Virtual Private Cloud (VPC)

  • AWS Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS cloud, where you can launch AWS resources in a virtual network you define (and completely control).
    • A VPC lives in a single region but can span multiple AZs (for example, you can create one subnet in each AZ);
      • A subnet is called a public subnet if its route table has an entry that directs traffic to the Internet Gateway.
    • However, VPC peering is supported between VPCs in different regions;
    • EC2 instances in a cluster placement group can exist in VPCs in different regions as long as the VPCs are peered.
  • We can create 2 types of VPCs: the default VPC and custom VPCs.
  • VPC peering: connect one VPC with another via a direct network route using private IP addresses. This makes instances behave as if they were on the same private network.
    • You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks;
    • Communication over IPv6 is not supported for an inter-region VPC peering connection;
    • Currently, VPC peering only allows a star configuration; there is no transitive peering (i.e., peering connections cannot be chained);
    • VPC peering does not support edge-to-edge routing. This means a peering connection cannot be extended through a VPN connection, Direct Connect, Internet Gateway, NAT device, VPC endpoint, etc.
  • Security groups (SGs) are stateful, while network ACLs are stateless.
  • All resources in the same subnet must be in the same AZ.
  • Within each subnet, 5 IP addresses are reserved.
  • To balance usage, AWS randomizes the names of the AZs for each region.
  • Each load balancer has to be associated with at least 2 subnets.
  • To ensure all COPY and UNLOAD traffic flows inside a VPC, enable Amazon Redshift Enhanced VPC Routing.
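Two of the address-planning rules above (no overlapping CIDRs between peered VPCs, 5 reserved addresses per subnet) are easy to get wrong on paper. The following is an added example, not code from the original notes; it uses only the standard library and a constructed address plan, and relies on the fact that AWS reserves the first four and the last address of every subnet.

```python
# Added example (not from the original notes): checks two VPC address-planning
# rules with the standard library only.
#   1. VPCs to be peered must not have overlapping IPv4 CIDR blocks.
#   2. AWS reserves 5 addresses in every subnet (the first four and the last),
#      so a /28 yields 11 usable hosts, not 14.
import ipaddress
from itertools import combinations

def peering_conflicts(vpcs):
    """Return the pairs of VPC names whose CIDR blocks overlap.

    vpcs: dict of {name: cidr_string}.  Any pair listed here cannot be peered.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in vpcs.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )

def subnet_capacity(cidr):
    """Return (reserved_addresses, usable_host_count) for one AWS subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net)
    # AWS reserves: network address, VPC router, DNS resolver, future use, broadcast.
    reserved = [str(a) for a in hosts[:4]] + [str(hosts[-1])]
    return reserved, net.num_addresses - 5

if __name__ == "__main__":
    # Constructed sample address plan (not a real account).
    plan = {
        "prod":   "10.0.0.0/16",
        "dev":    "10.1.0.0/16",
        "legacy": "10.0.128.0/17",   # sits inside prod: cannot be peered with it
    }
    print(peering_conflicts(plan))          # [('legacy', 'prod')]
    print(subnet_capacity("10.0.1.0/28"))   # 5 reserved addresses, 11 usable
```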

NAT Instance & NAT Gateway

  • A NAT Gateway should always be preferred over a NAT instance because of its HA support.
  • A NAT instance is simply an EC2 instance launched from a special AMI, with its source/destination check disabled.
    • A NAT instance itself must be in a public subnet.
    • For it to work, there must be a route from the private subnet to the NAT instance.
  • To create an AZ-independent architecture, create a NAT device (instance or gateway) in each AZ and make sure resources in each AZ use the NAT device in the same AZ.
  • A NAT instance / gateway is different from an Internet Gateway:
    • NAT devices direct traffic from a private subnet to a public subnet, while the Internet Gateway directs traffic from a public subnet to the Internet outside the VPC;
    • Each VPC can have only 1 Internet Gateway. However, there should be 1 NAT device in each AZ of the VPC;
    • The Internet Gateway is not a physical device, so it does not limit the bandwidth of Internet connectivity. However, even a NAT Gateway has a bandwidth limit of 10 Gbps.

Network ACL

  • A network ACL has both ALLOW and DENY rules.
  • A network ACL is stateless: inbound and outbound rules are evaluated independently, so return traffic must be explicitly allowed.
  • A network ACL evaluates its rules in order of rule number, lowest first; the first matching rule wins.
    • However, network ACL rules are applied before SG rules, since the ACL sits at the subnet boundary.
  • Each VPC comes with a default network ACL, which allows all inbound and outbound traffic by default.
  • Each subnet can be associated with only 1 network ACL at a time.
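The stateless point above is the one that bites in practice: an inbound ALLOW for port 443 does nothing for the server's replies unless the outbound side also allows the ephemeral port range. The following is an added example, not code from the original notes; it is a small simulator of the network ACL evaluation order (lowest rule number first, implicit final DENY), with constructed rules and addresses.

```python
# Added example (not from the original notes): a minimal simulator of how a
# network ACL evaluates its rules, to make the stateless point concrete.
# Rules are (rule_number, protocol, (from_port, to_port), cidr, action);
# rule number "*" is the implicit final DENY on every AWS network ACL.
import ipaddress

STAR = float("inf")  # "*" sorts after every numbered rule

def evaluate(rules, protocol, port, address):
    """Return 'ALLOW' or 'DENY' for one packet: lowest-numbered matching rule wins."""
    addr = ipaddress.ip_address(address)
    for number, proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto not in (protocol, "all"):
            continue
        if not lo <= port <= hi:
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return action
    return "DENY"  # unreachable when the "*" rule is present; kept for safety

# Constructed subnet ACL for a public web tier.
INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    (200, "tcp", (22, 22), "203.0.113.0/24", "ALLOW"),    # admin range only
    (STAR, "all", (0, 65535), "0.0.0.0/0", "DENY"),
]
# Without rule 100 below, the web server's *replies* to clients are dropped,
# because the ACL does not remember the inbound connection (stateless).
OUTBOUND_BROKEN = [
    (STAR, "all", (0, 65535), "0.0.0.0/0", "DENY"),
]
OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),  # ephemeral ports for replies
    (STAR, "all", (0, 65535), "0.0.0.0/0", "DENY"),
]

def web_session_allowed(outbound_rules, client_ip, client_port):
    """True only if both the client's request and the server's reply pass the ACL."""
    request = evaluate(INBOUND, "tcp", 443, client_ip)
    reply = evaluate(outbound_rules, "tcp", client_port, client_ip)
    return request == "ALLOW" and reply == "ALLOW"

if __name__ == "__main__":
    print(web_session_allowed(OUTBOUND_BROKEN, "198.51.100.7", 51515))  # False
    print(web_session_allowed(OUTBOUND, "198.51.100.7", 51515))         # True
    print(evaluate(INBOUND, "tcp", 22, "198.51.100.7"))                  # DENY
```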

Flow Log

  • VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in a VPC. The data is stored in CloudWatch Logs (or an S3 bucket).
  • Flow logs can be created at 3 different levels: VPC, subnet, network interface.
  • The configuration of a flow log cannot be changed once it is created.
  • Not all traffic is logged. For example, the following traffic is not logged:
    • Traffic generated by instances when they contact the Amazon DNS server;
    • Traffic generated by Windows instances when they contact the Amazon Windows license activation server;
    • Traffic to and from 169.254.169.254 for instance metadata;
    • Traffic to the reserved IP addresses for the default VPC router;
    • DHCP traffic.
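Once flow logs land in CloudWatch Logs or S3, the default record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) is what any detection logic has to parse. The following is an added example, not code from the original notes; it parses that format, tolerates NODATA records, and counts rejected attempts per source, using constructed sample records rather than data from a real account.

```python
# Added example (not from the original notes): parse VPC Flow Log records in
# the default (version 2) format and summarize rejected connection attempts
# per source address, the kind of check a detection rule on the stored logs
# would perform. Sample records are constructed, not captured from a real account.
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

def parse_record(line):
    """Turn one space-separated flow log line into a dict; numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        # NODATA / SKIPDATA records carry '-' instead of a number.
        rec[name] = int(rec[name]) if rec[name] != "-" else None
    return rec

def rejected_by_source(lines, dstport=None):
    """Count REJECT records per source address, optionally for one destination port."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        if dstport is not None and rec["dstport"] != dstport:
            continue
        counts[rec["srcaddr"]] += 1
    return counts

# Constructed sample: one accepted session, repeated SSH rejects, one NODATA record.
SAMPLE = """\
2 111111111111 eni-0abc0000000000001 10.0.1.25 10.0.2.40 49152 443 6 12 3405 1700000000 1700000059 ACCEPT OK
2 111111111111 eni-0abc0000000000001 198.51.100.7 10.0.2.40 51000 22 6 1 44 1700000000 1700000059 REJECT OK
2 111111111111 eni-0abc0000000000001 198.51.100.7 10.0.2.40 51001 22 6 1 44 1700000060 1700000119 REJECT OK
2 111111111111 eni-0abc0000000000001 203.0.113.9 10.0.2.40 40000 22 6 1 44 1700000060 1700000119 REJECT OK
2 111111111111 eni-0abc0000000000001 - - - - - - - 1700000120 1700000179 - NODATA"""

if __name__ == "__main__":
    for src, n in rejected_by_source(SAMPLE.splitlines(), dstport=22).most_common():
        print(f"{src}: {n} rejected SSH attempts")
```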

Bastion

  • A bastion instance (also called a "jump box") is used to securely administer EC2 instances.
  • A NAT gateway cannot be used as a bastion host.

Direct Connect

  • Direct Connect is a service for establishing a dedicated network connection from your premises to AWS.
  • Direct Connect is useful when you need a stable, reliable, secure connection, or have high-throughput workloads.
  • AWS recently announced a new service, Direct Connect Gateway, which allows Direct Connect users to connect to multiple VPCs in the same or different regions.
    • Direct Connect Gateway is built on top of Direct Connect.

Virtual Private Gateway

  • To give services inside an AWS VPC access to your on-premises network, the following components have to be created:
    • A Virtual Private Gateway, which is the VPN concentrator on the AWS side;
    • An AWS Transit Gateway or Customer Gateway (i.e., your VPN gateway device), on the on-premises side.
  • Traffic via a Virtual Private Gateway still goes through the public Internet (although it is encrypted).
    • Direct Connect, by contrast, provides a fully dedicated and private connection.

VPC Endpoint

  • A VPC endpoint lets you privately connect your VPC to supported AWS services and to VPC endpoint services powered by PrivateLink.
  • There are two types of VPC endpoints: interface endpoints and gateway endpoints.
  • VPC endpoints are virtual devices.
