diff --git a/2-4-aws-vpc.md b/2-4-aws-vpc.md new file mode 100644 index 0000000..86ac2c5 --- /dev/null +++ b/2-4-aws-vpc.md 
@@ -0,0 +1,184 @@ +# Enterprise design and AWS VPC + +## Enterprise design + +### Definition + +- Aligning the IT requirements with the enterprise strategic needs + +### IT requirements + +- Scalability +- Performance +- Modularity +- Flexibility +- Maintainability +- Portability +- Security + +### Business needs + +- Cost saving +- Profitability +- Performance of staff +- Competitive advantage over competitions +- Better service delivery +- Innovation and creativity +- Novelties + +### Enterprise design patterns + +#### MVC + +- Definition: clear separation and modularity, that implements Model, View, and + controller +- Features: + - Components can be reused + - View change independently + - Improves maintainability + - Increased complexity, because of abstraction + +#### Business Delegate + +- Definition: Delegate business processing to remote, by adding a proxy layer to + the business layer. + - Acts as a proxy + - Converts references +- Reduces coupling + +#### Front Coltroller + +- A centralized enterprise system, that handles all request + - A problem will affect the whole system +- Good for security applications, like ATM +- Can be implemented with other patterns + +#### Hybrid Pattern Design + +- Using more than one system +- Used by most real world applications + +## AWS VPC Designs + +### Networking + +#### Basics + +- Definition: a network consists of at least two machines, connected to share + resources +- Can be partitioned into **subnets**: a logical division, that has a range of + IP + - Written with `/` +- Require a networking device, that connect the computers together + - Example: a router or a switch + - Can also connect between different networks, and then forward packets + between the networks + +#### Subnets and CIDR + +- Subnet's addresses in CIDR (Classless Inter-Domain Routing): + - `100.0.0.1/20` +- Can be public or private + - Public: for hosting public websites or servers, can be accessed from + internet + - Private: for hosting data, 
can't be accessed from internet +- Number of available IP addresses: $2^{32 - prefix}$ + - For example, for `100.0.0.1/20`, there is $2^{32 - 20} = 2^12 = 4096$ IPs + available +- Possible EC **Instances**: Number of possible IP addresses minus **5** + - AWS reserved the first 4 and last IP addresses (4+1=5) + - From the last example, there can be atmost $4096 - 5 = 4091$ instances in + the network + +### Designing considerations + +#### Regions + +- Consider data soverignty and compliance: Where you can legally host the data + - Laws + - Consumers from other countries + - Governance requirements +- Proximity to user base + - Delay in website matters in sales + - Consider cost for same distance regions +- Service available + - Some services are limited to regions + - Cross regions increase latency + - Can be expanded +- Cost + - Cost is different per region + - Some have cost for transferring data + - Consider replicating environment + +#### AZ(Avaiability Zones) + +- Recommendation: start with two + - This way always has a back up in case one fail + - Easy to support +- Choosing the number of zones: two or more + - heavily rely on EC instances + - Applications with MySQL, Oracle, Mongo data bases: High availability, + active / passive configuration(active one process request, passive one as + backup) + +#### VPC (Virtual Private Cloud) + +- One VPC: rare, limited use cases: + - High-performance computing + - Microsoft Active Directory for service discovery + - Small application developed by small team +- Multi VPC or Multi Account: used to organize most common infrastructure: + - Multi VPC: Single team or organization(like managed service provider), not + suitable for governance or compliance + - Multi Account: Large organizations, or ones with different IT teams, or + medium ones that grow rapidly, because managing access is hard for one + account + - Can use account management service (AWS Organizations) + - to consolidate multiple accounts into a organization, 
and arrange + - to consolidate billing + - Has hierarchical grouping, integration with other services like + [IAM](/1-5-security.md#iam-identity-and-access-management) + - Management structure + - Root + - Organizational unit + - AWS Account + - TODO: watch the diagram at p35 +- Majority of services are not in VPC by default, but some of them like s3 and + dynamo has opt in options + +#### Subnets + +- When VPC is created, CIDR is specified +- Amazon VPCs can use CIDR between 16 to 28 +- Subnets are segments or partitions of network, divided by CIDR +- public vs. private + - public: traffic routed to a internet gateway + - private: not routed to one, not directly accessible with internet + - Use jump box like a bastion host to support outbound only internet +- Recommendation: use subnet to define internet accessibility + - Start with one public and one private + - Allocate more ip to private subnets than in public subnets + - Use large subnets + - public or private + - Public: web apps + - Private: backend, processing, data store, or management web apps + +#### Defaults: VPCs and Subnets + +- Default VPC + - Each region has a default VPC, with CIDR of `172.31.0.0/16` + - Creating a VPC based instance (EC, RDS, Load Balancing) Without specifying + a VPC, it will be placed into the default one in the **region** + - Has some default components: + - subnet + - IGW (internet gate way) + - Route table connecting to default default subnet and IGW, default + security group and Network ACL (NACL) + - Is configurable +- Default Subnet + - Created for each **AZ** for each default VPC + - Is a public subnet, with CIDR of `/20` + - Can manually convert to private +- Recommendation + - Use default VPC only for experimentation, and quick starting + - Create real world VPC and subnets for real world application
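Review bot: In the "Subnets" section, the line "Use jump box like a bastion host to support outbound only internet" conflates two different constructs: a bastion host gives administrators inbound SSH/RDP access into a private subnet, while outbound-only internet access for instances in a private subnet is normally provided by a NAT gateway (or NAT instance) referenced from the private subnet's route table. Suggest splitting it into two bullets, e.g. "Private subnets reach the internet outbound-only through a NAT gateway" and "Administrative inbound access to private instances goes through a bastion host in a public subnet", so the reader does not open a bastion for general egress. Smaller points in the same hunk: in "$2^{32 - 20} = 2^12 = 4096$" the exponent needs braces (`2^{12}`) or it renders as 2 to the power 1 followed by a 2; "EC Instances" and "EC instances" should read "EC2"; "Route table connecting to default default subnet" repeats "default"; the leftover "TODO: watch the diagram at p35" should be resolved or removed before merge; and the headings "Front Coltroller" and "AZ(Avaiability Zones)" plus "soverignty" and "atmost" need spelling fixes.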