Saturday, April 21, 2018

AWS Network Security Notes


Security layers:

  1. Routing
  2. NACL (Network Access Control Lists)
  3. Security groups
  4. Host-based firewall, IDS and IPS

Routing security

  • No support for "edge to edge routing"

NACL (Network Access Control List)

  • Applied to the subnet as a whole
  • Stateless (does not remember TCP sessions)
  • As a result, must specify both ingress and egress rules
  • When you create a VPC, AWS creates a default NACL that allows all (*)
  • Allow or deny

- Protocol (TCP, UDP)
- Source/destination IP range
- Source/destination port range (e.g. ingress 80 and 22 (VPN), egress 1024-65535)

Security Groups

  • Applied to the instance.
  • Stateful
  • Therefore can specify ingress and egress rules, but no need to specify both.
  • Security group defaults: all outbound ⇒ allowed, inbound ⇒ denied
  • Therefore only allow rules, no deny rules

- Protocol (TCP, UDP)
- Source IP and port range for ingress
- Destination IP and port range only for egress

When a VPC is created, a default security group is created. Any EC2 instances that have this security group applied can talk to each other. If you launch an EC2 instance without a security group, the default will be the security group for that instance, because there must be at least one security group for each instance.
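The stateless-versus-stateful difference described above, as an added example that is not part of the original notes: a small simulator of NACL rule evaluation (ordered, first match wins, ingress and egress judged separately) beside a security group check (allow-only, reply implied). The rule numbers, CIDRs and ports are constructed for illustration.

```python
# Added example (not from the notes): simulate the rule semantics described
# above. NACLs are stateless and ordered, so a flow needs both an ingress and an
# egress match; security groups are stateful and allow-only. All rules, IPs and
# ports below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int      # NACL rules are evaluated lowest number first (unused for SGs)
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # source CIDR for ingress rules, destination CIDR for egress
    ports: tuple     # inclusive (low, high)
    action: str      # "allow" or "deny"; security groups only ever hold "allow"

def rule_matches(rule, protocol, addr, port):
    return (rule.protocol in ("all", protocol)
            and ip_address(addr) in ip_network(rule.cidr)
            and rule.ports[0] <= port <= rule.ports[1])

def nacl_decision(rules, protocol, addr, port):
    """First matching rule wins; the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, addr, port):
            return rule.action
    return "deny"

def nacl_allows_flow(ingress, egress, client_ip, client_port, server_port):
    """Stateless: the client's request and the server's reply are judged separately."""
    request = nacl_decision(ingress, "tcp", client_ip, server_port)
    reply = nacl_decision(egress, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"

def sg_allows_flow(ingress, client_ip, server_port):
    """Stateful: once the request is allowed, the reply is allowed automatically."""
    return any(rule_matches(r, "tcp", client_ip, server_port) for r in ingress)

# Constructed rule sets. Rule 90 shows an explicit deny beating the later allow;
# the "broken" egress list forgot the ephemeral port range the replies use.
NACL_IN = [Rule(90, "all", "198.51.100.0/24", (0, 65535), "deny"),
           Rule(100, "tcp", "0.0.0.0/0", (80, 80), "allow"),
           Rule(110, "tcp", "0.0.0.0/0", (22, 22), "allow")]
NACL_OUT_BROKEN = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(200, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]
SG_IN = [Rule(0, "tcp", "0.0.0.0/0", (80, 80), "allow")]
```

With the broken egress list a web request is accepted on the way in but its reply is dropped on the way out, which is exactly the symptom of forgetting that NACLs do not track sessions.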

A load balancer needs to initiate connections to the backend EC2 servers in the container cluster, which receive traffic on the port specified by the container. Containers have the ability to select an ephemeral port to receive traffic from the LB: dynamic port mapping.

These are notes created from the video tutorial [1]. I would like to recommend this for AWS beginners who want more details.

  1. Networking in Amazon Web Services AWS LiveLessons, by Richard A. Jones. Publisher: Addison-Wesley Professional. Release date: December 2017. ISBN: 013485084X

Friday, April 20, 2018


I would like to recommend reading "IP explained" before reading this.


  • Logically isolated
  • Independent network with no access to the Internet
  • Each region comes with a default VPC per account.
  • Limited to a single region
  • Within the region all the availability zones can be used.
  • Maximum of 5 VPCs per region
  • Maximum of 200 subnets per region
  • A subnet is created only for a particular availability zone within the region.
  • When creating subnets, the subnet range should be a subset of the VPC IP range.
  • For each subnet, AWS keeps 5 IP addresses.

Here is the subnet calculator.

AWS reserves the first 4 and the last IP address:
For the subnet's range within the VPC, the following addresses are reserved by AWS:

  2. (router)
  5. (broadcast)
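The subnet rules from the list above (inside the VPC range, per availability zone, 200 per region, 5 addresses kept by AWS), as an added example that is not part of the original notes: a planner that validates a proposed subnet and reports how many hosts it can actually hold. Region names, AZ names and CIDRs are constructed.

```python
# Added example (not from the notes): check a planned subnet against the rules
# listed above (inside the VPC range, no overlap with existing subnets, one AZ in
# the VPC's region, at most 200 subnets, AWS keeps 5 addresses) and list the
# addresses AWS reserves. All CIDRs, regions and AZ names are constructed.
from ipaddress import ip_network

AWS_RESERVED_PER_SUBNET = 5   # the first four addresses plus the last one
MAX_SUBNETS_PER_REGION = 200

def reserved_addresses(cidr):
    """The first four addresses (the second is the router) and the last (broadcast)."""
    net = ip_network(cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]

def plan_subnet(vpc_cidr, region, existing, new_cidr, az):
    """existing: list of (cidr, az) already in the VPC.
    Returns (ok, usable_hosts, problems)."""
    vpc = ip_network(vpc_cidr)
    new = ip_network(new_cidr)
    problems = []
    if not new.subnet_of(vpc):
        problems.append(f"{new} is not inside the VPC range {vpc}")
    for cidr, _ in existing:
        if new.overlaps(ip_network(cidr)):
            problems.append(f"{new} overlaps existing subnet {cidr}")
    if not az.startswith(region):
        problems.append(f"AZ {az} is not in the VPC's region {region}")
    if len(existing) + 1 > MAX_SUBNETS_PER_REGION:
        problems.append(f"more than {MAX_SUBNETS_PER_REGION} subnets in the region")
    usable = new.num_addresses - AWS_RESERVED_PER_SUBNET
    if usable <= 0:
        problems.append(f"{new} has no usable addresses once AWS reserves {AWS_RESERVED_PER_SUBNET}")
    return not problems, max(usable, 0), problems
```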

Subnet high availability can be gained as follows. For example, a classic three-tier application:

  1. Public tier with load balancing and proxy
  2. Application tier
  3. Database tier

can then achieve the following architectural attributes:
- Isolation
- High availability
- Fault tolerance


Routing is the communication channel within a network or between different networks. Basically, traffic can flow from one place to another. A route table is created automatically when a VPC is created, even if the communication channel is not created yet.

Every VPC has to have at least one route table, the default route table: the main route table. The default route table is important because if you create a new subnet, it falls into the default route table automatically. A router can be used to connect to the Internet, another VPC, or a VPN.

There are 6 things needed to access the Internet:
1. Internet gateway (IGW)
2. Attach the IGW to the VPC
3. Route table
4. Route → IGW
5. Associate the route table with the subnet
6. Assign a public IP

As a best practice, keep the main route table private because, when a new subnet is created, it defaults to this table.
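The six conditions listed above together with the main-route-table caveat, as an added example that is not part of the original notes: a small audit that walks a VPC description, resolves which route table a subnet really uses (explicit association or fallback to main), checks the IGW route and attachment and the public IP, and warns when Internet reachability comes only through the main table. All resource ids, CIDRs and the VPC layout are constructed.

```python
# Added example (not from the notes): audit whether instances in a subnet can
# reach the Internet by walking the six conditions listed above, and flag the
# case the best-practice note warns about: a subnet that is only implicitly
# associated with a main route table that carries an Internet route. All ids,
# CIDRs and the VPC layout are constructed.
from ipaddress import ip_network

def effective_route_table(vpc, subnet_id):
    """An explicit association wins; otherwise the subnet falls to the main table."""
    for rt in vpc["route_tables"]:
        if subnet_id in rt["subnets"]:
            return rt, True
    main = next(rt for rt in vpc["route_tables"] if rt["main"])
    return main, False

def internet_access(vpc, subnet_id, has_public_ip):
    """Return (reachable, findings); findings lists failed or risky conditions."""
    findings = []
    rt, explicit = effective_route_table(vpc, subnet_id)
    default = next((r for r in rt["routes"]
                    if ip_network(r["dest"]) == ip_network("0.0.0.0/0")), None)
    if default is None or not default["target"].startswith("igw-"):
        findings.append(f"{rt['id']}: no 0.0.0.0/0 route to an Internet gateway")
    elif default["target"] not in vpc["attached_igws"]:
        findings.append(f"{rt['id']}: route target {default['target']} is not attached to the VPC")
    if not has_public_ip:
        findings.append("instance has no public IPv4 address")
    reachable = not findings
    if reachable and not explicit:
        findings.append("WARNING: reachable via the main route table; new subnets become public by default")
    return reachable, findings

# Constructed VPC with the anti-pattern: the main route table carries the IGW route.
VPC = {
    "attached_igws": {"igw-0example"},
    "route_tables": [
        {"id": "rtb-main", "main": True, "subnets": [],
         "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                    {"dest": "0.0.0.0/0", "target": "igw-0example"}]},
        {"id": "rtb-private", "main": False, "subnets": ["subnet-db"],
         "routes": [{"dest": "10.0.0.0/16", "target": "local"}]},
    ],
}
```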

Auto-assign public IPv4
- From the Amazon pool
- These are transient: when you terminate the EC2 instance and start it again, a new IPv4 address will be allocated.
- Can inherit from the subnet

Elastic IP
- Allocated from the Amazon pool.
- Static
- Re-assignable from instance to instance.

Network address translation (NAT): a public IP address is mapped to the private address of the EC2 instance.

IPv6
- All public.
- Range is decided by Amazon (IPv6 ::/56)

NAT Gateway

Egress-only communication: the EC2 instance can access the Internet, but nothing from the Internet side can access the EC2 instance. One-way communication.

Egress-only Internet Gateway

For IPv6, you only need to create an egress-only Internet gateway. No need for NAT.

Access Amazon services

If your EC2-hosted application needs to access AWS managed services:
- Mainly via a NAT gateway (public IPs)
- Only S3 and DynamoDB have VPC endpoints provided.

These are notes created from the video tutorial [1]. This is one of the best in the market. I would like to recommend this for AWS beginners.

  1. Networking in Amazon Web Services AWS LiveLessons, by Richard A. Jones. Publisher: Addison-Wesley Professional. Release date: December 2017. ISBN: 013485084X

Monday, April 16, 2018

Blog Writing Workflows

I have used the Markdown blog writer workflow for Blogger for around two years. The main problem with this approach was image manipulation: I had to upload the images to Google Photos separately. Later I found the iPic image upload app, which works with Typora. However, the following two workflows are more efficient, as I found.

Blog workflow

This is how I create my new blog posts. The basic tools are as follows:

  • iPad
  • Apple pencil
  • MWeb app

Here are the benefits of this workflow:

  • I can work on the same document on both the iPad and the Mac.
  • MWeb supports images and math in my documents.
  • In addition, MWeb publishes the blog post to my Blogger site.
  • The best part is that images are automatically uploaded to Google Photos.
  • The same post can be published a number of times, and MWeb keeps track of images without duplicating them.
  • I use third-party apps such as GoodNotes 4 to create diagrams. For example, the following diagram was drawn with the DrawExpress app.

As shown in the above diagram, MWeb syncs the markup documents via iCloud. The process has been simplified compared to my previous approach with StackEdit:
1. Edit the doc on either the iPad or the Mac
2. You can add maths using apps such as MathPad, as well as images
3. On the Mac, publish the doc as a blog post

There is no limit to republishing. If you replace an image with a new one, it changes in the blog as well, but the image that was replaced will remain in Google Photos: you have to delete it manually.

Alternative workflow

There is another workflow. You can write and add maths, for example with MyScript Math Sample, in MS Word on the iPad.
1. Create a docx document using MS Word on the iPad with the Apple Pencil.
2. Copy the doc to the Mac.
3. Use pandoc to convert the document to Markdown format.
4. Publish the Markdown document as a blog post to Blogger.

    pandoc --extract-media=images --wrap=none -s example.docx -t markdown -o

However, in this workflow, I haven't found a way to create fenced code blocks.

I have found a few other interesting tools which are worth considering:

I tested Byword, which is not as good as MWeb. It doesn't support picture upload, nor publishing the same blog post again and again with new content. This was unexpected because most websites rank it as one of the best, but it is not.