Amazon Virtual Private Cloud – VPC:
- VPC is a virtual network dedicated to your AWS account
- Amazon VPC is the Networking layer for EC2 which allows building virtual networks.
- You can select your own IP address range, create subnets, and configure route tables and gateways.
- You can configure multiple layers of security with security groups and network access control lists (ACLs).
- You can also have a hardware (IPsec) VPN connection between your data center and your VPC.
- Instances in public subnets can connect directly to the Internet.
- NAT (Network Address Translation) lets instances in private subnets reach the Internet without being reachable from it.
- Peer VPCs to share resources across multiple virtual networks
- Using VPC Endpoint you can connect to AWS Services such as S3, DynamoDB, Kinesis Streams, Service Catalog, EC2 Systems Manager (SSM), Elastic Load Balancing (ELB) API, and Amazon Elastic Compute Cloud (EC2) API
- VPC cannot span across regions.
- VPC can span multiple Availability Zones.
- Default Max VPCs per region is 5.
- The allowed VPC CIDR block size is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).
- A /28 leaves 32 - 28 = 4 host bits, so it contains 2^4 = 16 IP addresses.
- When using AWS Direct Connect to connect to multiple VPCs through a direct connect gateway, the VPCs that are associated with the direct connect gateway must not have overlapping CIDR blocks.
- IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.
- In VPC you can add one or more subnets in each Availability Zone.
- Each subnet must reside entirely within one Availability Zone and cannot span zones.
- If a subnet's route table has a route to an internet gateway, the subnet is a public subnet; otherwise it is a private subnet.
- If a subnet has no route to an internet gateway but its route table routes to a virtual private gateway (VPG) for a VPN, it is called a VPN-only subnet.
- Max Subnets per VPC 200
- Each subnet has to be associated with a route table
- By default, there is main route table associated with VPC.
- The minimum size of an IPv4 subnet is a /28 (16 IP addresses). AWS reserves 5 addresses in every subnet (the network address, the VPC router, the DNS server, one reserved for future use, and the broadcast address), so a /28 leaves 11 usable addresses. Subnets cannot be larger than the VPC in which they are created.
- A route table is a set of rules (routes) applied to a subnet to determine where its network traffic is directed.
- Route tables also govern communication between subnets within a VPC.
- You configure IGW to make a subnet Public.
- The default route called as local route enables communication within a VPC
- Security Group is a virtual firewall to control inbound and outbound traffic.
- By default you can assign up to 5 SGs to an instance/network interface.
- Default limit for Security groups per VPC (per region) is 500
- Default limit you can have 50 inbound and 50 outbound rules per security group.
- SGs are applied at instance level and not subnet level.
- VPC automatically comes with a default security group.
- Default SG allow inbound traffic from instances assigned to the same security group.
- Default SG allow all outbound IPv4 traffic.
- SG rule applies either to inbound traffic (ingress) or outbound traffic (egress)
- SGs are stateful, i.e. if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules, and responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.
- Security Groups have only allow rules, you cannot specify deny rules.
Network Access Control List ACLs:
- A Network ACL is a security layer that acts at the subnet level.
- Network ACLs are stateless.
- Network ACL rules are evaluated in order from the lowest rule number to the highest; the first rule that matches the traffic decides whether it is allowed or denied, and later rules are not evaluated. If no numbered rule matches, the final catch-all rule denies the traffic.
- Every VPC comes with a modifiable default network ACL that allows all inbound and outbound traffic; any subnet not explicitly associated with a custom network ACL uses it.
- If you create a custom Network ACL, its initial configuration denies all inbound and outbound traffic until you add rules.
- Every subnet must be associated with a network ACL.
- A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
Difference between Security Groups and Network ACLs:
- Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance.
- Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet.
- Network ACLs can be used to set both Allow and Deny rules.
- Network ACLs do not filter traffic between instances in the same subnet.
- Network ACLs perform stateless filtering while security groups perform stateful filtering.
- Stateful filtering tracks the origin of a request and can automatically allow the reply to be returned to the originating computer: a stateful filter that allows inbound traffic to TCP port 80 on a web server will also allow the return traffic, which goes back to the client's ephemeral source port (a high-numbered port, e.g. TCP port 63912), to pass between the client and the web server.
- Stateless filtering only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the case above a network ACL needs two rules: an inbound allow for TCP port 80 and an outbound allow for the ephemeral port range (1024-65535) the reply is sent to.
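The difference between the two filters is easiest to see by running the same request/reply pair through both. The following is an added example written for these notes, not AWS code: the `Packet` type, the rule tuples and the addresses (203.0.113.10 as client, 10.0.1.25 as server) are constructed to mirror the semantics described above, namely allow-only stateful security groups and numbered, first-match-wins, stateless network ACLs.

```python
"""Stateful (security group) vs stateless (network ACL) filtering, simulated.

Added example for these notes, not AWS code. Rule tuples, the Packet type and
all addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the instance/subnet, "out" = leaving it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _matches(rule_proto, lo, hi, cidr, pkt):
    """Does a (proto, from_port, to_port, cidr) rule match this packet?
    The CIDR is compared against the remote side (source for inbound,
    destination for outbound); the port range is always the destination port."""
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule_proto in ("all", pkt.proto)
            and lo <= pkt.dst_port <= hi
            and ipaddress.ip_address(remote) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Allow-only rules plus a connection table: the reply to any flow a rule
    admitted is permitted without consulting the rules again (stateful)."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # [(proto, from_port, to_port, cidr), ...]
        self.outbound = outbound
        self._flows = set()         # 5-tuples of admitted flows

    def evaluate(self, pkt):
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:
            return True              # reply to a tracked flow
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for rule in rules:
            if _matches(*rule, pkt):
                self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                                 pkt.dst_ip, pkt.dst_port))
                return True
        return False                 # there are no deny rules; no match = drop


class NetworkAcl:
    """Numbered allow/deny rules evaluated lowest number first; the first
    match decides, the implicit final '*' rule denies, nothing is tracked."""

    def __init__(self, inbound, outbound):
        # [(rule_number, "allow"|"deny", proto, from_port, to_port, cidr), ...]
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _number, action, *rule in rules:
            if _matches(*rule, pkt):
                return action == "allow"
        return False


def demo():
    """Run the HTTP request/reply pair from the notes through each filter."""
    client, server = "203.0.113.10", "10.0.1.25"        # constructed addresses
    request = Packet("in", client, 63912, server, 80)
    reply = Packet("out", server, 80, client, 63912)
    http_in = ("tcp", 80, 80, "0.0.0.0/0")

    # Outbound left empty on purpose to show statefulness (a real default SG
    # allows all outbound traffic).
    sg = SecurityGroup(inbound=[http_in], outbound=[])

    # A NACL that only mirrors the SG rule drops the reply: nothing allows the
    # client's ephemeral port outbound. The second NACL adds the missing rule.
    nacl_one_rule = NetworkAcl(inbound=[(100, "allow", *http_in)], outbound=[])
    nacl_two_rules = NetworkAcl(
        inbound=[(100, "allow", *http_in)],
        outbound=[(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])

    # Rule ordering: a deny for a hostile /24 only works when numbered below
    # the broad allow; at 110 it sits behind the allow and is never reached.
    bad_request = Packet("in", "198.51.100.7", 40000, server, 80)
    deny = ("deny", "tcp", 0, 65535, "198.51.100.0/24")
    nacl_deny_first = NetworkAcl([(90, *deny), (100, "allow", *http_in)], [])
    nacl_deny_last = NetworkAcl([(110, *deny), (100, "allow", *http_in)], [])

    return {
        "sg": (sg.evaluate(request), sg.evaluate(reply)),
        "nacl_one_rule": (nacl_one_rule.evaluate(request), nacl_one_rule.evaluate(reply)),
        "nacl_two_rules": (nacl_two_rules.evaluate(request), nacl_two_rules.evaluate(reply)),
        "deny_before_allow": nacl_deny_first.evaluate(bad_request),
        "deny_after_allow": nacl_deny_last.evaluate(bad_request),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `nacl_one_rule` case is the classic mistake when a security group rule set is copied into a network ACL: the request gets in, the reply is silently dropped, and the client sees a timeout. The last two cases show why rule numbering matters when you rely on NACL deny rules to block a source range.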
Internet Gateway – IGW:
- An IGW allows communication between instances inside your VPC and the Internet.
- An IGW is highly available, redundant, and horizontally scaled.
- The IGW performs one-to-one network address translation between an instance's private IPv4 address and its public IPv4 or Elastic IP address.
- You can have at most 1 Internet gateway attached to a VPC.
- Below are the steps to create a public subnet:
- Attach an IGW to the VPC.
- Add a route to the subnet's route table that sends all non-local traffic (0.0.0.0/0) to the IGW.
- Configure Security Groups and Network ACLs to allow the intended traffic.
- Assign an EIP or public IPv4 address to the instance so it can send and receive traffic from the Internet.
- To enable instances in a private subnet to initiate outbound IPv4 traffic to the Internet (without being reachable from it), use a NAT Gateway (or a self-managed NAT instance).
- A NAT Gateway is highly available within its Availability Zone; for zone-independent egress, create one NAT Gateway per AZ and route each AZ's private subnets to its own gateway.
- To allow instances Internet access through a NAT Gateway you need to:
- Configure the private subnet's route table to direct Internet traffic (0.0.0.0/0) to the NAT Gateway.
- Assign an EIP to the NAT Gateway (the gateway itself must be placed in a public subnet).
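Whether a subnet is public, private-with-NAT, VPN-only or isolated is entirely a property of the route table it resolves to, which makes it easy to audit. The following is an added example for these notes, not AWS code: the input mimics the shape of `aws ec2 describe-route-tables` output (`RouteTableId`, `Associations`, `Routes`, `State`), but every identifier and route is constructed and no AWS call is made. It applies the rules above (0.0.0.0/0 to an `igw-` = public, to a `nat-` = private with NAT egress, a `vgw-` route with no Internet route = VPN-only, local only = isolated), resolves unassociated subnets to the main route table, and treats a blackholed route (its gateway was detached) as absent.

```python
"""Classify VPC subnets from route-table data (added example, not AWS code).

The route tables below are constructed to look like `describe-route-tables`
output; identifiers such as igw-0a1b2c are made up.
"""

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

CONSTRUCTED_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],          # no SubnetId: this is the main table
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0a1b2c", "State": "active"}]},
    {"RouteTableId": "rtb-app",
     "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0d4e5f", "State": "active"}]},
    {"RouteTableId": "rtb-vpn",
     "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "192.168.0.0/16",
                        "GatewayId": "vgw-0f6a7b", "State": "active"}]},
    {"RouteTableId": "rtb-stale",
     "Associations": [{"Main": False, "SubnetId": "subnet-stale"}],
     # The IGW was detached: the route is still listed but blackholed.
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-detached", "State": "blackhole"}]},
]
# subnet-orphan has no explicit association and therefore uses rtb-main.
CONSTRUCTED_SUBNETS = ["subnet-web", "subnet-app", "subnet-db", "subnet-stale", "subnet-orphan"]


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise use the VPC's main table."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    if main is None:
        raise ValueError("no main route table found")
    return main


def classify_routes(routes):
    """Return public / private-nat / vpn-only / isolated for one route table."""
    active = [r for r in routes if r.get("State", "active") == "active"]
    default = [r for r in active if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if any(r.get("GatewayId", "").startswith("igw-") for r in default):
        return "public"
    if any("NatGatewayId" in r for r in default):
        return "private-nat"
    if any(r.get("GatewayId", "").startswith("vgw-") for r in active):
        return "vpn-only"
    return "isolated"


def classify_subnets(subnet_ids, route_tables):
    """Map every subnet id to its classification."""
    return {sid: classify_routes(route_table_for(sid, route_tables)["Routes"])
            for sid in subnet_ids}


if __name__ == "__main__":
    for subnet, kind in classify_subnets(CONSTRUCTED_SUBNETS, CONSTRUCTED_ROUTE_TABLES).items():
        print(f"{subnet:14s} {kind}")
```

Two caveats when using this as an audit check: "public" only means the routing allows Internet reachability, so an instance there still needs a public IPv4 or EIP plus matching SG and NACL rules before it is actually exposed; and a subnet you believed to be private that classifies as public (typically because it silently falls back to a main route table that carries an IGW route) is a finding worth chasing.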
Elastic Network Interface – ENI:
- ENI represents a virtual network card
- ENI can include
- IPv4 address, EIP Address, public IPv4 address, IPv6 addresses
- Security Groups
- MAC address
- source/destination check flag
- You can create and configure ENI and attach them to instances.
- The attributes of a network interface follow it as it’s attached or detached from an instance and reattached to another instance.
- When you move a network interface from one instance to another, network traffic is redirected to the new instance.
- Every instance in a VPC has a primary network interface (eth0), which cannot be detached from the instance.
- You can attach a network interface to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach)
- You can detach secondary (ethN) network interfaces when the instance is running or stopped. However, you can’t detach the primary (eth0) interface.
- Use a VPC Endpoint to privately connect your VPC to AWS services (no IGW needed).
- Instances in VPC do not require public IP addresses to communicate with resources in the aws services.
- Endpoints are virtual devices, horizontally scaled, redundant, and highly available.
- VPC Peering is a connection between two VPCs.
- Peering can be done within same account or across accounts.
- Peering does not rely on a separate piece of physical hardware, nor gateway, nor VPN connection.
- In Peering there is no single point of failure for communication or a bandwidth bottleneck.
- A VPC peering connection is a one to one relationship between two VPCs, also there can be only one Peering between VPC-A and VPC-B
- Peering is not transitive which means if VPC-A is peered to VPC-B and VPC-B peered with VPC-C that does not mean you can access VPC-C from VPC-A.
- VPC Peering can be done across regions.
- Traffic between instances in peered VPCs remains private and isolated – similar to how traffic between two instances in the same VPC is private and isolated.
Elastic IP address – EIP:
- The Elastic IP address is a static IPv4 address designed for dynamic cloud computing
- EIP you can associate with your instance or a network interface
- You can disassociate an Elastic IP address from a resource, and reassociate it with a different resource.
- A disassociated Elastic IP address remains allocated to your account until you explicitly release it.
- There is an hourly charge if an Elastic IP address is not associated with a running instance.
- There is no charge for the first EIP associated with a running instance; each additional EIP associated with that instance incurs an additional charge.
- EIP is bounded by region. You cannot use EIP from a different region.
- By default, all AWS accounts are limited to five (5) Elastic IP addresses per region
- An EIP is associated with exactly one private IPv4 address. A network interface can carry multiple private IPv4 addresses, so it can have multiple EIPs (one per private address), and an instance can have multiple network interfaces.
- A private IPv4 address stays with its network interface while the instance is stopped and started; it is released back to the subnet, and can be reused by another instance, only once the original instance is in the "terminated" state.
- You can assign one or more secondary private IP addresses to an Elastic Network Interface or an EC2 instance.
Elastic IP address EC2 Classic vs EC2-VPC:
| | EC2-Classic | EC2-VPC |
|---|---|---|
| Associating | You associate the EIP with an instance. | You associate the EIP with an instance by updating the network interface attached to the instance. |
| Tagging | Not supported. | Supports Elastic IP address tagging. |
| Stopping an instance | The EIP is disassociated, and you must reassociate it when you restart the instance. | The EIP remains associated. |
| Multiple IPs | Instances support only a single private IPv4 address. | Instances support multiple IPv4 addresses, and each one can have a corresponding EIP. |
ENI Elastic Network Interfaces:
- ENI can be attached to an instance.
- ENIs are only available inside Amazon VPC and are associated with a subnet on creation.
- An ENI can have one public IPv4 address and multiple private IPv4 addresses (each private address can have its own EIP).
- If you attach more than one network interface to an instance it becomes dual-homed, i.e. it has a network presence in different subnets.
- ENI is a logical networking component in a VPC that represents a virtual network card.
- You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance.
- A network interface can include attributes such as multiple Private IPs (only one primary), EIP, SGs, MAC address, Description, Source/Destination check.
- Every instance in a VPC has a default network interface, called the primary network interface (eth0)
- VPC endpoint enables you to privately connect your VPC to supported AWS services such as S3
- Instances in your VPC do not require public IP addresses to communicate with resources in the service.
- Traffic between your VPC and the other service does not leave the Amazon network.
- VPC endpoints are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
- VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint.
- The default policy allows full access to the service.
- You cannot attach more than one policy to an endpoint
- Endpoints are supported within the same region only.
- You cannot create an endpoint between a VPC and a service in a different region.
- You could not tag an endpoint when these notes were written; endpoint tagging has since been added.
- Endpoints supported IPv4 traffic only when these notes were written.
- By default the limit is set to 20 endpoints per region (the quotas in these notes reflect the defaults at the time of writing; check the current AWS service quotas).
DHCP Option Sets:
- DHCP (Dynamic Host Configuration Protocol) provides a standard for passing configuration to hosts on a TCP/IP network.
- When a VPC is created, AWS automatically creates a DHCP options set with two options set by default: domain-name-servers = AmazonProvidedDNS, and domain-name defaulting to the domain name of your region (ec2.internal in us-east-1, <region>.compute.internal elsewhere).
- To assign your own domain name you need to create Custom DHCP option set and assign it to VPC.
- The DHCP options to configure are: domain-name-servers, domain-name, ntp-servers, netbios-name-servers, netbios-node-type.
- DHCP options sets are associated with your AWS account so that you can use them across all of your virtual private clouds (VPC).
- After you create a set of DHCP options, you can’t modify them.
- If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC.
- VPC peering is a connection between two VPCs that enables traffic between them privately.
- You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.
- There is no single point of failure for communication.
- A VPC peering connection is a one to one relationship between two VPCs.
- Transitive peering relationships are not supported which means if A is connected to B and B is connected to C then that doesn’t mean A can directly connect to C
- You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks.
- You cannot have more than one Peering connection between same 2 VPCs.
- You can have multiple Peering connections from one VPC.
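The sizing rules from the VPC and subnet sections (VPC CIDR between /16 and /28, subnets no larger than the VPC and no smaller than /28, five addresses reserved by AWS in every subnet) and the peering rule above (no matching or overlapping CIDR blocks) are all plain address arithmetic, so they can be checked before anything is created. The following is an added example written for these notes, not AWS code; the VPC names and CIDR blocks in the demo are constructed.

```python
"""VPC/subnet CIDR sizing and peering-overlap checks (added example, not AWS code)."""
import ipaddress
from itertools import combinations

# network address, VPC router, DNS server, reserved for future use, broadcast
AWS_RESERVED_PER_SUBNET = 5


def _net(cidr):
    # strict=True rejects host bits set inside the prefix, e.g. "10.0.0.1/24".
    return ipaddress.ip_network(cidr, strict=True)


def validate_vpc_cidr(cidr):
    """Return the network if it is a legal IPv4 VPC block, else raise ValueError."""
    net = _net(cidr)
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC IPv4 CIDR must be between /16 and /28")
    return net


def is_valid_vpc_cidr(cidr):
    try:
        validate_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def validate_subnet(vpc_cidr, subnet_cidr):
    """A subnet must lie inside its VPC and be no smaller than a /28."""
    vpc, sub = validate_vpc_cidr(vpc_cidr), _net(subnet_cidr)
    if not sub.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr} is not inside VPC {vpc_cidr}")
    if sub.prefixlen > 28:
        raise ValueError(f"{subnet_cidr}: smallest allowed subnet is /28")
    return sub


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet, by role."""
    sub = _net(subnet_cidr)
    base = int(sub.network_address)
    return {
        "network": str(sub.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(sub.broadcast_address),
    }


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign: the block size minus the reserved five."""
    return _net(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def can_peer(cidrs_a, cidrs_b):
    """Two VPCs (each possibly with several CIDR blocks) may peer only if no
    block of one overlaps any block of the other."""
    return not any(_net(a).overlaps(_net(b)) for a in cidrs_a for b in cidrs_b)


def peering_conflicts(vpcs):
    """Given {vpc_name: [cidr, ...]}, list the VPC pairs that cannot be peered."""
    return [(x, y) for x, y in combinations(sorted(vpcs), 2)
            if not can_peer(vpcs[x], vpcs[y])]


if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/28"), reserved_addresses("10.0.1.0/28"))
    # Constructed VPCs: prod and dev both use 10.0.0.0/16, so they cannot peer.
    print(peering_conflicts({"prod": ["10.0.0.0/16"],
                             "dev": ["10.0.0.0/16", "172.16.0.0/20"],
                             "shared": ["10.1.0.0/16"]}))
```

The overlap check is the one to run before you design a peering mesh or a Direct Connect gateway: two teams that each picked 10.0.0.0/16 cannot be connected later without re-addressing one of them, and `can_peer` deliberately checks every secondary CIDR block too, since a clean primary block with an overlapping secondary still blocks the peering.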
VPG, CGW and VPN:
- You can connect your existing data center to your Amazon VPC; for this you need a virtual private gateway (VPG) on the AWS side and a customer gateway (CGW) on your side.
- To create a VPN connection, the VPG on the AWS side is connected to the CGW on the customer side.
- You can use static routing or dynamic routing (BGP).
- The VPN connection has 2 IPsec tunnels to the Amazon VPC for high availability, each terminating on a different AWS endpoint.
- The VPN tunnels are initiated from the CGW (customer side) towards the VPG.
- By default you can create up to ten VPN connections for your VPC.
- You can also use multiple VPN connections to establish redundant customer gateways from a single location.
- You can have five virtual private gateways per AWS account per region
- You can have fifty customer gateways per AWS account per region
- You can have Ten IPsec VPN Connections per virtual private gateway