Reviews core networking concepts relevant for the cloud practitioner. We use AWS as the platform; however, the content is generally applicable across clouds.
Note: The instructor-led version of this presentation is the Udemy.com course titled "Primer for the AWS Cloud: Networking":
https://www.udemy.com/course/primer-for-the-aws-cloud-networking/
Networking Brush Up for Amazon AWS Administrators
1. Brush Up for AWS Admins:
A Review of Basic Networking Topics Useful in Amazon AWS
A. Akpaffiong
September 2017
2. Topic Introduction
• The reason:
  – In presentations/workshops on introductory AWS, I review basic networking and security topics to get everyone up to the same level
  – Here's a compilation of the networking discussions
  – My contribution to the communal learning process
• The goal:
  – Review basic networking topics relevant to Amazon AWS
• The secret:
  – This is not just for AWS Admins
• The result:
  – Let me know
"We reject kings, presidents and voting. We believe in: rough consensus and running code."
– David Clark, IETF Talk
4. Communication Model
• Connecting devices can pose a problem of compatibility.
• A network communications model:
  – enforces protocols
  – defines how devices interact over a medium (electrical signals, packet delimiters, addressing, data formats, etc.)
  – separates networking functions into discrete layers
• Examples include:
  – IBM SNA
  – DECnet
  – TCP/IP
  – ISO-OSI
• TCP/IP and ISO-OSI are both layered, modular communications models.
5. Communication Model: ISO-OSI 7 Layer Model

Layer  Layer Name    Protocol Data Unit (PDU)        Main Function                                    Example Protocol  Address Type
7      Application   Data                            Interaction with user; provides services to app  FTP               Hostname (example.com)
6      Presentation  Data                            Data representation (converts/encrypts)          XDR, XML          Hostname (example.com)
5      Session       Data                            Connection dialog (start/stop/order)             RPC, SOCKS        Socket (172.16.3.24:80)
4      Transport     Segment (TCP) / Datagram (UDP)  End-to-end delivery (reliable vs. unreliable)    TCP, UDP          Port number (80)
3      Network       Packet                          Routing and addressing                           IP, IGMP          IP address (172.16.3.24)
2      Data Link     Frame                           Node-to-node (access to media)                   Ethernet, MPLS    MAC (1C98ECA8EC30)
1      Physical      Bit                             Distance and electrical (low-level parameters)   RS232, DOCSIS     N/A

The four-layer TCP/IP model maps onto the same stack: Application (OSI layers 5–7), Transport (OSI 4), Internet (OSI 3), Link (OSI 1–2).
6. Transport Protocols

Protocol  Name                                  RFC   Goal
ICMP*     Internet Control Message Protocol     792   Error-reporting protocol
DCCP†     Datagram Congestion Control Protocol  4340  Control over trade-offs between delay and in-order delivery
TCP       Transmission Control Protocol         793   Reliable, ordered byte stream
UDP       User Datagram Protocol                768   Unreliable datagram delivery (no ordering, no retransmission)
SCTP†     Stream Control Transmission Protocol  4960  Reliable, ordered delivery of discrete messages, with multiple streams per association

* ICMP is not a transport protocol; it is carried directly in IP (protocol number 1) and is used for diagnostics and error reporting.
† SCTP and DCCP not currently available in AWS (as of September 2017).
7. Port Number Ranges
0 – 1023: Well-known ports (System Ports). Ports in the Well-known Ports range are reserved for privileged applications.
1024 – 49,151: Registered ports (User Ports). Ports in the Registered Ports range can be used by ordinary user applications that require a known and stable port number.
49,152 – 65,535: Dynamic ports (Private Ports). Ports in the Dynamic Ports range are set aside for local and dynamic use and cannot be registered. Usable by any application in a dynamic fashion.
9. A Word From Our Sponsors – Request For Comments (RFC)
• Created in 1969 by Steve Crocker as unofficial records on the development of the
early Internet (known then as ARPAnet).
• RFCs have evolved to become official documentation of Internet specifications,
communications protocols, procedures, and events.
• Researchers publish RFCs to offer best practices and solicit feedback on Internet
technologies.
• Helped initiate a culture of openness, sharing and voluntary contributions.
• The official online source for RFCs is the RFC Editor: https://www.rfc-editor.org
• Example RFCs:
– Private IPv4 Addresses (RFC 1918)
– IPv4 Specification (RFC 791)
– IPv6 Specification (RFC 8200)
– Border Gateway Protocol (RFC 4271)
11. Number Systems
• Binary Notation
– Base 2
– Made up of only 0’s and 1’s
– Number positions:
• ones, twos, fours, eights, sixteens, etc.
• E.g. 1011 (columns: eights, fours, twos, ones)
= 1x2^0 + 1x2^1 + 0x2^2 + 1x2^3
= 1 + 2 + 0 + 8
= 11 (in decimal)
12. Number Systems
• Hexadecimal Notation
– Numerical values prefixed with “0x”
– Base 16
– Number positions:
• ones, sixteens, two-hundred-fifty-sixes (i.e. 16x16), etc.
– Values:
• 0 thru 9,A thru F
• E.g. 0xFF = 15*16^0 + 15*16^1 = 255
Decimal 0 1 … 8 9 10 11 12 13 14 15
Hexadecimal 0 1 … 8 9 A B C D E F
13. IP Address
An IP Address uniquely identifies a node on a TCP/IP network.
An IP address can be written in dotted decimal notation, i.e. a sequence of four decimal numbers separated by a dot: 128.224.12.97
Each of the four numbers in an IP address can range from 0 to 255.
An IP address can also be written as four sets of binary octets, the “binary notation”: 10000000 11100000 00001100 01100001
Each octet consists of eight binary digits, 1’s and 0’s.
How do we convert dotted decimal to binary notation?
14. Internet Protocol version 4 (IPv4)
128.224.12.97 – dotted decimal notation
10000000 11100000 00001100 01100001 – binary notation
Octet: 8 bits; 2^8 = 256 values, i.e. 0 – 255
Four octets: 4 x 8 bits = 32 bits; 2^32 = 4,294,967,296 values
0 – 255 . 0 – 255 . 0 – 255 . 0 – 255
This is why an IP address is said to be a 32-bit number.
15. IP Address
Imagine that the following are the only numbers in your universe: 1, 2, 4, 8, 16, 32, 64, 128
Q. What are the results of adding one or more of the above numbers together (using each number only once per calculation)?
A. All numbers from 0 to 255.
For example, take this IP address: 132.224.12.97
By columns, put a “1” in the cell next to each number that will add up to each one of the four numbers in the IP address. Otherwise put a “0”.
      132  224   12   97
128     1    1    0    0
 64     0    1    0    1
 32     0    1    0    1
 16     0    0    0    0
  8     0    0    1    0
  4     1    0    1    0
  2     0    0    0    0
  1     0    0    0    1
132 = 1 0 0 0 0 1 0 0 = 128 + 4
224 = 1 1 1 0 0 0 0 0 = 128 + 64 + 32
 12 = 0 0 0 0 1 1 0 0 = 8 + 4
 97 = 0 1 1 0 0 0 0 1 = 64 + 32 + 1
16. IP Address
132.224.12.97 (dotted decimal notation)
10000100 11100000 00001100 01100001 (binary notation)
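The column-by-column decomposition above, as an added Python example (not code from the slides): each octet is matched against 128, 64, 32, 16, 8, 4, 2, 1 to produce the binary notation, and the reverse direction is checked too. Function names are my own.

```python
# Added example, not from the slides: dotted-decimal <-> binary-octet
# conversion done the way slides 13-16 describe it, by testing which of
# 128, 64, 32, 16, 8, 4, 2, 1 add up to each octet.

POWERS = [128, 64, 32, 16, 8, 4, 2, 1]   # column weights, most significant first


def octet_to_bits(value):
    """Return the 8 bits of one octet (0-255) as a list of 0/1, MSB first."""
    if not 0 <= value <= 255:
        raise ValueError("an octet must be in the range 0-255: %r" % value)
    bits = []
    remainder = value
    for weight in POWERS:
        if remainder >= weight:      # this power of two "fits": write a 1
            bits.append(1)
            remainder -= weight
        else:                        # it does not fit: write a 0
            bits.append(0)
    return bits


def decompose(value):
    """Express an octet as the sum of its set column weights, e.g. 132 -> [128, 4]."""
    return [w for w, b in zip(POWERS, octet_to_bits(value)) if b]


def dotted_to_binary(address):
    """'132.224.12.97' -> '10000100 11100000 00001100 01100001'."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError("an IPv4 address has exactly four octets: %r" % address)
    return " ".join("".join(str(b) for b in octet_to_bits(int(p))) for p in parts)


def binary_to_dotted(binary):
    """'10000100 11100000 00001100 01100001' -> '132.224.12.97'."""
    octets = binary.split()
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError("expected four 8-bit groups of 0/1: %r" % binary)
    values = []
    for octet in octets:
        # weight each '1' by its column value and add the weights up
        values.append(sum(w for w, ch in zip(POWERS, octet) if ch == "1"))
    return ".".join(str(v) for v in values)


if __name__ == "__main__":
    for addr in ("132.224.12.97", "128.224.12.97"):
        print(addr, "->", dotted_to_binary(addr))
    for octet in (132, 224, 12, 97):
        print(octet, "=", " + ".join(str(w) for w in decompose(octet)))
```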
17. Internet Protocol version 4 (IPv4) – Design
32-bit Address Space
Original design – Hierarchical:
– Original “Classful” IP Addresses: A, B, C, D, E
– Network fixed: 8 bits; Device fixed: 24 bits
– 2^8 or 256 total global network identifiers, each with up to 2^24 or 16,777,216 devices
– RFC 760, RFC 791
Subsequent redesign – Flexible:
– “Classless” IP Addresses (CIDR), / notation
– Goal – improve management of address space
– RFC 4632
18. Internet Protocol version 4 (IPv4)
An IP Address is composed of two parts: network and device (e.g. 10.1.4.56)
– The Network part identifies the network the address belongs on
– The Device part identifies a particular device on the network
Diagram: Subnetwork A (Network ID 10.1.0.0/16) with device addresses 10.1.4.56 and 10.1.4.22; Subnetwork B (Network ID 10.2.0.0/16) with device address 10.2.5.11
19. Internet Protocol version 4 (IPv4) – Design: Classful
• 4.3 billion addresses for global identification of network devices
• 5 classes:
– A, B, C identify network devices
– D multicast addressing
– E is reserved
• Notation
– Dotted Decimal, e.g. 128.224.12.97
– Binary Octets, i.e. four sets of eight bits, or octets, total of 32-bits
1st Octet | 2nd Octet | 3rd Octet | 4th Octet
10000000 | 11100000 | 00001100 | 01100001
128 . 224 . 12 . 97
The same address is represented in decimal (128.224.12.97) or binary (10000000 11100000 00001100 01100001) notation.
21. Internet Protocol version 4 (IPv4) – Design: Classful
• Class A – for large networks
– Network part fixed as the 1st octet, or 8-bits
• 1st bit of first octet always set to “0” (zero)
• Results in 2^7 or 128 possible class A addresses, globally:
• 00000000 – 01111111 (in binary) and 0 – 127 (in decimal)
– Device part fixed as the remaining three octets, or 24-bits
• Results in a total of 2^24 or 16,777,216 device addresses for each of the 127 network addresses
– Class A IP Addresses range from 0.x.x.x to 127.x.x.x.
Diagram: 1st Octet = Network (00000000 – 01111111, i.e. 0 – 127); 2nd, 3rd, 4th Octets = Device (256 x 256 x 256 values)
Note: 256 * 256 * 256 = 16777216
22. Internet Protocol version 4 (IPv4) – Design: Classful
• Class B – for medium-sized networks
– Network part fixed as the first 16-bits or two octets
• 1st two bits of first octet are always set to “10”
• Results in 2^14 (i.e. 2^(6+8)), or 16384 network addresses
• 10000000 – 10111111 (in binary) and 128 – 191 (in decimal)
– Device part fixed as the remaining two octets, or 16-bits
• Results in a total of 2^16 or 65,536 device addresses for each of the 16384 network addresses
– Class B IP Addresses range from 128.0.x.x to 191.255.x.x.
Diagram: 1st Octet (10000000 – 10111111, i.e. 128 – 191) and 2nd Octet (00000000 – 11111111, i.e. 0 – 255) = Network; 3rd and 4th Octets = Device (256 x 256 values)
Note: 256 * 256 = 65536
23. Internet Protocol version 4 (IPv4) – Design: Classful
• Class C – for small networks
– Network part fixed as the first 24-bits or three octets
• 1st three bits of first octet are always set to “110”
• Results in 2^21 (i.e. 2^(5+8+8)), or 2,097,152 network addresses
• 11000000 – 11011111 (in binary) and 192 – 223 (in decimal)
– Device part fixed as the remaining one octet, or 8-bits
• Results in a total of 2^8 or 256 device addresses for each of the 2,097,152 network addresses
– Class C IP Addresses range from 192.0.0.x to 223.255.255.x.
Diagram: 1st Octet (11000000 – 11011111, i.e. 192 – 223), 2nd and 3rd Octets (00000000 – 11111111, i.e. 0 – 255) = Network; 4th Octet = Device (256 values)
24. Internet Protocol version 4 (IPv4): Classful
Class | Bits Set | # of bits for network portion | # of bits for device portion
A | 1 | 7 | 24
B | 2 | 14 | 16
C | 3 | 21 | 8
25. Internet Protocol version 4 (IPv4) – Design: Classful
• Class D – for multicast networks
– Multicast protocol enables one-to-many packet transmission
– A multicast address is not divided into a network and device portion
• 1st four bits of first octet are always set to “1110”
• Remaining 28-bits identify the devices in a multicast group
– Class D IP Addresses range from 224.0.0.0 to 239.255.255.255
– Note: no subnet mask used for class D
• Class E – for experimental purposes
– 1st four bits of first octet are always set to “1111”
– IP addresses in this class range from 240.0.0.0 to 255.255.255.254
– Note: no subnet mask used for class E
26. Internet Protocol version 4 (IPv4) – Design: Classful
In this generation of IP addressing, a fixed number of bits were used to delineate the network and host portions of an IP address.
Class A: the first octet (or 8-bits) is set aside for the network portion
Network = 1st Octet (mask bits 1111 1111); Device = 2nd, 3rd, 4th Octets
27. Internet Protocol version 4 (IPv4) – Design: Classful
In this generation of IP addressing, a fixed number of bits were used to delineate the network and host portions of an IP address.
Class B: the first two octets (or 16-bits) are set aside for the network portion
Network = 1st, 2nd Octets (mask bits 1111 1111 1111 1111); Device = 3rd, 4th Octets
28. Internet Protocol version 4 (IPv4) – Design: Classful
In this generation of IP addressing, a fixed number of bits were used to delineate the network and host portions of an IP address.
Class C: the first three octets (or 24-bits) are set aside for the network portion
Network = 1st, 2nd, 3rd Octets (mask bits 1111 1111 1111 1111 1111 1111); Device = 4th Octet
29. Internet Protocol version 4 (IPv4) – Design: Classful Issues
• Not enough addresses
– Class A (“Too big”)
• Only 127 possible Class A networks
• Each Class A network, with 16 million possible hosts, is too big for most organizations
– Class C (“Too small”)
• Only 2,097,152 possible Class C networks
• Each Class C network, with 256 possible hosts, is too small for most organizations
• To meet host need, organizations acquired multiple Class C addresses
– Class B (“Everybody wants one”)
• Only 16384 possible Class B networks
• Each Class B network, with 16384 hosts, is adequate for most organizations
• Class B address space in high demand
• Rapid exhaustion and waste of IPv4 address space
30. AWS Elastic IP
• An AWS Elastic IP address is:
– a static IPv4 address
– a persistent public IPv4 address
– allocated to the AWS account, not to a resource
– reusable, unlike a Public IP address
• To access the Internet, an Instance can be given a Public IP or an Elastic IP address
• An Elastic IP address can be migrated or rapidly remapped from one instance to another in your account
• Elastic IP addresses are free, unless more than one per Instance is used or it is associated with a non-running Instance.
31. Only 3.7 billion IPv4 addresses are usable by ordinary Internet access devices. The rest are used for special protocols, like IP Multicasting.
Almost three and a half billion addresses were enough for the Internet envisioned in the 1980s; it is not enough for today’s production network.
https://www.icann.org/en/system/files/files/ip-addresses-beginners-guide-04mar11-en.pdf
33. Private IP Address – IPv4: Private IP, NAT, CIDR
• IPv4 address space is exhausted
– 2^32 or 4,294,967,296 theoretical addresses
– designed to uniquely identify each network device
– i.e. there are more devices online than addresses available in the IPv4 address space
• Measures to extend the life of IPv4 include:
– Private IP
– Network Address Translation (NAT)
– Classless Inter-Domain Routing (CIDR)
34. Private IP Address – IPv4: Private IP, NAT, CIDR
• IPv4 addresses are classified as either “public” or “private” addresses
– Devices with “Public” addresses can communicate on the Internet
– The router prevents “Private” addresses from reaching the Internet
Diagram: Internet (Public IP Address) | Border Firewall | Internal Network (Private IP Address)
35. Private IP Address – IPv4: Private IP, NAT, CIDR
• Subsets of the IPv4 address space set aside as “private” addresses (RFC 1918):
– 10/8 prefix: begins with 10.
– 172.16/12 prefix: begins with 172.16. through 172.31.
– 192.168/16 prefix: begins with 192.168.
36. Private IP Address – IPv4: Private IP, NAT, CIDR
• Special Use Addresses
– In addition to the private-use addresses…
– other portions of the IPv4 and IPv6 address space are set aside
– Described in RFC 6890
– Examples:
Special-Use Address | Description
127.0.0.0/8 | Loopback Address
169.254.0.0/16 | Link Local
::1/128 | Loopback Address (IPv6)
::ffff:0:0/96 | IPv4-mapped Address
37. Network Address Translation – NAT: Private IP, NAT, CIDR
• A NAT device
– enables Instances in a private subnet to connect to the Internet
– blocks external resources from initiating connections to the local Instances
– forwards traffic from the instances in the private subnet to the Internet, and then sends the response back to the instances.
• A NAT device works by:
– replacing the source IPv4 address with that of the NAT device
– on return, the NAT receives the response traffic and forwards it to the initiating instance
• AWS offers two kinds of NAT devices:
– NAT gateway – a managed service with better availability and bandwidth
– NAT instance – launched from a NAT AMI and managed by the customer
38. Network Address Translation – NAT: Private IP, NAT, CIDR
Diagram: devices with private IP addresses on the intranet (10.1.1.15, 10.1.1.16, 10.1.1.20) sit behind a NAT-enabled device with public address 192.17.1.1, which connects to the Internet (an Internet with only public addresses).
– The NAT-enabled device maps private to public addresses and accepts the return traffic on behalf of the Instance
– It blocks private IP addresses from leaving the intranet
39. Network Address Translation – NAT: Private IP, NAT, CIDR
• NAT rewrites the source and/or destination addresses
– hides the addresses of internal devices
– intercepts private/non-unique addresses and uses pre-configured public/unique addresses
• Benefits of NAT include:
– Multiple internal devices can access the Internet using a single public IP address, conserving IPv4 addresses
– Privacy of the internal network map
– Protects internal devices from external access
40. Classless Inter-Domain Routing – CIDR: Private IP, NAT, CIDR
• A notation that flexibly describes an IP address range
• A strategy to extend the longevity of IPv4 addresses
– flexible management
– address space conservation
• Introduced the slash (/) notation to highlight the number of bits used to identify the network portion of the address
• Allows address space to be allocated based on actual need rather than the rigid Classful address structure
• Described in RFC 4632
41. Classless Inter-Domain Routing – CIDR: Private IP, NAT, CIDR
• Network 128.125
– Device address
• 128.125.0.7
• 10000000 01111101 00000000 00000111
– Subnet Mask
• 255.255.0.0
• 11111111 11111111 00000000 00000000
– Notation
• Classical: 128.125.0.7 IP address with 255.255.0.0 subnet mask
• CIDR (Slash): 128.125.0.7/16
• Aside:
– 128.125.0.7/32 identifies a single host, with IP address 128.125.0.7
42. Classless Inter-Domain Routing – CIDR: Private IP, NAT, CIDR
• CIDR example
– 10.10.0.0/16 – creates subnet 10.10.0.0 with 2^(32-16) device addresses
– 10.10.101.0/24 – creates subnet 10.10.101.0 with 2^(32-24) device addresses
– 0.0.0.0/0 – this describes any device on the local subnet
– 10.10.101.5/32 – the /32 notation describes a single IP address
www.aws.training
44. Subnet/Netmask Math
• Every IP address belongs to a specific network or subnet, depending on the subnet mask or CIDR used.
• We can use binary arithmetic to discover which network an IP address belongs to. This is called finding the Network Address of an IP Address.
• Use Case
– Routers perform this operation to forward a packet to the right destination network
– Network designers do this to generate the proper design and layout of the network
Diagram (subnet mask 255.255.255.0, i.e. /24): Subnet A holds 128.125.1.105, 128.125.1.11, 128.125.1.10, 128.125.1.21, 128.125.1.7; Subnet B holds 128.125.2.15, 128.125.2.87, 128.125.2.11, 128.125.2.152, 128.125.2.26
45. Subnet/Netmask Math
• The basic operation is the Logical AND binary operator.
– implemented in electronics as a logic gate (AND gate: inputs A and B, output A AND B)
– performs a logical operation on binary inputs, producing a single binary output
• Output (A AND B) is:
– 1 if-and-only-if both Inputs are 1
– 0 otherwise
• The Truth Table demonstrates the Logical AND operation.
Truth Table
Input A | Input B | Output A AND B
0 | 0 | 0
0 | 1 | 0
1 | 0 | 0
1 | 1 | 1
Inputs A and B can be either 0 or 1. The output of the Logical AND is always 0, unless both inputs are 1, in which case the output is also 1.
46. Subnet/Netmask Math
When a router sees a packet with a destination IP address, it determines the network (or subnet) to forward the packet to.
It does this via a Logical AND of the binary form of the IP address and the Netmask.
47. Subnet/Netmask Math
First, convert the IP address and subnet mask to binary.
Then, line up the two numbers and perform a bitwise Logical AND.
IP Address       128.125.2.15    10000000 01111101 00000010 00001111
Subnet Mask      255.255.255.0   11111111 11111111 11111111 00000000
Network Address  128.125.2.0     10000000 01111101 00000010 00000000
The resulting value identifies the network/subnet the IP packet is to be routed to.
Let’s assume the IP Address is input A and the Subnet Mask is input B; then output A AND B, the logical AND of both inputs, is the Network Address.
48. Example – Determine which network an IP address belongs to
• Network: 193.239.32.0/20   11000001.11101111.00100000.00000000
• NetMask: 255.255.240.0     11111111.11111111.11110000.00000000
• A server in network 193.239.32.0 wants to send a packet to IP address 193.239.52.210. Is that IP in the same or a different network?
• IP:   193.239.52.210   11000001.11101111.00110100.11010010
• Mask: 255.255.240.0    11111111.11111111.11110000.00000000
• Bitwise AND            11000001.11101111.00110000.00000000
• Destination Network: 193.239.48.0
• Result:
– The IP Address 193.239.52.210 is in network 193.239.48.0, which is NOT 193.239.32.0
www.udemy.com/aws-certified-solutions-architect-guide-question-bank-i/learn/v4/content
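The netmask arithmetic of slides 44 to 48, as an added Python example (not code from the slides): the address and mask are treated as 32-bit integers, ANDed, and the result compared to decide whether two addresses share a network. Function names are my own and the test values are the slides’ own addresses.

```python
# Added example, not from the slides: the bitwise-AND netmask math of
# slides 44-48, with the slides' own addresses as constructed input.


def ip_to_int(dotted):
    """'193.239.52.210' -> the 32-bit integer a router actually operates on."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("invalid IPv4 address: %r" % dotted)
    value = 0
    for o in octets:
        value = (value << 8) | o   # shift earlier octets left, append this one
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Dotted-binary display form, e.g. 11000001.11101111.00110100.11010010."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """/20 -> 0xFFFFF000: prefix_len ones followed by (32 - prefix_len) zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def is_valid_mask(dotted_mask):
    """A netmask must be a contiguous run of ones counted from the left."""
    m = ip_to_int(dotted_mask)
    return m == prefix_to_mask(bin(m).count("1"))


def mask_to_prefix(dotted_mask):
    """'255.255.240.0' -> 20; rejects non-contiguous masks such as 255.0.255.0."""
    if not is_valid_mask(dotted_mask):
        raise ValueError("netmask bits are not contiguous: %r" % dotted_mask)
    return bin(ip_to_int(dotted_mask)).count("1")


def network_address(dotted_ip, prefix_len):
    """Logical AND of the address and the mask gives the network it belongs to."""
    return int_to_ip(ip_to_int(dotted_ip) & prefix_to_mask(prefix_len))


def same_network(ip_a, ip_b, prefix_len):
    """True when both addresses AND down to the same network address."""
    return network_address(ip_a, prefix_len) == network_address(ip_b, prefix_len)


def show_and(dotted_ip, prefix_len):
    """The three-row working of slide 47 as (label, dotted, binary) rows."""
    ip = ip_to_int(dotted_ip)
    mask = prefix_to_mask(prefix_len)
    net = ip & mask
    return [
        ("IP Address", dotted_ip, to_binary(ip)),
        ("Subnet Mask", int_to_ip(mask), to_binary(mask)),
        ("Network Address", int_to_ip(net), to_binary(net)),
    ]


if __name__ == "__main__":
    for label, dotted, binary in show_and("193.239.52.210", 20):
        print("%-16s %-16s %s" % (label, dotted, binary))
    print("same network as 193.239.32.0/20?",
          same_network("193.239.32.1", "193.239.52.210", 20))
```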
49. Internet Protocol version 4 (IPv4) – Design: Subnets
• The Classful IP address scheme provides a fixed number of Networks and a fixed number of Devices per network.
Class A: Network = 1st Octet; Device = 2nd, 3rd, 4th Octets; 128 networks; 16,777,216 devices
Class B: Network = 1st, 2nd Octets; Device = 3rd, 4th Octets; 16384 networks; 65,536 devices
Class C: Network = 1st, 2nd, 3rd Octets; Device = 4th Octet; 2,097,152 networks; 256 devices
• Subnetting enables the creation of multiple (sub)networks from a single classful network.
• It takes space from the Device portion to create additional Networks.
50. Internet Protocol version 4 (IPv4) – Design: Subnets
• A subnet (or subnetwork) is an identifiably separate part of an organization's network. It is a logical grouping of connected network devices.
• Network engineers employ subnets as a way to partition networks into smaller logical segments to improve performance, security and administration.
Diagram showing one Network partitioned into 4 smaller (sub)networks: Subnet A, Subnet B, Subnet C, Subnet D.
51. Internet Protocol version 4 (IPv4) – Design: Subnets
• An IP address is composed of two parts: a network and a device part.
• E.g. a Class A address of 10 has one network ID (10) and 16 million device IP addresses, e.g. 10.0.0.1, 10.0.0.2, etc.
– 16 million devices on one network introduces an unmanageable amount of chaos.
Network ID | Device Addresses
10 | 0.0.0 – 255.255.255
Subnetting carves out a portion of the device address space to create additional networks, or subnets:
Network ID | Subnet (additional networks) | Device Addresses (reduced)
Network ID + Subnet 1 … Subnet n = the subnetted network
52. Internet Protocol version 4 (IPv4) – Design: Subnets
• Example: create 5 networks from one Class B network ID, 128.125.0.0
– First, convert the IP address into binary notation.
128.125.0.0 = 10000000 01111101 00000000 00000000 (network | network | device | device)
– Use enough “bits” from the device portion to create the desired number of subnets
10000000 01111101 11100000 00000000 (network | network | subnet bits + device | device)
– 3 bits will create 2^3 or 8 subnets
53. Internet Protocol version 4 (IPv4) – Design: Subnets
10000000 01111101 11100000 00000000 (network | network | subnet + device | device) – 3 bits give 2^3 or 8 subnets
1 = 10000000 01111101 00000000 00000000   128.125.0.0
2 = 10000000 01111101 00100000 00000000   128.125.32.0
3 = 10000000 01111101 01000000 00000000   128.125.64.0
4 = 10000000 01111101 01100000 00000000   128.125.96.0
5 = 10000000 01111101 10000000 00000000   128.125.128.0
6 = 10000000 01111101 10100000 00000000   128.125.160.0
7 = 10000000 01111101 11000000 00000000   128.125.192.0
8 = 10000000 01111101 11100000 00000000   128.125.224.0
In some older implementations, the first and last subnets are reserved. These correspond to IP addresses where the subnet bits are all “0” or all “1”.
Each of these subnets has 2^(16-3), i.e. 2^13 or 8192 device IP addresses
54. Internet Protocol version 4 (IPv4) – Design: Subnets
128.125.128.0 = 10000000 01111101 10000000 00000000
Subnet 128.125.128.0 has 2^(16-3), i.e. 2^13 or 8192 device IP addresses:
10000000 01111101 10000000 00000000   Subnet Address
10000000 01111101 10000000 00000001   VPC Router
10000000 01111101 10000000 00000010   DNS
10000000 01111101 10000000 00000011   Future Use
...
10000000 01111101 10011111 11111111   Broadcast Address
The first 4 and the last IP address in this and every subnet in AWS are reserved.
55. Internet Protocol version 4 (IPv4) – Design: Subnets
• AWS reserves 5 IP addresses in each subnet CIDR block. They cannot be assigned to an instance.
– the first 4 addresses are reserved for infrastructure services
– the last 1 IP address is the broadcast
• E.g., in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
IP Address | Status | Description
10.0.0.0 | Subnet address. | Network
10.0.0.1 | Reserved by AWS for the VPC router. | Gateway
10.0.0.2 | DNS | DNS server
10.0.0.3 | Reserved by AWS for future use. | Reserved
10.0.0.255 | Network broadcast address. | Broadcast not supported in VPC.
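Carving 128.125.0.0/16 into the eight /19 subnets of slides 52 to 54 and listing the five addresses AWS reserves in each (slide 55), as an added Python example (not from the slides) built on the standard ipaddress module. The /16 to /28 size check reflects the AWS VPC subnet limit, which the slides do not mention; function names are my own.

```python
# Added example, not from the slides: carve a Class B network into subnets
# (slides 52-54) and list the five addresses AWS reserves per subnet
# (slide 55), using Python's standard ipaddress module.
import ipaddress

# Offsets from the subnet address that AWS keeps for itself (slide 55).
AWS_RESERVED_OFFSETS = {
    0: "Subnet address (network)",
    1: "Reserved by AWS for the VPC router",
    2: "Reserved by AWS for DNS",
    3: "Reserved by AWS for future use",
}
AWS_RESERVED_COUNT = 5   # the four above plus the broadcast address

# AWS VPC subnets must be between /16 and /28 (AWS rule, not from the slides).
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28


def carve_subnets(network_cidr, borrowed_bits):
    """Borrow `borrowed_bits` from the device portion -> 2**borrowed_bits subnets."""
    net = ipaddress.ip_network(network_cidr, strict=True)
    if borrowed_bits < 0 or net.prefixlen + borrowed_bits > net.max_prefixlen:
        raise ValueError("cannot borrow %d bits from %s" % (borrowed_bits, net))
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def aws_reserved_addresses(subnet_cidr):
    """{address: reason} for the five addresses AWS reserves in a subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX:
        raise ValueError("AWS subnets must be /%d to /%d: %s"
                         % (AWS_MIN_PREFIX, AWS_MAX_PREFIX, net))
    reserved = {}
    for offset, reason in AWS_RESERVED_OFFSETS.items():
        reserved[str(net.network_address + offset)] = reason
    reserved[str(net.broadcast_address)] = (
        "Network broadcast address (broadcast not supported in VPC)")
    return reserved


def usable_host_count(subnet_cidr):
    """Addresses an instance can actually take: subnet size minus the reserved five."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_COUNT


def is_assignable(subnet_cidr, address):
    """True if `address` lies in the subnet and is not one of the reserved five."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in aws_reserved_addresses(subnet_cidr)


if __name__ == "__main__":
    for i, subnet in enumerate(carve_subnets("128.125.0.0/16", 3), start=1):
        print(i, subnet, "usable hosts:", usable_host_count(subnet))
    for address, reason in aws_reserved_addresses("128.125.128.0/19").items():
        print(address, "-", reason)
```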
56. Internet Protocol version 4 (IPv4) – Design: Classless
• Classless Inter-Domain Routing (CIDR), as the name implies, eliminates the concept of IP address classes
– A step beyond subnetting
– Virtualizes the Classful IP address space
– Introduced the slash notation which identifies the mask (fixed bits)
• 192.168.16.0/24 fixes the 1st 24 bits from the left as the Network ID
• the remaining 8 bits are used for Device addressing
– The subnet mask (or fixed bits) can be expressed in one of three notations:
• Binary – 11111111.11111111.11100000.00000000
• Decimal – 255.255.224.0
• Slash – /19
– The binary notation is a contiguous string of “1”s, counted from the left
57. Internet Protocol version 4 (IPv4) – Design: Classless
• Classless Inter-Domain Routing (CIDR)
– Is a type of variable length subnet mask (VLSM)
– Provides a mechanism to vary the number of “fixed bits” of an IP address
– Allowing flexible management of the IP address space of a network ID
• To partition a single Class B (/16) network into four sub-networks (/18)…
– …“borrow” two bits from the device portion to create four additional (sub)networks
Network | Device = 11111111 11111111 00000000 00000000 (the /16 mask)
Subnet 1 … Subnet 4 | Device = 11111111 11111111 11000000 00000000 (the /18 mask)
58. Internet Protocol version 4 (IPv4) – Design: Classless
• A service provider may need to break a Network ID into multiple (sub)networks and assign each one to a separate subscriber
• They do this via CIDR
One Class A network:
1st Octet (Network) | 2nd Octet (Device) | 3rd Octet (Device) | 4th Octet (Device)
00101000 (40) | 00000000 (0) | 00000000 (0) | 00000000 (0)
• To create 1024 subnets from the one Class A network above, take 10 bits from the Device portion to create 2^10 subnets
• Instead of one network, the SP has 1024 networks to share with its subscribers
1st Octet (Network) | 2nd Octet (subnet bits) | 3rd Octet (subnet bits + device) | 4th Octet (Device)
00101000 (40) | 11111111 (0 - 255) | 11000000 (0 - 192) | 00000000 (0)
59. Internet Protocol version 4 (IPv4) – Design: CIDR vs Subnetting
Subnetting
• Logically partitions a network into subnetworks
• Starts by assuming a Classful IP address
• It then moves the subnet mask size to the right
• Uses the device bits to create additional subnets
• Result: the network gets partitioned into multiple subnetworks
CIDR
• Partitions a network into subnets or summarizes subnets into a network
• No reference to Class
• Enables hierarchical network management
• Moves the “subnet mask size” left or right
• Enables flexible and efficient grouping of IP addresses
60. Internet Protocol version 4 (IPv4) – Design: IP Registry
Diagram: IANA at the top, allocating to the Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC).
There are five Regional Internet Registries (RIRs) around the world.
ICANN, under the auspices of the Internet Assigned Numbers Authority (IANA), allocates blocks of IP addresses to the five RIRs.
An RIR allocates CIDR blocks to individual organizations and people.
62. Types of IP Addresses
IPv4 – IP Version 4
• 32-bit address space (2^32 potential addresses)
• Dotted decimal notation (128.125.253.136)
• Address Depletion Countermeasures: CIDR, NAT, Private IP
IPv6 – IP Version 6
• 128-bit address space (2^128 potential addresses)
• Hexadecimal notation (2001:0DB8:85A3:0000:0000:8A2E:0370:7334)
• Standardized in 1996. First production allocations in 1999.
63. Internet Protocol version 6 (IPv6)
Field: 4 hexadecimal digits = 16 bits
Eight 16-bit Fields: 8 x 16 bits = 128 bits
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
0 – ffff : 0 – ffff : 0 – ffff : 0 – ffff : 0 – ffff : 0 – ffff : 0 – ffff : 0 – ffff
2001:0db8:00a3:0000:0000:8a2e:0370:7334
This is why an IPv6 address is said to be a 128-bit number.
64. Internet Protocol version 6 (IPv6)
Field: 4 hexadecimal digits = 16 bits
2001:0db8:00a3:0000:0000:8a2e:0370:7334
2001:db8:a3:0:0:8a2e:370:7334
2001:db8:a3::8a2e:370:7334
65. Internet Protocol version 6 (IPv6)
• IPv6
– Developed by the Internet Engineering Task Force (IETF)
– Defined in RFC 8200
– Addresses devices on the network
– Replacement for IPv4
– 2^128 (or approximately 340 trillion trillion trillion) addresses
– Usually written in hexadecimal format
• e.g. 2A03:2880:F122:0083:FACE:B00C:0000:25DE
– In binary format: 8 bits separated by colon
• e.g. 0010 1010 0000 0011 0010 1000 1000 0000 1111 0001 0010 0010 0000 0000 1000 0011
1111 1010 1100 1110 1011 0000 0000 1100 0000 0000 0000 0000 0010 0101 1101 1110
– New features, e.g. Stateless Address Autoconfiguration (SLAAC)
66. Ridiculously Large Numbers
Name | # of Zeros | Long Form
million | 6 | 1,000,000
billion | 9 | 1,000,000,000 (IPv4: 4.3 billion)
trillion | 12 | 1,000,000,000,000
quadrillion | 15 | 1,000,000,000,000,000
quintillion | 18 | 1,000,000,000,000,000,000
sextillion | 21 | 1,000,000,000,000,000,000,000
septillion | 24 | 1,000,000,000,000,000,000,000,000
octillion | 27 | 1,000,000,000,000,000,000,000,000,000
nonillion | 30 | 1,000,000,000,000,000,000,000,000,000,000
decillion | 33 | 1,000,000,000,000,000,000,000,000,000,000,000
undecillion | 36 | 1,000,000,000,000,000,000,000,000,000,000,000,000 (IPv6: 340 undecillion)
67. There are 2^32 possible IPv4 addresses. They have now all been claimed.
Various solutions such as CIDR, NAT and Private Addresses were developed to extend its life. That effort has run its course.
IPv6, the next generation IP address scheme, with 2^128 possible addresses, is in the initial phase of deployment.
68. Types of IP Addresses
An IPv4 Address
128.125.253.136
10000000 01111101 11111101 10001000
Eight bits = One Octet = 1 Byte
Four octets = 32 bits
69. Types of IP Addresses
An IPv6 Address
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Eight groups of four hexadecimal digits delimited by colons. Each group is a hextet (or field); a colon delimiter sits between hextets.
2001 = 0010 0000 0000 0001
0db8 = 0000 1101 1011 1000
85a3 = 1000 0101 1010 0011
0000 = 0000 0000 0000 0000
0000 = 0000 0000 0000 0000
8a2e = 1000 1010 0010 1110
0370 = 0000 0011 0111 0000
7334 = 0111 0011 0011 0100
32 hexadecimal digits = eight hextets = 128 bits
70. Types of IP Addresses
• A single IPv6 address can be represented in different ways:
– 2001:0db8:0000:0000:0001:0000:0000:0001
– 2001:db8:0:0:1:0:0:1
– 2001:0db8:0:0:1:0:0:1
– 2001:db8::1:0:0:1
– 2001:0db8::1:0:0:1
– 2001:db8:0:0:1::1
– 2001:db8:0000:0:1::1
– 2001:DB8:0:0:1::1
• There are best practice rules to produce the correct
representation…
71. Recommendations for IPv6 Text Representation
• Suppress leading zeros
– E.g., 2001:0db8::0001 to 2001:db8::1.
A single 16-bit 0000 field MUST be represented as 0
• Shorten Contiguous Zeros as Much as Possible
– E.g., 2001:db8:0:0:0:0:2:1 to 2001:db8::2:1.
Likewise 2001:db8::0:1 to 2001:db8::1
• Don’t Use “::” to Shorten Just One 16-bit Field
– E.g., 2001:db8:0:1:1:1:1:1 not 2001:db8::1:1:1:1:1
• Longest run of consecutive 16-bit “0” fields MUST be shortened
– E.g. 2001:0:0:1:0:0:0:1 is shortened to 2001:0:0:1::1.
If the fields are equal, the first sequence of zero bits MUST be shortened, e.g.
2001:db8:0:0:1:0:0:1 to 2001:db8::1:0:0:1
• Use Lowercase
– "a", "b", "c", "d", "e", and "f" MUST be represented in lowercase
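The representation rules above, implemented as an added Python example (not code from the slides): an address in any of the accepted spellings is first expanded to eight 4-digit fields, then re-compressed so that leading zeros are dropped, the longest (first, on a tie) run of two or more zero fields becomes “::”, and hex digits are lowercase. Function names are my own.

```python
# Added example, not from the slides: canonical IPv6 text form following the
# rules of slide 71 (suppress leading zeros, shorten the longest zero run,
# never use "::" for a single field, lowercase hex digits).

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Any accepted spelling -> eight 4-hex-digit lowercase fields."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one field: %r" % text)
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 fields: %r" % text)
    out = []
    for field in fields:
        if not 1 <= len(field) <= 4 or set(field) - HEX_DIGITS:
            raise ValueError("bad field %r in %r" % (field, text))
        out.append(field.lower().zfill(4))
    return out


def _longest_zero_run(fields):
    """(start, length) of the longest run of '0' fields; first run wins ties."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(fields):
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < len(fields) and fields[j] == "0":
            j += 1
        if j - i > best_len:            # strictly greater keeps the first run on a tie
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def compress_ipv6(text):
    """Canonical (shortest, lowercase) text form of an IPv6 address."""
    # Rule: suppress leading zeros; a 0000 field becomes "0".  Also lowercase.
    fields = [f.lstrip("0") or "0" for f in expand_ipv6(text)]
    start, length = _longest_zero_run(fields)
    if length < 2:                      # rule: no "::" for just one 16-bit field
        return ":".join(fields)
    head = ":".join(fields[:start])
    tail = ":".join(fields[start + length:])
    return head + "::" + tail           # "::1", "1::" and "::" fall out naturally


def is_valid_ipv6(text):
    """True when the text parses as an IPv6 address under the rules above."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("2001:0db8:0000:0000:0001:0000:0000:0001", "2001:DB8:0:0:1::1",
                   "2001:db8:0:1:1:1:1:1", "2001:0:0:1:0:0:0:1"):
        print("%-42s -> %s" % (sample, compress_ipv6(sample)))
```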
73. Ethernet
Ethernet v2 (Most Common)
• also known as Ethernet II
• originally DIX – Digital, Intel, Xerox
• contains the Type field
• maximum Ethernet payload size is 1500 bytes
• RFC 894: specification for IPv4 encapsulation
IEEE 802.3 + 802.2 LLC (IEEE or Proprietary)
• Implementation of the OSI Data Link layer
• LLC – logical link control – enables error correction and flow control
• Type field replaced by Length field
• maximum Ethernet payload size is 1497 bytes
• RFC 1042: specification for IPv4 encapsulation
Ethernet RAW
• Used by Novell Netware
• encapsulated the IPX protocol inside an Ethernet frame
IEEE 802.3 + LLC + SNAP (IEEE or Proprietary)
• Specific vendor proprietary implementations
• SNAP (Sub-Network Access Protocol)
• Type field replaced by Length field
• maximum Ethernet payload size is 1492 bytes
• RFC 1042: specification for IPv4 encapsulation
74. Ethernet Frame
• Ethernet v2 is most common
– IEEE 802.3 is used mainly by certain IEEE or proprietary protocols.
• Ethernet encapsulates higher layer (L3 – 7) protocols in header fields and a Frame Check Sequence (FCS) footer field.
Ethernet v2 frame layout:
Field | Size | Purpose
Preamble | 8 bytes | Synchronization & start of frame
Destination | 6 bytes | MAC address of the receiver (MAC layer header)
Source | 6 bytes | MAC address of the sender (MAC layer header)
Type | 2 bytes | Describes the protocol encapsulated in the Payload (MAC layer header)
Payload | 46 – 1500 bytes | Data & header from the higher layer protocol (Ethernet MTU)
FCS | 4 bytes | A CRC value for frame integrity
76. Media Access Control (MAC) Address
• 48-bit (6-octet) Address Space
– Equally divided into: vendor and device parts
• 2^48 = 281,474,976,710,656 possible addresses
• Uniquely identifies the network interface card (NIC)
• Assigned by the NIC manufacturer
• Media Access Layer of OSI and Data Link Layer of TCP/IP
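The Ethernet v2 frame layout of slide 74 and the vendor/device split of the MAC address on slide 76, as an added Python example (not code from the slides): a frame is built and parsed without the preamble (which the PHY adds and strips before software sees the frame), a Type value below 0x0600 is read as an 802.3 Length field, the 46-byte payload minimum is enforced, and the FCS is checked. The FCS is computed with zlib.crc32, assuming the standard CRC-32 that Ethernet uses; the sample MAC addresses and payload are constructed.

```python
# Added example, not from the slides: build and parse an Ethernet v2 frame
# (slide 74) and split a MAC address into vendor and device parts (slide 76).
import struct
import zlib

MIN_PAYLOAD = 46         # payload is padded up to 46 bytes
MAX_PAYLOAD = 1500       # the Ethernet v2 MTU
HEADER_LEN = 14          # destination (6) + source (6) + type/length (2)
FCS_LEN = 4
ETHERTYPE_MIN = 0x0600   # values >= 0x0600 are a Type (Ethernet v2),
                         # values <= 1500 are a Length (IEEE 802.3)


def format_mac(raw):
    """6 raw bytes -> 'aa:bb:cc:dd:ee:ff'."""
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 octets")
    return ":".join("%02x" % b for b in raw)


def parse_mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 octets: %r" % text)
    return raw


def split_mac(text):
    """(vendor part, device part): the first and last three octets."""
    mac = format_mac(parse_mac(text))
    return mac[:8], mac[9:]


def build_frame(dst_mac, src_mac, type_or_len, payload):
    """Ethernet v2 frame bytes (no preamble): header + padded payload + FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload of %d bytes exceeds the 1500-byte MTU" % len(payload))
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")      # pad short payloads to 46 bytes
    header = parse_mac(dst_mac) + parse_mac(src_mac) + struct.pack("!H", type_or_len)
    body = header + payload
    # FCS: CRC-32 over header + payload, sent least-significant byte first
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Dissect a frame into its fields and verify the FCS."""
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("frame shorter than the 64-byte Ethernet minimum")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:HEADER_LEN])
    payload = frame[HEADER_LEN:-FCS_LEN]
    fcs_received = struct.unpack("<I", frame[-FCS_LEN:])[0]
    fcs_computed = zlib.crc32(frame[:-FCS_LEN]) & 0xFFFFFFFF
    if type_or_len >= ETHERTYPE_MIN:
        kind, length = "Ethernet v2", len(payload)
    else:
        kind, length = "IEEE 802.3", type_or_len   # Length field counts real payload
    return {
        "dst": format_mac(dst),
        "src": format_mac(src),
        "kind": kind,
        "type_or_len": type_or_len,
        "payload_len": length,
        "payload": payload[:length],
        "fcs_ok": fcs_received == fcs_computed,
    }


if __name__ == "__main__":
    # Constructed sample: the slide-5 MAC as destination, IPv4 (0x0800) payload.
    frame = build_frame("1c:98:ec:a8:ec:30", "02:00:00:00:00:01", 0x0800, b"hello")
    print(len(frame), "bytes on the wire (without preamble)")
    print(parse_frame(frame))
    print("vendor/device:", split_mac("1c:98:ec:a8:ec:30"))
```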
78. Maximum Transmission Unit (MTU)
• Maximum transmission unit (MTU) is
– a characteristic of a network connection
– the largest permissible packet that can be passed by a protocol
– measured in bytes
– Different protocols have different MTU values
• An Ethernet frame consists of the payload, i.e. the data, and the network overhead (Ethernet Frame = Overhead (fixed) + Payload (variable))
• A large MTU increases data and reduces overhead per packet.
• Smaller values can reduce network delay.
79. Jumbo Frame
Standard Ethernet v2 Frame Format: 1500 bytes
Jumbo Frame Format: 1501 – 9000 bytes
AWS: Jumbo Frame Format: 9001 bytes
AWS: Jumbo frames are supported only within a VPC.
81. Gateways
• As the name implies, a gateway:
– Is a key control point into or out of a network
– Exists at the edge of a network
– Controls and inspects traffic going in and out of the network
– Joins two (or more) networks together
• Can operate at any layer of the ISO-OSI model, typically 3 – 7.
• In strict usage, a gateway connects networks with dissimilar
protocols
– E.g. TCP/IP and IBM SNA, or TCP/IP and Honeywell Bull DSA
– AWS uses a more relaxed definition of gateways, without the protocol conversion function
82. Some Gateways Available on AWS
• Internet Gateway (IGW)
• Customer GW
• VPC Peering
• VPC Router
• VPN Connection
• NAT Gateway
• Virtual Private Cloud (VPC)
• Direct Connect
• Virtual Private Gateway (VGW)
• Storage Gateway (SGW)
• Elastic Load Balancer (ELB)
83. Virtual Private Cloud (VPC)
• Amazon Virtual Private Cloud (Amazon VPC)
– provision a logically isolated section of the AWS Cloud
– launch AWS resources in your defined virtual networks
– control over the virtual networking environment
• selection of your own IP address range
• creation of public and/or private subnets
• configuration of route tables and network gateways
– leverage layers of security, including:
• security groups to control access to instances
• network access control lists, to control access to subnets
84. [VPC diagram: a Region containing VPC 1 through VPC n, each spanning Availability Zone 1 and Availability Zone 2 with Subnet 1 and Subnet 2; a Router, an Internet GW, a Virtual Private GW with its VPN, and VPC Peering are attached to the VPC]
85. VPC Router
• The VPC router processes the routes in a Route Table and directs the traffic flow accordingly
• Using the route table
– routers identify the next router in the path
– send packets towards the destination
• Enables EC2 instances to communicate with each other across subnets in the same VPC
• Enables subnets, Internet gateways, and virtual private gateways to communicate with one another.
• Route tables contain routes to:
– an instance
– an Internet gateway
– a virtual private gateway
– a NAT gateway
– a VPC peer
– a VPC endpoint
86. Route Table
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
[Diagram: VPC 1 spanning Availability Zone 1 and Availability Zone 2; Subnet 1 and Subnet 2, each holding instances, reach the Router through their own Route Table]
Route tables are assigned to subnets
87. Route Table
Each subnet in your VPC must be associated with a route table.
[Two diagrams of a Router with Route Table A and Route Table B serving Subnet 1 and Subnet 2, illustrating the two statements below]
A subnet can be associated with one route table at a time.
You can associate multiple subnets with the same route table.
88. Route Table
Destination     Target   Status   Propagated
172.16.0.0/16   Local    Active   No
172.31.0.0/24   VGW-id   Active   Yes
10.10.0.0/24    PL-id    Active   No
0.0.0.0/0       IGW-id   Active   No
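The way the VPC router picks a target from the table above is longest-prefix match: the most specific destination that covers the packet's address wins, so 10.10.0.4 goes to the PL-id target while 10.10.1.1 falls through to the 0.0.0.0/0 Internet gateway route. The following added example (not code from the slide deck or from AWS) implements that lookup over the slide's route table; the Status values other than Active are constructed to show that the router does not forward over a route that is not active.

```python
import ipaddress

# The route table from slide 88, one dict per row.
ROUTE_TABLE = [
    {"destination": "172.16.0.0/16", "target": "Local",  "status": "Active", "propagated": False},
    {"destination": "172.31.0.0/24", "target": "VGW-id", "status": "Active", "propagated": True},
    {"destination": "10.10.0.0/24",  "target": "PL-id",  "status": "Active", "propagated": False},
    {"destination": "0.0.0.0/0",     "target": "IGW-id", "status": "Active", "propagated": False},
]


def match_route(route_table, dst_ip):
    """Return the Active route with the longest prefix covering dst_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table:
        if route["status"] != "Active":
            continue  # routes whose target is gone are skipped, the packet is not forwarded over them
        net = ipaddress.ip_network(route["destination"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def next_hop(route_table, dst_ip):
    """Target the VPC router would send a packet for dst_ip to (None means the packet is dropped)."""
    route = match_route(route_table, dst_ip)
    return route["target"] if route else None


def explain(route_table, dst_ip):
    """Human-readable trace of the decision, useful when debugging unexpected egress paths."""
    route = match_route(route_table, dst_ip)
    if route is None:
        return f"{dst_ip}: no active route, dropped"
    return f"{dst_ip}: matched {route['destination']} -> {route['target']}"


if __name__ == "__main__":
    for ip in ("172.16.5.9", "172.31.0.77", "10.10.0.4", "10.10.1.1", "8.8.8.8"):
        print(explain(ROUTE_TABLE, ip))
```

Removing the 0.0.0.0/0 row makes addresses outside every listed prefix unroutable, which is exactly how a private subnet is kept off the Internet: no default route to an Internet gateway, rather than any filtering rule.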
89. VPC Peering
• A VPC peering connection is
– a networking connection between two VPCs
– enables you to route traffic between two VPCs
• Instances in either VPC can communicate with each other as if they are within the same network.
• You can create a VPC peering connection between:
– your own VPCs
– your VPC and a VPC in another AWS account.
• AWS uses the existing infrastructure of a VPC to create a VPC peering connection
90. [VPC peering diagram: a Region with VPC 1 and VPC n spanning Availability Zone 1 and Availability Zone 2, holding Subnet 1 through Subnet 4, with a Router, an Internet GW, and a VPC Peering connection between the VPCs]
91. Internet Gateway
• An Internet Gateway (IGW)
– is attached to the VPC
– is horizontally scalable, redundant, and highly available
– allows communication between instances in your VPC and the Internet
• Acts as a control point between an Amazon VPC and the Internet
– providing your AWS resources access from the VPC subnet to the Internet
92. Virtual Private Gateway (VGW)
• A service that presents an IPsec AWS managed VPN connection
– connectivity from your VPC to your on-premises data center
– makes the AWS Cloud an extension of a corporate data center
• The VPN connection consists of:
– a virtual private gateway attached to your VPC
– a customer gateway located in the corporate data center
• A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection.
• A customer gateway is a physical device or software appliance on the corporate side of the VPN connection.
93. Virtual Private Gateway (VGW)
[Diagram: the Customer Gateway in the Customer Network connects across the Internet to the Virtual Private Gateway of the Amazon VPC over redundant VPN connections with IPsec]
94. VPN Connection
• A VPC VPN Connection:
– establishes an encrypted connection utilizing IPsec
– between an on-premises data center and Amazon VPC over the Internet
• Use cases include:
– quicker deployment (compared with AWS Direct Connect)
– applications with low to modest bandwidth requirements
– applications that can tolerate the inherent variability in Internet-based connectivity
– leveraging existing data center resources
95. Customer Gateway
• A customer gateway is:
– a physical device or software appliance
– the anchor on the corporate side of the connection
• Customer gateways connect to the virtual private gateway on the AWS side through the VPN connection
[Diagram: Customer Network connected to Amazon VPC]
96. Direct Connect
• AWS Direct Connect
– Connects an on-premises datacenter to AWS through a private network connection
– Is an alternative to using the Internet to access the AWS cloud
– Access to all AWS services, including EC2, VPC, S3, and DynamoDB
• Maintains separate network access to public (e.g. S3) and private resources (e.g. EC2) using 802.1q VLANs
• Benefits: reduced network costs, increased throughput, consistent network experience
98. Network Address Translation – NAT
[NAT diagram: devices with private IP addresses 10.1.1.15, 10.1.1.16 and 10.1.1.20 sit on the intranet; a NAT-enabled device with public address 192.17.1.1 maps private to public addresses and accepts the return traffic on behalf of the instance, and blocks private IP addresses from leaving the intranet; the Internet carries only public addresses]
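The two jobs the NAT diagram assigns to the device, mapping private sources to the public address and accepting only the matching return traffic, can be simulated with a small translation table. This is an added example, not code from the slide deck or from AWS; it uses the slide's addresses (192.17.1.1 as the public address, 10.1.1.0/24 for the intranet) and constructed port numbers, and models port-based NAT (NAPT) so several private hosts can share the one public address.

```python
import ipaddress


class Nat:
    """Constructed NAPT model: one public IPv4 address shared by an intranet of private addresses."""

    def __init__(self, public_ip, intranet, first_port=49152):
        self.public_ip = public_ip
        self.intranet = ipaddress.ip_network(intranet)
        self.next_port = first_port      # ephemeral ports handed out in order (constructed range)
        self.flows = {}                  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.by_port = {}                # public port -> that flow key

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the intranet; returns the translated 4-tuple or None."""
        if ipaddress.ip_address(src_ip) not in self.intranet:
            return None                  # not one of our hosts: nothing to translate
        if not ipaddress.ip_address(dst_ip).is_global:
            return None                  # private destinations never leave the intranet
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.flows:        # first packet of a flow allocates a public port
            self.flows[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.flows[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a packet arriving at the public address back to the instance that started the flow."""
        key = self.by_port.get(dst_port)
        if key is None:
            return None                  # no flow: unsolicited traffic is dropped at the NAT
        priv_ip, priv_port, remote_ip, remote_port = key
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                  # only the peer the instance talked to may answer on this port
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = Nat("192.17.1.1", "10.1.1.0/24")
    print(nat.outbound("10.1.1.15", 40000, "93.184.216.34", 443))   # translated to the public address
    print(nat.inbound("93.184.216.34", 443, 49152))                  # return traffic reaches 10.1.1.15
    print(nat.inbound("198.51.100.9", 443, 49152))                   # other senders are dropped
```

Because inbound packets are only accepted when both a flow exists and the sender matches that flow's peer, a host behind this NAT is unreachable from the Internet unless it initiated the conversation; that is the property a NAT gateway gives private subnets in a VPC.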
99. Storage Gateway
• On-premises virtual appliance
• Applications connect to S3
• Storage types: File GW, Vol GW, VTL GW
• Hybrid storage between on-premises environments and the AWS Cloud
• Low-latency performance
• Integration with AWS encryption, identity management, monitoring, and storage services
[Diagram: on-premises Storage Gateway connecting to AWS S3]
100. Storage Gateway
• Each AWS Storage Gateway supports one of three storage interfaces:
– file gateway
• Uses the NFS protocol to store and retrieve files as Amazon S3 objects
• Configured S3 buckets are made available as Network File System (NFS) mount points
– volume gateway
• Provides S3-backed volumes, mounted as iSCSI devices on your on-premises application servers
• Runs in cached mode, where frequently accessed data is cached locally, or stored mode, where the entire data set is available locally
– tape gateway
• Exposes a virtual tape library (VTL) interface for your backup application
• Virtual tape data is stored in Amazon S3 or archived to Amazon Glacier
101. Routing Protocols
• Border Gateway Protocol (BGP)
– an inter-Autonomous System (AS) routing protocol
– Exchange routing and reachability data between autonomous systems (AS)
– the external routing protocol of choice of tier 1 ISPs
– current version is version 4
– RFC 4271
– Uses TCP as the transport layer protocol
• via port 179
– Used in AWS by the AWS Direct Connect service
103. AWS Notes
• Conserving IPv4
– In the default VPC, each Instance launched into a default Subnet has a Private and Public IPv4 Address. By default, each instance that you launch into a non-default Subnet has a private IPv4 address, but no public IPv4 address, unless you specifically assign one at launch, or you modify the subnet's public IP address attribute.
– Public IPv4 addresses are not persistent. They are reused once the Resource is terminated. To get a persistent Public IPv4, use an Elastic IP address.
• Not supported in AWS includes:
– Broadcast
– Multicast
– ARP
– DCCP/SCTP
104. Terms
• Ingress vs. Egress
• Well Known Ports
• Ephemeral Ports
• Stateful vs. Stateless
• VLSM
• Supernet
• CIDR Block
• Leading bit