AWS

AWS NAT Gateways:


Hi everyone, today I have another short video, this time on AWS NAT gateways.
In a customized VPC we use a NAT gateway so that the EC2 instances in our private subnet can reach the internet (package repositories, patches, AWS APIs and so on) without the internet being able to initiate connections to those servers: the NAT gateway only translates outbound connections and the replies to them.
There are a few prerequisites we need to fulfil for a NAT gateway to work:

         a) The NAT gateway must be placed in a public subnet, i.e. a subnet whose route table has a route out to an internet gateway.
         b) You need an Elastic IP for the NAT gateway; it is attached when the gateway is created.
         c) After the NAT gateway is created in the public subnet, add a route in the route table of your private subnet that points 0.0.0.0/0 (or whichever destinations you want to send to the internet) at the NAT gateway.

Keep in mind that a NAT gateway has no security group of its own, so outbound policy for the private subnet has to be enforced with the security groups of the instances and the network ACL of the subnet.
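As an added example (not from the original post), here is an offline pre-flight check of the three prerequisites above. The data is constructed to mirror the fields of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` that the checks need; every ID (subnet, rtb, igw, nat, eipalloc) and the 203.0.113.10 address are made up. The same functions run unchanged on the real JSON those two commands return.

```python
"""Offline pre-flight check of the NAT gateway prerequisites (a), (b) and (c).

Added example; the sample data below is constructed and all IDs are placeholders.
"""

ROUTE_TABLES = [
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-0pub",
        "Associations": [{"SubnetId": "subnet-0pub"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {   # private subnet: default route to the NAT gateway (prerequisite c)
        "RouteTableId": "rtb-0priv",
        "Associations": [{"SubnetId": "subnet-0priv"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
]

NAT_GATEWAYS = [
    {
        "NatGatewayId": "nat-0def",
        "SubnetId": "subnet-0pub",                       # prerequisite a
        "NatGatewayAddresses": [                         # prerequisite b
            {"AllocationId": "eipalloc-0123", "PublicIp": "203.0.113.10"}
        ],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """Route table explicitly associated with the subnet (None if it uses the main table)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(route_table):
    """The 0.0.0.0/0 route of a table, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def is_public_subnet(route_tables, subnet_id):
    """A subnet is public when its default route targets an internet gateway."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    route = default_route(rt) if rt else None
    return bool(route and str(route.get("GatewayId", "")).startswith("igw-"))


def check_nat_prerequisites(route_tables, nat_gateways, private_subnet_id):
    """Return a list of findings; an empty list means the private subnet is wired correctly."""
    findings = []
    rt = route_table_for_subnet(route_tables, private_subnet_id)
    route = default_route(rt) if rt else None
    if route is None:
        return [f"{private_subnet_id}: no 0.0.0.0/0 route, instances cannot reach the internet"]
    if str(route.get("GatewayId", "")).startswith("igw-"):
        # Worse than "not working": the subnet is actually public.
        return [f"{private_subnet_id}: default route goes straight to {route['GatewayId']}; "
                "this subnet is public, not private"]
    nat_id = route.get("NatGatewayId")
    if not nat_id:
        return [f"{private_subnet_id}: default route does not target a NAT gateway ({route})"]
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
    if nat is None:
        return [f"{nat_id}: referenced by {rt['RouteTableId']} but does not exist"]
    if not is_public_subnet(route_tables, nat["SubnetId"]):
        findings.append(f"{nat_id}: sits in {nat['SubnetId']}, which has no route to an "
                        "internet gateway (prerequisite a)")
    if not any(a.get("AllocationId") for a in nat.get("NatGatewayAddresses", [])):
        findings.append(f"{nat_id}: has no Elastic IP allocation (prerequisite b)")
    return findings


if __name__ == "__main__":
    print(check_nat_prerequisites(ROUTE_TABLES, NAT_GATEWAYS, "subnet-0priv") or "OK")
```

The check deliberately treats a "private" subnet whose default route points at an internet gateway as a finding of its own: that is not a broken NAT setup but a subnet that is public by accident.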

You can make use of the following diagram for reference:


You can also make use of the instructions provided in the video below to create your NAT Gateway 



AWS Endpoints:
     VPC endpoints are virtual devices that let you connect your VPC to supported AWS services and to VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection or AWS Direct Connect connection. Traffic between your VPC and the service does not leave the Amazon network.

     There are two types of VPC endpoints currently available in AWS:
            1)  Interface Endpoints
            2)  Gateway Endpoints


Interface Endpoints (Powered by AWS PrivateLink)

An interface endpoint is an elastic network interface with a private IP address from your subnet's address range that serves as an entry point for traffic destined to a supported service. At the time of writing the following services are supported (see the VPC user guide for the current list):
(https://docs.aws.amazon.com/vpc/latest/userguide/)

  • Amazon API Gateway
  • AWS CloudFormation
  • Amazon CloudWatch
  • Amazon CloudWatch Events
  • Amazon CloudWatch Logs
  • AWS CodeBuild
  • AWS Config
  • Amazon EC2 API
  • Elastic Load Balancing API
  • AWS Key Management Service
  • Amazon Kinesis Data Streams
  • Amazon SageMaker and Amazon SageMaker Runtime
  • Amazon SageMaker Notebook Instance
  • AWS Secrets Manager
  • AWS Security Token Service
  • AWS Service Catalog
  • Amazon SNS
  • Amazon SQS
  • AWS Systems Manager
  • Endpoint services hosted by other AWS accounts

Gateway Endpoints

A gateway endpoint is a gateway that you specify as the target for a route in your route table, for traffic destined to a supported AWS service. At this point in time only the following two AWS services are supported:
  • Amazon S3
  • DynamoDB
Here I describe how you can create your own gateway endpoint for S3 and use it to connect to your S3 buckets in that region (a gateway endpoint is regional: it serves buckets in the same region as the VPC).
To create and set up a gateway endpoint, follow these general steps:


  1. Log in to your AWS Management Console and open the VPC Dashboard. On the left-hand side click Endpoints, then Create Endpoint. Specify the VPC in which to create the endpoint and the service to which you're connecting (com.amazonaws.<region>.s3).
  2. After selecting your VPC, select the route table(s) associated with the subnet(s) in which your private instances are hosted; a route for the S3 prefix list pointing at the endpoint is added to each of them automatically.
  3. Attach an endpoint policy that allows access to some or all of the service, as shown below, and create the gateway endpoint. The default "Full Access" policy lets any principal reach any S3 bucket in any account through the endpoint, so restrict it to the buckets you own.
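As an added example (not from the original post), the following Python builds the two policies that make an S3 gateway endpoint useful from a security standpoint: an endpoint policy that only lets traffic reach your own buckets, and a bucket policy that only accepts traffic arriving through your endpoint. It also audits a policy for the wildcard that the default "Full Access" policy carries. Bucket names, the vpce-... ID and the admin role ARN are placeholders.

```python
"""Endpoint policy and bucket policy for an S3 gateway endpoint, plus an audit.

Added example; all bucket names, IDs and ARNs below are placeholders.
"""
import json

# What the console attaches when you leave "Full Access" selected: any principal,
# any action, any bucket in any account, as long as the request goes via the endpoint.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def s3_gateway_endpoint_policy(bucket_names):
    """Allow only the listed buckets through the endpoint.

    Principal stays "*" on purpose: an endpoint policy limits which resources the
    endpoint can reach; who may call is still decided by IAM and bucket policies.
    """
    resources = []
    for bucket in bucket_names:
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyOurBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def bucket_policy_requiring_endpoint(bucket_name, vpce_id, admin_role_arn):
    """Other direction: the bucket refuses requests that did not arrive via the endpoint.

    The admin role is exempted so that you do not lock yourself out of the bucket
    from the console or your workstation. Both conditions must hold for the Deny
    to apply, so requests from the endpoint or from the admin role pass through.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromOurEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
            "Condition": {
                "StringNotEquals": {"aws:sourceVpce": vpce_id},
                "ArnNotEquals": {"aws:PrincipalArn": admin_role_arn},
            },
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_endpoint_policy(policy):
    """Flag Allow statements that would let a compromised instance reach any bucket."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if "*" in resources or "arn:aws:s3:::*" in resources:
            findings.append(f"{sid}: Resource wildcard allows any bucket in any account")
        if "*" in actions or "s3:*" in actions:
            findings.append(f"{sid}: Action wildcard allows every S3 operation")
    return findings


def policy_json(policy):
    """Serialise for `aws ec2 modify-vpc-endpoint --policy-document file://policy.json`
    or `aws s3api put-bucket-policy --policy file://bucket-policy.json`."""
    return json.dumps(policy, indent=2)
```

The reason to restrict the endpoint policy is data exfiltration: with the default policy, an attacker who lands on a private instance can copy data to a bucket in their own account over the endpoint, with no internet route needed. Test the bucket policy with a non-admin role before applying it to a production bucket, since the Deny also blocks the S3 console and any other VPC.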



In the following diagram, instances in the private subnet can access Amazon S3 through the gateway endpoint.


The following video has simple instructions for creating an S3 gateway endpoint, along with how to log in to an EC2 instance in the private subnet through a bastion/jump box without storing keys on the bastion, using Pageant (SSH agent forwarding). Keep in mind that agent forwarding lets anyone with root on the bastion use your agent for as long as your session is open, so only forward your agent to bastions you trust.


   
AWS Route 53: Basics


Today we are going to talk about Amazon Route 53, which is the DNS service offering from AWS.
This is the first part, in which we discuss briefly what Route 53 is and what it can do for us.
Then we cover DNS basics, because before we start configuring Route 53 as our DNS service it helps to know a bit about how DNS works,
the resource record types Route 53 supports, and some key differences between CNAME and alias records.
I'll also talk about domain registration and the agencies authorised for it. Let's get started; below is the video I made to explain it all together.

So first, let's see what Route 53 is all about:
As I said earlier, it is a highly available and scalable Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination:

1)     Domain registration: If you need a website name, such as example.com, Route 53 lets you register a name for your website or web application, which is known as a domain name.

2)     DNS routing: When a user opens a web browser and enters your domain name (example.com) in the address bar, Route 53 helps connect the browser with your website or web application.

3)     Health checking: Route 53 sends automated requests over the internet to a resource, such as a web server, to verify that it's reachable, available and functional. You can also choose to receive notifications when a resource becomes unavailable and to route internet traffic away from unhealthy resources.

How DNS Routes Traffic for Your Domain:
Below is a brief description of how DNS works in the background to route traffic to your domain (ref: docs.aws.amazon.com):
1. A user opens a web browser, enters www.example.com in the address bar, and presses Enter.
2. The request for www.example.com is routed to a DNS resolver, which is typically managed by the user's internet service provider (ISP).
3. The DNS resolver for the ISP forwards the request for www.example.com to a DNS root name server, which responds with the names of the top-level domain (TLD) name servers for the requested domain; in our case that is the .com TLD.
4. The DNS resolver forwards the request for www.example.com to one of the TLD name servers for .com domains. The name server for .com domains responds with the names of the name servers that are associated with the example.com domain; in this case these are Route 53 name servers.
   The DNS resolver caches (stores) the Route 53 name servers. The next time someone browses example.com, the resolver skips steps 3 and 4 because it already has the name servers for example.com. The name servers are typically cached for two days.
5. The DNS resolver chooses a Route 53 name server and forwards the request for www.example.com to that name server.
6. The Route 53 name server looks in the example.com hosted zone for the www.example.com record, gets the associated value, such as the IP address of a web server (let's assume it is 192.0.2.44), and returns the IP address to the DNS resolver.
7. The DNS resolver finally has the IP address that the user needs. The resolver returns that value to the web browser.
Note
The DNS resolver also caches the IP address for www.example.com for the amount of time that you specify (the TTL of the record) so that it can respond more quickly the next time someone browses to example.com.
8. The web browser sends a request for www.example.com to the IP address that it got from the DNS resolver. This is where your content is, for example, a web server running on an Amazon EC2 instance or an Amazon S3 bucket that's configured as a website endpoint.
9. The web server or other resource at 192.0.2.44 returns the web page for www.example.com to the web browser, and the web browser displays the page.
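To make steps 2 to 7 and the two caches concrete, here is an added example (not from the original post) that runs the iterative lookup offline against constructed stand-in servers. "root", a.gtld-servers.net. and the two awsdns names are stand-ins for the real root, .com and Route 53 name servers; 192.0.2.44 and the two-day lifetime of the NS records come from the walkthrough above, while the 300-second TTL on the A record is our own choice. The trace shows which servers the resolver has to ask each time, so you can see steps 3 and 4 being skipped once the delegation is cached.

```python
"""The lookup of www.example.com from the walkthrough, simulated offline.

Added example; server names other than the ones in the text are constructed.
"""

NS_TTL = 172_800   # two days: how long the resolver keeps the example.com name servers
A_TTL = 300        # assumed TTL we set on www.example.com in the hosted zone

HOSTED_ZONE = {("www.example.com.", "A"): ("192.0.2.44", A_TTL)}   # what step 6 looks up

# Constructed "internet": a server either refers the resolver to the servers of a
# child zone, or answers from the zone it is authoritative for.
SERVERS = {
    "root": {"refer": {"com.": ["a.gtld-servers.net."]}},
    "a.gtld-servers.net.": {"refer": {"example.com.": ["ns-1.awsdns-01.org.", "ns-2.awsdns-02.co.uk."]}},
    "ns-1.awsdns-01.org.": {"records": HOSTED_ZONE},
    "ns-2.awsdns-02.co.uk.": {"records": HOSTED_ZONE},
}


def ask(server_name, qname, qtype):
    """One query to one server: ("answer", value, ttl), ("refer", zone, servers) or ("nxdomain", None, 0)."""
    server = SERVERS[server_name]
    if "records" in server:                                # authoritative: steps 5 and 6
        record = server["records"].get((qname, qtype))
        return ("answer", record[0], record[1]) if record else ("nxdomain", None, 0)
    for zone, nameservers in server["refer"].items():      # root or TLD: steps 3 and 4
        if qname == zone or qname.endswith("." + zone):
            return ("refer", zone, nameservers)
    return ("nxdomain", None, 0)


class Resolver:
    """The ISP's recursive resolver of step 2, with the two caches the text describes."""

    def __init__(self):
        self.ns_cache = {}       # zone -> (name servers, expiry time)
        self.answer_cache = {}   # (qname, qtype) -> (value, expiry time)
        self.trace = []          # who we asked, so the reader can see steps being skipped

    def _closest_cached_delegation(self, qname, now):
        # Longest zone we still hold unexpired NS records for: example.com. before com. before root.
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            zone = ".".join(labels[i:])
            cached = self.ns_cache.get(zone)
            if cached and cached[1] > now:
                return cached[0]
        return ["root"]

    def resolve(self, qname, qtype, now):
        cached = self.answer_cache.get((qname, qtype))
        if cached and cached[1] > now:                      # the Note after step 7
            self.trace.append("cache")
            return cached[0]
        servers = self._closest_cached_delegation(qname, now)
        while servers:
            server = servers[0]                             # a real resolver picks by latency
            self.trace.append(server)
            kind, a, b = ask(server, qname, qtype)
            if kind == "answer":
                self.answer_cache[(qname, qtype)] = (a, now + b)
                return a                                    # step 7
            if kind == "refer":
                self.ns_cache[a] = (b, now + NS_TTL)        # remember the delegation
                servers = b
            else:
                return None
        return None
```

The `now` argument is a plain clock so the cache behaviour is visible without waiting: a second lookup within the A record's TTL never leaves the cache, a lookup after it goes straight to the Route 53 server, and only after the two-day NS lifetime does the resolver start from the root again. This is also why a change to a record in the hosted zone takes up to its TTL to be seen everywhere.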



Supported Record types in Route 53:

A record
Also known as a host record, it maps a name to an address. The value of an A record is an IPv4 address, for example 192.0.2.44.
MX record type
It is the record for the mail server(s) of the domain. Each value of an MX record actually contains two parts, a priority and a domain name; the priority is an integer between 0 and 65535.
If you specify multiple servers, the value that you specify for the priority indicates which email server you want email to be routed to first, second, and so on. The server with the lowest value for the priority takes precedence. For example, if you have two email servers and you specify priorities of 10 and 20, email always goes to the server with a priority of 10 unless it's unavailable. If you specify values of 10 and 10, email is routed to the two servers approximately equally.
NS record type
An NS record identifies the name servers for the hosted zone. The name servers know how you want to route traffic for your domain and subdomains based on the records that you created in the hosted zone for the domain.
PTR record type (reverse-lookup pointer record)
It associates an IP address with the fully qualified domain name of a host, i.e. the reverse of an A record. Used in reverse-lookup zones.
SOA
Start of Authority. This record appears at the beginning of a DNS zone and indicates the authoritative name server for the zone, contact details for the domain administrator, the zone serial number, and information on how frequently DNS information for this zone should be refreshed.
SRV
Defines services available in the zone, for example LDAP, HTTP or SIP, and allows discovery of the servers in the domain that provide a specific service.
Canonical Name record (CNAME record)
A CNAME aliases one hostname to another hostname. When a DNS client requests a record whose name carries a CNAME pointing to another hostname, the resolution process is repeated with the new hostname.
AAAA record type
This is like the A record above; the only difference is that it is for IPv6 addresses. The value of an AAAA record is an IPv6 address in colon-separated hexadecimal format.

Other than the records mentioned above, Route 53 also supports CAA, SPF (deprecated in favour of TXT) and TXT records, among others.




Domain Registration:
Domain name registration is one of the three functions which Route 53 can perform for you. Let's see some of the basics related to domain name registration.

Domain name
The name, such as example.com, that a user types in the address bar of a web browser to access a website or a web application.
TLD (top-level domain):
               The last part of the domain, such as .com or .org. A TLD can be generic or geographic.

Domain Registry:
A company that owns the right to sell domains that have a specific top-level domain. For example, VeriSign is the registry that owns the right to sell domains that have a .com TLD.
A domain registry defines the rules for registering a domain, such as residency requirements for a geographic TLD.
A domain registry also maintains the authoritative database for all the domain names that have the same TLD.
The registry's database contains information such as contact information and the name servers for each domain.

Domain Registrars:
               A company that is accredited by ICANN (Internet Corporation for Assigned Names and Numbers) to process domain registrations for specific top-level domains (TLDs). For example, Amazon Registrar, Inc. is a domain registrar for .com, .net, and .org domains.

Domain Resellers:
               A company that sells domain names on behalf of registrars such as Amazon Registrar. Amazon Route 53 is a domain reseller for Amazon Registrar and for its registrar associate, Gandi.
 
 
Difference Between CNAME & Alias Records in AWS:

Zone apex
       CNAME record: can't be created at the zone apex (the naked domain). For example, if you register the DNS name example.com, the zone apex is example.com.
       Alias record: can be created at the zone apex.

Which queries it answers
       CNAME record: redirects queries for a domain name regardless of record type.
       Alias record: Route 53 responds to a DNS query only when the name and type of the alias record match the name and type in the query.

What it can point to
       CNAME record: any DNS record that is hosted anywhere.
       Alias record: only selected AWS resources (for example an ELB load balancer, a CloudFront distribution or an S3 website endpoint) or another record in the hosted zone in which you're creating the alias record.

How it appears in responses
       CNAME record: appears as a CNAME record in response to dig or nslookup queries.
       Alias record: appears as the record type that you specified when you created the record, such as A or AAAA. The alias property is visible only in the Route 53 console or AWS CLI output.

Pricing
       CNAME record: Route 53 charges for CNAME queries.
       Alias record: Route 53 doesn't charge for alias queries to AWS resources.
 
www.BeCloudGuru.com
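As an added example (not from the original post), here is what the two record kinds look like in a Route 53 change batch, together with a pre-flight check for the two CNAME mistakes from the comparison above: a CNAME at the zone apex, and a CNAME sharing its name with another record type. The hosted zone example.com. is the one used throughout; the load balancer DNS name and its hosted zone ID (Z2EXAMPLEALB) are placeholders, since the real ID of an alias target depends on the service and region and is listed in the Route 53 documentation.

```python
"""Alias record at the apex, CNAME below it, and a pre-flight validator.

Added example; the load balancer name and Z2EXAMPLEALB are placeholders.
"""
import json

ZONE_NAME = "example.com."


def alias_record(name, target_dns_name, target_hosted_zone_id, rtype="A"):
    """Alias record: answered as an A (or AAAA), so it is legal at the zone apex."""
    return {
        "Name": name,
        "Type": rtype,
        "AliasTarget": {
            "HostedZoneId": target_hosted_zone_id,   # the target's zone ID, not yours
            "DNSName": target_dns_name,
            "EvaluateTargetHealth": False,
        },
    }


def cname_record(name, target, ttl=300):
    """Plain CNAME: the whole name becomes an alias of `target`, for every record type."""
    return {"Name": name, "Type": "CNAME", "TTL": ttl, "ResourceRecords": [{"Value": target}]}


def change_batch(records, action="UPSERT"):
    """Body for `aws route53 change-resource-record-sets --change-batch file://...`."""
    return {"Changes": [{"Action": action, "ResourceRecordSet": r} for r in records]}


def validate_change_batch(zone_name, batch):
    """Catch the two CNAME mistakes from the comparison before Route 53 rejects the call."""
    problems = []
    types_by_name = {}
    for change in batch["Changes"]:
        if change["Action"] == "DELETE":            # a DELETE+CREATE swap in one batch is fine
            continue
        rrset = change["ResourceRecordSet"]
        types_by_name.setdefault(rrset["Name"], set()).add(rrset["Type"])
    for name, types in types_by_name.items():
        if "CNAME" not in types:
            continue
        if name == zone_name:
            problems.append(f"{name}: CNAME is not allowed at the zone apex, use an alias record")
        if len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{name}: a CNAME cannot coexist with other record types ({others})")
    return problems


def change_batch_json(batch):
    """Serialise for the CLI's --change-batch file argument."""
    return json.dumps(batch, indent=2)


if __name__ == "__main__":
    batch = change_batch([
        alias_record(ZONE_NAME, "my-alb-123.us-east-1.elb.amazonaws.com.", "Z2EXAMPLEALB"),
        cname_record("www." + ZONE_NAME, ZONE_NAME),
    ])
    print(validate_change_batch(ZONE_NAME, batch) or change_batch_json(batch))
```

The validator checks names within one batch only; a CNAME that collides with a record already in the hosted zone is still rejected by Route 53 at call time, so run `aws route53 list-resource-record-sets` first if you are unsure what exists.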
 

