VPC Flashcards

1
Q

What do you get with the default VPC?

A

1 VPC with CIDR 172.31.0.0/16.
1 public subnet per AZ, each with an IPv4 /20 CIDR.
Each subnet has "auto-assign public IPv4 address" enabled, so every instance launched into it gets a public IP.
1 main route table.
1 default Network ACL with one allow-all rule (rule 100) inbound and one outbound, each followed by the implicit "*" deny-all rule.
1 default security group.
2 routes in the main route table: the local route (172.31.0.0/16 -> target "local") and the internet route (0.0.0.0/0 -> target: the internet gateway). Routes are matched by longest prefix, not by order, so 172.31.0.0/16 always wins over 0.0.0.0/0 for traffic that stays inside the VPC; the local route cannot be deleted.
1 Internet gateway (an IGW connects a VPC to the internet).

2
Q

What are VPC limits?

A

Default quota of 5 VPCs per region (a soft limit that can be raised).
Up to 5 IPv4 CIDR blocks per VPC by default (also adjustable), each between /16 (65,536 addresses) and /28 (16 addresses).
AWS recommends a private range (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). A publicly routable CIDR is technically allowed, but AWS does not support direct internet access from such a block, and whatever range you pick must not overlap with any network you may later connect to.

3
Q

Should 2 VPCs CIDRs overlap or not? Why?

A

No. To connect two VPCs (VPC peering, Transit Gateway) their CIDR blocks must not overlap, because routing between identical addresses would be ambiguous; a peering request between overlapping VPCs is rejected. Plan non-overlapping address space for every VPC and on-premises network you may ever want to connect.

4
Q

If you have a CIDR block 10.0.0.0/24 how many free IPs do you have?

A

Normally a /24 has 256 addresses, the first of which is the network address and the last the broadcast address, leaving 254 for hosts.

But AWS reserves 5 addresses in every subnet, so you actually have 251 usable addresses for hosts.

The 5 reserved addresses:

10.0.0.0: Network address
10.0.0.1: VPC router
10.0.0.2: Amazon-provided DNS (the resolver address is the VPC CIDR base + 2; the +2 address of every subnet is reserved as well)
10.0.0.3: Reserved for future AWS use
10.0.0.255: Broadcast address (reserved; VPCs do not support broadcast)

5
Q

How many addresses does AWS reserve for each subnet, which are there, and what are they for?

A

5 per subnet, whatever its size.

Example 10.0.0.0/24 CIDR:

10.0.0.0: Network address
10.0.0.1: VPC router (default gateway for the subnet)
10.0.0.2: Amazon-provided DNS
10.0.0.3: Reserved for future AWS use
10.0.0.255: Broadcast address (not used for broadcast, just reserved by AWS)

6
Q

What is the broadcast address of a subnet used for in aws?

A

AWS VPC does not support Broadcast traffic, so the usual broadcast address of a subnet is reserved by AWS.

7
Q

In AWS, what CIDR block size would you use if you need 29 addresses?

A

/26.

A /27 looks sufficient at first (32 addresses, 30 usable after network and broadcast), but AWS reserves 5 addresses per subnet, leaving 27 usable, which is less than 29.

So you need a /26 subnet: 64 addresses, 59 usable after AWS's 5 reservations. The general rule is usable = 2^(32 - prefix) - 5, and a subnet can be no smaller than /28 (11 usable).
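
Worked example added by the editor (it is not part of the original deck): a small Python helper that applies the rules from cards 4 to 7, listing the five reserved addresses of a subnet, computing the usable host count, and choosing the smallest AWS subnet for a required number of hosts. It uses only the standard library; the /24, /27 and /26 inputs are the ones from the cards.

```python
import ipaddress
import math

AWS_RESERVED = 5                   # network, router, DNS, future use, broadcast
MIN_PREFIX, MAX_PREFIX = 16, 28    # AWS allows /16 down to /28 for VPC and subnet CIDRs


def reserved_addresses(cidr: str) -> dict:
    """Map each of the five addresses AWS reserves in `cidr` to its role."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    roles = ("network address", "VPC router",
             "Amazon-provided DNS (reserved in every subnet)",
             "reserved for future AWS use")
    reserved = {str(ipaddress.ip_address(base + i)): role for i, role in enumerate(roles)}
    reserved[str(net.broadcast_address)] = "broadcast (reserved; VPCs do not support broadcast)"
    return reserved


def usable_hosts(cidr: str) -> int:
    """Addresses left for hosts after AWS's five reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net.num_addresses - AWS_RESERVED


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable count covers `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    needed = hosts + AWS_RESERVED                 # the classic 'hosts + 2' becomes 'hosts + 5'
    prefix = 32 - math.ceil(math.log2(needed))
    if prefix < MIN_PREFIX:
        raise ValueError(f"{hosts} hosts do not fit in a single /{MIN_PREFIX}")
    return min(prefix, MAX_PREFIX)                # nothing smaller than /28 exists in AWS


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.0.0/27", "10.0.0.0/26"):
        print(f"{cidr}: {usable_hosts(cidr)} usable hosts")
    for addr, role in reserved_addresses("10.0.0.0/24").items():
        print(f"  {addr:<12} {role}")
    print("29 hosts need a /" + str(smallest_prefix_for(29)))   # /26, not the /27 you would expect
```

The `+5` instead of the usual `+2` is the whole point: a request for 29 hosts lands on a /26, and a request for a single host still costs a /28, the smallest subnet AWS will create.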

8
Q

How many internet gateways can a VPC have?

A

Only 1 (and an IGW can be attached to only 1 VPC at a time).

9
Q

What are internet gateway characteristics?

A

Only 1 IGW per VPC (and an IGW is attached to only 1 VPC).
Created separately from the VPC, then attached to it.
It scales horizontally and is highly available and redundant; there is no bandwidth limit and nothing to size.
Attaching it does nothing on its own: you must add a 0.0.0.0/0 route (and ::/0 for IPv6) to the IGW in the route tables of the subnets that should be public, and the instances need a public or Elastic IP.

10
Q

What do you need to create in the network side for a resource like an EC2 instance to be able to access internet?

A

A VPC
An Internet gateway (IGW), attached to the VPC
A subnet (this is the one that becomes public)
"Auto-assign public IPv4 address" enabled on the subnet, or an Elastic IP attached to the instance
A route table for the VPC
The subnet associated with that route table
A route in that table that forwards external-destined traffic (destination 0.0.0.0/0) to the IGW
Security group and NACL rules that allow the traffic in question

11
Q

What are Bastion hosts?

A

A bastion host (jump host) is the pattern for reaching EC2 instances in a private subnet from outside the VPC, for example from an administrator's computer over the internet.

The bastion is an EC2 instance placed in a public subnet with a public or Elastic IP. It is reachable from the internet on SSH only, from allowed source IPs, and its security group is allowed to reach the private instances.

You first SSH to the bastion, then from the bastion SSH onward to the private instance (or, better, use ProxyJump so the second hop is tunnelled through the first without storing keys on the bastion).

Because it is internet-exposed, the bastion must be minimal and hardened: no other services, patched, with logging enabled. Where possible, AWS Systems Manager Session Manager or EC2 Instance Connect replace it entirely, since they need no inbound SSH port at all.

12
Q

What inbound rule would you configure in a bastion host?

A

An inbound rule that allows SSH (TCP 22) only from specific, trusted source IPs, for example your organization's public IP or CIDR. Never 0.0.0.0/0.

The private instances' security groups should in turn allow inbound SSH only from the bastion, referencing the bastion's security group ID (preferred, because it survives IP changes) or its private IP as a /32.

13
Q

What do you need besides connectivity to connect from a bastion host to a private net EC2 instance?

A

The bastion needs a way to authenticate to the private instance: the SSH private key matching the private instance's key pair. Copying that key onto the bastion is risky (compromising the bastion then compromises every instance it can reach), so prefer SSH agent forwarding or ProxyJump (ssh -J bastion private-host), which keeps the key on your workstation.

14
Q

What is a NAT instance?

A

An EC2 instance in a public subnet with an Elastic IP that receives traffic from instances in private subnets, rewrites the source address to its own, forwards it to the destination (usually the internet), and relays the replies back.

The private subnets' route table must send 0.0.0.0/0 to the NAT instance (the target is the instance or its ENI).

The NAT instance must have the "source/destination check" disabled; otherwise EC2 drops packets whose source or destination IP is not the instance's own, which is exactly what forwarded traffic looks like.

Its security group must allow inbound traffic from the private subnets and outbound traffic to the internet.

AWS published an Amazon Linux AMI preconfigured for NAT. It reached end of standard support; NAT Gateway is the recommended solution.

15
Q

What is NAT?

A

Network Address Translation: a feature of routers, firewalls and gateways that rewrites the source IP (and usually the source port) of the packets it forwards, sends them on to their destination, and reverses the mapping on the replies so they reach the original sender. It lets many private addresses share one public address and, as a side effect, hides the private hosts from inbound connections.

16
Q

What is the better solution, NAT Instance or NAT Gateway?

A

NAT Gateway. The other one has reached end of support by aws.

17
Q

What are the differences between NAT Gateway and NAT Instances?

A

NAT GW is AWS managed; a NAT instance is an EC2 instance whose OS and software you must patch and monitor.
NAT GW offers higher bandwidth (it scales automatically), is highly available within its AZ, and needs no server administration. For multi-AZ resilience you deploy one NAT GW per AZ.
NAT GW has no security group (you cannot attach one); a NAT instance needs a security group that you maintain. The NACL of the NAT GW's subnet still applies to it.
NAT GW is easier to set up: create it in a subnet, give it an Elastic IP, and edit the route table of the private subnets so that internet-bound traffic goes to it (Destination: 0.0.0.0/0 > Target: nat-xxxxx).

A private NAT gateway (no Elastic IP) can instead translate traffic towards other private networks, for example to work around overlapping CIDRs; the private subnet then gets a route such as (Destination: 10.0.0.15/32 > Target: nat-xxxxx), which sends traffic for 10.0.0.15 through the NAT GW.

A public NAT GW reaches the internet by sitting in a public subnet whose route table points 0.0.0.0/0 at the IGW, using its Elastic IP as the source address. A private NAT GW has no IGW path; its own subnet's route table needs routes towards the destination network (for example towards 10.0.0.15).
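
Added example (the editor's, not from the deck): the route-selection rule from card 1, that the /16 local route beats 0.0.0.0/0 because routes match on the longest prefix rather than on table order, applied to the NAT Gateway routes above. The route tables and target names (igw, nat-public, nat-private, pcx-peer) are constructed placeholders, not real AWS IDs; the local VPC here is 172.16.0.0/16 so that the 10.0.0.15/32 private-NAT destination lies outside it.

```python
import ipaddress

# Constructed route tables; targets are placeholder names, not real AWS resource IDs.
DEFAULT_VPC_RT = [
    ("0.0.0.0/0", "igw"),              # order is irrelevant: the most specific match wins
    ("172.31.0.0/16", "local"),        # the local route, always present, cannot be deleted
]

PRIVATE_SUBNET_RT = [
    ("172.16.0.0/16", "local"),
    ("0.0.0.0/0", "nat-public"),       # internet-bound traffic via the public NAT GW
    ("10.0.0.0/16", "pcx-peer"),       # a peered VPC
    ("10.0.0.15/32", "nat-private"),   # one host reached through a private NAT GW
]

ISOLATED_RT = [("172.16.0.0/16", "local")]   # no default route: the internet is unreachable


def lookup(route_table, destination):
    """Return (cidr, target) of the longest-prefix route containing `destination`,
    or (None, None) when no route matches (the packet is dropped)."""
    ip = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return (str(best_net), best_target) if best_net else (None, None)


def is_public_subnet(route_table):
    """AWS's definition of a public subnet: its route table has a route to an internet gateway."""
    return any(target.startswith("igw") for _, target in route_table)


if __name__ == "__main__":
    cases = (("default", DEFAULT_VPC_RT, "172.31.5.9"),
             ("default", DEFAULT_VPC_RT, "8.8.8.8"),
             ("private", PRIVATE_SUBNET_RT, "10.0.0.15"),
             ("private", PRIVATE_SUBNET_RT, "10.0.0.16"),
             ("private", PRIVATE_SUBNET_RT, "1.1.1.1"),
             ("isolated", ISOLATED_RT, "1.1.1.1"))
    for rt_name, rt, dst in cases:
        print(f"{rt_name:<8} {dst:<12} -> {lookup(rt, dst)}")
    print("default subnet is public:", is_public_subnet(DEFAULT_VPC_RT))
    print("private subnet is public:", is_public_subnet(PRIVATE_SUBNET_RT))
```

`is_public_subnet` is the check an auditor runs over every route table in an account: any subnet whose table carries an IGW route is internet-facing, whatever the subnet is called.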

18
Q

What do you pay for when using NAT Gateway?

A

Per hour that the NAT Gateway exists, plus a per-GB data processing charge for all traffic through it, plus the normal data transfer charges on top. An idle NAT Gateway still costs the hourly fee.

19
Q

What do NAT gw and NAT instances need to connect to internet?

A

An IGW attached to the VPC. A public NAT Gateway or NAT instance sits in a public subnet, so it needs a 0.0.0.0/0 route to that IGW in its own subnet's route table and an Elastic IP.

20
Q

How do you accomplish multi-AZ with NAT Gateway?

A

You need to deploy one NAT GW per AZ and route each AZ's private subnets to the NAT GW in the same AZ. A NAT GW is resilient only within its AZ: if that AZ fails, every subnet routed to it loses internet access, and routing across AZs also adds data transfer charges.

21
Q

Can you use a NAT Gateway as a Bastion Host?

A

No. A NAT Gateway is a managed appliance: you cannot SSH into it, and it only forwards connections initiated from inside the VPC; it does not accept inbound connections from the internet.

22
Q

How does NAT Gateway work?

A

A NAT Gateway lives in a specific subnet and AZ, like an EC2 instance, and takes a private IP from that subnet.
To route traffic to the internet it must be in a public subnet (one whose route table sends 0.0.0.0/0 to the IGW). A private NAT Gateway can instead translate traffic towards other private networks.

A public NAT Gateway uses an Elastic IP (static public IP) as the source address of all translated traffic, which is convenient for allow-listing on the remote side.

You then update the private subnets' route table so that 0.0.0.0/0 points to the NAT GW. Traffic is one-way: only connections initiated from inside the VPC are translated; nothing on the internet can initiate a connection to the private instances through it.

23
Q

NACLs are Stateless, and SGs are Stateful. What does this mean?

A

Stateless means the firewall does not keep track of active connections when allowing or denying traffic: every packet, including the reply to a request it just allowed, is evaluated on its own against the rules. NACLs are stateless, so you must add rules for the ephemeral port range so that replies can flow.

Stateful means the firewall tracks the state of active connections and knows when a packet is the reply to a request it already allowed. Security groups are stateful: you do not need rules for ephemeral ports, because the return traffic of an allowed connection is permitted automatically.

When a request arrives at an EC2 instance, it first passes the inbound rules of the subnet's NACL. If allowed, it then passes the inbound rules of the instance's security group. If allowed there too, the instance replies; the reply is automatically allowed at the SG level, without consulting the SG outbound rules, because SGs are STATEFUL.

The reply then crosses the NACL outbound rules and is NOT automatically allowed, because NACLs are STATELESS. So the NACL needs an outbound rule allowing traffic to the client's ephemeral port range (1024-65535), not just a copy of the inbound rules.

The same applies in the other direction: for a connection initiated by the instance, the NACL needs an inbound rule that allows the replies to the instance's ephemeral ports.

24
Q

What is a NACL?

A

Network Access Control List:

A stateless firewall at the subnet boundary that controls traffic entering and leaving the subnet.

Each subnet is associated with exactly 1 NACL; a NACL can be associated with many subnets. New subnets are associated with the VPC's default NACL until you change that.

In other words, one NACL can govern the traffic of many subnets, and a badly written NACL affects every instance in all of them.

25
Q

At what level do NACLs control traffic?

A

At the subnet level. There is 1 NACL per subnet.

26
Q

How does the Default NACL behave?

A

The default NACL allows all inbound and outbound traffic. A newly created custom NACL does the opposite: it denies all traffic until you add allow rules.

27
Q

What is the NACL rule with an asterisk (*)?

A

It is the final rule of every NACL, evaluated only when no numbered rule matched, and it denies all traffic. It cannot be edited or removed.

28
Q

What are ephemeral ports and how do they work?

A

When you initiate a connection to a server you connect to a well-known destination port, for example destination port 22 for SSH. On the client side the connection is sent from a source port that the OS picks from a pool: this is the ephemeral port. The client uses that port only for this one connection and releases it afterwards, while the server keeps port 22 open to accept connections.

TLDR: source ip: x, source port: 50192, dest ip: y, dest port: 22, payload: xyz

Different OSs use different ephemeral port ranges.
Examples:
IANA default and Windows 10 / Windows Server 2008 and later: 49152-65535
Linux: 32768-60999 (net.ipv4.ip_local_port_range)
AWS NAT Gateways and Elastic Load Balancers: 1024-65535

When the reply comes back from the SSH server, the server's source port is 22 and the destination port is 50192.

TLDR: source ip: y, source port: 22, dest ip: x, dest port: 50192, payload: abc

So the ephemeral port is just a temporary, OS-chosen port on the initiator's side that identifies this one connection for its duration.

29
Q

How do ephemeral ports work with NACLs?

A

You need rules that allow traffic to the ephemeral port range, because NACLs are stateless and do not track ongoing connections between hosts.

Example: I initiate an HTTPS connection to port 443, which is allowed in my NACL, using ephemeral port 50192 as the source port. The response packets from the HTTPS server come back with source port 443 and destination port 50192. A stateful firewall allows this response without any extra rule for port 50192, because it remembers that I initiated the connection to port 443.

A NACL does not keep that state, so it cannot tell whether the packet to port 50192 belongs to an existing connection or is a new one. I therefore need an inbound rule that allows traffic to destination port 50192.

And since ephemeral ports like 50192 are chosen at random for each connection, the rule must cover the whole range.

32768-65535 covers the ranges used by modern Linux and Windows clients, but AWS recommends 1024-65535, because NAT Gateways, Elastic Load Balancers and older Windows versions use ports as low as 1024. Opening that range is the price of using NACLs; the fine-grained per-port control belongs in the security groups, which are stateful.
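
Added example, written by the editor and not part of the original deck: a simulator of the stateless NACL evaluation described in cards 23, 28 and 29, next to the stateful security group behaviour, so you can see exactly which packet of a round trip is dropped when the ephemeral range is missing. The rule sets, the addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the instance address 10.0.1.5 are constructed; the deny rule numbered 50 shows the rule-ordering trick used to block a single address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending number order; first match wins
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int   # destination-port range covered by the rule
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def reply_to(p: Packet) -> Packet:
    """The reply travels the other way: source and destination swap."""
    return Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.protocol)


def _matches(rule: Rule, packet: Packet, direction: str) -> bool:
    ip = ipaddress.ip_address(packet.src_ip if direction == "in" else packet.dst_ip)
    return ((rule.protocol == "all" or rule.protocol == packet.protocol)
            and ip in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= packet.dst_port <= rule.port_to)


def nacl_evaluate(rules, packet, direction):
    """Stateless: the lowest-numbered matching rule decides; no match is the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet, direction):
            return rule.action, rule.number
    return "deny", "*"


def nacl_round_trip(inbound, outbound, request, from_outside=True):
    """Evaluate a request and its reply the way a NACL does: as two unrelated packets."""
    first, second = ("in", "out") if from_outside else ("out", "in")
    table = {"in": inbound, "out": outbound}
    return (nacl_evaluate(table[first], request, first),
            nacl_evaluate(table[second], reply_to(request), second))


def sg_round_trip(inbound, request):
    """Stateful security group: allow rules only, all evaluated, and once the request
    is allowed its reply is allowed too without consulting any outbound rule."""
    allowed = any(_matches(r, request, "in") for r in inbound)
    return allowed, allowed


# Constructed rule sets and addresses (documentation ranges), not from a real account.
ANY, ADMIN_CIDR, INSTANCE = "0.0.0.0/0", "203.0.113.0/24", "10.0.1.5"

# A NACL that lists only the service ports: SSH in from the admins, HTTPS out to anywhere.
NACL_IN_NO_EPHEMERAL = [Rule(100, "tcp", ADMIN_CIDR, 22, 22, "allow")]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "tcp", ANY, 443, 443, "allow")]

# Same intent, fixed: ephemeral range 1024-65535 (AWS's recommendation) in both directions,
# plus a deny numbered below the allow to block one abusive admin address.
NACL_IN_FIXED = [
    Rule(50, "tcp", "203.0.113.7/32", 0, 65535, "deny"),
    Rule(100, "tcp", ADMIN_CIDR, 22, 22, "allow"),
    Rule(110, "tcp", ANY, 1024, 65535, "allow"),   # replies to connections the instance opened
]
NACL_OUT_FIXED = [
    Rule(100, "tcp", ANY, 443, 443, "allow"),
    Rule(110, "tcp", ANY, 1024, 65535, "allow"),   # replies to inbound SSH sessions
]
SG_IN = [Rule(0, "tcp", ADMIN_CIDR, 22, 22, "allow")]

SSH_REQUEST = Packet("203.0.113.10", 50192, INSTANCE, 22)          # admin -> instance
SSH_FROM_BLOCKED_ADMIN = Packet("203.0.113.7", 50001, INSTANCE, 22)
HTTPS_FROM_INSTANCE = Packet(INSTANCE, 40001, "198.51.100.8", 443)  # instance -> web server

if __name__ == "__main__":
    print("SSH, no ephemeral rule :", nacl_round_trip(NACL_IN_NO_EPHEMERAL, NACL_OUT_NO_EPHEMERAL, SSH_REQUEST))
    print("SSH, fixed NACL        :", nacl_round_trip(NACL_IN_FIXED, NACL_OUT_FIXED, SSH_REQUEST))
    print("SSH, blocked admin     :", nacl_round_trip(NACL_IN_FIXED, NACL_OUT_FIXED, SSH_FROM_BLOCKED_ADMIN))
    print("HTTPS out, no ephemeral:", nacl_round_trip(NACL_IN_NO_EPHEMERAL, NACL_OUT_NO_EPHEMERAL,
                                                      HTTPS_FROM_INSTANCE, from_outside=False))
    print("SSH through the SG     :", sg_round_trip(SG_IN, SSH_REQUEST))
```

With the first NACL the SSH request is allowed in (rule 100) but its reply to port 50192 hits the "*" deny on the way out, so the session hangs after the TCP SYN; the same NACL also breaks every connection the instance opens, because the replies to its own ephemeral ports are denied inbound. The fixed NACL allows both via rule 110, and rule 50 blocks 203.0.113.7 before rule 100 gets a chance to allow it.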

30
Q

What are NACLs for?

A

For allowing or blocking inbound and outbound traffic at the subnet boundary: between the subnet and the internet, between the subnet and other subnets, or between the subnet and another VPC. Because they support deny rules, they are the place to block a specific source IP or CIDR, which security groups cannot do.

31
Q

How many subnets per NACL?

A

As many as you want, but each subnet can be associated with only one NACL at a time, so associating a subnet with a new NACL replaces its previous association.

32
Q

How many NACLS per subnet?

A

Only 1.

33
Q

What are the differences between NACLs and SGs?

A

SG operates at the instance (ENI) level. NACL operates at the subnet level.
SG supports allow rules only. NACL supports allow and deny rules.
SGs are stateful. NACLs are stateless.
In SGs all rules are evaluated together and any matching allow rule permits the traffic. In NACLs rules are evaluated in ascending order of rule number and the first match wins, which is why a deny rule must be numbered lower than the allow rule it is meant to override.
SGs apply only to the instances (ENIs) you attach them to. NACLs apply automatically to every instance in the subnets associated with them.

34
Q

What is VPC Peering?

A

A way to privately connect 2 VPCs to each other over the AWS network, without an IGW, NAT or VPN.

The 2 VPCs can be in the same account or different accounts, and in the same region or different regions (inter-region peering).

The 2 VPCs cannot have overlapping CIDRs; the peering request fails otherwise.

VPC peering is not transitive. A peering connection must be established between each pair of VPCs that need to communicate.

You must add routes for the peer's CIDR, with the peering connection as target, in the route tables of the subnets on both sides, and allow the traffic in the security groups and NACLs.
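
Added example (the editor's, not from the deck): the overlap check behind cards 3 and 34, run over a constructed inventory of VPC CIDRs (a VPC may hold several blocks). It reports which pairs can never be peered and proposes the next free block for a new VPC. The VPC names and CIDRs are made up.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: VPC name -> list of its CIDR blocks (a VPC can have several).
VPCS = {
    "prod":   ["10.0.0.0/16"],
    "dev":    ["10.0.0.0/16"],                   # copy-pasted from prod: never peerable with it
    "shared": ["10.1.0.0/16", "100.64.0.0/16"],
    "onprem": ["10.1.128.0/17"],                 # overlaps half of shared's first block
}


def overlapping_pairs(vpcs):
    """Every pair of blocks from *different* VPCs that overlap, as (vpc_a, cidr_a, vpc_b, cidr_b)."""
    blocks = [(name, ipaddress.ip_network(c)) for name, cidrs in vpcs.items() for c in cidrs]
    return [(na, str(a), nb, str(b))
            for (na, a), (nb, b) in combinations(blocks, 2)
            if na != nb and a.overlaps(b)]


def can_peer(vpcs, a, b):
    """Peering (or a shared Transit Gateway) needs no overlap between any blocks of a and b."""
    return not any({x[0], x[2]} == {a, b} for x in overlapping_pairs(vpcs))


def next_free_block(vpcs, prefixlen, pool="10.0.0.0/8"):
    """First /prefixlen inside `pool` that overlaps none of the existing blocks, or None."""
    used = [ipaddress.ip_network(c) for cidrs in vpcs.values() for c in cidrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for na, a, nb, b in overlapping_pairs(VPCS):
        print(f"conflict: {na} {a} overlaps {nb} {b}")
    print("prod <-> shared peerable:", can_peer(VPCS, "prod", "shared"))
    print("prod <-> dev peerable   :", can_peer(VPCS, "prod", "dev"))
    print("next free /16 in 10/8   :", next_free_block(VPCS, 16))
```

Run this against the real inventory (including on-premises ranges) before creating a VPC, not after: the peering or VPN that needs the address space is usually requested long after the VPC was built.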

35
Q

If you have VPC1 VPC2 and VPC3. You have VPC Peering between 1 and 2. And VPC Peering between 2 and 3.

Can VPC 1 communicate with VPC 3?

A

NO. You would need to enable VPC Peering between VPC 1 and 3.

36
Q

How could AWS Account A resource communicate with AWS Account B resource? Both resources must be in private subnets (No internet).

A

With VPC peering between the two VPCs (same or different accounts) the two resources can communicate over their private IPs, with no internet access needed on either side.

Their security groups can even reference each other (account-id/sg-id) in their rules, but ONLY if both VPCs are in the same region; inter-region peering does not support SG references, so there you must write CIDR-based rules.

37
Q

Can sg rule reference another sg in a different region?

A

No. SG rules can only reference SGs in the same region.

A rule can reference an SG in another account if VPC peering exists between the two VPCs, but only when both VPCs are in the same region.

38
Q

What are VPC Endpoints?

A

An AWS VPC feature that lets resources in your VPC reach AWS services privately, without going through a NAT GW, an IGW or the internet, and without needing public IPs.

With a VPC endpoint the traffic goes from your VPC to the service over the AWS private network, and endpoint policies let you restrict which principals and which resources (for example which S3 buckets) may be reached through it.

39
Q

What is AWS PrivateLink?

A

The technology behind VPC Interface Endpoints: it lets your VPC resources reach AWS services, AWS Marketplace partner services, or your own services (exposed behind a Network Load Balancer as an endpoint service) over private IPs, without peering the VPCs.

(Gateway endpoints for S3 and DynamoDB are not based on PrivateLink.)

40
Q

What are the types of VPC Endpoints and how do they work?

A

Interface Endpoint (PrivateLink):
Provisions an ENI with a private IP from your subnet that acts as the entry point to the AWS service (or to an endpoint service). The ENI has a security group that you must configure to allow the traffic, and private DNS can be enabled so the service's normal hostname resolves to the endpoint's private IP.

Gateway Endpoint:
Provisions a gateway, similar to an IGW, that is used as a target in your route tables: a route for the service's prefix list points to the endpoint, so traffic to S3 or DynamoDB stays on the AWS network.
Gateway endpoints exist only for S3 and DynamoDB, do not use PrivateLink, and have no ENI or security group; access is restricted with an endpoint policy (and a bucket policy can require that requests arrive through a specific endpoint).

41
Q

How many route tables can a VPC be associated with?

A

Up to 200 per VPC by default (an adjustable quota). Every VPC starts with a main route table.

42
Q

How many route tables can a subnet be associated with?

A

Only 1 at a time. A subnet with no explicit association uses the VPC's main route table.

43
Q

Which type of VPC Endpoint uses PrivateLink technology?

A

Interface Endpoints

44
Q

Which VPC Endpoint type uses an ENI and SG?

A

Interface Endpoint

45
Q

Which VPC Endpoint type uses a GW and Route Table?

A

Gateway Endpoint.

46
Q

Which type of VPC Endpoint is recommended when connecting your VPC to S3?

A

Gateway Endpoint.

47
Q

Which type of VPC Endpoint is recommended when connecting your VPC to DynamoDB?

A

Gateway Endpoint.

48
Q

Which type of VPC Endpoint is recommended when connecting your VPC to SNS?

A

Interface Endpoint.

(Gateway Endpoint is only for S3 and DynamoDB).

49
Q

Which type of VPC Endpoint is recommended when connecting your VPC to Aurora.?

A

Interface Endpoint.

(Gateway Endpoint is only for S3 and DynamoDB).

50
Q

When is an Interface Endpoint preferred over a Gateway Endpoint for accessing S3 or DynamoDB?

A

Only when the access does not originate inside the VPC: a gateway endpoint can be used only by resources in the VPC where it is created, so it is not reachable from on-premises over Site-to-Site VPN or Direct Connect, nor from a peered VPC. In those cases use an Interface Endpoint.

The rest of the time the Gateway Endpoint is preferred because it is free.

51
Q

How are you charged for using VPC Endpoints?

A

With an Interface Endpoint you are charged per hour for each AZ in which the endpoint has an ENI, plus per GB of data processed.

Gateway Endpoints are free.

52
Q

Can AWS Services be accessed through the internet?

A

Yes. AWS service APIs (S3, DynamoDB, SNS, etc.) have public endpoints reachable over the internet, and any request properly signed with valid IAM credentials is served wherever it comes from. That is why a leaked access key is usable from anywhere.

AWS services can also be reached from inside a VPC over the AWS network through VPC endpoints, and endpoint policies, bucket policies and IAM conditions such as aws:SourceVpce can be used to require that path.

53
Q

What are VPC Flow Logs? How does capturing Flow Logs work?

A

They capture metadata about the IP traffic going to and from network interfaces in your VPC (not the packet payloads). You can create a flow log at VPC, subnet or ENI level; the VPC and subnet levels cover every ENI inside them, including the ENIs of AWS-managed resources such as ELBs, RDS, ElastiCache, NAT Gateways, etc.

Flow logs record traffic as "flows". A flow record summarizes the packets that share a 5-tuple (source IP, destination IP, source port, destination port, protocol) on one ENI, in one direction, during an aggregation interval. At the end of the interval a text record is written with the packet and byte counts. The maximum aggregation interval is 10 minutes by default, or 1 minute if you choose it; a 1-minute interval produces up to ten times as many records, and therefore costs more, because each record is the same size whatever the interval.

You can create flow logs for all traffic, only accepted traffic, or only rejected traffic.

Once you create a flow log for a resource (VPC, subnet or ENI) it captures flows continuously until you delete it. It does not capture everything: traffic to the Amazon DNS resolver, DHCP, the instance metadata service and Windows license activation is excluded.

Flow log data can be delivered to S3, CloudWatch Logs, or Kinesis Data Firehose.

The default (version 2) record contains: version, account id, ENI id, srcaddr, dstaddr, srcport, dstport, protocol number, packets, bytes, start, end, action (ACCEPT/REJECT) and log-status. Custom formats can add fields such as TCP flags, traffic direction and the VPC/subnet ids. REJECT records are the first place to look for port scans and for security group or NACL misconfigurations.
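
Added example by the editor, not from the deck: a parser for the default (version 2) flow log record format listed above, run over constructed records (the account id, ENI id and IP addresses are placeholders) to pull out REJECT counts per source, a crude port-scan detector, and byte totals per IP pair. It also shows that one SSH session appears as two records, one per direction, and that NODATA records carry '-' in the numeric fields.

```python
from collections import Counter, defaultdict

# Default version-2 flow log format: space separated, in this field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records (placeholder account, ENI and documentation IP ranges).
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40122 22 6 6 360 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40123 23 6 6 360 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40124 3389 6 6 360 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40125 445 6 6 360 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40126 8080 6 6 360 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.5 50192 22 6 20 4249 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.10 22 50192 6 18 6012 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.5 198.51.100.8 40001 443 6 30 15000 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line):
    """One record -> dict; numeric fields become ints, '-' (NODATA/SKIPDATA) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for f in NUMERIC:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejects_by_source(records):
    """How many rejected flows each source address produced."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def port_scan_suspects(records, min_ports=5):
    """Sources rejected on at least `min_ports` distinct destination ports within the log."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def bytes_by_pair(records):
    """Bytes exchanged per unordered IP pair; both directions of a session are summed."""
    totals = Counter()
    for r in records:
        if r["log_status"] == "OK":
            totals[tuple(sorted((r["srcaddr"], r["dstaddr"])))] += r["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records:", len(recs), "rejects:", rejects_by_source(recs))
    print("port-scan suspects:", port_scan_suspects(recs))
    for pair, total in bytes_by_pair(recs).most_common():
        print(f"{pair[0]:<14} <-> {pair[1]:<14} {total} bytes")
```

The same logic is what an Athena or CloudWatch Logs Insights query does at scale; writing it out once makes the field order and the two-records-per-session behaviour obvious before you trust a dashboard built on it.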

54
Q

How can you query VPC Flow Logs?

A

With Athena over the S3 destination, with CloudWatch Logs Insights over the CloudWatch Logs destination, or by streaming them through Kinesis Data Firehose into a SIEM or analytics tool.

55
Q

What is S2S VPN?

A

Site-to-Site VPN connects your AWS VPC to your on-premises network over the public internet, inside encrypted IPsec tunnels.

On the AWS side it needs a Virtual Private Gateway (VGW), or a Transit Gateway, as the VPN concentrator: the VGW terminates VPN connections from multiple customer locations, always into the same VPC. Each VPN connection gets two tunnels that end on different AWS endpoints for redundancy.

56
Q

What is Virtual Private Gateway (VGW)?

A

It is the gateway on the AWS side of a Site-to-Site VPN connection and acts as the VPN concentrator, so multiple VPN connections (from multiple customer gateways) can terminate on it.

The VGW is created and attached to the VPC you want to reach through the VPN. It is also the attachment point for a Direct Connect private VIF.

The VGW is highly available: every VPN connection gets two IPsec tunnels, each ending at a different AWS endpoint, so you should configure both tunnels on your side.

57
Q

What is a VPN Concentrator?

A

A VPN concentrator is a specialized network device that provides secure connections for multiple VPN (Virtual Private Network) tunnels. It manages and handles the encryption, decryption, and secure data transmission between remote users or sites and the internal network. Essentially, it serves as a hub for VPN connections, centralizing and managing multiple secure tunnels, making it easier to handle a large number of remote connections.

In AWS, a VPN Concentrator is the VGW (Virtual Private Gateway).

58
Q

What are the terms CGW and VGW?

A

VGW is the VPN Concentrator on the AWS side.

CGW is the device on the customer side of the VPN connection, that connects your onpremises network to the VPN.

59
Q

What should you know about setting up your CGW?

A

You create a Customer Gateway resource in AWS, which is only a representation of your on-premises VPN device so that AWS knows how to reach it. You provide the device's public IP address, its BGP ASN if you use dynamic (BGP) routing, and optionally a private certificate from ACM if you want certificate-based tunnel authentication instead of pre-shared keys.

If your device has a public IP address, use that as the CGW address.
If it only has a private IP behind a NAT device, use the NAT device's public IP as the CGW address and make sure NAT traversal (NAT-T, UDP 4500) is enabled on both sides.

60
Q

After you already configured your VGW, CGW, and S2S VPN, what is an extra step you need to take for the VPN to work?

A

You need routes to the on-premises networks in the route tables of the subnets that should be reachable through the VPN: either enable route propagation from the Virtual Private Gateway (VGW) in those route tables, so the routes the VGW learns (via BGP or static configuration) are added automatically, or add the on-premises CIDRs as static routes pointing to the VGW. Security groups and NACLs must also allow the on-premises traffic.

61
Q

What is AWS VPN CloudHub?

A

A feature that lets 2 or more customer gateways, each with a Site-to-Site VPN to the same VGW, communicate with each other through that VGW and your VPC, using the routes they advertise over BGP.

This gives you secure site-to-site communication between multiple remote locations in a hub-and-spoke layout, with AWS as the hub.

62
Q

How many VGW can you have in a VPC?

A

Only 1 (and a VGW attaches to only one VPC). One VGW can terminate multiple VPN connections, each with two tunnels for HA.

63
Q

How many VGW can connect to a CGW?

A

Many. This enables you to connect VPNs to multiple VPCs.

64
Q

How many CGW can connect to a VGW?

A

Many. VGW can handle having multiple tunnels to your VPC from different onpremises sites. For example, branch offices.

If you add VPN CloudHub these CGWs can also communicate with each other through the VGW.

65
Q

What is Direct Connect (DX)?

A

A dedicated physical network connection between your on-premises site (or colocation space) and AWS, bypassing the public internet.

Over it you create virtual interfaces: a Private VIF reaches your VPC (through a VGW or a Direct Connect Gateway), a Public VIF reaches public AWS services such as S3 through their public endpoints, and a Transit VIF reaches a Transit Gateway through a Direct Connect Gateway.

It is not an SSL VPN, nor any kind of VPN: the traffic is not encrypted by default.

Because it does not use the internet, it has to be set up physically between your DC and one of the AWS Direct Connect locations.

To reach a VPC you need a VGW (or a Direct Connect Gateway / Transit Gateway) on the AWS side.

66
Q

What are good Direct Connect use cases?

A

DX is good when you need more bandwidth to your AWS resources (up to 100 Gbps on a dedicated connection) and lower, more consistent latency than the internet provides, especially if your internet path to AWS is poor.
Data transfer out over DX is also cheaper per GB than over the internet.
It suits hybrid environments because you get private connectivity between your own datacenters and your VPCs without exposing anything to the internet.

67
Q

What are Direct Connect Locations?

A

These are physical facilities (colocation datacenters) where AWS has routers that you can cross-connect to, giving a private path from that facility into the AWS regions it serves.

The locations are operated by colocation and telecommunications providers partnered with AWS.

The connectivity between your network and your AWS VPC is private. To reach the location, the provider either extends a circuit (typically fiber) from your DC to the facility if it is close enough, or you colocate equipment in their facility, where the cross-connect to the AWS router is made.

68
Q

What is a VIF?

A

A Virtual Interface is the logical connection (an 802.1Q VLAN with a BGP session) created on top of a Direct Connect connection.

A Private VIF connects your DC to a VPC, terminating on a VGW (or on a Direct Connect Gateway), through the Direct Connect location.

A Public VIF gives your on-premises datacenter connectivity to public AWS services like S3 using their public IP ranges. (This case does not connect to a VGW.)

A Transit VIF connects to a Direct Connect Gateway associated with a Transit Gateway, giving reach into many VPCs at once.

69
Q

What is a Direct Connect Gateway?

A

A globally available object that lets one Direct Connect connection reach VPCs in multiple regions (and multiple accounts) instead of a single VPC. This improves the scalability of hybrid architectures built on Direct Connect.

After the physical connection between your DC and a Direct Connect location exists, you create a private VIF that terminates on the Direct Connect Gateway rather than on one specific VGW.

The Direct Connect Gateway is then associated with the VGWs of your VPCs in any region (or with Transit Gateways, via a transit VIF), so the same VIF gives you connectivity to all of them.

70
Q

How long does it take to set up direct connect between your DC and a direct connect location?

A

Usually more than a month, sometimes several, because a physical cross-connect (and possibly a last-mile circuit from a partner) has to be provisioned. Plan for it, and use a Site-to-Site VPN in the meantime.

71
Q

How do you accomplish encryption in transit for the data that goes through direct connect?

A

Direct Connect traffic is not encrypted by default. To encrypt it, run an IPsec Site-to-Site VPN over the Direct Connect connection (the VPN terminates on a public VIF), so the tunnel carries your traffic across the private link. On dedicated 10 Gbps and 100 Gbps connections at supported locations, MACsec can encrypt the link at layer 2 instead, without the IPsec throughput limits.

72
Q

Let’s say your workloads are critical, and you need very high resiliency for your connection through direct connect. How could you achieve this?

A

For high resiliency: 2 corporate datacenters, each connected to a different Direct Connect location, with one connection (VIF) per location, so the loss of one datacenter or one DX location does not cut you off.

For maximum resiliency: 2 corporate datacenters, 2 Direct Connect locations, and 2 connections on 2 separate physical routers per location, so 4 connections across 2 locations; this also survives the failure of a single device at a location.

A cheaper, still resilient option is to use Direct Connect as the primary path and a Site-to-Site VPN over the internet as the backup. If Direct Connect fails, routing fails over to the VPN; while both are up, AWS prefers the Direct Connect route over the VPN route for the same prefix.

73
Q

How can Direct Connect and S2S VPN work together?

A

Using DirectConnect as a primary connection between your DC and your VPC, and having a site to site VPN as a backup connection in case of failure.

74
Q

What is Transit Gateway?

A

A regional hub that simplifies connectivity between many VPCs, on-premises networks and VPN connections, replacing the mesh of VPC peerings and per-VPC VPNs that becomes unmanageable as the network grows.

Transit Gateway acts as a router that can attach thousands of VPCs plus your on-premises datacenters and provides transitive routing between them.
It uses a hub-and-spoke (star) topology where the Transit Gateway is the hub and each VPC, Direct Connect Gateway and VPN connection is a spoke.

With a Transit Gateway you do not peer the VPCs together; they reach each other through the Transit Gateway, subject to its route tables.

Direct Connect and Site-to-Site VPN connect to the Transit Gateway once and thereby reach all attached VPCs. Transit Gateways can also be shared across accounts with AWS RAM and peered with Transit Gateways in other regions.

75
Q

How can direct connect connect against multiple VPCs easily?

A

By connecting the Direct Connect connection to a Direct Connect Gateway through a transit VIF, and associating that Direct Connect Gateway with a Transit Gateway.

The Transit Gateway is attached to all your VPCs, so the on-premises DC reaches every one of them through it, thanks to transitive routing.

76
Q

How can S2S VPN connect against multiple VPCs easily?

A

A single customer gateway device can establish separate VPN connections to multiple VGWs in different VPCs, if your on-premises device supports that many tunnels; you then have one VPN connection per VPC to manage.

The better option is a Transit Gateway: terminate the Site-to-Site VPN on the Transit Gateway, which interconnects the VPCs attached to it, so one VPN connection gives the CGW reach into all of them.

77
Q

How do you define which VPCs can talk to each other with Transit Gateway?

A

In two places. The Transit Gateway has its own route tables: each attachment (VPC, VPN, Direct Connect Gateway) is associated with one TGW route table, and the routes propagated or added there decide which attachments can reach which CIDRs; with several TGW route tables you can isolate spokes (for example, every VPC reaches the shared-services VPC but not the other VPCs). In addition, each VPC's subnet route tables need routes for the remote CIDRs pointing to the Transit Gateway attachment.

78
Q

What is the only service that supports IP Multicast?

A

Transit Gateway

79
Q

How can you increase the bandwidth of your S2S VPN?

A

Terminate the VPN on a Transit Gateway instead of a VGW. A Transit Gateway lets you create 2 or more VPN connections from the same customer gateway and supports ECMP (equal-cost multi-path routing), so all tunnels of all those connections are used simultaneously and their throughput adds up.

*A VGW does not support ECMP, so even though each VPN connection has two tunnels, the throughput is limited to that of a single tunnel (1.25 Gbps).

80
Q

How can you set up direct connect for multiple AWS Accounts?

A

Terminate the Direct Connect connection on a Transit Gateway (through a Direct Connect Gateway and a transit VIF).

This works because a Transit Gateway can attach VPCs from different AWS accounts (the Transit Gateway is shared with those accounts via AWS RAM).

DC > Direct Connect location > Direct Connect Gateway > Transit Gateway > VPC from account 1, VPC from account 2.

81
Q

What is Traffic Mirroring?

A

A feature for capturing and inspecting traffic in your VPC at the packet level, for IDS/IPS, threat hunting or troubleshooting.

You define a mirror target: an ENI, a Network Load Balancer with a UDP listener on port 4789 in front of EC2 instances running a security appliance, or a Gateway Load Balancer endpoint.

To capture the traffic of instance x without disrupting it, you create a mirror session on its ENI. The ENI's traffic is then copied (VXLAN-encapsulated) to the target while the original traffic flows normally; instance x is unaware of the mirroring. A mirror filter selects which traffic (by protocol, ports and CIDRs) is copied.

Mirror sessions can be created for many source ENIs, all sending to the same ENI or NLB target. Unlike Flow Logs, which record only metadata, Traffic Mirroring gives you the full packets.

82
Q

What about VPC and ipv6?

A

You can enable IPv6 on a VPC, which then runs dual-stack: it keeps its IPv4 CIDR and gets an IPv6 CIDR (a /56 from Amazon's pool, or your own).
EC2 instances in dual-stack subnets get both an IPv4 and an IPv6 address and can use either to communicate.

IPv4 cannot be removed from a VPC, although individual subnets can now be created as IPv6-only.

83
Q

What are Egress Only Internet Gateway?

A

A gateway that provides IPv6 connectivity from your VPC to the internet in the outbound direction only. IPv6 addresses in a VPC are globally unique, so an instance routed through a normal IGW would be reachable from the whole internet; an egress-only IGW lets instances initiate connections out (and receive the replies) while refusing connections initiated from the internet.

You need to add a ::/0 route to the egress-only IGW in the route tables of the subnets that should use it.

It plays the same role as a NAT Gateway does for IPv4 private subnets, except that no address translation happens, since the IPv6 address is already public; it is purely a stateful filter on connection direction.

For public IPv6 subnets you route ::/0 through the Internet gateway (you want those instances reachable from the internet, hence a public subnet).
For private IPv6 subnets you route ::/0 through the egress-only Internet gateway, similarly to routing 0.0.0.0/0 through the NAT Gateway for IPv4.

84
Q

If we are using an EC2 instance with Ipv6 and we want to browse the internet, how should we do it?

A

Through an egress only internet gateway. You must update route tables to route traffic from your instances to internet through this egress only igw.

85
Q

Does AWS Charge you for traffic between 2 EC2 instances in the same AZ?

A

No, as long as the instances communicate over their private IPs. Traffic that uses public or Elastic IPs is charged as regional data transfer even inside one AZ.

86
Q

Does AWS Charge you for incoming external traffic to your EC2 instances?

A

No. It’s free.

87
Q

Does AWS Charge you for traffic between 2 EC2 instances in the same region, but in different AZs?

A

You are charged $0.02 per GB if the traffic uses the instances' public or Elastic IPs: it leaves the AWS network and comes back in.

You are charged half, $0.01 per GB, if you use private IPs, because the traffic then stays on the internal AWS network between the 2 AZs. (List prices for US regions; rates vary by region.)

88
Q

Does AWS Charge you for traffic between 2 EC2 instances in different regions?

A

Yes, $0.02 per GB (from US regions; it varies by region), since inter-region traffic uses public IPs and crosses between regions over the AWS backbone.

89
Q

You have 5 EC2 instances that communicate with each other through the network constantly. What is the best placement to lower internet traffic costs? Why?

A

Putting all 5 instances in the same AZ and having them talk over private IPs. Traffic within one AZ over private IPs is free, compared to 1 cent per GB between 2 AZs in the same region and 2 cents per GB between 2 regions.

The trade-off is less high availability: an AZ failure takes down all 5 instances.

90
Q

Which type of traffic is usually free? Ingress or Egress?

A

Ingress. Inbound traffic from the internet into AWS is free; you pay for egress (traffic leaving AWS) and for some traffic between AZs and regions.

91
Q

How can you minimize networking costs?

A

Keep traffic inside AWS as much as possible, using private IPs and VPC endpoints: you are mostly charged for traffic leaving AWS (egress) and for crossing AZ and region boundaries.

92
Q

What is cheaper for accessing services like S3 from your VPC?

NAT Gateway + Internet Gateway
VPC Endpoint

A

VPC Endpoint. A Gateway Endpoint for S3 or DynamoDB has no hourly and no per-GB charge at all, and the traffic never leaves the AWS network. An Interface Endpoint costs an hourly fee plus $0.01 per GB processed. A NAT Gateway costs an hourly fee plus a per-GB processing charge that is several times higher than the interface endpoint's, so routing S3 traffic through NAT GW + IGW is both the most expensive and the least private option.

93
Q

What is AWS Network Firewall?

A

We know NACLs protect subnets and SGs protect instances or ENIs.

AWS Network Firewall protects your WHOLE VPC, inspecting the traffic that crosses the VPC boundary.

Protection covers layer 3 to layer 7: stateless and stateful rule groups (5-tuple rules, Suricata-compatible IPS signatures, domain allow/deny lists, TLS SNI filtering).

You can inspect any kind of traffic in any direction:
VPC to VPC
Inbound from the internet
Outbound to the internet
To/From Direct Connect
To/From S2S VPN

It is AWS managed and scales automatically. Internally it uses a Gateway Load Balancer: you deploy firewall endpoints in dedicated firewall subnets and route traffic through them, so the route tables are what actually force traffic through the firewall.

Firewall policies and rule groups can be applied to multiple VPCs, and with AWS Firewall Manager they can be deployed across the accounts of an organization.

94
Q

Whats the difference between dedicated or hosted direct connect connections?

A

Dedicated is provided by AWS. Hosted is provided by an AWS Direct Connect partner.
Dedicated gives you your own physical port, managed by AWS. Hosted gives you a VLAN on a port that the partner owns and shares among multiple customers.
Dedicated offers higher bandwidth: 1 Gbps, 10 Gbps or 100 Gbps. Hosted offers more flexible, smaller bandwidth options from 50 Mbps up to 10 Gbps (for example 50 Mbps, 500 Mbps, 1 Gbps, 10 Gbps).

95
Q

Which type of Direct Connect has higher bandwidth options?

A

Dedicated, up to 100 Gbps, compared to Hosted, which goes up to 10 Gbps.

96
Q

You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel’s maximum limit of 1.25 Gbps. What should you do?

A

Terminate the VPN on a Transit Gateway. Its support for ECMP (equal-cost multi-path routing) lets you use both tunnels of the Site-to-Site VPN connection simultaneously, giving you 2.5 Gbps.

It also lets you set up additional VPN connections from the same customer gateway, all used simultaneously, adding 2.5 Gbps per connection (5 Gbps, 7.5 Gbps, etc.). This requires dynamic (BGP) routing on the VPN connections; a VGW does not support ECMP, so with a VGW you stay at 1.25 Gbps.

97
Q

What is dual stack?

A

Using ipv4 and ipv6 simultaneously.

98
Q

You have a VPC in your AWS account that runs in dual-stack mode. You keep trying to launch an EC2 instance, but it fails. After further investigation, you find that you no longer have IPv4 addresses available. What should you do?

A

Add an additional IPv4 CIDR block to the VPC (a VPC can have several) and create subnets in it; you ran out of free IPv4 addresses. IPv6 alone does not help, because instances in dual-stack subnets still need an IPv4 address.

99
Q

How do you block a specific client IP address in an ELB + EC2 app infrastructure?

A

At the NACL of the subnets behind the ELB: add a deny rule for that client IP (as a /32) with a lower rule number than the allow rules, so it matches first. Security groups cannot do this, because they only have allow rules.

You can also associate an AWS WAF web ACL with the Application Load Balancer, with an IP set rule that blocks the address or a rate-based rule that limits the number of requests from a single client. WAF works at layer 7 and is the better tool when the clients' real IPs matter.

100
Q

How do you block a specific client IP address in a CloudFront + ELB + EC2 app infrastructure?

A

A NACL does not help here: the ALB only ever sees the CloudFront edge IP addresses, which must be allowed for the setup to work, and CloudFront itself is outside your VPC. (The client's real IP is only available in the X-Forwarded-For header.)

If an attack comes from a specific country, you can use CloudFront geo restriction to block the whole country.

For a specific IP, associate an AWS WAF web ACL with the CloudFront distribution (as you would with the ALB): an IP set rule blocks the address, and a rate-based rule limits requests from a single client, before they ever reach your origin.