Public subnet, public IP, internet gateway (container networking slide deck)

18 slides, 678.52 KB

Slide 1: Public subnet, public IP, internet gateway. Diagram labels: VPC; public subnet 172.31.0.0/20; EC2 instance with private IP address 172.31.16.1 and public IP address 3.221.88.186; internet gateway; application container running on the instance.

Slide 2: Private subnet, NAT gateway for internet access. Diagram labels: VPC; public subnet 172.31.0.0/20; private subnet 172.31.16.0/20; EC2 instance with private IP address 172.31.16.1 and no public IP; NAT gateway in the public subnet; internet gateway; application container.

Slide 3: ALB ingress. Diagram labels: VPC; public subnet 172.31.0.0/20; private subnet 172.31.16.0/20; EC2 instance with private IP address 172.31.16.1 and no public IP; internet gateway; application load balancer; application container.

Slide 4: NLB ingress. Diagram labels: VPC; public subnet 172.31.0.0/20; private subnet 172.31.16.0/20; EC2 instance with private IP address 172.31.16.1 and no public IP; internet gateway; network load balancer; application container.

Slide 5: API gateway ingress. Diagram labels: VPC; private subnet 172.31.16.0/20; EC2 instance with private IP address 172.31.16.1 and no public IP; internet gateway; Amazon API Gateway; VPC Link; application container.

Slide 6: Host networking mode vs. bridge mode with static mapping. Two panels, each in private subnet 172.31.16.0/20.
Host networking mode: EC2 instance with ENI 172.31.16.1, container on port 3000 reachable at 172.31.16.1:3000; EC2 instance with ENI 172.31.16.2, container on port 3000 reachable at 172.31.16.2:3000.
Bridge mode with static mapping: EC2 instance with ENI 172.31.16.1, network bridge, container port 3000 mapped to host port 80, reachable at 172.31.16.1:80; EC2 instance with ENI 172.31.16.2, network bridge, container port 3000 mapped to host port 80, reachable at 172.31.16.2:80.

Slide 7: Bridge networking mode with dynamic mapping. Diagram labels: private subnet 172.31.16.0/20.
EC2 instance with ENI 172.31.16.1: one container port 3000 mapped to host port 47760 (172.31.16.1:47760), a second container port 3000 mapped to host port 45283 (172.31.16.1:45283).
EC2 instance with ENI 172.31.16.2: one container port 3000 mapped to host port 50077 (172.31.16.2:50077), a second container port 3000 mapped to host port 52330 (172.31.16.2:52330).

Slide 8: AWS VPC networking mode. Diagram labels: private subnet 172.31.16.0/20; EC2 instance with EC2 IP 172.31.16.0 used by host-level processes; each container has its own ENI, 172.31.16.1:80 and 172.31.16.2:80, with the container listening on port 80.

Slide 9: AWS VPC ENI trunking. Diagram labels: private subnet 172.31.16.0/20; EC2 instance with EC2 IP 172.31.16.0 on the host primary ENI; trunk ENI; container ENIs 172.31.16.1:80 and 172.31.16.2:80, each container listening on port 80.

Slide 10: AWS VPC ENI trunking, secondary IP address range. Diagram labels: private subnets 100.64.0.0/19 and 172.31.16.0/20; EC2 instance with EC2 IP 172.31.16.0 on the host primary ENI (172.31.16.0/20); trunk ENI; container ENIs 100.64.0.1:80 and 100.64.0.2:80 in the 100.64.0.0/19 subnet, each container listening on port 80.

Slide 11: NAT gateway access to other services. Diagram labels: VPC; public subnet 172.31.0.0/20; private subnet 172.31.16.0/20; EC2 instance with private IP address 172.31.16.1 and no public IP; application container; NAT gateway; internet gateway; traffic to Amazon Simple Storage Service (S3), Amazon Elastic Container Service and Amazon Elastic Container Registry leaves through the NAT gateway.

Slide 12: Endpoint access to other services. Diagram labels: VPC; public subnet 172.31.0.0/20; private subnet 172.31.16.0/20; application container; S3 gateway VPC endpoint to Amazon Simple Storage Service (S3); NAT gateway; internet gateway.

Slide 13: Endpoint access to other services (continued). Diagram labels: VPC; public subnet 172.31.0.0/20; private subnet 172.31.16.0/20; EC2 instance ENI; application container; S3 gateway VPC endpoint to Amazon Simple Storage Service (S3); AWS PrivateLink VPC endpoint (ENI) to Amazon Elastic Container Service; AWS PrivateLink VPC endpoint (ENI) to Amazon Elastic Container Registry; NAT gateway; internet gateway.

Slide 14: Service discovery between services. Diagram labels: private subnets 172.31.16.0/20 and 172.31.32.0/20; AWS Cloud Map. Container A at 172.31.16.1; Container B at 172.31.16.2 and 172.31.32.1; Container C at 172.31.32.2. Cloud Map records: service-a.local: 172.31.16.1; service-b.local: 172.31.16.2, 172.31.32.1; service-c.local: 172.31.32.2.

Slide 15: Internal load balancer. Diagram labels: private subnets 172.31.16.0/20 and 172.31.32.0/20; Service A load balancer in front of Container A at 172.31.16.1 and 172.31.32.1; Service B load balancer in front of Container B at 172.31.16.2 and 172.31.32.2.

Slide 16: AWS App Mesh. Diagram labels: AWS App Mesh; private subnets 172.31.16.0/20 and 172.31.32.0/20; AWS Cloud Map. Container A with ENI 172.31.16.1; Container B with ENIs 172.31.16.2 and 172.31.32.1; Container C with ENI 172.31.32.2. Cloud Map records: service-a.local: 172.31.16.1; service-b.local: 172.31.16.2, 172.31.32.1; service-c.local: 172.31.32.2.

Slide 17 (titled "NLB ingress"): Client application connects to the Service Mesh Gateway over a TLS secured connection; the gateway calls the Authentication Task (Authentication Service, Authentication Container) over an mTLS secured connection; the Authentication Task calls the Password Task (Password Service, Password Container) over an mTLS secured connection.

Slide 18: File system and EFS access points. Diagram labels: Amazon Elastic File System with access points gateway-certs/, authentication-certs/ and password-certs/; certificate renewal task; Client application to Service Mesh Gateway (TLS secured) to Authentication Task (mTLS secured) to Password Task (mTLS secured); Authentication Container and Password Container.
Slide notes: The certificate renewal task has root access to the filesystem. It runs periodically on a schedule to regenerate the certificates before they expire. Each service is configured to be able to connect to a specific access point in EFS and fetch its certificates from that path. The access point limits it to read only the certificates in that path of the filesystem.
