AWS Networking (Part 2) — AWS Solutions Architect Associate Complete Course
Chapter 21: Networking in AWS Part 2
Last week, I published the first part of the chapter on Networking in Amazon Web Services. As this is an important topic that the AWS Solutions Architect Associate exam asks about a lot, I have divided it into two parts. This second part covers more services than the previous chapter, but they are less complex. Let’s get on with it!

- VPC peering
- VPC endpoints
- Flow logs
- AWS Managed VPN
- Direct Connect & Direct Connect Gateway
- AWS Private Link
- VPN Cloudhub
- Transit Gateway
- Other network services
Remember that all the chapters from the course can be found in the following link:
VPC PEERING
VPC peering lets you connect two VPCs privately, using their private IP addresses, so that they behave like a single network. Instances in either VPC can communicate as if they were in the same network. It even works between VPCs in different regions.
The only requirement is that the CIDR blocks of the two VPCs (and therefore of their subnets) must not overlap. You also need to update the route table of each VPC with a route that sends the other VPC’s CIDR to the peering connection; only then can the instances communicate with each other.

VPC peering is not transitive. What does this mean? If two VPCs, say VPC B and VPC C, are each peered with VPC A, as shown in the following diagram, B and C cannot talk to each other through A. You would need a separate peering connection between B and C to allow it.
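The two rules above (no overlapping CIDRs, and reachability only over a direct peering plus a matching route) can be modelled offline. This is an added example, not code from the original post or from AWS; the VPC names, CIDR blocks and `pcx-` identifiers are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed example: three VPCs. Only A<->B and A<->C are peered; B<->C is not.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
}
PEERINGS = {("vpc-a", "vpc-b"): "pcx-ab", ("vpc-a", "vpc-c"): "pcx-ac"}


def overlapping_pairs(vpcs):
    """Return VPC pairs whose CIDR blocks overlap; such pairs cannot be peered."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def peering_routes(vpcs, peerings):
    """Route table entries each VPC needs: remote CIDR -> peering connection id.
    Both sides of a peering need a route, or traffic only flows one way."""
    routes = {name: {} for name in vpcs}
    for (a, b), pcx in peerings.items():
        routes[a][vpcs[b]] = pcx
        routes[b][vpcs[a]] = pcx
    return routes


def can_reach(src_vpc, dst_ip, vpcs, peerings):
    """Look up dst_ip in src_vpc's route table. A pcx target only carries traffic
    between its own two VPCs, so there is never a path via an intermediate VPC."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(vpcs[src_vpc]):
        return True  # the VPC's own "local" route
    for cidr in peering_routes(vpcs, peerings)[src_vpc]:
        if ip in ipaddress.ip_network(cidr):
            return True
    return False
```

Running it, vpc-b reaches 10.0.0.7 (in vpc-a) but not 10.2.0.5 (in vpc-c), even though both are peered with vpc-a.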

VPC ENDPOINTS
What if we want to connect an AWS service (for example, Amazon S3) to the instances in your private network? As we saw in the last chapter, you can do it, but the traffic would go over the internet. What if we don’t want this traffic to be public? That’s why we use VPC endpoints. A VPC endpoint enables connections between a VPC and supported services without exposing the traffic to the public internet.
There are two types of VPC endpoints:
- Interface endpoints → They provide an Elastic Network Interface (ENI) in your subnet as the entry point.
- Gateway endpoints → They provide a gateway that you specify as a target in your route table. These endpoints are only used with Amazon S3 and DynamoDB!

FLOW LOGS
VPC Flow Logs is a feature that lets you capture information about the IP traffic going to and from network interfaces in your VPC. We can publish the logs to Amazon CloudWatch Logs or to Amazon S3 and analyze them there (for example, querying the S3 logs with Amazon Athena).

The most typical fields that we can capture are:
- “srcaddr” → The source IP address for incoming traffic.
- “srcport” → The source port of the traffic.
- “action” → The action associated with the traffic: ACCEPT or REJECT, depending on the security groups and the network ACLs.
AWS MANAGED VPN
You can create an IPsec VPN connection between your remote networks and Amazon VPC over the internet. A VPN creates a private network connection between devices through the internet. VPNs are used to safely and anonymously transmit data over public networks, and can be configured to encrypt data over the shared connection.
To create this connection, we would need the following services:
- Site-to-Site VPN Connection → A secure connection between your on-premises equipment and your VPCs.
- Virtual Private Gateway → The gateway on the Amazon side of the Site-to-Site VPN connection. It is attached to the VPC to allow this Site-to-Site connection.
- Customer Gateway → A physical or software appliance that you own or manage in your on-premises network, forming your side of the Site-to-Site connection.

DIRECT CONNECT
AWS Direct Connect is a cloud service that links your on-premises network directly to your AWS VPC over a private connection, bypassing the internet to deliver more consistent, lower-latency performance. It is important to know that this connection is private but not encrypted.
As we can see in the following diagram, we connect the client’s on-premises network to an AWS Direct Connect location, where a Direct Connect endpoint is used to establish the connection with AWS.

There is just one problem: what if we want to connect our on-premises network to many different AWS VPCs? In that case, we can use a Direct Connect Gateway, which can also connect to VPCs in different regions.
- Connect to many VPCs in one region → You connect the Direct Connect Gateway to a Transit Gateway (we will study this service below).

- Connect to different regions → You connect the Direct Connect Gateway to the Virtual Private Gateways of the VPCs, as shown in the following diagram.

AWS PRIVATELINK
AWS PrivateLink lets you expose a service privately to the VPCs or on-premises networks you choose. The service is exposed through a Network Load Balancer, and the consumer only needs an interface endpoint (an ENI) in its own VPC to connect to it.

If the exam asks you to privately connect a service to hundreds of VPCs, or mentions using Network Load Balancers to do it, this is the answer.
AWS VPN CLOUDHUB
AWS VPN CloudHub lets us establish secure communications between multiple on-premises networks. That is its main purpose, but you can also include your AWS VPCs. The following diagram shows the New York and Los Angeles customer offices connected through AWS VPN CloudHub.

AWS TRANSIT GATEWAY
It connects VPCs and on-premises networks through a central hub, acting as a cloud router. Imagine you want to connect your on-premises network to ten different VPCs. You can attach these ten VPCs to an AWS Transit Gateway and establish a single connection to it, because, unlike VPC peering, it is transitive. You can even attach VPCs from different regions.

OTHER NETWORK SERVICES
- Bastion Hosts → A server that provides access to a private network from the internet. You reach your instances in the private subnets over SSH through the bastion.
- Egress-only Internet Gateway → Allows outbound-only communication over IPv6 from instances in your VPC to the internet; connections initiated from the internet are not allowed in.
Thanks for Reading!