An over

1. AWS Network
Architecture
Simpl(est) way to guarantee uptime.

2. Terms – Regions & Availability Zones
 AZ is the standard abbreviation for Availability Zone.
 From Amazon: Amazon EC2 is hosted in multiple locations world-wide. These
locations are composed of regions and Availability Zones. Each region is a
separate geographic area. Each region has multiple, isolated locations known
as Availability Zones. Amazon EC2 provides you the ability to place resources,
such as instances, and data in multiple locations. Resources aren't replicated
across regions unless you do so specifically.
 RDS & S3 support multi AZ natively (but NOT multi region).
 VPC’s are multi AZ but NOT multi region.
AZ
Region Availability Zone

3. Terms – Virtual Private Cloud
 VPC is the standard abbreviation for Virtual Private Cloud.
 From Amazon: Amazon Virtual Private Cloud (Amazon VPC) lets you provision a
logically isolated section of the Amazon Web Services (AWS) Cloud where you
can launch AWS resources in a virtual network that you define. You have
complete control over your virtual networking environment, including
selection of your own IP address range, creation of subnets, and configuration
of route tables and network gateways.
 Can have public and private subnets, we’ll just be using private which means
no internet access in or out.
 Used to:
 Create our own private network inaccessible from the internet.

4. Terms – Internet Gateway/Router
 From Amazon: By default, instances that you launch into a virtual private
cloud (VPC) can't communicate with the Internet. You can enable access to
the Internet from your VPC by attaching an Internet gateway to the VPC,
ensuring that your instances have a public IP address, creating a custom route
table, and updating your security group rules.
 Like a ‘hardware’ firewall/router, just software based and easily configured.
 Used To:
 Internet Gateway allows public routing of any public IP addresses and load
balancers inside the VPC.
 Router (or routing rules) allow traffic to be directed where it should/can go,
usually be subnets.
Internet Gateway Router

5. Terms – Elastic Load Balancer
 ELB is the standard abbreviation for Elastic Load Balancer.
 From Amazon: Elastic Load Balancing automatically distributes your incoming
application traffic across multiple Amazon EC2 instances. It detects unhealthy
instances and reroutes traffic to healthy instances until the unhealthy
instances have been restored. Elastic Load Balancing automatically scales its
request handling capacity in response to incoming traffic.
 Used to:
 Distribute network load between multiple availability zones.
 Distribute network load between multiple machines in one availability zone.

6. Terms – Elastic IP
 EIP is the standard abbreviation for Elastic IP.
 From Amazon: An Elastic IP address (EIP) is a static IP address designed for
dynamic cloud computing. With an EIP, you can mask the failure of an
instance or software by rapidly remapping the address to another instance in
your account. Your EIP is associated with your AWS account, not a particular
instance, and it remains associated with your account until you choose to
explicitly release it.
 Is just a reusable static IP.
 Used to:
 Create external DNS accessible routing.
 Allows public internet access.

7. Terms – Bastion Instance
 From Wikipedia: A Bastion host is a special purpose computer on a network
specifically designed and configured to withstand attacks. The computer
generally hosts a single application, for example a proxy server, and all other
services are removed or limited to reduce the threat to the computer. It is
hardened in this manner primarily due to its location and purpose, which is
either on the outside of the firewall or in the DMZ and usually involves access
from untrusted networks or computers.
 Is just another EC2 Instance running software.
 Used to:
 Allow software VPN tunnels from developers/administrators access.
 Allow multiple regions to be connected via a live tunnel.

8. Terms – NAT Instance
 NAT stands for Network Address Translation (your router at home does this).
 From Amazon: Instances that you launch into a private subnet in a virtual
private cloud (VPC) can't communicate with the Internet. You can optionally
use a network address translation (NAT) instance in a public subnet in your
VPC to enable instances in the private subnet to initiate outbound traffic to
the Internet, but prevent the instances from receiving inbound traffic
initiated by someone on the Internet.
 Is just another EC2 Instance running software.
 Used to:
 Allow computers inside the private subnet to connect to the internet and resources
like S3 that are routed in public space.
NAT

9. Terms - Subnet
 From Wikipedia: A subnetwork, or subnet, is a logically visible subdivision of
an IP network. The practice of dividing a network into two or more networks
is called subnetting. … Traffic between subnetworks is exchanged
or routed with special gateways called routers which constitute the logical or
physical boundaries between the subnets.
 Essentially divide the IP addresses of computers to make rules for where
traffic should/can go easy to program.
 ‘Public’ subnets are visible from the internet, ‘Private’ ones are not.
 Used to:
 Easily route traffic correctly (like outbound traffic through the NAT instance).

10. region
Web
App
Web
App
Multiple Region Network Topology
Network Ingress
Network Egress
Network Backchannel
Network IPSEC Tunnel
Network Tunneled Connection
Internet
Read/
Write
Read
Region (us-west-1) Region (us-east-1)
NAT NAT

11. NAT
NAT
App
Finer Grain Single Region Multi AZ Topology
Internet
AZ - us-west-1a
Region (us-west-1)
AZ - us-west-1b
Network Ingress
Network Egress
Network Backchannel
Network IPSEC Tunnel
Network Tunneled Connection
AZ = Availability Zone
App
Web
Web
Tunnel to
other region
S3 is already Multi AZ…

12. Finer Grain Single AZ Multi Subnet Topology
NAT
App
Internet
AZ - us-west-1a
Region (us-west-1)
Network Ingress
Network Egress
Network Backchannel
Network IPSEC Tunnel
Network Tunneled Connection
AZ = Availability Zone
Web
Tunnel to
other region
Private Public
Access to other AZ

13. Resources
 Terms:
 Regions & Availability Zones: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-
regions-availability-zones.html
 Virtual Private Cloud: http://aws.amazon.com/vpc/
 Internet Gateway:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
 Elastic Load Balancer: http://aws.amazon.com/documentation/elasticloadbalancing/
 Elastic IP: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
 Bastion Instance: http://en.wikipedia.org/wiki/Bastion_host
 NAT Instance: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
 Subnet: http://en.wikipedia.org/wiki/Subnetwork and
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
 Author: Lawson Caudill – http://www.getthinktank.com