Module 4 Networking


Module 4 Introduction

Learning objectives

In this module, you will learn how to:

• Describe the basic concepts of networking.

• Describe the difference between public and private networking resources.

• Explain a virtual private gateway using a real life scenario.

• Explain a virtual private network (VPN) using a real life scenario.

• Describe the benefit of AWS Direct Connect.

• Describe the benefit of hybrid deployments.

• Describe the layers of security used in an IT strategy.

• Describe the services customers use to interact with the AWS global
network.


Amazon Virtual Private Cloud (Amazon VPC)

Imagine the millions of customers who use AWS services. Also, imagine the
millions of resources that these customers have created, such as Amazon EC2
instances. Without boundaries around all of these resources, network traffic would
be able to flow between them unrestricted.

A networking service that you can use to establish boundaries around your AWS
resources is Amazon Virtual Private Cloud (Amazon VPC).

Amazon VPC enables you to provision an isolated section of the AWS Cloud. In this
isolated section, you can launch resources in a virtual network that you define.
Within a virtual private cloud (VPC), you can organize your resources into subnets.
A subnet is a section of a VPC that can contain resources such as Amazon EC2
instances.

Internet gateway

To allow public traffic from the internet to access your VPC, you attach an internet
gateway to the VPC.
Figure: An internet gateway attached to a VPC that holds three EC2 instances. An
arrow from the client to the gateway over the internet shows the client's request
gaining access to the VPC.

An internet gateway is a connection between a VPC and the internet. You can think
of an internet gateway as being similar to a doorway that customers use to enter
the coffee shop. Without an internet gateway, nothing on the internet can reach
the resources within your VPC, and those resources cannot reach the internet
directly either.

What if you have a VPC that includes only private resources?

Virtual private gateway

To access private resources in a VPC, you can use a virtual private gateway.

Here’s an example of how a virtual private gateway works. You can think of the
internet as the road between your home and the coffee shop. Suppose that you are
traveling on this road with a bodyguard to protect you. You are still using the same
road as other customers, but with an extra layer of protection.

The bodyguard is like a virtual private network (VPN) connection that encrypts (or
protects) your internet traffic from all the other requests around it.

The virtual private gateway is the component that allows protected internet traffic
to enter into the VPC. Even though your connection to the coffee shop has extra
protection, traffic jams are possible because you’re using the same road as other
customers.
A virtual private gateway enables you to establish a virtual private network (VPN)
connection between your VPC and a private network, such as an on-premises data
center or internal corporate network. A virtual private gateway allows traffic into
the VPC only if it is coming from an approved network.

AWS Direct Connect

AWS Direct Connect is a service that lets you establish a dedicated private
connection between your data center and a VPC.

Suppose that there is an apartment building with a hallway directly linking the
building to the coffee shop. Only the residents of the apartment building can travel
through this hallway.

This private hallway provides the same type of dedicated connection as AWS
Direct Connect. Residents are able to get into the coffee shop without needing to
use the public road shared with other customers.

A corporate data center routes network traffic to an AWS Direct Connect location.
That traffic is then routed to a VPC through a virtual private gateway. All network
traffic between the corporate data center and VPC flows through this dedicated
private connection.

The private connection that AWS Direct Connect provides helps you to reduce
network costs and increase the bandwidth available between your data center and
AWS. Note that a Direct Connect link is private but not encrypted by itself; if
the traffic on it must be encrypted, run a VPN over the connection (or enable
MACsec where the connection supports it).

Subnets and Network Access Control Lists

To learn more about the role of subnets within a VPC, review the following example
from the coffee shop.

First, customers give their orders to the cashier. The cashier then passes the
orders to the barista. This process allows the line to keep running smoothly as
more customers come in.

Suppose that some customers try to skip the cashier line and give their orders
directly to the barista. This disrupts the flow of traffic and results in customers
accessing a part of the coffee shop that is restricted to them.

To fix this, the owners of the coffee shop divide the counter area by placing the
cashier and the barista in separate workstations. The cashier’s workstation is
public facing and designed to receive customers. The barista’s area is private. The
barista can still receive orders from the cashier but not directly from customers.
Figure: A cashier, a barista, and three customers in line. The first customer
gives their order to the cashier, and the cashier forwards it to the barista. The
last customer in line tries to give their order directly to the barista and is
blocked.

This is similar to how you can use AWS networking services to isolate resources
and determine exactly how network traffic flows.

In the coffee shop, you can think of the counter area as a VPC. The counter area
divides into two separate areas for the cashier’s workstation and the barista’s
workstation. In a VPC, subnets are separate areas that are used to group together
resources.

Subnets

A subnet is a section of a VPC in which you can group resources based on security
or operational needs. Subnets can be public or private. What makes a subnet public
is its route table: a subnet whose route table has a route to the VPC's internet
gateway is public; a subnet without such a route is private.

Public subnets contain resources that need to be accessible by the public, such
as an online store’s website.

Private subnets contain resources that should be accessible only through your
private network, such as a database that contains customers’ personal
information and order histories.

In a VPC, subnets can communicate with each other. For example, you might have
an application that involves Amazon EC2 instances in a public subnet
communicating with databases that are located in a private subnet.
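The following Python script is an added example, not code from the AWS module, showing how "public" and "private" are actually decided in a VPC: by the route table a subnet uses, not by a label. The route-table and subnet records are constructed to follow the field names of the EC2 DescribeRouteTables and DescribeSubnets responses; the resource IDs are made up, and a default route to a NAT gateway is reported as its own outbound-only case.

```python
"""Classify VPC subnets as public or private from their route tables.

Added example, not part of the AWS module. The records below are constructed
to mirror the shape of the EC2 DescribeRouteTables / DescribeSubnets output;
the IDs are made up. Rule applied: a subnet is public when the route table it
uses (explicit association, else the VPC's main table) contains a route whose
target is an internet gateway (igw-...). A default route to a NAT gateway
gives outbound-only internet access and is reported separately.
"""
import ipaddress

# Constructed sample data (same field names as the AWS API responses).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-web",
        "Associations": [{"SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
        ],
    },
    {
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
        ],
    },
    {
        # Main route table: used by every subnet without an explicit association.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0123456789abcdef0"},
        ],
    },
]

SUBNETS = [
    {"SubnetId": "subnet-web", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-app", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-db", "CidrBlock": "10.0.3.0/24"},  # falls back to rtb-main
]

TARGET_FIELDS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
                 "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def route_table_for(subnet_id, route_tables):
    """Return the table explicitly associated with the subnet, else the main table."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def route_target(route):
    """The target ID of a route, whichever API field carries it."""
    for key in TARGET_FIELDS:
        if key in route:
            return route[key]
    return ""


def classify_subnet(subnet, route_tables):
    """Return 'public', 'private-nat' or 'private' for one subnet."""
    table = route_table_for(subnet["SubnetId"], route_tables)
    verdict = "private"
    for route in table["Routes"] if table else []:
        dest = route.get("DestinationCidrBlock")
        if dest is None:  # IPv6 and prefix-list routes are ignored in this demo
            continue
        target = route_target(route)
        if target.startswith("igw-"):
            return "public"  # any route to an internet gateway makes it public
        if target.startswith("nat-") and ipaddress.ip_network(dest).prefixlen == 0:
            verdict = "private-nat"  # default route via NAT: outbound only
    return verdict


def classify_all(subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Map every subnet ID to its classification."""
    return {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets}


if __name__ == "__main__":
    for subnet_id, kind in classify_all().items():
        print(f"{subnet_id}: {kind}")
```

The check worth taking from this is the fallback: a subnet with no explicit association silently uses the main route table, so a stray internet-gateway route in the main table makes every unassociated subnet public.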

Network traffic in a VPC

When a customer requests data from an application hosted in the AWS Cloud, this
request is sent as a packet. A packet is a unit of data sent over the internet or a
network.

It enters the VPC through an internet gateway. Before a packet can enter or leave
a subnet, its permissions are checked: where the packet came from and how it is
trying to communicate with the resources in the subnet.

The VPC component that checks packet permissions for subnets is a network
access control list (ACL).

Network ACLs

A network ACL is a virtual firewall that controls inbound and outbound traffic at the
subnet level.

For example, step outside of the coffee shop and imagine that you are in an airport.
In the airport, travelers are trying to enter into a different country. You can think of
the travelers as packets and the passport control officer as a network ACL. The
passport control officer checks travelers’ credentials when they are both entering
and exiting out of the country. If a traveler is on an approved list, they are able to
get through. However, if they are not on the approved list or are explicitly on a list of
banned travelers, they cannot come in.

Each VPC includes a default network ACL. When configuring your VPC, you can use
the VPC’s default network ACL or create custom network ACLs.

By default, your account’s default network ACL allows all inbound and outbound
traffic, but you can modify it by adding your own rules. For custom network ACLs,
all inbound and outbound traffic is denied until you add rules to specify which
traffic to allow. Additionally, all network ACLs have an explicit deny rule. This rule
ensures that if a packet doesn’t match any of the other rules on the list, the packet
is denied.

Stateless packet filtering

Network ACLs perform stateless packet filtering. They remember nothing and
check packets that cross the subnet border each way: inbound and outbound.

Recall the previous example of a traveler who wants to enter into a different
country. This is similar to sending a request out from an Amazon EC2 instance and
to the internet.

When the response to that request comes back to the subnet, the network ACL
does not remember your previous request. It checks the response packet against
its inbound rules to decide whether to allow or deny it. In practice this means
the inbound rules must allow the ephemeral port range (1024-65535) that the
response is addressed to; otherwise the reply is dropped even though the request
was allowed out.

After a packet has entered a subnet, it must have its permissions evaluated for
resources within the subnet, such as Amazon EC2 instances.

The VPC component that checks packet permissions for an Amazon EC2 instance
is a security group.

Security groups

A security group is a virtual firewall that controls inbound and outbound traffic for
an Amazon EC2 instance.

By default, a security group denies all inbound traffic and allows all outbound
traffic. You can add custom rules to configure which traffic should be allowed;
any other traffic is then denied. Security group rules are allow rules only: there
is no way to write an explicit deny rule in a security group.

For this example, suppose that you are in an apartment building with a door
attendant who greets guests in the lobby. You can think of the guests as packets
and the door attendant as a security group. As guests arrive, the door attendant
checks a list to ensure they can enter the building. However, the door attendant
does not check the list again when guests are exiting the building.

If you have multiple Amazon EC2 instances within the same VPC, you can
associate them with the same security group or use different security groups for
each instance.

Stateful packet filtering

Security groups perform stateful packet filtering. They remember previous
decisions made for incoming packets.

Consider the same example of sending a request out from an Amazon EC2
instance to the internet.

When a packet response for that request returns to the instance, the security
group remembers your previous request. The security group allows the response to
proceed, regardless of inbound security group rules.

With both network ACLs and security groups, you can configure custom rules for
the traffic in your VPC. As you continue to learn more about AWS security and
networking, make sure to understand the differences between network ACLs and
security groups.

Figure: A packet travels over the internet from a client to the internet gateway
and into the VPC, then through the network access control list into the public
subnet, where two EC2 instances are located.
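The following Python simulation is an added example, not code from the module or from AWS, modeling the difference described in the network ACL and security group sections above: a network ACL evaluates each direction on its own using numbered rules with a trailing deny, while a security group holds allow rules only and keeps a connection table, so the reply to an allowed outbound request is admitted regardless of inbound rules. The rule sets, addresses and the flow are constructed for the demonstration; the 1024-65535 range is the ephemeral port range AWS documents for return traffic.

```python
"""Stateless network ACL vs stateful security group, simulated.

Added example, not part of the AWS module. Rules, addresses and the flow are
constructed for the demo; 1024-65535 is the ephemeral range AWS documents for
return traffic. Network ACL rules are evaluated lowest number first, first
match wins, and the trailing '*' rule denies anything unmatched. Security
groups hold allow rules only and track connections.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int


def nacl_evaluate(rules, port, proto):
    """Apply network ACL semantics to one packet in one direction."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("-1", proto):
            continue
        if rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False  # the '*' rule: nothing matched, so deny


class NetworkAcl:
    """Subnet-level filter: inbound and outbound lists checked independently."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound
        self.outbound = outbound

    def allows_inbound(self, pkt):
        return nacl_evaluate(self.inbound, pkt.dst_port, pkt.proto)

    def allows_outbound(self, pkt):
        return nacl_evaluate(self.outbound, pkt.dst_port, pkt.proto)


class SecurityGroup:
    """Instance-level filter: allow rules only, plus a connection table."""

    def __init__(self, inbound_ports, outbound_ports=None):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = None if outbound_ports is None else set(outbound_ports)
        self.tracked = set()  # flows the instance initiated, keyed by 5-tuple

    def allows_outbound(self, pkt):
        allowed = self.outbound_ports is None or pkt.dst_port in self.outbound_ports
        if allowed:
            self.tracked.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        return allowed

    def allows_inbound(self, pkt):
        # A packet whose 5-tuple is the reverse of a tracked flow is a reply:
        # admitted regardless of the inbound rules (stateful behaviour).
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.tracked:
            return True
        return pkt.dst_port in self.inbound_ports


def simulate_https_fetch(nacl, sg):
    """Instance 10.0.1.10 fetches https://203.0.113.5/; return (request_ok, reply_ok)."""
    request = Packet("10.0.1.10", 40000, "203.0.113.5", 443)
    reply = Packet("203.0.113.5", 443, "10.0.1.10", 40000)
    # Outbound: security group (on the instance's interface) first, then the subnet NACL.
    request_ok = sg.allows_outbound(request) and nacl.allows_outbound(request)
    # Inbound reply: subnet NACL first, then the security group.
    reply_ok = request_ok and nacl.allows_inbound(reply) and sg.allows_inbound(reply)
    return request_ok, reply_ok


# Constructed rule sets. A security group with no inbound rules is the default.
STRICT_NACL = NetworkAcl(
    inbound=[NaclRule(100, "allow", "tcp", 443, 443)],
    outbound=[NaclRule(100, "allow", "tcp", 443, 443)],
)
FIXED_NACL = NetworkAcl(
    inbound=[NaclRule(100, "allow", "tcp", 443, 443),
             NaclRule(110, "allow", "tcp", 1024, 65535)],   # replies land here
    outbound=[NaclRule(100, "allow", "tcp", 443, 443),
              NaclRule(110, "allow", "tcp", 1024, 65535)],
)


def demo():
    """Same outbound request under both ACLs; only the second one gets its reply."""
    return {
        "strict": simulate_https_fetch(STRICT_NACL, SecurityGroup(inbound_ports=[])),
        "fixed": simulate_https_fetch(FIXED_NACL, SecurityGroup(inbound_ports=[])),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the "strict" case shows the trap the text warns about: the request leaves, the security group would accept the reply, but the network ACL drops it because nothing allows inbound traffic to port 40000. The "fixed" case adds the ephemeral range and the reply arrives.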

VPC component recall

Recall the purpose of each of the following four VPC components.

• Private subnet: Isolate databases containing customers' personal information.

• Virtual private gateway: Create a VPN connection between the VPC and the
internal corporate network.

• Public subnet: Support the customer-facing website.

• AWS Direct Connect: Establish a dedicated connection between the on-premises
data center and the VPC.

Domain Name System (DNS)

Suppose that AnyCompany has a website hosted in the AWS Cloud. Customers
enter the web address into their browser, and they are able to access the website.
This happens because of Domain Name System (DNS) resolution. DNS resolution
involves a customer DNS resolver communicating with a company DNS server.

You can think of DNS as being the phone book of the internet. DNS resolution is the
process of translating a domain name to an IP address.
Figure: A client sends a query for a domain to a DNS resolver. The resolver
forwards the request to the DNS server, which returns the IP address to the
resolver.

For example, suppose that you want to visit AnyCompany’s website.

1. When you enter the domain name into your browser, this request is sent to a
customer DNS resolver.

2. The customer DNS resolver asks the company DNS server for the IP address that
corresponds to AnyCompany’s website.

3. The company DNS server responds by providing the IP address for AnyCompany’s
website, 192.0.2.0.
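To show what the three steps above carry on the wire, here is an added Python example (not code from the module or from AWS) that builds the A query a resolver sends, constructs the reply an authoritative server would return, and parses it. The name anycompany.com and the answer 192.0.2.0 follow the module's illustration; the reply bytes are constructed locally by build_response so nothing is sent over the network, and only A records with basic name compression are handled.

```python
"""Build a DNS A query and parse the reply: what "DNS resolution" carries.

Added example, not part of the AWS module. The name anycompany.com and the
answer 192.0.2.0 follow the module's illustration; the reply bytes are
constructed locally in build_response (no network, no real server), so the
parser can be exercised offline. Only A records and basic name compression
(RFC 1035 section 4.1.4) are handled.
"""
import struct

QUERY_TXID = 0x1234  # arbitrary transaction ID for the demo


def encode_name(name):
    """anycompany.com -> b'\\x0aanycompany\\x03com\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=QUERY_TXID):
    """Standard query, recursion desired, one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2            # reading resumes after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg, expected_txid):
    """Return [(name, ttl, ipv4)] for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        # A resolver relies on this ID (and the source port) to pair replies
        # with queries; a mismatch is discarded rather than trusted.
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):                # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_response(query, ipv4, ttl=300):
    """Constructed reply in the shape an authoritative server would send."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = query[12:]
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
    rr += bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def resolve_demo(name="anycompany.com", ipv4="192.0.2.0"):
    """Query -> (constructed) server reply -> parsed answer."""
    query = build_query(name)
    return parse_response(build_response(query, ipv4), expected_txid=QUERY_TXID)


if __name__ == "__main__":
    print(resolve_demo())
```

The transaction-ID check in parse_response is the only thing in plain DNS that ties a reply to the query that caused it, which is why a resolver also randomizes its source port and why DNSSEC exists for answers that must be trusted.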

Amazon Route 53

Amazon Route 53 is a DNS web service. It gives developers and businesses a
reliable way to route end users to internet applications hosted in AWS.

Amazon Route 53 connects user requests to infrastructure running in AWS (such
as Amazon EC2 instances and load balancers). It can also route users to
infrastructure outside of AWS.

Another feature of Route 53 is the ability to manage the DNS records for domain
names. You can register new domain names directly in Route 53. You can also
transfer DNS records for existing domain names managed by other domain
registrars. This enables you to manage all of your domain names within a single
location.
In the previous module, you learned about Amazon CloudFront, a content delivery
service. The following example describes how Route 53 and Amazon CloudFront
work together to deliver content to customers.

Example: How Amazon Route 53 and Amazon CloudFront deliver content

Suppose that AnyCompany’s application is running on several Amazon EC2
instances. These instances are in an Auto Scaling group that attaches to an
Application Load Balancer.

1. A customer requests data from the application by going to AnyCompany’s
website.

2. Amazon Route 53 uses DNS resolution to identify AnyCompany.com’s
corresponding IP address, 192.0.2.0. This information is sent back to the
customer.

3. The customer’s request is sent to the nearest edge location through Amazon
CloudFront.

4. Amazon CloudFront connects to the Application Load Balancer, which sends the
incoming packet to an Amazon EC2 instance.
The correct response option is Translating a domain name to an IP address.

For example, if you want to visit AnyCompany’s website, you enter the domain
name into your browser and this request is sent to a DNS resolver. Next, the DNS
resolver asks the company’s DNS server for the IP address that corresponds to
AnyCompany’s website. The DNS server responds by providing the IP address for
AnyCompany’s website, 192.0.2.0.

In Module 4, you learned about the following concepts:

• Structuring and connecting to a VPC

• Securing VPC resources with network access control lists and security
groups

• Using Amazon Route 53 and Amazon CloudFront to deliver content


The correct response option is Place the Amazon EC2 instances in a public
subnet and the Amazon RDS databases instances in a private subnet.

A subnet is a section of a VPC in which you can group resources based on security
or operational needs. Subnets can be public or private.

Public subnets contain resources that need to be accessible by the public, such as
an online store’s website.

Private subnets contain resources that should be accessible only through your
private network, such as a database that contains customers’ personal
information and order histories.
The correct response option is AWS Direct Connect.

The other response options are incorrect because:

• A private subnet is a section of a VPC in which you can group resources that
should be accessed only through your private network. Although it is
private, it is not used for establishing a connection between a data center
and AWS.

• DNS stands for Domain Name System, which is a directory used for
matching domain names to IP addresses.

• A virtual private gateway enables you to create a VPN connection between
your VPC and a private network, such as your company’s data center.
Although this connection is private and encrypted, it travels through the
public internet, not through a dedicated connection.
The correct response option is Security groups are stateful and deny all inbound
traffic by default.

Security groups are stateful. This means that they track the connections an
instance has already been allowed to make, and they let the return traffic for
those connections through without a matching inbound rule.

By default, security groups deny all inbound traffic, but you can add custom rules
to fit your operational and security needs.
The correct response option is Amazon Route 53.

Amazon Route 53 is a DNS web service. It gives developers and businesses a
reliable way to route end users to internet applications hosted in AWS.

Another feature of Route 53 is the ability to manage the DNS records for domain
names. You can transfer DNS records for existing domain names managed by other
domain registrars. You can also register new domain names directly in Route 53.

The other response options are incorrect because:

• Amazon Virtual Private Cloud (Amazon VPC) is a service that enables you to
provision an isolated section of the AWS Cloud. In this isolated section, you
can launch resources in a virtual network that you define.

• AWS Direct Connect is a service that enables you to establish a dedicated
private connection between your data center and VPC.

• Amazon CloudFront is a content delivery service. It uses a network of edge
locations to cache content and deliver content to customers all over the
world.
