VPC
Last updated
Introduction
Amazon Virtual Private Cloud (Amazon VPC) is like a virtual data center in the cloud.
When a VPC is created, a Route Table, a Network ACL and a Security Group are created with it, but Subnets and an Internet Gateway are not.
A VPC is created with a primary CIDR block (prefix length /16 to /28) and can be expanded with up to 4 secondary CIDR blocks.
VPC Overview
Tips
CIDR notation: ${ip}/${digits_of_prefix}, based on variable-length subnet masking (VLSM) to alleviate host address exhaustion.
5 addresses in each Subnet CIDR block are not available. Ex. Subnet: 20.0.0.0
20.0.0.0: Network address.
20.0.0.1: Reserved by AWS for the VPC router.
20.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two
20.0.0.3: Reserved by AWS for future use.
20.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC, so this address is reserved.
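The constraints listed above (primary CIDR /16 to /28, at most 4 secondary blocks, 5 reserved addresses per subnet) can be checked mechanically. The following is an added example using Python's standard ipaddress module; it is not part of the original notes and the function names, the layout it plans and the "5 reserved" count applied to every subnet are assumptions of the example. It generalizes the 20.0.0.0 illustration to any subnet prefix and also enforces the "subnet inside the VPC, no overlapping subnets" rules from the Subnet section.

```python
import ipaddress

# Limits as stated in the notes: primary CIDR /16 to /28, at most
# 4 secondary CIDR blocks, 5 reserved addresses per subnet (assumed helper).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
MAX_SECONDARY_CIDRS = 4
RESERVED_PER_SUBNET = 5


def _vpc_block(cidr):
    # strict=True rejects host bits set in the block, e.g. 10.0.0.1/16
    net = ipaddress.ip_network(cidr, strict=True)
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR prefix must be between /16 and /28")
    return net


def validate_vpc_cidrs(primary, secondaries=()):
    """Return the VPC's CIDR blocks, or raise ValueError on a bad layout."""
    if len(secondaries) > MAX_SECONDARY_CIDRS:
        raise ValueError("at most 4 secondary CIDR blocks per VPC")
    blocks = [_vpc_block(primary)]
    for cidr in secondaries:
        net = _vpc_block(cidr)
        if any(net.overlaps(existing) for existing in blocks):
            raise ValueError(f"{cidr} overlaps an existing VPC CIDR block")
        blocks.append(net)
    return blocks


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet, keyed by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually be assigned in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_blocks, subnet_cidrs):
    """Check each subnet lies inside one VPC block and subnets do not overlap.
    A subnet equal to the whole VPC block is allowed (single-subnet VPC)."""
    subnets = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not any(net.subnet_of(block) for block in vpc_blocks):
            raise ValueError(f"{cidr} is not inside any VPC CIDR block")
        if any(net.overlaps(existing) for existing in subnets):
            raise ValueError(f"{cidr} overlaps another subnet")
        subnets.append(net)
    return subnets


if __name__ == "__main__":
    # Constructed layout: a /16 primary, one secondary block, three subnets.
    blocks = validate_vpc_cidrs("10.0.0.0/16", ["10.1.0.0/16"])
    subnets = plan_subnets(blocks, ["10.0.0.0/24", "10.0.1.0/24", "10.1.0.0/20"])
    for s in subnets:
        print(s, usable_hosts(str(s)), reserved_addresses(str(s)))
```

A /28 subnet, the smallest allowed, leaves only 11 usable addresses once the five reserved ones are removed, which is why small subnets fill up faster than the prefix suggests.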
Subnet
1 Subnet resides within only 1 AZ, however 1 AZ may have multiple Subnets.
Newly created Subnets are associated with the main Route Table and the default Network ACL.
The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC).
1 VPC can have 0 or 1 Internet Gateway (a way in/out)
Enabling Subnets of the VPC to initiate outbound IPv4 traffic to the Internet
NAT Gateway for IPv4 / Egress-Only Gateway for IPv6 (recommended)
Must be in a public Subnet (For HA, 1 NAT Gateway per AZ)
Automatically scale up to 10 Gbps
Automatically assign a public IP (AWS Elastic IP)
Not associated with a security group
Remember to update the main Route Table
NAT instance in a public Subnet in your VPC
Must be in a public Subnet
Can scale by adding instances or putting an ELB in front for performance
Can use a script for failover handling
Always behind a security group
Remember to update the main Route Table
A VPC comes with a default Network ACL which allows all inbound/outbound traffic.
A manually created custom Network ACL denies all inbound/outbound traffic by default.
1 Subnet is associated with 1 Network ACL, however 1 Network ACL may be associated with multiple Subnets.
When creating a Subnet, a default Network ACL is associated.
The rule list in a Network ACL is evaluated in ascending rule-number order and the first matching rule wins (if rules conflict, the lower number wins).
Network ACLs are stateless (inbound/outbound traffic rules are required at the same time).
Security Groups are stateful.
Blocking malicious IPs with Network ACLs not Security Groups
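The three properties above (ascending rule-number evaluation, stateless NACLs needing both legs allowed, stateful Security Groups) are easy to get wrong, so here is an added Python simulator of both evaluation models. It is an example written for these notes, not AWS code; the rule classes, the helper names and the sample rule sets (documentation address ranges standing in for a blocked range and a client) are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PROTOCOLS = "-1"   # AWS convention for "all traffic"


@dataclass(frozen=True)
class NaclRule:
    number: int        # rule number; evaluated lowest first
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "-1"
    ports: tuple       # (low, high) inclusive; ignored when protocol is "-1"
    cidr: str          # source CIDR for inbound rules, destination for outbound


@dataclass(frozen=True)
class SgRule:
    protocol: str      # security group rules are allow-only and unordered
    ports: tuple
    cidr: str


def _matches(rule, protocol, port, addr):
    # Shared matcher: works for NaclRule and SgRule (both carry these fields).
    if rule.protocol != ALL_PROTOCOLS:
        if rule.protocol != protocol:
            return False
        if not rule.ports[0] <= port <= rule.ports[1]:
            return False
    return ip_address(addr) in ip_network(rule.cidr, strict=True)


def nacl_allows(rules, protocol, port, addr):
    """Rules are evaluated in ascending number order and the first match
    decides; the implicit '*' rule at the end denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False


def nacl_tcp_session_allowed(inbound, outbound, client_ip, client_port, service_port):
    """Stateless: both legs need an explicit allow. Request = inbound on the
    service port; reply = outbound to the client's ephemeral port."""
    request_ok = nacl_allows(inbound, "tcp", service_port, client_ip)
    reply_ok = nacl_allows(outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


def sg_tcp_session_allowed(inbound, client_ip, service_port):
    """Stateful: if any inbound rule allows the request, the reply is allowed
    automatically, so there is no ephemeral-port rule and no rule order."""
    return any(_matches(r, "tcp", service_port, client_ip) for r in inbound)


# Constructed rule sets. 198.51.100.0/24 (documentation range) stands in
# for a known-bad range blocked at the NACL, as the notes recommend.
BLOCKED_RANGE = "198.51.100.0/24"
INBOUND = [
    NaclRule(50, "deny", ALL_PROTOCOLS, (0, 0), BLOCKED_RANGE),
    NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
]
OUTBOUND_WITH_EPHEMERAL = [NaclRule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]
OUTBOUND_WITHOUT_EPHEMERAL = []   # common misconfiguration: replies are dropped
SG_INBOUND = [SgRule("tcp", (443, 443), "0.0.0.0/0")]

if __name__ == "__main__":
    print(nacl_tcp_session_allowed(INBOUND, OUTBOUND_WITH_EPHEMERAL, "203.0.113.7", 50000, 443))
    print(nacl_tcp_session_allowed(INBOUND, OUTBOUND_WITHOUT_EPHEMERAL, "203.0.113.7", 50000, 443))
    print(sg_tcp_session_allowed(SG_INBOUND, "203.0.113.7", 443))
```

Two checks worth running against a real NACL: the deny for the blocked range must carry a lower number than any broad allow (otherwise the allow matches first and the deny never fires), and the outbound table must allow the ephemeral port range or established sessions silently fail.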
VPC Peering (connect 2 VPCs privately with AWS network)
Can connect to your own or another accounts' VPCs
Not allowed matching or overlapping CIDR blocks
Peering is not transitive.
Doesn't support edge-to-edge routing through NAT devices
Use Transit Gateway instead of NAT Gateway in that case.
Can reference a Security Group of the peered VPC (works cross-account)
Must update Route Tables in each VPC's Subnets.
Longest Prefix Match decides the route when peered VPCs have CIDR blocks that overlap each other.
NAT vs Bastion (Jump Box)
A NAT provides outbound network access for EC2 instances in private Subnets.
Create NAT in public subnet
Set in Route Table of private subnet to route to NAT
A Bastion is for securely administering EC2 instances in private Subnets through SSH/RDP.
SSM Session Manager is a more secure way to remote control without SSH.
NAT Gateway cannot be a Bastion, but NAT Instance can.
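The route-table rules in the two sections above (Longest Prefix Match with overlapping peers, NAT in a public subnet, private subnet default route pointing at the NAT) can be checked offline. This is an added Python example, not code from the notes or from AWS; the route-table representation, the function names and the placeholder resource ids (igw-PLACEHOLDER, nat-PLACEHOLDER, pcx-A-PLACEHOLDER, pcx-B-PLACEHOLDER) are assumptions of the example.

```python
import ipaddress


def lookup_route(route_table, dst_ip):
    """Longest-prefix match over (destination CIDR, target) pairs.
    Returns the target of the most specific matching route, or None when
    nothing matches (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest, strict=True)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def default_route_target(route_table):
    for dest, target in route_table:
        if dest == "0.0.0.0/0":
            return target
    return None


def is_public_subnet(route_table):
    """A subnet is public when its default route points at an Internet Gateway."""
    target = default_route_target(route_table)
    return target is not None and target.startswith("igw-")


def validate_nat_placement(nat_subnet_rt, private_rt):
    """The notes' two NAT requirements: the NAT sits in a public subnet and
    the private subnet's default route points at a NAT. Returns findings."""
    problems = []
    if not is_public_subnet(nat_subnet_rt):
        problems.append("NAT must be in a public subnet (default route to an IGW)")
    target = default_route_target(private_rt)
    if target is None or not target.startswith("nat-"):
        problems.append("private subnet default route must point at the NAT")
    return problems


# Constructed tables. Peer B's block (172.16.5.0/24) overlaps peer A's
# (172.16.0.0/16); the more specific route wins for 172.16.5.x traffic.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),
    ("172.16.0.0/16", "pcx-A-PLACEHOLDER"),
    ("172.16.5.0/24", "pcx-B-PLACEHOLDER"),
]

if __name__ == "__main__":
    for dst in ("10.0.3.4", "172.16.5.9", "172.16.9.9", "203.0.113.5"):
        print(dst, "->", lookup_route(PRIVATE_RT, dst))
    print(validate_nat_placement(PUBLIC_RT, PRIVATE_RT))
```

The same lookup explains why a missing route table update after creating a NAT or a peering connection leaves traffic either dropped (no match) or sent the wrong way (a broader route matching instead).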
VPC Flow log
Can be defined at VPC level, Subnet level, ENI level.
Can send to CloudWatch, S3.
Traffic not captured:
Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
Traffic generated by a Windows instance for Amazon Windows license activation.
Traffic to and from 169.254.169.254 for instance metadata.
DHCP (Dynamic Host Configuration Protocol) traffic
Traffic to the reserved IP address for the default VPC router.
Limit:
Cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
Cannot tag a flow log
After you've created a flow log, you cannot change its configuration.
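Flow logs are most useful once parsed; the following added Python example (not part of the notes, not AWS code) parses records in the default version 2 format and summarizes REJECTs per source, flagging sources rejected on several distinct destination ports. The sample records are constructed (documentation IP ranges, placeholder account and ENI ids), and the field order, the threshold and the function names are assumptions of the example.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records: placeholder account id and ENI id,
# documentation IP ranges. Protocol 6 is TCP. The last record is a
# NODATA entry, which carries '-' in most fields and must be skipped.
SAMPLE_LOG = """\
2 111111111111 eni-PLACEHOLDER 203.0.113.7 10.0.1.10 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-PLACEHOLDER 203.0.113.7 10.0.1.10 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-PLACEHOLDER 203.0.113.7 10.0.1.10 51236 8080 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-PLACEHOLDER 198.51.100.4 10.0.1.10 44000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-PLACEHOLDER 198.51.100.4 10.0.1.10 44001 22 6 2 120 1700000000 1700000060 REJECT OK
2 111111111111 eni-PLACEHOLDER - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts; skip malformed and non-OK lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue   # NODATA / SKIPDATA records have no usable tuple
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Count REJECTed flows per source address."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def suspected_port_sweeps(records, min_ports=3):
    """Sources rejected on at least min_ports distinct destination ports,
    a simple indicator worth reviewing (threshold is an assumption)."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(rejects_by_source(recs))
    print(suspected_port_sweeps(recs))
```

Keep the exclusion list above in mind when reading results: traffic to the instance metadata address, to the Amazon DNS server and to the VPC router never appears in these records, so their absence from a flow log says nothing about whether it happened.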
VPC Endpoints
Connect your VPC to an AWS service internally (no need for: IGW, NAT, etc.)
Type:
Gateway (for S3, DynamoDB)
A gateway (per VPC) used for traffic destined to S3 or DynamoDB.
Must update Route Tables (ex. specify the S3 prefix list as Destination and the VPC Endpoint as Target)
Must enable DNS resolution in the VPC
Gateway endpoint cannot be extended out of a VPC (VPN, DX, TGW peering)
Interface (for the rest)
Provision an Elastic Network Interface (ENI) with a private endpoint interface hostname.
Leverage Security Groups for security
Private DNS (setting when create the endpoint)
The public hostname of a service will resolve to the private endpoint interface hostname
VPC Settings: enableDnsHostnames, enableDnsSupport.
Interface can be accessed from DX / Site-to-site VPN
VPC Endpoint Policies (similar to an S3 bucket policy)
Transit VPC (Non-AWS Software VPN)
Not an AWS offering, newer managed solution is Transit Gateway
Uses the public internet with a software VPN running on an EC2 instance.
Other VPCs and on-premises networks can connect to the Transit VPC with self-managed VPNs (VPN connections can be transitive).
Transit Gateway
For transitive peering between thousands of VPCs and on-premises networks, in a hub-and-spoke (star) topology.
A Regional resource but can work cross-region
Share cross-account with Resource Access Manager (RAM)
Route Tables: limit which VPCs can talk to which other VPCs
Works with Direct Connect / VPN Connections
Supports IP Multicast (not supported by any other AWS service)
Instances in a VPC can access a NAT Gateway, NLB, PrivateLink, and EFS in other VPCs attached to the AWS Transit Gateway.