Home networks: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
The remaining addresses are public
VPC
All new AWS accounts have a default VPC; new EC2 instances are launched in it if no subnet is specified
It has internet connectivity and all EC2 instances have public IPv4 addresses
You also get a public and private IPv4 DNS name
Can have 5 VPCs per region
The max. CIDR per VPC is 5
Min. size is /28 (16 IP addresses)
Max. size is /16 (65536 IP addresses)
Since VPCs are private, only the private IPv4 ranges are allowed (your VPC CIDR shouldn't overlap with your other networks)
VPC Subnets (IPv4)
AWS reserves 5 addresses (first 4 and last) in each subnet, e.g. in 10.0.0.0/24:
Network address: 10.0.0.0
VPC router: 10.0.0.1
Mapping to Amazon-provided DNS: 10.0.0.2
Future use: 10.0.0.3
Network broadcast address (reserved because a VPC doesn't support broadcast): 10.0.0.255
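Added example (my own helper, not part of these notes): it applies the VPC CIDR rules above to any block (the /16-/28 size limits, the RFC 1918 requirement, and no overlap with other networks) and computes the five reserved addresses for any subnet size, not just the /24 case. Function names are my own.

```python
import ipaddress

# Constraints from the notes: a VPC CIDR must be /16../28 and drawn from
# the private (RFC 1918) ranges, and must not overlap other networks.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def validate_vpc_cidr(cidr, existing=()):
    """Return the list of reasons `cidr` is not an acceptable VPC block
    (empty list = fine). `existing` holds other networks it must not
    overlap: other VPCs, peered VPCs, on-premises ranges."""
    net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
    problems = []
    if not (16 <= net.prefixlen <= 28):
        problems.append(f"prefix /{net.prefixlen} outside /16-/28")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append("not within an RFC 1918 private range")
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            problems.append(f"overlaps {other_net}")
    return problems

def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet: first four + last."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(first)),
        "vpc_router": str(ipaddress.ip_address(first + 1)),
        "dns": str(ipaddress.ip_address(first + 2)),
        "future_use": str(ipaddress.ip_address(first + 3)),
        "broadcast": str(net.broadcast_address),
    }

def usable_hosts(subnet_cidr):
    """Addresses actually assignable to ENIs: total minus the 5 reserved."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5
```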
Internet Gateway
Allows resources such as EC2 instances to connect to the internet in a VPC
Horizontally scalable and highly available
Must be created separately from a VPC; a VPC can be attached to only one IGW
Need to define route tables to enable internet access
Bastion Hosts
A bastion host can be used to SSH into private EC2 instances
A bastion is in the public subnet which gets connected to all other private subnets
The security group for the bastion host must allow inbound from the internet on port 22 from restricted CIDR
The security group for the EC2 instances must allow the security group or private IP of the bastion host
NAT Instance
Enables EC2 instances in private subnets to connect to the internet
Requirements:
Launched in public subnet
Disable EC2 setting Source / destination check
Has an elastic IP attached to it
Route tables must be configured to route traffic from private subnets to the NAT instance
Not highly available, need to create an ASG in multi-az with a resilient user-data script
Internet traffic bandwidth depends on EC2 instance type
Need to manage inbound and outbound rules in security groups
NAT Gateway
An AWS managed NAT with higher bandwidth, high availability and no administration
5 Gbps of bandwidth, scaling up to 100 Gbps automatically
Resilient within a single AZ, but need to create multiple NATGW in multiple AZs for fault-tolerance
There's no cross-AZ failover needed because if an AZ goes down, it doesn't need a NAT
You pay per hour for usage and bandwidth
The NATGW is created in a specific AZ, using an elastic IP
Can't be used by an EC2 instance in the same subnet
Requires an IGW (private subnet --> NATGW --> IGW)
No security groups are required or to be managed
Network Access Control List
NACLs are similar to firewalls, controlling traffic to and from subnets
Each subnet has one NACL, new subnets are assigned the default NACL
Default NACL accepts all inbound/outbound traffic with the associated subnets, don't modify this, just create a new custom NACL
You define NACL rules:
Rules have a number between 1-32766, a lower number has higher precedence
Decisions are made based off first rule match
The last rule is an asterisk (*), denying a request when no other rule matches
Recommended to add rules by increments of 100
Newly created NACLs deny everything
Good way of blocking a specific IP address at the subnet level
Ephemeral Ports
Ports are necessary to establish a connection between two endpoints
Clients connect to a defined port, expecting a response on an ephemeral port
Port ranges differ between operating systems
IANA and Windows 10: 49152 - 65535
Linux: 32768 - 60999
Security Group vs. NACLs
Security Group
Operates at instance level
Supports allow rules only
Return traffic automatically allowed regardless of any rules (stateful)
All rules are evaluated
Applies to an EC2 instance only when specified by a user
NACL
Operates at subnet level
Supports allow rules and deny rules
Return traffic must be explicitly allowed by rules (stateless)
Rules are evaluated in order, first match decision
Automatically applies to all EC2 instances in the subnet it's associated with
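Added example (my own code, not from these notes) covering the NACL rule evaluation, the ephemeral port ranges and the security group vs. NACL comparison above: a small evaluator with both semantics (NACL: numbered rules, first match, implicit "*" deny; security group: all rules evaluated, allow-only, stateful), used to check whether an SSH session gets through in both directions. Rule fields and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Ephemeral port ranges quoted in the notes: a stateless NACL has to allow the
# return traffic on these explicitly, a stateful security group does not.
EPHEMERAL = {"linux": (32768, 60999), "windows": (49152, 65535)}

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number 1-32766, lowest evaluated first
    proto: str      # "tcp", "udp", "icmp" or "all"
    port_lo: int
    port_hi: int
    cidr: str
    action: str     # "allow" or "deny" (security groups only use "allow")

def matches(rule, proto, port, addr):
    in_cidr = ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
    proto_ok = rule.proto in ("all", proto)
    return in_cidr and proto_ok and rule.port_lo <= port <= rule.port_hi

def nacl_decision(rules, proto, port, addr):
    """NACL semantics: rules in ascending number, first match decides,
    the trailing '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, addr):
            return rule.action
    return "deny"

def sg_decision(rules, proto, port, addr):
    """Security group semantics: every rule is evaluated, any allow wins,
    there are no deny rules and no ordering."""
    return "allow" if any(matches(r, proto, port, addr) for r in rules) else "deny"

def ssh_session_ok(inbound, outbound, client_ip, client_os="linux", stateful=False):
    """Does an SSH session from client_ip get through in both directions?
    With a NACL the reply goes back to the client's ephemeral port and must be
    allowed outbound over the whole range; with a security group it is implicit."""
    decide = sg_decision if stateful else nacl_decision
    if decide(inbound, "tcp", 22, client_ip) != "allow":
        return False
    if stateful:
        return True
    lo, hi = EPHEMERAL[client_os]
    return all(nacl_decision(outbound, "tcp", p, client_ip) == "allow" for p in range(lo, hi + 1))
```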
VPC Peering
Privately connect two VPCs using the AWS network
Can't have overlapping CIDRs
The connection is not transitive, it must be established for each VPC that needs to communicate with one another
Must update route tables in each VPC's subnets to ensure EC2 instances can communicate with each other
Can create VPC Peering connection between VPCs in different AWS accounts and regions
Can reference a security group in a peered VPC
VPC Endpoints (AWS PrivateLink)
Every AWS service is publicly exposed via a public URL
VPC Endpoints allow you to connect to services over the private network instead of the internet
Redundancy and horizontal scaling
Removes the need of IGW, NATGW, etc. to access AWS services
If issues arise, check the DNS resolution settings in your VPC and the route tables
Types of endpoints:
Interface Endpoints
Provisions an Elastic Network Interface (private IP address) as an entry point (must attach security group)
Supports most services
Pricing is per hour and GB of data processed
Gateway Endpoints
Provisions a gateway and must be used as a target in a route table (no security groups needed)
Supports S3 and DynamoDB
Free
Gateway generally preferred, use interface endpoint when access is required from on-premises (site-to-site VPN or direct connect), a different VPC or different region
VPC Flow Logs
Capture information about IP traffic going into your interfaces
VPC flow logs, subnet flow logs, ENI flow logs
Monitor and troubleshoot connectivity issues
Flow logs data can go to S3, CloudWatch Logs and Firehose
Can capture network information from AWS managed interfaces such as ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway, etc.
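Added example (my own code, not from these notes) for the troubleshooting use of flow logs: a parser for the default flow log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) that summarises REJECTed flows per destination and flags repeat sources. The sample records, account id, ENI ids and addresses are constructed.

```python
from collections import Counter

# Constructed sample in the default VPC Flow Logs record format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Ids and addresses are made up.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0aaa1111bbbb2222c 203.0.113.7 10.0.1.25 51234 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa1111bbbb2222c 203.0.113.7 10.0.1.25 51235 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0aaa1111bbbb2222c 198.51.100.4 10.0.1.25 44000 22 6 20 3200 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 198.51.100.4 22 44000 6 18 2900 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0ccc3333dddd4444e 10.0.2.40 10.0.1.25 40022 3306 6 1 40 1700000030 1700000090 REJECT OK
2 123456789012 eni-0ccc3333dddd4444e - - - - - - - 1700000040 1700000100 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines carry no traffic
    fields and are dropped, as are lines with the wrong field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejects_by_dest_port(records):
    """Count REJECTed flows per (interface, dstaddr, dstport). A REJECT on an
    ENI means neither its security group nor the subnet NACL allowed the flow,
    which is the first thing to look at when a connection fails."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT":
            counts[(r["interface_id"], r["dstaddr"], r["dstport"])] += 1
    return counts

def noisy_sources(records, threshold=2):
    """Source addresses with at least `threshold` rejected flows."""
    c = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return sorted(src for src, n in c.items() if n >= threshold)
```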
Site-to-Site VPN
Virtual Private Gateway
VPN concentrator on the AWS side of the VPN connection
The VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
Can customize the autonomous system number
Customer Gateway
Software app or physical device on the customer side of the VPN connection
For a customer gateway device on-premises, use the public internet-routable IP address of your device
If it's behind a NAT device that's enabled for NAT traversal, use the public IP of the NAT device
Enable route propagation for the VGW in the route table associated with your subnets
Add ICMP protocol on inbound of security groups if you need to ping your EC2 instances from on-premises
AWS VPN CloudHub
Provides secure communication between multiple sites if you have multiple VPN connections
Goes over the public Internet as it's a VPN connection
Low-cost hub-and-spoke model for primary/secondary network connectivity between different locations (VPN only)
To set up, connect multiple VPN connections to the same VGW and set up dynamic routing and configure the route tables
Direct Connect
Provides a dedicated private connection from a remote network to your VPC
The setup must be between your data center and an AWS Direct Connect location
Need to set up a VGW on your VPC
Can access public resources (S3) and private (EC2) on same connection
Useful for increasing bandwidth throughput (large data sets), more consistent network experience and hybrid environments
Supports both IPv4 and IPv6
Direct Connect Gateway
Setting up DC to one or more VPC in different regions (same account) requires a Direct Connect Gateway
Types of connections:
Dedicated
1, 10 and 100 Gbps capacity
Physical ethernet port dedicated to a customer
Request made to AWS first then completed by AWS Direct Connect Partners
Hosted
50 Mbps, 500 Mbps, up to 10 Gbps
Connection requests made via AWS Direct Connect Partners
Capacity can be added/removed on demand
1, 2, 5 and 10 Gbps available at select AWS Direct Connect Partners
Lead times are often longer than 1 month to establish a new connection
Encryption:
Data in transit is not encrypted, but the connection is private
DC + VPN provides an IPsec-encrypted private connection
Good for extra level of security but more complex to put in place
In case Direct Connect fails, can set up a backup Direct Connect connection or a Site-to-Site VPN connection
Transit Gateway
Enables peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology
Regional resource, but can be peered cross-region
Can share cross-account using Resource Access Manager
Integrates with Direct Connect Gateway and VPN connections
Supports IP Multicast
Site-to-Site VPN ECMP (equal-cost multi-path) routing
A routing strategy to allow forwarding packets over multiple best paths
Useful for creating multiple Site-to-Site VPN connections to increase bandwidth of your connection to AWS
VPC Traffic Mirroring
Capture and inspect network traffic in VPC
Route traffic to security appliances that you manage
Capture traffic from ENIs (source) and send it to an ENI or NLB (target)
Capture all packets or packets of interest
Source and target can be in the same VPC or different VPCs
Useful for content inspection, threat monitoring, troubleshooting, etc.