
Networking⚓︎

API Gateway⚓︎

API Gateway acts as the primary entry point to AWS resources such as Lambda functions, EC2 instances, and DynamoDB. Here are some key features:

  • Caching for Performance: API Gateway can cache responses for increased performance.
  • Throttling: Efficiently manage and control request traffic to prevent abuse.
  • Low-Cost and Scalable: API Gateway is cost-effective and scales seamlessly.
  • Security Features:
    • Authentication: Integrates with Cognito User Pools for user authentication.
    • Authorization: Utilizes IAM for internal AWS authorization.
  • API Key Management: Create and manage API keys for enhanced security.
  • Swagger/OpenAPI Support: Import API definitions written in Swagger/OpenAPI.
  • Custom Domain with HTTPS: Secure custom domains with AWS ACM, supporting both Edge-Optimized and Regional configurations.

Endpoints⚓︎

  • Edge-Optimized: Requests from global clients are routed through CloudFront edge locations; the API itself still lives in a single region.
  • Regional: For clients in the same region as the API Gateway deployment.
  • Private: Accessible within a VPC via VPC endpoint with a resource policy.

Load Balancers⚓︎

Load balancers distribute incoming traffic across multiple instances to ensure reliability and high availability. Here's an overview:

  • Sticky Sessions: CLB ties sessions to EC2 instances, ALB ties sessions to Target Groups.
  • Health Checks: Ensures the health of instances by periodically checking their status.
  • Cross Zone Load Balancing: Equally distributes traffic across instances in multiple Availability Zones.
  • Routing Options:
    • CLB: HTTP(S), TCP, SSL
    • ALB: HTTP(S), WebSockets
    • NLB: TCP, TLS, UDP
    • GLB: Layer 3 (IP Protocol)
  • X-Forwarded-For Header: Utilized to retrieve the IPv4 address in version 2.
  • 504 Error Handling: Indicates a gateway timeout and suggests issues with DB or web server responsiveness.

Application Load Balancer (ALB)⚓︎

  • Layer 7 Load Balancing: Suited for HTTP(S) traffic and websockets.
  • Static DNS Name: Requests are sent to a fixed hostname rather than a fixed IP address (the ALB has no static IP; contrast NLB).
  • SSL Certificate Management: Supports multiple SSL certificates on one listener.
  • Routing Based on URL, Hostname, etc.: Directs traffic based on various parameters.
  • Sticky Sessions: Available through cookies (AWSALB).
  • Health Checks: Conducted at the target group level.

Elastic Load Balancer (ELB/CLB)⚓︎

  • Legacy Load Balancer: Supports HTTP(S) and Layer-7 features such as X-Forwarded-For and sticky sessions.
  • TCP Protocol Support: Can use strict Layer 4 load balancing for TCP-only applications.
  • Static DNS Name: Uses a static DNS name for requests forwarded to web servers.
  • Health Checks: Can be configured for TCP or HTTP.
  • Sticky Sessions: Available via cookies (AWSELB).
  • SNI Not Available: Supports only one certificate.

Gateway Load Balancer⚓︎

  • Scaling Network Virtual Appliances: Manages third-party network virtual appliances (e.g., Firewalls, IDS/IPS) at Layer 3 (Network layer).
  • Transparent Network Gateway: Serves as a single entry/exit point for traffic.
  • Load Balancing: Distributes traffic to virtual appliances.
  • Geneve Protocol: Utilized on port 6081.

Network Load Balancer (NLB)⚓︎

  • Layer 4 Load Balancing: Suited for high-performance TCP/UDP traffic.
  • Ultra-Low Latency: Handles millions of requests per second with minimal latency.
  • Static Public IP: Provides one static public IP address per Availability Zone.
  • Health Checks: Supports TCP, HTTP(S) health checks.
  • Cross Zone LB: Disabled by default and incurs inter-AZ data transfer charges when enabled.
  • Target Configurations: Based on instance ID or IP addresses.

Connection Draining (ELB)/Deregistration Delay (ALB and NLB)⚓︎

  • In-flight Request Handling: Lets in-flight requests complete while an instance is unhealthy or deregistering, instead of cutting them off.
  • Time Configuration: Set between 1 and 3600 seconds; the default is 300 seconds.
  • Disabling: Set the delay to 0 seconds to disable it, which is acceptable when requests are short-lived.

Health Checks⚓︎

Health checks are essential for monitoring the status of resources. Key points include:

  • HTTP Endpoint Response Criteria: Passes for 2xx/3xx responses.
  • Route 53 Health Checks: Enable automated DNS failover for various routing policies.
  • CloudWatch Alarms Integration: A health check can monitor the state of a CloudWatch alarm, which is how private VPC resources (not reachable by Route 53 checkers) are covered.
  • Response Text Matching: Can pass/fail based on the text of the first 5120 bytes of response.
  • Routing Policy Compatibility: Works with weighted, latency-based, geolocation, and multivalue routing policies.
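The HTTP health-check criteria listed above (2xx/3xx passes, string matching limited to the first 5120 bytes) and the aggregation across several Route 53 checkers, as an added example; this is illustration code, not part of the original notes or of Route 53 itself, and the 18% healthy-checker threshold is taken from the Route 53 documentation rather than from these notes.

```python
from dataclasses import dataclass
from typing import Optional

MATCH_WINDOW = 5120  # Route 53 inspects only the first 5120 bytes of the body


@dataclass
class CheckerObservation:
    """What one Route 53 health checker observed when probing the endpoint."""
    connected: bool
    status: Optional[int] = None
    body: bytes = b""


def endpoint_check_passes(obs, search_string=None):
    """Apply the HTTP health-check rules from the notes to a single observation."""
    if not obs.connected or obs.status is None:
        return False
    if not 200 <= obs.status <= 399:  # only 2xx/3xx responses pass
        return False
    if search_string is None:
        return True
    # String matching (HTTP_STR_MATCH) still requires a 2xx/3xx status and only
    # looks inside the first MATCH_WINDOW bytes of the response body.
    return search_string.encode() in obs.body[:MATCH_WINDOW]


def endpoint_is_healthy(observations, search_string=None, healthy_fraction=0.18):
    """Aggregate checker results: healthy when MORE than healthy_fraction of
    checkers pass (0.18 is the documented Route 53 default, assumed here)."""
    if not observations:
        return False
    passing = sum(endpoint_check_passes(o, search_string) for o in observations)
    return passing / len(observations) > healthy_fraction


# Constructed sample: eight checkers, two of which saw a healthy 200 response.
SAMPLE_OBSERVATIONS = [
    CheckerObservation(True, 200, b"status: healthy"),
    CheckerObservation(True, 200, b"status: healthy"),
    CheckerObservation(True, 503, b"upstream unavailable"),
    CheckerObservation(False),
] + [CheckerObservation(True, 504, b"") for _ in range(4)]

if __name__ == "__main__":
    print("healthy:", endpoint_is_healthy(SAMPLE_OBSERVATIONS, "healthy"))
```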

AWS Global Accelerator⚓︎

AWS Global Accelerator enhances application availability and performance for global users. Key features include:

  • Anycast/Static IP Addresses: Provides fixed entry points globally, ensuring a consistent experience.
  • Optimal Routing: Routes traffic to the nearest optimal endpoint based on various factors.
  • Fast Failover: Achieves failover in less than a minute for unhealthy applications.
  • Use Cases: Suitable for non-HTTP use cases like gaming (UDP), IoT (MQTT), or VOIP.
  • Integration: Works with Elastic IP, EC2, ALB, NLB, public, or private endpoints.
  • Traffic Control: Allows precise control using traffic dials within an endpoint group.

Amazon Route 53⚓︎

Amazon Route 53 is a comprehensive DNS routing and domain registration service with various features:

  • DNS Routing/Domain Registration: Manages DNS routing and domain registration seamlessly.
  • Cost Considerations: Charges increase with Route 53 traffic.
  • Routing Types:
    • Simple
    • Multi-Value
    • Weighted
    • Latency
    • Geolocation
    • Geoproximity (traffic flow only)
  • Alias vs. CNAME: Alias is preferred, especially for AWS resources.
  • Record Types: A, AAAA, CNAME, NS, MX, PTR, and more.
  • Resolver Integration: Connects to AWS infrastructure and external infrastructure.
  • Health Checks: Utilizes health checks for failover scenarios.

Route 53 Resolver⚓︎

  • AWS Side:
    • Automatic DNS Answers: Resolves DNS queries for local VPC domain names.
    • Integration with On-Premises DNS: Configures forwarding rules for on-premises DNS resolvers.
  • On-Premises Side:
    • Conditional Forwarding: Forwards queries to resolvers on the on-premises network via outbound endpoints.
    • Resolver Rules: Specifies domain names and IPs of on-premises DNS resolvers.

Route 53 Records⚓︎

  • Record Components: Contains domain/subdomain name, record type, value, routing policy, and TTL.
  • Record Types: A, AAAA, CNAME, NS, etc.
  • Hosted Zones: Public for internet traffic and private for VPCs.
  • Targets: Supports various AWS resources like ELB, CloudFront, API Gateway, and more.

Amazon CloudFront⚓︎

Amazon CloudFront is a serverless content delivery service with global edge locations. Key aspects include:

  • Global Content Delivery: Delivers websites with dynamic, static, streaming, and interactive content.
  • Web and RTMP Distributions: Serves websites without architectural changes and supports media streaming.
  • Edge Locations (Lambda@Edge): Caches and processes content at global edge locations.
  • Origin: Defines the source of all files distributed by the CDN (S3 bucket, EC2, ELB, or Route 53).
  • Security Options: Supports HTTPS, geo-restriction, signed URLs/cookies, field-level encryption, and AWS WAF.
  • Pricing Options: Varied pricing classes based on global reach.
  • Scaling and Clearing Cache: Scalable and can clear cached objects (with associated charges).

Unicast IP vs. Anycast IP⚓︎

  • Unicast: One server holds one IP address.
  • Anycast: Multiple servers share the same IP address, and the client is routed to the nearest one.

CloudFront Signed URLs/Cookies⚓︎

CloudFront Signed URLs and Cookies enhance content security for authorized users:

  • Usage: Use them to restrict content access to authorized users only.
  • Policy Elements: Include limited lifetime, IP ranges, and trusted signers.
  • Origin Considerations: Use CloudFront Signed URLs/Cookies with EC2 as the origin.
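The policy elements just listed (limited lifetime, IP range, the resource being protected), shown as an added example of how a CloudFront custom policy is built, encoded and re-evaluated; this is illustration code, not part of the original notes or of CloudFront's SDK, and the RSA-SHA1 signing by the trusted signer is intentionally left out, so the URL and CIDR values are constructed samples.

```python
import base64
import ipaddress
import json


def build_custom_policy(resource_url, expires_epoch, source_cidr=None, not_before_epoch=None):
    """Build the JSON document CloudFront expects in the `Policy` query parameter.
    Field names follow the CloudFront custom-policy format."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if not_before_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(not_before_epoch)}
    if source_cidr is not None:
        condition["IpAddress"] = {"AWS:SourceIp": str(ipaddress.ip_network(source_cidr))}
    policy = {"Statement": [{"Resource": resource_url, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data):
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cloudfront_b64_decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def policy_permits(policy_json, requested_url, client_ip, now_epoch):
    """Re-evaluate a decoded policy the way the edge would, minus the signature check.
    Exact Resource match only; CloudFront's wildcard matching is not modelled."""
    stmt = json.loads(policy_json)["Statement"][0]
    if stmt["Resource"] != requested_url:
        return False
    cond = stmt["Condition"]
    if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:  # lifetime expired
        return False
    if "DateGreaterThan" in cond and now_epoch < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False
    if "IpAddress" in cond:  # client must come from the allowed range
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"])
        if ipaddress.ip_address(client_ip) not in allowed:
            return False
    return True


# Constructed sample values (not real distributions or clients).
SAMPLE_URL = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
SAMPLE_POLICY = build_custom_policy(SAMPLE_URL, 1_700_000_000, "203.0.113.0/24")
```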

AWS Global Accelerator vs. CloudFront⚓︎

Both services use the global AWS network but have distinct use cases:

  • CloudFront:
    • Improves performance for cacheable and dynamic content.
    • Serves content at the edge for faster delivery.
  • Global Accelerator:
    • Enhances TCP/UDP application performance.
    • Routes traffic at the edge to applications running in AWS Regions.
    • Ideal for non-HTTP use cases and requires static IP addresses.

AWS PrivateLink⚓︎

AWS PrivateLink facilitates secure VPC-to-VPC service exposure:

  • VPC Connectivity: Allows opening a VPC service to other VPCs securely.
  • No VPC Peering Requirement: No need for VPC peering, route tables, NAT, or IGWs.
  • Implementation Components: Requires NLB on the service VPC and an ENI on the customer VPC.
  • Issue Resolution: Check DNS settings and Route Tables if facing issues.

AWS Direct Connect⚓︎

AWS Direct Connect provides dedicated network connections between on-premises and AWS VPC:

  • Private Connectivity: Establishes private connections to AWS VPC from on-premises.
  • High Throughput: Suitable for high-throughput workloads with significant network traffic.
  • Stability and Reliability: Offers a stable and reliable connection compared to internet-based connections.
  • Setup Time: Requires at least a month for setup.
  • IPv4/IPv6 Support: Supports both IPv4 and IPv6.

CIDR⚓︎

CIDR (Classless Inter-Domain Routing) is crucial for defining IP ranges:

  • VPC and Subnet Limits: AWS imposes limits on VPCs and subnets per region.
  • Launch Issues: If EC2 launches fail in a subnet, check that the IPv4 CIDR still has free addresses, even when the workload uses IPv6.
  • Security Group Rules: Utilizes CIDR in security group rules.
  • IPv4 Not Disableable: IPv4 cannot be disabled in a VPC.

VPC CIDR Unavailable IPs in Subnets⚓︎

AWS reserves specific IP addresses in each subnet that cannot be used:

  • Example (10.0.0.0/24):
    • 10.0.0.0: Network address.
    • 10.0.0.1: Reserved for the VPC router.
    • 10.0.0.2: Used by AWS for mapping Amazon-provided DNS.
    • 10.0.0.3: Reserved by AWS for future use.
    • 10.0.0.255: Network broadcast address (reserved even though AWS does not support broadcast in VPC).
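The reservation rule above generalised to any IPv4 subnet, as an added example that is not part of the original notes: it derives the five reserved addresses, the usable host count, and whether a given address may be assigned. The /16 to /28 prefix-length bound is taken from the AWS VPC documentation and is an assumption of this code rather than something the notes state.

```python
import ipaddress

# AWS IPv4 VPC/subnet CIDR blocks must be between /16 and /28 (assumed from AWS docs).
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def aws_reserved_addresses(cidr):
    """Return the five addresses AWS reserves in an IPv4 subnet, keyed by their role."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 subnets only")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"/{net.prefixlen} is outside the allowed /{MIN_PREFIX}-/{MAX_PREFIX} range")
    base = int(net.network_address)
    return {
        "network": str(net.network_address),                  # .0   network address
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),   # .1   VPC router
        "amazon_dns": str(ipaddress.IPv4Address(base + 2)),   # .2   Amazon-provided DNS
        "future_use": str(ipaddress.IPv4Address(base + 3)),   # .3   reserved for future use
        "broadcast": str(net.broadcast_address),              # last broadcast (unsupported, still reserved)
    }


def usable_host_count(cidr):
    """Addresses that can actually be assigned to ENIs: total minus the five reserved."""
    aws_reserved_addresses(cidr)  # validates the CIDR
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def is_assignable(cidr, ip):
    """True if `ip` lies in the subnet and is not one of the reserved addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    return addr in net and str(addr) not in aws_reserved_addresses(cidr).values()


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/28"):  # constructed sample subnets
        print(cidr, usable_host_count(cidr), aws_reserved_addresses(cidr))
```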