VPC Fundamentals

I. VPC & Subnets Primer

  • VPC: private network to deploy your resources (regional resource)
  • Subnets allow you to partition your network inside your VPC (Availability Zone resource)
  • A public subnet is a subnet that is accessible from the internet
  • A private subnet is a subnet that is not accessible from the internet
  • To define access to the internet and between subnets, we use Route Tables
VPC Diagram

Internet Gateway & NAT Gateways
  • Internet Gateways help our VPC instances connect with the internet
  • Public Subnets have a route to the internet gateway
  • NAT Gateways (AWS-managed) & NAT instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private
II. NACL, SG, VPC Flow Logs
Network ACL & Security Groups
  • NACL (Network ACL)
    • A firewall which controls traffic to and from a subnet
    • Can have ALLOW and DENY rules
    • Are attached at the subnet level
    • Rules only include IP addresses
  • Security Groups
    • A firewall that controls traffic to and from an ENI / an EC2 instance
    • Can have only ALLOW rules
    • Rules include IP addresses and other security groups
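Added example (not from the original notes) showing why the stateless NACL matters in practice: rules are evaluated in ascending rule-number order, the first match wins, and anything unmatched hits the implicit final "*" DENY. The rule sets, client addresses and port numbers below are constructed for illustration; they are not from the notes.

```python
import ipaddress

# Constructed rules for illustration. Each entry is
# (rule_number, protocol, port_from, port_to, cidr, action).
INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, 22, "203.0.113.0/24", "allow"),   # admin range only
    (120, "tcp", 22, 22, "0.0.0.0/0", "deny"),         # explicit deny for everyone else
]
OUTBOUND_BROKEN = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # lets instances reach the web...
]
# ...but because NACLs are stateless, replies to inbound HTTPS clients leave on
# ephemeral ports (1024-65535) and need their own outbound allow rule.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    (110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

def nacl_decision(rules, protocol, port, address):
    """Return (rule_number, action) for the first NACL rule matching this packet,
    or ("*", "deny") when nothing matches (the implicit final rule)."""
    addr = ipaddress.ip_address(address)
    for number, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto != protocol and proto != "all":
            continue
        if not (lo <= port <= hi):
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return number, action
    return "*", "deny"

def https_session_allowed(outbound_rules, client_ip, client_ephemeral_port):
    """A client's HTTPS request is one inbound packet to port 443 plus a reply
    packet back to the client's ephemeral port; with a stateless NACL both
    directions must pass their own rule set (a stateful SG would track the reply)."""
    _, req = nacl_decision(INBOUND, "tcp", 443, client_ip)
    _, reply = nacl_decision(outbound_rules, "tcp", client_ephemeral_port, client_ip)
    return req == "allow" and reply == "allow"

if __name__ == "__main__":
    print(nacl_decision(INBOUND, "tcp", 22, "198.51.100.7"))              # (120, 'deny')
    print(https_session_allowed(OUTBOUND_BROKEN, "198.51.100.7", 51000))  # False
    print(https_session_allowed(OUTBOUND_FIXED, "198.51.100.7", 51000))   # True
```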

VPC Flow Logs
  • Capture information about IP traffic going into your interfaces:
    • VPC Flow Logs
    • Subnet Flow Logs
    • Elastic Network Interface Flow Logs
  • Helps to monitor & troubleshoot connectivity issues. Example:
    • Subnets to internet
    • Subnets to subnets
    • Internet to subnets
  • Captures network information from AWS managed interfaces too: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc...
  • VPC Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
III. VPC Peering, Endpoints, VPN, DX
1. VPC Peering
  • Connect two VPCs privately using AWS' network
  • Make them behave as if they were in the same network
  • Must not have overlapping CIDR (IP address range)
  • VPC Peering connection is not transitive (must be established for each pair of VPCs that need to communicate with one another)

2. VPC Endpoints
  • Endpoints allow you to connect to AWS services using a private network instead of the public internet
  • This gives you enhanced security and lower latency to access AWS services
  • VPC Endpoint Gateway: S3 & DynamoDB
  • VPC Endpoint Interface: the rest
  • Only usable from within your VPC

3. Site to Site VPN & Direct Connect
  • Site to Site VPN
    • Connect an on-premises VPN to AWS
    • The connection is automatically encrypted
    • Goes over the public internet
  • Direct Connect (DX)
    • Establish a physical connection between on-premises and AWS
    • The connection is private, secure and fast
    • Goes over a private network
    • Takes at least a month to establish

IV. VPC Cheat sheet & Closing Comments
  • VPC: Virtual Private Cloud
  • Subnets: Tied to an AZ, network partition of the VPC
  • Internet Gateway: at the VPC level, provide Internet Access
  • NAT Gateway / Instances: give internet access to private subnets
  • NACL: stateless, subnet rules for inbound and outbound
  • Security Groups: Stateful, operate at the EC2 instance level or ENI
  • VPC Peering: Connect two VPCs with non-overlapping IP ranges, non-transitive
  • VPC Endpoints: Provide private access to AWS services within VPC
  • VPC Flow logs: network traffic logs
  • Site to Site VPN: VPN over public internet between on-premises DC and AWS
  • Direct Connect: direct private connection to AWS
V. Three Tier Architecture
Typical 3 tier solution architecture