Concept

Essential Networking Knowledge

AZ and Region concepts
VPC fundamentals
Public vs Private subnets
NAT and Source/Destination Checks
Routing tables (default and local routes)
IPv4 addressing and subnet masks (/16, /24)
Basic networking terms (MAC address, ports, gateways vs routers)

OSI Model Layers

Physical (Layer 1) - Physical cables
Data Link (Layer 2) - MAC addresses
Network (Layer 3) - IP, IPX, ARP
Transport (Layer 4) - TCP
Session (Layer 5)
Presentation (Layer 6)
Application (Layer 7) - Web browsers, HTTP

Mnemonic: "Please Do Not Throw Sausage Pizza Away"

TLS runs ON TOP OF TCP:

Application Data
    ↓
TLS Encryption (Layer 6)
    ↓
TCP Segments (Layer 4)
    ↓
IP Packets (Layer 3)

AWS Responsibility Demarcation

AWS responsibility: Generally Layers 1-2
Customer responsibility: Generally Layers 3-7
Some overlap exists at the boundary
Virtual components (like ENIs) span both zones

Network Protocols

TCP
- Connection-based
- Stateful
- Acknowledges receipt
- Example: Web traffic
UDP
- Connectionless
- Stateless
- No acknowledgment required
- Used in: Streaming media, DNS
ICMP
- Network device communication
- Used for: ping, traceroute
- Network health monitoring

Ephemeral Ports

Short-lived transport protocol ports
Range: Usually 49152-65535
Above well-known ports (1024+)
OS-dependent default settings
Important for NACL and security group configuration

VPC Reserved IP Addresses

In each subnet, five IPs are reserved:

Network address (.0)
VPC router (.1)
AWS DNS (.2)
Future use (.3)
Broadcast address (last IP)

Note: Numbers are positional, not absolute

Availability Zone Assignment

Physical-to-logical AZ mapping is account-specific

Benefits:
- Load balancing across datacenters
- Enhanced security through randomization
- Example: us-west-2a may differ between accounts

Chain of Trust vs Certificate Authentication

Certificate Authentication Process

Complete process includes:

1. Chain of Trust Validation    ← Verify signing hierarchy
2. Certificate Expiration Check ← Is it still valid?
3. Revocation Status Check      ← Has it been revoked?
4. Hostname Verification        ← Does it match the domain?
5. Cryptographic Verification   ← Valid signatures?
6. Key Usage Validation         ← Proper certificate purpose?

Chain of Trust Validation (Step 1)

Specific process:

Website Certificate
    ↓ (signed by)
Intermediate CA Certificate
    ↓ (signed by)
Root CA Certificate
    ↓ (trusted by)
Browser/OS Trust Store

Validation steps:

Check website cert was signed by intermediate CA
Check intermediate CA cert was signed by root CA
Verify root CA is in trusted store
Validate all signatures in the chain

PreviousNetworking NextIP Address allocation

Last updated 7 months ago

hashtagEssential Networking Knowledge

hashtagOSI Model Layers

hashtagAWS Responsibility Demarcation

hashtagNetwork Protocols

hashtagEphemeral Ports

hashtagVPC Reserved IP Addresses

hashtagAvailability Zone Assignment

hashtagChain of Trust vs Certificate Authentication

hashtagCertificate Authentication Process

hashtagChain of Trust Validation (Step 1)