In Part 1, I covered setting up identity and access management using Amazon AWS. In Part 2, we will focus on setting up a VPC and establishing a network. VPCs are the virtual equivalent of traditional data centers. Where physical servers require routers, switches, and cables to operate, cloud computing replaces this with virtual private networks that have logical boundaries and Application Programming Interfaces (APIs), hosted by a cloud provider that handles all the physical equipment. The default VPC is a flat network, so to take a defense-in-depth approach you must segment your network between the various tiers, such as web, application, and database. To achieve fault tolerance, you will need twice the number of virtual servers, spread across two Availability Zones (AZs). You must define subnets and routes that allow network traffic to traverse these boundaries. For example, if you have a web server and a database server, you would need two subnets (four across two AZs), one public and one private, each controlled by security groups that act like firewall policies, as in Figure 1:
Figure 1 - VPC
After defining your VPC and subnets, it's essential to consider how the virtual servers will communicate with each other and beyond the VPC. If you require an Internet connection, you'll need an Internet Gateway. If a server in a private subnet needs to initiate an outbound connection, a Network Address Translation (NAT) Gateway is necessary. Although both gateways share similar characteristics, the Internet Gateway provides public network access to your virtual servers, while the NAT Gateway serves private subnets and translates their addresses to an Elastic (public) IP address. Be careful: NAT Gateways incur a charge, whereas an Internet Gateway is free, so check the pricing options before settling on your network design. Each routing table must have a default route to the appropriate gateway, defined as 0.0.0.0/0 -> <gateway-id>.
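To make the two-tier, two-AZ layout from Figure 1 and the gateway routing above concrete, here is an added example (not code from the original post) that plans the subnets, route tables and security groups offline with the standard library and then checks the plan for the mistakes that undo the segmentation. The VPC CIDR, AZ names and gateway ids are constructed placeholders; nothing here calls AWS.

```python
"""Plan and sanity-check a two-tier (web/database), two-AZ VPC layout.

Constructed example: carves /24 subnets out of a /16, gives every AZ one
public (web) and one private (database) subnet, builds the two route
tables with their 0.0.0.0/0 default routes, and defines security groups
in which the database tier only accepts traffic from the web tier's group.
"""
import ipaddress

# Placeholder gateway ids; real ids are assigned by AWS when you create them.
IGW_ID = "igw-PLACEHOLDER"
NAT_ID = "nat-PLACEHOLDER"


def plan_vpc(vpc_cidr="10.0.0.0/16", azs=("us-east-1a", "us-east-1b")):
    """Return the subnets, route tables and security groups for the layout."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24))
    subnets = []
    for i, az in enumerate(azs):
        # Two /24s per AZ: an even block for the public web tier and an odd
        # block for the private database tier, so both tiers exist in every AZ.
        subnets.append({"name": f"web-{az}", "az": az, "tier": "public",
                        "cidr": str(blocks[2 * i])})
        subnets.append({"name": f"db-{az}", "az": az, "tier": "private",
                        "cidr": str(blocks[2 * i + 1])})
    route_tables = {
        # Public subnets: default route straight to the Internet Gateway.
        "public": {vpc_cidr: "local", "0.0.0.0/0": IGW_ID},
        # Private subnets: default route via the NAT Gateway (outbound only).
        "private": {vpc_cidr: "local", "0.0.0.0/0": NAT_ID},
    }
    security_groups = {
        # Web tier: HTTPS from anywhere.
        "web-sg": [{"port": 443, "source": "0.0.0.0/0"}],
        # Database tier: MySQL only from the web tier's group, never from
        # the Internet. Referencing the group instead of a CIDR keeps the rule
        # correct as instances scale in and out.
        "db-sg": [{"port": 3306, "source": "web-sg"}],
    }
    return {"subnets": subnets, "route_tables": route_tables,
            "security_groups": security_groups}


def check_plan(plan):
    """True only if no subnets overlap, the private table does not default
    to the Internet Gateway, and no database rule is open to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan["subnets"]]
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    if plan["route_tables"]["private"]["0.0.0.0/0"].startswith("igw-"):
        return False
    return all(r["source"] != "0.0.0.0/0"
               for r in plan["security_groups"]["db-sg"])
```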
To assign IP addresses to Fully Qualified Domain Names (FQDNs) and resolve them, the preferred method for dynamic virtual servers, you'll need an IP address and the AWS DNS service, Route 53. As an AWS administrator, you can use the self-service signup feature to purchase domains for your website, transfer registration, or perform health checks on your endpoints. AWS Route 53 supports Alias and CNAME records that let you route traffic to other resources, which is essential when you are considering failover routing policies. At a more fundamental level, simple routing will get you up and running with a single resource, such as a web server, that resolves to your domain (e.g., acme.com).
For a highly available configuration, consider auto-scaling and load balancers that can throttle traffic when necessary during peak times. The network can be extended with secure clients through remote-access and site-to-site connections between VPCs or to a traditional data center. A security-hardened Bastion Host with explicit security rules is a must when managing virtual servers internally across these boundaries. For more information, refer to the AWS Well-Architected Framework.