AWS: Revision Notes: Virtual Private Cloud (VPC)

Introduction

A Virtual Private Cloud (VPC) is your very own part of the AWS Cloud. It's the equivalent of buying a router, some switches and setting up a network locally with a load of Ethernet cables, but it's all in the cloud, and everything inside the VPC is yours... so you have to make sure what you run in the VPC is secure and well managed.

When AWS first started, you didn't have the option of a VPC and this way of operating is now called EC2-Classic.  In this incarnation, your instances ran in a single, flat network that was shared with other customers. Thankfully, that is old now and you won't be able to create anything in EC2-Classic if you open a new AWS account these days.

If you do have an old AWS account with some EC2-Classic instances provisioned, you can use ClassicLink to associate these with a VPC.  If you decide you want to step into 2017 totally, you can also migrate your EC2-Classic instance into a VPC, but it does mean creating an AMI of the existing instance and redeploying it in the VPC.
  • CIDR Blocks for VPCs start at /16 and can be subdivided to /28.

Default VPC

  • Has an Internet Gateway (IGW) attached by default.
  • Each instance in the Default VPC has Private and Public IP addresses.
  • Resources in the Default VPC can communicate with each other out of the box, but not in a newly created VPC.

VPC Limits

  • Default VPCs per Region: 5
  • EIPs per VPC: 5

Subnets

  • Addresses Reserved per Subnet: 5 (First 4, Last 1)
  • Subnets can't span Availability Zones.
  • In addition to Private and Public subnets, a VPN-only subnet directs its traffic through the Virtual Private Gateway (VPG) to the VPN.
  • Internal IPs are non-routable to the Internet.
  • Public instances must have a public IP otherwise they can't route out.
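The two sizing rules above (VPC CIDRs from /16 down to /28, five addresses reserved per subnet) are easy to get wrong when planning address space. The following is an added worked example, not code from the original notes or from AWS: it validates a VPC CIDR, carves it into subnets with Python's standard `ipaddress` module, and reports the five reserved addresses and the usable host count for each. The 10.0.0.0/16 VPC in the `__main__` section is a constructed sample.

```python
import ipaddress

# Constants taken from the notes: a VPC CIDR is between /16 and /28 and
# every subnet loses five addresses (the first four and the last one).
VPC_LARGEST_PREFIX = 16
VPC_SMALLEST_PREFIX = 28
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept a CIDR only if its prefix length lies within the VPC bounds."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(
            f"{cidr}: VPC CIDR must be between /{VPC_LARGEST_PREFIX} and /{VPC_SMALLEST_PREFIX}"
        )
    return net


def reserved_addresses(subnet: ipaddress.IPv4Network) -> list[str]:
    """The five addresses AWS keeps back in every subnet: the first four
    (network address, VPC router, DNS, reserved for future use) and the last
    (broadcast, which VPCs do not support)."""
    first_four = [str(subnet.network_address + i) for i in range(4)]
    return first_four + [str(subnet.broadcast_address)]


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses actually available to instances in the subnet."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, subnet_prefix: int) -> list[dict]:
    """Split a VPC CIDR into equal subnets and report what each one can hold."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= VPC_SMALLEST_PREFIX:
        raise ValueError(
            f"subnet prefix /{subnet_prefix} must lie between /{vpc.prefixlen} and /{VPC_SMALLEST_PREFIX}"
        )
    return [
        {"cidr": str(s), "reserved": reserved_addresses(s), "usable": usable_hosts(s)}
        for s in vpc.subnets(new_prefix=subnet_prefix)
    ]


if __name__ == "__main__":
    # Constructed sample VPC: 10.0.0.0/16 carved into /24 subnets.
    for entry in carve_subnets("10.0.0.0/16", 24)[:2]:
        print(entry)
    # The smallest allowed subnet keeps only 11 of its 16 addresses.
    print(carve_subnets("10.0.0.0/28", 28))
```

Run it and the first /24 shows 10.0.0.0 to 10.0.0.3 and 10.0.0.255 as reserved with 251 usable hosts; a /28 leaves just 11, which is why small subnets for things like NAT instances or interface endpoints fill up faster than the prefix length suggests.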

Routing

  • VPC is an implicit router
  • Local Route for routing data locally is included in each routing table and can't be edited or deleted.
  • Subnets must be associated with a Route Table; the main route table is assigned by default.
  • Each route in a Route Table has a Destination CIDR and a Target.
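To make the routing bullets concrete, here is an added example (my own code, not from the notes or from AWS) that models a VPC route table: the local route for the VPC CIDR exists from the start and refuses edits or deletion, each route maps a Destination CIDR to a Target, and a lookup picks the most specific matching route. The IDs `igw-EXAMPLE` and `pcx-EXAMPLE` are constructed placeholders.

```python
import ipaddress
from typing import Optional


class RouteTable:
    """Simplified VPC route table: the 'local' route covering the VPC CIDR is
    present from the start and cannot be changed; every other route maps a
    Destination CIDR to a Target; lookups use longest-prefix match."""

    def __init__(self, vpc_cidr: str):
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        self.routes = {self.vpc_cidr: "local"}

    def add_route(self, destination: str, target: str) -> None:
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc_cidr:
            raise ValueError("the local route cannot be edited")
        self.routes[dest] = target

    def delete_route(self, destination: str) -> None:
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc_cidr:
            raise ValueError("the local route cannot be deleted")
        del self.routes[dest]

    def lookup(self, ip: str) -> Optional[str]:
        """Return the target for a destination IP, or None when no route matches."""
        addr = ipaddress.ip_address(ip)
        matches = [dest for dest in self.routes if addr in dest]
        if not matches:
            return None
        most_specific = max(matches, key=lambda dest: dest.prefixlen)
        return self.routes[most_specific]


def build_public_table(vpc_cidr: str, igw_id: str, peer_cidr: str, pcx_id: str) -> RouteTable:
    """Route table for a public subnet: default route to the IGW plus a peering route."""
    table = RouteTable(vpc_cidr)
    table.add_route("0.0.0.0/0", igw_id)
    table.add_route(peer_cidr, pcx_id)
    return table


if __name__ == "__main__":
    # Constructed IDs; real ones look like igw-0abc... and pcx-0abc...
    public = build_public_table("10.0.0.0/16", "igw-EXAMPLE", "10.1.0.0/16", "pcx-EXAMPLE")
    for ip in ("10.0.1.5", "10.1.2.3", "8.8.8.8"):
        print(ip, "->", public.lookup(ip))
    main = RouteTable("10.0.0.0/16")  # a table carrying only the local route
    print("8.8.8.8 via main table ->", main.lookup("8.8.8.8"))
```

The last line is the case worth remembering: a subnet left on a main table with only the local route has no path to the Internet at all, which is the safe default for anything you have not deliberately made public.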

Internet Gateway (IGW)

  • When traffic from an instance is routed to an Internet Gateway, the IGW translates the instance's private source address to its EIP and keeps that 1-to-1 NAT mapping.
  • Traffic coming from the Internet is translated back to the instance internal IP.
  • Overall, its purpose is to route Internet traffic and to perform NATing for instances with a public IP.

Elastic IP (EIP)

  • EIPs are allocated to a VPC and assigned to an instance.
  • EIPs are region specific.
  • EIPs map 1-to-1 to an ENI.
  • EIPs are charged whether they are assigned to a resource or not.
  • You can have 1 EIP per instance.

Elastic Network Interface (ENI)

  • You can attach an ENI to an EC2 instance within a VPC.
  • ENI is associated to a subnet.
  • ENI can have 1 public IP but many private IPs.
  • Dual-home an instance by attaching interfaces with IPs in different subnets.
  • You can move an ENI anywhere and attach it to a new instance.

Peering

  • VPC-to-VPC connections within the same region, including between different accounts.
  • Must have non-overlapping IP address blocks.
  • You cannot pass through one VPC to get to another, i.e., it's not transitive.
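The two peering constraints (no overlapping CIDRs, no transitive routing) are the ones that bite when you connect more than two VPCs. This is an added example, written for these notes rather than taken from them or from AWS, that models a set of VPCs and their peering connections: it refuses a peering between overlapping blocks, answers reachability only for directly peered pairs, and lists the connections still missing for a full mesh. The VPC names and CIDRs are constructed.

```python
import ipaddress
from itertools import combinations


class PeeringMesh:
    """Models the peering rules from the notes: peers need non-overlapping
    CIDRs, and peering is not transitive, so only direct connections count."""

    def __init__(self):
        self.vpcs = {}         # name -> IPv4Network
        self.peerings = set()  # one frozenset({a, b}) per peering connection

    def add_vpc(self, name: str, cidr: str) -> None:
        self.vpcs[name] = ipaddress.ip_network(cidr)

    def can_peer(self, a: str, b: str) -> bool:
        """A peering is only possible between distinct VPCs whose blocks do not overlap."""
        return a != b and not self.vpcs[a].overlaps(self.vpcs[b])

    def peer(self, a: str, b: str) -> None:
        if not self.can_peer(a, b):
            raise ValueError(f"{a} ({self.vpcs[a]}) overlaps {b} ({self.vpcs[b]}); peering impossible")
        self.peerings.add(frozenset((a, b)))

    def reachable(self, src: str, dst: str) -> bool:
        """True only for a direct peering: traffic never transits a third VPC."""
        return frozenset((src, dst)) in self.peerings

    def missing_for_full_mesh(self) -> list[tuple[str, str]]:
        """Pairs that still need their own peering connection for any-to-any reachability."""
        return sorted(
            tuple(sorted(pair))
            for pair in combinations(self.vpcs, 2)
            if frozenset(pair) not in self.peerings
        )


def demo_mesh() -> PeeringMesh:
    """Constructed sample: three non-overlapping VPCs and one that clashes with A."""
    mesh = PeeringMesh()
    mesh.add_vpc("A", "10.0.0.0/16")
    mesh.add_vpc("B", "10.1.0.0/16")
    mesh.add_vpc("C", "10.2.0.0/16")
    mesh.add_vpc("D", "10.0.128.0/17")   # sits inside A's block
    mesh.peer("A", "B")
    mesh.peer("B", "C")
    return mesh


if __name__ == "__main__":
    mesh = demo_mesh()
    print("A -> B:", mesh.reachable("A", "B"))   # direct peering
    print("A -> C:", mesh.reachable("A", "C"))   # would need to transit B: not allowed
    print("A can peer with D:", mesh.can_peer("A", "D"))
    print("still missing for full mesh:", mesh.missing_for_full_mesh())
```

Note that the count of missing pairs grows quadratically with the number of VPCs, which is the practical reason hub-and-spoke designs look for something other than plain peering once a handful of VPCs are involved.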

Security Groups

  • Default Security Group - Allows communication between all services in the Security Group and all outbound traffic.
  • Default Security Group - Can't be deleted but can be modified.
  • New Security Groups - Have a default which allows all outbound traffic.
  • Only the Default Security Group lets instances attached to the same Security Group talk to each other without adding rules.

Network Access Control Lists (NACL)

  • Rules are processed in numerical order, low to high (the lowest matching rule wins).
  • Default NACL - Is modifiable.
  • Deny is Default... Allow explicitly overrides.
  • Deny All is a catch-all that denies everything not explicitly allowed.
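The NACL bullets describe an evaluation order that is easy to state and easy to misconfigure, so here is an added example (my own code, not from the notes or from AWS) that replays it: rules are sorted by number, the first match decides, and anything unmatched hits the implicit deny-all. Because NACLs are stateless, unlike Security Groups, the example also checks a request and its reply separately, which is where a missing ephemeral-port rule silently breaks connections. The rule sets and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    """One NACL entry. Rules are evaluated from the lowest number upward and
    the first match wins; the implicit final rule ('*') denies everything."""
    number: int
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Packet:
    remote_ip: str   # the non-VPC end: source for inbound, destination for outbound
    protocol: str
    port: int        # destination port of this packet


def nacl_decide(rules: Iterable[Rule], packet: Packet) -> str:
    """Return 'allow' or 'deny' exactly as a NACL would for one packet."""
    remote = ipaddress.ip_address(packet.remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", packet.protocol):
            continue
        if remote not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= packet.port <= rule.port_to:
            continue
        return rule.action      # first match wins, regardless of later rules
    return "deny"               # the catch-all '*' rule


def session_allowed(inbound: Iterable[Rule], outbound: Iterable[Rule],
                    client_ip: str, client_port: int, server_port: int,
                    proto: str = "tcp") -> bool:
    """NACLs are stateless: the request and the reply are judged independently,
    so the reply to the client's ephemeral port needs its own outbound rule."""
    request = Packet(client_ip, proto, server_port)
    reply = Packet(client_ip, proto, client_port)
    return nacl_decide(inbound, request) == "allow" and nacl_decide(outbound, reply) == "allow"


# Constructed sample rule sets for a public web subnet.
INBOUND = [
    Rule(50, "deny", "tcp", "203.0.113.0/24", 22, 22),       # block SSH from one range
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(110, "allow", "tcp", "0.0.0.0/0", 22, 22),
    Rule(120, "allow", "tcp", "0.0.0.0/0", 1024, 65535),     # replies to outbound connections
]
OUTBOUND_MISSING_EPHEMERAL = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
]
OUTBOUND = OUTBOUND_MISSING_EPHEMERAL + [
    Rule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535),     # replies to inbound connections
]


if __name__ == "__main__":
    print("SSH from 203.0.113.7:", nacl_decide(INBOUND, Packet("203.0.113.7", "tcp", 22)))
    print("SSH from 198.51.100.9:", nacl_decide(INBOUND, Packet("198.51.100.9", "tcp", 22)))
    print("HTTP (port 80) from anywhere:", nacl_decide(INBOUND, Packet("198.51.100.9", "tcp", 80)))
    print("HTTPS session, no ephemeral outbound rule:",
          session_allowed(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.9", 51000, 443))
    print("HTTPS session, ephemeral rule present:",
          session_allowed(INBOUND, OUTBOUND, "198.51.100.9", 51000, 443))
```

Two things the run shows: rule 50 beats rule 110 for the blocked range purely because its number is lower, and an inbound allow on 443 is useless until the outbound side also allows the reply to the client's ephemeral port. A Security Group would have passed that reply automatically because it tracks connection state.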

Network Address Translation (NATs)

  • NAT Instance: use the amzn-ami-vpc-nat AMI and disable the "Source/Destination Check".
  • NAT Instance: assign an EIP to the instance and put it in the Private subnet.
  • NAT Gateway: create the Gateway and an EIP, add a route from the Private Subnet to the IGW; for HA, create a NAT Gateway in each AZ and route accordingly.

Dedicated Tenancy

Dedicated Tenancy is the default in AWS, where you share resources with other customers.  It is set in the VPC and if you want to move from this model, you must create a new VPC.


VPC Videos from AWS...