In modern networking, network functions are increasingly becoming abstracted from the underlying switching and routing hardware layer. These virtualized resources are usually API driven, allowing developers to create, update and delete software-based network interfaces, firewalls, load balancers and routing functions through code.
Public cloud providers such as AWS offer many network services to customers that can be configured through graphical interfaces, command line and API endpoints. In this article, which is aimed at those who are new to cloud and networking in general, I discuss the basic concepts you need to understand to get started with network services on AWS.
There are a few supporting concepts that are important to understand if you’re working with networking in the cloud, and I’ll cover those first. These are IP subnetting, routing and gateways, the OSI model and network virtualization.
Whatever your role in IT, you’ll likely need to understand IP addressing to some level. In the cloud you need to understand how to define the IP subnet address ranges your cloud resources will use and the difference between private and public addresses (at a minimum).
An Internet Protocol (IP) address is a label used to identify a computer on a shared network. There are two versions of IP in common use today: version 4 and version 6.
IPv4 has been around for much longer and is the most widely used, but IPv6, which has a much larger address space, is becoming increasingly common and is supported by many AWS services today.
As IPv4 is the default protocol used on AWS, I’ll exclude IPv6 from the rest of the discussion. However, it is worth understanding IPv6 and how and why it is used. You can get more information on IPv6 on Wikipedia.
An IPv4 address is a 32-bit number which provides up to 4,294,967,296 possible addresses. Each address consists of a network identifier (which represents the network or subnet) and a host identifier (which represents the individual network attached device).
A subnet mask is a prefix that determines which portions of the address represent the network and which represent the hosts (devices). The following diagram depicts this:
A classful network design was created back in the 80s that used three classes of network (A, B & C), based on the first octet of the address and using strict octet boundaries for the entire address. This proved to lack the scalability required for the expansion of the Internet and so a classless network design was created. This is known as Classless Inter-Domain Routing (CIDR).
With CIDR, variable-length subnet masks can be used, allowing more granular and efficient use of addresses. An example of CIDR usage is the private address space, a reserved set of address ranges meant for computers that are not directly connected to the Internet.
The table below shows how a more granular approach can be taken to allocating addresses:
The CIDR blocks in the table above would allow the creation of subnets with just the right numbers of hosts, which is an efficient way of assigning address blocks.
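To make the "just the right number of hosts" idea concrete, here is an added example (not code from the original article) that carves a VPC CIDR block into subnets sized to each workload. The VPC block, subnet names and host counts are constructed sample values; it also accounts for the five addresses AWS reserves in every subnet, which the article does not mention.

```python
# Added example (not from the original article): carving a VPC CIDR block into
# subnets sized to the number of hosts each needs, using only the standard
# library. VPC block, subnet names and host counts are constructed values.
import ipaddress
import math

# RFC 1918 private ranges; a VPC CIDR block is normally chosen from these.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(cidr):
    """True if the whole block lies inside one RFC 1918 private range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(rng) for rng in PRIVATE_RANGES)

def prefix_for_hosts(hosts):
    """Longest prefix (smallest block) holding `hosts` addresses plus the five
    AWS reserves per subnet (first four, last one). AWS allows no subnet
    smaller than /28, so at least 4 host bits are always kept."""
    host_bits = max(math.ceil(math.log2(hosts + 5)), 4)
    return 32 - host_bits

def plan_subnets(vpc_cidr, requirements):
    """Allocate one subnet per (name, hosts) pair, largest first, always from
    the smallest free block that fits. Returns {name: (cidr, usable_hosts)}."""
    free = [ipaddress.ip_network(vpc_cidr)]   # blocks not yet allocated
    plan = {}
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        prefix = prefix_for_hosts(hosts)
        fits = [b for b in free if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free block in {vpc_cidr} for {name}")
        block = max(fits, key=lambda b: b.prefixlen)   # tightest fit
        free.remove(block)
        while block.prefixlen < prefix:                # split down to size
            block, upper = block.subnets(prefixlen_diff=1)
            free.append(upper)                         # keep the other half
        plan[name] = (str(block), block.num_addresses - 5)
    return plan

if __name__ == "__main__":
    for name, (cidr, usable) in plan_subnets(
            "10.0.0.0/16", [("web", 50), ("app", 200), ("db", 10)]).items():
        print(f"{name:4} {cidr:16} usable hosts: {usable}")
```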
Routing and Gateways
IP addresses are the means of identifying a unique device on a network. To reach a device across a network, a method of determining the best path to get there is required.
This is where routers come in. A router uses a routing protocol (or it may be directly configured) to learn the best path to reach a destination network. This data is held in a routing table.
A router is also considered a gateway when devices on a network are pointed towards it by way of a default gateway address. This address is configured in the IP settings of the networked device and specifies the target for all traffic that is destined to networks other than the local network.
This has been a very brief overview of a complex subject. For more information check out the following links to an article and detailed course on Udemy (affiliate link):
The OSI Model
The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of communication and computing systems.
The OSI model divides data communication into 7 abstraction layers and standardizes protocols into groups of networking functionality that ensure interoperability between diverse systems irrespective of the underlying technology.
It’s important to understand the 7 layers of the OSI model and where common protocols are located.
The following diagram depicts the 7 layers of the OSI model:
A brief description of the seven layers of the OSI model can be found on Webopedia.
Two commonly used terms related to network virtualization are Software Defined Networking (SDN) and Network Functions Virtualization (NFV).
SDN refers to the ability to control the behavior of network devices programmatically. Usually SDN implementations offer centralized control, separation of control and forwarding functions, and the ability to programmatically control behavior using well-defined interfaces.
NFV is an approach whereby standard compute virtualization technologies are used to host network services that would traditionally run on dedicated proprietary hardware. With NFV, Virtual Machines (VMs) can run network functions such as routing, load balancing and firewalls.
SDN and NFV are considered to be complementary technologies that can be implemented together resulting in virtualized network functions that can be centrally controlled through software.
Networking on AWS – Virtual Private Cloud (VPC)
An Amazon Virtual Private Cloud (VPC) is an isolated network environment on AWS that is analogous to having a private data center in the cloud.
With a VPC you can specify your own CIDR address block, create subnets, and configure route tables and gateways. VPC allows the creation of both IPv4 and IPv6 addresses. VPCs are created within AWS regions.
A VPC subnet is created within an Availability Zone (AZ), which consists of one or more data centers within an AWS region. There are two or more AZs in each region and you can create many subnets in each AZ.
Each subnet can be configured as either private or public. With a private subnet, instances are only assigned a private IP address (not routable on the Internet) and can only communicate with the outside world by way of a network address translation (NAT) device such as an AWS NAT Gateway.
A public subnet is a subnet in which instances are assigned a public IP address (in addition to a private IP address) and to which an Internet Gateway (IGW) is connected (this is essentially the default gateway for the instances in the subnet).
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table. A subnet can only be assigned to one route table, but a route table can be assigned to multiple subnets.
An “implicit” router is associated with all VPCs and ensures that routing works between all the subnets you create. Each route in a route table specifies a destination CIDR and a target, and the router will use the most specific route that matches the traffic when making forwarding decisions.
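The "most specific route" rule is easiest to see by running it. The following is an added example, not code from the original article: a small longest-prefix-match lookup over a public and a private subnet's route table. The route entries are constructed, and target IDs ending in EXAMPLE are placeholders, not real AWS resources.

```python
# Added example (not from the original article): how a VPC route table picks
# the most specific matching route. Route entries and target IDs ending in
# EXAMPLE are constructed placeholders, not real AWS resources.
import ipaddress

# Public subnet: the "local" route AWS adds for the VPC CIDR, a more specific
# route to an on-premises network via a VPN gateway, and a default route to
# the Internet Gateway.
PUBLIC_ROUTES = [
    ("10.0.0.0/16",    "local"),
    ("192.168.0.0/16", "vgw-EXAMPLE"),
    ("0.0.0.0/0",      "igw-EXAMPLE"),
]

# Private subnet: identical except the default route points at a NAT gateway,
# so instances can initiate outbound connections but accept none from outside.
PRIVATE_ROUTES = [
    ("10.0.0.0/16",    "local"),
    ("192.168.0.0/16", "vgw-EXAMPLE"),
    ("0.0.0.0/0",      "nat-EXAMPLE"),
]

def lookup(routes, dst_ip):
    """Target of the longest-prefix route containing dst_ip, or None when no
    route matches (the packet is dropped). 192.168.0.0/16 therefore wins over
    0.0.0.0/0 for 192.168.1.1, although both contain that address."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def is_public_subnet(routes):
    """AWS calls a subnet public when its default route targets an Internet
    Gateway (IDs begin with 'igw-'); a NAT gateway default keeps it private."""
    target = lookup(routes, "0.0.0.0")
    return target is not None and target.startswith("igw-")

if __name__ == "__main__":
    for dst in ("10.0.5.4", "192.168.1.1", "8.8.8.8"):
        print(f"{dst:12} public -> {lookup(PUBLIC_ROUTES, dst)}"
              f"  private -> {lookup(PRIVATE_ROUTES, dst)}")
```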
Load balancing is a method of efficiently distributing incoming network traffic across a series of backend servers or targets. With a load balancer you can evenly distribute connections to multiple servers ensuring high availability and reliability as well as providing scalability as the number of requests increases or decreases.
The AWS Elastic Load Balancing service is provided within the Elastic Compute Cloud (EC2) console and there are three different types of ELB available for use with your EC2 instances. These are:
- Application Load Balancer (ALB) – layer 7 load balancer that routes connections based on the content of the request
- Network Load Balancer (NLB) – layer 4 load balancer that routes connections based on IP protocol data
- Classic Load Balancer (CLB) – this is the oldest of the three and provides basic load balancing at both layer 4 and layer 7
VPN and Direct Connect
A virtual private network (VPN) is used to extend a private network across a public or untrusted network. On AWS you can create an IPsec VPN connection between your VPC and your remote network, which could be your company’s on-premises data center.
Another option is AWS Direct Connect, a network service that provides an alternative to using the Internet to connect a customer’s on-premises sites to AWS. With AWS Direct Connect, data is transmitted through a private network connection between AWS and a customer’s data center or corporate network.
There are a number of tools and services to secure your resources in your VPC. A Security Group is an instance-level virtual firewall that controls inbound and outbound traffic. A Network ACL is a subnet-level firewall controlling traffic in and out of your subnets.
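The practical difference between these two firewalls is that a Security Group is stateful (a reply to an allowed connection is allowed automatically) while a Network ACL is stateless and must explicitly permit both directions. The following added example, not code from the original article, evaluates a constructed Network ACL against one HTTPS connection and shows the common mistake of forgetting the reply's ephemeral port range; all rules and addresses are constructed.

```python
# Added example (not from the original article): why a Network ACL, which is
# stateless, needs rules for both directions of one connection, unlike a
# Security Group, which is stateful and allows replies automatically. Rules
# are evaluated in ascending number order, the first match wins, and the
# implicit "*" rule denies the rest. All rules and addresses are constructed.
import ipaddress

EPHEMERAL = (1024, 65535)   # ports a client uses as its source port

def first_match(rules, proto, ip, port):
    """Verdict for one packet: the action of the lowest-numbered rule whose
    protocol, CIDR (source for inbound, destination for outbound) and port
    range all cover the packet; 'deny' if none does."""
    for _num, action, rproto, rcidr, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if (rproto in ("all", proto)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(rcidr)
                and lo <= port <= hi):
            return action
    return "deny"

def connection_verdict(inbound, outbound, client_ip, client_port, svc_port):
    """(request verdict, reply verdict) for one TCP connection from a client
    to a service in the subnet. The reply's destination is the client's
    ephemeral port, so the outbound rules must cover that range too."""
    request = first_match(inbound, "tcp", client_ip, svc_port)
    reply = first_match(outbound, "tcp", client_ip, client_port)
    return request, reply

# (rule number, action, protocol, CIDR, (from_port, to_port))
INBOUND = [
    (90,  "deny",  "tcp", "198.51.100.0/24", (443, 443)),  # blocked range first
    (100, "allow", "tcp", "0.0.0.0/0",       (443, 443)),  # HTTPS from anywhere
]
# Common mistake: mirror the inbound rule and forget the reply's port range.
OUTBOUND_BROKEN = [(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]
# Fix: add a rule allowing TCP to the ephemeral range.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [(110, "allow", "tcp", "0.0.0.0/0", EPHEMERAL)]

if __name__ == "__main__":
    for label, out in (("broken", OUTBOUND_BROKEN), ("fixed", OUTBOUND_FIXED)):
        print(label, connection_verdict(INBOUND, out, "203.0.113.9", 50000, 443))
```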
The AWS Web Application Firewall (WAF) protects web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF provides control over which traffic to allow or block to web applications through the definition of customizable web security rules.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield offers always-on protection and provides detection and mitigation against sophisticated DDoS attacks at the network, transport and application layers.
If you would like to learn more about network services on AWS, the following AWS Certified Solutions Architect Associate training notes pages contain a lot more detail:
This article is part of a series, please also check out: