This course aims to build a complete understanding of Amazon Web Services (AWS) networking from the ground up, where students learn the core networking concepts by doing the exercises themselves.
This course contains two sections. The first section, Understanding AWS Networking, explains from the very basics the AWS VPC, VPC components and private connectivity options in AWS. If you are already familiar with AWS networking components, you may want to skip this section and jump directly to the hands-on exercises section.
1. Understanding AWS Networking in depth
Physical on premises networking vs AWS VPC
Getting familiar with AWS VPC terminologies – VPC, Subnets, Route tables, Internet Gateway, Security Group, Network ACL
Understanding VPC CIDR
Understanding Subnets and Route Tables
Public Subnet vs Private Subnet
Understanding NAT (Network Address Translation) Concept
NAT Gateway and NAT instance
AWS Private Connectivity options
Understanding VPC Peering
VPC Endpoint and Privatelink for private connectivity to AWS Services
VPN connection
Direct Connect
2. AWS Networking Hands on exercises (Basics to Advanced)
Create VPC with single public subnet, launch EC2 instance and connect over internet
Create VPC with Public and Private subnets, connect to EC2 instance in Private subnet via EC2 instance in Public subnet
Create NAT Gateway and allow EC2 instances in Private subnet to access internet through NAT Gateway
Create and use NAT EC2 instance instead of NAT Gateway
Create VPC Peering between VPCs across AWS regions and connect to EC2 instance over private IP by using VPC peering connection
Create VPC endpoint gateway for S3 and access S3 contents from EC2 instance in Private subnet without requiring internet connection
Create and use VPC Private Link to expose your Web service privately to application hosted in another VPC
Implement AWS region level failover using AWS Route53
Hosting website on S3 using custom domain name from GoDaddy
Hosting HTTPS enabled website using S3 and CloudFront
Advanced Networking: Set up Site-To-Site VPN between AWS VPC and simulated on-premises network
Advanced Networking: Set up AWS and Google Site-to-Site VPN using Dynamic BGP Routing
Understanding AWS Networking
In this lecture, you will learn the basics of AWS VPC, the move from physical to virtual networking, VPC terminology, and how to calculate VPC and subnet addresses in CIDR notation.
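The CIDR arithmetic this lecture covers, as an added example that is not part of the course material: it checks a VPC CIDR against the AWS size limits, carves it into subnets, accounts for the five addresses AWS reserves in every subnet, and checks two VPC blocks for overlap (the condition that later breaks VPC peering). The VPC blocks used are constructed sample values; only the Python standard library is needed.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC router
# (+1), the Route 53 resolver (+2), one address kept for future use (+3) and the
# broadcast address (last). Instances can never be given any of them.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Parse a VPC CIDR and enforce the AWS size limits (/16 largest, /28 smallest)."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: a VPC CIDR block must be between /16 and /28")
    return net


def carve_subnets(vpc_cidr, new_prefix):
    """Split the VPC block into equal subnets of the requested prefix length."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= new_prefix <= 28:
        raise ValueError(f"subnet prefix /{new_prefix} must lie between /{vpc.prefixlen} and /28")
    return list(vpc.subnets(new_prefix=new_prefix))


def usable_hosts(subnet):
    """Addresses an instance can actually receive once AWS has taken its five."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def subnet_plan(vpc_cidr, new_prefix):
    """Return one row per subnet with the first and last assignable address."""
    rows = []
    for sn in carve_subnets(vpc_cidr, new_prefix):
        rows.append({
            "cidr": str(sn),
            "first_usable": str(sn.network_address + 4),   # skip network, router, DNS, reserved
            "last_usable": str(sn.broadcast_address - 1),  # broadcast is reserved too
            "usable": usable_hosts(sn),
        })
    return rows


def can_peer(cidr_a, cidr_b):
    """VPC peering requires the two VPC CIDR blocks not to overlap."""
    return not validate_vpc_cidr(cidr_a).overlaps(validate_vpc_cidr(cidr_b))


if __name__ == "__main__":
    for row in subnet_plan("10.0.0.0/16", 24)[:4]:   # constructed sample VPC
        print(row)
    print("peerable:", can_peer("10.0.0.0/16", "10.1.0.0/16"))
```

Run it directly to print the first four /24 subnets of a 10.0.0.0/16 VPC; the "usable" column is why a /24 in AWS gives you 251 instance addresses rather than the 254 you would expect on premises.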
In this lecture, you will understand how routing works within a VPC to allow communication between subnets, or between subnets and the internet: what public and private subnets are, and how to restrict the traffic that can reach your EC2 instances using Security Groups and Network ACLs.
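The difference between Security Groups and Network ACLs that this lecture describes, as an added example that is not part of the course material: a stateful, allow-only security group lets the reply to a permitted SSH session out without any outbound rule, while a stateless NACL drops the same reply unless the ephemeral port range is explicitly allowed outbound, and its numbered rules are applied lowest-number-first. The IP addresses, ports and rule numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"   # NACL rules may also "deny"; security group rules are allow-only

    def matches(self, pkt, direction):
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        return (self.proto == pkt.proto
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful and allow-only: replies to a permitted flow pass without a matching rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # connection-tracking table of permitted 5-tuples

    def evaluate(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._flows:
            return "allow"    # reply to a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        return "deny"         # no rule matched: implicit deny


class NetworkAcl:
    """Stateless: numbered rules, lowest number first, first match wins, implicit deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r[0])    # entries are (rule_number, Rule)
        self.outbound = sorted(outbound, key=lambda r: r[0])

    def evaluate(self, pkt, direction):
        for _, rule in (self.inbound if direction == "in" else self.outbound):
            if rule.matches(pkt, direction):
                return rule.action
        return "deny"         # the '*' rule at the end of every NACL


def demo():
    admin, instance = "203.0.113.10", "10.0.1.20"     # constructed addresses
    ssh_request = Packet(admin, 51000, instance, 22)
    ssh_reply = Packet(instance, 22, admin, 51000)
    web_probe = Packet("198.51.100.9", 44444, instance, 80)

    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")], outbound=[])
    ssh_in = (100, Rule("tcp", 22, 22, "203.0.113.0/24"))
    nacl_no_ephemeral = NetworkAcl(inbound=[ssh_in], outbound=[])
    nacl_fixed = NetworkAcl(inbound=[ssh_in],
                            outbound=[(100, Rule("tcp", 1024, 65535, "0.0.0.0/0"))])  # ephemeral ports
    nacl_blocked = NetworkAcl(inbound=[(90, Rule("tcp", 22, 22, "203.0.113.10/32", action="deny")), ssh_in],
                              outbound=[(100, Rule("tcp", 1024, 65535, "0.0.0.0/0"))])
    return {
        "sg_request": sg.evaluate(ssh_request, "in"),
        "sg_reply": sg.evaluate(ssh_reply, "out"),               # allowed by state, no outbound rule
        "sg_unsolicited_http": sg.evaluate(web_probe, "in"),
        "nacl_request": nacl_no_ephemeral.evaluate(ssh_request, "in"),
        "nacl_reply_without_ephemeral_rule": nacl_no_ephemeral.evaluate(ssh_reply, "out"),
        "nacl_reply_with_ephemeral_rule": nacl_fixed.evaluate(ssh_reply, "out"),
        "nacl_lower_number_deny_wins": nacl_blocked.evaluate(ssh_request, "in"),
    }
```

The "nacl_reply_without_ephemeral_rule" result is the classic mistake when a NACL is tightened: the inbound rule looks correct but sessions hang because the return traffic on ephemeral ports is dropped.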
In this lecture, you will understand the very important network component NAT: why NAT is used, its benefits, how Network Address Translation works, and how to use the AWS NAT Gateway to allow instances in private subnets to access the internet.
Then we will see how to configure an EC2 instance as a NAT, and everything it takes to launch and configure an EC2 instance to function as one.
In this lecture, you will understand the advanced networking features of AWS. To start with, we will see how to connect two VPCs over a private network using VPC peering, followed by VPC Endpoints. We will also see an overview of AWS to on-premises connectivity options in the form of VPN connections and Direct Connect. In the exercises section, you will find an exercise for setting up a VPN connection using an AWS Virtual Private Gateway.
That's all you need to know as an intermediate-level AWS solution architect, DevOps engineer or developer when it comes to networking in AWS.
Please move on to Section 2 and complete all the hands-on exercises. This should definitely give you the confidence to design and create a network architecture for any given requirements.
AWS VPC - Hands On Exercises
This is our first exercise and it's very simple. Make sure you follow each step carefully and remember what we did, so that the next exercises will be easy for you to set up quickly.
In this exercise, learn how to set up a VPC with a Public Subnet and connect to an EC2 instance launched in this Subnet.
Here, we are not using the default VPC. In a real-world scenario, when you need a web application to be accessible over the internet, you will typically create this kind of setup. Optionally, you may choose to assign an Elastic IP to the EC2 instance instead of a public IP, as an Elastic IP remains associated with the instance even after an instance restart, and you can detach it and re-attach it to another EC2 instance.
In this exercise, learn how to set up a VPC with Public and Private subnets. We then create an EC2 instance in each subnet and connect to the Private EC2 instance via the EC2 instance in the Public Subnet.
In real life, you would have web servers or public-facing instances in public subnets and application servers/database servers in a private subnet. You can build your network as explained in this video and achieve the desired network security and isolation.
In this exercise, learn how to use a NAT Gateway to allow EC2 instances in a Private subnet to access the internet.
In real life, you will have application servers/database servers in a private subnet but still need internet connectivity to download packages. For this, NAT can be used: it allows instances in the private subnet to access the internet, but these instances cannot be reached from the internet.
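The one-way property described above, as an added example that is not part of the course material: a small model of a source-NAT gateway with port translation. Two private hosts share one public IP, replies to their outbound connections are mapped back to the right private address and port, and an unsolicited connection attempt from the internet finds no translation entry and is dropped. All addresses are constructed sample values.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Source NAT with port translation: many private hosts share one public IP."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self._out = {}   # (private_ip, private_port, dst_ip, dst_port, proto) -> public_port
        self._in = {}    # (public_port, remote_ip, remote_port, proto) -> (private_ip, private_port)

    def outbound(self, pkt):
        """Private host -> internet: rewrite the source to the public IP and a mapped port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self._out:
            port = next(self._next_port)
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> NAT: only replies to a mapped flow are forwarded; everything else is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            return None   # no mapping: an unsolicited connection attempt from the internet
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


def demo():
    nat = NatGateway("203.0.113.7")           # constructed public IP of the NAT
    remote = "198.51.100.50"                  # constructed package mirror on the internet
    a = nat.outbound(Packet("10.0.2.10", 40000, remote, 443))
    b = nat.outbound(Packet("10.0.2.11", 40000, remote, 443))   # same source port, different host
    reply_a = nat.inbound(Packet(remote, 443, nat.public_ip, a.src_port))
    reply_b = nat.inbound(Packet(remote, 443, nat.public_ip, b.src_port))
    probe = nat.inbound(Packet("192.0.2.99", 55555, nat.public_ip, 22))  # unsolicited SSH attempt
    return {"a_public_port": a.src_port, "b_public_port": b.src_port,
            "reply_a_to": (reply_a.dst_ip, reply_a.dst_port),
            "reply_b_to": (reply_b.dst_ip, reply_b.dst_port),
            "probe_forwarded": probe is not None}


if __name__ == "__main__":
    print(demo())
```

The translation table is the whole security argument: the NAT Gateway can only forward inbound packets for which a private host already opened a flow, which is why it provides outbound internet access without creating an inbound path.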
In this exercise, learn how to use an EC2 instance as a NAT instead of a NAT Gateway.
Understand that the NAT Gateway is a managed AWS service which scales automatically and is highly available within its AZ. When we use an EC2 instance as a NAT, it's called a NAT Instance. In that case, availability and bandwidth scaling are limited, so a NAT Instance might not be a good choice for a production environment. Typically, people deploy a NAT Instance in Dev/QA environments and use a NAT Gateway in the production environment.
In this exercise, learn how to set up VPC peering between two VPCs across AWS Regions. VPC Peering is a very important feature of AWS networking by which you can create private connectivity between two VPCs. The EC2 instances in these VPCs can communicate with each other over private IP addresses.
With VPC Peering, you don't need a VPN connection, and there is no need to expose your applications over the internet if only other AWS customers need to access them securely.
This lecture covers VPC peering features, limitations and use cases. Though VPC Peering is an important offering from AWS, it has been designed so that it does not allow transitive access. Because of this, VPC peering is a safe networking construct which you can use to allow private communication between workloads hosted in the same or different AWS accounts, in the same or different AWS regions.
In this exercise, we will see how to use a VPC Endpoint gateway, which enables a private connection between a VPC and another AWS service (currently only S3 and DynamoDB). Once enabled, you do not need an IGW or NAT when EC2 needs to access S3 or DynamoDB in the same AWS region. The traffic between the VPC and the AWS service does not leave the Amazon network.
A VPC endpoint gateway scales automatically and provides consistent bandwidth for S3 or DynamoDB access. Using a VPC endpoint gateway instead of the internet to access S3 saves you considerable data transfer cost (and NAT charges), and the gateway scales automatically as more bandwidth is required.
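How the gateway endpoint actually takes effect, as an added example that is not part of the course material: a gateway endpoint is installed as a route whose destination is an AWS-managed prefix list and whose target is the endpoint, so the route table's longest-prefix match sends S3 traffic to the endpoint while everything else still follows the default route. The same model also shows the public-versus-private subnet distinction from the routing lecture: a subnet is public only when its table sends 0.0.0.0/0 to an Internet Gateway. The prefix list contents and the igw-/nat-/vpce- target ids are constructed placeholders, not real AWS values.

```python
import ipaddress

# Constructed stand-in for the AWS-managed prefix list of the S3 gateway endpoint
# (the real list is region-specific and published by AWS; these ranges are placeholders).
PREFIX_LISTS = {"pl-s3-example": ["198.51.100.0/24", "203.0.113.0/25"]}


class RouteTable:
    """A VPC route table: implicit 'local' route plus explicit routes, longest prefix wins."""

    def __init__(self, vpc_cidr, routes):
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local")]   # AWS adds this automatically
        for destination, target in routes:
            if destination.startswith("pl-"):            # prefix-list route (gateway endpoint)
                for cidr in PREFIX_LISTS[destination]:
                    self.routes.append((ipaddress.ip_network(cidr), target))
            else:
                self.routes.append((ipaddress.ip_network(destination), target))

    def lookup(self, dst_ip):
        """Return the target for a destination, or None when no route matches (packet dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # most specific route wins

    def is_public(self):
        """A subnet is public when its table sends 0.0.0.0/0 to an Internet Gateway."""
        return any(net.prefixlen == 0 and target.startswith("igw-") for net, target in self.routes)


def demo():
    vpc = "10.0.0.0/16"   # constructed VPC; targets are placeholder ids
    public = RouteTable(vpc, [("0.0.0.0/0", "igw-example")])
    private = RouteTable(vpc, [("0.0.0.0/0", "nat-example"), ("pl-s3-example", "vpce-example")])
    isolated = RouteTable(vpc, [("pl-s3-example", "vpce-example")])   # S3 only, no internet path
    return {
        "public_is_public": public.is_public(),
        "private_is_public": private.is_public(),
        "private_to_other_subnet": private.lookup("10.0.3.9"),
        "private_to_s3": private.lookup("198.51.100.20"),   # prefix-list /24 beats the /0 default
        "private_to_internet": private.lookup("192.0.2.1"),
        "isolated_to_internet": isolated.lookup("192.0.2.1"),
        "isolated_to_s3": isolated.lookup("203.0.113.5"),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name}: {target}")
```

The "isolated" table is the pattern the exercise builds: a subnet with no IGW or NAT route at all can still reach S3 because the only routes it has, besides local, point at the endpoint.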
In this exercise, you will learn how your applications hosted privately in AWS can be exposed securely to other AWS consumers.
By definition, AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.
In this exercise, we will host a web server service in a private subnet of one VPC and expose this service to a service consumer in another VPC.
AWS Route53 DNS Management and Website hosting - Hands on exercises
In this lecture, we will see how to host a static website on S3. However, AWS provides its own DNS names for website endpoints, hence we need to map our own domain name to the AWS-provided DNS name. This is done using the AWS Route53 service. For this exercise, I got my domain from GoDaddy and updated the GoDaddy DNS to delegate to the AWS Route53 name servers. Then I added a record set in AWS Route53 to point my custom domain to S3.
Note that AWS S3 does not provide a single IP address for websites hosted on S3, hence we have to use a Route53 Alias record set to point our domain name to the S3 DNS name.
In this lecture, we will see how to enable HTTPS for websites hosted on S3. In the last lecture we hosted a static website on S3; however, we can't make it HTTPS as S3 does not support uploading SSL certificates. For this we need CloudFront (CDN), which acts as a front end for our website. We can deploy an SSL certificate on CloudFront, and it also caches static content like pictures/media, giving users a better experience by serving the content from the nearest edge location.
For this exercise, you need to have your own domain name. You can buy one either from AWS or from any other domain registrar like GoDaddy or Namecheap. To learn how to redirect your DNS queries from the domain registrar to AWS Route53, please refer to the earlier lecture "Hosting website on S3 using custom domain name..".
In this exercise, we will see how to use Route53 to achieve AWS Region-level failover. As you already know, we can use an ELB with backend EC2 instances to achieve high availability within the same AWS region. However, it is often required to distribute your workloads across AWS regions, e.g. for failover, country-specific regulations, or providing lower latency to end users. In this case, we need to manage the traffic at the DNS level, and this is done using the different AWS Route53 routing policies.
In this exercise, we will be using the Failover routing policy, where we configure the Primary and Secondary sites in different AWS regions and then simulate a primary site failure, which results in DNS switching to the secondary site.
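The failover behaviour this exercise simulates in the console, as an added example that is not part of the course material: a model of a Route 53 health check whose status only changes after a configurable number of consecutive contradicting results (Route 53's failure threshold, default 3), a failover record set that answers with the secondary only while the primary is unhealthy, and a helper that estimates the worst-case time until clients see the secondary. The record names and regions are constructed, and the secondary record has no health check attached, so it is always treated as healthy.

```python
from dataclasses import dataclass


@dataclass
class HealthCheck:
    """Status changes only after `failure_threshold` consecutive results contradict it,
    which is how Route 53 avoids flapping on a single failed probe."""
    failure_threshold: int = 3     # Route 53 default
    healthy: bool = True
    streak: int = 0                # consecutive results that disagree with the current status

    def observe(self, passed):
        if passed == self.healthy:
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= self.failure_threshold:
                self.healthy = not self.healthy
                self.streak = 0
        return self.healthy


@dataclass
class FailoverRecordSet:
    """Active-passive failover: answer with the primary while it is healthy, else the secondary.
    The secondary here has no health check, so Route 53 treats it as always healthy."""
    name: str
    primary: str
    secondary: str
    primary_check: HealthCheck

    def resolve(self):
        return self.primary if self.primary_check.healthy else self.secondary


def simulate(check_results, threshold=3):
    """Feed a sequence of health-check results and return the DNS answer after each one."""
    rs = FailoverRecordSet("app.example.com", primary="primary-region",
                           secondary="secondary-region", primary_check=HealthCheck(threshold))
    answers = []
    for passed in check_results:
        rs.primary_check.observe(passed)
        answers.append(rs.resolve())
    return answers


def worst_case_failover_seconds(interval=30, threshold=3, ttl=60):
    """Time until a client sees the secondary: threshold failed checks at the given interval,
    then the client's cached answer must expire (the record TTL)."""
    return interval * threshold + ttl


if __name__ == "__main__":
    # constructed probe sequence: two isolated failures, then a real outage, then recovery
    print(simulate([True, False, False, True, False, False, False, True, True, True]))
    print("worst case:", worst_case_failover_seconds(), "seconds")
```

The isolated failures in the sample sequence never flip the answer, and recovery also needs three consecutive passes before traffic returns to the primary. The helper is the reason failover records are usually given a short TTL: with the default 30-second interval the health check alone accounts for 90 seconds, and a long TTL adds directly on top.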
Advanced: AWS VPN Connectivity - Hands on exercises
In this exercise, we will see how to set up a Site-To-Site IPsec VPN connection between an AWS VPC and a simulated data center. As we don't have our own physical datacenter router on the other end, we will use an EC2 instance with the OpenSWAN VPN software installed as the VPN endpoint.
After completing this exercise, you will know how VPN works in the real world. As a next step, you may also want to set up VPN connectivity between AWS and Google Cloud, or AWS and Azure.
In this lecture, we are going to see how to set up a site-to-site VPN using BGP routing. BGP stands for Border Gateway Protocol and is widely used for dynamic routing between different Autonomous Systems (AS). BGP stabilizes the network by identifying optimal network paths using a path vector protocol together with policy-based and rule-based routing. If the routing is done within an AS it is called internal BGP (iBGP); when it is between different ASes it is called external BGP (eBGP).
In this lecture, we will set up eBGP between the AWS and Google networks. This kind of hybrid network is common in large enterprises where there are multiple ISP networks.
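The path vector behaviour the BGP lecture describes, as an added example that is not part of the course material: a minimal BGP speaker that rejects any advertisement whose AS_PATH already contains its own ASN (the loop prevention that makes eBGP safe to run between clouds), picks the best path by highest LOCAL_PREF and then shortest AS_PATH, and prepends its own ASN when re-advertising. This is a simplified form of the real BGP decision process; the ASNs and link-local next hops are constructed and do not correspond to AWS's or Google's actual values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: tuple        # path vector: ASNs the advertisement has traversed, nearest first
    next_hop: str
    local_pref: int = 100 # policy knob: higher is preferred, set locally when the route is received


class BgpSpeaker:
    def __init__(self, asn):
        self.asn = asn
        self.rib = {}     # prefix -> list of accepted candidate routes

    def receive(self, route):
        """Accept an advertisement unless our own ASN is already in its AS_PATH (a loop)."""
        if self.asn in route.as_path:
            return False
        self.rib.setdefault(route.prefix, []).append(route)
        return True

    def best_path(self, prefix):
        """Simplified BGP decision process: highest LOCAL_PREF, then shortest AS_PATH."""
        candidates = self.rib.get(prefix, [])
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))

    def advertise(self, prefix):
        """What we would announce to an eBGP neighbour: the best path with our ASN prepended."""
        best = self.best_path(prefix)
        if best is None:
            return None
        return BgpRoute(prefix, (self.asn,) + best.as_path, next_hop="self", local_pref=best.local_pref)


def demo():
    aws_side = BgpSpeaker(asn=65001)   # constructed ASN for our end of the tunnel
    remote = "192.168.0.0/16"          # constructed prefix advertised by the far side
    advertisements = [
        BgpRoute(remote, (65002,), "169.254.10.1"),               # directly from the far side
        BgpRoute(remote, (65003, 65002), "169.254.20.1"),         # longer path through a third AS
        BgpRoute(remote, (65004, 65001, 65002), "169.254.30.1"),  # contains our own ASN: loop
    ]
    accepted = [aws_side.receive(adv) for adv in advertisements]
    shortest = aws_side.best_path(remote).next_hop
    # Policy overrides path length: a longer path with higher LOCAL_PREF wins.
    aws_side.receive(BgpRoute(remote, (65005, 65003, 65002), "169.254.40.1", local_pref=200))
    preferred = aws_side.best_path(remote).next_hop
    return {"accepted": accepted, "shortest": shortest, "preferred_by_policy": preferred,
            "readvertised_path": aws_side.advertise(remote).as_path}


if __name__ == "__main__":
    print(demo())
```

The loop check is the defensive core of the protocol: a route that has already passed through your AS is never installed, so a misconfigured neighbour cannot pull your own prefixes back through the tunnel.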