Section 6: Virtual Private Cloud (VPC) Flashcards

1
Q

Virtual Private Cloud - Intro

A
  • Logically isolated portion of the AWS Cloud.
  • Lets you deploy AWS resources into your own private network space.
  • Control over the networking environment: address ranges, subnets, routing configuration, security groups, and how you firewall your instances and subnets.
  • Various technologies to connect VPCs to each other and to on-premises data centers.

Lesson 87

2
Q

AWS Global Infrastructure

A
  • Region: a physical location in the world; Regions are independent of (and geographically distant from) each other. There are over 26 Regions in the world, connected via a high-bandwidth, fully redundant network. Each Region contains 2 or more AZs.
  • Availability Zone: one or more data centers within a Region. Think of it as a cluster of data centers, with redundant power sources and redundant networking.
  • Local Zones: extend Regions closer to end-users, placing AWS services closer to where they are consumed.

Use cases: (1) Single-digit ms latency to end-users / apps.

  • AWS Outposts: extend some AWS services into your on-prem data center. Run some AWS services on dedicated hardware within your own data center.

Use cases: (1) AWS services on-prem; (2) AWS APIs on-prem.

  • AWS Wavelength Zone: extend AWS services via a telecom provider's 5G network to your end-users.

Use cases: (1) Single-digit ms latency to mobile devices/users; (2) Live video, ML, Augmented Reality/VR.

  • Amazon CloudFront: Content Delivery Network (CDN) service, built from Regional Edge Caches and Edge Locations. There are 13+ Regional Edge Caches and 400+ Edge Locations.

Lesson 88

3
Q

IPv4 Addressing Primer

A
  • What is an IPv4 address: a 32-bit address, written as four dotted-decimal octets (e.g. 192.168.0.1), that identifies a host on a network so computers can communicate. DNS takes a friendly name (e.g. example.com) and translates it to an IP address.

Lesson 89

4
Q

Networks and Hosts

A

192.168.0.1 with subnet mask 255.255.255.0

Network = 192.168.0 (the first three octets, where the mask bits are 1)
Host = 1 (the last octet, where the mask bits are 0)

Subnet mask (used to define which bits are the network and which are the host) - 255.255.255.0, written /24 in CIDR notation.

Lesson 89

5
Q

Classes of IP addresses

A
  • Class A (first octet 1-126, default mask 255.0.0.0 or /8): private range 10.0.0.0/8, e.g. 10.0.0.0.
  • Class B (first octet 128-191, default mask 255.255.0.0 or /16): private range 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), e.g. 172.16.0.0.
  • Class C (first octet 192-223, default mask 255.255.255.0 or /24): private range 192.168.0.0/16, e.g. 192.168.0.0.

The three examples are the RFC 1918 private ranges, one from each class; these are the ranges used inside a VPC.

Lesson 89

6
Q

Classless Interdomain Routing (CIDR)

A

Variable length subnet masks (VLSM): instead of the fixed class boundaries (/8, /16, /24), CIDR writes the mask as a prefix length after the address (e.g. 10.0.0.0/16 = 16 network bits, 16 host bits), so the network/host split can fall on any bit and blocks can be carved to the size you need.

Lesson 89

7
Q

Amazon VPC (Good) Overview

A
  • A VPC is a logically isolated portion of the AWS Cloud within a Region.
  • Subnets are created within AZs (each subnet lives in exactly one AZ).
  • The VPC router takes care of routing within the VPC and to destinations outside the VPC.
  • Route tables are used to configure the VPC router; each subnet is associated with one route table.
  • An Internet Gateway is attached to a VPC and used to connect to the Internet. Egress - out to the Internet. Ingress - in from the Internet.

+++++++++++
- You can create multiple VPCs within a Region: the default quota is 5 per Region, and you can request an increase.
- Each VPC has a CIDR block (VPC_A = 10.0.0.0/16; VPC_B = 10.1.0.0/16).
- Each subnet has a block of IP addresses taken from the VPC's CIDR block.

Lesson 90

8
Q

VPC Components (Study)

A
  • Virtual Private Cloud (VPC) - a logically isolated virtual network in the AWS Cloud.
  • Subnet - a segment of a VPC's IP address range where you can place groups of isolated resources.
  • Internet Gateway / Egress-only Internet Gateway - the Amazon VPC side of a connection to the public Internet for IPv4/IPv6. The Egress-only Internet Gateway is for IPv6 only: it allows outbound connections from the VPC but blocks connections initiated from the Internet.
  • Router - Routers interconnect subnets and direct traffic between Internet Gateways, Virtual Private Gateways, NAT Gateways, and subnets.
  • Peering Connection - Direct (non-transitive) private connection between two VPCs.
  • VPC endpoints - Private connection to public AWS services without traversing the Internet.
  • NAT instance - Enables Internet access for EC2 instances in private subnets (managed by you).
  • NAT Gateway - Enables Internet access for EC2 instances in private subnets (managed by AWS).
  • Virtual Private Gateway - the Amazon VPC side of a Virtual Private Network (VPN) connection.
  • Customer Gateway - Customer side of a VPN connection.
  • AWS Direct Connect - High speed, high bandwidth, private network connection from customer to AWS.
  • Security Group - instance-level firewall; stateful (return traffic for an allowed flow is permitted automatically), allow rules only.
  • Network ACL - subnet-level firewall; stateless (return traffic must be allowed explicitly), numbered allow and deny rules.
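The practical difference between the last two components is statefulness. The following toy model is an added example for this page, not AWS code: it evaluates one HTTPS request and its reply against a security group and a network ACL, using constructed addresses (10.0.1.10 for the instance, 203.0.113.5 and 198.51.100.7 for remote hosts) and a simplified, hypothetical rule syntax. It shows why a NACL needs an outbound rule for ephemeral ports (1024-65535) that a security group never needs, and that only the NACL can deny a source range.

```python
"""Toy model of the two VPC firewalls: a stateful security group (SG) and a
stateless network ACL (NACL).  Constructed example, not AWS code; rule
syntax and addresses are simplified and hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int        # source port (0 for icmp)
    dport: int        # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny" (SG rules are always "allow")
    proto: str        # "tcp", "udp", "icmp" or "all"
    cidr: str         # remote address range
    ports: tuple      # (low, high) inclusive; (0, 65535) for "all"

    def matches(self, proto, remote_ip, port):
        return ((self.proto == "all" or self.proto == proto)
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.ports[0] <= port <= self.ports[1])


class SecurityGroup:
    """Instance level and stateful: only allow rules exist, and the reply half
    of any allowed flow is permitted by connection tracking."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # (proto, local_ip, local_port, remote_ip, remote_port)

    def allow_inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self._flows:                  # reply to a tracked outbound flow
            return True
        if any(r.matches(pkt.proto, pkt.src, pkt.dport) for r in self.inbound):
            self._flows.add(key)
            return True
        return False

    def allow_outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._flows:                  # reply to a tracked inbound flow
            return True
        if any(r.matches(pkt.proto, pkt.dst, pkt.dport) for r in self.outbound):
            self._flows.add(key)
            return True
        return False


class NetworkAcl:
    """Subnet level and stateless: numbered allow/deny rules, lowest number
    first, first match wins, implicit deny at the end.  No connection
    tracking, so reply traffic must be allowed explicitly."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r[0])     # (number, Rule)
        self.outbound = sorted(outbound, key=lambda r: r[0])

    @staticmethod
    def _evaluate(rules, proto, remote, port):
        for _, rule in rules:
            if rule.matches(proto, remote, port):
                return rule.action == "allow"
        return False                            # the trailing "*" deny rule

    def allow_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.proto, pkt.src, pkt.dport)

    def allow_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.proto, pkt.dst, pkt.dport)


ANY = "0.0.0.0/0"
HTTPS_IN = Rule("allow", "tcp", ANY, (443, 443))
EPHEMERAL_OUT = Rule("allow", "tcp", ANY, (1024, 65535))

# Correct NACL: replies to HTTPS clients go back to ephemeral destination ports.
ACL_OK = NetworkAcl(inbound=[(100, HTTPS_IN)], outbound=[(100, EPHEMERAL_OUT)])
# Common mistake: outbound mirrors the inbound port, so every reply is dropped.
ACL_NO_EPHEMERAL = NetworkAcl(inbound=[(100, HTTPS_IN)],
                              outbound=[(100, Rule("allow", "tcp", ANY, (443, 443)))])
# A NACL can deny a source range (lower number wins); a security group cannot.
ACL_DENY_SOURCE = NetworkAcl(
    inbound=[(90, Rule("deny", "all", "203.0.113.0/24", (0, 65535))), (100, HTTPS_IN)],
    outbound=[(100, EPHEMERAL_OUT)])


def https_exchange(acl):
    """One HTTPS request/reply between a client and a web instance at
    10.0.1.10 (constructed addresses), evaluated by an SG and by `acl`."""
    sg = SecurityGroup(inbound=[HTTPS_IN], outbound=[])   # no outbound rules on purpose
    request = Packet("203.0.113.5", "10.0.1.10", "tcp", 51234, 443)
    reply = Packet("10.0.1.10", "203.0.113.5", "tcp", 443, 51234)
    fresh = Packet("10.0.1.10", "198.51.100.7", "tcp", 40000, 80)  # instance-initiated
    return {
        "request_sg": sg.allow_inbound(request),
        "request_acl": acl.allow_inbound(request),
        "reply_sg": sg.allow_outbound(reply),           # tracked flow: allowed without an outbound rule
        "reply_acl": acl.allow_outbound(reply),
        "fresh_outbound_sg": sg.allow_outbound(fresh),  # not a reply: blocked by the empty outbound set
    }
```

`https_exchange(ACL_OK)` allows everything except the instance-initiated connection, while `https_exchange(ACL_NO_EPHEMERAL)` shows the reply passing the security group but being dropped by the NACL; this is the usual cause of "security group looks right but nothing connects" when custom NACLs are in play.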

Lesson 90

9
Q

CIDR Block Rules and Guidelines

A
  • The IPv4 CIDR block size can be between /16 (65,536 addresses) and /28 (16 addresses).
  • An additional CIDR block must not overlap with any existing CIDR block that's associated with the VPC.
  • You cannot increase or decrease the size of an existing CIDR block (you can add secondary blocks or create a new VPC instead).
  • In each subnet the first four and the last IP address are reserved by AWS (network address, VPC router, DNS, future use, broadcast) and are not available for use.
  • AWS recommend you use CIDR blocks from the RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

Lesson 91

10
Q

CIDR Block Considerations

A
  • Ensure you have enough networks (subnets) and hosts.
  • Bigger CIDR blocks are typically better (more flexibility to add subnets later).
  • Smaller subnets are OK for most use cases (you don't need thousands of instances per subnet).
  • Consider deploying application tiers per subnet (e.g. a different subnet for each tier of a 3-tier application), so tiers can be segmented with NACLs and route tables.
  • Split your HA resources across subnets in different AZs.
  • VPC Peering requires non-overlapping CIDR blocks. NOTE: this applies across all VPCs in all Regions / accounts you want to connect.
  • AVOID OVERLAPPING CIDR BLOCKS as much as possible!
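The rules and considerations on the last two cards (and the network/host split from the Networks and Hosts card) are easy to check mechanically. The script below is an added example for this page, not an AWS tool or course material; it uses only Python's standard `ipaddress` module. The VPC CIDR 10.0.0.0/16, the tier names and the AZ names in the usage are constructed inputs.

```python
"""VPC CIDR planning helpers.  Constructed example for this page, not an AWS
tool; it encodes the rules on the cards above: IPv4 VPC blocks of /16 to /28,
RFC 1918 ranges recommended, five reserved addresses per subnet, one subnet
per application tier per AZ, and no overlap with VPCs you may peer with."""
from ipaddress import IPv4Network

RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]
RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, reserved for future use, broadcast


def validate_vpc_cidr(cidr):
    """Return a list of problems with a proposed VPC CIDR (empty = acceptable)."""
    problems = []
    try:
        net = IPv4Network(cidr)
    except ValueError:                       # host bits set, e.g. 10.0.0.5/16
        net = IPv4Network(cidr, strict=False)
        problems.append(f"{cidr} is not a network address; did you mean {net}?")
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 to /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not in an RFC 1918 range (allowed, but not recommended)")
    return problems


def usable_hosts(subnet):
    """Addresses you can actually assign in a subnet after AWS's reservations."""
    return IPv4Network(subnet).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, tiers, azs, subnet_prefix=24):
    """Carve one subnet per (tier, AZ) pair from the VPC block, in order, so
    HA resources land in different AZs and tiers are separable by NACL."""
    vpc = IPv4Network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    needed = len(tiers) * len(azs)
    if len(candidates) < needed:
        raise ValueError(f"{vpc} holds only {len(candidates)} /{subnet_prefix} subnets, need {needed}")
    pool = iter(candidates)
    return {(tier, az): next(pool) for tier in tiers for az in azs}


def overlaps_existing(candidate, existing):
    """CIDRs among `existing` that overlap `candidate`; any hit blocks peering."""
    c = IPv4Network(candidate)
    return [str(e) for e in map(IPv4Network, existing) if c.overlaps(e)]


if __name__ == "__main__":
    # Constructed inputs: a /16 VPC, a 3-tier app, two AZs, two existing VPCs.
    print(validate_vpc_cidr("10.0.0.0/16"))                                # []
    print(usable_hosts("10.0.1.0/24"))                                     # 251
    for key, subnet in plan_subnets("10.0.0.0/16", ["web", "app", "db"],
                                    ["us-east-1a", "us-east-1b"]).items():
        print(key, subnet, usable_hosts(subnet))
    print(overlaps_existing("10.0.0.0/16", ["10.1.0.0/16", "10.0.128.0/17"]))  # ['10.0.128.0/17']
```

Run `overlaps_existing` against the CIDRs of every VPC in every account and Region you might ever peer with, not just the ones in the current account; the page's warning about overlapping blocks is about future connectivity, and a clash found after workloads are deployed means renumbering.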

Lesson 91

11
Q

Helpful CIDR Block Tool

A
12
Q

VPC Peering

A

Fill

Lesson 97

13
Q

VPC [HOL]

A

Success: ping one instance to the other using private IP address.

  1. Create VPC
  2. Create Peering Connection
  3. Create Security Group
  4. Update Route Table
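The four lab steps above, and the VPC Peering card before them, as code. This is an added example for this page, not the course's lab script. It uses the two CIDRs from the VPC overview card (10.0.0.0/16 and 10.1.0.0/16); `main()` needs boto3 and AWS credentials and creates real resources in your account, while the helpers above it are pure and run offline. Peering connection IDs like `pcx-0123` in the usage are hypothetical. Launching the two instances and running the ping is left to the lab.

```python
"""VPC peering hands-on as code.  Constructed example for this page, not the
course's own lab script.  main() needs boto3 and AWS credentials; the helper
functions are pure and can be exercised offline."""
from ipaddress import IPv4Network

VPC_A_CIDR = "10.0.0.0/16"   # values from the VPC overview card
VPC_B_CIDR = "10.1.0.0/16"


def peering_routes(pcx_id, cidr_a, cidr_b):
    """Route entry each side needs: the peer's CIDR via the peering connection.
    Both sides are required; a route on only one side sends packets that can
    never come back.  Overlapping blocks cannot be peered at all."""
    a, b = IPv4Network(cidr_a), IPv4Network(cidr_b)
    if a.overlaps(b):
        raise ValueError(f"{a} and {b} overlap; peering needs disjoint CIDRs")
    return {
        "a": {"DestinationCidrBlock": str(b), "VpcPeeringConnectionId": pcx_id},
        "b": {"DestinationCidrBlock": str(a), "VpcPeeringConnectionId": pcx_id},
    }


def icmp_echo_from(peer_cidr):
    """Security-group ingress permission for ICMP echo request (type 8) from
    the peer VPC's range only, not 0.0.0.0/0.  For ICMP the EC2 API reuses
    FromPort/ToPort as type/code; ToPort -1 means any code."""
    return {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
            "IpRanges": [{"CidrIp": str(IPv4Network(peer_cidr))}]}


def main_route_table(ec2, vpc_id):
    """ID of the VPC's main route table (the one new subnets inherit)."""
    resp = ec2.describe_route_tables(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "association.main", "Values": ["true"]},
    ])
    return resp["RouteTables"][0]["RouteTableId"]


def main(region="us-east-1"):
    import boto3   # imported here so the pure helpers work without the SDK installed
    ec2 = boto3.client("ec2", region_name=region)

    # 1. Create the two VPCs.
    vpc_a = ec2.create_vpc(CidrBlock=VPC_A_CIDR)["Vpc"]["VpcId"]
    vpc_b = ec2.create_vpc(CidrBlock=VPC_B_CIDR)["Vpc"]["VpcId"]

    # 2. Request and accept the peering connection (same account, same Region).
    pcx = ec2.create_vpc_peering_connection(VpcId=vpc_a, PeerVpcId=vpc_b)
    pcx_id = pcx["VpcPeeringConnection"]["VpcPeeringConnectionId"]
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)

    # 3. Security group in each VPC that admits ping only from the peer's CIDR.
    for vpc_id, peer_cidr in ((vpc_a, VPC_B_CIDR), (vpc_b, VPC_A_CIDR)):
        sg = ec2.create_security_group(GroupName="icmp-from-peer",
                                       Description="ICMP echo from peered VPC only",
                                       VpcId=vpc_id)["GroupId"]
        ec2.authorize_security_group_ingress(GroupId=sg,
                                             IpPermissions=[icmp_echo_from(peer_cidr)])

    # 4. Route to the peer in BOTH main route tables.
    routes = peering_routes(pcx_id, VPC_A_CIDR, VPC_B_CIDR)
    ec2.create_route(RouteTableId=main_route_table(ec2, vpc_a), **routes["a"])
    ec2.create_route(RouteTableId=main_route_table(ec2, vpc_b), **routes["b"])
    return pcx_id


if __name__ == "__main__":
    print(peering_routes("pcx-0123", VPC_A_CIDR, VPC_B_CIDR))
    print(main())
```

Two points a practitioner checks after the lab: the security group admits ICMP from the peer CIDR only (the lab's "create security group" step is often done with 0.0.0.0/0, which is wider than needed), and the route exists on both sides. Peering is non-transitive, so a third VPC peered with VPC_A still cannot reach VPC_B through it.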

Lesson 98

14
Q

VPC Interface Endpoint

A

An EC2 instance connects to public AWS services using a private IP address, without the traffic leaving the VPC.

  • An ENI (elastic network interface) with a private IP is created within the subnet.
  • Each interface endpoint connects to one of many AWS services (e.g. API Gateway, AWS CloudFormation, AWS CodeDeploy, Amazon CloudWatch, etc).
  • Or you can connect to a service powered by AWS PrivateLink.

Lesson 99

15
Q

VPC Gateway Endpoint

A

Temp

Lesson 99
