
Networking in AWS and EC2

AWS provides fine-grained control at the networking level. As with any physical data center, you can define your own networks, but AWS adds a higher-level abstraction: the Virtual Private Cloud.

Amazon Virtual Private Cloud (Amazon VPC) is a segment of the AWS cloud that allows you to group and segregate your resources into subnetworks, so you can organize and plan your infrastructure to match your requirements. It also allows you to create a VPN between AWS and your physical data center, extending the latter with additional resources from AWS. When you create a resource in EC2, you can place it in a custom-defined subnet within your VPC.

Before jumping into what a VPC looks like, let's first explain how AWS works regarding the geographical distribution of resources. AWS provides you with different data centers in different regions such as Europe, Asia, and the US. As an example, let's take EU West, which has three different availability zones:

A region in AWS is a geographical area in which an AWS data center lives. Knowing this enables us to build global-scale applications that serve traffic from the closest data center in order to improve latency. Another very good reason for this geographical distribution is the data protection laws of several countries: by being able to choose where our data lives, we can comply with those laws.

Within each geographical region we find availability zones. An availability zone is a physically separated data center; availability zones ensure the high availability of our system because, in the case of a catastrophe in one data center, we can always fall back on the other availability zones.

Let's see how the regions and availability zones look:

Now that we understand how AWS works from the geographical perspective, let's dig deeper into what a VPC is in terms of regions and availability zones.

A VPC is a logically separated segment of the AWS cloud that is private to the user, can hold resources, and spans all the availability zones in an AWS region. Inside this VPC, we can define different subnets (public and private, in different availability zones) and define which machines are reachable from the Internet: AWS allows you to create routing tables, Internet gateways, and NAT gateways, among other common networking resources, so that the user can build anything they could build in a physical data center.
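Whether a subnet is "public" or "private" is decided by its route table's default route: an Internet gateway makes it public, a NAT gateway gives it outbound-only access, and no default route leaves it isolated. The following added example (not from the book) classifies subnets from data shaped like the `aws ec2 describe-route-tables` output; the route tables and subnet IDs are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample shaped like `aws ec2 describe-route-tables` output (not real account data).
ROUTE_TABLES = [
    {   # main table: no 0.0.0.0/0 route, so subnets without an association are isolated
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public subnets: default route points at an Internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-web-a"}, {"SubnetId": "subnet-web-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
        ],
    },
    {   # private subnets: default route points at a NAT gateway (egress only)
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"},
        ],
    },
]
ALL_SUBNETS = ["subnet-web-a", "subnet-web-b", "subnet-app-a", "subnet-db-a"]

def classify_table(table: dict) -> str:
    """Return 'public', 'private' or 'isolated' based on the table's default route."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"    # reachable from the Internet (when instances have a public IP)
        if route.get("NatGatewayId"):
            return "private"   # outbound only, via the NAT gateway
    return "isolated"          # no default route: VPC-local traffic only

def classify_subnets(route_tables: List[dict], subnets: List[str]) -> Dict[str, str]:
    """Map each subnet to its class; subnets with no explicit association use the main table."""
    main = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    explicit = {a["SubnetId"]: t for t in route_tables for a in t["Associations"] if "SubnetId" in a}
    return {s: classify_table(explicit.get(s, main)) for s in subnets}

if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES, ALL_SUBNETS).items():
        print(f"{subnet}: {kind}")
```

A real audit would also inspect IPv6 default routes (`::/0` under `DestinationIpv6CidrBlock`) and check which instances actually carry public IP addresses, since a public subnet only exposes instances that have one.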

It would take a full book just to talk about the networking in AWS. We will go deeper into some concepts in the rest of the chapters of this book, but if you really want to dive deep into the networking side of AWS, you can find more data and examples at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html.

AWS also provides a very powerful element: Elastic Load Balancing (ELB). An ELB is a modern version of the classic hardware load balancer. It enables us to health-check resources and keep only the healthy ones in the pool. ELB comes in two flavors: the classic load balancer and the application load balancer. The first, as the name suggests, is a classic load balancer that distributes traffic depending on health checks and does not understand the data being transmitted, whereas the application load balancer can route traffic based on advanced policies that depend on the information in the request. ELBs can also handle the full HTTPS flow, so we can perform SSL termination in the load balancer and let our applications offload encryption/decryption to it.
