Graduate Program KB

VPC

  • Only need to know:
    • VPC, Subnets, Internet Gateways & NAT Gateways
    • Security Groups, Network ACL (NACL), VPC Flow Logs
    • Site to Site VPN & Direct Connect
    • Transit Gateway

IP Addresses in AWS

  • IPv4 - Internet Protocol version 4
    • 4.3 billion addresses
    • A public IPv4 can be used on the Internet
      • An EC2 instance gets a new public IP every time it stops and restarts by default
      • All public IPv4 addresses on AWS are charged $0.005 per hour (including EIP)
        • Free tier: 750 hours usage per month
    • A private IPv4 can be used on private networks (LAN) such as internal AWS networking
      • Fixed for EC2 instances even after stopping and restarting them
  • Elastic IP
    • Allows you to attach a fixed public IPv4 address to EC2 instance
  • IPv6 - Internet Protocol version 6
    • 3.4 x 10^38 addresses
    • Free

VPC & Subnets Primer

  • VPC - Virtual Private Cloud
    • Private network to deploy your resources (regional resource)
  • Subnets
    • Allow you to partition your network inside your VPC (AZ resource)
    • A public subnet is accessible from the internet
    • A private subnet is not accessible from the internet
  • Route Tables are used to define access to the internet and between subnets

Internet Gateway & NAT Gateways

  • Internet Gateways
    • Helps our VPC instances connect with the internet
    • Public subnets have a route to the internet gateway
  • NAT Gateways
    • Managed by AWS
    • NAT Instances are self-managed
    • Allow your instances in your private subnets to access the internet while remaining private

Network ACL & Security Groups

  • NACL (Network ACL)
    • A firewall which controls traffic from and to the subnet
    • Can have ALLOW and DENY rules
    • Attached at the subnet level
    • Rules only include IP addresses
    • Operates at the subnet level
    • Stateless: Return traffic must be explicitly allowed by rules
    • Processes rules in number order when deciding whether to allow traffic
    • Automatically applies to all instances in the subnets it's associated with (don't have to rely on users to specify a security group)
  • Security Groups
    • A firewall that controls traffic to and from an ENI / an EC2 Instance
    • Can have only ALLOW rules
    • Rules include IP addresses and other security groups
    • Operates at the instance level
    • Stateful: Return traffic is automatically allowed, regardless of any rules
    • Evaluates all rules before deciding whether to allow traffic
    • Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on
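An added example (my own code, not from these notes or from AWS) that models the differences listed above as a small Python simulation: NACL rules are stateless and evaluated in rule-number order with an implicit deny, while a security group has allow-only rules, evaluates them all regardless of order, and tracks connection state so the reply is let through. Addresses, ports and rule numbers are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; sport: int; dport: int; proto: str = "tcp"
    def reverse(self):  # the reply packet of this packet's connection
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)

@dataclass(frozen=True)
class Rule:  # number only matters for NACLs; ports = inclusive (low, high) destination range
    number: int; cidr: str; ports: tuple; action: str = "allow"; proto: str = "tcp"
    def matches(self, pkt, peer):  # peer: remote address the CIDR is checked against
        return (self.proto in ("all", pkt.proto) and self.ports[0] <= pkt.dport <= self.ports[1]
                and ip_address(peer) in ip_network(self.cidr))

def nacl_decide(rules, pkt, inbound):
    """NACL: stateless; first match in ascending rule-number order wins;
    the implicit '*' rule denies anything no numbered rule matched."""
    peer = pkt.src if inbound else pkt.dst
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(pkt, peer):
            return r.action
    return "deny"

class SecurityGroup:
    """Allow-only rules, all evaluated (order irrelevant); stateful connection
    tracking lets the reply through without a matching outbound rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.state = inbound, outbound, set()
    def decide(self, pkt, inbound):
        if pkt.reverse() in self.state:  # reply to a packet already allowed
            return "allow"
        rules, peer = (self.inbound, pkt.src) if inbound else (self.outbound, pkt.dst)
        if any(r.matches(pkt, peer) for r in rules):
            self.state.add(pkt)
            return "allow"
        return "deny"

REQ = Packet("203.0.113.5", "10.0.1.10", 51515, 443)  # constructed HTTPS request (sample values)
def nacl_stateless_example():  # inbound 443 allowed; reply to the ephemeral port needs its own outbound rule
    inbound = [Rule(100, "0.0.0.0/0", (443, 443))]
    return (nacl_decide(inbound, REQ, True), nacl_decide([], REQ.reverse(), False),
            nacl_decide([Rule(100, "0.0.0.0/0", (1024, 65535))], REQ.reverse(), False))
def nacl_order_example():  # a DENY for one /24 only takes effect if numbered below the broad ALLOW
    deny_first = [Rule(100, "203.0.113.0/24", (443, 443), "deny"), Rule(110, "0.0.0.0/0", (443, 443))]
    deny_last = [Rule(110, "203.0.113.0/24", (443, 443), "deny"), Rule(100, "0.0.0.0/0", (443, 443))]
    return nacl_decide(deny_first, REQ, True), nacl_decide(deny_last, REQ, True)
def sg_stateful_example():  # same request through a security group with no outbound rules at all
    sg = SecurityGroup(inbound=[Rule(0, "0.0.0.0/0", (443, 443))], outbound=[])
    return sg.decide(REQ, True), sg.decide(REQ.reverse(), False)
```

The three functions return ("allow", "deny", "allow"), ("deny", "allow") and ("allow", "allow"): the NACL drops the reply until an outbound ephemeral-port rule exists and ignores a DENY numbered above a matching ALLOW, while the security group passes the reply with no outbound rule.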

VPC Flow Logs

  • Capture information about IP traffic going into your interfaces
    • VPC Flow Logs
    • Subnet Flow Logs
    • Elastic Network Interface Flow Logs
  • Helps monitor and troubleshoot connectivity issues
    • Subnets to internet
    • Subnets to subnets
    • Internet to subnets
  • Captures network information from AWS managed interfaces as well
    • Elastic Load Balancers, ElastiCache, RDS, Aurora, etc.
  • VPC Flow Logs data can go to S3, CloudWatch Logs and Kinesis Data Firehose

VPC Peering

  • Connect two VPCs privately using the AWS network
    • Behaves as if they were in the same network
    • Must not have overlapping CIDRs (IP address ranges)
    • VPC Peering connection is not transitive (must be established for each pair of VPCs that need to communicate with one another)

VPC Endpoints

  • Endpoints allow you to connect to AWS services using a private network instead of a public network
    • Gives enhanced security and lower-latency to access AWS services
    • VPC Endpoint Gateway: S3 & DynamoDB
    • VPC Endpoint Interface: The other services
  • Most secure & scalable way to expose a service to thousands of VPCs
  • Doesn't require VPC peering, internet gateway, NAT, route tables, etc.
  • Requires a network load balancer (Service VPC) and ENI (Customer VPC)

Site to Site VPN & Direct Connect

  • Site to Site VPN
    • Connect an on-premises VPN to AWS
    • The connection is automatically encrypted
    • Goes over the public internet
    • On-premises must use a Customer Gateway (CGW)
    • AWS must use a Virtual Private Gateway (VGW)
  • Direct Connect (DX)
    • Establish a physical connection between on-premises and AWS
    • Connection is private, secure and fast
    • Goes over a private network
    • Takes at least a month to establish

AWS Client VPN

  • Connect from your computer using OpenVPN to your private network in AWS and on-premises
    • Allows you to connect to your EC2 instances over a private IP
    • Goes over public Internet

Transit Gateway

  • For having transitive peering between thousands of VPCs and on-premises, hub-and-spoke (star) connection
    • A single gateway is needed to provide this functionality
    • Works with Direct Connect Gateway and VPN connections