AWS Networking Part One


This article summarises the first part of my notes on AWS networking and related technologies from the SA Pro course that I am taking.

AWS Public and Private Services

Within AWS, some services, like S3, are considered public. This designation means that they operate outside any VPC an AWS customer controls. These services are accessible from the internet. Private Services run within customer-controlled VPCs. All services, regardless of public or private designation, are protected by AWS security and access policies and require the appropriate permissions to be set up. The public/private designation indicates whether the service is deployed from a customer VPC.

DHCP inside a VPC

DHCP is a protocol designed to configure level-three details for network clients. Because the service runs before any layer-three information can be set, meaning the host doesn’t yet have an IP address, it starts by sending an IP broadcast to, called DHCP Discovery. The DHCP server on the network segment responds to this broadcast by sending a level two frame to the client, which suggests an IP address addressed to the broadcaster’s MAC address. This message also includes a subnet mask, default gateway, DNS information, and other information about the lease expiration for the IP information. The receiver uses this information to configure itself on the layer-three network.

In AWS, you can control how DHCP is handled using option sets. You can create many option sets associated with zero or more VCPS. The option sets will only impact new DHCP requests after the option set has been associated with the VPC. Existing clients do not renew automatically when a new option set is applied. By default, AWS will set DNS resolution to Route 53 and provide NTP servers with the DHCP request. With DHCP Option Sets, you can configure the DNS Servers for your VPC to use as well as the NTP servers to use. Once created Option Sets cannot be altered - but new ones can be created to replace an existing Option set.

VPC Routers

VPC Routers are virtual devices in a VPC that routes traffic between VPC subnets. The default gateway, the VPC router, is always located at the subnet network address +1. Route Tables are created that define the rules for a VPC Router to use. By default, a default route table is created that allows traffic to flow between all subnets in a VPC. Custom Route Tables can be created and associated on a per subnet basis - placing a custom Route Table on a subnet disassociates the default route table, but removing the custom route table will re-associate the default route table. At no time does a subnet not have a route table.

AWS Local Zones

AWS has introduced Local Zones, an extension to an AWS region that may be physically closer to some customers than the traditional availability zones. For instance, if you have latency-sensitive applications and are in a city where an AWS local zone is present, you might see better performance from placing resources in the local zone over the traditional availability zones.

Not all products currently support local zones, and they may present more limitations than traditional availability zones. But adding a local zone is simple - as the VPCs in the parent region extend over the local zone like any other availability zone. Like Availability Zones, local zones have independent connections to the internet and private networking to the AWS backbone.

Border Gateway Protocol (High Level)

Border Gateway Protocol allows networks to self-configure routing and discover new routes when new peers are added to a network. BGP relies on peering relationships to be established between various networks. Each network is assigned an Autonomous System (AS) number. These networks communicate with each other over TCP port 179 and exchange information about the shorted routes it has to other hosts. This exchange uses something called Path Vector Protocol.

The path information is passed along with the intermediate network’s AS prepended to it. For example, if Network A (ASN 200) is connected to Network B and Network B (ASN 201) is connected to Network C (ASN 202), A path from Network C would look like 201, 200. This path provides a way for network C to talk to network A. Understanding that this decision doesn’t account for connection quality between these networks is important. So assume the connections above are all 1 Gbps connections, and we now ad a link from Network C to Network A directly but on a 128 Kbps ISDN line. So now the path for network C to Network A is merely 200, not 201, 200. This result means we have effectively chosen an inferior connection, and traffic will be slower than if the link traverses through Network B to get to Network A. In this case, Network C’s administrator could prepend its own ASN several times, manually, to the path to make the network prefer the superior 201,200 path over the poor quality ISDN connection, which would make the ISDN connection look like 202, 202, 202, 200.

IANA assigns ASNs, but there is a range from 64,512 - 65534, which are available for private usage.

AWS Global Accelerator

AWS Global accelerator uses Anycast IP Addresses, which are IP Addresses that will resolve to different endpoints depending on the closest endpoint to the request. AWS has many locations worldwide to provide a short hop over the internet before beginning to ride exclusively on the AWS private network backbone. This service effectively moves the AWS network closer to the customers of AWS and avoids much of the internet latency and instability. One note is that often this service needs to be clarified with CloudFront. There are two critical differences between Global Accelerator and CloudFront.

  1. Cloudfront Caches Data - AWS Global Accelerator Does not Cache Data.
  2. Cloudfront only works with HTTP and HTTPS connections. AWS Global Accelerator is a Layer three service and works with all network protocols.

IP Sec VPN Fundamentals

IP Sec VPN is designed to provide a secure encrypted tunnel between two peers. To do this, it provides both Authentication and Encryption between these parties. The tunnels are set up by exchanging key information using public/private keys - once these asymmetrical keys have been established, these are used to negotiate symmetric keys. Finally, the symmetric keys encrypt the data between the two parties.

There are two phases of setup.

  • IKE Phase 1 (Slower)
    • Authenticates with a Pre-Shared Key or Password
    • Each party establishes a public Private Key Pair
    • Each side combines its private key with the public key of the other peer to create the DH key.
    • Each side uses the DH Key to exchange other key material and agreements (protocols and such)
    • Each side can then generate the same symmetrical key based on the exchanged DH Key along with the other key materials.
  • IKE Phase 2 (Faster)
    • Uses the agreed Key in Phase 1
    • Agree on encryption methods and keys
    • Yet another key is created called the IPSec key (based on the above negotiation)
    • This final key is used for the bulk encryption

This process makes it possible to set up a secure connection without ever exchanging the final keys over the internet.

Another thing about IPSec is that the tunnel only stays up occasionally. IPSec is configured to look for what it calls interesting traffic. Interesting Traffic can be based on policies (rules or traffic sent over a pair of security associations) or routes (targeting specific networks based on a prefix). In these cases, the IKE Phase 1 work will often remain in place, but a new IKE Phase 2 key will be established each time the tunnel is re-established.

Site to Site VPN

AWS Site-to-Site VPN is the quickest way to set up a link between AWS and on-premises networks. A Site-to-Site VPN can be set up in a way that is fully highly available on both the AWS and the customer sides.

Components of a Site-to-Site VPN Connection:

  • VPCs
  • Virtual Private Gateway
  • Customer Gateway
    • Refers to two different elements
      • Logical Configuration in AWS
      • Physical Connection and Configuration at Customer Premises
  • VPN Connection between VGW and CGW
    • Stores the configuration for the tunnel
    • Links one Virtual Private Gateway to One Customer Gateway

To be fully highly available, the setup would require the following:

  • Two Virtual Private Gateways (VGW)
  • Two Customer Private Gateways (CGW)
    • With different Hardware and Internet Connections serving each
  • Separate VPN connections between each VGW and CGW

Site-to-Site VPN connections can use either static or dynamic (BGP) routing. Using BGP has the following advantages:

Allows Multiple Links at Once You can still manually add routes to route tables Allows auto route propagation

Each VPN Connection sets up two tunnels, and the speed cap for a VPN connection over both tunnels combined is 1.25Gbps.

One of the downsides of a Site-to-Site VPN (over something like Direct Connect) is that the traffic traverses the public internet and is subject to inconsistency and latency. AWS charges by the hour and by the gigabyte in addition to any metering or bandwidth charges on the customer side of the connection. But, the service can be set up in an hour or less and used as a backup for a direct connection in an HA design.

One feature of AWS VPN is that it can take advantage of the global accelerator network. This feature can reduce or limit latency and inconsistency due to internet issues. However, this feature is only available when using VPN with Transit Gateway, not with a Virtual Private Gateway.

Transit Gateway

AWS allows you to peer VPCs using peering connections. These connections are not, however, transitive. Non-Transitive means connecting VPC A to VPC B, and those two VPCs could communicate. But, If you joined VPC C to VPC A in the same manner, VPC C could not talk to VPC B. Transit gateways solve this problem. So, connecting VPC A, VPC B, and VPC C to a transit gateway (with appropriate routing) would allow all three to communicate.

Transit gateways are highly available and deployed in multiple availability zones. You can also share transit gateways between accounts using AWS RAM.

You can use Transit Gateways to connect direct connections as well or in place of a Virtual Private Gateway to terminate Site-to-Site VPN.