Concepts
AWS utilizes Virtual Private Cloud (VPC) which allows you to provision a logically isolated section of the AWS Cloud. Inside a VPC, subnets are subdivisions that can increase the network’s organization and security.
Typically, network architectures include:
- Public Subnets: These have a route to the internet via an Internet Gateway (IGW). Use public subnets for resources that must be directly reachable from the internet, like a public-facing web server or load balancer.
- Private Subnets: These lack direct routes to the internet. Instead, they can access the internet using a NAT Gateway or Instance. Place backend systems like databases or application servers here.
- Protected Subnets: Sometimes, you might have resources that should not have outgoing internet access at all, even via a NAT device. In these cases, there is no route defined for Internet-bound traffic.
Routing
Each subnet in a VPC is associated with a route table that specifies the allowed routes for outbound traffic. AWS enables you to design highly adaptable routing mechanisms including:
- Route Tables: Contain a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.
- Internet Gateway (IGW): Routes traffic between your VPC and the internet.
- NAT Gateways/Instances: Allow private subnets to send outbound internet traffic without receiving inbound traffic.
- VPC Peering Connections: Provide a route between two VPCs, acting like an extended network.
- Virtual Private Gateway (VGW) & Direct Connect: Connect your AWS VPC to on-premises networks.
For example, the routing table for a public subnet might look like this:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-abc123 |
IP Addressing
AWS gives each VPC a CIDR block which is a range of IP addresses. You then carve this CIDR block into subnets.
- Choose CIDR blocks carefully: You must allocate non-overlapping CIDR blocks for your VPCs and subnets.
- Elastic IP Addresses (EIPs): These are static IPv4 addresses designed for dynamic cloud computing.
- Automate Assignment: Use DHCP options sets in your VPC to automatically assign IP addresses and other network settings to your EC2 instances.
For instance, if you have a VPC with a CIDR block of 10.0.0.0/16, you could create a public subnet with the CIDR block of 10.0.1.0/24, which provides up to 251 usable IP addresses.
Security Considerations
In any network design, especially cloud environments, security is paramount.
- Security Groups and Network ACLs: Control inbound and outbound traffic to resources.
- Private Subnets and NAT Gateways: Reduce exposure and enable minimal access from the public internet.
- Flow Logs: Capture information about IP traffic going to and from network interfaces.
Examples in an AWS Scenario
Here’s how these principles might be applied in designing an AWS network for a web application:
- Create a VPC with CIDR block 10.0.0.0/16.
- Create a public subnet 10.0.1.0/24 for the web servers and an Internet Gateway.
- Create a private subnet 10.0.2.0/24 for database servers.
- Use a NAT Gateway in the public subnet to route outbound traffic from the private subnet.
- Set up a route table for the public subnet that directs internet-bound traffic to the IGW.
- Configure a route table for the private subnet to route internet-bound traffic to the NAT Gateway.
By implementing these network strategies, Solutions Architects ensure they’re crafting AWS infrastructures that are not only robust and scalable but also follow best practices for security, cost, and performance. Remember, the AWS Certified Solutions Architect – Associate exam will expect you to understand these concepts and be able to apply them pragmatically to various use cases.
Answer the Questions in Comment Section
True or False: When designing a network architecture in AWS, it is best practice to create a single, large subnet to simplify the design.
- False
It is not a best practice to create a single large subnet because this can result in inefficient IP space usage and can compromise network security and management. Subnetting allows for better organization, security, and controlled access to network resources.
Which AWS service allows you to define networking and routing policies in a virtual network?
- A) Amazon S3
- B) Amazon EC2
- C) Amazon VPC
- D) AWS Direct Connect
C
Amazon VPC (Virtual Private Cloud) allows you to define a virtual network within your AWS environment where you can control your IP address range, create subnets, configure route tables, and network gateways.
True or False: Public subnets can be used to host databases that need to be accessible only from within the network.
- False
Public subnets are designed for resources that need to be accessed from the internet. Databases that need to be accessible only from within the network should be placed in private subnets.
Which AWS service is primarily used to establish a dedicated network connection from an on-premises network to AWS?
- A) AWS Direct Connect
- B) Amazon VPC Peering
- C) AWS VPN
- D) Amazon Route 53
A
AWS Direct Connect provides a dedicated network connection from an on-premises network to AWS, which can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience.
True or False: Security groups in AWS are stateful, while network access control lists (ACLs) are stateless.
- True
Security groups are stateful, meaning they automatically allow return traffic for initiated connections, while network ACLs are stateless and require rules to allow return traffic.
How many internet gateways can you attach to an Amazon VPC?
- A) One per Availability Zone
- B) One per VPC
- C) One per subnet
- D) Unlimited
B
You can attach only one internet gateway to an Amazon VPC, which enables resources within your VPC to access the internet.
True or False: In AWS, when configuring a VPC, the subnet IP address ranges can overlap with other VPCs as long as they are in different regions.
- False
Subnet IP address ranges must be unique and cannot overlap with the IP address ranges of other VPCs, even if they are in different regions, to ensure that the routing is not ambiguous.
Which statement is true regarding VPC peering?
- A) It allows routing of traffic between VPCs using private IP addresses.
- B) It can be established between VPCs in different AWS accounts.
- C) Transitive peering is not supported natively.
- D) All the above.
D
VPC peering allows private routing between VPCs, can be established between VPCs in different accounts, and does not support transitive peering natively, meaning you cannot route packets from a VPC to another VPC through a third VPC.
When creating subnets within a VPC, what is the minimum number of IP addresses in each subnet reserved by AWS for internal use?
- A) 1
- B) 2
- C) 5
- D) None
C
AWS reserves five IP addresses in each subnet for internal use. Therefore, the smallest subnet you can create is a /29 CIDR block which provides 8 IP addresses, 5 of which are reserved.
True or False: Amazon Route 53 can only route traffic based on the geographical location of the user.
- False
Amazon Route 53 is a highly available and scalable DNS web service that offers various routing policies, including geolocation routing, latency-based routing, failover routing, and others, not just based on the geographical location of the user.
To ensure high availability for applications hosted in AWS, which of the following practices should you follow?
- A) Place all instances in the same Availability Zone.
- B) Use multiple Availability Zones and replicate instances across them.
- C) Use a single instance to avoid complex setups.
- D) Host all instances in a single region.
B
Using multiple Availability Zones and replicating instances across them ensures high availability and fault tolerance for applications, as it protects against failures of individual data centers.
True or False: IPv6 addresses are automatically assigned to each EC2 instance within a subnet that is associated with an IPv6 CIDR block.
- True
When a subnet is associated with an IPv6 CIDR block, IPv6 addresses are automatically assigned to EC2 instances launched in that subnet. IPv6 addressing provides a larger address space to support more devices and efficient routing.
This blog post on designing network architecture for AWS Certified Solutions Architect – Associate is really helpful. Thanks!
I appreciate the detailed explanation of subnet tiers and IP addressing. It cleared up a lot of confusion I had.
Could anyone explain what factors to consider when creating subnet tiers for a highly available system?
Does anyone have a strategy for IP addressing in a large-scale AWS environment?
The section on routing tables was a bit confusing for me. Can someone clarify?
Great blog post! Loved the practical examples.
The blog is good, but it could use more visual aids like diagrams or charts.
Do we need to design network architecture differently for different AWS regions?