Brushing Up on Networking Basics
When computers talk to one another, they do so over a network. For the vast majority of computing done throughout the world, this talking activity takes place on a TCP/IP network. The TCP/IP network standard uses the concept of layers to illustrate how communication takes place. In this model, the layers are numbered 1, 2, and 3:

✓ The physical layer (Layer 1): Is associated with the cables that sit in your office or how your wireless access point talks to the wireless card in your computer.

✓ The data-link layer (Layer 2): Controls the flow of data between network entities (Hosts, Domain Names, Subnets, whatever) residing on the same network; this local-area network (LAN) is dedicated to a single organization. These entities typically have a network interface card (NIC), each of which carries a unique identifier — its Media Access Control (MAC) address. Layer 2 specifies how two entities with MAC addresses can send data to one another. (Note that this data is sent with the help of a NIC, a handy piece of hardware that’s kept on a server.)

✓ The network layer (Layer 3): Controls the flow of data between network entities residing on different networks. In this wide-area network (WAN), users communicate across multiple LANs and cannot count on being connected on the same local physical layer. Layer 3 most commonly works by using the Internet Protocol (IP), which uses a logical addressing scheme (called, logically enough, IP addresses) to communicate. IP addresses are most commonly written as four numbers — say, 10.1.2.3 — where each number represents an 8-bit segment of data. The display uses periods to separate the 8-bit segments, and the collection of all four segments is supposed to represent a hierarchy; that is, the 10.1 part of the address is supposed to contain a collection of network devices that reside below the 10.1 portion of the address. For example, your ISP has a large range of addresses available to it because it may control the set of addresses starting with, say, the number 16. Two special cases, the high-level numbers 10 and 192, do not represent publicly addressable IP addresses but are used for private addresses. (They cannot be routed over the public Internet.) Multiple entities can therefore use these high-level numbers within their own data centers as sort of a set of private identifiers.
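To make the octet layout and the prefix hierarchy concrete, here is an added Python example (not from the original text; the addresses it is tested with are constructed) that parses a dotted-quad address, extracts the network prefix an address sits under, and checks the private ranges. It goes slightly beyond the text by also including 172.16.0.0/12, the third RFC 1918 private block, and by rejecting leading zeros, which C’s inet_aton() would read as octal.

```python
"""Dotted-quad IPv4 helpers: octet layout, prefix hierarchy and private ranges.
Added example, not part of the original text."""

# RFC 1918 private blocks: network -> prefix length in bits. The text names the
# 10 and 192 blocks; 172.16.0.0/12 is the third RFC 1918 block.
PRIVATE_BLOCKS = {"10.0.0.0": 8, "172.16.0.0": 12, "192.168.0.0": 16}


def parse_ipv4(text):
    """Turn 'a.b.c.d' into a 32-bit integer; each field must be a decimal 0..255."""
    fields = text.strip().split(".")
    if len(fields) != 4:
        raise ValueError("need exactly four fields: %r" % text)
    value = 0
    for field in fields:
        # Reject leading zeros: inet_aton() reads '010' as octal 8, a classic
        # source of disagreement between a filter and the host that uses the address.
        if not field.isdigit() or (len(field) > 1 and field[0] == "0"):
            raise ValueError("bad field %r in %r" % (field, text))
        if int(field) > 255:
            raise ValueError("field %r exceeds 8 bits" % field)
        value = (value << 8) | int(field)
    return value


def format_ipv4(value):
    """Inverse of parse_ipv4: split the 32-bit integer into four 8-bit segments."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(text, prefix_len):
    """Keep only the top prefix_len bits: the part of the address that encodes
    the hierarchy, e.g. the '10.1' of 10.1.2.3 for a 16-bit prefix."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return format_ipv4(parse_ipv4(text) & mask)


def same_network(a, b, prefix_len):
    """True when both addresses sit below the same prefix_len-bit prefix."""
    return network_of(a, prefix_len) == network_of(b, prefix_len)


def is_private(text):
    """True for addresses that are not routable on the public Internet."""
    return any(same_network(text, net, bits) for net, bits in PRIVATE_BLOCKS.items())
```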

You may be wondering, “How do virtual machines send and receive network traffic?” After all, they’re virtual and have no hardware NIC. The answer, naturally enough, is that they have a virtual NIC (sometimes referred to as a VNIC) — a software construct through which the virtual machine sends and receives network traffic. The virtualization hypervisor manages the job of mapping these packets to and from the physical NIC that connects to (and communicates with) the physical network in the data center.

Virtual LANs — keeping data private

In a shared networking environment (and don’t forget that that’s precisely what a cloud-computing provider, at its core, is offering), how can you assure one user that his or her data is not accessible to another user? Obviously, one way is to create separate physical networks and let each user account have its own local-area network; however, that would be a logistical nightmare (and an extremely expensive one). Moreover, this method would require that each user have his or her own router to the outside world to carry all of his or her Layer 3 traffic to other, outside users. Routers have been upgraded to provide virtual LANs (VLANs), which essentially cordon off sections of larger, shared networks for specific users. Within that VLAN, traffic flows via Layer 2; any traffic to other parts of the shared network, or out on the Internet, flows via Layer 3.

Most hosting companies use VLAN technology to assign a VLAN to every customer so that its computers are segregated from other customers’ computers. This strategy, which provides a secure networking solution to customers, communicates to them that their network traffic is immune from interception. However, this use of VLANs for cloud computing carries some drawbacks:

✓ A delay in the account setup: Cloud computing providers that continue to create and configure VLANs manually impose a delay on the initial customer account setup. Many customers find this delay inconvenient; others consider it a barrier to using that cloud computing provider.

✓ A limit on the number of VLANs that a router can manage: Though this limitation can be addressed via the use of multiple routers, it imposes complexity on the provider’s infrastructure.

✓ A limit on the number of computers that can be attached to a specific VLAN: Though many customers are unaffected, this limit is an unacceptable problem for webscale applications that can require hundreds (if not thousands) of computers.
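The following added Python example (not from the original text; the frame bytes it is tested with are constructed) shows what a VLAN actually is on the wire: a 4-byte 802.1Q tag carrying a 12-bit VLAN ID. That field width is why a switch or router can hand out at most 4094 VLANs, and the tag check is how a tenant’s port ends up seeing only frames tagged with its own ID.

```python
"""Build and parse 802.1Q-tagged Ethernet frames to show how VLANs separate tenants.
Added example, not part of the original text."""
import struct

TPID_8021Q = 0x8100           # EtherType value announcing that a VLAN tag follows
USABLE_VIDS = range(1, 4095)  # 12-bit VID field; 0 and 4095 are reserved


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(dst_mac, src_mac, vlan_id, ethertype, payload):
    """Build a frame; vlan_id=None gives an untagged frame, else a 4-byte tag is inserted."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if vlan_id not in USABLE_VIDS:
        raise ValueError("VLAN ID %d outside the usable 1..4094 range" % vlan_id)
    tci = vlan_id  # PCP (3 bits) and DEI (1 bit) left at zero; VID is the low 12 bits
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return mac_to_str(dst), mac_to_str(src), vlan_id, ethertype, frame[offset:]


def deliverable_to(frame, tenant_vlan):
    """Port filter: a tenant's port receives only frames tagged with its own VLAN."""
    return parse_frame(frame)[2] == tenant_vlan


def next_free_vlan(in_use):
    """Hand out the next unused VID; None once all 4094 are taken (the scaling limit)."""
    for vid in USABLE_VIDS:
        if vid not in in_use:
            return vid
    return None
```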

The Amazon alternative to VLANs

Because Amazon wants to avoid the scaling limitations of VLAN technology in its cloud service, Amazon designed its network quite differently from conventional approaches, and it implemented a networking design with these features:

✓ The use of Layer 3 technology throughout the infrastructure: All traffic is directed based on the IP address, with no reliance on Layer 2 MAC addressing.

✓ The requirement that every instance be assigned an IP address and that all traffic to that instance be directed by IP address: This is true whether the traffic originates within AWS or externally — no exceptions.

✓ No use or support of VLAN technology: Within every region, Amazon has one or more ranges of IP addresses, and customer instances are assigned IP addresses randomly within those address ranges. A corollary to this approach is that all AWS IP addresses are Amazon’s, not the customer’s. So if a customer decides to move its website from its own data center to AWS, the website will have a new IP address. AWS networking is often described as being completely flat — all traffic is IP-address-based, and no hierarchy is implied by the IP address assigned to an instance.

Because customers have no specific VLAN created or configured for them, the account setup process is immensely simplified — so much so that the entire process can be automated to a much greater extent than at other, more traditional cloud computing providers. Moreover, because customers aren’t segregated into assigned VLANs, growing and shrinking the number of instances a customer uses is much simpler — customers can simply request additional instances, and Amazon can launch a new instance, assign it an IP address from Amazon’s much larger overall IP address pool, and return the instance’s IP address to the customer. The IP address may be quite different from the others assigned to the customer, but because all traffic is directed based on IP address, the discontinuity in address range causes no issues.

AWS Network IP Addressing

Unlike other cloud-computing providers, which assign a fixed range of addresses to virtual machines hosted within a customer’s assigned VLANs, AWS dynamically assigns IP addresses from within its own IP address range. To start off, every instance on the network has its own virtual network interface card, or VNIC — a software construct that mimics the functionality of a hardware NIC.

The Xen hypervisor within AWS maps traffic between each instance’s VNIC and the actual hardware NIC on the physical server on which the Xen hypervisor runs. AWS assigns two IP addresses to an instance’s VNIC: a public IP address and a private IP address. The latter is within the 10.X.X.X address range — a range designed to be unroutable over the public Internet and to enable private traffic within data centers. Having two IP addresses means that each instance can send and receive traffic from outside AWS on a public IP address that anyone can reach.

The difference between the two IP addresses is quite important, however, for your AWS bill because traffic within the local AWS network (the 10.X.X.X addresses, in other words) is at a much lower cost than traffic sent to public IP addresses. The key aspect of this concept relates to network traffic sent by an instance — all inbound traffic (traffic that an instance receives) is free whether it comes from inside AWS or via the public Internet. Outbound traffic (traffic that an instance sends), on the other hand, is low cost if its destination resides within the same AWS region and incurs a high network charge if the network address resides outside AWS.

Users now have three choices for network traffic:

✓ Intraregional: Traffic between AWS resources within a given region (for example, US East); free for sending and receiving traffic.

✓ Interregional: Traffic between AWS resources in different regions. For each resource, any traffic it receives is free, but traffic it sends incurs a fee (an admittedly low one).

✓ Extraregional: Traffic between an AWS resource and a non-AWS resource; traffic to the AWS resource is free, and any traffic sent by the resource incurs a full traffic fee.

Network cost is computed from the total gigabytes of traffic sent during a month, at a price per gigabyte that falls as volume rises. The first gigabyte of traffic per month is free; traffic ranging from 2 gigabytes to 10 terabytes per month is $.12 per gigabyte. As traffic increases beyond 10 terabytes per month, the cost per gigabyte decreases; at 350 terabytes per month, a gigabyte is only $.05; above that level, you’re asked to contact AWS to (presumably) strike a custom-pricing deal.

Instance IP addresses aren’t persistent. Every instance that’s launched is assigned an address from the general pool of IP addresses — clearly an issue, for two reasons:

✓ People need to be able to find your site if they want to access your application for an extended period. You want people to access your corporate website (for example, for many years), yet every time you launch an instance that runs your website, it is assigned a new public IP address. In other words, how can you manage the DNS mapping for your website when the IP address associated with your company website (say, www.example.com) changes every time you launch the website’s instance? The answer to this question is “Elastic IP addresses.”

✓ In a complex application topology, every instance is dynamically assigned a private IP address at launch time, and it needs to be able to find other instances. For example, you may have several web servers, a couple of application servers, and a couple of database servers. If a web server has just been launched and it needs to connect to the two application servers, how can it find their IP addresses so that it can exchange network traffic with them? See the section “Instance IP address communication.”
