S.A.A CH3 Flashcards

1
Q

CH3
PG84

VPC?

Amazon VPC?

Subnet - 1?

A

VPC = With Amazon VPC you can have the app and the database tiers running on a private subnet in the same VPC
• You can have some of the applications running in the cloud within a VPC and some of the applications running on premises
• You can create a public subnet by providing it with Internet access, and you can keep resources isolated from the Internet by creating a private subnet
• You can have dedicated connectivity between your corporate data center and your VPC by using Direct Connect. You can also connect your data center using a hardware virtual private network via an encrypted IPsec connection.
• If you need more than one VPC, you can create multiple VPCs and connect them to each other with VPC peering. This is the way you share resources across multiple VPCs and accounts
• You can connect to resources such as S3 using a VPC endpoint

Amazon VPC = The first step in creating a VPC is deciding the IP range by providing a Classless Inter-Domain Routing (CIDR) block.

Subnet = short for subnetwork, which is a logical subdivision of an IP network. With a VPC you can create various subnets as per your needs. The most common ones are public subnets, private subnets and VPN-only subnets. Public subnets are for resources that need to be connected to the Internet. Private subnets are for resources that do not. A VPN-only subnet is for when you want to connect your virtual private cloud with your corporate data center.

2
Q

CH3
PG84

Subnet - 2?

A

Subnet = in a VPC you define a subnet using a CIDR block. The smallest subnet you can create within a VPC is /28, which corresponds to 16 available IP addresses. If you use IPv6 and create a subnet using /64 as the CIDR block, you get a very large number of IP addresses
• Note that a subnet is tied to only one Availability Zone. You cannot have a subnet span multiple AZs; however, a VPC can span multiple AZs in a region
• If you have 3 AZs in a VPC, for example, you need to create a separate subnet in each AZ, such as Subnet 1 for AZ1, Subnet 2 for AZ2 and Subnet 3 for AZ3. Of course, within an AZ you can have multiple subnets
• Subnets are AZ specific. For multiple AZs, create multiple subnets
• VPCs are region specific. For multiple regions, create different VPCs

3
Q

CH3
PG84

Subnet - 3?

A

Subnet = When creating a VPC you need to provide a CIDR block for the IP address range of the VPC. It can be as big as /16, which can have 65,536 IP addresses. When creating multiple subnets, you must take into account the CIDR block of the VPC. Say you create the VPC with /16 and within the VPC you create 3 subnets with /18, which has 16,384 IP addresses each. By doing this you have used up 49,152 IP addresses. Now you only have 65,536 - 49,152 IP addresses left for creating new subnets. At this point you won't be able to create a new subnet with /17, which has 32,768 IP addresses; however, you should be able to create new subnets between /19 and /28. If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap. There are lots of tools

4
Q

CH3
PG88

Route table?

Internet Gateway?

A

Route table = Every subnet should have a route table. For example, if a subnet of a VPC has an Internet gateway in its route table, that subnet has access to the Internet. You can associate multiple subnets with the same route table. Whenever you create a subnet it is automatically associated with the main route table of the VPC. Thus a route with a destination of, say, 0.0.0.0/0 for all IPv4 addresses won't cater for the destination. If you later add a virtual private gateway, Internet gateway, NAT device or anything like that to your VPC, you must update the route table accordingly so that any subnet that wants to use these gateways can take advantage of them and has a route defined for them. If you look at the routing table, you will notice there are only two columns: Destination and Target. The target is where the traffic is directed, and the destination specifies the IP range that can be directed to the target. As shown in Table 3-2, the first two entries are local, which indicates internal routing within the VPC for the IPv4 and IPv6 CIDR blocks.

Internet Gateway = note that an IG is a horizontally scaled, redundant and highly available component in a VPC. An IG supports both IPv4 and IPv6 traffic.

5
Q

CH3
PG90

Network Address Translation?

NAT instances?

NAT Gateways?

Egress-Only Internet Gateway?

A

Network Address Translation = (NAT) tries to solve that problem. Using a NAT device you can enable any instance in a private subnet to connect to the Internet, but this does not mean the Internet can initiate a connection to the instance. The reverse is not true. A NAT device forwards traffic from the instances in the private subnet to the Internet and then sends the response back to the instances. When traffic goes to the Internet, the source IPv4 address is replaced with the NAT device's address; similarly, when the response traffic goes to those instances, the NAT device translates the address back to those instances' private IPv4 addresses. This is another reason why it is called address translation. Please note that NAT devices can be used only for IPv4 traffic; they can't be used for IPv6. There are two types of NAT devices available within AWS: NAT instances and NAT gateways

NAT instances = you run a NAT instance in the public subnet and route the database server's Internet traffic via the NAT instance running in the public subnet. By doing that, the database server will be able to initiate connections to the Internet, but the reverse is not allowed (meaning no one will be able to connect to the database server from the Internet using the NAT)

6
Q

CH3
PG90

NAT Gateways?

Egress-Only Internet Gateway?

A

NAT Gateways = a NAT gateway performs the same function as a NAT instance, but it does not have the same limitations as a NAT instance. Moreover, it is a managed service and therefore does not require administration overhead. If you want to use the same elastic IP address for a NAT gateway, you need to disassociate it first from the NAT instance and then re-associate it with the NAT gateway.

Egress-Only Internet Gateway = the only difference is that a NAT gateway handles IPv4 traffic and an egress-only Internet gateway handles IPv6 traffic. When you use an egress-only Internet gateway, you put an entry for the egress-only Internet gateway in the routing table

7
Q

CH3
PG93

Elastic Network Interface?

Elastic IP address?

Security Group?

A

Elastic Network Interface = an ENI is a virtual network interface that you can attach to an instance in an Amazon VPC. An ENI can have the following attributes:
• A MAC address
• One public IPv4 address
• One or more IPv6 addresses
• A primary private IPv4 address
• One or more secondary private IPv4 addresses
• One elastic IP address (IPv4) per private IPv4 address
• One or more security groups
• A source/destination check flag and description

An ENI's attributes follow it when it is attached to an instance.

Elastic IP address = an EIP is designed for applications running in the cloud. Every time you launch a new EC2 instance in AWS, it gets a new IP address. Instead of changing the IP address for all applications every time, what you need to do is obtain an EIP, associate it with the EC2 instance and map the EIP to the application. Now whenever the IP address of the EC2 instance changes, you just need to repoint the new EC2 instance to the EIP, and applications can connect using the same EIP.
• Please note that at this time an EIP supports only IPv4 and does not support IPv6
• When you disassociate an EIP and don't re-associate it with any other resource, it remains in your account until you explicitly release it from your account

8
Q

CH3
PG95

Security Group?

A

Security Group = is like a virtual firewall that can be assigned to any instance running in a virtual private cloud. A security group defines what traffic can flow in and out of a particular instance. Since it is instance specific, you can have different security groups for different instances. The security group is applied at the instance level and not at the subnet level. Therefore, even within a subnet, you can have different security groups for different instances. You can attach up to five different security groups to each instance. Each security group is stateful and consists of rules based on IP addresses.
• Security groups are stateful. This means if you send a request from your instance, the response traffic is allowed, and vice versa
• The only exception is security groups
• Amazon VPC always comes with a default security group

10
Q

CH3 Gateways

NAT Gateway?

AWS Private Link?

Customer Gateway/Virtual Private Gateway?

Direct Connect ?

A

NAT Gateway - you cannot route traffic to a NAT gateway through a VPC peering connection, Site-to-Site VPN connection, or Direct Connect. You can't have overlapping CIDR ranges. You don't need transitive information

AWS PrivateLink - for sharing services between different VPCs across AWS accounts when you don't want traffic to travel over the Internet

A) Customer Gateway/Virtual Private Gateway -

  • One virtual private gateway per VPC*********
  • Border Gateway Protocol (BGP) or static routes
  • Redundant IPsec tunnels
  • Redundant routers across two AZs
  • Can connect multiple customer on-premises sites to one virtual private gateway, up to 8 sites.

B) Direct Connect - the virtual private gateway is the router on the Amazon side of the Direct Connect connection

  • Is a global resource
  • Connects (associates) up to 10 virtual private gateways globally and cross-account
  • Has one BGP peering per Direct Connect gateway per Direct Connect connection
  • Allows north-south traffic flow; does not permit VPC-to-VPC connectivity
    • Can be associated with a virtual private gateway or a transit gateway
11
Q

CH3

Customer Gateway?

Direct Connect?

A

Customer Gateway -

  • Physical or software appliance you manage on premises.
  • Redundant IPsec tunnels - automatic failover; configure both tunnels of the customer gateway
  • Each tunnel contains an Internet Key Exchange (IKE) security association, an IPsec security association, and a BGP peering

Direct Connect -

12
Q

CH3

Transit Gateway and Direct Connect?

Local Gateway?

A

Transit Gateway and Direct Connect:

  • It has attachments - the connection from an Amazon VPC, a VPN, Direct Connect, or a Connect attachment to a transit gateway
  • Association - the route table used to route packets coming from an attachment (from Amazon VPC and VPN)
  • Propagation - the route table where the attachment's routes are installed
  • Up to 20 route tables
  • Is a regional resource that resides outside of a VPC
  • Connects VPCs and on-premises networks through a central hub
  • Simplifies networking by acting as a regional virtual router
  • Encrypts data automatically

Local Gateway -

  • Industry-standard 42U rack. One local gateway per Outpost. The Outpost provides the target
  • Fully assembled, ready to be rolled into its final position
  • Installed by AWS, plugged into the power and network
  • Centralized redundant power conversion unit and DC distribution system for higher reliability, energy efficiency and easier serviceability
    • Redundant active components including top-of-rack switches and hot spare hosts
13
Q

CH3

Summary:

Regional?

Global?

Local?

A

Regional:

  • Virtual Private gateway
  • Transit gateway
  • Internet gateway
  • NAT gateway

Global:

  • Direct Connect gateway

Local

  • Customer gateway
  • Local gateway
14
Q

CH3

Summary:

Route tables

A

Route tables are attached to the following:

  • Virtual Private gateway
  • Internet gateway
  • Transit gateway

Scenarios:

VPN

  • Customer gateway
  • Virtual private gateway
  • Can be attached to a transit gateway

Direct Connect

  • Can use virtual private gateway only
  • Can use direct connect gateway and a virtual private gateway
  • Can use direct connect gateway and a transit gateway
15
Q

CH3

Summary Scenario Continued:

A

Connecting VPC
