VPC - Build Your Own Custom VPC Flashcards
How to create a VPC with public and private subnets:
- Create VPC, which creates a main route table, default security group, and default network ACL.
- Create 2 subnets.
- Create and attach an IGW to the VPC.
- Create another route table.
- Associate the IGW and one of the subnets to the custom route table.
- Launch instance in the public subnet with a security group allowing HTTP, HTTPS, SSH.
- Launch instance in the private subnet with a security group allowing SSH, ICMP, .
- Launch NAT instance or create NAT gateway or Bastion.
- Create Network ACL mirroring security groups
What is the purpose of the CIDR block?
Specifies IP address ranges
What size can the CIDR be for a VPC or subnet?
Between /16 and /28
What is meant by “Tenancy?”
Determines whether VPC and its assets are deployed onto shared hardware or dedicated hardware. Default is shared hardware.
When would you want the Tenancy to be Dedicated?
Security concerns, e.g. regulatory requirements
When you create a VPC, what else is created?
Main route table, default security group, default network ACL
When you create a VPC, what is NOT created?
Subnets, Internet Gateway
Can a subnet be the same size as your VPC?
Yes
1 Subnet always equals
1 Availability Zone
1 Subnet = 1 AZ = 1 NACL. Remember an AZ or NACL CAN have many Subnets but a Subnet can only be in one AZ or in one NACL
To make a subnet public…
…create and attach an Internet Gateway, associate it with a route table, and associate the subnet with that route table. Additionally, enable auto-assign IP on that subnet.
When you create a new Subnet, is it associated with any route tables?
Yes, it will be associated with the Main Route Table by default.
Why is it considered a best practice to keep the main route table private?
If there is a route out to the Internet from the main route table, all subnets in that route table will automatically be public, which is a security risk.
If you forget to enable auto-assign public IP for a subnet…
…when you launch an EC2 instance you can enable auto-assign there.
If you forget to assign a public IP address to a public EC2 instance…
…you can allocate an Elastic IP address to it
When you launch an instance in the private subnet…
…traffic will be sourced from the public subnet.