AWS Cloud Path Week 10: Important Things to Know about Networking in AWS

Missed the session? Catch up here:

Introduction

Welcome to Week 10 of the AWS Cloud Path! This week, we're diving deep into AWS networking fundamentals - one of the most critical aspects of cloud architecture that every AWS practitioner must master. Whether you're just starting your cloud journey or looking to strengthen your networking foundation, this guide will walk you through the essential concepts, best practices, and practical tips you need to know.

Prerequisites

Before diving into AWS networking, you should have:

• Basic understanding of AWS console navigation
• Familiarity with fundamental networking concepts (IP addresses, subnets, routing)
• An active AWS account for hands-on practice
• Basic knowledge of AWS regions and availability zones

Understanding AWS Global Infrastructure

Regions and Availability Zones

Before we can discuss AWS networking, it's crucial to understand the foundation: AWS global infrastructure. Every networking decision you make will be built upon regions and availability zones.

Key Points:

• Services availability varies between regions
• Pricing differs across regions
• Your network topology depends on region and AZ placement
• Resource placement directly impacts latency and accessibility

When planning your network architecture, always consider:

• Where your users are located
• Data sovereignty requirements
• Service availability in your chosen region
• Cost implications of different regions

Important: If you deploy resources in US-East-1 (North Virginia), you cannot access them from US-East-2 (Ohio). Always verify you're working in the correct region when troubleshooting network issues.

Amazon VPC: The Heart of AWS Networking

What is VPC?

Amazon Virtual Private Cloud (VPC) is the centerpiece of AWS networking. It creates an isolated virtual network environment where you can deploy and manage your AWS resources securely.

Default VPC vs Custom VPC

Every AWS account created after December 4th, 2013 comes with a default VPC. However, best practice strongly recommends creating custom VPCs for production workloads.

Why avoid default VPC:

• Cannot peer default VPCs between accounts
• Limited customization options
• Potential complications with advanced networking features
• May require resource redeployment if you need to change networking later

CIDR Blocks: Planning Your IP Address Space

When creating a VPC, the most critical decision is choosing your CIDR (Classless Inter-Domain Routing) block. This determines the total number of IP addresses available in your VPC.

CIDR Block Examples:

• 172.31.0.0/16 provides 65,536 IP addresses (172.31.0.0 to 172.31.255.255)
• 10.0.0.0/24 provides 256 IP addresses (10.0.0.0 to 10.0.0.255)
• 10.0.0.0/27 provides 32 IP addresses

Planning Considerations:

• Estimate your resource requirements
• Account for future growth
• Consider multiple availability zones
• Remember AWS reserves 5 IP addresses per subnet

Pro Tip: Use online CIDR calculators to determine the exact number of available IP addresses for your chosen mask.

Subnets: Organizing Your Network

Creating Subnets

Subnets are smaller networks within your VPC that allow you to organize resources and control traffic flow. Each subnet resides in a single availability zone.

Best Practices:

• Use at least two availability zones for high availability
• Plan subnet sizes based on expected resource count
• Consider public vs private subnet requirements
• Use /24 or /27 masks for most subnet deployments

Reserved IP Addresses:
AWS reserves 5 IP addresses in every subnet:

1. Network address
2. VPC router
3. DNS resolver
4. Reserved for future use
5. Network broadcast address

Route Tables: Directing Network Traffic

Understanding Route Tables

Route tables contain rules (routes) that determine where network traffic is directed. Every VPC has a main route table, and you can create additional custom route tables.

Key Components:

• Destination: Where traffic is going (IP range or specific address)
• Target: Where to send the traffic (internet gateway, NAT gateway, etc.)
• Priority: Most specific routes take precedence

Example Route Table:

Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        Internet Gateway

Internet Connectivity

Internet Gateways

An Internet Gateway (IGW) enables communication between your VPC and the internet. It's a horizontally scaled, redundant, and highly available VPC component.

Important Security Principle:
Only attach an internet gateway if you actually need internet connectivity. Follow the principle of least privilege - don't add "just in case" connections.

Cost Considerations:
Every additional component (gateways, NAT instances, VPC endpoints) has associated costs. Plan carefully and only deploy what you need.

Security: Defense in Depth

Security Groups vs Network ACLs

AWS provides two layers of security for controlling traffic:

Security Groups (Instance-Level)

• Stateful: Return traffic is automatically allowed
• Allow rules only: Everything denied by default
• Instance-specific: Attached to individual resources
• Evaluates all rules: Checks all rules before making a decision

Network ACLs (Subnet-Level)

• Stateless: Must explicitly allow both inbound and outbound traffic
• Allow and deny rules: Can explicitly deny traffic
• Subnet-wide: Applies to all resources in the subnet
• Rule order matters: Processes rules in numerical order

Best Practices for Security Groups

1. Create specific security groups for each resource type:

   • Web server security group
   • Database security group
   • Load balancer security group

2. Use reference-based rules:
   

   Web Server SG: Allow traffic from Load Balancer SG only
   Database SG: Allow traffic from Web Server SG only

1. Follow least privilege principle:
   • Only open necessary ports
   • Restrict source IP ranges
   • Regularly review and audit rules

Advanced Networking Features

VPC Peering

Connects two VPCs directly, allowing resources to communicate as if they're in the same network.

Requirements:

• Non-overlapping CIDR blocks
• Must be explicitly configured in both VPCs
• Not transitive (A-B and B-C doesn't mean A-C)

Transit Gateway

Provides a central hub for connecting multiple VPCs and on-premises networks.

Benefits:

• Simplifies complex network topologies
• Supports overlapping CIDR blocks
• Centralized routing and management
• Scalable architecture

VPC Endpoints

Enable private connectivity to AWS services without internet gateways.

Types:

• Gateway endpoints: S3, DynamoDB
• Interface endpoints: Most other AWS services

Network Monitoring and Security

Essential Monitoring Tools

1. VPC Flow Logs

   • Monitor network traffic patterns
   • Troubleshoot connectivity issues
   • Security analysis and compliance
   • Note: Additional storage costs apply

2. Network Access Analyzer

   • Verify intended network access
   • Analyze security group configurations
   • Identify unintended access paths

3. AWS Network Firewall

   • Advanced traffic filtering
   • Deep packet inspection
   • Intrusion prevention capabilities

4. Amazon GuardDuty

   • Threat detection for network traffic
   • Machine learning-based anomaly detection
   • Automated security monitoring

Practical Implementation Tips

Subnet Design Strategy

When designing your subnet architecture:

Example Multi-AZ Setup:
- Public Subnet AZ-A: 10.0.1.0/24 (Web tier)
- Private Subnet AZ-A: 10.0.2.0/24 (App tier)
- Database Subnet AZ-A: 10.0.3.0/24 (DB tier)
- Public Subnet AZ-B: 10.0.4.0/24 (Web tier)
- Private Subnet AZ-B: 10.0.5.0/24 (App tier)  
- Database Subnet AZ-B: 10.0.6.0/24 (DB tier)

Security Group Rules Example

Web Server Security Group:
- Inbound: Port 80 from 0.0.0.0/0 (HTTP)
- Inbound: Port 443 from 0.0.0.0/0 (HTTPS)
- Inbound: Port 22 from Admin-SG (SSH)

Database Security Group:
- Inbound: Port 3306 from Web-Server-SG (MySQL)
- No outbound rules needed (stateful)

Common Pitfalls to Avoid

1. Using default VPC for production workloads
2. Opening security groups to 0.0.0.0/0 unnecessarily
3. Not planning CIDR blocks for future growth
4. Forgetting about the 5 reserved IP addresses per subnet
5. Not considering cross-AZ data transfer costs
6. Mixing up security groups and NACLs functionality

Visual Architecture Overview

The video demonstrates a typical VPC architecture including:

• VPC spanning multiple availability zones
• Public and private subnets
• Internet gateway for public connectivity
• Route tables directing traffic flow
• Security groups protecting individual resources
• Network ACLs providing subnet-level security

Cost Optimization Tips

1. Use VPC endpoints for AWS service communication instead of internet gateways
2. Plan data transfer patterns to minimize cross-AZ charges
3. Right-size your NAT gateways based on actual traffic requirements
4. Implement VPC flow logs judiciously due to storage costs
5. Regular security group audits to remove unused rules and resources

Conclusion and Next Steps

AWS networking forms the backbone of any cloud architecture. The key takeaways from this week's session:

• Always use custom VPCs instead of default VPCs
• Plan your CIDR blocks carefully with future growth in mind
• Implement defense in depth using both security groups and NACLs
• Follow the principle of least privilege for all network access
• Monitor and audit your network configurations regularly

Recommended Next Steps

1. Hands-on Practice: Create a custom VPC with public and private subnets
2. Experiment with Security Groups: Set up multi-tier security group rules
3. Explore VPC Endpoints: Connect to S3 privately without internet gateway
4. Study Advanced Features: Learn about Transit Gateway and VPC peering
5. Cost Analysis: Monitor your networking costs and optimize accordingly

Additional Resources

• AWS VPC User Guide
• AWS Network ACL Documentation
• VPC Security Best Practices
• AWS Well-Architected Framework - Reliability Pillar

Remember, networking in AWS is foundational knowledge that will serve you throughout your cloud journey. Take time to practice these concepts in a safe environment before implementing them in production workloads.