VPC Flashcards
Regions
Separate physical locations in the world where AWS has cloud infrastructure
Each region consists of multiple AZs
There are many regions around the world
Regions are connected by the AWS global network
Networking across regions does not offer low latency; regions are usually far apart
Availability Zone
one or more data centers
each AZ has redundant power sources and networking (within and between AZ)
low latency between and within AZs
AZs can contain public and/or private subnets
AWS Outpost
Subset of AWS services (e.g. EC2) that can be run in a corporate data center that has connectivity to an AWS region
AWS Local Zone
Like an AZ in a metropolitan area, connected to a region, so that resources are closer to where you are and offer lower latency; more expensive than AZs
Offers increased performance for your app
AWS Wavelength Zone
For 5G and lower latency for mobile, with connectivity back to the region
Offers increased performance for your mobile app
CloudFront
Content delivery network where resources can be cached at locations around the world for better performance
allows for global deployment
Amazon Global Infrastructure
CloudFront
VPC
AZ
Region
How are IP addresses structured
4 decimal numbers, each representing a binary octet, separated by dots
What numbers do the bits represent in a binary octet
2^7=128
2^6=64
2^5=32
2^4=16
2^3=8
2^2=4
2^1=2
2^0=1
What is the Network ID of an IP
Represents the network, so each computer (host) on the network will have the same Network ID
What is the Host ID of an IP
Represents the unique host number for each host/computer on the network
What is the subnet mask of an IP address
give example
Used to define the network ID and host ID
If the subnet mask is 255.255.255.0, the network ID is the first 3 octets and the host ID is the last octet
What is the network id and subnet mask of 192.168.0.0/24
Explain
Network ID is 192.168.0.0
Subnet mask is 255.255.255.0
The /24 means the subnet mask has 24 network bits, which is 255.255.255.0
So the first 3 octets of the CIDR address are the network ID, with 0 appended as the host portion, giving 192.168.0.0
What are the private IP address ranges?
Who designates them?
10.0.0.0 - 10.255.255.255 (the 10 network)
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
These addresses are reserved for private use according to IETF RFC 1918
Not routable outside the private network, e.g. on the internet
What can you do with private IP addresses, what are constraints?
Use private IPs as internal IPs
VPC
Virtual Private Cloud
Logically isolated portion of the AWS cloud within a region
Each VPC has a unique CIDR block; subsets of it, again expressed in CIDR, are assigned to each subnet within the VPC
Spans all AZs in the region
Where do subnets live in AWS?
A subnet is configured in one AZ and can’t span AZs
VPC Router
How do we configure it?
Takes care of routing within and outside of the VPC
Interconnects subnets and directs traffic between Internet Gateways, Virtual Private Gateways, NAT Gateways and subnets
Configured via route tables
Route Table
Configures routing of traffic in and out of your VPC
Internet Gateway
How is it configured?
IGW: a VPC-attached connection to the public internet for IPv4
Only one per VPC, and it must be attached to the VPC
Used to connect to the internet
Need a route table entry with the IGW ID as the target
What is the default limit of VPCs per region
5
What is a subnet in the context of a VPC
A segment of a VPC’s IP address range (usually expressed in CIDR notation) where you can place groups of isolated resources
What components are within a VPC
Subnets
Internet Gateway
VPC Router/Route Table
Peering Connections
VPC Endpoints
NAT Instances
NAT Gateways
Virtual Private Gateways
Customer Gateway
AWS Direct Connect
Security Groups and Network ACLs
Peering Connection
Direct connection between 2 VPCs
NAT Instance
Enables Internet access for EC2 instances in private subnets
NAT Instances are managed by you
NAT Gateway
Enables Internet access for EC2 instances in private subnets
NGW is managed by AWS
Virtual Private Gateway
The VPC side of a VPN connection
Customer Gateway
The customer side of a VPN connection that is connected on the other end to AWS VPC
AWS Direct Connect
High-speed, high-bandwidth private network connection from the customer to AWS
Security Group
Instance level firewall controlling all network traffic to the instance
Stateful firewall: if inbound traffic is allowed, the return outbound traffic is allowed automatically
Network ACL
Subnet level firewall
Applies only to traffic entering and exiting the subnet (ingress and egress), not to traffic within the subnet
Stateless firewall: rules for both inbound and outbound must be configured to complete a request
Egress-only Internet Gateway
VPC connection to the public internet for IPv6 and only allows outbound traffic but not inbound
Default VPC
A default VPC is created in each region with a public subnet in each AZ
CIDR Block AWS Rules
- CIDR block size can be between /16 and /28
- CIDR Block must not overlap with an existing CIDR block associated with the VPC
- You cannot increase or decrease the size of an existing CIDR block
- The first four and the last IP addresses are not available for use
What CIDR blocks does AWS recommend?
RFC 1918 ranges
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Best practices for mapping/planning a network (e.g. CIDRs)
- Bigger CIDR blocks for a VPC are typically better because they give more flexibility
- Smaller subnets are OK for most use cases
- Consider deploying application tiers per subnet
- Split your HA resources across subnets in different AZs
- VPC Peering requires non-overlapping CIDR blocks, across all VPCs in all Regions/accounts you want to connect
- Avoid overlapping CIDR blocks as much as possible
Stateful Firewall
Allows return traffic automatically
Stateless Firewall
Checks for an allow rule in both the outbound and inbound directions of a request
Differences between NACL and security groups
Security Groups operate at the instance or interface level - filter traffic within and outside the subnet
Network ACLs operate at the subnet level - filter traffic crossing the subnet boundary only
SG - allow rules only
NACL - allow and deny rules
SG - stateful
NACL - stateless
SG - evaluate all rules
NACL - processes rules in order until it hits a matching allow or deny
SG - applies to an instance if it is associated with the group
NACL - applies to all instances in the subnet it is associated with
VPC Peering
Enables routing between 2 VPCs using private IPv4 or IPv6 addresses over the Amazon global network (i.e. not the internet)
CIDR blocks cannot overlap
No transitive peering (e.g. if A is peered with B and B with C, A cannot talk to C)
VPCs can be in different accounts and regions
VPC Interface Endpoint
Used to connect EC2 to public AWS services using private DNS/IPs
An ENI is created
Each interface endpoint can connect to one of the many AWS services (e.g. CloudFormation, CodeDeploy, PrivateLink)
VPC Gateway Endpoint
Uses a route table entry to connect to a public service without going out to the internet
Provision a gateway endpoint and add a route table entry with the S3 or DynamoDB prefix list as destination and the gateway endpoint ID as target
You can use IAM policies or resource policies to limit traffic to just the gateway endpoint
Difference between VPC interface endpoint and VPC gateway endpoint
Interface Endpoint
What: ENI with Private IP
How: DNS entries to redirect traffic
Which service: API Gateway, CloudFormation, CloudWatch, etc.
Security: Security Groups
Gateway Endpoints:
What: A gateway that is a target for specific route
How: Use prefix list in the route table to redirect traffic
Which: Amazon S3, DynamoDB
Security: VPC Endpoint Policies
Client VPN Endpoint
Client VPN network interface created in a subnet
VPN client software (choose your preferred option) connects over SSL/TLS on port 443 over the internet
The VPN endpoint performs SNAT (source NAT) from the CIDR associated with the VPN endpoint to the CIDR associated with the VPC
In the client route table there is an entry with the VPC CIDR as destination and the gateway pointing at the VPN endpoint
What is an AWS VPN
A managed IPsec VPN
It connects AWS to a corporate data center or office and tunnels the traffic over the internet through an encrypted VPN, so private IPs can be used
What is a Virtual Private Gateway (VGW)
The AWS-side end of an AWS VPN; a VGW is deployed on the AWS side
What is a Customer Gateway
Deployed on the customer side of an AWS VPN
How is the communication established when a VPN connection is configured between a customer gateway and VGW?
The VPN connection between a Virtual Private Gateway and a Customer Gateway supports static routes or BGP peering/routing
The route table points to the VGW
What are use cases for AWS Site to Site VPN
Connecting a corporate data center or office to AWS over an encrypted VPN using the internet, or as a backup to AWS Direct Connect
What is BGP
What is ASN
Border Gateway Protocol - used for advertising routes to different parts of the network
Autonomous System Number
Each environment has its own ASN, which identifies it in the routes (IP prefixes) it advertises
What is the network topology for AWS VPN Cloud Hub
Remote offices connect to VGW in a hub and spoke model
VGW is the hub
Each office must use a unique BGP ASN
Traffic can flow to and from AWS and the offices/data centers, or between the offices/data centers in a transitive manner, first going from one office to the VGW and then to another office
AWS Direct Connect (DX)
Private connection between your data center/office and AWS
Doesn't rely on the internet
What is required for AWS DX
AWS Direct Connect service configured in a region
AWS Direct Connect location with an AWS cage and a Customer cage
The AWS cage must have a router where AWS Direct Connect endpoint is configured (AWS provided)
The Customer cage must have a router configured (customer/ISP provided)
The customer must have a customer router in their data center/office
The customer router is connected to the DX router in the DX location
A DX port (1000-Base-LX or 10GBASE-LR) must be allocated in a DX location
A cross connect between the AWS DX router and the customer DX router
DX is a physical fibre connection to AWS running at 1 Gbps or 10 Gbps
100 Gbps is now available in some locations
Benefits of AWS DX
Private connection between AWS and your data center/office
Consistent network experience: better speed/latency and bandwidth/throughput
Lower cost for orgs that transfer large volumes of data
Private VIF
Connects to a single VPC in the same AWS Region using a VGW
A private virtual interface should be used to access an Amazon VPC using private IP addresses.
VIF
A virtual interface using 802.1Q VLAN and a BGP session
Public VIF
Used to connect to AWS public services in any region, but not the internet
A public virtual interface can access all AWS public services using public IP addresses.
How do you connect multiple VPCs to AWS DX
Multiple private VIFs can be used to connect multiple VPCs in one region using DX architecture components (VGWs, AWS Cage and router, Customer/Partner cage and router, DX endpoint, customer router in data center)
Hosted VIF
A VIF shared with another AWS account
What is an alternate way to connect directly to AWS services
DX connections via APN partners can be purchased and run at speeds between 50 Mbps and 500 Mbps
Is DX traffic encrypted? If so, how do you configure? If not, are there options to encrypt?
No, DX traffic is not encrypted.
You can configure an IPsec site-to-site VPN over a VIF to add encryption in transit
DX Gateway
Connects multiple regions using one DX connection and uses AWS global network for low latency, high throughput
What is the architecture of a DX Gateway
A VGW in each region connects to the DX Gateway
A private VIF connects the DX Gateway to the AWS Direct Connect location via the AWS and partner routers, and the partner router in the DX location connects back to the corporate office/data center
BGP advertises routes to all VPCs via the DX Gateway
What are the constraints of a DX Gateway?
You can't route traffic between regions (e.g. VGWs can't talk directly to each other) using a DX Gateway, only to/from the corporate office/data center
AWS Transit Gateway
"Cloud Router"
A network transit hub that interconnects VPCs and on-premises corporate networks
Achieves full transitive routing between on-premises networks, VPCs and the TGW
How do you configure traffic to connect over AWS transit gateway
VPCs are attached to the transit gateway
Specify one subnet in each AZ to enable routing to all subnets
Connect transit gateway to customer gateway
What can TGWs connect to?
VPN
3rd-party appliances
Direct Connect (DX) Gateway
TGWs in other regions or accounts
Transit VIF
Virtual interface specifically used for a DX Gateway associated with a TGW
A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with any AWS Direct Connect dedicated or hosted connection of any speed.
What is the structure of an IPv6 address
What limitation, other than IP space, does IPv6 address compared to IPv4?
128 bits
Uses hexadecimal
8 16-bit groups (4 hex digits each), separated by colons
Has a network part to represent the network
and a node part to represent the machine
All IPv6 addresses are publicly routable; no NAT required
What do you need to configure to use IPv6 in your VPC?
Configure a public subnet
Configure the IPv4 CIDR block for the VPC and IPv4 CIDRs for its subnets
AWS will assign an IPv6 CIDR (/56) address range for your VPC
Create CIDRs for the subnets; each subnet receives a /64 range, allowing 18 million trillion addresses
The two hexadecimal digits following the VPC's /56 prefix (values 00-FF) designate the individual subnet, so each must be unique
256 possible /64 subnets, each with 18 million trillion IPs
What is the all traffic IPv6 address
When would we use this?
::/0
When configuring route tables, to match all IPv6 traffic not covered by the CIDRs already in the route table, typically sending that traffic to the IGW
VPC Flow Logs
Capture information about IP traffic going to and from network interfaces in a VPC
Data is stored using CloudWatch Logs or S3
Access the data in the EC2 or VPC console
Turned off by default
What are the levels flow logs can be created?
VPC
Subnet
Network Interface
Flow logs can help you...?
- Diagnose overly restrictive security group rules.
- Monitor the traffic that is reaching your instance.
- Determine the direction of the traffic to and from the network interfaces.
What is the relation of a subnet to a route table?
A subnet can only be associated with one route table at a time, and a subnet is always associated with at least one route table (by default the main route table)