abk edited this page Nov 26, 2019 · 1 revision

VPC - Virtual Private Cloud


  • Originally one big cloud

    • Access was restricted using firewalls/security groups.
  • Resources in one VPC can’t talk to resources in another VPC.

    • Isolated network blast radius.
  • Later VPC was launched instead of the one big public cloud.

    • EC2 instances running outside a VPC, in that original big cloud, are called EC2-Classic.
  • Typical characteristics.

    • Every AWS region has 2 or more availability zones.
    • An AZ is like a data center, separated from the others by a few hundred miles.
    • A VPC can span multiple AZs.
    • A VPC does NOT span regions.
    • They are not global networks, but regional networks (within a region).
    • A VPC comes with an internal DNS server. DNS names and IP addresses are assigned automatically.
  • Ability to launch into subnet

  • Ability to define custom CIDR (IP address range)

  • Ability to configure routes between subnets via route tables

  • Ability to configure Internet Gateway to provide route to internet for resources launched inside VPC

  • Ability to create a layered network of resources.

  • Ability to extend your on-premises network into the cloud with a VPN/VGW and an IPsec VPN tunnel.

  • Layered security

    • Instance-level security groups (firewall on the EC2 instance).
    • Subnet level network ACLs (firewall on the subnet level).
  • 2 types of VPC

    • Custom VPC
      • Can be designed and configured any valid way
      • Have to allocate IP ranges, subnets, provision gateways, networking and also security
      • Best practice is NOT to use the default VPC.
      • DNS names are not enabled by default for the EC2s that are created in custom VPC.
    • Default VPC
      • Exists in every region and created by AWS.
      • Comes with an IGW, SG, NACL and DHCP option set already attached.
      • 5 VPCs / region
      • 5 Internet gateways / region
      • 50 customer gateways / region
      • 50 VPN connections / region
      • 200 route tables per region / 50 entries per route table
      • 5 Elastic IP addresses
      • 500 security groups / VPC
      • 50 rules / SG
      • 5 SG per network interface.


  • Reserved IPs (5 per subnet)

    • Network (.0)
    • Router (.1)
    • DNS (.2)
    • Future, (.3)
    • Broadcast (.X)

ROUTING

  • VPC router: moves traffic between subnets and to and from the internet.
  • It’s highly available, scalable and controls data entering and leaving.
  • A VPC has ONE main route table, which is associated with all subnets in the VPC by default.
  • Additional “custom” route tables can be created and associated.
  • The RT controls what the VPC router does with traffic leaving a subnet.

Steps involved in creation of VPC

  1. Create the VPC.
  2. Create an IGW and attach it to the VPC (one IGW per VPC).
  3. Create subnets in different AZs (2 private, 2 public).
  4. Create a custom RT that connects to the public internet.
    1. There has to be a route to the IGW.
    2. Associate this RT with the public subnets.
  5. Create a custom private RT that does NOT connect to the internet.
    1. There is NO route to the public internet.
    2. Associate this private RT with the private subnets.

How does traffic flow into a VPC?

  1. First, incoming traffic hits the IGW (and thus the VPC).
  2. Second, it has to go through the NACL, which operates at the subnet boundary. It’s a firewall at the subnet level.
  3. A NACL is a set of rules, with a protocol, for inbound or outbound traffic.
    • Always has 2 parts (inbound and outbound) and MUST have both.
    • NACL is stateless. (Need both an inbound and an outbound rule.)
    • NACLs are associated with one or more subnets.
  4. Security groups are the next level of firewall, at the instance level.
    • All traffic is DENIED unless there is an explicit allow.
    • There are NO deny rules for SGs. Only ALLOW rules.
    • SGs are stateful. Meaning, once you ALLOW a flow in, its reply is allowed out.
    • SGs are associated with one or more instances.
    • An instance can have more than one SG associated.
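The stateless NACL versus stateful SG behaviour above is easy to get wrong, so here is an added example (not from the original notes) that models both layers on constructed rule sets and walks a request and its reply through them. The rule formats, addresses and port numbers are assumptions made for the illustration; the NACL rules are evaluated lowest number first with an implicit final deny, and the security group keeps a connection table so that replies to admitted flows pass without an outbound rule.

```python
# Added example (not from the page): the NACL (stateless, numbered rules, first match wins,
# implicit '*' deny) and security group (stateful, allow-only) layers described above.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport proto")

def reply_to(p):  # response packet: addresses and ports swapped
    return Packet(p.dst, p.dport, p.src, p.sport, p.proto)

def matches(r_proto, cidr, lo, hi, proto, addr, port):
    return r_proto in ("all", proto) and ip_address(addr) in ip_network(cidr) and lo <= port <= hi

def nacl_allows(rules, addr, port, proto="tcp"):
    # rules: (number, proto, cidr, (lo, hi), "allow" | "deny"), evaluated lowest number first
    for _, r_proto, cidr, (lo, hi), action in sorted(rules):
        if matches(r_proto, cidr, lo, hi, proto, addr, port):
            return action == "allow"
    return False  # nothing matched: the implicit '*' deny rule

class SecurityGroup:
    def __init__(self, inbound):
        self.inbound = inbound  # (proto, cidr, (lo, hi)); allow rules only, no deny rules
        self.tracked = set()    # connection table that makes the SG stateful

    def allows_inbound(self, p):
        for r_proto, cidr, (lo, hi) in self.inbound:
            if matches(r_proto, cidr, lo, hi, p.proto, p.src, p.dport):
                self.tracked.add(p)
                return True
        return False  # default deny

    def allows_reply(self, r):  # a tracked flow's reply needs no outbound rule
        return reply_to(r) in self.tracked

def request_and_reply(nacl_in, nacl_out, sg, req):
    """Request from the IGW through inbound NACL then SG; reply back out through both."""
    if not (nacl_allows(nacl_in, req.src, req.dport, req.proto) and sg.allows_inbound(req)):
        return (False, False)
    rep = reply_to(req)  # outbound NACL matches the client's ephemeral port as destination
    return (True, nacl_allows(nacl_out, rep.dst, rep.dport, rep.proto) and sg.allows_reply(rep))

# Constructed sample rules: HTTPS from anywhere into a public subnet.
NACL_IN = [(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
NACL_OUT_BROKEN = [(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]  # forgot ephemeral ports
NACL_OUT_FIXED = NACL_OUT_BROKEN + [(110, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]
SG_IN = [("tcp", "0.0.0.0/0", (443, 443))]
REQ = Packet("203.0.113.7", 51000, "10.0.1.20", 443, "tcp")
```

With `NACL_OUT_BROKEN` the request is admitted but its reply is dropped at the outbound NACL, because the reply's destination is the client's ephemeral port; `NACL_OUT_FIXED` adds the ephemeral range and the round trip completes.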

Internet Gateway

  • VPC component that allows communication between instances in your VPC and internet
  • An IGW can only be attached to one VPC at a time.
  • It’s highly available and scalable. (No need to worry.)
  • No resource inside the VPC actually has the public IP configured on it.
  • It’s the IGW that translates the public IP (which the IGW holds) to the private IP of the EC2 instance.
  • This static network address translation (static NAT, one-to-one) is performed by the IGW.

Subnets:

  • You can share a subnet with other AWS accounts within an AWS organization.
  • How to make a subnet public?
    • Enable auto-assign public IPv4 addresses on the subnet.
    • Attach an IGW to the VPC and give the subnet a route to it.