AWS networking concepts (for example, Amazon VPC, AWS Direct Connect, AWS VPN, transitive routing, AWS container services)

What is Amazon VPC and why is it considered a fundamental component of AWS networking?

Amazon VPC (Virtual Private Cloud) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. It’s fundamental because it provides the networking layer of Amazon EC2, allowing you to control network configurations, IP address ranges, subnetting, route tables, network gateways, and security settings.

Can you explain the differences between AWS Direct Connect and AWS VPN?

AWS Direct Connect is a network service that provides an alternative to using the internet to utilize AWS services by establishing a dedicated network connection from your premises to AWS. On the other hand, AWS VPN provides secure and private communication tunnels from your network to AWS over the internet. Direct Connect is usually preferred for stable and consistent network performance, while VPN is used for quick, cost-effective, encrypted connections.

How does transitive routing work within a VPC, and how should one set it up?

Transitive routing allows network traffic to pass between different VPCs or VPN connections via a central hub. In AWS, transitive routing is not natively supported for VPC peering, so to achieve it, you must use a Transit Gateway or implement a network appliance in a VPC that acts as a router.

Can you describe the function and benefits of AWS Transit Gateway?

AWS Transit Gateway acts as a network hub that simplifies the connectivity between VPCs, AWS VPNs, and on-premises networks. The main benefits include central management, reduced complexity, and the ability to scale connectivity across thousands of VPCs and networks without managing individual peering connections.

What is the purpose of Network Access Control Lists (NACLs) in an Amazon VPC?

Network Access Control Lists (NACLs) are stateless, layer 4 packet filters that provide a rule-based approach to control inbound and outbound traffic at the subnet level within an Amazon VPC. They serve as an additional layer of security to the security groups, which are stateful and operate at the instance level.

In AWS, what is the difference between a NAT Gateway and a NAT Instance?

A NAT Gateway is a managed service provided by AWS that allows instances in a private VPC subnet to connect to services outside the VPC (e.g., the internet) but prevents external services from initiating connections with those instances. A NAT Instance is an EC2 instance configured to perform Network Address Translation. NAT Gateways are more scalable, highly available, and managed by AWS, while NAT Instances are more customizable but require manual management and scaling.

Explain how Elastic Load Balancing (ELB) works in the context of an AWS VPC.

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as EC2 instances, containers, and IP addresses, within an AWS VPC. It improves the fault tolerance of your applications by ensuring that the end-users’ requests are routed to healthy instances, supporting different load balancing mechanisms (e.g., round robin, least outstanding requests).

When would you recommend the use of AWS PrivateLink in a VPC?

AWS PrivateLink should be recommended when private connectivity is required between VPCs, AWS services, and on-premises applications. It securely connects services across a VPC endpoint without needing to use public IPs or traverse the public internet, thus enhancing security and possibly reducing bandwidth costs.

What are the best practices for designing a VPC for high availability and fault tolerance?

Best practices include using multiple Availability Zones by spreading resources across them, creating public and private subnets, and ensuring critical components (such as NAT Gateways, EC2 instances, RDS instances) are replicated across these zones. Additionally, the design should incorporate Elastic IP addresses, failover configurations, and perhaps Multi-AZ deployment for RDS and other services.

How does AWS Fargate enhance the networking of container-based applications?

AWS Fargate is a serverless compute engine for containers that works with Amazon ECS and EKS. For networking, Fargate removes the need to manage the underlying EC2 instances, allowing you to focus on designing and managing your applications. It integrates with Amazon VPC, enabling you to run containers in a secure, isolated environment, with support for VPC features like security groups, NACLs, and route tables.

Can you explain briefly what AWS Outposts is and how it fits into AWS’s networking portfolio?

AWS Outposts is a fully managed service that brings AWS infrastructure and operating models on-premises, allowing a truly consistent hybrid experience. It extends AWS networking capabilities to your own datacenter, co-location space, or on-premises facility to support applications with low-latency or local data processing requirements while still having seamless access to the full range of AWS services in the cloud.

Describe how AWS Cloud Map can assist with service discovery in a large, microservices-driven architecture.

AWS Cloud Map is a cloud resource discovery service that allows developers to define custom names for application resources such as databases, queues, microservices, or other cloud services. It simplifies the management of resource locations, routes, and names, making it straightforward for services within a microservices architecture to discover and communicate with each other reliably, even as resources change and scale.