Cloud Networking Overview (Using AWS as reference)
Summary
TLDRThis video script delves into the relevance of network administration in cloud environments, emphasizing the necessity of configuring and managing network services post-cloud migration. It explores AWS networking fundamentals, such as VPCs, CIDR blocks, subnets, and internet gateways, highlighting security best practices. The script also touches on advanced topics like VPC peering, hub and spoke architectures, and transit gateways for inter-VPC communication. It concludes by introducing Cisco's ACI for cloud, which simplifies network configuration across multiple clouds, promising a unified operational model and consistent security policies.
Takeaways
- π **Cloud Networking Importance**: Network admins and networking knowledge remain crucial in the cloud for configuring and managing network services.
- π οΈ **Cloud Networking Services**: Services like AWS VPC require configuration and management, emphasizing the need for network expertise in cloud environments.
- π **Avoid Default VPC**: AWS recommends against using the default VPC due to its non-compliance with security best practices.
- ποΈ **VPC Configuration**: Creating a VPC involves setting up CIDR blocks, subnets, and internet gateways to establish a foundational network structure.
- π **Region-Specific Networking**: Networking configurations in the cloud are region-specific, necessitating separate configurations for different regions for geographical redundancy.
- π **Security by Design**: Cloud providers embed security policies that require explicit access grants, similar to Cisco ACI's policy model.
- π¦ **Routing and Subnets**: Proper routing table configuration and subnet management are essential for controlling traffic flow within a VPC.
- π **ENI and Network Adapters**: Elastic Network Interfaces (ENIs) and other network adapters like ENAs and EFAs play a key role in providing connectivity with varying performance characteristics.
- π **Hybrid and Multi-Cloud Connectivity**: Techniques like VPC peering, hub and spoke architectures, and transit gateways facilitate communication across multiple VPCs and clouds.
- π **Cloud ACI Benefits**: Cisco ACI in the cloud simplifies network operations by abstracting configurations and automating enforcement across different cloud environments.
Q & A
Why are network admins and networking knowledge still important in the cloud era?
-Network admins and networking knowledge are crucial because multiple network services need to be configured and managed in the cloud. Network admins with existing knowledge can be valuable assets in an organization's cloud migration strategy.
What is the first step in setting up cloud networking without using ACI?
-The first step is to create a Virtual Private Cloud (VPC), which is similar to a VRF in traditional networking. It is recommended to create a custom VPC instead of using the default one to ensure it meets security best practices.
Why should you avoid using the default VPC in AWS?
-The default VPC comes with a default configuration that may not meet security best practices, which is why AWS recommends creating a custom VPC for better security control.
What is a CIDR block and why is it necessary in cloud networking?
-A CIDR block is a main IP address block from which subnets can be created. It is necessary to define the network range for instances or VMs within a VPC.
How does internet connectivity work for a VPC in AWS?
-Internet connectivity for a VPC is provided by an Internet Gateway (IGW), which must be created and attached to the VPC.
What are the differences between private and public subnets in AWS?
-Private subnets do not have direct internet connectivity, while public subnets may have internet-facing connectivity using a public or elastic IP address.
How does AWS handle IP address assignment for instances in private subnets?
-AWS automatically assigns private IP addresses to instances in private subnets, reserving the first three usable IP addresses per subnet.
What is the purpose of a routing table in AWS VPCs?
-A routing table in AWS VPCs determines the path for network traffic to and from instances. It includes routes that control the subnets' internet access and connectivity between instances.
What are the two main ways to achieve network segmentation and define policy in AWS?
-The two main ways to achieve network segmentation and define policy in AWS are Security Groups and Network Access Control Lists (ACLs).
How do Security Groups in AWS compare to ACI EPGs?
-Security Groups in AWS are comparable to ACI EPGs as they control inbound and outbound traffic and are assigned per instance, following an allow list model.
What is the significance of Cloud ACI in managing multi-cloud environments?
-Cloud ACI abstracts the network configuration and automatically creates corresponding configurations across clouds, unifying operational models and maintaining security consistency, which simplifies management in multi-cloud environments.
Outlines
π Cloud Networking Essentials
This paragraph emphasizes the ongoing importance of network administrators and networking knowledge in the cloud era. It discusses the necessity of configuring and managing multiple network services in the cloud. The speaker introduces the concept of cloud networking without using ACI, using AWS as an example. The paragraph walks through the process of setting up a Virtual Private Cloud (VPC), creating a CIDR block, and the importance of not using the default VPC for security reasons. It also covers the allocation of IP addresses, the role of an Internet Gateway (IGW), and the creation of subnets. The distinction between private and public subnets is explained, along with the concept of Elastic IP addresses. The paragraph concludes with a discussion on routing tables, the creation of instances, and the use of Elastic Network Interfaces (ENIs) for network connectivity.
π Security and Policy in Cloud Networking
The second paragraph delves into the security aspects of cloud networking, focusing on AWS as a reference. It introduces the concept of security groups, which control inbound and outbound traffic at the instance level, similar to ACI's Endpoint Groups (EPGs). The paragraph explains the default behavior of security groups and how they follow an allow-list model. It also touches on Network Access Control Lists (ACLs) as an alternative to security groups, which operate at the subnet level. The discussion includes the stateful nature of security group rules, contrasting them with the stateless ACLs. The paragraph also addresses the limitations of layer 2 forwarding in cloud environments and the differences in terminology and implementation across cloud providers like Azure and Google Cloud.
π Advanced Cloud Networking Scenarios
The final paragraph explores advanced networking scenarios in cloud environments, such as connecting multiple VPCs across regions and providing connectivity from on-premises environments. It introduces VPC peering, hub and spoke configurations, and Transit Gateways (TGWs) as methods for inter-VPC communication. The paragraph discusses the use of Virtual Private Gateways (VGWs), Customer Gateways (CGWs), and Direct Connect for establishing VPN connections and high-bandwidth private connections. It also mentions the use of Border Gateway Protocol (BGP) for routing information exchange. The paragraph concludes by discussing the challenges of managing hybrid cloud environments and how Cloud ACI can simplify network operations across multiple clouds by abstracting network configurations and enforcing consistent security policies.
Mindmap
Keywords
π‘Cloud Networking
π‘Cloud Migration Strategy
π‘VPC (Virtual Private Cloud)
π‘Cidr Block
π‘Internet Gateway (IGW)
π‘Subnet
π‘Elastic Network Interface (ENI)
π‘Security Groups
π‘Network Access Control Lists (ACLs)
π‘Hybrid Cloud
π‘Cloud ACI
Highlights
Network admins and networking knowledge remain crucial in the cloud for configuring and managing network services.
Cloud migration strategies benefit from network admins who can leverage their existing knowledge.
Cloud networking operates differently without using ACI, as illustrated by AWS networking services.
AWS console demonstration shows the creation of a VPC, which is akin to a VRF in traditional networking.
Default VPCs are discouraged due to security concerns; creating a custom VPC is recommended.
Cidr blocks are essential for IP address allocation in cloud environments.
Internet Gateways (IGW) provide internet connectivity to VPCs.
Subnets can be private or public, with public subnets allowing internet-facing connectivity.
Cloud providers reserve the first three IP addresses in each subnet for special purposes.
Routing tables in the cloud define how traffic is directed within and outside the VPC.
Elastic Network Interfaces (ENIs) are the cloud equivalent of network interface cards for VMs.
Security in cloud networking is policy-based, similar to Cisco ACI, requiring explicit access grants.
Security groups control inbound and outbound traffic at the instance level, akin to ACI EPGs.
Network Access Control Lists (ACLs) operate at the subnet level, unlike security groups.
Cloud networking is based on Layer 3, with no native support for Layer 2 configurations like VLANs.
VPC peering is a method for inter-VPC connectivity within a single region.
Hub and spoke configurations use Virtual Private Gateways (VGWs) and routers for inter-VPC connectivity.
Transit Gateways (TGWs) facilitate communication between multiple VPCs across regions.
Cloud ACI can simplify network operations across multiple clouds by abstracting and automating network configurations.
Cloud ACI uses vxlan, BGP, and optionally IPSec for multi-site orchestration, reducing the learning curve.
Networking knowledge is essential in the public cloud, with concepts similar to traditional networking but with different terminology.
Cloud ACI can help normalize network operations and security across multiple cloud environments.
Transcripts
[Music]
after all this
you may be wondering by now is there a
need for network admins and networking
knowledge in the cloud
and the answer is absolutely there are
multiple network services that will need
to be configured
and managed once running in the cloud so
if you're a network admin and already
have this knowledge you may be a true
asset as part of your organization's
cloud migration strategy
before jumping into cloud aci and its
benefits let's take a deeper look into
how cloud networking works
without using aci using aws networking
services
as example let's log into the aws
console
as you can see we're currently working
in the u.s east region
the very first thing we need to do is
create a vpc
which is similar to avrf as you can see
each account has a default vpc and you
may be wondering if it wouldn't be
easier for us to use that one
the reason to avoid the default vpc is
that it comes with a default
configuration
that would not meet security best
practices and that's why creating your
own vpc
is always recommended by aws in this
case
in the cloud ip addresses are
automatically associated to instances
or vms in order for this to happen we
must create a cider block
as part of the bpc configuration the
cider block
is your main ib address block so that
you can later create subnets from it
which will be assigned to the different
availability zones in your region
with this in mind cider blocks are
usually large networks with
16 to 28 subnet masks as minimum
internet connectivity for the vpc is
provided by an internet gateway
or igw which you must create and attach
to your vpc as well
after this you need to create your
subnets from the main cider block
each subnet you create will be mapped to
an availability zone
and can be private meaning that they
won't have direct connectivity to the
internet
or public which as we will see next may
have internet facing connectivity
using a public or elastic ip address
anything we can figure in terms of
networking through a dpc
will only apply to this region therefore
if you need geographical redundancy you
may have to configure a vpc and its
corresponding configuration
for each additional region every subnet
you create
is going to be private by default so if
you want to enable them to become public
you just have to adjust its settings so
that vms in such subnets
get both a private and a public ip
address
for private ip addresses cloud providers
commonly reserve
the first three usable ip addresses per
subnet
and automatically assign the rest this
is important to know
especially if you are migrating from an
on-premises environment and want to keep
the same ip address in the cloud
as we will cover in module 5. if you
want instances on private subnets to
have indirect connectivity to the
internet
you can enable functions on the cloud
like map gateways
just like on-prem vrfs every vpc has its
own routing table
there's a main default routing table
that includes your main cider block
if i added the gateway to the main
routing table with a quad 0 route
i would expose all related subnets from
the main slider to the internet
which is not necessarily what you want
therefore
you have to create your own routing
table and then
you would need to associate the specific
subnets to this routing table
and finally you would also need to
adjust the routes so that they reflect
the igw
as your default gateway now if you go to
ec2 to create an instance
you have to choose the cloud network
settings assigning the right subnet
and availability zone to the cloud vm
nic
in the case of aws such nics are known
as elastic network interfaces
or enis there are other type of mix that
you can also use
such as enas and efas which may provide
accelerated connectivity and low latency
features for specific needs
as with on-prem you can provide multiple
enis or network adapters to your
instances
when enis are associated to public
subnets they will have a private ip
automatically assigned
as covered before and they will also
have a public ip
which can be your own or which can be
automatically assigned by the cloud
provider
in this case aws as covered before
remember that whether you use public or
private subnets
aws recommends that instead of using the
main routing table
you create your own routing tables to
have better traffic control
in the cloud it's not only about routing
sider and subnets only
security is embedded by default
following a policy model
which is very similar to cisco aci this
means that you must explicitly grant
access to your cloud resources
otherwise communication will not be
allowed
in the case of aws there are two main
ways to achieve segmentation
and define policy between different
segmentation groups
the most popular one is called security
groups which is similar to aci epgs
they are used to control inbound and
outbound traffic
and are assigned per instance instances
in a security group
need rules to communicate to other
security groups prefixes
and more every new security group you
create will allow
all outbound traffic by default while
denying all inbound traffic
until you explicitly adjust it following
an allow list model
as mentioned before security groups and
their rules are comparable to aci epgs
and contracts
or firewall security zones just like
with aci
endpoints in the same security groups
have unrestricted communication
by default all security group rules are
stateful
meaning that you do not need to create
any mirror rules
in the case of aws there is another
option that can be used to control
traffic at the subnet level
which is called knuckles or network
access control lists
all subnets are associated to a default
knuckle which rules are set to permit
all traffic both inbound and outbound
therefore unlike sg's you do not need to
customize or adjust knuckles
if you do not want to knackles are not
stateful and they can have both allow
and denied listing if we take a look at
this diagram
taking aws as reference instances in the
web security group
will have free communication between
them while communication from the web
security group to the database security
group
or even the internet will require
specific rules to be manually defined by
the administrator
it is important to mention that cloud
networking services
are entirely based on layer 3 meaning
that there is no layer 2 forwarding
configurations
such as vlans broadcast traffic is not
supported
and multicast is either not supported or
limited depending on the cloud provider
you use
the concepts we learned about before
will very likely have different names
and implementation options
in all the different clouds for example
in azure
instead of vpcs and security groups we
may be talking about vnets
asgs and energies and in case of google
cloud
we will simply talk about vpcs and
firewall rules
as networks scale understanding
configuring and managing all these
concepts
may become challenging we just covered
an overview on how communication works
for a single region and vpc in aws
but what if we needed multiple vpcs
regions and clouds to communicate
or even if we needed to provide
connectivity from our on-prem
environment
to different clouds going back to aws is
our reference for this chapter
there are multiple options we can use
the first one
is vpc peering which may be useful for
single and multi-region inter vpc
connectivity
however it does not support transit
communication and requires
point-to-point configuration
making it hard to scale and manage
as a second option we have hub and spoke
configurations
where there is normally a hub or transit
vpc
and multiple spoke vpcs for these type
of setups
aws virtual private gateways or vgws
are commonly used at the spoke level
while routers like csr1000b
are used at the hub level ipsec
connectivity is established between each
hub csrs
and spoke vgws on each vpc
while vgws can also be used to connect
side to side vpns as well
csr routers are commonly deployed as ec2
instances
to connect to on-prem environments and
other clouds since it allows
organizations
to maintain a common operation model
plus a reacher feeder set
it is important to mention that this
implementation option has a 1.25
gigabits maximum bandwidth limit
for each tunnel and that csrs are
charged by aws
just as with any ec2 instance
bgp is commonly used to exchange routing
information between clouds and sites
we will be covering hybrid and
multi-cloud connectivity in module 5
where we will learn about multi-site aci
so
stay tuned as a third option we have
transit gateways or tgws
which can also help communicate
different bpcs in a single region
or even in multiple regions through
transit gateway peering
tdw is an interconnect hub service that
the different vpcs attach
to allowing higher bandwidth per
attachment than vgw
and also offering vpn connection options
to external environments
however csr1000b can also be used in
conjunction with tgw
for external connectivity to on-prem
sites and across clouds for the same
reasons mentioned before
tdws are the preferred option to use for
inter vpc communication
especially since it uses a cloud
provider backbone network
you just have to attach each vpc to the
tgw service
using a subnet or subnets on different
availability zones from each vpc
slider and the tgw will automatically
pull the sider information
as part of its routing table keep in
mind that on each vpc that you attach to
the tgw
you will need to add static routes to
other bpc cider blocks
pointing out to the tgw as the next hop
in your routing table
in this case the orange bpc would have a
route to the blue vpc cider
pointing out to the tdw as next hop and
the same thing would happen
in the other case around in aws
when connecting on-prem environments to
your instances on the cloud
you may simply use the internet and
connect through your vpc igw
you may also run side-to-side ipsec vpns
over the internet
which can be terminated using any of the
options mentioned before
or you can also use a high bandwidth
private physical connection from the
cloud provider
which in the case of aws is called
direct connect
direct connect may run directly to the
cloud provider facilities
or through a collocation partner these
same concepts
apply to all cloud providers with their
specific names and differences
if you now add your on-premises
environment to the mix
network administrators in a hybrid cloud
environment may find
operational challenges to provision
monitor and secure the network
consistently
this is where cloud aci may help since
you only need to learn one networking
model
not many allowing you to normalize
network operations
across multiple clouds cloud aci
abstracts the network configuration
and automatically creates the
corresponding network configuration on
each cloud
cloud aci can run in a single cloud or
may also automatically interconnect
multiple clouds
using vxlan bgp and optionally
ipsec through multi-site orchestrator
this approach
accelerates cloud adoption and keeps
both configuration
and security consistent across multiple
types of clouds while reducing the
learning curve
we will learn how to run and configure
cloud aci as well as the difference it
makes when comparing to what we did
today
in the next chapters as a summary
networking knowledge is very much needed
in the public cloud as well
although there is different terminology
for each cloud provider the concepts are
very similar to what you already know
there are multiple networking elements
you will have to configure and manage
as we learned today which may increase
complexity
and potentially adding consistency to
your multi-cloud environment
as we will see next aci can help
automating the creation of your network
configuration across multiple types of
clouds
unifying and normalizing your
operational model without sacrificing
any cloud native services
not only is this important to provide
connectivity and identify issues faster
but also to keep security consistent by
defining your configuration once
and letting aci enforce it anywhere
Browse More Related Video
5.0 / 5 (0 votes)