Amazon Virtual Private Cloud (VPC)
- VPC Overview
  - A personal datacenter in the cloud, hosted by Amazon AWS
  - Every AWS account gets a default VPC
  - Each instance (virtual machine) you create is launched into the default VPC unless you specify another
  - VPN connections can be made to the VPC
  - Subnets can be created in the VPC
    - Public subnets
    - Private subnets
  - Multiple VPCs can be interconnected through VPC peering
  - The old meaning of the term "endpoint" is a laptop or server device, but in AWS it refers to a service
  - Deleting the default VPC is not recommended
- Elastic IP (EIP) addresses
  - Public IP addresses allocated from the VPC's Region
  - They are routable on the Internet
  - Permanently allocated to your account until released
  - The account is charged until the EIP is released
  - Network interfaces use EIPs
  - EIPs can be moved between instances in the same Region
- Elastic Network Interfaces (ENIs)
  - Virtual network interface attached to an instance (like installing a network card in a server)
  - Only available within a VPC
  - Associated with a subnet
- VPC peering
  - Interconnects multiple VPCs with each other
  - Somewhat like building a WAN connection between two VPCs
  - It is not transitive
    - If VPC1 is peered with VPC2 and VPC2 is peered with VPC3, VPC1 cannot talk to VPC3, because VPC1 and VPC3 also need their own peering connection
    - There has to be a direct connection between each pair of VPCs that need to communicate
  - The owner role is required to make and accept a VPC peering request
  - The IP CIDR blocks of the two VPCs must not overlap
  - Routes to the other VPC's CIDR block must be added to the route tables on both sides to send and receive traffic
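The three peering rules above (non-transitivity, no overlapping CIDR blocks, and a route on both sides) are easy to get wrong when troubleshooting "why can't VPC1 reach VPC3". The following Python model is an added example, not code from the page or from AWS; the VPC names, CIDR blocks and the `PeeringMesh` class are constructed for illustration and only mimic how the service behaves.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Vpc:
    name: str
    cidr: str
    # Destination CIDRs for which this VPC's route table has a route that
    # points at a peering connection (a constructed stand-in for a route table).
    peer_routes: set = field(default_factory=set)


def can_peer(a: Vpc, b: Vpc) -> bool:
    """A peering connection is only possible when the two CIDR blocks do not overlap."""
    return not ip_network(a.cidr).overlaps(ip_network(b.cidr))


class PeeringMesh:
    """Hypothetical model of the peering connections between a set of VPCs."""

    def __init__(self):
        self.vpcs = {}
        self.peerings = set()  # one frozenset({a, b}) per accepted peering connection

    def add_vpc(self, vpc: Vpc) -> None:
        self.vpcs[vpc.name] = vpc

    def peer(self, a: str, b: str) -> None:
        """Create and accept a peering request between two VPCs."""
        if not can_peer(self.vpcs[a], self.vpcs[b]):
            raise ValueError(f"{a} and {b} have overlapping CIDR blocks; peering refused")
        self.peerings.add(frozenset((a, b)))

    def add_route(self, vpc: str, peer: str) -> None:
        """Add a route in `vpc`'s route table toward `peer`'s CIDR block (one side only)."""
        self.vpcs[vpc].peer_routes.add(self.vpcs[peer].cidr)

    def can_reach(self, src: str, dst: str) -> bool:
        # Peering is not transitive: only a direct peering counts, so there is
        # deliberately no path search through intermediate VPCs here.
        if frozenset((src, dst)) not in self.peerings:
            return False
        s, d = self.vpcs[src], self.vpcs[dst]
        # Both route tables must point at the other side, otherwise packets go
        # out but replies have no route back.
        return d.cidr in s.peer_routes and s.cidr in d.peer_routes


def build_demo() -> PeeringMesh:
    """Constructed scenario: vpc1<->vpc2 and vpc2<->vpc3 peered, one route missing."""
    mesh = PeeringMesh()
    for name, cidr in [("vpc1", "10.0.0.0/16"), ("vpc2", "10.1.0.0/16"), ("vpc3", "10.2.0.0/16")]:
        mesh.add_vpc(Vpc(name, cidr))
    mesh.peer("vpc1", "vpc2")
    mesh.peer("vpc2", "vpc3")
    mesh.add_route("vpc1", "vpc2")  # only vpc1's route table has been updated so far
    return mesh


if __name__ == "__main__":
    mesh = build_demo()
    print("vpc1 -> vpc3 (via vpc2?):", mesh.can_reach("vpc1", "vpc3"))  # False: not transitive
    print("vpc1 -> vpc2 (one route):", mesh.can_reach("vpc1", "vpc2"))  # False: vpc2 has no route back
    mesh.add_route("vpc2", "vpc1")
    print("vpc1 -> vpc2 (both routes):", mesh.can_reach("vpc1", "vpc2"))  # True
```

The model keeps the two failure modes separate: `can_reach` returning `False` because no direct peering exists is a design problem (add a peering or a transit hub), while `False` with a peering in place means one of the two route tables is missing its entry.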
Amazon VPC Security
- Security Group Overview
  - Acts like a firewall
  - Assigned to an instance in a VPC
  - Applied to instances, not subnets (like the host firewall on your computer)
  - Limited to five per instance
  - For example, you can create one security group such as "HTTP" and assign it to several instances instead of creating a separate group for each instance
  - Instances receive the default security group for the VPC
  - Defines allowed traffic flows
    - Ingress (entering)
    - Egress (exiting)
  - Supports only allow rules; deny is implicit
  - Stateful processing is used
  - By default, security groups are only bound to the primary network interface
    - But they can be bound to other network interfaces, including ENIs
- Network Access Control Lists (NACLs)
  - Applied to subnets
  - Stateless processing
  - Supports both allow and deny rules
  - Rule number defines the precedence
    - Lowest-numbered rules are evaluated first
    - The first match applies (it is all about the order of evaluation)
Security Group vs NACL table:

| Security Group | Network ACL (NACL) |
|---|---|
| Operates at the instance level | Operates at the subnet level |
| Supports allow rules only | Supports allow and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
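The stateful/stateless distinction and the NACL first-match ordering are the two points that cause most real outages (an HTTP server that accepts requests but whose replies are dropped by the subnet's NACL, or a deny rule that never fires because it is numbered after the allow). The following Python simulation is an added example, not code from the page or from AWS; the `Flow` and `Rule` classes, the addresses and the rule sets are constructed for illustration and only mimic the evaluation order described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One packet as seen from the instance or subnet being protected (constructed model)."""
    direction: str    # "in" (toward the instance) or "out" (away from it)
    proto: str        # "tcp", "udp", ...
    local_port: int   # port on the instance
    remote_port: int  # port on the peer
    remote_ip: str

    def reverse(self) -> "Flow":
        """The return packet of this flow: same endpoints, opposite direction."""
        return Flow("out" if self.direction == "in" else "in",
                    self.proto, self.local_port, self.remote_port, self.remote_ip)

    @property
    def conn_key(self):
        # Identifies the connection independently of direction.
        return (self.proto, self.local_port, self.remote_port, self.remote_ip)

    @property
    def dst_port(self) -> int:
        # Rules are written against the packet's destination port.
        return self.local_port if self.direction == "in" else self.remote_port


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also use "deny"; security groups never do
    number: int = 0        # NACL precedence; unused by security groups

    def matches(self, flow: Flow) -> bool:
        return (self.direction == flow.direction
                and self.proto in ("all", flow.proto)
                and self.port_from <= flow.dst_port <= self.port_to
                and ip_address(flow.remote_ip) in ip_network(self.cidr))


class NetworkAcl:
    """Stateless: every packet, return traffic included, is checked against the rules,
    lowest number first; the first match wins; no match means deny (the implicit * rule)."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def verdict(self, flow: Flow) -> str:
        for r in self.rules:
            if r.matches(flow):
                return r.action
        return "deny"


class SecurityGroup:
    """Stateful, allow-only: a packet is allowed if a rule allows it, or if it belongs
    to a connection whose other direction was already allowed."""
    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "security groups support allow rules only"
        self.rules = list(rules)
        self.state = set()  # connection-tracking table

    def verdict(self, flow: Flow) -> str:
        if flow.conn_key in self.state:
            return "allow"
        if any(r.matches(flow) for r in self.rules):
            self.state.add(flow.conn_key)
            return "allow"
        return "deny"


def demo() -> dict:
    """Constructed scenarios; returns the verdicts so they can be checked."""
    request = Flow("in", "tcp", 80, 54321, "198.51.100.7")  # client hits the web server
    response = request.reverse()                             # server replies to port 54321
    # Security group: inbound HTTP only; deliberately no egress rule at all.
    sg = SecurityGroup([Rule("in", "tcp", 80, 80, "0.0.0.0/0")])
    # NACL with the same inbound rule but no outbound ephemeral-port rule.
    nacl = NetworkAcl([Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100)])
    # The corrected NACL adds an outbound allow for the ephemeral port range.
    nacl_fixed = NetworkAcl(nacl.rules + [Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    # Ordering: a deny numbered 50 beats the allow at 100; numbered 300 it is never reached.
    deny_first = NetworkAcl([Rule("in", "tcp", 22, 22, "203.0.113.0/24", "deny", 50),
                             Rule("in", "tcp", 22, 22, "0.0.0.0/0", "allow", 100)])
    deny_last = NetworkAcl([Rule("in", "tcp", 22, 22, "203.0.113.0/24", "deny", 300),
                            Rule("in", "tcp", 22, 22, "0.0.0.0/0", "allow", 100)])
    ssh = Flow("in", "tcp", 22, 51000, "203.0.113.5")
    return {"sg_request": sg.verdict(request), "sg_response": sg.verdict(response),
            "nacl_request": nacl.verdict(request), "nacl_response": nacl.verdict(response),
            "nacl_fixed_response": nacl_fixed.verdict(response),
            "deny_first": deny_first.verdict(ssh), "deny_last": deny_last.verdict(ssh)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running it shows the web server's reply passing the security group (the connection is already in its state table) but being dropped by the stateless NACL until the outbound ephemeral-port rule is added, and the same deny rule working or silently doing nothing depending only on its rule number.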
- Network Address Translation (NAT)
  - NAT translates between private IP addresses and public IP addresses
  - Two ways to implement NAT: NAT instances or NAT gateways
  - NAT Instances
    - Implemented with a private and a public subnet
    - An EIP is associated with the NAT instance
    - Instances in the private subnet connect through the NAT instance
    - Just like implementing a NAT router in the network, only here it is called an instance
  - NAT Gateways
    - Work more like traditional NAT servers/appliances
- Virtual Private Gateway (VPG)
  - Connects local networks to the VPC
  - The VPG is the VPN concentrator
  - Implemented in the AWS account
- Customer Gateway (CGW)
  - Physical device or software application
  - Anchor on the customer side
  - Connects to the VPG
  - Implemented on the customer side