Thursday, January 3, 2019

Difference between Internet Gateway and NAT Gateway (Internet Gateway vs NAT Gateway)

There is a minor and confusing difference between Internet Gateway and NAT Gateway. Below are some points to illustrate the difference between both:

1. Internet Gateway is used to connect a VPC to the internet while a NAT Gateway is used to connect the private subnet to the internet (through public subnet and Internet Gateway).

2. A NAT Gateway cannot work without an Internet Gateway. Your VPC must have an Internet Gateway; otherwise the NAT Gateway has no path to send traffic to the internet. A NAT Gateway should always be launched in a public subnet, that is, a subnet whose route table has a route out to the Internet Gateway. If there is no route out to the Internet Gateway, the NAT Gateway will not be able to connect the instances in the private subnet to the internet.

3. NAT Gateway and NAT Instances only support IPv4 addresses while Internet Gateway supports both.

4. A NAT Gateway supports only one-way communication (connections initiated from the private subnet to the internet, not vice versa), while an Internet Gateway supports both inbound and outbound traffic.

I have written a detailed article on NAT Gateway and NAT Instances here. Hope this might help.

Difference between NAT Instances and NAT Gateways (NAT Instances vs NAT Gateways)

NAT stands for Network Address Translation.

We launch many instances in private subnets in the VPC for security reasons. These instances cannot communicate with the internet. But there are many scenarios in which these instances need to connect to the internet, such as patch updates, software installation, connecting to a Git repository, etc. In these scenarios we need to make these instances able to communicate with the internet.

NAT Instances and NAT Gateways come in handy in these cases. They allow only outbound traffic to the internet and restrict inbound traffic from the internet. This means our instances in the private subnet can make connections to the internet, but nobody on the internet can initiate a connection to our instances in the private subnet.

Below are some basic points and differences between NAT Instances and NAT Gateways:

NAT Instances

1. A NAT instance is an EC2 instance and is launched like any other EC2 instance from the AWS console.

2. It should always be launched in the public subnet.

3. Once launched, you need to manually disable the source/destination check (this option is available under Actions >> Networking). This is because the instance will be sending and receiving traffic on behalf of other instances, so the source and/or destination of that traffic is not the instance itself.

4. You need to manage this instance yourself like you manage your EC2 instances.

5. NAT instance should be assigned an Elastic IP (but you can also use public IP).

NAT Gateway

1. Managed by AWS (you need to manage NAT instances yourself).

2. Always deploy your NAT Gateway in public subnet.

3. You must allocate Elastic IP to your NAT Gateway (you can allocate public IP to NAT instances).

4. In the main Route Table of your VPC (or the Route Table associated with the private subnet), add a route out to this NAT Gateway: Destination 0.0.0.0/0, Target the NAT Gateway.

5. You cannot assign security groups to NAT Gateway (you can assign security groups to NAT instances).

6. You need one in each AZ since they only operate in a single AZ.

Note: Both NAT Instances and NAT Gateway only support IPv4 traffic (not IPv6).

Documentation:

  • NAT Instances
  • NAT Gateway
  • Difference between NAT Instance and NAT Gateway
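The one-way behaviour described above (outbound connections are translated and allowed, unsolicited inbound packets are dropped) comes from the translation table a NAT device keeps. The following is an added example that models that table in plain Python; it is not AWS code, and the addresses (instance 10.0.2.15, Elastic IP 203.0.113.10, remote hosts 198.51.100.7 and 192.0.2.99) are constructed documentation-range values.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Source NAT with a translation table, as a NAT gateway or NAT instance does.

    Outbound packets from the private subnet get their source rewritten to the
    gateway's Elastic IP and a gateway-chosen port. Inbound packets are only
    forwarded when they are the reply to a connection already in the table;
    anything unsolicited is dropped, which is why the private subnet is never
    reachable from the internet except for replies.
    """

    def __init__(self, elastic_ip, first_port=1024):
        self.elastic_ip = elastic_ip
        self._ports = itertools.count(first_port)
        # (private ip, private port, remote ip, remote port) -> port on the EIP
        self._out = {}
        # port on the EIP -> (private ip, private port, remote ip, remote port)
        self._in = {}

    def outbound(self, pkt):
        """Translate a packet leaving the private subnet (always allowed)."""
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if conn not in self._out:
            port = next(self._ports)
            self._out[conn] = port
            self._in[port] = conn
        return Packet(self.elastic_ip, self._out[conn], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the internet; None means dropped."""
        if pkt.dst_ip != self.elastic_ip:
            return None
        conn = self._in.get(pkt.dst_port)
        # Only the remote endpoint the instance talked to may send the reply.
        if conn is None or (pkt.src_ip, pkt.src_port) != (conn[2], conn[3]):
            return None
        return Packet(pkt.src_ip, pkt.src_port, conn[0], conn[1])


def demo():
    """Constructed addresses: instance 10.0.2.15, EIP 203.0.113.10, remote 198.51.100.7."""
    nat = NatGateway("203.0.113.10")
    # The private instance opens an HTTPS connection (e.g. to fetch updates).
    request = nat.outbound(Packet("10.0.2.15", 40001, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.10", request.src_port))
    # An internet host trying to reach SSH on the instance through the EIP.
    unsolicited = nat.inbound(Packet("198.51.100.7", 50000, "203.0.113.10", 22))
    # A third party guessing the mapped port cannot hijack the connection either.
    spoofed = nat.inbound(Packet("192.0.2.99", 443, "203.0.113.10", request.src_port))
    return {"request": request, "reply": reply, "unsolicited": unsolicited, "spoofed": spoofed}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:11s} -> {'dropped' if pkt is None else pkt}")
```

Running the demo shows the request leaving with source 203.0.113.10:1024, the reply being translated back to 10.0.2.15:40001, and both the unsolicited SSH packet and the spoofed reply being dropped; no rule in the gateway ever has to be written for the "deny inbound" case, because a packet with no table entry simply has nowhere to go.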

Difference between CloudSearch and ElasticSearch in AWS (CloudSearch vs ElasticSearch)

Both CloudSearch and ElasticSearch use powerful underlying search engines and enable you to search and analyze the data. Both are listed under the Analytics services in AWS console. Below are the basic differences between CloudSearch and ElasticSearch: 

CloudSearch

1. Custom search service for your website or application.

2. CloudSearch uses open source Apache Solr as the underlying search engine.

3. Supports 34 languages and popular search features such as highlighting, autocomplete, and geospatial search.

4. It requires data to be loaded as documents and is good for full-text search, with an understanding of languages and grammar (for example synonyms, words to ignore, etc.).

5. You can create a search domain and upload the data that you want to make searchable, and Amazon CloudSearch will automatically provision the required resources and deploy a highly tuned search index.

ElasticSearch

1. The service offers open-source Elasticsearch APIs, managed Kibana, and integrations with Logstash (ELK stack) and other AWS Services, enabling you to securely ingest data from any source and search, analyze, and visualize it in real time.

2. It is commonly used for near real-time visualization of log files and data analytics.

3. The service also offers built-in integrations with other AWS services such as Amazon Kinesis Data Firehose, AWS IoT, and Amazon CloudWatch Logs for data ingestion; AWS CloudTrail for auditing; Amazon VPC, AWS KMS, Amazon Cognito, and AWS IAM for security.

Difference between Route53 and ELB in AWS (Route53 vs ELB)

Both Route53 and ELB are used to distribute the network traffic. These AWS services appear similar but there are minor differences between them. 

1. ELB distributes traffic among multiple Availability Zones but not across multiple Regions. Route53 can distribute traffic among multiple Regions. In short, ELBs are intended to load balance across EC2 instances in a single region, whereas DNS load balancing (Route53) is intended to help balance traffic across regions.

2. Both Route53 and ELB perform health checks and route traffic only to healthy resources. Route53 weighted routing has health checks and removes unhealthy targets from its list. However, DNS responses are cached, so an unhealthy target will remain in visitors' caches for some time. ELB, on the other hand, is not subject to this caching and removes unhealthy targets from the target group immediately.

Use both Route53 and ELB: Route53 provides integration with ELB. You can use both Route53 and ELB in your AWS infrastructure. If you have AWS resources in multiple regions, you can use Route53 to balance the load among those regions. Inside the region, you can use ELB to load balance among the instances running in various Availability Zones.

For more details on Route53 and ELB, you can visit my following articles:

Route53: Domain Name System (DNS) from AWS

AWS ELB (Elastic Load Balancer)

Wednesday, January 2, 2019

AWS VPC Security: Difference between Security Group and ACL (Security Group vs ACL)

Security Groups and ACLs (Access Control Lists) provide security to resources launched in a VPC. Below are the basic differences between a Security Group and an ACL:

Security Group

1. Acts as a virtual firewall at the instance level.

2. The Security Group acts as the first layer of defense in a VPC.

3. One instance can be associated with multiple security groups.

4. Whenever we create a VPC, a default Security Group is created.

5. If we don't associate an instance with any security group, the default security group that was created with the VPC is automatically associated with it.

6. Stateful: Return traffic is automatically allowed, regardless of any rules.

7. Supports allow rules only.

8. We evaluate all rules before deciding whether to allow traffic.

9. Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on.

10. Basic ports to remember:

  • SSH - 22 (Mainly for Linux Server)
  • RDP - 3389 (Mainly for Windows Server)
  • SMTP - 25 (Mail Server)
  • HTTP - 80
  • HTTPS - 443
  • All traffic - 0 – 65535

NACL (Network Access Control List)

1. Acts as a virtual firewall at the subnet level.

2. A NACL acts as a second (optional) layer of defense (after the Security Group) in a VPC.

3. One subnet can be associated with only one NACL while one NACL can be associated with multiple subnets.

4. Whenever we create a VPC, a default NACL is created.

5. If we don't associate a subnet with any NACL, the default NACL that was created with the VPC is automatically associated with it.

6. Stateless: Return traffic must be explicitly allowed by rules.

7. Supports allow rules and deny rules.

8. We process rules in number order when deciding whether to allow traffic.

9. Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group).
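Points 6, 7 and 8 of each list (stateful vs stateless, allow-only vs allow/deny, all rules evaluated vs first match in number order) decide whether a given packet gets through, and the difference is easiest to see on a concrete flow. The following added example, not AWS code, models both evaluation strategies in Python and runs the same packets through each. Rule tuples and the addresses (198.51.100.7, 203.0.113.0/24) are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = from the remote host to the instance, "out" = the reverse
    remote_ip: str
    remote_port: int
    local_port: int

    @property
    def dst_port(self):
        """Rules match the destination port of the packet in its direction of travel."""
        return self.local_port if self.direction == "in" else self.remote_port


def reply_to(pkt):
    """The return packet of pkt: same endpoints, opposite direction."""
    return Packet("in" if pkt.direction == "out" else "out",
                  pkt.remote_ip, pkt.remote_port, pkt.local_port)


def _matches(pkt, cidr, lo, hi):
    return (ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(cidr)
            and lo <= pkt.dst_port <= hi)


class SecurityGroup:
    """Stateful and allow-only: every rule is evaluated, any match allows, and the
    return traffic of an allowed connection passes without needing a rule."""

    def __init__(self, rules):
        self.rules = rules            # (direction, cidr, port_from, port_to)
        self._tracked = set()         # connections that were allowed once

    def allows(self, pkt):
        conn = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if conn in self._tracked:
            return True
        for direction, cidr, lo, hi in self.rules:
            if direction == pkt.direction and _matches(pkt, cidr, lo, hi):
                self._tracked.add(conn)
                return True
        return False


class NetworkAcl:
    """Stateless: rules are processed in number order, the first match decides,
    deny rules exist, and return traffic needs its own rule (the ephemeral ports)."""

    def __init__(self, rules):
        # (number, direction, action, cidr, port_from, port_to); numbers are per direction
        self.rules = sorted(rules, key=lambda r: (r[1], r[0]))

    def allows(self, pkt):
        for _number, direction, action, cidr, lo, hi in self.rules:
            if direction == pkt.direction and _matches(pkt, cidr, lo, hi):
                return action == "allow"
        return False                  # the implicit '*' rule at the end denies


def demo():
    """Constructed addresses (198.51.100.7 and 203.0.113.0/24 are documentation ranges)."""
    request = Packet("out", "198.51.100.7", 443, 50123)   # instance fetching updates
    reply = reply_to(request)

    sg = SecurityGroup([("out", "0.0.0.0/0", 443, 443)])
    sg_result = (sg.allows(request), sg.allows(reply))

    # Same outbound rule as a NACL: the reply is dropped until an inbound rule
    # for the ephemeral port range 1024-65535 is added.
    acl_missing_ephemeral = NetworkAcl([(100, "out", "allow", "0.0.0.0/0", 443, 443)])
    acl_with_ephemeral = NetworkAcl([(100, "out", "allow", "0.0.0.0/0", 443, 443),
                                     (100, "in", "allow", "0.0.0.0/0", 1024, 65535)])
    acl_result = (acl_missing_ephemeral.allows(request),
                  acl_missing_ephemeral.allows(reply),
                  acl_with_ephemeral.allows(reply))

    # Rule numbering: a deny for one range only works if it is numbered before the allow-all.
    probe = Packet("in", "203.0.113.5", 40000, 22)
    deny_first = NetworkAcl([(100, "in", "deny", "203.0.113.0/24", 0, 65535),
                             (200, "in", "allow", "0.0.0.0/0", 0, 65535)])
    allow_first = NetworkAcl([(100, "in", "allow", "0.0.0.0/0", 0, 65535),
                              (200, "in", "deny", "203.0.113.0/24", 0, 65535)])
    order_result = (deny_first.allows(probe), allow_first.allows(probe))

    return {"security_group": sg_result, "nacl": acl_result, "nacl_order": order_result}


if __name__ == "__main__":
    print(demo())
```

With the single outbound HTTPS rule, the security group passes both the request and its reply, while the NACL passes the request and drops the reply until the inbound ephemeral-port rule exists; the ordering check shows the same two rules producing opposite results depending on their numbers, which is why NACL deny rules are placed before the broad allows.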

VPC and Subnets: AWS Networking Services

VPC (Virtual Private Cloud) and Subnets are very important concepts under AWS Networking Services. All your AWS resources are defined in a VPC. Below are some basic points about VPC and Subnets:

VPC

1. It is a logically isolated virtual network (sub-cloud) for you in AWS cloud. All your AWS resources are defined in a particular VPC.

2. You can select your own IP addresses, subnets, NACL (Network Access Control List), route tables and network gateways.

3. Whenever you create a VPC, you must define the IP range for that VPC. IPv4 and IPv6 CIDR blocks are supported. The IPv4 CIDR block must be between /16 and /28. The IPv6 CIDR block is of a fixed size, /56, and you cannot choose the IP range for IPv6.

4. One VPC can have multiple Subnets, NACL and Route Tables.

5. Internet Gateway: A VPC is composed of subnets. Subnets are private by default. To make any subnet public, an Internet Gateway must be attached to that VPC. One VPC cannot have more than one Internet Gateway.

6. VPC Peering: Connect two or more of your VPCs with each other or with a VPC of another AWS account. All VPCs must be in the same region. Example: you can enable VPC Peering between the DEV VPC and the UAT VPC, or between the PROD VPC and the Disaster Recovery VPC. Peering is a one-to-one connection between two VPCs; transitive peering is not possible.

7. Whenever we create an account, a default VPC is created.

8. Default Route Table, NACL and Security Group: Whenever we create a VPC, one Route Table, one NACL and one Security Group are created by default. If you don't associate your subnets with any Route Table or NACL, this default Route Table and NACL are associated with those subnets. If you don't associate your instances with any Security Group, the default Security Group is associated with each instance.

9. Flow Logs: You can associate flow logs with a VPC. They capture information about the IP traffic going to and from network interfaces in your VPC. To enable flow logs you need an IAM role for flow logs and a log group in CloudWatch.

Subnets

1. A sub-network inside a VPC. It contains a sub-range of the IP addresses of the VPC.

2. A Subnet must be associated with an AZ. It cannot span multiple AZs.

3. A subnet can be private or public. Keep your databases in private subnets and your web servers in public subnets.

4. An instance always belongs to a subnet. You cannot have an instance in a VPC which does not belong to any subnet.

5. NACL (Network Access Control List): An optional layer of security at the subnet level. It acts as a firewall at the subnet level (a Security Group acts as a firewall at the instance level). One subnet can be associated with only one NACL. One NACL can be associated with multiple subnets.

6. Route Table: Each subnet must be associated with a Route Table. One subnet can have only one Route Table. One Route Table can be associated with multiple subnets. The network traffic of any instance inside a subnet is dictated by the route table associated with that subnet.

7. While creating a subnet, you must specify the VPC, the CIDR (which must be within the CIDR range of the parent VPC), and the Availability Zone.

8. After creating a subnet, you should associate a Route Table and a NACL with it. If you don't, the default Route Table and NACL that were created with the VPC will be associated with it.

9. A Subnet is private by default. To make it public:

  • Define an Internet Gateway (IGW).
  • Attach the IGW to the VPC. One VPC can be attached to only one IGW.
  • Create a Route Table and add an internet route to it (Destination 0.0.0.0/0, Target the IGW).
  • Explicitly associate the Subnet you want to make public with this Route Table. One Subnet has only one Route Table.
  • Enable "Auto-assign public IPv4 address" on that Subnet. You can also set this while launching an instance in the subnet.
  • Ensure the Security Group and NACL are not blocking internet traffic.
  • Now any EC2 instance launched in this Subnet will be able to communicate with the internet.
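The rules spread across the VPC and Subnet lists above (VPC CIDR between /16 and /28, subnet CIDRs inside the VPC range, a subnet being public only when its route table sends 0.0.0.0/0 to an Internet Gateway, and a NAT Gateway belonging in such a public subnet, as item 4 of the NAT Gateway list earlier on this page requires) can be checked mechanically before anything is deployed. The following added example, not AWS code, does that over a layout described as a plain Python dict using the standard `ipaddress` module; the layout and the ids igw-0example and nat-0example are constructed placeholders, and it deliberately contains two mistakes so the checks have something to find.

```python
import ipaddress
from itertools import combinations

# Constructed VPC layout with two deliberate mistakes: "bad-overlap" overlaps
# "private-a", and the NAT gateway was launched in a subnet with no IGW route.
SAMPLE_VPC = {
    "cidr": "10.0.0.0/16",
    "subnets": {
        "public-a":    {"cidr": "10.0.0.0/24",
                        "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")]},
        "private-a":   {"cidr": "10.0.1.0/24",
                        "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")]},
        "db-a":        {"cidr": "10.0.2.0/24",
                        "routes": [("10.0.0.0/16", "local")]},
        "bad-overlap": {"cidr": "10.0.1.128/25",
                        "routes": [("10.0.0.0/16", "local")]},
    },
    "nat_gateways": {"nat-0example": "private-a"},   # gateway id -> subnet it sits in
}


def vpc_cidr_findings(cidr):
    """The page's size rules: IPv4 block /16 to /28, IPv6 block a fixed /56."""
    net = ipaddress.ip_network(cidr)     # raises ValueError if host bits are set
    if net.version == 4 and not 16 <= net.prefixlen <= 28:
        return [f"VPC {cidr}: IPv4 block must be between /16 and /28"]
    if net.version == 6 and net.prefixlen != 56:
        return [f"VPC {cidr}: IPv6 block must be a /56"]
    return []


def subnet_findings(vpc_cidr, subnets):
    """Every subnet must lie inside the VPC range, and no two subnets may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in subnets.items()}
    findings = [f"{name}: {net} is not inside VPC {vpc}"
                for name, net in nets.items() if not net.subnet_of(vpc)]
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            findings.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return findings


def classify_subnet(routes):
    """public = default route to an Internet Gateway, private = default route to a
    NAT gateway, isolated = no default route at all (only the local route)."""
    target = next((t for dest, t in routes if dest == "0.0.0.0/0"), None)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def nat_findings(vpc):
    """A NAT gateway only works from a subnet whose route table reaches the IGW."""
    findings = []
    for nat, subnet in vpc["nat_gateways"].items():
        kind = classify_subnet(vpc["subnets"][subnet]["routes"])
        if kind != "public":
            findings.append(f"{nat}: launched in {subnet}, which is {kind} and has "
                            f"no 0.0.0.0/0 route to an Internet Gateway")
    return findings


def lint_vpc(vpc):
    return (vpc_cidr_findings(vpc["cidr"])
            + subnet_findings(vpc["cidr"], vpc["subnets"])
            + nat_findings(vpc))


if __name__ == "__main__":
    for name, subnet in SAMPLE_VPC["subnets"].items():
        print(f"{name:12s} {classify_subnet(subnet['routes'])}")
    for finding in lint_vpc(SAMPLE_VPC):
        print("FINDING:", finding)
```

The sample reports public-a as public, private-a as private and db-a as isolated, and produces exactly two findings: the overlap between bad-overlap and private-a, and the NAT gateway sitting in a private subnet. The same `lint_vpc` call can be pointed at a layout exported from a real account once it has been converted into the same dict shape.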

Tuesday, January 1, 2019

AWS Workspace: Desktop as a Service from AWS

AWS Workspaces is a very useful service. You don't need to create and manage VMs for your employees, workers and contractors spread across the globe; just use AWS Workspaces. This is Desktop as a Service. Below are some basic points about AWS Workspaces:

1. Cloud desktop service (DaaS: Desktop as a Service)

2. You can use Amazon Workspaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe. 

3. Workspaces helps you eliminate the complexity of managing hardware inventory, OS versions and patches, and Virtual Desktop Infrastructure (VDI), which simplifies your desktop delivery strategy.

4. With Amazon Workspaces, your users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device.

5. Enables bring your own device (BYOD): Amazon Workspaces lets you run a cloud desktop directly on a wide range of devices such as PC, Mac, iPad, Kindle Fire, Android tablet and Chromebook, and in web browsers such as Firefox and Chrome.

6. You can integrate these desktops with your company's Active Directory.

7. You can pay either monthly or hourly, just for the Workspaces you launch, which helps you save money when compared to traditional desktops and on-premises VDI solutions.