VPC

Solution Architect Associate

Developer Associate

Security Specialty

  • Very important for the exam, know it inside and out
  • Every region in the world has a default VPC created and provided for you when you create an account
  • Allows you to provision a logically private section of the AWS cloud
  • You have complete control over this environment, including IP ranges, subnets, etc.
  • Use Security Groups and Network Access Control Lists for security
  • Can create VPN connections between your corporate network and your VPC
  • Security Groups can span Subnets
  • Subnets can only exist on one AZ (know this for the test!!)
  • Soft limit of 5 VPCs per region, can be increased by contacting AWS
  • The largest CIDR range supported by AWS is a /16, giving you 64k IP addresses
  • The smallest CIDR range supported by AWS is a /28, giving you 16 IP addresses
  • AWS reserves 5 IP addresses per subnet for internal use (know this for the test!!)
  • You can only have one Internet Gateway per VPC (know this for the test!!)
  • All Subnets in the default VPC have a route to the internet (know this for the test!!)
  • VPC Peering
    • Allows you to connect one VPC with another via a direct network route using private IP Addresses
    • Instances behave as if they were on the same private network when peered
    • Can peer instances across AWS accounts in this manner
    • Peering is not transitive: in a hub and spoke layout with one central VPC, the spoke VPCs peered to it cannot reach each other through the hub
  • Security Groups are stateful, NACLs are stateless (know this for exam!!)
    • If you open up port 80 for inbound traffic on a security group, you don’t have to enable outbound on 80 for the return traffic; it will just work
    • On NACL, you have to define both inbound and outbound if you want both
  • When creating a subnet, AWS reserves five IP addresses in your CIDR block for its own use (know this for your exam!!!)
  • By default, when creating an Internet Gateway it will be detached. You need to attach it to your VPC manually
  • You can only have one Internet Gateway per VPC
  • Every new subnet is associated with your main route table by default. For this reason, on custom VPCs you shouldn’t add your Internet Gateway route to the main route table; otherwise a newly created subnet becomes public by mistake
    • Instead, create your own Route Table in your custom VPC and add a route to the Internet Gateway in it to create the internet connectivity
    • Then associate the subnets you want to be public with this route table
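The CIDR limits and the five reserved addresses above are easy to get wrong when sizing subnets. The following is an added example, not part of the original notes and not AWS tooling: it uses only the Python standard library `ipaddress` module to enforce the /16 to /28 range, list the five reserved addresses of a subnet and carve a VPC block into subnets. The purpose attached to each reserved address (router, DNS, future use, broadcast) is taken from the AWS VPC documentation rather than from the notes.

```python
import ipaddress

# Limits stated in the notes: /16 is the largest CIDR AWS accepts, /28 the
# smallest, and five addresses of every subnet are reserved by AWS.
LARGEST_PREFIX = 16
SMALLEST_PREFIX = 28
RESERVED_PER_SUBNET = 5


def check_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if the CIDR is one AWS accepts for a VPC or subnet.

    strict=True rejects blocks with host bits set (e.g. 10.0.1.5/24), which
    the VPC console would also refuse.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 CIDRs are handled here")
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(
            f"{cidr}: prefix length must be between /{LARGEST_PREFIX} and /{SMALLEST_PREFIX}"
        )
    return net


def reserved_addresses(subnet_cidr: str) -> dict:
    """Map each AWS-reserved address in a subnet to its purpose.

    Per the AWS VPC documentation, the first four addresses and the last
    one of every subnet are unavailable to instances.
    """
    net = check_cidr(subnet_cidr)
    base = net.network_address
    return {
        str(base): "network address",
        str(base + 1): "VPC router",
        str(base + 2): "Amazon-provided DNS resolver",
        str(base + 3): "reserved by AWS for future use",
        str(net.broadcast_address): "network broadcast address (broadcast is not supported in a VPC)",
    }


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses instances can actually use: block size minus the five reserved."""
    return check_cidr(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, subnet_prefix: int) -> list:
    """Carve a VPC CIDR into equal-sized subnets of the given prefix length."""
    vpc = check_cidr(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= SMALLEST_PREFIX:
        raise ValueError(f"subnet prefix must be between /{vpc.prefixlen} and /{SMALLEST_PREFIX}")
    return [str(s) for s in vpc.subnets(new_prefix=subnet_prefix)]


if __name__ == "__main__":
    for cidr in ("10.0.1.0/24", "10.0.2.0/28"):
        print(cidr, "usable:", usable_addresses(cidr))
        for addr, purpose in reserved_addresses(cidr).items():
            print("  reserved", addr, "-", purpose)
    print("/16 split into /24s:", len(plan_subnets("10.0.0.0/16", 24)), "subnets")
```

A /28 subnet looks like 16 addresses on paper but leaves only 11 for instances, which matters when a NAT Gateway or load balancer also needs addresses in it.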

NAT Instances and NAT Gateways

  • NAT Instances are on their way out, replaced by NAT Gateways. Need to understand them for the test though.
  • NAT Instances are EC2 AMIs you can find in Community AMIs in EC2. Search for NAT
  • When you create a NAT Instance, you must next disable its Source/Destination Checks, otherwise it will drop traffic that is not addressed to it (you don’t have to do this on a NAT Gateway)
  • NAT Gateways are created so that you don’t have to deal with single instances granting internet access to private networks
  • NAT Gateways only work on IPV4
  • NAT Gateways need to exist in each AZ for high availability
  • NAT Gateways are redundant within the AZ automatically
  • NAT Gateways are not associated with security groups
  • NAT Instances must be in a public subnet, and there must be a route out of the private subnet to the NAT instance in order for anything to work (know this for the test!!)
  • Remember to update your route tables to point to your NAT Gateways when they’re created (know this for the test!!)
  • NAT Gateways are more secure. They’re fully managed and do not allow SSH access
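The route table design described in the VPC section (keep the Internet Gateway out of the main table, give public and private subnets their own tables) and the NAT points above (the private subnet needs a route to the NAT device, and the route must be updated when the gateway is created) come together in the following added example. It is not part of the original notes and not AWS code; the route tables, subnet associations and gateway IDs (`igw-PLACEHOLDER`, `nat-PLACEHOLDER`) are constructed. It performs the longest-prefix match a VPC router uses and then audits which subnets end up public or without a path out.

```python
import ipaddress

# Constructed example: a /16 VPC with a main table (left without any internet
# route, as the notes recommend), one public table and one private table.
# Gateway IDs are placeholders, not real AWS resource IDs.
VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = {
    # AWS adds the "local" route for the VPC CIDR to every table automatically.
    "rtb-main": [(VPC_CIDR, "local")],
    "rtb-public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "rtb-private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}

# Explicit subnet associations. A subnet with no explicit association (None)
# falls back to the main route table, which is exactly what happens to a
# freshly created subnet.
SUBNET_ASSOCIATIONS = {
    "subnet-public-a": "rtb-public",
    "subnet-private-a": "rtb-private",
    "subnet-just-created": None,
}


def lookup_route(routes, dst_ip):
    """Return the target of the most specific route containing dst_ip (longest prefix match)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def route_table_for(subnet):
    """Explicit association if there is one, otherwise the main route table."""
    return SUBNET_ASSOCIATIONS.get(subnet) or "rtb-main"


def egress_target(subnet, dst_ip):
    """Where an instance in `subnet` sends traffic destined for dst_ip."""
    return lookup_route(ROUTE_TABLES[route_table_for(subnet)], dst_ip)


def audit_private_subnets(subnets):
    """Flag subnets meant to be private whose internet-bound traffic goes straight
    to an Internet Gateway, or that have no path out because the NAT route is missing."""
    findings = []
    for subnet in subnets:
        # 203.0.113.1 (TEST-NET-3) stands in for "an address on the internet".
        target = egress_target(subnet, "203.0.113.1")
        if target is None:
            findings.append((subnet, "no default route: add 0.0.0.0/0 -> NAT gateway"))
        elif target.startswith("igw-"):
            findings.append((subnet, "default route points at an Internet Gateway: subnet is public"))
    return findings


if __name__ == "__main__":
    for subnet in SUBNET_ASSOCIATIONS:
        print(f"{subnet:22s} uses {route_table_for(subnet):12s} internet via {egress_target(subnet, '203.0.113.1')}")
    print("findings:", audit_private_subnets(["subnet-private-a", "subnet-just-created"]))
```

Because the main table here carries only the local route, the forgotten `subnet-just-created` is merely cut off from the internet rather than silently exposed to it, which is the failure mode the notes warn about.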

Security Groups

  • See EC2 for more information on Security Groups. Know the difference between a NACL and a Security Group for the test.
  • Remember Security Groups are Stateful (know this for the exam!!!)
    • For inbound traffic, if an inbound rule allows the request, the outbound response is automatically allowed.
    • For outbound traffic, if an outbound rule allows the request, the inbound response is automatically allowed.

Network Access Control List (NACL)

  • Network ACLs are essentially virtual firewalls
  • You can only ever associate a subnet to one NACL, but you can associate more than one subnet to a NACL (know this for exam!!)
  • You can only specify a single VPC for a NACL (know this for exam!!)
  • By default, a newly created custom NACL denies all inbound and outbound traffic (know this for exam!!)
  • Always start at rule #100 when creating a NACL (Amazon recommends this; it gives you a buffer in case you need to insert rules later). Then use increments of 100 between rules.
  • Ephemeral ports are the short-lived ports used as the client end of a TCP, UDP or SCTP connection. AWS suggests allowing 1024-65535 in NACLs to support them unless security requires a reduced set
  • Rules are evaluated in numerical order of rule number and the first matching rule applies, so denies must come before allows where they overlap. This is why you should leave room between rule numbers, to avoid renumbering all your NACL rules later.
  • NACLs are assessed before Security Groups, so even if you have a Security Group allowing port 80, if it’s blocked by a NACL it will be blocked.
  • Your VPC comes with a default NACL that allows all inbound/outbound traffic (know for exam!!)
    • You can modify the default NACL, but you shouldn’t. Just create your own and associate them to subnets
  • You can associate more than one Subnet at a time.
  • Remember NACLs are Stateless, you must specify inbound and outbound rules independently (know this for exam!!)
    • Both inbound and outbound rules are evaluated for each request
  • Remember to specify ephemeral ports on outbound rules for your NACL
  • You can block IP Addresses using NACLs, but not using Security Groups (know this for exam!!)
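The stateful/stateless distinction from the Security Groups and NACL sections is the single most testable idea here, so the following added example models both evaluation rules side by side. It is not part of the original notes and not AWS code: a small Python simulation in which a NACL evaluates every packet against numbered rules (first match wins, implicit deny) while a security group tracks allowed flows so replies need no rule. The addresses, ports and rule sets are constructed; the TEST-NET ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external clients.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int       # evaluation order for NACLs; unused for security groups
    protocol: str     # "tcp", "udp" or "all"
    port_from: int    # destination port range, as in the AWS console
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    action: str       # "allow" or "deny" (security groups only have "allow")

    def matches(self, pkt: Packet, direction: str) -> bool:
        peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        if self.protocol not in ("all", pkt.protocol):
            return False
        if not self.port_from <= pkt.dst_port <= self.port_to:
            return False
        return ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)


class NetworkAcl:
    """Stateless: every packet, request or reply, is checked against the rules
    of its direction in ascending rule number; the first match decides, and a
    packet matching nothing hits the implicit '*' deny."""

    def __init__(self, inbound, outbound):
        self.rules = {
            "inbound": sorted(inbound, key=lambda r: r.number),
            "outbound": sorted(outbound, key=lambda r: r.number),
        }

    def evaluate(self, pkt: Packet, direction: str):
        for rule in self.rules[direction]:
            if rule.matches(pkt, direction):
                return rule.action, rule.number
        return "deny", "*"


class SecurityGroup:
    """Stateful: only allow rules exist, and a packet allowed in one direction
    records the flow so that its reply is allowed without any rule."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.tracked = set()

    def evaluate(self, pkt: Packet, direction: str):
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.tracked:          # reply to a connection already allowed
            return "allow", "tracked"
        for rule in self.rules[direction]:
            if rule.matches(pkt, direction):
                self.tracked.add(flow)
                return "allow", rule.number
        return "deny", "*"


def demo():
    # Constructed traffic: a web request from an external client to a web
    # server in the subnet, its reply, and a request from a range we block.
    request = Packet("203.0.113.10", 54321, "10.0.1.20", 80)
    reply = Packet("10.0.1.20", 80, "203.0.113.10", 54321)
    blocked = Packet("198.51.100.7", 40000, "10.0.1.20", 80)

    nacl = NetworkAcl(
        inbound=[
            Rule(90, "tcp", 80, 80, "198.51.100.0/24", "deny"),   # deny placed before the allow
            Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
            Rule(200, "tcp", 443, 443, "0.0.0.0/0", "allow"),
        ],
        outbound=[Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")],  # ephemeral ports for replies
    )
    nacl_without_ephemeral = NetworkAcl(inbound=nacl.rules["inbound"], outbound=[])
    sg = SecurityGroup(inbound=[Rule(0, "tcp", 80, 80, "0.0.0.0/0", "allow")], outbound=[])

    return {
        "nacl_request": nacl.evaluate(request, "inbound"),
        "nacl_reply": nacl.evaluate(reply, "outbound"),
        "nacl_reply_without_ephemeral_rule": nacl_without_ephemeral.evaluate(reply, "outbound"),
        "nacl_blocked_request": nacl.evaluate(blocked, "inbound"),
        "sg_request": sg.evaluate(request, "inbound"),
        "sg_reply": sg.evaluate(reply, "outbound"),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:36s} {action:5s} (rule {rule})")
```

The `nacl_reply_without_ephemeral_rule` case is the classic mistake: the inbound allow on port 80 is correct, yet the web server's replies are dropped because nothing permits outbound traffic to the client's ephemeral port. The security group needs no outbound rule at all for the same reply.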

VPC Flow Logs

  • Allows you to capture information about the IP traffic going to and from your network interfaces in your VPC
  • Flow log data is stored using CloudWatch
  • Can be created at 3 levels
    • VPC, Subnet, Network Interface
  • You can stream your flow log group to Lambda or export to S3
  • You cannot enable flow logs for a VPC peered with yours unless the peer VPC is in your account
  • You cannot tag a flow log yet
  • Not all IP Traffic is monitored
    • traffic generated by instances contacting Amazon DNS servers won’t be logged
    • traffic generated by a Windows instance for Amazon Windows license activation won’t be logged
    • traffic to and from 169.254.169.254 for instance metadata won’t be logged
    • DHCP traffic won’t be logged
    • traffic to the reserved IP address for the default VPC router won’t be logged
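Flow log records are only useful if something reads them. The following is an added example, not part of the original notes and not AWS code: a parser for the default flow log record format (the space-separated fields `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`) with two simple detections run over constructed sample lines. The account ID, ENI ID, addresses and timestamps in the sample are made up; the VPC CIDR passed to the second detection is an assumption about the environment.

```python
import ipaddress
from collections import defaultdict

# Field order of the default flow log record format.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (account ID, ENI ID and timestamps are made up):
# an internal HTTPS flow, a probe of three ports that was REJECTed, an ACCEPTed
# SSH session from outside the VPC, and a NODATA record whose fields are '-'.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.20 10.0.1.35 49152 443 6 12 3110 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.20 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.20 40001 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.20 40002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.20 54321 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one flow log line into a dict; '-' fields become None, numeric fields become int."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":                 # NODATA/SKIPDATA records leave these empty
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_port_sweeps(records, min_ports=3) -> dict:
    """Sources whose REJECTed packets touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_admin_from_outside(records, vpc_cidr, admin_ports=(22, 3389)) -> list:
    """ACCEPTed TCP connections to admin ports from addresses outside the VPC,
    i.e. administration that did not come through a bastion or VPN."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != 6:   # protocol 6 = TCP
            continue
        if r["dstport"] in admin_ports and ipaddress.ip_address(r["srcaddr"]) not in vpc:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("parsed", len(recs), "records")
    print("port sweeps:", rejected_port_sweeps(recs))
    print("external admin access:", accepted_admin_from_outside(recs, "10.0.0.0/16"))
```

Remember the exclusions listed above when reading results: instance metadata, DHCP and Amazon DNS traffic never appear, so their absence from the log says nothing about whether it happened.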

Bastion Instance

  • NAT Instance is used to provide internet access to private instances for updating dependencies, etc
  • Bastion instances are used to securely administer private EC2 instances by allowing you to securely connect to the Bastion, then from there securely connect to another instance in the private subnet
  • You can make a Bastion instance highly available by putting it in an auto-scaling group that deploys it across AZs
  • With NAT Gateways, AWS handles this for you

VPC End Points

  • Enables private communication between AWS services without going across the internet
  • First you create an IAM role that grants EC2 the ability to access S3
  • The general idea here is that EC2 instances in a private subnet access S3 not by going through the internet, but through an internal gateway
  • This is done in the VPC dashboard under Endpoints
  • Endpoints come in two different varieties
    • Interface endpoint - entry point for traffic headed to a supported AWS service
    • Gateway endpoints are similar to NAT Gateways; this is the type we are going to use
  • You then add a policy to the endpoint, by default it grants all
  • With this setup, you will have access to what your role allows using the internal AWS infrastructure without going over the public internet
  • Endpoints also allow you to establish connections between your VPC and thousands of customer VPCs without managing peering connections (this is AWS PrivateLink)
  • This requires a Network Load Balancer in the service VPC and an ENI in the customer VPC

VPN CloudHub

  • Useful if you have multiple sites, each with its own VPN connection
  • Works on a hub and spoke model
  • Allows you to aggregate VPN connections, allowing you to connect to a New York site VPN and access data on your Miami site VPN
  • Operates over the public internet, but all traffic is encrypted