Networking Services
Route53
- DNS uses UDP, but switches to TCP when the message exceeds 512 bytes or for tasks like zone transfers
- Route53 incurs a charge for queries to a CNAME record but not to an Alias record
- Resolving name server: a server (run by an ISP or a public provider) that resolves a domain name by following the chain:
  - Root server -> TLD server -> name server
- Zone file: a name server's file containing the mappings between domain names and IP addresses
- Hosted Zones: like a zone file, but hosted on AWS. The hosted zone name must match the domain it serves.
  - Starts with an SOA record
  - Private: routing within a VPC
  - Public: routed to the internet
  - Use ALIAS, since CNAME records are not allowed in
  - Soft limit of 50 domain names
- Routing policies
  - Simple: one domain name points to one server
  - Weighted: split traffic between servers according to weight (e.g. for A/B testing)
  - Latency: pick the server with the lowest latency to the user
  - Failover: pick the secondary server when the primary fails. A health check must be set up for the primary.
  - Geolocation: pick based on the user's geographic location. Can specify a continent, a country, a US state or any (*)
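The routing policies above map onto fields of a single Route53 API call. The following is an added example, not part of the original notes: it builds a ChangeResourceRecordSets change batch with weighted, failover and alias records and checks the invariants the notes state (a failover PRIMARY needs a health check, policy records need a SetIdentifier, an alias carries no TTL). The hosted zone id, health-check id, alias target and IP addresses are constructed placeholders.

```python
"""Build a Route53 ChangeResourceRecordSets change batch for the policies above.

Added example, not from the original notes. The hosted-zone id, health-check id,
alias target and IP addresses are constructed placeholders; the dict layout
(Name/Type/TTL/ResourceRecords, SetIdentifier, Weight, Failover, HealthCheckId,
AliasTarget) is the shape the Route53 ChangeResourceRecordSets API expects.
"""

HOSTED_ZONE_ID = "Z-PLACEHOLDER-ZONE"        # placeholder, not a real hosted zone id
PRIMARY_HEALTH_CHECK_ID = "hc-placeholder"   # placeholder health check for the PRIMARY record


def a_record(name, ip, ttl=60, **policy):
    """Simple routing by default; policy kwargs (Weight, Failover, ...) select another policy."""
    rrset = {"Name": name, "Type": "A", "TTL": ttl, "ResourceRecords": [{"Value": ip}]}
    rrset.update(policy)
    return {"Action": "UPSERT", "ResourceRecordSet": rrset}


def weighted_records(name, targets):
    """Weighted routing (e.g. A/B testing): same name, one record per (label, ip, weight)."""
    return [a_record(name, ip, SetIdentifier=label, Weight=weight)
            for label, ip, weight in targets]


def failover_records(name, primary_ip, secondary_ip, health_check_id):
    """Failover routing: Route53 can only fail over when the PRIMARY has a health check."""
    if not health_check_id:
        raise ValueError("failover PRIMARY record needs a health check")
    return [a_record(name, primary_ip, SetIdentifier="primary",
                     Failover="PRIMARY", HealthCheckId=health_check_id),
            a_record(name, secondary_ip, SetIdentifier="secondary",
                     Failover="SECONDARY")]


def alias_record(name, target_dns, target_zone_id):
    """Alias record: no TTL or ResourceRecords, and its queries are not charged."""
    return {"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "A",
        "AliasTarget": {"HostedZoneId": target_zone_id, "DNSName": target_dns,
                        "EvaluateTargetHealth": False}}}


def validate_change_batch(batch):
    """Return a list of problems; an empty list means the batch is consistent with the notes."""
    errors = []
    for change in batch["Changes"]:
        rr = change["ResourceRecordSet"]
        policy = {"Weight", "Failover"} & rr.keys()
        if policy and "SetIdentifier" not in rr:
            errors.append(f"{rr['Name']}: {sorted(policy)} needs a SetIdentifier")
        if rr.get("Failover") == "PRIMARY" and "HealthCheckId" not in rr:
            errors.append(f"{rr['Name']}: PRIMARY failover record without HealthCheckId")
        if "Weight" in rr and not 0 <= rr["Weight"] <= 255:
            errors.append(f"{rr['Name']}: Weight {rr['Weight']} outside 0-255")
        if "AliasTarget" in rr and ("TTL" in rr or "ResourceRecords" in rr):
            errors.append(f"{rr['Name']}: alias records carry no TTL/ResourceRecords")
    return errors


def build_change_batch():
    """Weighted 90/10 split, a health-checked failover pair, and an alias at the apex."""
    changes = []
    changes += weighted_records("app.example.com.",
                                [("v1", "203.0.113.10", 90), ("v2", "203.0.113.11", 10)])
    changes += failover_records("api.example.com.", "203.0.113.20", "203.0.113.21",
                                PRIMARY_HEALTH_CHECK_ID)
    changes.append(alias_record("example.com.", "lb-placeholder.example.net.",
                                "Z-PLACEHOLDER-TARGET"))
    return {"Comment": "weighted + failover + alias example", "Changes": changes}


if __name__ == "__main__":
    batch = build_change_batch()
    print(validate_change_batch(batch) or "batch OK")
    # To apply with boto3 (needs credentials and a real zone):
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch)
```

The validator runs before anything is sent, so a PRIMARY without a health check or a weight outside 0-255 is caught locally instead of surfacing as an API error or, worse, as a failover that silently never happens.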
Security Groups
- Operates at the instance layer, associated with a network interface (first line of defense)
- Controls inbound and outbound ports
- Default: outbound allows all, inbound allows none
- Source can be an IP, a CIDR (0.0.0.0/0 => public) or another SG
- Can't block a specific IP (allow rules only)
- Security Group changes take effect immediately
- Up to 5 SGs can be assigned to an instance
SG vs Network ACL
| Security Group | Network ACL |
|---|---|
| instance level | subnet level |
| stateful | stateless |
| allow rules only | allow and deny rules |
| all rules are evaluated | rules evaluated in number order, lowest first |
| applies only to instances the SG is attached to | applies to all instances within the subnet |
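The rows of the table are easiest to see side by side in code. The following is an added example, not part of the original notes: a toy evaluator with constructed security groups, instances, NACL rules and packets. `sg_allows` evaluates every rule of every attached SG with allow-only semantics, `StatefulSG` adds the connection tracking that lets return traffic through, and `nacl_verdict` walks numbered allow/deny rules lowest number first, statelessly, with the implicit `*` deny at the end.

```python
"""Toy evaluator for the Security Group vs Network ACL contrast in the table.

Added example, not from the original notes. The security groups, instances,
NACL rules and packets below are constructed sample data; sg_allows/nacl_verdict
model the evaluation order the table describes (all SG rules evaluated, allow
only, stateful; NACL rules by lowest number first, allow or deny, stateless).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    sport: int      # source port
    dport: int      # destination port (what SG/NACL port ranges are matched against)
    proto: str = "tcp"


# Security group rules: (proto, from_port, to_port, source); "-1" = any protocol.
# A source may be a CIDR or the name of another SG.  Allow rules only.
SG_RULES = {
    "web-sg": {"inbound":  [("tcp", 443, 443, "0.0.0.0/0"),
                            ("tcp", 22, 22, "198.51.100.0/24")],
               "outbound": [("-1", 0, 65535, "0.0.0.0/0")]},      # the default: all out
    "db-sg":  {"inbound":  [("tcp", 5432, 5432, "web-sg")],       # source is an SG
               "outbound": []},                                     # locked down on purpose
}
# Which SGs (up to 5) are attached to each instance's network interface.
INSTANCE_SGS = {"10.0.1.10": ["web-sg"], "10.0.2.20": ["db-sg"]}


def _sg_rule_matches(rule, packet, peer_ip):
    proto, lo, hi, source = rule
    if proto != "-1" and proto != packet.proto:
        return False
    if not lo <= packet.dport <= hi:
        return False
    if "/" in source:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(source)
    return source in INSTANCE_SGS.get(peer_ip, [])   # SG-referenced source


def sg_allows(instance_ip, direction, packet):
    """Every rule of every attached SG is evaluated; a single match allows.
    There is no deny rule, so a specific IP cannot be blocked here."""
    peer_ip = packet.src if direction == "inbound" else packet.dst
    return any(_sg_rule_matches(rule, packet, peer_ip)
               for sg in INSTANCE_SGS.get(instance_ip, [])   # no SG attached: nothing allowed
               for rule in SG_RULES[sg][direction])


class StatefulSG:
    """Stateful: once a flow is allowed in one direction, its return traffic is
    allowed regardless of the rules in the other direction."""
    def __init__(self):
        self.flows = set()

    def check(self, instance_ip, direction, packet):
        other = "outbound" if direction == "inbound" else "inbound"
        if (other, packet.dst, packet.src, packet.dport, packet.sport) in self.flows:
            return True                                # reply to a tracked flow
        allowed = sg_allows(instance_ip, direction, packet)
        if allowed:
            self.flows.add((direction, packet.src, packet.dst, packet.sport, packet.dport))
        return allowed


# Network ACL rules: (number, action, proto, from_port, to_port, cidr).
# Evaluated lowest number first, first match wins, and the implicit "*" rule denies.
NACL = {
    "inbound":  [(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                 (110, "deny",  "tcp", 22, 22, "198.51.100.7/32"),  # block one host
                 (120, "allow", "tcp", 22, 22, "0.0.0.0/0")],
    "outbound": [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")],  # ephemeral replies
}


def nacl_verdict(direction, packet, nacl=NACL):
    """Stateless: each packet, replies included, is matched on its own."""
    peer_ip = packet.src if direction == "inbound" else packet.dst
    for num, action, proto, lo, hi, cidr in sorted(nacl[direction]):
        if (proto == "-1" or proto == packet.proto) and lo <= packet.dport <= hi \
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr):
            return action, num
    return "deny", "*"


if __name__ == "__main__":
    ssh = Packet("198.51.100.7", "10.0.1.10", 50000, 22)
    print("SG  :", sg_allows("10.0.1.10", "inbound", ssh))   # True: the SG cannot single out this host
    print("NACL:", nacl_verdict("inbound", ssh))             # ('deny', 110): the NACL can
```

Two things worth noticing when running it: the db instance's empty outbound rule set still lets the reply to a tracked inbound connection out (stateful), whereas the NACL only passes replies because rule 100 explicitly opens the ephemeral port range outbound (stateless); and renumbering the NACL deny to sit after the allow changes the verdict, which is the lowest-number-first row of the table.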