AWS Series #3: The 3-step Infrastructure & Network Layer

Lakshmi Venkatesh, published in Nerd For Tech, Jun 21, 2021

Infrastructure & Network Layer

Once the Security Roadmap is defined and implemented, the next logical step is to set up the Infrastructure and Network Layer. Once this is in place, you are all set. This layer can be set up as a 3-step process:

3 Step Infrastructure and Network Layer

Step 1: Gateway to your Infrastructure

Step 2: Your Network & Security Architecture

Step 3: The core of your Infrastructure

Step 1: Gateway to your Infrastructure

Region

Real World Example: You are on a trip and you want to have a coffee at Starbucks. Google Maps suggests that there are 20 Starbucks around the location of interest. Based on proximity, convenience and the availability of the services you want, you choose the Starbucks of your choice.

On AWS: A Region is a dedicated geographic location where AWS data centers operate. Not all data centers are the same, and not all features are available in every Region. Based on proximity, your organizational policies, jurisdiction needs and governance, you choose the Region or Regions you need. The trade-off is convenience versus availability of services.

Internet Gateway (IG)

Real World Example: Before understanding the VPC, it is imperative to understand the Internet Gateway, which is the first entry gateway into the Virtual Data Center on AWS. The door to the building leads you directly into the building — lounge/reception/gantry. Once you are inside the building, you can consider yourself already inside your VPC.

Does it automatically give you the right to traverse any VPC and access its resources? No. The Internet Gateway is only the starting point. Think of it this way: you have an access card for a particular floor of the building, but to reach the gantry and tap the card, you first have to enter the building.

On AWS: The Internet Gateway lets you reach the VPC. Once you pass through the Internet Gateway from the internet, you are in your VPC (the building). There are a couple of entry points that let you access AWS resources.

VPC

Real World Example: Once you are inside the office, you are already in the VPC. The office and all the resources inside it sit on one of the floors of this building, and the aim is to reach that space based on the access path and access rights available to the user.

On AWS: Getting into the VPC does not automatically grant access to all resources. Each user created by the root user via IAM may have restrictions on which resources it can and cannot access. A user can reach only the resources it has been given permission for.

Availability Zone

Real World Example: In any office, you may see more than one meeting room. If one meeting room is unavailable because of renovation (not because it is in use), the other meeting room can be used.

On AWS: Availability Zones enable DR. Most AWS services offer Multi-Availability Zone (Multi-AZ) deployment for their SaaS or PaaS offerings. If a service does not provide it implicitly, you can always manage one yourself.

Step 2: Your Network & Security Architecture

Router

Real World Example: The Router is like being assigned a lift once you tap the access card.

On AWS: The Router takes you to the NACL listed against the route in the Route Table.

Route Tables

Real World Example: Once you get into the assigned lift, you are dropped at the floor to which your access card is assigned (let us assume each access card can access only one floor). Upon reaching the floor, you still need permission to get into the designated office. The same access card can be provisioned to enter. The access checkpoint at the office door is like the NACL (Network Access Control List).

On AWS: The checkpoint that grants entry at the VPC level is the NACL (Network Access Control List).

Route 53

Real World Example: Say you want to go to your friend's house and they give you latitude, longitude and altitude details so you can get there. How about being given an address instead? In the physical world, the address is not an afterthought; it is the key information that carries the geospatial data underneath.

On AWS: Route 53 is an optional service but a good practice. It enables 4 key tasks — DNS Management; Traffic Management; Availability monitoring and Domain Registration.

NACL

Real World Example: Let’s assume Level 5 is your designated floor and there is only one office on that floor. The office is secured and lets you in only upon swiping/tapping an access card with the appropriate permission to enter. Does the NACL let you access every room in the office? Not really — you are on the office premises and can see the general areas. Let’s assume you are in reception and, to gain further entry, there are further firewalls. The NACL is associated with a sub-area where the actual resources are available, but to gain access to that sub-area you need further access permissions.

On AWS: The Network Access Control List (NACL) is the first line of defense that controls traffic for one or more subnets. This is an optional layer. It works on Allow and Deny rules for both inbound and outbound traffic. The numbered rules are evaluated in order of their rule numbers. The NACL is stateless: it does not track connections, so the reply to allowed inbound traffic must itself be permitted by an outbound rule.

Security Groups

Real World Example: You are inside your office, say you want to get into the Server room and that has access restrictions and can be accessed only by Infra — that is the Security Group in the cloud world.

On AWS: Once you are inside the Subnet, to reach an EC2 instance you must have the required permissions to access the instances within the subnet. This applies to any type of instance, be it EC2 or Database.
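The difference between the two checkpoints above (ordered, stateless NACL rules versus unordered, stateful security group rules) is easiest to see by evaluating sample packets. The following is an added illustration, not code from the original article or from AWS; the rules, addresses and ports are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # remote address; all addresses below are constructed samples
    dst_port: int

# NACL rules: (rule number, action, source CIDR, (port_lo, port_hi)).
# Evaluated in ascending rule-number order; the first match wins and an
# unmatched packet hits the implicit final deny.
NACL_INBOUND = [
    (100, "allow", "0.0.0.0/0", (443, 443)),      # HTTPS from anywhere
    (110, "deny", "10.0.5.0/24", (22, 22)),       # block SSH from one internal range
    (120, "allow", "10.0.0.0/16", (22, 22)),      # SSH from the rest of the VPC
]
NACL_OUTBOUND = [
    (100, "allow", "0.0.0.0/0", (1024, 65535)),   # replies to ephemeral client ports
]

def nacl_decision(rules, addr, port):
    """First matching numbered rule wins; no match means deny."""
    ip = ipaddress.ip_address(addr)
    for _num, action, cidr, (lo, hi) in sorted(rules):
        if ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"

def nacl_allows_round_trip(pkt, client_port):
    """Stateless: the inbound request and the outbound reply are checked separately."""
    inbound_ok = nacl_decision(NACL_INBOUND, pkt.src, pkt.dst_port) == "allow"
    reply_ok = nacl_decision(NACL_OUTBOUND, pkt.src, client_port) == "allow"
    return inbound_ok and reply_ok

# Security group rules: allow-only and unordered, (source CIDR, (port_lo, port_hi)).
SG_INBOUND = [("0.0.0.0/0", (443, 443)), ("10.0.0.0/16", (22, 22))]

def sg_allows_round_trip(pkt):
    """Stateful: if any rule allows the request, the reply is allowed automatically."""
    ip = ipaddress.ip_address(pkt.src)
    for cidr, (lo, hi) in SG_INBOUND:
        if ip in ipaddress.ip_network(cidr) and lo <= pkt.dst_port <= hi:
            return True
    return False
```

Note that a client connecting from a source port below 1024 gets its HTTPS request through the NACL but never receives the reply, which is the classic symptom of a missing outbound ephemeral-port rule.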

NAT

Real World Example: Anyone who wants access to the Server Room in the office has to approach Infra; if they consider it appropriate, they grant access.

On AWS: Route the instances within the subnet through the NAT so that all of their traffic passes through the NAT Gateway, a single clearance window.

Direct Connect | Private Link | VPC Private Gateway | VPC Endpoint

  • CloudFront
  • API Gateway
  • Storage Gateway
  • ALB / ELB / CLB

Step 3: The core of your Infrastructure

Subnet

Real World Example: If the VPC is the building, the subnets are the rooms in the office space. Assume each room can be accessed only via access card; that card is the Security Group. Inside each room there will be instances and a NAT gateway.

On AWS: A Subnet resides inside an Availability Zone, and one Availability Zone can hold more than one subnet. A subnet is either Private or Public. Public subnets are those reachable via the Internet Gateway — they can be used to spin up EC2 or web servers. A Private subnet, on the other hand, cannot be reached via the Internet Gateway and so cannot be SSH’d into directly. The only way to reach the private subnet is via the public subnet, i.e. SSH into the private subnet from there — a database can be placed in the private subnet to disallow external access.
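Whether a subnet is public or private is decided by its route table, not by a flag on the subnet. The following added example (not code from the original article; the VPC layout and gateway ids are constructed placeholders) evaluates routes by longest prefix match, classifies the two subnets, and shows why an operator's SSH session to the private subnet has to hop through the public one.

```python
import ipaddress

# Constructed sample VPC (10.0.0.0/16): one public subnet hosting web/bastion
# instances and one private subnet hosting the database. Gateway ids are
# placeholders, not real AWS resource ids.
SUBNETS = {"web": "10.0.1.0/24", "db": "10.0.2.0/24"}
ROUTE_TABLES = {
    "web": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "db": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}

def next_hop(routes, dst):
    """Pick the route with the longest matching prefix, as a VPC route table does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def is_public(subnet):
    """A subnet is public when its default route (0.0.0.0/0) points at an Internet Gateway."""
    return any(target.startswith("igw-")
               for cidr, target in ROUTE_TABLES[subnet] if cidr == "0.0.0.0/0")

def ssh_path(target):
    """Hops an operator's SSH session takes from the internet to a host in `target`."""
    if is_public(target):
        return ["internet", target]
    bastion = next(s for s in SUBNETS if is_public(s))  # jump through a public subnet
    return ["internet", bastion, target]
```

The database subnet still reaches the internet for patches, but only outbound through the NAT gateway; nothing on the internet can route in to it.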

Servers & Instances

Real World Example: Inside the Server Room there will be Linux servers, database servers, AD servers, HP servers hosting VMs, etc.

On AWS: Inside the subnet, you can spin up instances such as EC2 or Database. This belongs to the Processing Layer and is not discussed as part of the Infrastructure and Network Layer. It is included here only to show that it is the critical, core service — the very purpose for which you set up the Infrastructure & Network Layer.

Instances (Compute)

  • EC2 | EC2 Image Builder

Containers

  • ECS
  • EKS
  • Fargate

Reference Images: Unsplash.com

Parent Article: AWS Multi-Part Series.

For other articles refer to luxananda.medium.com.
