VPCs Flashcards
1
Q
What is a Virtual Private Cloud (VPC)?
A
- Virtual data centre in the cloud
- Amazon VPC lets you provision a logically isolated section of the AWS cloud where you can launch resources in a virtual network that you define
- You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways
- E.g. you could create a public-facing subnet for your web servers that has access to the internet, and place your backend systems (DBs and application servers) in a private subnet with no inbound access from the internet
2
Q
VPCs cont.
A
- You can leverage multiple layers of security, including security groups and network access control lists, to help control access to EC2 instances in each subnet
- Additionally, you can create an IPsec Site-to-Site VPN connection (historically called a "hardware VPN") between your corporate datacenter and your VPC and use the AWS cloud as an extension of your corporate datacenter
- RFC 1918 defines the 3 private IPv4 ranges normally used for VPC CIDRs: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. A VPC CIDR block must be between /16 and /28
- 1 subnet = 1 AZ (a subnet cannot stretch across multiple AZs, but you can have multiple subnets in 1 AZ)
- Network ACLs are stateless (as opposed to security groups, which are stateful). NACLs have both allow and deny rules, and allowing an inbound port does not automatically allow the return traffic outbound; you need a matching outbound rule (typically covering the ephemeral port range)
3
Q
What can we do with a VPC?
A
- Launch instances into a subnet of your choosing
- Assign custom IP address ranges in each subnet
- Configure route tables between subnets
- Create an internet gateway and attach it to your VPC
- Much better security control over your AWS resources
- Instance security groups
- Subnet network access control lists (ACLs)
4
Q
Default VPC vs Custom VPC
A
- The default VPC is user-friendly, allowing you to immediately deploy instances
- All subnets in the default VPC have a route out to the internet via an internet gateway that is already attached
- Each EC2 instance launched into the default VPC gets both a public and a private IP address
- A custom VPC starts with none of this: no internet gateway, no public subnets, and instances get only private IPs unless public IP auto-assignment is enabled on their subnet
5
Q
VPC Peering
A
- Allows you to connect one VPC to another via a direct network route using private IP addresses
- Instances behave as if they were on the same private network
- You can peer VPCs with other AWS accounts (and other regions) as well as with other VPCs in the same account
- The two VPCs' CIDR blocks must not overlap, and each side still needs a route to the peer's CIDR that targets the peering connection
- Peering is not transitive: in a hub-and-spoke layout where 1 central VPC peers with 4 others, the 4 spokes cannot reach each other through the hub; every pair that needs to talk requires its own peering connection
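As an added example (not part of the original flashcards), the two peering rules above as a small Python checker: a peering is only possible between non-overlapping CIDRs, and reachability only exists over a direct peering, never through an intermediate VPC. The VPC names, CIDRs and peering connections below are constructed placeholders, not real AWS identifiers.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: VPC name -> IPv4 CIDR (placeholders, not real AWS ids)
VPCS = {
    "vpc-hub":    "10.0.0.0/16",
    "vpc-spoke1": "10.1.0.0/16",
    "vpc-spoke2": "10.2.0.0/16",
    "vpc-spoke3": "10.3.0.0/16",
    "vpc-clash":  "10.1.128.0/17",   # overlaps vpc-spoke1, so cannot peer with it
}

# Accepted peering connections as unordered pairs: a hub with three spokes
PEERINGS = {
    frozenset({"vpc-hub", "vpc-spoke1"}),
    frozenset({"vpc-hub", "vpc-spoke2"}),
    frozenset({"vpc-hub", "vpc-spoke3"}),
}


def overlapping_pairs(vpcs):
    """Pairs of VPCs whose CIDRs overlap; AWS refuses a peering between such a pair."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return sorted(
        tuple(sorted((a, b)))
        for a, b in combinations(nets, 2)
        if nets[a].overlaps(nets[b])
    )


def can_peer(vpcs, a, b):
    """True if a peering connection between a and b would be accepted."""
    return not ipaddress.ip_network(vpcs[a]).overlaps(ipaddress.ip_network(vpcs[b]))


def reachable_via_peering(peerings, src, dst):
    """Peering is non-transitive: only a direct peering connection counts."""
    return frozenset({src, dst}) in peerings


def transitive_only_paths(peerings, src, dst):
    """Intermediate VPCs that would connect src and dst if peering were
    transitive (it is not); handy for explaining why traffic between two
    spokes is dropped even though both are peered with the hub."""
    members = {v for pair in peerings for v in pair}
    return sorted(
        v for v in members
        if v not in (src, dst)
        and frozenset({src, v}) in peerings
        and frozenset({v, dst}) in peerings
    )
```

The route-table side is not modelled here: even a valid peering carries no traffic until each VPC's route table has a route for the peer's CIDR pointing at the peering connection.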
6
Q
Setting up a VPC
A
- When we create a new VPC, we get the following by default: a main route table, a default network access control list, and a default security group
- We then create our own: an internet gateway (1 per VPC), subnets (e.g. one public, one private), and EC2 instances within those subnets
- AWS always reserves 5 IP addresses in every subnet: the first four (network address, VPC router, Amazon DNS resolver, reserved for future use) and the last one (network broadcast), so a /24 yields 251 usable addresses and a /28 (the smallest allowed) yields 11
- Security groups cannot span VPCs
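As an added example (not from the original flashcards), the 5-address reservation worked out in Python with the standard library's `ipaddress` module: which addresses are reserved in a given subnet, how many remain usable, and whether a specific address could be assigned to an ENI. The subnet CIDRs used below are constructed.

```python
import ipaddress

# Offsets into the subnet that AWS reserves, with the reason AWS documents for each
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS resolver",
    3: "reserved for future use",
    -1: "network broadcast address (broadcast is not supported in a VPC)",
}


def _subnet(subnet_cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24)
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 subnets are handled here")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    return net


def reserved_addresses(subnet_cidr: str) -> dict:
    """The 5 addresses AWS reserves in the subnet, mapped to the reason."""
    net = _subnet(subnet_cidr)
    # ipaddress networks support negative indexing, so net[-1] is the broadcast
    return {str(net[offset]): reason for offset, reason in RESERVED_OFFSETS.items()}


def usable_host_count(subnet_cidr: str) -> int:
    """Addresses available to ENIs once the reserved ones are removed."""
    return _subnet(subnet_cidr).num_addresses - len(RESERVED_OFFSETS)


def is_assignable(subnet_cidr: str, ip: str) -> bool:
    """True if an ENI in this subnet could be given this address."""
    net = _subnet(subnet_cidr)
    addr = ipaddress.ip_address(ip)
    return addr in net and str(addr) not in reserved_addresses(subnet_cidr)
```

`usable_host_count("10.0.1.0/28")` returning 11 is why a /28 is the smallest subnet AWS allows: anything smaller would leave almost nothing after the reservation.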
7
Q
NAT instances
A
- A NAT instance is an EC2 instance in a public subnet of your VPC that performs Network Address Translation, enabling instances in a private subnet to initiate outbound IPv4 traffic to the internet or other AWS services while preventing inbound connections initiated from the internet
- When creating a NAT instance, disable the source/destination check on the instance (by default EC2 drops traffic whose source or destination is not the instance itself, which is exactly the traffic a NAT forwards)
- NAT instances must be in a public subnet
- Must be a route out of the private subnet to the NAT instance
- Amount of traffic that NAT instance supports depends on instance size
- You can create high availability using Autoscaling Groups, multiple subnets in different AZs, and a script to automate failover
- NAT instances sit behind a Security Group
8
Q
NAT Gateways
A
- Perform the NAT task but do not require you to run and patch an EC2 instance
- More commonly used nowadays than NAT instances
- Keep working where a single NAT instance would fail; managed by AWS
- Are redundant inside the AZ (but live in exactly one AZ)
- Preferred by enterprise
- Not associated with security groups (control access with NACLs on the private subnets or with the security groups of the instances behind the gateway)
- A public NAT gateway is given an Elastic IP address when you create it
- No need to disable source/destination checks
- If you have multiple AZs and they share one NAT gateway, in the event that the NAT gateway's AZ is down, resources in the other AZs lose internet access. For AZ-independent egress, create one NAT gateway per AZ and point each AZ's private route table at its own gateway
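As an added example (not part of the original flashcards), a Python audit of the NAT placement rules from the two cards above: a NAT gateway must sit in a public subnet, each private subnet needs a default route to a NAT, and a NAT shared across AZs is a single point of failure. The inventory is constructed in the shape of `describe-subnets`, `describe-nat-gateways` and `describe-route-tables` output; the ids and AZ names are placeholders, not real AWS resources.

```python
# Constructed inventory (placeholder ids): subnet -> its AZ and whether it is public
SUBNETS = {
    "subnet-pub-a":  {"az": "eu-west-1a", "public": True},
    "subnet-pub-b":  {"az": "eu-west-1b", "public": True},
    "subnet-priv-a": {"az": "eu-west-1a", "public": False},
    "subnet-priv-b": {"az": "eu-west-1b", "public": False},
}

# One NAT gateway shared by both AZs (the failure mode on the card): nat -> its subnet
SHARED_NAT = {"nat-a": "subnet-pub-a"}
SHARED_ROUTES = {
    "rtb-priv-a": {"subnets": ["subnet-priv-a"], "routes": {"0.0.0.0/0": "nat-a"}},
    "rtb-priv-b": {"subnets": ["subnet-priv-b"], "routes": {"0.0.0.0/0": "nat-a"}},
}

# The fix: one NAT gateway per AZ, each AZ's private route table using its own
PER_AZ_NAT = {"nat-a": "subnet-pub-a", "nat-b": "subnet-pub-b"}
PER_AZ_ROUTES = {
    "rtb-priv-a": {"subnets": ["subnet-priv-a"], "routes": {"0.0.0.0/0": "nat-a"}},
    "rtb-priv-b": {"subnets": ["subnet-priv-b"], "routes": {"0.0.0.0/0": "nat-b"}},
}


def _default_route_nat(rtb, nat_gateways):
    """The NAT gateway a route table's 0.0.0.0/0 route targets, if any."""
    target = rtb["routes"].get("0.0.0.0/0")
    return target if target in nat_gateways else None


def misplaced_nat_gateways(nat_gateways, subnets):
    """NAT gateways not in a public subnet: they have no path to the internet gateway."""
    return sorted(n for n, s in nat_gateways.items() if not subnets[s]["public"])


def cross_az_nat_dependencies(route_tables, nat_gateways, subnets):
    """(subnet, subnet AZ, nat, nat AZ) for subnets whose default route leaves
    through a NAT gateway in a different AZ."""
    findings = []
    for rtb in route_tables.values():
        nat = _default_route_nat(rtb, nat_gateways)
        if nat is None:
            continue
        nat_az = subnets[nat_gateways[nat]]["az"]
        for subnet in rtb["subnets"]:
            if subnets[subnet]["az"] != nat_az:
                findings.append((subnet, subnets[subnet]["az"], nat, nat_az))
    return sorted(findings)


def surviving_subnets_without_egress(failed_az, route_tables, nat_gateways, subnets):
    """Subnets outside failed_az that nevertheless lose internet egress,
    because the NAT gateway their default route points at lives in failed_az."""
    lost = set()
    for rtb in route_tables.values():
        nat = _default_route_nat(rtb, nat_gateways)
        if nat is None or subnets[nat_gateways[nat]]["az"] != failed_az:
            continue
        lost.update(s for s in rtb["subnets"] if subnets[s]["az"] != failed_az)
    return sorted(lost)
```

Run `surviving_subnets_without_egress("eu-west-1a", SHARED_ROUTES, SHARED_NAT, SUBNETS)` to see that the healthy AZ b loses egress with the shared design, and the same call with `PER_AZ_ROUTES` and `PER_AZ_NAT` to confirm the per-AZ layout has no such dependency.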
9
Q
Network Access Control Lists
A
- Optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
- Allows you to configure inbound and outbound traffic rules
- Default NACL comes with a VPC, allowing everything in and out
- Each custom NACL denies all inbound and outbound traffic until you add allow rules
- Each subnet in your VPC must be associated with a NACL (subnets not explicitly associated use the default NACL)
- You can block specific IP addresses using NACL deny rules; security groups have no deny rules
- You can associate a NACL with multiple subnets, but each subnet can only be associated with one NACL at a time
- NACLs contain a numbered list of rules that are evaluated in order, starting with the lowest number; the first matching rule wins and the final "*" rule denies whatever nothing matched
- NACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic
- NACLs are stateless: responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa), so the ephemeral port range must be allowed in the return direction
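As an added example (not part of the original flashcards), a Python model of the evaluation rules above and of the stateless-versus-stateful contrast from card 2: a NACL checks every packet, replies included, against the numbered rules for its own direction, while a security group remembers allowed flows and lets their replies through. The scenario, addresses and rule numbers in `demo()` are constructed; the two classes are an illustration of the semantics, not AWS code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    src_port: int
    dst_port: int

    def reply(self):
        """The packet the other side sends back for this one."""
        return Packet(self.protocol, self.dst, self.src, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    protocol: str          # "all" or a protocol name
    cidr: str              # remote CIDR: source for inbound rules, destination for outbound
    port_from: int         # matched against the packet's destination port
    port_to: int
    action: str = "allow"  # NACL rules may also be "deny"; security group rules are allow-only
    number: int = 0        # NACL rule number; unused by security groups


def _matches(rule, packet, direction):
    remote = packet.src if direction == "inbound" else packet.dst
    return (
        rule.protocol in ("all", packet.protocol)
        and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
        and rule.port_from <= packet.dst_port <= rule.port_to
    )


def nacl_decision(rules, packet, direction):
    """Stateless: every packet is checked against the rule set for its own
    direction, lowest rule number first; the first match wins and the
    trailing '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet, direction):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: a packet matching an allow rule opens a tracked flow, and the
    reply to a tracked flow is allowed regardless of the opposite rule set."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()

    def decision(self, packet, direction):
        if packet.reply() in self.flows:
            return "allow"
        if any(_matches(r, packet, direction) for r in self.rules[direction]):
            self.flows.add(packet)
            return "allow"
        return "deny"


def demo():
    """Constructed scenario: an internet client (203.0.113.5) opens HTTPS to a
    web server at 10.0.1.10; compare how each layer treats the reply."""
    request = Packet("tcp", "203.0.113.5", "10.0.1.10", 50123, 443)
    response = request.reply()

    nacl_in = [Rule("tcp", "0.0.0.0/0", 443, 443, "allow", 100)]
    # Classic mistake: outbound allows 443 only, nothing for the ephemeral reply ports
    nacl_out_broken = [Rule("tcp", "0.0.0.0/0", 443, 443, "allow", 100)]
    nacl_out_fixed = nacl_out_broken + [Rule("tcp", "0.0.0.0/0", 1024, 65535, "allow", 110)]
    # Blocking a network only works if the deny is numbered below the allow
    block = Rule("tcp", "203.0.113.0/24", 0, 65535, "deny", 90)
    block_too_late = Rule("tcp", "203.0.113.0/24", 0, 65535, "deny", 200)

    sg = SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[])

    return {
        "nacl_request": nacl_decision(nacl_in, request, "inbound"),
        "nacl_reply_broken": nacl_decision(nacl_out_broken, response, "outbound"),
        "nacl_reply_fixed": nacl_decision(nacl_out_fixed, response, "outbound"),
        "nacl_block_low_number": nacl_decision(nacl_in + [block], request, "inbound"),
        "nacl_block_high_number": nacl_decision(nacl_in + [block_too_late], request, "inbound"),
        "sg_request": sg.decision(request, "inbound"),
        "sg_reply": sg.decision(response, "outbound"),
    }
```

The security group in `demo()` has an empty outbound rule set and still passes the reply, which is the stateful behaviour; the NACL with the same outbound gap drops it until rule 110 covers the ephemeral range.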
10
Q
Custom VPCs and ELBs
A
You must have at least two subnets, each in a different AZ, to provision a Load Balancer (public subnets for an internet-facing load balancer)
11
Q
VPC Flow Logs
A
- VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC
- Flow log data is delivered to CloudWatch Logs or to an S3 bucket
- Can be created at 3 levels: VPC, subnet and network interface
- Cannot enable flow logs for peered VPCs unless the peer VPC is in your account
- Once created, you cannot change the configuration of the flow log (delete it and create a new one instead)
- Flow logs record metadata only (no payload) and are not real-time; some traffic is never logged, e.g. queries to the Amazon DNS resolver, DHCP, and requests to the instance metadata service (169.254.169.254)
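As an added example (not part of the original flashcards), a Python parser for the default (version 2) flow log record format with two detections a practitioner would run over it: sources REJECTed on many distinct ports, and capture windows where the log itself recorded nothing. The sample records are constructed; the account id and ENI id are placeholders, not real resources.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log record format
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (not real traffic); ids are placeholders.
# 203.0.113.7 probes four ports and is rejected; 198.51.100.9 is a normal HTTPS
# client that also tries SSH once; the last line is a NODATA window.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 50321 22 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 50322 23 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 50323 445 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 50324 3389 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.10 41000 443 6 20 4100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 198.51.100.9 443 41000 6 18 9800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.10 41001 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts. '-' fields become None, and
    NODATA/SKIPDATA records are kept so gaps in coverage stay visible."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Distinct destination ports on which each source address was REJECTed."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def scan_suspects(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports: a crude port-scan signal."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def coverage_gaps(records):
    """(start, end, status) for windows in which the flow log captured nothing."""
    return [(r["start"], r["end"], r["log_status"]) for r in records
            if r["log_status"] in ("NODATA", "SKIPDATA")]


def bytes_by_action(records):
    """Total bytes per ACCEPT/REJECT, ignoring records with no data."""
    totals = Counter()
    for r in records:
        if r["bytes"] is not None:
            totals[r["action"]] += r["bytes"]
    return totals
```

Because flow logs carry no payload, `scan_suspects` can only reason about addresses, ports and the ACCEPT/REJECT verdict; the REJECT verdict reflects the security group or NACL decision, so a scan against an open port shows up as ACCEPT and needs a different signal.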
12
Q
Bastion Hosts
A
- A NAT Gateway or NAT Instance is used to provide internet traffic to EC2 instances in private subnets
- A Bastion is used to securely administer EC2 instances (using SSH). They are called Jumpboxes in Australia
- You cannot use a NAT Gateway as a Bastion Host
- Bastion hosts can be purchased as AMIs on AWS marketplace, coming “pre-hardened” from a security standpoint
13
Q
Direct Connect
A
- Directly connects your data center to AWS (VPC), i.e. not over the internet but through a dedicated physical connection and AWS's backbone network
- Useful for high throughput workloads (i.e. lots of network traffic)
- Or if you need a stable and predictable connection. Note that a Direct Connect link is private but not encrypted by itself; run a Site-to-Site VPN over it (or use MACsec where the connection type supports it) if you need encryption in transit
14
Q
Global Accelerator
A
- A service in which you create accelerators to improve the availability and performance of your applications for local and global users
- It directs traffic to optimal endpoints over the AWS global network. This improves the availability and performance of your internet applications that are used by a global audience
- By default, Global Accelerator provides you with two static anycast IP addresses that you associate with your accelerator. Alternatively you can bring your own
- You can control the share of traffic each endpoint group receives using traffic dials. This is done within the endpoint group
15
Q
VPC Endpoints
A
- Enables you to connect your VPC to supported AWS services and to VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
- Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network
- E.g. access to an S3 bucket via a VPC endpoint from a private subnet
- Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available. They don't impose availability risks or bandwidth constraints on your network traffic
- There are two types of VPC endpoint: Interface Endpoints (an ENI with a private IP in your subnet, protected by a security group; supports a large number of AWS services) and Gateway Endpoints (a target in your route table; supports S3 and DynamoDB only). Both can carry an endpoint policy restricting what can be reached through them