VPC Flashcards
Subnets and Availability Zones?
One subnet = one availability zone.
You cannot have a subnet that crosses multiple availability zones.
What is a security group?
1) Your first line of defence for an instance: traffic is filtered before it reaches the instance.
2) It is a virtual firewall.
3) Associated with an EC2 instance (strictly, with the instance's network interface).
4) Multiple security groups can be associated with one EC2 instance.
Security groups are stateful
Return traffic for a connection that was allowed in is automatically allowed back out, whatever the outbound rules say. Adding an inbound rule does not add an outbound rule; the connection is simply tracked.
Security group denial
Everything is denied by default and rules can only allow, so you select what you want to allow; there is no way to write a deny rule.
Security groups outbound
By default all outbound traffic is allowed (a new group has an allow-all outbound rule, which you can remove).
NACL State
Network Access Control Lists are stateless.
What is a VPC?
Think of it as a virtual data centre in the cloud.
* You are given one default VPC per region on account setup.
What does a VPC do?
Lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
* You have complete control over your virtual networking environment (IP address ranges, subnets, route tables and gateways).
VPC and VPN
You can create hardware VPN connections between your corporate data centre and your VPC and use the AWS cloud as an extension of your DC.
How do you access a VPC?
1) Internet Gateway (Internet access)
2) A virtual private gateway (VPN Access)
Subnets and Availability Zones
1 subnet = 1 availability zone
Security groups and Subnets
Security groups can span subnets.
RFC 1918 private IP ranges (recommended, not required, for VPC CIDR blocks):
- 10.0.0.0 - 10.255.255.255 (10/8)
- 172.16.0.0 - 172.31.255.255 (172.16/12)
- 192.168.0.0 - 192.168.255.255 (192.168/16)
A VPC CIDR block must be between /16 and /28.
VPC limit per region?
Soft limit: 5 (can be raised with a quota increase request).
Default vs Custom VPC ?
All subnets in a default VPC have a route to the internet via the default VPC's internet gateway, and instances launched in them get a public IP by default.
VPC peering
Allows you to connect one VPC with another via a direct network route using private IP addresses.
Instances behave as if they were on the same private network.
You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
Peering is not transitive: if A is peered with B and B with C, A cannot reach C through B. In a hub-and-spoke layout the spokes cannot talk to each other through the hub; every pair that needs to communicate needs its own peering connection.
VPC consists of:
- Internet gateways
- Virtual private gateways
- Route tables
- Network Access Control Lists
- Subnets
- Security groups
IP address restrictions in CIDR blocks:
The first four and the last IP address in each subnet CIDR block are reserved by AWS and cannot be assigned (network address, VPC router, DNS resolver, reserved for future use, and the broadcast address). A /24 subnet therefore gives you 251 usable addresses.
VPCs and multiple internet gateways
You can only have one internet gateway attached to a VPC.
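The following is an added worked example, not part of the original flashcards: it computes the five reserved addresses for any subnet CIDR and checks a candidate VPC CIDR against the /16 to /28 size rule and the RFC 1918 ranges listed above. It uses only the Python standard library; the sample CIDRs are made up for illustration.

```python
"""Reserved addresses in an AWS subnet and VPC CIDR sanity checks (illustrative)."""
import ipaddress

# The three RFC 1918 private ranges. AWS recommends, but does not require,
# that a VPC CIDR be taken from one of them.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr: str) -> dict:
    """Report whether a VPC CIDR has a legal size (/16 .. /28) and is private."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "cidr": str(net),
        "size_ok": 16 <= net.prefixlen <= 28,
        "rfc1918": any(net.subnet_of(r) for r in RFC1918),
    }


def reserved_addresses(subnet_cidr: str) -> dict:
    """Return the five addresses AWS reserves in every subnet plus the usable count.

    AWS takes the first four (network, VPC router, DNS resolver, future use) and
    the last (broadcast) out of every subnet regardless of its size.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    addr = lambda offset: str(ipaddress.ip_address(base + offset))
    return {
        "network": addr(0),
        "vpc_router": addr(1),
        "dns": addr(2),
        "future_use": addr(3),
        "broadcast": str(net.broadcast_address),
        "first_usable": addr(4),
        "usable": net.num_addresses - 5,
    }


if __name__ == "__main__":
    # Constructed sample values for a quick look at the output.
    for cidr in ("10.0.0.0/16", "10.0.0.0/8", "198.51.100.0/24"):
        print(check_vpc_cidr(cidr))
    for subnet in ("10.0.1.0/24", "10.0.2.0/28"):
        print(subnet, reserved_addresses(subnet))
```

The /28 case is the one to remember: the smallest subnet AWS allows has 16 addresses, of which only 11 can be assigned.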
NAT instances
An EC2 instance launched from a community Amazon NAT AMI.
Can double as a bastion server.
Disable the source/destination check on the instance, or it will drop traffic that is not addressed to it.
Must be in a public subnet.
Throughput depends on the instance size.
For HA you put it in an autoscaling group
and script an automated failover (route table update).
NAT gateways
Preferred by enterprises.
Scale automatically (older course material quotes 10 Gbps; AWS has since raised the ceiling).
No patching.
Not associated with a security group.
Given an Elastic IP when you create it (for a public NAT gateway).
Remember to update the private subnets' route tables after creation (0.0.0.0/0 -> NAT gateway), or nothing will use it.
Higher level of security.
Managed 100% by Amazon.
No need to disable source/destination checks.
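An added worked example (not from the flashcards) for the two route-table points above: that a NAT gateway does nothing until the private subnet's route table points at it, and that peering is not transitive. It models AWS route-table lookup as longest-prefix match, with the fixed "local" route AWS adds for the VPC's own CIDR. All VPC CIDRs and resource IDs (igw-aaaa, nat-aaaa, pcx-ab) are made up for the example; the class is an illustrative model, not the AWS API.

```python
"""Route-table lookup the way AWS does it: longest-prefix match (illustrative model)."""
import ipaddress
from typing import Optional


class RouteTable:
    def __init__(self, vpc_cidr: str):
        # AWS adds the 'local' route for the VPC's own CIDR; it cannot be removed.
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}

    def add(self, destination: str, target: str) -> None:
        self.routes[ipaddress.ip_network(destination)] = target

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Target of the most specific matching route, or None (packet dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, target) for net, target in self.routes.items() if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0])[1]


def build_tables() -> dict:
    """VPC A (10.0.0.0/16) is peered with VPC B (10.1.0.0/16); B is peered with
    VPC C (10.2.0.0/16). Peering is not transitive, so A only gets a route for B."""
    a_public = RouteTable("10.0.0.0/16")
    a_public.add("0.0.0.0/0", "igw-aaaa")       # public subnet: default route to the IGW
    a_public.add("10.1.0.0/16", "pcx-ab")

    # NAT gateway created but the private route table not yet updated.
    a_private_before_nat = RouteTable("10.0.0.0/16")

    a_private = RouteTable("10.0.0.0/16")
    a_private.add("0.0.0.0/0", "nat-aaaa")       # private subnet: default route to the NAT gateway
    a_private.add("10.1.0.0/16", "pcx-ab")
    return {"a_public": a_public, "a_private_before_nat": a_private_before_nat, "a_private": a_private}


def reachable_via_peering(rt: RouteTable, dst_ip: str) -> bool:
    """True only when the winning route is a peering connection.

    A default route to a NAT gateway will 'match' a third VPC's private address
    too; the NAT gateway then forwards it to the internet, where RFC 1918 space
    is unroutable, so the packet is lost rather than peered.
    """
    target = rt.lookup(dst_ip)
    return target is not None and target.startswith("pcx-")


if __name__ == "__main__":
    tables = build_tables()
    for name, rt in tables.items():
        for dst in ("10.0.5.5", "10.1.3.4", "10.2.0.9", "198.51.100.1"):
            print(f"{name:22} {dst:15} -> {rt.lookup(dst)}  peered={reachable_via_peering(rt, dst)}")
```

Note the 10.2.0.9 case: the private table returns the NAT gateway, not a peering connection, which is exactly how a missing transitive route shows up in practice.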
NACL
Custom NACLs deny everything by default, inbound and outbound.
NACL rule numbering
IPv4: start at 100 and go up in increments of 100 (a course convention that leaves room to insert rules; any number from 1 to 32766 is valid).
IPv6: start at 101 and go up in increments of 100.
Rules are evaluated in order, lowest number first; the first matching rule wins, and the final "*" rule denies anything that nothing else matched.
Default NACL
Your VPC comes with a default NACL, and by default it allows all inbound and outbound traffic.
Custom NACLs
Remember you need to build both inbound and outbound NACL rules. They are separate because NACLs are stateless: return traffic needs its own rule (typically an outbound allow for the ephemeral port range 1024-65535).
NACLs and subnets:
Each subnet must be associated with a NACL; if you don't associate one explicitly, it is associated with the VPC's default NACL.
A NACL can be associated with multiple subnets, but a subnet can only be associated with a single NACL.
NACLs vs security groups
Block IPs using NACLs, not security groups: security group rules can only allow, so they cannot express a deny.
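The following is an added example, not part of the original flashcards, that models the security group cards (stateful, allow-only) and the NACL cards (stateless, numbered rules, first match wins, explicit deny) side by side. It is a small simulation in plain Python, not the AWS evaluation engine; the addresses, ports and rule numbers are made up for the example.

```python
"""Stateful security group vs stateless NACL, modelled in plain Python (illustrative)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    proto: str = "tcp"
    action: str = "allow"   # NACLs may say "deny"; security groups never do
    number: int = 0         # NACL rule number; unused for security groups


def _matches(rule: Rule, addr: str, proto: str, port: int) -> bool:
    return (rule.proto in ("all", proto)
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)


def nacl_decide(rules, pkt: Packet, inbound: bool) -> str:
    """Stateless: lowest rule number first, stop at the first match, and fall
    through to the implicit '*' deny. Inbound rules look at the source address,
    outbound rules at the destination; both look at the destination port."""
    addr = pkt.src if inbound else pkt.dst
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, addr, pkt.proto, pkt.dport):
            return r.action
    return "deny"


class SecurityGroup:
    """Stateful allow-list: an accepted connection is tracked, and its reply
    packets pass regardless of the rules in the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()   # (initiator, initiator_port, responder, responder_port)

    def _decide(self, rules, pkt: Packet, addr: str) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"   # reply to a tracked connection
        if any(_matches(r, addr, pkt.proto, pkt.dport) for r in rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"        # no deny rules exist; anything unmatched is dropped

    def inbound_packet(self, pkt: Packet) -> str:
        return self._decide(self.inbound, pkt, pkt.src)

    def outbound_packet(self, pkt: Packet) -> str:
        return self._decide(self.outbound, pkt, pkt.dst)


ANY = "0.0.0.0/0"


def demo() -> dict:
    web, client = "10.0.1.10", "203.0.113.5"          # constructed sample hosts
    request = Packet(client, 51000, web, 443)
    reply = Packet(web, 443, client, 51000)
    unsolicited = Packet(web, 40000, "198.51.100.1", 80)

    # Security group: HTTPS in, and deliberately *no* outbound rules at all.
    sg = SecurityGroup(inbound=[Rule(ANY, 443, 443)], outbound=[])
    sg_result = {
        "request": sg.inbound_packet(request),
        "reply": sg.outbound_packet(reply),                # allowed anyway: stateful
        "unsolicited": sg.outbound_packet(unsolicited),    # no outbound rule, no tracked flow
        "ssh": sg.inbound_packet(Packet(client, 51001, web, 22)),
    }

    # NACL: the deny for one /24 wins because its number is lower than the allow;
    # the reply only passes if an outbound rule covers the client's ephemeral port.
    nacl_in = [Rule("198.51.100.0/24", 443, 443, action="deny", number=50),
               Rule(ANY, 443, 443, number=100)]
    nacl_out_good = [Rule(ANY, 1024, 65535, number=100)]
    nacl_out_missing = [Rule(ANY, 443, 443, number=100)]   # forgot the ephemeral range
    nacl_result = {
        "request": nacl_decide(nacl_in, request, inbound=True),
        "blocked_ip": nacl_decide(nacl_in, Packet("198.51.100.9", 5000, web, 443), inbound=True),
        "reply": nacl_decide(nacl_out_good, reply, inbound=False),
        "reply_without_ephemeral": nacl_decide(nacl_out_missing, reply, inbound=False),
    }
    return {"security_group": sg_result, "nacl": nacl_result}


if __name__ == "__main__":
    for layer, results in demo().items():
        print(layer, results)
```

The "reply_without_ephemeral" result is the classic custom-NACL mistake: the inbound allow for 443 looks fine, but the stateless outbound side silently drops every response.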
VPC flow logs can be created at how many levels?
1) VPC
2) Subnet
3) Network Interface Level
IP traffic not monitored by flow logs:
1) DNS traffic to the Amazon DNS server
2) Traffic generated by a Windows instance for licence activation
3) Traffic to and from 169.254.169.254 (instance metadata)
4) DHCP traffic
5) Traffic to the reserved IP address of the default VPC router
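An added example, not part of the original flashcards, showing what a practitioner actually does with flow logs: parse default-format (version 2) records, pick out sources that are being REJECTed on several ports, and recognise the destinations from the list above that will never appear in the log at all. The sample records below are constructed for the example (made-up account ID, ENI ID and addresses), and the field layout is the standard default flow log format.

```python
"""Parse VPC flow log records and flag probing sources (illustrative)."""
import ipaddress
from collections import defaultdict

# Default flow log format, version 2 (space separated, '-' for an absent field).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: one source hammering 22 and 3389 and being rejected,
# one normal HTTPS exchange, and the two record types that carry no traffic data.
SAMPLE = """
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.10 51334 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.10 51335 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.10 51336 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 44022 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 198.51.100.7 443 44022 6 10 9200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - SKIPDATA
""".strip().splitlines()

INTEGER_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(lines) -> list:
    """Turn raw records into dicts; '-' becomes None (NODATA / SKIPDATA records)."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or non-default format: skip
        rec = {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}
        for k in INTEGER_FIELDS:
            if rec[k] is not None:
                rec[k] = int(rec[k])
        records.append(rec)
    return records


def rejected_ports_by_source(records) -> dict:
    """Map each source address to the set of destination ports it was REJECTed on."""
    by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            by_src[r["srcaddr"]].add(r["dstport"])
    return dict(by_src)


def probing_sources(records, min_ports: int = 2) -> list:
    """Sources rejected on at least min_ports distinct ports: a cheap scan heuristic."""
    return sorted(s for s, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def is_unmonitored(vpc_cidr: str, dst: str) -> bool:
    """Destinations flow logs never record: instance metadata, the Amazon DNS
    resolver (VPC base + 2) and the default VPC router (VPC base + 1).
    Do not build a detection that expects to see these."""
    base = int(ipaddress.ip_network(vpc_cidr).network_address)
    silent = {"169.254.169.254",
              str(ipaddress.ip_address(base + 1)),
              str(ipaddress.ip_address(base + 2))}
    return dst in silent


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE)
    print(len(recs), "records,", sum(r["action"] == "REJECT" for r in recs), "rejected")
    print("probing:", probing_sources(recs))
    for dst in ("169.254.169.254", "10.0.0.2", "10.0.1.10"):
        print(dst, "unmonitored" if is_unmonitored("10.0.0.0/16", dst) else "logged")
```

The absence of metadata (169.254.169.254) traffic matters for incident response: SSRF against the instance metadata service leaves no trace in flow logs, so that detection has to live elsewhere (for example in application or IMDS-side controls).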
VPC endpoints
A gateway or interface inside your VPC that lets your resources reach supported AWS services privately, without an internet gateway, NAT device or VPN. Gateway endpoints (S3 and DynamoDB) are targets in a route table; interface endpoints (PrivateLink) are network interfaces with private IPs in your subnets.
Application Load Balancers
You need at least two subnets in two different availability zones to deploy an Application Load Balancer (public subnets for an internet-facing one).
VPC flow log tagging
Older course material says you cannot tag a VPC flow log; flow logs now support tags (you can supply them when creating the flow log).