VPC Flashcards
VPC facts
housed within a region;
spans multiple AZs;
AWS provides a DNS server for your VPC so each instance has a hostname. However, you can run your own DNS servers by changing the DHCP option set configuration within the VPC.
Layered Security
Instance level Security Group;
Subnet level network ACLs;
Default VPC
all subnets have a route to the internet via a route table and an attached IGW.
each instance launched in the default VPC has a private and a public IP address (defined in the subnet settings);
VPC limits
5 VPCs per region; 5 internet gateways per region; 50 customer gateways per region; 50 VPN connections per region; 200 route tables per region / 50 entries per route table; 5 EIPs; 500 security groups per VPC; 50 rules per security group; 5 security groups per network interface.
Internet Gateway
allows communication between instances in your VPC and the internet.
redundant and highly available.
Internet Gateway rules and details
Only 1 IGW to a VPC at a time.
cannot be detached from a VPC while there are active AWS resources in the VPC, such as an EC2 instance or an RDS database.
an IGW must be attached to a VPC if the resources in the VPC need to connect to resources via the open internet.
Route Tables
a set of rules, called routes, used to determine where network traffic is directed.
Destination and target
by default, traffic is allowed between all subnets within your VPC; this is called the local route. You cannot modify the local route.
you can have multiple “active” route tables in a VPC;
you cannot delete a route table if it has “dependencies”.
Route Tables Best Practice
is to leave the default route table and create a new route table when new routes are needed for specific subnets.
default VPC has a main route table.
Subnets
must reside entirely within one Availability Zone.
must be associated with a route table.
a public subnet has a route to the internet.
private subnet does NOT have a route to the internet.
Instances launched into a private subnet cannot communicate with the internet directly.
this is solved by routing traffic through a NAT instance.
ACLs Essentials
Operate at the network/subnet level;
support ALLOW and DENY for traffic into or out of a subnet.
Stateless: you must define outbound rules as well as inbound rules, since return traffic is not allowed automatically.
Rules are evaluated in order, starting with the lowest rule number.
The last rule in every ACL is a “catch all” deny rule.
is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
default VPC already has a NACL and it is associated with the default subnets.
ACL Best practice
to increment rule numbers by 10, so that if you later have to insert a rule at a certain position in the order it does not create an issue.
ACLs Rules
a subnet can only be associated with one NACL at a time.
Security groups
for instance level;
only support allow rules;
stateful: return traffic for allowed requests is permitted regardless of rules.
all rules are evaluated before deciding to allow traffic.
Security Groups best practice
allow only traffic that is required.