VPC Basics Flashcards
How many classes of addresses are in the IPv4 format?
What are the ranges?
There are 3 classes:
○ Class A - 0.0.0.0 to 127.255.255.255
○ Class B - 128.0.0.0 to 191.255.255.255
○ Class C - 192.0.0.0 to 225.255.255.255
Can multiple entities use the same private IP address space?
Yes - so long as the overlapping IPs remain within their internal network and do not get advertised or communicate over the internet.
What address class is the default VPC in AWS configured with?
Class B - 172.16.0.0
What is CIDR?
Classless Inter-Domain Routing – this method allows you to create networks of any size within the respective network range, and the notation is the IP address followed by a “slash”, i.e. 10.10.0.0/16.
REVIEW: CIDR Notation
- notation is the IP address followed by /xx, which tells you the size of the network. The “slash” value is called the PREFIX.
- the BIGGER the prefix, the smaller the network, and the SMALLER the prefix, the larger the network
- a /16 network is a lot bigger than a /17 network and so on
- prefix /0 means “all IP addresses” and prefix /32 means one single usable IP
- the most common ranges are /8, /16, /24, /32
- Each time you increase the prefix, you are creating MORE networks but SMALLER networks
- Each time it goes up, it’s a multiple of TWO: from /16 to /17 it creates 2 more networks, from /16 to /18 it creates 4 more, from /16 to /19 it creates 8, and so on….
→ If you’re given a 10.0.0.0/16 network, the “16” means that the first 2 octets are fixed (network address) and last 2 octets are yours to play around with for hosts - each octet has EIGHT bits so 16 = 2
○ If you wanted to cut the /16 in half, you could create 2 x /17 networks, which would be:
1. 10.0.0.0 to 10.0.127.255
2. 10.0.128.0 to 10.0.255.255
*** All we’ve done is take the last 2 octets (which are ours to play around with) and cut them in half… the “10.0.x.x” portion stays fixed.
What is the difference in notation between IPv4 and IPv6?
v4 is Octets and v6 is Hextets
An octet is 8 bits whereas a hextet is 16 bits.
There are FOUR octets in IPv4 and EIGHT hextets in IPv6
REVIEW: IPv6
→ You can replace the HEXTETS full of 0’s with just a single 0, or you can simply put a double colon “::” if there are multiple hextets of 0’s in a row.
→ A hextet is 16 bits instead of 8 (like in IPv4) + IPv6 addresses are much longer, i.e. 2 x octets = 8 Hextets where each Hextet is 16 bits
Example:
→ 2001:db8:1234::/48 is the address
○ The network part is everything in front of the “::” because /48 means 3 x sets of Hextets, which we see in the address (48 bits where each Hextet is 16 bits)
○ The rest of the address (after the “1234”) is the HOST part of the network. This would look like:
** 2001:db8:1234:0000:0000:0000:0000:0000 or 2001:db8:1234:ffff:ffff:ffff:ffff:ffff
** There are a total of EIGHT hextets in an IPv6 address
What are big things to consider when designing a VPC?
- what size should the VPC be?
- are there any networks that CAN’T be used?
- what is future growth like?
- what kind of structure do we need? Tiers/Resiliency/AZs/etc.
What are the VPC minimum and maximum network sizes?
Review - when you are given a VPC by AWS, you’re always allocated 1 x Primary Private IPv4 CIDR address by default. The smallest or largest it can be is the answer to the above question.
Min = /28 (16 usable IP addresses)
Max = /16 (65456 usable IP addresses)
REVIEW: Adrian Advice When Creating VPCs
– Personal preference is to use the 10.x.y.z range
– Avoid common ranges such as 10.0.x.x … it’s better to avoid 10.0.x.x through 10.10.x.x just to play it safe since everyone uses those. Basically, just start at 10.16.0.0.
– the Private Block of IPs (10.x.x.x) is the primary method for IP comms from VPCs by default. Public IPs are used when you need to make resources public, communicate with the internet/public AWS zone, or allow communication to the VPC from the outside
– When designing, you want to reserve 2+ network ranges which can be used in EACH region in EACH AWS account that your business uses.
§ Example: Your business has 3 x regions in the US, a region in Europe, and a region in Australia with a total of 4 x AWS accounts → you want 2 x ranges per region for each of the 4 accounts, so that would be → 2 x 5 (regions) = 10 … 10 x 4 (accounts) = a total of 40 IP Ranges that the business can use
** this is IDEAL but not mandatory.
– Each subnet is contained in exactly ONE Availability Zone. When creating VPCs you also have to figure out how many AZ’s your VPC will need/use. Best practice is to accommodate for 3 x AZ’s and then have an extra 4th AZ as a spare (just for potential growth of that VPC).
How big is a “Micro Size” VPC?
This is a /24.
A /24 gives us 8 x subnets to work with that have 27 hosts in each for a total of 216 hosts.
How big is an “Extra Large” VPC?
This is a /16.
A /16 gives us 16 subnets to work with, each with 4091 hosts for a total of 65456 hosts.
Are VPC’s a global service?
False - they are regionally isolated/regionally resilient; they only operate out of the AZ’s of the region that they are created in.
Unless there is an explicit config allowing or denying traffic, nothing can get in or out of the localized zone.
What is a benefit of VPC’s being regionalized?
This effectively limits the blast radius - If a VPC vulnerability is exploited, only that VPC and potentially anything connected to it is affected - the threat cannot move about your AWS environment.
Are VPC’s single or multi-tenant?
They can be either on shared HW or on dedicated HW, with dedicated obviously being much more expensive.
If you don’t make the designation, then the VPC will default to shared HW.
Quick Summary:
Upon creation, a VPC has a pool of private IPv4 addresses and can also use (optionally) public IP addresses to use/allocate to the hosts/services/apps/whatever that’s running within the VPC.
You don’t just “launch AWS services” into a VPC. All services use subnets that have IP addresses allocated to them, i.e. VPC services run from a subnet, not directly from the VPC.
You can also assign IPv6 addresses by assigning a /56 IPv6 CIDR Range. This can be a good practice to start using as more of the world converts to IPv6.
For IPv6, the range is either allocated by AWS (most circumstances) or you can use your own if you own them.
IPv6 allocated addresses are all publicly routable by default - no need to worry about the distinction between public/private, and you still have to explicitly allow connectivity from the outside, so they remain secure.
Do subnets start off as Public or Private when they are first created?
They start off as private. You must input some configuration in order to make them public.
Are VPC Subnets Region or AZ resilient?
AZ Resilient.
If the AZ fails, the subnet fails, and therefore any of the services that are only running in that one subnet also fail.
To achieve HA, we place different components of a service into different subnets in different AZ’s within the region.
How many AZ’s can a subnet be in?
ONE subnet = ONE AZ
A subnet can’t span across multiple AZs. ONE AZ can have many subnets however.
Where are VPC’s segmented/isolated?
VPCs are segmented/isolated at the perimeter of the VPC.
Subnets within the same VPC can communicate with each other by default. If communication needs to happen externally, it will have to be configured.
What are the (5) “reserved” IP addresses in a VPC Subnet that can’t be used?
- Network Address - the FIRST address of any subnet i.e where the network starts
- Network +1 Address - the first IP address after the network address; this is used by the VPC Router
- Network +2 address - the next address after the VPC Router address (aka the 3rd host address); this is reserved for the VPC DNS
- Network +3 address - the next address after the DNS address; it has no use yet today but is reserved for future requirements
- Broadcast Address - the LAST IP in every subnet is reserved for the broadcast address, even though broadcasting isn’t supported in a VPC
What does the Routing GW do? (RGW)
Is it resilient?
The routing GW runs in every VPC - takes up the Network+1 address.
The routing GW controls how subnet traffic gets routed when it leaves the VPC by way of the Route Table.
It is AZ resilient, i.e. it runs in every AZ that a VPC takes up.
REVIEW:
What is a Route Table?
A route table is a list of routes that’s associated to ONE subnet at any given time i.e every subnet has ONE route table, but a route table can be associated to multiple subnets.
Summary - RT’s are attached to zero or more subnets, every subnet has an RT (Main RT by default if not specified), and RT’s can be attached to many subnets but every subnet has exactly ONE RT (Main or Custom).
→ The destination address for a particular route in the VPC’s RT could be either a single IP address or the address for an entire network
→ An entire network could be a “catch all” match where, if no specific route matches, traffic just goes to the “catch all” network, i.e. like a default GW concept
→ If there are multiple routes to a given network, the VPC Router goes with the higher prefix value, i.e. the higher the prefix, the more specific the route = the higher the priority the route has.
** the only exception to the higher prefix rule is that LOCAL routes are always preferred, i.e. routes within the same VPC; Local Route Target **
What does an Internet GW do? (IGW)
Is it resilient?
This is an add-on feature within a VPC. The IGW connects a private VPC (default state) to the public internet.
It is regionally resilient meaning there is ONE IGW for every Region. 1 x IGW covers all the AZs within that region.