#vpc | Amazon VPC (1)

Define virtual networks in the cloud. For example, to deploy your application into a private subnet not reachable from the Internet.

Detecting connectivity anomalies with CloudWatch Internet Monitor

Imagine customer support informs you that some customers can no longer access your web application. Immediately you check the monitoring, but no abnormalities are visible on the dashboard. No alarm has been triggered. So, what’s the problem? The number ...

Monitor VPC NAT gateways with CloudWatch metrics and alarms

Many VPC designs make use of public and private subnets. A NAT gateway is needed to communicate from a private subnet with the Internet. A VPC NAT gateway is a finite resource that can be exhausted. That’s why you need to add monitoring to be alerted i...

How to create a security group allowing traffic from CloudFront only?

It is one of those problems for which there has been no satisfactory solution for years. How do you ensure that only CloudFront is granted access to an Elastic Load Balancer - CLB, ALB, or NLB? Without the ability to restrict incoming traffic, all of Cl...

What Architects Need to Know About Networking on AWS

As an architect, you may not have thought too much about the network management before. At least that’s how it used to be for me. But since I’ve been designing architectures for AWS, network structure has become much more important to me. With Amazon V...

Does your VPC endpoint allow access to half of the Internet?

Are you using VPC endpoints to enable private connections between your VPC and AWS services? Drop everything and check the policy attached to your VPC Endpoint for S3. You might have allowed access to half of the Internet - assuming that half of the Int...

AWS Client VPN: Connected with the Cloud

Everybody talks about remote work those days. A fundamental prerequisite is to provide secure connectivity to your infrastructure. No matter if only a few engineers or users need to access resources within a private network. About two years ago, AWS ann...

Debugging a VPC: Security Groups, Network ACLs, and Routing Tables

Configuring a VPC (Virtual Private Cloud) and firewalls (Security Groups and Network ACLs) is tricky. What to do when you cannot find the cause for a connection refused or connection timed out error when connecting to an EC2 instance, RDS database insta...

Getting started with IPv6 on AWS

In mid-2019, AWS paid ~$108M to access 4 million IPv4 addresses from Amateur Radio Digital Communications - $27 per IP address. The reason why AWS spends so much money on IPv4 addresses is simple: There are no free IPv4 addresses that regional internet ...

(Erratum) VPC Endpoint increases DynamoDB latency by 30%

Our reader Tom wrote in to tell me, that the latency for read requests to DynamoDB increased significantly after enabling a VPC endpoint a few weeks ago. Someone else reported a similar problem in the AWS discussion forums as well. Therefore, I started ...

Advanced AWS Networking: Pitfalls That You Should Avoid

AWS offers shiny and powerful networking services. However, you should know about the pitfalls when designing advanced networking architectures for AWS. I will share some pitfalls that came to my attention when consulting clients to get the most out of ...

Review: AWS Global Accelerator - Improving Latency and Design for Failure

The Cloud is all about networking. AWS introduced Global Accelerator at re:Invent in 2018. A year after that, it is about time to review the service. AWS Global Accelerator makes use of Amazon’s worldwide infrastructure and is designed to improve the pe...

Fargate networking 101

Fargate runs Docker containers on AWS. ECS is responsible for orchestrating the containers that Fargate runs. If you are new to Fargate, I recommend you to read: ECS vs. Fargate: What’s the difference?. ECS and Fargate offer deep integration with other ...

My mental model of AWS

AWS is a complex system that no one can understand end-to-end? As AWS professionals we still have to deal with the AWS system daily. We design for AWS, and we debug our applications running in AWS. How can we deal with a system that is too complex to un...

EC2 Network Performance of t3

AWS introduced the t3 instance type in August. Time to update the EC2 Network Performance Cheat Sheet. The following table shows the network capabilities of t3 instances. Compared to the last generation t2 there is no difference in the baseline through...

Behind the scenes of the EC2 network performance benchmark

What is the maximum network throughput you can expect from an EC2 instance of type t2.large? How much does the network performance increase when switching from a t2.large to m5.large instance? All these kind of questions are hard to answer, as AWS does ...

Serverless pattern: accessing public and private resources

Crossing the chasm between the old world - virtual machines isolated within a private network - and the new world - Serverless making use of publicly accessible APIs only - can be tricky. On the one hand, it is possible to configure VPC access for AWS L...

EC2 Network Performance Cheat Sheet

What is the maximum network throughput of your EC2 instance? The answer to this question is key to choosing the type of an instance or defining monitoring alerts on network throughput. Unfortunately, you will only find very vague information about the ...

Evolution of the EC2 Network Performance: m3, m4, and m5

AWS announces new generations of EC2 instances from time to time. Typically, each generation offers better performance at lower costs. This article discusses the networking capabilities of the general purpose instances over time. Spoiler alert: you can ...

EC2 network performance demystified: m3 and m4

AWS offers EC2 instances in different sizes, defined by the instance type. How do you decide which instance type to use? Do you need an m4.large or m4.xlarge instance? At least the following factors should affect your decision: How much memory does the...

Beyond the default: a Multi-VPC architecture

I created my first AWS account on December 23, 2012. The one thing that surprised me most was the possibility to define private networks with Virtual Private Cloud (VPC). As this allowed me creating isolated areas, a fundamental prerequisite for buildin...