AWS Module-3.2.pdf
Content Delivery Network (CDN)

❑ CDN can stand for Content Delivery Network or Content Distribution Network.
❑ A Content Delivery Network (CDN) is a geographically distributed network of servers that work together to provide fast delivery of Internet content.
❑ The servers are strategically placed at various locations across the globe to cache and serve content from the closest possible location to each user.
❑ This reduces latency and improves performance by bringing the content closer to the users requesting it.
❑ CDNs are designed to serve a wide variety of content, including web objects (text, graphics, scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, and social networks.

How Do CDNs Work?

❑ Here is a simplified overview of how a CDN works:
   1. A user requests content from a website.
   2. The request is routed to the closest CDN server instead of the origin server.
   3. If the content is already cached on the CDN server, it is delivered to the user.
   4. If not, the CDN server requests the content from the origin, delivers it to the user, and caches it for future requests.
   5. All subsequent requests for that content, while the cached copy is still valid, are served from the CDN cache.
❑ By caching content at the "edge" of the network, closer to end users, a CDN reduces the distance data has to travel. This improves site speed and performance.

Key Benefits of Using a CDN

❑ Faster performance - CDNs reduce latency and improve load times by serving content from edge servers closer to users, often cutting page load times substantially.
❑ Increased reliability - CDNs provide redundancy and failover mechanisms to ensure high availability even if some servers go down. They can also absorb traffic spikes and volumetric DDoS attacks.
❑ Cost savings - By caching content and optimizing delivery, CDNs reduce the amount of data an origin server must serve, lowering hosting and bandwidth costs.
❑ Improved security - Many CDNs provide DDoS mitigation, WAF protection, and other security enhancements to defend websites from attacks.
❑ Global scalability - CDNs make it easy to scale content delivery capacity up or down as needed to reach users across the world.
❑ Better user experience - Faster sites with more reliability and uptime lead to higher engagement, conversions, and customer satisfaction.

AWS Networking and Content Delivery

❑ AWS offers a wide range of networking and content delivery services that enable customers to build secure, high-performing, and scalable networks in the cloud.
❑ These services fall into four main categories:
   Networking Foundations - Services like Amazon VPC that provide the basic building blocks for creating virtual networks in the AWS cloud.
   Global and Hybrid Connectivity - Services that allow you to securely connect your on-premises networks and remote users to your AWS resources.
   Edge Networking and Content Delivery - Services that optimize the delivery of content to end users and enhance application performance.
   Application Networking - Services that facilitate communication between microservices and containerized applications.

Amazon VPC (Virtual Private Cloud)

❑ Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define.
❑ It is a virtual network closely resembling a traditional network that you would operate in your own data center, but with the scalability and benefits of the AWS infrastructure.
❑ With Amazon VPC, you have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
❑ You can customize the network configuration to fit your specific business needs.
Benefits of Amazon VPC

❑ Customizable virtual network - Choose your own IP address range, create subnets, and configure route tables and gateways.
❑ Secure connection - Perform inbound and outbound filtering at the instance level (security groups) and at the subnet level (network ACLs). Restrict access to data stored in Amazon S3 to traffic coming from your VPC by using a VPC endpoint.
❑ Easy to set up - Use the AWS Management Console or CLI to quickly set up your VPC and subnets.
❑ Increased security - Secure and monitor connections, screen traffic, and restrict instance access inside your virtual network.
❑ Scalability - Scale your infrastructure up or down based on demand without having to invest in hardware.
❑ Fully controlled environment - Customize your virtual network by choosing your own IP address range, creating subnets, and configuring route tables.

Common Use Cases for Amazon VPC

❑ Hosting public-facing websites - Create a public subnet for your web servers with direct internet access while keeping backend systems in a private subnet.
❑ Multi-tier web applications - Define connectivity between web servers, application servers, and databases across public and private subnets.
❑ Hybrid cloud architectures - Extend your on-premises network to the cloud and seamlessly connect cloud resources to internal systems.
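The building blocks named above (an IP range of your own, subnets carved from it, and route tables that decide where each subnet's traffic goes) are easiest to see in a small model. The Python program below is an added example, not AWS code or part of the module: it carves subnets out of a VPC CIDR, rejects overlaps the way the service does, resolves a destination with longest-prefix match, and classifies each subnet as public, private, VPN-only or isolated using the definitions given later in this module. The VPC CIDR, subnet names and gateway IDs (igw-0example, nat-0example, vgw-0example) are constructed for illustration, and the model mirrors only the route-table behaviour discussed on this page.

```python
"""Added example (not AWS or module code): a small model of one VPC, its subnets and
route tables, that classifies each subnet as public / private / VPN-only / isolated from
the routes that apply to it. All CIDRs, names and gateway IDs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    destination: str   # destination CIDR, e.g. "0.0.0.0/0"
    target: str        # "local", or a constructed gateway ID such as "igw-0example"


@dataclass
class RouteTable:
    name: str
    routes: list       # routes beyond the implicit local route


@dataclass
class Vpc:
    cidr: str
    main_table: RouteTable                            # created together with the VPC
    subnets: dict = field(default_factory=dict)       # subnet name -> CIDR
    associations: dict = field(default_factory=dict)  # subnet name -> RouteTable

    def add_subnet(self, name, cidr, table=None):
        """Carve a subnet out of the VPC range; reject ranges outside the VPC or
        overlapping an existing subnet, which the real service also refuses."""
        net = ip_network(cidr)
        if not net.subnet_of(ip_network(self.cidr)):
            raise ValueError(f"{cidr} is not inside VPC {self.cidr}")
        for other, existing in self.subnets.items():
            if net.overlaps(ip_network(existing)):
                raise ValueError(f"{cidr} overlaps subnet {other} ({existing})")
        self.subnets[name] = cidr
        if table is not None:          # explicit association
            self.associations[name] = table

    def table_for(self, subnet):
        # a subnet with no explicit association uses the main route table
        return self.associations.get(subnet, self.main_table)

    def routes_for(self, subnet):
        # every route table carries a local route for the VPC CIDR
        return [Route(self.cidr, "local")] + self.table_for(subnet).routes

    def lookup(self, subnet, dst_ip):
        """Pick the target for a packet leaving `subnet` towards `dst_ip` using
        longest-prefix match; None means no route, so the packet is dropped."""
        addr = ip_address(dst_ip)
        best = None
        for route in self.routes_for(subnet):
            net = ip_network(route.destination)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route.target)
        return best[1] if best else None

    def subnet_type(self, subnet):
        """Classify by the targets in the subnet's route table, as the module defines them."""
        kinds = {r.target.split("-")[0] for r in self.table_for(subnet).routes}
        if "igw" in kinds:
            return "public"
        if "nat" in kinds:
            return "private"
        if "vgw" in kinds:
            return "vpn-only"
        if not kinds:                  # nothing but the local route
            return "isolated"
        return "private"               # e.g. only a peering route: no internet path


def build_example_vpc():
    """A three-tier layout: public web subnet, private app subnet behind a NAT gateway
    with a VPN route to a corporate range, and a database subnet left on the main
    route table (local route only)."""
    vpc = Vpc("10.0.0.0/16", main_table=RouteTable("main", []))
    public_rt = RouteTable("public", [Route("0.0.0.0/0", "igw-0example")])
    private_rt = RouteTable("private", [Route("0.0.0.0/0", "nat-0example"),
                                        Route("192.168.0.0/16", "vgw-0example")])
    vpc.add_subnet("web-a", "10.0.1.0/24", public_rt)
    vpc.add_subnet("app-a", "10.0.2.0/24", private_rt)
    vpc.add_subnet("db-a", "10.0.3.0/24")            # implicit: main table
    return vpc


if __name__ == "__main__":
    vpc = build_example_vpc()
    for name in vpc.subnets:
        print(f"{name}: {vpc.subnet_type(name)}")
    print("app-a -> 192.168.5.5 via", vpc.lookup("app-a", "192.168.5.5"))  # /16 beats /0
    print("db-a  -> 8.8.8.8 via", vpc.lookup("db-a", "8.8.8.8"))           # None: isolated
```

The point to notice is that the database subnet is isolated purely because nobody associated a route table with it: it silently inherits the main table, which carries only the local route. In a real VPC that is the safe default, and the same mechanism is why adding an internet gateway route to the main table quietly makes every unassociated subnet public.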
Amazon VPC Components

❑ Subnets
   A subnet is a range of IP addresses within your VPC.
   A subnet is tied to a single Availability Zone.
   Subnets can be public (reachable from the internet through an internet gateway) or private (not directly reachable from the internet).
❑ Route Tables
   Route tables determine where network traffic from your subnets is directed.
   Each subnet must be associated with a route table.
   The route table specifies the allowed routes for outbound traffic from the subnet.
❑ Internet Gateway
   Allows communication between your VPC and the internet.
   Provides a target in your VPC route tables for internet-routable traffic.
❑ NAT Gateway
   Allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.
   NAT gateways are fully managed by AWS and provide better availability and bandwidth than NAT instances.
❑ Security Groups
   Act as a virtual firewall for your instances to control inbound and outbound traffic.
   Can specify allow rules, but not deny rules.
   Are stateful - if you send a request from your instance, the response traffic is allowed to flow in regardless of inbound rules.
❑ Network ACLs
   Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
   Are stateless, so responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
   Can have both allow and deny rules.
❑ VPC Peering
   Allows you to connect one VPC with another via a direct network route using private IP addresses.
   Instances in either VPC can communicate with each other as if they are within the same network.

VPC Subnets

❑ A subnet is a range of IP addresses in your VPC.
❑ It is a subdivision of a VPC's IP address range where you can place groups of isolated resources.
❑ Key points about VPC subnets:
   A subnet must reside entirely within one Availability Zone and cannot span zones.
   After you create subnets, you can deploy AWS resources like EC2 instances into specific subnets.
   Subnets allow you to segment your VPC's IP address range into smaller, more manageable blocks to organize resources and apply different network configurations.

VPC Subnets - Types

❑ The subnet type is determined by how you configure routing for your subnets:
   Public subnet - Has a direct route to an internet gateway. Resources in a public subnet can access the public internet, and can be reached from it if they have a public or Elastic IP address and their security group allows the traffic.
   Private subnet - Does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.
   VPN-only subnet - Has a route to a Site-to-Site VPN connection through a virtual private gateway. Does not have a route to an internet gateway.
   Isolated subnet - Has no routes to destinations outside its VPC. Resources can only access or be accessed by other resources in the same VPC.
❑ Subnet Routing
   Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. The route table determines where network traffic from the subnet is directed.
❑ Subnet Security
   Security groups act as a virtual firewall for EC2 instances to control inbound and outbound traffic at the instance level.
   Network ACLs control inbound and outbound traffic at the subnet level.

Route Tables

❑ A route table contains a set of rules, called routes, that determine where network traffic from your VPC is directed.
❑ Each route specifies a destination and a target.
❑ The destination is the range of IP addresses where you want traffic to go (destination CIDR), and the target is the gateway, network interface, or connection through which to send the traffic. When more than one route matches a destination, the most specific route (longest prefix) is used.
❑ Each subnet in a VPC must be associated with a route table, which controls the routing for the subnet.
❑ A subnet can only be associated with one route table at a time, but a route table can be associated with multiple subnets.
❑ Main Route Table: The default route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.
❑ Custom Route Table: A route table that you create for your VPC in addition to the main route table.
❑ Routes: Each route table contains a local route for communication within the VPC. You can add additional routes to direct traffic to other destinations, such as an internet gateway, virtual private gateway, NAT gateway, VPC peering connection, etc.
❑ Subnet Associations: Each subnet must be associated with a route table, either explicitly or implicitly with the main route table.

Security Groups

❑ A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic.
❑ Security groups operate at the instance level (more precisely, on the instance's network interface), not the subnet level.
   You can specify allow rules, but not deny rules.
   They regulate access by protocol, port and authorized IP range (or another security group), for both inbound (ingress) and outbound (egress) traffic.
   They are stateful - if you send a request from your instance, the response traffic is allowed to flow in regardless of inbound security group rules.
   By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
   There are no "deny" rules. Traffic is blocked by default unless an allow rule is explicitly specified.

Security Group Rules

❑ When you create a security group, you add rules that control the inbound traffic (ingress) and a separate set of rules that control the outbound traffic (egress).
   Inbound rules - control incoming traffic to your instance.
   Specify the source of the traffic (by IP address range or another security group), the protocol, and the destination port or port range.
   Outbound rules - control outgoing traffic from your instance.
   Specify the destination of the traffic (by IP address range or another security group), the protocol, and the destination port or port range.
❑ Default and Custom Security Groups
   Default security group - Every VPC comes with a default security group. If you don't specify a security group when you launch an instance, it's automatically associated with the default security group.
   Custom security groups - You can create your own security groups to reflect the roles of the instances in your VPC. For example, you can create a security group for web servers that allows inbound HTTP and HTTPS access.
❑ Security Group Limits (default quotas; some can be raised through Service Quotas)
   You can assign up to five security groups to an instance (per network interface).
   You can have up to 60 inbound and 60 outbound rules per security group.
   You can specify allow rules, but not deny rules.
   You can specify separate rules for inbound and outbound traffic.

Analyze the security group evaluation process in the diagram (diagram not included in this transcript).

VPC Peering

❑ VPC Peering is a networking connection between two Virtual Private Clouds (VPCs) that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
❑ Instances in either VPC can communicate with each other as if they are within the same network.
❑ Key Features
   It is a direct network connection between two VPCs.
   Allows communication between VPCs using private IP addresses.
   Can be established between your own VPCs, or with a VPC in another AWS account.
   Supports both inter-region and intra-region peering connections.
   Traffic between peered VPCs stays on the AWS global network and does not traverse the public internet.
❑ Enhanced Security - Enables private connectivity between VPCs without exposing traffic to the public internet, reducing risk.
❑ Cost Savings - Peering traffic stays on the AWS network, reducing data transfer costs compared to traversing the public internet. There is no charge for creating a peering connection; data transferred across it within one Availability Zone is free, and traffic that crosses Availability Zones or Regions is billed at the standard data transfer rates.
❑ Improved Performance - Direct connections between VPCs minimize latency and maximize bandwidth compared to internet-based connections.
❑ Simplified Network Architecture - Makes it easier to connect and manage communication between multiple VPCs without complex networking setups.

Limitations and Rules of VPC Peering

❑ VPCs cannot have overlapping CIDR blocks.
❑ Transitive peering is not supported - VPCs must be directly peered; traffic cannot be routed through an intermediary VPC.
❑ Some cross-region limitations apply: security group rules cannot reference a security group in the peer VPC, and jumbo frames are not supported across Regions (MTU constraints).
❑ VPC peering does not support edge-to-edge routing - a peering connection does not extend one VPC's internet gateway, NAT gateway, VPN or Direct Connect attachment to the other VPC; external connections must be initiated from within a VPC.
❑ CIDR - Classless Inter-Domain Routing
❑ MTU - Maximum Transmission Unit

Use Cases for VPC Peering

❑ Connecting VPCs of different departments or business units within an organization.
❑ Isolating customer environments while still allowing access to shared resources.
❑ Enabling communication between production and development environments.
❑ Note that reaching several VPCs from an on-premises data center through one AWS Direct Connect attachment and a peered VPC is not a supported use case (edge-to-edge routing is not available); use a Direct Connect gateway or AWS Transit Gateway for that.

AWS Direct Connect

❑ AWS Direct Connect is a cloud service that establishes a dedicated private network connection between your on-premises data center, office, or colocation environment and AWS.
❑ This connection bypasses the public internet, providing a more consistent network experience, reducing costs, and increasing bandwidth throughput.

Key Features

❑ Dedicated Connection:
   ✓ AWS Direct Connect provides a dedicated Ethernet connection between your network and an AWS Direct Connect location.
   ✓ This connection can be either a dedicated connection, which is a physical Ethernet connection associated with a single customer, or a hosted connection, which is provisioned by an AWS Direct Connect Partner and shared with you.
❑ High-Speed Connectivity:
   ✓ AWS Direct Connect supports high-bandwidth connections, with speeds ranging from 50 Mbps (hosted connections) up to 100 Gbps (dedicated connections), depending on the type of connection and the AWS Direct Connect Partner involved.
❑ Improved Performance: The dedicated connection provides a more consistent network experience by reducing latency and avoiding internet congestion.
❑ Virtual Interfaces: You can create virtual interfaces to connect to public AWS services (such as Amazon S3) or to your Amazon VPC. There are three types of virtual interfaces:
   ✓ Public Virtual Interface: Connects to public AWS services.
   ✓ Private Virtual Interface: Connects to your VPC.
   ✓ Transit Virtual Interface: Connects to AWS Transit Gateway for accessing multiple VPCs.
❑ Reduced Costs: By using AWS Direct Connect, you can reduce your bandwidth costs, as data transferred out over the dedicated connection is charged at a lower rate than data transferred out over the internet.

How AWS Direct Connect Works

❑ Establish a Connection: Set up a connection at an AWS Direct Connect location. This involves connecting your on-premises network to an AWS Direct Connect router using a standard Ethernet fiber-optic cable (a cross-connect in the colocation facility).
❑ Configure Virtual Interfaces: Create virtual interfaces to access AWS services. Public virtual interfaces allow access to public AWS services, while private virtual interfaces allow access to resources within your VPC.
❑ Use a Direct Connect Gateway: For connecting to multiple VPCs across different AWS Regions, you can use a Direct Connect gateway. This allows you to reach multiple VPCs from a single connection.
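The two filtering layers described earlier in this module, security groups (allow rules only, stateful, implicit deny) and network ACLs (numbered allow and deny rules, stateless, first match wins), are easy to state and easy to get wrong in combination. The Python program below is an added example, not AWS code or part of the module: it evaluates constructed packets against both layers and reproduces the classic mistake of a network ACL whose outbound side only allows port 443, so that replies to inbound HTTPS connections (destination port = the client's ephemeral port) are dropped while the stateful security group would have let them through. All addresses, ports, rule numbers and rule sets are constructed for illustration.

```python
"""Added example (not AWS code): a minimal evaluator contrasting a security group
(stateful, allow rules only, implicit deny) with a network ACL (stateless, numbered
allow/deny rules, lowest number first). Addresses, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The reply to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class Rule:
    proto: str             # "tcp", "udp" or "-1" for all protocols
    ports: tuple           # (from_port, to_port), matched against the destination port
    cidr: str              # source for inbound rules, destination for outbound rules
    action: str = "allow"  # network ACLs may also say "deny"; security groups never do
    number: int = 0        # network ACL rule number; unused for security groups

    def matches(self, pkt, direction):
        peer = pkt.src if direction == "inbound" else pkt.dst
        low, high = self.ports
        return ((self.proto == "-1" or self.proto == pkt.proto)
                and low <= pkt.dport <= high
                and ip_address(peer) in ip_network(self.cidr))


class SecurityGroup:
    def __init__(self, inbound, outbound=None):
        self.inbound = inbound
        # AWS default: a single outbound rule allowing everything, unless you replace it
        self.outbound = outbound if outbound is not None else [Rule("-1", (0, 65535), "0.0.0.0/0")]
        self.tracked = set()   # flows already allowed (connection tracking)

    def evaluate(self, pkt, direction):
        if pkt.reverse() in self.tracked:      # stateful: replies pass regardless of rules
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):   # only allow rules exist
            self.tracked.add(pkt)
            return "allow"
        return "deny"                           # implicit deny when nothing matches


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        """Stateless: every packet, replies included, is judged by the rules for its own
        direction; the lowest-numbered matching rule decides, then the implicit deny."""
        for r in (self.inbound if direction == "inbound" else self.outbound):
            if r.matches(pkt, direction):
                return r.action
        return "deny"


def make_web_sg():
    """HTTPS in from anywhere; egress locked down to HTTPS only. Replies to inbound
    connections still leave, because the group is stateful."""
    return SecurityGroup(inbound=[Rule("tcp", (443, 443), "0.0.0.0/0")],
                         outbound=[Rule("tcp", (443, 443), "0.0.0.0/0")])


# Common mistake: the outbound side of the ACL mirrors the inbound side, so replies
# (destination port = the client's ephemeral port) match nothing and are dropped.
BROKEN_NACL = NetworkAcl(
    inbound=[Rule("tcp", (443, 443), "0.0.0.0/0", number=100)],
    outbound=[Rule("tcp", (443, 443), "0.0.0.0/0", number=100)])

# Fixed: outbound allows the ephemeral port range. Inbound also shows ordering: a deny
# for one source range is numbered below the broad SSH allow so it is evaluated first.
FIXED_NACL = NetworkAcl(
    inbound=[Rule("tcp", (22, 22), "198.51.100.0/24", action="deny", number=90),
             Rule("tcp", (443, 443), "0.0.0.0/0", number=100),
             Rule("tcp", (22, 22), "0.0.0.0/0", number=110)],
    outbound=[Rule("tcp", (1024, 65535), "0.0.0.0/0", number=100)])


def https_exchange(sg, nacl):
    """Client 203.0.113.7:51515 -> instance 10.0.1.20:443 and the reply. Returns the
    (network ACL, security group) verdict for the request and for the response."""
    request = Packet("203.0.113.7", "10.0.1.20", 51515, 443)
    reply = request.reverse()
    return {"request": (nacl.evaluate(request, "inbound"), sg.evaluate(request, "inbound")),
            "response": (nacl.evaluate(reply, "outbound"), sg.evaluate(reply, "outbound"))}


if __name__ == "__main__":
    print("broken ACL:", https_exchange(make_web_sg(), BROKEN_NACL))
    print("fixed ACL: ", https_exchange(make_web_sg(), FIXED_NACL))
    probe = Packet("198.51.100.9", "10.0.1.20", 40000, 22)
    print("ssh from blocked range:", FIXED_NACL.evaluate(probe, "inbound"))
```

Two things the model makes visible: a security group with restrictive egress still returns replies because of connection tracking, whereas a network ACL needs an explicit outbound allow for the ephemeral port range (1024-65535 for most clients) or every inbound connection to the subnet will hang; and a network ACL deny rule only works if its number is lower than the allow rule that would otherwise match the same traffic.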
Use Cases of AWS Direct Connect

❑ Hybrid Cloud Solutions:
   ✓ Connect on-premises data centers with AWS to create a seamless hybrid cloud environment.
❑ High-Performance Applications:
   ✓ Use for applications that require low latency and high bandwidth, such as real-time data processing and large-scale data transfers.
❑ Secure Data Transfers:
   ✓ Transfer sensitive data over a private connection that bypasses the public internet. Note that Direct Connect traffic is not encrypted by default: where confidentiality in transit is required, use MACsec on supported dedicated connections or run an AWS Site-to-Site VPN over the connection.

Analyze the highly resilient network connections in the diagram (diagram not included in this transcript).

Amazon CloudFront

❑ Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.
❑ It accelerates the distribution of static and dynamic web content, such as HTML, CSS, JavaScript, and image files, to users globally.
❑ By leveraging a worldwide network of data centers known as edge locations, CloudFront ensures that content is delivered with low latency and high transfer speeds.
❑ CloudFront integrates with other AWS services to provide developers and businesses with a reliable and scalable solution for content delivery.

Key Features

❑ Global Network of Edge Locations: CloudFront uses a global network of edge locations and regional edge caches to cache content closer to end users, reducing latency.
❑ Dynamic and Static Content Delivery: Supports the delivery of both static content (e.g., images, CSS, JavaScript) and dynamic content (e.g., APIs, live streaming).
❑ Security: Offers several security features, including AWS Shield for DDoS protection, AWS WAF as a web application firewall, SSL/TLS encryption, and origin access control so that an S3 origin can stay private and be reached only through the distribution.
❑ Customizable: Allows you to customize content delivery with Lambda@Edge, which lets you run code closer to users.
❑ Integration with AWS Services: Seamlessly integrates with other AWS services like Amazon S3, EC2, Elastic Load Balancing, and AWS Elemental Media Services.

Benefits of Amazon CloudFront

❑ Low Latency and High Transfer Speeds: Delivers content with low latency and high transfer speeds by leveraging a global network of edge locations.
❑ Scalability: Automatically scales to handle traffic spikes and high volumes of requests.
❑ Security: Provides robust security features to protect your content and applications.
❑ Cost-Effective: Pay-as-you-go pricing model with no upfront fees or long-term contracts.
❑ Ease of Use: Simple to set up and manage through the AWS Management Console, SDKs, and APIs.

How Does AWS CloudFront Work?

Step 1 - Client access: The client accesses a website and requests a file (such as an image).
Step 2 - Serve user request: DNS routes the client's request to the nearest CloudFront edge location.
Step 3 - Cache file: At the edge location, CloudFront looks for the requested file in its cache. If the file is found and still fresh, CloudFront sends it to the user.
Step 4 - Web server: If the file is not found, CloudFront forwards the request to the origin configured for the distribution (for example an S3 bucket or a web server).
Step 5 - Share file: The origin responds by sending the file back to the CloudFront edge location.
Step 6: As soon as CloudFront receives the file, it forwards it to the client and stores it in the edge location's cache, so that subsequent requests are served from the edge until the cached copy expires.

Use Cases

❑ Website Acceleration: Improve the performance of your websites by caching content closer to users.
❑ Live and On-Demand Video Streaming: Deliver high-quality video content to a global audience.
❑ API Acceleration: Speed up the delivery of APIs to improve the performance of web and mobile applications.
❑ Software Distribution: Efficiently distribute software updates and patches to users worldwide.
❑ Security and DDoS Protection: Protect your applications from DDoS attacks and other security threats.

Create a Distribution for CloudFront
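The six-step request flow in "How Does AWS CloudFront Work?", modelled as a short Python program. This is an added example, not CloudFront code or part of the module: one edge location sits in front of a stand-in origin, keys its cache by request path, uses the origin's Cache-Control max-age as the time to live, and refuses to store responses marked private or no-store, which is what a shared cache must do if a per-user page is not to be handed to the next visitor. The paths, bodies, header values and timeline are constructed for illustration.

```python
"""Added example (not CloudFront code): a model of the six-step request flow, one edge
location in front of an origin. The edge keys the cache by path, honours the origin's
Cache-Control max-age as the TTL, and refuses to store 'private' or 'no-store'
responses, as a shared cache must. Paths, bodies and TTLs are constructed."""
import re
from dataclasses import dataclass


class Origin:
    """Stand-in for the origin web server (steps 4 and 5); counts requests it receives."""
    def __init__(self, objects):
        self.objects = objects   # path -> (body, Cache-Control header value)
        self.requests = 0

    def fetch(self, path):
        self.requests += 1
        if path not in self.objects:
            return 404, b"not found", "max-age=0"
        body, cache_control = self.objects[path]
        return 200, body, cache_control


@dataclass
class CachedObject:
    status: int
    body: bytes
    expires_at: float


class EdgeLocation:
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}          # cache key (path) -> CachedObject

    @staticmethod
    def ttl_for(cache_control):
        """Seconds the edge may serve the object. Shared caches must not store
        responses marked private or no-store (RFC 9111), whatever max-age says."""
        directives = {d.strip().lower() for d in (cache_control or "").split(",")}
        if "private" in directives or "no-store" in directives:
            return 0
        match = re.search(r"max-age=(\d+)", cache_control or "")
        return int(match.group(1)) if match else 0

    def get(self, path, now):
        """Serve `path` at time `now`; returns (status, body, 'Hit' or 'Miss')."""
        entry = self.cache.get(path)                            # step 3: look in the cache
        if entry is not None and now < entry.expires_at:
            return entry.status, entry.body, "Hit"
        status, body, cache_control = self.origin.fetch(path)   # steps 4-5: go to origin
        ttl = self.ttl_for(cache_control)
        if status == 200 and ttl > 0:                           # step 6: keep a copy at the edge
            self.cache[path] = CachedObject(status, body, now + ttl)
        elif entry is not None:
            del self.cache[path]                                # stale copy, drop it
        return status, body, "Miss"


def run_demo():
    """Constructed traffic: a public image requested three times around its TTL, and a
    per-user page that must never be served from the shared cache."""
    origin = Origin({
        "/logo.png": (b"PNG...", "public, max-age=60"),
        "/account": (b"hello alice", "private, max-age=60"),
    })
    edge = EdgeLocation(origin)
    timeline = [("/logo.png", 0), ("/logo.png", 30), ("/logo.png", 61),
                ("/account", 0), ("/account", 1)]
    results = []
    for path, t in timeline:
        status, _, verdict = edge.get(path, t)
        results.append((path, t, status, verdict, origin.requests))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The first request for /logo.png reaches the origin, the second is a hit, and the third, one second after the TTL, goes back to the origin. Every request for /account goes to the origin, because the origin marked it private: if the edge keyed only on path and ignored that directive, the second visitor would receive the first visitor's page. That is the same class of mistake as a CloudFront cache policy that strips the Cookie or Authorization header from the cache key while the origin still varies its response on it.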