Have you ever had to draw an architecture diagram and found the repetitive clicking and dragging tedious? Did you have to do modifications to that diagram and found it complicated?

Graphviz is an open source graph visualization software that allows us to decribe a diagram using code, and have it automatically drawn for us. If the diagram needs to be modified in the future, we just need to modify the description and the nodes and edges will be repositioned automatically for us.

Drawing graphs

Before we start writing graphs, we need to learn how we can convert our code into an image so we can test what we are doing.

In my path to learning about networking on AWS I have written a few articles:

• Introduction to AWS networking
• Setting up a bastion host on AWS
• Introduction to AWS NAT Gateway

This time I’m going to write about a way to allow a private EC2 instance to communicate with an AWS service without having to go through the public Internet. At the time of this writing, there are two services that provide VPC Gateway endpoints: S3 and DynamoDB.

We might want to use a VPC Gateway endpoint to improve security and decrease latency when a service we own needs to use S3 or DynamoDB. Without VPC Gateway endpoints, we would have our private instance use a NAT Gateway to reach the Internet (Including any AWS service). With a VPC Gateway endpoint the traffic stays inside AWS network, making it faster and safer.

A NAT (Network Address Translation) Gateway can be used to allow an instance in a private Subnet to communicate with the Internet while preventing the Internet from initiating connections to it.

In my previous article I explained how to create a bastion host. In this article I’m going to create a private Subnet in the same VPC, and I’m going to allow this Subnet to initiate connections to the Internet without giving the instances a public IP address.

The end result of my article about creating a bastion host was this:

If you are not familiar with networking concepts on AWS, I recommend you take a look at my introduction to aws networking.

A Bastion host (also called Jumpbox) is used to protect hosts that are part of a private network, while still allowing access to them over the Internet. If a system administrator needs to access other hosts, It needs to first SSH to the Bastion and from there, SSH to any other host.

Being exposed to the Internet, the Bastion becomes the target of attackers and should be a central part of our security plan.

A few months ago, I wrote an introduction to networking for Google Cloud. Today I find myself working with AWS, so I’m going to explore networking on the AWS platform.

I’m going to be using AWS CLI for my examples, so I recommend you install it and configure it before proceeding.

Virtual Private Clouds (VPC), Subnets and Security Groups (SG)

To get started we need to get familiar with these 3 fundamental concepts:

• Virtual Private Cloud (VPC) - Refers to a network that is logically isolated from the rest of the world. A VPC is a regional resource (It can span a full region, but not accross regions)
• Subnet - A section of a VPC. Subnets exist in a single Availability Zone (AZ)
• Security Group (SG) - A virtual Firewall. Any EC2 instance must be attached to at least one Security Group. By default a Security Group allows all outbound traffic and disallow all inbound traffic

In a previous post I wrote about AWS CodeBuild, which allows us to run our builds using AWS infrastructure. In this post we are going one step further and explore CodePipeline; AWS’ solution for continuos delivery.

Some of Pipelines’ features:

• Detect code changes and start Pipeline automatically
• Split releases into stages (One per environment, for example)
• Pause the releases if a step fails
• Allow steps to only proceed after manual approval

CodeBuild is AWS’ offering for running builds in the cloud. We can think of it as an alternative to TravisCI or CircleCI.

Concepts

There are 4 things we need to configure as part of a CodeBuild project:

• Source - Get the code we want to build. At the time of this writing, we can retrieve code from S3, GitHub, Bitbucket or CodeCommit (AWS’ code hosting offering)
• Environment - Type of machine to use for the builds
• Buildspec - Commands to run as part of the build
• Artifacts - Artifacts to publish to S3 (Optional)

In a previous post I wrote about AWS CLI. In that post I explained how to create an admin user and how to use that user with the CLI. In this post I’m going to go in more depth into AWS IAM and show some examples.

The root user

When someone signs up to AWS they will need to provide an e-mail address and password they want to use to access their account. At this point, they are the only person who knows that combination of e-mail and password, so it can be safely assumed that whoever holds those two pieces of information is the owner of the account.

The owner of the account has the power to create or delete resources as they desire, so it’s very important that the password doesn’t fall in the wrong hands.

Null terminated strings

Null terminated strings (also called C strings) store a string as a sequence of characters terminated by a null character (\0).

For example, if we have a variable with the string taco, in a character array, it would look like this:

1
2
index: 0 | 1 | 2 | 3 | 4
value: t | a | c | o | \0

Notice that even though, taco is only 4 characters, it is necesary to allocate an extra byte for the null characer (\0).

As computer users, we are accustomed to storing data to retrieve it sometime in the future. Today there are many ways to do this. If you take a photo on your cell phone, it’s going to be saved into the phones internal flash memory (or an external flash card). If you have a modern computer it’s likely that you have a Solid State Drive (SSD). It’s also possible to save your data in the “cloud”. So, why focus on Hard drives?

Hard Disk Drives (HDD) have been a reliable way to store data since the 1950’s. Cloud providers (AWS, Azure, Google Cloud) have HDD offerings that are cheaper than the SSD alternatives. At the time I wrote this article, if I want to buy a 5TB HDD, I would have to pay around $100 USD; if I want to buy 5TB SSD I would have to pay around $500 USD. For this reason HDDs are still widely used.