16 November 2020

AWS-VPC

VPC

  • Logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
  • Virtual Data Center in the cloud
  • Amazon provides you a default VPC in every region when you create your account
  • Can create a hardware VPN between your corporate datacenter and your VPC, making AWS an extension of your own network
  • Users may connect their VPC to corporate data center using a Hardware VPN connection via the virtual private gateway.
  • Amazon supports Internet Protocol security (IPsec) VPN connections.
  • Users can create two types of Site-to-Site VPN connections: statically routed VPN connections and dynamically-routed VPN connections.
  • Client VPN supports authentication with Active Directory using AWS Directory Services and Certificate-based authentication.
  • AWS Client VPN supports statically-configured Certificate Revocation List (CRL).
  • Using CloudWatch, users can monitor ingress and egress bytes and active connections for each Client VPN endpoint.
  • Each AWS Site-to-Site VPN connection has two tunnels and each tunnel supports a maximum throughput of up to 1.25 Gbps.
  • Only Transit Gateway supports Accelerated Site-to-Site VPN.
  • Multiple VPN connections to the same Virtual Private Gateway are bound by an aggregate throughput limit from AWS to on-premises of up to 1.25 Gbps.
  • VPN connection-hours are billed for time the VPN connections are in the available state.

VPC Endpoint

  • A VPC endpoint enables users to privately connect their VPC to supported AWS services.
  • There are two types of VPC endpoints: interface endpoints and gateway endpoints.
  • An interface endpoint is an elastic network interface with a private IP address from the IP address range of the user's subnet that serves as an entry point for traffic destined to a supported service.
  • Endpoints are virtual devices.
  • Endpoints are horizontally scaled, redundant and highly available VPC components.
  • A gateway endpoint is a gateway that users specify as a target for a route in their route table for traffic destined to a supported AWS service.
  • An endpoint route is automatically deleted when users remove the route table association from the endpoint or when they delete their endpoint.
  • Gateway endpoints are supported within the same Region only. Users cannot create a gateway endpoint between a VPC & a service in a different Region.
  • Gateway endpoints support IPv4 traffic only.
  • Endpoint policies must be written in JSON format.

What can be done:

  • Launch instances into the subnet of your choice
  • Assign custom IP address range to each subnet
  • Configure route tables between subnets
  • Create internet gateway and attach it to our VPC, one per VPC
  • Better security control over AWS resources
  • Instance security groups
  • Subnet Access Control Lists (ACLs)

Default VPC Vs. Custom VPC

  • Default VPC is user friendly, allows you to deploy immediately
  • All subnets in the default VPC have a route out to the internet
  • Each EC2 instance has a public and a private IP address

VPC Peering

  • Allows you to connect one VPC with another via a direct network route using private IP Addresses
  • Instances behave as if they were on the same private network
  • You can peer VPC's with other AWS accounts as well as with other VPC's in same account
  • Peering is a star configuration: one central VPC can peer with four others, but there is no transitive peering
  • A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately.
  • Users can create a VPC peering connection between their own VPCs, with a VPC in another AWS account or with a VPC in a different AWS Region.
  • Users can modify a VPC peering connection to enable instances in their VPC to communicate with linked EC2-Classic instances in the peer VPC.
  • Users cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.
  • A VPC peering connection is a one to one relationship between two VPCs.
  • Users can create multiple VPC peering connections for each VPC, but transitive peering relationships are not supported.
  • Users have a quota on the number of active and pending VPC peering connections that they can have per VPC.
  • Users cannot have more than one VPC peering connection between the same two VPCs at the same time.
  • Unicast reverse path forwarding in VPC peering connections is not supported.
  • Users cannot connect to or query the Amazon DNS server in a peer VPC.
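The peering rules above (no matching or overlapping IPv4 CIDRs, one connection per pair, no transitive peering) and the route-table note below, worked through in Python. This is an added example, not code from the original page; the VPC CIDRs and the pcx-* ids are constructed placeholders.

```python
import ipaddress

# Constructed sample VPCs (not from the original page); vpc-d overlaps vpc-b on purpose.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.1.128.0/17",
}

def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Peering is refused when the IPv4 CIDR blocks match or overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def validate_peerings(vpcs, requested):
    """Return the accepted peerings as frozensets of two VPC ids.
    Rejects overlapping CIDRs, self-peering and a second connection
    between the same two VPCs."""
    accepted = set()
    for a, b in requested:
        pair = frozenset((a, b))
        if a == b or pair in accepted:
            continue
        if can_peer(vpcs[a], vpcs[b]):
            accepted.add(pair)
    return accepted

def reachable(src, dst, peerings):
    """Traffic only crosses a direct peering: a-b plus b-c never gives a-c."""
    return frozenset((src, dst)) in peerings

def peering_routes(vpc_id, vpcs, peerings):
    """Route-table entries one VPC needs: destination = peer CIDR,
    target = the peering connection (pcx- prefix is AWS's; suffix is a placeholder)."""
    routes = []
    for pair in peerings:
        if vpc_id in pair:
            (peer,) = pair - {vpc_id}
            routes.append((vpcs[peer], f"pcx-{vpc_id}-{peer}"))
    return sorted(routes)

if __name__ == "__main__":
    wanted = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c"), ("vpc-b", "vpc-d"), ("vpc-a", "vpc-b")]
    peerings = validate_peerings(VPCS, wanted)
    print(sorted(tuple(sorted(p)) for p in peerings))
    print(reachable("vpc-a", "vpc-c", peerings))   # False: no transitive peering
    print(peering_routes("vpc-b", VPCS, peerings))
```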

VPC ENI

  • Elastic network interface is a logical networking component in a VPC that represents a virtual network card.
  • Users can create a network interface, attach it to an instance, detach it from an instance & attach it to another instance.
  • Users can create and attach an additional network interface to any instance in their VPC.
  • All network interfaces have a resource identifier that starts with eni-.
  • Users can also modify the attributes of their network interface, including changing its security groups & managing its IP addresses.
  • Every instance in a VPC has a default network interface, called the primary network interface (eth0).
  • The maximum number of network interfaces that users can use varies by instance type.
  • Users can associate IPv6 CIDR block with their VPC and subnet, and assign one or more IPv6 addresses from the subnet range to a network interface.
  • Users can enable a VPC flow log on their network interface to capture information about the IP traffic going to and from a network interface.
  • Users can create a management network using elastic network interfaces.

VPC Route Table

  • A route table contains a set of rules, called routes, that determine where network traffic from a subnet or gateway is directed.
  • The main route table comes automatically with the VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.
  • An edge association is used to route inbound VPC traffic to an appliance.
  • A gateway route table is a route table associated with an internet gateway or virtual private gateway.
  • Each route in a table specifies a destination and a target.
  • Every route table contains a local route for communication within the VPC.
  • A gateway route table supports routes where the target is local or an elastic network interface in the VPC.
  • Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other.
  • Subnets that are in VPCs associated with AWS Outposts can have an additional target type of a local gateway.
  • A VPC peering connection can also support IPv6 communication between instances in the VPCs, if the VPCs and instances are enabled for IPv6 communication.

VPC Internet Gateway

  • An internet gateway is a horizontally scaled, redundant & highly available VPC component that allows communication between instances in VPC & the internet.
  • An internet gateway supports IPv4 and IPv6 traffic.
  • An internet gateway provides a target in VPC route tables for internet-routable traffic.
  • An internet gateway performs NAT for instances that have been assigned public IPv4 addresses.
  • An egress-only Internet gateway is for use with IPv6 traffic only.
  • Users cannot associate a security group with an egress-only Internet gateway.
  • Users can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.
  • To enable communication over the internet for IPv4, an instance must have a public IPv4 address or an Elastic IP address.
  • An egress-only Internet gateway is stateful.
  • AWS CLI command to create egress-only internet gateway:

VPC DHCP Options Set

  • The Dynamic Host Configuration Protocol provides a standard for passing configuration information to hosts on a TCP/IP network.
  • The options field of a DHCP message contains the configuration parameters like domain name, domain name server & the netbios-node-type.
  • When users create a VPC, AWS automatically creates a set of DHCP options and associates them with the VPC.
  • DHCP options set includes two options: domain-name-servers=AmazonProvidedDNS and domain-name=domain-name-for-your-region.
  • Users cannot filter traffic to or from a DNS server using network ACLs or security groups.
  • Once users create a set of DHCP options, they can't modify them.
  • Users can have multiple sets of DHCP options, but they can associate only one set of DHCP options with a VPC at a time.
  • If users delete a VPC, the DHCP options set associated with the VPC is disassociated from the VPC.
  • Users can change which set of DHCP options their VPC uses.
  • Use describe-dhcp-options to describe an options set and associate-dhcp-options to associate a DHCP options set with a VPC.

NAT Instances

  • When creating a NAT instance, disable source/destination check on the instance
  • NAT instances must be in a public subnet
  • There must be a route out of the private subnet to the NAT instance for this to work
  • The amount of traffic that NAT instances can support depends on the instance size
  • You can create HA using:
      • Autoscaling Groups
      • Multiple subnets in different AZs
      • Script to automate failover
  • Behind Security groups

NAT gateways

  • Preferred by the enterprise
  • Scale automatically up to 10Gbps
  • No need to patch
  • Not associated with security groups
  • Automatically assigned a public IP address
  • Remember to update route tables and point to NAT Gateways
  • No need to disable source/destination checks
  • More secure than a NAT instance

Network ACLs

  • VPC automatically comes with a default network ACL, which by default allows all inbound and outbound traffic
  • You can create custom network ACLs. By default each custom network ACL denies all inbound and outbound traffic
  • Each subnet in a VPC must be associated with a network ACL; it uses the default ACL by default
  • You can associate a network ACL with multiple subnets, however a subnet can only be associated with one ACL at a time
  • Adding a subnet to a second ACL will automatically remove it from the previous ACL
  • A network ACL contains a numbered list of rules that is evaluated in order, starting with the lowest number
  • Network ACLs always have separate inbound and outbound rules
  • Network ACLs are stateless
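The two NACL properties that catch people out, ordered evaluation and statelessness, shown in a small evaluator. This is an added example, not code from the original page; the rules, rule numbers and client address are constructed, and the 1024-65535 ephemeral range is assumed for the reply traffic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluated lowest number first; no match falls to the '*' deny
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

def evaluate(rules, protocol, port, addr):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"

# Constructed example: a web subnet that allows inbound HTTPS from anywhere.
INBOUND = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]

# No outbound ephemeral-port rule: the reply to an inbound HTTPS request is a
# separate outbound packet to the client's ephemeral port, and the stateless
# NACL denies it because nothing remembers the inbound connection.
OUTBOUND_BROKEN = []

# Outbound rules that let replies out; rule 90 sits before rule 100 to show
# that the lower number is evaluated first even though 100 would also match.
OUTBOUND_FIXED = [
    Rule(90, "deny", "tcp", 1024, 1024, "0.0.0.0/0"),
    Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]

def https_session_allowed(inbound, outbound, client_ip, client_port):
    """A TCP session needs both directions allowed because the NACL is stateless."""
    request = evaluate(inbound, "tcp", 443, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"
```

A security group, being stateful, would pass the reply automatically; that is exactly the difference the notes call out.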
Others

  • Think of a VPC as a logical datacenter in AWS
  • Consists of IGWs (or virtual private gateways), route tables, NACLs, subnets, security groups
  • 1 subnet = 1 AZ
  • Security Groups are stateful; NACLs are stateless
  • NO TRANSITIVE PEERING
  • VPC allows users to provision a logically isolated section of the AWS cloud where they can launch AWS resources in a virtual network.
  • VPC endpoints enable users to privately connect their VPC to services hosted on AWS without requiring an Internet gateway, a NAT device, VPN or firewall proxies.
  • VPC endpoints are horizontally scalable and highly available virtual devices.
  • Amazon VPC offers two different types of endpoints: gateway type endpoints and interface type endpoints.
  • VPC supports the creation of an Internet gateway. This gateway enables EC2 instances in the VPC to directly access the Internet.
  • An Internet gateway is horizontally-scaled, redundant & highly available. It imposes no bandwidth constraints.
  • Users may use a third-party software VPN to create a site to site or remote access VPN connection with VPC via the Internet gateway.
  • AWS supports Internet Protocol Security (IPSec) VPN connections.
  • An internet gateway is not required to establish an AWS Site-to-Site VPN connection.
  • Default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC are assigned /20 netblocks within the VPC CIDR range.
  • Users can route traffic via the AWS Site-to-Site VPN connection and advertise the address range from their home network.
  • Users can bring their public IPv4 addresses into AWS VPC and statically allocate them to subnets and EC2 instances.
  • A VPC can have both IPv4 and IPv6 CIDR blocks associated to it.
  • The minimum size of a subnet is a /28 (or 14 IP addresses) for IPv4.
  • AWS reserves the first four IP addresses and the last IP address of every subnet for IP networking purposes.
  • An IP address assigned to a running instance can only be used again by another instance once that original running instance is in a 'terminated' state.
  • Users can use VPC traffic mirroring and VPC flow logs features to monitor the network traffic in their AWS VPC.
  • A subnet must reside within a single Availability Zone.
  • The total number of network interfaces that can be attached to an EC2 instance depends on the instance type.
  • Network interfaces can only be attached to instances residing in the same Availability Zone.
  • Peering connections can be created with VPCs in different regions.
  • Peered VPCs must have non-overlapping IP ranges.
  • Edge to Edge routing isn't supported in AWS VPC.
  • VPC peering connections do not require an Internet Gateway.
  • Security groups cannot be referenced across an Inter-Region VPC Peering connection.
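The subnet sizing rules in the list above (the /28 minimum, the five addresses AWS reserves, subnets confined to the VPC block and not overlapping each other) as a small subnet planner. This is an added example, not code from the original page; the VPC and subnet CIDRs used are constructed, with the default-VPC 172.31.0.0/16 and /20 values taken from the notes.

```python
import ipaddress

RESERVED_PER_SUBNET = 5   # first four addresses plus the last one, per the notes
MIN_PREFIX = 28           # smallest IPv4 subnet AWS allows

def reserved_addresses(subnet_cidr):
    """The five addresses AWS holds back in every IPv4 subnet."""
    hosts = list(ipaddress.ip_network(subnet_cidr))
    return [str(a) for a in hosts[:4]] + [str(hosts[-1])]

def usable_count(subnet_cidr):
    """Addresses actually assignable to instances in the subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET

def validate_subnet(vpc_cidr, existing, new_cidr):
    """Check a proposed subnet against the VPC CIDR and the subnets already carved
    out of it. Returns a list of problems; an empty list means it can be created."""
    vpc = ipaddress.ip_network(vpc_cidr)
    new = ipaddress.ip_network(new_cidr)
    problems = []
    if new.prefixlen > MIN_PREFIX:
        problems.append(f"{new} is smaller than the /{MIN_PREFIX} minimum")
    if not new.subnet_of(vpc):
        problems.append(f"{new} lies outside the VPC block {vpc}")
    for cidr in existing:
        if new.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{new} overlaps existing subnet {cidr}")
    return problems

if __name__ == "__main__":
    # Constructed layout: a default-style VPC with one /20 already present.
    vpc, existing = "172.31.0.0/16", ["172.31.0.0/20"]
    print(reserved_addresses("10.0.1.0/28"), usable_count("10.0.1.0/28"))
    print(validate_subnet(vpc, existing, "172.31.16.0/20"))   # [] -> fine
    print(validate_subnet(vpc, existing, "172.31.8.0/24"))    # overlaps the /20
    print(validate_subnet(vpc, existing, "10.0.0.0/29"))      # too small and outside VPC
```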
