
AWS Certified Solutions Architect Official Study Guide, Study Notes - VPC

Introduction

VPC: Virtual Private Cloud, a virtual network inside AWS that provides logical isolation from other networks (including other VPCs in the same account).

VPC

  • each VPC has the following components
    • subnets
      • CIDR block size from /16 to /28
      • AWS reserves the first four and the last IP address of every subnet (5 in total), so a /24 has 251 usable addresses.
      • a subnet resides in one AZ and cannot SPAN AZs.
      • subnets are classified as public (route table has a route to an IGW), private (no route to an IGW) or VPN-only (route to a virtual private gateway, no route to an IGW)
      • each region has a default VPC, 172.31.0.0/16
      • the default VPC has one default public subnet of /20 (4096 addresses, 4091 usable) in each AZ
    • route table
      • the local route cannot be modified or deleted; it covers the VPC's CIDR and routes traffic inside the VPC. It looks like this: destination=10.0.3.0/24 (the VPC CIDR) target=local
      • you can replace the main route table with a custom table that you have created, so that each new subnet is automatically associated with it.
    • DHCP
      • AWS automatically creates a DHCP options set and associates it with the VPC
        • domain-name-servers (default is AmazonProvidedDNS)
        • domain-name (default is the domain name for your region)
        • you can create your own DHCP options set, e.g. to assign your own domain name to your instances, with any of the following options:
          • domain-name-servers
          • domain-name
          • ntp-servers
          • netbios-name-servers
          • netbios-node-type
    • security group
      • applies at the instance (ENI) level
      • stateful firewall: return traffic for an allowed connection is allowed automatically
      • up to 500 security groups per VPC (limit as quoted by the study guide)
      • up to 50 inbound and 50 outbound rules per security group
      • up to 5 security groups per network interface
      • you can NOT specify deny rules in a security group; everything not explicitly allowed is denied. This is an important difference between security groups and ACLs.
    • ACL (network ACL)
      • every subnet must be associated with a network ACL (the VPC's default ACL if you do not choose one).
      • an ACL applies at the subnet level
      • stateLESS: return traffic must be allowed explicitly (e.g. an outbound rule for ephemeral ports 1024-65535)
    • Internet GW (optional)
      • IGW: the VPC component that allows communication between instances in the VPC and the Internet; a subnet is public only if its route table has a route to the IGW
    • Elastic IP (optional)
      • static public IPv4 address
      • first allocate an EIP, then associate it with an instance (or ENI)
      • specific to a region
      • mapped one-to-one to the instance's private IP, like NAT
      • can be moved from one instance to another within the region
      • EIPs incur charges (notably while allocated but not associated with a running instance)
    • Elastic Network Interface (optional)
      • a virtual network interface that can be attached to an instance in a VPC.
      • only available within a VPC.
      • think of it as a NIC with its own private IP(s), MAC address and security groups. It can be attached to any instance and moved to another instance; if the instance fails, the ENI (with its addresses) survives.
      • use cases: management network, out-of-band network, dual-homed instances, etc.
    • Endpoints (optional)
      • a private connection between your VPC and another AWS service, so no IGW, NAT, VPN or Direct Connect is needed and the traffic does not leave the AWS network.
      • you can create multiple endpoints for a single service and use different route tables to enforce different access policies from different subnets.
      • creation steps
        • choose a VPC
        • specify a service, named like com.amazonaws.<region>.<service>
        • specify an endpoint access policy
        • specify the route tables to update.

          the route that is added looks like DEST=<the service's prefix list (pl-...)>, TARGET=<the endpoint (vpce-...)>; the destination is the prefix list, not a bucket name

    • Peering (optional)
      • a networking connection between two VPCs so that instances route to each other over private IPs as if they were in one network. It is plain routing over the AWS network, not a BGP session.
      • not a VPN and not a gateway
      • request/accept protocol: the owner of the accepter VPC has one week to accept or reject the request.
      • VPC peering does not support transitive routing (A-B and B-C do not give A-C)
      • peered VPCs cannot have matching or overlapping CIDR blocks.
      • two VPCs can have only one peering connection between them.
    • NAT (optional)
      • lets instances in a private subnet initiate outbound Internet traffic without being reachable from the Internet; there are NAT instances and NAT gateways
      • NAT instance
        1. create a security group for the NAT with outbound rules that allow only the needed Internet resources by port, protocol and IP address.
        2. launch a NAT AMI in a public subnet and associate it with that security group.
        3. disable the source/destination check attribute of the NAT instance (it forwards traffic that is neither from nor to itself).
        4. configure the route table associated with the private subnet to direct Internet-bound traffic (0.0.0.0/0) to the NAT instance.
        5. allocate an EIP and associate it with the NAT instance.
      • NAT gateway
        • create it in a public subnet; allocate an EIP and associate it with the NAT gateway at creation
        • update the private subnet's route table to send 0.0.0.0/0 to the NAT gateway
    • Virtual Private Gateway, Customer Gateway, VPN (optional)

      this is a way to connect a customer data center and AWS

      • a VPG (virtual private gateway) is the VPN concentrator on the AWS side
      • a CGW (customer gateway) is a physical device or software appliance on the customer side.
      • if the CGW supports BGP, use dynamic routing; otherwise use static routes
      • a VPN connection consists of two IPsec tunnels, for high availability
      • the VPN tunnel must be initiated by the CGW (the AWS side does not initiate)
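The subnet sizing rules above (prefix length between /16 and /28, five reserved addresses per subnet, one subnet per AZ, subnets inside the VPC CIDR and not overlapping) can be checked mechanically. The following is an added example written for these notes, not code from the study guide or from AWS; the CIDRs are constructed and the reserved-address semantics follow the AWS documentation.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the first four (network address,
# VPC router, DNS resolver, reserved for future use) and the last (broadcast).
RESERVED_HEAD = 4
RESERVED_TAIL = 1
MIN_PREFIX, MAX_PREFIX = 16, 28   # allowed subnet sizes: /16 (largest) to /28 (smallest)


def reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in the subnet, as strings."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(net.network_address)
    head = [str(ipaddress.ip_address(first + i)) for i in range(RESERVED_HEAD)]
    return head + [str(net.broadcast_address)]


def usable_hosts(subnet_cidr):
    """Number of addresses you can actually assign to ENIs in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_HEAD - RESERVED_TAIL


def subnet_problems(vpc_cidr, subnet_cidrs):
    """Check a subnet plan against the VPC rules in the notes.

    Returns a list of problem strings; an empty list means the plan is valid.
    Checks: prefix length within /16../28, subnet inside the VPC CIDR, and no
    two subnets overlapping (a subnet cannot span AZs, so each AZ needs its
    own non-overlapping CIDR).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    accepted = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{cidr}: prefix length must be between /16 and /28")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC {vpc_cidr}")
            continue
        clash = next((other for other in accepted if net.overlaps(other)), None)
        if clash is not None:
            problems.append(f"{cidr}: overlaps {clash}")
            continue
        accepted.append(net)
    return problems


def plan_summary(vpc_cidr, subnet_cidrs):
    """Map each subnet CIDR to its usable host count; an invalid plan raises."""
    problems = subnet_problems(vpc_cidr, subnet_cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    return {cidr: usable_hosts(cidr) for cidr in subnet_cidrs}


if __name__ == "__main__":
    # Constructed example: the default VPC with one /20 per AZ plus a /24 app subnet.
    plan = ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20", "172.31.48.0/24"]
    print(plan_summary("172.31.0.0/16", plan))
    print(reserved_addresses("10.0.3.0/24"))
    print(subnet_problems("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.0.0.0/29"]))
```

A /20 default subnet reports 4091 usable addresses (4096 minus 5), and the last call reports both the overlapping /25 and the /29 that is smaller than AWS allows.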

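The route table, endpoint and NAT sections above all come down to how the VPC router picks a route: longest prefix match, with the local route, a default route to an IGW or NAT, and an endpoint's prefix-list route competing for the same packet. The simulation below is an added example for these notes, not AWS code; the VPC CIDR, the resource IDs (igw-example, nat-example, vpce-example, vgw-example) and the prefix-list contents are constructed placeholders.

```python
import ipaddress

# Constructed example VPC 10.0.0.0/16. All resource IDs are hypothetical placeholders.
# A gateway endpoint adds a route whose destination is the service's managed prefix
# list (pl-...); 203.0.113.0/24 (TEST-NET-3) stands in for that list here, real
# S3 prefix lists contain AWS-owned ranges.
PREFIX_LISTS = {"pl-example-s3": ["203.0.113.0/24"]}

ROUTE_TABLES = {
    "public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
    "private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-example"),
                 ("pl-example-s3", "vpce-example")],
    "vpn-only": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-example")],
}


def expand(routes):
    """Turn (destination, target) pairs into (network, target), expanding prefix lists."""
    expanded = []
    for dest, target in routes:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def lookup(routes, dst_ip):
    """Longest-prefix match, as the VPC router does. None means no route: the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand(routes):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(routes):
    """Subnet type as defined in the notes: public if it routes to an IGW, VPN-only if it
    routes to a virtual private gateway but not an IGW, otherwise private."""
    targets = [target for _, target in routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def egress_path(subnet_routes, nat_subnet_routes, dst_ip):
    """Hops a packet takes leaving a subnet. A NAT device sits in a public subnet, so
    traffic handed to it is then routed by that subnet's table (normally to the IGW)."""
    hop = lookup(subnet_routes, dst_ip)
    if hop is None or not hop.startswith("nat-"):
        return [hop]
    return [hop, lookup(nat_subnet_routes, dst_ip)]


if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(name, "->", classify(routes))
    # Internet-bound traffic from the private subnet goes NAT, then IGW
    print(egress_path(ROUTE_TABLES["private"], ROUTE_TABLES["public"], "198.51.100.20"))
    # traffic to the endpoint's prefix list wins by longest prefix and never touches the NAT
    print(egress_path(ROUTE_TABLES["private"], ROUTE_TABLES["public"], "203.0.113.5"))
```

The practical point for a security review: a subnet is "private" only because of what its route table lacks, and an endpoint route is preferred over the 0.0.0.0/0 NAT route purely by prefix length, which is why a gateway endpoint keeps service traffic off the NAT and the Internet.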
Security Group VS ACL

                 Security group                                   ACL
Scope            instance (ENI) level                             subnet level
Rules            allow rules only                                 both allow and deny rules
State            stateful                                         stateless
Evaluation       all rules evaluated before deciding              rules processed in number order; first match decides
Applies to       only the instances it is associated with         all instances in the associated subnet
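The table's two evaluation models behave differently on the same traffic, and the difference is easiest to see by running packets through both. The simulation below is an added example written for these notes, not code from the study guide or AWS; the packets, rule numbers and addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving at the instance/subnet, "out" = leaving it
    proto: str
    local_port: int   # port on the instance
    remote_port: int  # port on the far end
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number (evaluation order); ignored by security groups
    action: str       # "allow" or "deny" (security groups only accept "allow")
    direction: str
    proto: str
    ports: tuple      # inclusive (low, high) range on the packet's destination port
    cidr: str

    def matches(self, pkt):
        dst_port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return (self.direction == pkt.direction
                and self.proto in ("all", pkt.proto)
                and self.ports[0] <= dst_port <= self.ports[1]
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr))


def flow_key(pkt):
    # the same 4-tuple identifies a request and its reply, whichever direction it travels
    return (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)


class SecurityGroup:
    """Stateful and allow-only: every rule is considered, any match permits the packet,
    and replies to a permitted flow are permitted without a matching rule."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot contain deny rules")
        self.rules = list(rules)
        self.flows = set()

    def evaluate(self, pkt):
        if flow_key(pkt) in self.flows:          # reply/continuation of a tracked flow
            return "allow"
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(flow_key(pkt))
            return "allow"
        return "deny"                            # implicit deny, nothing else to consult


class NetworkAcl:
    """Stateless and ordered: lowest rule number first, the first match decides,
    and the implicit '*' rule at the end denies everything else."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


def demo():
    """HTTPS request from a client and the instance's reply, through both models."""
    request = Packet("in", "tcp", 443, 51000, "203.0.113.7")
    reply = Packet("out", "tcp", 443, 51000, "203.0.113.7")
    ssh_probe = Packet("in", "tcp", 22, 40000, "203.0.113.7")

    sg = SecurityGroup([Rule(0, "allow", "in", "tcp", (443, 443), "0.0.0.0/0")])
    acl_missing_ephemeral = NetworkAcl([Rule(100, "allow", "in", "tcp", (443, 443), "0.0.0.0/0")])
    acl = NetworkAcl([
        Rule(90, "deny", "in", "tcp", (443, 443), "198.51.100.0/24"),   # blocklisted source; wins by order
        Rule(100, "allow", "in", "tcp", (443, 443), "0.0.0.0/0"),
        Rule(100, "allow", "out", "tcp", (1024, 65535), "0.0.0.0/0"),   # ephemeral ports for replies
    ])
    results = {"sg_request": sg.evaluate(request)}
    results["sg_reply"] = sg.evaluate(reply)                  # no outbound rule needed: stateful
    results["sg_ssh_probe"] = sg.evaluate(ssh_probe)          # no rule, so implicit deny
    results["acl_reply_without_ephemeral_rule"] = acl_missing_ephemeral.evaluate(reply)
    results["acl_request"] = acl.evaluate(request)
    results["acl_reply"] = acl.evaluate(reply)
    results["acl_blocked_source"] = acl.evaluate(Packet("in", "tcp", 443, 51000, "198.51.100.9"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36} {verdict}")
```

The two results worth remembering: the security group allows the reply with no outbound rule at all, while the ACL silently drops the same reply until an outbound rule covering ephemeral ports exists; and only the ACL can express "deny this source", which it does by rule number order rather than by evaluating every rule.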
