VPC
- Logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
- Virtual Data Center in the cloud
- Amazon provides you a default VPC in every region when you create your account
- You can create a hardware VPN between your corporate data center and your VPC, making AWS an extension of your own network; the VPC side of the connection terminates on a virtual private gateway.
- Amazon supports Internet Protocol security (IPsec) VPN connections.
- Users can create two types of Site-to-Site VPN connections: statically routed and dynamically routed (BGP) VPN connections.
- Client VPN supports Active Directory authentication (via AWS Directory Service), mutual certificate-based authentication, and SAML-based federated authentication.
- AWS Client VPN supports a statically configured Certificate Revocation List (CRL) for revoking individual client certificates.
- Using CloudWatch, users can monitor ingress and egress bytes and active connections for each Client VPN endpoint.
- Each AWS Site-to-Site VPN connection has two tunnels and each tunnel supports a maximum throughput of up to 1.25 Gbps.
- Accelerated Site-to-Site VPN is only available for VPN connections that terminate on a Transit Gateway, not on a virtual private gateway.
- Multiple VPN connections to the same Virtual Private Gateway are bound by an aggregate throughput limit from AWS to on-premises of up to 1.25 Gbps.
- VPN connection-hours are billed for time the VPN connections are in the available state.
VPC Endpoint
- A VPC endpoint enables users to privately connect their VPC to supported AWS services.
- There are two types of VPC endpoints: interface endpoints and gateway endpoints.
- An interface endpoint (powered by AWS PrivateLink) is an elastic network interface with a private IP address from the IP address range of the user's subnet that serves as an entry point for traffic destined to a supported service.
- Endpoints are virtual devices: horizontally scaled, redundant and highly available VPC components.
- A gateway endpoint is a gateway that users specify as a target for a route in their route table for traffic destined to a supported AWS service.
- An endpoint route is automatically deleted when users remove the route table association from the endpoint or when they delete their endpoint.
- Gateway endpoints are supported within the same Region only. Users cannot create a gateway endpoint between a VPC & a service in a different Region.
- Gateway endpoints support IPv4 traffic only.
- Endpoint policies are IAM resource policies written in JSON; if none is supplied, AWS attaches a default policy that grants full access to the service from the VPC, so restrict it explicitly.
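The default full-access endpoint policy is the setting a reviewer most often finds. Below is an added example (not from the original post) that builds a scoped S3 gateway endpoint policy and audits a set of policies for the usual weaknesses (wildcard action, wildcard resource, no principal-scoping condition). The bucket name, organisation ID and endpoint IDs are constructed placeholders; the audit input is shaped like the PolicyDocument field of describe-vpc-endpoints but is built inline so the code runs offline.

```python
"""Least-privilege VPC endpoint policy plus an audit of existing policies.

Added example, not from the original post. The bucket name, organisation
ID and endpoint IDs are constructed placeholders.
"""
import json

# What AWS attaches to a new endpoint if you do not supply a policy:
# any principal, any action, any resource of the service.
DEFAULT_FULL_ACCESS = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ]
}


def restricted_s3_endpoint_policy(bucket: str, org_id: str) -> dict:
    """Allow one bucket only, and only to principals from our own organisation.

    Without the aws:PrincipalOrgID condition a compromised instance could push
    data through the endpoint to a bucket in an attacker-controlled account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyOurBucketFromOurOrg",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Return a list of findings (empty means the policy looks scoped)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond_keys = {
            key.lower()
            for operator in stmt.get("Condition", {}).values()
            for key in operator
        }
        if "*" in actions:
            findings.append(f"{sid}: Action '*' allows every API call")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' allows every bucket/resource")
        if not cond_keys & {"aws:principalorgid", "aws:principalaccount"}:
            findings.append(f"{sid}: no aws:PrincipalOrgID/PrincipalAccount "
                            "condition, so any AWS account's credentials work")
    return findings


def audit(policies: dict) -> dict:
    """Map endpoint ID -> findings, e.g. from describe-vpc-endpoints output."""
    return {eid: policy_findings(doc) for eid, doc in policies.items()}


if __name__ == "__main__":
    sample = {  # constructed sample shaped like the API's PolicyDocument field
        "vpce-0a1b2c3d4e5f60001": DEFAULT_FULL_ACCESS,
        "vpce-0a1b2c3d4e5f60002": restricted_s3_endpoint_policy(
            "example-payroll-exports", "o-exampleorgid"),
    }
    for eid, findings in audit(sample).items():
        print(eid, "OK" if not findings else "NEEDS REVIEW")
        for finding in findings:
            print("   -", finding)
    print(json.dumps(restricted_s3_endpoint_policy(
        "example-payroll-exports", "o-exampleorgid"), indent=2))
```

The principal-scoping check matters because an endpoint policy applies to whoever sends traffic through the endpoint, including credentials an attacker brings with them; pairing it with a bucket policy that requires the same aws:sourceVpce is the usual complement.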
What can be done:
- Launch instances into a subnet of your choice
- Assign custom IP address range to each subnet
- Configure route tables between subnets
- Create an internet gateway and attach it to the VPC (only one internet gateway per VPC)
- Better security control over AWS resources, at two layers:
- Instance security groups
- Subnet network Access Control Lists (ACLs)
Default VPC Vs. Custom VPC
- The default VPC is user friendly and allows you to deploy immediately
- All subnets in the default VPC have a route out to the internet via an internet gateway
- Each EC2 instance launched into a default subnet gets both a public and a private IPv4 address (public IP auto-assignment is enabled)
VPC Peering
- VPC peering allows you to connect one VPC with another via a direct network route using private IP addresses
- Instances behave as if they were on the same private network
- You can peer VPC's with other AWS accounts as well as with other VPC's in same account
- Peering is point-to-point: in a star configuration with one central VPC peered to four others, the four spokes cannot reach each other through the hub (no transitive peering)
- A VPC peering connection is a networking connection between two VPCs that enables to route traffic between them privately.
- Users can create a VPC peering connection between their own VPCs, with a VPC in another AWS account or with a VPC in a different AWS Region.
- Users could modify a VPC peering connection to enable instances in their VPC to communicate with ClassicLink-linked EC2-Classic instances in the peer VPC; EC2-Classic and ClassicLink have since been retired (2022), so this only applied to legacy accounts.
- Users cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.
- A VPC peering connection is a one to one relationship between two VPCs.
- Users can create multiple VPC peering connections for each VPC, but transitive peering relationships are not supported.
- Users have a quota on the number of active and pending VPC peering connections that they can have per VPC.
- Users cannot have more than one VPC peering connection between the same two VPCs at the same time.
- Unicast reverse path forwarding in VPC peering connections is not supported.
- Users cannot connect to or query the Amazon DNS server in a peer VPC.
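The three rules that trip people up in practice are the overlapping-CIDR rejection, the one-connection-per-pair limit, and the lack of transitive forwarding in a hub-and-spoke layout. The following added example (not from the original post) models them; VPC names and CIDRs are constructed, and the model only mirrors the acceptance-time checks described above, not the full AWS API.

```python
"""Model the peering rules: non-overlapping CIDRs, one connection per pair,
no transitive forwarding. Added example, not from the original post; VPC
names and CIDRs are constructed."""
import ipaddress
from itertools import combinations


class PeeringError(ValueError):
    pass


class PeeringModel:
    def __init__(self):
        self.vpcs = {}      # name -> list of IPv4 networks
        self.peers = set()  # frozenset({a, b}) for each active peering

    def add_vpc(self, name, *cidrs):
        self.vpcs[name] = [ipaddress.ip_network(c) for c in cidrs]

    def peer(self, a, b):
        """Create a peering connection, applying AWS's acceptance-time checks."""
        if a == b:
            raise PeeringError("a VPC cannot peer with itself")
        pair = frozenset((a, b))
        if pair in self.peers:
            raise PeeringError(f"{a} and {b} already have an active peering")
        for net_a in self.vpcs[a]:
            for net_b in self.vpcs[b]:
                if net_a.overlaps(net_b):
                    raise PeeringError(
                        f"{a} {net_a} overlaps {b} {net_b}: peering rejected")
        self.peers.add(pair)

    def can_reach(self, src, dst):
        """Only directly peered VPCs can talk; a hub never forwards for others."""
        return src != dst and frozenset((src, dst)) in self.peers

    def transitive_gaps(self):
        """Pairs that share a hub but cannot reach each other (no transitivity)."""
        gaps = []
        for a, b in combinations(self.vpcs, 2):
            if self.can_reach(a, b):
                continue
            hubs = [h for h in self.vpcs
                    if self.can_reach(a, h) and self.can_reach(h, b)]
            if hubs:
                gaps.append((a, b, hubs))
        return gaps


def star_example():
    """Hub-and-spoke topology from the text: one hub peered to several spokes."""
    m = PeeringModel()
    m.add_vpc("hub", "10.0.0.0/16")
    m.add_vpc("spoke-a", "10.1.0.0/16")
    m.add_vpc("spoke-b", "10.2.0.0/16")
    m.add_vpc("spoke-c", "10.1.0.0/24")  # overlaps spoke-a on purpose
    m.peer("hub", "spoke-a")
    m.peer("hub", "spoke-b")
    return m


if __name__ == "__main__":
    m = star_example()
    print("spoke-a -> spoke-b via hub?", m.can_reach("spoke-a", "spoke-b"))
    print("transitive gaps:", m.transitive_gaps())
    try:
        m.peer("spoke-a", "spoke-c")
    except PeeringError as err:
        print("rejected:", err)
```

transitive_gaps() is the check to run when someone assumes spoke-to-spoke traffic "should work because both are peered to the hub"; the fix is a direct peering (or a transit gateway), never a route through the hub.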
VPC ENI
- Elastic network interface is a logical networking component in a VPC that represents a virtual network card.
- Users can create a network interface, attach it to an instance, detach it from an instance & attach it to another instance.
- Users can create and attach an additional network interface to any instance in their VPC.
- All network interfaces have a resource identifier that starts with eni-.
- Users can also modify the attributes of their network interface, including changing its security groups & managing its IP addresses.
- Every instance in a VPC has a default network interface, called the primary network interface (eth0).
- The maximum number of network interfaces that users can use varies by instance type.
- Users can associate IPv6 CIDR block with their VPC and subnet, and assign one or more IPv6 addresses from the subnet range to a network interface.
- Users can enable a VPC flow log on their network interface to capture information about the IP traffic going to and from a network interface.
- Users can create a management network using elastic network interfaces.
VPC Route Table
- A route table contains a set of rules, called routes, that determine where network traffic from a subnet or gateway is directed.
- Main route table automatically comes with VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.
- An edge association is a route table associated with an internet gateway or virtual private gateway (a gateway route table); it is used to route inbound VPC traffic to an appliance.
- Each route in a table specifies a destination and a target.
- Every route table contains a local route for communication within the VPC.
- A gateway route table supports routes whose target is local, an elastic network interface in the VPC, or a Gateway Load Balancer endpoint.
- Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other.
- Subnets that are in VPCs associated with AWS Outposts can have an additional target type of a local gateway.
- Users VPC peering connection can also support IPv6 communication between instances in the VPCs, if the VPCs and instances are enabled for IPv6 communication.
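Route selection is longest-prefix match per address family, with the implicit local route always present. The added example below (not from the original post) implements that lookup for a public and a private subnet table and adds the check a reviewer actually wants: does this table send IPv4 default traffic to an internet gateway? The CIDRs and gateway IDs are constructed (2001:db8::/32 is the IPv6 documentation prefix).

```python
"""Longest-prefix route lookup for VPC route tables, plus an exposure check.
Added example, not from the original post; the CIDRs and gateway IDs are
constructed (2001:db8::/32 is the IPv6 documentation prefix)."""
import ipaddress


class RouteTable:
    def __init__(self, vpc_cidrs):
        # Every route table gets an implicit, non-removable local route for
        # each CIDR block associated with the VPC.
        self.routes = [(ipaddress.ip_network(c), "local") for c in vpc_cidrs]

    def add(self, destination, target):
        self.routes.append((ipaddress.ip_network(destination), target))

    def lookup(self, dst):
        """Target for a destination address: most specific matching route wins."""
        ip = ipaddress.ip_address(dst)
        # IPv4 and IPv6 routes are independent; only same-family routes match.
        matches = [(net, tgt) for net, tgt in self.routes
                   if net.version == ip.version and ip in net]
        if not matches:
            return None  # no route: the packet is dropped
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def default_targets(self):
        """Targets of the 0.0.0.0/0 and ::/0 routes, keyed by IP version."""
        return {net.version: tgt for net, tgt in self.routes
                if net.prefixlen == 0}

    def internet_exposed(self):
        """True if IPv4 default traffic goes to an internet gateway, i.e.
        instances with public IPs in this subnet are reachable from outside."""
        return self.default_targets().get(4, "").startswith("igw-")


VPC_CIDRS = ["10.0.0.0/16", "2001:db8:1::/56"]


def public_subnet_table():
    rt = RouteTable(VPC_CIDRS)
    rt.add("0.0.0.0/0", "igw-0a1b2c3d")     # IPv4 in and out via the IGW
    rt.add("::/0", "igw-0a1b2c3d")          # IPv6 in and out via the IGW
    rt.add("10.1.0.0/16", "pcx-11111111")   # peered VPC
    return rt


def private_subnet_table():
    rt = RouteTable(VPC_CIDRS)
    rt.add("0.0.0.0/0", "nat-0a1b2c3d")     # IPv4 outbound only, via NAT gateway
    rt.add("::/0", "eigw-0a1b2c3d")         # IPv6 outbound only, no inbound
    rt.add("10.1.0.0/16", "pcx-11111111")
    return rt


if __name__ == "__main__":
    for name, rt in (("public", public_subnet_table()),
                     ("private", private_subnet_table())):
        print(name, "subnet, internet exposed:", rt.internet_exposed())
        for dst in ("10.0.5.4", "10.1.2.3", "198.51.100.7",
                    "2001:db8:1::10", "2001:db8:2::1"):
            print("  ", dst, "->", rt.lookup(dst))
```

Feeding real describe-route-tables output into RouteTable.add is a quick way to find a "private" subnet whose default route was pointed at an IGW during troubleshooting and never reverted.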
VPC Internet Gateway
- An internet gateway is a horizontally scaled, redundant & highly available VPC component that allows communication between instances in VPC & the internet.
- An internet gateway supports IPv4 and IPv6 traffic.
- An internet gateway provides a target in VPC route tables for internet-routable traffic.
- An internet gateway performs one-to-one NAT for instances that have been assigned public IPv4 addresses.
- An egress-only Internet gateway is for use with IPv6 traffic only.
- Users cannot associate a security group with an egress-only Internet gateway.
- Users can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.
- To enable communication over the internet for IPv4, instance must have a public IPv4 address or an Elastic IP address.
- An egress-only Internet gateway is stateful.
- AWS CLI command to create an egress-only internet gateway: aws ec2 create-egress-only-internet-gateway --vpc-id <vpc-id>
VPC DHCP Options Set
- The Dynamic Host Configuration Protocol provides a standard for passing configuration information to hosts on a TCP/IP network.
- The options field of a DHCP message contains the configuration parameters like domain name, domain name server & the netbios-node-type.
- When users create a VPC, AWS automatically creates a set of DHCP options and associates it with the VPC.
- The default DHCP options set includes two options: domain-name-servers=AmazonProvidedDNS and domain-name=<domain name for the region> (ec2.internal in us-east-1, <region>.compute.internal elsewhere).
- Users cannot filter traffic to or from the Amazon-provided DNS server using network ACLs or security groups.
- Once users create a set of DHCP options, they can't modify it; create a new set and associate that instead.
- Users can have multiple sets of DHCP options, but they can associate only one set of DHCP options with a VPC at a time.
- If users delete a VPC, the DHCP options set associated with the VPC is disassociated from it (the set itself is not deleted).
- Users can change which set of DHCP options their VPC uses.
- Use describe-dhcp-options to describe the options set and associate-dhcp-options to associate dhcp options set.
NAT Instances
- When creating a NAT instance, disable the source/destination check on the instance; otherwise EC2 drops packets that are not addressed to the instance itself
- NAT instances must be in a public subnet
- There must be a route out of the private subnet to the NAT instance for this to work
- The amount of traffic that NAT instances can support depends on the instance size
- You can build high availability for NAT instances yourself using:
- Auto Scaling groups
- Multiple subnets in different AZs
- A script to automate failover
- NAT instances sit behind security groups (NAT gateways do not)
NAT gateways
- Preferred by the enterprise: fully managed
- Scale automatically, from 5 Gbps up to 100 Gbps
- No operating system to patch
- Not associated with security groups; control traffic with the subnet's network ACL and the security groups of the source instances
- A public NAT gateway needs an Elastic IP address associated when it is created
- Remember to update the private subnets' route tables so 0.0.0.0/0 points to the NAT gateway
- No need to disable source/destination checks
- More secure than a NAT instance: no OS, no SSH access, and no instance for an attacker to compromise
Network ACL's
- A VPC automatically comes with a default network ACL that allows all inbound and outbound traffic
- You can create custom network ACLs; a new custom network ACL denies all inbound and outbound traffic until you add rules
- Each subnet in VPC must be associated with a network ACL, uses default ACL by default
- You can associate network ACL with multiple subnets, however subnet can only associate with one ACL at a time
- Adding subnet to a second ACL will automatically remove it from the previous ACL
- Network ACL contains numbered list of rules that is evaluated in order, starting with lowest number
- Network ACL always have separate inbound and outbound rules
- Network ACLs are stateless: return traffic must be explicitly allowed by the rules in the other direction (typically an allow for the ephemeral port range 1024-65535)
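Two properties of network ACLs cause most outages and most accidental exposure: rules are evaluated in ascending number order with the first match winning, and the ACL is stateless, so a server's reply is checked against the outbound rules on its own. The added example below (not from the original post) is a small evaluator that shows both: an outbound rule that mirrors port 443 silently breaks every HTTPS session, and a deny placed after a broader allow is never reached. Rules and addresses are constructed; ICMP type/code matching is omitted.

```python
"""Stateless network ACL evaluation: numbered rules, first match wins, and the
return half of a TCP connection needs its own explicit rule. Added example,
not from the original post; rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int        # rules are evaluated in ascending order
    protocol: str      # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination for outbound
    action: str        # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """Return 'allow' or 'deny' for one packet; the implicit '*' rule denies."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not rule.port_from <= port <= rule.port_to:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action    # first match wins; later rules are not consulted
    return "deny"


def tcp_session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A NACL is stateless: the client's SYN is checked against the inbound
    rules and the server's reply against the outbound rules, independently."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# Constructed rule sets for a subnet hosting an HTTPS service
INBOUND = [
    Rule(10, "tcp", 443, 443, "192.0.2.0/24", "deny"),     # blocklisted range
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Mistake: mirroring port 443 outbound. Replies go to the client's ephemeral
# port, so they never match this rule and the handshake never completes.
OUTBOUND_MIRRORED = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Correct: allow replies to the ephemeral port range clients use.
OUTBOUND_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Wrong ordering: the allow at 100 shadows the deny at 200 for the same range.
INBOUND_SHADOWED = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(200, "tcp", 443, 443, "192.0.2.0/24", "deny"),  # never reached
]


if __name__ == "__main__":
    client = "203.0.113.5"
    print("mirrored outbound :", tcp_session_allowed(INBOUND, OUTBOUND_MIRRORED, client, 51234, 443))
    print("ephemeral outbound:", tcp_session_allowed(INBOUND, OUTBOUND_EPHEMERAL, client, 51234, 443))
    print("blocklisted client:", evaluate(INBOUND, "tcp", 443, "192.0.2.9"))
    print("shadowed deny     :", evaluate(INBOUND_SHADOWED, "tcp", 443, "192.0.2.9"))
```

Number deny rules below the allows they are meant to carve out of, and leave gaps (10, 20, 100, 200) so later insertions do not force a renumbering.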
Others
- Think of VPC as logical datacenter in AWS
- Consists of IGW's (or virtual private gateways), route tables, NACL's, Subnets, Security Groups
- 1 subnet = 1 AZ: a subnet lives in exactly one Availability Zone (an AZ can hold many subnets)
- Security Groups are stateful; NACL's are Stateless
- NO TRANSITIVE PEERING
- VPC allows to provision a logically isolated section of the AWS cloud where user can launch AWS resources in a virtual network.
- VPC endpoints enable users to privately connect their VPC to services hosted on AWS without requiring an internet gateway, a NAT device, a VPN connection or firewall proxies.
- VPC endpoints are horizontally scalable and highly available virtual devices.
- Amazon VPC offers two different types of endpoints: gateway type endpoints and interface type endpoints.
- VPC supports the creation of an Internet gateway. This gateway enables EC2 instances in the VPC to directly access the Internet.
- An Internet gateway is horizontally-scaled, redundant & highly available. It imposes no bandwidth constraints.
- Users may use a third-party software VPN to create a site to site or remote access VPN connection with VPC via the Internet gateway.
- AWS supports Internet Protocol Security (IPSec) VPN connections.
- An internet gateway is not required to establish an AWS Site-to-Site VPN connection.
- Default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC are assigned /20 netblocks within the VPC CIDR range.
- Users can route traffic via the AWS Site-to-Site VPN connection and advertise the address range from their home network.
- Users can bring their public IPv4 addresses into AWS VPC and statically allocate them to subnets and EC2 instances.
- A VPC can have both IPv4 and IPv6 CIDR blocks associated to it.
- The minimum size of an IPv4 subnet is a /28 (16 addresses, of which AWS reserves 5, leaving 11 usable); the maximum is a /16.
- AWS reserves the first four IP addresses and the last IP address of every subnet: the network address, the VPC router, the DNS server, one address reserved for future use, and the broadcast address.
- An IP address assigned to a running instance can only be used again by another instance once that original running instance is in a 'terminated' state.
- Users can use VPC traffic mirroring and VPC flow logs features to monitor the network traffic in their AWS VPC.
- A subnet must reside within a single Availability Zone.
- The total number of network interfaces that can be attached to an EC2 instance depends on the instance type.
- Network interfaces can only be attached to instances residing in the same Availability Zone.
- Peering connections can be created with VPCs in different regions.
- Peered VPCs must have non-overlapping IP ranges.
- Edge-to-edge routing isn't supported: a peer VPC cannot use your internet gateway, NAT gateway, VPN or Direct Connect connection, or gateway endpoint to reach anything beyond your VPC.
- VPC peering connections do not require an Internet Gateway.
- Security groups cannot be referenced across an Inter-Region VPC Peering connection.
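The subnet sizing rules above (five reserved addresses, /16 to /28, subnets inside the VPC CIDR and not overlapping each other) are easy to get wrong when laying out a VPC by hand. The following added example (not from the original post) validates a planned layout and reports the usable address count per subnet; all CIDRs are constructed.

```python
"""Subnet sizing checks for a VPC: the five addresses AWS reserves in every
subnet, the /16../28 size limits, and non-overlapping placement inside the
VPC CIDR. Added example, not from the original post; CIDRs are constructed."""
import ipaddress

# Offsets into the subnet's address block and the role AWS assigns to each.
RESERVED_ROLES = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS resolver",
    3: "reserved by AWS for future use",
    -1: "network broadcast address (broadcast unsupported, address still reserved)",
}


def reserved_addresses(subnet_cidr):
    """Map each of the five reserved addresses of a subnet to its role."""
    net = ipaddress.ip_network(subnet_cidr)
    return {str(net[offset]): role for offset, role in RESERVED_ROLES.items()}


def usable_addresses(subnet_cidr):
    """Addresses assignable to network interfaces: block size minus the five reserved."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Validate a subnet layout against the VPC rules; return usable counts."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"VPC CIDR {vpc} must be between /16 and /28")
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for net in nets:
        if not 16 <= net.prefixlen <= 28:
            raise ValueError(f"subnet {net} must be between /16 and /28")
        if not net.subnet_of(vpc):
            raise ValueError(f"subnet {net} is not inside VPC CIDR {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return {str(n): usable_addresses(str(n)) for n in nets}


if __name__ == "__main__":
    for addr, role in reserved_addresses("10.0.1.0/24").items():
        print(f"{addr:<14} {role}")
    print(plan_subnets("10.0.0.0/16",
                       ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/28"]))
    try:
        plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.0.128/25"])
    except ValueError as err:
        print("rejected:", err)
```

The -5 is the number that matters when sizing subnets for large Auto Scaling groups or for interface endpoints, each of which consumes one address per AZ.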