AWS - Virtual Private Cloud (VPC)



  • A VPC is a virtual data center in the cloud.
  • Amazon VPC lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
  • You have complete control over the virtual network you define, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
  • You can create public and private subnets for isolating and securing your resources.
  • You can also create a hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC and use AWS as an extension of your private data center.
  • Consists of IGWs (or Virtual Private Gateways), Route Tables, Network Access Control Lists, Subnets and security groups.
  • 1 subnet = 1 AZ
  • Security groups are stateful; Network Access Control Lists (NACLs) are stateless.
  • No transitive peering.

What can you do with a VPC?
  • Launch instances in a subnet of your choice.
  • Assign custom IP ranges to each subnet.
  • Configure route tables between subnets.
  • Create an internet gateway and attach it to your VPC.
  • Much better security control over your resources.
  • Instance security groups
  • Subnet network access control lists (ACLs)
Default VPC vs Custom VPC
  • Default VPC is user friendly allowing you to immediately deploy resources.
  • All subnets in a default VPC have a route out to the internet.
  • Each instance has both public and private IP addresses.
VPC Peering
  • Allows you to connect two VPCs via a direct network route using private IP addresses.
  • Instances behave as if they were on the same private network.
  • Communication is done using private IP addresses.
  • You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
  • Peering can be done between VPCs within a Region.
  • The CIDR blocks of the peered VPCs must be different; they cannot overlap.
  • Peering is in a star configuration, i.e. one central VPC peers with 4 others; there is no transitive peering.
  • When we create a new VPC it creates a route table, a NACL and a security group; no subnet or Internet Gateway is created.
  • VPC spans across multiple AZs
  • One subnet can be in one AZ only.
  • Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
  • 5 IP addresses in each subnet are reserved by AWS and not available for use: the first 4 and the last.
  • Internet Gateway is by default detached. We need to attach it to our VPC.
  • One Internet Gateway can be attached to only one VPC, and one VPC can have only one Gateway.
  • On creation a subnet is associated with the main route table. We can change this later from the route table.
  • On a new subnet, auto-assign public IP is disabled by default.
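The CIDR rules above (peered VPCs must not overlap, and AWS reserves the first four and the last address of every subnet) can be checked before anything is created. This is an added example, not code from the original notes; the VPC and subnet CIDRs in it are constructed sample values.

```python
from ipaddress import ip_network

# AWS keeps the first four addresses and the last (broadcast) of every subnet.
RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet: str) -> list:
    """The five addresses in a subnet that cannot be assigned to instances."""
    addrs = list(ip_network(subnet, strict=True))  # network address .. broadcast
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def usable_hosts(subnet: str) -> int:
    """Addresses left for ENIs after AWS takes its five."""
    return ip_network(subnet, strict=True).num_addresses - RESERVED_PER_SUBNET


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """Peering is only possible when the two VPC CIDR blocks do not overlap."""
    return not ip_network(vpc_a, strict=True).overlaps(ip_network(vpc_b, strict=True))


def validate_plan(vpc: str, subnets: list) -> list:
    """Return a list of problems with a VPC/subnet layout (empty list means OK)."""
    problems = []
    vpc_net = ip_network(vpc, strict=True)
    nets = [ip_network(s, strict=True) for s in subnets]
    for n in nets:
        if not n.subnet_of(vpc_net):
            problems.append(f"{n} is outside VPC {vpc_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a /16 VPC with two subnets that accidentally overlap.
    print(reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/24"))             # 251
    print(can_peer("10.0.0.0/16", "10.1.0.0/16"))  # True
    print(validate_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25"]))
```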
NAT Instance
  • Must disable Source/Destination check on NAT Instance.
  • NAT instance must be in a public subnet
  • There must be a route out of Private subnet to NAT instance.
  • The amount of traffic that a NAT instance can handle depends on the instance size.
  • You can create highly available NAT instances using Auto Scaling groups, multiple subnets in different AZs and a script to automate failover.
  • NAT instances are behind a security group.
NAT Gateway:
  • Preferred by enterprises.
  • Scales automatically up to 10 Gbps.
  • No need to patch.
  • Not associated with Security Groups.
  • Automatically assigned a public IP address.
  • Route tables in the private subnet must have a route through the NAT Gateway.
  • No need to disable Source/Destination checks.
Network Access Control Lists:
  • Each VPC comes with a default NACL, which allows all inbound and outbound traffic.
  • By default, a new NACL denies all inbound and outbound traffic.
  • Each subnet must be associated with a NACL.
  • A NACL can be associated with multiple subnets, but a subnet can be associated with only one NACL.
  • The rules are evaluated in order, starting with the lowest number first.
  • NACLs are stateless.
  • NACLs can block specific IP addresses.
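The three NACL properties that matter most in practice (lowest rule number wins, no match means deny, and stateless so return traffic needs its own rule) are easy to get wrong. The model below is an added example, not code from the original notes; the rule sets and client addresses are constructed, and the rule shape is a simplification of a real NACL entry.

```python
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # ports a client picks for its side of a TCP session


def rule(number, proto, ports, cidr, action):
    """One NACL entry. ports is (low, high); proto is 'tcp', 'udp' or 'any'."""
    return {"number": number, "proto": proto, "ports": ports,
            "cidr": ip_network(cidr), "action": action}


def evaluate(rules, proto, port, addr):
    """Walk the rules lowest number first; the first match decides.
    Nothing matching means the implicit '*' rule applies, which is deny."""
    for r in sorted(rules, key=lambda r: r["number"]):
        low, high = r["ports"]
        if (r["proto"] in ("any", proto) and low <= port <= high
                and ip_address(addr) in r["cidr"]):
            return r["action"]
    return "deny"


def https_session_allowed(inbound, outbound, client_ip, client_port):
    """Stateless check for one client hitting port 443 on an instance in the
    subnet: the request is judged by the inbound rules and the reply, which
    leaves on the client's ephemeral port, by the outbound rules."""
    request = evaluate(inbound, "tcp", 443, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# Constructed rule sets. Rule 90 blocks one CIDR and wins over rule 100 because
# it is evaluated first, which is how a NACL blocks specific addresses.
INBOUND = [
    rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    rule(90, "tcp", (0, 65535), "203.0.113.0/24", "deny"),
]
OUTBOUND_NO_EPHEMERAL = []  # a fresh custom NACL: everything denied
OUTBOUND = [rule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(https_session_allowed(INBOUND, OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 50000))  # False
    print(https_session_allowed(INBOUND, OUTBOUND, "198.51.100.7", 50000))               # True
    print(https_session_allowed(INBOUND, OUTBOUND, "203.0.113.9", 50000))                # False
```

The first call fails even though port 443 is open inbound: with no outbound rule for the ephemeral range, the instance's replies are dropped, which is the usual surprise when a custom NACL replaces the default one.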
Load balancer in a VPC:
  • A load balancer needs at least 2 public subnets, so to add a load balancer we need to add 2 public subnets; one public and one private subnet will not do.
VPC Flow Logs:
  • VPC flow logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC.
  • Flow logs are stored in CloudWatch Logs.
  • Flow logs can be created at 3 levels:
    • VPC
    • Subnet
    • Network interfaces
  • You cannot create flow logs for VPCs that are peered with your VPC unless the peered VPC is in your account.
  • You cannot tag a flow log.
  • After you have created a flow log, you cannot change its configuration (IAM role etc.).
  • Not all traffic is monitored:
    • Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, all traffic to that DNS server is logged.
    • Traffic generated for Windows activation.
    • Traffic to and from 169.254.169.254 for metadata.
    • DHCP traffic.
    • Traffic to the reserved IP address for default VPC router.
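Once flow logs are being captured, the usual first use is to find sources whose connections keep getting rejected by a security group or NACL. The parser below is an added example, not code from the original notes; it assumes the default version 2 record layout (14 space-separated fields ending in action and log-status), and the account id, ENI id and addresses in the sample records are constructed.

```python
from collections import defaultdict

# Default flow log record layout (version 2), assumed from the AWS default format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end"}


def parse_record(line):
    """Split one space-separated record into a dict; '-' becomes None for numbers."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def rejected_ports_by_source(lines):
    """Map each source address to the set of destination ports it was rejected on.
    NODATA/SKIPDATA records carry no addresses, so they are skipped."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            hits[rec["srcaddr"]].add(rec["dstport"])
    return dict(hits)


def noisy_sources(lines, min_ports=3):
    """Sources rejected on at least min_ports different ports: worth a look."""
    return sorted(src for src, ports in rejected_ports_by_source(lines).items()
                  if len(ports) >= min_ports)


# Constructed sample records (account id, ENI id and addresses are made up).
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 41234 22 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 41235 23 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 41236 3389 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.8 10.0.1.25 52001 443 6 20 4200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    print(rejected_ports_by_source(SAMPLE))  # {'203.0.113.12': {22, 23, 3389}}
    print(noisy_sources(SAMPLE))             # ['203.0.113.12']
```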
NAT vs Bastion
  • NAT is used to provide internet access to EC2 instances in a private subnet.
  • Bastions (also called jump boxes) are simple EC2 servers used to administer EC2 instances using SSH or RDP. We SSH to the bastion server and from there SSH to a private EC2 instance.
