
AWS Network Services In a Nutshell

There are millions of clients sharing the same cloud platform, and each client could be running anywhere from one to several hundred projects on it. In such a scenario, these network services let us draw clear-cut, secured boundaries around our logical groups of applications. They also give us ways to create secured windows (gateways) through which to communicate across those boundaries; they include the services that establish secured connectivity through the available gateways, and they help us manage our traffic for a healthy and scalable infrastructure.

In short, these services form the backbone of AWS, ensuring a reliable, scalable, secure and efficient communication infrastructure for our applications.

AWS Network in a Nutshell organizes the key elements involved in AWS networking to give a concise, consolidated view of these networking service elements in one go.

AWS in Nutshell - Networking Services Cheatsheet

What queries do these network services address for you?

In line with the objective of the nutshell module, our focus would be on highlighting the big picture. We will loo...

Virtual Private Cloud(VPC): Provides a logically isolated virtual network that keeps your applications or environments separate from the millions of other VPCs deployed in the AWS cloud.

  • Query : When millions of projects are deployed in the cloud, how do I keep my set of applications safe, secure and isolated from others?

Public & Private Subnets inside the VPCs:

  • Query : Inside a single logical set of my applications, there are many sub-groups needing different levels of security protection. For instance, my web application may be exposed to the outside internet, but my database needs to be private: no one should be accessing it from outside.
    • How do I provide separate secured boundaries inside a single VPC?

Connectivity : VPCs and Subnets do provide safe boundaries. But, at the same time, we need to interact with other, specific destinations.

  • How do I create those specific narrow windows or channels for communication?

    Each of the following options, for example, provides connectivity for a specific purpose:

    • Internet Gateway for the internet,
    • VPC Peering, Transit Gateway and PrivateLink for establishing inter-VPC connectivity,
    • Virtual Private Gateway, VPN and Direct Connect for connecting to on-premises networks.

Router : Thus, I can communicate with on-premises servers, the internet or other VPCs over the different channels or windows discussed above.

  • So, do I need to know my channel every time I need to communicate? Is there anything that can simplify this for me by mapping my communication request to the right channel based on my destination address?
  • Note: The routers not only simplify your communication by mapping it to the right channel; they also provide a single point of reference for managing every destination you can communicate with.
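To make the VPC, subnet and router ideas above concrete, here is an added example (not code from the article or from AWS) that carves a VPC block into a public and a private subnet and then resolves destinations through each subnet's route table using longest-prefix match, which is how a VPC route table is evaluated. The VPC CIDR 10.0.0.0/16, the on-premises range 192.168.0.0/16, the peered VPC 10.1.0.0/16 and the target ids igw-EXAMPLE, vgw-EXAMPLE and pcx-EXAMPLE are all constructed placeholders, not real resources.

```python
"""Added example (not from the article): carve a VPC CIDR into public and
private subnets and resolve destinations through each subnet's route table
with longest-prefix match, the way a VPC route table is evaluated.

Constructed values: the VPC CIDR 10.0.0.0/16, the on-premises range
192.168.0.0/16, the peered VPC 10.1.0.0/16 and the target ids
(igw-EXAMPLE, vgw-EXAMPLE, pcx-EXAMPLE) are placeholders, not real resources.
"""
import ipaddress
from typing import Dict, List, Optional


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Split the VPC block into `count` equal subnets of length /new_prefix."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(candidates):
        raise ValueError(f"{vpc_cidr} only holds {len(candidates)} /{new_prefix} subnets")
    return [str(net) for net in candidates[:count]]


def resolve_route(route_table: Dict[str, str], destination: str) -> Optional[str]:
    """Return the target of the most specific matching route, or None.

    None models a packet the router has nowhere to send: a private subnet
    without a 0.0.0.0/0 route simply has no path to the internet.
    """
    dst = ipaddress.ip_address(destination)
    best_len = -1
    best_target: Optional[str] = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET, PRIVATE_SUBNET = carve_subnets(VPC_CIDR, 24, 2)

# Public subnet: a default route through the Internet Gateway.
PUBLIC_ROUTES: Dict[str, str] = {
    VPC_CIDR: "local",                # the local route every VPC route table has
    "10.1.0.0/16": "pcx-EXAMPLE",     # peered VPC (constructed)
    "192.168.0.0/16": "vgw-EXAMPLE",  # on-premises via Virtual Private Gateway (constructed)
    "0.0.0.0/0": "igw-EXAMPLE",       # everything else goes out to the internet
}

# Private subnet: the same specific routes, but no default route at all.
PRIVATE_ROUTES: Dict[str, str] = {
    VPC_CIDR: "local",
    "10.1.0.0/16": "pcx-EXAMPLE",
    "192.168.0.0/16": "vgw-EXAMPLE",
}


def describe(route_table: Dict[str, str], destination: str) -> str:
    """Human-readable routing decision for one destination address."""
    target = resolve_route(route_table, destination)
    return f"{destination} -> {target or 'no route (dropped)'}"


if __name__ == "__main__":
    print("subnets:", PUBLIC_SUBNET, "(public)", PRIVATE_SUBNET, "(private)")
    # 203.0.113.9 is from the TEST-NET-3 documentation range, standing in for an internet host.
    for dest in ("10.0.1.7", "10.1.2.3", "192.168.4.9", "203.0.113.9"):
        print("public :", describe(PUBLIC_ROUTES, dest))
        print("private:", describe(PRIVATE_ROUTES, dest))
```

The point to notice is that the peered-VPC and on-premises routes are reachable from both subnets, while only the public subnet's table carries the 0.0.0.0/0 route to the Internet Gateway; the private subnet is kept off the internet by the absence of a route, not by a filter.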

Let's recap what we saw in the previous two sections:

  • VPC & Subnets provided secured network boundaries.
  • With the connectivity options & the routers we could open windows or channels of communication with different destinations.

Question: Should we allow all kinds of communication, using any protocol, to take place through these windows?

  • To control our incoming and outgoing traffic, we have traffic-control rules implemented using:
    • Network Access Control Lists (NACLs) at the subnet level, and
    • Security Groups (SGs) at the instance level.

These rules can filter traffic based on IP addresses and communication protocols (HTTPS/HTTP/FTP etc.). For example:

  • While communicating with the internet, only HTTP or HTTPS may be allowed.
  • While communicating with a database instance for maintenance purposes, only a set of private IPs and SSH may be allowed.
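The two filtering layers behave differently, and the difference matters when you write the rules: a NACL is stateless, evaluates its numbered rules lowest number first with the first match deciding, and ends with an implicit deny, while a Security Group is stateful and allow-only, so any matching rule admits the packet and reply traffic is admitted automatically. The added example below (not code from the article or from AWS) models both layers and runs the two scenarios from the bullets above: HTTP/HTTPS only from the internet to a web instance, and SSH to a database instance only from a set of private addresses. Every CIDR, host address and rule set in it is a constructed sample.

```python
"""Added example (not from the article): evaluate inbound traffic against a
subnet-level Network ACL and an instance-level Security Group the way AWS
applies them. The NACL is stateless and ordered (lowest rule number first,
first match wins, implicit deny at the end); the SG is stateful and
allow-only (any matching rule admits the packet, replies need no rule).
All CIDRs, hosts and rule sets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluation order
    proto: str        # "tcp", "udp" or "all"
    cidr: str         # source for inbound rules, destination for outbound
    ports: PortRange
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    proto: str
    cidr: str
    ports: PortRange  # security groups only ever allow


def _matches(proto: str, cidr: str, ports: PortRange,
             addr: str, pkt_proto: str, port: int) -> bool:
    return (proto in ("all", pkt_proto)
            and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
            and ports[0] <= port <= ports[1])


def nacl_evaluate(rules: List[NaclRule], addr: str, proto: str, port: int) -> bool:
    """Stateless and ordered: the first matching rule decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.cidr, rule.ports, addr, proto, port):
            return rule.action == "allow"
    return False  # the '*' deny rule at the end of every NACL


def sg_allows(rules: List[SgRule], addr: str, proto: str, port: int) -> bool:
    """Stateful and unordered: any matching allow rule admits the packet."""
    return any(_matches(r.proto, r.cidr, r.ports, addr, proto, port) for r in rules)


def admit_inbound(src: str, proto: str, port: int,
                  nacl_in: List[NaclRule], sg: List[SgRule]) -> str:
    """Both layers must pass; report which one rejected the packet."""
    if not nacl_evaluate(nacl_in, src, proto, port):
        return "nacl-deny"
    if not sg_allows(sg, src, proto, port):
        return "sg-deny"
    return "allow"


def reply_admitted(nacl_out: List[NaclRule], client: str, proto: str, ephemeral_port: int) -> bool:
    """Replies to an admitted request still need an explicit outbound NACL rule
    (stateless); the security group tracks the connection and needs none."""
    return nacl_evaluate(nacl_out, client, proto, ephemeral_port)


# --- constructed rule sets ---------------------------------------------------
WEB_NACL_IN = [
    NaclRule(90, "all", "198.51.100.0/24", (0, 65535), "deny"),  # blocked range; lowest number wins
    NaclRule(100, "tcp", "0.0.0.0/0", (80, 80), "allow"),
    NaclRule(110, "tcp", "0.0.0.0/0", (443, 443), "allow"),
]
WEB_NACL_OUT = [NaclRule(100, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]  # reply (ephemeral) ports
WEB_SG = [SgRule("tcp", "0.0.0.0/0", (80, 80)), SgRule("tcp", "0.0.0.0/0", (443, 443))]

DB_NACL_IN = [
    NaclRule(100, "tcp", "10.0.0.0/16", (3306, 3306), "allow"),  # MySQL from anywhere in the VPC
    NaclRule(110, "tcp", "10.0.2.0/24", (22, 22), "allow"),      # SSH from maintenance hosts only
]
DB_SG = [
    SgRule("tcp", "10.0.0.0/24", (3306, 3306)),  # only the web subnet may query MySQL
    SgRule("tcp", "10.0.2.0/24", (22, 22)),      # only maintenance hosts may SSH
]

if __name__ == "__main__":
    print("HTTPS from internet to web :", admit_inbound("203.0.113.7", "tcp", 443, WEB_NACL_IN, WEB_SG))
    print("FTP from internet to web   :", admit_inbound("203.0.113.7", "tcp", 21, WEB_NACL_IN, WEB_SG))
    print("SSH from internet to DB    :", admit_inbound("203.0.113.7", "tcp", 22, DB_NACL_IN, DB_SG))
    print("SSH from maintenance to DB :", admit_inbound("10.0.2.5", "tcp", 22, DB_NACL_IN, DB_SG))
    print("MySQL from maintenance     :", admit_inbound("10.0.2.5", "tcp", 3306, DB_NACL_IN, DB_SG))
    print("reply without outbound NACL:", reply_admitted([], "203.0.113.7", "tcp", 50000))
```

Two things the run makes visible: the NACL can express a deny (rule 90 blocks a range even though rule 110 would allow HTTPS from it), which a Security Group cannot, and forgetting the outbound ephemeral-port rule on a NACL silently breaks replies to traffic the inbound rules admitted.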

As shown in the diagram, AWS provides several types of load balancer to distribute traffic across workloads and to support scalability and failover management. Each has been built to address specific business and technical requirements.

It is not possible to discuss these load balancers in detail in this article, but you can find brief notes on them in the table below.




2. Brief Descriptions, Features & Usages of the Network Services

Each entry below gives the service name, a description, and sample usage.

Network Boundary

AWS Virtual Private Cloud (VPC)
  Description: Amazon VPC is a logically isolated network boundary in the AWS cloud in which to launch your AWS resources. A VPC gives you complete control over your virtual networking environment, including selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways.
  Sample Usage:
  1. You can create a public-facing subnet for your web servers that have access to the Internet, and place your databases or application servers in a private-facing subnet with no Internet access.
  2. Isolating different environments (e.g., development, testing, production) in separate VPCs.
Connectivity

AWS VPN
  Description: Enables secure communication between an on-premises network and Amazon VPCs using encrypted tunnels over the internet.
  Sample Usage: Connecting an on-premises data center to an Amazon VPC to access resources securely.

AWS Direct Connect
  Description: Provides a dedicated private network connection from on-premises to AWS for improved security and performance. Expensive compared to AWS VPN.
  Sample Usage: Establishing a private, high-speed connection from an on-premises data center to AWS services.

AWS Transit Gateway
  Description: Acts as a hub that simplifies connectivity among multiple VPCs and VPN connections using centralized routing. AWS Transit Gateway uses route tables to define how traffic should flow between your VPCs, on-premises networks and other resources.
  Sample Usage: Building a multi-VPC architecture with a central hub (Transit Gateway) for inter-VPC communication.

AWS PrivateLink
  Description: AWS PrivateLink lets consumers access services in AWS securely through private IPs in their own VPC, eliminating the need for the public internet, a VPN or complex firewall rules. You can create a PrivateLink service for any service in AWS, whether AWS services, your own services or SaaS solutions, so that users can access them securely as VPC endpoints in their own VPCs.
  Sample Usage:
  1. Accessing Amazon S3 or Amazon DynamoDB from an Amazon VPC without using public IPs or going over the internet.
  2. As a service owner, you can register your service as a PrivateLink service. Your customers can then access it as a VPC endpoint (a private IP in their VPC) once you have whitelisted their accounts and IAM roles.
Load Balancers

AWS Elastic Load Balancer (ELB)
  Description: Elastic Load Balancing (ELB) supports four types of load balancer: the Application Load Balancer (ALB), Network Load Balancer (NLB), Classic Load Balancer and Gateway Load Balancer. These load balancers support many features such as TLS termination, sticky sessions, data compression, path-based routing and so on. They are dynamic load balancers that regulate traffic based on the health and availability of the target instances, which may be distributed across a single Availability Zone or multiple Availability Zones.
  Sample Usage:
  1. If we need to load balance HTTP requests, we can use the Application Load Balancer (ALB), which operates at layer 7.
  2. For extreme-performance, low-latency applications, we can go for the layer-4 Network Load Balancer (NLB).
  3. If our application is built on the EC2-Classic network, we can use the Classic Load Balancer.
  4. If we need to deploy and run third-party virtual appliances, we can use the Gateway Load Balancer.

AWS Global Accelerator
  Description: AWS Global Accelerator is designed to improve the availability and performance of applications with a global user base. It does so by using Anycast IP addresses: Anycast IPs provide entry points with the same static IP addresses from different regions across the globe. As traffic enters the AWS network at the nearest edge location, latency is minimized and fault tolerance improves.
  Sample Usage: AWS ELB is used for load balancing traffic within a single region across multiple Availability Zones, whereas AWS Global Accelerator is used for optimizing the routing of traffic across multiple AWS regions.

AWS Route 53
  Description: Amazon Route 53 is a powerful DNS service that offers domain registration, DNS management, traffic routing and load balancing. Like Global Accelerator, Route 53 is capable of load balancing traffic across multiple global regions. One key difference between the two is that the former brings traffic into the AWS network at the closest AWS region using Anycast IPs, whereas the latter works by directing traffic to the optimal target server based on latency, geolocation, etc. Entry at the closest AWS region makes Global Accelerator more efficient, with reduced latency and minimal failovers.
  Sample Usage:
  1. Route 53 is capable of providing routing based on latency, geolocation, weight configurations, failover conditions and many more.
  2. Route 53 allows you to register new domain names or transfer existing ones. It supports managing domain renewals and ownership.

AWS CloudFront
  Description: Content Delivery Network (CDN) service for caching and delivering content globally.
  Sample Usage: Accelerating the delivery of web content, videos and APIs to end users with low-latency access.
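The Route 53 entry lists weighted and failover routing among its policies. The added example below (not code from the article or from Route 53) models how those two policies pick an answer once health-check results are applied: weighted routing answers in proportion to record weight among healthy records, treats all-zero weights as equal, and fails open when no record is healthy, while failover routing answers with the primary while it is healthy and with the secondary otherwise. The record names, addresses (from the TEST-NET documentation ranges) and weights are constructed, and the `roll` parameter stands in for the random draw Route 53 makes per query so that the selection is deterministic.

```python
"""Added example (not from the article): a small model of two Route 53
routing policies named in the table, weighted routing and failover routing,
with health-check results applied before a record is chosen. Records,
addresses and weights are constructed; the selection rules follow Route 53's
documented behaviour, but this is illustrative code, not Route 53's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    name: str             # record-set identifier, e.g. "blue"
    value: str            # answer returned to the resolver
    weight: int = 0       # weighted routing only
    healthy: bool = True  # outcome of the associated health check


def weighted_answer(records: List[Record], roll: float) -> Optional[str]:
    """Choose a record in proportion to its weight among healthy records.

    `roll` in [0, 1) replaces the per-query random draw so tests are stable.
    Unhealthy records are skipped; if none is healthy Route 53 answers as if
    all were healthy (fail open); if every weight is 0 all are treated as equal.
    """
    live = [r for r in records if r.healthy] or list(records)
    if not live:
        return None
    total = sum(r.weight for r in live)
    if total == 0:
        return live[min(int(roll * len(live)), len(live) - 1)].value
    threshold = roll * total
    cumulative = 0
    for r in live:
        cumulative += r.weight
        if threshold < cumulative:
            return r.value
    return live[-1].value


def failover_answer(primary: Record, secondary: Record) -> str:
    """PRIMARY while its health check passes, SECONDARY otherwise; when both
    fail, Route 53 falls back to answering with the primary."""
    if primary.healthy or not secondary.healthy:
        return primary.value
    return secondary.value


# --- constructed records ------------------------------------------------------
BLUE = Record("blue", "192.0.2.10", weight=90)
GREEN = Record("green", "192.0.2.20", weight=10)       # 10 % canary share
PRIMARY = Record("primary", "198.51.100.10")
SECONDARY = Record("secondary", "198.51.100.20")

if __name__ == "__main__":
    for roll in (0.1, 0.5, 0.95):
        print(f"weighted roll={roll}: {weighted_answer([BLUE, GREEN], roll)}")
    print("green unhealthy, roll=0.95:",
          weighted_answer([BLUE, Record("green", "192.0.2.20", 10, False)], 0.95))
    print("failover, primary healthy  :", failover_answer(PRIMARY, SECONDARY))
    print("failover, primary unhealthy:",
          failover_answer(Record("primary", "198.51.100.10", healthy=False), SECONDARY))
```

The operational lesson is that health checks, not the policy alone, decide what clients receive: without a health check attached, an unhealthy target keeps its share of answers, and with every record unhealthy Route 53 still answers rather than returning nothing.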
Service Discovery

AWS App Mesh
  Description: AWS App Mesh externalizes the networking and traffic-management complexity from the distributed application design. Developers can focus on writing business logic without having to implement custom load balancing, service discovery or routing logic within their application code.
  Sample Usage:
  1. Traffic Control and Routing: App Mesh allows you to define path-based routing rules. You may use weighted traffic for A/B testing or canary deployments.
  2. Metrics and Tracing: App Mesh captures distributed traces from your applications to provide insights into the performance and traceability of your microservices.

AWS Cloud Map
  Description: AWS Cloud Map is a cloud resource discovery service. It allows you to register any application resources, such as databases, queues, microservices and other cloud resources, with custom names. It automatically collects the locations of dynamically created resource instances, so that developers and operators can work with familiar names rather than dealing with complex IDs or IP addresses.
  Sample Usage:
  1. Microservices Naming: If you have microservices for user authentication, order processing and inventory management, you could name them auth-service, order-service and inventory-service.
  2. Environment-Specific Resources: We could have payment-gateway-dev, payment-gateway-staging and payment-gateway-prod as custom names for the payment gateway service in each environment.
  AWS Cloud Map integrates well with AWS App Mesh for managing microservices.
Expose Service

AWS API Gateway
  Description: Amazon API Gateway acts as a front door for your backend services, allowing you to expose functionality, data and services to external clients and developers in a controlled and scalable manner.
  Key features of AWS API Gateway include:
  - Creation and management of APIs,
  - Authorization and authentication,
  - Request and response transformation,
  - Traffic management,
  - Integration with AWS services,
  - Monitoring and analytics, etc.
  Sample Usage:
  1. API Gateway provides built-in mechanisms to secure your APIs using various authentication methods such as API keys, IAM roles or custom authorizers.
  2. You can modify the format and structure of incoming requests and outgoing responses using mapping templates.
  3. API Gateway offers control over traffic flow with features like caching, throttling and rate limiting.