AWS Cloud Foundations
Module 5


Amazon VPC

  • Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

  • Gives you control over your virtual networking resources

    • IP address range

    • Creation of subnets

    • Configuration of route tables and network gateways

  • You can customize the network configuration for your VPC

  • You can use multiple layers of security

VPC and Subnets

  • VPCs are logically isolated from other VPCs and belong only to your own AWS account

  • A VPC belongs to a single Region but can span multiple Availability Zones

  • The subnets belong to a single Availability Zone and are classified as public or private

There ain't no CTRL+Z for the address range once a VPC is created, and the CIDR blocks of its subnets cannot overlap

  • /16 (65,536 addresses) is the maximum size of a VPC

  • /28 (16 addresses) is the minimum size of a VPC

  • IPv6 is also supported

Example

  • For each CIDR block that you create, AWS reserves 5 IP addresses in that block which are not available for use

  • These addresses are reserved for:

    • Network address

    • VPC local router (internal communications)

    • Domain Name System (DNS) resolution

    • Future use

    • Network broadcast address
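A worked check of the limits above, added here as an example (not from the course notes): it uses Python's ipaddress module to list the five reserved addresses in a subnet block and to validate a VPC plan against the /16 to /28 limits, the requirement that subnets sit inside the VPC block, and the no-overlap rule. All CIDRs are constructed samples.

```python
import ipaddress

# AWS limits quoted in the notes: a VPC is at most /16 and at least /28,
# subnets must fall inside the VPC block, and subnet blocks cannot overlap.
VPC_LARGEST_PREFIX = 16   # /16 = 65,536 addresses
VPC_SMALLEST_PREFIX = 28  # /28 = 16 addresses
RESERVED_PER_SUBNET = 5

def reserved_addresses(cidr):
    """The five addresses AWS reserves in a subnet block: the first four and the last."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),
    }

def usable_addresses(cidr):
    """Addresses you can actually assign in a subnet block."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_PER_SUBNET

def validate_vpc_plan(vpc_cidr, subnet_cidrs):
    """Return a list of planning errors; an empty list means the plan is valid."""
    errors = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:  # host bits set, or not a CIDR at all
        return [f"invalid VPC CIDR {vpc_cidr!r}: {exc}"]
    if not VPC_LARGEST_PREFIX <= vpc.prefixlen <= VPC_SMALLEST_PREFIX:
        errors.append(f"VPC {vpc} must be between /16 and /28")
    subnets = []
    for cidr in subnet_cidrs:
        try:
            subnets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            errors.append(f"invalid subnet CIDR {cidr!r}: {exc}")
    for s in subnets:
        if not s.subnet_of(vpc):
            errors.append(f"subnet {s} is outside VPC {vpc}")
        if s.prefixlen > VPC_SMALLEST_PREFIX:
            errors.append(f"subnet {s} is smaller than /28")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):  # the range cannot be changed after creation, so catch it now
                errors.append(f"subnets {a} and {b} overlap")
    return errors
```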

Public IP address types

  • Public IPv4 address

    • Manually assigned through an Elastic IP address

    • Automatically assigned through the auto-assign public IP address settings at the subnet level

    • Uses NAT

  • Elastic IP address

    • Associated with your AWS account

    • Can be allocated and remapped anytime

    • Additional costs may apply

Elastic network interface

  • A virtual network interface that you can detach from an instance and attach to another instance to redirect network traffic

  • Its attributes follow when it's reattached to a new instance

You cannot detach a primary network interface from an instance.

Route tables and routes

  • You can configure route tables to direct network traffic from your subnet

  • Each route specifies a destination and a target

  • By default, every route table contains a local route for communication within the VPC

  • A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table

Some Takeaways

  • A VPC is a logically isolated section of the AWS Cloud

  • A VPC belongs to one Region and requires a CIDR block.

  • A VPC is subdivided into subnets.

  • A subnet belongs to one Availability Zone and requires a CIDR block.

  • Route tables control traffic for a subnet.

  • Route tables have a built-in local route.

  • You add additional routes to the table

  • The local route cannot be deleted

Internet Gateway

An internet gateway allows communication between instances in your VPC and the internet and serves two purposes:

  1. Provide a target in your VPC route tables for internet-routable traffic

  2. Perform NAT for instances that were assigned public IPv4 addresses

To make a subnet public, you attach an internet gateway to your VPC and add a route to the route table to send non-local traffic through the internet gateway to the internet (0.0.0.0/0)

NAT Gateway

Functions the same way a router performing NAT would: it allows private-to-public translation but blocks connections initiated from the internet

Creation steps:

  1. Specify the public subnet in which the NAT gateway should reside

  2. Specify an Elastic IP address to associate with the NAT gateway

  3. Update the route table that is associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway

You can also use a NAT instance in a public subnet in your VPC instead of a NAT gateway, but a NAT gateway is a managed NAT service that provides better availability, higher bandwidth, and less administrative effort.

AWS recommends that you use a NAT gateway instead of a NAT instance.
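To make the public/private subnet distinction concrete, here is an added example (not part of the course notes) that models the two route tables in Python and resolves a destination to its target. It assumes, as AWS does, that the most specific matching route wins; the IDs igw-PLACEHOLDER and nat-PLACEHOLDER and the client address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed VPC block

# Each route is (destination, target). Every table carries the built-in local
# route; the public table sends non-local traffic to an internet gateway, the
# private table sends it to a NAT gateway. Gateway IDs are constructed placeholders.
PUBLIC_ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
ISOLATED_ROUTE_TABLE = [(VPC_CIDR, "local")]  # no path to the internet at all

def lookup_route(route_table, dst_ip):
    """Return the target for dst_ip, or None when no route matches (packet is dropped).
    Assumption: the most specific matching destination (longest prefix) wins."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def reachable_from_internet(route_table, has_public_ipv4):
    """A connection initiated from the internet only arrives when the subnet routes
    to an internet gateway AND the instance has a public IPv4 address; a NAT
    gateway blocks connections initiated from the internet."""
    target = lookup_route(route_table, "203.0.113.10") or ""
    return target.startswith("igw-") and has_public_ipv4

def can_reach_internet(route_table, has_public_ipv4):
    """Outbound internet access works through a NAT gateway, or through an internet
    gateway if the instance has a public IPv4 address for the gateway to NAT."""
    target = lookup_route(route_table, "203.0.113.10") or ""
    return target.startswith("nat-") or (target.startswith("igw-") and has_public_ipv4)
```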

VPC Sharing

VPC sharing enables customers to share subnets with other AWS accounts in the same organization in AWS Organizations.

VPC sharing allows multiple AWS accounts to create their application resources (Amazon EC2 instances, Amazon RDS databases, Amazon Redshift clusters, and AWS Lambda functions) in shared, centrally managed VPCs

VPC Peering

Transitive peering is not supported. For example, suppose that you have three VPCs: A, B, and C. VPC A is peered with VPC B, and VPC A is peered with VPC C. VPC B is not implicitly connected to VPC C; to connect VPC B to VPC C, you must explicitly establish that peering connection

AWS Site-to-Site VPN

Steps to connect your VPC to a remote network:

  1. Create a virtual private gateway (VPN gateway) and attach it to your VPC

  2. Define the configuration of the VPN device, that is, the customer gateway. The customer gateway is not a device but an AWS resource that gives AWS information about your VPN device

  3. Create a custom route table to point corporate data center-bound traffic to the VPN gateway. You also must update security group rules

  4. Establish an AWS Site-to-Site VPN connection to link the two systems together.

  5. Configure routing to pass traffic through the connection.

Dynamic routing protocols can be used

AWS Direct Connect

Literally just a dedicated physical connection from your remote network into the AWS data center backbone

VPC Endpoints

A VPC endpoint is a virtual device that enables you to privately connect your VPC to supported AWS services and to VPC endpoint services that are powered by AWS PrivateLink. Because the traffic stays private, you do not pay extra for reaching services that are run by AWS

The connection to these services does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection

Instances in your VPC don't require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network

Two types of endpoints:

  • Interface endpoints (powered by AWS PrivateLink)

  • Gateway endpoints (Amazon S3 and Amazon DynamoDB)

AWS Transit Gateway

Gives you a central place to manage and configure connectivity between your VPCs

Security Groups

The default is to block all traffic, and the only rules you can create are allow rules

Network ACLs

  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.

  • Default network ACLs allow all inbound and outbound IPv4 traffic.

  • Network ACLs are stateless, which means that no information about a request is maintained after the request is processed (return traffic needs its own rule)

  • The lower the rule number, the higher its priority: rules are evaluated in ascending number order

Differences between Security Groups and Network ACLs

  • Scope

    • Security groups: instance level

    • Network ACLs: subnet level

  • Supported rules

    • Security groups: allow rules only

    • Network ACLs: allow and deny rules

  • State

    • Security groups: stateful (return traffic is automatically allowed, regardless of rules)

    • Network ACLs: stateless (return traffic must be explicitly allowed by rules)

  • Order of rules

    • Security groups: all rules are evaluated before the decision to allow traffic

    • Network ACLs: rules are evaluated in number order before the decision to allow traffic
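The state and rule-order rows above, as an added Python example (not from the course notes): it evaluates constructed packets against a constructed network ACL in rule-number order and against a security group that has allow rules only, and shows why a reply on an ephemeral port passes the security group automatically but needs its own outbound ACL rule. All addresses, ports and rule numbers are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    remote: str     # address of the other party, outside the instance
    port: int       # destination port of this packet
    direction: str  # "inbound" or "outbound", relative to the instance
    is_reply: bool  # True when this is the return leg of an already-allowed flow

# Constructed network ACL: (rule number, direction, remote CIDR, (low, high) port, action).
# Rules are evaluated in ascending number order and the first match wins; anything
# unmatched hits the implicit final "*" rule, which denies.
NACL = [
    (100, "inbound", "0.0.0.0/0", (443, 443), "allow"),
    (110, "inbound", "198.51.100.0/24", (22, 22), "deny"),
    (120, "inbound", "0.0.0.0/0", (22, 22), "allow"),
    (100, "outbound", "0.0.0.0/0", (1024, 65535), "allow"),  # replies use ephemeral ports
]

# Constructed security group: inbound allow rules only, as (remote CIDR, (low, high)).
SG_INBOUND = [("0.0.0.0/0", (443, 443))]

def _matches(cidr, ports, pkt):
    low, high = ports
    return ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(cidr) and low <= pkt.port <= high

def nacl_decision(rules, pkt):
    """Stateless: every packet, replies included, is checked against the numbered rules."""
    for _, direction, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
        if direction == pkt.direction and _matches(cidr, ports, pkt):
            return action
    return "deny"  # implicit "*" rule

def sg_decision(inbound_rules, pkt):
    """Stateful: return traffic of a permitted flow is allowed regardless of rules;
    a new inbound connection needs a matching allow rule (there are no deny rules)."""
    if pkt.is_reply:
        return "allow"
    return "allow" if any(_matches(c, p, pkt) for c, p in inbound_rules) else "deny"
```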

Amazon Route 53

  • Is a highly available and scalable Domain Name System (DNS) web service

  • Is used to route end users to internet applications by translating names (www.example.com) into numeric IP addresses (like 192.0.2.1) that computers use to connect

  • Works with IPv4 and IPv6

  • Connects user requests to infrastructure running in AWS and also outside of AWS

  • Can be used to check the health of your resources

  • Lets you register domain names

Route 53 DNS resolution

Figure: the process Route 53 follows when a user initiates a DNS request

Multi-region deployment

With Route 53, the user is automatically directed to the Elastic Load Balancing load balancer that is closest to the user. This allows for latency-based routing to the Region and load balancing routing to the Availability Zone

Route 53 DNS Failover

Route 53 can provide high availability by allowing you to:

  • Configure backup and failover scenarios for your own applications

  • Enable highly available multi-region architectures on AWS

  • Create health checks

Amazon CloudFront

  • Fast, global, and secure CDN service

  • Global network of edge locations and Regional edge caches

  • Self-service model

  • Pay-as-you-go pricing