Advanced VPC Flashcards
What is VPC Peering?
o It allows direct communication between VPCs
o Obtained through an AWS service called Peering Connection (a network gateway object)
o Services can communicate using private IPs from VPC to VPC, through the definition of Route Tables (going through the Peering Connection)
o VPC peers can span AWS Accounts and Regions
o Data is encrypted and transits via the AWS global backbone (much better performance than via Internet)
o VPC Peers are used to link 2 VPCs at Layer 3 for company mergers, shared services, company-and-vendor links, and auditing.
What are the limitations of VPC Peering?
o VPC CIDR blocks cannot overlap
o VPC peers connect 2 VPCs, but routing is not transitive: routes are required at both sides
o Access control can be managed via NACLs and SGs
o SGs can be referenced, but not cross-region
o IPv6 support is not available cross-region
o DNS resolution to private IPs can be enabled, but it is a setting needed at both sides
What are VPC Endpoints (and what are the 2 types)?
o VPC Endpoints are gateway objects created within a VPC, used to connect to AWS public services without the need for the VPC to have an attached internet gateway and be public. 2 types:
o (1) Gateway endpoints: Can be used for DynamoDB and S3
o (2) Interface endpoints: Can be used for everything else (SNS, SQS, …)
o When to use them:
    If the entire VPC is private with no IGW
    If a specific instance has no public IP/NATGW and needs to access public services
    To access resources restricted to specific VPCs or endpoints (private S3 buckets)
What are the main limitations and considerations for VPC Endpoints?
o Gateway endpoints are used via route table entries – they are gateway devices. Prefix lists for a service are used in the destination field with the gateway as the target
o Gateway endpoints can be restricted via policies
o Gateway endpoints are Highly Available across AZs in a Region
o Interface endpoints are interfaces in a specific subnet. For High Availability, you need to add multiple interfaces (one per AZ)
o Interface endpoints are controlled via SGs on that interface. NACLs also impact traffic
o Interface endpoints add or replace the DNS for the service – no route table updates are required
o Code changes are required to use the endpoint DNS, or enable private DNS to override the default service DNS
How does IPv6 work within AWS?
o IPv6 is supported within AWS, but not across every product and feature
o It is “opt-in” at VPC creation phase, disabled by default
o To use it:
    Request an IPv6 allocation – each VPC is allocated a /56 CIDR from the AWS pool, which cannot be adjusted
    Subnets can then be allocated a /64 CIDR from within the /56 range
    Resources launched into a subnet with an IPv6 range can be allocated an IPv6 address via DHCP6
What are the main limitations and considerations of IPv6?
o DNS Names are not allocated to IPv6 addresses
o IPv6 addresses are all publicly routable – no concept of private vs public, unlike IPv4
o With IPv6, the OS is configured with this public address via DHCP6
o No Elastic IPs for IPv6 (not required, given the high number of available IPs)
o Not currently supported for VPNs, Customer Gateways, VPC endpoints
What is the Egress-only Internet Gateway?
o It provides IPv6 instances with outgoing access to public internet via IPv6, but prevents the instances from being accessed from the internet
o NAT is not required with IPv6, so NATGWs are not compatible with IPv6
o Architecturally, it behaves like an IGW