Lou (đ Open Up The Cloud âď¸)Have you ever been into the AWS console and been completely baffled about all the concepts and jargon? Youâve got: Security Groups, Inbound rules, VPCâs, Subnets, Internet Gateways, NAT, ENIâs and all of them are related to networking somehow. Put simply: thereâs a lot to AWS networking. So if youâre going to break into it somehow you need to know what to focus on: the fundamentals.
Today weâre going to be going through the main networking components you should be familiar with in AWS. Weâll talk you through why youâd need the component, what it is and how youâd use it. Throughout the article weâll be building up an example of running a web server in a public subnet as part of our own VPC.
By the end of this article youâll understand the main networking concepts: Private IPâs, Virtual Private Cloud (VPC), Classless Inter Domain Routing (CIDR), Subnets, Internet Gateways and Security Groups and use these to implement a basic network design.
3 important reasons to learn AWS networking fundamentals
Maybe right now youâre thinking:
But, Iâm a software engineer? Do I really need to know about networking? Isnât that the job of operations or something? I already have a lot on my plate, why would I take on one more thing?
But youâd be right to ask the question!
If thatâs you, and youâre not yet convinced about why you should learn AWS networking fundamentals then let me give you two big reasonsâŚ
1. AWS cloud is much harder when you donât know AWS networking fundamentals.
Whether youâre launching a simple EC2 or even Lambda these networking topics: VPCâs, security groups etc will arise. And theyâll pose a constant distraction where youâre saying âOh, Iâll just ignore that for nowâ. And you ignore it, and you ignore it.
But over time not understanding these fundamentals will start to waste your time, as you wrestle with features you donât really understand. Even if youâre a bog-standard application developer at some point youâre going to come into contact with the AWS networking fundamentals weâre covering today and itâs going to make your life a lot easier.
2. Understanding AWS networking fundamentals allows you to implement fundamentally better solutions.
If youâve got a hammer â everythingâs a nail.
If youâre not aware of whatâs possible at a network level youâll perpetually implement sub-optimal solutions at the application level. Iâm guilty of doing this in the past, implementing things like IP whitelisting inside of the application when ideally they should be in the network level.
When you know what is possible at the network level (even if you canât necessarily implement it) it will allow you to challenge your own architectures and designs to come up with fundamentally better software.
3. Cloud Native is on the rise, and engineers need AWS networking skills.
Working in cloud native environments is becoming more and more common. Engineers are now required more than ever to step out of the realms of pure application development and to actually understand infrastructure concerns, like networking. More is demanded of you.
How weâll use Terraform to explain the AWS networking fundamentals.
Okay so that concludes why weâd want to learn these networking concepts â letâs talk about how weâre actually going to do it.
My preferred way of learning in the cloud is via infrastructure-as-code.
Why? Because it allows me to write the infrastructure as code in my own time, prepare the changes and execute them when Iâm ready.
Not only does infrastructure-as-code enable a nice workflow, but undo-ing mistakes and keeping a history in version control simply makes life that bit less stressful.
So as we go through the networking concepts today Iâll also give you snippets of terraform infrastructure-as-code. Donât worry if youâre not familiar with Terraform as the snippets are small you shouldnât need any prior knowledge. The snippets are mainly there to show you what types of arguments (or properties) that youâd need to pass when creating those resources.
And of course, practical learning is the best. So when weâre done with reading the article, you can find, clone and run the full code example from this repo and experiment with the infrastructure as you please.
Understanding IP and the need for private addresses.
Rightio â thatâs enough of the intro, letâs get to it!
First up, we need go through a bit of theory about IP and IP addresses, but stick with me, itâs worth it. Remember, this post is about fundamentals, so resist the urge to skip ahead!
IP addresses are a series of unique numbers that are assigned to a computer to make it accessible within a given network. IP addresses look like: 123.122.11.56. Typically when we talk about IP addresses weâre talking in the context of the public internet. The public internet is an open network available around the world.
But, on the internet we donât come into contact with these raw IPâs all that often. And thatâs because DNS (the Domain Name System) maps these machine relevant IPâs to friendlier names that we use more often.
If youâre interested try putting 34.242.183.30 into your search bar. Thatâs the current elastic IP address of this website. Or to be more precise, itâs an IP owned by amazon that is currently routing to an EC2 machine that is running wordpress.
My website is an example of something thatâs public on the internet, and I want it to be! However, not every machine needs to be on the internet. Such as back-office business functions like accounting. These machines need to be accessed by someone, but not anyone on the internet.
And to do enable this, we use private address space.
When the internet was coming of age, a decision was taken to reserve the following address spaces for private use:
10.0.0.0/8172.16.0.0/12192.168.0.0/16
Youâll recognise the IP address format, but youâll notice the numbers are followed by a number: /12. That number is known as a netmask, and it defines a range of IP addresses. But, weâll cover that in more detail later. All you need to know for now is that there are a (large!) number of IP addresses that are reserved for private use, i.e not on the public internet. And we can use these private address spaces to our advantage.
And that neatly brings us to what weâll be building today! Which is a VPC network, that contains a private network (using the above address spaces) and is broken down into three smaller subnetworks. One subnetwork will be granted internet access, and weâll deploy into it a web server. The other two subnets will be private, and could be used for things like internal business functions as we said before.
Todays reference architecture.
Weâll go through the components weâd need to build this type of architecture component-by-component.
So letâs go ahead and start with the most important topic: Virtual Private Clouds.
What is a Virtual Private Cloud (VPC)?
A VPC or Virtual Private Cloud is a way to logically separated resources when youâre working in AWS. AWS own lots of machines so a VPC is basically a way to lay claim to the machines that belong to you so that no-one else can access them. When we have a VPC the resources contained within it can only communicate with other VPC resources. Well, unless we do some special tricks to connect VPCâs, but weâll not be covering that today.
VPCâs are therefore simply a way to ring-fence a business, or even sub-sections of a business. We could even use VPCâs to implement different environments, such as demo, test, staging and production environments. Since production environments donât need access to our test environments, and vice versa. There are many different use cases for the VPC.
A VPC, being a network has an allocated address space. When we create resources in our VPC they have to sit within our VPCâs dedicated address space. Remember the private address ranges we talked about before?
Well, a VPC in AWS can be as big as 64,000 unique IPâs right down to as small as 16.
But what determines the size? Well, many factors including our prediction of future growth, but letâs not worry too much about that now.
A final thing to consider about VPCâs, or any private network are: namespace collisions.
What do I mean?
Well if we want to connect two VPCâs together and they are using the same private address space itâs going to cause issues. Which means that weâll likely want to create all our private networks with different IP address ranges if we can.
Letâs take a look at what creating a VPC in Terraform looks likeâŚ
Creating a VPC with Terraform
As you can see from above all thatâs required to create a new VPC is the address range, which is a CIDR block.
If you are wondering what that weird looking IP is donât worry â weâll cover it soon.
All you need to know is that a VPC is created when we define a range of private IPâs to allocate to it. Simple.
What is a Subnet?
But before we talk about those IP address ranges, CIDR blocks, letâs introduce subnets as they are closely related to VPCâs.
A subnet is (one of the few intuitively named fundamentals that weâll cover today!) very much what it sounds like. A subnets is simply a smaller piece of a larger network. A network can be chopped up into smaller pieces so that different networking rules can be applied to them.
Letâs take a look at the Terraform:
Here you can see weâre creating the VPC (as before). But now weâre also creating a subnet. In order to create the subnet we need to define the availability zone, since they can only exist in one, the VPC it belongs to, and itâs size.
But, thereâs that strange looking IP address thingy again (the CIDR block)âŚ
Iâve stalled enough about talking about it, so letâs cover off the Netmask, what it is and how it lets us define ranges for VPCâs and subnets.
What is a Netmask?
Netmasks can seem a little daunting at first â theyâre probably the most confusing AWS networking fundamental weâll cover today.
But when the fog clears youâll be much better for knowing them, theyâre useful and they come up a lot.
A CIDR block with a Netmask looks like this:
10.0.0.0/24
Youâll see this CIDR block format in AWS all the time â and it might have you wondering about what exactly it is.
IP Address blocks
The first part of the CIDR block, the four numbers 10.0.0.1 (separated by dots) represent a number up to 256 each. Why 256? because each chunk is 8 bits, and 8 bits can represent 2^8 numbers in total.
Thatâs the anatomy of an IP address.
Well, in reality an IP address looks like this:
10101001.11100010.01010001.11011010.
Thatâs 4 blocks of 8 bits (so 32 in total) where each block holds up to 256 unique address spaces.
So why donât we just use the long binary representation? Because the base 10 equivalent (e.g. 10.256.0.0) is shorter to write and easier to read (eventually!). However â do keep in mind the underlying binary equivalent as itâs important when youâre making CIDR calculations.
Understanding Netmask ranges
The second part of the number, in the previous example: /24 is whatâs called a Netmask. A Netmask defines where a network range ends. When combined with the IP (the four numbers with dots) we then have a range which starts at the IP and ends after the Netmaskâs specified number of addresses. The Netmask represents the number of bits in an IP (out of 32) that are dedicated to the outside network. So whatever is left (out of the original 32) is what is given to our network.
To understand this better, letâs look at an exampleâŚ
For instance, a Netmask of /24 gives up 24 bits to the network. Which leaves us with 8 bits left because 32 - 8 = 24. And 8 bits is equal to 2^8 total addresses which is 256 spaces.
Why is it 2^8 you might be wondering? Because thatâs how binary works. For every additional bit space we have, it squares the number of possibilities of numbers. The binary 0 has two possible values 0 or 1 , which is equal to: 2^1 = 2. The binary 00has four possible values: 00, 01 10 and 11 which is equal to 2^2 = 4.
So to recapâŚ
To calculate a netmask, take the /22 number, subtract from 32 and put the remainder as the power of 2. So: 32 -22 = 10 therefore a netmask of 22 gives our network a potential 2^10 =1024address spaces!
As we said before, 64,000 is the limit to the size of a network in AWS â which is a /16 bit Netmask. Whereas the smallest range that you can have is 16, which means that you have four bits: 2^4 .
Remember â a Netmask simply defines a range of IPâs, starting from the IP and ending at the Netmask determined endpoint.
If youâre interested to play around more with CIDR address ranges a subnet calculator would be a smart choice.
A subnet calculator cidr.xyz
A good exercise to do with the calculator is imagine youâre implementing a VPC and associated child networks. Have a go putting in different networks, look at their size and try to guess which answers youâd get right.
What is a route table?
Next up on our list of fundamentals for AWS networking is a route table.
A route table is heavily related to a subnet, as a route table is what decides how traffic flows between subnets. Do you need to move traffic from your public to your private network? Routing tables would need to be setup in order to define where services can access.
Example creation of 2 route tables (private and public)
The above code is quite granularly broken down but you can see weâre creating two route table entries, a private route entry with no routes allowed (truly private) and another that is connected to the VPCâs internet gateway. We can re-use our private route table with both of our private subnets.
Without routing tables weâd have chunks of network with no rules about who can talk to who and how. The final record in the above merely binds together the two parts: our subnet and our route table (public).
Using this code weâre now enabling allowing traffic to flow to and from our public subnet! Well, nearly we need one more componentâŚ
What is an internet gateway?
An internet gateway is an AWS component that when attached to a VPC, gives the VPC public internet access.
But⌠letâs take it back a step first! Remember, a subnet can be public or private. A public network is simply a network that has internet access.
However, itâs worth pointing out that currently you canât create a private or public subnet in AWS directly as such.
What do I mean?
Well, to create a public subnet we need to create a regular subnet, but update itâs route table to point to the internet, and ensure that our VPC is setup with an internet gateway.
The topic of internet gateways gets a little more confusing when we start thinking about internet access. Why? Because some services need internet coming in (like a static website). Whereas other services need traffic that flows out, but not in â such as an internal private micro-service that needs to pull in dependencies from other internet based services.
Setting up an internet gateway is simple, merely create the resource and attach it to a VPC.
By this point if you were following along with the code we have a VPC and some subnets, weâve made one of our subnets public by attaching a route table and an internet gateway. Now itâs time to place a resource, our EC2 instance (a web server) into our public subnet so that it can be accessed by the world. Yay!
Well⌠actually not so fast. Because weâve got one more issue. Now traffic can come from the internet, through the internet gateway, into our public subnet and knock on the door of our instance, but it canât get in. Why? Because instances have firewalls. And these firewalls are called security groups. In order to allow our instance to be accessed we need to enable public traffic through our security group.
What is a security group?
A security group is a set of networking rules that are applied to a resource. A security group is responsible for defining what traffic (based on port and protocol) can enter or leave certain resources. A single resource can reference many different security groups to aggregate different types of access. For instance, we might want to have a security group that allows HTTP and HTTPS traffic into our website. However we might want SSH access for our service, but weâll want to ensure the SSH access is limited by IP for instance and not the whole internet.
Letâs see what a security group looks like in TerraformâŚ
An example of a subnet.
Here we can see that weâve got an ingress rule, which means traffic that is flowing into our firewall has to adhere to the rule, which is allowing TCP traffic on port 80. Which is to allow basic web request access. Weâve also got an egress rule, which allows all traffic. The egress rule allows the instance to perform calls out to the internet however it wants, in our case weâre allowing it to do so because we need to install our web server, which requires access to the internet.
And with our subnet in place traffic can now get to our public instance via our API gateway, it uses the route table entry to flow traffic into our public subnet, the security group allows traffic to hit the instance and voila! We have our a working web server running inside a public subnet in a custom VPC â Awesome!
In Summary
We covered a lot of AWS networking fundamentals today, so I want to quickly re-cap everything:
- IP â Address used to map requests to machines, can be public or private.
- VPC â A slice of the AWS cloud infrastructure
- Subnet â A portion of a larger network, usually a subnetwork of a VPC.
- Netmask â A way of denoting a range of IP used to splice up a network into subnets.
- Route Table â A set of rules that are assigned to a subnet which define how subnets communicate.
- Internet Gateway â An AWS resource that gives a subnet access to the public internet.
- Security group â Essentially a firewall that dictates which traffic (via protocols and ports) can access a resource.
Create your own network
And thatâs all we have time for today. We covered a lot, I know. But I wanted to just touch the surface of these important concepts. If you focus your energy on learning anything related to AWS networking, focus on these aspects first.
And as always remember that the best way to learn concepts is to get your hands dirty. So take the code examples, we discussed, try to break them and generally have fun with them. Just make sure to setup your AWS account correctly first. The repo has the Terraform to create your VPC, Subnets, Internet Gateway, Route Table entries, a web server instance and a security group. Try using it as a reference and re-building your very own VPC piece-by-piece.
I hope the fog cleared a little more for you today, stick at it, keep reading and youâll get there. Donât forget to sign-up to the newsletter where every two weeks youâll get articles on fundamentals of cloud native, the latest news and generally stay up-to-date.
Speak soon!
What were the hardest networking concepts youâve come into contact with so far?
The post AWS networking fundamentals: A simple guide for software engineers. appeared first on The Dev Coach.
