Subnetting from CIDR Notation

This post walks through subnetting with CIDR notation, assuming you already know what an IP address, a network ID and a broadcast ID are. There are many ways to approach this; hopefully this one helps.

Given an IP address with a /20 prefix, we need to work out the network ID and the broadcast ID, and in doing so we will see what the CIDR notation /20 actually means.

Example 1:

IP Address: 192.168.60.55/20

The number after the slash is the prefix length: how many leading bits of the subnet mask are turned on (set to 1). Laying the mask out octet by octet makes the example easier to follow.


When we talk about subnet masks we usually see something like 255.255.255.xxx. Let's build the mask in 8-bit groups (octets), turning on the first 20 bits as 1's and leaving the remaining 12 bits as 0's.


An octet with all eight bits turned on adds up to 128+64+32+16+8+4+2+1 = 255, so the first two octets of the mask are 255 each. In the third octet only the four leading bits are on.

So the subnet for this particular IP range will be

255.255.(128+64+32+16).0 = 255.255.240.0

IP Address: 192.168.60.55/20 Subnet: 255.255.240.0

Next we determine the network ID and the broadcast ID. The third octet is where the work is. The first two octets of the mask are all ones, so those octets of the IP address carry over unchanged into both the network ID and the broadcast ID. In the fourth octet every mask bit is off, so that octet is 0 in the network ID and 255 in the broadcast ID.


So we only need to work out the third octet. To do that we convert 60 to binary (00111100) and line it up against the mask bits of that octet (11110000).


Applying an AND to the two rows (an address bit is kept only where the mask bit is 1) gives:

00111100 AND 11110000 = 00110000 –> the 3rd octet of the Network ID becomes 48


Now we need the next network ID in the sequence; the address just before it is the broadcast ID of our range. The distance between consecutive network IDs is the value of the lowest mask bit that is turned on in the third octet. For 240 (11110000) that bit is worth 16.


So the 3rd octet of the broadcast ID is 48 + 16 - 1 = 63. The network ID and the broadcast ID themselves cannot be assigned to hosts, so the usable range starts at .1 and ends at .254:

Network ID: 192.168.48.0
Broadcast ID: 192.168.63.255
Usable IPs: 192.168.48.1 – 192.168.63.254

Example 2: IP Address: 172.10.85.60/22 


Here 22 bits are turned on: eight in each of the first two octets and six in the third, so the subnet mask is 255.255.(128+64+32+16+8+4).0 = 255.255.252.0

IP Address: 172.10.85.60/22 Subnet: 255.255.252.0

To find the network ID, convert the third octet 85 to binary (01010101) and AND it with the mask's third octet (11111100):

01010101 AND 11111100 = 01010100 –> the 3rd octet of the Network ID becomes 84

As before, the next network ID tells us where this range ends. The lowest mask bit turned on in the third octet of 252 (11111100) is worth 4, so consecutive network IDs are 4 apart.


So the 3rd octet of the broadcast ID is 84 + 4 - 1 = 87. Excluding the network ID and the broadcast ID, the usable range is:

Network ID: 172.10.84.0
Broadcast ID: 172.10.87.255
Usable IPs: 172.10.84.1 – 172.10.87.254

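The same procedure in code, as an added example that is not part of the original post: it builds the mask from the prefix length, ANDs it with the address for the network ID, ORs the inverted mask for the broadcast ID, reads the block size off the lowest set bit of the "interesting" octet, and cross-checks the bit arithmetic against Python's ipaddress module. It goes slightly beyond the two worked examples by also handling prefixes on an octet boundary (/24) and the /31 and /32 cases, which have no usable host addresses in the classic sense. It assumes plain IPv4.

```python
# Added example (not from the original post): the post's hand method in code.
# Assumes IPv4 only, and that network and broadcast IDs are never usable.
import ipaddress


def parse_cidr(cidr: str):
    """Return (address as a 32-bit int, prefix length) for 'a.b.c.d/n'."""
    addr_s, _, prefix_s = cidr.partition("/")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    octets = [int(o) for o in addr_s.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr_s!r}")
    addr = 0
    for o in octets:
        addr = (addr << 8) | o
    return addr, prefix


def to_dotted(n: int) -> str:
    """32-bit int -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr: str) -> dict:
    addr, prefix = parse_cidr(cidr)

    # Mask: the first `prefix` bits on, the remaining 32 - prefix bits off.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

    # Network ID: keep address bits only where the mask bit is 1 (AND).
    network = addr & mask
    # Broadcast ID: turn on every host bit (OR with the inverted mask).
    broadcast = network | (~mask & 0xFFFFFFFF)

    # The "interesting" octet is the last one with any mask bits on. The
    # distance between consecutive network IDs, measured in that octet, is
    # the value of the lowest mask bit that is on: 240 -> 16, 252 -> 4, 255 -> 1.
    octet = prefix // 8 if prefix % 8 else max(prefix // 8 - 1, 0)  # 0-based
    mask_octet = (mask >> (24 - 8 * octet)) & 0xFF
    block_size = 256 - mask_octet

    # Host addresses exclude the network and broadcast IDs; /31 and /32 have none.
    usable = prefix <= 30
    info = {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "octet": octet + 1,                 # 1-based, as in the post
        "block_size": block_size,
        "addresses": 1 << (32 - prefix),
        "first_usable": to_dotted(network + 1) if usable else None,
        "last_usable": to_dotted(broadcast - 1) if usable else None,
    }

    # Cross-check the bit arithmetic against the standard library.
    net = ipaddress.ip_network(cidr, strict=False)
    assert int(net.network_address) == network
    assert int(net.broadcast_address) == broadcast
    return info


if __name__ == "__main__":
    for example in ("192.168.60.55/20", "172.10.85.60/22", "10.0.0.9/24"):
        print(example, subnet_info(example))
```

Running it on the two addresses from the post reproduces the tables above; the /24 case shows the block size collapsing to 1 in the third octet once the mask for that octet is all ones.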

Hope this helps.


AWS VPC vs Azure VNet

AWS-VPC

Amazon has been a forerunner in cloud computing and pioneered several industry-changing services such as EC2 and VPC. AWS's initial offering, the EC2-Classic platform, ran customers' instances on a single flat network shared by all customers; that, together with shared tenancy, restrictions on Security Groups and the absence of Network Access Control Lists, concerned security-minded customers. AWS then introduced EC2-VPC, a more advanced platform that provisions a logically isolated section of the AWS cloud and supports shared or dedicated tenancy, improved Security Groups and Network Access Control Lists. Enterprise and SMB customers gained confidence in the VPC architecture and adopted AWS more readily than before.

In 2013, Azure shifted from being primarily a PaaS provider to a full-fledged IaaS provider in order not to lose market share. To compete with the earlier-starting AWS, Azure introduced many new services, most importantly Virtual Networks (VNet), "a logically isolated network" within its data centres and Azure's equivalent of a VPC. Azure's Virtual Network resembles VPC in many respects and behaves similarly in most cases, but there are a few differences as well.

In this post we'll look at those differences in detail, and of course the similarities. It's all about networking, so let's begin with the

Subnet

  • Both Azure VNet and AWS VPC segment the network with subnets.
  • An AWS VPC spans all the Availability Zones (AZs) in its region, and each subnet is mapped to one AZ. After creating a VPC you can add one or more subnets in each AZ. When you create a subnet you specify its CIDR block, which must be a subset of the VPC's CIDR block. Each subnet must reside entirely within one AZ and cannot span zones.
  • Azure VNet subnets are defined only by the IP address block assigned to them.
  • Communication between subnets in an AWS VPC goes over the AWS backbone and is allowed by default. AWS subnets are either private or public. A subnet is public when its route table contains a route to an internet gateway (IGW); AWS allows only one IGW per VPC, and resources in a public subnet can reach the internet through it.
  • AWS creates a default VPC in each region, with a default subnet in each Availability Zone of that region. An EC2 instance launched into a default subnet is assigned a public IP address and therefore has internet connectivity.
  • Azure does not provide a default VNet and has no notion of private versus public subnets as in AWS. Resources connected to a VNet have outbound access to the Internet by default.

IP Addresses

  • Both AWS VPC and Azure VNet use CIDR blocks from the private IPv4 address ranges defined in RFC 1918, which are not globally routable, but customers can also use other (publicly routable) address ranges.
  • Azure VNet assigns each resource connected to the VNet a private IP address from the CIDR block specified. The smallest subnet Azure supports is /29 and the largest is /8.
  • AWS likewise accepts RFC 1918 or publicly routable blocks for a VPC. However, AWS does not route traffic from publicly routable VPC blocks directly to the internet, so such addresses are not reachable from the internet even through the internet gateway (IGW); they are reachable only via a virtual private gateway.
  • AWS subnet address blocks must be between /28 (smallest) and /16 (largest).

Routing Table

  • AWS uses route tables to specify where outbound traffic from a subnet is sent.
  • Every subnet in a VPC that is not explicitly associated with a route table uses the VPC's main route table, which carries the local route for the VPC's CIDR; so all subnets in a VPC can reach each other unless traffic is explicitly blocked by security rules.
  • In Azure VNet, traffic between resources flows by default using system routes. Azure uses the system route table to ensure that resources connected to any subnet in a VNet can communicate with each other. There are scenarios where you want to override the default routes; for those you can implement user-defined routes (UDR), which control where traffic leaving each subnet is routed, and/or BGP routes (from your VNet to your on-premises network over an Azure VPN Gateway or ExpressRoute connection). A UDR applies only to traffic leaving the subnet and can add a layer of security to a VNet deployment when its purpose is to steer traffic through an inspection NVA or similar: with a UDR, packets sent from one subnet to another can be forced through a network virtual appliance on a defined set of routes.
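One way to apply the public/private rule stated above in practice, as an added example that is not part of the original post: classify each subnet from its effective route table, remembering that a subnet with no explicit association silently inherits the VPC's main route table. The route tables below are a constructed sample in the shape of `aws ec2 describe-route-tables` output (trimmed to the fields used); the identifiers vpc-1, rtb-main, rtb-private, rtb-isolated, igw-abc, nat-1 and the subnet-* names are invented for the example and do not come from a real account.

```python
# Added example (not from the original post). Classify subnets as public or
# private from their effective route table. Sample data is constructed.

# Constructed sample in the shape of `describe-route-tables` output.
ROUTE_TABLES = [
    {   # main route table: used by any subnet without an explicit association
        "RouteTableId": "rtb-main",
        "VpcId": "vpc-1",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-abc", "State": "active"},
        ],
    },
    {   # private table: default route goes to a NAT gateway, not the IGW
        "RouteTableId": "rtb-private",
        "VpcId": "vpc-1",
        "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"},
        ],
    },
    {   # isolated table: an IGW route exists but is blackholed (gateway detached)
        "RouteTableId": "rtb-isolated",
        "VpcId": "vpc-1",
        "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-abc", "State": "blackhole"},
        ],
    },
]
# subnet-web has no explicit association, so it inherits rtb-main.
SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]

TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
               "TransitGatewayId", "VpcPeeringConnectionId")


def effective_route_table(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise LookupError("no main route table in the input")
    return main


def route_target(route):
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "unknown"


def classify_subnet(subnet_id, route_tables):
    rt = effective_route_table(subnet_id, route_tables)
    egress = "none"
    for route in rt["Routes"]:
        if route.get("State") != "active":
            continue  # a blackhole route forwards nothing and grants nothing
        target = route_target(route)
        if target.startswith("igw-"):
            # Any active route to the internet gateway makes the subnet public.
            return {"subnet": subnet_id, "route_table": rt["RouteTableId"],
                    "kind": "public", "via": target}
        if target.startswith("nat-") and route.get("DestinationCidrBlock") == "0.0.0.0/0":
            egress = target  # private subnet with outbound-only internet access
    return {"subnet": subnet_id, "route_table": rt["RouteTableId"],
            "kind": "private", "via": egress}


def classify_all(subnets, route_tables):
    return {s: classify_subnet(s, route_tables) for s in subnets}


if __name__ == "__main__":
    for result in classify_all(SUBNETS, ROUTE_TABLES).values():
        print(result)
```

The case to notice is subnet-web: nobody attached a route table to it, so it is public purely because the main route table happens to carry the IGW route. In a real account, feed the function the JSON from the describe call for each VPC.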

Security

Security is the primary reason a virtual network is preferred over public-facing endpoints. AWS provides several virtual security services that operate at the instance level, the subnet level and the overall network level.

Security Group

  • AWS "Security Groups" protect instances through inbound and outbound rules. Users configure which ports accept traffic from which sources, and likewise which outbound connections EC2 instances may make. When you launch an instance in a VPC you can assign up to five security groups to it. Security groups act at the instance level, not the subnet level.
  • Azure's equivalent is the "Network Security Group" (NSG), which can be associated with subnets, individual VMs (classic) or individual network interfaces (NICs) attached to VMs (Resource Manager). When an NSG is associated with a subnet, its rules apply to every resource connected to that subnet. Traffic can be restricted further by also associating an NSG with the VM or NIC.
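A small simulator of the evaluation models just described, as an added example that is not part of the original post: AWS security groups contain only allow rules and the rules of every attached group are aggregated, so a packet is allowed if any rule matches; Azure NSGs are evaluated in priority order with allow and deny rules, and an inbound packet must be allowed by the subnet NSG and then by the NIC NSG. The rule sets below are constructed for illustration and the CIDRs in them are not from any real deployment.

```python
# Added example (not from the original post): how an inbound packet is
# evaluated by AWS security groups versus Azure network security groups.
# The rule sets at the bottom are constructed for illustration only.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # Azure NSG: lower number wins. Ignored for AWS SG rules.
    action: str        # "allow" or "deny"; AWS SG rules can only be "allow"
    protocol: str      # "tcp", "udp" or "*"
    port: str          # destination port: "22", "1024-65535" or "*"
    source: str        # source CIDR or "*"


def rule_matches(rule: Rule, proto: str, dport: int, src: str) -> bool:
    if rule.protocol not in ("*", proto):
        return False
    if rule.port != "*":
        lo, _, hi = rule.port.partition("-")
        if not int(lo) <= dport <= int(hi or lo):
            return False
    if rule.source != "*" and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.source):
        return False
    return True


def aws_sg_allows(groups, proto, dport, src) -> bool:
    """AWS: the rules of every security group attached to the instance are
    aggregated; if any rule matches, the packet is allowed. There are no
    deny rules and no ordering, so anything not explicitly allowed is dropped."""
    return any(rule_matches(r, proto, dport, src) for g in groups for r in g)


def azure_nsg_allows(nsg, proto, dport, src) -> bool:
    """Azure: rules are evaluated in priority order (lowest number first) and
    the first match decides. No match falls through to the built-in
    DenyAllInBound rule (priority 65500)."""
    for r in sorted(nsg, key=lambda r: r.priority):
        if rule_matches(r, proto, dport, src):
            return r.action == "allow"
    return False


def azure_inbound_allowed(subnet_nsg, nic_nsg, proto, dport, src) -> bool:
    """Inbound traffic must pass the subnet NSG first and then the NIC NSG;
    a layer with no NSG associated (None) imposes no restriction."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and not azure_nsg_allows(nsg, proto, dport, src):
            return False
    return True


# Constructed rule sets (illustration only).
WEB_SG = [Rule(0, "allow", "tcp", "443", "*")]
ADMIN_SG = [Rule(0, "allow", "tcp", "22", "10.0.0.0/8")]

SUBNET_NSG = [
    Rule(100, "allow", "tcp", "22", "*"),            # broad SSH allow at subnet level
    Rule(110, "allow", "tcp", "443", "*"),
]
NIC_NSG = [
    Rule(100, "allow", "tcp", "22", "10.0.1.0/24"),  # only the bastion subnet
    Rule(200, "deny", "tcp", "22", "*"),             # tighten what the subnet allowed
    Rule(300, "allow", "tcp", "443", "*"),
]

if __name__ == "__main__":
    print("AWS  ssh from 10.2.3.4:", aws_sg_allows([WEB_SG, ADMIN_SG], "tcp", 22, "10.2.3.4"))
    print("Azure ssh from 10.2.3.4:", azure_inbound_allowed(SUBNET_NSG, NIC_NSG, "tcp", 22, "10.2.3.4"))
```

The point the two models make: with AWS, attaching a second security group can only widen access; with Azure, a NIC-level NSG can narrow what the subnet-level NSG permitted, which is why an SSH packet from 10.2.3.4 passes the AWS groups but is denied by the NIC NSG above.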

Virtual Network Interfaces

A virtual network interface card (NIC) is a virtual device that can be attached to and detached from VMs. When you move a network interface from one instance to another, network traffic is redirected to the new instance.

In AWS, each instance in your VPC has a default network interface (the primary network interface) that is assigned a private IPv4 address from the VPC's address range. You cannot detach the primary network interface from an instance, but you can create additional network interfaces and attach them to any instance in your VPC.

In Azure, a network interface lets a virtual machine communicate with the Internet, with Azure services and with on-premises resources. When you create a virtual machine through the Azure portal, the portal creates one network interface with default settings for you.

DNS Service

The Domain Name System (DNS) translates (resolves) a website or service name into its IP address. Fast, nearby resolution matters for avoiding latency and unnecessary network hops. AWS Route 53 provides a highly available and redundant DNS service that connects user requests to AWS services such as EC2, ELB or S3, and it can also route users to infrastructure outside AWS.

Azure DNS is a hosting service for DNS domains, providing name resolution using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services. Azure DNS now also supports private DNS domains.

Connectivity

Interconnectivity lets different networks connect to each other. Cloud providers offer three basic interconnectivity options:

1. Direct Internet Connectivity

AWS lets users associate public IPs with EC2 instances, giving those machines internet connectivity; VMs in a private subnet gain internet access by routing through NAT instances (or NAT gateways) in a public subnet.

Azure lets users assign public endpoints, i.e. public IP addresses, to VMs inside a subnet so that the VMs can be reached by other systems.

2. VPN over IPsec

A VPN over IPsec is an IP-based way to interconnect two different networks, whether both are in the cloud, one is on premises, and so on. Broadly, two types of VPN routing are used: 1. static routing and 2. dynamic routing.

Azure and AWS both support static routing and dynamic routing using BGP. BGP is the standard routing protocol used on the Internet to exchange routing and reachability information between two or more networks. In the context of Azure Virtual Networks, BGP lets Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors, exchange "routes" that tell both gateways which prefixes are reachable through the gateways or routers involved.

3. Private Connectivity using Exchange Provider

Private connectivity is aimed mainly at enterprise customers with bandwidth-heavy workloads. A private connection through an ISP can provide much better performance than the Internet. AWS has partnered with major telecom providers and partners to offer private connectivity (AWS Direct Connect) between its cloud and customers' on-premises infrastructure, while Azure runs a Microsoft backbone network between regions to support ExpressRoute. Azure supports most of its services over ExpressRoute, with a few exceptions such as

  • CDN
  • Visual Studio Team Services Load Testing
  • Multi-factor Authentication
  • Traffic Manager

AWS, for its part, states that all AWS services, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3) and Amazon DynamoDB, can be used with AWS Direct Connect. As for SLAs, AWS does not provide one for Direct Connect, whereas Azure promises 99.9% availability for ExpressRoute, failing which the customer can claim service credits.

Summary

The intention of this article is to highlight certain intricate differences, not to be an in-depth comparison guide. AWS, as the pioneer in the IaaS space, has a large and mature set of options and tools on offer, but Azure has closed the gap rapidly in the past few years. Microsoft, being a conventional software vendor, focused first on enabling its Windows environment within the IaaS offering, so many of the newly launched and preview services appear Windows-focused; Microsoft welcomes partners and vendors to build providers, adapters, connectors and APIs for open-source languages such as Python or Ruby on Rails. Azure has targeted enterprise customers with a hybrid story from its inception, whereas AWS found its early success with startups and SMB customers and is now building out an enterprise story to take AWS to the next level.
