Advanced VPC Networking Flashcards
What is a VPC Flow Log?
Feature allowing the monitoring of traffic flow to and from interfaces within a VPC.
Do VPC Flow Logs record the content of packets from traffic flowing through VPC interfaces?
No.
They capture PACKET METADATA, not the actual packet contents; if you want to capture actual packet contents, you need a packet sniffer/capture solution running on an EC2 instance or similar.
This metadata can be stored on S3 or CW Logs
What 3 places can VPC Flow Logs be placed?
VPC Level
Subnet Level
Interface Level
This is a top-down methodology, i.e. if you monitor at the VPC level, it monitors all subnets and interfaces too.
What is an Egress-only IGW?
Allows Outbound (and response) only access to the public AWS services and Public Internet for IPv6 enabled instances or other VPC based services.
SUMMARY:
Egress-Only IGW
→ With IPv6 - all IPs are public. With IPv4 you need a NAT GW + IGW to route from private to public resources. With IPv6 they are public by default.
○ IGW allows all IPs both IN and OUT; we are not using NAT with IPv6
○ The method for allowing connections OUT but no external connection IN is done via Egress-Only IGW (outbound only IPv6)
○ Summary: supports outgoing connections and the response, but not connections originating from the outside/public internet
What is a VPC GW Endpoint?
Type of VPC endpoint which allows private access to supported public services (which as of now are S3 and DynamoDB) without using public addressing.
Basically:
○ They allow a Private-Only resource inside a VPC to access S3 or Dynamo DB
or
○ They allow any resource inside a Private-Only VPC to access S3 or Dynamo DB
** You can do this WITHOUT the need for public IPs, IGW and NAT GW **
SUMMARY:
VPC GW Endpoint
→ Gateway endpoints add ‘prefix lists’ to the route table, allowing the VPC router to direct traffic flow to the public services via the gateway endpoint
○ The TARGET for the entry would be the GW endpoint
○ The destination would be the Prefix List
○ Basically, the private endpoint will use the Prefix List as a “way out” to the public services
→ With the GW Endpoint, you just set which subnets are going to be using it and it will automatically configure those routes within the route table for those subnets with this prefix list
What are the 2 main use cases for VPC Gateway Endpoint?
- You have a private VPC and you want that VPC to access public resources - S3 or Dynamo DB
- You want to prevent “leaky buckets” – S3 buckets can be set to PRIVATE-only but allow access only from a respective GW Endpoint. This is an added layer of segmentation/security because now you don’t have to give the bucket public access or have it be accessible publicly.
VPC GW Endpoint Flow
→ Not using an Endpoint GW:
○ If traffic is in a public zone, it goes out the VPC Router to the outside resource
○ If it’s in a private VPC, it goes to the NAT GW and then through the VPC GW to the outside resource
→ Using an Endpoint GW:
○ Any traffic within the designated subnets (assigned to the Endpoint GW) is covered by that prefix list and has a route to the public service (either S3 or Dynamo DB)
○ No public addresses or NAT’ing is needed – no IGW or NAT GW, just the VPC Router
What is a VPC Interface Endpoint?
Just like GW Endpoints, Interface Endpoints also provide private access to AWS public services.
The difference is that they provide access to ALL services except S3 and DDB, i.e. you would use a GW Endpoint for those.
Are GW and Interface EP’s configured with HA by default?
Yes for GW EP’s.
No for Int EP’s - They are not HA by default like GW Endpoints – they are specific interfaces (ENI) inside a VPC that get added to specific subnets within the same VPC.
Interface Endpoint = ENI w/ private IP address that has access to the public service. Traffic goes out this interface to the publicly hosted resources.
Can an INT EP support IPv6?
No – only supports TCP and IPv4
REVIEW:
INT EP Flow
→ Instead of Prefix Lists (which is how traffic flows from the specified VPC subnets to the GW endpoint), Int EP’s primarily use DNS.
→ When a private instance is trying to connect to an external/public service via the endpoint’s specific DNS name, it will resolve that name to the Int EP’s private IP address
** The INT EP is a private interface to the service that it’s configured for; for example (SNS) **
○ Traffic can then flow via the INT EP to the service without needing any public addressing
○ It makes it seem like the service has been injected directly into the private VPC
SUMMARY:
GW EP’s v INT EP’s
→ GW EP’s work using PREFIX LISTS and ROUTE TABLES so the app never needs to change. The app thinks it’s directly connected to the external services (S3 and Dynamo DB only).
§ Instead of going the usual way via the IGW + NAT GW, it goes via the GW EP and doesn’t require any public IP addressing
→ INT EP’s work by using DNS + ENI w/ Private IP
§ Can use endpoint-specific DNS names or you can enable private DNS; hits all other AWS resources except DDB and S3
What is VPC Peering?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
Instances in either VPC can communicate with each other as if they are within the same network.