In this chapter, we will take a brief overview of Amazon Web Services (AWS) and its networking services so that you can get started quickly and become familiar with the key services and concepts.
To understand AWS, it helps to first have a core understanding of what cloud computing is and then look at AWS-specific topics.
Cloud computing, cloud service models, cloud deployment models, and cloud characteristics, as defined by the National Institute of Standards and Technology (NIST), will help us understand the core of cloud computing. This chapter will also show how the different AWS services can be categorized in terms of cloud service models and cloud deployment models.
In this chapter, we will cover the following topics in detail:
- The core concepts of AWS
- Regions and Availability Zones
- Security and compliance
- Amazon Elastic Compute Cloud (Amazon EC2)
- Security groups
- An overview of networking services
- Amazon Virtual Private Cloud (Amazon VPC)
- Amazon CloudFront
- Amazon Route 53
- AWS Direct Connect
- Elastic Load Balancing
- Auto Scaling
- Billing Dashboard
- AWS Total Cost of Ownership (TCO) calculator
- Architecture—compute and networking services for a sample application
Cloud computing is the on-demand delivery of computing resources, such as compute, storage, and network, to users over a network. These resources may be multi-tenant or dedicated.
Whether that network is the internet or a LAN depends on the deployment model of the cloud. According to NIST's definition of cloud computing, there are both cloud deployment models and cloud service models:
Cloud deployment models define the way resources are deployed, that is, whether they are accessible over a LAN or over the internet. There are four cloud deployment models:
- Public cloud, which is accessible over the internet
- Private cloud, which is accessible over LAN and owned by an organization
- Community cloud, where resources are shared by a specific set of organizations that share similar types of interests
- Hybrid cloud, which combines two or more deployment models to form a cloud based on specific use cases, such as keeping databases on-premises for security reasons
The cloud service model defines the way cloud resources are used by taking into consideration their flexibility or the options that are provided to users. There are three cloud service models:
- Infrastructure as a Service (IaaS): Resources such as compute, storage, and network are made available to users. Security and control are in the hands of the users. The cloud service provider plays a limited role in resource management in this service model.
- Platform as a Service (PaaS): Users get a platform where they can deploy a package directly without worrying about setting up a runtime environment. Security and control are in the hands of the cloud service provider. Users can still do some configuration, such as choosing web server versions, enabling logs, and setting up load balancers. Users play a limited role in resource management in this service model.
- Software as a Service (SaaS): The user creates an account, and the entire service is available directly. Office 365, Google Docs, and Zoho Docs are popular examples of SaaS. The cloud service provider is responsible for resource management in this service model.
Cloud computing also has a few significant characteristics:
- Multi-tenancy
- A pay-as-you-go billing model, similar to electricity billing
- On-demand self-service
- Resource pooling, for better utilization of cloud resources
- Rapid elasticity, that is, automated scaling up and scaling down of instances (in the case of IaaS or PaaS) based on need
- Measured service, for billing
There are many cloud service providers that provide public cloud services in the market. However, among all the providers, Amazon Web Services (AWS) has established itself as a leader in terms of innovation and the services it provides.
This all began in 2006 when AWS started providing infrastructure services.
Now, AWS services are utilized in more than 190 countries all over the world, and many research firms have announced AWS as a leader in the cloud space as well.
The AWS Cloud operates in 16 geographic Regions, with 44 Availability Zones around the world. Some of these are depicted in the following diagram:
A Region is a geographic location somewhere in the world, whereas Availability Zones (AZs) are separate data centers within a specific Region:
Each Region is isolated from the others, and each Availability Zone is designed as an independent failure zone to support highly available, fault-tolerant resources and scalable application architectures.
Security in AWS is a shared responsibility, and the split depends on the cloud service model that the customer or user chooses. In AWS, physical resources, such as servers, storage, and the network, are managed by AWS. Users don't have to secure those physical resources themselves, since AWS has already applied best practices to them and is transparent about it.
It is up to you to configure security for your own resources in AWS as per the proven best practices that are available for the AWS infrastructure.
Users can configure security groups and access control lists, Virtual Private Cloud (VPC), and identity and access management to make the resources in the cloud more secure:
Compliance is extremely important for the assurance of security and protection. Security and compliance are both shared responsibilities between AWS and the AWS customer, and the split depends on which cloud service model the customer uses. AWS complies with SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27018, and so on.
Amazon Elastic Compute Cloud (Amazon EC2) is a web service (remember, these are Amazon Web Services).
Amazon EC2 provides compute services in the Amazon Cloud.
Is it easy to get your hands on it?
Yes; you can create an account and use the free tier to create a simple instance:
You need to follow these steps to create an instance:
- Go to aws.amazon.com and log in with your credentials.
- Click on Services in the top bar:
- Select EC2 from the Compute services that are available in the AWS Portal.
- The Amazon EC2 dashboard shows the number of running instances along with related resources, such as Elastic IPs, Volumes, Key Pairs, Snapshots, Load Balancers, Security Groups, Service Health, Supported Platforms, default VPC-related information, and so on:
- Click on Launch Instance and follow the simple wizard to create an instance.
- After you have created an instance, the EC2 dashboard will give complete details of your Amazon EC2 instance.
- Click on Instances in the EC2 dashboard to get details on all the instances that you have created in Amazon EC2:
You can edit the instance configuration, restart an instance, or terminate an instance from the Actions menu, which can be found in the EC2 dashboard.
Instances come in different types, which differ in intended usage and pricing:
A security group is a virtual firewall that controls the traffic flowing to and from AWS instances. It is easy to associate a security group with an instance; you can do this while creating the instance. You can assign up to five security groups to an instance, either at launch time or afterwards. Each security group can serve one or more instances. Security groups are associated with the primary network interface (eth0) of an instance.
Each AWS account comes with a default security group for each VPC in each Region. By default, instances are associated with the default security group. The default security group can't be deleted. It allows all inbound traffic from other instances associated with the default security group, and it allows all outbound traffic from the instance.
Let's try and create a security group and look at what we can do:
- Go to the EC2 or VPC dashboard via Network & Security | Security Groups and click on Create Security Group.
- Provide a Security group name and select the VPC that the security group belongs to.
- You need to configure security rules for inbound and outbound traffic; it is based on these rules that a security group controls traffic in AWS. By default, a security group includes an outbound rule that allows all outbound traffic:
- Click on Add Rule and select Type, Protocol, Port Range, Source, and Description.
- You can create one or multiple rules based on your requirements:
- Click on Create and verify the security group in the EC2 Dashboard or VPC Dashboard.
If the instance or the web server is not accessible via PuTTY or a web browser, then you need to troubleshoot the issue. Start by checking whether the correct security group is attached and whether the appropriate inbound rules have been configured.
If you change the inbound or outbound traffic rules, the changes are applied to the associated instances immediately.
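The troubleshooting step above amounts to evaluating a security group's allow-list against a specific client and port. The following is an added example, not code from the book: it models a group in the shape the EC2 DescribeSecurityGroups API returns (the group ID, office range and rules are constructed), answers "can this source reach this port?", and lists the inbound rules open to the whole internet that go beyond the ports you intend to expose.

```python
"""Added example (not from the book): evaluate security group rules offline.

The dicts mirror the IpPermissions shape returned by the EC2
DescribeSecurityGroups API. Only IPv4 CidrIp sources are handled here;
Ipv6Ranges, prefix lists and referenced security groups are ignored.
"""
import ipaddress

# Constructed sample group: SSH from an office range, HTTP/HTTPS from
# anywhere, plus an over-broad RDP rule that the audit helper should flag.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder, not a real group ID
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    # The default outbound rule: all protocols to all destinations.
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def _rule_matches(rule, protocol, port, peer_ip):
    """True if one rule covers protocol/port for the given peer address."""
    proto = rule["IpProtocol"]
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != protocol or not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))

def allows_inbound(group, protocol, port, source_ip):
    """Security groups are allow-lists: a single matching rule permits the flow."""
    return any(_rule_matches(r, protocol, port, source_ip) for r in group["IpPermissions"])

def allows_outbound(group, protocol, port, dest_ip):
    return any(_rule_matches(r, protocol, port, dest_ip) for r in group["IpPermissionsEgress"])

def world_open_rules(group):
    """Inbound rules whose source is the whole IPv4 internet, as (proto, from, to)."""
    return [(r["IpProtocol"], r.get("FromPort"), r.get("ToPort"))
            for r in group["IpPermissions"]
            if any(ip["CidrIp"] == "0.0.0.0/0" for ip in r.get("IpRanges", []))]

def unexpected_public_rules(group, expected_ports=frozenset({80, 443})):
    """World-open rules that expose anything beyond the ports meant to be public."""
    return [rule for rule in world_open_rules(group)
            if rule[0] == "-1" or not set(range(rule[1], rule[2] + 1)) <= expected_ports]
```

On a live account the same functions work unchanged on the `SecurityGroups` entries returned by `aws ec2 describe-security-groups` or boto3's `describe_security_groups()`.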
In this section, we will look at an overview of networking services. We will cover them in more detail in the upcoming chapters:
Let's start with Amazon Virtual Private Cloud.
Amazon Virtual Private Cloud (Amazon VPC) improves security because it lets you launch instances in a logically isolated virtual network.
The following screenshot shows a few of the components that are important in the Amazon VPC:
AWS accounts only support EC2 instances inside a VPC. So, do you need to create a VPC the moment you create your account?
The answer is no. A default VPC is provided in Amazon VPC. If you delete the default VPC, you cannot restore it yourself; you would need to contact AWS Support to do so:
The default VPC contains the following:
- A VPC with a size /16 IPv4 CIDR block (172.31.0.0/16). This means that you have 65,536 private IPv4 addresses. For more details on CIDR, check out the following link: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.
- Default subnet /20 in each Availability Zone. Here, you have 4,096 addresses per subnet.
- One internet gateway.
- A main route table for the default VPC.
- A default security group associated with your default VPC.
- A default network Access Control List (ACL):
Perform the following steps to display the subnets available in your VPC dashboard:
- Click on Your VPCs in the VPC Dashboard.
- Verify the VPC ID, State, IPv4 CIDR, Route table, Network ACL, and so on:
The subnet can be defined as a section of a VPC's IP address range, and is where you can place groups of isolated compute resources.
- Click on Subnet on the left sidebar in the VPC Dashboard. Below Subnets, we have Route Tables, Internet Gateways, NAT Gateways, and Elastic IP addresses:
- Route Tables define how traffic from subnets is routed, for example to the Internet Gateway, a virtual private gateway, or other instances.
- Internet Gateway allows you to connect to the public internet from an Amazon VPC.
- NAT Gateway represents a highly available and managed Network Address Translation (NAT) service for resources in a private subnet so that they can access the internet. A NAT gateway is created in a public subnet.
- An Elastic IP address is a public static IPv4 address that lets you reach a resource from the internet. If an Elastic IP address is not associated with a running instance, an hourly charge is billed to the user.
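Adding private subnets (as in the sample architecture later in this chapter) means carving more blocks out of the default VPC's 172.31.0.0/16 without colliding with the default /20 per Availability Zone. The following is an added example, not code from the book; the AZ names, the existing subnet list and the stray /22 are constructed sample data, and the "five reserved addresses per subnet" figure is AWS's documented behaviour rather than something the chapter states.

```python
"""Added example (not from the book): plan extra subnets inside the default VPC.

Assumes the layout the chapter describes: a 172.31.0.0/16 VPC with one
default /20 subnet per Availability Zone. Carves one new /20 per AZ out of
the unused part of the range, refusing to overlap existing subnets, and
reports usable addresses. AWS reserves the first four and the last address
of every subnet, so a /20 yields 4,091 usable addresses rather than 4,096.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5

# Constructed sample: the three default /20 subnets of a three-AZ Region,
# plus a hand-made /22 that already occupies part of 172.31.48.0/20.
DEFAULT_VPC = "172.31.0.0/16"
EXISTING_SUBNETS = ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20",
                    "172.31.48.0/22"]
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]


def plan_subnets(vpc_cidr, azs, existing, new_prefix=20):
    """Return {az: cidr}, one new subnet per AZ, never overlapping `existing`."""
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(c) for c in existing]
    for subnet in taken:
        if not subnet.subnet_of(vpc):
            raise ValueError(f"{subnet} is outside the VPC range {vpc}")
    # Candidate blocks in address order, skipping any that collide.
    free = (c for c in vpc.subnets(new_prefix=new_prefix)
            if not any(c.overlaps(t) for t in taken))
    plan = {}
    for az in azs:
        block = next(free, None)
        if block is None:
            raise ValueError("VPC range exhausted: no free /%d left" % new_prefix)
        plan[az] = str(block)
    return plan


def usable_addresses(cidr):
    """Addresses you can actually assign after AWS's five reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for az, cidr in plan_subnets(DEFAULT_VPC, AZS, EXISTING_SUBNETS).items():
        print(az, cidr, usable_addresses(cidr), "usable")
```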
In the next section, we will discuss Amazon CloudFront.
Amazon CloudFront is a Content Delivery Network (CDN) service. It helps ensure speedy content delivery to the user, along with the use of edge locations that have been established by AWS.
Go to AWS Management Console | Services | Networking & Content Delivery | CloudFront:
The following sequence takes place when the user requests static or dynamic content:
- If the content is available in the edge location near the user, CloudFront delivers the content immediately
- If the content is not available in the edge location near the user, CloudFront requests content from the source, such as an Amazon S3 bucket or an HTTP server, and delivers it to the user
In the next section, we will discuss Amazon Route 53.
Amazon Route 53 is a Domain Name System (DNS) service. It is a reliable and scalable service with DNS servers distributed globally. It scales automatically to handle spikes in DNS queries so that services remain robust.
Let's talk about what services it provides to a user. The following services are available when using Amazon Route 53:
- A highly available domain name system
- Domain name registration
- Health checks
- A scalable domain name system
Go to AWS Management Console | Services | Networking & Content Delivery | Route 53:
In the next section, we will cover AWS Direct Connect in brief.
Can we connect to AWS from the internal network of an organization without accessing the internet? The answer is yes!
It's quite simple! Connect the internal network to the AWS Direct Connect location using a standard 1 Gigabit or 10 Gigabit Ethernet fiber-optic cable. Once you have done this, you can create virtual interfaces that connect to AWS services.
Go to AWS Management Console | Services | Networking & Content Delivery | Direct Connect:
In the next section, we will cover Elastic Load Balancing in brief.
Elastic Load Balancing (ELB) distributes traffic to multiple targets. It can be configured with Amazon VPC and Amazon Elastic Beanstalk, and it only distributes traffic to healthy targets.
There are two types of load balancers that are supported by Elastic Load Balancing:
- Application Load Balancers
- Classic Load Balancers:
Go to AWS Management Console | Services | EC2 | EC2 Dashboard | Load Balancing | Load Balancers:
In the next section, we will cover Auto Scaling in brief.
Auto Scaling ensures that you have an appropriate number of instances or targets to serve the traffic load under given conditions. Based on the configured Auto Scaling policies, instances are added and removed on demand.
Go to AWS Management Console | Services | EC2 | EC2 Dashboard | Auto Scaling | Launch Configurations or Auto Scaling Groups:
In the next section, we will cover the AWS Billing Dashboard.
How can we find how much it costs to use certain AWS resources? In AWS Portal, you can easily find out. AWS Billing and Cost Management provides detailed information on the usage of your resources, as well as budget and notifications. You can also pay your subscription bill from here.
In AWS Portal, click on your username on the top-right bar and select My Billing Dashboard.
The Billing & Cost Management Dashboard provides Spend Summary and Month-to-Date Spend by Service information as well.
Spend Summary shows what the current month has cost so far, together with a forecast of the total for the month:
At first glance, it is very easy to see which services are incurring costs.
Click on Cost Explorer to get monthly EC2 running hours, costs, and usage:
On the Reports dropdown menu, select Daily costs to get details of costs on a daily basis, as shown in the following screenshot:
Click on the Bill Details in the Month-to-Date spend by service section. You can expand all of the services to get more information about the cost that was incurred by using that specific service:
By clicking on the dropdown arrow of each service, you will be able to get the complete details of the service charges, as shown in the following screenshot:
You can also manage budgets from My Billing Dashboard. You can create and manage budgets, refine your budget using filters, and add notifications to a budget.
The Payment Methods section will allow you to edit and remove Payment Methods, and also lets you make payments.
You can also configure Preferences to get the following:
- Receive PDF invoices by email
- Receive billing alerts
- Receive billing reports
In the next section, we will look at the AWS Total Cost of Ownership (TCO) calculator.
Is there any way to make a cost comparison of the application that you have hosted on-premises and the application that's hosted in your AWS environment?
The answer is yes! Follow these steps to find out how:
- Go to https://aws.amazon.com/tco-calculator/ and click on Launch the TCO Calculator. Alternatively, you can go to https://awstcocalculator.com/:
Let's see what the cost comparison is for three web servers with four cores and 8 GB memory and 1 TB storage:
- Click on Calculate TCO.
- Here, you will be provided with a 3-year cost breakdown:
- Scroll down to Environment details to get more details on the comparison of cost calculation:
- In the Cost Breakdown section, you will get on-premises and AWS cost breakdowns for servers or instances and storage in charts:
In the next section, we will discuss a sample architecture, including its compute and networking services, in brief.
The following diagram is a sample architecture for compute and networking services. It has been provided to give you a clear overview of the architecture:
The preceding diagram shows the sample architecture for the VPC environment. It has the following features:
- Different tiers placed across different Availability Zones for high availability and to avoid a single point of failure
- Auto Scaling to satisfy varied traffic load
- Different subnets (public and private subnets) for unique routing requirements
- A highly available NAT gateway to provide internet access to a private subnet
- Security groups to control traffic flow
Well done! We have come to the end of this chapter, so let's summarize what we have covered.
In this chapter, we covered the core concepts of AWS, such as Regions and Availability Zones, Security and Compliance, Amazon Elastic Compute Cloud (Amazon EC2), and Security groups.
We also covered brief details on networking services, such as Amazon Virtual Private Cloud, Amazon CloudFront, Amazon Route 53, AWS Direct Connect, Elastic Load Balancing, Auto Scaling, Billing Dashboard, the AWS Total Cost of Ownership (TCO) Calculator, and compute and networking services for our sample application.
In the next chapter, we will cover Amazon Virtual Private Cloud in detail.