VPC Flashcards
What do you get with the default VPC?
1 VPC with CIDR 172.31.0.0/16
1 subnet per AZ with ipv4 /20 CIDRs.
Each subnet has auto assign public ipv4 address enabled.
1 main route table with 2 routes: 172.31.0.0/16 pointing to the "local" target (traffic inside the VPC) and 0.0.0.0/0 pointing to the internet gateway. Routes are chosen by longest prefix match, not by listing order, so a destination inside 172.31.0.0/16 always takes the local route even though 0.0.0.0/0 also covers it.
1 default Network ACL whose inbound and outbound lists each contain 2 entries: rule 100 allowing all traffic, followed by the catch-all "*" deny rule that ends every NACL.
1 Internet gateway (igw connect VPCs to the internet)
What are VPC limits?
5 VPCs per region by default (a quota that can be raised).
Up to 5 IPv4 CIDR blocks per VPC (also adjustable), each between /16 and /28.
AWS recommends the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) for a VPC. A publicly routable block is accepted but discouraged: the real internet hosts with those addresses become unreachable from inside the VPC.
Should 2 VPCs CIDRs overlap or not? Why?
No. If you ever want to connect the 2 VPCs, their address ranges must not overlap: VPC peering refuses overlapping CIDRs outright, and with any other connection (transit gateway, VPN) routing between them would be ambiguous.
If you have a CIDR block 10.0.0.0/24 how many free IPs do you have?
Normally you would have 256 addresses, the first of which is the network address, and the last is the broadcast address, so you have 254 free IPs for hosts.
But AWS reserves 5 addresses, so you will actually have 251 addresses for hosts.
The 5 reserved addresses:
10.0.0.0: Network address
10.0.0.1: VPC Router
10.0.0.2: AWS DNS
10.0.0.3: Reserved for future AWS use
10.0.0.255: Broadcast Address
How many addresses does AWS reserve for each subnet, which are there, and what are they for?
5
Example 10.0.0.0/24 CIDR:
10.0.0.0: Network address
10.0.0.1: VPC Router
10.0.0.2: AWS DNS
10.0.0.3: Reserved for future AWS use
10.0.0.255: Broadcast Address (Not for broadcast, just reserved by aws)
What is the broadcast address of a subnet used for in aws?
AWS VPC does not support Broadcast traffic, so the usual broadcast address of a subnet is reserved by AWS.
In AWS, what CIDR block size would you use if you need 29 addresses?
/26.
Normally it would be /27 since it gives you 32 - 2 = 30 addresses. But AWS reserves 5 addresses in total, so you would just get 27 usable addresses for hosts.
So you need a /26 subnet, which gives you 64 - 5 = 59 usable IPs.
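A small address-planning helper, added here as an example (it is not part of the original flashcards), that applies the five-address rule from the cards above: it lists the reserved addresses of a subnet, counts usable hosts, picks the smallest prefix for a given host count, and carves several subnets out of a VPC block. It goes a little beyond the single /24 case by handling any prefix in the /16 to /28 range AWS allows. Only the standard library ipaddress module is used; the host counts and VPC block in the usage section are made up.

```python
import ipaddress

AWS_RESERVED = 5   # network, VPC router, DNS, future use, and the unused "broadcast" address


def reserved_addresses(cidr: str) -> dict:
    """Return the five addresses AWS reserves in the given subnet CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),  # reserved only; a VPC has no broadcast
    }


def usable_hosts(cidr: str) -> int:
    """Host addresses left after the AWS reservation, e.g. 251 for a /24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED


def smallest_prefix_for(hosts: int) -> int:
    """Smallest AWS subnet prefix whose usable count covers `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    needed = hosts + AWS_RESERVED
    bits = (needed - 1).bit_length()      # ceil(log2(needed)) without floating point
    prefix = 32 - bits
    if prefix > 28:
        prefix = 28                        # a /28 is the smallest subnet AWS allows
    if prefix < 16:
        raise ValueError(f"{hosts} hosts do not fit in a single /16")
    return prefix


def carve_subnets(vpc_cidr: str, host_counts: list) -> list:
    """Allocate one subnet per requested host count from the VPC block.

    Largest first keeps every block naturally aligned. Returns (hosts, cidr)
    pairs sorted by size and raises if the VPC block runs out of space."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    cursor = int(vpc.network_address)
    end = int(vpc.broadcast_address) + 1
    result = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = smallest_prefix_for(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size   # align to the block size
        if cursor + size > end:
            raise ValueError(f"{vpc_cidr} has no room for {hosts} hosts")
        result.append((hosts, f"{ipaddress.ip_address(cursor)}/{prefix}"))
        cursor += size
    return result


if __name__ == "__main__":
    # Constructed sample input: three tiers needing 29, 200 and 11 hosts in a 10.0.0.0/16 VPC.
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/24"), "usable hosts in 10.0.0.0/24")
    print("/%d for 29 hosts" % smallest_prefix_for(29))
    for hosts, cidr in carve_subnets("10.0.0.0/16", [29, 200, 11]):
        print(f"{cidr:18} {hosts:>4} hosts requested, {usable_hosts(cidr)} usable")
```

The clamp to /28 matters for tiny subnets: three hosts mathematically fit in a /29, but AWS will not create one, so the function returns 28.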
How many internet gateways can a VPC have?
Only 1
What are internet gateway characteristics?
Only 1 igw per VPC
Created separately from a VPC
It scales horizontally and is highly available and redundant by design.
Attaching it is not enough: the subnet's route table needs a 0.0.0.0/0 route to the igw, and the instance needs a public or Elastic IP, because the igw does 1:1 NAT between the instance's private address and its public address.
What do you need to create in the network side for a resource like an EC2 instance to be able to access internet?
A VPC
An igw
A subnet
Enable auto-assign public IPv4 address on your subnet (or attach an Elastic IP to the instance)
Attach your new igw to your VPC
Create a route table for your VPC
Associate your subnet to your route table
Create a route that forwards external destined traffic: 0.0.0.0/0 to your internet gateway.
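The route lookup the VPC router performs, written out as an added example (not from the original flashcards): longest prefix match across a route table, plus a check of whether a table makes its subnet public and whether an instance behind it can reach the internet. It covers the default VPC's two routes, the private-subnet tables used with NAT gateways, and an isolated subnet with only the local route. The igw-/nat- identifiers, addresses and tables are constructed placeholders, not real resources.

```python
import ipaddress

# Constructed route tables; the igw-/nat- identifiers are placeholders, not real resources.
DEFAULT_MAIN_TABLE = [
    ("172.31.0.0/16", "local"),                  # VPC-internal traffic, present in every table
    ("0.0.0.0/0", "igw-0123456789abcdef0"),      # everything else to the internet gateway
]
PRIVATE_SUBNET_TABLE = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0aaaaaaaaaaaaaaaa"),      # public NAT gateway living in a public subnet
    ("10.0.0.15/32", "nat-0bbbbbbbbbbbbbbbb"),   # private NAT gateway for one remote host
]
ISOLATED_TABLE = [("172.31.0.0/16", "local")]    # no way out at all


def lookup(routes, dst_ip):
    """Target for dst_ip, or None when nothing matches and the packet is dropped.

    Like the VPC router, the most specific (longest prefix) matching route wins,
    regardless of the order the routes are listed in."""
    addr = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for dest, target in routes:
        net = ipaddress.ip_network(dest, strict=True)
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def is_public_subnet(routes):
    """AWS's definition: a subnet is public when its route table points at an internet gateway."""
    return any(target.startswith("igw-") for _, target in routes)


def internet_path(routes, has_public_ip, probe="203.0.113.10"):
    """Explain whether an instance in this subnet can reach the internet and how.

    `probe` is just any public address used to pick the route; 203.0.113.10 is a
    documentation address."""
    target = lookup(routes, probe)
    if target is None or target == "local":
        return "no route to the internet"
    if target.startswith("igw-"):
        if not has_public_ip:
            return "route to igw but no public/Elastic IP: the igw has nothing to translate"
        return f"direct via {target}"
    if target.startswith("nat-"):
        return f"outbound only via {target}"
    return f"via {target}"


if __name__ == "__main__":
    for ip in ("172.31.20.4", "203.0.113.10"):
        print(f"{ip:15} -> {lookup(DEFAULT_MAIN_TABLE, ip)}")
    for ip in ("10.0.0.15", "10.0.0.16"):
        print(f"{ip:15} -> {lookup(PRIVATE_SUBNET_TABLE, ip)}")
    print("public subnet:              ", internet_path(DEFAULT_MAIN_TABLE, has_public_ip=True))
    print("public subnet, no public IP:", internet_path(DEFAULT_MAIN_TABLE, has_public_ip=False))
    print("private subnet:             ", internet_path(PRIVATE_SUBNET_TABLE, has_public_ip=False))
    print("isolated subnet:            ", internet_path(ISOLATED_TABLE, has_public_ip=False))
```

The 10.0.0.15/32 entry shows why longest prefix match matters: 10.0.0.15 is covered by both that route and 0.0.0.0/0, and the /32 wins, while 10.0.0.16 falls through to the default route.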
What are Bastion hosts?
Bastion hosts are for when users want to reach EC2 instances in a private subnet from their own computer, i.e. from the internet.
For this you run an EC2 instance called a bastion host (or jump host) in a public subnet.
The bastion host is allowed, by the private instances' security groups, to reach the private-subnet instances.
So you first connect with SSH to the bastion host, then from the bastion to the private instance, again over SSH.
What inbound rule would you configure in a bastion host?
An inbound rule that allows SSH (TCP 22) only from selected IPs.
For example your organization's public IP or CIDR, never 0.0.0.0/0.
(You also configure inbound SSH rules on the EC2 instances that the bastion host will connect to, allowing traffic only from the bastion's private IP or, better, from the bastion's security group ID, which keeps working when the bastion's IP changes.)
What do you need besides connectivity to connect from a bastion host to a private net EC2 instance?
The private key of the key pair belonging to the private EC2 instance. Copying that key onto the bastion is the weak way to do it: keep the key on your workstation and hop through the bastion with ssh -J (ProxyJump) instead, so the key never leaves your machine and a compromised bastion does not hand it out.
What is a NAT instance?
An EC2 instance with an Elastic IP that receives traffic from instances in private subnets, rewrites the source address to its own, and forwards it to the destination, usually the internet.
The route table of the private subnet must send that traffic (0.0.0.0/0) to the NAT instance.
The NAT instance must have the "source/destination check" disabled, otherwise EC2 drops packets whose addresses are not the instance's own, which is exactly what forwarded traffic looks like.
The AMI used for this is an Amazon Linux AMI that comes preconfigured for NAT.
NAT instance has reached the end of support. NAT Gateway is the recommended better solution for NAT.
What is NAT?
Network Address Translation: a function of routers, firewalls and similar devices that rewrites the source IP (and usually the source port) of the packets it forwards, remembers the mapping, and undoes the translation on the replies so they reach the original private sender.
What is the better solution, NAT Instance or NAT Gateway?
NAT Gateway. The other one has reached end of support by aws.
What are the differences between NAT Gateway and NAT Instances?
NAT GW is AWS managed; a NAT instance is an EC2 instance whose OS and software you have to patch yourself.
NAT GW has higher bandwidth, is highly available within its AZ, and needs no server administration.
With NAT GW you don't need to manage any security groups for it to work (it has none; it still sits behind the NACL of its subnet).
NAT GW is easier to set up. You just assign it to a subnet, give it an elastic ip, and edit the route table of the network you want to route to it: (Destination: 0.0.0.0/0 > Target: nat-xxxxx) so that it routes internet facing traffic to the NAT GW. *Or other traffic in case of private natting: (Destination: 10.0.0.15/32 > Target: nat-xxxxx). This last example routes traffic from my private subnet to the ip 10.0.0.15 to the NAT GW.
**The NAT GW can route traffic to the internet by being in a public subnet with an igw, an elastic ip, and routes to the internet. If your NAT is private, your NAT GW network needs to have routes in its route table that point for example towards 10.0.0.15.
What do you pay for when using NAT Gateway?
Per hour the gateway exists and per GB of data it processes.
What do NAT gw and NAT instances need to connect to internet?
An igw
How do you accomplish multi-AZ with NAT Gateway?
You need to deploy a NAT GW per AZ, and point each AZ's private subnets at the NAT GW in their own AZ, otherwise an AZ outage also takes away internet access from the other AZs.
Can you use a NAT Gateway as a Bastion Host?
No, because you can't SSH into a NAT Gateway: it's AWS managed and has no OS you can log in to.
How does NAT Gateway work?
NAT Gateway works in a specific subnet, similar to an EC2 instance.
For routing traffic to the internet it needs to be in a public subnet. But it can route traffic to private destinations too.
And it uses an Elastic IP (Static Public IP).
You then need to update the private network route table to point to the NAT GW when trying to connect to the internet.
NACLs are Stateless, and SGs are Stateful. What does this mean?
Stateless means the filter doesn't keep track of connections; every packet is judged on its own against the rules. NACLs are stateless, so you need rules allowing the ephemeral ports (1024-65535) in the opposite direction for the replies to get through.
A stateful firewall keeps track of active connections and uses that state when judging traffic.
This means it knows when a packet is the reply to an allowed request. Security groups are stateful, so you don't need rules for ephemeral ports: reply traffic of an allowed connection is let through regardless of the rules in that direction.
When a request arrives for an EC2 instance, it first passes the subnet's NACL inbound rules. If allowed, it then passes the instance's SG inbound rules. If allowed, the instance responds, and the response is automatically allowed at the SG level without consulting the SG outbound rules, because SGs are STATEFUL.
But the response then passes the NACL outbound rules and is not automatically allowed, because NACLs are STATELESS. So the NACL needs an outbound rule allowing the ephemeral port range towards the clients, not a copy of the inbound rules: the reply goes to the client's ephemeral port, not to port 443.
The same applies in reverse for connections the instance initiates: the NACL needs an inbound rule allowing the ephemeral port range so the replies can come back.
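A simulation of the two filters, added here as an example (not part of the original flashcards), that walks one HTTPS request into an instance and its reply back out. The NACL is modelled as stateless numbered rules with first-match-wins and an implicit deny; the security group as stateful allow rules with a connection table. The rule numbers, addresses and ports are constructed, and the security group is given an empty outbound list on purpose to show that replies still leave.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The response packet: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest first, first match wins
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int   # destination port range of the packet being judged
    port_to: int
    action: str      # "allow" or "deny"


def nacl_allows(rules, pkt, direction):
    """Stateless: judge this packet alone; unmatched packets hit the implicit '*' deny."""
    remote = pkt.src_ip if direction == "in" else pkt.dst_ip
    addr = ipaddress.ip_address(remote)
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = addr in ipaddress.ip_network(rule.cidr)
        if in_cidr and rule.port_from <= pkt.dst_port <= rule.port_to:
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: a packet answering a tracked connection is allowed without any rule."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (cidr, port_from, port_to); allow rules only
        self.outbound = outbound
        self.tracked = set()        # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def allows(self, pkt, direction):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return True             # reply to a connection we already allowed
        rules = self.inbound if direction == "in" else self.outbound
        addr = ipaddress.ip_address(pkt.src_ip if direction == "in" else pkt.dst_ip)
        for cidr, lo, hi in rules:
            if addr in ipaddress.ip_network(cidr) and lo <= pkt.dst_port <= hi:
                self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False


def exchange(nacl_in, nacl_out, sg, request):
    """Walk a request into the instance and its reply back out; None means both got through."""
    if not nacl_allows(nacl_in, request, "in"):
        return "request blocked by NACL inbound"
    if not sg.allows(request, "in"):
        return "request blocked by SG inbound"
    reply = request.reply()
    if not sg.allows(reply, "out"):
        return "reply blocked by SG outbound"
    if not nacl_allows(nacl_out, reply, "out"):
        return "reply blocked by NACL outbound"
    return None


# Constructed configuration for a web server on 172.31.10.20 (not real rules from any account).
NACL_IN = [
    NaclRule(90, "198.51.100.0/24", 443, 443, "deny"),   # blocked range, evaluated before 100
    NaclRule(100, "0.0.0.0/0", 443, 443, "allow"),
]
NACL_OUT_MIRRORED = [NaclRule(100, "0.0.0.0/0", 443, 443, "allow")]   # copy of inbound: wrong
NACL_OUT_FIXED = NACL_OUT_MIRRORED + [NaclRule(110, "0.0.0.0/0", 1024, 65535, "allow")]


def web_sg():
    # Outbound left empty on purpose: replies must still get out, because the SG is stateful.
    return SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])


REQUEST = Packet("203.0.113.5", 51234, "172.31.10.20", 443)
BLOCKED_REQUEST = Packet("198.51.100.7", 40000, "172.31.10.20", 443)

if __name__ == "__main__":
    print("mirrored NACL:", exchange(NACL_IN, NACL_OUT_MIRRORED, web_sg(), REQUEST))
    print("fixed NACL:   ", exchange(NACL_IN, NACL_OUT_FIXED, web_sg(), REQUEST))
    print("denied range: ", exchange(NACL_IN, NACL_OUT_FIXED, web_sg(), BLOCKED_REQUEST))
```

With the mirrored outbound list the request is accepted at every step and only the reply dies, at the NACL, because it is addressed to port 51234 rather than 443. The rule 90 deny entry also shows why rule numbers matter: a packet from 198.51.100.0/24 never reaches the allow-all rule 100.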
What is a NACL?
Network Access Control List:
It's a firewall at the subnet boundary that controls traffic to and from subnets.
Each subnet has exactly 1 NACL. A NACL can be associated with many subnets. New subnets get the VPC's default NACL until you associate another one.
In other words, one NACL controls the behaviour of many subnets at once.