A VPC is a logical datacenter in AWS.
A VPC consists of:
Internet Gateways or Virtual Private gateways
Route Tables
Network Access Control Lists
Subnets
Security Groups
1 subnet = 1 Availability Zone
Security Groups are stateful.
Network Access Control Lists are stateless.
No Transitive Peering
VPC Management
→ Creating a VPC creates a default Route Table, Network Access Control List (NACL) and Security Group.
→ Subnets and the default Internet Gateway have to be created by the user.
→ us-east-1a in one account can be a completely different Availability Zone from us-east-1a in another AWS account; the AZ names are randomized per account.
→ Amazon reserves five IP addresses within each subnet.
→ Only one Internet Gateway per VPC is allowed.
Security Groups can’t span VPCs.
NAT Instances VS NAT Gateways
→ Both let instances in a private subnet access the internet.
→ A NAT Instance is an EC2 instance that lets instances in a private subnet access the internet.
→ A NAT Instance needs the source/destination check disabled on the instance.
→ A NAT Instance must be in a public subnet.
→ A NAT Instance can become a bottleneck when there is too much traffic.
→ A NAT Instance can be a Single Point of Failure.
→ NAT Instances are always behind a Security Group.
→ NAT Gateways are a highly available replacement for NAT Instances.
→ Only one NAT Gateway per Availability Zone is available.
→ A NAT Gateway does not need to be configured with a Security Group.
→ If resources span multiple Availability Zones but there is only one NAT Gateway, that gateway becomes a Single Point of Failure.
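The single-point-of-failure note above is easy to check mechanically: every private subnet's default route should point at a NAT Gateway that sits in a public subnet in the same Availability Zone. The script below is an added example, not code from the original notes; the subnet, route table and NAT Gateway IDs are constructed so it runs offline (in practice the three lists would come from the EC2 describe-subnets, describe-route-tables and describe-nat-gateways calls).

```python
"""Audit private subnets for cross-AZ or missing NAT Gateway routes.

Added example with a constructed topology; all IDs below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Subnet:
    subnet_id: str
    az: str


@dataclass
class RouteTable:
    rtb_id: str
    subnet_ids: List[str]
    default_target: Optional[str]  # target of the 0.0.0.0/0 route: "igw-…", "nat-…" or None


@dataclass
class NatGateway:
    nat_id: str
    subnet_id: str  # the (public) subnet the NAT Gateway lives in


def audit_nat_routes(subnets: List[Subnet], route_tables: List[RouteTable],
                     nats: List[NatGateway]) -> Dict[str, str]:
    """Return {private_subnet_id: finding} for every private subnet whose
    internet path is missing or depends on another Availability Zone."""
    subnet_by_id = {s.subnet_id: s for s in subnets}
    nat_by_id = {n.nat_id: n for n in nats}

    # Resolve each subnet's default-route target through its route table.
    target_for_subnet: Dict[str, Optional[str]] = {}
    for rtb in route_tables:
        for sid in rtb.subnet_ids:
            target_for_subnet[sid] = rtb.default_target

    # A subnet is public when its default route goes to an Internet Gateway.
    public = {sid for sid, t in target_for_subnet.items() if t and t.startswith("igw-")}

    findings: Dict[str, str] = {}
    for s in subnets:
        if s.subnet_id in public:
            continue  # public subnet: no NAT dependency to check
        target = target_for_subnet.get(s.subnet_id)
        if target is None or not target.startswith("nat-"):
            findings[s.subnet_id] = "no NAT route: no internet access"
            continue
        nat = nat_by_id.get(target)
        if nat is None:
            findings[s.subnet_id] = f"route points at unknown NAT Gateway {target}"
            continue
        nat_subnet = subnet_by_id[nat.subnet_id]
        if nat.subnet_id not in public:
            findings[s.subnet_id] = f"{nat.nat_id} is not in a public subnet"
        elif nat_subnet.az != s.az:
            findings[s.subnet_id] = (f"cross-AZ NAT: {nat.nat_id} is in {nat_subnet.az}, "
                                     f"subnet is in {s.az} (SPOF if {nat_subnet.az} fails)")
    return findings


# Constructed topology: one NAT Gateway in us-east-1a serving three AZs.
SUBNETS = [
    Subnet("subnet-pub-a", "us-east-1a"), Subnet("subnet-pub-b", "us-east-1b"),
    Subnet("subnet-priv-a", "us-east-1a"), Subnet("subnet-priv-b", "us-east-1b"),
    Subnet("subnet-priv-c", "us-east-1c"),
]
ROUTE_TABLES = [
    RouteTable("rtb-public", ["subnet-pub-a", "subnet-pub-b"], "igw-main"),
    RouteTable("rtb-priv-a", ["subnet-priv-a"], "nat-a"),
    RouteTable("rtb-priv-b", ["subnet-priv-b"], "nat-a"),   # depends on another AZ
    RouteTable("rtb-priv-c", ["subnet-priv-c"], None),      # no internet path at all
]
NATS = [NatGateway("nat-a", "subnet-pub-a")]

FINDINGS = audit_nat_routes(SUBNETS, ROUTE_TABLES, NATS)

if __name__ == "__main__":
    for sid, msg in sorted(FINDINGS.items()):
        print(f"{sid}: {msg}")
```

Only subnet-priv-a is clean; subnet-priv-b reports a cross-AZ dependency and subnet-priv-c has no route. The fix the notes imply is one NAT Gateway per Availability Zone, each referenced from that AZ's private route table.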
Network Access Control List
→ Rule 100 is for IPv4.
→ Rule 101 is for IPv6.
→ A new NACL denies everything by default.
→ Each subnet needs to be associated with a NACL.
→ A NACL and a subnet have a one-to-one relationship.
→ NACLs are stateless: inbound and outbound rules need to be set independently.
→ Add inbound rules to let the internet reach the instances in the subnet.
→ Add outbound rules to let the EC2 instances in the subnet reach the internet.
→ Ephemeral ports need to be allowed when internet access is needed.
→ Allow and Deny rules are evaluated in order of rule number, lowest first; the first matching rule wins.
→ NACLs are always applied before Security Groups.
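The two points that trip people up, rule ordering and statelessness, can be reproduced with a small simulator. The code below is an added example, not part of the original notes; the rule sets, CIDRs and ports are constructed. It applies AWS semantics: rules are checked in ascending rule-number order, the first match decides, and the implicit final `*` rule denies. Because a NACL keeps no connection state, a TCP session is only usable when the request direction and the reply direction (to the client's ephemeral port) are both allowed.

```python
"""Simulate stateless NACL evaluation for a client-to-server TCP session.

Added example; rule sets and addresses are constructed for illustration.
A rule is (rule_number, protocol, cidr, port_from, port_to, action).
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Rule = Tuple[int, str, str, int, int, str]


def evaluate(rules: List[Rule], protocol: str, addr: str, port: int) -> str:
    """Return "ALLOW" or "DENY" for one packet.

    Inbound rules match on source CIDR and destination port; outbound rules
    match on destination CIDR and destination port. Lowest rule number wins.
    """
    for _num, proto, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
        if proto not in ("all", protocol):
            continue
        if ip_address(addr) not in ip_network(cidr):
            continue
        if not lo <= port <= hi:
            continue
        return action
    return "DENY"  # the implicit '*' rule at the end of every NACL


def tcp_session_allowed(inbound: List[Rule], outbound: List[Rule],
                        client_ip: str, server_port: int, client_port: int) -> bool:
    """True only if the request reaches the server AND the reply can leave.

    The reply is an outbound packet to client_ip on the client's ephemeral
    port, so the outbound rules must cover that port range explicitly.
    """
    request = evaluate(inbound, "tcp", client_ip, server_port)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "ALLOW" and reply == "ALLOW"


# Constructed inbound rules: HTTPS and SSH from anywhere, except that rule 90
# denies SSH from one block before rule 110 would allow it.
INBOUND: List[Rule] = [
    (100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW"),
    (110, "tcp", "0.0.0.0/0", 22, 22, "ALLOW"),
    (90, "tcp", "203.0.113.0/24", 22, 22, "DENY"),
]

# Outbound rules that forgot the ephemeral range: replies to clients are dropped.
OUTBOUND_NO_EPHEMERAL: List[Rule] = [
    (100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW"),
]

# Corrected outbound rules: add the ephemeral port range for return traffic.
OUTBOUND_FIXED: List[Rule] = OUTBOUND_NO_EPHEMERAL + [
    (110, "tcp", "0.0.0.0/0", 1024, 65535, "ALLOW"),
]

if __name__ == "__main__":
    print("HTTPS without ephemeral rule:",
          tcp_session_allowed(INBOUND, OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 443, 51515))
    print("HTTPS with ephemeral rule:   ",
          tcp_session_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 443, 51515))
    print("SSH from denied block:       ", evaluate(INBOUND, "tcp", "203.0.113.9", 22))
```

With the first outbound set the inbound HTTPS request is allowed but the session still fails, because the reply to port 51515 hits the implicit deny; adding rule 110 for 1024-65535 fixes it. The SSH case shows why rule numbers matter: the deny at 90 is reached before the allow at 110, so swapping those numbers would silently open the port.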
VPC Flow Logs
→ Captures information about the IP traffic going to and from network interfaces in the VPC.
→ Flow logs can be created at three levels.
→ Can log both accepted and rejected traffic.
→ Flow logs cannot be created cross-account for VPC peering connections.
→ A VPC Flow Log's configuration cannot be changed once it is created.
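Since flow logs record both ACCEPT and REJECT decisions, they are the natural place to look for probing against a subnet. The parser below is an added example, not code from the original notes. It reads records in the default flow-log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), handles NODATA records whose fields are `-`, and flags any source whose traffic was rejected on several distinct destination ports within the capture window. The log lines, account ID, ENI ID and addresses are all constructed.

```python
"""Parse default-format VPC Flow Log records and summarise rejected traffic.

Added example; the sample records below are constructed (account id, ENI id
and addresses are made up). Field order follows the default flow-log format.
"""
from typing import Dict, List, Optional, Set

FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one host probing three ports (all rejected), one normal
# HTTPS session, and a NODATA record with no traffic in the window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 41234 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 41235 23 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 41236 3389 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.20 52000 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line: str) -> Dict[str, Optional[object]]:
    """Split one space-separated record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, Optional[object]] = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])  # type: ignore[arg-type]
    return rec


def parse_log(text: str) -> List[Dict[str, Optional[object]]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records) -> Dict[str, Set[int]]:
    """Map each source address to the set of destination ports it was rejected on."""
    result: Dict[str, Set[int]] = {}
    for rec in records:
        if rec["action"] == "REJECT":
            result.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return result


def noisy_sources(records, min_ports: int = 3) -> List[str]:
    """Sources rejected on at least min_ports distinct ports: a port-scan signal."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, ports in rejected_ports_by_source(recs).items():
        print(f"{src}: rejected on ports {sorted(ports)}")
    print("noisy sources:", noisy_sources(recs))
```

The threshold of three ports is arbitrary and would be tuned per environment; the useful part is that a REJECT count alone says little, while distinct rejected ports per source in a short window is a much sharper signal. Records with `log_status` of NODATA or SKIPDATA carry no addresses and are skipped naturally because their `action` is `-`.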
Bastions
→ Designed and configured to withstand attacks.
→ A Bastion is used to securely administer EC2 instances.
→ A NAT Gateway cannot be used as a Bastion Host.
Direct Connect
→ Dedicated connection between a local network and the Amazon network.
Global Accelerator
→ Improves performance and availability.
→ Uses the Amazon backbone network.
→ Provides two IP addresses, or you can configure your own.
→ Provides an accelerator.
→ Provides a DNS name.
→ Provides a network zone.
→ Provides a listener that supports UDP and TCP.
→ Provides a port.
→ Provides an endpoint group that includes ALBs, NLBs, EC2 instances and Elastic IP addresses.
VPC endpoint
→ Connect EC2 instances privately, without an Internet Gateway.
→ Two types of VPC endpoints:
- Interface endpoints
- Gateway endpoints
→ Interface Endpoint
→ Attaches an ENI to the EC2 instance.
→ Gateway Endpoint
→ Supports S3 and DynamoDB.
AWS Private Link
→ Doesn't require VPC Peering or opening up services in the subnet to the internet.
→ Shares an application in one VPC with other VPCs easily.
→ Requires a Network Load Balancer on the provider side and an ENI on the consumer side.
AWS Transit Gateway
→ A single point that all VPCs and on-premises data centers connect to.
→ Works with Direct Connect.
→ Works across multiple AWS accounts.
→ Uses route tables to restrict access between VPCs.
→ IP multicast is supported.
→ Simplifies the network topology.
AWS VPN CloudHub
→ Cross-region VPN connections.