VPC & Networking Flashcards

1
Q

VPC & Subnets

A

• VPC - Virtual Private Cloud: a private network in which you deploy your resources (regional resource)
• Subnets let you partition the network inside your VPC (each subnet lives in one Availability Zone)
• A public subnet is a subnet whose route table has a route to an Internet Gateway, so it can be reached from the internet (an instance in it still needs a public or Elastic IP)
• A private subnet has no route to an Internet Gateway and is not reachable from the internet
• Route Tables define which traffic can reach the internet and how traffic moves between subnets

2
Q

Internet Gateway & NAT Gateways

A

• An Internet Gateway lets instances in the VPC reach the internet; public subnets have a route to the Internet Gateway

• NAT Gateways (AWS-managed) and NAT Instances (self-managed) let instances in private subnets initiate connections to the internet while staying unreachable from it
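The distinction between public, private and isolated subnets is entirely a property of the route table, so it helps to see the lookup that a VPC performs. The following is an added example, not material from the flashcards: a longest-prefix-match route lookup over three constructed route tables (the `rtb-`, `igw-`, `nat-` and `subnet-` ids are hypothetical) that classifies a subnet by where its default route points.

```python
import ipaddress

# Constructed example (not from the flashcards): three route tables in a
# 10.0.0.0/16 VPC. Targets use AWS-style id prefixes; the ids are hypothetical.
ROUTE_TABLES = {
    "rtb-public": [
        ("10.0.0.0/16", "local"),        # intra-VPC traffic, present in every route table
        ("0.0.0.0/0", "igw-0123abcd"),   # default route to an Internet Gateway
    ],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat-0456efgh"),   # default route to a NAT Gateway
    ],
    "rtb-isolated": [
        ("10.0.0.0/16", "local"),        # no default route at all
    ],
}

# Which route table each subnet is associated with (hypothetical ids).
SUBNETS = {
    "subnet-web": "rtb-public",
    "subnet-app": "rtb-private",
    "subnet-db": "rtb-isolated",
}


def lookup(route_table, dst_ip):
    """Longest-prefix match, which is how a VPC route table picks a target.

    Returns the target, or None when no route matches (the packet is dropped).
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[route_table]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(subnet_id):
    """Classify a subnet by where its default route goes.

    'public'   : default route targets an Internet Gateway (igw-*). Hosts still
                 need a public or Elastic IP to actually be reachable.
    'private'  : default route targets something else, e.g. a NAT Gateway
                 (nat-*), so hosts can reach out but cannot be reached.
    'isolated' : no default route; only intra-VPC traffic is routable.
    """
    target = lookup(SUBNETS[subnet_id], "203.0.113.10")  # any non-VPC address
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private"


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet, "->", subnet_kind(subnet))
```

When auditing a real account, the same check is done against `describe-route-tables` output: any subnet whose associated table carries a `0.0.0.0/0` (or `::/0`) route to an `igw-` target is public, regardless of what it is named.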

3
Q

Network ACL & Security Groups

A

NACL (Network ACL)
• A firewall that controls traffic to and from a subnet
• Can have ALLOW and DENY rules
• Attached at the Subnet level

Security Groups
• A firewall that controls traffic to and from an ENI / an EC2 Instance
• Can have only ALLOW rules
• Rules can reference IP ranges (CIDRs) and other security groups

4
Q

Network ACLs vs Security Groups

A

• NACL (Network ACL) = operates at the SUBNET level, supports ALLOW and DENY rules, and is STATELESS: return traffic must be explicitly allowed by rules (in practice an outbound rule for the ephemeral port range, typically 1024-65535). Rules are evaluated in ascending rule-number order and the first match wins
• Security Groups = operate at the INSTANCE (ENI) level, support ALLOW rules only, and are STATEFUL: return traffic for an allowed connection is automatically allowed
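The stateless/stateful difference is the one that bites in practice, so here is an added example (not from the flashcards) that models both evaluations over constructed rule sets. It shows the two classic NACL mistakes: forgetting the outbound ephemeral-port rule, so the server's replies are dropped even though the request was allowed, and numbering a DENY after a broader ALLOW so it is never reached. The rule tuples, CIDRs and the 1024-65535 ephemeral range are assumptions for the example.

```python
import ipaddress

# Constructed NACL rules (not from the flashcards). Each rule is
# (rule_number, action, protocol, cidr, port_from, port_to); for inbound
# rules the CIDR is the source, for outbound rules it is the destination.
INBOUND = [
    (90,  "DENY",  "tcp", "198.51.100.0/24", 0, 65535),  # block a known-bad range first
    (100, "ALLOW", "tcp", "0.0.0.0/0", 443, 443),         # HTTPS from anywhere
]
INBOUND_LATE_DENY = [
    (100, "ALLOW", "tcp", "0.0.0.0/0", 443, 443),
    (200, "DENY",  "tcp", "198.51.100.0/24", 0, 65535),  # never reached for port 443
]
OUTBOUND_WRONG = [
    (100, "ALLOW", "tcp", "0.0.0.0/0", 443, 443),         # forgets the reply traffic
]
OUTBOUND_FIXED = [
    (100, "ALLOW", "tcp", "0.0.0.0/0", 443, 443),
    (110, "ALLOW", "tcp", "0.0.0.0/0", 1024, 65535),      # ephemeral ports for replies
]


def nacl_evaluate(rules, remote_ip, port, proto="tcp"):
    """Evaluate NACL rules the way AWS does: ascending rule number, first
    match wins, and the implicit final '*' rule denies anything left over."""
    remote = ipaddress.ip_address(remote_ip)
    for _number, action, rproto, cidr, lo, hi in sorted(rules):
        if rproto in ("all", proto) and remote in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "DENY"


def nacl_tcp_session(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request and the reply are judged separately.

    Returns (request_verdict, reply_verdict). The reply is an outbound packet
    whose destination port is the client's ephemeral source port."""
    request = nacl_evaluate(inbound, client_ip, server_port)
    reply = nacl_evaluate(outbound, client_ip, client_port)
    return request, reply


def sg_tcp_session(sg_inbound, client_ip, server_port):
    """Stateful: a security group only lists ALLOW rules, and once the inbound
    request matches one, the tracked reply is allowed without any outbound rule.
    sg_inbound entries are (cidr, port_from, port_to)."""
    client = ipaddress.ip_address(client_ip)
    for cidr, lo, hi in sg_inbound:
        if client in ipaddress.ip_network(cidr) and lo <= server_port <= hi:
            return "ALLOW", "ALLOW"
    return "DENY", "DENY"


if __name__ == "__main__":
    print("NACL, no ephemeral rule:", nacl_tcp_session(INBOUND, OUTBOUND_WRONG, "203.0.113.5", 51234, 443))
    print("NACL, with ephemeral rule:", nacl_tcp_session(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51234, 443))
    print("NACL, deny numbered too late:", nacl_evaluate(INBOUND_LATE_DENY, "198.51.100.7", 443))
    print("Security group:", sg_tcp_session([("0.0.0.0/0", 443, 443)], "203.0.113.5", 443))
```

The usual reading of the output: a NACL with only `443` allowed in both directions silently breaks every HTTPS session, and a DENY placed at a higher number than a matching ALLOW is dead. Security groups need neither care, which is why most hardening work happens there and NACLs are reserved for coarse subnet-level blocks.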

5
Q

VPC Flow Logs

A

• Capture metadata about IP traffic going to and from network interfaces; can be enabled at the VPC, Subnet, or Elastic Network Interface level
• Helps to monitor & troubleshoot connectivity issues (subnet to internet, subnet to subnet, internet to subnet) and to spot rejected connections
• Also captures traffic for AWS-managed interfaces (e.g. load balancers, RDS, ElastiCache)
• Records are 5-tuple summaries (addresses, ports, protocol, packets, bytes, ACCEPT/REJECT), not packet captures, and some traffic is never logged, e.g. DNS queries to the Amazon resolver and instance metadata (169.254.169.254) requests
• VPC Flow Logs data can go to S3 / CloudWatch Logs
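Because flow logs are the main network telemetry in a VPC, the practical skill is parsing them and pulling out security signal. The following is an added example, not from the flashcards: a parser for the default (version 2) flow log record format run over a few constructed records (the account id, ENI id and addresses are made up), with two detections on top: sources whose connections were REJECTed on several distinct ports (a port-scan signature) and outbound byte volume from VPC hosts to external addresses (an exfiltration baseline).

```python
import ipaddress
from collections import defaultdict

# Default flow log record format, version 2, space separated.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records (not real data). The last line is a NODATA
# record, which flow logs emit when an interface saw no traffic in the window.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41212 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41213 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41214 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 443 51234 6 18 9020 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text):
    """Parse default-format records into dicts; drop NODATA/SKIPDATA lines,
    which carry no traffic fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_scanners(records, min_ports=3):
    """Sources with REJECTed flows to >= min_ports distinct destination ports on
    one interface. Returns {(srcaddr, interface_id): [ports]}."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["interface_id"])].add(rec["dstport"])
    return {key: sorted(v) for key, v in ports.items() if len(v) >= min_ports}


def egress_bytes_by_destination(records, vpc_cidr):
    """Bytes sent from addresses inside vpc_cidr to addresses outside it,
    summed per external destination (a starting point for exfil baselining)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for rec in records:
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        if src in vpc and dst not in vpc and rec["action"] == "ACCEPT":
            totals[rec["dstaddr"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("scanners:", rejected_port_scanners(recs))
    print("egress:", egress_bytes_by_destination(recs, "10.0.0.0/16"))
```

Two caveats when using this on real logs: a REJECT only tells you a security group or NACL dropped the flow, not which one, and records are aggregated over a capture window (1 or 10 minutes), so per-packet timing is not recoverable. If you enable a custom log format, adjust `FIELDS` to match the fields you selected.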

6
Q

VPC Peering

A

• Connects two VPCs privately using AWS' network
• Makes them behave as if they were in the same network (each VPC's route tables still need routes to the peer's CIDR)
• The VPCs must not have overlapping CIDRs (IP address ranges)
• A VPC Peering connection is not transitive: if A is peered with B and B with C, A cannot reach C without its own peering to C

7
Q

VPC Endpoints

A

Endpoints let you connect to AWS services over the private AWS network instead of the public internet, so the traffic does not need an Internet Gateway or NAT
• This gives you enhanced security (an endpoint policy can restrict which resources, e.g. which S3 buckets, are reachable through it) and lower latency to access AWS services

• VPC Endpoint Gateway: S3 & DynamoDB (a target in the subnet's route table)
• VPC Endpoint Interface: the rest (an ENI with a private IP in your subnet, powered by PrivateLink; S3 can also be reached this way)

8
Q

AWS PrivateLink (VPC Endpoint Services)

A

The most secure & scalable way to expose a service to thousands of VPCs

• Requires a Network Load Balancer in the service provider's VPC and an Elastic Network Interface (interface endpoint) in each consumer VPC; it does not use VPC peering or route-table changes, so overlapping CIDRs between the two VPCs are not a blocker

9
Q

Site to Site VPN & Direct Connect (Ways to connect on-premise with cloud)

A

Site to Site VPN
• Connects an on-premises network (via its VPN device) to AWS
• The connection is encrypted with IPsec
• Goes over the public internet

Direct Connect (DX)
• Establishes a dedicated physical connection between on-premises and AWS
• The connection is private, consistent in performance, and fast
• Goes over a private network; the link itself is not encrypted by default, so run a Site-to-Site VPN over it (or MACsec on a dedicated connection) where encryption in transit is required

10
Q

Site-to-Site VPN

A

• On-premises side: a Customer Gateway (CGW), representing your VPN device
• AWS side: a Virtual Private Gateway (VGW) attached to the VPC (or a Transit Gateway)

11
Q

AWS Client VPN

A

Connect from your computer, using an OpenVPN-based client, to your private network in AWS and on-premises

• Lets you reach your EC2 instances over their private IPs (just as if you were inside the VPC network)
• Goes over the public internet (the tunnel is TLS-encrypted)

12
Q

Transit Gateway

A

• Provides transitive routing between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology
• One single gateway provides this functionality; its own route tables can segment which attachments may talk to each other
• Works with Direct Connect Gateway and VPN connections
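The two connectivity cards, VPC Peering (no overlapping CIDRs, not transitive) and Transit Gateway (a hub that is transitive), are easiest to keep apart with a small reachability model. This is an added example, not from the flashcards: constructed VPC CIDRs (the `vpc-` names are hypothetical), an overlap check using the `ipaddress` module, and two reachability functions, one for peering and one for a transit gateway with a single route table where every attachment is propagated (an assumption of the example; a real TGW can segment attachments).

```python
import ipaddress

# Constructed VPCs (not from the flashcards): name -> CIDR.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",   # overlaps vpc-a, so it can never be peered with it
}


def can_peer(v1, v2):
    """Peering is refused when the two CIDRs overlap."""
    return not ipaddress.ip_network(VPCS[v1]).overlaps(ipaddress.ip_network(VPCS[v2]))


def reachable_via_peering(peerings, start):
    """Peering is not transitive: only VPCs directly peered with `start` are
    reachable, no matter how the other VPCs are peered among themselves.
    peerings is a list of (vpc, vpc) pairs."""
    reachable = set()
    for a, b in peerings:
        if not can_peer(a, b):
            raise ValueError(f"{a} ({VPCS[a]}) and {b} ({VPCS[b]}) have overlapping CIDRs")
        if a == start:
            reachable.add(b)
        if b == start:
            reachable.add(a)
    return reachable


def reachable_via_tgw(attachments, start):
    """A transit gateway with one shared route table is a hub: every attached
    VPC reaches every other attached VPC through the gateway."""
    if start not in attachments:
        return set()
    return set(attachments) - {start}


if __name__ == "__main__":
    chain = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")]
    print("peering, from vpc-a:", reachable_via_peering(chain, "vpc-a"))   # only vpc-b
    print("tgw, from vpc-a:", reachable_via_tgw(["vpc-a", "vpc-b", "vpc-c"], "vpc-a"))
    print("vpc-a / vpc-d peerable:", can_peer("vpc-a", "vpc-d"))           # False
```

The model deliberately ignores route tables and security groups: with a transit gateway, each VPC's route table still needs a route for the remote CIDRs pointing at the TGW attachment, and the TGW's own route tables can be used to keep, say, production and development attachments from reaching each other even though both are attached to the same hub.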

13
Q

VPC Closing Comments

A

• VPC: Virtual Private Cloud
• Subnets: tied to an AZ, network partition of the VPC
• Internet Gateway: at the VPC level, provides Internet access
• NAT Gateway / Instances: give internet access to private subnets
• NACL: stateless, subnet rules for inbound and outbound
• Security Groups: stateful, operate at the EC2 instance level or ENI
• VPC Peering: connect two VPCs with non-overlapping IP ranges, non-transitive

14
Q

VPC Closing Comments 2

A

• VPC Endpoints: provide private access to AWS services from within a VPC
• PrivateLink: privately connect to a service in a 3rd-party VPC
• VPC Flow Logs: network traffic logs
• Site to Site VPN: VPN over the public internet between an on-premises DC and AWS
• Client VPN: OpenVPN connection from your computer into your VPC
• Direct Connect: direct private connection to AWS
• Transit Gateway: connect thousands of VPCs and on-premises networks together
