-In a single Region/account you can have multiple VPCs (default limit: 5 per Region).
-A VPC spans all AZs of its Region; each subnet lives in exactly one AZ.
-By default all subnets within a VPC can communicate with each other (through the "local" route).
-One Internet gateway per VPC.
-The first 4 and the last IP address of every subnet are reserved by AWS (network address, VPC router, DNS, future use, broadcast).
-VPC CIDR: minimum /28 = 16 addresses, maximum /16 = 65,536 addresses.
-The VPC CIDR must not overlap with other VPCs you may want to peer with or with the corporate network.
-The source/destination check must be disabled on a NAT instance.
-One NAT gateway per AZ for high availability (a NAT gateway lives in a single AZ).
-A route whose target no longer exists shows the status "blackhole" in the route table; traffic matching it is dropped.
Default VPC
Samples
Sales department: does not want its servers shared with other departments.
-Create a Sales VPC. VPCs can be created per department or per environment, e.g.
Prod VPC / Developer VPC.
10.1.0.0/16
All servers in that VPC will have the network ID 10.1.x.x.
Sub network / Subnet:
- Always resides in exactly one Availability Zone.
- Every subnet can be associated with only one route table, but a route table can be associated with more than one subnet.
- The allowed netmask is between /28 and /16, which gives 16 to 65,536 possible IP addresses in a VPC.
- AWS reserves the first four and the last IP address in each subnet's CIDR block; they are not available for use.
Sample:
Sales Subnet 10.1.1.0/24. I can divide my servers into multiple subnets.
Private IP 10.1.1.222: the last octet is the host ID.
A public IP is a globally unique address that Amazon provides, reachable over the internet.
Prod VPC: 10.50.0.0/16
Subnet: use as small a range as possible.
Prod Subnet -1 10.50.1.0/24
Prod Subnet-2 10.50.
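The sizing, reserved-address and overlap rules above (and the "no overlapping CIDRs" rule for peering further down) as a small planning helper. This is an added example, not code from the original notes; the VPC, corporate and AZ values are made up to match the page's samples, and the public/private tiers are an assumption.

```python
"""Subnet planning helper for the VPC notes above (added example, not from the page)."""
import ipaddress

VPC_MIN_PREFIX = 16   # largest VPC AWS allows: /16 = 65,536 addresses
VPC_MAX_PREFIX = 28   # smallest VPC or subnet AWS allows: /28 = 16 addresses


def check_vpc_cidr(cidr, existing):
    """Validate a VPC CIDR against the /16../28 limit and against ranges it must not overlap
    (other VPCs you may peer with, the corporate network). Returns a list of problems."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not (VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX):
        problems.append(f"{cidr}: prefix must be between /16 and /28")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr} overlaps {other}: peering/VPN routing would be ambiguous")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet (first four plus broadcast)."""
    net = ipaddress.ip_network(subnet_cidr)
    base = net.network_address
    return {
        "network": base,
        "vpc_router": base + 1,
        "dns": base + 2,
        "future_use": base + 3,
        "broadcast": net.broadcast_address,
    }


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign: total minus the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def carve_subnets(vpc_cidr, prefix, azs, tiers=("public", "private")):
    """Split a VPC into one subnet per (tier, AZ) pair, handing out blocks in order."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=prefix)
    plan = {}
    for tier in tiers:
        for az in azs:
            plan[(tier, az)] = str(next(blocks))
    return plan


if __name__ == "__main__":
    # Constructed inputs: the page's Prod VPC against a Sales VPC and a corporate range.
    print(check_vpc_cidr("10.50.0.0/16", ["10.1.0.0/16", "192.168.0.0/16"]))
    print(reserved_addresses("10.50.1.0/24"), usable_hosts("10.50.1.0/24"))
    print(carve_subnets("10.50.0.0/16", 24, ["eu-west-1a", "eu-west-1b"]))
```

A /24 subnet leaves 251 usable hosts, a /28 only 11, which is why the page's advice to "use as small a range as possible" has a floor: below /28 AWS will not let you create the subnet at all.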
Internet Gateway (IGW):
- An internet gateway must exist before anything in the VPC can reach, or be reached from, the internet.
- The VPC needs a gateway to connect to the internet.
- Attach the IGW to the VPC.
- The subnet must learn about the gateway through a route table entry.
- Add a route table entry: 0.0.0.0/0 -> the IGW.
- Associate the subnet with that route table.
- One internet gateway per VPC.
- Every instance in the subnet that needs internet access must have a public IP or an Elastic IP.
- Network ACLs and security groups must be configured to allow the traffic to and from the instances.
NAT Gateway:
- A private subnet gets outbound internet connectivity through a NAT (network address translation) device.
- NAT rewrites the source address of outbound packets to its own public address and maps the replies back; it is address translation, not an application-layer proxy.
- NAT gateway: chargeable (hourly plus per GB processed).
- Always created in a subnet that has internet access, i.e. a public subnet whose route table sends 0.0.0.0/0 to the internet gateway.
- A public NAT gateway cannot be created without an Elastic IP address. Allocating an EIP manually does not associate it with anything; it stays allocated to the account until released.
- Private server (no public IP) -> NAT gateway -> internet.
- It is a managed service with better availability and bandwidth than a NAT instance.
- To give an isolated server outbound access:
1) Create a NAT gateway in the public subnet.
2) Create a new route table with 0.0.0.0/0 -> the NAT gateway.
3) Associate the private subnet (prod) with that route table.
Even though the server has no public IP, it can now reach the internet, while still not being reachable from the internet.
NAT Instance:
- Another alternative to a NAT gateway.
- Runs as an EC2 instance in the VPC (source/destination check disabled; you manage patching and availability yourself).
Route Table:
- Defines a set of rules (routes) that determine where network traffic is directed.
- Every route table has a "local" route for the VPC CIDR that allows traffic between all subnets in the VPC; it cannot be removed.
- Each subnet is associated with exactly one route table (the main route table if none is explicitly associated).
- 0.0.0.0/0 is the default route and matches every destination; pointing it at an IGW makes the subnet public.
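The IGW, NAT gateway and route table sections above describe one pattern: public subnets route 0.0.0.0/0 to the IGW, private subnets route it to a NAT gateway that itself sits in a public subnet, and a route whose target is gone becomes a blackhole. The audit below checks exactly that. It is an added example, not from the original notes: the input mirrors the shape of `aws ec2 describe-route-tables` output, but the table, subnet and gateway IDs and the NAT-gateway-to-subnet map are constructed.

```python
"""Audit route tables for the public/private/NAT pattern (added example, not from the page)."""
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
SAMPLE = json.loads("""
{
 "RouteTables": [
  {"RouteTableId": "rtb-public", "VpcId": "vpc-prod",
   "Associations": [{"SubnetId": "subnet-public-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-prod",
   "Associations": [{"SubnetId": "subnet-prod-1"}],
   "Routes": [
     {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]},
  {"RouteTableId": "rtb-oops", "VpcId": "vpc-prod",
   "Associations": [{"SubnetId": "subnet-db"}],
   "Routes": [
     {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted", "State": "blackhole"}]},
  {"RouteTableId": "rtb-main", "VpcId": "vpc-prod",
   "Associations": [{"Main": true}],
   "Routes": [
     {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"}]}
 ]
}
""")

# Constructed: which subnet each NAT gateway lives in (would come from describe-nat-gateways).
NAT_GATEWAY_SUBNETS = {"nat-0def": "subnet-public-a"}


def default_route(table):
    """Return the 0.0.0.0/0 route of a route table, or None if it has no default route."""
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r
    return None


def classify(table):
    """public: default route -> IGW; private: -> NAT gateway; isolated: no default route."""
    r = default_route(table)
    if r is None:
        return "isolated"
    if r.get("State") == "blackhole":
        return "blackhole"
    if r.get("GatewayId", "").startswith("igw-"):
        return "public"
    if "NatGatewayId" in r:
        return "private"
    return "other"


def audit(data, nat_subnets):
    """Map every explicitly associated subnet to its classification and collect problems."""
    by_subnet = {}
    problems = []
    for table in data["RouteTables"]:
        kind = classify(table)
        for assoc in table["Associations"]:
            if assoc.get("Main"):
                # The main table serves every subnet without an explicit association,
                # so a public main table makes each new subnet internet-facing by default.
                if kind == "public":
                    problems.append(f"{table['RouteTableId']}: main route table is public")
                continue
            subnet = assoc["SubnetId"]
            by_subnet[subnet] = kind
            if kind == "blackhole":
                problems.append(f"{subnet}: default route target is gone (blackhole), traffic is dropped")
    # A NAT gateway only works from a public subnet; otherwise private subnets have no path out.
    for nat, subnet in nat_subnets.items():
        if by_subnet.get(subnet) != "public":
            problems.append(f"{nat}: NAT gateway subnet {subnet} is not public")
    return by_subnet, problems


if __name__ == "__main__":
    kinds, found = audit(SAMPLE, NAT_GATEWAY_SUBNETS)
    print(kinds)
    print("\n".join(found))
```

Feed it the real JSON from `aws ec2 describe-route-tables` and `describe-nat-gateways` and the same checks apply; the blackhole case is what you see after someone deletes a NAT gateway without updating the private route table.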
Elastic IP addresses:
- By default the public IP address is released when the instance is terminated (or stopped).
- To retain a public address across terminations, allocate an Elastic IP: a static public IPv4 address
assigned to your account that your instances can use.
- It can be associated with an instance or with a network interface.
VPC Peering:
- One-to-one peering between two VPCs.
- Works within a Region and across Regions (inter-region peering), and across accounts.
- Peering is a one-to-one relationship and is not transitive: A<->B and B<->C does not give A<->C.
- VPCs with overlapping CIDR blocks / the same IP ranges cannot be peered.
Packet path: Internet/Virtual Private Gateway (VPC) --> Route Table --> Network ACL --> Subnet --> Security Group --> Instance
Inter Communications (connecting VPCs and on-premises networks)
- Use inter-region VPC peering.
- Implement a fully meshed architecture (every VPC peered with every other, since peering is not transitive).
- Software/hardware based VPN (bandwidth and latency limits).
- Direct Connect.
- VPN CloudHub.
VPC Endpoints: enable private connectivity to services hosted in AWS from within your VPC, without an Internet Gateway, VPN, NAT device or firewall proxy.
-To push messages to Amazon SNS topics from an Amazon VPC, create an interface VPC endpoint.
Security Group:
- Controls which inbound/outbound traffic may reach or leave an instance (attached to the instance's network interface).
- Allow rules only: there are no deny rules, so anything not explicitly allowed is dropped.
- Stateful: if a request is allowed in, its response is allowed out regardless of outbound rules, and the response to a request sent from the instance is allowed in regardless of inbound rules.
- Rules can be modified at any time and take effect immediately.
- Resides in a VPC.
- Rules are a source/destination (IP range or another security group) plus protocol and port, e.g. MS SQL Server 1433, MySQL 3306, RDP 3389.
- A new security group allows all outbound traffic and denies all inbound traffic; the VPC's default security group additionally allows inbound traffic from instances in the same group.
- Sample names: webserver security group, DB server security group.
Network ACL:
- Sits between the route table and the subnet; applied at the subnet level.
- Separate inbound and outbound rules.
- A custom network ACL denies all inbound and outbound traffic until rules are added; the VPC's default network ACL allows everything.
- Each subnet must be associated with exactly one network ACL; a network ACL can be associated with multiple subnets.
- Stateless: inbound and outbound are evaluated independently, so return traffic must be allowed explicitly (including the ephemeral ports 1024-65535 that replies go back to).
- Rules are evaluated in order starting from the lowest rule number; the first match wins, and the final * rule denies anything unmatched.
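The stateful/stateless difference and the "lowest rule number wins" evaluation are easiest to see by running a packet through both filters. Below is an added example, not code from the original notes: a small model of a security group and a network ACL with constructed rule sets and addresses. It shows an HTTPS request whose reply the security group passes (state) but a network ACL without an ephemeral-port outbound rule drops, and how the order of NACL rule numbers decides whether a deny takes effect.

```python
"""Stateful security group vs stateless network ACL (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = toward the instance, "out" = away from it


def match(ip, port, rule):
    """rule = (cidr, low_port, high_port)."""
    cidr, lo, hi = rule
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi


class SecurityGroup:
    """Allow-only and stateful: replies to a permitted flow are always permitted."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (remote_ip, remote_port, local_port) of permitted connections

    def allows(self, p):
        if p.direction == "in":
            key = (p.src, p.sport, p.dport)
            if key in self.flows:  # reply to a connection the instance opened
                return True
            if any(match(p.src, p.dport, r) for r in self.inbound):
                self.flows.add(key)
                return True
            return False
        key = (p.dst, p.dport, p.sport)
        if key in self.flows:  # reply to a connection that was allowed in
            return True
        if any(match(p.dst, p.dport, r) for r in self.outbound):
            self.flows.add(key)
            return True
        return False


class NetworkACL:
    """Stateless: each direction evaluated on its own, lowest rule number first, final deny."""

    def __init__(self, inbound, outbound):
        # rules: (rule_number, cidr, low_port, high_port, "allow" | "deny")
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    def allows(self, p):
        rules = self.inbound if p.direction == "in" else self.outbound
        remote = p.src if p.direction == "in" else p.dst
        for _num, cidr, lo, hi, action in rules:
            if match(remote, p.dport, (cidr, lo, hi)):
                return action == "allow"  # first match wins
        return False  # the implicit * rule


def new_web_sg():
    """Web server group: HTTPS in from anywhere, deliberately no outbound rules at all."""
    return SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])


# Constructed NACLs. BROKEN lacks the outbound ephemeral-port rule that replies need.
BROKEN_NACL = NetworkACL(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")], outbound=[])
FIXED_NACL = NetworkACL(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")],
                        outbound=[(100, "0.0.0.0/0", 1024, 65535, "allow")])
# Blocklist one source: the deny must carry a LOWER number than the broad allow.
BLOCK_NACL = NetworkACL(inbound=[(50, "198.51.100.0/24", 0, 65535, "deny"),
                                 (100, "0.0.0.0/0", 443, 443, "allow")],
                        outbound=[(100, "0.0.0.0/0", 1024, 65535, "allow")])


def web_request(sg, nacl, client="203.0.113.10", server="10.50.1.20"):
    """One HTTPS request and its reply. Inbound passes NACL then SG; outbound SG then NACL."""
    req = Packet(src=client, dst=server, sport=40001, dport=443, direction="in")
    rep = Packet(src=server, dst=client, sport=443, dport=40001, direction="out")
    req_ok = nacl.allows(req) and sg.allows(req)
    rep_ok = req_ok and sg.allows(rep) and nacl.allows(rep)
    return req_ok, rep_ok


if __name__ == "__main__":
    print("broken NACL:", web_request(new_web_sg(), BROKEN_NACL))   # request in, reply dropped
    print("fixed NACL: ", web_request(new_web_sg(), FIXED_NACL))
    print("blocked src:", web_request(new_web_sg(), BLOCK_NACL, client="198.51.100.5"))
```

The same security group passes the reply in every case because it remembers the flow; only the NACL needs the explicit 1024-65535 outbound rule. If the deny in BLOCK_NACL were numbered 200 instead of 50, rule 100 would match first and the blocklist would never fire.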
Flow logs:
- Records are delivered to CloudWatch Logs or to S3.
- VPC Flow Logs capture metadata about the IP traffic going to and from network interfaces in your VPC (addresses, ports, protocol, byte counts and the ACCEPT/REJECT decision; not packet payloads).
- Can be enabled at three levels: VPC, subnet and network interface.
- From CloudWatch Logs the records can be streamed with a subscription filter to Lambda, Kinesis or Amazon OpenSearch (Elasticsearch).
- You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- Older limitation: flow logs could not be tagged; create-flow-logs now accepts tag specifications.
-Athena can be used to analyse and query flow logs delivered to S3.
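What the flow log records actually look like, and the two detections a practitioner usually runs over them first: a source collecting REJECTs across many ports (a scan hitting the security group or NACL) and unusually large ACCEPTed egress from the VPC to a non-private address. This is an added example, not code from the original notes; the log lines are constructed in the default version-2 record format, and the thresholds, account ID and ENI ID are made up.

```python
"""Parse VPC flow log records and flag scans and large egress (added example, not from the page)."""
import ipaddress
from collections import defaultdict

# Default (version 2) record layout.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: a port scan rejected by the filters, a normal HTTPS exchange
# (both directions are separate records), a NODATA interval, and a big outbound transfer.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.50.1.20 43211 22 6 3 180 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.50.1.20 43212 23 6 3 180 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.50.1.20 43213 3389 6 3 180 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.50.1.20 43214 445 6 3 180 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.50.1.20 43215 1433 6 3 180 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.50.1.20 40001 443 6 20 4000 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.50.1.20 203.0.113.10 443 40001 6 18 24000 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000059 - NODATA
2 123456789012 eni-0a1b2c3d 10.50.1.20 192.0.2.99 51234 4444 6 9000 12000000 1600000000 1600000059 ACCEPT OK
"""

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_record(line):
    """One record -> dict with numeric fields converted; None for NODATA/SKIPDATA or bad lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA/SKIPDATA intervals carry '-' in the traffic fields
        return None
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec


def parse(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def rejected_port_scans(records, min_ports=5):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports_by_src[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def large_egress(records, vpc_cidr, min_bytes=1_000_000):
    """ACCEPTed flows from inside the VPC to a non-RFC1918 address carrying >= min_bytes."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if src in vpc and not any(dst in n for n in RFC1918) and r["bytes"] >= min_bytes:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"], r["bytes"]))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(rejected_port_scans(recs))
    print(large_egress(recs, "10.50.0.0/16"))
```

A REJECT in a flow log means a security group or network ACL dropped the packet; the record does not say which one, so correlate with the subnet's NACL and the ENI's groups when investigating. The same functions apply unchanged to lines pulled from CloudWatch Logs or from the S3 objects Athena would query.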
Best Practices: use public and private subnets; only resources that must be reachable from the internet go in public subnets.
Default Limits
5 VPCs per Region
200 subnets per VPC
200 route tables per VPC
500 security groups per VPC
50 inbound / 50 outbound rules per security group (not per VPC; the current quota is 60)
5 IPv4 CIDR blocks per VPC
5 internet gateways per Region
5 NAT gateways per AZ
200 network ACLs per VPC
20 rules per network ACL (inbound and outbound each)
NAT gateways and VPN connections are charged on an hourly basis.
-Security groups can only allow, so use them to allowlist traffic; network ACLs can deny, so use them to blocklist known-bad sources.
VPC endpoint:
A VPC endpoint lets you connect your VPC privately to supported AWS services and to VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection or AWS Direct Connect connection.
- Instances in your VPC do not need public IP addresses to communicate with the service. Traffic between your VPC and the service does not leave the Amazon network.
Even if no internet access is available or needed, instances in the VPC can still reach AWS services outside the VPC through the endpoint, e.g. listing S3 buckets from a private subnet:
aws s3 ls --region eu-west-1
More:
https://thetechiehouse.blogspot.com/2020/02/vpc-deep-dive.html
https://aws.amazon.com/vpc/faqs/
Site-to-Site VPN: Customer Gateway + Virtual Private Gateway.
Virtual Private Gateway (VGW):
The VPN gateway on the VPC side.
The VGW is created and attached to the VPC; its ASN can be customized.
Customer gateway: the VPN device at the corporate data centre.
IP address of the customer gateway:
Either the static, internet-routable IP address of your customer gateway device
(so the device has a fixed public address),
or, if the device is behind NAT, the public address of the NAT device.
Gateway VPC endpoints exist only for Amazon S3 and Amazon DynamoDB; all other services use interface VPC endpoints.