#AWS
#DevOps
- Amazon Virtual Private Cloud
- A VPC is an isolated portion of the AWS Cloud
- i.e. define and launch AWS resources in a logically isolated virtual network
Pricing for Amazon VPC
- There’s no additional charge for using a VPC.
- There are charges for some VPC components, such as NAT gateways, Reachability Analyzer, and traffic mirroring
Concepts
- A subnet is a range of IP addresses in your VPC.
Subnet Types -- based on IPs
- IPv4-only
- Dual-stack (IPv4 and IPv6)
- IPv6-only
Subnet Types -- based on configuration
- Public subnet
- Private subnet
- VPN-only subnet
Public subnet
- If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet.
- Resources can reach, and be reached from, the internet, provided they have a public or Elastic IP and their security group and NACL allow the traffic
Private subnet
- If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
- Resources are not reachable from the internet; they can only reach it through a NAT gateway or NAT instance that sits in a public subnet
Route Table
- A route table contains a set of rules, called routes
- It's like a rule-book: for a destination IP, where to send the packet (inside the VPC, to the internet, to the VPN, ...)
- A route table specifies how packets are forwarded between the subnets within your VPC, the internet, and your VPN connection
- Every route table has a fixed "local" route for the VPC CIDR; when several routes match, the most specific (longest prefix) wins
Internet gateway
- An internet gateway enables resources in your public subnets to connect to the internet if the resource has a public IP address
CIDR
- Classless Inter-Domain Routing
IPs range
- 0.0.0.0/0 –> all IPs
- Each of the 4 octets of an IPv4 address –> 0 - 255
- /N means the first N bits are fixed (the network part) and the remaining 32-N bits can vary, giving 2^(32-N) addresses
/32 means 1 IP (2^0)
/31 means 2 IPs (2^1)
/28 means 16 IPs (2^4)
/25 means 128 IPs (2^7) --> x.x.x.0 to x.x.x.127
/24 means 256 IPs (2^8) --> x.x.x.0 to x.x.x.255
/32 --> No IP bits change (a single host)
/24 --> Last 1 octet can change
/16 --> Last 2 octets can change
/8 --> Last 3 octets can change
/0 --> All 4 octets can change (every IP)
NOTE
- AWS reserves the first 4 and the last address of every subnet (in 10.0.0.0/24: 10.0.0.0-10.0.0.3 and 10.0.0.255), so a /24 gives 251 usable IPs
- A VPC or subnet IPv4 CIDR must be between /16 and /28
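The CIDR arithmetic above, worked through in code. This is an added example, not part of the original notes: it computes the network address, last address, block size and AWS-usable count by hand with bit masks, and cross-checks the result against Python's ipaddress module. The sample blocks are constructed.

```python
"""Added example (not from the original notes): CIDR arithmetic by hand,
cross-checked against Python's ipaddress module. Sample blocks are constructed."""
import ipaddress


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_info(cidr: str) -> dict:
    """Network address, last address, size and AWS-usable size of a block."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    host_bits = 32 - prefix                          # bits that may change
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF    # /24 -> 255.255.255.0
    network = ip_to_int(ip) & mask                   # zero the host bits
    size = 1 << host_bits                            # 2^(32-N) addresses
    return {
        "network": int_to_ip(network),
        "last": int_to_ip(network + size - 1),
        "size": size,
        # AWS reserves the first 4 and the last address of every subnet
        "aws_usable": max(size - 5, 0),
        # AWS only accepts /16 .. /28 for a VPC or subnet IPv4 block
        "aws_subnet_ok": 16 <= prefix <= 28,
    }


def contains(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr (same network bits under the mask)."""
    ip_part, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return (ip_to_int(ip_part) & mask) == (ip_to_int(ip) & mask)


def check_against_stdlib(cidr: str) -> bool:
    """Confirm the hand-rolled math agrees with ipaddress for this block."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = cidr_info(cidr)
    return (info["network"], info["last"], info["size"]) == (
        str(net.network_address), str(net.broadcast_address), net.num_addresses)


if __name__ == "__main__":
    for block in ("10.0.0.0/24", "10.0.1.130/25", "10.0.0.0/16", "0.0.0.0/0"):
        print(block, cidr_info(block), "stdlib agrees:", check_against_stdlib(block))
    print("10.0.200.7 in 10.0.0.0/16:", contains("10.0.0.0/16", "10.0.200.7"))
```

Note that 10.0.1.130/25 normalises to the 10.0.1.128/25 block: the host bits of the address given are simply masked off, which is exactly what the console does when you type a non-aligned CIDR.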
Create replica of default VPC
- Create VPC (the VPC CIDR must contain both subnets below, e.g. 10.0.0.0/16)
- Create Subnet
- 1st subnet –> IPv4 CIDR block –> 10.0.0.0/24
- 2nd subnet –> IPv4 CIDR block –> 10.0.1.0/24
- Create Internet Gateway and attach it to the VPC
- Create Route table
VPC > Route tables > Create route table > select vpc
- Also add ‘Subnet associations’ and ‘Routes’ (0.0.0.0/0 –> the internet gateway)
- Only associate the subnets that should be public; a subnet left on the main route table without an internet gateway route stays private
Launch instance
- Update subnet
Edit subnet settings > Enable auto-assign public IPv4 address --> check
- If this is unchecked, then while launching an EC2 instance with the custom VPC selected, by default
Network settings > Auto-assign public IP --> is disabled
- Enable this only on public subnets; instances in private subnets should never get a public IP
- Launch instance with custom VPC
- Connect to AWS
- Edit VPC DNS Hostname and Resolution
- Enable DNS hostnames (DNS resolution is already on by default; hostnames are off in a custom VPC)
- Now ‘Public IPv4 DNS’ will be available
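The same build, done from a script instead of the console. This is an added example and not code from the original notes: plan_vpc() is a pure function that checks the subnets fit inside the VPC block and do not overlap, and records that only the public subnet gets auto-assigned public IPs and an internet gateway route; apply_plan() then makes the boto3 calls (it assumes boto3 is installed and AWS credentials are configured). The CIDRs and region are assumptions.

```python
"""Added example (not from the original notes): build the public/private VPC
described above with boto3. plan_vpc() is pure and validates the CIDRs;
apply_plan() performs the API calls and needs AWS credentials.
The CIDRs and region are assumptions, not values from the notes."""
import ipaddress


def plan_vpc(vpc_cidr: str, public: list, private: list) -> dict:
    """Validate the subnets and describe what apply_plan() will create.
    Only public subnets get auto-assigned public IPs and the IGW route."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC IPv4 CIDR must be between /16 and /28")
    subnets = []
    for cidr, is_public in [(c, True) for c in public] + [(c, False) for c in private]:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"{cidr} is not inside VPC CIDR {vpc_cidr}")
        if any(net.overlaps(s["net"]) for s in subnets):
            raise ValueError(f"{cidr} overlaps another subnet")
        subnets.append({"net": net, "cidr": cidr, "public": is_public,
                        "map_public_ip": is_public})
    return {
        "vpc_cidr": vpc_cidr,
        "subnets": subnets,
        "public_routes": [("0.0.0.0/0", "igw")],   # plus the implicit local route
        "private_routes": [],                      # only the implicit local route
    }


def plan_error(vpc_cidr: str, public: list, private: list):
    """Return the validation error message, or None if the plan is valid."""
    try:
        plan_vpc(vpc_cidr, public, private)
        return None
    except ValueError as e:
        return str(e)


def apply_plan(plan: dict, region: str = "us-east-1") -> dict:
    """Create the resources. boto3 is imported here so planning stays usable offline."""
    import boto3  # assumption: boto3 installed and credentials configured
    ec2 = boto3.client("ec2", region_name=region)
    vpc_id = ec2.create_vpc(CidrBlock=plan["vpc_cidr"])["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])
    # DNS hostnames are off by default in a custom VPC; needed for 'Public IPv4 DNS'
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    public_rt = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    for dest, _target in plan["public_routes"]:
        ec2.create_route(RouteTableId=public_rt, DestinationCidrBlock=dest, GatewayId=igw_id)
    private_rt = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    created = {"vpc": vpc_id, "igw": igw_id, "subnets": {}}
    for s in plan["subnets"]:
        subnet_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=s["cidr"])["Subnet"]["SubnetId"]
        # auto-assign public IPv4 only where the plan says so (public subnets)
        ec2.modify_subnet_attribute(SubnetId=subnet_id,
                                    MapPublicIpOnLaunch={"Value": s["map_public_ip"]})
        ec2.associate_route_table(RouteTableId=public_rt if s["public"] else private_rt,
                                  SubnetId=subnet_id)
        created["subnets"][s["cidr"]] = subnet_id
    return created


if __name__ == "__main__":
    import sys
    p = plan_vpc("10.0.0.0/16", public=["10.0.0.0/24"], private=["10.0.1.0/24"])
    for s in p["subnets"]:
        print(s["cidr"], "public" if s["public"] else "private",
              "auto-assign public IP:", s["map_public_ip"])
    if "--apply" in sys.argv:          # only touch AWS when asked to
        print(apply_plan(p))
```

Running it without --apply only prints the plan; the point of separating plan from apply is that the overlap and "inside the VPC" checks fail before anything is created, and the private subnet can never end up with MapPublicIpOnLaunch set by accident.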
VPC Security
Security Group
- A security group is a virtual firewall that controls the traffic to and from your EC2 instances (attached to the instance's network interface, not to the subnet).
- A security group is the first line of defence against attackers; it has allow rules only, anything not explicitly allowed is dropped.
- It controls traffic –> who can come IN and –> who can go OUT
NOTE
:
- Security groups are stateful: if an inbound connection is allowed, its reply traffic is allowed out automatically, no outbound rule is needed
- Likewise, if an outbound connection is allowed, its reply traffic is allowed back in automatically
- This does not "open the port" in the other direction: an inbound rule on 22 does not let the instance initiate connections to port 22 elsewhere
- Every new security group comes with an allow-all outbound rule; remove or narrow it for instances that do not need to reach the internet
Network ACLs
- Network Access Control List
- A NACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- Unlike security groups, NACLs are stateless and support both allow and deny rules; rules are evaluated in rule-number order and the first match wins, with an implicit deny-all (*) at the end
- Because they are stateless, reply traffic must be allowed explicitly in the opposite direction (typically the ephemeral port range 1024-65535)
- Try: block all outbound
- Doing this on the default NACL
VPC > Network ACLs > Select N ACL > Edit outbound rules
- Caution: the default NACL is associated with every subnet that has no custom NACL, so blocking all outbound there also cuts off replies to inbound connections in all of those subnets
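The stateful/stateless difference between a security group and a NACL, as an added example (not code from the original notes). It models one SSH session with a security group that has only an inbound rule on 22, and a NACL that needs an explicit outbound ephemeral-port rule for the replies to get out. The rules, addresses and ports are constructed; the functions mirror the documented evaluation semantics but are not AWS code.

```python
"""Added example (not from the original notes): a toy model of how a stateful
security group and a stateless NACL judge the same packets. Rules, addresses
and ports are constructed; this mirrors the documented semantics, not AWS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" or "out", relative to the instance
    proto: str           # "tcp" / "udp"
    peer_ip: str         # the remote address (source if inbound, destination if outbound)
    dst_port: int        # destination port of the packet
    reply: bool = False  # belongs to a connection that was already allowed


# Security group: allow rules only, matched on destination port and peer CIDR.
# Deliberately no outbound rule at all (the default allow-all outbound removed).
SG_RULES = [
    {"direction": "in", "proto": "tcp", "port": 22, "cidr": "203.0.113.0/24"},
]

# NACL: numbered allow/deny rules, lowest number first, first match wins,
# implicit "*" deny at the end. Rule 110 is what lets SSH replies leave.
NACL_RULES = [
    {"rule": 100, "direction": "in", "proto": "tcp", "ports": (22, 22),
     "cidr": "203.0.113.0/24", "action": "allow"},
    {"rule": 110, "direction": "out", "proto": "tcp", "ports": (1024, 65535),
     "cidr": "0.0.0.0/0", "action": "allow"},
]


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def sg_allows(rules, pkt: Packet) -> bool:
    """Stateful: replies to an allowed connection pass without any rule;
    new connections need an explicit allow rule in their own direction."""
    if pkt.reply:
        return True
    return any(r["direction"] == pkt.direction and r["proto"] == pkt.proto
               and r["port"] == pkt.dst_port and in_cidr(pkt.peer_ip, r["cidr"])
               for r in rules)


def nacl_allows(rules, pkt: Packet) -> bool:
    """Stateless: every packet, replies included, must match a numbered rule."""
    for r in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = r["ports"]
        if (r["direction"] == pkt.direction and r["proto"] == pkt.proto
                and lo <= pkt.dst_port <= hi and in_cidr(pkt.peer_ip, r["cidr"])):
            return r["action"] == "allow"
    return False  # the implicit "*" DENY


def evaluate(pkt: Packet, sg_rules=SG_RULES, nacl_rules=NACL_RULES):
    """Return (security group verdict, NACL verdict); both must be True to pass."""
    return sg_allows(sg_rules, pkt), nacl_allows(nacl_rules, pkt)


# Constructed scenarios
SSH_SYN = Packet("in", "tcp", "203.0.113.5", 22)                     # admin opens SSH
SSH_REPLY = Packet("out", "tcp", "203.0.113.5", 54321, reply=True)   # instance answers
OUTBOUND_SSH = Packet("out", "tcp", "198.51.100.9", 22)              # instance tries SSH out
SCAN = Packet("in", "tcp", "198.51.100.9", 22)                       # SSH from elsewhere

if __name__ == "__main__":
    for name, pkt in [("SSH_SYN", SSH_SYN), ("SSH_REPLY", SSH_REPLY),
                      ("OUTBOUND_SSH", OUTBOUND_SSH), ("SCAN", SCAN)]:
        print(f"{name:13s} (sg, nacl) = {evaluate(pkt)}")
    print("SSH_REPLY with rule 110 removed:", evaluate(SSH_REPLY, nacl_rules=[NACL_RULES[0]]))
```

The instructive case is SSH_REPLY with rule 110 removed: the security group still passes it (stateful), the NACL drops it (stateless), and the session hangs after the TCP handshake. OUTBOUND_SSH shows the other half of the NOTE above: an inbound allow on 22 gives the instance no right to start its own connections to port 22.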
- Network Address Translation (NAT)
- A NAT gateway allows instances in a private subnet to connect to services outside your VPC (e.g. to fetch OS updates)
- External services cannot initiate a connection with those instances
- The NAT gateway itself lives in a public subnet, and the private subnet's route table gets a 0.0.0.0/0 route pointing at it
NOTE
- A public NAT gateway requires an Elastic IP –> the gateway is billed per hour plus per GB processed, and an Elastic IP that is not attached to a running resource is charged as well
- Enable SSH agent forwarding with caution
- Alt
- Never place your SSH private keys on the bastion instance.
- Instead, use SSH agent forwarding to connect first to the bastion and from there to other instances in private subnets.
- Caveat: while forwarding is active, anyone with root on the bastion can use your forwarded agent socket to authenticate as you; where possible prefer ProxyJump (the -J option), which tunnels through the bastion without exposing the agent to it
- Configuring ssh-agent
ssh-add myPrivateKey.pem
- (the -K flag seen in older notes is an Apple extension for storing the passphrase in the macOS keychain; in upstream OpenSSH -K means something else)
- Connect to public-instance
ssh -A user@<bastion-IP-address>
–> Public IP is used
- From public connect to private instance
ssh user@<instance-IP-address>
–> Private IP is used
Create VPC with private and public subnet
- You can create your own AMI that provides network address translation
- and use your AMI to launch an EC2 instance as a NAT instance
- Used as an alternative to a NAT gateway for less cost (but you patch, scale and make it highly available yourself)
- Launch instance using –> public subnet
- After Launch
EC2 > Action > Change source / destination check > check (stop)
- If this is a NAT instance, you must stop source / destination checking
- A NAT instance must be able to send and receive traffic when the source or destination is not itself.
- Its security group must allow inbound traffic from the private subnet's CIDR, and the private subnet's route table points 0.0.0.0/0 at the instance
NOTE
- AWS has ended support for its NAT instance AMI; the pattern is no longer maintained
- If you use an existing NAT AMI, AWS recommends that you migrate to a NAT gateway.
- A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
- In Simple
- Two different VPCs can connect privately
- VPCs can be in the same/different AWS accounts (and in different Regions)
- The two VPC CIDR blocks must not overlap, and peering is not transitive (A<->B plus B<->C does not give A<->C)
- Each side must add a route for the peer's CIDR; security groups and NACLs still apply to the peered traffic
- There is no charge to create a VPC peering connection; data sent across it is billed at the normal inter-AZ / inter-Region data transfer rates
- AWS Transit Gateway connects your Amazon VPCs and on-premises networks through a central hub.
- This simplifies your network and puts an end to complex peering relationships
- In Simple
- One VPC peering –> done between 2 VPCs
- But with one Transit Gateway –> any number of VPCs are connected (hub and spoke, with transitive routing)
- Use transit gateway route tables to segment which attachments may talk to each other; by default every attachment can reach every other
- Costlier than a VPC peering connection
- Price per AWS Transit Gateway attachment ($0.05 per hour)
- Price per GB of data processed ($0.02)
- There are three types of VPC endpoints –
- Interface endpoints
- Gateway Load Balancer endpoints
- Gateway endpoints
- Only Amazon S3 and DynamoDB support gateway endpoints
- Interface endpoints and Gateway Load Balancer endpoints are powered by AWS PrivateLink
- and use an Elastic Network Interface (ENI) as an entry point for traffic destined to the service
- Interface endpoints are typically accessed using the public or private DNS name associated with the service
- Gateway endpoints and Gateway Load Balancer endpoints serve as a target for a route in your route table for traffic destined for the service.
- Security: an endpoint keeps traffic to the AWS service inside the AWS network, so a private subnet can reach S3 or DynamoDB without a NAT gateway or internet gateway; attach an endpoint policy to restrict which buckets or tables can be reached through it
- Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces
- Flow log data can be published to Amazon CloudWatch Logs or Amazon S3
- Each record holds the source/destination addresses and ports, protocol, packet and byte counts, the time window, and whether the traffic was ACCEPTed or REJECTed by the security group / NACL
- Analysis
- In S3
- Query with S3 Select
- Athena
- In CloudWatch
- CloudWatch Logs Insights
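Parsing flow log records and pulling out the REJECTed SSH attempts per source, the kind of check you would run after an alert. This is an added example, not part of the original notes; the records are constructed in the default version-2 format (the account id, ENI id and addresses are not real), and the threshold is an assumption.

```python
"""Added example (not from the original notes): parse VPC flow log records in
the default (version 2) format and flag sources repeatedly rejected on SSH.
Sample records are constructed; the account id, ENI id and IPs are not real."""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: three rejected SSH tries from one source, one accepted
# session (both directions), one NODATA interval, one rejected RDP probe.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.0.10 51234 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.0.10 51235 22 6 6 360 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.0.10 51236 22 6 6 360 1700000120 1700000180 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.0.10 40112 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.10 203.0.113.5 22 40112 6 18 3812 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000180 1700000240 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.0.10 33001 3389 6 2 120 1700000180 1700000240 REJECT OK
"""


def parse_record(line: str):
    """Turn one whitespace-separated v2 record into a dict.
    Returns None for NODATA / SKIPDATA rows, which carry '-' in most fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> list:
    recs = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in recs if r is not None]


def rejected_by_source(records: list, dst_port: int = 22, proto: int = 6) -> Counter:
    """Count REJECTed attempts to dst_port (TCP by default) per source address."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == proto and r["dstport"] == dst_port:
            counts[r["srcaddr"]] += 1
    return counts


def suspicious_sources(records: list, threshold: int = 3, **kw) -> list:
    """Sources with at least `threshold` rejected attempts, most active first."""
    return [(ip, n) for ip, n in rejected_by_source(records, **kw).most_common()
            if n >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records with traffic")
    print("rejected SSH by source:", dict(rejected_by_source(recs)))
    print("suspicious:", suspicious_sources(recs))
```

Two things the sample is there to show: NODATA rows must be dropped before the integer fields are parsed, and a flow log REJECT only tells you the packet was dropped by a security group or NACL, not which one; correlate with the rules on that ENI's subnet before concluding anything.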
- A customer gateway device is a physical or software appliance that you own or manage in your on-premises network
- Must configure the device to work with the AWS Site-to-Site VPN connection