VPC Ninja - Part 1 - Private Subnets with VPN

04/12/2019 57 min Episode 89


Episode Synopsis

Support Mobycast: https://glow.fm/mobycast

Show Details

In this episode, we cover the following topics:

- Subnet 101
  - Public subnets
    - Used for public-facing resources which allow inbound connections from the public Internet
  - Private subnets
    - What are they?
      - Used for resources that should not be exposed to the open Internet
      - Do not allow direct access from the open Internet
      - Require use of network address translation (NAT) for egress-only Internet access
    - Why use private subnets?
      - Protect your cloud servers from script kiddies
      - Limit exposure
      - Security groups and routing tables allow resources on public subnets to communicate with private subnets
- NAT (network address translation) deep dive
  - What is NAT?
    - Remaps one IP address space into another
    - Done by modifying network address information in the IP header of packets while in transit across a routing device
    - Tool to deal with IPv4 address exhaustion
      - Only need a single public IP address for NAT, which hides the entire private network behind it
    - Note: the actual role of a NAT device is both address translation and port address translation
  - How does it work?
    - IP header consists of:
      - Source IP
      - Source port
      - Destination IP
      - Destination port
    - Routing device modifies the IP address in packets
      - Outgoing packets (private-to-public)
        - Source IP and port changed to NAT values, i.e. packets appear to originate from the NAT (instead of the private IP itself)
      - Incoming packets (public-to-private)
        - Destination IP and port changed to private values
    - For TCP/UDP
      - NAT keeps an in-memory table that maps traffic to private IPs
      - Table includes each active connection (particularly the destination address and port)
      - When a reply comes back to the router, it uses the table to determine the private IP the reply should be forwarded to
      - Port numbers are changed so the combination of IP and port on the returned packet can be unambiguously mapped to the corresponding private destination
      - Note: a conversation to the open Internet has to originate in the private network!
        - This is because the initial message establishes the required information in the translation table
  - How can a single computer have both public and private IP addresses?
    - A quick primer on IP addresses and network interface cards
      - MAC (media access control) address
        - Physical address
        - Unique ID assigned to the NIC
      - IP address
        - Logical address
      - Network switches maintain Address Resolution Protocol (ARP) tables that map IP addresses to MAC addresses
        - ARP table is used to know which MAC address to attach to a packet
      - A single NIC can have multiple IP addresses
- Alas, private subnets are less convenient than public subnets.
  - Instances on a private subnet won't be publicly accessible; they can only be accessed from inside the network.
  - This leads to the problem of how to connect to an instance on a private subnet from a remote location.
  - Three broad categories of solutions:
    - Direct Connect
      - Dedicated network connection over private lines straight into the AWS backbone
      - Requires network equipment on the customer side
      - Cons:
        - Requires dedicated hardware
        - Expensive
        - Applicable only when you have an on-prem location that needs to be physically connected to the VPC
    - Bastion host (jump host)
      - Public-facing server running an SSH daemon
      - Once connected to the bastion host, users can then ssh to machines on the private subnet
      - Typically have a single instance on the public subnet
        - Minimizes the surface area to be protected
      - Cons:
        - Adds an extra layer of indirection
        - ssh key management is more complicated
        - SPOF (single point of failure)
        - Security risk of protecting the bastion host
    - VPN (virtual private network)
      - Many different options, ranging in cost and equipment requirements
      - For both connecting an on-prem location, as well as general remote user access
- VPN
  - Available options
    - Managed VPN
      - Managed IPsec VPN connection over the existing internet
      - Quick and usually simple method for making a secure connection to the VPC
      - Can be used as a redundant link for Direct Connect
      - Supports static routes or BGP peering/routing
      - How to set up:
        - Designate an appliance to act as your customer gateway (usually the on-prem router)
        - Create the VPN connection in AWS and download the config file for your customer gateway
        - Configure the customer gateway with the config file
    - VPN CloudHub
      - Connect locations in a hub-and-spoke manner using a Virtual Private Gateway
      - Allows remote locations to communicate with each other via the hub (Virtual Private Gateway in AWS)
      - Each remote location uses a Site-to-Site VPN connection to connect to the hub
      - Reuses the existing internet connection
      - Supports BGP routes to direct traffic, e.g. use MPLS first, then CloudHub VPN as backup
      - How to set up:
        - Assign multiple Customer Gateways to a Virtual Private Gateway, each with their own BGP ASN and unique IP ranges
    - Third-party software VPN
      - You provide your own VPN endpoint/software
      - Use this option if you must manage both ends of the VPN connection
      - How to set up:
        - Install VPN software via a Marketplace appliance or on an EC2 instance
  - TIL... AWS has increased the options
    - Managed VPN is now known as "AWS Site-to-Site VPN"
    - New option: "AWS Client VPN"
      - Fully managed, highly available software-only VPN
      - Supports OpenVPN-based clients
    - We'll discuss "AWS Client VPN" in depth in a future episode
  - Our choice for this episode: let's set up a third-party software VPN solution
    - Rationale:
      - Not too much $$$
      - Pretty sophisticated solution that's easy to manage

Links

- VPC with Public and Private Subnets (NAT)
- Network-to-Amazon VPC Connectivity Options
- Network address translation
- RFC 1631 - The IP Network Address Translator (NAT)
- Multiple IP Addresses
- AWS VPN
- Introducing AWS Client VPN to Securely Access AWS and On-Premises Resources

End Song

Zero Gravity by Roy England

For a full transcription of this episode, please visit the episode webpage.

We'd love to hear from you! You can reach us at:

Web: https://mobycast.fm
Voicemail: 844-818-0993
Email:
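The NAT translation table from the show notes above, modelled as an added example (not code from the episode or from AWS): outbound packets get the NAT's public IP and a fresh port, replies are mapped back through the table, and a packet with no table entry is dropped, which is why the conversation must start from the private side. All IP addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """One public IP hiding a private subnet; ports disambiguate return traffic."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (private ip, private port, remote ip, remote port)
        self.table = {}
        self.reverse = {}  # inverse of the above, for outbound lookups

    def outbound(self, pkt):
        """Private-to-public: source IP/port rewritten to the NAT's own values."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port        # fresh port so replies map back unambiguously
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Public-to-private: only replies to a recorded conversation are forwarded."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None                  # no table entry: unsolicited packet is dropped
        priv_ip, priv_port, _, _ = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

def demo():
    # Constructed sample addresses (RFC 5737 documentation ranges, RFC 1918 private range).
    nat = Nat("203.0.113.10")
    out1 = nat.outbound(Packet("10.0.1.5", 51000, "198.51.100.7", 443))
    out2 = nat.outbound(Packet("10.0.1.6", 51000, "198.51.100.7", 443))  # same private port
    reply = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out1.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 22, "203.0.113.10", 40002))
    return out1, out2, reply, stray

if __name__ == "__main__":
    print(demo())
```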
