# Enterprise design and AWS VPC
## Enterprise design
### Definition
- Aligning the IT requirements with the enterprise strategic needs
### IT requirements
- Scalability
- Performance
- Modularity
- Flexibility
- Maintainability
- Portability
- Security
### Business needs
- Cost saving
- Profitability
- Performance of staff
- Competitive advantage over competitors
- Better service delivery
- Innovation and creativity
- Novelties
### Enterprise design patterns
#### MVC
- Definition: clear separation and modularity, implemented as Model, View, and Controller
- Features:
  - Components can be reused
  - Views can change independently
  - Improves maintainability
  - Increased complexity, because of the abstraction
#### Business Delegate
- Definition: delegates business processing to a remote tier, by adding a proxy layer in front of the business layer
  - Acts as a proxy
  - Converts references
  - Reduces coupling
#### Front Controller
- A centralized entry point that handles all requests
  - A problem in it affects the whole system
  - Good for security-sensitive applications, like an ATM
  - Can be implemented together with other patterns
#### Hybrid Pattern Design
- Using more than one pattern
- Used by most real-world applications
## AWS VPC Designs
### Networking
#### Basics
- Definition: a network consists of at least two machines, connected to share resources
- Can be partitioned into **subnets**: a logical division that has a range of IP addresses
  - Written as `<ip>/<prefix>`
- Requires a networking device that connects the computers together
  - Example: a router or a switch
  - Can also connect different networks, and then forward packets between them
#### Subnets and CIDR
- Subnet addresses are written in CIDR (Classless Inter-Domain Routing) notation:
  - `100.0.0.1/20`
- Can be public or private
  - Public: for hosting public websites or servers; can be accessed from the internet
  - Private: for hosting data; can't be accessed from the internet
- Number of available IP addresses: $2^{32 - \text{prefix}}$
  - For example, for `100.0.0.1/20`, there are $2^{32 - 20} = 2^{12} = 4096$ IP addresses available
- Possible EC2 **instances**: number of possible IP addresses minus **5**
  - AWS reserves the first 4 and the last IP address (4+1=5)
    - First and last: network address and broadcast address
  - From the last example, there can be at most $4096 - 5 = 4091$ instances in the network
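The capacity arithmetic above, worked through in code. This is an added example, not part of the original notes: it parses a CIDR block with Python's standard `ipaddress` module, applies the "first four plus last address" reservation the notes describe, and also rejects prefixes outside the /16 to /28 range AWS allows (from the Subnets section further down). The function name `subnet_capacity` is this example's own.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the first four and the last.
AWS_RESERVED_PER_SUBNET = 5


def subnet_capacity(cidr: str) -> dict:
    """Return total, reserved and usable (instance) addresses for an IPv4 CIDR block."""
    # strict=False accepts a host address such as 100.0.0.1/20 and
    # normalises it to the network address 100.0.0.0/20.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 CIDR blocks are handled here")
    # AWS allows VPC and subnet prefixes from /16 to /28 only.
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"/{net.prefixlen} is outside the /16-/28 range AWS allows")

    total = 2 ** (32 - net.prefixlen)  # same value as net.num_addresses
    first = int(net.network_address)
    # First four addresses (network address plus the next three) ...
    reserved = [str(ipaddress.IPv4Address(first + i)) for i in range(4)]
    # ... and the last one, the broadcast address.
    reserved.append(str(net.broadcast_address))
    return {
        "network": str(net),
        "total": total,
        "reserved": reserved,
        "instances": total - AWS_RESERVED_PER_SUBNET,
    }


if __name__ == "__main__":
    for block in ("100.0.0.1/20", "10.0.0.0/24", "10.0.0.0/28"):
        cap = subnet_capacity(block)
        print(f"{cap['network']}: {cap['total']} addresses, "
              f"{cap['instances']} usable for instances, reserved {cap['reserved']}")
```

For the notes' own example, `100.0.0.1/20`, this yields 4096 addresses and 4091 usable ones; a /28 block, the smallest AWS permits, leaves only 11 usable addresses, which is why the reservation matters when sizing small subnets.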
### Design considerations
#### Regions
- Consider data sovereignty and compliance: where you can legally host the data
  - Laws
  - Consumers from other countries
  - Governance requirements
- Proximity to the user base
  - Delay in a website matters for sales
  - Consider cost for regions at the same distance
- Service availability
  - Some services are limited to certain regions
  - Cross-region traffic increases latency
  - Can be expanded
- Cost
  - Cost differs per region
  - Some regions have costs for transferring data
  - Consider replicating the environment
#### AZ (Availability Zones)
- Recommendation: start with two
  - This way there is always a backup in case one fails
  - Easy to support
- Choosing the number of zones: two or more
  - When heavily relying on EC2 instances
  - Applications with MySQL, Oracle, or Mongo databases: high availability, active/passive configuration (the active one processes requests, the passive one acts as backup)
#### VPC (Virtual Private Cloud)
- One VPC: rare, limited use cases:
  - High-performance computing
  - Microsoft Active Directory for service discovery
  - Small application developed by a small team
- Multi-VPC or multi-account: used to organize most common infrastructure:
  - Multi-VPC: single team or organization (like a managed service provider); not suitable for governance or compliance
  - Multi-account: large organizations, ones with different IT teams, or medium ones that grow rapidly, because managing access is hard for one account
    - Can use an account management service (AWS Organizations)
      - to consolidate multiple accounts into an organization, and arrange them
      - to consolidate billing
    - Has hierarchical grouping, and integration with other services like [IAM](/1-5-security.md#iam-identity-and-access-management)
    - Management structure
      - Root
      - Organizational unit
      - AWS Account
    - TODO: watch the diagram at p35
- The majority of services are not in a VPC by default, but some of them, like S3 and DynamoDB, have opt-in options
#### Subnets
- When a VPC is created, its CIDR is specified
  - Amazon VPCs can use CIDR prefixes between /16 and /28
- Subnets are segments or partitions of the network, divided by CIDR
- Public vs. private
  - Public: traffic is routed to an internet gateway
  - Private: not routed to one; not directly accessible from the internet
    - Use a jump box, like a bastion host, to support outbound-only internet access
- Recommendation: use subnets to define internet accessibility
  - Start with one public and one private
  - Allocate more IP addresses to private subnets than to public subnets
  - Use large subnets
- Public or private
  - Public: web apps
  - Private: backend, processing, data store, or management web apps
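The subnet recommendations above (one public and one private subnet, larger private subnets, prefixes within /16 to /28) as a small planner. This is an added example, not code from the original notes or from AWS: given a VPC CIDR and a list of AZs, it carves one private and one public subnet per AZ with Python's `ipaddress` module, counts usable instance addresses with the five-address reservation from the CIDR section, and checks that no two subnets overlap. The function names, the default prefix sizes (/19 private, /22 public) and the AZ names in the usage are this example's own choices.

```python
import ipaddress
from itertools import combinations

AWS_RESERVED_PER_SUBNET = 5  # first four addresses plus the broadcast address


def _entry(az, tier, net):
    return {
        "az": az,
        "tier": tier,
        "cidr": str(net),
        "instances": net.num_addresses - AWS_RESERVED_PER_SUBNET,
    }


def overlapping_pairs(plan):
    """Return every pair of subnets in the plan whose address ranges overlap."""
    nets = [(e["cidr"], ipaddress.ip_network(e["cidr"])) for e in plan]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def plan_subnets(vpc_cidr, azs, private_prefix=19, public_prefix=22):
    """Carve one private and one public subnet per AZ out of the VPC block.

    Private subnets take the first /private_prefix blocks of the VPC; the
    public subnets are cut from the next /private_prefix block, so each
    public subnet is smaller than each private one, as the notes recommend.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    for prefix in (vpc.prefixlen, private_prefix, public_prefix):
        if not 16 <= prefix <= 28:
            raise ValueError(f"/{prefix} is outside the /16-/28 range AWS allows")
    if not vpc.prefixlen < private_prefix < public_prefix:
        raise ValueError("expected VPC prefix < private prefix < public prefix")

    blocks = list(vpc.subnets(new_prefix=private_prefix))
    if len(blocks) < len(azs) + 1:  # one block per AZ, plus one to split for public
        raise ValueError("VPC block is too small for the requested layout")

    plan = [_entry(az, "private", block) for az, block in zip(azs, blocks)]
    public_blocks = list(blocks[len(azs)].subnets(new_prefix=public_prefix))
    if len(public_blocks) < len(azs):
        raise ValueError("not enough public subnets fit into one private-sized block")
    plan += [_entry(az, "public", block) for az, block in zip(azs, public_blocks)]

    clashes = overlapping_pairs(plan)
    if clashes:  # cannot happen with the carving above, kept as a guard
        raise RuntimeError(f"overlapping subnets: {clashes}")
    return plan


if __name__ == "__main__":
    # AZ names below are just sample labels for the example.
    for entry in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]):
        print(f"{entry['az']:<11} {entry['tier']:<8} {entry['cidr']:<15} "
              f"{entry['instances']} instances")
```

With a /16 VPC and two AZs this gives `10.0.0.0/19` and `10.0.32.0/19` as private subnets (8187 usable addresses each) and `10.0.64.0/22` and `10.0.68.0/22` as public ones (1019 each), leaving the rest of the VPC free for later expansion.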
#### Defaults: VPCs and Subnets
- Default VPC
  - Each region has a default VPC, with CIDR `172.31.0.0/16`
  - Creating a VPC-based instance (EC2, RDS, Load Balancing) without specifying a VPC places it into the default VPC of the **region**
  - Has some default components:
    - Subnet
    - IGW (internet gateway)
    - Route table connecting the default subnet and IGW, default security group and Network ACL (NACL)
  - Is configurable
- Default Subnet
  - Created for each **AZ** of each default VPC
  - Is a public subnet, with a `/20` CIDR
  - Can manually be converted to private
- Recommendation
  - Use the default VPC only for experimentation and quick starts
  - Create real-world VPCs and subnets for real-world applications
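What makes the default subnet "public" is its route table's route to the internet gateway, so the public/private split of the earlier sections can be checked rather than assumed. This is an added example, not part of the original notes: it classifies subnets from route-table data shaped like the `Routes` and `Associations` fields of an EC2 `describe-route-tables` response. The data is constructed inline with made-up IDs (`rtb-main-example`, `igw-example`, `subnet-web-a` and so on), and the function names are this example's own. It also handles the case the default VPC makes easy to miss: a subnet with no explicit association falls back to the main route table, which in a default VPC routes to the IGW.

```python
# Constructed sample in the shape of EC2 describe-route-tables output,
# trimmed to the fields used here. All IDs are made up for the example.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main-example",
        # Main table of the VPC, also explicitly associated with subnet-web-a.
        "Associations": [{"Main": True}, {"SubnetId": "subnet-web-a"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {
        "RouteTableId": "rtb-private-example",
        "Associations": [{"SubnetId": "subnet-db-a"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            # Outbound-only internet via NAT: no internet gateway, so private.
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
]


def has_igw_route(routes):
    """A subnet is public when its route table sends traffic to an internet gateway."""
    return any(r.get("GatewayId", "").startswith("igw-") for r in routes)


def classify_subnets(subnet_ids, route_tables):
    """Map each subnet ID to its tier and the route table that decides it."""
    main_table = None
    explicit = {}
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_table = table
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table

    result = {}
    for sid in subnet_ids:
        # Subnets without an explicit association use the VPC's main route table.
        table = explicit.get(sid, main_table)
        if table is None:
            raise ValueError(f"{sid} has no route table")
        tier = "public" if has_igw_route(table["Routes"]) else "private"
        result[sid] = {"tier": tier, "route_table": table["RouteTableId"]}
    return result


if __name__ == "__main__":
    subnets = ["subnet-web-a", "subnet-db-a", "subnet-app-a"]
    for sid, info in classify_subnets(subnets, ROUTE_TABLES).items():
        print(f"{sid}: {info['tier']} (via {info['route_table']})")
```

In the sample, `subnet-app-a` has no association of its own and therefore inherits the main table, which makes it public; converting such a subnet to private, as the notes mention, means associating it with a route table that has no internet-gateway route.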