Sunday, February 16, 2020

VPC - Deep Dive



- A NAT instance can double as a bastion server; a NAT gateway cannot.
- NAT instances support IP-fragmented packets for TCP, UDP and ICMP; a NAT gateway drops them.

VPC Peering:
Communication between two VPCs: traffic between them is routed using the private IP addresses of the instances.
- You cannot edit a VPC peering connection once it is established, and you cannot attach or detach an existing VPC peering connection.
- The requester VPC sends a request to the accepter VPC.
- The requester's route table gets an entry whose destination is the IP address range of the accepter and whose target is the VPC peering connection. The accepter's route table gets the matching entry for the requester's IP address range.

- Transitive VPC peering is not supported: A<--->B and B<--->C does not mean A<--->C.

VPC Endpoints:

- Enable VPC resources to connect to supported services privately, without a NAT instance, internet gateway, VPN or AWS Direct Connect connection.
- Instances in the VPC do not need public IP addresses to communicate with the resources in the endpoint services.
  1. Interface endpoints: an elastic network interface with a private IP address that serves as an entry point, e.g. CloudFormation, CloudWatch.
  2. Gateway endpoints: the endpoint is a gateway that is the target for a specific route in the route table.
     The route table gets a separate entry whose destination is the prefix list ID of the service (e.g. S3) and whose target is the VPC endpoint. Communication goes over AWS private addressing, not the internet.
- Gateway endpoints are not supported outside the VPC.
- Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.
- You cannot transfer an endpoint from one VPC to another, or from one service to another.
- S3 and DynamoDB are the two services with a Gateway endpoint (remember it); all the others have an Interface endpoint (powered by PrivateLink, i.e. a private IP).

How to avoid multiple VPC peering connections:
AWS PrivateLink (VPC endpoint services).

VPC Flow Logs:
- Capture IP traffic going to and from network interfaces in a VPC.
- Flow logs can be sent to S3 buckets or CloudWatch.
- Not captured: DHCP traffic, traffic to the reserved IP addresses of the default VPC, and traffic between an endpoint network interface and an NLB network interface.
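Working through what a flow log actually contains, as an added example (my code, not the blog's): it parses constructed version 2 records in the default field order, sets aside NODATA/SKIPDATA records that carry no traffic fields, and counts REJECTs per source address and destination port, the kind of summary one builds over logs shipped to S3 or CloudWatch. The account ID, ENI IDs and addresses are constructed.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records (not real traffic); addresses use documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.15 203.0.113.9 49152 443 6 12 4800 1581811200 1581811260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.15 51000 22 6 3 180 1581811200 1581811260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.15 51001 3389 6 3 180 1581811200 1581811260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.15 51002 22 6 2 120 1581811260 1581811320 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1581811200 1581811260 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1581811260 1581811320 - SKIPDATA
"""

def parse_flow_log(text):
    """Split whitespace-separated records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated or custom-format line
        records.append(dict(zip(FIELDS, parts)))
    return records

def usable(records):
    """Only log-status OK records carry traffic fields; NODATA/SKIPDATA
    records have '-' there and must not be counted as flows."""
    return [r for r in records if r["log_status"] == "OK"]

def rejects_by_source_port(records):
    """Count REJECT flows per (source address, destination port).
    One source collecting REJECTs on several ports is the pattern a
    security-group/NACL review or an alert would surface."""
    counts = Counter()
    for r in usable(records):
        if r["action"] == "REJECT":
            counts[(r["srcaddr"], int(r["dstport"]))] += 1
    return counts

def accepted_bytes(records):
    """Total bytes of ACCEPTed traffic, ignoring records without data."""
    return sum(int(r["bytes"]) for r in usable(records) if r["action"] == "ACCEPT")

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (src, port), n in rejects_by_source_port(recs).most_common():
        print(f"{src} -> port {port}: {n} rejected flow(s)")
```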

VPC Gateway:
- Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

VPC Direct Connect:
Does not require the internet; instead it relies on a dedicated private network connection between the on-premises network and the AWS VPC.

When to use Direct Connect:
- You need more bandwidth throughput, especially when working with large data sets, and want a lower cost for that bandwidth.
- You need a more consistent network experience because you are seeing packet drops or connection shutdowns.
- Your application relies on real-time data feeds that drop too often.
- You want a hybrid environment of on-premises data center and cloud data center.
It also supports both IPv4 and IPv6.

Connection types: dedicated connections and hosted connections. It takes 1 month to set up a new connection.
Data in transit is not encrypted, but it is private. Use Direct Connect + VPN for an IPsec-encrypted private connection.
Direct Connect Gateway: to connect with multiple VPCs.
- The VPCs must not have overlapping CIDRs.
- It does not replace peering connections.

AWS VPN CloudHub:
Use it when you have multiple branch offices with existing internet connections and want a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.
- The remote network prefixes for each spoke must have unique ASNs, and the sites must not have overlapping IP ranges.
- Each site can also send and receive data from the VPC as if it were using a standard VPN connection.
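Both the Direct Connect gateway and the CloudHub notes require non-overlapping address ranges. As an added example (not from the original post), this checks a set of VPC and site prefixes for overlaps before anyone tries to attach them; the network names and CIDR blocks are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed example: prefixes one might attach to a Direct Connect gateway
# or VPN CloudHub. Names and ranges are hypothetical.
NETWORKS = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-dev": "10.1.0.0/16",
    "vpc-legacy": "10.0.128.0/17",   # lies inside vpc-prod: a conflict
    "branch-office": "192.168.10.0/24",
}

def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose CIDR blocks overlap.
    ipaddress.ip_network() is strict by default, so a block with host bits
    set (e.g. 10.0.1.0/16) raises ValueError instead of silently passing."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return sorted(
        (a, b)
        for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2)
        if net_a.overlaps(net_b)
    )

def can_attach_all(networks):
    """True only when every prefix is disjoint from every other, the
    condition the notes give for Direct Connect gateway and CloudHub."""
    return not find_overlaps(networks)

if __name__ == "__main__":
    for a, b in find_overlaps(NETWORKS):
        print(f"overlap: {a} ({NETWORKS[a]}) and {b} ({NETWORKS[b]})")
    print("safe to attach all:", can_attach_all(NETWORKS))
```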

AWS Site-to-Site VPN connection
Customer Gateway Device:
- A customer gateway device is a physical device or software application on your side of the Site-to-Site VPN connection.
- When you create a virtual private gateway, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN (64512).
- The public IP address value must be static. If your customer gateway is behind a network address translation (NAT) device that is enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.

Custom VPC:
- enableDnsHostnames: whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses. Default false.
- enableDnsSupport: whether DNS resolution through the Amazon DNS server is supported for the VPC. Default true.
Egress-only Internet Gateway:
- Outgoing traffic only, IPv6 only.
- NAT is for IPv4.
 
Transit Gateway: (* network)
- Simplifies network topology.
- Transit Gateways can be peered across regions.
- Connects VPCs and on-premises networks through a central hub.
- Simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only made once.
- Supports IP multicast.

- An Interface endpoint uses AWS PrivateLink and is an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supported service. Using PrivateLink you can connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services.
