AWS Network Basic Knowledge

AWS Network Basic Knowledge:

AWS Basic Network

Note to learn aws network.

AWS

• Region (Barginia, Oregon, Tokyo...)
• Availability Zone (Phisically separated, )
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

IP Address

• 
  IP Address
  
  
  
  
  • 8 bit * 4 = 32 bit 0.0.0.0 ~ 255.255.255.255
  • 00000000.00000000.00000000.0000000 ~ 11111111.11111111.11111111.11111111
• 
  Network part
  
  
  
  
  • 192.168.1.0 ~ 192.168.1.255 -> Network part: 192.168.1 (24bit), Host part 0, 255(8bit)
  • 192.168.0.0 ~ 192.168.255.255 -> Network part: 192.168(16bit), Host part 0.0, 255.255(16bit)
• 
  PrivateIP Addresses which is not used in internet
  
  
  
  
  • 10.0.0.0 ~ 10.255.255.255
  • 172.16.0.0 ~ 172.31.255.255
  • 192.168.0.0 ~ 192.168.255.255
• 
  CIDR notation (show network part by bit which is called prefix)
  
  
  
  
  • 192.168.0.0 ~ 192.168.255.255 -> 192.168.0.0/16 [prefix:16bit]
  • 192.168.10.0 ~ 192.168.10.255 -> 192.168.10.0/32 [prefix:32bit]
• 
  Subnet mask notation (show network part by 1)
  
  
  
  
  • 192.168.0.0 ~ 192.168.255.255 -> (11111111.11111111.00000000.00000000) -> 192.168.0.0/255.255.0.0
  • 192.168.10.0 ~ 192.168.10.255 -> 192.168.10.0/255.255.255.0
• 
  Conclusion
  
  
  
  
  • These three expressions mean the same IP address range.
    
    
    • 192.168.0.0 ~ 192.168.255.255
    • 192.168.0.0/16
    • 192.168.0.0/255.255.0.0
• 
  AWS Specification
  
  
  
  
  • When create VPC, more than 16 must be configured as prefix.
    
    
    • ex) 10.0.0.0/16 -> 10.0.0.0 ~ 10.0.255.255

Practice

• 
  Create VPC
  
  
  
  
  • IPv4 CIDR block
  • CIDR block: 10.0.1.0/24
  • https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/getting-started-ipv4.html
• 
  Divide VPC into Subnet
  
  
  
  
  • pre-test-public : 10.0.1.0/24
  • The reason to divide: want to attach another subnet corresponding to the physical area, want to configure other security policy
• 
  Connect pre-test-public to internet
  
  
  
  
  • Create an internet gateway
  • Attach VPC to the gateway
  • https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/VPC_Internet_Gateway.html
• 
  Configure Route table
  
  
  
  
  • Route table: Configure the route to where depending on IP address.
  • Target: Who
  • Desitnation: to where
  • Enable to configure route table in each subnet
  • Default Desitination: 10.0.0.0/16, Target: local -> Send local network to CIDR 10.0.0.0/16 -> Cannot go out internet
  • In order to connect internet, need to send packet except for destination 10.0.0.0/16 to internet gateway
    
    
    • Create New Route Table
    • Add configuration in route table Destination: 0.0.0.0/0, Target: Internet Gateway
    • Connect route table to public subnet
  • https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/VPC_Route_Tables.html
• 
  Create EC2 instance in public subnet
  
  
  
  
  • Network : Choose VPC
  • Subnet : Choose Subnet to put
  • Auto-assign Public IP: Enable
  • Network Interfaces, Primary IP: 10.0.1.10 (Public Subnet CIDR 10.0.1.0/24)
    
    
    • Cannot use top and bottom of CIDR block for instance private IP, since 10.0.1.0 means the whole subnet network, 10.0.1.255 means broadcast address( but aws does not support)
  • Skip Storage and tags and security group.
• 
  Security Group
  
  
  
  
  • Security: Packet filtering = Firewall
  • Inboud: Who can come in
  • Outbound: Who can go out
  • https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/VPC_SecurityGroups.html
• 
  DNS
  
  
  
  
  • No pulic DNS on the instance
  • Edit DNS Hostnames on VPC
  • public DNS is attached into instances which have public ip
  • https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/vpc-dns.html
• 
  Private Subnet
  
  
  
  
  • Never connect from internet like Database
  • Enable to make subnet in other availability zone, but low latency
  • Create Subnet : Smae AZ with public subnet, CIDR block is 10.0.2.0/24
  • Unnecessary to configure route table (default is OK, since no need to connect internet)
  • Create EC2 instance as Database in private subnet
    
    
    • Network : Choose VPC
    • Subnet : Choose private Subnet to put
    • Auto-assign Public IP: Disable
    • Network Interfaces, Primary IP: 10.0.2.10 (Private Subnet CIDR 10.0.2.0/24)
    • SecurityGroup: Create a new secrutiy group.
    • Add MYSQL with 0.0.0.0/0
    • Add ALL ICMP with 0.0.0.0/0 for ping connection
    • If private IP of public subnet CIDR(10.0.1.0/24), secrutiy becomes more stronger
    • This instance does not have public IP and public DNS
• 
  NAT
  
  
  
  
  • Network Address Tanslation
  • Databse server cannot connect internet now. How can we install databse server? -> NAT
  • With NAT, enable to connect to internet from private subnet, but disable to connect to private subnet from internet
  • 2 way to create NAT in AWS, one is NAT instance (Community AMIs), the other is NAT Gateway
  • Create NAT
    
    
    • VPC menu -> Create a NAT gateway
    • Choose public subnet
    • Allocate Elastic IP
    • Update Route Table
    • Open Route table for private subnet and add rule Destination: 0.0.0.0/0, Target: NAT Gateway
  • https://docs.aws.amazon.com/ja_jp/vpc/latest/userguide/vpc-nat.html

Trouble Shoot

• ping
  
  
  • ICMP(Internet Control Message Protocal)
  • If server does not open ICMP, ping cannot reach
• traceroute
  
  
  • ICMP
  • Check routing table function
• telnet
  
  
  • Check the port can be reached
  • telnet [target] [port]
• nslookup, dig
  
  
  • Request to solve domain

tools

• CloudWatch
  
  
  • AWS Managed Service