In this article I want to explore patterns and building blocks (AWS managed services) used when designing systems in AWS.
Global:
- Choose region(s)
  - Each region contains Availability Zones
Networking:
- VPC
  - one or more per Region
  - can be default or nondefault
  - CIDR
    - Default VPC CIDR is 172.31.0.0/16.
    - VPC CIDR needs to be within the allowed range of private IP addresses:
      - 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
      - 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
      - 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
- Subnets
  - one or more per AZ
  - CIDR
    - e.g. VPC is 10.0.0.0/16
      - 10.0.0.0/24 - for a range of 256 addresses: 10.0.0.0 to 10.0.0.255 (255 assignable as x.x.x.255 is for broadcast)
      - 10.0.1.0/24 - for a range of 256 addresses: 10.0.1.0 to 10.0.1.255
      - 10.0.0.0/20 - to get a somewhat larger subnet, with 2^(32-20) = 2^12 = 4096 IP addresses.
        - To calculate the adjacent range: /20 means that the first 2 octets and the first 4 bits of the 3rd octet are fixed. In the 3rd octet we have 0000xxxx, where xxxx can go from 0000 = 0 to 1111 = 15, so the first subnet is 10.0.0.0 - 10.0.15.255 and the next subnet is 10.0.16.0/20. Use the ipcalc tool for faster results (IP Calculator / IP Subnetting).
  - access to the Internet
    - Private
      - assigned a 'private' route table which routes all non-local traffic to a NAT Gateway (they have no direct route to the IGW)
      - if the destination is within the local CIDR range, traffic goes to "local"
    - Public
      - assigned a 'public' route table which routes all non-local traffic to the IGW, so they have a direct route to the IGW
      - instances launched into these subnets will be assigned a public IP address (AWS charges for these public IP addresses until the instance is terminated and the IP address is released)
      - if the destination is within the local CIDR range, traffic goes to "local"
- Internet Gateway
  - attached to a VPC (can be default or nondefault)
  - allows instances with public IPs to access the Internet
  - There is no charge for an internet gateway, but there are data transfer charges for EC2 instances that use internet gateways.
- (Public) NAT Gateway
  - required only if instances in private subnets need to access the Internet
  - used by instances in private subnets (these instances have no public IP assigned) so they can reach the Internet, while preventing the Internet from initiating a connection directly to the instances
  - must be created in (it is attached to) a public subnet, so its traffic can be routed to the Internet Gateway
    - that's why this NAT Gateway is called 'public'
    - that's why it's bound to a single AZ
  - has to have an Elastic IP address (public IPv4 address) attached to it
  - the NAT Gateway's traffic is routed to the Internet via the Internet Gateway
- Route Tables
  - Route Destination = cidr_block
  - Route Target = gateway_id, nat_gateway_id
  - types by routing to the IGW
    - public
      - routes all traffic (0.0.0.0/0) to the IGW
    - private
      - routes all traffic (0.0.0.0/0) to the NAT GW
- Transit Gateways
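As an added worked example (not code from the original post), the subnet arithmetic above and the public/private route-table split are modelled with Python's standard `ipaddress` module: carving adjacent /20s out of a /16, checking that a VPC CIDR sits inside an RFC 1918 block, and resolving a destination against a route table by longest-prefix match, which is why "local" wins for in-VPC destinations even when a 0.0.0.0/0 route exists. The `igw-EXAMPLE` / `nat-EXAMPLE` targets are constructed placeholders, not real AWS ids. One detail beyond the post: AWS reserves five addresses in every subnet (network address, VPC router, DNS resolver, one reserved for future use, and the broadcast address), so the usable count is the block size minus five.

```python
"""Offline model of VPC subnet planning and route-table behaviour.

Added example: all values are computed locally; gateway ids are placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# The RFC 1918 blocks a VPC CIDR must fall within.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def is_private_cidr(cidr: str) -> bool:
    """True if the whole CIDR lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def plan_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Carve `count` adjacent /new_prefix subnets out of the VPC CIDR.

    Mirrors the manual calculation: 10.0.0.0/16 split into /20s gives
    10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20, ...
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} holds only {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def address_range(cidr: str) -> Tuple[str, str]:
    """First and last address of a block, e.g. 10.0.0.0/20 -> 10.0.0.0 .. 10.0.15.255."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def usable_addresses(subnet_cidr: str) -> int:
    """Block size minus the five addresses AWS reserves in each subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


@dataclass
class RouteTable:
    """Routes as (destination CIDR, target); the 'local' route for the VPC CIDR is implicit."""
    vpc_cidr: str
    routes: List[Tuple[str, str]] = field(default_factory=list)

    def lookup(self, dst_ip: str) -> str:
        """Pick the target by longest-prefix match, as the VPC router does."""
        dst = ipaddress.ip_address(dst_ip)
        candidates = [(ipaddress.ip_network(self.vpc_cidr), "local")]
        candidates += [(ipaddress.ip_network(c), t) for c, t in self.routes]
        matches = [(net.prefixlen, target) for net, target in candidates if dst in net]
        if not matches:
            return "blackhole"  # no matching route: the packet is dropped
        return max(matches)[1]

    def kind(self) -> str:
        """'public' if the default route targets an IGW, 'private' if a NAT GW."""
        default = dict(self.routes).get("0.0.0.0/0", "")
        if default.startswith("igw-"):
            return "public"
        if default.startswith("nat-"):
            return "private"
        return "isolated"  # no default route at all: no Internet path either way


if __name__ == "__main__":
    vpc = "10.0.0.0/16"
    assert is_private_cidr(vpc)
    public_subnet, private_subnet = plan_subnets(vpc, 20, 2)
    print(public_subnet, address_range(public_subnet), usable_addresses(public_subnet))
    public_rt = RouteTable(vpc, [("0.0.0.0/0", "igw-EXAMPLE")])
    private_rt = RouteTable(vpc, [("0.0.0.0/0", "nat-EXAMPLE")])
    print(public_rt.kind(), private_rt.kind())
    print(private_rt.lookup("10.0.3.7"), private_rt.lookup("93.184.216.34"))
```

The `kind()` classification is the check worth automating in a review: a subnet whose route table sends 0.0.0.0/0 to an `igw-` target is reachable from the Internet as soon as an instance in it gets a public IP, so that property should be asserted deliberately rather than discovered later.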
Compute:
- EC2
  - standalone or created by an ASG
- ASG
  - gets assigned (operates on) a list of subnets; it will create new instances in them
- ALB
  - Target Groups
    - associated with an ASG; this is how the ALB knows which instances it works with
  - Listeners
- Lambda
Storage:
- EBS
  - root and data volumes
  - gets mounted to EC2 instances
- EFS
  - gets mounted to EC2 instances
  - connected to the network and has a DNS name, so it can be attached across networks/AWS accounts (another way to share data across AWS accounts, apart from S3 or a DB)
- RDS
- S3
  - global; a bucket needs to have a unique name
Logging, Monitoring, Alerting:
Security:
- IAM
  - users
  - user groups
  - roles
  - policies
- KMS
References: