
Networking Refresher


IPv4


IPv4 address space: 0.0.0.0 - 255.255.255.255

  • Class A 0.0.0.0 - 127.255.255.255
  • Class B 128.0.0.0 - 191.255.255.255
  • Class C 192.0.0.0 - 223.255.255.255

RFC 1918 defines the private address ranges:

  • 10.0.0.0 - 10.255.255.255 (A Single Class A)
  • 172.16.0.0 - 172.31.255.255 (16 Class B)
  • 192.168.0.0 - 192.168.255.255 (256 Class C)

NAT introduced CIDR networks

The bigger the prefix, the smaller the network.

  • 10.0.0.0/16 = 10.0.0.0 - 10.0.255.255 (65,536 addresses)

Split this into two networks:

  • 10.0.0.0/17 = 10.0.0.0 - 10.0.127.255 (32,768 addresses)
  • 10.0.128.0/17 = 10.0.128.0 - 10.0.255.255 (32,768 addresses)

Split each of those into two more networks:

  • 10.0.0.0/18 = 10.0.0.0 - 10.0.63.255
  • 10.0.64.0/18 = 10.0.64.0 - 10.0.127.255
  • 10.0.128.0/18 = 10.0.128.0 - 10.0.191.255
  • 10.0.192.0/18 = 10.0.192.0 - 10.0.255.255

Sizing


The bigger the prefix, the smaller the network; the smaller the prefix, the bigger the network.

  • 0.0.0.0/0 is the biggest network of them all because it contains all of the IP addresses.
  • 10.0.12.45/32 = one IP address; the /32 makes it the one IP.

The big 3:

  • 10.0.0.0/8 = 10.anything - 16 million IP addresses
  • 10.0.0.0/16 = 10.0.anything
  • 10.0.0.0/24 = 10.0.0.anything

Concepts:


  • Packets - Source IP, Destination IP, Data (the data carries the TCP or UDP segment)

IPv6


  • 2001:db8:3333:4444:5555:6666:7777:8888
  • 2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF
  • :: (implies all 8 segments are zero)
  • 2001:db8:: (implies that the last six segments are zero)
  • ::1234:5678 (implies that the first six segments are zero)
  • 2001:db8::1234:5678 (implies that the middle four segments are zero)
  • 2001:0db8:0001:0000:0000:0ab9:C0A8:0102 can be compressed by dropping leading zeros and collapsing one run of all-zero segments: 2001:db8:1::ab9:C0A8:102. Each segment ranges from 0000 to ffff.

::/0 is ALL of the IP Addresses.

VPC Sizing and Structure


VPC Considerations


  • Try to consider the future
  • Try to build around existing networks - if you have 10.20.0.0 on-prem, don't use the same range for your VPC.
  • Consider tiers, resiliency and availability zones
  • Make a list of IP ranges that you want to avoid.
  • Make it the largest that you think you will use.

Think of the AWS recommended sizes

  • Micro
  • Small
  • Medium
  • Large
  • Extra Large

  • Number of availability zones you will use, + 1
  • Number of tiers, + 1
  • Plan out the subnets and build a VPC that can handle that.

Custom VPCs


Create a multi-tier custom VPC that uses 4 tiers in 4 availability zones.

  • Regional service - covers all AZs in the region
  • Creates an isolated network
  • The VPC creates a wall that lets nothing in or out without specific configuration.
  • Supports hybrid networking
  • Default or dedicated tenancy - all resources created in a dedicated-tenancy VPC must be on dedicated hardware

Networking


IPv4 private CIDR blocks and public IPs

  • 1 primary private IPv4 CIDR block
  • Minimum /28 (16 IP addresses)
  • Maximum /16 (65,536 IP addresses)
  • Optional secondary IPv4 blocks, or an optional single assigned IPv6 /56 CIDR block

DNS inside of the VPC is controlled by Route53

  • using enableDNSHostnames - gives the DNS names to the instances.
  • using enableDNSSupport - enables DNS resolution

Quick Demo


  1. Navigate to the Management account and select the VPC console
  2. Click Create VPC
  3. Name the VPC - babyyoda-vpc1
  4. Set the IP CIDR block 10.16.0.0/16
  5. Select Amazon provided IPv6 and set tenancy to default
  6. Create VPC
  7. Navigate to the VPC that you created and look around.
  8. Click on the VPC and go to Actions > Edit DNS resolution > Enable
  9. Click on the VPC again and go to Actions > Edit DNS Hostnames > Enable
  10. Note the IPv4 and IPv6 CIDRs

VPC Subnets


  • Availability zone resilient - subnets are only in one Availability zone.
  • IPv4 CIDR must be a subset of the VPC CIDR
  • Cannot be overlapping. Cannot have the same CIDRs in multiple subnets.
  • optional IPv6 CIDR (/64 subset of the /56 VPC)
  • Subnets are able to communicate with other subnets in the VPC.

Reserved IP Addresses


Let's say we've created this subnet: 10.16.16.0/20, which ranges from 10.16.16.0 to 10.16.31.255

  • Network address - 10.16.16.0
  • Network +1 - 10.16.16.1 - VPC Router
  • Network +2 - 10.16.16.2 - DNS
  • Network +3 - 10.16.16.3 - Reserved
  • Broadcast - 10.16.31.255
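The CIDR splits above (/16 into /17s and /18s), the sizing rule, the subnet rules (inside the VPC CIDR, no overlaps) and the five reserved addresses, worked as code. This is an added example, not part of the original notes; it uses only the ranges already on the page and plain integer math so the prefix/mask relationship is visible.

```python
# Added example (not from the original notes): CIDR arithmetic and the five
# addresses AWS reserves in every subnet, using only the ranges from the notes.
def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_range(cidr):
    """Return (first_ip, last_ip, size) of a CIDR block; a /32 has size 1."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # bigger prefix = more 1 bits
    first = ip_to_int(ip) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return int_to_ip(first), int_to_ip(last), last - first + 1

def split_cidr(cidr, new_prefix):
    """Split a block into equal sub-blocks of new_prefix, e.g. /16 -> two /17s."""
    prefix = int(cidr.split("/")[1])
    if new_prefix < prefix:
        raise ValueError("new prefix must be at least as long as the original")
    first = ip_to_int(cidr_range(cidr)[0])
    size = 1 << (32 - new_prefix)                 # addresses per sub-block
    return [f"{int_to_ip(first + i * size)}/{new_prefix}"
            for i in range(1 << (new_prefix - prefix))]

def aws_reserved(subnet):
    """The five addresses AWS reserves in every subnet, plus the usable count."""
    first, last, size = cidr_range(subnet)
    base = ip_to_int(first)
    return {"network": first, "vpc_router": int_to_ip(base + 1),
            "dns": int_to_ip(base + 2), "reserved": int_to_ip(base + 3),
            "broadcast": last, "usable": size - 5}

def subnet_errors(vpc_cidr, subnets):
    """Check the subnet rules: each subnet inside the VPC CIDR and no overlaps."""
    vpc_first, vpc_last = (ip_to_int(x) for x in cidr_range(vpc_cidr)[:2])
    spans = [(s, *(ip_to_int(x) for x in cidr_range(s)[:2])) for s in subnets]
    errors = [f"{s} is outside {vpc_cidr}"
              for s, lo, hi in spans if lo < vpc_first or hi > vpc_last]
    for i, (s1, lo1, hi1) in enumerate(spans):
        for s2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:      # address ranges intersect
                errors.append(f"{s1} overlaps {s2}")
    return errors
```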

DHCP Option Set


Attached to the entire VPC and acts as the DHCP server. Allows auto-assignment of IP addresses for both IPv4 and IPv6.

Demo: Implement multi-tier VPC Subnets


Demo

VPC Routing, Internet Gateway and using Bastion Hosts


The VPC router is located at the network +1 address and is highly available. It routes between subnets and is controlled by route tables; each subnet has a route table. Your VPC has a main route table, which is the subnet's default unless you set one up yourself.

Routes


  • Where the traffic leaves the subnets
  • The higher the prefix, the more specific the route and the higher its priority
  • Target is where it sends the traffic.
  • Route tables are attached to one or more subnets

Internet Gateway


Region-resilient gateway attached to the VPC. 1 VPC = 0 or 1 IGW; 1 IGW = 0 or 1 VPC.

Used to route from internal VPC to AWS's public zone.

  • Public IPs are not used inside of the VPC; instead, the IGW translates the public IP to the private IP address.
  • The OS of the instance does not know about the public IP at all

Bastion Hosts


  • Also called a Jumpbox
  • an instance inside a public subnet that allows access into the private subnet
  • Usually the only path into the private VPC.

Demo: Configuring Public Subnets and the Jumpbox


Demo

Stateful and Stateless Firewalls


Stateless firewalls need ports open for both the request and the response. Stateful firewalls only need ports open for the request, because they automatically know how to handle the response ports.

Network Access Control Lists (NACLs)


Concepts


Used when the data crosses subnet boundaries

  • Inbound
  • Outbound

Processed in order, lowest-numbered rule first. Processing stops when a rule is matched.

Think about how the bastion host works:

  • you're on your computer
  • you try to SSH into the machine
  • your traffic enters the VPC
  • it then enters the subnet, hitting the inbound rules on the NACL
  • if accepted, it then hits the bastion host.

Thought #2: ICMP ping traffic.

  • You send a ping request to the bastion host
  • that request hits the port 22 SSH rule, doesn't match
  • hits probably a few more rules, doesn't match.
  • hits the ICMP rule, matches, is allowed, and then the rule processing stops.

If no rules are triggered, it ends up at the bottom in what is called an Implicit Deny:

  • * All traffic 0.0.0.0/0 DENY

Types of traffic


Some types of traffic require both an inbound and outbound rule. HTTP traffic is a great example.

  • you try to access a website
  • traffic from your computer hits the VPC and the subnet (the inbound request)
  • it's allowed, so then it hits the web server
  • the webserver then sends you the content of the page (the outbound response)

You need to enable ports both inbound AND outbound in order for HTTP to work. This also brings up the subject of ephemeral ports. An ephemeral port is a random port that is opened up during the response.

  • Traffic comes in on port 80 or 443 and leaves on port 16985 for example.
  • you need to account for ANY ephemeral port leaving the web server.

This gets more confusing when you move traffic from a web server to an app server on different subnets.

Tips


NACLs are STATELESS - the initiation and the response are seen as different requests. They only impact data crossing the subnet border.

  • Can Explicitly Allow AND Deny
  • no knowledge of the logical resources
  • You cannot assign NACLs to resources, only subnets
  • you can use these in conjunction with SGs to add explicit DENY
  • One subnet = one NACL

Security Groups


Stateful Firewall

  • These are one level up from NACLs and are attached to a resource.
  • A common example is that a security group is usually attached to the network interface that is attached to the EC2 instance.
  • Security Groups are STATEFUL, which means the response is automatically allowed.
  • Security groups can also reference themselves - meaning anything this group is attached to is allowed
  • Security Groups cannot explicitly Deny. NACLs are used in conjunction with the SGs to allow explicit DENYs

Tips

  • SGs are Stateful - Traffic and response are the same rule
  • SGs can filter based on AWS Logical resources, actual resources, other SGs and even themselves
  • They have an implicit DENY and Explicit ALLOW
  • NO EXPLICIT DENY ON A SECURITY GROUP.

Comparing Security Groups to NACLs


  • NACLs on the subnet are used for any products which don't work with Security Groups - for example, NAT Gateways
  • NACLs when adding explicit DENY (bad IPs and bad actors)
  • SGs are the default almost everywhere
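The NACL rule walk-through (lowest number first, stop at the first match, implicit deny at the bottom), the ephemeral-port problem with HTTP responses, and the stateful security-group behaviour, modelled side by side in one added example that is not part of the original notes. The rule sets, the client and server IPs, and the ephemeral port 16985 are constructed for the example; the stateful model is a simplification of how a security group tracks flows.

```python
import ipaddress
from collections import namedtuple

# Rule fields: number (lowest checked first), proto "tcp"/"icmp"/"all", ports as a
# (low, high) destination-port range (tcp only), cidr (src inbound / dst outbound), action.
Rule = namedtuple("Rule", "number proto ports cidr action")
Packet = namedtuple("Packet", "proto src dst sport dport")

def evaluate_rules(rules, pkt, direction):
    """Stateless NACL evaluation: lowest number first, first match wins,
    implicit deny when nothing matches. Returns (action, matched rule number)."""
    ip = ipaddress.ip_address(pkt.src if direction == "inbound" else pkt.dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("all", pkt.proto):
            continue
        if rule.proto == "tcp" and not rule.ports[0] <= pkt.dport <= rule.ports[1]:
            continue
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.action, rule.number
    return "DENY", None   # the "* all traffic 0.0.0.0/0 DENY" at the bottom

class StatefulFirewall:
    """Security-group-style model: a packet that reverses an already allowed
    flow is accepted without consulting the rules for its direction."""
    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()

    def evaluate(self, pkt, direction):
        if (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return "ALLOW", "tracked-flow"
        action, number = evaluate_rules(self.rules[direction], pkt, direction)
        if action == "ALLOW":
            self.flows.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return action, number

# Constructed sample (made-up IPs): an outbound NACL that only allows port 80,
# the mistake the ephemeral-port discussion warns about, beside the fixed one.
INBOUND = [Rule(100, "tcp", (22, 22), "0.0.0.0/0", "ALLOW"),
           Rule(110, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
           Rule(120, "icmp", (0, 0), "0.0.0.0/0", "ALLOW")]
OUTBOUND_BROKEN = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")]
REQUEST = Packet("tcp", "203.0.113.10", "10.16.16.10", 16985, 80)
RESPONSE = Packet("tcp", "10.16.16.10", "203.0.113.10", 80, 16985)
PING = Packet("icmp", "203.0.113.10", "10.16.16.10", 0, 0)
def stateful_demo():  # same request/response through an SG with no outbound rules
    sg = StatefulFirewall(INBOUND, [])
    return sg.evaluate(REQUEST, "inbound"), sg.evaluate(RESPONSE, "outbound")
```

With OUTBOUND_BROKEN the web server's response to port 16985 hits the implicit deny and the page never loads; the same response passes the stateful model with no outbound rule at all because it reverses a tracked flow.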

NAT and NAT Gateways


NAT gateways translate multiple private IPs to a single Public IP.

  • NAT Gateway runs in the public subnet
  • Routes direct to the IGW
  • Has an Elastic IP address
  • Need a NAT GW in each Availability Zone because these are AZ resilient.
  • two points of pricing, one for running it per hour and one for the data per hour.

Demo Implementing Private Internet Access using NAT Gateways


Demo

End.