
VPC Cantrill

VPC allows creation of virtual networks within AWS. Key aspects include IP ranges, number of subnets, IPs per subnet. VPCs are isolated but can connect to the internet via internet gateways. Subnets are linked to availability zones and route tables control internal and external routing. Network components like NAT gateways, VPC peering, and transit gateways can help connect VPCs to each other and on-premises networks privately. VPC flow logs capture metadata about network traffic and can be analyzed using services like Athena.

Uploaded by

Mike Daniel
AWS VPC :

** When designing, note the IP ranges to avoid, how many subnets, and IPs per subnet.
Can add IPv4 secondary blocks, up to 5 blocks per account.
For IPv6 blocks, you can use one assigned by AWS or one you own.
A VPC is within a region. A subnet is linked to an AZ.
By default a VPC is isolated from the internet and the AWS public zone, except the default VPC.
One default VPC per region. You can remove it and recreate it. 172.31.0.0/16
The VPC router takes care of routing inside the VPC and outside. It has one interface in each subnet.
Only one IGW per VPC. VPC CIDR from /16 to /28.
You can create max 5 VPCs per region.
Subnets are created from the primary or secondary VPC CIDR.
The CIDR block must not overlap with an existing CIDR associated with the VPC.
You cannot change the CIDR and subnet mask once created.
Consider deploying application tiers per subnet.
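The design rules above (CIDR between /16 and /28, no overlap with existing ranges, one subnet per tier per AZ, and the addresses AWS keeps back in every subnet) can be checked before anything is created. The following is an added example written for these notes, not code from the course or from AWS; it uses only Python's ipaddress module. The VPC CIDR 10.16.0.0/16, the tier names and the "existing" ranges are constructed inputs. The notes list netw+1, +2 and +3 as taken; the example also counts the network and broadcast addresses, which AWS reserves as well, giving five reserved addresses per subnet.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, +1 (VPC
# router), +2 (DNS), +3 (reserved for future use) and the broadcast address.
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(cidr):
    """Validate a VPC CIDR against the /16 to /28 bounds from the notes."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def overlaps_existing(candidate, existing):
    """Return the first existing CIDR that overlaps the candidate, or None.
    Use this for both secondary blocks and peered/on-premises ranges."""
    cand = ipaddress.ip_network(candidate)
    for cidr in existing:
        if cand.overlaps(ipaddress.ip_network(cidr)):
            return cidr
    return None


def plan_subnets(vpc_cidr, azs, tiers, new_prefix):
    """Carve one subnet per (tier, AZ) out of the VPC CIDR, in order.
    Returns one dict per subnet with its CIDR, the VPC router and DNS
    addresses (+1 and +2) and the number of hosts actually usable."""
    vpc = check_vpc_cidr(vpc_cidr)
    pool = vpc.subnets(new_prefix=new_prefix)
    plan = []
    for tier in tiers:
        for az in azs:
            try:
                subnet = next(pool)
            except StopIteration:
                needed = len(tiers) * len(azs)
                raise ValueError(
                    f"{vpc_cidr} cannot hold {needed} /{new_prefix} subnets")
            plan.append({
                "tier": tier,
                "az": az,
                "cidr": str(subnet),
                "router": str(subnet.network_address + 1),   # netw+1
                "dns": str(subnet.network_address + 2),      # netw+2
                "usable_hosts": subnet.num_addresses - RESERVED_PER_SUBNET,
            })
    return plan


if __name__ == "__main__":
    # Constructed inputs: a /16 VPC, three AZs and three application tiers.
    clash = overlaps_existing("10.16.0.0/16", ["10.0.0.0/8", "172.31.0.0/16"])
    print("overlap with existing range:", clash)
    for s in plan_subnets("10.16.0.0/16", ["a", "b", "c"], ["web", "app", "db"], 20):
        print(f"{s['tier']:>3} {s['az']} {s['cidr']:<16} router={s['router']} "
              f"usable={s['usable_hosts']}")
```

The plan is deterministic, so the output can be compared against an existing VPC to spot drift, and the overlap check is the one to run against every secondary block or peer range before it is associated.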

Egress-only Internet Gateway is used for IPv6 addresses to access the internet.

transit vif / private vif / public vif

Enable DNS hostnames helps an instance get a public DNS name if a public IP was assigned.
By default subnets can communicate with other subnets in the VPC.

netw +1 VPC router: used to move data between subnets and out of the VPC. It has an interface in each subnet.
netw +2 DNS (enableDnsSupport / enableDnsHostnames: gives instances DNS names).
netw +3 reserved.

One DHCP option set per VPC at one time. You can change the option set but you cannot edit it.
Don't forget to enable auto-assign public IPv4 address or auto-assign IPv6.

Each subnet has one route table (has to have). One route table can be associated to many VPCs. netw+1 address. The VPC has a MAIN route table.
local = in the VPC itself. Local routes always take priority, even against a higher prefix length.

Each VPC has one or 0 IGW. One IGW can only be attached to one VPC.
Can assign the same IGW for IPv4 and IPv6.
Gateways traffic between the VPC and the internet or the AWS public zone.
Once an IGW route is in a subnet, it's a public subnet.
The instance (OS) itself doesn't get the public IPv4; a record is created on the IGW. For IPv6, the instance does have the address.

Bastion host = Jumpbox: an instance in a public subnet used to access private resources. Often the only way in to a VPC.

Custom NACLs can be created for a specific VPC. Cannot be assigned to AWS resources.
Each subnet can have one NACL. Security groups (no explicit deny) cannot block specific addresses the way a NACL can. They are attached to an ENI.

Use a NAT gateway to let private instances access the internet. The NAT gateway is located in the public subnet so it has a route to the internet via the IGW.
The default route for private instances points to the NAT gateway.
The NAT gateway maintains a translation table. It uses its own public IP to connect to the IGW. The IGW translates the NAT gateway IP to a real public IP.
Runs from a public subnet because it needs a public IP assigned for itself.
NAT gateways use EIPs. AZ-resilient service. For region resilience, deploy one NAT gateway per AZ and add a default route in each subnet.
Charged based on data processed (/GB) and usage hour.
(To use a NAT instance, disable source/dest checks; a NAT instance can be cheaper, more flexible.) A NAT gateway is AZ resilient but NAT instances are not.
SGs only apply to NAT instances; NACLs apply to both.
SG self-references scale with adds and removes from the SG.
NAT and NAT gateway don't work with IPv6.
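The difference the notes draw between NACLs and security groups (a NACL can deny a specific address, a security group has no explicit deny and can only allow) is easiest to see by evaluating the same packet against both rule types. This is an added example written for these notes, not code from the course or from AWS. The rule lists, the source addresses and the ports are constructed; rule numbers, actions, CIDRs and port ranges follow the shape of real NACL and SG rules, but the evaluator is a toy model of the matching order only (stateful reply handling is not modelled).

```python
import ipaddress


def _matches(src_ip, cidr, port, port_range):
    """True when the source address is inside cidr and the port is in range."""
    low, high = port_range
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr) and low <= port <= high


def nacl_decision(rules, src_ip, port):
    """NACL inbound evaluation: rules are checked in ascending rule-number
    order, the first match wins (allow or deny), and the implicit final
    rule (*) denies everything that matched nothing."""
    for number, action, cidr, port_range in sorted(rules, key=lambda r: r[0]):
        if _matches(src_ip, cidr, port, port_range):
            return action
    return "deny"


def sg_decision(rules, src_ip, port):
    """Security group inbound evaluation: every rule is an allow. Traffic is
    allowed if any rule matches and dropped otherwise. There is no way to
    express 'deny this one address' here; the only tool is a narrower allow."""
    for cidr, port_range in rules:
        if _matches(src_ip, cidr, port, port_range):
            return "allow"
    return "deny"


# Constructed rule sets. NACL: rule 100 blocks one address outright, rule 200
# then allows SSH from anywhere. SG: allows SSH from anywhere, so the same
# address cannot be singled out; the second SG narrows the allow instead.
NACL_RULES = [
    (200, "allow", "0.0.0.0/0", (22, 22)),
    (100, "deny", "198.51.100.23/32", (0, 65535)),
]
SG_OPEN = [("0.0.0.0/0", (22, 22))]
SG_NARROW = [("10.0.0.0/8", (22, 22))]


if __name__ == "__main__":
    for src in ("198.51.100.23", "203.0.113.5"):
        print(src, "NACL:", nacl_decision(NACL_RULES, src, 22),
              "SG open:", sg_decision(SG_OPEN, src, 22),
              "SG narrow:", sg_decision(SG_NARROW, src, 22))
```

Run the same address through both evaluators: the NACL's low-numbered deny stops 198.51.100.23 before the broad allow is reached, while the open security group lets it through, and the only security-group fix is to shrink the allow to a trusted range.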

Global Accelerator uses Anycast IPs to route to the closest location.

user -> internet -> global accelerator -> vpc
Can be used for non-HTTP/S.
When you create one, you get 2 anycast IPs: helps users connect to the closest Global Accelerator location.
- CloudFront only caches HTTP/HTTPS content, but Global Accelerator can be used with a variety of use cases; it's a network product.

VPC flow logs only capture packet metadata, not content. For content you need a packet sniffer.
Can be applied at the VPC, subnet, or ENI level. They are not real time.
Log destinations can be S3 or CloudWatch. With S3, you can access the logs and integrate them with third-party monitoring tools.
With CloudWatch Logs, you can integrate with other products, access it programmatically or using the CloudWatch console.
Athena can be used to query those logs in S3.
Flow logs capture from the capture point down.

version account-id interface-id srcip dstip srcprt dstprt proto packets bytes start end action log-status

Some data is not recorded by flow logs: metadata address, DHCP within the VPC, NTP, Amazon Windows licence server, Amazon DNS server.
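The default flow log record format listed above is space-separated, one record per line, so the rejected flows that a NACL or security group dropped can be pulled out with a short parser before anything reaches Athena. This is an added example written for these notes, not code from the course or from AWS. The field names are the AWS default-format names (the notes abbreviate them as srcip, dstip, srcprt, dstprt and proto). The log lines, account id, ENI id and addresses are constructed; records whose log-status is not OK (NODATA, SKIPDATA) carry dashes instead of traffic fields and are skipped.

```python
from collections import Counter

# Default flow log format, version 2: 14 space-separated fields per record.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (not real traffic). One external source probes
# SSH, RDP and telnet on an instance; one line is a NODATA interval.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.16.8.14 51234 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.16.8.14 51235 3389 6 2 120 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.16.8.14 203.0.113.9 44321 443 6 25 9800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.16.8.14 51236 23 6 1 60 1700000060 1700000119 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000119 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.77 10.16.8.14 40000 22 6 4 240 1700000060 1700000119 REJECT OK
"""


def parse_flow_log(text):
    """Turn default-format flow log text into a list of dicts with numeric
    fields converted. Malformed lines and non-OK records are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # custom format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA: no traffic fields
        for name in NUMERIC:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def rejected_by_source(records, min_distinct_ports=2):
    """Sources whose REJECTed flows touched at least N distinct destination
    ports in the window: a cheap port-scan indicator from metadata alone."""
    ports = {}
    for rec in records:
        if rec["action"] == "REJECT":
            ports.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


def bytes_by_action(records):
    """Total bytes per action, the same aggregate an Athena GROUP BY would give."""
    totals = Counter()
    for rec in records:
        totals[rec["action"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records kept:", len(recs))
    print("bytes by action:", bytes_by_action(recs))
    print("rejected sources hitting several ports:", rejected_by_source(recs))
```

The same two aggregates translate directly into Athena queries over the S3 copy of the logs once the table is defined with these 14 columns; the parser is the offline way to check the logic against a handful of records first.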

Egress-only gateway is HA by default across all AZs. To use it, add a default route in the subnet pointing to the eigw-id.

VPC endpoints help private subnets access AWS services privately:

** Gateway endpoints ==> access to S3, DynamoDB. Max 255 per VPC.
VPC endpoints are per service per region.
A prefix list is added to the route table when you add a gateway endpoint to a subnet. HA across all AZs by default.
An endpoint policy can be applied to a gateway endpoint to control which resources can be accessed.
Gateway endpoints can be used to access services in the same region; not cross region.
S3 can be private and be accessed only from a gateway endpoint.
The gateway endpoint can only be accessed within that VPC.
** Interface endpoints can now be used to access S3. Not HA by default.
For HA, use one endpoint interface in one subnet per AZ.
Network access controlled via SG. You can use endpoint policies. TCP and IPv4 only.
Behind the scenes, interface endpoints use PrivateLink: inject AWS or third-party services inside the VPC.
When you create an interface endpoint, you get a new DNS name for the service that helps you access the service via the interface endpoint.
- Interface endpoints give a regional DNS: a single DNS name that works with any AZ used to access; each interface in each AZ gets a zonal DNS that resolves to one specific interface in that one specific AZ.
- Interface endpoints come with PrivateDNS: associates a Route 53 private hosted zone with your VPC; overrides the default service DNS with the interface endpoint IP.
Only one interface endpoint per AZ, so pick one subnet in the AZ. An instance in AZ a can use an interface endpoint in AZ b.
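The route selection rules spread across these notes (the local route for the VPC CIDR wins first, otherwise longest prefix; an IGW route makes a subnet public; a private subnet's default route points at a NAT gateway; a gateway endpoint adds a prefix-list route) fit in one small route table model. This is an added example written for these notes, not code from the course or from AWS. The VPC CIDR, the target ids (igw-EXAMPLE, nat-EXAMPLE, vpce-EXAMPLE, eni-EXAMPLE) and the 203.0.113.0/24 "prefix list" range are constructed placeholders, and the lookup follows the priority the notes state rather than every later refinement AWS has made to route tables.

```python
import ipaddress


class RouteTable:
    """Minimal model of a VPC route table: (destination, target) pairs.
    The local route covers the VPC CIDR and is consulted first; the rest
    are matched on longest prefix, as the notes describe."""

    def __init__(self, vpc_cidr):
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        self.routes = [(self.vpc_cidr, "local")]   # implicit, cannot be removed

    def add(self, destination, target):
        self.routes.append((ipaddress.ip_network(destination), target))
        return self

    def lookup(self, dst_ip):
        """Return the target a packet to dst_ip would be sent to, or None."""
        ip = ipaddress.ip_address(dst_ip)
        if ip in self.vpc_cidr:
            return "local"          # wins even against a more specific route
        best = None
        for net, target in self.routes[1:]:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def is_public_subnet(table):
    """Per the notes: a subnet is public once its route table has an IGW route."""
    return any(target.startswith("igw-") for _, target in table.routes)


def build_example_tables():
    """Constructed public and private route tables for a 10.16.0.0/16 VPC."""
    vpc = "10.16.0.0/16"
    public = RouteTable(vpc).add("0.0.0.0/0", "igw-EXAMPLE")
    private = (RouteTable(vpc)
               .add("0.0.0.0/0", "nat-EXAMPLE")            # default out via NAT gateway
               .add("203.0.113.0/24", "vpce-EXAMPLE")      # constructed gateway endpoint prefix list
               .add("10.16.32.0/24", "eni-EXAMPLE"))       # more specific than local, still loses
    return public, private


if __name__ == "__main__":
    public, private = build_example_tables()
    for name, table in (("public", public), ("private", private)):
        print(name, "is_public =", is_public_subnet(table))
        for dst in ("8.8.8.8", "203.0.113.9", "10.16.32.5"):
            print("  ", dst, "->", table.lookup(dst))
```

The private table shows the two priorities at once: 203.0.113.9 takes the /24 endpoint route over the /0 NAT default by prefix length, while 10.16.32.5 stays on local even though a /24 route inside the VPC CIDR exists.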

** VPC peering: direct encrypted network link between two VPCs through the AWS global secure network (no more than 2). Works same/cross region and cross account.
(Optional) Public hostnames resolve to private IPs.
Same-region SGs can reference peer SGs (only in same region). VPC peering is not transitive.
Routing config is needed; SGs and NACLs can filter.
Invite and accept architecture. For ping to work, create an ICMP rule.

** Direct Connect: physical connection --> 1, 10, 100 Gbps.

Port allocation at a DX location. Hourly cost and outbound data transfer; inbound is free.
There is a provisioning time. Physical cables and no resilience. Provides low and consistent latency + high speeds. Can be used to access private services in a VPC or AWS public services. Cannot access the internet unless you add a network device on your behalf. DX location: AWS Direct Connect cage and customer/comms partner cage.
On premise --> DX location [customer/partner DX router & AWS DX router] --> AWS region. Cross connect is the connection from your AWS-allocated port to the customer DX router. The connection can be extended from the customer DX router to your on-premise router.
AWS regions have multiple DX locations. VPNs can be used as backup with Direct Connect.

** Transit Gateway connects VPCs to on-premises networks. Reduces network complexity; HA and scalable. VPC, site-to-site VPN (termination of VPN), Direct Connect gateway are the attachments.
VPC attachments are configured with a subnet in each AZ. Transitive traffic allowed. Can peer transit gateways in other accounts and regions.

DHCP option set / VPC and subnet interface / SG self reference / one NAT gateway / NAT gateway - NAT instance / Global Accelerator / in private or public subnet / AWS global network /
