Ref: https://learn.cantrill.io/courses/1820301/lectures/41301617
YouTube: https://www.youtube.com/watch?v=OJSVtgZrVsg
AWS Networking Ecosystem
- Three different networking zones:
  - “AWS Private” zones → defined by customer-managed private NWs (VPCs)
    - VPCs are private and isolated by default
    - External access to VPCs can be configured:
      - On-premises access via VPN or Direct Connect (DX)
      - AWS Public zone access via e.g. an Internet Gateway (IGW)
      - Public internet access via e.g. an IGW
    - 💡 If you have a laptop in a VPN, it will only communicate with the internet if you configure it to. Similarly, a VPC will communicate with the public internet only if you configure it to.
    - ‼️ AWS private services need VPCs to deploy resources!
      - e.g. EC2 deploys virtual servers/instances in a VPC
  - “AWS Public” zone → AWS-managed NW that is connected to the public internet
    - Runs between the public internet & VPCs
    - AWS public services work from here
      - e.g. AWS IAM, Amazon R53, Amazon S3…
    - Can be accessed via public endpoints (accessible from the public internet)
    - ‼️ AWS public services do NOT need VPCs!
    - 💡 If a VPC communicates with a public AWS service (e.g. S3), it can do so through an IGW that potentially never touches the public internet!!
  - “Public Internet” zone → the good ol’ Internet as we know it, the public NW of NWs
- (Diagram: AWS Networking Zones)
- ‼️ The distinction between AWS private and public services refers ONLY to NWing!
  - This has NOTHING to do with access permissions (authentication & authorization)!!
  - ❗ AWS public services do NOT offer open access to everybody, they only expose public endpoints!
    - An entity accessing those endpoints still needs credentials/permissions (or other means of authentication and authorization) in order to access the public service!
    - 💡 By default only the root user of an account can access public services! Other users in the account must be granted permissions to access public services.
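Added example (not from the course or these notes): a small audit helper that reads a VPC's route tables and reports, per subnet, which of the three zones above its routes can reach. The route-table data is constructed inline in the shape `aws ec2 describe-route-tables` returns; the gateway-ID prefixes (`igw-`, `vgw-`) are the real AWS ones, and a VPN or DX connection is assumed to be attached through a virtual private gateway.

```python
# Constructed sample data (not from a real account), shaped like the
# "RouteTables" list returned by `aws ec2 describe-route-tables`.
ROUTE_TABLES = [
    {   # subnet with a default route to an Internet Gateway
        "RouteTableId": "rtb-aaaa0001",
        "Associations": [{"SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000aaaa"},
        ],
    },
    {   # subnet that only reaches on-premises via a VPN / DX virtual private gateway
        "RouteTableId": "rtb-bbbb0002",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0000bbbb"},
        ],
    },
    {   # main route table, no association to a subnet, VPC-local only
        "RouteTableId": "rtb-cccc0003",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

def reachable_zones(route_table):
    """Map a route table's gateway targets to the zones the notes describe."""
    zones = {"vpc"}  # the 'local' route is always present: VPC-internal traffic
    for route in route_table["Routes"]:
        target = route.get("GatewayId", "")
        if target.startswith("igw-"):
            # An IGW puts the subnet on the AWS public zone and, from there,
            # the public internet (the subnet is "public" in AWS terms).
            zones.update({"aws-public", "internet"})
        elif target.startswith("vgw-"):
            # VPN or Direct Connect terminates on a virtual private gateway.
            zones.add("on-premises")
    return zones

def classify_subnets(route_tables):
    """Return {subnet_id: set_of_zones}; the main table (no SubnetId) is skipped."""
    result = {}
    for rt in route_tables:
        zones = reachable_zones(rt)
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = zones
    return result

if __name__ == "__main__":
    for subnet, zones in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet}: {sorted(zones)}")
```

A subnet showing only `vpc` is isolated exactly as the notes describe the default; reaching `aws-public` or `internet` still says nothing about whether any credentials allow calling those public endpoints.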