DEV Community

Swati Tiwari
Swati Tiwari

Posted on

Behind the Scene of AWS IP Packet Delivery

AWS hosts millions of customers in multiple regions and availability zones. Mostly Customers have overlapping private IP CIDR blocks, so the question is how AWS is preventing the IP Conflict moreover how is it actually distinguishing and preventing each customer's logical network infrastructure while they are perhaps sharing the same Physical host or different.

The Key answer to this is VPC mechanics and mapping Service. AWS VPC lets you provision a logically isolated section of the AWS Cloud. That Logically isolated section is called a virtual network that you define, and you have full control of it which includes selecting IP range, creation of subnet and so on. Each customer has their own logically isolated network ie VPC. Each VPC infrastructure is made up of the following:

  • Physical Host on which Customer launch their EC2 instance
  • Amazon DNS Server
  • DHCP Server
  • Instance Metadata

When an EC2 instance is launched, physical server on which it will be hosted gets determined by many factors like availability zone, EC2 instance type, EC2 instance tenancy and EC2 instance placement group.

Tenant isolation is a core function of VPC which helps in keeping these instances invisible to the other instances launched by different AWS accounts. And VPC uses a Mapping Service to understand which resources are part of it. Mapping service maintains information about VPC resources like MAC addresses, VPC IP addresses and the physical host IP address on which it lies.

Look at the following example to understand how the IP packet delivery process happens between two instances A and B, hosted on Physical hosts X and Y respectively, refer to the diagram to understand each step:

Image description

1- Instance A, which is hosted on physical host X, will send an ARP to know Instance B's MAC, which is captured by the HyperVisor of Host X.

2- HyperVisor of Host X goes to the mapping service to confirm if the Instance B exists in the same VPC.

3- Mapping service Confirms and it returns the MAC of Instance B to HyperVisor of Host X and HyperVisor sends the synthetic response to Instance A's ARP request.

Therefore, ARP request from Instance A does not directly reaches to the other host rather being taken care by the local HyperVisor and the mapping service.

4- Now, Instance A will send an IP packet which is encapsulated in the ethernet header. IP packet will have the source IP as instance A's ip and destination IP as Instance B's ip. And the Ethernet header will have the source MAC as Instance A's and Destination MAC as of instance B. IP packet is captured by HyperVisor of Host X where A exists. HyperVisor of host X goes to Mapping service to understand the IP of the physical host Y on which Instance B exists.

5- Mapping service returns the IP of the physical host Y to the HyperVisor of host X.

6- Now HyperVisor of host X encapsulates the IP packet with two more headers, One is VPC header which includes the VPC ID and another IP header which includes the IP of destination physical host Y. Now this packet is transmitted over the AWS network, and it reaches the destination physical host Y.

7- Now HyperVisor of the receiving physical host Y reaches to the mapping service to confirm if instance A exists in the same VPC.

8- Once Mapping service confirms, HyperVisor of Physical Host Y rips off the headers and delivers the packet to the Instance B successfully.

So there is a lot of scrutiny happens by mapping service to make sure instances within the same VPC able to connect while making sure to keep the others isolated. There is more to routing and network infrastructure of AWS however this covers the basics of how the VPC mechanics and mapping service works.

Hope it helps!

Happy Learning.

Top comments (0)