Advanced VPC Networking Flashcards
VPC Flow Logs
Flow logs capture metadata (not content) from the capture point down:
attached to a VPC: all ENIs in that VPC
attached to a subnet: all ENIs in that subnet
Flow logs can capture metadata for accepted, rejected, or all traffic
Not real time
Valid destinations for VPC Flow Logs
S3 or CloudWatch Logs
Why would you use Athena with S3?
To query flow logs stored in S3 using a SQL-like query language
Egress-Only Internet Gateway
Egress-Only is outbound-only for IPv6
Allows resources with public IPv6 addresses outbound-only access to the public internet
without allowing externally initiated (inbound) connections
VPC Endpoints : Gateway Endpoints
Provide private access to public AWS services such as S3 and DynamoDB
A prefix list is added to the route table, pointing at the gateway endpoint
Highly available (HA) across all AZs in a region by default
Endpoint Policy
Used to control what resources the endpoint can access
You can apply an endpoint policy to a gateway endpoint and only allow it to connect to a particular subset of S3 buckets
What type of service is a VPC gateway endpoint: regional or public?
Regional; it can't access cross-region services
Limitation of VPC gateway endpoints?
They are only accessible from inside the VPC in which they were created
How can gateway endpoints prevent leaky buckets?
S3 buckets can be made private by allowing access ONLY from a gateway endpoint
S3 buckets can be locked down by creating a bucket policy and applying it to that bucket; the bucket policy can be configured to only accept operations coming from a specific gateway endpoint,
and because S3 is private by default, anything else is implicitly denied
VPC Endpoint: Interface Endpoint
Provide private access to public AWS services
Can be used with anything that is not DynamoDB (DDB)
Added to a specific subnet as an ENI; not HA on its own
How can you design HA for your interface endpoints?
Add one endpoint, in one subnet, per AZ used in the VPC
How can you restrict access with interface endpoints?
Network access can be controlled via security groups
Endpoint policies restrict what can be done with the endpoint
Limitations of interface endpoints?
Only support TCP, and only IPv4
How do interface endpoints operate in the backend?
PrivateLink is how interface endpoints operate; it is also how you can deploy third-party
applications or services directly into your VPC
Explain how DNS is used with interface endpoints
When you create an interface endpoint in a particular region for a particular service, you get a new, endpoint-specific DNS name for that service
e.g. vpce-123-xyz.sns.us-east-1.vpce.amazonaws.com for the SNS service inside a region