Zeljko Obrenovic' Technology Catalog

Cloud networking refers to hosting or using some or all network resources and services—virtual routers, bandwidth, virtual firewalls, or network management software—from the cloud, whether public, private, or hybrid.

The network can be either cloud-enabled or entirely cloud-based.

In cloud-enabled networking, the network is on premises, but some or all resources used to manage it are in the cloud. Core network infrastructure—packet forwarding, routing, and data— remains in-house, but things like network management, monitoring, maintenance, and security services are done through the cloud. One example is using a SaaS-based firewall to protect an on-premises network.

In cloud-based networking, the entire network is in the cloud. This includes network management resources and physical hardware. Cloud-based networking is used to provide connectivity between applications and resources deployed in the cloud.

Virtual network architecture refers to a network infrastructure that can be scaled to adapt to any workload. A virtual network architecture integrates network virtualization and cloud computing to create an open virtualization solution that can connect datacenters from any location.
(Citrix Glossary)

Network Connectivity

Domain Name Servers (DNS) (3)

VPNs (3)

Dedicated Connections (3)

Network Architecture

Virtual Private Clouds (VPC) (3)

Load Balancing (3)

Scale & Optimize Network Design (4)

Monitoring & Diagnostics (3)

Application Content Delivery

Content Delivery Networks (3)

API Management (4)

Cloud Resource Discovery Services (2)

Application-Level Monitoring (1)

Securing Network

DDoS Protection (3)

Firewalls (3)

Web Application Firewalls (WAF) (3)

Network Connectivity

Network connectivity describes the extensive process of connecting various parts of a network to one another, for example, through the use of routers, switches and gateways, and how that process works.

Domain Name Servers (DNS) (3)

Translates memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices.

[AWS] Route 53
A reliable and cost-effective way to route end users to Internet applications.
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.

Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS. You can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of your application and its endpoints. Amazon Route 53 Traffic Flow makes it easy for you to manage traffic globally through a variety of routing types, including Latency Based Routing, Geo DNS, Geoproximity, and Weighted Round Robin—all of which can be combined with DNS Failover in order to enable a variety of low-latency, fault-tolerant architectures. Using Amazon Route 53 Traffic Flow’s simple visual editor, you can easily manage how your end-users are routed to your application’s endpoints—whether in a single AWS region or distributed around the globe. Amazon Route 53 also offers Domain Name Registration – you can purchase and manage domain names such as example.com and Amazon Route 53 will automatically configure DNS settings for your domains.

Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/how-health-checks-work.png

Source: https://d2908q01vomqb2.cloudfront.net/cb4e5208b4cd87268b208e49452ed6e89a68e0b8/2016/10/26/Upgrades_Image1.jpeg

Links:
- aws.amazon.com/route53
[Google Cloud] DNS
Reliable, resilient, low-latency DNS serving from Google's worldwide network.
Google Cloud DNS is a scalable, reliable, and managed authoritative Domain Name System (DNS) service running on the same infrastructure as Google. It has low latency, high availability and is a cost-effective way to make your applications and services available to your users. Cloud DNS translates requests for domain names like www.google.com into IP addresses like 74.125.29.101. Cloud DNS is programmable. You can easily publish and manage millions of DNS zones and records using our simple user interface, command-line interface or API.

Source: https://lh3.googleusercontent.com/cc5gieJ40c5XiSFLQuX1FmWJHouXICaF0aTc860VH3oPmRJ4q5ruMzDxsw0Fle9LE2PfyOPTE5Zr=e14-rj-sc0xffffff-w2540

Links:
- cloud.google.com/dns
[Azure] DNS
A hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.

You can't use Azure DNS to buy a domain name. For an annual fee, you can buy a domain name by using App Service domains or a third-party domain name registrar. Your domains then can be hosted in Azure DNS for record management. For more information, see Delegate a domain to Azure DNS.
Links:
- docs.microsoft.com/en-us/azure/dns/dns-overview

VPNs (3)

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

[AWS] VPN
Establish a secure and private encrypted tunnel from your network or device to the AWS global network.
AWS Virtual Private Network (AWS VPN) lets you establish a secure and private encrypted tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN.

AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks. AWS Client VPN includes a free client-side application, which provides access to AWS services from remote networks.

Source: https://d1.awsstatic.com/diagrams/Product-Page-Diagram_Aws-Client-VPN-Connect@2x.7e31b8a9dc7f38312794b311d37faf145adc0f96.png

Links:
- aws.amazon.com/vpn
[Google Cloud] VPN
Connect your on-premises or other public cloud networks to your Google VPC securely over the internet through IPsec VPN.
Connect your on-premises or other public cloud networks to your Google VPC securely over the internet through IPsec VPN at a low cost for your data bandwidth needs up to 3.0 Gbps. High availability VPN offers the best SLA in the industry, with a guaranteed uptime of 99.99%.
Links:
- cloud.google.com/hybrid-connectivity
[Azure] VPN Gateway
Connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office.
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-about-vpngateways/vpngateway-site-to-site-connection-diagram.png

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-about-vpngateways/vpngateway-multisite-connection-diagram.png

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-about-vpngateways/point-to-site.png

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-about-vpngateways/vpngateway-vnet-to-vnet-connection-diagram.png

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-about-vpngateways/expressroute-vpngateway-coexisting-connections-diagram.png

Links:
- azure.microsoft.com/en-us/services/vpn-gateway

Dedicated Connections (3)

A communications cable or other facility dedicated to a specific application, in contrast with a shared resource such as the telephone network or the Internet.

[AWS] Direct Connect (DX)
Establish dedicated connections from on-premises to AWS.
AWS Direct Connect (DX) allows you to establish dedicated connections from on-premises to AWS. With DX, you can bypass the Internet, which often reduces network costs, improves bandwidth throughput, and provides a more consistent network experience. You can request 1 or 10Gbps connections directly from AWS, which currently supports three types of virtual interfaces (VIF) enabling additional building blocks. You can also work with a DX partner for sub 1Gbps connectivity, but they might support different VIF types.
AWS Direct Connect Gateway (DX Gateway) allows customers to access Amazon VPCs deployed in any unclassified AWS Regions (except China) with DX connections. Use a single private VIF to connect to DX Gateway, which links to up to 10 Amazon VPCs simultaneously across multiple regions, for north-south traffic.

Source: https://d1.awsstatic.com/AWS%20Direct%20Connect/Product-Page-Diagram_Direct-Connect.0166400894ac5f9c921c3f7a346f55d8c42f492c.png

Links:
- aws.amazon.com/directconnect
[Google Cloud] Interconnect
10 Gbps to 100 Gbps pipes to connect directly to a Google location.
Enterprise-grade connections to your Google VPC backed by industry-leading SLAs. Choose a 10 Gbps or 100 Gbps pipe and connect directly to a Google location with Dedicated Interconnect, or flexible bandwidth options (50 Mbps to 10 Gbps) with Partner Interconnect.

Source: https://cloud.google.com/interconnect/images/vm-same-continent-regional-routing.svg

Links:
- cloud.google.com/hybrid-connectivity
[Azure] ExpressRoute
Create private connections between Azure datacenters and infrastructure on your premises or in a colocation environment. ExpressRoute connections don't go over the public Internet.
Use Azure ExpressRoute to create private connections between Azure datacenters and infrastructure on your premises or in a colocation environment. ExpressRoute connections don't go over the public Internet, and they offer more reliability, faster speeds, and lower latencies than typical Internet connections. In some cases, using ExpressRoute connections to transfer data between on-premises systems and Azure can give you significant cost benefits.

With ExpressRoute, establish connections to Azure at an ExpressRoute location, such as an Exchange provider facility, or directly connect to Azure from your existing WAN network, such as a multiprotocol label switching (MPLS) VPN, provided by a network service provider.

Source: https://docs.microsoft.com/en-us/azure/expressroute/media/expressroute-introduction/expressroute-connection-overview.png

Links:
- azure.microsoft.com/en-us/services/expressroute

Network Architecture

Framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, as well as communication protocols used.

Virtual Private Clouds (VPC) (3)

A virtual private cloud (VPC) is an on-demand configurable pool of shared computing resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations (denoted as users hereafter) using the resources.

[AWS] Virtual Private Clouds (VPC)
Provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications. You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Source: https://docs.aws.amazon.com/vpc/latest/userguide/images/default-vpc-diagram.png

Source: https://docs.aws.amazon.com/vpc/latest/userguide/images/nondefault-vpc-diagram.png

Source: https://docs.aws.amazon.com/vpc/latest/userguide/images/internet-gateway-diagram.png

Source: https://docs.aws.amazon.com/vpc/latest/userguide/images/virtual-private-gateway-diagram.png

Source: https://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-endpoint-privatelink-diagram.png

Links:
- aws.amazon.com/vpc
Google Virtual Private Cloud (VPC)
Managed networking functionality for your Google Cloud resources.
Virtual Private Cloud (VPC) gives you the flexibility to scale and control how workloads connect regionally and globally. When you connect your on-premises or remote resources to Google Cloud, you’ll have global access to your VPCs without needing to replicate connectivity or administrative policies in each region. You can now bring your own IP addresses to Google’s network across all regions.

Source: https://lh3.googleusercontent.com/masxp7YqQp1Ot48gY52UObB2xzyFVy40k6AAcmbuFM0iVd-GN8LQvgh-GclKcJtoUpwWGoaNeNsCnw=e14-rj-sc0xffffff-w600

Links:
- cloud.google.com/vpc
[Azure] Virtual Network
Your private network in the cloud.
Azure Virtual Network gives you an isolated and highly-secure environment to run your virtual machines and applications. Use your private IP addresses and define subnets, access control policies, and more. Use Virtual Network to treat Azure the same as you would your own datacenter.

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/nat-overview/flow-map.svg

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/nat-overview/flow-direction4.svg

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/nat-overview/az-directions.svg

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/virtual-networks-udr-overview/routing-example.png

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/virtual-networks-peering-overview/local-or-remote-gateway-in-peered-virual-network.png

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/subnet-extension/subnet-extension.png

Links:
- azure.microsoft.com/en-us/services/virtual-network

Load Balancing (3)

Load balancing refers to the process of distributing a set of tasks over a set of resources (computing units), with the aim of making their overall processing more efficient.

[AWS] Elastic Load Balancing
Achieve fault tolerance for any application by ensuring scalability, performance, and security.
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/images/cross_zone_load_balancing_enabled.png

Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/images/cross_zone_load_balancing_disabled.png

Source: http://awsmedia.s3.amazonaws.com/2012-02-24-techdoc-elb-arch.png

Links:
- https://aws.amazon.com/elasticloadbalancing
[Google Cloud] Load Balancing
High performance, scalable load balancing on Google Cloud Platform.
Scale your applications on Compute Engine from zero to full throttle with Cloud Load Balancing, with no pre-warming needed. Distribute your load-balanced compute resources in single or multiple regions—close to your users—and to meet your high availability requirements. Cloud Load Balancing can put your resources behind a single anycast IP and scale your resources up or down with intelligent autoscaling. Cloud Load Balancing comes in a variety of flavors and is integrated with Cloud CDN for optimal application and content delivery.

Source: https://cloud.google.com/load-balancing/images/lb-simple-overview.svg

Source: https://cloud.google.com/load-balancing/images/choose-lb-5.svg

Links:
- cloud.google.com/load-balancing
[Azure] Load Balancer
Deliver high availability and network performance to your applications.
With built-in load balancing for cloud services and virtual machines, you can create highly-available and scalable applications in minutes. Azure Load Balancer supports TCP/UDP-based protocols such as HTTP, HTTPS, and SMTP, and protocols used for real-time voice and video messaging applications.

Source: https://docs.microsoft.com/en-us/azure/load-balancer/media/load-balancer-overview/load-balancer.svg

Links:
- azure.microsoft.com/en-us/services/load-balancer

Scale & Optimize Network Design (4)

A set of technologies and techniques that are geared towards improving network performance, managing bandwidth utilization, minimizing latency, packet loss, congestion and jitter.

[AWS] Transit Gateway
Connect thousands of Amazon VPCs in a region and your on-premises networks with a single gateway.
AWS Transit Gateway enables you to connect thousands of Amazon VPCs in a region and your on-premises networks with a single gateway. It provides control over connectivity policies, scale, and monitoring your networks. It’s a managed IP router where you can create multiple route tables and attach VPCs, VPNs, and DX Gateway (via transit VIF) for centralized control of routing for both east-west and north-south traffic.

Source: https://d1.awsstatic.com/product-marketing/transit-gateway/tgw-after.d85d3e2cb67fd2ed1a3be645d443e9f5910409fd.png

Source: https://d1.awsstatic.com/product-marketing/transit-gateway/tgw-before.7f287b3bf00bbc4fbdeadef3c8d5910374aec963.png

Links:
- aws.amazon.com/transit-gateway
[AWS] Global Accelerator
Improve global application availability and performance using the AWS global network.
Improve global application availability and performance using the AWS global network.

Source: https://d1.awsstatic.com/r2018/b/ubiquity/global-accelerator-how-it-works.feb297eb78d8cc55205874a1691e0ea2bc8bdbf1.png

Source: https://d1.awsstatic.com/r2018/b/ubiquity/global-accelerator-before.46be83fdc7c630457bba963c7dc928cb676d9046.png

Source: https://d1.awsstatic.com/r2018/b/ubiquity/global-accelerator-after.2e404ac7f998e501219f2614bc048bb9c01f46d4.png

Links:
- aws.amazon.com/global-accelerator
[Google Cloud] Network Service Tiers
Optimize your network for performance or cost.
Premium Tier delivers GCP traffic over Google’s well-provisioned, low latency, highly reliable global network. This network consists of an extensive global private fiber network with over 100 points of presence (POPs) across the globe. By this measure, Google’s network is the largest of any public cloud provider. See the Google Cloud network map.

GCP customers benefit from the global features within Global Load Balancing, another Premium Tier feature. You not only get the management simplicity of a single anycast IPv4 or IPv6 Virtual IP (VIP), but can also expand seamlessly across regions, and overflow or fail over to other regions.

Source: https://cloud.google.com/images/network-tiers/standard-diagram.svg

Source: https://cloud.google.com/images/network-tiers/premium-diagram.svg

Links:
- cloud.google.com/network-tiers
[Azure] Traffic Manager
Route incoming traffic for high performance and availability.
Azure Traffic Manager operates at the DNS layer to quickly and efficiently direct incoming DNS requests based on the routing method of your choice. An example would be sending requests to the closest endpoints, improving the responsiveness of your applications. Azure Traffic Manager offers six types of DNS-based traffic routing: Priority, performance, geographic, weighted round-robin, subnet, and multi-value. Choose the one that’s right for you or combine, using nested profiles.

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-routing-methods/priority.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-routing-methods/weighted.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-routing-methods/performance.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-routing-methods/geographic.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-nested-profiles/figure-1.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-nested-profiles/figure-2.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-nested-profiles/figure-3.png

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/media/traffic-manager-nested-profiles/figure-4.png

Links:
- azure.microsoft.com/en-us/services/traffic-manager

Monitoring & Diagnostics (3)

A system that constantly monitors a computer network for slow or failing components and that notifies the network administrator in case of outages or other trouble.

[Google Cloud] Network Intelligence Center
Comprehensive network monitoring, verification, and optimization.
Network Intelligence Center provides unmatched visibility into your network in the cloud along with proactive network verification. Centralized monitoring cuts down troubleshooting time and effort, increases network security, and improves the overall user experience.

Source: https://cloud.google.com/network-intelligence-center/docs/network-topology/images/graph-overview.svg

Source: https://cloud.google.com/network-intelligence-center/docs/performance-dashboard/images/pd-pl-now.png

Links:
- cloud.google.com/network-intelligence-center
[Azure] Network Watcher
Network performance monitoring and diagnostics solution.
Monitor and diagnose networking issues without logging in to your virtual machines (VMs) using Network Watcher. Trigger packet capture by setting alerts, and gain access to real-time performance information at the packet level. When you see an issue, you can investigate in detail for better diagnoses.

Source: https://docs.microsoft.com/en-us/azure/network-watcher/media/network-watcher-monitoring-overview/topology.png

Source: https://docs.microsoft.com/en-us/azure/network-watcher/media/network-watcher-monitoring-overview/subscription-limit.png

Source: https://docs.microsoft.com/en-us/azure/network-watcher/media/network-watcher-monitoring-overview/traffic-analytics.png

Links:
- azure.microsoft.com/en-us/services/network-watcher
[Azure] Internet Analyzer
Test how networking infrastructure changes will impact your customers’ performance.
Test and measure how changes to your cloud network architecture affects your users’ performance over the Internet. Whether you’re migrating from on-premises to Azure or evaluating a new Azure service, learn from your users’ data and Microsoft’s rich analytics to better understand and optimize your network architecture with Azure—before you migrate.

Source: https://docs.microsoft.com/en-us/azure/internet-analyzer/media/ia-overview/architecture.png

Links:
- azure.microsoft.com/en-us/services/internet-analyzer

Application Content Delivery

Delivery of content to mobile and web apps.

Content Delivery Networks (3)

A geographically distributed network of proxy servers and their data centers, providing high availability and performance by distributing the service spatially relative to end users.

[AWS] CloudFront
Fast, highly secure and programmable content delivery network (CDN).
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS global infrastructure, as well as other AWS services. CloudFront works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience. Lastly, if you use AWS origins such as Amazon S3, Amazon EC2 or Elastic Load Balancing, you don’t pay for any data transferred between these services and CloudFront.

You can get started with the Content Delivery Network in minutes, using the same AWS tools that you're already familiar with: APIs, AWS Management Console, AWS CloudFormation, CLIs, and SDKs. Amazon's CDN offers a simple, pay-as-you-go pricing model with no upfront fees or required long-term contracts, and support for the CDN is included in your existing AWS Support subscription.

Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/images/how-you-configure-cf.png

Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/images/how-cloudfront-delivers-content.png

Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/images/Charges.png

Links:
- aws.amazon.com/cloudfront
[Google Cloud] CDN
Fast, reliable web and video content delivery with global scale and reach.
With edge caches peered with nearly every major end-user ISP globally, Cloud CDN offers connectivity to more users everywhere. Thanks to anycast architecture, your site gets a single global IP address, combining consistent performance worldwide with easy management.

Source: https://cloud.google.com/cdn/images/cdn-response-flow.svg

Source: https://cloud.google.com/cdn/images/cache-hit.svg

Source: https://cloud.google.com/cdn/images/cache-fill.svg

Links:
- cloud.google.com/cdn
[Azure] Content Delivery Network
Secure and reliable global content delivery and acceleration.
In online content delivery, user experience is everything. Azure Content Delivery Network (CDN) lets you reduce load times, save bandwidth, and speed responsiveness—whether you’re developing or managing websites or mobile apps, or encoding and distributing streaming media, gaming software, firmware updates, or IoT endpoints.

Source: https://docs.microsoft.com/en-us/azure/cdn/media/cdn-overview/cdn-overview.png

Links:
- azure.microsoft.com/en-us/services/cdn

API Management (4)

API management refers to the processes for distributing, controlling, and analyzing the APIs that connect applications and data across the enterprise and across clouds.

[AWS] API Gateway
Create, maintain, and secure APIs at any scale.
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the "front door" for applications to access data, business logic, or functionality from your backend services. Using API Gateway, you can create RESTful APIs and WebSocket APIs that enable real-time two-way communication applications. API Gateway supports containerized and serverless workloads, as well as web applications.

API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management. API Gateway has no minimum fees or startup costs. You pay for the API calls you receive and the amount of data transferred out and, with the API Gateway tiered pricing model, you can reduce your cost as your API usage scales.

Source: https://d1.awsstatic.com/serverless/New-API-GW-Diagram.c9fc9835d2a9aa00ef90d0ddc4c6402a2536de0d.png

Links:
- aws.amazon.com/api-gateway
[AWS] AppSync
Power your applications with the right data, from one or more data sources, at global scale.
AWS AppSync simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources. AppSync is a managed service that uses GraphQL to make it easy for applications to get exactly the data they need.

With AppSync, you can build scalable applications, including those requiring real-time updates, on a range of data sources such as NoSQL data stores, relational databases, HTTP APIs, and your custom data sources with AWS Lambda. For mobile and web apps, AppSync additionally provides local data access when devices go offline, and data synchronization with customizable conflict resolution, when they are back online.

AWS AppSync is generally available. If you would like to try building data driven mobile and web applications, watch the re:Invent session video to learn more and open the AWS AppSync console to get started. For pricing details, please see the pricing page. AWS AppSync is available in multiple regions. For details on region availability, please see the regions detail page.

Source: https://d1.awsstatic.com/AppSync/product-page-diagram_AppSync@2x.d46d96d1e27169aa5005223299068da899280538.png

Links:
- aws.amazon.com/appsync
[Google Cloud] Endpoints
Develop, deploy, and manage APIs on any Google Cloud back end.
Develop, deploy, protect, and monitor your APIs with Cloud Endpoints. An NGINX-based proxy and distributed architecture give unparalleled performance and scalability. Using an OpenAPI Specification or one of our API frameworks, Cloud Endpoints gives you the tools you need for every phase of API development and provides insight with Cloud Logging, Cloud Monitoring, and Cloud Trace.

Source: https://lh3.googleusercontent.com/77WNpDgElb-qSWgt5EEeTB4wB2kaBKz4Ua9G26-ueMfZms_a_tqytA435mj-iI_dEWrYMCc9hehI=e14-rj-sc0xffffff-w2540

Links:
- cloud.google.com/endpoints
[Azure] API Management
Hybrid, multi-cloud management platform for APIs across all environments.
Today's innovative enterprises are adopting API architectures to accelerate growth. Streamline your work across hybrid and multi-cloud environments with a single place for managing all your APIs.

Source: https://azurecomcdn.azureedge.net/cvt-e918f8bc2be525756af58617c14443351ac83a8fd87a0b28d31919d627969098/images/page/services/api-management/transform-image.jpg

Source: https://azurecomcdn.azureedge.net/cvt-e918f8bc2be525756af58617c14443351ac83a8fd87a0b28d31919d627969098/images/page/services/api-management/accelerate-image.jpg

Links:
- azure.microsoft.com/en-us/services/api-management

Cloud Resource Discovery Services (2)

[AWS] Cloud Map
Service discovery for cloud resources.
AWS Cloud Map is a cloud resource discovery service. With Cloud Map, you can define custom names for your application resources, and it maintains the updated location of these dynamically changing resources. This increases your application availability because your web service always discovers the most up-to-date locations of its resources.

Modern applications are typically composed of multiple services that are accessible over an API and perform a specific function. Each service interacts with a variety of other resources, such as databases, queues, object stores, and customer-defined microservices, and it needs to be able to find the location of all the infrastructure resources on which it depends in order to function. In most cases, you manage all these resource names and their locations manually within the application code. However, manual resource management becomes time consuming and error-prone as the number of dependent infrastructure resources increases or the number of microservices dynamically scale up and down based on traffic. You can also use third-party service discovery products, but this requires installing and managing additional software and infrastructure.

Cloud Map allows you to register any application resources, such as databases, queues, microservices, and other cloud resources, with custom names. Cloud Map then constantly checks the health of resources to make sure the location is up-to-date. The application can then query the registry for the location of the resources needed based on the application version and deployment environment.

Source: https://d1.awsstatic.com/r2018/a/product-page-diagram_skymap_before-after.601791b8d5c69fb0c7e96bd6706cfd5320ca8f3d.png

Links:
- aws.amazon.com/cloud-map
[Google Cloud] Service Discovery
A single place to publish, discover, and connect services.
Service Directory helps reduce the complexity of management and operations by providing a single place to publish, discover, and connect services. It is a managed service that enhances service inventory management at scale so you don’t have to. Service Directory provides real-time service information, whether you have a few service endpoints or thousands. This helps ensure that your applications only resolve the most updated information of their resources, increasing the reachability of your services.

Source: https://cloud.google.com/service-directory/images/service-directory-01.svg

Source: https://cloud.google.com/service-directory/images/service-directory-02.svg

Source: https://cloud.google.com/service-directory/images/service-directory-03.svg

Source: https://cloud.google.com/service-directory/images/service-directory-04.svg

Source: https://cloud.google.com/service-directory/images/service-directory-05.svg

Links:
- cloud.google.com/service-directory

Application-Level Monitoring (1)

[AWS] App Mesh
Application-level networking for all your services.
AWS App Mesh is a service mesh that provides application-level networking to make it easy for your services to communicate with each other across multiple types of compute infrastructure. App Mesh standardizes how your services communicate, giving you end-to-end visibility and ensuring high-availability for your applications.

Modern applications are typically composed of multiple services. Each service may be built using multiple types of compute infrastructure such as Amazon EC2 and AWS Fargate. As the number of services grow within an application, it becomes difficult to pinpoint the exact location of errors, re-route traffic after failures, and safely deploy code changes. Previously, this has required you to build monitoring and control logic directly into your code and redeploy your service every time there are changes.

AWS App Mesh makes it easy to run services by providing consistent visibility and network traffic controls for services built across multiple types of compute infrastructure. App Mesh removes the need to update application code to change how monitoring data is collected or traffic is routed between services. App Mesh configures each service to export monitoring data and implements consistent communications control logic across your application. This makes it easy to quickly pinpoint the exact location of errors and automatically re-route network traffic when there are failures or when code changes need to be deployed.

You can use App Mesh with AWS Fargate, Amazon EC2, Amazon ECS, Amazon EKS, and Kubernetes running on AWS, to better run your application at scale. App Mesh also integrates with AWS Outposts for your applications running on-premises. App Mesh uses the open source Envoy proxy, making it compatible with a wide range of AWS partner and open source tools.

Source: https://d1.awsstatic.com/app-mesh/app-mesh-2.49bcef8619bc96e37d30cbf0e59369f403b911f1.png

Source: https://d1.awsstatic.com/app-mesh/app-mesh.8b0ce6cfb04a60c4b0317714a5e78d813383b92e.png

Links:
- aws.amazon.com/app-mesh

Securing Network

The policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

DDoS Protection (3)

A set of techniques or tools for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks.

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.

Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

DDoS mitigation is a set of techniques or tools for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks. DDoS attacks are a constant threat to businesses and organizations by threatening service performance or to shut down a website entirely, even for a short time.

The first thing to do in DDoS mitigation is to identify normal conditions for network traffic by defining "traffic patterns", which is necessary for threat detection and alerting. DDoS mitigation also requires identifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. The process is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and JavaScript footprints.

After the detection is made, the next process is filtering. Filtering can be done through anti-DDoS technology like connection tracking, IP reputation lists, deep packet inspection, blacklisting/whitelisting, or rate limiting.

One technique is to pass network traffic addressed to a potential target network through high-capacity networks with "traffic scrubbing" filters.

Manual DDoS mitigation is no longer recommended due to DDoS attackers being able to circumvent DDoS mitigation software that is activated manually. Other ways to prevent DDoS attacks can be implemented on-premise or/and via cloud-based solution providers. Through on-premise mitigation the technology (most commonly a hardware device) is placed in front of the network, with the disadvantage that the filtering capacity is limited to the capacity of the filtering device. A middle option is to have a hybrid solution by combining on-premise filtering with cloud-base filtering.

Best practices for DDoS mitigation include having both anti-DDoS technology and anti-DDoS emergency response services. DDoS mitigation is also available through cloud-based providers.

Source: https://upload.wikimedia.org/wikipedia/commons/thumb/3/3f/Stachledraht_DDos_Attack.svg/1024px-Stachledraht_DDos_Attack.svg.png

Links:

[AWS] Shield
Managed DDoS protection.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.

AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or Elastic Load Balancing (ELB) in the following AWS Regions - Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt, London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, and Mumbai.

Source: https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/03/15/HW3-DDoS-a.png

Links:
- aws.amazon.com/shield
[Google Cloud] Armor
Protect your services against denial of service and web attacks.
When you stand up applications on Google Cloud, you benefit from DDoS and web attack protection at Google-scale. Google Cloud Armor works with our global Cloud Load Balancing infrastructure and provides always-on attack detection and mitigation so you can run your business without interruption.

Source: https://lh3.googleusercontent.com/L0PZXWYQWnqElcPk1rqr6u6YqSd4ekFGvbIo6mlgAFVekRbt6fqXyjVlhoO6NthqTDwLFRSA2MQx5g=e14-rj-sc0xffffff-w2540

Links:
- cloud.google.com/armor
[Azure] DDoS Protection
Protect your Azure resources from Distributed Denial of Service (DDoS) attacks.
Backed by the Microsoft global network, DDoS Protection brings massive DDoS mitigation capacity to every Azure region. Scrub traffic at the Azure network edge before it can impact the availability of your service.

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/ddos-protection-partner-onboarding/real-time-tuning.png

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/manage-ddos-protection/view-mitigation-policies.png

Source: https://docs.microsoft.com/en-us/azure/virtual-network/media/manage-ddos-protection/ddos-alert-asc.png

Links:
- azure.microsoft.com/en-us/services/ddos-protection

Firewalls (3)

A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

[AWS] Firewall Manager
Centrally configure and manage firewall rules across accounts and applications.
AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organization. As new applications are created, Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. Now you have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure.

Using AWS Firewall Manager, you can easily roll out AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. Similarly, you can create AWS Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP Addresses and CloudFront distributions. Finally, with AWS Firewall Manager, you can enable security groups for your Amazon EC2 and ENI resource types in Amazon VPCs.

Source: https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/11/07/Firewall-and-WAF-01.png

Links:
- aws.amazon.com/firewall-manager
[Google Cloud] Firewall
Let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify.
Google Cloud firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify. Enabled Google Cloud firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up.

Every Virtual Private Cloud (VPC) network functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of the Google Cloud firewall rules as existing not only between your instances and other networks, but also between individual instances within the same network.

Source: https://cloud.google.com/vpc/images/firewalls/firewall_overview_ingress_examples.svg

Source: https://cloud.google.com/vpc/images/firewalls/firewall_overview_egress_examples.svg

Links:
- cloud.google.com/vpc/docs/firewalls
[Azure] Firewall
A managed, cloud-based network security service that protects Azure Virtual Network resources.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Source: https://docs.microsoft.com/en-us/azure/firewall/media/overview/firewall-threat.png

Links:
- docs.microsoft.com/en-us/azure/firewall/overview

Web Application Firewalls (WAF) (3)

[AWS] Web Application Firewall (Amazon WAF)
Protect your web applications from common web exploits.
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

With AWS WAF, you pay only for what you use. The pricing is based on how many rules you deploy and how many web requests your application receives. There are no upfront commitments.

You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs.

Source: https://d1.awsstatic.com/products/WAF/product-page-diagram_AWS-WAF_How-it-Works@2x.452efa12b06cb5c87f07550286a771e20ca430b9.png

Links:
- aws.amazon.com/waf
[Google Cloud] Armour WAF
Protect your services against web attacks.
Links:
- cloud.google.com/armor
[Azure] Web Application Firewall
A cloud-native web application firewall (WAF) service that provides powerful protection for web apps
Help protect your web apps from malicious attacks and common web vulnerabilities, such as SQL injection and cross-site scripting. With the cloud-native Azure web application firewall (WAF) service, deploy in minutes and only pay for what you use.

Source: https://docs.microsoft.com/en-us/azure/web-application-firewall/media/ag-overview/waf1.png

Source: https://docs.microsoft.com/en-us/azure/web-application-firewall/media/ag-overview/diagnostics.png

Links:
- azure.microsoft.com/en-us/services/web-application-firewall

Public Cloud Encyclopedia: Networking & Content Delivery Products

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links:

Links: