VPCs Flashcards
VPC
virtual data center in the cloud
1 subnet = 1 AZ
Largest subnet you can use in your VPC
10.0.0.0/16
65,526 addresses
VPC features
launch instances in a subnet of our choosing
assign custom IP address ranges
configure route tables between subnets
create internet gateway and attach to our VPC
NACLs
instance security groups
Default vs custom vpc
default: user friendly; allows immediate deployment of instances
VPC peering
connects 2 VPCs via a direct network route using private IP addresses
Instances behave as if they were on the same private network
can peer across regions
Does not support transitive peering
security groups vs NACLs
security groups: stateful
NACLs: stateless
need to add individual allow and deny lists
What gets created by default when you create a VPC
route table
NACLs
security group
Route table best practice
Keep primary route table private
VPC security groups
security groups cannot span multiple VPCs
NAT instance vs NAT gateway
NAT instance - individual instance
NAT gateway - highly available way to provide internet access to private subnets w/out becoming public
NAT gateways HA/DR
redundant inside an AZ
cannot span multiple AZs
NAT gateway security groups
Not associated with security groups
NAT gateway config info
no need to patch
need to update route tables
automatically assigned a public IP address
no need to disable source/dest checks
create a NAT gateway in each availability zone
NACLs and Security Group order of operations
NACLs resolved before security groups
NACL rules resolved in order of rule #, stopping on match
ACL and subnet associations
ACL - can have many subnets
subnet - can only have one ACL
Load balancer config
need at least 2 public subnets
VPC flow log levels
vpc
subnet
network interface level
VPC flow log config
cannot change VPC config after it’s created
cannot associate a different IAM role w/ flow log
can tag flow logs
Bastion host - definition
special purpose computer designed and configured to withstand attacks
Either outside of firewall or in DMZ
helps reduce attack surface by removing need to harden devices behind it
used to securely administer EC2 instances
AKA jump box
Direct Connect
service solution used to establish a dedicated network connection from on-prem to AWS
reduces network costs
increases bandwidth
stable and reliable secure connection
global accelerator
improves availability and performance of apps
directs traffic to optimal endpoints over AWS
by default provides two default IP addresses
- customer can bring their own
global accelerator components
static IP addresses
accelerator DNS name
network zone
listener
endpoint group
endpoint
global accelerator network zone
services the static ip addresses
similar to an AZ
each zone is isolated within its own physical infrastructure
global accelerator listener
processes inbound connections from clients to global accelerator based on configured port and protocol
listeners forward traffic to endpoints in attached/associated endpoint groups
endpoint groups associated to listeners by region
global accelerator endpoint group
associated w/ specific aws regions
can specify percentage of traffic directed to each endpoint group
global accelerator endpoints
NLB, ALB, EC2 instances, Elastic IP addresses
can have weights to specify proportion of traffic received by endpoint
VPC endpoint
virtual device that allows communication between instances in your VPC and supported services
allows you to privately connect your VPC to those services w/out requiring an internet gateway, NAT device, VPN, or Direct Connect
VPC endpoint types
interface endpoint
gateway endpoint
interface endpoint
network interface w/ private IP addresses that serve as an entry point for traffic to a supported service
supported gateway endpoint services
amazon s3
DynamoDB
gateway endpoint
similar to NAT gateways
PrivateLink
Open services in a VPC to other VPCs
Only requires an NLB on the service VPC and an ENI on the client VPC
Transit Gateway
A way to simplify your network topology
Provides transitive peering between many VPCs and on-prem data centers
can be used across multiple AWS accounts via RAM
can use route tables
supports IP multicast
VPN Cloudhub
Allows users to connect into a virtual private gateway via VPN
The vpg provides access to VPC subnets
good when there are multiple sites w/ their own VPN connection
Network Costs
Free
- instances w/in same AZ
Not free
- instances in different AZs via private IP
  - more if traffic needs to go over public IP
- instances in different regions
IP traffic that is not monitored/logged
DNS traffic to Amazon DNS server
Traffic to Amazon Windows license activation
Traffic to/from 169.254.169.254
DHCP traffic
traffic to reserved IPs for reverse IP routing
Direct Connect setup steps
Create virtual interface in Direct Connect console
Create a customer gateway
Create a virtual private gateway
attach virtual private gateway to desired VPC
create a new vpn connection
select the virtual private gateway and the customer gateway
set up vpn on customer gateway or firewall
Max number of VPCs per account per region
5
max internet gateways per VPC
1