Virtual Private Cloud (VPC) Flashcards
What does CIDR stand for?
Classless Inter-Domain Routing
a method for allocating IP addresses
CIDR - Classless Inter-Domain Routing
A CIDR consists of two components
Base IP
Subnet Mask
- Represents an IP contained in the range (XX.XX.XX.XX)
- Example: 10.0.0.0, 192.168.0.0, …
Base IP
- Defines how many bits can change in the IP
- Example: /0, /24, /32
- Can take two forms:
- /8 => 255.0.0.0
- /16 => 255.255.0.0
- /24 => 255.255.255.0
- /32 => 255.255.255.255
Subnet Mask
Fixes the leading bits of the base IP and lets the remaining bits vary, which defines how many addresses the range contains
CIDR - The Subnet Mask
New EC2 instances are launched into the default VPC if no ______ is specified
subnet
Default VPC has Internet connectivity and all EC2 instances inside it have public ________ addresses
IPv4
In the default VPC, new EC2 instances also get a public and a private ____________ name
IPv4 DNS
Can you have multiple VPCs in an AWS region?
YES (max. 5 per region – soft limit)
Max. CIDR per VPC is ______ , for each CIDR:
* Min. size is
* Max. size is
5
/28 (16 IP addresses)
/16 (65536 IP addresses)
Because VPC is private, only the ________ ranges are allowed:
* 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
* 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
* 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
Private IPv4
Your VPC CIDR should ________ overlap with your other networks
NOT
AWS reserves ______ IP addresses (first 4 & last 1) in each subnet
5
These 5 IP addresses are __________ for use and can’t be assigned to an EC2 instance
not available
What does IGW stand for?
Internet Gateway
- Allows resources (e.g., EC2 instances) in a VPC to connect to the Internet
- It scales horizontally and is highly available and redundant
- Must be created separately from a VPC
- One VPC can only be attached to one IGW and vice versa
Internet Gateway (IGW)
Internet Gateways on their own __________ allow Internet access
do not
We can use a ________ to SSH into our private EC2 instances
Bastion Host
The bastion is in the _______ which is then connected to all other ___________
public subnet
private subnets
Bastion Host security group must allow inbound from the internet on _________ from restricted CIDR, for example the public CIDR of your corporation
port 22
Security Group of the EC2 Instances must allow the Security Group of the Bastion Host, or the __________ of the Bastion host
private IP
What does NAT stand for?
Network Address Translation
- Allows EC2 instances in private subnets to connect to the Internet
- Must be launched in a public subnet
- Must disable EC2 setting: Source / Destination Check
- Must have an Elastic IP attached to it
- Route Tables must be configured to route traffic from private subnets to the NAT Instance
NAT Instance
- AWS-managed NAT, higher bandwidth, high availability, no administration
- Pay per hour for usage and bandwidth
- NATGW is created in a specific Availability Zone, uses an Elastic IP
- Can’t be used by EC2 instance in the same subnet (only from other subnets)
- Requires an IGW (Private Subnet => NATGW => IGW)
- 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
- No Security Groups to manage / required
NAT Gateway
NAT Gateway is resilient within a ___________
single Availability Zone
NAT Gateway with High Availability - Must create __________ in multiple AZs for fault-tolerance
multiple NAT Gateways
There is no cross-AZ failover needed because if an AZ goes down it _______
doesn’t need NAT
Availability
Highly available within AZ (create in another AZ)
NAT Gateway
Bandwidth
Up to 45 Gbps
NAT Gateway
Maintenance
Managed by AWS
NAT Gateway
Cost
Per hour & amount of data transferred
NAT Gateway
Availability
Use a script to manage failover between instances
NAT Instance
Bandwidth
Depends on EC2 instance type
NAT Instance
Maintenance
Managed by you (e.g., software, OS patches, …)
NAT Instance
Cost
Per hour, EC2 instance type and size, + network $
NAT Instance
Public IPv4 - Yes
NAT Gateway
Public IPv4 - Yes
NAT Instance
Private IPv4 - Yes
NAT Gateway
Private IPv4 - Yes
NAT Instance
Security Group - No
NAT Gateway
Security Group - Yes
NAT Instance
Use as Bastion Host - No
NAT Gateway
Use as Bastion Host - Yes
NAT Instance
What does NACL stand for?
Network Access Control List
NACLs are like a firewall that controls traffic to and from subnets
Network Access Control List (NACL)
One NACL per ________, new subnets are assigned the ________
subnet
Default NACL
- Rules have a number (1-32766), higher precedence with a lower number
- First rule match will drive the decision
- Example: if you define #100 ALLOW 10.0.0.10/32 and #200 DENY 10.0.0.10/32, the IP address will be allowed because 100 has a higher precedence over 200
- The last rule is an asterisk (*) and denies a request in case of no rule match
- AWS recommends adding rules by increment of 100
NACL Rules
Newly created NACLs will ________ everything
deny
NACLs are a great way of __________?
blocking a specific IP address at the subnet level
Accepts everything inbound/outbound with the subnets it’s associated with
Default NACL
Instead of modifying the default NACL, you want to _______?
create custom NACLs
- For any two endpoints to establish a connection, they must use ports
- Clients connect to a defined port, and expect a response on ________
- Different Operating Systems use different port ranges, examples:
- IANA & MS Windows 10 => 49152–65535
- Many Linux Kernels => 32768–60999
Ephemeral Ports
Security Group vs. NACLs
Operates at the instance level
Security Group
Security Group vs. NACLs
Supports allow rules only
Security Group
Security Group vs. NACLs
Stateful: return traffic is automatically allowed, regardless of any rules
Security Group
Security Group vs. NACLs
All rules are evaluated before deciding whether to allow traffic
Security Group
Security Group vs. NACLs
Applies to an EC2 instance only when explicitly assigned to it
Security Group
Security Group vs. NACLs
Operates at the subnet level
NACL
Security Group vs. NACLs
Supports allow rules and deny rules
NACL
Security Group vs. NACLs
Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)
NACL
Security Group vs. NACLs
Rules are evaluated in order (lowest to highest) when deciding whether to allow traffic, first match wins
NACL
Security Group vs. NACLs
Automatically applies to all EC2 instances in the subnet that it’s associated with
NACL
Privately connect two VPCs using AWS’ network
VPC Peering
Make them behave as if they were in the same network
VPC Peering
Must not have overlapping CIDRs
VPC Peering
Connection is NOT transitive
(must be established for each pair of VPCs that need to communicate with one another)
VPC Peering
You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other
VPC Peering
You can create VPC Peering connection between VPCs in different _____?
AWS accounts/regions
You can reference a security group in a peered VPC _______
(works cross accounts – same region)
Every AWS service is publicly exposed (public URL)
VPC Endpoints (AWS PrivateLink)
allows you to connect to AWS services using a private network instead of using the public Internet
VPC Endpoints (AWS PrivateLink)
They’re redundant and scale horizontally
VPC Endpoints (AWS PrivateLink)
They remove the need for an IGW, NATGW, … to access AWS services
VPC Endpoints (AWS PrivateLink)
In case of issues:
* Check DNS resolution settings in your VPC
* Check Route Tables
VPC Endpoints (AWS PrivateLink)
2 types of VPC Endpoints (AWS PrivateLink)
Interface Endpoints (powered by PrivateLink)
Gateway Endpoints
- Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
- Supports most AWS services
- $ per hour + $ per GB of data processed
Interface Endpoints (powered by PrivateLink)
- Provisions a gateway and must be used as a target in a route table (does not use security groups)
- Supports both S3 and DynamoDB
- Free
Gateway Endpoints
VPC Endpoints - ___________ is most likely going to be preferred all the time at the exam
Gateway
Preferred when access is required from on-premises (Site-to-Site VPN or Direct Connect), a different VPC or a different region
Interface Endpoint
2 ways for Lambda in VPC accessing DynamoDB
Option1: Access from the public internet
Option 2 (better & free): Access from the private VPC network
Because Lambda is in a VPC, it needs a NAT Gateway in a public subnet and an internet gateway
Option1: Access from the public internet
- Deploy a VPC Gateway endpoint for DynamoDB
- Change the Route Tables
Option 2 (better & free): Access from the private VPC network
- Capture information about IP traffic going into your interfaces:
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface (ENI) Flow Logs
- Helps to monitor & troubleshoot connectivity issues
- Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
- Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway…
VPC Flow Logs
- VPN concentrator on the AWS side of the VPN connection
- VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
- Possibility to customize the ASN (Autonomous System Number)
Virtual Private Gateway (VGW)
2 types of AWS Site-to-Site VPN
Virtual Private Gateway (VGW)
Customer Gateway (CGW)
Software application or physical device on customer side of the VPN connection
Customer Gateway (CGW)
Provide secure communication between multiple sites, if you have multiple VPN connections
AWS VPN CloudHub
Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only)
AWS VPN CloudHub
It’s a VPN connection so it goes over the public Internet
AWS VPN CloudHub
To set it up, connect multiple VPN connections on the same VGW, setup dynamic routing and configure route tables
AWS VPN CloudHub
Provides a dedicated private connection from a remote network to your VPC
Direct Connect (DX)
Dedicated connection must be setup between your ________ and AWS Direct Connect locations
DC
You need to set up a Virtual Private Gateway on your VPC
Direct Connect (DX)
Access public resources (S3) and private (EC2) on same connection
Direct Connect (DX)
Use Cases:
* Increase bandwidth throughput - working with large data sets – lower cost
* More consistent network experience - applications using real-time data feeds
* Hybrid Environments (on prem + cloud)
Direct Connect (DX)
Does Direct Connect (DX) support both IPv4 and IPv6?
YES
If you want to setup a Direct Connect to one or more VPC in many different regions (same account), you must use a __________?
Direct Connect Gateway
2 Direct Connect – Connection Types
Dedicated Connections
Hosted Connections
- 1 Gbps, 10 Gbps and 100 Gbps capacity
- Physical ethernet port dedicated to a customer
- Request made to AWS first, then completed by AWS Direct Connect Partners
Dedicated Connections
- 50 Mbps, 500 Mbps, to 10 Gbps
- Connection requests are made via AWS Direct Connect Partners
- Capacity can be added or removed on demand
- 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners
Hosted Connections
For a Direct Connect connection, lead times are often longer than __________ to establish a new connection
1 month
With Direct Connect, data in transit is _________ but is private
not encrypted
AWS Direct Connect + VPN provides an ________
IPsec-encrypted private connection
- For having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection
- Regional resource, can work cross-region
- Share cross-account using Resource Access Manager (RAM)
- You can peer this across regions
- Route Tables: limit which VPC can talk with other VPCs
- Works with Direct Connect Gateway, VPN connections
- Supports IP Multicast (not supported by any other AWS service)
Transit Gateway
Used for IPv6 only
Egress-only Internet Gateway
similar to a NAT Gateway but for IPv6
Egress-only Internet Gateway
Allows instances in your VPC to make outbound connections over IPv6 while preventing the Internet from initiating an IPv6 connection to your instances
Egress-only Internet Gateway
IP Range
CIDR
Virtual Private Cloud => we define a list of IPv4 & IPv6 CIDR
VPC
tied to an AZ, we define a CIDR
Subnets
at the VPC level, provide IPv4 & IPv6 Internet Access
Internet Gateway
must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints, …
Route Tables
public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets
Bastion Host
gives Internet access to EC2 instances in private subnets. Old, must be set up in a public subnet, disable Source / Destination check flag
NAT Instances
managed by AWS, provides scalable Internet access to private EC2 instances, IPv4 only
NAT Gateway
stateless, subnet rules for inbound and outbound, don’t forget Ephemeral Ports
NACL
stateful, operate at the EC2 instance level
Security Groups
connect two VPCs with non-overlapping CIDRs, non-transitive
VPC Peering
provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC
VPC Endpoints
can be setup at the VPC / Subnet / ENI Level, for ACCEPT and REJECT traffic, helps identifying attacks, analyze using Athena or CloudWatch Logs Insights
VPC Flow Logs
set up a Customer Gateway on DC, a Virtual Private Gateway on VPC, and site-to-site VPN over public Internet
Site-to-Site VPN
hub-and-spoke VPN model to connect your sites
AWS VPN CloudHub
set up a Virtual Private Gateway on VPC, and establish a direct private connection to an AWS Direct Connect Location
Direct Connect
set up a Direct Connect to many VPCs in different AWS regions
Direct Connect Gateway
- Connect services privately from your service VPC to customers VPC
- Doesn’t need VPC Peering, public Internet, NAT Gateway, Route Tables
- Must be used with Network Load Balancer & ENI
AWS PrivateLink / VPC Endpoint Services
connect EC2-Classic EC2 instances privately to your VPC
ClassicLink
transitive peering connections for VPC, VPN & DX
Transit Gateway
copy network traffic from ENIs for further analysis
Traffic Mirroring
like a NAT Gateway, but for IPv6
Egress-only Internet Gateway
Protect your entire Amazon VPC
AWS Network Firewall
From Layer 3 to Layer 7 protection
AWS Network Firewall
Any direction, you can inspect
* VPC to VPC traffic
* Outbound to internet
* Inbound from internet
* To/from Direct Connect & Site-to-Site VPN
AWS Network Firewall
Uses the AWS Gateway Load Balancer
AWS Network Firewall
Rules can be centrally managed cross-account by AWS Firewall Manager to apply to many ________?
VPCs
Supports 1000s of rules
* IP & port - example: 10,000s of IPs filtering
* Protocol – example: block the SMB protocol for outbound communications
* Stateful domain list rule groups: only allow outbound traffic to *.mycorp.com or third-party software repo
* General pattern matching using regex
AWS Network Firewall
Traffic filtering: Allow, drop, or alert for the traffic that matches the rules
AWS Network Firewall
Active flow inspection to protect against network threats with intrusion-prevention capabilities (like Gateway Load Balancer, but all managed by AWS)
AWS Network Firewall
AWS Network Firewall sends logs of rule matches to ___________? (3)
Amazon S3
CloudWatch Logs
Kinesis Data Firehose