VPC Flashcards
CIDR
Classless Inter-Domain Routing.
They help to define an IP address range.
CIDR has two components
WW.XX.YY.ZZ/32
The base IP (WW.XX.YY.ZZ)
The base IP represents an IP contained in the range.
The Subnet Mask (/32)
The subnet mask defines how many bits of the IP can change.
IMP
Your VPC CIDR should not overlap with your other networks (ex: corporate).
CIDRs should not overlap, and the max CIDR size in AWS is /16.
Important info about Subnets
1) AWS reserves 5 IP addresses (the first 4 and the last 1) in each Subnet. (Imp pt.)
2) Those 5 IPs cannot be assigned to an instance; they are reserved by AWS.
3) Ex: if the CIDR block is 10.0.0.0/24, the reserved IPs are:
10.0.0.0: Network address
10.0.0.1: Reserved by AWS for the VPC router
10.0.0.2: Reserved by AWS for mapping to Amazon-provided DNS
10.0.0.3: Reserved by AWS for future use
10.0.0.255: Network broadcast address.
4) Exam Tip:
• If you need 29 IP addresses for EC2 instances, you can’t choose a Subnet of size /27 (32 IP)
• You need at least 64 IP, Subnet size /26 (64-5 = 59 > 29, but 32-5 = 27 < 29)
Internet Gateways (IGW)
1) Helps VPC instances connect to the internet (requires editing the Route table).
2) 1 IGW/VPC
3) Acts as the NAT for IPv4 instances.
NAT Gateway
1) AWS managed NAT Instance (used by instances in a private subnet to connect to the internet).
2) AZ specific, uses Elastic IP
3) Flow for an instance in a private subnet connecting to the internet: Private Subnet => NAT => IGW.
4) Autoscales within an AZ.
5) NAT Gateway is resilient within a single AZ.
6) For fault tolerance -> Create multiple NAT in Multiple AZ.
NACL (Network Access Control List)
1) Subnet Level
2) Stateless, i.e. no connection state is kept, so both inbound and outbound traffic are checked against the rules.
3) Firewall for the subnet.
4) 1 NACL / subnet
5) Great way of blocking a specific IP at the subnet level.
NaCl vs Security Groups (Important)
Refer to slide number 655 in SAA course Slides
VPC Peering
1) Connects two VPCs privately using the AWS network.
2) Two VPCs that are peered must not have overlapping CIDRs.
3) Update the route tables in the VPC subnets for instances to communicate.
4) Possible for VPCs in the same account, in another account, or across regions (inter-region).
5) VPC peering is not transitive (each pair of VPCs must be peered separately).
VPC Endpoints
1) Lets instances inside a VPC connect to AWS services over a private network.
2) No need for a NAT or IGW for the connection.
3) Interface endpoint (ENI): most AWS services.
4) Gateway endpoint (a target used in the route table): S3 & DynamoDB. (IMP)
These two services have a VPC Gateway Endpoint (remember it); all the other ones have an Interface endpoint (powered by PrivateLink, meaning a private IP).
In case of any connectivity issues (VPC & AWS services):
• Check the DNS resolution setting in your VPC
• Check Route Tables
Flow Logs
1) Logs at VPC, Subnet, and ENI levels.
2) Helps in monitoring traffic and troubleshooting
3) Logs can be stored in S3 or CloudWatch Logs.
4) Also captures info from other AWS services.
5) Can be used for analytics on usage patterns or to spot malicious behavior.
6) Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights.
7) VPC Flow Logs is a VPC feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC
Bastion Host
1) Used to SSH into your private instances.
2) The host sits in a public subnet and acts as a reverse proxy for connecting to the private subnets.
3) Bastion Host security group must be tightened.
4) Exam Tip: Make sure the bastion host only has port 22 traffic from the IP you need, not from the security groups of your other instances.
Site-to-Site VPN (see the figure in slide 667 for better understanding)
1) Connects the VPC to the corporate data center using a VPN connection.
2) Attach a Virtual Private Gateway (VGW) to the VPC and a Customer Gateway to the corporate data center.
3)
Direct Connect
1) Dedicated private connection from the remote network to the VPC.
2) Set up a VGW on the VPC side to allow the Direct Connect connection to reach resources inside the VPC.
3) Access public and private resources on the same connection.
4) See diagram in slide 670
5) Also useful for connecting more than one VPC located in different regions for the same account.
6) Dedicated Connection -> 1 Gbps to 10 Gbps capacity
7) Hosted Connection -> 50 Mbps, 500 Mbps, up to 10 Gbps capacity.
8) Takes more than 1 month to establish a connection.
9) Data is not encrypted by default, but the connection is private.
10) An encryption layer can be added.
11) High availability can be configured.
12) Direct connect is not over the public internet.
Egress Only Internet Gateway
1) Gives internet access to IPv6 instances (egress only).
AWS PrivateLink
1) Most secure and scalable way to expose a service in one VPC to other VPCs.
2) Requires an NLB on the service side and an ENI on the consumer side to connect.
3) Allows you to expose a private application to other AWS customers without making the application public to the Internet and without making a VPC Peering connection.