Virtual Private Cloud (VPC)
- AWS Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS cloud, where you can launch AWS resources in a virtual network that you define and fully control.
- A VPC resides in a single region but can span multiple AZs (for example, you can create one subnet in each AZ);
  - A subnet is called a public subnet if its route table has an entry that directs traffic to an Internet Gateway.
  - However, VPC peering supports cross-region VPCs;
  - EC2 instances in a cluster placement group can exist in VPCs in different regions as long as those VPCs are peered.
- We could create 2 types of VPCs: default VPC and custom VPC.
- VPC peering: connects one VPC with another via a direct network route using private IP addresses. This makes instances behave as if they were on the same private network.
  - You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks;
  - Communication over IPv6 is not supported for an inter-region VPC peering connection;
  - Currently, VPC peering only allows a star configuration; there is no transitive peering (i.e., VPC peering does not support chaining);
  - VPC peering does not support edge-to-edge routing. This means a VPC peering connection cannot be extended through a VPN connection, Direct Connect, an Internet Gateway, a NAT device, a VPC endpoint, etc.
- Security groups (SGs) are stateful, while network ACLs are stateless.
- All resources in the same subnet must be in the same AZ.
- Within each subnet, 5 IP addresses are reserved.
- To balance the usage, AWS randomizes the names of the AZs for each region.
- Each load balancer has to be associated with at least 2 subnets.
- To ensure all COPY and UNLOAD traffic flows inside a VPC, you should enable AWS Redshift Enhanced VPC Routing.
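The two numeric rules above (no peering between matching or overlapping CIDR blocks, and 5 reserved addresses per subnet) are easy to get wrong when planning address space. The following Python is an added example written for these notes, not AWS code; the VPC ids and CIDR blocks are constructed sample values. It checks a set of VPCs for peering conflicts and shows which addresses of a subnet AWS keeps for itself.

```python
import ipaddress

# Constructed sample VPC CIDRs (not from any real account).
VPC_CIDRS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.0.128.0/17",  # sits inside vpc-a's range: peering would be refused
    "vpc-c": "10.1.0.0/16",
    "vpc-d": "172.16.0.0/16",
}

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), the DNS resolver (.2), one held for future use (.3) and the
# broadcast address (the last one).
RESERVED_PER_SUBNET = 5


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """True when two IPv4 CIDR blocks neither match nor overlap."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    return not a.overlaps(b)


def peering_conflicts(vpc_cidrs: dict) -> list:
    """All VPC-id pairs that could not be peered because their CIDRs overlap."""
    ids = sorted(vpc_cidrs)
    return [
        (x, y)
        for i, x in enumerate(ids)
        for y in ids[i + 1:]
        if not can_peer(vpc_cidrs[x], vpc_cidrs[y])
    ]


def reserved_addresses(subnet_cidr: str) -> list:
    """The five addresses AWS takes out of a subnet, in address order."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in (0, 1, 2, 3)] + [str(net[-1])]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for your resources after the reservation (a /28 leaves 11)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    for pair in peering_conflicts(VPC_CIDRS):
        print("cannot peer:", pair)
    print("10.0.1.0/24 reserved:", reserved_addresses("10.0.1.0/24"))
    print("10.0.1.0/24 usable:", usable_hosts("10.0.1.0/24"))
```

Run it before requesting a peering connection: a conflict reported here is exactly the request the API would refuse, and the reserved-address list explains why a /24 only ever yields 251 usable addresses.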
NAT Instance & NAT Gateway
- A NAT Gateway should always be used over a NAT instance due to its HA support.
- A NAT instance is simply an EC2 instance launched from a special AMI, with its source/destination check disabled.
- A NAT instance itself must be in a public subnet.
- For it to work, there must be a route out of the private subnet to the NAT instance.
- To create an AZ-independent architecture, create a NAT instance for each AZ and make sure resources in each AZ use the NAT gateway in the same AZ.
- NAT instances / gateways are different from an Internet Gateway:
  - NAT devices direct traffic from a private subnet to a public subnet, while an Internet Gateway directs traffic from a public subnet to the Internet outside the VPC;
  - Each VPC can have only 1 Internet Gateway. However, there should be 1 NAT device in each AZ of the VPC;
  - An Internet Gateway is not a physical device, so it does not limit the bandwidth of Internet connectivity. However, even a NAT Gateway has a bandwidth limit of 10Gbps.
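The public/private distinction and the one-NAT-per-AZ rule above can be checked mechanically from route tables. The following Python is an added example for these notes, not AWS code; the route table, subnet and NAT gateway ids form a constructed two-AZ topology (one of the private route tables deliberately points at a NAT gateway in the other AZ, and one NAT gateway is deliberately placed in a private subnet).

```python
# Constructed sample topology for one VPC with two AZs (not a real account).
ROUTE_TABLES = {
    "rtb-public":     {"0.0.0.0/0": "igw-main"},
    "rtb-private-1a": {"0.0.0.0/0": "nat-1a"},
    "rtb-private-1b": {"0.0.0.0/0": "nat-1a"},  # wrong: 1b subnets hairpin through 1a
    "rtb-isolated":   {},                        # local route only, no egress
}
SUBNETS = {
    "subnet-pub-1a": {"az": "us-east-1a", "rtb": "rtb-public"},
    "subnet-pub-1b": {"az": "us-east-1b", "rtb": "rtb-public"},
    "subnet-app-1a": {"az": "us-east-1a", "rtb": "rtb-private-1a"},
    "subnet-app-1b": {"az": "us-east-1b", "rtb": "rtb-private-1b"},
    "subnet-db-1a":  {"az": "us-east-1a", "rtb": "rtb-isolated"},
}
# NAT gateway id -> subnet it was created in.
NAT_GATEWAYS = {
    "nat-1a": "subnet-pub-1a",
    "nat-misplaced": "subnet-app-1a",  # wrong: a NAT device must live in a public subnet
}


def is_public(subnet_id, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """A subnet is public when its route table sends traffic to an Internet Gateway."""
    routes = route_tables[subnets[subnet_id]["rtb"]]
    return any(target.startswith("igw-") for target in routes.values())


def egress_target(subnet_id, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Target of the default route, or None for an isolated subnet."""
    return route_tables[subnets[subnet_id]["rtb"]].get("0.0.0.0/0")


def nat_az_violations(subnets=SUBNETS, route_tables=ROUTE_TABLES, nat_gateways=NAT_GATEWAYS):
    """Private subnets whose default route leaves through a NAT gateway in another AZ."""
    findings = []
    for sid, s in subnets.items():
        target = egress_target(sid, subnets, route_tables)
        if target is None or not target.startswith("nat-"):
            continue
        nat_az = subnets[nat_gateways[target]]["az"]
        if nat_az != s["az"]:
            findings.append((sid, target, s["az"], nat_az))
    return findings


def nat_placement_violations(subnets=SUBNETS, route_tables=ROUTE_TABLES, nat_gateways=NAT_GATEWAYS):
    """NAT gateways that were not placed in a public subnet (they cannot reach the IGW)."""
    return [nat for nat, sid in nat_gateways.items() if not is_public(sid, subnets, route_tables)]


if __name__ == "__main__":
    for sid in SUBNETS:
        print(sid, "public" if is_public(sid) else "private", "egress:", egress_target(sid))
    print("cross-AZ NAT routes:", nat_az_violations())
    print("NAT gateways outside public subnets:", nat_placement_violations())
```

A cross-AZ finding is an availability problem (an outage in the NAT gateway's AZ takes the other AZ's egress with it) and a cost problem (cross-AZ data transfer); a misplaced NAT gateway simply has no path to the Internet.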
Network ACL
- A network ACL has both ALLOW and DENY rules.
- A network ACL is stateless (inbound and outbound rules are evaluated independently, so they are not symmetric).
- A network ACL evaluates its rules in order of the priority (rule number) assigned.
- Network ACL rules always take priority over SG rules.
- Each VPC comes with a default network ACL, which by default allows all inbound & outbound traffic.
- Each subnet can be associated with only 1 network ACL at a time.
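The two properties that matter most in practice, ordered evaluation with an implicit final deny and statelessness, are shown by the following Python, an added example for these notes rather than AWS code. The rule sets are constructed: an inbound list that denies one source range before a broad allow, an outbound list that forgets the ephemeral-port return range, and the corrected outbound list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # rule number; the lowest is evaluated first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # remote CIDR (source for inbound, destination for outbound)
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, remote_addr, port):
    """First matching rule wins; nothing matching hits the implicit final '*' DENY."""
    addr = ipaddress.ip_address(remote_addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"


def tcp_session(inbound, outbound, client_addr, client_port, server_port):
    """Outcome of a client-initiated TCP session through a stateless ACL.

    Returns (request_action, response_action). Because the ACL keeps no
    connection state, the reply is matched against the OUTBOUND rules on its
    own, with the client's ephemeral port as the destination port.
    """
    request = evaluate(inbound, "tcp", client_addr, server_port)
    response = evaluate(outbound, "tcp", client_addr, client_port)
    return request, response


# Constructed example rule sets (not from any real account).
INBOUND = [
    NaclRule(100, "tcp", "203.0.113.0/24", 443, 443, "deny"),   # specific deny first
    NaclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Forgetting the ephemeral-port range is the classic stateless-ACL mistake:
# the request is accepted but the server's reply is dropped on the way out.
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]


if __name__ == "__main__":
    print("broken:", tcp_session(INBOUND, OUTBOUND_BROKEN, "198.51.100.7", 51234, 443))
    print("fixed: ", tcp_session(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234, 443))
    print("denied source:", tcp_session(INBOUND, OUTBOUND_FIXED, "203.0.113.9", 51234, 443))
```

The same rules with the numbers swapped (100 allow, 110 deny) let the broad allow win for the denied range, which is why rule numbering, not list order, decides the outcome. A security group needs no return-traffic rule because it is stateful.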
Flow Log
- VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in a VPC. The data is stored in CloudWatch Logs (or an S3 bucket).
- Flow logs can be created at 3 different levels: VPC, subnet, network interface.
- The configuration of a flow log cannot be changed once it is created.
- Not all traffic is logged. For example, the following traffic will not be logged:
  - Traffic generated by instances when they contact the AWS DNS server;
  - Traffic generated by Windows instances when they contact the AWS Windows licence server;
  - Traffic from & to 169.254.169.254 regarding instance metadata;
  - Traffic to the reserved IP addresses for the default VPC router;
  - DHCP traffic.
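Once flow logs land in CloudWatch Logs or S3, the useful part is reading them. The following Python is an added example for these notes, not AWS code: it parses records in the default flow log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and counts rejected connection attempts to administrative ports from outside the VPC. The log lines, account id, interface id and addresses are constructed; note that, as listed above, metadata traffic to 169.254.169.254 never appears in these records, so no special case is needed for it.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default flow log format (version 2).
# The last line has log-status NODATA: no flow was seen in that window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.12 10.0.1.25 54321 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.12 10.0.1.25 54322 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 44122 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.25 40000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.3.8 10.0.1.25 50100 22 6 10 1200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # the numeric fields are '-' in these records
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def rejected_admin_probes(records, vpc_cidr, admin_ports=(22, 3389)):
    """Count REJECTed TCP flows to admin ports, grouped by source outside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = Counter()
    for r in records:
        if r["action"] != "REJECT" or r["protocol"] != 6:   # 6 = TCP
            continue
        if r["dstport"] not in admin_ports:
            continue
        if ipaddress.ip_address(r["srcaddr"]) in vpc:
            continue   # internal source: worth a separate check, not an external probe
        hits[r["srcaddr"]] += 1
    return dict(hits)


def accepted_bytes_by_interface(records):
    """Bytes carried by ACCEPTed flows per network interface."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[r["interface_id"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("external admin-port rejects:", rejected_admin_probes(recs, "10.0.0.0/16"))
    print("accepted bytes:", accepted_bytes_by_interface(recs))
```

A REJECT record means a security group or network ACL dropped the flow, so a rising per-source count on ports 22 or 3389 is a cheap signal that a host is being scanned, without any packet capture.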
Bastion
- A Bastion instance (also called a "jump box") is used to securely administer EC2 instances.
- NAT gateway cannot be used as a Bastion host.
Direct Connect
- Direct Connect is a service that establishes a dedicated network connection from your premises to AWS.
- Direct Connect is useful if you need a stable, reliable and secure connection, or have high-throughput workloads.
- AWS has recently announced a new service, Direct Connect Gateway, which allows users of Direct Connect to connect to multiple VPCs in the same or different regions.
- Direct Connect Gateway is built on top of Direct Connect.
Virtual Private Gateway
- To give services inside an AWS VPC access to your on-premises network, the following components have to be created:
  - A Virtual Private Gateway, which is the VPN concentrator on the AWS side;
  - An AWS Transit Gateway or Customer Gateway (i.e., your VPN gateway device) on the on-premises side.
- Traffic via a Virtual Private Gateway still goes through the public Internet (although it is encrypted).
- Direct Connect, however, provides a fully dedicated & private connection.
VPC Endpoint
- A VPC endpoint lets you privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink.
- There are two types of VPC endpoints: interface endpoints and gateway endpoints.
- VPC endpoints are virtual devices.