VPCs Flashcards
VPC
- VPC - Virtual Private Cloud: private network to deploy your resources. It’s a regional resource
- Subnets allow you to partition your network inside your VPC (Availability Zone resource)
- A public subnet is a subnet that is accessible from the internet
- A private subnet is a subnet that is not accessible from the internet
- To define access to the internet and between subnets, we use Route Tables
Internet Gateway & NAT Gateway
- Internet Gateways help our VPC instances connect with the internet
- Public Subnets have a route to the internet gateway
- NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private
NACL (Network ACL)
- A firewall which controls traffic to and from a subnet
- Operates at the subnet level
- Is stateless: Return traffic must be explicitly allowed by rules
- We process rules in number order when deciding whether to allow traffic
- Can have ALLOW and DENY rules
- Are attached at the Subnet level
- Rules only include IP addresses
- Automatically applies to all instances in the subnet it’s associated with
Security Groups
- A firewall that controls traffic to and from an ENI / an EC2 Instance
- Can have only ALLOW rules
- Rules include IP addresses and other security groups
- Is stateful: Return traffic is automatically allowed, regardless of any rules
- We evaluate all rules before deciding whether to allow traffic
- Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on
VPC Flow Logs
- Capture information about IP traffic going into your interfaces
  - VPC Flow Logs
  - Subnet Flow Logs
  - Elastic Network Interface Flow Logs
- Helps to monitor & troubleshoot connectivity issues
  - Subnets to internet
  - Subnets to subnets
  - Internet to subnets
- Captures network information from AWS managed interfaces too: ELB, ElastiCache, RDS, Aurora, etc…
- VPC Flow logs data can go to S3 / CloudWatch Logs
VPC Peering
- Connect two VPCs privately using the AWS network
- Make them behave as if they were in the same network
- Must not have overlapping CIDR (IP address range)
- VPC Peering connection is not transitive (must be established for each pair of VPCs that need to communicate with one another)
VPC Endpoints
- Endpoints allow you to connect to AWS Services using a private network instead of the public internet
- This gives you enhanced security and lower latency to access AWS Services
- VPC Endpoint Gateway: S3 & DynamoDB
- VPC Endpoint Interface: the rest
Site to Site VPN
- Connect an on-premises VPN to AWS
- The connection is automatically encrypted
- Goes over the public internet
- On Premises: must use a Customer Gateway (CGW)
- AWS: must use a Virtual Private Gateway (VGW)
Direct Connect (DX)
- Establish a physical connection between on-premises and AWS
- The connection is private, secure and fast
- Goes over a private network
- Takes at least a month to establish
Transit Gateway
- Provides transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology
- One single Gateway to provide this functionality
- Works with Direct Connect Gateway, VPN connections
___ allow your instances in your private subnets to access the Internet while remaining private, and are managed by AWS
NAT Gateways
___ is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. They have both ALLOW and DENY rules
Network access control list (NACL)
___ connects thousands of VPC and on-premises networks together in a single gateway
Transit Gateway
___ is a network connection between two VPCs using AWS’s network
VPC Peering connection
___ is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud.
VPC (Virtual Private Cloud)