AWS Networking and Security 101
This is the virtual machine, or, as AWS calls it, an instance.
This is Identity and Access Management, which controls which users can access the instances or applications.
This is a Virtual Private Cloud, which is essentially a data center in the cloud.
This allows users to access storage using a public IP address.
This helps users connect their on-premises data center to AWS.
This is the DNS service that allows users to build applications and other services using domain name resolution.
This allows users to connect their remote branches to the closest point in the AWS system.
This caches frequently used data; it is the CDN service.
The AWS Cloud Computing Structure and Components
- In a region…
- The first thing to do is to create a VPC using a specified CIDR. VPCs are regional concepts in AWS.
- Specify an AZ within the VPC.
- Specify a subnet in the AZ.
- The subnet CIDR is carved out of the VPC CIDR that was already created.
- There is now an AZ-to-subnet affinity.
- Define or deploy the instances within the subnet.
- Once the instances are defined, users must define a level of security.
- Create a security group and apply it to multiple instances, or use one security group per instance.
- Network ACL
- This is a stateless access control list that is applied at the subnet level.
- Route table and router
- Users have basic access to the route table, but not to the actual router.
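The practical difference between the two security layers in the steps above is statefulness: a security group tracks connections, while a subnet network ACL judges each packet on its own. The following Python model is an added example, not code from this page or from Aviatrix; the addresses, ports and rule numbers are constructed, and the model keeps only the behaviour that matters here (a real security group also has a default allow-all egress rule, and a real NACL carries a final deny-all rule).

```python
import ipaddress
from collections import namedtuple

# direction: "in" = toward the instance/subnet, "out" = leaving it
Packet = namedtuple("Packet", "src dst sport dport direction")
# cidr is the remote side of the flow; the port range is matched against the destination port.
# action and rule_no matter only for NACLs: explicit deny rules, evaluated in ascending rule_no order.
Rule = namedtuple("Rule", "direction cidr port_lo port_hi action rule_no", defaults=("allow", 100))

def _matches(rule, pkt):
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_lo <= pkt.dport <= rule.port_hi)

class SecurityGroup:
    # Stateful, attached per instance: the reply to an allowed flow is allowed automatically.
    def __init__(self, rules):
        self.rules, self.flows = list(rules), set()
    def allows(self, pkt):
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:  # reply of a tracked flow
            return True
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        return False

class NetworkAcl:
    # Stateless, attached to the subnet: every packet, replies included, is judged on its own.
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_no)
    def allows(self, pkt):
        for r in self.rules:  # lowest matching rule number decides; implicit deny at the end
            if _matches(r, pkt):
                return r.action == "allow"
        return False

def https_round_trip(filt):
    # Constructed flow: client 203.0.113.10 -> instance 10.0.1.5:443, followed by the reply.
    request = Packet("203.0.113.10", "10.0.1.5", 51515, 443, "in")
    reply = Packet("10.0.1.5", "203.0.113.10", 443, 51515, "out")
    return filt.allows(request) and filt.allows(reply)

HTTPS_IN = Rule("in", "0.0.0.0/0", 443, 443)
EPHEMERAL_OUT = Rule("out", "0.0.0.0/0", 1024, 65535, rule_no=110)
DENY_NET = Rule("in", "203.0.113.0/24", 0, 65535, action="deny", rule_no=90)

def demo():
    return {
        "security_group": https_round_trip(SecurityGroup([HTTPS_IN])),                       # True
        "nacl_inbound_only": https_round_trip(NetworkAcl([HTTPS_IN])),                       # False: reply dropped
        "nacl_with_ephemeral": https_round_trip(NetworkAcl([HTTPS_IN, EPHEMERAL_OUT])),      # True
        "nacl_deny_wins": https_round_trip(NetworkAcl([DENY_NET, HTTPS_IN, EPHEMERAL_OUT])),  # False: rule 90 first
    }
```

The second case is the classic NACL mistake: allowing only inbound 443 on the subnet lets the request in but silently drops the server's reply on the client's ephemeral port.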
Some AWS Gateways
Internet Gateway (IGW)
A service that provides Internet connectivity to the virtual machines.
Virtual Private Gateway (VGW)
A service that allows users to build IPsec tunnels.
This gateway allows private subnets to connect to the Internet.
Transit Gateway (TGW)
This provides hub-and-spoke connectivity for the VPCs in the system.
This connects the on-prem network to the VPC, or creates a hub-and-spoke topology between third-party VPN devices and the AWS VPN Gateway.
Customer Gateway (CGW)
This allows users to create a shell, or definition, for the gateway sitting on the on-prem site, and then apply the configuration on the actual router.
Direct Connect Gateway (DXGW)
This is a service that allows multiple regions to connect to a physical Direct Connect circuit.
The Architecture of the AWS Gateways
- The region holds the VPCs.
- These VPCs connect to their own TGWs.
- The CGW connects to the DXGW.
- The DXGW connects to the TGWs.
AWS Transit Gateway (AWS TGW)
- This allows many VPCs to talk to each other without VPC Peering.
- The difference between VPC peering and the TGW is that VPC peering does not allow transitive routing, while the TGW does.
- This native service supports multiple route tables and also has a VPN attachment type.
- However, this has its own limitations.
- Enterprises are responsible for programming the VPC routes manually when using the AWS platform without Aviatrix.
- The IPsec tunnel throughput is only about 1.25 Gbps.
- Scalability is a problem.
- There is no overlapping-IP support.
How Aviatrix Solves for the Limitations of the AWS Transit Gateway
- Aviatrix manages and controls the AWS TGW which removes the routing limitations.
- Aviatrix takes care of the initial configuration of the routes and any updates.
- It helps simplify BGP over Direct Connect.
- Aviatrix provides network correctness and propagates all the on-prem routes to the VPCs.
For more information, watch the video above.
The video mentions the speed of the AWS Direct Connect as 1 and 10 Gb. In my last company, when we purchased the transit it was through a transit provider, and the max speed they offered was 5 Gb (AWS limit). We purchased 3 Gb with the intention of upgrading the line to 10 Gb when we needed the bandwidth. We didn't realize that limit existed because we purchased it through our colocation provider, who advertised to us that we could increase the transit up to 10 Gb.