Reviews core networking concepts relevant for the Cloud practitioner. We use AWS as the platform. However the content is generally applicable across clouds.
Note: The instructor-led version of this presentation is at:
https://www.udemy.com/course/primer-for-the-aws-cloud-networking/
The Udemy.com course titled Primer for the AWS Cloud: Networking.
Networking Brush Up for Amazon AWS Administrators
1. Networking Brush Up for AWS Admins:
A Review of Basic Networking Topics Useful in Amazon AWS
A. Akpaffiong
September 2017
2. Topic Introduction
• The reason:
– In presentations/workshops on Introductory AWS, I review basic
networking and security topics to get everyone up to the same level
– Here’s a compilation of the networking discussions
– My contribution to the communal learning process
• The goal:
– Review basic networking topics relevant to Amazon AWS
• The secret:
– This is not just for AWS Admins
• The result:
– Let me know
We reject kings, presidents and voting.
We believe in: rough consensus and running code.
– David Clark, IETF Talk
4. Communication Model
Connecting devices can pose a problem of compatibility.
A network communications model:
– enforces protocols
– defines how devices interact over a medium (electrical signals, packet delimiters, addressing, data formats, etc.)
– separates networking functions into discrete layers
Examples include: IBM SNA, DECNET, TCP/IP, ISO-OSI
TCP/IP and ISO-OSI represent layered, modular communications models.
5. Communication Model – ISO-OSI 7 Layer Model
Layer | Layer Name   | Protocol Data Unit (PDU)      | Main Function                                     | Example Protocol | Address Type
7     | Application  | Data                          | Interaction with user. Provides services to app.  | FTP              | Hostname (example.com)
6     | Presentation | Data                          | Data representation (Converts/Encrypts)           | XDR, XML         | Hostname (example.com)
5     | Session      | Data                          | Connection dialog (Start/Stop/Order)              | RPC, SOCKS       | Socket (172.16.3.24:80)
4     | Transport    | Segment (TCP), Datagram (UDP) | End-to-End Delivery (Reliable vs. Unreliable)     | TCP, UDP         | Port number (80)
3     | Network      | Packet                        | Routing and Addressing                            | IP, IGMP         | IP Address (172.16.3.24)
2     | Data Link    | Frame                         | Node-to-node (Access to media)                    | Ethernet, MPLS   | MAC (1C98ECA8EC30)
1     | Physical     | Bit                           | Distance and electrical (Low level parameters)    | RS232, DOCSIS    | N/A
For comparison, the TCP/IP communication model has four layers: Application, Transport, Internet, Link.
6. Transport Protocols
Protocol | Name                                 | RFC  | Goal
ICMP*    | Internet Control Message Protocol    | 792  | Error-reporting protocol
DCCP†    | Datagram Congestion Control Protocol | 4340 | Control over tradeoffs between delay and in-order delivery
TCP      | Transmission Control Protocol        | 793  | Reliable, ordered byte stream
UDP      | User Datagram Protocol               | 768  | Unreliable packet delivery
SCTP†    | Stream Control Transmission Protocol | 4960 | Reliable, ordered byte stream
* ICMP is not a transport protocol
† SCTP and DCCP are not currently available in AWS
7. Port Number Ranges
• 0 – 1023: Well-known ports (System Ports)
– Ports in the Well-known Ports range are reserved for privileged applications.
• 1024 – 49,151: Registered ports (User Ports)
– Ports in the Registered Ports range can be used by ordinary user applications that require a known and stable port number.
• 49,152 – 65,535: Dynamic ports (Private Ports)
– Ports in the Dynamic Ports range are set aside for local and dynamic use and cannot be registered. Usable by any application in a dynamic fashion.
9. A Word From Our Sponsors – Request For Comments (RFC)
• Created in 1969 by Steve Crocker as unofficial records on the development of the
early Internet (known then as ARPAnet).
• RFCs have evolved to become official documentation of Internet specifications,
communications protocols, procedures, and events.
• Researchers publish RFCs to offer best practices and solicit feedback on Internet
technologies.
• Helped initiate a culture of openness, sharing and voluntary contributions.
• The official online source for RFCs is the RFC Editor: https://www.rfc-editor.org
• Example RFCs:
– Private IPv4 Addresses (RFC 1918)
– IPv4 Specification (RFC 791)
– IPv6 Specification (RFC 8200)
– Border Gateway Protocol (RFC 4271)
11. Number Systems
• Binary Notation
– Base 2
– Made up of only 0’s and 1’s
– Number positions (counted from the right): ones, twos, fours, eights, sixteens, etc.
– E.g. 1011 = 1x2^0 + 1x2^1 + 0x2^2 + 1x2^3
= 1 + 2 + 0 + 8
= 11 (in decimal)
12. Number Systems
• Hexadecimal Notation
– Numerical values prefixed with “0x”
– Base 16
– Number positions: ones, sixteens, two hundred and fifty-sixes (i.e. 16x16), etc.
– Values: 0 thru 9, A thru F
• E.g. 0xFF = 15*16^0 + 15*16^1 = 255
Decimal     | 0 | 1 | … | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15
Hexadecimal | 0 | 1 | … | 8 | 9 | A  | B  | C  | D  | E  | F
13. IP Address
• An IP Address uniquely identifies a node on a TCP/IP network.
• An IP address can be written in dotted decimal notation, i.e. a sequence of four decimal numbers separated by a dot: 128.224.12.97
– Each of the four numbers in an IP address can range from 0 to 255.
• An IP address can also be written as four sets of binary octets (the “binary notation”): 10000000 11100000 00001100 01100001
– Each octet consists of eight binary digits, 1’s and 0’s.
• How do we convert dotted decimal to binary notation?
14. Internet Protocol version 4 (IPv4)
128.224.12.97 – dot or dotted decimal notation
10000000 11100000 00001100 01100001 – binary notation
• Octet: 8 bits; 2^8 = 256 values, 0 – 255
• Four octets: 4 x 8 bits = 32 bits; 2^32 = 4,294,967,296 addresses
• 0 – 255 . 0 – 255 . 0 – 255 . 0 – 255
• This is why an IP address is said to be a 32-bit number.
15. IP Address
Imagine that the following are the only numbers in your universe: 1 2 4 8 16 32 64 128
Q. What are the results of adding one or more of the above numbers together? (Using each number only once per calculation.)
A. All numbers from 0 to 255.
For example, take this IP address: 132.224.12.97
By columns, put a “1” in the cell next to each number that will add up to each one of the four numbers in the IP address. Otherwise put a “0”.
    | 132 | 224 | 12 | 97
128 |  1  |  1  |  0 |  0
 64 |  0  |  1  |  0 |  1
 32 |  0  |  1  |  0 |  1
 16 |  0  |  0  |  0 |  0
  8 |  0  |  0  |  1 |  0
  4 |  1  |  0  |  1 |  0
  2 |  0  |  0  |  0 |  0
  1 |  0  |  0  |  0 |  1
132 = 1 0 0 0 0 1 0 0 = 128 + 4
224 = 1 1 1 0 0 0 0 0 = 128 + 64 + 32
12  = 0 0 0 0 1 1 0 0 = 8 + 4
97  = 0 1 1 0 0 0 0 1 = 64 + 32 + 1
16. IP Address
132.224.12.97 (dotted decimal notation)
10000100 11100000 00001100 01100001 (binary notation)
17. Internet Protocol version 4 (IPv4) – Design
• Original design (RFC 760, RFC 791): “Classful” IP Addresses
– Classes A, B, C, D, E
– 32-bit address space, hierarchical
– Network part fixed: 8 bits; device part fixed: 24 bits
– 2^8 or 256 total global network identifiers, each with up to 2^24 or 16,777,216 devices
• Subsequent redesign (RFC 4632): “Classless” IP Addresses
– CIDR, using the / notation
– Flexible
– Goal: improve management of the address space
18. Internet Protocol version 4 (IPv4)
• An IP Address is composed of two parts: network and device
– The network part identifies the network the address belongs on
– The device part identifies a particular device on the network
• E.g. 10.1.4.56 in the /16 network 10.1.0.0: Network ID 10.1, Device Address 4.56
• Diagram: Subnetwork A (10.1.0.0/16) contains 10.1.4.56 and 10.1.4.22; Subnetwork B (10.2.0.0/16) contains 10.2.5.11
19. Internet Protocol version 4 (IPv4) – Design: Classful
• 4.3 billion addresses for global identification of network devices
• 5 classes:
– A, B, C identify network devices
– D multicast addressing
– E is reserved
• Notation
– Dotted Decimal, e.g. 128.224.12.97
– Binary Octets, i.e. four sets of eight bits, or octets, total of 32 bits
1st Octet | 2nd Octet | 3rd Octet | 4th Octet
10000000  | 11100000  | 00001100  | 01100001
128       | 224       | 12        | 97
• The same address is represented in decimal (128.224.12.97) or binary (10000000 11100000 00001100 01100001) notation
21. Internet Protocol version 4 (IPv4) – Design: Classful
• Class A – for large networks
– Network part fixed as the 1st octet, or 8 bits
• 1st bit of first octet always set to “0” (zero)
• Results in 2^7 or 128 possible class A addresses, globally:
• 00000000 – 01111111 (in binary) and 0 – 127 (in decimal)
– Device part fixed as the remaining three octets, or 24 bits
• Results in a total of 2^24 or 16,777,216 device addresses for each of the 127 network addresses
– Class A IP Addresses range from 0.x.x.x to 127.x.x.x.
1st Octet (Network)  | 2nd, 3rd, 4th Octet (Device)
00000000 – 01111111  | 256 * 256 * 256
0 – 127              |
Note: 256 * 256 * 256 = 16777216
22. Internet Protocol version 4 (IPv4) – Design: Classful
• Class B – for medium-sized networks
– Network part fixed as the first 16 bits or two octets
• 1st two bits of first octet are always set to “10”
• Results in 2^14 (i.e. 2^(6+8)), or 16384 network addresses
• 10000000 – 10111111 (in binary) and 128 – 191 (in decimal)
– Device part fixed as the remaining two octets, or 16 bits
• Results in a total of 2^16 or 65,536 device addresses for each of the 16384 network addresses
– Class B IP Addresses range from 128.0.x.x to 191.255.x.x.
1st Octet (Network)  | 2nd Octet (Network)  | 3rd, 4th Octet (Device)
10000000 – 10111111  | 00000000 – 11111111  | 256 * 256 = 65536
128 – 191            | 0 – 255              |
23. Internet Protocol version 4 (IPv4) – Design: Classful
• Class C – for small networks
– Network part fixed as the first 24 bits or three octets
• 1st three bits of first octet are always set to “110”
• Results in 2^21 (i.e. 2^(5+8+8)), or 2,097,152 network addresses
• 11000000 – 11011111 (in binary) and 192 – 223 (in decimal)
– Device part fixed as the remaining one octet, or 8 bits
• Results in a total of 2^8 or 256 device addresses for each of the 2,097,152 network addresses
– Class C IP Addresses range from 192.0.0.x to 223.255.255.x.
1st Octet (Network)  | 2nd, 3rd Octet (Network)  | 4th Octet (Device)
11000000 – 11011111  | 00000000 – 11111111       | 256
192 – 223            | 0 – 255                   |
24. Internet Protocol version 4 (IPv4) – Classful
Class | Bits Set | # of bits for network portion | # of bits for device portion
A     | 1        | 7 bits                        | 24 bits
B     | 2        | 14 bits                       | 16 bits
C     | 3        | 21 bits                       | 8 bits
25. Internet Protocol version 4 (IPv4) – Design: Classful
• Class D – for multicast networks
– The multicast protocol enables one-to-many packet transmission
– A multicast address is not divided into a network and a device portion
• 1st four bits of first octet are always set to “1110”
• The remaining 28 bits identify the devices in a multicast group
– Class D IP Addresses range from 224.0.0.0 to 239.255.255.255
– Note: no subnet mask is used for class D
• Class E – for experimental purposes
– 1st four bits of first octet are always set to “1111”
– IP addresses in this class range from 240.0.0.0 to 255.255.255.254
– Note: no subnet mask is used for class E
26. Internet Protocol version 4 (IPv4) – Design: Classful
In this generation of IP addressing, a fixed number of bits were used to delineate the network and host portions of an IP address.
Class A: the first octet (or 8 bits) is set aside for the network portion; the 2nd, 3rd and 4th octets are the device portion.
Network bits: 1111 1111 (1st Octet)
27. Internet Protocol version 4 (IPv4) – Design: Classful
In this generation of IP addressing, a fixed number of bits were used to delineate the network and host portions of an IP address.
Class B: the first two octets (or 16 bits) are set aside for the network portion; the 3rd and 4th octets are the device portion.
Network bits: 1111 1111 1111 1111 (1st and 2nd Octet)
28. Internet Protocol version 4 (IPv4) – Design: Classful
In this generation of IP addressing, a fixed number of bits were used to delineate the network and host portions of an IP address.
Class C: the first three octets (or 24 bits) are set aside for the network portion; the 4th octet is the device portion.
Network bits: 1111 1111 1111 1111 1111 1111 (1st, 2nd and 3rd Octet)
29. Internet Protocol version 4 (IPv4) – Design: Classful Issues
• Not enough addresses
– Class A: too big
• Only 127 possible Class A networks
• Each Class A network, with 16 million possible hosts, is too big for most organizations
– Class C: too small
• Only 2,097,152 possible Class C networks
• Each Class C network, with 256 possible hosts, is too small for most organizations
• To meet host need, organizations acquired multiple Class C addresses
– Class B: everybody wants one
• Only 16384 possible Class B networks
• Each Class B network, with 65,536 hosts, is adequate for most organizations
• Class B address space in high demand
• Rapid exhaustion and waste of IPv4 address space
30. AWS Elastic IP
• An AWS Elastic IP address is :
– a static IPv4 address
– a persistent public IPv4 address
– allocated to AWS account, not a resource
– reusable, unlike a Public IP address
• To access the Internet, an Instance can be given a Public IP or Elastic IP
address
• An Elastic IP address can be migrated or rapidly remapped from one instance to another in your account
• Elastic IP addresses are free, unless more than one per Instance is used or one is associated with a non-running Instance.
31. Only 3.7 billion IPv4 addresses are usable by ordinary Internet access devices. The rest are used for special protocols, like IP Multicasting.
Almost three and a half billion addresses were enough for the Internet envisioned in the 1980s; it is not enough for today’s production network.
Source: https://www.icann.org/en/system/files/files/ip-addresses-beginners-guide-04mar11-en.pdf
33. Private IP Address – IPv4 (Private IP, NAT, CIDR)
• IPv4 address space is exhausted
– 2^32 or 4,294,967,296 theoretical addresses
– designed to uniquely identify each network device
– i.e. there are more devices online than addresses available in the IPv4 address space
• Measures to extend the life of IPv4 include:
– Private IP
– Network Address Translation (NAT)
– Classless Inter-Domain Routing (CIDR)
34. Private IP Address – IPv4 (Private IP, NAT, CIDR)
• IPv4 addresses are classified as either “public” or “private” addresses
– Devices with “Public” addresses can communicate on the Internet
– The router prevents “Private” addresses from reaching the Internet
Diagram: Internet (Public IP Address) | Border Firewall | Internal Network (Private IP Address)
35. Private IP Address – IPv4 (Private IP, NAT, CIDR)
• Subsets of the IPv4 address space (first octet 0 – 255) set aside as “private” addresses:
– 10/8 prefix: begins with 10.
– 172.16/12 prefix: begins with 172.16. through 172.31.
– 192.168/16 prefix: begins with 192.168.
36. Private IP Address – IPv4 (Private IP, NAT, CIDR)
• Special Use Addresses
– In addition to the private-use addresses…
– other portions of the IPv4 and IPv6 address space are set aside
– Described in RFC 6890
– Examples:
Special-Use Address | Description
127.0.0.0/8         | Loopback Address
169.254.0.0/16      | Link Local
::1/128             | Loopback Address (IPv6)
::ffff:0:0/96       | IPv4-mapped Address
37. Network Address Translation – NAT (Private IP, NAT, CIDR)
• A NAT device
– enables Instances in a private subnet to connect to the Internet
– blocks external resources from initiating connections to the local Instances
– forwards traffic from the instances in the private subnet to the Internet, and then sends the response back to the instances.
• A NAT device works by:
– replacing the source IPv4 address with that of the NAT device
– on return, the NAT receives the response traffic and forwards it to the initiating instance
• AWS offers two kinds of NAT devices:
– NAT gateway – a managed service with better availability and bandwidth
– NAT instance – an instance launched from a NAT AMI and managed by the customer
38. Network Address Translation – NAT (Private IP, NAT, CIDR)
Diagram:
– Intranet: devices with private IP addresses (10.1.1.15, 10.1.1.16, 10.1.1.20)
– NAT-enabled device (public address 192.17.1.1): maps private to public addresses and accepts the return traffic on behalf of the Instance; blocks private IP addresses from leaving the intranet
– Internet: only public addresses
39. Network Address Translation – NAT (Private IP, NAT, CIDR)
• NAT rewrites the source and/or destination addresses
– hides the addresses of internal devices
– intercepts private/non-unique addresses and uses pre-configured public/unique addresses
• Benefits of NAT include:
– Multiple internal devices can access the Internet using a single public IP address, conserving IPv4 addresses
– Privacy of the internal network map
– Protects internal devices from external access
40. Classless Inter-Domain Routing – CIDR (Private IP, NAT, CIDR)
• A notation that flexibly describes an IP address range
• A strategy to extend the longevity of IPv4 addresses
– flexible management
– address space conservation
• Introduced the slash (/) notation to highlight the number of bits used to identify the network portion of the address
• Allows address space to be allocated based on actual need rather than the rigid Classful address structure
• Described in RFC 4632
41. Classless Inter-Domain Routing – CIDR (Private IP, NAT, CIDR)
• Network 128.125
– Device address
• 128.125.0.7
• 10000000 01111101 00000000 00000111
– Subnet Mask
• 255.255.0.0
• 11111111 11111111 00000000 00000000
– Notation
• Classical: 128.125.0.7 IP address with 255.255.0.0 subnet mask
• CIDR (Slash): 128.125.0.7/16
• Aside:
– 128.125.0.7/32 identifies a single host, with IP address 128.125.0.7
42. Classless Inter-Domain Routing – CIDR (Private IP, NAT, CIDR)
• CIDR example
– 10.10.0.0/16: creates subnet 10.10.0.0 with 2^(32-16) device addresses
– 10.10.101.0/24: creates subnet 10.10.101.0 with 2^(32-24) device addresses
– 0.0.0.0/0: this describes any device on the local subnet
– 10.10.101.5/32: the /32 notation describes a single IP address
Source: www.aws.training
44. Subnet/Netmask Math
• Every IP address belongs to a specific network or subnet, depending on the subnet mask or CIDR used.
• We can use binary arithmetic to discover which network an IP address belongs to. This is called finding the Network Address of an IP Address.
• Use Case
– Routers perform this operation to forward a packet to the right destination network
– Network designers do this to generate the proper design and layout of the network
Example, with subnet mask 255.255.255.0 (/24):
– Subnet A: 128.125.1.105, 128.125.1.11, 128.125.1.10, 128.125.1.21, 128.125.1.7
– Subnet B: 128.125.2.15, 128.125.2.87, 128.125.2.11, 128.125.2.152, 128.125.2.26
45. Subnet/Netmask Math
• The basic operation is the Logical AND binary operator.
– implemented in electronics as a logic gate (AND Gate: inputs A and B, output A AND B)
– performs a logical operation on binary inputs, producing a single binary output
• Output (A AND B) is:
– 1 if-and-only-if both Inputs are 1
– 0 otherwise
• The Truth Table demonstrates the Logical AND operation.
Truth Table
Input A | Input B | Output A AND B
0       | 0       | 0
0       | 1       | 0
1       | 0       | 0
1       | 1       | 1
Inputs A and B can be either 0 or 1. The output of the Logical AND is always 0, unless both inputs are 1, then the output is also 1.
46. Subnet/Netmask Math
When a router sees a packet with a destination IP address, it determines the network (or subnet) to forward the packet to.
It does this via a Logical AND of the binary form of the IP address and the Netmask.
47. Subnet/Netmask Math
First, convert the IP address and subnet mask to binary.
Then, line up the two numbers and perform a bitwise Logical AND.
Let’s assume: the IP Address is input A and the Subnet Mask is input B. Output A AND B, the logical AND of both inputs, is the Network Address.
IP Address       128.125.2.15    10000000 01111101 00000010 00001111
Subnet Mask      255.255.255.0   11111111 11111111 11111111 00000000
Network Address  128.125.2.0     10000000 01111101 00000010 00000000
The resulting value identifies the network/subnet the IP packet is to be routed to.
48. Example – Determine which network an IP address belongs to
• Network: 193.239.32.0/20 11000001.11101111.00100000.00000000
• NetMask: 255.255.240.0 11111111.11111111.11110000.00000000
• A server in network 193.239.32.0 wants to send a packet to IP address 193.239.52.210. Is that IP in the same or a different network?
• IP:   193.239.52.210 11000001.11101111.00110100.11010010
• Mask: 255.255.240.0  11111111.11111111.11110000.00000000
• Bitwise AND          11000001.11101111.00110000.00000000
• Destination Network: 193.239.48.0
• Result:
– The IP Address 193.239.52.210 is in network 193.239.48.0, which is NOT 193.239.32.0
Source: www.udemy.com/aws-certified-solutions-architect-guide-question-bank-i/learn/v4/content
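The Logical AND procedure of slides 44 to 48, as an added Python example that is not part of the original deck: it works on 32-bit integers rather than on the ipaddress module so the mask and AND steps stay visible, rejects non-contiguous masks, and cross-checks its result against the standard library. The function names are mine; the addresses are the deck's own.

```python
import ipaddress


def dotted_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer: four octets, each 0..255 (slide 14)."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)  # non-numeric text raises ValueError on its own
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range 0..255: {octet!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary_octets(value: int) -> str:
    """Render as four 8-bit groups, the deck's 'binary notation'."""
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/n = n contiguous 1-bits counted from the left (slide 56)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def is_contiguous_mask(mask: str) -> bool:
    """A valid netmask is 1-bits followed only by 0-bits; 255.0.255.0 is not."""
    m = dotted_to_int(mask)
    return mask_from_prefix(bin(m).count("1")) == m


def prefix_from_mask(mask: str) -> int:
    """255.255.240.0 -> 20."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bin(dotted_to_int(mask)).count("1")


def network_address(addr: str, prefix: int) -> str:
    """Slide 47: Network Address = IP Address AND Subnet Mask."""
    return int_to_dotted(dotted_to_int(addr) & mask_from_prefix(prefix))


def same_network(a: str, b: str, prefix: int) -> bool:
    """Slide 48: two addresses share a network iff their network addresses match."""
    return network_address(a, prefix) == network_address(b, prefix)


def matches_stdlib(addr: str, prefix: int) -> bool:
    """Cross-check the hand-rolled AND against the standard library."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return network_address(addr, prefix) == str(net.network_address)


def worked_example(addr: str, mask: str) -> str:
    """The three-row layout of slide 47 (IP, mask, AND result) as text."""
    prefix = prefix_from_mask(mask)
    ip, m = dotted_to_int(addr), mask_from_prefix(prefix)
    rows = [
        ("IP Address", addr, binary_octets(ip)),
        ("Subnet Mask", mask, binary_octets(m)),
        ("Network Address", int_to_dotted(ip & m), binary_octets(ip & m)),
    ]
    return "\n".join(f"{label:<16}{dec:<16}{bits}" for label, dec, bits in rows)


if __name__ == "__main__":
    print(worked_example("128.125.2.15", "255.255.255.0"))
    dst = "193.239.52.210"
    print(dst, "is in", network_address(dst, 20),
          "- same network as 193.239.32.0/20:", same_network(dst, "193.239.32.0", 20),
          "- agrees with ipaddress:", matches_stdlib(dst, 20))
```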
49. Internet Protocol version 4 (IPv4) – Design: Subnets
• The Classful IP address scheme provides a fixed number of Networks and a fixed number of Devices per network.
Class A: 1st Octet = Network; 2nd, 3rd, 4th Octet = Device – 128 networks; 16,777,216 devices
Class B: 1st, 2nd Octet = Network; 3rd, 4th Octet = Device – 16384 networks; 65,536 devices
Class C: 1st, 2nd, 3rd Octet = Network; 4th Octet = Device – 2,097,152 networks; 256 devices
• Subnetting enables the creation of multiple (sub)networks from a single classful network.
• It takes space from the Device portion to create additional Networks.
50. Internet Protocol version 4 (IPv4) – Design: Subnets
• A subnet (or subnetwork) is an identifiably separate part of an organization's network. It is a logical grouping of connected network devices.
• Network engineers employ subnets as a way to partition networks into smaller logical segments to improve performance, security and administration.
Diagram showing one Network partitioned into 4 smaller (sub)networks: Subnet A, Subnet B, Subnet C, Subnet D.
51. Internet Protocol version 4 (IPv4) – Design: Subnets
• An IP address is composed of two parts: a network and a device part.
• E.g. a Class A address of 10 has one network ID (10) and 16 million device IP addresses, e.g. 10.0.0.1, 10.0.0.2, etc.
– 16 million devices on one network introduces an unmanageable amount of chaos.
Network ID | Device Addresses
10         | 0.0.0 – 255.255.255
• Subnetting carves out a portion of the device address space to create additional networks, or subnets:
Network ID | Subnet (additional networks) | Device Addresses (reduced)
10         | Subnet 1 … Subnet n          | (reduced range)
52. Internet Protocol version 4 (IPv4) – Design: Subnets
• Example: create 5 networks from one Class B network ID, 128.125.0.0
– First, convert the IP address into binary notation.
128.125.0.0 = 10000000 01111101 00000000 00000000
              network  network  device   device
– Use enough “bits” from the device portion to create the desired number of subnets
10000000 01111101 11100000 00000000
network  network  subnet   device
– 3 bits will create 2^3 or 8 subnets
53. Internet Protocol version 4 (IPv4) – Design: Subnets
• 2^3 or 8 subnets (subnet bits are the first three bits of the third octet: 10000000 01111101 11100000 00000000 = network, subnet, device)
1 = 10000000 01111101 00000000 00000000 = 128.125.0.0
2 = 10000000 01111101 00100000 00000000 = 128.125.32.0
3 = 10000000 01111101 01000000 00000000 = 128.125.64.0
4 = 10000000 01111101 01100000 00000000 = 128.125.96.0
5 = 10000000 01111101 10000000 00000000 = 128.125.128.0
6 = 10000000 01111101 10100000 00000000 = 128.125.160.0
7 = 10000000 01111101 11000000 00000000 = 128.125.192.0
8 = 10000000 01111101 11100000 00000000 = 128.125.224.0
• In some older implementations, the first and last subnets are reserved. They correspond to IP addresses where the subnet bits are all “0” or all “1”.
• Each of these subnets has 2^(16-3), i.e. 2^13 or 8192 device IP addresses
54. Internet Protocol version 4 (IPv4) – Design: Subnets
128.125.128.0 = 10000000 01111101 10000000 00000000
Subnet 128.125.128.0 has 2^(16-3), i.e. 2^13 or 8192 device IP addresses:
10000000 01111101 10000000 00000000   Subnet Address
10000000 01111101 10000000 00000001   VPC Router
10000000 01111101 10000000 00000010   DNS
10000000 01111101 10000000 00000011   Future Use
...
10000000 01111101 10011111 11111111   Broadcast Address
The first 4 and the last IP address in this and every subnet in AWS are reserved.
55. Internet Protocol version 4 (IPv4) – Design: Subnets
• AWS reserves 5 IP addresses in each subnet CIDR block. They cannot be assigned to an instance.
– the first 4 addresses are reserved for infrastructure services
– the last 1 IP address is the broadcast
• E.g., in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
IP Address | Status                               | Description
10.0.0.0   | Subnet address.                      | Network
10.0.0.1   | Reserved by AWS for the VPC router.  | Gateway
10.0.0.2   | DNS                                  | DNS server
10.0.0.3   | Reserved by AWS for future use.      | Reserved
10.0.0.255 | Network broadcast address.           | Broadcast not supported in VPC.
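Slides 52 to 55 as an added Python example using the standard ipaddress module (this is not the deck's code): it borrows three subnet bits from 128.125.0.0/16, flags the all-zeros and all-ones subnets that older implementations reserve, and lists the five addresses AWS reserves in any subnet in the layout of slide 55. The function names are mine; the minimum-size check in aws_reserved_addresses is my assumption, not an AWS rule stated on the page.

```python
import ipaddress


def borrow_bits(network: str, borrow: int) -> list[ipaddress.IPv4Network]:
    """Slides 52/53: take 'borrow' bits from the device portion to create
    2**borrow subnets, each with 2**(device_bits - borrow) addresses."""
    net = ipaddress.ip_network(network, strict=True)  # host bits must be zero
    if net.prefixlen + borrow > 32:
        raise ValueError("not enough device bits to borrow")
    return list(net.subnets(prefixlen_diff=borrow))


def reserved_in_older_implementations(subnet: ipaddress.IPv4Network,
                                      parent_prefixlen: int) -> bool:
    """Slide 53: the subnet whose subnet bits are all '0' (subnet zero) and the
    one whose subnet bits are all '1' are reserved by some older implementations."""
    subnet_bits = subnet.prefixlen - parent_prefixlen
    if subnet_bits <= 0:
        return False
    # Shift the network address right so the subnet field is the low bits, then mask it.
    field = (int(subnet.network_address) >> (32 - subnet.prefixlen)) & ((1 << subnet_bits) - 1)
    return field in (0, (1 << subnet_bits) - 1)


def aws_reserved_addresses(cidr: str) -> dict[str, str]:
    """Slide 55: the first four and the last address of every AWS subnet are reserved."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses < 8:  # assumption: anything smaller leaves no room for hosts
        raise ValueError("subnet too small to hold the five reserved addresses")
    first = int(net.network_address)
    return {
        "Subnet address": str(ipaddress.ip_address(first)),
        "VPC router": str(ipaddress.ip_address(first + 1)),
        "DNS server": str(ipaddress.ip_address(first + 2)),
        "Future use": str(ipaddress.ip_address(first + 3)),
        "Broadcast (not supported in VPC)": str(net.broadcast_address),
    }


def usable_aws_hosts(cidr: str) -> int:
    """Addresses an instance can actually be given: total minus the five reserved."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def plan_report(network: str, borrow: int) -> list[str]:
    """One line per subnet, as a designer would check before creating VPC subnets."""
    parent_prefixlen = ipaddress.ip_network(network, strict=True).prefixlen
    lines = []
    for i, sub in enumerate(borrow_bits(network, borrow), start=1):
        note = ""
        if reserved_in_older_implementations(sub, parent_prefixlen):
            note = " (reserved in older implementations)"
        lines.append(f"{i} = {sub}  {sub.num_addresses} addresses, "
                     f"{usable_aws_hosts(str(sub))} usable in AWS{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(plan_report("128.125.0.0/16", 3)))
    for role, addr in aws_reserved_addresses("10.0.0.0/24").items():
        print(f"{addr:<12} {role}")
```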
56. Internet Protocol version 4 (IPv4) – Design: Classless
• Classless Inter-Domain Routing (CIDR), as the name implies, eliminates the concept of IP address classes
– A step beyond subnetting
– Virtualizes the Classful IP address space
– Introduced the slash notation, which identifies the mask (fixed bits)
• 192.168.16.0/24 fixes the 1st 24 bits from the left as the Network ID
• the remaining 8 bits are used for Device addressing
– The subnet mask (or fixed bits) can be expressed in one of three notations:
• Binary – 11111111.11111111.11100000.00000000
• Decimal – 255.255.224.0
• Slash – /19
– The binary notation is a contiguous string of “1”s, counted from the left
57. Internet Protocol version 4 (IPv4) – Design: Classless
• Classless Inter-Domain Routing (CIDR)
– Is a type of variable length subnet mask (VLSM)
– Provides a mechanism to vary the number of “fixed bits” of an IP address
– Allowing flexible management of the IP address space of a network ID
• To partition a single Class B (/16) network into four sub-networks (/18)…
– …“borrow” two bits from the device portion to create four additional (sub)networks
Network | Device = 11111111 11111111 00000000 00000000 (the /16 mask)
Subnet 1 | Device
Subnet 2 | Device
Subnet 3 | Device
Subnet 4 | Device
58. Internet Protocol version 4 (IPv4) – Design: Classless
• A service provider may need to break a Network ID into multiple (sub)networks and assign each one to a separate subscriber
• They do this via CIDR
Before (one Class A network):
1st Octet (Network) | 2nd Octet (Device) | 3rd Octet (Device) | 4th Octet (Device)
00101000 = 40       | 00000000 = 0       | 00000000 = 0       | 00000000 = 0
• To create 1024 subnets from the one Class A network above, take 10 bits from the Device portion to create 2^10 subnets
• Instead of one network, the SP has 1024 networks to share with its subscribers
After (10 subnet bits borrowed):
1st Octet (Network) | 2nd Octet (Subnet)  | 3rd Octet (Subnet)  | 4th Octet (Device)
00101000 = 40       | 11111111 = 0 - 255  | 11000000 = 0 - 192  | 00000000 = 0
59. Internet Protocol version 4 (IPv4) – Design: CIDR vs Subnetting
Subnetting
• Logically partitions a network into subnetworks
• Starts by assuming a Classful IP address
• It then moves the subnet mask size to the right
• Uses the device bits to create additional subnets
• Result: the network gets partitioned into multiple subnetworks
CIDR
• Partitions a network into subnets or summarizes subnets into a network
• No reference to Class
• Enables hierarchical network management
• Moves the “subnet mask size” left or right
• Enables flexible and efficient grouping of IP addresses
60. Internet Protocol version 4 (IPv4) – Design: IP Registry
• There are five Regional Internet Registries (RIRs) around the world (e.g. ARIN, RIPE NCC, APNIC).
• ICANN, under the auspices of the Internet Assigned Numbers Authority (IANA), allocates blocks of IP addresses to the five RIRs.
• An RIR allocates CIDR blocks to individual organizations and people.
62. Types of IP Addresses
IPv4 (IP Version 4)
• 32-bit address space (2^32 potential addresses)
• Dotted decimal notation (128.125.253.136)
• Address Depletion Countermeasures: CIDR, NAT, Private IP
IPv6 (IP Version 6)
• 128-bit address space (2^128 potential addresses)
• Hexadecimal notation (2001:0DB8:85A3:0000:0000:8A2E:0370:7334)
• Standardized in 1996. First production allocations in 1999.
63. Internet Protocol version 6 (IPv6)
2001:0db8:00a3:0000:0000:8a2e:0370:7334
• Field: 4 hexadecimal digits = 16 bits
• Eight 16-bit Fields: 8 x 16 bits = 128 bits
• 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
• 0 – ffff . 0 – ffff . 0 – ffff . 0 – ffff . 0 – ffff . 0 – ffff . 0 – ffff . 0 – ffff
• This is why an IPv6 address is said to be a 128-bit number.
64. Internet Protocol version 6 (IPv6)
Field: 4 hexadecimal digits = 16 bits
2001:0db8:00a3:0000:0000:8a2e:0370:7334
2001:db8:a3:0:0:8a2e:370:7334 (leading zeros suppressed)
2001:db8:a3::8a2e:370:7334 (run of zero fields replaced by ::)
65. Internet Protocol version 6 (IPv6)
• IPv6
– Developed by the Internet Engineering Task Force (IETF)
– Defined in RFC 8200
– Addresses devices on the network
– Replacement for IPv4
– 2^128 (or approximately 340 trillion trillion trillion) addresses
– Usually written in hexadecimal format
• e.g. 2A03:2880:F122:0083:FACE:B00C:0000:25DE
– In binary format: eight 16-bit fields separated by colons (shown below in groups of four bits)
• e.g. 0010 1010 0000 0011 0010 1000 1000 0000 1111 0001 0010 0010 0000 0000 1000 0011
1111 1010 1100 1110 1011 0000 0000 1100 0000 0000 0000 0000 0010 0101 1101 1110
– New features, e.g. Stateless Address Autoconfiguration (SLAAC)
66. Ridiculously Large Numbers
Name        | # of Zeros | Long Form
million     | 6          | 1,000,000
billion     | 9          | 1,000,000,000 (IPv4: 4.3 billion)
trillion    | 12         | 1,000,000,000,000
quadrillion | 15         | 1,000,000,000,000,000
quintillion | 18         | 1,000,000,000,000,000,000
sextillion  | 21         | 1,000,000,000,000,000,000,000
septillion  | 24         | 1,000,000,000,000,000,000,000,000
octillion   | 27         | 1,000,000,000,000,000,000,000,000,000
nonillion   | 30         | 1,000,000,000,000,000,000,000,000,000,000
decillion   | 33         | 1,000,000,000,000,000,000,000,000,000,000,000
undecillion | 36         | 1,000,000,000,000,000,000,000,000,000,000,000,000 (IPv6: 340 undecillion)
67. There are 2^32 possible IPv4 addresses. They have now all been claimed.
Various solutions such as CIDR, NAT and Private Addresses were developed to extend its life. That effort has run its course.
IPv6, the next generation IP address scheme, with 2^128 possible addresses, is in the initial phase of deployment.
68. Types of IP Addresses – An IPv4 Address
128 . 125 . 253 . 136
10000000 01111101 11111101 10001000
Eight bits = One Octet = 1 Byte
Four octets = 32 bits
69. Types of IP Addresses – An IPv6 Address
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Eight groups of four hexadecimal digits delimited by colons; each group is a hextet (or field), with a colon delimiter between hextets.
2001 = 0010 0000 0000 0001
0db8 = 0000 1101 1011 1000
85a3 = 1000 0101 1010 0011
0000 = 0000 0000 0000 0000
0000 = 0000 0000 0000 0000
8a2e = 1000 1010 0010 1110
0370 = 0000 0011 0111 0000
7334 = 0111 0011 0011 0100
32 hexadecimal digits = eight hextets = 128 bits
70. Types of IP Addresses
• A single IPv6 address can be represented in different ways:
– 2001:0db8:0000:0000:0001:0000:0000:0001
– 2001:db8:0:0:1:0:0:1
– 2001:0db8:0:0:1:0:0:1
– 2001:db8::1:0:0:1
– 2001:0db8::1:0:0:1
– 2001:db8:0:0:1::1
– 2001:db8:0000:0:1::1
– 2001:DB8:0:0:1::1
• There are best practice rules to produce the correct
representation…
71. Recommendations for IPv6 Text Representation
• Suppress leading zeros
– E.g., 2001:0db8::0001 to 2001:db8::1.
A single 16-bit 0000 field MUST be represented as 0
• Shorten Contiguous Zeros as Much as Possible
– E.g., 2001:db8:0:0:0:0:2:1 to 2001:db8::2:1.
Likewise 2001:db8::0:1 to 2001:db8::1
• Don’t Use “::” to Shorten Just One 16-bit Field
– E.g., 2001:db8:0:1:1:1:1:1, not 2001:db8::1:1:1:1:1
• The longest run of consecutive 16-bit “0” fields MUST be shortened
– E.g. 2001:0:0:1:0:0:0:1 is shortened to 2001:0:0:1::1.
If two runs are of equal length, the first sequence of zero fields MUST be shortened, e.g.
2001:db8:0:0:1:0:0:1 to 2001:db8::1:0:0:1
• Use Lowercase
– "a", "b", "c", "d", "e", and "f" MUST be represented in lowercase
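The rules of slides 70 and 71 implemented as an added Python example (not from the deck): compress_ipv6 reduces any of the eight spellings on slide 70 to the one recommended form, and matches_stdlib cross-checks it against ipaddress.IPv6Address.compressed. The operational point is that security-group rules, allow-lists and log searches that compare IPv6 addresses as strings will miss matches unless both sides are canonicalized first. Function names are mine; dotted-quad (IPv4-suffix) forms are out of scope for this parser.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> list[int]:
    """Parse an IPv6 text form into eight 16-bit fields.
    Accepts suppressed leading zeros and at most one '::'."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        parts = head_fields + ["0"] * missing + tail_fields
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    fields = []
    for part in parts:
        if not 1 <= len(part) <= 4 or not set(part) <= HEX_DIGITS:
            raise ValueError(f"bad field {part!r}")
        fields.append(int(part, 16))
    return fields


def longest_zero_run(fields: list[int]) -> tuple[int, int]:
    """(start, length) of the longest run of zero fields; the first run wins a tie.
    Returns (-1, 0) when no field is zero."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(fields):
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < len(fields) and fields[j] == 0:
            j += 1
        if j - i > best_len:  # strictly greater, so an earlier run of equal length is kept
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def compress_ipv6(text: str) -> str:
    """Recommended text representation (slide 71): lowercase, leading zeros
    suppressed, the longest run of two or more zero fields replaced by '::'."""
    fields = expand_ipv6(text)
    hexs = [format(f, "x") for f in fields]  # 'x' is lowercase and drops leading zeros; 0 -> '0'
    start, length = longest_zero_run(fields)
    if length < 2:  # never use '::' for just one field
        return ":".join(hexs)
    return ":".join(hexs[:start]) + "::" + ":".join(hexs[start + length:])


def same_ipv6(a: str, b: str) -> bool:
    """Compare two addresses by value, not by spelling."""
    return expand_ipv6(a) == expand_ipv6(b)


def matches_stdlib(text: str) -> bool:
    """Cross-check against the standard library's canonical form."""
    return compress_ipv6(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    # The spellings from slide 70, all of which denote the same address.
    for spelling in ["2001:0db8:0000:0000:0001:0000:0000:0001", "2001:db8:0:0:1::1",
                     "2001:DB8:0:0:1::1"]:
        print(f"{spelling:<40} -> {compress_ipv6(spelling)}  stdlib agrees: {matches_stdlib(spelling)}")
    print("string equality:", "2001:DB8:0:0:1::1" == "2001:db8::1:0:0:1",
          "value equality:", same_ipv6("2001:DB8:0:0:1::1", "2001:db8::1:0:0:1"))
```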
73. Ethernet
Ethernet v2 (Most Common)
• also known as Ethernet II
• originally DIX – Digital, Intel, Xerox
• contains the Type field
• maximum Ethernet payload size is 1500 bytes
• RFC 894: specification for IPv4 encapsulation
IEEE 802.3 + 802.2 LLC (IEEE or Proprietary)
• Implementation of the OSI Data Link layer
• LLC – Logical Link Control – enables error correction and flow control
• Type field replaced by Length field
• maximum Ethernet payload size is 1497 bytes
• RFC 1042: specification for IPv4 encapsulation
Ethernet RAW
• Used by Novell Netware
• encapsulated the IPX protocol inside the Ethernet frame
IEEE 802.3 + LLC + SNAP (IEEE or Proprietary)
• Specific vendor proprietary implementations
• SNAP (Sub-Network Access Protocol)
• Type field replaced by Length field
• maximum Ethernet payload size is 1492 bytes
• RFC 1042: specification for IPv4 encapsulation
74. Ethernet Frame
• Ethernet v2 is most common
– IEEE 802.3 is used mainly by certain IEEE or proprietary protocols.
• Ethernet encapsulates higher layer (L3 – 7) protocols in header fields and a
Frame Check Sequence (FCS) footer field.
Ethernet v2 frame layout:
– Preamble (8 bytes): synchronization & start of frame
– Destination (6 bytes): MAC address of the receiver (MAC layer header)
– Source (6 bytes): MAC address of the sender (MAC layer header)
– Type (2 bytes): describes the protocol encapsulated in the Payload (MAC layer header)
– Payload (46 – 1500 bytes): data & header from the higher layer protocol; its maximum size is the Ethernet MTU
– FCS (4 bytes): a CRC value for frame integrity
76. Media Access Control (MAC) Address
• 48-bit (6-octet) address space
– Equally divided into: vendor and device parts
• 2^48 = 281,474,976,710,656 possible addresses
• Uniquely identifies the network interface card (NIC)
• Assigned by the NIC manufacturer
• Media Access Layer of OSI and Data Link Layer of TCP/IP
78. Maximum Transmission Unit (MTU)
• Maximum transmission unit (MTU) is
– a characteristic of a network connection
– the largest permissible packet that can be passed by a protocol
– measured in bytes
– different for different protocols
• An Ethernet frame consists of the payload, i.e. the data (variable size),
and the network overhead (fixed size)
• A large MTU increases data and reduces overhead per packet.
• Smaller values can reduce network delay.
79. Jumbo Frame
• Standard Ethernet v2 frame format: 1500 bytes
• Jumbo frame format: 1501 – 9000 bytes
• AWS jumbo frame format: 9001 bytes
• AWS: jumbo frames are supported only within a VPC.
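Slides 73 – 79 describe the Ethernet v2 frame, the Type-versus-Length distinction with IEEE 802.3, the MAC address split, and the MTU. The block below is an added example, not code from the deck: a Python frame builder and parser that pads runt payloads, verifies the CRC-32 FCS, tells a Type field from an 802.3 Length field, enforces a configurable MTU (1500 by default, 9001 for the AWS jumbo case), and decodes the vendor (OUI) half and the two flag bits of a MAC address. The EtherType constants are the real registered values; the MAC addresses and payload in the usage section are constructed.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Registered EtherType values for the Ethernet v2 Type field. A value of 1500 or
# below in the same position marks an IEEE 802.3 frame, where the field is a Length.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
MAX_8023_LENGTH = 1500
HEADER_LEN = 14     # dst(6) + src(6) + type/length(2); the preamble is stripped by the NIC
FCS_LEN = 4
MIN_PAYLOAD = 46


@dataclass(frozen=True)
class EthernetFrame:
    dst: str
    src: str
    ethertype: Optional[int]   # set for Ethernet v2
    length: Optional[int]      # set for IEEE 802.3 (Type field used as Length)
    payload: bytes
    fcs_ok: bool


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_info(mac: str) -> dict:
    """Split a MAC into its vendor (OUI) and device halves and decode the two flag
    bits of the first octet: bit 0 = multicast/group, bit 1 = locally administered."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has 6 octets")
    return {
        "oui": mac_to_str(octets[:3]),
        "device": mac_to_str(octets[3:]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


def compute_fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS is CRC-32 (the IEEE 802.3 polynomial, the same one zlib uses),
    transmitted least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, mtu: int = 1500) -> bytes:
    """Assemble an Ethernet v2 frame (without preamble) and append its FCS."""
    if len(payload) > mtu:
        raise ValueError(f"payload of {len(payload)} bytes exceeds MTU {mtu}")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")   # pad short payloads to the 46-byte minimum
    body = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)
    return body + compute_fcs(body)


def parse_frame(raw: bytes, mtu: int = 1500) -> EthernetFrame:
    """Parse a captured frame, decide Type vs Length, and verify the trailing FCS."""
    if len(raw) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("runt frame")
    if len(raw) > HEADER_LEN + mtu + FCS_LEN:
        raise ValueError("frame exceeds MTU")
    dst, src = mac_to_str(raw[0:6]), mac_to_str(raw[6:12])
    type_or_len = struct.unpack("!H", raw[12:14])[0]
    payload, trailer = raw[HEADER_LEN:-FCS_LEN], raw[-FCS_LEN:]
    fcs_ok = compute_fcs(raw[:-FCS_LEN]) == trailer
    if type_or_len <= MAX_8023_LENGTH:
        return EthernetFrame(dst, src, None, type_or_len, payload, fcs_ok)
    return EthernetFrame(dst, src, type_or_len, None, payload, fcs_ok)


if __name__ == "__main__":
    # Constructed sample: a broadcast frame from a locally administered MAC carrying 20 payload bytes
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:5e:10:00:01", ETHERTYPE_IPV4,
                        b"\x45\x00" + b"\x00" * 18)
    print(parse_frame(frame))
    print(mac_info("02:00:5e:10:00:01"))
```

A frame whose FCS does not verify is discarded by the receiving NIC and never reaches the IP layer, which is why FCS errors surface only as interface counters, not in application logs; the `fcs_ok` flag here makes that decision visible. The MTU parameter shows the jumbo-frame rule from slide 79: the same parser accepts a 9001-byte payload only when told the link supports it.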
81. Gateways
• As the name implies, a gateway:
– Is a key control point into or out of a network
– Exists at the edge of a network
– Controls and inspects traffic going in and out of the network
– Joins two (or more) networks together
• Can operate at any layer of the ISO-OSI model, typically 3 – 7.
• In strict usage, a gateway connects networks with dissimilar
protocols
– E.g. TCP/IP and IBM SNA, or TCP/IP and Honeywell Bull DSA
– AWS uses a more relaxed definition of gateways, without the protocol
conversion function
82. Some Gateways Available on AWS
• Customer GW
• Internet Gateway (IGW)
• VPC Peering
• VPC Router
• VPN Connection
• NAT Gateway
• Direct Connect
• Virtual Private Cloud (VPC)
• Virtual Private Gateway (VGW)
• Storage Gateway (SGW)
• Elastic Load Balancer (ELB)
83. Virtual Private Cloud (VPC)
• Amazon Virtual Private Cloud (Amazon VPC)
– provision a logically isolated section of the AWS Cloud
– launch AWS resources in your defined virtual networks
– control over the virtual networking environment
• selection of your own IP address range
• creation of public and/or private subnets
• configuration of route tables and network gateways
– leverage layers of security, including:
• security groups to control access to instances
• network access control lists, to control access to subnets
84. [Diagram: a Region containing VPC 1 … VPC n; each VPC spans Availability Zone 1 and Availability Zone 2 with Subnet 1 and Subnet 2, and is served by a Router, an Internet GW, VPC Peering, a Virtual Private GW and a VPN.]
85. VPC Router
• The VPC router processes the routes in a Route Table and directs the traffic flow accordingly
• Using the route table
– routers identify the next router in the path
– send packets towards the destination
• Enables EC2 instances to communicate with each other across subnets in the same VPC
• Enables subnets, Internet gateways, and virtual private gateways to communicate with one
another.
• Route tables contain routes to:
– an instance
– Internet gateway
– virtual private gateway
– NAT gateway
– VPC peer
– VPC endpoint
86. Route Table
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
[Diagram: VPC 1 with Subnet 1 in Availability Zone 1 and Subnet 2 in Availability Zone 2; each subnet holds instances and has its own Route Table, and both reach each other through the Router.]
Route tables are assigned to subnets.
87. Route Table
Each subnet in your VPC must be associated with a route table.
[Diagram: two arrangements of a Router holding Route Table A and Route Table B, with Subnet 1 and Subnet 2 associated to them.]
A subnet can be associated with one route table at a time.
You can associate multiple subnets with the same route table.
88. Route Table
Destination      Target   Status   Propagated
172.16.0.0/16    Local    Active   No
172.31.0.0/24    VGW-id   Active   Yes
10.10.0.0/24     PL-id    Active   No
0.0.0.0/0        IGW-id   Active   No
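A VPC router resolves a destination against a route table by longest-prefix match: the most specific matching route wins, and the 0.0.0.0/0 entry only catches what nothing else matched. The block below is an added Python example, not code from the deck or from AWS: it loads the table on slide 88 (the target IDs are the slide's own placeholders), performs the lookup, and adds a constructed private-subnet table to show how the target of the default route decides whether a subnet is public.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Taken from the route table on slide 88; target IDs are placeholders, as on the slide.
ROUTE_TABLE: List[Route] = [
    ("172.16.0.0/16", "Local"),   # the VPC's own CIDR
    ("172.31.0.0/24", "VGW-id"),  # propagated from the virtual private gateway
    ("10.10.0.0/24", "PL-id"),    # VPC peering connection
    ("0.0.0.0/0", "IGW-id"),      # default route: everything else goes to the Internet gateway
]

# Constructed private-subnet table: no Internet gateway, default route via a NAT gateway
PRIVATE_ROUTE_TABLE: List[Route] = [
    ("172.16.0.0/16", "Local"),
    ("10.0.0.0/8", "VGW-id"),
    ("0.0.0.0/0", "NAT-id"),
]


def lookup(route_table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose destination contains dst_ip wins.
    Returns None when no route matches, i.e. the router drops the packet."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def default_target(route_table: List[Route]) -> Optional[str]:
    """Target of the 0.0.0.0/0 route, if any. A subnet whose default route points at an
    Internet gateway is a public subnet; one whose default route points at a NAT gateway,
    or that has no default route at all, is private."""
    for cidr, target in route_table:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return target
    return None


if __name__ == "__main__":
    for ip in ("172.16.4.9", "172.31.0.200", "10.10.0.3", "203.0.113.7"):
        print(ip, "->", lookup(ROUTE_TABLE, ip))
    print("public subnet:", default_target(ROUTE_TABLE) == "IGW-id")
```

When reviewing a VPC, the default route is the first thing to read: a 0.0.0.0/0 route to an IGW makes every instance in that subnet directly reachable from the Internet as soon as it has a public address, which is why it should appear only on subnets meant to be public.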
89. VPC Peering
• A VPC peering connection is
– a networking connection between two VPCs
– enables you to route traffic between the two VPCs
• Instances in either VPC can communicate with each other as if they are
within the same network.
• You can create a VPC peering connection between:
– your own VPCs
– your VPC and a VPC in another AWS account.
• AWS uses the existing infrastructure of a VPC to create a VPC peering
connection
90. [Diagram: a Region with VPC 1 … VPC n across Availability Zone 1 and Availability Zone 2; the VPCs hold Subnet 1 – Subnet 4, each VPC has a Router and an Internet GW, and a VPC Peering link joins the VPCs.]
91. Internet Gateway
• An Internet Gateway (IGW)
– is attached to the VPC
– is horizontally scalable, redundant, and highly available
– allows communication between instances in your VPC and the Internet
• Acts as a control point between an Amazon VPC and the Internet
– providing your AWS resources access from the VPC subnet to the Internet
92. Virtual Private Gateway (VGW)
• A service that presents an IPsec AWS managed VPN connection
– connectivity from your VPC to your on-premise data center
– makes the AWS Cloud an extension of a corporate data center
• The VPN connection consists of:
– a virtual private gateway attached to your VPC
– a customer gateway located in the corporate data center
• A virtual private gateway is the VPN concentrator on the AWS side of
the VPN connection.
• A customer gateway is a physical device or software appliance on the
corporate side of the VPN connection.
93. Virtual Private Gateway (VGW)
[Diagram: the Customer Network, through its Customer Gateway, reaches the Virtual Private Gateway of the Amazon VPC across the Internet over redundant VPN connections with IPsec.]
94. VPN Connection
• A VPC VPN Connection:
– establishes an encrypted connection utilizing IPsec
– between an on-premise data center and Amazon VPC over the Internet
• Use cases include:
– quicker deployment (compared with AWS Direct Connect)
– applications with low to modest bandwidth requirements
– applications that can tolerate the inherent variability in Internet-based
connectivity
– leveraging existing data center resources
95. Customer Gateway
• A customer gateway is:
– a physical device or software appliance
– the anchor on the corporate side of the connection
• The customer gateway connects to the virtual private gateway on the
AWS side through the VPN connection
[Diagram: Customer Network connected to Amazon VPC]
96. Direct Connect
• AWS Direct Connect
– Connects an on-premise datacenter to AWS through a private network
connection
– Is an alternative to using the Internet to access the AWS cloud
– Gives access to all AWS services, including EC2, VPC, S3, and DynamoDB
• Maintains separate network access to public (e.g. S3)
and private resources (e.g. EC2) using 802.1q VLANs
• Benefits: reduced network costs, increased throughput,
consistent network experience
98. Network Address Translation – NAT
[Diagram: devices with private IP addresses on the intranet (10.1.1.15, 10.1.1.16, 10.1.1.20) sit behind a NAT-enabled device with public address 192.17.1.1, which faces an Internet with only public addresses.]
• The NAT-enabled device maps private to public addresses and accepts the return traffic on
behalf of the Instance
• It blocks private IP addresses from leaving the intranet
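The three NAT behaviours on slide 98 (mapping private to public addresses, accepting return traffic on behalf of the instance, and keeping private addresses from leaving the intranet) as an added Python simulation; this is not code from the deck. It models port address translation, the common form in which one public address is shared by many private hosts, uses the slide's addresses (10.1.1.16 behind 192.17.1.1), and a constructed external host 203.0.113.10 from the documentation range. The class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Port address translation: private (ip, port) pairs are rewritten to the device's
    public address and a unique public port; replies are mapped back from that port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        if ipaddress.ip_address(public_ip).is_private:
            raise ValueError("the NAT device needs a public address on its outside interface")
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound: Dict[Endpoint, int] = {}   # (private ip, private port) -> public port
        self._inbound: Dict[int, Endpoint] = {}    # public port -> (private ip, private port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the intranet, creating a mapping on first use."""
        if not ipaddress.ip_address(pkt.src_ip).is_private:
            return pkt   # already a routable source; nothing to translate
        key: Endpoint = (pkt.src_ip, pkt.src_port)
        if key not in self._outbound:
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self._inbound[public_port] = key
        return Packet(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Accept return traffic for an existing mapping and deliver it to the private host;
        anything without a mapping (unsolicited inbound) is dropped, returned as None."""
        if pkt.dst_ip != self.public_ip:
            return None
        private = self._inbound.get(pkt.dst_port)
        if private is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, private[0], private[1])


def egress_allowed(pkt: Packet) -> bool:
    """Border filter: a packet with an RFC 1918 source must not leave the intranet untranslated."""
    return not ipaddress.ip_address(pkt.src_ip).is_private


if __name__ == "__main__":
    nat = NatDevice("192.17.1.1")
    request = Packet("10.1.1.16", 40000, "203.0.113.10", 443)
    outside = nat.translate_outbound(request)
    print("leaves as", outside, "allowed:", egress_allowed(outside))
    reply = Packet("203.0.113.10", 443, outside.src_ip, outside.src_port)
    print("delivered to", nat.translate_inbound(reply))
```

The `translate_inbound` drop of unmapped packets is the property that makes a NAT gateway one-directional: hosts behind it can start conversations outward, but nothing on the Internet can start one inward, which is the behaviour a private subnet relies on.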
99. Storage Gateway
• On-premise virtual appliance
• Applications connect to S3
• Storage types: File GW, Volume GW, VTL GW
• Hybrid storage between on-premises environments and the AWS Cloud
• Low-latency performance
• Integration with AWS encryption, identity management, monitoring, and storage services
[Diagram: on-premise Storage Gateway (File GW / Vol GW / VTL GW) connected to AWS S3]
100. Storage Gateway
• Each AWS Storage Gateway supports one of three storage
interfaces:
– file gateway
• uses the NFS protocol to store and retrieve files as Amazon S3 objects
• configured S3 buckets are made available as Network File System (NFS) mount points
– volume gateway
• provides S3-backed volumes, mounted as iSCSI devices by your on-premises application servers
• runs in cached mode, where frequently accessed data is cached locally, or stored mode,
where the entire data set is available locally
– tape gateway
• exposes a virtual tape library (VTL) interface for your backup application
• virtual tape data is stored in Amazon S3 or archived to Amazon Glacier
101. Routing Protocols
• Border Gateway Protocol (BGP)
– an inter-Autonomous System (AS) routing protocol
– Exchange routing and reachability data between autonomous systems (AS)
– the external routing protocol of choice of tier 1 ISPs
– current version is version 4
– RFC 4271
– Uses TCP as the transport layer protocol
• via port 179
– Used in AWS by the AWS Direct Connect service
103. AWS Notes
• Conserving IPv4
– In the default VPC, each Instance launched into a default Subnet has a Private and Public
IPv4 Address. By default, each instance that you launch into a non-default Subnet has a
private IPv4 address, but no public IPv4 address, unless you specifically assign one at
launch, or you modify the subnet's public IP address attribute.
– Public IPv4 addresses are not persistent. They are reused once the Resource is terminated.
To get a persistent Public IPv4 address, use an Elastic IP address.
• Not supported in AWS:
– Broadcast
– Multicast
– ARP
– DCCP/SCTP
104. Terms
• Ingress vs. Egress
• Well Known Ports
• Ephemeral Ports
• Stateful vs. Stateless
• VLSM
• Supernet
• CIDR Block
• Leading bit