VPC Flashcards
1
Q
IP Addresses in AWS
A
- IPv4 – Internet Protocol version 4 (4.3 Billion Addresses)
- Public IPv4 – can be used on the Internet
- EC2 instance gets a new public IP address every time you stop then start it (default)
- Private IPv4 – can be used on private networks (LAN) such as internal AWS networking (e.g., 192.168.1.1)
- Private IPv4 is fixed for EC2 Instances even if you start/stop them
- Elastic IP – allows you to attach a fixed public IPv4 address to an EC2 instance
- Note: has ongoing cost if not attached to an EC2 instance or if the EC2 instance is stopped
- IPv6 – Internet Protocol version 6 (3.4 × 10^38 Addresses)
- Every IP address is public (no private range)
- Example: 2001:db8:3333:4444:cccc:dddd:eeee:ffff
2
Q
VPC & Subnets Primer
A
- VPC - Virtual Private Cloud: private network to deploy your resources (regional resource)
- Subnets allow you to partition your network inside your VPC (Availability Zone resource)
* Tied to an AZ, network partition of the VPC
* A public subnet is a subnet that is accessible from the internet
* A private subnet is a subnet that is not accessible from the internet
* To define access to the internet and between subnets, we use Route Tables.
- A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location.
3
Q
Internet Gateway
A
- Internet Gateways help our VPC instances connect with the internet
- Public Subnets have a route to the internet gateway.
4
Q
NAT Gateways
A
- NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private
5
Q
Network ACL
A
- NACL (Network ACL)
- A firewall which controls traffic from and to subnet
- Can have ALLOW and DENY rules
- Are attached at the Subnet level
- Rules only include IP addresses
- It’s stateless: return traffic must be explicitly allowed by rules
- Rules are processed in order when deciding whether to allow traffic
- Automatically applies to all instances in the subnet it’s associated with (therefore, you don’t have to rely on users to specify the security group)
6
Q
Security Groups
A
- Security Groups
- A firewall that controls traffic to and from an ENI / an EC2 Instance
- Can have only ALLOW rules
- Rules include IP addresses and other security groups
- It’s stateful: return traffic is automatically allowed, regardless of any rules
- All rules are evaluated before deciding whether to allow traffic
- Applies to an instance only if someone specifies the security group when launching the instance or associates the security group with the instance later on
7
Q
VPC Flow Logs
A
- Capture information about IP traffic going into your interfaces:
* VPC Flow Logs
* Subnet Flow Logs
* Elastic Network Interface Flow Logs
- Helps to monitor & troubleshoot connectivity issues. Example:
* Subnets to internet
* Subnets to subnets
* Internet to subnets
- Captures network information from AWS managed interfaces too: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc…
- VPC Flow Logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
8
Q
VPC Peering
A
- Connect two VPCs privately using AWS’ network
- Make them behave as if they were in the same network
- Must not have overlapping CIDR (IP address range)
- VPC Peering connection is not transitive (must be established for each pair of VPCs that need to communicate with one another)
9
Q
VPC Endpoints
A
- Endpoints allow you to connect to AWS Services using a private network instead of the public network
- This gives you enhanced security and lower latency to access AWS services
- VPC Endpoint Gateway: S3 & DynamoDB
- VPC Endpoint Interface (ENI): the rest
10
Q
AWS PrivateLink
(VPC Endpoint Services)
A
- Privately connect to a service in a 3rd party VPC
- Most secure & scalable way to expose a service to 1000s of VPCs
- Does not require VPC peering, internet gateway, NAT, route tables…
- Requires a network load balancer (Service VPC) and ENI (Customer VPC)
11
Q
Site to Site VPN
A
- Connect an on-premises VPN to AWS
- The connection is automatically encrypted
- Goes over the public internet
- On-premises: must use a Customer Gateway (CGW)
- AWS: must use a Virtual Private Gateway (VGW)
12
Q
Direct Connect (DX)
A
- Establish a physical connection between on-premises and AWS
- The connection is private, secure and fast
- Goes over a private network
- Takes at least a month to establish
13
Q
AWS Client VPN
A
- Connect from your computer using OpenVPN to your private network in AWS and on-premises
- Allow you to connect to your EC2 instances over a private IP (just as if you were in the private VPC network)
- Goes over public Internet
14
Q
Transit Gateway
A
- For having transitive peering between thousands of VPCs and on-premises, hub-and-spoke (star) connection
- One single Gateway to provide this functionality
- Works with Direct Connect Gateway, VPN connections