Thursday 1 August 2024

Designing Systems Architecture in AWS


In this article I want to explore patterns and building blocks (AWS managed services) used when designing systems in AWS.

Global:

  • Choose region(s)
  • Each region contains Availability Zones

Networking:

  • VPC
    • one or more - per Region
    • can be default or nondefault
    • CIDR
      • Default VPC CIDR is 172.31.0.0/16.
      • VPC CIDR needs to be within the allowed range of private IP addresses:
        • 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
        • 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
        • 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
  • Subnets
    • one or more - per AZ
    • CIDR
      • e.g. VPC is 10.0.0.0/16
        • 10.0.0.0/24 - for a range of 256 addresses: 10.0.0.0 to 10.0.0.255 (255 assignable as x.x.x.255 is for broadcast)
        • 10.0.1.0/24 - for a range of 256 addresses: 10.0.1.0 to 10.0.1.255
        • 10.0.0.0/20 - to get a somewhat larger subnet, with 2^(32-20) = 2^12 = 4096 IP addresses
          • To calculate the adjacent range: /20 means that the first 2 octets and the first 4 bits of the 3rd octet are fixed. In the 3rd octet we have 0000xxxx, where xxxx can go from 0000 = 0 to 1111 = 15, so the first subnet is 10.0.0.0 - 10.0.15.255 and the next subnet is 10.0.16.0/20. Use the ipcalc tool for faster results (IP Calculator / IP Subnetting).
    • access to Internet
      • Private
        • assigned a 'private' route table which routes all non-local traffic to the NAT Gateway (they have no direct route to the IGW)
        • if destination is within local CIDR range, traffic goes to "local"
      • Public
        • assigned a 'public' route table which routes all non-local traffic to the IGW, so they have a direct route to the IGW
        • instances launched into these subnets are assigned a public IP address (AWS charges for these public IP addresses until the instance is terminated and the address is released)
        • if destination is within local CIDR range, traffic goes to "local"
  • Internet Gateway
    • Attached to VPC (can be default or nondefault)
    • allows instances with public IPs to access the Internet
    • There is no charge for an internet gateway, but there are data transfer charges for EC2 instances that use internet gateways.
  • (Public) NAT Gateway
    • required only if instances in private networks need to access Internet
    • used by instances in private subnets (these instances have no public IP assigned) so they can reach the Internet, while preventing the Internet from initiating a connection directly to the instances
    • must be created in (it is attached to) a public subnet (so its traffic can be routed to the Internet Gateway)
      • that's why this NAT gateway is called 'public'
      • that's why it's bound to a single AZ
    • must have an Elastic IP address (public IPv4 address) attached to it
    • NAT Gateway's traffic is routed to Internet via Internet Gateway
  • Routing Tables
    • Route Destination = cidr_block
    • Route Target = gateway_id, nat_gateway_id
    • types, by where they send Internet-bound traffic:
      • public
        • routes all traffic (0.0.0.0/0) to the IGW
      • private
        • routes all traffic (0.0.0.0/0) to the NAT GW
  • Transit Gateways
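
As an added worked example (not from the original post), the CIDR arithmetic above done with Python's standard-library ipaddress module: it checks a VPC CIDR against the private ranges listed earlier, carves adjacent per-AZ subnets out of the 10.0.0.0/16 example, computes the block that follows 10.0.0.0/20, and flags subnets that fall outside the VPC or overlap. The /16 to /28 VPC size limit is AWS's documented constraint, not something the post states.

```python
import ipaddress

# The private (RFC 1918) ranges listed in the article; a VPC CIDR must sit inside one of them.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_valid_vpc_cidr(cidr: str) -> bool:
    """True if cidr is inside a private range and its size is within AWS's /16 to /28 limit."""
    net = ipaddress.ip_network(cidr, strict=True)
    return 16 <= net.prefixlen <= 28 and any(net.subnet_of(r) for r in PRIVATE_RANGES)


def address_range(cidr: str) -> tuple[str, str]:
    """First and last address of a block, e.g. 10.0.0.0/20 -> (10.0.0.0, 10.0.15.255)."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


def next_adjacent(cidr: str) -> str:
    """The same-sized block that starts right after cidr (10.0.0.0/20 -> 10.0.16.0/20)."""
    net = ipaddress.ip_network(cidr)
    start = net.network_address + net.num_addresses
    return str(ipaddress.ip_network((start, net.prefixlen)))


def carve(vpc_cidr: str, new_prefix: int, count: int) -> list[str]:
    """The first `count` adjacent /new_prefix subnets of the VPC, e.g. one per AZ."""
    subnets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return [str(s) for _, s in zip(range(count), subnets)]


def plan_problems(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Report subnets outside the VPC or overlapping each other (empty list = plan is fine)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = [f"{n} is outside VPC {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    vpc = "10.0.0.0/16"  # the article's example VPC
    print(is_valid_vpc_cidr(vpc), address_range("10.0.0.0/20"), next_adjacent("10.0.0.0/20"))
    print(carve(vpc, 20, 3))  # three /20 subnets, one per AZ
    print(plan_problems(vpc, ["10.0.0.0/20", "10.0.8.0/24", "10.1.0.0/24"]))  # constructed bad plan
```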

Compute:

  • EC2
    • standalone or created by ASG
  • ASG
    • gets assigned (operates on) a list of subnets - it will create new instances in them
  • ALB
    • Target Groups:
      • associated with the ASG; this is how the ALB knows which instances it sends traffic to
    • Listeners
  • Lambda
    • API Gateway


Storage:

  • EBS
    • root and data volumes
    • gets mounted to EC2 instances
  • EFS
    • gets mounted to EC2 instances
    • connected to the network and has a DNS name => can be mounted across networks/AWS accounts! (so this is another way to share data across AWS accounts, apart from S3 or a DB)
  • RDS
    • MySQL
  • S3
    • global; bucket needs to have a unique name

Logging, Monitoring, Alerting:

  • CloudWatch

Security:

  • IAM
    • users
    • user groups
    • roles
    • policies
  • KMS



Image sources:

  • NAT gateway use cases - Amazon Virtual Private Cloud
  • Load balancer subnets and routing - AWS Prescriptive Guidance
  • Example: VPC with servers in private subnets and NAT - Amazon Virtual Private Cloud
  • Example: VPC for web and database servers - Amazon Virtual Private Cloud


