Module 5
Last updated
Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Gives you control over your virtual networking resources
IP address range
Creation of subnets
Configuration of route tables and network gateways
You can customize the network configuration for your VPC
You can use multiple layers of security
VPCs are logically isolated from other VPCs and belong only to your own AWS account
They belong to a single Region but can span multiple Availability Zones
The subnets belong to a single Availability Zone and are classified as public or private
There ain't no CTRL+Z for the address range after creating a VPC, and the CIDR blocks of subnets cannot overlap
/16 (65,536 addresses) is the maximum size of a VPC
/28 (16 addresses) is the minimum size of a VPC
IPv6 is also supported
For each CIDR block that you make, AWS reserves 5 IP addresses in that block which are not available for use
These addresses are reserved for:
Network address
VPC local router (internal communications)
Domain Name System (DNS) resolution
Future use
Network broadcast address
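As an added example (not from the module notes), here is a Python check of a VPC addressing plan against the rules above: the /16 to /28 size limits, subnets inside the VPC and not overlapping, and the five addresses AWS reserves in every subnet. The sample CIDRs are constructed.

```python
import ipaddress

# Added example (not from the course notes): check a VPC addressing plan
# against the rules above: VPC between /16 and /28, every subnet inside
# the VPC block, no overlapping subnets, and 5 addresses reserved by AWS
# in each subnet (network, VPC router, DNS, future use, broadcast).

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # /16 is the largest VPC, /28 the smallest


def reserved_addresses(subnet):
    """Return the five addresses AWS reserves in an IPv4 subnet, by purpose."""
    net = ipaddress.ip_network(subnet)
    first = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(first + 1)),
        "dns": str(ipaddress.ip_address(first + 2)),
        "future_use": str(ipaddress.ip_address(first + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet):
    """Addresses instances can actually use: block size minus the 5 reserved."""
    return ipaddress.ip_network(subnet).num_addresses - 5


def validate_plan(vpc_cidr, subnet_cidrs):
    """Return a list of rule violations; an empty list means the plan is fine."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = []
    if not VPC_MIN_PREFIX <= vpc.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} is outside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: the last two subnets overlap
    plan = ["10.0.0.0/24", "10.0.1.0/24", "10.0.1.128/25"]
    print(validate_plan("10.0.0.0/16", plan))
    print(reserved_addresses("10.0.0.0/24"), usable_hosts("10.0.0.0/24"))
```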
Manually assigned through an Elastic IP address
Associated with your AWS account
Automatically assigned through the auto-assign public IP address settings at the subnet level
Can be allocated and remapped anytime
Uses NAT
Additional costs may apply
A virtual network interface that you can detach from one instance and attach to another instance to redirect network traffic
Its attributes follow when it's reattached to a new instance
You cannot detach a primary network interface from an instance.
You can configure route tables to direct network traffic from your subnet
Each route specifies a destination and a target
By default, every route table contains a local route for communication within the VPC
A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table
A VPC is a logically isolated section of the AWS Cloud
A VPC belongs to one Region and requires a CIDR block.
A VPC is subdivided into subnets.
A subnet belongs to one Availability Zone and requires a CIDR block.
Route tables control traffic for a subnet.
Route tables have a built-in local route.
You add additional routes to the table
The local route cannot be deleted
An internet gateway allows communication between instances in your VPC and the internet and serves two purposes:
Provide a target in your VPC route tables for internet-routable traffic
Perform NAT for instances that were assigned public IPv4 addresses
To make a subnet public, you attach an internet gateway to your VPC and add a route to the route table to send non-local traffic through the internet gateway to the internet (0.0.0.0/0)
Functions the same way a router performing NAT would: it allows private-to-public translation but blocks connections initiated from the internet
Creation steps:
Specify the public subnet in which the NAT gateway should reside
Specify an Elastic IP address to associate with the NAT gateway
Update the route table that is associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway
You can also use a NAT instance in a public subnet in your VPC instead of a NAT gateway, but a NAT gateway is a managed NAT service that provides better availability, higher bandwidth, and less administrative effort.
AWS recommends that you use a NAT gateway instead of a NAT instance.
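As an added example (not from the module notes), the Python below models how a route table chooses a target by longest-prefix match and how the 0.0.0.0/0 route decides whether a subnet is public (internet gateway) or private (NAT gateway, so nothing can be initiated from the internet). The route tables and the igw-EXAMPLE / nat-EXAMPLE target IDs are constructed placeholders.

```python
import ipaddress

# Added example (not from the course notes): a small model of how a VPC
# route table picks the target for a packet (longest prefix wins, the
# local route always covering the VPC itself) and how the 0.0.0.0/0 route
# decides whether a subnet is public (internet gateway) or private (NAT
# gateway). All route tables below are constructed sample data.

# Constructed sample route tables: (destination CIDR, target placeholder)
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_RT = [("10.0.0.0/16", "local")]


def lookup(route_table, dst_ip):
    """Longest-prefix match, as a router does; None means no route (dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table):
    """'public', 'private' or 'isolated' depending on the 0.0.0.0/0 route."""
    default = dict(route_table).get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


def internet_initiated_allowed(route_table):
    """Only a public subnet can accept connections started from the internet;
    a NAT gateway only translates outbound flows and their replies."""
    return classify_subnet(route_table) == "public"


if __name__ == "__main__":
    print(lookup(PUBLIC_RT, "10.0.5.7"))        # local beats 0.0.0.0/0
    print(lookup(PUBLIC_RT, "198.51.100.9"))    # igw-EXAMPLE
    print(lookup(ISOLATED_RT, "198.51.100.9"))  # None: no way out
    print(classify_subnet(PRIVATE_RT))          # private
```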
VPC sharing enables customers to share subnets with other AWS accounts in the same organization in AWS Organizations.
VPC sharing allows multiple AWS accounts to create their application services (Amazon EC2 instances, Amazon RDS databases, Amazon Redshift clusters, and AWS Lambda functions) in shared, centrally managed VPCs
Transitive peering is not supported. For example, suppose that you have three VPCs: A, B, and C. VPC A is connected to VPC B, and VPC A is connected to VPC C. However, VPC B is not implicitly connected to VPC C. To connect VPC B to VPC C, you must explicitly establish that connectivity
Steps to connect your VPC to a remote network:
Create a new virtual gateway device (VPN Gateway) and attach it to your VPC
Define the configuration of the VPN device or the customer gateway. The customer gateway is not a device but an AWS resource that provides information to AWS about your VPN device
Create a custom route table to point corporate data center-bound traffic to the VPN gateway. You also must update security group rules
Establish an AWS Site-to-Site VPN connection to link the two systems together.
Configure routing to pass traffic through the connection.
Dynamic routing protocols can be used
Literally just a physical cable going from an AWS data center backbone to your remote network
A VPC endpoint is a virtual device that enables you to privately connect your VPC to supported AWS services and VPC endpoint services that are powered by AWS PrivateLink. It lets you avoid paying extra if the services being accessed are run by AWS
The connection to these services does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
Instances in your VPC don't require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network
Two types of endpoints:
Interface endpoints (powered by AWS PrivateLink)
Gateway endpoints (Amazon S3 and Amazon DynamoDB)
Gives a central place to manage and configure VPCs
Security groups: the default is to block all traffic, and the only rules that you can create are allow rules
A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
Default network ACLs allow all inbound and outbound IPv4 traffic.
Network ACLs are stateless, which means that no information about a request is maintained after a request is processed.
The lower the rule number, the higher its priority (rules are evaluated in ascending number order)
                   Security groups                              Network ACLs
Scope              Instance level                               Subnet level
Supported rules    Allow rules only                             Allow and deny rules
State              Stateful (return traffic is automatically    Stateless (return traffic must be
                   allowed, regardless of rules)                explicitly allowed by rules)
Order of rules     All rules are evaluated before the           Rules are evaluated in number order
                   decision to allow traffic                    before the decision to allow traffic
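As an added example (not from the module notes), this Python simulates the security group and network ACL rule engines side by side on constructed sample rules, showing number-order evaluation, the implicit final deny, and why a stateless ACL needs its own outbound rule for reply traffic while a stateful security group does not.

```python
import ipaddress

# Added example (not from the course notes): simulate the two rule engines
# compared above on constructed sample rules. Network ACL rules are
# evaluated in number order, the first match decides, an implicit final
# rule ("*") denies everything else, and replies need their own outbound
# rule (stateless). Security groups are allow-only and stateful.

# Constructed sample rules: (rule number, protocol, (from, to) ports, CIDR, action)
NACL_INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (22, 22), "203.0.113.0/24", "allow"),   # admin range first
    (120, "tcp", (22, 22), "0.0.0.0/0", "deny"),         # then everyone else
]
NACL_OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),   # ephemeral ports for replies
]
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]          # (protocol, ports, CIDR)


def _matches(proto, port, ip, rproto, rports, rcidr):
    return (proto == rproto and rports[0] <= port <= rports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rcidr))


def nacl_evaluate(rules, proto, port, ip):
    """Lowest-numbered matching rule decides; no match falls to the '*' deny."""
    for num, rproto, rports, rcidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, port, ip, rproto, rports, rcidr):
            return action, num
    return "deny", "*"


def sg_evaluate(rules, proto, port, ip):
    """Allow-only: every rule is considered, any match allows, otherwise deny."""
    for rproto, rports, rcidr in rules:
        if _matches(proto, port, ip, rproto, rports, rcidr):
            return "allow"
    return "deny"


def nacl_session_ok(inbound, outbound, proto, port, client_ip, reply_port):
    """Stateless: the request AND its reply must each be explicitly allowed."""
    req, _ = nacl_evaluate(inbound, proto, port, client_ip)
    rep, _ = nacl_evaluate(outbound, proto, reply_port, client_ip)
    return req == "allow" and rep == "allow"


def sg_session_ok(inbound, proto, port, client_ip):
    """Stateful: once the request is allowed, its reply is allowed automatically."""
    return sg_evaluate(inbound, proto, port, client_ip) == "allow"
```

Swapping the numbers of rules 110 and 120 would make the broad deny win first and lock the admin range out too, which is the ordering pitfall the table describes.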
Is a highly available and scalable Domain Name System (DNS) web service
Is used to route end users to internet applications by translating names (www.example.com) into numeric IP addresses (like 192.0.2.1) that computers use to connect
Works with IPv4 and IPv6
Connects user requests to infrastructure running in AWS and also outside of AWS
Can be used to check the health of your resources
Lets you register domain names
Process Route 53 follows when a user initiates a DNS request
With Route 53, the user is automatically directed to the Elastic Load Balancing load balancer that's closest to the user. This allows for latency-based routing to the Region and load-balancing routing to the Availability Zone
Route 53 can provide high availability by allowing you to:
Configure backup and failover scenarios for your own applications
Enable highly available multi-region architectures on AWS
Create health checks
Fast, global, and secure CDN service
Global network of edge locations and Regional edge caches
Self-service model
Pay-as-you-go pricing