Resourceschevron right
Networking
chevron right
AWS Networking Guide for Enterprise Network Administrators

AWS Networking Guide for Enterprise Network Administrators

Posted by
Richard Gargan
published
July 12, 2024
TABLE OF CONTENTS
Build Your Dream Network Architecture
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.
Get Started FreeBrowse Solutions

Amazon Web Services (AWS) provides a wide range of networking services that cater to every need. Its networking capabilities meet the most stringent requirements globally. 

The AWS Region/Availability Zone (AZ) model, for example, is recognized by industry analysts as the best approach for running enterprise applications that require high availability. This model ensures that your mission-critical workloads maintain the highest levels of availability.

AWS stands out for its performance, equipping network administrators with the tools to run high workloads, using the highest throughput and lowest latency cloud network. This means your applications will be faster and more responsive, providing a better experience for your customers.

AWS offers a suite of hybrid connectivity solutions, network foundation, coverage, and security tools that enhance network management and security. With these services that we will review in depth in this article, you can build a secure, high-performing, and reliable network that can meet the needs of any modern enterprise.

Features of a VPC and their role in AWS networking

Amazon Virtual Private Cloud (Amazon VPC) is an essential AWS feature that allows you to establish virtual networks in the cloud. VPC lets you launch AWS resources in a logically isolated virtual network that you've defined. 

This virtual network closely resembles a traditional network that you'd operate in your own data center, but with it you get the benefits of using the scalable infrastructure of AWS.

For example, you can create a VPC with subnets in multiple Availability Zones. This setup ensures high availability and fault tolerance. In your VPC, you can have EC2 instances running in each subnet, and an internet gateway to allow communication between these instances and the internet. Essentially, you get your own isolated network within the AWS cloud.

Subnets 

When you create a VPC, you can start defining subnets, which are just a range of IP addresses in your VPC. Each subnet must reside within a single Availability Zone. Once you have subnets, you can launch AWS resources like EC2 instances within them. It's like having different departments in your virtual office, each with its own unique address range.

IP addressing is another critical element of a VPC. You can assign both IPv4 and IPv6 addresses to your VPCs and subnets. It's even possible to bring your public IPv4 addresses and IPv6 GUA addresses into AWS, allocating them to resources in your VPC. This flexibility lets you use familiar IP addresses and ensures seamless integration with existing networks.

Route tables

Routing in a VPC is managed with route tables. These tables determine where network traffic from your subnet or gateway is directed. It's like setting up a map that directs data to the right destination. 

For instance, you can use an internet gateway to connect your VPC to the internet, or a VPC endpoint to connect to AWS services privately without needing an internet gateway.

Gateways 

Gateways are essential for connectivity. They link your VPC to other networks. For example, an internet gateway connects your VPC to the internet. If you want a secure connection to AWS services without using the internet, you can use a VPC endpoint.

Sometimes, you need to connect different VPCs. VPC peering connections allow you to route traffic between resources in two VPCs, much like creating a bridge between two separate office buildings.

Security and monitoring are goals with the VPC architecture. Traffic mirroring allows you to copy network traffic from network interfaces and send it to security and monitoring appliances for deep packet inspection. This helps you monitor what's happening in your network.

For complex setups, a transit gateway acts as a central hub that routes traffic between your VPCs, VPN connections, and AWS Direct Connect connections. 

VPC flow logs 

These logs capture information about the IP traffic going to and from network interfaces in my VPC. This logging feature is invaluable for monitoring and troubleshooting network activity.

For secure connections from my on-premises networks to my VPCs, I can use AWS Virtual Private Network (AWS VPN). This makes it easy to extend my data center into the cloud, maintaining secure and reliable connections.

With these features, I can configure a VPC to provide the connectivity that my applications need, using the scalable and reliable infrastructure of AWS.

How subnets work when networking in AWS

Think of subnets as building blocks for creating isolated network segments inside your VPC. You can choose to create subnets that serve different purposes, such as handling public-facing applications, internal services, or secure database access.

Each subnet must be restricted to a single Availability Zone. This design helps ensure failover and redundancy. For instance, by deploying resources across multiple Availability Zones, you protect your application from the failure of a single zone.

When you create a subnet, you specify its IP addresses depending on the VPC configuration. You have three primary options:

  • IPv4 only: This subnet has an IPv4 CIDR block but no IPv6 block. Resources can only communicate using IPv4.
  • Dual stack: The subnet has both IPv4 and IPv6 CIDR blocks, allowing resources to communicate over either protocol.
  • IPv6 only: The subnet has an IPv6 CIDR block without an IPv4 block. Resources communicate solely using IPv6. Resources in IPv6-only subnets are assigned IPv4 link-local addresses (169.254.0.0/16) for communicating with VPC services like the Instance Metadata Service (IMDS).

Subnets are categorized based on how they route traffic:

  • Public subnets route traffic directly to an internet gateway. Resources in this subnet can access the internet.
  • Private subnets lack a direct route to an internet gateway. Resources need a NAT device to access the internet.
  • VPN-only subnets route traffic to a site-to-site VPN via a virtual private gateway. They don’t provide a route to an internet gateway.
  • Isolated subnets have no routes to destinations outside the VPC. Resources can only communicate internally within the VPC.

Picture a VPC with public and private subnets in a diagram. It might also show optional subnets in a Local Zone, which brings AWS services closer to your end users for lower latency. Suppose you're running applications that need single-digit millisecond response times. Deploying subnets in a Local Zone can make a big difference.

Routing within subnets is defined by route tables. Each subnet must be linked to a route table that specifies allowed outbound routes. By default, new subnets are associated with the VPC’s main route table. You can modify this association or the route table itself.

Subnet settings can be adjusted for auto-assigning public IPs and configuring DNS settings. For example, you might configure the subnet to automatically request a public IPv4 or IPv6 address for new network interfaces. Additionally, hostname types for EC2 instances in the subnet can be specified, affecting how DNS queries are handled.

From a security perspective, using private subnets is recommended. Resources in private subnets can use bastion hosts or NAT devices to access the internet securely. Security groups and network ACLs help control traffic. 

Security groups manage traffic for associated resources like EC2 instances, while network ACLs operate at the subnet level. Although security groups are usually sufficient, using network ACLs provides an extra security layer.

Each subnet must be linked to a network ACL, which defaults to allowing all inbound and outbound traffic. You can update the default ACL or create custom ones to tailor traffic control. For monitoring and security analysis, VPC Flow Logs can capture traffic data for your subnet or individual network interfaces, providing insights into IP traffic patterns.

Public vs. private subnets 

With subnets, you are essentially carving out smaller networks within your larger VPC (Virtual Private Cloud). Now, why would you want to do that? Well, to manage and secure your resources more effectively.

A public subnet is one where the instances can directly communicate with the internet. Think about the public subnet as the front porch of your house. Everyone can knock on your door, but you probably don’t want to put sensitive stuff out there. In AWS, instances in a public subnet have a route to the internet gateway. 

Let’s take an example. Say you have a couple of web servers that need to serve customer requests over the internet. These web servers need to be in a public subnet. Why? 

Because they need to respond to HTTP or HTTPS requests from users around the world. You give these servers public IP addresses, and voila, they’re accessible from anywhere.

Conversely, a private subnet is like private, internal rooms of your house. Only trusted family or friends can access these areas. Instances in a private subnet have no direct route to the internet. This is super useful for resources that don’t need to be exposed directly to the internet, like databases or internal application servers.

For instance, your database server containing customer information doesn't need to be accessed by everyone. So, you put it in a private subnet. It can still talk to the web servers for fetching or storing data, but it remains hidden from the outside world. This setup adds an extra layer of security.

Here’s a concrete setup: you could have your web servers in the public subnet and the database servers in the private subnet. The web servers handle the requests from the internet and then securely communicate with the database servers in the private subnet. No one from the outside world can directly access your database server, reducing the attack surface significantly.

AWS also provides some cool tools to make this setup robust. For instance, you can use a NAT Gateway if instances in your private subnet need to initiate outbound connections to the internet for updates or other tasks. The NAT Gateway sits in your public subnet and allows instances in private subnets to reach the internet without exposing them to inbound traffic.

Public and private subnets help you create a secure, layered network architecture. By putting the right resources in the right subnets, you make it harder for bad actors to get to our sensitive data while keeping your services accessible to those who need them.

How to create and manage subnets in AWS

-> Specify an IPv4 CIDR block from your Virtual Private Cloud (VPC). 

Optionally, you can add an IPv6 CIDR block if it’s associated with your VPC. If you create an IPv6-only subnet, instances launched within it will only have an IPv6 address and won't get an IPv4 address. Be aware that instances in an IPv6-only subnet need to be built on the Nitro System.

-> Navigate to the Amazon VPC console

Once in the VPC console, head over to the "Subnets" section. Click on "Create subnet" to get started. Here, select the VPC for the subnet. Naming the subnet is optional but helpful for organizational purposes. AWS will create a tag with the key “Name” and the value I specify.

-> Choose an Availability Zone

Choose an Availability Zone (AZ) for the subnet or leave it as “No Preference” to let AWS select one. For the IPv4 CIDR block, you can enter something like "10.0.1.0/24". If using Amazon VPC IP Address Manager (IPAM), you have the option to allocate a CIDR block from IPAM.

The IPv6 CIDR block follows a similar process. You can manually input the desired block or allocate it from IPAM if using it for address management. Now, select an IPv6 VPC CIDR block and specify an IPv6 subnet CIDR block within the range of the VPC CIDR.

-> Configure the subnet

Once the subnet is created, it's time to configure it. Configuring routing is essential. Create a custom route table and routes that direct traffic to a gateway associated with your VPC, such as an internet gateway. This setup ensures that instances within the subnet can communicate with the outside world.

You also have to decide on IP address behavior. You can set whether the instances will receive a public IPv4 address, an IPv6 address, or both. Additionally, you can manage Resource-based Naming (RBN) settings, which are crucial for instance naming and DNS configurations.

Subnets must have security. You can use security groups to allow inbound and outbound traffic for resources like EC2 instances. For an extra layer of protection, network ACLs (Access Control Lists) can be configured at the subnet level. These ACLs help control inbound and outbound traffic, providing another security layer.

Managing subnets in AWS is flexible. You can configure auto-assign IP settings so that new instances receive a public IP address automatically. Through subnet sharing, you can share a subnet with other AWS accounts, enabling collaborative environments. Options to create or modify network ACLs are available to enhance subnet security further.

By using VPC Flow Logs, you can log traffic that moves in and out of the subnets. This logging is crucial for monitoring and auditing purposes, helping you maintain the security and integrity of your network infrastructure.

What are AWS elastic IPs?

Elastic IP addresses (EIPs) are static, public IPv4 addresses designed for the dynamic cloud environment. They provide the flexibility and resilience needed for managing a dynamic AWS environment, allowing you to maintain consistent and reliable access to my resources.

You can associate an Elastic IP with any instance or network interface in your Virtual Private Cloud (VPC). That flexibility lets you mask instance failures by remapping addresses to another instance within your VPC quickly. 

For example, if an instance experiences an unexpected outage, you can promptly remap the associated EIP to another instance, ensuring your applications maintain a consistent public endpoint.

Elastic IPs offer significant advantages for network management and resilience. By programmatically associating and disassociating these addresses, you can direct traffic based on evolving business needs. 

Let's say you have a web application experiencing a surge in traffic. you can easily scale up by directing traffic to new instances without changing external configurations.

Another use of Elastic IPs is for maintaining stable identifiers for cloud resources. This is particularly helpful when configuring external services like DNS records or firewall rules. For example, if you need a consistent IP for your email server to avoid getting flagged as spam, you can assign an EIP with a static reverse DNS record.

Elastic IPs come with a few considerations. They are static and region-specific, meaning you can't move an EIP to a different region. Also, each AWS account has a default limit of five Elastic IP addresses per region, though you can request a quota increase if needed. 

It's also worth noting that AWS charges for all public IPv4 addresses, including EIPs that aren't associated with a running instance. So, you should manage these addresses wisely to avoid unnecessary costs.

In a typical AWS environment, you can allocate an EIP from Amazon's pool of IPv4 addresses and associate it with your instance or network interface. This address then gets tied to the instance's primary network interface. 

If your instance already has a public IPv4 address, AWS replaces it with the EIP, releasing the former back into the pool. For instance, if you previously had a public IP on your web server, associating an EIP will replace it, ensuring your server remains reachable under the new EIP.

If you need to transfer an EIP between AWS accounts, for example, during organizational restructuring or a disaster recovery scenario, AWS provides a two-step handshake process for the transfer. This feature is beneficial for quickly moving workloads or maintaining a centralized security administration.

IPv4 vs. IPv6 and AWS networking

IPv4 has been around for a long time and is what most of us are familiar with. It uses a 32-bit address scheme, which gives us about 4.3 billion unique addresses. That seemed like a lot back in the day, but we've pretty much run out of them. This is why IPv6 came along.

IPv6 uses a 128-bit address scheme. This means it can provide an almost unlimited number of unique addresses. Think of it as moving from a crowded city with limited housing (IPv4) to an expansive countryside with plenty of room to grow (IPv6). AWS supports both IPv4 and IPv6, so you can choose what's best for your network.

In AWS, IPv4 addresses are still the default. Most of the time, when you spin up a new EC2 instance or set up a VPC, you'll be using IPv4 addresses. 

For example, when you launch an EC2 instance, it’s automatically assigned a private IPv4 address from the subnet's IPv4 CIDR. If you need to, you can also assign a public IPv4 address for your instance to communicate with the internet.

But what about IPv6? 

AWS makes it easy to work with IPv6 as well. When creating a VPC, you can associate an IPv6 CIDR block with it, alongside the IPv4 block. This way, each instance in your VPC can have both an IPv4 and an IPv6 address. 

One good example is setting up a dual-stack environment. Your resources can communicate over IPv4 with older systems and use IPv6 for newer, IPv6-enabled networks. It’s like having the best of both worlds.

Security groups and network ACLs are crucial to consider here. If you're using IPv6, you must account for it in your security rules. AWS allows you to create security group rules specifically for IPv6 traffic. 

For instance, if your application is listening on port 80, you can add an inbound rule for IPv6 traffic on port 80 to ensure it's reachable from the internet. 

Another feature to consider is the Elastic Load Balancer (ELB). AWS supports IPv6 for both Application Load Balancers (ALB) and Network Load Balancers (NLB). This means your load balancer can accept IPv6 traffic and forward it to your instances. This is especially useful for handling a large number of client connections.

Route 53, which is AWS's DNS service, supports both IPv4 (A records) and IPv6 (AAAA records). This means you can route traffic to your resources using either protocol. If you're planning a smooth transition to IPv6, you can start by adding both A and AAAA records for your domain and gradually shift your traffic.

In practice, IPv6 adoption might be slow, but planning for it is a smart move. Over time, as more devices and networks support IPv6, having your AWS infrastructure ready will save you from potential headaches. Plus, it positions you well for future growth, especially as the Internet of Things (IoT) expands and demands more addresses.

So, while IPv4 is still widely used, IPv6 is the future. Embracing both in your AWS network setup can provide flexibility, scalability, and readiness for what's next.

The function of security groups in AWS

Security groups in AWS act as virtual firewalls. They control the traffic that is allowed to reach and leave the resources they are associated with. For instance, when you associate a security group with an EC2 instance, it manages the inbound and outbound traffic for that instance.

When you create a VPC, it comes with a default security group. You can also create additional security groups tailored to your needs. Each security group has its unique set of inbound and outbound rules. For inbound rules, you specify the source, port range, and protocol. For outbound rules, you specify the destination, port range, and protocol.

Imagine a VPC with a subnet, an internet gateway, and a security group. The subnet contains an EC2 instance, and the security group is assigned to this instance, acting as a virtual firewall. The traffic reaching the instance is only what the security group rules allow. 

For example, if the security group allows ICMP traffic from your network, you can ping the instance from your computer. But if it doesn’t allow SSH traffic, you can’t connect using SSH.

You can assign a security group only to resources in the same VPC as the group itself. You can assign multiple security groups to a resource. When creating a security group, it needs a name and a description. The name must be unique within the VPC and include up to 255 characters, including letters, numbers, spaces, and special characters like ._-:/()#,@[]+=&;!$*.

Security groups are stateful. If you initiate a request from an instance, the response traffic is allowed regardless of the inbound rules. Similarly, responses to allowed inbound traffic can leave the instance regardless of the outbound rules.

It's important to note that security groups do not filter traffic for Amazon Domain Name Services (DNS), Dynamic Host Configuration Protocol (DHCP), instance metadata, ECS task metadata endpoints, Windows instance license activation, Amazon Time Sync Service, and reserved IP addresses used by the default VPC router.

For best practices, always authorize only specific IAM principals to create and modify security groups. Keep the number of security groups to a minimum to reduce the risk of error. Use each security group to manage access to resources with similar functions and security requirements. 

Be cautious with ports 22 (SSH) or 3389 (RDP) and avoid opening them to the world. Instead, specify only necessary IP ranges. Also, avoid opening large port ranges unless absolutely necessary. Consider creating network ACLs with rules similar to those of your security groups for an added layer of security.

Let's look at a practical example. Suppose you have a VPC with two security groups and two subnets. The instances in subnet A have the same connectivity requirements, so you associate them with security group 1. 

Instances in subnet B, with different requirements, use security group 2. Security group 1 might allow SSH traffic from a specific network range and all traffic between instances in subnet A. Security group 2 might permit internal communication within subnet B and SSH traffic from instances in subnet A.

Both security groups in this example could use the default outbound rule, which allows all outbound traffic. This setup ensures controlled and secure communication based on your security needs.

What are NACLs used for in AWS?

When networking on AWS, Network Access Control Lists (NACLs) play a crucial role in managing the traffic flowing in and out of subnets. They act as an extra security layer that functions like a firewall at the subnet level. 

NACLs give you granular traffic control at the subnet level, complementing you security groups for a more robust security posture. Unlike security groups which operate at the instance level, NACLs control traffic for entire subnets.

Many people usually start with the default NACL that comes with their VPC. But if you need more control, you create custom NACLs to tailor the rules to your specific needs. For instance, you might restrict certain IP addresses from accessing your subnet or block specific types of traffic to add another layer of protection.

Imagine you have a VPC with two subnets. Each of these subnets can have its own NACL. Say, subnet 1 has a NACL (let's call it Network ACL A). This NACL will filter the traffic entering and leaving subnet 1. Similarly, subnet 2 has Network ACL B for its traffic control. 

When traffic enters the VPC, whether from a peered VPC, a VPN connection, or the internet, a router directs this traffic to its intended subnet. Network ACL A will decide if this traffic can enter subnet 1 or exit from it. The same is true for Network ACL B and subnet 2.

In AWS Managed Multi-Account Landing Zones, the story changes slightly. The use of NACLs gets restricted to ensure seamless management and monitoring by AWS. 

For example, NACLs are not supported in core accounts like Management, Networking, Shared-Services, Logging, and Security. But in Application accounts, NACLs can be used as a "Deny" list while maintaining an "Allow All" rule to let AWS monitor and manage the infrastructure effectively.

For large-scale deployments, you can sometimes leverage centralized egress firewalls or AWS Transit Gateway routing tables. These tools help segregate traffic among VPCs and add another layer of traffic control.

Benefits of combining VPN and Direct Connect in AWS

When networking in AWS, combining VPN and Direct Connect provides a powerful, secure, and efficient way to connect your on-premises networks to AWS. You can use AWS Direct Connect plus AWS Site-to-Site VPN to establish a dedicated network connection combined with a managed VPN solution. 

Direct Connect public virtual interfaces (VIFs) create a secure link between your network and AWS resources. For instance, you can set up IPsec connections to Amazon VPC virtual private gateways. This setup benefits from the end-to-end secure IPsec connection and the low latency of Direct Connect.

Picture a scenario where you establish a Direct Connect public VIF with a dedicated link to AWS. With this connection in place, creating IPsec VPN tunnels to VPC virtual private gateways becomes straightforward. This hybrid approach offers a more consistent network experience compared to internet-based VPNs. 

Your BGP session with AWS Direct Connect on the public VIF, coupled with another BGP session or static routes on the VPN tunnels, ensures a smooth and secure connection.

But maybe you need your connection to be even more private. That’s where Private IP VPN over AWS Direct Connect comes in. This method is great for financial, healthcare, and federal industries aiming to meet regulatory and compliance goals. 

How to deploy IPsec VPN over Direct Connect using private IPs

With private IP VPN, you can avoid public addresses and keep your traffic secure. It simplifies network operations because you don't need to deploy your own VPN infrastructure. Instead, you utilize AWS Direct Connect transit VIFs for encryption, boosting both security and route scalability.

Here’s how to set it up: 

-> Create a customer gateway in AWS that represents your on-premises device. You’ll need a private IP address for it.

-> Prepare a transit gateway with a non-overlapping private IP CIDR block. 

-> Create a Direct Connect gateway and associate it with your transit gateway. 

-> Configure the VPN connection using private IPs for the tunnel endpoints on both the AWS and customer gateway sides. 

This setup ensures private, encrypted connectivity between your networks and AWS.

If managing multiple VPN connections to various VPCs is on your mind, AWS Direct Connect combined with AWS Transit Gateway and AWS Site-to-Site VPN can ease the load. 

By setting up a Direct Connect public VIF, you link directly to AWS resources. Then, establish an IPsec connection to AWS Transit Gateway. This setup minimizes cost and complexity while providing the low latency benefits of a private connection. You establish BGP sessions both on the Direct Connect link and on the IPsec VPN tunnel, creating a seamless and efficient network experience.

By leveraging these hybrid options, you get the best of both worlds: the security and privacy of IPsec connections and the performance and dependability of AWS Direct Connect. Whether it's a private IP VPN or integrating with a transit gateway, these methods cater to varying network needs, making AWS networking both versatile and robust.

The function of route tables in AWS

Route tables in AWS are the traffic directors for your VPC, ensuiring data packets find their way efficiently and securely. They contain rules, or routes, that dictate where network traffic should go. The GPS for your VPC, they guide data packets to their destinations.

In AWS, a route table is a set of rules, known as routes, used to determine where network traffic from your VPC (Virtual Private Cloud) or subnet is directed. Here are some key points about route tables in AWS:

  • Association: Each subnet in a VPC must be associated with a route table. By default, subnets are associated with the main route table of the VPC unless specified otherwise.
  • Routes: A route table contains a set of rules (routes) that determine where network traffic should go. Each route specifies a destination (such as a specific IP address range) and a target (where to send the traffic).
  • Default Route: Typically, a route table includes a default route (0.0.0.0/0) that directs all non-local traffic to a gateway. This gateway could be an Internet Gateway (IGW) for public subnets or a Virtual Private Gateway (VGW) for private subnets accessing an on-premises network via VPN.
  • Custom Routes: You can add custom routes to route traffic to specific destinations. For example, you might add a custom route to direct traffic to a NAT Gateway for outbound internet access from private subnets.
  • Propagation: Route tables can propagate routes from a VPN connection or a Direct Connect connection, allowing traffic to flow between your VPC and your network.
  • Associations: Subnets can only be associated with one route table at a time, but a route table can be associated with multiple subnets.
  • Security: Route tables do not provide security; they are used for routing network traffic within the VPC. Security Groups and Network ACLs (Access Control Lists) are used for controlling access to instances.

Route tables in AWS are critical for routing traffic within your Virtual Private Cloud, ensuring that network packets are directed to their intended destinations based on defined rules and configurations.

Longest prefix match

When directing traffic, AWS uses the most specific route that matches the traffic. This method is known as the longest prefix match. 

Let's say your route table has an entry for `0.0.0.0/0` pointing to an internet gateway and another entry for `172.31.0.0/16` pointing to a peering connection (`pcx-11223344556677889`). Traffic destined for `172.31.0.0/16` will use the peering connection because it’s more specific than the broader `0.0.0.0/0` route. Traffic heading to any IP within `10.0.0.0/16` will stay within the VPC, thanks to the `local` route.

Route priority and propagated routes

If you're using a virtual private gateway and have enabled route propagation, AWS automatically adds VPN routes to your table. But, what if these propagated routes overlap with your static routes? 

The static routes take priority. For example, if both a propagated route and a static route have `172.31.0.0/24` as their destination, the static route will be used if its target is an internet gateway, NAT gateway, network interface, instance ID, gateway VPC endpoint, transit gateway, VPC peering connection, or Gateway Load Balancer endpoint.

Route priority and prefix Lists

When your route table references a prefix list, a few rules come into play. If there's a static route with a destination CIDR block that overlaps a static route referencing a prefix list, the route with the CIDR block wins. 

If a propagated route matches a route referencing a prefix list, the prefix list route takes priority. For overlapping routes, regardless of whether they’re propagated, static, or referencing prefix lists, the more specific one always takes precedence. 

If multiple prefix lists overlap to different targets, AWS randomly chooses which route takes priority initially and sticks with that choice.

Take, for instance, a route table with the following entries:

  • `10.0.0.0/16` to `local`
  • `172.31.0.0/16` to `pcx-11223344556677889`
  • `0.0.0.0/0` to `igw-12345678901234567`

Here, traffic destined for `172.31.0.0/16` will always use the peering connection, while traffic to `0.0.0.0/0` will go through the internet gateway. If there's a propagated route to a virtual private gateway with the same destination as a static route to an internet gateway, the static route takes priority.

NAT gateways vs. NAT instances. Which should you use?

The differences between NAT gateways and NAT instances are significant. Our advice is to use NAT gateways. They offer better availability, bandwidth, and less administrative effort. 

For example, NAT gateways are highly available and implemented with redundancy in each Availability Zone. This means if one zone fails, the others still operate. In contrast, NAT instances require a failover script to manage instance failure, which is more cumbersome.

In terms of bandwidth, NAT gateways can scale up to 100 Gbps. That's a lot of data flowing smoothly without you needing to worry about bottlenecks. NAT instances, however, depend on the bandwidth of the instance type you choose. If you need more bandwidth, you'd have to upgrade your instance, which adds complexity.

Maintenance is another area where NAT gateways shine. AWS manages them completely. You don’t need to worry about software updates or operating system patches. But with NAT instances, you’re on the hook for all maintenance tasks, from software updates to patching.

Performance is also optimized in NAT gateways as the software is specifically tuned for handling NAT traffic. NAT instances, on the other hand, use a generic AMI configured to perform NAT.

Cost depends on your usage for both NAT gateways and instances. For NAT gateways, you’re charged based on the number of gateways, duration of usage, and data volume. With NAT instances, costs depend on the number of instances, their type and size, and usage duration.

When it comes to public IP addresses, with a NAT gateway, you can associate an Elastic IP address when creating it. This isn't as flexible as with NAT instances, where you can change the public IP by associating a new Elastic IP address at any time.

For private IP addresses, NAT gateways automatically select from the subnet's range. With NAT instances, you have to assign a specific private IP address from the subnet’s range when launching the instance.

NAT gateways don’t support security groups. You can only associate security groups with the resources behind the NAT gateway. NAT instances, on the other hand, allow you to associate security groups directly with them, providing more control over inbound and outbound traffic.

Both NAT gateways and instances use network ACLs to control traffic to and from their subnets and support flow logs for capturing traffic. However, NAT gateways don’t support port forwarding and can’t act as bastion hosts. NAT instances can be manually configured for port forwarding and can also function as bastion servers.

In terms of monitoring, you can view CloudWatch metrics for both NAT gateways and instances. However, the behavior during connection timeouts differs. NAT gateways return an RST packet to the resources behind it, while NAT instances send a FIN packet to close the connection.

NAT gateways support forwarding of IP fragmented packets for UDP but not for TCP and ICMP. NAT instances support the reassembly of fragmented packets for UDP, TCP, and ICMP.

If you're using a NAT instance and considering migration to a NAT gateway, the process involves creating a NAT gateway in the same subnet as your NAT instance and updating the route table. You can even use the same Elastic IP address by first disassociating it from the NAT instance. However, be cautious as any ongoing connections will be dropped and need re-establishment.

This comparison clearly shows the advantages of NAT gateways over NAT instances, especially in terms of availability, bandwidth, and ease of management. But for specific scenarios requiring features like port forwarding or acting as bastion hosts, NAT instances might still be the way to go.

What is a transit gateway in AWS?

AWS Transit Gateway provides a hub-and-spoke design for connecting VPCs (Virtual Private Clouds) and on-premises networks as a fully managed service. This means you won't need to provision third-party virtual appliances. No VPN overlay is required, and AWS takes care of high availability and scalability.

Imagine you have multiple VPCs that you want to connect. Transit Gateway makes it easy by allowing you to connect thousands of VPCs without managing complex peering relationships. You can also attach all your hybrid connectivity (like VPN and Direct Connect connections) to a single gateway. This centralizes and simplifies your organization's entire AWS routing configuration. 

Let's say you have ten VPCs in different accounts that need to communicate. Instead of setting up multiple peering connections, you just attach each VPC to a transit gateway. 

That setup uses route tables to control traffic flow between connected networks. It's a hub-and-spoke model, making management much easier and operational costs lower. With this model, each VPC only needs to connect to the Transit Gateway to access other connected networks.

Another handy feature of the transit gateway is it’s a regional resource. You can connect thousands of VPCs within a single AWS Region. For instance, if you have VPCs in the US-East region and others in the US-West region, you can connect them over a single Direct Connect connection for hybrid connectivity. 

Typically, you'd use one transit gateway per region, leveraging its inherent high availability. But for redundancy, you might still want a single gateway per region.

With transit gateway peering, you can peer multiple transit gateways within the same or different regions and route traffic between them. This feature uses the same infrastructure as VPC peering, ensuring data is encrypted. 

Consider a scenario where you need to connect your US-East and Europe VPCs. You can peer the transit gateways in each region and have secure, reliable communication without extra VPNs. AWS Transit Gateway supports global networks by allowing inter-Region peering, using the same encryption as VPC peering.

Additionally, you can establish connectivity between SD-WAN infrastructure and AWS using Transit Gateway Connect. This feature is handy for high-performance needs, supporting up to 20 Gbps total bandwidth per connect attachment. 

For example, if your on-premises SD-WAN infrastructure needs high-speed access to AWS, you can set up a Transit Gateway Connect attachment. It uses Border Gateway Protocol (BGP) for dynamic routing and GRE (Generic Routing Encapsulation) for high performance.

You might also place your organization's transit gateway instance in its network services account for centralized management. This setup is beneficial for network engineers who manage the Network Services account. 

AWS Resource Access Manager (RAM) allows you to share a transit gateway instance for connecting VPCs across multiple accounts in your AWS Organization within the same Region. For instance, if you have different departments with separate AWS accounts, you can share a single transit gateway for seamless connectivity.

It's worth mentioning that AWS transit gateway supports dynamic routing and integration with SD-WAN appliances running in the cloud. For example, if you run SD-WAN appliances in a VPC, you can use a Transit Gateway Connect attachment for seamless integration.

AWS Transit Gateway simplifies network management, provides high availability, and allows easy scaling as your network grows. It's a robust solution for organizations looking to connect multiple VPCs and on-premises environments efficiently.

How to integrate AWS Networking with on-premises networks

Integrating AWS networking with on-premises networks brings together the best of both worlds, allowing for scalability, redundancy, and high performance. It creates a hybrid cloud that connects traditional networks with modern cloud infrastructure, making everything work seamlessly together.

We have already covered the AWS transit gateway. Let's discuss the two other AWS networking products that make this hybrid cloud possible. 

AWS site-to-site VPN

AWS Site-to-Site VPN creates a secure connection between your data center or branch office and AWS using IPSec tunnels. By establishing a VPN connection, you can connect to both your Amazon VPCs and AWS Transit Gateway, enhancing the network's redundancy.

Two tunnels per connection are used, providing high availability. If one tunnel goes down, traffic continues to flow through the other. One example is setting up a primary tunnel for main data traffic and a secondary tunnel for backup. This way, your network remains stable and reliable, even during disruptions.

For globally distributed applications, the accelerated site-to-site VPN option is beneficial. It works with AWS Global Accelerator to route your traffic to the nearest AWS network endpoint with the best performance. Imagine your application running smoothly across multiple continents with minimized latency.

Security is a key feature of the AWS site-to-site VPN. You can establish secure and private sessions using IPSec. This setup allows you to treat your Amazon VPC or AWS Transit Gateway just like your on-premises servers. For instance, your data remains encrypted and secure as it travels between your headquarters and remote branch offices.

The VPN also integrates with Amazon CloudWatch, providing robust monitoring capabilities. You gain visibility into your network's health and can monitor the reliability and performance of your VPN connections. For example, you can set up CloudWatch alerts to notify you if one of your VPN tunnels goes down, ensuring you can respond swiftly.

Another great use case is application migration. Moving your applications to the cloud becomes seamless with a Site-to-Site VPN connection. You can host Amazon VPCs behind your corporate firewall, making it easier to shift IT resources without changing how users access them. This setup benefits companies looking to modernize their infrastructure while maintaining efficient operations.

For remote sites, AWS site-to-site VPN enables secure communication. Take multiple branch offices, for example. You can securely interconnect them using AWS's VPN capabilities. This setup ensures that your internal communications remain protected, minimizing the risk of data breaches.

Using a site-to-site VPN can simplify your cloud journey. For instance, you can quickly establish a secure connection to AWS, ensuring your data is protected while benefiting from AWS's scalable and flexible infrastructure. And with the integration capabilities of AWS services like CloudWatch, maintaining this connection becomes even more manageable.

AWS Direct Connect

AWS Direct Connect gives you a dedicated network connection straight to AWS. It’s like having your own private lane on the highway, reducing the noise and traffic you’d usually get online. 

Imagine you need to handle sensitive data or large databases. Using AWS Direct Connect, you can transfer that data more securely and faster than a standard internet connection. 

For example, say you have a financial application that constantly syncs data with AWS. Instead of sending this data over the public internet, you use Direct Connect. This helps you with lower latency and more stable performance.

Another benefit is you don’t need to worry as much about bandwidth. If you have got a bunch of applications or services communicating with AWS, the dedicated bandwidth can handle way more data without slowing down. 

Think of a media company streaming high-definition videos. With AWS Direct Connect, they avoid buffering issues that might occur with a regular internet connection.

Setting it is straightforward. You reach out to an AWS partner and get a physical connection in place. Let’s say you are based in New York. you would connect your data center to an AWS Direct Connect location in an AWS region like US East (N. Virginia). Once that's done, it's almost like AWS is an extension of your own data center.

That delivers the benefit of flexibility. You can choose the connection speeds that suit your needs, from 1 Gbps to 100 Gbps. Maybe you start small with a 1 Gbps connection and scale up as your traffic grows. 

Direct Connect works well with your existing network setup, too. You can create private virtual interfaces to connect to your VPCs, or public ones to access AWS services like S3 or DynamoDB.

Put simply, AWS Direct Connect makes your network faster, more reliable, and enhances security for your cloud-based operations. It’s like having a VIP pass to AWS resources and services.

Build Your Dream Network Architecture
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.
Get Started FreeBrowse Solutions
More posts
October 31, 2024
How OT Asset Discovery Works: Key Methods and Techniques
Networking
October 31, 2024
How to Achieve a Secure Edge: Key Strategies and Techniques
Networking
Security
September 3, 2024
Networking With Docker Compose (Quick Guide)
Networking

GET STARTED

A WireGuard® VPN that connects machines securely, wherever they are.
Get Started
Request Demo

WireGuard is a registered trademark of Jason A. Donenfeld.

Star us on GitHub
Can we use Cookies?  (see  Privacy Policy).
PreferencesReject
Accept