Network Services in Cloud PDF


Uploaded by HealthyHydrogen

Singapore Management University


Summary

This presentation covers network services in the cloud, including virtual private cloud (VPC), IP addressing, subnets, routing tables, security in network, VPC sharing and peering, load balancer, and cloud CDN. It discusses various aspects of cloud network architecture.

Full Transcript


Slide 1: NETWORK SERVICES IN CLOUD

Slide 2: OUTLINE
- Introduction of CSP global network infrastructure
- Virtual Private Cloud (VPC)
  - IP addressing
  - Subnets: private subnet and public subnet, NAT GW, bastion host
  - Routing tables
- Security in network: firewall, security group, Network Access Control List (NACL)
- VPC sharing and peering
- Load balancer
- Cloud CDN

Slide 3 (no title; latency figures)
- Within EU and Japan: 12 ms
- Trans-Atlantic (US-EU): 70 ms
- EU/EMEA-Asia: 120 ms
- Within North America: 30~40 ms
- Trans-Pacific (US-Asia): 100 ms
- EU-India: 350 ms

Slide 4: (image only)

Slide 5: CSP OWNED SUBMARINE CABLE (image)

Slide 6: VIRTUAL PRIVATE CLOUD

Slide 7: VIRTUAL PRIVATE CLOUD
- A virtual private cloud (VPC) is a secure, isolated private cloud hosted within a public cloud
- There is a limit on the maximum number of VPCs a project can have: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
- Key factors in a VPC: IP address, subnet, router, firewall, sharing

Slide 8: IP SERVICES

Slide 9: IP AND CIDR BLOCKS
- Do a logical AND operation of the IP address with the subnet mask to check whether the IP belongs to the subnet

Slide 10: IP SERVICES IN CLOUD
Private IP
- Explanation: local address used in a private network
- Example/remark: 10.0.0.0 – 10.255.255.255; 172.16.0.0 – 172.31.255.255; 192.168.0.0 – 192.168.255.255
Public IP
- Explanation: global address that can be accessed by routers from the Internet
- Example/remark: google.com — 172.217.22.14; Yahoo.com — 22.87.47.67; a public IP is globally unique
Static IP
- Explanation: an address that doesn't change unless the machine is decommissioned or the network architecture is changed
- Example/remark: static IPs are used for servers that need a fixed address for customers to access the services
Dynamic IP
- Explanation: dynamic addresses are assigned, as needed, by Dynamic Host Configuration Protocol (DHCP) servers
- Example/remark: dynamic IPs are used for clients that just need an address to send requests and get responses
- Elastic IP: reserved public IP in AWS
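The "logical AND" check from the IP and CIDR blocks slide, worked through in code. This is an added example, not part of the lecture deck: it parses a CIDR block, ANDs an address with the mask to test membership, classifies an address as private using the RFC 1918 ranges from the IP services table, and goes one step further than the slides by checking that a subnet's CIDR is a subset of its VPC's range (the rule stated on the subnet slide). The VPC and subnet values used at the bottom are constructed sample inputs.

```python
# Added example, not from the original slides: the "logical AND" check from the
# IP/CIDR slide, the RFC 1918 private ranges from the IP services table, and the
# rule that a subnet is a subset of its VPC's CIDR range. Sample addresses below
# are constructed, except the documented RFC 1918 blocks.


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask(prefix_len: int) -> int:
    """Subnet mask as an int: prefix_len one-bits followed by zero-bits."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(cidr: str) -> tuple[int, int]:
    """Return (network_address, prefix_length) for 'a.b.c.d/n'; host bits are cleared."""
    addr, sep, prefix = cidr.partition("/")
    if not sep or not prefix.isdigit() or not 0 <= int(prefix) <= 32:
        raise ValueError(f"invalid CIDR block: {cidr!r}")
    prefix_len = int(prefix)
    return ip_to_int(addr) & mask(prefix_len), prefix_len


def network_of(cidr: str) -> str:
    """Network address of a block, e.g. the slide's '10.0.0.1/20' is really 10.0.0.0/20."""
    return int_to_ip(parse_cidr(cidr)[0])


def in_subnet(ip: str, cidr: str) -> bool:
    """The slide's rule: AND the address with the mask and compare with the network address."""
    network, prefix_len = parse_cidr(cidr)
    return (ip_to_int(ip) & mask(prefix_len)) == network


RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(ip: str) -> bool:
    return any(in_subnet(ip, block) for block in RFC1918_BLOCKS)


def subnet_within_vpc(subnet_cidr: str, vpc_cidr: str) -> bool:
    """A subnet must be at least as specific as the VPC and lie inside the VPC's range."""
    sub_net, sub_len = parse_cidr(subnet_cidr)
    vpc_net, vpc_len = parse_cidr(vpc_cidr)
    return sub_len >= vpc_len and (sub_net & mask(vpc_len)) == vpc_net


def host_range(cidr: str) -> tuple[str, str]:
    """First and last address in the block (network and broadcast addresses included)."""
    network, prefix_len = parse_cidr(cidr)
    return int_to_ip(network), int_to_ip(network | (~mask(prefix_len) & 0xFFFFFFFF))


if __name__ == "__main__":
    vpc = "10.0.0.0/16"  # constructed VPC range
    for subnet in ("10.0.1.0/24", "10.0.16.0/20", "10.1.0.0/24"):
        print(subnet, "fits in", vpc, "->", subnet_within_vpc(subnet, vpc))
    for ip in ("10.0.1.37", "172.217.22.14", "192.168.255.255"):
        kind = "private" if is_private(ip) else "public"
        print(ip, kind, "| in 10.0.1.0/24:", in_subnet(ip, "10.0.1.0/24"))
```

The membership test is exactly the slide's AND: a /20 mask keeps the top four bits of the third octet, so 10.0.5.7 stays inside 10.0.0.0/20 while 10.0.16.1 lands in the next block. subnet_within_vpc rejects a subnet that is wider than its VPC (a /8 inside a /16) as well as one whose network falls outside the VPC range.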
Slide 11: SUBNET

Slide 12: SUBNET
- VPCs span a region; subnets span an AZ
- Subnets are allocated as a subset of the VPC CIDR range
- You can have multiple subnets in each VPC and each AZ

Slide 13: PUBLIC & PRIVATE SUBNET
- Public subnet: can be accessed from the Internet; inside resources should have a public IP
- Private subnet: no access from the Internet; inside resources only have private IPs

Slide 14: NAT GATEWAY (concept and example diagrams)
- NAT allows responses from the Internet to reach the private subnet

Slide 15: BASTION HOST (concept and example diagrams)
- A bastion host allows SSH/RDP requests coming from the Internet

Slide 16: ROUTING TABLES

Slide 17: ROUTING TABLES
- 2 types of route tables: main route table (default) and custom route table
- Each subnet has an associated routing table
- A routing table can be associated with multiple subnets

Slide 18: VPC SECURITY

Slide 19: FIREWALL

Slide 20: FIREWALL RULES
- Direction: incoming, outgoing
- Ports: 80 (HTTP), 443 (HTTPS), 21 (FTP), 22 (FTPS/SSH), 995 (POP3 SSL)
- Protocols: HTTP, HTTPS, TCP, UDP, SSH, ICMP, FTP, FTPS
- Priority: 0 (highest) ~ 65535 (lowest)

Slide 21: FIREWALL IN GCP AND AWS (diagram: Firewall Policy 1 and Firewall Policy 2, made up of firewall rules / firewall rule groups)

Slide 22: IMPLIED/DEFAULT FIREWALL RULES
- Every VPC network has two permanent firewall rules which are implicitly defined
- Default rules: deny all incoming connections (ingress) and allow all outgoing connections (egress)
- Default rules are not shown on the console and can NOT be removed
- Ingress traffic from the Internet is free; egress traffic to the Internet is chargeable

Slide 23: SECURITY GROUPS (AWS)
- A security group acts as a virtual firewall for instances to control inbound and outbound traffic
- When you launch an instance in a VPC, you can assign up to 5 security groups to the instance
- Security groups act at the instance level, not the subnet level.
  Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups
- Each security group has one set of rules for inbound traffic and one set of rules for outbound traffic
- It filters traffic based on protocols and port numbers
- It is stateful: the incoming response traffic to a request sent out from an instance is automatically allowed regardless of rules, and vice versa
- No inbound rules upon creation
- Default allow-all outbound rules
- Instances associated with a security group can't talk to each other unless you add rules allowing the traffic
- A security group can only be used in the VPC that you specify when you create the security group

Slide 24: NETWORK ACCESS CONTROL LIST (NACL)
- It is an optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- Network ACLs use rules similar to security groups
Security group vs network ACL:
- Security group: operates at the instance level | Network ACL: operates at the subnet level
- Security group: supports allow rules only | Network ACL: supports allow rules and deny rules
- Security group: is stateful; return traffic is automatically allowed, regardless of any rules | Network ACL: is stateless; return traffic must be explicitly allowed by rules
- Security group: AWS evaluates all rules before deciding whether to allow traffic | Network ACL: AWS processes rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic
- Security group: applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Network ACL: automatically applies to all instances in the subnets that it's associated with (therefore, it provides an additional layer of defence if the security group rules are too permissive)

Slide 25: VPC SHARING & PEERING

Slide 26: VPC SHARING
- VPC sharing is more a permissions process: allowing two or more corporate divisions to have services in the same VPC
- It is used for different projects to share resources, e.g. a service from marketing accesses the customer database managed by IT
- Shared VPCs are comprised of a host project and one or more service projects
- The host project contains one or more Shared VPC networks
- Once a VPC is shared, all its subnets become shared VPC subnets
- NOT across organizations

Slide 27: VPC PEERING
- VPC peering is basically a networking process. In the old school it is like telling your networking team to create connections and routes between data centres.
- It enables different VPCs to communicate using private IP addresses in RFC 1918
- VPC peering is used as an alternative to using external IP addresses or using VPNs to link networks
- There is a limit on the maximum number of peering connections from a single VPC (for GCP it is 25)
- Peering works among different organizations
Advantages:
1. Lower latency as the traffic stays on the CSP's network
2. Services in the VPC are inaccessible from the public Internet
3. No egress charges associated with the traffic

Slide 28: TRANSIT GATEWAY (diagram; "√ ?")

Slide 29: (image only)

Slide 30: LOAD BALANCING

Slide 31: ELASTIC LOAD BALANCER
- Distributes traffic to multiple targets across multiple Availability Zones
- ELB scales automatically
- Supports Auto Scaling Groups: instances are automatically (de)registered with the ELB
- There are 2 types of ELB: Network Load Balancer (L4) and Application Load Balancer (L7)

Slide 32: ELB – ROUTING OPTIONS
- Configure an NLB if you need ultra-high performance or a static IP address
- Example: https://login.sgonlineshop.com/buyer and https://login.sgonlineshop.com/seller are directed to different backend servers using path-based routing

Slide 33: COMPARISON OF ELB
- Remember: if high throughput or a static IP is needed, choose NLB; if HTTP-header based distribution is needed, choose ALB

Slide 34: CONTENT DISTRIBUTION NETWORK

Slide 35: WHY NEED CDN?
Slide 36: 600+ Points of Presence in 100+ cities

Slide 37: (image only)

Slide 38: SUMMARY (diagram labels: Load Balancer (Internal/Global); CDN; Internet; Organization 1: VPC1 (sales) 10.0.0.1/20, VPC2 (product) 10.1.0.1/24, VPC3 (Procurement) 192.168.0.0/24; VPC4 (partner sales) 10.10.0.1/20; Organization 2; VPC5 (on-prem) 192.168.1.0/24 via VPN with dynamic routing; VPC sharing; VPC peering)

Slide 39: LAB – NETWORK
- https://catalog.workshops.aws/general-immersionday/en-US/basic-modules/20-vpc/vpc
- Note: the IP ranges in the above steps are examples; you can choose your own IP range

Slide 40: ASSIGNMENT
- Create a subnet and attach a NACL
- Create an instance and a database (or another instance) within this subnet
- Create two security groups (SG1 & SG2), and add your instance and database (or another instance) into different security groups
- Test 2 scenarios to see how the ACL and security groups affect your traffic:
  1. NACL allows a traffic, SG1 denies it, SG2 allows it
  2. NACL denies a traffic, SG1 and SG2 allow it
- Submit your homework via eLearn
- Design the network components for your project

Slide 41: REFERENCE – DRESS4WIN
- 40 web application servers providing micro-services based APIs and static content: Tomcat-Java, Nginx, 4-core CPUs, 32 GB RAM
- 20 Apache Hadoop/Spark servers for data analysis and real-time trending calculations: 8-core CPUs, 128 GB RAM, 4*5 TB HDD (RAID 1)
- 3 RabbitMQ servers for messaging, social notifications and events: 8-core CPUs, 32 GB RAM
- Miscellaneous servers: Jenkins, monitoring, bastion hosts, security scanners; 32 GB RAM
- Diagram labels: public subnet for Internet requests; private subnet 1 for request/response; private subnet 2 for analytics
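A model of the security group vs network ACL semantics from the NACL comparison slide (instance vs subnet level, allow-only vs allow/deny, stateful vs stateless, all rules evaluated vs lowest-numbered match), run against the two assignment scenarios. This is an added example, not code from the lecture or from AWS: the NetworkACL and SecurityGroup classes, the rule numbers, group names and addresses are all constructed; the only AWS behaviour assumed beyond the slide is that a NACL with no matching rule denies the packet (AWS's catch-all "*" rule).

```python
# Added example, not from the original slides: a small model of the security
# group vs. network ACL semantics from the NACL comparison slide, applied to the
# two assignment scenarios. Rule numbers, group names and addresses are constructed.
from dataclasses import dataclass
import ipaddress


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Flow:
    protocol: str
    port: int                  # destination port of the packet
    peer_ip: str               # the other end of the connection
    direction: str             # "in" or "out", relative to the instance
    is_response: bool = False  # reply to a connection the instance opened itself


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; security groups accept "allow" only
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # peer address range the rule applies to

    def matches(self, flow: Flow) -> bool:
        return (self.protocol in ("all", flow.protocol)
                and self.port_from <= flow.port <= self.port_to
                and in_cidr(flow.peer_ip, self.cidr))


class NetworkACL:
    """Subnet level, stateless, allow and deny rules; the lowest-numbered match wins."""

    def __init__(self) -> None:
        self.rules: dict[str, dict[int, Rule]] = {"in": {}, "out": {}}

    def add(self, direction: str, number: int, rule: Rule) -> None:
        self.rules[direction][number] = rule

    def allows(self, flow: Flow) -> bool:
        for number in sorted(self.rules[flow.direction]):
            rule = self.rules[flow.direction][number]
            if rule.matches(flow):
                return rule.action == "allow"  # first match decides; later rules are not consulted
        return False  # no match: AWS's final catch-all '*' rule denies the traffic (assumed AWS behaviour)


class SecurityGroup:
    """Instance level, stateful, allow rules only; a new group has no inbound rules and allows all outbound."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: dict[str, list[Rule]] = {"in": [], "out": [Rule("allow", "all", 0, 65535, "0.0.0.0/0")]}

    def add(self, direction: str, rule: Rule) -> None:
        if rule.action != "allow":
            raise ValueError("security groups support allow rules only; leave a rule out to deny")
        self.rules[direction].append(rule)

    def allows(self, flow: Flow) -> bool:
        if flow.is_response:
            return True  # stateful: return traffic is allowed regardless of the rules
        return any(rule.matches(flow) for rule in self.rules[flow.direction])  # every rule is considered


def permitted(flow: Flow, nacl: NetworkACL, sg: SecurityGroup) -> bool:
    """Traffic must pass both layers: the NACL at the subnet edge and the instance's security group."""
    return nacl.allows(flow) and sg.allows(flow)


def assignment_scenarios() -> dict[str, bool]:
    db_request = Flow("tcp", 3306, "10.0.1.25", "in")  # app instance -> database, same subnet
    mysql_allow = Rule("allow", "tcp", 3306, 3306, "10.0.0.0/16")

    nacl_allow = NetworkACL()
    nacl_allow.add("in", 100, mysql_allow)
    nacl_deny = NetworkACL()
    nacl_deny.add("in", 100, Rule("deny", "tcp", 3306, 3306, "10.0.0.0/16"))
    nacl_deny.add("in", 200, Rule("allow", "tcp", 0, 65535, "10.0.0.0/16"))  # never reached for port 3306

    sg1 = SecurityGroup("SG1")  # "denies" simply by having no inbound allow for 3306
    sg2 = SecurityGroup("SG2")
    sg2.add("in", mysql_allow)

    return {
        "scenario1_nacl_allows_sg1_denies": permitted(db_request, nacl_allow, sg1),  # False
        "scenario1_nacl_allows_sg2_allows": permitted(db_request, nacl_allow, sg2),  # True
        "scenario2_nacl_denies_sg_allows": permitted(db_request, nacl_deny, sg2),    # False
    }


def return_traffic() -> dict[str, bool]:
    """Why 'stateless' matters: the reply to an outbound request arrives on an ephemeral port."""
    sg = SecurityGroup("web")
    nacl = NetworkACL()
    nacl.add("out", 100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))
    request = Flow("tcp", 443, "203.0.113.10", "out")
    reply = Flow("tcp", 50000, "203.0.113.10", "in", is_response=True)
    reply_without_rule = permitted(reply, nacl, sg)  # SG says yes (stateful), NACL drops it
    nacl.add("in", 100, Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0"))
    reply_with_rule = permitted(reply, nacl, sg)
    return {"request": permitted(request, nacl, sg),
            "reply_without_nacl_inbound_rule": reply_without_rule,
            "reply_with_nacl_inbound_rule": reply_with_rule}
```

The assignment scenarios come out as the slide predicts: with the NACL allowing, only the instance in the group that has an inbound allow gets the traffic (a security group "denies" by the absence of an allow rule, since it has no deny rules); with the NACL denying, the security groups' allow rules are irrelevant because the lowest-numbered NACL rule wins before rule 200 is ever read. return_traffic shows the stateless half of the comparison: the security group lets the reply in on its own, but the NACL needs an explicit inbound rule for the ephemeral port range or the reply is dropped at the subnet edge.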
