Virtual Private Cloud (VPC)

What is VPC?
  • Amazon VPC lets you create a logically isolated section of the AWS cloud where you can launch AWS services in a virtual network that you define
  • VPC is a regional resource
  • Soft limit of 5 VPCs per region
  • Subnets are AZ specific

IP Addresses And CIDR Notation - 
  • What is an IP address? - A unique string of numbers assigned to a computer that uses the internet protocol to communicate over a network
IPv4 Address - 
  • Internet protocol addresses are 32 bits in length, which gives a maximum of 2^32 addresses. These addresses are referred to as IPv4 addresses
  1. Binary Notation - In binary notation, the IPv4 address is displayed as 32 bits. Each 8-bit group is an octet, often referred to as a byte, so it is common to hear an IPv4 address referred to as a 32-bit address or a 4-byte address. Ex - 00000001 00000001 00000001 00000001
  2. Dotted Decimal Notation - To make the IPv4 address more compact and easier to read, internet addresses are usually written in decimal form. Ex - 172.54.0.254
  3. Classful Addressing - IPv4 addressing, at its inception, used the concept of classes. This architecture is called classful addressing. A 32-bit IPv4 address is hierarchical and divided into two parts:
     1. The first part of the address, the "prefix", defines the network ID
     2. The last part, the "suffix", identifies the individual device on that network (the host ID)



Subnet - 
  • Sub-ranges of IP addresses within a VPC
  • Each subnet is bound to an AZ
  • Subnets in a VPC cannot have overlapping CIDRs
  • The default VPC only has public subnets (1 public subnet per AZ, no private)
  • AWS reserves 5 IP addresses (the first 4 and the last 1) in each subnet. These 5 IP addresses are not available for use. Example: for CIDR block 10.0.0.0/24, the reserved IP addresses are 10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3 & 10.0.0.255
  • To make EC2 instances running in a private subnet accessible from the internet, place them behind an internet-facing ELB (running in a public subnet)
  • There is no separate subnet type for public and private. Public subnets are subnets that have 'Auto-assign public IPv4 address' set to 'yes' and whose route table has a route to an attached internet gateway
  • This allows the resources within the subnet to make requests that go to the public internet. A subnet is private by default
  • Since the resources in a private subnet don't have public IPs, they need a NAT gateway for address translation to be able to make requests that go to the public internet. The NAT gateway also prevents these private resources from being accessed from the internet
  • You can have up to 200 subnets per VPC
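The reserved-address rule and the no-overlap rule above, worked through with Python's standard ipaddress module (an added example, not part of the original notes). The VPC and subnet CIDRs are constructed; the /16 to /28 check is the AWS limit on subnet size.

```python
import ipaddress

# Added example, not from the original notes: the five addresses AWS reserves in
# every subnet, the usable host count, and the checks a VPC enforces on its
# subnets (inside the VPC CIDR, no overlaps, size between /16 and /28).

def reserved_addresses(cidr):
    """The 5 addresses AWS reserves in a subnet: the first 4 and the last 1."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net[i]) for i in (0, 1, 2, 3, -1)]

def usable_hosts(cidr):
    """Addresses left for your own resources after AWS's 5 reserved ones."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5

def validate_subnets(vpc_cidr, subnet_cidrs):
    """Return a list of problems with a proposed subnet layout (empty = valid)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is outside VPC {vpc}")
        if not 16 <= s.prefixlen <= 28:
            problems.append(f"{s}: subnet size must be between /16 and /28")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    # Constructed layout: one overlapping pair and one subnet outside the VPC
    print(reserved_addresses("10.0.0.0/24"))   # 10.0.0.0 .. 10.0.0.3 and 10.0.0.255
    print(usable_hosts("10.0.0.0/24"))         # 251
    for p in validate_subnets("10.0.0.0/16",
                              ["10.0.0.0/24", "10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]):
        print("problem:", p)
```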

Firewall - 
  • A firewall is a system made to prevent unauthorized traffic to and from your private network
  • Allowing and denying traffic is specified by rules, also called firewall rules
  • Types - 
  • Stateful - No additional rules are needed for response traffic
  • Stateless - Rules have to be specified for both request and response traffic




Internet Gateway - 
  • Allows resources in a VPC to connect to the internet
  • Should be used to connect public resources to the internet
  • The route table of the public subnets must be edited so that requests destined outside the VPC are routed to the IGW
  • An IGW is a horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the internet
  • Lifecycle of an IGW - 
  • Created
  • Attached to an instance
  • Detached from an instance
  • Re-attached to another instance




NAT Gateway - 
  • The internet cannot initiate any connection to the instances via NAT
  • A NAT device enables instances in the subnet to connect to the internet and brings the responses back to them
  • NAT gateway is created in a public subnet
  • Uses an Elastic IP and the IGW behind the scenes
  • Pay per hour
  • Create an NGW in a public subnet in each AZ and route all outbound connections through it to the IGW
  • No cross-AZ failover is needed, because if an AZ goes down, all of the instances in that AZ also go down
  • AWS-managed NAT bandwidth autoscaling (up to 45 Gbps)


Route Table - 

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. To put it simply, a route table tells network traffic which way it needs to go to reach its destination.
  • Network Routing: They define how traffic should be routed within the VPC and to external networks.
  • Associations: Each subnet in the VPC is associated with a route table that determines its routing behavior.
  • Default Route: They typically include a default route (0.0.0.0/0) to direct traffic outside the VPC, usually to an internet gateway.
  • Custom Routes: You can add custom routes for specific destinations or services within your VPC or to connect to other VPCs
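Added example (not from the original notes): a small Python model of how a subnet's route table picks a target. The most specific matching route wins, the 'local' route for the VPC CIDR is always present, and a destination no route covers is dropped. The route tables are constructed, and the igw-/nat-/pcx- target ids are placeholders.

```python
import ipaddress

# Added example, not from the original notes: route selection in a VPC route
# table. The most specific matching route (longest prefix) wins, the 'local'
# route for the VPC CIDR is always present, and a destination that no route
# covers is dropped. Route tables and target ids are constructed placeholders.

VPC_CIDR = "10.0.0.0/16"

PUBLIC_RT = [
    {"destination": VPC_CIDR,      "target": "local"},         # traffic inside the VPC
    {"destination": "0.0.0.0/0",   "target": "igw-EXAMPLE"},   # default route to the internet
    {"destination": "10.1.0.0/16", "target": "pcx-EXAMPLE"},   # custom route to a peered VPC
]
PRIVATE_RT = [
    {"destination": VPC_CIDR,      "target": "local"},
    {"destination": "0.0.0.0/0",   "target": "nat-EXAMPLE"},   # outbound only, via the NAT gateway
    {"destination": "10.1.0.0/16", "target": "pcx-EXAMPLE"},
]

def route_lookup(route_table, dst_ip):
    """Target of the most specific route covering dst_ip, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for route in route_table:
        net = ipaddress.ip_network(route["destination"])
        if dst in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, route["target"]
    return best_target

def has_igw_default_route(route_table):
    """True when 0.0.0.0/0 points at an internet gateway, one of the two
    conditions the notes give for a public subnet."""
    return any(r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in route_table)

if __name__ == "__main__":
    for ip in ("10.0.3.4", "10.1.2.3", "203.0.113.9"):
        print(ip, "public ->", route_lookup(PUBLIC_RT, ip), "| private ->", route_lookup(PRIVATE_RT, ip))
    print("public subnet route table:", has_igw_default_route(PUBLIC_RT))
```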

Network Access Control List (NACL) - 
  • A NACL is a firewall at the subnet level
  • Optional layer of security in your VPC that acts as a firewall
  • Controls traffic in and out of one or more subnets
  • Based only on IP address
  • NACLs are a great way of blocking unwanted IPs at the subnet level
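Added example covering the stateful/stateless distinction from the Firewall section and the subnet-level NACL rules described here (not part of the original notes): a Python model in which NACL-style rules are stateless, numbered, evaluated lowest number first with the first match deciding and an implicit deny at the end, while the security-group model is stateful. Addresses, ports and rule numbers are constructed.

```python
import ipaddress

# Added example, not from the original notes: a model of the two firewall types.
# NACL-style rules are stateless (each packet judged alone), numbered, evaluated
# lowest number first, first match wins, implicit deny. The security-group model
# is stateful: an allowed request is remembered and its response needs no rule.
# Addresses, ports and rule numbers below are constructed.

ANY = "0.0.0.0/0"

def rule(num, direction, cidr, ports, action, proto="tcp"):
    return {"num": num, "direction": direction, "cidr": cidr, "proto": proto, "ports": ports, "action": action}

def nacl_verdict(rules, direction, remote, proto, dport):
    """remote is the non-subnet side (source of an inbound packet, destination of
    an outbound one); dport is the packet's destination port."""
    for r in sorted(rules, key=lambda r: r["num"]):
        lo, hi = r["ports"]
        if (r["direction"] == direction and r["proto"] == proto and lo <= dport <= hi
                and ipaddress.ip_address(remote) in ipaddress.ip_network(r["cidr"])):
            return r["action"]
    return "deny"  # the implicit '*' rule at the end of every NACL

def nacl_exchange(rules, client="203.0.113.10"):
    """HTTPS request from the client's ephemeral port 50000 to a server in the
    subnet, then the server's reply back to that port: (request, response)."""
    request = nacl_verdict(rules, "inbound", client, "tcp", 443)
    response = nacl_verdict(rules, "outbound", client, "tcp", 50000)
    return request, response

def sg_exchange(inbound_allow, client="203.0.113.10"):
    """Stateful model: only allow rules exist; an allowed request is tracked and
    its response is let through without an outbound rule."""
    tracked = set()
    for r in inbound_allow:
        lo, hi = r["ports"]
        if lo <= 443 <= hi and ipaddress.ip_address(client) in ipaddress.ip_network(r["cidr"]):
            tracked.add((client, "tcp", 443))
    request = "allow" if tracked else "deny"
    response = "allow" if (client, "tcp", 443) in tracked else "deny"
    return request, response

# Inbound 443 allowed, but no outbound rule for the ephemeral return ports
NACL_MISSING_RETURN = [rule(100, "inbound", ANY, (443, 443), "allow")]
# Same, plus the outbound ephemeral-port rule a stateless firewall needs
NACL_CORRECT = NACL_MISSING_RETURN + [rule(100, "outbound", ANY, (1024, 65535), "allow")]
# Blocking an unwanted source range at the subnet level: the deny must be
# numbered below the general allow, because the first matching rule decides
NACL_BLOCKLIST = [rule(90, "inbound", "198.51.100.0/24", (0, 65535), "deny")] + NACL_CORRECT
```

With the missing-return rule set the request is allowed but the reply is dropped by the implicit deny; the stateful model allows both with a single inbound rule.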



Security Group vs NACL - 




VPC Peering - 
  • Network connection between two VPCs which enables traffic flow between them using private IP addresses
  • Peering connections can be created between VPCs in the same or different accounts and between VPCs in the same or different regions
  • Participating VPCs must have non-overlapping CIDRs
  • Must update route tables in each VPC's subnets to ensure requests destined for the peered VPC are routed through the peering connection
  • VPC peering does not provide centrally managed VPCs the way VPC Sharing does
  • You can reference a security group in a peered VPC across accounts or regions. This allows us to use SGs instead of CIDRs when configuring rules





VPC Endpoints - 
  • Private endpoints within your VPC that allow resources in your VPC to connect privately to AWS services without traversing the public internet
  • Powered by AWS PrivateLink
  • Route table is updated automatically
  • Bound to a region (do not support inter-region communication)
  • Two types - 
  • Interface Endpoints - 
  • Provisions an ENI as an entry point per subnet
  • Need to attach a SG to the interface endpoint to control access
  • Supports most AWS services
  • Gateway Endpoint - 
  • Provisions a gateway
  • Must be used as a target in a route table
  • Supports only S3 and DynamoDB




VPC Flow Logs - 
  • Capture information about the IP traffic going to your network interfaces
  • Can be configured to show accepted, rejected or all traffic
  • Flow log data can be sent to S3 (bulk analytics) or CloudWatch Logs (near real-time decision making)
  • Query VPC flow logs using Athena (for S3) or CloudWatch Logs Insights
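Added example (not from the original notes): parsing flow log records in the default version 2 format in Python and summarising REJECTed traffic per source, the kind of question you would otherwise put to Athena or CloudWatch Logs Insights. The records, account id and ENI id are constructed samples.

```python
from collections import Counter, defaultdict

# Added example, not from the original notes: parse VPC Flow Log records in the
# default (version 2) format and summarise REJECTed connection attempts per
# source. The records, account id and ENI id below are constructed samples.

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 53211 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 53212 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 53213 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.8 10.0.1.10 40001 443 6 12 5320 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.8 443 40001 6 10 8820 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """One dict per record; NODATA/SKIPDATA records carry no traffic fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def rejected_ports_by_source(records, min_distinct_ports=2):
    """Sources whose traffic was REJECTed on at least min_distinct_ports different
    destination ports: a cheap signal of probing against the subnet."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}

def bytes_by_action(records):
    """Total bytes per action, the kind of aggregate a bulk query over S3 would return."""
    totals = Counter()
    for r in records:
        totals[r["action"]] += r["bytes"]
    return dict(totals)
```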




