Overview Flashcards
VPC: How is it used?
Create a virtual network in the cloud dedicated to your AWS account, where you can launch AWS resources
Amazon VPC is the networking layer of Amazon EC2
A VPC spans all the Availability Zones in the Region. After creating a VPC, you can add one or more subnets in each Availability Zone.
VPC key concepts
specify an IP address range
add subnets
associate security groups
configure route tables
public subnet for resources connected to the Internet
private subnet for resources that won’t be connected to the Internet.
To protect the AWS resources in each subnet, use security groups and network access control lists.
Expand your VPC by adding secondary IP ranges
Default VPC
If your account supports the EC2-VPC platform only, it comes with a default VPC that has a default subnet in each Availability Zone.
Your default VPC includes an Internet gateway, which allows your instances to communicate with the Internet
each default subnet is a public subnet.
Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address.
To allow an instance in your VPC to initiate outbound connections to the Internet, but prevent unsolicited inbound connections from the Internet, you can use a network address translation (NAT) device for IPv4 traffic.
You can optionally associate an Amazon-provided IPv6 CIDR block with your VPC and assign IPv6 addresses to your instances.
IPv6 traffic is separate from IPv4 traffic;
your route tables must include separate routes for IPv6 traffic.
Non-default VPC
You can create your own non-default VPC and configure it as you need. Subnets that you create in your non-default VPC and additional subnets that you create in your default VPC are called non-default subnets
Instances in a non-default subnet can communicate with each other, but can't access the Internet. You can enable Internet access for an instance launched into a non-default subnet by attaching an Internet gateway and associating an Elastic IP address with the instance.
By default, each instance that you launch into a non-default subnet has a private IPv4 address, but no public IPv4 address, unless you specifically assign one at launch or you modify the subnet's public IP addressing attribute.
To allow an instance in your VPC to initiate outbound connections to the Internet, but prevent unsolicited inbound connections from the Internet, you can use a network address translation (NAT) device for IPv4 traffic.
You can optionally associate an Amazon-provided IPv6 CIDR block with your VPC and assign IPv6 addresses to your instances. IPv6 traffic is separate from IPv4 traffic; your route tables must include separate routes for IPv6 traffic.
VPC: accessing a corporate or home network (VPN)
You can connect your VPC to your own corporate data center using an IPsec AWS managed VPN connection.
A VPN connection consists of:
1. A virtual private gateway (the VPN concentrator on the Amazon side of the VPN connection) attached to your VPC.
2. A customer gateway, which is a physical device or software appliance on your side of the VPN connection, located in your data center.
AWS Site-to-Site VPN connections can be moved from a virtual private gateway to an AWS Transit Gateway without having to make any changes on your customer gateway. Transit gateways enable you to easily scale connectivity across thousands of Amazon VPCs, AWS accounts, and on-premises networks.
VPC: AWS PrivateLink
AWS PrivateLink enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not require an Internet gateway, NAT device, public IP address, AWS Direct Connect connection, or VPN connection to communicate with the service. Traffic between your VPC and the service does not leave the Amazon network.
VPC Peering
You can create VPC peering connections between your VPCs, or with a VPC in another AWS account, and enable routing of traffic between the VPCs using private IP addresses. You cannot create a VPC peering connection between VPCs that have overlapping CIDR blocks.
Applications in an Amazon VPC can securely access AWS PrivateLink endpoints across VPC peering connections. The support of VPC peering by AWS PrivateLink makes it possible for customers to privately connect to a service, even if that service's endpoint resides in a different Amazon VPC that is connected using VPC peering.
AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections.
VPC use case scenarios
VPC with a single public subnet
VPC with public and private subnets (NAT)
VPC with public and private subnets, and AWS managed VPN access
VPC with a private subnet only and AWS managed VPN access
VPC: Subnets
● When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block (example: 10.0.0.0/16). This is the primary CIDR block for your VPC.
● You can add one or more subnets in each Availability Zone of your VPC’s region.
● You specify the CIDR block for a subnet, which is a subset of the VPC CIDR block.
● A CIDR block must not overlap with any existing CIDR block that’s associated with the VPC.
● Types of Subnets
○ Public Subnet - has an internet gateway
○ Private Subnet - doesn’t have an internet gateway
○ VPN-only Subnet - has a virtual private gateway instead
● IPv4 CIDR block size should be between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).
● The first four IP addresses and the last IP address in each subnet CIDR block are NOT available for you to use, and cannot be assigned to an instance.
● You cannot increase or decrease the size of an existing CIDR block.
● When you associate a CIDR block with your VPC, a route is automatically added to your VPC route tables to enable routing within the VPC (the destination is the CIDR block and the target is local).
● You have a limit on the number of CIDR blocks you can associate with a VPC and the number of routes you can add to a route table.
● The following rules apply when you add IPv4 CIDR blocks to a VPC that’s part of a VPC peering connection:
○ If the VPC peering connection is active, you can add CIDR blocks to a VPC provided they do not overlap with a CIDR block of the peer VPC.
○ If the VPC peering connection is pending-acceptance, the owner of the requester VPC cannot add any CIDR block to the VPC. Either the owner of the accepter VPC must accept the peering connection, or the owner of the requester VPC must delete the VPC peering connection request, add the CIDR block, and then request a new VPC peering connection.
○ If the VPC peering connection is pending-acceptance, the owner of the accepter VPC can add CIDR blocks to the VPC. If a secondary CIDR block overlaps with a CIDR block of the requester VPC, the VPC peering connection request fails and cannot be accepted.
● If you’re using AWS Direct Connect to connect to multiple VPCs through a direct connect gateway, the VPCs that are associated with the direct connect gateway must not have overlapping CIDR blocks.
● The CIDR block is ready for you to use when it’s in the associated state.
● You can disassociate a CIDR block that you’ve associated with your VPC; however, you cannot disassociate the primary CIDR block.
VPC: Subnet routing
● Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet.
● Every subnet that you create is automatically associated with the main route table for the VPC.
● You can change the association, and you can change the contents of the main route table.
● You can allow an instance in your VPC to initiate outbound connections to the internet over IPv4 but prevent unsolicited inbound connections from the internet using a NAT gateway or NAT instance.
● To initiate outbound-only communication to the internet over IPv6, you can use an egress-only internet gateway.
VPC: subnet security
● Security Groups — control inbound and outbound traffic for your instances
○ You can associate one or more (up to five) security groups to an instance in your VPC
○ If you don’t specify a security group, the instance automatically belongs to the default security group.
○ When you create a security group, it has no inbound rules. By default, it includes an outbound rule that allows all outbound traffic.
○ Security groups are associated with network interfaces.
● Network Access Control Lists — control inbound and outbound traffic for your subnets
○ Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate one, the subnet is automatically associated with the default network ACL.
○ You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time.
○ A network ACL contains a numbered list of rules that is evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
○ The default network ACL is configured to allow all traffic to flow in and out of the subnets to which it is associated.
○ For custom ACLs, you need to add a rule for ephemeral ports, usually with the range of 32768-65535. If you have a NAT Gateway, ELB or a Lambda function in a VPC, you need to allow the 1024-65535 port range.
● Flow logs — capture information about the IP traffic going to and from network interfaces in your VPC that is published to CloudWatch Logs.
● Flow logs can help you with a number of tasks, such as:
○ Diagnosing overly restrictive security group rules
○ Monitoring the traffic that is reaching your instance
○ Determining the direction of the traffic to and from the network interfaces
● Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.
● After you’ve created a flow log, it can take several minutes to begin collecting and publishing data to the chosen destinations. Flow logs do not capture real-time log streams for your network interfaces.
● VPC Flow Logs can be sent directly to an Amazon S3 bucket which allows you to retrieve and analyze these logs yourself.
● Amazon security groups and network ACLs don’t filter traffic to or from link-local addresses or AWS-reserved IPv4 addresses. Flow logs do not capture IP traffic to or from these addresses.
VPC: Security Groups vs NACLs
Security Groups:
Operate at the instance level
Support Allow rules only
Stateful: return traffic is automatically allowed, regardless of any rules
Evaluates all rules before deciding whether to allow traffic
Applies only to EC2 instances and similar services that use EC2 as the backend
NACLs:
Subnet Level
Allow rules and Deny rules
Stateless: return traffic must be explicitly allowed by rules
Rules are processed in number order when deciding whether to allow traffic
Automatically applies to all instances in the subnet it’s associated with
VPC NETWORKING COMPONENTS: Network Interfaces
Network Interfaces
○ a virtual network interface that can include:
■ a primary private IPv4 address
■ one or more secondary private IPv4 addresses
■ one Elastic IP address per private IPv4 address
■ one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
■ one or more IPv6 addresses
■ one or more security groups
■ a MAC address
■ a source/destination check flag
■ a description
○ Network interfaces can be attached to and detached from instances; however, you cannot detach a primary network interface.
VPC NETWORKING COMPONENTS: Route Tables
Route Tables
○ contains a set of rules, called routes, that are used to determine where network traffic is directed.
○ A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
VPC NETWORKING COMPONENTS: Internet Gateways
Internet Gateways
○ Allows communication between instances in your VPC and the internet.
○ Imposes no availability risks or bandwidth constraints on your network traffic.
○ Provides a target in your VPC route tables for internet-routable traffic, and performs network address translation for instances that have been assigned public IPv4 addresses.
○ The following table provides an overview of whether your VPC automatically comes with the components required for internet access over IPv4 or IPv6.
○ To enable access to or from the Internet for instances in a VPC subnet, you must do the following:
■ Attach an Internet Gateway to your VPC
■ Ensure that your subnet’s route table points to the Internet Gateway.
■ Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
■ Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance
● Egress-Only Internet Gateways
○ VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.
○ An egress-only Internet gateway is stateful.
○ You cannot associate a security group with an egress-only Internet gateway.
○ You can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.