AWS Networking

 Networking

Elastic Network Interfaces - ENI 

  • An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. The user can attach up to two
    ENIs with a single instance. However, AWS cannot assign a public IP when there are two ENIs attached to a single instance. It is recommended to assign an elastic IP in this scenario. 
  • Logical units and represent Network interface card in AWS
  • One ENI can be attached to one instance only. However they can be detached and the attached to another instance.
  • ENI is connected with one primary or default private IP address. Primary cannot be detached.
  • It can be connected to more than 1 secondary private IP addresses.
  • For each Private IP address we can 1 elastic IP.
  • We can associate 1 Public IP address
  • Source Destination enabled flag
  • ENI can be attached when the instance is running, stopped or launched.
  • Instance can be attached to 2 ENI - 1 public IP in Subnet 1 to allow internet traffic to instance and another ENI with private IP in Subnet 2 which will enable to instance to interact with backend.

VPC Interface Endpoints


  • VPC Interface endpoints helps you to connect with services in other VPC or other accounts only in the same region.
  • IEP can be connected to on-premise through VPN or DC.
  • The VPC with the IEP is the Service consumer.
  • The VPC which offers the service is the Service provider and it should accept the request from IEP. By default this is automatically accepted.
  • The VPCE can be made redundant by having it across subnet in different AZs. 
  • Each endpoint is allocated a private IP address.
  • SG should be attached to the IEP, if none attached default SG is attached.
  • The security group rules control the traffic to the endpoint network interface from resources in your VPC. 
  • By default the VPCE gets a domain name using which it can be accessed.  
  • A private DNS name can also be configured for the VPCE. To use private DNS, you must set the following VPC attributes to trueenableDnsHostnames and enableDnsSupport.
  • VPCE is used to connect to services in other VPC (Service Provider). The services in other VPC cannot initiate connection to VPCE to talk to resources in your VPC.
  • IEP Supports only TCP and IP4 traffic.

VPC Gateway Endpoints


  • GEP is applicable only to S3 and Dynamo.
  • Multiple endpoints to a single service is supported. Different RT can be associated to the endpoints.
  • Supports connectivity to services in that region only.
  • Only IP4 traffic.
  • Like IEP - the resources in our VPC (Service consumer) - cannot be accessed by resources on the other VPC.
  • Endpoint policies can be used to control access. By default policy allows any user or service within VPC to access resources on the other VPC (Provider). Route Tables can be used to control access, however IAM policy or bucket policy cannot be used to control access.
  • You cannot use the aws:SourceIp condition in your bucket policies for requests to Amazon S3 through a VPC endpoint. Instead, use aws:VpcSourceIp to control access from specific IP address ranges.
  • On the resource side - DynamoDB or S3, to control access to a specific gateway endpoint use aws:sourceVpce condition key.
  • "Condition": { "StringNotEquals" : { "aws:sourceVpce": "vpce-11aa22bb" } }

AWS Managed VPN


  • Max bandwidth throughput of 1.25 GB per tunnel. Note that the VPN is connected to VGW which can max support only 1.25 GB even when multiple VPN are connected to the same VGW.
  • For DC, the bandwidth is based on the port setting.

Network Firewall


https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

AWS Network Firewall – a stateful, managed, network firewall and intrusion prevention service for your VPC. It is designed for scale and supports tens of thousands of rules.
To apply traffic-filtering logic provided by AWS Network Firewall, you must route traffic symmetrically to the AWS Network Firewall endpoint. 
WS Network Firewall endpoint is deployed into a dedicated subnet of a VPC. We call this subnet an AWS Network Firewall subnet or simply firewall subnet. Depending on the use case and deployment model, the firewall subnet could be either public or private. For high availability (HA) and Multi-AZ deployments, allocate a subnet per Availability Zone (AZ). 
As a best practice, do not use AWS Network Firewall subnet to deploy any other services since AWS Network Firewall is not able to inspect traffic from sources or destinations within firewall subnet.
To have your network traffic inspected by AWS Network firewall, you must direct traffic to firewall endpoint using VPC route tables.
Deployment models
  1. istributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.
  2. Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into centralized VPC. For centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies the connectivity between VPCs as well as on-premises networks. AWS Transit Gateway also provides inter-region peering capabilities to other Transit Gateways to establish a global network

  1. VPC and DHCP
    1. It's not possible to modify the IP address range of an existing virtual private cloud (VPC) or subnet. You must delete the VPC or subnet, and then create a new VPC or subnet with your preferred CIDR block. However you can attach 1 additional CIDR range to the same VPC.
    2. The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.
    3. After you create a set of DHCP options, you can't modify them. If you need your VPC to use a different set of DHCP options, you must create it and then associate it with your VPC.
    4. You can have multiple sets of DHCP options, but you can associate only one set of DHCP options with a VPC at a time.
    5.  If you delete a VPC, the DHCP options set that is associated with the VPC is disassociated from the VPC. 
    6. The options field of a DHCP message contains configuration parameters, including the domain name, domain name server, and the netbios-node-type.
    7. Default DHCP options set: AmazonProvidedDNS. AmazonProvidedDNS is an Amazon Route 53 Resolver server, and this option enables DNS for instances that need to communicate over the VPC's internet gateway.
    8. If you use a Amazon Route 53 private hosted zone, you can use AmazonProvidedDNS. 
  2. VPC and DNS
    1. Custom domain name servers can also be configured.
    2. enableDnsHostnames - Indicates whether the instances launched in the VPC get public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true. 
    3. If you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, or use private DNS with interface VPC endpoints (AWS PrivateLink), you must set both the enableDnsHostnames and enableDnsSupport attributes to true.
    4. A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more VPCs without exposing your resources to the internet. 
    5. You can then create Route 53 resource record sets, which determine how Route 53 responds to queries for your domain and subdomains. For example, if you want browser requests for example.com to be routed to a web server in your VPC, you'll create an A record in your private hosted zone and specify the IP address of that web server. 
    6. DNS resolution from On-premise
      1. By default the on-premise cannot resolve to the Amazon provided DNS server. 
      2. When we have DNS resolver setup in VPC, the On-premise DNS servers can connect to this for name resolution by conditionally forwarding to that IP.
      3. When there are multiple VPC's customer end up creating multiple DNS resolver per VPC or per AZ to enable On-prem able to resolve.
      4. This can be simplified using Resolver endpoints which connects to the Amazon DNS in resolving.
    7. Route 53 resolver endpoints - Is a regional service and the endpoint lies within the VPC. When you create a Resolver endpoint, you can't specify a VPC that has the instance tenancy attribute set to dedicated.  
    8. When you create a VPC using Amazon VPC, Route 53 Resolver automatically uses a Resolver on the VPC to answer DNS queries for local Amazon VPC domain names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) and records in private hosted zones (acme.example.com). For all other domain names, Resolver performs recursive lookups against public name servers.
    9. Resolver checks if its Private Hosted zone (higher priority) followed by VPC DNS and then to Public DNS.
    10. Direction of DNS Queries
      1. Outside VPC - Allows DNS outbound to On-premise
      2. Inbound VPC - Allows DNS queries to your VPC
      3. Bi-directional
    11.  Forwarding rules for Outbound traffic 
      1. From which VPCs
      2. Domain name which need to be looked up
      3. Target IP and Port
      4. The rules can be shared with other accounts using RAM within the region.
      5. Note - The endpoint is attached to one VPC but the forwarding rules are shared across multiple VPCs. So VPC which doesn't have an endpoint will first forward to the   VPC which has it.
  3. Hosted Zones
    1. private hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs. 
    2. You create a private hosted zone, such as example.com, and specify the VPCs that you want to associate with the hosted zone. For example, suppose you have a database server that runs on an EC2 instance in one of the VPCs that you associated with your private hosted zone. You create an A or AAAA record, such as db.example.com, and you specify the IP address of the database server. 
    3. When an application submits a DNS query for db.example.com, Route 53 returns the corresponding IP address. The application must also be running on an EC2 instance in one of the VPCs that you associated with the example.com private hosted zone. 
    4. If you want to route traffic for your domain on the internet, you use a Route 53 public hosted zone.
    5. If you want to associate VPCs that you created by using one account with a private hosted zone that you created by using a different account, you first must authorize the association. 
    6. You can delete a private hosted zone only if there are no records other than the default SOA and NS records.
    7. Alias records let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets. They also let you route traffic from one record in a hosted zone to another record. (Note - A CNAME record can redirect DNS queries to any DNS record)
  4. Private Link or Interface endpoint
    1. AWS PrivateLink is a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to communicate with the service. Access a service in a different VPC.
    2. To use AWS PrivateLink, create a VPC endpoint for a service in your VPC. You create the type of VPC endpoint required by the supported service. This creates an elastic network interface in your subnet with a private IP address that serves as an entry point for traffic destined to the service. 
    3. VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. 
    4. An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a service that is owned by AWS or owned by an AWS customer or partner. 
    5. When you create an interface or gateway endpoint, you can attach an endpoint policy to it that controls access to the service to which you are connecting.  You cannot attach more than one policy to an endpoint. 
    6. When you create an interface endpoint, you can associate security groups with the endpoint network interface that is created in your VPC. If you do not specify a security group, the default security group for your VPC is automatically associated with the endpoint network interface. 
    7. You must ensure that the rules for the security group allow communication between the endpoint network interface and the resources in your VPC that communicate with the service.
    8. When you create a VPC endpoint service, we generate endpoint-specific DNS hostnames that you can use to communicate with the service. By default, your consumers access the service with that DNS name. Alternatively Private DNS can be used. An endpoint service can only have one private DNS name.
    9.  Connecting through AWS private network
    10. Consumer initiated connect through the endpoint from its VPC to the Provider VPC.
    11. The provider VPC can have other AWS services or 3rd party applications.
    12. This connect model helps establish connectivity without IG, NAT or Peering.
    13. On-premise application can connect to VPC service through Privatelink.
    14. When you create a VPC endpoint to an AWS service, you can enable Private DNS. When enabled, the setting creates an AWS managed Route 53 private hosted zone (PHZ) which enables the resolution of public AWS service endpoint to the private IP of the interface endpoint. 
    15. To access the shared private hosted zone, the hosts in the spoke VPCs should use the Route 53 Resolver IP of their VPC. Interface endpoints are also accessible from on-premises networks over VPN and Direct Connect. 
    16. Decentralized model
      1. Endpoints in each VPC. (1 endpoint in each AZ, 2 or 3 AZ for HA in VPC).
      2. The endpoints connect to the services which need to be accessed.
      3. If a new microservice is deployed in a VPC and that needs to be accessed - then each VPC should have a new endpoint to connect to that microservce. 
      4. Supports overlapping IP addresses.
    17. Centralized model - Follows multi-account best practice
      1. All endpoints are deployed to a central shared VPC and make it available to individual VPCs through transit gateway.
      2. When 100s or 1000s of VPC need to be connected TGW is best - for smaller number of VPC we can use peering.
      3. has additional cost as TGW is involved.
      4. Since EP is central the IP usage is reduced.
    18. VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you do not attach a policy when you create an endpoint, we attach a default policy for you that allows full access to the service. You cannot attach more than one policy to an endpoint. Your policy must contain a Principal element. When you create or modify an endpoint, you specify the VPC route tables that are used to access the service via the endpoint. The VPC endpoint must be in the same AWS Region as the bucket.
  5. NLB and endpoint service
    1. In Service provider VPC
      1. Single NLB with endpoint service - NLB is connected to a network interface in AZ1 and to another network interface in AZ2.
      2. Multiple NLB with endpoint service - Consider we have 2 NLB - Where both of them are connected to network interface in AZ1 and AZ2.
    2. The consumers could be in separate VPCs with their Endpoint network interface pointing to NLB's network interface in Service provider VPC.
  6. Hybrid Networking
    1. DCG is a global resource and can be accessed from any region. However the DCG can only connect to the DC location in that region.
    2. Private VIF are for connecting to VPC within the region using Private IPs.
    3. Public VIF are for connecting to resources outside of VPC.
    4. 1 DC can be connected to max of 50 Private or Public VIF.
    5. Each VPC has a virtual private gateway that connects to the Direct Connect gateway.
    6. The VIF are used to connect the DCG to the DC location. The DC location is connected to the Data center customer gateway through the DC connection.
    7. Max of 1 Transit VIF can be attached to a DC. Transit VIF are used to connect 1 or more Transit gateways to DC.
    8. You can migrate a virtual interface to a new connection within the same Region, but you can't migrate it from one Region to another.
    9. You can peer transit gateways across regions.
    10. We can have multiple route tables to transit gateway.
    11. Transit gateway are used to connect multiple VPC to DCG.
    12. To share DC with another Account, create a hosted VIF for other account. The other account should accept it.
    13. For connecting to a VPC in the same AWS Region, you need the virtual private gateway for your VPC.
    14. Before VIF can be created we should have a DC connection and LAG.
    15. LAG - Link aggregation group aggregates multiple connections as a single connection at the DC gateway endpoint.
    16. VIF can be detached and attached to new DC within the same region. 
    17. Before a DC can be deleted the attached VIF should be deleted.
    18. A Unicast transmission/stream sends IP packets to a single recipient on a network. A Multicast transmission sends IP packets to a group of hosts on a network.
    19. Service discovery means that a service client, such as a network file system browser, does not need to have explicit, configured, knowledge of the hostnames or IP addresses of servers offering that service — file servers in this example. 
    20. AWS Transit Gateway now supports routing internet protocol (IP) multicast traffic between attached Amazon Virtual Private Cloud (VPC) connections. Multicast delivers a single stream of data to many users simultaneously, and is a preferred protocol to stream multimedia content and subscription data to a group of subscribers. 
    21. A Site to site VPN routes encrypted traffic through Internet. Set 'Enable Acceleration' as True to route traffic through AWS network. With this it is called Accelerated VPN.
    22. VPN Cloudhub enables connectivity between on-prem networks using DC or VPN in same region.
    23. DCG enables  connectivity between on-prem networks and VPC across regions.
    24. Existing Private VIF cannot be associated with DCG, only at time of creation we can link VIF to DCG.
    25. DCG cannot be used to route traffic between VPCs.
    26. A null route or black hole route is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering. To disallow the spoke VPC from communicating with each other we can add Blackhole entry in RT.
    27. VPC Peering
      1. You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.  
      2. To accept the peering request the accepted VPC should have an IAM role with ec2:AcceptVpcPeeringConnection permission. If this is not VPC peering will not work.
      3. Likewise for the requester account to assume the IAM role, configure a trust relationship for the IAM role.
      4. If the VPCs are located in different AWS Regions, then you must include the PeerRegion in your AWS CloudFormation template which specifies where your accepter account VPC is located. . 
      5. You cannot route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect.
    28. SNMP  - SImple Network Management Protocol -  is an internet standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include routers, switches, firewalls, servers, and appliances. You can use SNMP to monitor on-premises devices through AWS Direct Connect or AWS Site-to-Site VPN
    29. only one virtual private gateway (VGW) can be attached to a VPC at a time.
    30. In promiscuous mode, a network device, such as an adapter on a host system, can intercept and read in its entirety each network packet that arrives. Promiscuous mode (port mirroring) on AWS is not supported. Even 2 virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.
    31. Port Scanning. Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy.
    32. IP Spoofing. Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
    33. VPC Traffic Mirroring. This provides the ability to send traffic to two places: the intended destination, plus another endpoint for logging and/or analysis. Under VPC, select the source and target ENI under menu 'Mirror Targets'. The target ENI can be in same account as the VPC to be mirrored or in another account. Then mirror filters can be set to track ports to be monitored. The mirrored traffic can be monitored by tools. This IDS/IPS can be now managed by AWS firewall.
    34. Each VPN connection consists of two separate tunnels. Each tunnel contains an IKE security association, an IPsec security association, and a BGP peering. 
    35. Internet key exchange (IKE) security association. This is required to exchange keys used to establish the IPsec security association. IPsec security association. This handles the tunnel's encryption, authentication, and so on. For devices that use BGP, this exchanges routes between the customer gateway device and the virtual private gateway.
    36. When configuring your customer gateway to connect to your VPC, several steps need to be completed. The IKE Security Association is established first between the virtual private gateway and customer gateway using the Pre-Shared Key as the authenticator.
    37. You can create additional VPN connections from your on-premises location to other VPCs using the same customer gateway device.
    38. For redundancy you can set up a second VPN connection using a second customer gateway device.  When you establish redundant customer gateway devices at a single location, both devices should advertise the same IP ranges.
    39. You can establish multiple VPN connections to a single virtual private gateway from multiple customer gateway devices. This enables you to have multiple locations connected to the AWS VPN CloudHub. 
    40. Statically assigned routes are preferred over BGP advertised routes in cases where identical routes exist in the virtual private gateway. If you select the option to use BGP advertisement, then you cannot specify static routes.  If your customer gateway device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your Site-to-Site VPN connection. If your customer gateway device does not support BGP, specify static routing.
    41. For a virtual private gateway, one tunnel across all Site-to-Site VPN connections on the gateway will be selected. To use more than one tunnel, we recommend exploring Equal Cost Multipath (ECMP), which is supported for Site-to-Site VPN connections on a transit gateway. ECMP is not supported for Site-to-Site VPN connections on a virtual private gateway.
    42. An accelerated Site-to-Site VPN connection (accelerated VPN connection) uses AWS Global Accelerator to route traffic from your on-premises network to an AWS edge location that is closest to your customer gateway device. AWS Global Accelerator optimizes the network path, using the congestion-free AWS global network to route traffic to the endpoint that provides the best application performance.You can use an accelerated VPN connection to avoid network disruptions that might occur when traffic is routed over the public internet. By default, acceleration is disabled. You can optionally enable acceleration when you create a new Site-to-Site VPN attachment on a transit gateway. Acceleration is only supported for Site-to-Site VPN connections that are attached to a transit gateway. Once created cannot be turned on/off.
    43. A pre-shared key is a Site-to-Site VPN tunnel option that you can specify when you create a Site-to-Site VPN tunnel and is the default auth option.If you do not want to use pre-shared keys, you can use a private certificate from AWS Certificate Manager Private Certificate Authority to authenticate your VPN.
    44. AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Once deployed, Firewall endpoint is similar to interface endpoint and it shows up as vpce-id in your VPC route table target selection.
      1. Will be used for rule based filtering
      2. In your VPC, in each Availability Zone where you want a firewall endpoint, create a subnet specifically for use by Network Firewall.
      3.  The subnets that you use for your firewall endpoints must belong to a single AWS Region and must be in different Availability Zones within the Region. 
      4. Change your routing tables to route traffic through the Network Firewall firewall. 
    1. A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. If you're using EC2-Classic, you must use security groups created specifically for EC2-Classic. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group. If you're using EC2-VPC, you must use security groups created specifically for your VPC. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.
    2. You can place a network interface on each of your web servers that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a backend network (subnet) where the database server resides. Instead of routing network packets through the dual-homed instances, each dual-homed instance receives and processes requests on the front end, initiates a connection to the backend, and then sends requests to the servers on the backend network.
  7. Outposts
    1. AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. 
    2. AWS Outposts enables customers to build and run applications on premises using the same programming interfaces as in AWS Regions, while using local compute and storage resources for lower latency and local data processing needs.
    3. An Outpost is a pool of AWS compute and storage capacity deployed at a customer site. AWS operates, monitors, and manages this capacity as part of an AWS Region. 
    4. You can create subnets on your Outpost and specify them when you create AWS resources such as EC2 instances, EBS volumes, ECS clusters, and RDS instances.
    5.  Instances in Outpost subnets communicate with other instances in the AWS Region using private IP addresses, all within the same VPC.

    6. Service link – Network route that enables communication between your Outpost and its associated AWS Region. Each Outpost is an extension of an Availability Zone and its associated Region. The service link is an encrypted set of VPN connections that are used whenever the Outpost communicates with your chosen home Region. Best practice to have redundant 1 GBPS connectivity.

    7. Your on-premises network must provide wide area network (WAN) access back to the Region and to the internet. 

    8. Local Gateway  - Connects Outpost with the Local DC network.

    9. Each Outpost can support multiple VPCs that can have one or more Outpost subnets.

Comments

Post a Comment

Popular posts from this blog

AWS Organizations, IAM

Image
Active Directory AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. You can spread application loads across multiple AD Connectors to scale to your performance needs.  AD Connector is your best choice when you want to use your existing on-premises directory with AWS services. AD Connectors and your on-premises AD domains have a 1-to-1 relationship.  Your end users and IT administrators can use their existing corporate credentials to log on to AWS applications such as WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. Simple AD is a standalone managed directory.  Small - Supports up to 500 users,  Large - Supports up to 5,000 users.  Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains.  AWS Directory Service lets you run Microsoft Active Directory (AD)
Read more

Key Concepts

A  resource group  is a collection of AWS resources that are all in the same AWS Region, and that match the criteria specified in the group's query.  Tag-based queries include lists of resources and tags.  In an AWS CloudFormation stack-based query, you choose an AWS CloudFormation stack in your account in the current region, and then choose resource types within the stack that you want to be in the group.   You can use  resource groups  to organize your AWS resources. AWS Resource Groups is the service that lets you manage and automate tasks on large numbers of resources at one time.  With Resource Groups, you can create a custom console that organizes and consolidates information based on criteria specified in tags, or the resources in an AWS CloudFormation stack.  Transfer Family - Supports connecting to S3 or EFS through FTPS/SFTP/FTP protocols.  The hostname for the endpoint can also configured with R53.  The transfer family can be associated with Elastic IP. Security group pe
Read more

Linear Algebra Concepts

Vector Spaces Rank of matrix is the number of non zero rows in REF form. Alternatively rank of matrix is = total number of columns - total number of dependent columns. In the REF form, If a column of a matrix can be expressed in terms of other columns then it is a dependent vector. The vectors on the left most side with leading 1 at the col number position ( 1 at 1st row 1st col, 1 at 2nd row 2nd col, likewise) then such columns are linearly independent columns. For linerarly independence a1v1+a2v2+a3v3=0 where v1,v2,v3 are vectors and a1,a2,a3 are scalars. Span of a vector space is all the possible vectors which can be formed using the basis vectors. Basis vectors are linearly independent vectors which can span the vector space. Column space is all possible set of vectors formed by the column vectors. Row space is all possible set of vectors formed by the row vectors. Dimension of a row space or column space is equal to its rank. Null space or kernel of a matrix is any vector x which
Read more