Saturday, July 27, 2019

AWS VPC What is Subnet NAT CIDR Route Concepts Tutorial Practical Steps


What is AWS VPC

Amazon VPC is your own logically isolated private network inside Amazon's cloud infrastructure. It is an alternative to building out network capacity in your own data centre, and it is usually cheaper because resources are created on demand. Security is shared: Amazon secures the underlying physical network and hypervisors, while you remain responsible for everything you configure inside the VPC, such as routing, subnet layout, security groups, network ACLs and which instances receive public IP addresses.

What is a Subnet

We will not go into subnetting from a general networking point of view, but for this tutorial you should know that a subnet is a range of IP addresses (a CIDR block) carved out of the VPC's address range and tied to a single Availability Zone. Instances launched in a subnet get private addresses from that range. A subnet is only "public" if its route table sends internet-bound traffic to an Internet Gateway; otherwise its instances can be reached only from inside the VPC (or over a VPN or peering connection).

What is an Internet Gateway?

An Internet Gateway is attached to the VPC and makes a subnet public when that subnet's route table has a route (normally for 0.0.0.0/0) pointing at it. Instances in such a subnet reach the internet through the gateway, and the internet can reach them, but only if the instance also has a public or Elastic IP address and its security group and network ACL allow the traffic. A VPC can have only one Internet Gateway attached at a time, so all public subnets share it.

What is a NAT Gateway

You can allow instances in your private subnets to reach the internet using a NAT gateway. Instances in a private subnet have private IP addresses but no public ones, so the NAT gateway rewrites the source address of their outbound traffic to its own Elastic IP before forwarding it, and maps the replies back to the originating instance. NAT stands for Network Address Translation and that is exactly what it does. The translation only works for connections the instances initiate; hosts on the internet cannot open connections to the private instances through a NAT gateway.

What is a CIDR block

CIDR, or Classless Inter-Domain Routing, is the notation used to describe a contiguous range of IP addresses as a network address plus a prefix length, for example 10.0.0.0/16. The VPC itself has a CIDR block that defines all the addresses available inside it, and each subnet gets a smaller CIDR block carved out of the VPC's range. Subnet blocks must not overlap each other, and the VPC block should not overlap any network you will later connect to over VPN, Direct Connect or VPC peering.

What is a Route table

A route table contains rules (routes) that decide where traffic leaving a subnet is sent: to other subnets in the VPC (the local route), to an Internet Gateway, to a NAT gateway, to a VPN or peering connection, and so on. Every subnet is associated with exactly one route table; subnets with no explicit association use the VPC's main route table. Among other things, we use route tables to point public subnets at the Internet Gateway and private subnets at a NAT gateway.

Problem Statement for AWS VPC Tutorial

Here’s the network that we are planning to build today. It has the following components:
  1. A VPC spanning a region
  2. Two public and two private subnets in two Availability Zones (AZ) (each AZ contains one public and one private subnet)
  3. One Internet Gateway attached to the VPC and shared by both public subnets (a VPC can have only one)
  4. One NAT Gateway per AZ, placed in that AZ's public subnet and used by that AZ's private subnet
In the next part, we will look at how to work out the CIDR blocks for the subnets, and how to create the VPC and the subnets. In the third part we will see how to create the Internet Gateway, the NAT gateways and the route tables.
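One way to lay out the CIDR blocks for this design, as an added example that is not code from the original tutorial: the script below splits an assumed VPC block of 10.0.0.0/16 into one public and one private /24 per AZ, reports how many addresses each subnet really offers (AWS reserves five per subnet), and checks the VPC block against other ranges you intend to connect, which the VPN and peering sections later on this page both require to be non-overlapping. The AZ names and the neighbouring ranges are assumptions; only the Python standard library is used.

```python
"""Lay out the CIDR blocks for the two-AZ VPC described above.

Added example, not code from the original tutorial. The VPC block
10.0.0.0/16, the AZ names and the neighbouring ranges checked for overlap
are assumptions chosen for illustration; only the standard library is used.
"""
import ipaddress
from typing import Dict, Iterator, List

VPC_CIDR = "10.0.0.0/16"              # assumed VPC block
AZS = ["ap-south-1a", "ap-south-1b"]  # assumed Availability Zone names
AWS_RESERVED_PER_SUBNET = 5           # network, VPC router, DNS, future use, broadcast


def plan_subnets(vpc_cidr: str, azs: List[str],
                 subnet_prefix: int = 24) -> List[Dict[str, str]]:
    """Carve one public and one private subnet per AZ out of the VPC block.

    All subnets come from a single split of the VPC range, so they are
    contiguous and cannot overlap one another.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if subnet_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    blocks: Iterator[ipaddress.IPv4Network] = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for az in azs:
        for tier in ("public", "private"):
            plan.append({"name": f"{tier}-{az}", "az": az,
                         "tier": tier, "cidr": str(next(blocks))})
    return plan


def usable_hosts(cidr: str) -> int:
    """Addresses an instance can actually get: AWS keeps five per subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def conflicting_ranges(vpc_cidr: str, other_cidrs: List[str]) -> List[str]:
    """Return the ranges that overlap the VPC block.

    Site-to-Site VPN, Direct Connect and VPC peering all refuse to route
    between overlapping networks, so run this before the VPC is created.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    for subnet in plan_subnets(VPC_CIDR, AZS):
        print(f"{subnet['name']:<22} {subnet['cidr']:<14} "
              f"usable hosts: {usable_hosts(subnet['cidr'])}")
    # Constructed examples: an on-premises range and a would-be peer VPC.
    print("conflicts:", conflicting_ranges(VPC_CIDR, ["192.168.0.0/16", "10.0.128.0/17"]))
```

The four /24 blocks come out as 10.0.0.0/24 through 10.0.3.0/24; a /24 gives 251 usable addresses, not 254, because of the five AWS reserves. If you expect to peer with or VPN to a network in 10.0.0.0/8, pick the VPC block from a different RFC 1918 range before anything is created, since a VPC's primary CIDR cannot be changed afterwards.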

Why a NAT Gateway?

Before we explain why we need a NAT Gateway, here’s a network diagram of what we are trying to accomplish.
The two private subnets need to reach the internet for things like operating system updates or installing software. Since the instances in the private subnets do not have public IP addresses, they need a NAT (Network Address Translation) gateway that translates their private addresses to a public one for traffic going out to the internet and back. The NAT gateway itself sits in the public subnet of the same AZ and holds an Elastic IP; the private subnet's route table then sends 0.0.0.0/0 to that gateway. AWS provides two kinds of NAT resources: NAT instances (an EC2 instance that you run, patch and fail over yourself) and NAT gateways. The gateways are fully managed by AWS and scale automatically, so they are preferred over NAT instances.

What are Elastic IP addresses

We will build a NAT gateway, but the gateway needs a public IP address first. AWS provides Elastic IP addresses that you can allocate on demand. These addresses can be attached to instances and resources and detached when no longer required.

Steps to create AWS Elastic IP Address

Click on Elastic IPs in the VPC console of AWS.
If you haven’t created an IP address before you should see an empty table. Click on ‘Allocate New Address’ to add a new IP address. AWS will start creating the IP address for you.
Create two Elastic IPs for the two Gateways in each AZ.

Steps to create the NAT gateway

Once the IP address is allocated, click on NAT Gateways to open the NAT gateway page and click on 'Create NAT Gateway'. Choose the public subnet of the AZ the gateway will serve (a NAT gateway must live in a subnet that routes to the Internet Gateway), then in the field that says 'Elastic IP Allocation ID' select the address you just allocated and hit 'Create NAT Gateway'. Repeat in the second AZ with the second Elastic IP.

Create a Route Table for NAT

The next step is to create the route table that will direct all internet-bound traffic from the private subnet through the NAT Gateway. Click on the 'Route Tables' section, click on 'Create Route Table' and select the VPC. In the Routes section, add a route that maps all traffic (0.0.0.0/0) to the NAT gateway you just created. Then, under Subnet Associations, associate the table with the private subnet in the same AZ; until you do, the subnet keeps using the VPC's main route table.
A separate route table is needed for each private subnet, because each one points at the NAT gateway in its own AZ. Keep the 0.0.0.0/0 route to the Internet Gateway out of these tables: a subnet is private only because of its routes.
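Because "public" and "private" are nothing more than the target of a subnet's default route, the check a practitioner wants after the steps above is to read the route tables back and classify each subnet. The following is an added example, not code from the original tutorial: ROUTE_TABLES is constructed data in the shape of boto3's ec2.describe_route_tables() response, with invented IDs and one deliberate mistake (a "private" table that was given the Internet Gateway route). The same functions run unchanged over a real response.

```python
"""Work out which subnets are really public, private or isolated from their
route tables, the same check the route-table steps above rely on.

Added example, not code from the original tutorial. ROUTE_TABLES is
constructed data in the shape of boto3's ec2.describe_route_tables()
response; every ID in it is invented. Feed a real response through the same
functions to audit a live account.
"""
from typing import Dict, List, Optional

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-0pub", "VpcId": "vpc-0example",
     "Associations": [{"SubnetId": "subnet-0pub-a"}, {"SubnetId": "subnet-0pub-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-0priv-a", "VpcId": "vpc-0example",
     "Associations": [{"SubnetId": "subnet-0priv-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0a", "State": "active"}]},
    # Misconfiguration: the "private" subnet in AZ b was given the IGW route.
    {"RouteTableId": "rtb-0priv-b", "VpcId": "vpc-0example",
     "Associations": [{"SubnetId": "subnet-0priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    # A database subnet with no default route at all.
    {"RouteTableId": "rtb-0db", "VpcId": "vpc-0example",
     "Associations": [{"SubnetId": "subnet-0db"}],
     "Routes": [LOCAL]},
]


def default_route_target(route_table: dict) -> Optional[str]:
    """ID of whatever the active 0.0.0.0/0 route points at, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackholed routes (deleted NAT gateway, etc.) carry no traffic
        for key in ("GatewayId", "NatGatewayId", "InstanceId",
                    "NetworkInterfaceId", "TransitGatewayId", "VpcPeeringConnectionId"):
            if route.get(key):
                return route[key]
    return None


def classify_target(target: Optional[str]) -> str:
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "i-", "eni-")):
        return "private"           # NAT gateway or NAT instance
    return "other"                 # transit gateway, peering connection, ...


def classify_subnets(route_tables: List[dict]) -> Dict[str, str]:
    """Map every explicitly associated subnet to public/private/isolated/other."""
    result: Dict[str, str] = {}
    for rt in route_tables:
        label = classify_target(default_route_target(rt))
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:        # the main-table association has no SubnetId
                result[assoc["SubnetId"]] = label
    return result


def unexpectedly_public(route_tables: List[dict], expected_private: List[str]) -> List[str]:
    """Subnets you believe are private but whose default route is the IGW."""
    classes = classify_subnets(route_tables)
    return sorted(s for s in expected_private if classes.get(s) == "public")


if __name__ == "__main__":
    for subnet, label in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet:<16} {label}")
    print("should be private but are public:",
          unexpectedly_public(ROUTE_TABLES, ["subnet-0priv-a", "subnet-0priv-b", "subnet-0db"]))
```

Subnets that rely on the main route table do not appear in the explicit associations, so in a real audit also check the main table's own default route, and treat "isolated" as a result to confirm rather than a pass: a subnet with no default route cannot reach a NAT gateway for patches either.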

Recap of the AWS VPC Tutorial

Our first VPC setup is done. To recap, we created a VPC with four subnets. Two of the subnets were made public by routing their internet traffic to the Internet Gateway attached to the VPC, and the other two were private. The private subnets can still reach the internet through a NAT gateway, but nothing on the internet can initiate a connection to them. Instances in the public subnets need public IP addresses to be reachable: we can configure the subnet to auto-assign a public IPv4 address to every instance launched in it, or we can enable an auto-assigned public IP for an individual instance at launch. Either way, the instance's security group still decides which ports are actually reachable.

Network Access Control Lists (ACL)

By default, a VPC comes with a default Network ACL that allows all inbound and outbound traffic. A custom Network ACL that you create yourself starts the other way round: it denies all inbound and outbound traffic until you add allow rules.
Each subnet in a VPC must be associated with a Network ACL, and a subnet can be associated with only one Network ACL at a time (subnets you do not explicitly associate use the default one). One Network ACL, however, can be associated with many subnets.
Things to remember:
  • A Network ACL is a numbered list of allow and deny rules. Rules are evaluated from the lowest number upwards and the first rule that matches the traffic decides; every ACL ends with a catch-all * rule that denies whatever nothing else matched.
  • The convention is to start numbering at 100 and go up in increments of 100, leaving room to insert rules later.
  • Because evaluation stops at the first match, a deny rule must have a lower number than the allow rule it is meant to override. To allow SSH from everywhere except one address, give the deny for that address rule 90 and the allow-all rule 100, not the other way round.
  • There are separate rule sets for inbound and outbound traffic, so you must set up both.
  • Network ACLs are stateless: return traffic is not automatically allowed. Responses to inbound connections must be permitted by the outbound rules and vice versa, which in practice means allowing the ephemeral port range (1024-65535) in the direction the replies travel.
  • Block IP addresses with Network ACLs, not security groups: security groups only have allow rules and cannot express a deny.
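The rule-ordering and statelessness points are the two that bite in practice, so here is an added example (not code from the original post) that replays Network ACL evaluation in Python: lowest rule number first, first match wins, implicit deny at the end, and each direction checked on its own. The rule sets are constructed; 203.0.113.5 and 198.51.100.7 are documentation addresses standing in for a blocked attacker and a legitimate administrator.

```python
"""Replay Network ACL evaluation: lowest rule number first, first match wins,
the implicit * rule denies the rest, and each direction is checked on its own.

Added example, not code from the original post. The rule sets below are
constructed for illustration; 203.0.113.5 and 198.51.100.7 are documentation
addresses standing in for a blocked attacker and a legitimate admin.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    number: int          # evaluation order; AWS allows 1-32766
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str
    from_port: int = 0
    to_port: int = 65535


def evaluate(rules: List[Rule], ip: str, protocol: str, port: int) -> str:
    """Decision for one packet against one direction's rule set."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.from_port <= port <= rule.to_port:
            continue
        return rule.action          # first match decides
    return "deny"                   # the catch-all * rule every ACL ends with


def ssh_session_allowed(inbound: List[Rule], outbound: List[Rule],
                        client_ip: str, client_port: int) -> bool:
    """Stateless means both legs must pass: the SYN to port 22 going in and
    the reply to the client's ephemeral port going out."""
    return (evaluate(inbound, client_ip, "tcp", 22) == "allow"
            and evaluate(outbound, client_ip, "tcp", client_port) == "allow")


# Wrong order: the allow-everyone rule at 100 matches before the deny at 200.
WRONG_ORDER_INBOUND = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
    Rule(200, "deny", "tcp", "203.0.113.5/32", 22, 22),
]
# Right order: the deny gets the lower number so it is reached first.
RIGHT_ORDER_INBOUND = [
    Rule(90, "deny", "tcp", "203.0.113.5/32", 22, 22),
    Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
]
# Outbound rules with and without the ephemeral-port allow that return
# traffic needs because the ACL keeps no connection state.
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_MISSING_EPHEMERAL + [
    Rule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535),
]

if __name__ == "__main__":
    print("wrong order, attacker:", evaluate(WRONG_ORDER_INBOUND, "203.0.113.5", "tcp", 22))
    print("right order, attacker:", evaluate(RIGHT_ORDER_INBOUND, "203.0.113.5", "tcp", 22))
    print("right order, admin:   ", evaluate(RIGHT_ORDER_INBOUND, "198.51.100.7", "tcp", 22))
    print("admin SSH, no ephemeral rule:  ",
          ssh_session_allowed(RIGHT_ORDER_INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.7", 50000))
    print("admin SSH, with ephemeral rule:",
          ssh_session_allowed(RIGHT_ORDER_INBOUND, OUTBOUND_WITH_EPHEMERAL, "198.51.100.7", 50000))
```

With the wrong ordering the attacker's SSH is allowed even though a deny rule exists; with the right ordering it is denied while the administrator gets through. The second pair of outbound rule sets shows why a NACL that allows inbound SSH but only outbound 443 still breaks every SSH session: the server's replies to the client's ephemeral port are dropped by the * rule.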

Resiliency

For resiliency, it is advisable to always have at least two public and two private subnets and to place them in different Availability Zones. The same applies to Elastic Load Balancers.
NAT instances are harder to make highly available (you have to handle failover and scaling yourself), so NAT Gateways are advised instead; AWS provides redundancy within an AZ for you, though you still need one gateway per AZ so that an AZ failure does not cut off the private subnets in the other AZ.
You can always monitor traffic within your VPC by turning on VPC Flow Logs, which record accepted and rejected connections per network interface and are the first place to look when a security group or NACL rule is not behaving as expected.
VPC connectivity options
One of the major features of AWS VPC is the connectivity options it provides for securely connecting various networks with their AWS networks. In this section, you will learn about various connectivity options for AWS VPC, such as connecting remote customer networks with VPC, connecting multiple VPCs into a shared virtual network, and so on. We will look at three connectivity options in detail:
  • Connecting the user network to AWS VPC
  • Connecting AWS VPC with another AWS VPC
  • Connecting the internal user with AWS VPC
Connecting user network to AWS VPC
You can extend and integrate your resources in your remote networks, such as compute power, security, monitoring, and so on, by leveraging your resources in AWS VPC. By doing this, your users can access all resources in AWS VPC seamlessly like any other resource in internal networks. This type of connectivity requires you to have non-overlapping IP ranges for your networks on the cloud and on-premises, so ensure that you have a unique CIDR block for your AWS VPC. AWS recommends that you use a unique, single, non-overlapping, and contiguous CIDR block for every VPC. You can connect your network with AWS VPC securely in the following ways:
  • Hardware VPN (now called AWS Site-to-Site VPN): You can configure AWS-compatible customer VPN gateways to access AWS VPC over an industry standard, encrypted IPsec VPN connection. You are billed for each VPN connection hour, that is, for every hour your VPN connection is up and running, and for data transfer as well.
This option is easier to configure and install and uses your existing internet connection. It is also highly available: AWS provides a virtual private gateway with two endpoints and builds two IPsec tunnels to them, so that one tunnel can take over if the other fails. You need to configure the customer gateway side of this VPN connection; the customer gateway can be a hardware device or software in your remote network.
On the flip side, VPN connections have bandwidth limits per tunnel, and because they traverse the public internet, their latency and availability depend on the state of the internet path between your site and AWS.
  • Direct connect: You can connect your AWS VPC to your remote network using a dedicated network connection provided by AWS authorized partners over 1-gigabit or 10-gigabit Ethernet fiber-optic cable. One end of this cable is connected to your router, the other to an AWS Direct Connect router. You get improved, predictable network performance with reduced bandwidth cost. With Direct Connect, you can bypass the internet and connect directly to your resources in AWS, including AWS VPC.
You can pair Direct Connect with a hardware VPN connection for redundant, highly available connectivity between your remote networks and AWS VPC. The following diagram shows the AWS Direct Connect service interfacing with your remote network:
  • AWS VPN CloudHub: You might have multiple remote networks that need to connect securely with AWS VPC. For such scenarios, you will create multiple VPN connections, and use AWS VPN CloudHub to provide secure communication between these sites. This is a hub and spoke model that can be used either for primary connectivity or as a backup option. It uses existing internet connections and VPN connections.
You create a virtual private gateway for your VPC with multiple customer gateways for your remote networks to use AWS VPN CloudHub. These remote networks should not have overlapping IP networks. The pricing model for this option is similar to that of a hardware VPN connection.
  • Software VPN: Instead of a hardware VPN connection, you can also use an EC2 instance in your VPC with a software VPN appliance running in order to connect your remote network. AWS does not provide any software VPN appliance; however, you can use software VPN appliances through a range of products provided by AWS partners and various open source communities present on AWS marketplace. It also uses the internet for connectivity; hence, reliability, availability, and network performance are dependent on the internet speed.
This option, however, supports a wide variety of VPN vendors, products, and protocols. It is completely managed by customers. It is helpful for scenarios where you are required to manage both ends of a connection, either for compliance purposes or if you are using connectivity devices that are currently not supported by AWS.
Connecting AWS VPC with other AWS VPCs
If you have multiple VPCs in multiple regions across the globe, you may want to connect these VPCs to create a larger, secure network. This connectivity option works only if your VPCs do not have overlapping IP ranges and have a unique CIDR block. Let's look at the following ways to connect AWS VPC with other AWS VPCs:
VPC peering: You can connect two VPCs using a VPC peering connection. Resources in these VPCs can communicate with each other using private IP addresses as if they were in the same network. You can peer a VPC with another VPC in your own AWS account or in a different account, and since late 2017 the two VPCs may also be in different regions (inter-region peering), in which case AWS encrypts the traffic between regions.
AWS uses its own existing infrastructure for this connection. It is not a gateway or a VPN connection that uses any physical device. It is not a single point of failure or a network performance bottleneck.
VPC peering is the most preferred method of connecting AWS VPCs. It is suitable for many scenarios in large and small organizations. Let's look at some of the most common scenarios.
If you need to provide full access to resources across two or more VPCs, you can do that by peering them. For example, you have multiple branch offices in various regions across the globe and each branch office has a different VPC. Your headquarter needs to access all resources for all VPCs for all your branch offices. You can accomplish this by creating a VPC in each region and peering all other VPCs with your VPC.
You might have a centralized VPC that contains information required by other VPCs in your organization, such as policies related to human resources. This is a read-only VPC and you would not want to provide full access to resources in this VPC. You can create a VPC peering connection and restrict access for this centralized VPC.
You can also have a centralized VPC that might be shared with your customers. Each customer can peer their VPC with your centralized VPC, but they cannot access resources in other customers' VPC.
Data transfer charges for a VPC peering connection are similar to charges for data transfer across availability zones (inter-region peering is charged at inter-region rates). A VPC peering connection is a one-to-one connection between two VPCs; transitive peering is not allowed. In the following diagram, VPC A is peered with VPC B and VPC C; however, VPC B is not implicitly peered with VPC C. It has to be peered explicitly, and the route tables in each VPC must carry a route for the peer's CIDR pointing at the peering connection before any traffic flows:

What is AWS VPC Peering?

AWS VPC Peering is a functionality that enables two private networks to communicate with each other by building fast and reliable connections. AWS VPC peering connections can be used to route traffic from one VPC to another VPC network or to provide access to resources of one network to another.

Source
http://www.cloudforest.in/2016/09/pass-aws-certification-exam-in-10-days.html
http://www.studytrails.com/amazon-aws/aws-vpc-tutorial-part-iii/
https://www.networkcomputing.com/networking/aws-security-tutorial-vpc-setup
https://sites.google.com/site/awsarticles/home/aws-architect-notes/vpc-overview-components/vpc-exam-questions


Tuesday, July 16, 2019

AWS EC2 Elastic Compute Cloud Instance in Step by Step Tutorial exam dumps for students classes

Introduction to Amazon EC2

The Amazon Elastic Compute Cloud (EC2) is an infrastructure as a service (IaaS) cloud. This means that it provides computing power and resources that you can use for a fee. You take care of running the software; Amazon EC2 provides the hardware.
To understand Amazon EC2, it’s important to understand the concept of virtualization. When you use your computer at home, it’s very likely that you have one physical “box” sitting on or below your desk, with a power button, disk drives, a video card, and so on. The relationship between the physical machine and the machine you log into is 1 to 1. Virtualization, however, is the idea of hosting multiple “virtual machines” on a single physical box. These virtual machines share some hardware resources, but they appear to the end user as distinct machines that can be logged into and administered separately.
You may have used virtual machines at your place of employment; many companies are using them in the workplace because they are more flexible and cost efficient. Most often, an IT administrator will purchase or choose a powerful machine and configure it to be a “virtual server”, which is a physical machine that hosts multiple virtual machines. Obviously, it takes a powerful computer to act as a virtual server, and it takes a fair amount of IT administration skill to set one up.
Enter Amazon EC2. When you work with Amazon EC2, you create and run virtual machines in Amazon’s data centers. You don’t have to know too much about the details of the virtual servers (nor does Amazon want to reveal this). The idea is that you can focus on the software on your server and let Amazon take care of the hardware needs.
Of course, there is a cost for using these resources. You are charged for the time your instances run and for the amount of data that you store on Amazon EC2. Most of the things you can do or use on Amazon EC2 have some sort of fee associated with them, but unless you are running a high-traffic site with many gigabytes of data, computing power and disk space are the two biggest cost concerns.

Advantages of Amazon EC2

The benefits of Amazon EC2 can be enormous in some situations. Here are a few of the immediate advantages:
  • You don’t have to purchase or set up a virtual server; instead, you use Amazon’s hardware infrastructure. This is especially useful if you don’t have an IT person on staff, or if you don’t have the money to purchase a virtual server. As you will see later in this lesson, it’s relatively painless to set up your own virtual machine on Amazon EC2.
  • You can easily obtain a machine to prototype or test a new application. If your organization is in a financial crunch, all of your machines may be in use or out of date, making it difficult to try new things. With Amazon EC2 you can obtain a machine for a few days or weeks for a relatively low cost, in order to test or learn new software and applications. In essence, this is what you’ll do in this course, as you use Amazon EC2 for just a few weeks so you can learn ArcGIS Server.
  • You can easily obtain a server that is public-facing (in other words, that can be accessed by anyone on the Internet). In some organizations it takes a fair amount of paperwork, official approval, and coordination with IT staff to get a public-facing server. This is for good reason, since any time you open up a server to the world, there are a lot more security risks that come into play. Setting up a public-facing server on Amazon EC2 carries somewhat less risk for your organization because the machine is not running on your hardware and can be completely isolated from your network if you choose. The instance itself is still your responsibility, though: its security group decides which ports the world can reach, and you still have to patch it.
  • You can add “auto scaling” rules that add or remove machines depending on how busy your site is at any given time. This is how Amazon EC2 gains the “Elastic” part of its name. This elasticity can be incredibly cost-efficient for certain types of sites, such as those responding to natural disasters. Suppose that you administer a weather site, and one afternoon a string of serious tornados hits. Your site will see a lot more traffic that day, especially if your site gets linked to by other sites. If you were hosting your site on premises you might run out of hardware, or it might take some time to add new machines. If you were hosting your site on Amazon EC2 with auto scaling rules, your site could temporarily expand to use whatever amount of hardware was needed.

EC2 instances and AMIs

Before going forward, there are two important vocabulary terms that you should understand regarding Amazon EC2:
  • EC2 instance – An EC2 instance is a virtual machine running on Amazon EC2.
  • AMI – An Amazon Machine Image (AMI, sometimes pronounced “ah-mee” or "Amy") determines the files, settings, and software that are applied when you create a new EC2 instance. You can think of an AMI as a blueprint for creating an EC2 instance. Also, when you work with an EC2 instance, you can save a “snapshot” of your work at any time by creating an AMI. This way, if something ever happens to your instance, you can create a new instance and continue where you left off.

How do you get software like ArcGIS Server running on Amazon EC2?

Esri has created AMIs that have ArcGIS Server installed and configured. You will use these AMIs to create EC2 instances, thereby getting the server software running on Amazon EC2. Once the instance is running, you log into it using Windows Remote Desktop, the same way you would remotely log in to any other computer in your network, except that this machine is outside your network, running on Amazon EC2. Because Remote Desktop (TCP port 3389) is a favourite target for brute-force attacks, restrict the inbound rule for it in the instance's security group to your own IP address rather than to 0.0.0.0/0.
You can perform all of these steps on your own home computer as long as it has an Internet connection. In fact, it is recommended that you use your home computer, because some workplace IT departments block Remote Desktop connections to computers outside the firewall (such as Amazon EC2 instances). Please also note that you may not be able to log in to your EC2 instances through a personal hotspot on a mobile phone.

What is Amazon EC2?


Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 removes the need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 lets you scale up or down to handle changes in requirements or spikes in demand.


3. Features of Amazon Elastic Compute Cloud

Amazon EC2 provides the following features:
  • Virtual computing environments, known as instances.
  • Pre-configured templates for your instances, known as Amazon Machine Images (AMIs), that package the operating system and any additional software the server needs.
  • Various configurations of CPU, memory, storage and networking capacity for your instances, known as instance types.
  • Secure login information for your instances using key pairs: AWS stores the public key and you keep the private key.
  • Storage volumes for temporary data that are deleted when you stop, hibernate or terminate your instance, known as instance store volumes.
  • Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS).
  • Multiple physical locations for your resources, such as instances and EBS volumes, known as Regions and Availability Zones.
  • A firewall that lets you specify the protocols, ports and source IP ranges that can reach your instances, known as security groups.
  • Static IPv4 addresses for dynamic cloud computing, known as Elastic IP addresses.
  • Metadata, known as tags, that you can create and assign to your EC2 resources.
  • Virtual networks that are logically isolated from the rest of the AWS cloud and that you can optionally connect to your own network, known as Virtual Private Clouds (VPCs).

4. Getting Started with EC2 in Amazon

After creating your AWS account you will need to set it up. AWS provides a getting-started tutorial for EC2, and if you need technical detail about an Amazon EC2 feature you can refer to the technical documentation.
Below are a few terms you will come across in EC2.

a. Instances and AMIs

Amazon Machine Image (AMI) is a template that contains a software configuration such as an operating system, servers, and applications.

b. Region and Availability Zones

Amazon EC2 is hosted in multiple locations worldwide. These locations are composed of Regions and Availability Zones: each Region is a separate geographic area containing several isolated Availability Zones, and zone-bound resources such as EBS volumes and subnets live in exactly one Availability Zone.

c. Amazon EC2 Key Pairs

Amazon EC2 uses public-key cryptography to secure login to your instances. You generate (or import) a key pair; AWS keeps only the public key and you keep the private key. On Linux instances the public key is placed in the default user's authorized_keys file so that you can SSH in with the private key; on Windows instances the private key is used to decrypt the initial administrator password. Anyone who obtains the private key can log in, so protect it like a password and never commit it to a repository.

d. Security Groups

AWS security groups are associated with EC2 instances (strictly, with their network interfaces) and act as a stateful firewall at the protocol and port level. They contain allow rules only, each identified by protocol, port range and source (a CIDR block or another security group); anything not explicitly allowed is denied, and return traffic for an allowed connection is permitted automatically. Because they are stateful and instance-level, they complement the stateless, subnet-level Network ACLs described in the VPC post above.
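The rule shape matters because the most common EC2 exposure is a security group that opens an administrative port to 0.0.0.0/0. As an added example (not code from the original article), the script below audits a set of groups for exactly that. SECURITY_GROUPS is constructed data in the shape of boto3's ec2.describe_security_groups() response, with invented group IDs; the same functions run unchanged over a real response. It handles the "all traffic" rule, which has protocol -1 and no port fields, and it treats rules whose source is another security group as not world-open.

```python
"""Flag security-group rules that open administrative ports to the whole
internet, the classic way an EC2 instance ends up exposed.

Added example, not code from the original article. SECURITY_GROUPS is
constructed data in the shape of boto3's ec2.describe_security_groups()
response and every group ID is invented; point the same functions at a real
response to audit an account.
"""
from typing import Dict, List, Set

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web",                  # fine: HTTPS to the world
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bastion-bad", "GroupName": "bastion-bad",  # SSH from anywhere, v4 and v6
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bastion-ok", "GroupName": "bastion-ok",    # SSH from one admin address
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0wide", "GroupName": "all-traffic",         # every port and protocol
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0app", "GroupName": "app",                  # RDP only from the bastion group
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0bastion-ok"}]}]},
]


def sources(permission: dict) -> List[str]:
    """CIDR sources of one rule (security-group sources are never 'anywhere')."""
    return ([r["CidrIp"] for r in permission.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])])


def admin_ports_covered(permission: dict) -> Set[int]:
    """Administrative ports a rule reaches; protocol -1 has no port fields."""
    proto = permission["IpProtocol"]
    if proto == "-1":
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    return {p for p in ADMIN_PORTS
            if permission["FromPort"] <= p <= permission["ToPort"]}


def world_open_admin_ports(groups: List[dict]) -> Dict[str, List[str]]:
    """Group ID -> admin ports reachable from 0.0.0.0/0 or ::/0, sorted by port."""
    findings: Dict[str, Set[int]] = {}
    for group in groups:
        for permission in group.get("IpPermissions", []):
            if not any(src in ANYWHERE for src in sources(permission)):
                continue
            ports = admin_ports_covered(permission)
            if ports:
                findings.setdefault(group["GroupId"], set()).update(ports)
    return {gid: [f"{ADMIN_PORTS[p]}/{p}" for p in sorted(ports)]
            for gid, ports in findings.items()}


if __name__ == "__main__":
    for gid, ports in world_open_admin_ports(SECURITY_GROUPS).items():
        print(f"{gid}: {', '.join(ports)} open to the world")
```

Only the bastion that allows SSH from anywhere and the all-traffic group are flagged; the bastion restricted to one address and the application group that accepts RDP only from the bastion's security group pass, which is the pattern to aim for.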

e. Amazon EC2 and Amazon VPC

Amazon Virtual Private Cloud allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that is defined by you.

5. AWS EC2 Storage

Amazon EC2 offers two kinds of storage for instances:

a. Amazon EBS

Amazon Elastic Block Store (EBS) provides block-level storage volumes for use with EC2 instances. The volumes are highly available and durable, persist independently of the instance's life, and can be attached to any running instance in the same Availability Zone. Volumes can be encrypted at rest, and snapshots can be taken for backup or to build AMIs.

b. Instance Store

An instance store provides one or more volumes exposed to the instance as block devices, backed by disks physically attached to the host computer. The size of the instance store and the number of devices available depend on the instance type, and the data on it is lost when the instance stops, hibernates or terminates, or when the underlying disk fails, so it suits only temporary data such as caches and scratch space.

6. Additional Information for AWS EC2

You can manage EC2 resources such as instances and volumes directly through Amazon EC2. Several other AWS services build on EC2 and are documented separately:
  • AWS CloudFormation User Guide
  • AWS Elastic Beanstalk Developer Guide
  • Amazon EC2 Auto Scaling User Guide
  • AWS OpsWorks User Guide

7. Elastic Load Balancing

AWS Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple instances. You can add and remove compute resources from your load balancer as your needs change, without interrupting the overall flow of requests to your applications.

8. Amazon Cloudwatch

You can use Amazon CloudWatch to monitor basic statistics for your instances and Amazon EBS volumes. Amazon CloudWatch Events delivers a near-real-time stream of system events that describe changes in AWS resources; for example, it can invoke a Lambda function whenever a new EC2 instance enters the running state.

9. Amazon Cloudtrail

AWS CloudTrail records the calls made to the Amazon EC2 API in your account, whether they come from the AWS Management Console, the command-line tools, the SDKs or other AWS services. Each record identifies who made the call, from where and when, which makes the trail the primary source for investigating unexpected instance launches or security group changes.
10. Amazon EC2 Access
EC2 provides a web-based UI known as the Amazon EC2 console. You can reach it by signing in to the AWS Management Console and selecting EC2. Besides the console, Amazon EC2 can be accessed programmatically in the following ways, all of which sign requests with your IAM credentials:
  • AWS Command Line Interface (CLI)
  • AWS Tools for Windows PowerShell
So, this was all about AWS EC2 Tutorial. Hope you like our explanation.

