AWS SAP Notes 02 - Networking and Hybrid
aws sap
15
AWS
44
White

Nguyễn Huy Hoàng viết ngày 10/10/2021

VPC - Virtual Private Cloud

Public vs Private Services

  • Public service: a service which is accessed by using public endpoints
  • Private service: a service which runs inside a VPC
  • Either private or public, every service can have permissions in order to be accessible
  • VPC: private network isolated from the internet. Can't communicate to the network unless we are allowing it. Nothing from the internet can reach the services from a VPC as long as we do not configure it otherwise
  • Internet Gateway: we can connect it to a VPC, this will allow the services in the VPC to communicate with the public internet

DHCP in a VPC

  • DHCP - Dynamic Host Configuration Protocol: offers auto configuration for network resources
  • Every device has a hard-coded MAC address (Layer 2 address)
  • DHCP begins with a L2 broadcast to discover a DHCP server on the local network
  • Once discovered a DHCP server and a DHCP clients communicate, meaning that the client will get in the end an IP address, a Subnet Mask and Default Gateway address (L3 configuration)
  • DHCP also configures which DNS server should a resource use in a VPC
  • Also configures NTP servers, NetBios Name Servers and Node types
  • For DNS server we can explicitly provide values or we can use AmazonProvidedDNS
  • We also get allocated 1 or 2 DNS names for the services in the VPC. One can be public if the instance has a public IP address allocated
  • Custom DNS names: we can give custom DNS names to EC2 instances if we use our own custom DNS servers
  • DHCP options sets:
    • Once created option sets can not be changed
    • Can be associated with 0 or more VPCs
    • Each VPC can have a max of 1 option set associated
    • We we change a DHCP option set associated to the VPC, the change is immediate, but any new setting will only affect anything once a DHCP renew occurs
    • What we can configure in an option set:
      • DNS server (Route 53 resolver) what we can use in the VPC
      • NTP server

VPC Router Deep Dive

  • Is at the core of any network which involves AWS
  • Is a virtual router in a VPC
  • It is HA across al AZs in a region, no management overhead is required
  • It is scalable, no management overhead required
  • VPC routes routes traffic between subnets in a VPC
  • Routes traffic from external network into the and vice-versa
  • VPC router has an interface in every subnet in a VPC: subnet+1 address (Default Gateway), the first IP address in each subnet after the network address itself
  • We control how the VPC routes traffic using Route Tables

VPC Route Tables

alt text

  • Every VPC is created with a main Route Table (RT), which is the default for every VPC
  • Custom route tables can be created for each subnet
  • Subnets can be associated with only one RT which can be the main one or custom
  • If we disassociate a custom RT form a subnet, the main RT will be attached to it
  • Main RT should not be changed, custom RT should be used for any routing changes
  • RT have routes, routes have an order, the most specific route wins
  • Edge Association: a RT tables is associated with network gateway
  • All RTs have at least one route: the local route which matches the VPC cidr range. These routes are un-editable

NACL - Network Access Control Lists

  • A NACL can be considered to be a traditional firewall in an AWS VPC
  • NACLs are associated with subnets, every subnet has a NACL associated to it
  • Connection inside a subnet are not affected by NACLs
  • NACls can be considered stateless firewalls, so we can talk about the following type of rules:
    • Inbound rules: affect data coming into the subnet
    • Outbound rules: affects data leaving from the subnet
  • Rules can explicitly ALLOW and explicitly DENY traffic
  • Rules are processed in order:
    1. A NACL determines if a the inbound or outbound rules apply
    2. It starts from the lower rule number, evaluates traffic against each rule until is a match (based on IP range, port, protocol)
    3. Traffic is allowed/denied based on the rule
  • Last rule is an implicit deny in every NACL, if no rule before that applies, traffic will be denied
  • Default NACL: when a VPC is created, a default NACL is attached to it. The default NACL is allowing all traffic
  • Custom NACL: we can create them and attach them to subnets. The default NACL denies by default all traffic. Can be associated with many different subnet, however each subnet can have only one NACL associated to it at any time
  • NACL are not aware af any logical resources within a VPC, they are aware of IPs, CIDRs and protocols

SG - Security Groups

  • Security Groups are stateful firewalls, meaning they detect response traffic to a request and they automatically allow traffic
  • SGs do not have explicit DENY rules, they can be used to block bad actors (use NACLs for this)
  • SGs support IP/CIDR rules and also allow to reference logical resources
  • SGs are attached to Elastic Network Interfaces (ENI), when we attach a SG to an EC2, the SG will be attached to the primary ENI
  • SGs are capable to reference logical resources, ex. other security groups or self referencing

alt text

AWS Site-to-Site VPN

  • Site-to-Site VPN: it is a logical connections between a VPC and an on-premise network running over the public internet. The connection is encrypted using IPSec
  • Can be fully HA if it is implemented correctly
  • It is quick to provision, it can be provisioned in less than an hour (contrast to DX)
  • Virtual Private Gateway (VGW): it is a gateway object which can be the target of one or more rules in a Route Tables. It can be associated to a single VPC
  • Customer Gateway (CGW): can refer to 2 different things:
    • Often is referred to the logical configuration in AWS
    • Physical on-premises router which the VPN connects to
  • VPN Connection: the connection linking the VGW from the AWS to the CGW
  • Static vs Dynamic VPN:
    • Dynamic VPN uses BGP protocol, if customer router does not support BGP, we can not use dynamic VPNs
    • Static VPN uses static network configuration: static routes are added to the route tables AWS side, static networks has to be identified on the VPN connection on-premise side. It is simple, it just uses IPSec, works anywhere, having limitation on terms of HA
    • Dynamic VPN uses BGP. Allows routing on the fly, allows multiple links to be used at once between the same locations. Allows using HA available architectures.
      • Route propagation: if enabled means that routes are added ro the Route Table automatically
  • Speed Limitation for VPN: 1.25 Gbps, AWS limitation
  • Latency considerations: inconsistent, traffic goes through the public internet
  • Cost: hourly cost for outgoing traffic
  • VPN can be used for Direct Connect backup or they can be used over the Direct Connect for adding a layer of encryption

AWS Transit Gateway

  • It is a network transit hub which connects VPCs to each other and to on-premise networks using Site-to-Site VPNs and Direct Connects
  • It is designed to reduce the network architecture complexity in AWS
  • It is a network gateway object, it is HA and scalable
  • Attachments: we create attachments in order for the TGW to connect to VPCs and on-premise networks. Valid attachments are:
    • VPC attachments
    • Site-to-Site VPN attachments
    • Direct Connect Gateway attachments
  • Attachments are configured in each subnet of the connected VPCs
  • We can also peer transit gateways across cross regions and/or cross accounts
  • We can also attach transit gateways to the DX connections
  • Transit Gateway Considerations:
    • Supports transitive routing: single transit gateway with multiple attachments using route tables
    • Can be used to create global networks with peering
    • We can share transit gateways using AWS RAM
    • Transit Gateways offer less complex architectures compared to VPC peering solutions

Advanced VPC Routing

alt text
alt text
alt text

  • Subnets are associated with 1 route table (RT) only, no more no less!
  • This route tables is either the main route table from the VPC or a custom route table
  • In case of a custom route table association with a subnet, the main route table is disassociated. In case the custom RT is removed, the main RT is associated again with the subnet
  • RT can associated with an internet gateway (IGW) or virtual private gateway (VGW)
  • IPv4/6 are handled separately within a RT
  • Routes send traffic based on a destination to a target
  • Route tables have a maximum of 50 static routes and 100 dynamic routes
  • When a traffic arrives to an interface (IGW, VGW), it is matched to the relevant route table
  • All routes from a route table are evaluated - highest-priority matching is used
  • Route tables can contain 2 types of routes:
    • Static routes: added manually by us
    • Propagated routes: added when enabled by us on the VPC or on any individual RT
  • Evaluation rule for the routes:
    1. Longest prefix wins, example /32 wins over /24, /16 or /0. More specific routes always win!
    2. Static routes take priority over propagated routes
    3. For any routes learned by propagation:
      1. DX
      2. VPN Static
      3. VPN BGP
      4. AS_PATH (distance within two logical systems)

Ingress Routing

  • All outgoing traffic is routed to a security appliances
  • The security appliance is sitting in the public subnet which has a RT assigned to it. This RT sends all unmatched traffic out through the IGW and anything for the corporate network through the VGW
  • Ingress routing allows to assign route tables to gateways (Gateway route tables). Gateway route tables can be attached to internet gateways or virtual gateways and can be used to take action on inbound traffic (route to a security instance for assessment) alt text

Accelerated Site-to-Site VPN

  • Performance enhancement for AWS Site-to-Site VPN that uses the AWS global network, the same network used for Global Accelerator and CloudFront
  • Using a classic Site-to-Site VPN, the traffic goes through the public internet. In order to avoid this, some companies use a Site-to-Site VPN over Direct Connect. Direct Connect offers more better performance, but at a higher cost. Since DX is not an option for everybody, accelerated Site-to-Site VPN was created to improve performance compared to classic Site-to-Site VPNs
  • Accelerated Site-to-Site VPN architecture: alt text
  • Acceleration can be enabled when creating a Transit Gateway attachment only! Not compatible with VPNs using virtual gateways (VGW) alt text
  • Accelerated Site-to-Site VPN has a fixed accelerator cost fee and a transfer fee

VPC Endpoints

Gateway Endpoints

  • Gateway endpoints provide private access to supported services: S3 and DynamoDB
  • They allow any resource in a private only VPC to access S3/DynamoDB
  • We crate a gateway endpoint per service per region and associate it to one or more subnets in a VPC
  • We allocate a gateway endpoint to a subnet, a Prefix List is added to the route table for the subnet
  • Any traffic targeted to S3/DynamoDB will go through the gateway endpoint and not through the internet gateway
  • Gateway endpoints are highly available across all AZs in a region, they are not directly inside a VPC/subnet
  • Endpoint policy: allows what things can be connected to the by the endpoint (example: a particular subset of S3 buckets)
  • Gateway endpoints can be used to access services in the same region only
  • Gateway endpoints allow private only S3 buckets: S3 buckets can be set to private allowing only access from the gateway endpoint. This will help prevent Leaky Buckets
  • Gateway endpoints are logical gateway objects, they can be only accessed from inside the assigned VPC

Interface Endpoints

  • Interface endpoints provide private access to AWS public services similar to Gateway Endpoints
  • Historically they have been used to provide access to services other than S3 and DynamoDB, recently AWS allowed interface endpoints to provide access to S3 as well
  • Difference between gateway endpoints and interface endpoints is that interface endpoints are not HA. Interface endpoints are added to subnets as an ENI
  • In order to have HA, we have to add an interface endpoint to every subnet per AZ inside of a VPC
  • Interface endpoints are able to have security groups assigned to them (gateway endpoints do not allow SGs)
  • We can also use endpoints policies, similar to gateway endpoints
  • Interface endpoints support TCP only over IPv4
  • Interface endpoints use PrivateLink behind the scene
  • Gateway endpoints use prefix lists, interface endpoints use DNS. Interface endpoints provide a new DNS name for every service they are meant communicate with
  • Interface endpoints are given a number of DNS names:
    • Endpoint Region DNS
    • Endpoint Zonal DNS
    • PrivateDNS overrides the default service DNS with a new version pointing to interface endpoint

VPC Endpoints Policies

alt text
alt text
alt text

  • Endpoints policies don't grant access to any AWS services in isolation
  • Identities accessing resources still need they permissions to access resources
  • An endpoint policy only limits access if the service is accessed to the specific endpoint
  • The endpoint policy contains a policy and conditions (who has access to what)
  • Policies are commonly used to limit what private VPCs can access

Advanced VPC DNS and DNS Endpoints

  • In every VPC the VPC.2 IP address is reserved for the DNS
  • In every subnet the .2 is reserved for Route53 resolver
  • Via this address VPC resources can access R53 Public and associated private hosted zones
  • Route53 resolver is only accessible from the VPC, hybrid network integration is problematic both inbound and outbound alt text
  • Solution to the problem before Route53 endpoints were introduced: alt text
  • Route53 endpoints:
    • Are deliver as VPC interfaces (ENIs) which can be accessed over VPN or DX
    • 2 different type of endpoints:
      • Inbound: on-premises can forward request to the R53 resolver
      • Outbound: interfaces in multiple subnets used to contact on-premises DNS
      • Rules control what requests are forwarded
      • Outbound endpoints have IP addresses assigned which can be whitelisted on-prem
  • Route53 endpoint architecture: alt text

IPv6 Capability in VPCs

  • IPv6 addresses are all publicly routable
  • NAT is not used for IPv6, IPv6 does not need network address translation simply because of the huge number of available IPv6 addresses
  • IPv6 needs to be manually enabled on a VPC. We can either bring our own IP address in a VPC or utilize an AWS provided range
  • In case of AWS provided IPv6 addresses, AWS will allocate an uniq /56 range to the VPC. This range will be entirely uniq and all addresses will be publicly routable
  • If we chose to allocate an IP range for a VPC, AWS will use a hex pair to uniquely allocate IP addresses to the subnets
  • Routing is handled separately for the IPv6 addresses, we will have IPv4 routes and IPv6 routes
  • Egress only internet gateway: similar to NAT gateway, allows outbound traffic denying inbound traffic in case of IPv6 addressing. NAT gateways or instances do not support IPv6!
  • We can have both internet gateway and egress only interne t gateway associated to the same subnet alt text
  • IPv6 can be set up while creating a VPC/subnet or we can migrate an existing VPC to IPv6
  • We can enable IPv6 on specific subnets only
  • We can point IPv6 traffic to internet gateway and egress only internet gateways as well
  • Not every service in AWS supports IPv6!

Advanced VPC Structure - Subnets and Tiers

  • Public subnets can be configured to not give public IP addresses to all instances by default. We can explicitly allocate public IP addresses to some resources
  • If no public IP is addressed to a resource in a public subnet, it wont be accessible from the outside
  • Security groups: we can restrict inbound traffic by allowing traffic from only selected instances
  • How many subnets does an app need:
    • We don't need public and private subnets for addressing and security. This can be configured within one subnet. Exception to this: filter traffic using a NACL
    • We need different subnets for different routing
    • Internet-facing load balancers can communicates with private instances. Internet facing load balancer needs to run in a public subnet
    • Number of subnets needed: number of subnets needed for the APP * AZs

BGP - Border Gateway Protocol

alt text

  • BGP is a routing protocol
  • Used to control how data flows from point A to point B
  • BGP is made up from a lot of self managing networks know as Autonomous Systems (AS)
  • AS could be a large network, collection of routes etc. and is viewed as a black box from BGP perspective
  • Each AS is allocated a number by IANA, named ASN
  • ASNs are 16 bit in length and range from 0 to 65535, the range from 64512 to 65534 is private
  • ASNs are used by the BGP to identify different entities on the network
  • BGP is designed to be reliable and distributed, and it operates of TCP/179
  • It is not automatic, the communication between to AS should be done manually
  • AS do exchange network topology information between them
  • BGP is a path-vector protocol: it exchanges the best path to a destination between peers, the path is called ASPATH (Autonomous System Path)
  • iBGP - internal BGP, routing within an AS
  • eBGP - external BGP, routing between AS's
  • BGP always choses the shortest path. There are ways to influence the path by artificially expending the path (prepending itself to the path)

AWS Global Accelerator

  • Designed to optimize the flow of data from user to AWS
  • Similar to CloudFront, both improve performance when communicating with services hosted in AWS
  • Global Accelerator provides 2 anycast IP addresses
  • Normal IP addresses are called unicast IP addresses, these refer to one device on the network
  • In contrast anycast IP addresses can be used by multiple devices at the same time, the traffic will be routed to the device closest to the source
  • Global Accelerator uses the AWS Edge Location. Since multiple locations advertise the given anycast IP addresses, the traffic will be routed to the Edge Location closer to the user
  • AWS has its own dedicated network consisting in fiber links. Edge Locations relay traffic to this network improving performance

CloudFront vs Global Accelerator

  • CloudFront moves the content closer to the customer by caching it on the Edge Location. Global Accelerator moves the customer closer to the service pe providing access to the AWS global network
  • Global Accelerator is a network product: works on any TCP/UDP applications including web apps (HTTP/HTTPS). CloudFront only caches HTTP/HTTPS content
  • Global Accelerator does not cache anything. It does not understand the HTTP/HTTPS protocol.

DX - Direct Connect

  • It is a physical entry point into the AWS network
  • It is a physical fibre connection through which we can access AWS services without sending traffic through the public internet
  • In order to get a Direct Connect we have to create a connection (logical entity) inside an AWS account. This connection will have an unique ID
  • We we create the connection, we have to specify a few details, the most important being:
    • The connection speed required (1 Gbps or 10 Gbps)
    • DX location
  • AWS will allocate a DX port in the selected DX location, which is a fibre port on AWS DX router. Depending on the speed we will interface with it using 1000-Base-LX or 10GBASE-LR standards
  • We will have to install a cross-connect in our network alt text
  • Virtual Interface (VIF): VLAN (which provides isolation) and BGP session, grant access to AWS services
  • Direct Connect ordered directly from AWS can have up to 50 VIFs per DX (+transit VIFs)
  • Direct Connect ordered from AWS partner can have restrictions for the number of VIFs
  • 3 types of VIFs can be run over DX:
    • Private VIF (VPC)
    • Public VIF (Public Zone Service)
    • Transit VIF
  • Private VIF:
    • Provides private network connectivity, connects on-prem networks with VPCs
    • By default a private VIF can only connect to VPC in the same region where the connection is
  • Public VIF:
    • Grants access to public AWS services such as S3, DynamoDB, SNS, SQS, etc.
    • Public VIF can not be used to access the public internet
  • Hosted VIFs: we can share VIFs with other AWS accounts. Can be connected to a virtual private gateway in a VPC of the other account

Direct Connect Types

  • There are a few ways to get a DX:
    • Get the connection directly from AWS
      • Offers to speed options 1Gbps and 10Gbps
      • We get a port at a DX location, from which we have to arrange to connection to our location
      • We can run 50 VIFs + 1 transit VIF
    • Get the connection via partner
      • Offers wider range of speeds from 50Mbps up to 10Gbps
      • Hosted Connection: DX connection hosted an managed by the partner with one VIF
      • Hosted VIF individually: less ideal than a hosted connection, no dedicated bandwidth allocated

Direct Connect - Other Notes

  • Direct Connect offers no encryption!
  • To overcome this: create a public VIF and establish a Site-to-Site VPN over it
  • With direct connect we do not share any data cap with internet providers
  • No transit over the internet, which means low and consistent latency
  • DX offers cheaper data transfers and faster speeds compared to other methods
  • VPC endpoints can not be accessed through Private VIFs!

Direct Connect Resilience and HA

  • Improve resilience:
    • Order 2 DX ports instead of one => 2 cross connects, 2 customer DX routes connecting to 2 on-premises routes
    • Connect to 2 DX locations, have to customer routers and 2 on-premises routers in different buildings (geographically separated)
  • Not resilient DX architecture: alt text
  • Resilient DX architecture: alt text
  • Improved resilient DX architecture: alt text
  • Extreme resilient DX architecture: alt text

Direct Connect Link Aggregation Groups (LAG)

  • LAG: allows to take multiple physical connections and configure them to act as one
  • From speed perspective: the speed is increases linearly depending on the number of connections
  • LAG do provide resilience, although AWS does not market them as such. They do not provide any resilience regarding hardware failure or the failure of entire location
  • LAGs use an Active/Active architecture, maximum 4 connection can be part of the LAG
  • All connections must have the same speed and terminate at the same DX location
  • MinimumLinks: the LAG is active as long as the number of working connections is greater or equal to this value alt text

Direct Connect Gateway and Transit VIFs

  • Direct Connect is a regional service
  • It is a link from a customer premises to one or more DX locations
  • Public VIFs can be used to access public services in all public AWS regions
  • Private VIFs can only connect to VPCs in the same region by default via VGWs
  • Direct Connect Gateway:
    • It is a global network device accessible in all regions
    • Direct Connect integrates with a Direct Connect Gateway using a private VIF. This VIF is associated with the Direct Connect Gateway (not with the VGWs from the VPC)
    • On the AWS side we create VGW associations in any VPC in any regions. This connects those VPCs to the DX gateway and onwards using the private VIF into on-premises network
    • Direct Connect Gateway does not allow VPCs to communicate with each other, it allows only on-prem network to communicate with AWS VPCs
  • We can have 10 VGW attachments per DX Gateway alt text
  • Integrate DX Gateways with Transit Gateways:
    • Transit Gateways can be integrated with DX Gateways using a transit VIF
    • We can have 1 transit VIF per DX connections
    • Transit VIF is associated with DX gateway and allows associations between the DX gateways and 3 transit gateways
    • Transit gateways can be peered alt text

Route53

DNS Fundamentals

  • DNS is a discovery service, translate information which machines need into information that humans need and vice-versa
  • Example: www.amazon.com => 104.98.34.131
  • DNS database is a huge distributed database
  • DNS allows a DNS resolver server to find a Zone File ona Name Sever (NS) and query the it, retrieving the necessary IP address for a DNS name

DNS Terminology

  • DNS Client: refers to a customer PC, laptop, tablet, etc.
  • DNS Resolver: software running on a device or a server which queries DNS on our behalf
  • DNS Zone: a part of the DNS database (example: amazon.com)
  • Zone file: it is a physical database for a zone, contains all the DNS information for a particular domain
  • DNS Name server: a server which hosts the zone files

DNS Root

  • DNS is structures like a tree, DNS root is at the top of the tree
  • DNS root is hosted in 13 special nameservers, known as DNS Root Servers
  • Root hints file: an OS file containing the address of all root servers
  • Authority: when something is trusted in DNS, example root hints file
  • Delegation: trusted authorities can delegate a part of themselves to other entities, those entities becoming authoritative for the part delegated

Route53 Introduction

  • It is a managed DNS product
  • Provides 2 main services:
    • Register domains
    • Can host zone files on managed nameservers
  • It is a global service, its database is distributed globally and resilient

Hosted Zones

  • DNS as a service
  • Let's us create and manage zone files
  • Zone files are hosted on four managed nameservers
  • A hosted zone can be public, accessible for the public internet, part of the public DNS system
  • It can be private, linked to a VPC(s)
  • A hosted zone stores DNS records (recordsets)

DNS Record Types

  • Nameserver (NS): allow delegation to occur in DNS
  • A and AAAA records: map host names to IP addresses. A records maps a host name to IPv4, AAAA maps the host to IPv4 addresses
  • CNAME (canonical name): maps host to host records, example ftp, mail, www can reference different servers. CNAME can not point directly to IP addresses, they can point to other names only
  • MX records: used for sending emails. Can have 2 parts: priority and value
  • TXT (text) records: arbitrary text to domain. Commonly used to prove ownership

DNS TTL - Time To Live

  • Indicates how long records can be cached for
  • Resolver server will store the records for the amount of time specified by the TTL in seconds
  • TTL is a balance: low values means less queries to the server, high values mean less flexibility when the records are changed

Route53 Public Hosted Zones

  • A hosted zone is DNS database for a given section of the global DNS database
  • Hosted zones are created automatically when a domain is registered in R53, they can be created separately as well
  • There is a monthly fee for each running hosted zone
  • A hosted zone hosts DNS records, example A, AAAA, MX, NS, TXT etc.
  • Hosted zones are authoritative for a domain
  • When a public hosted zone is created, R53 allocates 4 public name servers for it, on these name servers the zone file is hosted
  • We use NS records to point at these name servers to be able to connect to the global DNS
  • Externally registered domains can point to R53 public zone

Route53 Private Hosted Zones

  • Similar to a public hosted zone except it can not be accessed from the public internet
  • It is associated with VPCs from AWS and it only can be accessed from VPCs from the account. Cross account access is possible
  • Split-view: it is possible to create split-view (split-horizon) DNS for public and internal use with the same zone name. Useful for accessing systems from the private network without accessing the public internet

CNAME vs ALIAS Records

  • The problem with CNAME:
    • An A record maps a NAME to an IP Address
    • A CNAME records maps a NAME to another NAME
    • We can not have a CNAME record for an APEX/naked domain name
    • Many AWS services use DNS Name (example: ELBs)
  • For the APEX domain to point to another domain, we can use ALIAS records
  • An ALIAS record maps a NAME to an AWS resource
  • Can be used for both apex and normal records
  • There is no additional charge for ALIAS requests pointing at AWS resources
  • An alias is a subtype, we can have an A record alias and a CNAME record alias

Route53 Simple Routing

  • With simple routing with can create one record per name
  • Each record can have multiple values
  • In case of a request, all the values for the record are returned to the client
  • The client choses one of the values an connects to the server
  • Limitations: does not support health checks!

Route53 Health Checks

  • Health checks are separate from, but used by records in Route53
  • They are created separately and they can be used by records in Route53
  • Health checks are performed by a fleet of health checkers distributed globally
  • Health checks are not just limited to AWS targets, can be any service with an IP address
  • Health checkers check every 30s (or 10s at extra cost)
  • Health checks can be TCP, HTTP, HTTPS, HTTP(S) with String Matching. A TPC connections should be completed in 4s and endpoint should respond with a 2xx or 3xx status code within 2s after connections
  • In case of string matching the text should be present entirely in the first 5120 characters of the request body or the endpoint fails the health check
  • Based on the health checks the service can be categorized as Healthy or Unhealthy
  • Health checks can be of 3 types:
    • Endpoint
    • CloudWatch Alarm
    • Calculated (status of other health checks)

Route53 Failover Routing

  • We can add 2 records of the same name (a primary and a secondary)
  • Health checks happen on the primary record
  • If the primary record fails the health checks, the address of the secondary record is returned
  • Failover routing should be used when we configure active-passive failover

Route53 Multi Value Routing

  • Multi Value Routing is mixture to simple and failover routing
  • With multi value routing we can create many records with the same name
  • Each record can have an associated health check
  • When queried, 8 records are returned to the client. If more than 8 records are present, 8 records will be randomly selected and returned
  • The client picks one a of the values and connects to the service
  • Any records which fails the health checks won't be returned when queried
  • Multi value routing is not a substitute for an actual load balancer

Route53 Weighted Routing

  • Weighted Routing can be used when looking for a simple form of load balancing or when we want to test new versions of an API
  • With weighted routing we can specify a weight for each record
  • For a given name the total of weight is calculated. Each record is returned depending on the percentage of the record compared to the total weight
  • Setting a weight to 0, the record will not be returned
  • Weighted routing can be combined with health checks. Health checks don't remove records from the calculation of the total weight. If a record is selected, but it is unhealthy, another selection will be made until a healthy record is selected

Route53 Latency-Based Routing

  • Should be used when we trying to optimize for performance and better user experience
  • For each record we can specify an region
  • AWS maintains a list of latencies for each region from the world (source - destination latency)
  • When a request comes in, it will be directed to the lowest latency destination based on the location from where the request is coming from
  • Latency-based routing can be combined with health checks. If the lowest latency record fails, the second lowest latency record will be returned to the client
  • The database maintained by AWS is not updated in real time

Route53 Geolocation Routing

  • It is similar to latency-based routing
  • The location of customer and the location of the resource are used to influence resolution decisions
  • When a record is created, it is tagged with a location (country, continent or default)
  • Subdivision: in America we can tag records with a state
  • Geolocation does not return the closest record, it will return the relevant record
  • Geolocation record matching:
    1. R53 checks the state (US only)
    2. R53 checks the country
    3. R53 checks the continent
    4. Returns default if not previous match
  • Geolocation is ideal for restricting content based on the location of the user
  • Can be used to load balance based on the user location or deliver language based content

Route53 Geoproximity Routing

  • Geoproximity aims to provides records as closer to the customer as possible
  • Aims to calculate the distance to the customer and returns the record closer to the customer
  • Records can be tagged with an AWS Region or latitude an longitude coordinates
  • We can define a bias value: plus or minus value altering the effective area of the resource
  • Bias can be used to redirect more (or less) traffic to a given resource

Route53 Interoperability

  • Route53 acts as a domain registrar and as a domain hosting
  • We can also register domain using other external services
  • Steps happening when we register a domain using R53:
    • R53 accepts the registration fee
    • Allocates 4 Name Servers
    • Creates a zone file (domain hosting) on the NS
    • R53 communicates with the registry of the top level domain and adds the address of the 4 NS for the given domain
  • Route53 acting as a registrar only:
    • We pay for the domain for Route53 but the name servers are allocated by other entity
    • We have to allocate the name servers to Route53 which will communicate with the top level domain registry
  • Using Route53 for hosting only:
    • Generally used for existing domains. The domain is registered at third party
    • We create a hosted zone inside R53 and provide the address of the name servers to the third party

Ref

Bình luận


White
{{ comment.user.name }}
Bỏ hay Hay
{{comment.like_count}}
Male avatar
{{ comment_error }}
Hủy
   

Hiển thị thử

Chỉnh sửa

White

Nguyễn Huy Hoàng

17 bài viết.
10 người follow
Kipalog
{{userFollowed ? 'Following' : 'Follow'}}
Cùng một tác giả
White
11 4
(Ảnh) Tại hội nghị Build 2016 diễn ra từ ngày 30/3 đến hết ngày 1/4 ở San Francisco, Microsoft đã đưa ra 7 thông báo lớn, quan trọng và mang tầm c...
Nguyễn Huy Hoàng viết hơn 4 năm trước
11 4
White
7 0
Viết code chạy một cách trơn tru ngay lần đầu tiên là một việc rất khó, thậm chí là bất khả thi. Do đó debug là một kỹ năng vô cùng quan trọng đối ...
Nguyễn Huy Hoàng viết hơn 4 năm trước
7 0
White
1 0
MultiFactor Authentication (MFA) Factor: different piece of evidence which proves the identity Factors: Knowledge: something we as users know: ...
Nguyễn Huy Hoàng viết 2 tháng trước
1 0
Bài viết liên quan
White
0 0
FSx FSx For Windows File Servers FSx for Windows are fully managed native Windows file servers/file shares Designed for integration with Wind...
Nguyễn Huy Hoàng viết 2 tháng trước
0 0
White
0 0
CloudFront It is a content deliver network (CDN) Its job is to improve the delivery of content from its original location to the viewers of the...
Nguyễn Huy Hoàng viết 2 tháng trước
0 0
{{like_count}}

kipalog

{{ comment_count }}

bình luận

{{liked ? "Đã kipalog" : "Kipalog"}}


White
{{userFollowed ? 'Following' : 'Follow'}}
17 bài viết.
10 người follow

 Đầu mục bài viết

Vẫn còn nữa! x

Kipalog vẫn còn rất nhiều bài viết hay và chủ đề thú vị chờ bạn khám phá!