Thursday, July 11, 2013

AWS Networking 101 for Oracle DBAs, Developers and Architects

Oracle DBAs understand TCP/IP and ports as this is how they connect to and manage an Oracle database.  However, there is no need to understand other networking constructs such as routing tables, network translation, VPN tunnels, or even a network mask.  This blog post will cover networking terminology, AWS networking services and features, and specifics around DNS.

Below are some general network terms and constructions you need to understand when you move to AWS:
1. CIDRs (Classless Inter-Domain Routing) : CIDR is also known as supernetting as it effectively allows multiple subnets to be grouped together for network routing.  CIDR specifies an IP address range using a combination of an IP address and its associated network mask. An example is, 192.168.1.0/24.  This means that the first three octnets (192, 168,  and 1) are fixed and the last octnet is available to use.  Therefore, there are 256 IP addresses available to use 192.168.1.0 - 192.168.1.255.  CIDRs are used in AWS VPC and security groups. 
2. VPN (Virtual Private Network) : Extends a private network across a public network.  This allows AWS to be an extension of your corporate network.  It also provides security, encryption, and management across your Internet-based connection to AWS.
3. Ipsec : Is a protocol suite for securing IP communications.  When you establish a VPN connection to AWS VPC, you create an IPSec tunnel for secure communication over the Internet. More here : http://cloudconclave.blogspot.com/2013/03/getting-started-with-aws-vpc.html
4. Layer 2 and Layer 3 networks : The Internet Protocol (IP) address is a layer 3 address.  Layer 3 networks do routing at the IP level.  Layer 2 networks operate at the data link layer of the network.  Therefore, they use the Media Access Control (MAC) address to determine where to direct the message.  AWS is a layer 2 network.  The fact AWS is a layer 2 network could impact some of the 3RD party solutions that can run on AWS.
5. Multicast and unicast : Multicast is a true broadcast. The multicast source relies on multicast-enabled routers to forward the packets to all client subnets that have clients listening.Unicast is a one-to one connection between the client and the server. Unicast uses IP delivery methods such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which are session-based protocols.  AWS only supports unicast.  Some software products (such as Oracle RAC) use multicast so they can not be run on AWS infrastructure. 
6. VLAN : A single layer-2 network may be partitioned to create multiple distinct broadcast domains.  When using AWS Direct Connect, you can provision virtual interface (VLAN) connections to the AWS cloud, Amazon VPC, or both.  You can not extend you data center VLAN into the AWS cloud when using AWS Direct Connect.
7. NAT : Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device.  NAT AWS EC2 instances are used to translate IP addresses in an AWS VPC when instances are in a private subnet and need to communicate with the outside world.
8. SDN : Software-defined networking (SDN) is an approach to computer networking which abstracts the distributed systems, the control plane and the data plane. SDN is similar to what virtual machines have done for compute virtualization. SND is network virtualization.  
9. iptables : The Linux iptables are essentially the way an AWS NAT instance does the IP (actually does port routing so AWS NAT is actually a PAT - Port Address Translation).
10. Overlay networks : An overlay network is a computer network which is built on the top of another network.  For example, since the AWS network is a layer 2 network that does not support multi-cast, you cloud place a overlay network on top of the base AWS network that supports multi-cast.  Blog post on overlay and SDN : http://cloudconclave.blogspot.com/2013/06/overlay-networks-on-aws.html
11. BGP : Border Gateway BC Protocol (BGP) is the protocol which is used to make core routing decisions on the Internet; it involves a table of IP networks or "prefixes" which designate network reachability among autonomous systems (AS).  BGP does dynamic routing and AWS refers to a BGP device as the Customer Gateway when using a VPN connection to AWS VPC.
 12. ASA : Cisco ASA is a static routing device.  The Cisco ASA device is referred to as the Customer Gateway when using a VPN connection to AWS VPC.

These are AWS specific services and components:
1. VPC : Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
2. Internet Gateway :  The Internet Gateway allows EC2 instances in a VPC communicate with the Internet.  When you launch an AWS VPC with a public subnet it comes with an Internet gateway, and instances launched into a public subnet have a public IP address and communicate with the internet using the Internet Gateway. 
Instances that you launch into a private subnet do not receive a public IP address, and can't communicate with the Internet. You can enable Internet access for instances that you launch into a private subnet by using a NAT instance.
3. Customer Gateway : A customer gateway is a physical device or software application on your side of the VPN connection.  The Customer Gateway is used to create an secure IPsec VPN tunnel to AWS VPC.
4. Virtual Private Gateway A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.  The VPG is a service provided by AWS.
5. ENI : An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. ENIs allow an EC2 instance to have more than one IP address.  This includes a primary private IP address, one or more secondary private addresses, or an Elastic IP address. You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of a network interface follow the network interface as it is attached or detached from an instance and reattached to another instance. When you move a network interface from one instance to another, network traffic is redirected to the new instance.  This is feature is useful for creating a management network, dual homed instances, or security appliances in your VPC.
6. ElasticIP : An Elastic IP address (EIP) is a static public IP address that can be assigned to an EC2 instance or an ENI.  A more appropriate name for an EIP may be a Public IP address. With an EIP, you can mask the failure of an instance by rapidly remapping the address to another instance. Your EIP is associated with your AWS account, not a particular instance, and it remains associated with your account until you choose to explicitly release it.
There's one pool of EIPs for use with the EC2-Classic platform and another for use with your VPC. You can't associate an EIP that you allocated for use with a VPC with an instance in EC2-Classic, and vice-versa.
7. Public and Private Subnet : A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be connected to the Internet, and a private subnet for resources that won't be connected to the Internet. instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can't. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't.More on public and private subnets can be found here: http://cloudconclave.blogspot.com/2013/05/aws-vpc-public-and-private-subnets.html
8. NAT Instances : Instances that you launch into a private subnet in a virtual private cloud (VPC) can't communicate with the Internet. You can optionally use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.
 9. Route 53 : Amazon Route 53 is a Domain Name System (DNS) web service.  More on Route 53 can be found here: http://cloudconclave.blogspot.com/2013/05/routing-53-as-your-dns-service.html.  Route 53 resolves an IP address to a domain name.
10. Direct Connect : Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.  Direct Connect has speeds of 1 Gbps or 10 Gbps.   When companies are extending their Oracle solutions into the cloud, they often times chose to use Direct Connect as Internet speeds are not fast enough.  More on Direct Connect http://cloudconclave.blogspot.com/2013/06/aws-direct-connect-active-active-with.html and http://cloudconclave.blogspot.com/2013/06/aws-vpn-connection-as-direct-connect.html.  Direct Connect also refers to a facility that is next to an AWS data center that can be used to host third party hardware and software solutions such as Oracle RAC. More on this here: http://cloudconclave.blogspot.com/2013/06/oracle-rac-on-aws.html
11. CloudFront : CloudFront is an edge location content delivery service.  It is mostly used to deliver static content such as web sites, documents, videos, pictures etc.  However, it can also be used for dynamic content.

Specific to Route 53 (the AWS DNS Hosting Service):http://cloudconclave.blogspot.com/2013/05/routing-53-as-your-dns-service.html
1. DNS hosting service : A DNS hosting service is a service that runs Domain Name System servers.  
2. A records : An A record (Address Record) points a domain or subdomain to an IP address.
3. Zone apex record : I sometimes called the root domain or naked domain.  The apex record would be domainname.com without a www or any another prefix.
4. Cname : A CNAME (Canonical Name) points one domain or subdomain to another domain name, allowing you to update one A Record each time you make a change, regardless of how many Host Records need to resolve to that IP address.
5. Alias records : Route 53 offers ‘Alias’ records (a Route 53-specific virtual record). Alias records are used to map resource record sets in your hosted zone to Elastic Load Balancing load balancers, CloudFront distributions, or S3 buckets that are configured as websites. Alias records work like a CNAME record in that you can map one DNS name (example.com) to another ‘target’ DNS name (elb1234.elb.amazonaws.com). They differ from a CNAME record in that they are not visible to resolvers. Resolvers only see the A record and the resulting IP address of the target record.

Security also plays a key role when configuring a network on AWS. More on security can be found here: http://cloudconclave.blogspot.com/2013/07/aws-security-101-for-oracle-dbas.html

6 comments:

  1. The specifications are great but what are the advantages of using this networking system?

    Thanks
    Silvester Norman

    Change Mac Address

    ReplyDelete
  2. Would it be possible to use an overlay network / SDN to enable multicast to permit Oracle RAC to run in AWS?

    ReplyDelete
  3. I read this blog please update more content on hacking, further check it once at AWS Online Training

    ReplyDelete
  4. Very clear-cut information easy to understand. Thanks for providing for more updates on AWS Get touch with.
    AWS Online Training

    ReplyDelete