Skip to content

태그: Netwoking

AWS 리소스 구성 후 관리자는 VPC 외부에서 Private Subnet에 직접 접근할 수 없다. Private Subnet의 Private한 특성을 지키기 위해 Public Subnet인 인스턴스를 하나 만들어서 그 인스턴스를 통해 접근하는 방법을 많이 쓰는데, 이러한 host를 Bastion Host라고 부른다. 쉽게 말하면 내부와 외부 네트워크 사이에서 일종의 게이트 역할을 수행하는 호스트이다. 관리자가 Bastion Host으로 SSH 연결을 한 후 Bastion Host에서 Private Subnet의 Host에 SSH 연결을 하는 형태로 Private Subnet에 접근할 수 있다. SSH 연결을 수행해야 하기 때문에 Bastion Host 또한 Public Subnet에 위치하는 EC2 In

The AWS CDN service is called CloudFront. It serves up cached content and assets for the increased global performance of you application. The main components of ClouFront: adge locations: cache endpoint the origin: original sourve of truth to be cached such as an EC2 instance, an S3 bucket, an Elastic Load Balancer or a Route 53 config distribution: the arrangement of edge locations from the orig

Direct Connect Gateway

Use AWS Direct Connect gateway to connect your VPCs. You associate an AWS Direct Connect gateway with either of the following gateways: A transit gateway when you have multiple VPCs in the same Region A virtual private gateway You can also use a virtual private gateway to extend your Local Zone. This configuration allows the VPC associated with the Local Zone to connect to a Direct Connect gatew

EC2 Instance Connect Endpoint

Imagine trying to connect to an EC2 instance within your VPC over the Internet. Typically, you’d first have to connect to a bastion host with a public IP address that your administrator set up over an IGW in your VPC, and then use port forwarding to reach your destination. EC2 Instance Connect (EIC) Endpoint is allows you to connect securely to you instances and other VPC resources from the Intern

An elastic network interface is a networking component that represents a virtual network card. It can include the following attributes: A primary private IPv4 address from the IPv4 address range of your VPC One or more secondary private IPv4 addresses from the IPv4 address range of your VPC One Elastic IP address (IPv4) per private IPv4 address One public IPv4 address One or more IPv6 addresses O

Global Accelerator

AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users. AWS Global Accelerator is easy to set up, configure, and manage. It provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions

NAT gateway & NAT instance

속성NAT 게이트웨이NAT 인스턴스가용성고가용성. 각 가용 영역의 NAT 게이트웨이는 중복적으로 구현됩니다. 각 가용 영역에 하나의 NAT 게이트웨이를 만들어 아키텍처가 영역에 종속되지 않도록 한다.스크립트를 사용하여 인스턴스 간의 장애 조치를 관리한다.대역폭최대 100Gbps까지 확장한다.인스턴스 유형의 대역폭에 따라 다르다.유지 관리AWS에서 관리한다. 유지 관리 작업을 수행할 필요가 없다.사용자가 관리한다(예: 인스턴스에 소프트웨어 업데이트 또는 운영 체제 패치 설치).성능소프트웨어가 NAT 트래픽 처리에 최적화되어 있다.NAT를 수행하도록 구

Amazon Route 53 is a highly available and scalable Domain Name System(DNS) service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking. DNS is used to map human-readable domain names into an internet protocol address similarly to how phone books map company names with phone numbers. When you buy a domain name, every D

Transit Gateway

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router—each new connection is made only once. Use cases Deliver applications around the world: Build, deploy, and manage applications across

가상 프라이빗 클라우드(VPC)는 퍼블릭 클라우드 내에서 호스팅되는 안전하고 격리된 프라이빗 클라우드이다. VPC를 사용하면 정의한 논리적으로 격리된 가상 네트워크에서 AWS 리소스를 효율적으로 관리할 수 있다. VPC별로 네트워크를 구성하거나 각각의 VPC에 따라 다르게 네트워크 설정을 줄 수 있다. 또한 각각의 VPC는 완전히 독립된 네트워크처럼 작동한다. 아래 그림은 VPC의 예시이다. VPC에는 리전의 각 가용성 영역에 하나의 서브넷이 있고, 각 서브넷에 EC2 인스턴스가 있고, VPC의 리소스와 인터넷 간의 통신을 허용하는 인터넷 게이트웨이가 있는 구조이다. 쉽게 예시를 들자면, 퍼블릭 클라우드를 붐비는 레스토랑으로, 가상 프라이빗 클라우드를 붐비는 레스토랑의 예약된 테이블로 생각해볼 수 있다.

VPC Mapping Service

AWS VPC를 이용해서 가상 네트워크를 만들면 아래와 같은 구성이 된다. 물리 Host 내에 다수의 VPC가 존재할 수 있고, 각 VPC 간에는 독립적인 구성이 가능하다. 각 VPC는 서로 다른 IP 대역(CIDR)를 사용하는 것 뿐 아니라, 내부 IP를 같은 값으로 지정할 수도 있다. 하나의 VPC는 여러 물리 Host로 나뉘어 위치하기도 한다. 서로 다른 Host에 위치한 ZIGI-VM1과 ZIGI-VM3은 논리적으로 같은 네트워크이기 때문에 서로 간의 통신이 가능하다. 근데 물리적으로 서로 다른 ZIGI-VPC1과 ZIGI-VM3은 어떻게 통신이 가능할까? 바로 아래과 같이 VPC에 대한 정보는 Encapsulation하고, 통신하고자 하는 물리 Host IP 정보를 같이 담아 전송하게 된다. 그

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink. Amazon VPC instances do not require public IP addresses to communicate with resources of the service. Traffic between an Amazon VPC and a service does not leave the Amazon network. VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highl

VPCs can also serve as a bridge between your corporate data center and the WAS cloud. With a VPC Virtual Private Network (VPN), your NPC bocomes an extension of your ono-prem environment. Naturally, your instances that you launch in your VPC can’t communicate with your own on-premise servers. You can allow the access by first: attaching a virtual private gateway to the VPC. creating a custom

AWS Site-to-Site VPN You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway or transit gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway device on the remote side of the Site-to-Site VPN connection. For more information, see the AWS Site-to

Application LoadBalancer components

A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This increases the availability of your application. You add one or more listeners to your load balancer. A listener checks for connection requests from clients, using the protocol and port that

Connection Draining

Connection Draining is a feature provided by Elastic Load Balancer that allows in-flight requests to complete before terminating an unhealthy instance. When an instance becomes unhealthy, the ELB stops sending new requests to that instance but allows existing requests to complete within a specified timeout period. This helps prevent the loss of in-flight requests and provides a smooth transition w

Elastic Load Balancing automatically distributes incoming application traffic acress multiple targets, such as Amazon EC2 instances, Docker containers, IP addresses, and Lambda functions. It can handel the varying load of your application traffic in a single Availability Zone or acress multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the hig

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC. The following diagram shows a VPC with two subnets. Each sub

Security Groups

Security Groups are used to control access (SSH, HTTP, RDP, ect.) with EC2. They act as a virtual firewall for your instances to control inbound and outbound traffic When you launch an instance in a VPC, you can assign up to five security groups to the instance an security groups act at the instance level, not the subnet level. Security Groups control inbound and outbound traffic for your insta

AWS WAF is a web application thet let you allow or block the HTTP(s) requests that are bound for CloudFront, API Gateway, Application Load Balancers, EC2, and other Layer 7 entry points into you AWS Environment. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripti