IP Addressing and Subnetting

The document provides an overview of AWS Virtual Private Cloud (VPC) and its components, including subnets, route tables, and IP addressing. It explains the structure of IPv4 addresses, subnetting, and the importance of CIDR notation for defining network size. Additionally, it covers the configuration of VPCs, including creating subnets, routing, and connecting to on-premises networks via VPN or Direct Connect.

Uploaded by

qudsiasamar09

Module-2

Network Service

AWS VPC, Route 53


AWS VPC (Virtual Private Cloud)

Isolated user defined network inside AWS (like VLAN in switch)

- Logically isolated subnets
- Reserve IP Address ranges and assign to resources
- Setup Route Tables, Firewalls, Gateways
- Use Network ACL, IAM to control access
IP Addressing and Subnetting
Let's Talk About Addressing!

Types of Addressing:
- Layer 2 – MAC Addresses (Media Access Control)
  Example MAC Address: 0134.2345.12AB
    0134.23 – Vendor Code
    45.12AB – Serial Number
- Layer 3 – Logical Addresses (IPv4 or IPX)

Assignment of IP Addresses:
- Static Addresses – assigned by an Administrator
- Dynamic Addresses – DHCP
- "Hierarchical" vs. "Flat" Addressing Schemes
Basics of An IPv4 Address

Layer 3 (L3) Logical IP Addresses are comprised of 4 Octets, separated by a "."

The Decimal form looks like this:
176.223.14.127

The Binary form looks like this (bit values in each octet: 128 64 32 16 8 4 2 1):
10110000.11011111.00001110.01111111
Basics of An IPv4 Address

Each of the 4 Octets has 8 Bits
Each of these Bits has a "Binary Value"
Each Bit can only be a One or a Zero

Let's Look at One of the Octets – 8 Bits
128 64 32 16 8 4 2 1
Each of these 8 bits has a distinct value that starts at "1" on the right side and, moving to the left, doubles each time to 2, 4, 8, 16, 32, 64, and finally 128, as shown above.
IPv4 Addressing

32 bits, split into a Network portion and a Host portion:

                    Octet 1    Octet 2    Octet 3    Octet 4
Bit positions       1-8        9-16       17-24      25-32
Dotted Decimal      255        255        255        255
(Maximum)
Binary              11111111   11111111   11111111   11111111

Example Decimal     172        16         122        204
Example Binary      10101100   00010000   01111010   11001100

Bit values within one octet: 128 64 32 16 8 4 2 1
IPv4 Address Classes

            8 bits     8 bits     8 bits     8 bits
Class A:    Network    Host       Host       Host
Class B:    Network    Network    Host       Host
Class C:    Network    Network    Network    Host
Class D:    Multicast
Class E:    Research
IPv4 Address Classes

Class A:  Bits 1-8: 0NNNNNNN   Bits 9-16: Host      Bits 17-24: Host      Bits 25-32: Host
          Range (1-127) – 16,777,214 hosts
Class B:  Bits 1-8: 10NNNNNN   Bits 9-16: Network   Bits 17-24: Host      Bits 25-32: Host
          Range (128-191) – 65,534 hosts
Class C:  Bits 1-8: 110NNNNN   Bits 9-16: Network   Bits 17-24: Network   Bits 25-32: Host
          Range (192-223) – 254 hosts
Class D:  Bits 1-8: 1110MMMM   Bits 9-32: Multicast Group
          Range (224-239)
Host Addresses

[Figure: a router with two interfaces, E0 on network 172.16.0.0 and E1 on network 10.0.0.0. Hosts on the E0 side: 172.16.2.1, 172.16.3.10, 172.16.12.12. Hosts on the E1 side: 10.1.1.1, 10.6.24.2, 10.250.8.11, 10.180.30.118.]

172.16.12.12 = Network 172.16 + Host 12.12

Routing Table
Network       Interface
172.16.0.0    E0
10.0.0.0      E1
Determining Available Host Addresses

172.16.0.0 = Network 172.16 (10101100 00010000) + Host 0.0 (00000000 00000000)

Host bits             N
00000000 00000000     1
00000000 00000001     2
00000000 00000010     3
...
11111111 11111101     65534
11111111 11111110     65535
11111111 11111111     65536

Remember 2^N - 2 (where N is the number of host bits): 2^16 - 2 = 65534 usable host addresses, because the all-zeros (network) and all-ones (broadcast) host values cannot be assigned.
Addressing without Subnets

[Figure: one flat network 172.16.0.0 containing hosts 172.16.0.1, 172.16.0.2, 172.16.0.3 ... 172.16.255.253, 172.16.255.254]

• Network 172.16.0.0
Addressing with Subnets

[Figure: network 172.16.0.0 divided into subnets 172.16.1.0, 172.16.2.0, 172.16.3.0 and 172.16.4.0]

• Network 172.16.0.0
Subnet Mask

                         Network             Host
IP Address               172       16        0         0
Default Subnet Mask      255       255       0         0
                         11111111  11111111  00000000  00000000
Also written as "/16" where 16 represents the number of 1s in the mask.

                         Network             Subnet    Host
8-bit Subnet Mask        255       255       255       0
Also written as "/24" where 24 represents the number of 1s in the mask.
Subnet Mask with Subnets

                    Network             Subnet    Host
172.16.2.160        10101100  00010000  00000010  10100000
255.255.255.0       11111111  11111111  11111111  00000000
Network Number      10101100  00010000  00000010  00000000  =  172.16.2.0

Network number extended by eight bits.
Mask octet values for 1 to 8 leading 1 bits: 128, 192, 224, 240, 248, 252, 254, 255
Without a subnet mask you cannot tell the host address nor the network it resides on!
Subnet Mask with Subnets (cont.)

                    Network             Subnet       Host
172.16.2.160        10101100  00010000  00000010  10 100000
255.255.255.192     11111111  11111111  11111111  11 000000
Network Number      10101100  00010000  00000010  10 000000  =  172.16.2.128

Network number extended by ten bits.
Mask octet values for 1 to 8 leading 1 bits: 128, 192, 224, 240, 248, 252, 254, 255
Broadcast Addresses

[Figure: network 172.16.0.0 with subnets 172.16.1.0, 172.16.2.0, 172.16.3.0 and 172.16.4.0; the all-subnets broadcast is marked with an X]

172.16.3.255 (Directed broadcast)
255.255.255.255 (Local network broadcast)
172.16.255.255 (All subnets broadcast)
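As an added example (not code from the slides), the mask arithmetic of the last few slides carried out with plain integer bit operations, using the slides' own address 172.16.2.160 with the /24 and /26 masks:

```python
# Added example: subnet-mask arithmetic with integer bit operations so that
# every step corresponds to the binary tables on the slides.

def ip_to_int(ip: str) -> int:
    """Pack a dotted-decimal IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-decimal form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(ip: str) -> str:
    """Dotted binary form, e.g. 172.16.2.160 -> 10101100.00010000.00000010.10100000"""
    return ".".join(f"{(ip_to_int(ip) >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def mask_from_prefix(prefix: int) -> int:
    """/26 -> 255.255.255.192: `prefix` leading one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def network_address(ip: str, prefix: int) -> str:
    """AND the address with the mask: the host bits drop to zero."""
    return int_to_ip(ip_to_int(ip) & mask_from_prefix(prefix))

def directed_broadcast(ip: str, prefix: int) -> str:
    """OR the address with the inverted mask: the host bits become all ones."""
    return int_to_ip(ip_to_int(ip) | (~mask_from_prefix(prefix) & 0xFFFFFFFF))

def usable_hosts(prefix: int) -> int:
    """2^N - 2 where N is the number of host bits (network and broadcast excluded)."""
    host_bits = 32 - prefix
    return max(2 ** host_bits - 2, 0)

if __name__ == "__main__":
    # Walk through the slides' address with both masks.
    for prefix in (24, 26):
        print(f"172.16.2.160/{prefix}: mask {int_to_ip(mask_from_prefix(prefix))}, "
              f"network {network_address('172.16.2.160', prefix)}, "
              f"broadcast {directed_broadcast('172.16.2.160', prefix)}, "
              f"usable hosts {usable_hosts(prefix)}")
```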
AWS VPC (Virtual Private Cloud)

Isolated user defined network inside AWS (like VLAN in switch)

- Logically isolated subnets
- Reserve IP Address ranges and assign to resources
- Setup Route Tables, Firewalls, Gateways
- Use Network ACL, IAM to control access
- Remotely connect the on-prem DC network with VPN or Direct Connect
- Multiple VPCs can be peered across Regions
- Subnet IPs are in the Private range; once we assign an Internet Gateway, we call it a Public Subnet
- VPC allocates a part of the cloud as your own network; we can control it, manage IPs, manage security, etc.
- When AWS launched initially, the entire AWS cloud was a flat network. You were forced to apply instance level security since the network was not managed / maintained by you.
- We can connect to the VPC network and then access EC2 instances with private IPs
- We create Subnets in a VPC so that we can provide access levels
- Virtual Private Gateway (1.25Gbps) used to connect the on-prem DC
- AWS has created Default VPCs in every Region of your account.
Components of VPC
Subnet: We create Subnets inside a VPC (later we can name them Public or Private). A VPC spans a Region and a Subnet spans a single AZ.
Route Table: The routing table holds information about where traffic is to be sent. The Router works based on the information in the route table. Within the VPC we use static routes. When it comes to VPN and Direct Connect, we go for dynamic routing.
Router: The Router looks up the route table and asks it how to reach the other system / device.
Elastic IP: Static public IP. When we start an EC2 instance in the default VPC, we dynamically get a public IP for the EC2 instance along with the private IP. If we restart the EC2 instance, the public IP may change. When we use an Elastic IP, the public IP stays statically assigned to the EC2 instance until you release it.
Elastic Network Interface (ENI): Virtual network card for an EC2 instance. When we assign an IP (Elastic or Dynamic), the IP is always assigned to the ENI and the ENI is assigned to the EC2 instance. We can always re-attach the ENI from one EC2 instance to another.
Internet Gateway (IGW): Gateway that allows you to connect to the internet
Customer Gateway: The router in the on-prem data center for VPN
VPN Connection: IPSec VPN connection between the Customer Gateway and the Virtual Private Gateway
Virtual Private Gateway: Router on the AWS side for VPN
VPC Peering: To interconnect 2 VPCs, 1 VPC sends a request and the other VPC accepts it.
VPC Endpoints: Connectivity that allows you to talk to certain AWS services privately from the VPC. For example, EC2 communicating with S3 goes over the internet; a VPC Endpoint gives a direct, private connection to S3. The traffic doesn't leave the AWS network.
NAT Gateway: Provides internet access to devices in a private subnet of the VPC. The NAT Gateway sits in the Public subnet. Only outbound connections and the responses to those connections are allowed; no new inbound connections from the internet.
IP Classless Inter-Domain Routing (CIDR) Block
Notation that shows exactly how many IPs there are in a network, how large the network is, and additional information about the network. E.g. 10.0.0.0/16 (Network Prefix IP Addressing Method)
Range: 10.0.0.0 to 10.0.255.255
When we create a VPC, we need to specify the CIDR range of that VPC. We can add additional CIDR ranges to the VPC, but the existing one can't be deleted.
10.0.1.2/32 - Represents one IP using CIDR notation.
VPC capacity is between /28 (14+2 IPs) and /16 (65534+2 IPs).
We can bring our public IPs to AWS (should talk to the provider and AWS)
IP Address Reservations:
o .0 - Network Address
o .1 - Reserved by AWS for the internal VPC Router
o .2 - Reserved by AWS for the internal DNS Server
o .3 - Reserved by AWS for future use
o .255 - Broadcast Address. Broadcast is not supported within a VPC.
Subnets

Create subnets to divide the larger chunks of IPs

Subnets are the Sub Networks of a VPC; they have to fall in the IP range (CIDR) of the VPC
E.g.: CIDR 10.0.0.0/16
o Subnet 1: 10.0.1.0/24 (10.0.1.0 to 10.0.1.255)
o Subnet 2: 10.0.2.0/24 (10.0.2.0 to 10.0.2.255)
o ………
o Subnet 255: 10.0.255.0/24 (10.0.1.0 to
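An added example (not from the slides) that checks a VPC and subnet plan against the rules above: a VPC CIDR between /16 and /28, subnets inside the VPC CIDR, and five addresses reserved by AWS per subnet. It also assumes subnets, like the VPC, may be no smaller than /28 and may not overlap, which the slides do not state.

```python
import ipaddress
from typing import Dict, List

# AWS reserves .0 (network), .1 (router), .2 (DNS), .3 (future use) and the
# last address (broadcast) in every subnet, as listed on the slides above.
AWS_RESERVED_PER_SUBNET = 5

def check_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject a VPC CIDR outside the /16 .. /28 window the slides give."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be 0
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net

def reserved_addresses(cidr: str) -> List[str]:
    """The first four addresses and the broadcast address of a subnet."""
    subnet = ipaddress.ip_network(cidr, strict=True)
    first = subnet.network_address
    return [str(first + i) for i in range(4)] + [str(subnet.broadcast_address)]

def usable_in_subnet(cidr: str) -> int:
    """Assignable addresses: subnet size minus the AWS reservations."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET

def plan_subnets(vpc_cidr: str, subnet_cidrs: List[str]) -> Dict[str, int]:
    """Validate each subnet (inside the VPC, no overlap, no smaller than /28;
    the /28 subnet limit is an assumption) and return CIDR -> usable count."""
    vpc = check_vpc_cidr(vpc_cidr)
    accepted: List[ipaddress.IPv4Network] = []
    usable: Dict[str, int] = {}
    for cidr in subnet_cidrs:
        sub = ipaddress.ip_network(cidr, strict=True)
        if not sub.subnet_of(vpc):
            raise ValueError(f"{cidr} is outside the VPC CIDR {vpc_cidr}")
        if sub.prefixlen > 28:
            raise ValueError(f"{cidr} is smaller than /28")
        for other in accepted:
            if sub.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        accepted.append(sub)
        usable[cidr] = usable_in_subnet(cidr)
    return usable

def is_valid_plan(vpc_cidr: str, subnet_cidrs: List[str]) -> bool:
    """True when plan_subnets accepts the plan, False on any rule violation."""
    try:
        plan_subnets(vpc_cidr, subnet_cidrs)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    print(reserved_addresses("10.0.1.0/24"))
```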
Routing in VPC

When we create Subnets in a VPC, each is just a smaller chunk of the VPC CIDR; there is nothing called Public or Private.
The moment we associate a Route Table with the subnet, based on the Route Table information, we call the subnet Public or Private.
The Route Table is the one that decides whether the subnet is Public or Private.
Apart from the Public Route Table, your EC2
Hands-On VPC Configurations
Step 1: Creating VPC

Open AWS Console >> Services >> VPC

(Optional) We have an option to use Launch VPC Wizard to create a VPC, however that is too easy and you might not understand what's happening behind the scene.
Go to Your VPCs, you can see the default VPC created by AWS here. Every region will have default VPCs created.
We can also see the IP CIDR block as well
Go ahead and hit Create VPC button

Now we have successfully created VPC

In the VPC services page, you can see the newly
created VPC and AWS Default VPC.
Note: There won’t be any name tag for default VPC,
it is recommended to provide a name tag for the
default VPC.
Step 2: Enable Public DNS Hostnames
When you create VPC, it doesn’t give any Public DNS
hostnames to EC2 instances by default.
To enable this, select the VPC >> Actions >> Edit
DNS Hostnames >> Yes >> Save
Go to the Subnet options in VPC Dashboard >>
You can observe the default Subnets created by
AWS itself.
Note: It is recommended to provide a friendly name
to the default subnets.
I have given some friendly names to the default Subnets.
Go ahead and click Create Subnet button
In our lab practice we are creating 4 subnets (2 Private in 2
AZs and 2 Public in 2 AZs)
1. ap-south-1-public-subnet-1a

2. ap-south-1-public-subnet-1b

3. ap-south-1-private-subnet-1a

4. ap-south-1-private-subnet-1b
I have configured below subnets:

SUBNET                          CIDR
ap-south-1-public-subnet-1a     172.16.11.0/24
ap-south-1-public-subnet-1b     172.16.12.0/24
ap-south-1-private-subnet-1a    172.16.21.0/24
ap-south-1-private-subnet-1b    172.16.22.0/24
We can apply a filter in the Subnets and see all the
Subnets that we created.
Step 4: Enable Auto Assign Public IP for Public Subnet
Now we have Public and Private Subnets; let's enable the Auto Assign Public IP setting on the two Public subnets.
Select the Public Subnet >> Actions >> Modify auto-assign IP settings >> Enable auto-assign public IPv4 address.
EC2 instances in the Public subnet will automatically be assigned a Public IP.
Step 5: Add Internet Gateway and Associate to Public Subnet
Go to Internet Gateways >> Create internet gateway
Note: You can see the default Internet Gateway here.
This will provide connectivity to the internet from the VPC

Provide a Name tag >> Create internet gateway
Step 6: Route Table Configuration
For every VPC we create, AWS will add a specific Route Table for that VPC. You can see Main = Yes in those Route Tables.
We basically need 2 Route Tables now; either create 2 new ones, or edit the existing one and add another one (ap-south-1-public-route-table, ap-south-1-private-route-table).
Rename the Route Table that was created automatically for ap-south-1-vpc
We are going to attach the Internet Gateway app-south-1-igw to this route table. Now this route table becomes the public route table.
Edit routes >> Add an internet route (0.0.0.0/0) and point it to the app-south-1-igw

Now add one more Route Table, ap-south-1-private-route-table
Do not associate the Internet gateway to this route table so that it always stays private.
Let's try to understand how one is Public and the other is Private with the below table.

ap-south-1-public-route-table               ap-south-1-private-route-table
Destination       Target                    Destination       Target
172.16.0.0/16     Local                     172.16.0.0/16     Local
0.0.0.0/0         igw-054a82ce1feb26815     -                 -
Step 7: Associate Route Table with Subnets

Select the ap-south-1-public-route-table >> Subnet Associations >> Edit subnet associations
Associate ap-south-1-public-subnet-1a and ap-south-1-public-subnet-1b to the ap-south-1-public-route-table
Now this particular subnet is actually a Public Subnet

Similarly, associate ap-south-1-private-subnet-1a and ap-south-1-private-subnet-1b to the ap-south-1-private-route-table
Now this particular subnet is
Let's try to understand how the entire routing has been configured for the VPC using the below table.

TYPE             SUBNET                          CIDR              ROUTE TABLE                       ROUTES (Destination -> Target)
Public subnet    ap-south-1-public-subnet-1a     172.16.11.0/24    ap-south-1-public-route-table     172.16.0.0/16 -> Local
                 ap-south-1-public-subnet-1b     172.16.12.0/24                                      0.0.0.0/0 -> igw-054a82ce1feb26815
Private subnet   ap-south-1-private-subnet-1a    172.16.21.0/24    ap-south-1-private-route-table    172.16.0.0/16 -> Local
                 ap-south-1-private-subnet-1b    172.16.22.0/24                                      - -> -
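An added example (not code from the slides) that models the two route tables in the table above as data, resolves a destination with a longest-prefix lookup, and applies the slides' rule that a subnet is public only when its route table sends 0.0.0.0/0 to an internet gateway. The igw id and subnet CIDRs are those shown above; the destination addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# The two route tables from Step 6 (igw id copied from the slides).
PUBLIC_RT: List[Route] = [("172.16.0.0/16", "local"),
                          ("0.0.0.0/0", "igw-054a82ce1feb26815")]
PRIVATE_RT: List[Route] = [("172.16.0.0/16", "local")]

# subnet name -> (CIDR, associated route table), as configured in Step 7
SUBNETS = {
    "ap-south-1-public-subnet-1a": ("172.16.11.0/24", PUBLIC_RT),
    "ap-south-1-public-subnet-1b": ("172.16.12.0/24", PUBLIC_RT),
    "ap-south-1-private-subnet-1a": ("172.16.21.0/24", PRIVATE_RT),
    "ap-south-1-private-subnet-1b": ("172.16.22.0/24", PRIVATE_RT),
}

def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route covering dst_ip, else None."""
    ip = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target

def is_public(route_table: List[Route]) -> bool:
    """A subnet is public when its table sends 0.0.0.0/0 to an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)

def classify(subnets: Dict[str, Tuple[str, List[Route]]]) -> Dict[str, str]:
    """Label every subnet 'public' or 'private' from its route table alone."""
    return {name: ("public" if is_public(rt) else "private")
            for name, (_cidr, rt) in subnets.items()}

if __name__ == "__main__":
    for name, kind in classify(SUBNETS).items():
        print(f"{name}: {kind}")
    # 203.0.113.10 is a constructed internet destination
    print("public table, 203.0.113.10 ->", lookup(PUBLIC_RT, "203.0.113.10"))
    print("private table, 203.0.113.10 ->", lookup(PRIVATE_RT, "203.0.113.10"))
```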
Step 8: Launch EC2 Instances in the VPC
Now launch an EC2 instance in your VPC within the Public Subnet; make sure you have a security group that allows access to the EC2 instance from the internet. Try to access the EC2 instance.
Now launch an EC2 instance in your VPC within the Private Subnet; you won't get any Public IP to access it.
Even if you enable auto assign public IP and allow RDP access from all networks, the instance still won't be accessible since it is in the private subnet (without an internet gateway).
The only way to access the EC2 instance is via another EC2 instance that is in the Public subnet, and then RDP to the private subnet EC2 instance via its private IP address.
Security Groups

Virtual firewalls for EC2 instances applied at the instance NIC level.

Created under the VPC and applied to EC2
Block / allow inbound and outbound traffic for EC2 instances.
One Security Group can be assigned to multiple EC2 instances, but one EC2 instance will have only one security group.
Some other services (RDS, Redshift) also use Security Groups to protect against network attacks.
Each of the EC2 instances is protected by a Security Group
It is only protecting the individual resources assigned to an EC2 instance
If 2 instances in the same Security Group are communicating, traffic from one EC2 instance goes out through the security group and enters through the same security group to the other EC2 instance.
Default is Allow all outbound and Deny all inbound.
Responses to traffic accepted by the Security Group are allowed automatically; there is no need to specify an inbound rule for accepting response traffic.
Create or Select Security Group while Launching EC2
You might have already seen the way of assigning a Security Group during the creation of an EC2 instance.
You can either create a new security group and define allow rules or select an existing one.
At this time we only add inbound rules; all outbound traffic is allowed by default.
Modify Existing Security Group
Modify inbound and outbound rules of Security group is available in
EC2 Dashboard >> Security Groups
You can also create new security group from this
dashboard.
Allow ICMP from Internet to a Windows EC2 Instance
When you spin up an EC2 in public subnet, the default Security Group blocks the ICMP
traffic to the instance.
In this lab, we modify the existing security group to allow ICMP (ping) traffic.
You can either select the Security group from the EC2 instance or navigate to Security
Group from the EC2 dashboard.
Select the Security Group >> Inbound Rules >> Edit inbound rules >> Add Rule (Inbound rule 2 will be created)
Since we are working on a Windows EC2 instance, make sure you either disable the Windows native firewall or enable ICMP in it.
Assign new Security Group to a Running EC2 Instance
So far, we have seen modifying security group rules, what if we need to
change the security group of a running EC2. That can be done by NIC level.
Select the EC2 >> Network eth0 >> Interface ID >> Actions >> Change
Security Groups
Network Access Control Lists (NACLs)
Virtual firewalls for subnets, with rules defined on CIDR ranges
Created inside the VPC and associated to Subnets
We can define NACL rules for port ranges as well
Rules are applied in order (the first matching rule always applies)
One NACL can be applied to many subnets, but one subnet will have only one NACL
By default all inbound and all outbound traffic is allowed
Modify NACLs to Block ICMP Traffic at the Subnet Level
In the previous lab we enabled ICMP traffic to our Windows EC2 instance; you can ping the Windows machine from the internet.
Network ACLs allow all traffic (inbound and outbound) by default. In this lab, let's block ICMP to the subnet (where our EC2 instance is running) using NACLs.
You can access NACLs from VPC dashboard >> Security >> Network ACLs or from EC2 >> Subnet ID >> NACL ID
Create new NACL and Associate to Subnet
If you are creating a new NACL, you need to associate it to the required subnets.
When you create a new NACL, all traffic is blocked by default
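An added example (not from the slides) that models the two firewall layers of the last labs: a stateful Security Group with allow rules only, and a stateless NACL whose numbered rules are evaluated in order with the first match deciding. It reproduces the ICMP case above (the SG allows ping, a lower-numbered NACL deny rule still blocks it) and shows why a reply needs an outbound NACL rule even though the SG passes it automatically. All rules, addresses and packets are constructed.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port, 0 for icmp

# Security Group inbound rules: (protocol, port or None for any, source CIDR)
SG_INBOUND = [("icmp", None, "0.0.0.0/0"), ("tcp", 3389, "203.0.113.0/24")]
# NACL rules: (rule number, protocol or "all", port or None, CIDR, action)
NACL_IN = [(90, "icmp", None, "0.0.0.0/0", "deny"),
           (100, "all", None, "0.0.0.0/0", "allow")]
NACL_OUT_ALLOW_ALL = [(100, "all", None, "0.0.0.0/0", "allow")]
NACL_OUT_HTTPS_ONLY = [(100, "tcp", 443, "0.0.0.0/0", "allow")]

def _matches(proto, port, cidr, pkt, peer):
    """Does one rule cover this packet? `peer` is the address the CIDR filters on."""
    return (proto in ("all", pkt.proto)
            and (port is None or port == pkt.dport)
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))

def sg_allows_inbound(pkt, rules=SG_INBOUND):
    """Any allow rule matching the packet admits it; SGs have no deny rules."""
    return any(_matches(p, port, cidr, pkt, pkt.src) for p, port, cidr in rules)

def nacl_decision(pkt, rules, direction):
    """Evaluate in ascending rule number; the first match decides. No match
    falls through to the implicit '*' rule, which denies."""
    peer = pkt.src if direction == "in" else pkt.dst
    for _no, proto, port, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, port, cidr, pkt, peer):
            return action
    return "deny"

def reaches_instance(pkt, nacl_in=NACL_IN, sg=SG_INBOUND):
    """Inbound path: the subnet NACL is checked first, then the instance's SG."""
    return nacl_decision(pkt, nacl_in, "in") == "allow" and sg_allows_inbound(pkt, sg)

def reply_leaves_subnet(reply, nacl_out):
    """The SG is stateful and passes the reply by itself; the NACL is stateless,
    so the reply to the client's ephemeral port still needs an outbound rule."""
    return nacl_decision(reply, nacl_out, "out") == "allow"

if __name__ == "__main__":
    ping = Packet("198.51.100.7", "172.16.11.10", "icmp", 0)
    print("ping reaches instance:", reaches_instance(ping))  # SG allows, NACL rule 90 denies
    reply = Packet("172.16.11.10", "203.0.113.5", "tcp", 50000)
    print("rdp reply with https-only NACL:", reply_leaves_subnet(reply, NACL_OUT_HTTPS_ONLY))
```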
