AWS Networking
source link: https://wilsonmar.github.io/aws-networking/
CIDR Ranges
An example CIDR block looks like this:
10.0.1.0/18
PROTIP: To avoid naming conflicts, some organizations use a convention replacing the “1” in the address with other numbers for each separate environment and tier as well as duplicate zones:
Env | Tier | zone A | zone B | Routes |
---|---|---|---|---|
Prd | ELB | 1 | 11 | Public |
Prd | WEB | 2 | 12 | Private |
Prd | APP | 3 | 13 | Private |
Prd | Cache | 4 | 14 | Private |
Prd | DB | 5 | 15 | Private |
Dev | ELB | 21 | 31 | Public |
Dev | WEB | 22 | 32 | Private |
Dev | APP | 23 | 33 | Private |
Dev | Cache | 24 | 34 | Private |
Dev | DB | 25 | 35 | Private |
PROTIP: Use the table above to pre-define your own numbering scheme, which can also be used as shortcuts in other names.
PROTIP: Some organizations allocate the bottom half of the 255 possibilities to private and upper half to public addresses:
- private 10.1.0.0/24 (< 129)
- public 10.129.0.0/24 (> 128)
Address ranges for private (non-routed) use (per RFC 1918):
- 10.0.0.0 -> 10.255.255.255 within “Class A” addresses 1 -> 126
- 172.16.0.0 -> 172.31.255.255 within “Class B” addresses 127 -> 191
- 192.168.0.0 -> 192.168.255.255 within “Class C” addresses 192 -> 223
REMEMBER: The CIDR block for a default VPC is always 172.31.0.0/16.
PROTIP: Use addresses from different IP classes. For example,
- use VPC CIDR 10.0.0.0/16 for production
- use VPC CIDR 172.16.0.0/16 for DR regions
PROTIP: Carefully predict how many nodes each subnet might need. Once assigned, AWS VPC subnet blocks can’t be modified. If you find an established VPC is too small, you’ll need to terminate all of the instances of the VPC, delete it, and then create a new, larger VPC, then instantiate again.
Refer to this table of nodes for each netmask Amazon allows:
# Nodes | Netmask | Subnet Mask |
---|---|---|
14 | /28 | 255.255.255.240 |
30 | /27 | 255.255.255.224 |
62 | /26 | 255.255.255.192 |
126 | /25 | 255.255.255.128 |
254 | /24 | 255.255.255.0 |
510 | /23 | 255.255.254.0 |
65,534 | /16 | 255.255.0.0 |
For example, if all you’ll need are 14 nodes, specify /28.
Notice that the larger the CIDR netmask (the number after the slash), the fewer hosts the subnet can hold.
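The planning advice above (pick a private range, carve subnets by the env/tier/zone numbering table, and size each subnet before you create it) can be checked with a few lines of Python. This is an added example, not code from the original article or from AWS: it uses only the standard-library `ipaddress` module, the numbering table and the RFC 1918 ranges are copied from the text, and the host count subtracts only the network and broadcast addresses exactly as the table of nodes does (AWS reserves additional addresses in every subnet, so real capacity is a little lower than the figure shown).

```python
"""Added example (not from the original article): plan VPC subnets with the
standard-library ipaddress module.  It generates subnet CIDRs from the
env/tier/zone numbering convention in the article's table, checks that a
block is RFC 1918 private space, checks that no two subnets overlap, and
reports the host count per prefix length.  The host count removes only the
network and broadcast addresses, matching the article's table of nodes."""
import ipaddress

# RFC 1918 private ranges, as listed in the article.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Third-octet numbering convention from the article's table:
# (env, tier) -> (zone A number, zone B number, route type).
NUMBERING = {
    ("Prd", "ELB"):   (1, 11, "Public"),
    ("Prd", "WEB"):   (2, 12, "Private"),
    ("Prd", "APP"):   (3, 13, "Private"),
    ("Prd", "Cache"): (4, 14, "Private"),
    ("Prd", "DB"):    (5, 15, "Private"),
    ("Dev", "ELB"):   (21, 31, "Public"),
    ("Dev", "WEB"):   (22, 32, "Private"),
    ("Dev", "APP"):   (23, 33, "Private"),
    ("Dev", "Cache"): (24, 34, "Private"),
    ("Dev", "DB"):    (25, 35, "Private"),
}


def usable_hosts(prefix_len: int) -> int:
    """Host addresses in an IPv4 subnet after removing network + broadcast."""
    return 2 ** (32 - prefix_len) - 2


def subnet_mask(prefix_len: int) -> str:
    """Dotted-quad mask for a prefix length, e.g. 28 -> 255.255.255.240."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def is_private(cidr: str) -> bool:
    """True if the whole block lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def plan_subnets(vpc_cidr: str, prefix_len: int = 24) -> dict:
    """Map (env, tier, zone) -> (subnet CIDR, route type), using the zone
    number from the table as the third octet inside a /16 VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    first, second = str(vpc.network_address).split(".")[:2]
    plan = {}
    for (env, tier), (zone_a, zone_b, route) in NUMBERING.items():
        for zone, n in (("A", zone_a), ("B", zone_b)):
            cidr = f"{first}.{second}.{n}.0/{prefix_len}"
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(vpc):
                raise ValueError(f"{cidr} falls outside VPC {vpc}")
            plan[(env, tier, zone)] = (cidr, route)
    return plan


def find_overlaps(cidrs: list) -> list:
    """Pairs of CIDRs that overlap; an empty list means the plan is clean."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16")           # production VPC per the article
    for key, (cidr, route) in sorted(plan.items()):
        print(f"{key[0]}/{key[1]}/zone {key[2]}: {cidr} ({route})")
    print("overlaps:", find_overlaps([c for c, _ in plan.values()]))
    for p in (28, 27, 26, 25, 24, 23, 16):
        print(f"/{p} {subnet_mask(p):<15} {usable_hosts(p):>6} hosts")
```

Run `find_overlaps` over every CIDR you intend to create (including peered VPCs and on-premises ranges) before the subnets exist; once a subnet is created its block is fixed, as the article warns, so catching a collision here is far cheaper than re-creating the VPC.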
Bucket of Candies Analogy
If you must know why, here is my analogy (best for kinesthetic learners): When we say a sports star makes a “7 figure salary”, we figure out what that means with a table like this:
Figure: | 7 | 6 | 5 | 4 | 3 | 2 | 1 |
---|---|---|---|---|---|---|---|
# Values: | 1,000,000 | 100,000 | 10,000 | 1,000 | 100 | 10 | 1 |
Now imagine a bucket for each figure level, a different size bucket containing candies of various colors and patterns, unique one for each possible value. People earning 7 figures can choose from the bucket holding a million possible values.
If we add up the values (colors) possible in the right-most 3 buckets, we would have 100 + 10 + 1 = 111 possibilities.
Counting in Base 2
Instead of the way bankers do arithmetic where ten $1 bills is equivalent to a 10 dollar bill (called “base 10” or decimal calculation), computers count using “base 2” or binary arithmetic using 0’s and 1’s. So each of their “buckets” have a different number of possibility values:
Position: | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 |
---|---|---|---|---|---|---|---|---|
# Values: | 256 | 128 | 64 | 32 | 16 | 8 | 4 | 2 |
Cumulative possible addresses: | 510 | 254 | 126 | 62 | 30 | 14 | 6 | 2 |
If we add up the possible addresses just from the right-most 3 buckets (from right to left), we would have 2 + 4 + 8 = 14 possibilities.
Looking back at the table of nodes above, we see that 14 possibilities are obtained from a /28 specification.
This is all one needs to know to use AWS VPC.
But if you would like to know how we get 3 buckets from the 28 bit specification, read on.
IP address octets
IPv4 addresses such as “127.10.138.128” consist of 32 bit “buckets”, separated by dots into four 8-bit “octets”:
The 127 in the figure above is obtained by adding the base 10 value of each bit “bucket”. Looking at a single octet of 8 bits:
“Bucket” position: | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 |
---|---|---|---|---|---|---|---|---|
Base 10 value of each bucket: | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
Cumulative base 10 (right to left) | 255 | 127 | 63 | 31 | 15 | 7 | 3 | 1 |
Base 2 for 217 in base 10 | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 1 |
Cumulative base 10 (right to left) | 217 | 89 | 25 | 25 | 9 | 1 | 1 | 1 |
To translate a base 2 number of all 1’s (“11111111”) to the base 10 value 255, we accumulate the base 10 value of each “bucket”, right to left.
To translate the Base 2 set of 1’s and 0’s to a base 10 number of 217, we accumulate the equivalent base 10 number at each position where there is a 1.
Now let’s look at the relationship between /28 and the “255.255.255.240” subnet mask associated with the /28 in the table of nodes above.
The “240” base 10 number in the right-most octet is equivalent to “11110000” in base 2.
“Bucket” position: | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 |
---|---|---|---|---|---|---|---|---|
Base 10 value of bucket: | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
Base 2 for 240 in base 10 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 |
Cumulative base 10 (right to left) | 240 | 112 | 48 | 16 | 0 | 0 | 0 | 0 |
Putting the three 255s and the 240 together, we get a continuous run of 1’s followed by four 0’s:
11111111.11111111.11111111.11110000
- The 1’s “buckets” on the left side are used to address subnets managed by Amazon.
- The 0’s buckets on the right side are used to address your individual nodes.
REMEMBER: Although there are four 0’s buckets, only 3 are used to specify node addresses, because one digit (two values) is reserved for network and broadcast use (the addresses containing all 0’s and all 1’s in the host bits).
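The octet tables above can be reproduced with plain bit arithmetic, which also shows where the network and broadcast addresses come from. This is an added example, not code from the original article: it deliberately avoids the `ipaddress` module so that every step (splitting an octet into its eight “buckets”, accumulating the base 10 values from the right, building the /28 mask as 28 ones followed by four zeros, and ANDing/ORing the mask against an address) is visible. The address `10.0.1.37/28` is a constructed value for the demo.

```python
"""Added example (not from the original article): the bit-level arithmetic
behind the 'buckets' tables, done by hand without the ipaddress module.
It decomposes 217 and 240 into bit positions, turns a /28 prefix into the
mask 255.255.255.240, and derives the network and broadcast addresses that
the article says are reserved out of the host bits."""

BUCKET_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # base 10 value of bucket 8..1


def octet_to_bits(octet: int) -> list:
    """Decompose one octet (0..255) into its eight bits, bucket 8 first."""
    if not 0 <= octet <= 255:
        raise ValueError("octet must be 0..255")
    return [(octet >> shift) & 1 for shift in range(7, -1, -1)]


def cumulative_from_right(bits: list) -> list:
    """Running base 10 total accumulated from bucket 1 leftwards, matching the
    article's 'Cumulative' rows (11011001 -> [217, 89, 25, 25, 9, 1, 1, 1])."""
    totals, running = [], 0
    for value, bit in zip(reversed(BUCKET_VALUES), reversed(bits)):
        running += value * bit
        totals.append(running)
    return list(reversed(totals))


def mask_from_prefix(prefix_len: int) -> list:
    """Four mask octets: prefix_len ones followed by (32 - prefix_len) zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return [(mask >> s) & 0xFF for s in (24, 16, 8, 0)]


def dotted(octets: list) -> str:
    """Join four octets into dotted-quad notation."""
    return ".".join(str(o) for o in octets)


def parse_dotted(addr: str) -> list:
    """Split and validate a dotted-quad IPv4 address."""
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return octets


def network_and_broadcast(cidr: str) -> tuple:
    """Return (network, broadcast, usable host count) for address/prefix.
    network = address AND mask (host bits cleared);
    broadcast = network OR NOT mask (host bits set)."""
    addr, prefix = cidr.split("/")
    prefix_len = int(prefix)
    a, m = parse_dotted(addr), mask_from_prefix(prefix_len)
    network = [x & y for x, y in zip(a, m)]
    broadcast = [n | (y ^ 0xFF) for n, y in zip(network, m)]
    usable = 2 ** (32 - prefix_len) - 2       # all-0 and all-1 host bits reserved
    return dotted(network), dotted(broadcast), usable


def bits_str(bits: list) -> str:
    """Render a bit list as a string such as '11110000'."""
    return "".join(str(b) for b in bits)


if __name__ == "__main__":
    for value in (217, 240, 255):
        bits = octet_to_bits(value)
        print(value, bits_str(bits), cumulative_from_right(bits))
    mask = mask_from_prefix(28)
    print("/28 mask:", ".".join(bits_str(octet_to_bits(o)) for o in mask), "=", dotted(mask))
    print("10.0.1.37/28 ->", network_and_broadcast("10.0.1.37/28"))
```

For `10.0.1.37/28` the last octet 37 is `00100101`; ANDing with `11110000` clears the four host bits to give network `10.0.1.32`, and setting them gives broadcast `10.0.1.47`, leaving 14 addresses in between, the same count as the /28 row in the table of nodes.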
More on CIDR (Classless Inter-Domain Routing), aka “supernetting”:
- https://www.youtube.com/watch?v=POPoAjWFkGg IP Subnetting from CIDR Notations (getting network and broadcast addresses).
- http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
- VLSM (Variable Length Subnet Mask)
- https://cloudacademy.com/amazon-web-services/amazon-vpc-networking-course/build-and-configure-a-nat-instance.html