Concept

Essential Networking Knowledge

  • AZ and Region concepts

  • VPC fundamentals

  • Public vs Private subnets

  • NAT and Source/Destination Checks

  • Routing tables (default and local routes)

  • IPv4 addressing and subnet masks (/16, /24)

  • Basic networking terms (MAC address, ports, gateways vs routers)

OSI Model Layers

  1. Physical (Layer 1) - Physical cables

  2. Data Link (Layer 2) - MAC addresses

  3. Network (Layer 3) - IP, IPX, ARP

  4. Transport (Layer 4) - TCP

  5. Session (Layer 5)

  6. Presentation (Layer 6)

  7. Application (Layer 7) - Web browsers, HTTP

Mnemonic: "Please Do Not Throw Sausage Pizza Away"

TLS runs ON TOP OF TCP:

  Application Data
      ↓
  TLS Encryption (Layer 6)
      ↓
  TCP Segments (Layer 4)
      ↓
  IP Packets (Layer 3)

AWS Responsibility Demarcation

  • AWS responsibility: Generally Layers 1-2

  • Customer responsibility: Generally Layers 3-7

  • Some overlap exists at the boundary

  • Virtual components (like ENIs) span both zones

Network Protocols

  1. TCP

    • Connection-based

    • Stateful

    • Acknowledges receipt

    • Example: Web traffic

  2. UDP

    • Connectionless

    • Stateless

    • No acknowledgment required

    • Used in: Streaming media, DNS

  3. ICMP

    • Network device communication

    • Used for: ping, traceroute

    • Network health monitoring

Ephemeral Ports

  • Short-lived transport protocol ports

  • Range: Usually 49152-65535

  • Above well-known ports (1024+)

  • OS-dependent default settings

  • Important for NACL and security group configuration

VPC Reserved IP Addresses

In each subnet, five IPs are reserved:

  1. Network address (.0)

  2. VPC router (.1)

  3. AWS DNS (.2)

  4. Future use (.3)

  5. Broadcast address (last IP)

Note: .0 through .3 are offsets from the subnet's first address, not fixed last-octet values

Availability Zone Assignment

  • Physical-to-logical AZ mapping is account-specific

  • Benefits:

    • Load balancing across datacenters

    • Enhanced security through randomization

    • Example: us-west-2a may differ between accounts

Chain of Trust vs Certificate Authentication

Certificate Authentication Process

Complete process includes:

1. Chain of Trust Validation    ← Verify signing hierarchy
2. Certificate Expiration Check ← Is it still valid?
3. Revocation Status Check      ← Has it been revoked?
4. Hostname Verification        ← Does it match the domain?
5. Cryptographic Verification   ← Valid signatures?
6. Key Usage Validation         ← Proper certificate purpose?

Chain of Trust Validation (Step 1)

Specific process:

Website Certificate
    ↓ (signed by)
Intermediate CA Certificate
    ↓ (signed by)
Root CA Certificate
    ↓ (trusted by)
Browser/OS Trust Store

Validation steps:

  1. Check website cert was signed by intermediate CA

  2. Check intermediate CA cert was signed by root CA

  3. Verify root CA is in trusted store

  4. Validate all signatures in the chain
