
2.7 Amazon EC2 Network

Contents: Overview, Regions and Zones, Addressing an Instance, Elastic network interfaces, Enhanced networking, Elastic Fabric Adapter, Placement Groups, Tenancy Options, Reference

Overview

  • To increase network performance and reduce latency, you can launch instances in a placement group.
  • You can get significantly higher packet per second (PPS) performance using enhanced networking.
  • You can accelerate high performance computing and machine learning applications using an Elastic Fabric Adapter (EFA), which is a network device that you can attach to a supported instance type.

Regions and Zones

  • Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of Regions, Availability Zones, Local Zones, AWS Outposts, and Wavelength Zones.
  • Each Region is a separate geographic area.
  • Availability Zones are multiple, isolated locations within each Region.
  • Local Zones provide you the ability to place resources, such as compute and storage, in multiple locations closer to your end users.
  • AWS Outposts brings native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility.
  • Wavelength Zones allow developers to build applications that deliver ultra-low latencies to 5G devices and end users. Wavelength deploys standard AWS compute and storage services to the edge of telecommunication carriers' 5G networks.

Regions

  • Each Amazon EC2 Region is designed to be isolated from the other Amazon EC2 Regions
  • When you launch an instance, you must select an AMI that's in the same Region. 
  • Note that there is a charge for data transfer between Regions
  • Your account determines the Regions that are available to you.
  • The number and mapping of Availability Zones per Region may vary between AWS accounts.

Availability Zones

  • Each Region has multiple, isolated locations known as Availability Zones
  • To ensure that resources are distributed across the Availability Zones for a Region, AWS independently maps Availability Zones to names for each AWS account. For example, the Availability Zone us-east-1a for your AWS account might not be the same location as us-east-1a for another AWS account.
  • To coordinate Availability Zones across accounts, you must use the AZ ID, which is a unique and consistent identifier for an Availability Zone.
  • To migrate an instance to another Availability Zone:
    • Create an AMI from the original instance.
    • Launch an instance from that AMI in the new Availability Zone.
    • Update the configuration of the new instance (for example, re-associate any Elastic IP address the original instance used), then terminate the original instance.
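The AZ ID point is easiest to see with data. The Python below is an added example, not from the AWS documentation: the two documents are constructed to mimic the shape of `aws ec2 describe-availability-zones` output (the ZoneName and ZoneId fields), and the name-to-ID assignments, account labels and zone IDs are made up for the demonstration.

```python
"""Coordinate Availability Zones across two AWS accounts by AZ ID.

Added example, not AWS code. ACCOUNT_A_ZONES / ACCOUNT_B_ZONES are
constructed to look like `aws ec2 describe-availability-zones` output;
the ZoneName -> ZoneId assignments are invented for the demonstration.
"""
import json

# Constructed: what account A sees in us-east-1 (names are per-account).
ACCOUNT_A_ZONES = json.loads("""
{"AvailabilityZones": [
  {"ZoneName": "us-east-1a", "ZoneId": "use1-az6", "State": "available"},
  {"ZoneName": "us-east-1b", "ZoneId": "use1-az1", "State": "available"},
  {"ZoneName": "us-east-1c", "ZoneId": "use1-az2", "State": "available"}
]}
""")

# Constructed: the same physical zones as account B has them named.
ACCOUNT_B_ZONES = json.loads("""
{"AvailabilityZones": [
  {"ZoneName": "us-east-1a", "ZoneId": "use1-az1", "State": "available"},
  {"ZoneName": "us-east-1b", "ZoneId": "use1-az6", "State": "available"},
  {"ZoneName": "us-east-1c", "ZoneId": "use1-az2", "State": "available"}
]}
""")


def name_to_id(zones):
    """{ZoneName: ZoneId} for one account's describe-availability-zones output."""
    return {z["ZoneName"]: z["ZoneId"] for z in zones["AvailabilityZones"]}


def id_to_name(zones):
    """{ZoneId: ZoneName}; the AZ ID is the account-independent key."""
    return {z["ZoneId"]: z["ZoneName"] for z in zones["AvailabilityZones"]}


def translate_zone_name(name_in_a, zones_a, zones_b):
    """Return the name account B uses for the physical zone that account A
    calls `name_in_a`, or None if account B cannot see that AZ ID."""
    az_id = name_to_id(zones_a).get(name_in_a)
    if az_id is None:
        raise ValueError(f"{name_in_a} is not an Availability Zone visible to account A")
    return id_to_name(zones_b).get(az_id)


def misleading_zone_names(zones_a, zones_b):
    """Zone names present in both accounts that denote different physical
    zones. Using such a name to 'co-locate' resources across the two
    accounts would actually put them in different zones."""
    a, b = name_to_id(zones_a), name_to_id(zones_b)
    return sorted(name for name in a.keys() & b.keys() if a[name] != b[name])


if __name__ == "__main__":
    print(translate_zone_name("us-east-1a", ACCOUNT_A_ZONES, ACCOUNT_B_ZONES))
    print(misleading_zone_names(ACCOUNT_A_ZONES, ACCOUNT_B_ZONES))
```

With real accounts, feed each side the output of `aws ec2 describe-availability-zones --region us-east-1` run with that account's credentials; the ZoneId values are what to compare, never the ZoneName values.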

Local Zones

  • A Local Zone is an extension of an AWS Region in geographic proximity to your users.
  • Local Zones have their own connections to the internet and support AWS Direct Connect, so that resources created in a Local Zone can serve local users with low-latency communications
  • To use a Local Zone:
    • Enable (opt in to) the Local Zone.
    • Create a subnet in the Local Zone.
    • Launch resources in the Local Zone subnet, for example:
      • Amazon EC2 instances
      • Amazon EBS volumes
      • Amazon ECS
      • Amazon EKS

Wavelength Zones

  • AWS Wavelength enables developers to build applications that deliver ultra-low latencies to mobile devices and end users.
  • Developers can extend a virtual private cloud (VPC) to one or more Wavelength Zones.
  • To use a Wavelength Zone:
    • Opt in to the Zone.
    • Create a subnet in the Wavelength Zone.
    • Launch your resources in the Wavelength Zone subnet.
  • Wavelength Zones are not available in every Region.

AWS Outposts

  • AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises.
  • To begin using AWS Outposts, you must create an Outpost and order Outpost capacity
  • You can launch EC2 instances in the Outpost subnet that you created. The root volume must be 30 GB or smaller.
  • You can create EBS volumes in the Outpost subnet that you created. When you create the volume, specify the Amazon Resource Name (ARN) of the Outpost.

Addressing an Instance

  •  By default, Amazon EC2 and Amazon VPC use the IPv4 addressing protocol; you can't disable this behavior.
  • When you create a VPC, you must specify an IPv4 CIDR block (a range of private IPv4 addresses).
  • You can optionally assign an IPv6 CIDR block to your VPC and subnets, and assign IPv6 addresses from that block to instances in your subnet. 

Public Domain Name System (DNS) Name

  • When you launch an instance with a public IPv4 address, AWS creates a public DNS name that can be used to reach the instance.
  • This DNS name is generated automatically and cannot be specified by the customer.
  • This DNS name persists only while the instance is running and cannot be transferred to another instance.
  • From outside the VPC the name resolves to the instance's public IPv4 address; from inside the VPC it resolves to the private IPv4 address, so instance-to-instance traffic stays on the internal network.

Public IP

  • A launched instance may also have a public IP address assigned.
  • This IP address is assigned from the addresses reserved by AWS and cannot be specified.
  • This IP address is unique on the Internet, persists only while the instance is running, and cannot be transferred to another instance.
  •  Your stopped or hibernated instance receives a new public IP address when it is started

Elastic IP

  • An Elastic IP address is a unique public IPv4 address on the Internet that you reserve independently and associate with an Amazon EC2 instance (more precisely, with a private IPv4 address on one of its network interfaces).
  • An Elastic IP address is static; it does not change over time.
  • This IP address persists until the customer releases it and is not tied to the lifetime or state of an individual instance.
  • By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
  • Elastic IP addresses are not supported for IPv6.
  • Historically, AWS charged a small hourly fee only for an Elastic IP address that was not in use: not associated with a running instance, associated with a stopped instance, or associated with an unattached network interface. Since February 2024 every public IPv4 address, including an Elastic IP associated with a running instance, is charged per hour, so release addresses you no longer need.
  • An Elastic IP address is for use in a specific Region only, and cannot be moved to a different Region.
  • By default, each AWS account is limited to five (5) Elastic IP addresses per Region; this is a service quota and can be raised on request.

Private IP addresses and Elastic Network Interfaces (ENIs)

  • Additional methods of addressing instances are available in the context of an Amazon VPC.
  • When you launch an instance, we allocate a primary private IPv4 address for the instance
  • Each instance is also given an internal DNS hostname that resolves to the primary private IPv4 address
  • Each instance has a default network interface (eth0) that is assigned the primary private IPv4 address.
  • You can also specify additional private IPv4 addresses, known as secondary private IPv4 addresses. Unlike primary private IP addresses, secondary private IP addresses can be reassigned from one instance to another.
  • All instances are assigned at least one private IPv4 address from the CIDR block of their subnet. A VPC CIDR is normally chosen from one of the RFC 1918 private ranges (any other range is allowed, but it may collide with publicly routable addresses):
    • 10.0.0.0 ~ 10.255.255.255 (10.0.0.0/8)
    • 172.16.0.0 ~ 172.31.255.255 (172.16.0.0/12)
    • 192.168.0.0 ~ 192.168.255.255 (192.168.0.0/16)
  • You can specify multiple private IPv4 and IPv6 addresses for your instances. It can be useful to assign multiple IP addresses to an instance in your VPC to do the following:
    • Host multiple websites on a single server by using multiple SSL certificates on a single server and associating each certificate with a specific IP address.
    • Operate network appliances, such as firewalls or load balancers, that have multiple IP addresses for each network interface.
    • Redirect internal traffic to a standby instance in case your instance fails, by reassigning the secondary IP address to the standby instance.
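A worked example of the addressing rules above, added here and not part of the AWS documentation: it validates a proposed VPC CIDR against the /16 to /28 size rule, warns when the block is not RFC 1918, and lists the five addresses AWS reserves in every subnet (the reason a /24 yields 251 usable hosts rather than 254). Standard library only; the CIDRs used are arbitrary.

```python
"""Carve a VPC CIDR into subnets the way EC2 will actually use them.

Added example, not from the AWS documentation. Standard library only.
Facts encoded:
  * an IPv4 VPC or subnet CIDR must be between /16 and /28,
  * RFC 1918 ranges are the recommended, not the only, source of a VPC CIDR,
  * in every subnet AWS reserves the first four addresses and the last one.
"""
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(cidr):
    """True if the whole CIDR lies inside one RFC 1918 private block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def check_vpc_cidr(cidr):
    """Return a list of problems with a proposed VPC CIDR (empty = acceptable).
    A non-RFC 1918 block is reported as a warning, because AWS allows it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return ["only IPv4 CIDRs are handled here"]
    problems = []
    if str(net) != cidr:
        problems.append(f"host bits set: {cidr} is not a network address (did you mean {net}?)")
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 to /28 range")
    if not is_rfc1918(net.with_prefixlen):
        problems.append(f"warning: {net} is not an RFC 1918 range (allowed, but may clash with routable addresses)")
    return problems


def subnet_plan(vpc_cidr, subnet_cidr):
    """Describe the addresses AWS reserves in `subnet_cidr` and what remains.

    Reserved in every subnet: .0 (network), .1 (VPC router), .2 (DNS
    resolver), .3 (reserved for future use) and the last address (broadcast,
    which VPCs do not support). Five addresses, so a /28 yields 16 - 5 = 11.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not net.subnet_of(vpc):
        raise ValueError(f"{net} is not inside VPC {vpc}")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"subnet prefix /{net.prefixlen} must be between /16 and /28")
    base = int(net.network_address)
    reserved = {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns_resolver": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }
    return {
        "subnet": str(net),
        "reserved": reserved,
        "first_usable": str(ipaddress.ip_address(base + 4)),
        "last_usable": str(ipaddress.ip_address(int(net.broadcast_address) - 1)),
        "usable_hosts": net.num_addresses - 5,
    }


if __name__ == "__main__":
    print(check_vpc_cidr("10.0.0.0/16"))
    print(check_vpc_cidr("203.0.113.0/24"))
    print(subnet_plan("10.0.0.0/16", "10.0.1.0/24"))
```

The .2 address matters operationally: it is the Amazon-provided DNS resolver for the VPC (the VPC base address plus two), so security groups and network ACLs that block UDP/TCP 53 to it break name resolution for every instance in the subnet.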

Elastic network interfaces

  • An elastic network interface is a logical networking component in a VPC that represents a virtual network card. It can include the following attributes:
    • A primary private IPv4 address from the IPv4 address range of your VPC
    • One or more secondary private IPv4 addresses from the IPv4 address range of your VPC
    • One Elastic IP address (IPv4) per private IPv4 address
    • One public IPv4 address
    • One or more IPv6 addresses
    • One or more security groups
    • A MAC address
    • A source/destination check flag
    • A description
  • You can create and configure network interfaces in your account and attach them to instances in your VPC.
  • When you move a network interface from one instance to another, network traffic is redirected to the new instance.
  • Each instance has a default network interface, called the primary network interface. You cannot detach a primary network interface from an instance.
  • If you have an Elastic IP address, you can associate it with one of the private IPv4 addresses for the network interface. You can associate one Elastic IP address with each private IPv4 address.
  • Termination behavior:You can specify whether the network interface should be automatically deleted when you terminate the instance to which it's attached.
  • Source/destination checking
    • You can enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives.
    • Source/destination checks are enabled by default.
    • You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
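Source/destination checking is both a correctness and a security control: left on, it silently drops traffic that a NAT instance, router or firewall appliance is supposed to forward; switched off on an ordinary instance, it lets that instance send packets with any source address. The audit below is an added example, not AWS tooling. Its two input documents are constructed to mimic the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` output, and every ID in them is made up.

```python
"""Audit EC2 source/destination checks against what the route tables expect.

Added example, not AWS tooling. ROUTE_TABLES and NETWORK_INTERFACES are
constructed to mimic `aws ec2 describe-route-tables` and
`aws ec2 describe-network-interfaces` output; every ID is made up.

Two findings matter:
  BROKEN  an ENI that is the target of a route (NAT instance, router,
          firewall appliance) but still has SourceDestCheck=true: the
          check drops every packet not addressed to the ENI itself, so
          nothing is forwarded.
  REVIEW  an ENI with SourceDestCheck=false that no route points at: the
          instance may emit packets with a spoofed source address, which
          is privilege it does not need.
"""

ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0a1", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # Default route through a NAT instance; EC2 records both IDs.
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat01",
         "NetworkInterfaceId": "eni-nat01", "State": "active"},
    ]},
    {"RouteTableId": "rtb-0b2", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # On-premises range routed through a firewall appliance's ENI.
        {"DestinationCidrBlock": "192.168.0.0/16",
         "NetworkInterfaceId": "eni-fw01", "State": "active"},
    ]},
]}

NETWORK_INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-nat01", "SourceDestCheck": True},   # route target, check still on
    {"NetworkInterfaceId": "eni-fw01",  "SourceDestCheck": False},  # route target, check off: correct
    {"NetworkInterfaceId": "eni-web01", "SourceDestCheck": False},  # nobody routes through it
    {"NetworkInterfaceId": "eni-db01",  "SourceDestCheck": True},   # ordinary instance
]}


def route_target_enis(route_tables):
    """Set of ENI IDs that some route forwards traffic to."""
    return {
        route["NetworkInterfaceId"]
        for table in route_tables["RouteTables"]
        for route in table["Routes"]
        if route.get("NetworkInterfaceId")
    }


def audit_source_dest_checks(route_tables, network_interfaces):
    """Return [(eni_id, severity, message)] for every mismatch found."""
    targets = route_target_enis(route_tables)
    findings = []
    for eni in network_interfaces["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        check_on = eni.get("SourceDestCheck", True)  # AWS default is enabled
        if eni_id in targets and check_on:
            findings.append((eni_id, "BROKEN",
                             "route target with source/dest check enabled; forwarded traffic is dropped"))
        elif eni_id not in targets and not check_on:
            findings.append((eni_id, "REVIEW",
                             "source/dest check disabled but no route forwards through this interface"))
    return findings


if __name__ == "__main__":
    for eni_id, severity, message in audit_source_dest_checks(ROUTE_TABLES, NETWORK_INTERFACES):
        print(f"{severity:6} {eni_id}: {message}")
```

A BROKEN finding is fixed with `aws ec2 modify-network-interface-attribute --network-interface-id <eni-id> --no-source-dest-check`; a REVIEW finding is worth a conversation with the owner, since the check is the only thing stopping that instance from spoofing addresses inside the VPC.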

Network cards

  • Instances with multiple network cards provide higher network performance, including bandwidth capabilities above 100 Gbps and improved packet rate performance.
  • Each network interface is attached to a network card.
  • The primary network interface must be assigned to network card index 0
  • You can create a network interface in a subnet. You can't move the network interface to another subnet after it's created, and you can only attach the network interface to instances in the same Availability Zone.

Enhanced networking

  • Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types.
  • SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.
  • Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies.
  • You can enable enhanced networking using one of the following mechanisms:
    • Elastic Network Adapter (ENA): install the ena kernel module and enable ENA support on the instance (the enaSupport attribute).
    • Intel 82599 Virtual Function (VF) interface: install the ixgbevf kernel module and enable the sriovNetSupport attribute.
  • To verify from inside the instance, run ethtool -i eth0: a driver of ena or ixgbevf means enhanced networking is active; vif means it is not.

Elastic Fabric Adapter

  • An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. 
  • An EFA is an Elastic Network Adapter (ENA) with added capabilities. It provides all of the functionality of an ENA, with an additional OS-bypass functionality.
  • OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality.
  • EFA OS-bypass traffic is limited to a single subnet.
  • EFA OS-bypass traffic is not routable.
  • The EFA must be a member of a security group that allows all inbound and outbound traffic to and from the security group itself.
  •  EFAs cannot be attached to or detached from an instance in a running state
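The security group requirement above is easy to get subtly wrong: a rule that allows "all TCP ports" from the group looks generous but does not cover EFA's OS-bypass traffic, which is neither TCP nor UDP, so the rule must be for all traffic (IpProtocol -1) and must reference the group itself in both directions. The checker below is an added example, not AWS tooling; the two group descriptions are constructed to mimic `aws ec2 describe-security-groups` output and their IDs are made up.

```python
"""Check that a security group satisfies the EFA requirement.

Added example, not AWS tooling. EFA OS-bypass traffic is not TCP or UDP,
so the rule must be "all traffic" (IpProtocol "-1"), and the group must
allow that traffic from and to its own members in both directions.
GOOD_EFA_SG / BAD_EFA_SG are constructed to mimic
`aws ec2 describe-security-groups` output; the IDs are made up.
"""

GOOD_EFA_SG = {
    "GroupId": "sg-efa0001",
    "IpPermissions": [  # inbound: all traffic from members of this same group
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-efa0001"}], "IpRanges": []},
    ],
    "IpPermissionsEgress": [  # outbound: all traffic to members of this same group
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-efa0001"}], "IpRanges": []},
    ],
}

BAD_EFA_SG = {
    "GroupId": "sg-efa0002",
    "IpPermissions": [  # looks permissive, but TCP-only misses OS-bypass traffic
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [{"GroupId": "sg-efa0002"}], "IpRanges": []},
    ],
    "IpPermissionsEgress": [  # default egress: all traffic anywhere, which covers the group too
        {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def _all_traffic_rules(permissions):
    """Rules whose protocol is -1 (all); tcp/udp rules never qualify for EFA."""
    return [rule for rule in permissions if rule.get("IpProtocol") == "-1"]


def _direction_satisfied(permissions, group_id):
    """True if some all-traffic rule covers the group's own members, either
    by referencing the group itself or by covering every address."""
    for rule in _all_traffic_rules(permissions):
        if any(p.get("GroupId") == group_id for p in rule.get("UserIdGroupPairs", [])):
            return True
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False


def _world_open(permissions):
    """True if an all-traffic rule admits 0.0.0.0/0."""
    return any(
        r.get("CidrIp") == "0.0.0.0/0"
        for rule in _all_traffic_rules(permissions)
        for r in rule.get("IpRanges", [])
    )


def efa_security_group_problems(sg):
    """Return [] if the group meets the EFA requirement, else a list of
    human-readable problems. An inbound all-traffic rule from 0.0.0.0/0
    satisfies EFA too, but is flagged because it is far broader than needed."""
    gid = sg["GroupId"]
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])
    problems = []
    if not _direction_satisfied(ingress, gid):
        problems.append("inbound: no all-traffic (IpProtocol -1) rule that references the group itself")
    elif _world_open(ingress):
        problems.append("inbound: all traffic from 0.0.0.0/0 satisfies EFA but exposes the nodes to everyone")
    if not _direction_satisfied(egress, gid):
        problems.append("outbound: no all-traffic (IpProtocol -1) rule that references the group itself")
    return problems


if __name__ == "__main__":
    for sg in (GOOD_EFA_SG, BAD_EFA_SG):
        print(sg["GroupId"], efa_security_group_problems(sg) or "OK")
```

The self-referencing inbound rule is created with `aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol -1 --source-group <group-id>` (same ID in both places); the outbound side needs the matching all-traffic rule to the group, which the default allow-all egress already satisfies if it has not been tightened.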

Placement Groups

  • There are three placement group strategies.
    • Cluster – packs instances close together inside an Availability Zone.
    • Partition – spreads your instances across logical partitions
    • Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
  • You cannot launch Dedicated Hosts in placement groups.

Cluster placement group

  • A Cluster placement group is a logical grouping of instances within a single Availability Zone.
  • A cluster placement group can't span multiple Availability Zones.
  • This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.
  • Placement groups enable applications to participate in a low-latency network with a higher per-flow throughput limit (up to 10 Gbps for TCP/IP traffic between instances in the group).
  • Recommended for applications that benefit from low network latency and high network throughput.
  • Choose an instance type that supports enhanced networking and at least 10 Gbps network performance.
  • You can launch multiple instance types into a cluster placement group, but it is recommended to use the same instance type for all instances and to launch them in a single request, which makes it more likely that the required capacity is found on suitably close hardware.

Partition placement group

  • Partition placement groups help reduce the likelihood of correlated hardware failures for your application
  • Amazon EC2 ensures that each partition within a placement group has its own set of racks: groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions.
  • This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
  • A partition placement group can have partitions in multiple Availability Zones in the same Region.
  • A partition placement group supports a maximum of seven partitions per Availability Zone.
  • A partition placement group with Dedicated Instances can have a maximum of two partitions.
2.7 Amazon EC2 NetworkOverviewRegions and ZonesAddressing an Instance Elastic network interfacesEnhanced networkingElastic Fabric AdapterPlacement GroupsTenancy OptionsReference

Spread placement group

  • A spread placement group is a group of instances that are each placed on distinct racks, with each rack having its own network and power source.
  • Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other.
  • Suitable for mixing instance types or launching instances over time.
  • A spread placement group can span multiple Availability Zones in the same Region. 
  • A spread placement group supports a maximum of seven running instances per Availability Zone.
  • Spread placement groups are not supported for Dedicated Instances.

Tenancy Options

Shared Tenancy

  • Shared tenancy is the default tenancy model for all Amazon EC2 instances
  • Shared tenancy means that a single host machine may house instances from different customers
  • Shared tenancy is still a secure tenancy model: the hypervisor fully isolates each instance from the other instances on the same host.

Dedicated Instances

  • Dedicated Instances run on hardware that’s dedicated to a single customer. 
  • A Dedicated Instance may launch on any hardware that has been dedicated to the account; you have no control over, or visibility into, which physical host is used.

Dedicated Host

  • An Amazon EC2 Dedicated Host is a physical server with Amazon EC2 instance capacity fully dedicated to a single customer’s use.
  • The customer has complete control over which specific host runs an instance at launch, and can see the host's physical sockets and cores, which matters for bring-your-own-license software that is licensed per socket or per core.

Reference

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-networking.html
