A cloud architecture requires secure and reliable network connectivity. Whether an organization hosts all its workloads in the cloud or keeps some applications and data on premises, the system will only function properly if there's a secure, reliable connection to the cloud network and between resources.
IT teams rely on public cloud networking services to manage and monitor traffic, facilitate communication across environments, protect sensitive data from public exposure and perform various other functions.
AWS offers a range of services to help cloud consumers establish and maintain network connectivity within their applications -- on premises and in the cloud. Explore these Amazon networking services to see which features meet your network requirements.
Amazon Virtual Private Cloud
Amazon Virtual Private Cloud (VPC) creates a virtual network where developers can launch resources in an isolated section of the AWS cloud. Developers use this tool to enable secure communication between different parts of the cloud network, such as instances in different subnets.
Network configuration is customizable with Amazon VPC, so developers can control configuration choices -- such as IP address range and when to use private and public subnets. Developers and administrators can also create security groups and use network access control lists to filter traffic for a more secure virtual network. IT teams use Amazon VPC to connect cloud applications to their data centers and connect corporate networks to the cloud, among other use cases.
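Security groups are where most accidental public exposure in a VPC shows up. The following audit, added here as an example and not code from the article or from AWS, walks a constructed sample in the shape of EC2 `describe_security_groups` output (group IDs are placeholders) and reports ingress rules open to the whole internet on anything other than the ports you expect to be public:

```python
"""Audit VPC security groups for world-open ingress rules (added example)."""

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"];
# the group IDs are placeholders, not real resources.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210", "GroupName": "db",
        "IpPermissions": [
            # IpProtocol "-1" means all protocols; AWS omits FromPort/ToPort here.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            # Reference to another security group: not a CIDR, so never world-open.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
             "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        ],
    },
]

WORLD = ("0.0.0.0/0", "::/0")


def world_open_rules(groups, allowed_public_ports=frozenset({80, 443})):
    """Return (group_id, protocol, port_range) for every ingress rule that admits
    traffic from any address, except single TCP ports listed as expected public."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in WORLD for c in cidrs):
                continue
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            if proto == "tcp" and lo == hi and lo in allowed_public_ports:
                continue  # an expected internet-facing service port
            ports = "all" if proto == "-1" or lo == -1 else f"{lo}-{hi}"
            findings.append((group["GroupId"], proto, ports))
    return findings


if __name__ == "__main__":
    for group_id, proto, ports in world_open_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {proto} {ports} open to the internet")
```

On a live account the same function can be fed the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()`, and the allowed-port set should match only what sits behind an internet-facing load balancer.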
Elastic Load Balancing
Elastic Load Balancing (ELB) is an Amazon service that automatically distributes incoming application traffic across multiple targets and Availability Zones. It also scales resources to meet traffic demands. ELB distributes traffic to targets, including Amazon EC2 instances, containers, IP addresses and AWS Lambda functions.
This service monitors EC2 instance health to ensure traffic is routed to properly working instances. Developers can route traffic via a public, internet-facing load balancer or through an internal load balancer for security purposes.
There are three types of load balancers within ELB -- Classic, Application and Network. Classic Load Balancer performs load balancing across EC2 instances. This is a Layer 4 load balancer that operates at the request and connection level, though it has some Layer 7 functionality. Classic Load Balancer predates the two other ELB variants and likely shouldn't be used for new deployments.
Network Load Balancer is built for load balancing traffic that requires high performance and low latency, including TCP, User Datagram Protocol and Transport Layer Security traffic. Network Load Balancer operates at a Layer 4 connection level.
Application Load Balancer is used for HTTP(S) traffic and provides routing for application architectures such as microservices and containers. This version of ELB is a Layer 7 load balancer and works at the individual request and application level.
Amazon Route 53
Amazon's scalable domain name system (DNS), Route 53, directs end users to web applications by translating domain names into numeric IP addresses. This DNS service can route users to infrastructure inside and outside of the AWS cloud.
Route 53 is IPv6 compliant and supports various routing types, such as geo-DNS, weighted round robin and latency-based routing. The Amazon Route 53 Traffic Flow feature provides a GUI for AWS cloud users to define policies for how end-user traffic is routed to applications. Route 53 also offers DNS failover, domain name registration and DNS health checks to monitor resources.
Amazon CloudFront
Amazon CloudFront is AWS' native content delivery network (CDN) service. Organizations use CloudFront to distribute content -- such as HTML and image files -- to end users at high speeds with low latency. The CDN routes each request through the AWS network to the nearest edge location to provide the fastest delivery path to end users. CloudFront also reduces the number of networks that a user's request passes through in the content delivery process.
AWS Direct Connect
AWS Direct Connect provides a private connection between a customer's on-premises data center and the AWS cloud without using the public internet. This Amazon networking service uses an Ethernet cable to connect an organization's internal workloads to one of AWS' Direct Connect locations.
This connection creates multiple virtual interfaces to Amazon's publicly accessible cloud services or to private resources hosted on AWS, while also maintaining network separation between the two environments. AWS Direct Connect is particularly useful for organizations with strict governance and compliance rules that require private connectivity.
AWS cloud users can choose between two types of connections with this service -- dedicated or hosted. The dedicated connection uses an Ethernet cable to create a connection with an individual customer. AWS cloud users request a dedicated connection through the AWS Direct Connect console, the command-line interface or the API. The hosted connection requires an AWS Direct Connect Partner to provision the physical Ethernet connection on behalf of a customer. For the hosted connection, IT teams must choose a partner in the AWS Direct Connect Delivery Partners Program.
AWS Virtual Private Network
The platform's initial VPN offering, AWS Site-to-Site VPN, creates a secure, encrypted connection between an on-premises facility and an Amazon VPC environment. AWS cloud users can also opt for the Client VPN, an elastic VPN service that enables employees to access a company's resources remotely. The Client VPN is a fully managed service that handles provisioning and capacity and scales automatically.
AWS Transit Gateway
AWS Transit Gateway is a central network hub that connects Amazon VPCs and on-premises networks across multiple accounts in a single gateway. It is useful for organizations with hybrid cloud architectures.
AWS users can centrally monitor their network with the Transit Gateway Network Manager, which provides an overview of the entire network. Data in Transit Gateway is automatically encrypted and never internet-facing. With Transit Gateway, organizations that use AWS no longer need to make individual connections for networks outside of AWS. This networking service also offers an inter-region peering feature to connect networks and share resources in different AWS regions.
AWS Global Accelerator
This Amazon networking service is built for organizations that need to boost network connectivity for globally distributed end users. AWS Global Accelerator provides a static IP address that works as a single fixed entry point and is associated with a regional endpoint. The static IP address accepts incoming traffic onto the global AWS network at the closest edge location. Global Accelerator then directs traffic to an endpoint over the most efficient path based on geographical location, application health and routing policies set by the developer.
Global Accelerator automatically redirects traffic to healthy endpoints. This service improves traffic and availability between end users and applications that run on Network and Application load balancers, EC2 instances or Elastic IP addresses.
AWS PrivateLink
This Amazon networking service provides a secure, private connection between Amazon VPCs and services that run on AWS or on premises. PrivateLink establishes a private IP address on an elastic network interface and provides a connection that protects data from public internet exposure.
PrivateLink integrates with AWS Direct Connect to provide a secure interface for on-premises applications. By blocking public exposure, PrivateLink helps mitigate certain security threats such as brute force and distributed denial-of-service attacks.