Coming from a traditional networking background of branch, campus and data center networks, I always had an inclination towards cloud networking and how it is done in web-native companies like Amazon and Facebook. Due to the rapid adoption of cloud computing solutions from the likes of AWS, Azure and Google Cloud, cloud networking has become foundational in enabling connectivity, not only from users to the cloud but also within the cloud itself. In this blog I focus specifically on networking within the cloud solution offered by Amazon Web Services (AWS).
It's important to understand the AWS infrastructure first before getting into networking. All AWS resources and services are grouped under a hierarchical model that includes regions, availability zones, data centers and points of presence. This can be roughly compared to country, state, county and city, and this kind of organization is necessary to effectively manage and deliver services to digital users. Just like Russian nesting dolls, a region includes multiple availability zones, an availability zone includes multiple data centers connected over high-speed links, and a data center includes multiple points of presence.
The above infrastructure model allows AWS customers to create their own cloud, called a VPC (Virtual Private Cloud). A VPC is a logical entity containing two or more availability zones (AZs) and is the foundational networking service block within the AWS infrastructure. Once you have a bare-bones VPC created, you can add further networking elements to control the traffic flow within and outside of the VPC.
Imagine that you want to host a few EC2 compute applications within a VPC that should be accessible from the public Internet. The question then is which networking elements you need to add to securely host these applications within the VPC. For simplicity, I am assuming that you are hosting these applications within a single region.
Above is a rough depiction of the basic networking elements, their placement and interconnectivity. So let's take a look at the various VPC components according to their function and use.
Create subnets: Subnets are the basic building blocks of networking, and so creating them is the first step after creating a VPC. Here we allocate a CIDR (Classless Inter-Domain Routing) block to the VPC and split it across the availability zones and application tiers.
Control routing: Once the subnets are created, we want to control routing in and out of each subnet. Each subnet within an AZ is associated with a route table, which can be updated with the required routes.
Control traffic flows: Traffic flows can be controlled at the host (EC2) level or at the subnet level. This is achieved with security groups (SGs) at the host level and network access control lists (NACLs) at the subnet level.
Connect to the Internet: For Internet connectivity in and out of the VPC, we can use an internet gateway (IGW) as the edge firewall performing the NAT function, and a NAT gateway inside the public subnet so that internal hosts can connect out to the Internet.
Connect to another VPC: A VPC peering object can be created to peer one VPC with another. If you have the application tier in one VPC and the database tier in another VPC, the VPC peering element provides connectivity between them.
Connect to public AWS services: On occasion you will need your VPC hosts to connect to public AWS services such as S3 buckets. Instead of this traffic going out to the Internet and coming back in to S3, AWS offers VPC endpoints, which avoid this roundabout path for traffic from VPC hosts to S3 buckets.
AWS has greatly simplified data center networking through abstraction, enabling network engineers to build complex cloud networks through a GUI-driven approach. The details covered in this blog are the basic elements of networking within the AWS cloud.