Amazon Virtual Private Cloud (VPC) Flashcards
VPC
Virtual Private Cloud
logically isolated virtual network in the AWS cloud
a VPC is a virtual network dedicated to your AWS account
Analogous to having your own Data Center (DC) inside AWS
logically isolated from other virtual networks in the AWS Cloud
provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways
you can launch your AWS resources, such as Amazon EC2 instances, into your VPC
When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16
VPC spans all the availability zones in the region
you have full control over who has access to the AWS resources inside your VPC
by default you can create up to 5 VPCs per region
a default VPC is created in each region with a subnet in each AZ
you can create a VPC; it is an isolated area in which you create resources (private to you and under your control)
Coordinate with a router through a route table
You can create multiple VPCs; each VPC has a different CIDR block
Subnet
Subnets are created within AZs
segment of a VPC’s IP address range where you can place groups of isolated resources
Internet Gateway or Egress-only Internet Gateway
the Amazon VPC side of a connection to the public internet for IPv4/IPv6
Router
routers interconnect subnets and direct traffic between internet gateways, virtual private gateways, NAT gateways, and subnets
Peering Connection
direct connection between two VPCs; you can send data between the two directly
only between 2 VPCs though; for connecting more, you can use AWS Transit Gateway
VPC Endpoints
private connection to public AWS services
NAT Instance
NAT = network address translation
enables internet access for EC2 instances in private subnets (managed by you)
managed by you (e.g. software updates)
you create the EC2 instance and make it a NAT instance
scale up (instance type) manually and use enhanced networking
no high availability - scripted/auto-scaled HA possible using multiple NATs in multiple subnets
need to assign Security Group
Can use as a bastion host
use an Elastic IP address or a public IP address with a NAT instance
can implement port forwarding through manual customization
NAT Gateway
NAT = network address translation
enables internet access for EC2 instances in private subnets (managed by AWS)
best solution in most cases vs. NAT Instance
managed by AWS
Elastic scalability up to 45 Gbps
Provides automatic high availability within an AZ and can be placed in multiple AZs
no Security Groups
Cannot access through SSH
Choose the Elastic IP address to associate with a NAT gateway at creation
Does not support port forwarding
Virtual Private Gateway
the Amazon VPC side of a Virtual Private Network (VPN) connection
Customer Gateway
customer side of a VPN connection
AWS Direct Connect
High speed, high bandwidth, private network connection from customer to AWS
Security Group
instance-level firewall
acts as a virtual firewall for your instance to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance
Security groups are stateful meaning that if traffic is allowed in one direction, the return traffic is automatically allowed regardless of whether there is a matching rule for the traffic.
operates at the instance (interface) level
supports allow rules only; can’t make deny rules
stateful (server is required to maintain the current state and session information)
evaluates all rules
applies to an instance only if associated with a group
Network ACL
subnet-level firewall
an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Network ACLs operate at the subnet level, not at the availability zone level.
operates at the subnet level
supports allow and deny rules
stateless (server and client are loosely coupled and can act independently)
processes rules in order
automatically applies to all instances in the subnets it is associated with
Internet Protocol (IP) Address: Public IP Address
Internet Protocol (IP) Address (3 total): lost when the instance is stopped; used in public subnets; no charge; associated with private IP addresses on the instance; cannot be moved between instances
Internet Protocol (IP) Address: Private IP Address
Internet Protocol (IP) Address (3 total): retained when the instance is stopped; used in public and private subnets