Module 10 - Networking 2 Flashcards
How can you connect VPCs without routing through the public internet?
Use a VPC endpoint.
What is a VPC endpoint? Why would you use it?
A virtual device entry point in your VPC that enables you to connect privately to a service. Instances in your VPC do not require public IP addresses. Like a secret tunnel where you don’t have to leave the AWS network.
Eliminates the need for an internet gateway (IGW), NAT device, VPN, or Direct Connect connection.
What kinds of VPC endpoints are there?
Gateway endpoint - a gateway that you specify as a target for a route in your route table. Supports only Amazon S3 and DynamoDB. Free!
Interface endpoint (powered by AWS PrivateLink) - an elastic network interface (ENI) with a PRIVATE IP address from the IP address range of your subnet. You can connect to services powered by PrivateLink. (Costs $). Supports MANY AWS services.
Gateway Load Balancer endpoint (powered by AWS PrivateLink)
What is AWS PrivateLink?
Provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet.
How can VPCs communicate even if they are in different AWS accounts?
Use a VPC Peering connection. There can only be one peering resource between any two VPCs. NO transitive peering relationships. No overlapping CIDR blocks.
How do you set up a VPC peering connection?
The owner of the requester VPC (or local VPC) sends a request to the owner of the peer VPC. The peer VPC's CIDR block cannot overlap with the requester VPC's CIDR block.
Once accepted, add a route to one or more of your VPC’s route tables that points to the IP address range of the peer VPC. (And the peer does the same).
What is a full mesh network design?
When each VPC connects to every other VPC in the organization.
What if I want to connect to multiple VPCs using an on-prem VPN or with full mesh peering?
You could have a zillion connections, but it is easier to use Direct Connect. Direct Connect is a network service that provides an alternative to using the Internet to reach AWS cloud services.
What is a Transit Gateway?
It's a managed service that works like a cloud router to simplify your network architecture. Traffic between a VPC and a Transit Gateway stays on the AWS private network, never on the open internet. Protects against DDoS and other attacks.
Operates at Layer 3.
If I am using a Transit Gateway, how do I keep track of all the connections?
Use Transit Gateway Network Manager. You use it to monitor connections and identify issues in your network.
How do you connect to a Transit Gateway from on-prem?
VPN connections and Direct Connect gateways.
What can you connect to a Transit Gateway?
- One or more VPCs
- One or more VPN connections
- One or more Direct Connect gateways
- One or more transit gateway peering connections (in a different region)
How can you set up a low-latency connection between on-prem and AWS resources?
AWS Site-to-Site VPN connection.
How is a Site-to-Site VPN Connection set up?
It has 2 VPN tunnels between a virtual private gateway (or a transit gateway) on the AWS side, and a customer gateway on the on-premises side.
The tunnels end in different AZs.
You can choose static or dynamic routing for the VPN.
Supports IPsec VPN connections.
How do you initiate the Site-to-Site VPN connection?
Your customer gateway device must bring up the tunnels for your AWS Site-to-Site VPN connection by generating traffic and initiating the Internet Key Exchange (IKE) negotiation process. When you create a customer gateway, you provide information about your device to AWS.