Introduction
VPC: Virtual Private Cloud, a virtual network that provides logical isolation
VPC
- each VPC has the following items
- subnets
  - from /16 to /28
  - AWS reserves the first 4 and the last IP address of each subnet.
  - a subnet resides in one AZ and cannot SPAN zones.
  - subnets can be classified as public (route to an IGW), private (NO route to an IGW) and VPN-only (route to a VPN and NO route to an IGW)
  - each AZ has a default VPC, 172.31.0.0/16
  - the default VPC of each AZ has a public subnet of /20 (4096 - 4)
- route table
  - the local route (not the default route) can not be modified or deleted; it routes VPC-internal traffic. It looks like this: destination=10.0.3.0/24 route=local
  - you can replace the main route table with a custom table that you have created, so that each new subnet is automatically associated with it.
- DHCP
  - AWS automatically creates and associates a DHCP option set:
    - DNS (default is AmazonProvidedDNS)
    - Domain Name (default is the domain name for your region)
  - DHCP option set elements can be set ad hoc: you can assign your own domain name to your instances here. You can also create the following options:
    - domain-name-servers
    - domain-name
    - ntp-servers
    - netbios-name-servers
    - netbios-node-type
- security group
  - applies at the instance level
  - stateful firewall
  - up to 500 security groups per VPC
  - up to 50 inbound and 50 outbound rules per security group
  - up to 5 security groups per NIC
  - you can NOT specify Deny rules in a security group; this is an important difference between security groups and ACLs.
- ACL
  - every subnet must have an ACL.
  - an ACL applies at the subnet level
  - stateLESS
- Internet GW (optional)
  - IGW
- Elastic IP (optional)
  - static
  - first allocate an EIP, then assign it to an instance
  - specific to a region
  - one-to-one mapping to an internal IP, like NAT
  - it can be moved from one instance to another within the region.
  - an EIP is charged
- Elastic Network Interface (optional)
  - a virtual network interface that can be attached to an instance in a VPC.
  - it is only available within a VPC.
  - can be considered a NIC with a TCP/IP stack installed; it can be plugged into any instance and moved to other instances. If the server fails, the ENI still stands.
  - can be used for a management network, OOB network, dual-homed network, etc.
- Endpoints (optional)
  - like a tunnel for a private connection between the VPC and another AWS service, so no VPN, NAT, internet, Direct Connect, etc. is needed.
  - you can create multiple endpoints for a single instance.
  - creation steps
    - choose a VPC
    - specify a service like com.amazonaws.<region>.<service>
    - specify an access policy
    - specify the route table, like DEST=s3_bucket_name_here, ROUTE=end_point_name
- Peering (optional)
  - connection between two VPCs (like BGP?)
  - not a VPN nor a GW
  - request/accept protocol; the receiver has one week to accept or reject.
  - VPC peering does not support transitive routing
  - peered VPCs can not have matching or overlapping CIDR blocks.
  - two VPCs can only have one peering connection between them.
- NAT (optional)
  - we have NAT instances and NAT GWs
  - NAT instances
    - create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol and IP address.
    - launch the NAT AMI in a public subnet and associate it with the security group
    - disable the source/destination check attribute of the NAT instance
    - configure the route table associated with a private subnet to direct Internet-bound traffic to the NAT instance.
    - allocate an EIP and associate it with the NAT instance.
  - NAT Gateway
    - create the route table, to route traffic to
    - allocate an EIP and associate it with the NAT GW
- Virtual Private GW, Customer GW VPN (optional)
  - this is a way to connect a customer data center and AWS
  - a VPG is a VPN concentrator on the AWS side
  - a CGW is a physical or software appliance on the customer side.
  - if the CGW supports BGP, use dynamic routing, else use static routing
  - a VPN connection consists of two IPsec tunnels, for HA
  - the VPN is initiated by the CGW
- subnets
Security Group VS ACL

| security group | ACL |
|---|---|
| instance level | subnet level |
| you can configure allow rules only | both allow and deny rules |
| stateful | stateless |
| all rules are evaluated before deciding whether traffic can pass | the decision is made at the first rule that matches |
| applies to selected instances | applies to all instances in the subnet |
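As an added illustration of the table above (not part of the original notes), the following Python models both filters on a constructed SSH flow: the stateful, allow-only security group lets the reply through on connection state alone, while the stateless, numbered ACL needs an explicit outbound ephemeral-port rule and can express a deny that wins because it has the lower rule number. The 203.0.113.0/24 range, rule numbers and ports are constructed values.

```python
from ipaddress import ip_address, ip_network

def pkt(direction, proto, src_port, dst_port, remote_ip):
    # A packet at the instance/subnet boundary; remote_ip is the peer outside the VPC.
    return {"dir": direction, "proto": proto, "src": src_port, "dst": dst_port, "ip": remote_ip}

def _hit(rule, p):                     # rule = (proto, port_lo, port_hi, cidr), matched on dst port
    proto, lo, hi, cidr = rule
    return proto == p["proto"] and lo <= p["dst"] <= hi and ip_address(p["ip"]) in ip_network(cidr)

class SecurityGroup:
    # Instance level, stateful, allow-only: every rule is checked and any match permits;
    # a reply to a permitted flow passes without a rule in the other direction.
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()             # connection-tracking table
    def allows(self, p):
        reverse = "out" if p["dir"] == "in" else "in"
        if (reverse, p["proto"], p["ip"], p["src"]) in self.flows:
            return True                # reply to a tracked flow
        if any(_hit(r, p) for r in self.rules[p["dir"]]):
            self.flows.add((p["dir"], p["proto"], p["ip"], p["dst"]))
            return True
        return False

class NetworkAcl:
    # Subnet level, stateless: numbered rules, first match decides (allow or deny),
    # no match is the implicit deny, and replies need their own rule.
    def __init__(self, inbound, outbound):   # rules: (number, action, proto, lo, hi, cidr)
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}
    def allows(self, p):
        for _, action, *rule in self.rules[p["dir"]]:
            if _hit(tuple(rule), p):
                return action == "allow"
        return False

def demo():
    # Constructed scenario: SSH from the 203.0.113.0/24 office range into an instance.
    ssh_in = pkt("in", "tcp", 49152, 22, "203.0.113.10")
    ssh_reply = pkt("out", "tcp", 22, 49152, "203.0.113.10")
    sg = SecurityGroup([("tcp", 22, 22, "203.0.113.0/24")], [])
    acl = NetworkAcl([(90, "deny", "tcp", 0, 65535, "203.0.113.10/32"),
                      (100, "allow", "tcp", 22, 22, "203.0.113.0/24")],
                     [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])
    fixed = NetworkAcl(acl.rules["in"], acl.rules["out"] + [(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])
    return {"sg_in": sg.allows(ssh_in), "sg_reply": sg.allows(ssh_reply),      # True, True
            "acl_denied_host": acl.allows(ssh_in),                             # False: rule 90 hit first
            "acl_other_host": acl.allows(pkt("in", "tcp", 49152, 22, "203.0.113.20")),  # True
            "acl_reply": acl.allows(ssh_reply),                                # False: no ephemeral rule
            "acl_reply_fixed": fixed.allows(ssh_reply)}                        # True
```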