing Policies

  • Simple, Failover, Geolocation, Latency, Multivalue Answer, Weighted.

CloudFront

  • Distributed content delivery service for static assets and video streaming.
  • Integrated with various AWS services for seamless operation.

Elastic Load Balancer (ELB)

  • Distributes inbound connections to backend endpoints.
  • Three types: Application Load Balancer, Network Load Balancer, Classic Load Balancer.

Comparison: NAT Gateway vs NAT Instance

  • The two are compared on availability, bandwidth, maintenance, performance, public IP handling, security-group support, and whether the instance can double as a bastion server.

MPLS and Customer Gateway

  • MPLS: Multi-protocol Label Switching.
  • Customer Gateway: Anchor on the customer's side for the connection between the network and Amazon VPC.
