Module 7: Create a networking env Flashcards
Reminder on AWS Physical infrastructure
Servers in racks in data center. Every rack has network routers and switch to route traffic.
Data centers grouped in AZ.
AZ grouped in regions and connected with 0.001-9 second latency network.
Region inter connected with 0.01-9 second latency
Reminder on Virtual networks
A virtual network emulates a phyisical one with switches, firewall, and load balacer. It comes on top of the physical network.
A VPC is logically or Phiysically isolated?
Logically
Name two services designed to operate in a VPC
EC2 and RDS
Name two services operating outside a customer VPC
Lambda and CloudWatch
Why should you build a new VPC for production environment ?
Because the default VPC already has connectivity conifgurations, You should configure your own depending on your configuration
How do you size a VPC ?
By allocating a range of IP
What is another name for a range of IP.
A CIDR block
What is a CIDR block?
It’s a Classeless Inter-Domain Routing. In other words, a range of IP
Is the size of the VPC easy to modify ?
No, this is why it’s important to assess the size correctly.
Min and Max size of an IPv4 VPC ?
Min of 16 IP adresses (/28)
Max of 65536 IP adresses (/16)
What is the dual stack configuraion for a VPC ?
Includes both IPv4 and IPv6 domains
What tool can I use to manage my adresses more easily ?
The IP address manager (IPAM)
Why opt for IPv6?
More adresses and also often better performance because IPV4 doesn’t do NAT
What should I be careful with when sizing a VPC with IPv4?
The cost because each IP is billed by the hour whether attached to a service or not.
What is a subnet ?
It’s a division of a VPC. They are linked to AZ. It’s also a segment of the range of IP in the VPC.
Can subnet CIDR block overlap ?
No
Are all IP in a subnet freely available to the customer?
No Amazon reserves 5 for its usage.
1. Network Adress
2. VPC local Router
3. DNS resolution
4. Future use (Undefined yet)
last. Network broadcast address
Two types of subnet
Public or Pricate depending on how accessible they are.
What should I consider for making ressources accessible through the internet ?
A subnet with an internet Gateway
How to configure my VPC to send traffic to the internet?
Create a public VPC with a public subnet route table
What is an elastic IP address ?
An IP address that can migrate from an EC2 to another. The IP stays the same.
While a private IP is released when the instance is terminated, the elastic IP stays.
First is free but additional incur charges.
Cost and elastic IPs?
The first one is free but if detached and not reattach there is an hourly fee.
Additional Elastic IP are at cost.
What can elastic IP link to ?
Load balancer, VPC network interface, or EC2
If you don’t want your ressource to be accessible from the internet?
Create a private subnet
What is best practie about route tables and subnet?
To define custom route table for every subnet
What are NAT useful for ?
If you don’t want to expose your Ip to the internet a NAT will replace the IP with its own.
Can IPV4 do NAT?
No this is also why an internet gateway can be used
Sometime a ressource in a private subnet may need access to the internet. How to do that?
Use a NAT device hosted in another public subnet that will be linked to the private subnet through the private subnet route.
What are the options for setting up a NAT device ?
NAT gateway provided by AWS, or setup your own NAT device in an EC2 instance.
Note: When using multiple AZ create a gateway for each AZ for better resilience
What about IPv6 if a private subnet wants to access the internet?
Setup an Egress only internet gateway that allows outbound but no inbound
Should I place web app in a private or public subnet
Amazon recommands private with load balancer in front. Except if the environment requires a public subnet.
Recall in your mind the proper security layer between the client application and the EC2
1.Secure network protocol (TLS or HTTPS)
2. Internet Gateway
3. Route table
4. ACL
5.Subnet layer
6.Security group layer
What is the differnce between a security group and an access Control list ?
The security group will prevent you to enter a building quite like having a key to open a door.
An ACL will let you in if you are the right person.
Security group = do you have the Key
The security group controls the ressource
ACL = Does the doorman know you. The ACL controls the subnet.
A security group is statefull, meaning that if inbound traffic allowed, outbound allowed as well by default.
An ACL is stateless inbound and outbound must be explicitely stated.
Security groups only specifies allow
ACL specifes allow and deny
What additional safety can be added to the network ?
A firewall, when dealing with sensitive data. It’s a buffer to ensure that the incoming traffic is not malicious. It’s deplyoed in a specific firewall subnet.
The route will point to the firewall instead.
Other option is to use a bastion host. A server providing maintenance access to the private subnet. You host it in a public subnet and allow access to it through IAM policies and sec group. and only link it to the private subnet.
How do I best connect to managed AWS services ?
Through the use of an interface VPC endpoint
How to set up the interface VPC endpoint?
Choose the service, choose the VPC in the service, then the subnet and specify the security group
What other type of endpoint exists and what is it used for ?
Gateway VPC endpoints to connect to S3 or Dynamo DB. The diff is that there is no AWS Privatelink like for interface VPC.
Interface VPC endpoints vs gateway VPC endpoints
Gateway need a public IP, and interface a private one.
Basically interface is more secure but costs and limits perf.
While gateway is less secure but free and no limitation on perf.
How do I monitor the traffic in my VPC?
With VPC flow logs
What type of traffic do I monitor in my VPC flow log ?
All traffic, accepted traffic or rejected traffic
What service may work well in conjunction with the flow logs ?
Amazon Cloudwatch, but can also be exported to a S3 and be analysed there through Athena for example.
Amazon Kinesis data firehose can also deliver logs to Amazon Open search dashboard or third party solutions like Spunk
Can all users acces the logs ?
No. attach a role to an IAM user with the appropriate permissions
Additional tools for VPC monitoring ?
Reachability analyzer
Network Access Analyzer
Traffic mirroring
Well architected: How to make the network RELIABLE?
Ensure IP subnet allocation accounts for expansion and availability.
(do not forget the 5 reserved ip by subnet, be careful of services having to provision additional IP, plan carefully)
Well architected: How to make the network SECURE?
Create network layers: Group services sharing the same security requirements in a layer with the proper security rules
control traffic at all layers: Combine ACL, Security groups…
Inspect and Protect: VPC network Acces analyzer
Well architected: How to make the network EFFICIENT?
Understand how networking impact performance.
Evaluate available networking features
Choose network protocol to improve perf: Do not use TCP for all but also consider UDP for real time data
What Network protocol for real time data?
UDP
What network protocol for critical data?
TCP because more reliable
Well architected: How to make the network COST OPTIMIZED?
Choose the region accordingly
How do you create a public subnet ?
Create an internet gateway.
Create a route table.
Add a route to the route table that directs 0.0.0.0/0 traffic to the internet gateway.
Associate the route table with a subnet, which becomes a public subnet.
