There’s no place like 127.0.0.1 — Atos AWS Coaching Hub Networking Immersion Day

As I’ve written before within Atos I lead an AWS focussed community interested in training, certification and working with AWS technologies with our customers, our Atos AWS Coaching Hub.

As part of our most recent hands-on upskilling I arranged a Networking Immersion Day with our colleagues at AWS. Networking in the cloud really is a fundamental skill and should be a key consideration in an Landing Zone design. As such I encouraged out Coaching Hub participants to join the day, despite them being from a variety of backgrounds and not all of them as deeply interested in networking as those from a more traditional networking background.

Immersion Days are mix of overview / theory and hands on labs, so it’s a great way for people to learn. The day comprised of a fairly basic overview of the AWS global infrastructure, through to more detailed topics, as well as labs along the way building out VPCs, peering, Transit Gateways and simulated VPN connectivity to on-premise, along with some monitoring and security topics.

The labs for the AWS Immersion Day are publicly available here — https://networking.workshop.aws/

I’ve created a Terraform based repository for anyone who needs assistance deploying the resources. Of course it does mean you need to know a little bit about how to use Terraform, but perhaps if you don’t going through the labs firstly in the console, and then do them again using the code might mean you learn about networking as well as Infrastructure as Code! -https://github.com/markjamesross/aws-networking-immersion-day

Overview of the AWS global infrastructure, including AWS’ own dedicate private networking. As recently as a couple of months ago I heard Google claim ‘other hyperscalers’ cross region traffic traverses the internet so always do your own homework to avoid FUD!

Region, AZ and Local Zone overview

AZ Characteristics

AWS Backbone Network

AWS Global Network, including a statement on cross region traffic

Overview of basic networking constructs such as the cornerstone of AWS networking, the VPC

A basic VPC

IPv6 if you want it — note you must run in dual stack mode to use IPv6, it’s not possible to use IPv4 only

One of our delegates asked about cross AZ latency. Whilst AWS don’t publish metrics and it no doubts depends on physical things like distance between AZ, as well as logical things like different instances sizes are given more networking capability, I did a quick test between instances in eu-west-1a and eu-west-1b to give them a feel for it. A not too shabby 0.354ms average was the result

Latency test

We then moved on to multi-account / multi-VPC considerations

The age old conundrum of how to separate your workloads

VPC peering — fine at small scale but soon gets complicated

Transit Gateway — the answer to large environments with numerous VPCs

VPC sharing — been around for a while but I’m personally still not sold on it. Apparently customers using it tend to be those who want separation of duties between the networking team and others

We covered some interesting security topics including the AWS network firewall, which can provide both inbound and outbound protections. So far I’ve used it as a transparent forward proxy, although the price of it versus something like your own Squid set-up is a little concerning.

AWS Network Firewall

AWS WAF

Security Hub — great for visualising your environments security posture

In summary AWS Immersion Days are a great resource, I’d recommend you talk to your APN partners or AWS directly to get a deeper dive as there’s a range of different topics. Fundamental topics like networking and security should be high on your list.