De-abstracting Concepts: VPC

Renz Carillo
7 min read · Oct 20, 2022

Introduction

This serves as my quick cheatsheet for VPC; it contains different concepts, including their definition and how they fit along with the VPC.

What exactly is a VPC? A VPC is an isolated network dedicated to your AWS account.

This is a work in progress. Some of the items are missing. Yeah, I’ll get back to them in the future.

Prerequisite

  • IP Address: Think of it as a unique identifier for a device; every device has its own IP address.
  • IPv4: Only 4 billion unique IP addresses, clearly not enough for all devices in the world; Example — 192.168.1.152
  • IPv6: 340 trillion trillion trillion unique IP addresses, a clear modern replacement for IPv4;
    Example — 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • Dual Stack Mode: devices are able to run IPv4 and IPv6 in parallel.
  • Subnet Mask (Subnetting): It is used to divide an IP address into two parts. Example — 255.255.255.192 is the subnet mask of IP address 192.168.1.1; in this particular example the first three octets represent the network while the last octet represents the host (computer).
    - Network: This part specifies the unique number assigned to your network. It also identifies the class of network assigned.
    - Host: This is the part of the IP address that you assign to each host. It uniquely identifies this machine on your network. Note that for each host on your network, the network part of the address will be the same, but the host part must be different.
  • CIDR:
    - CIDR Notation: An easy way to write a subnet mask. Instead of writing 255.255.255.0, which is the full form of the subnet mask, you can simply write its CIDR notation equivalent, /24. In a nutshell, /24 means that the first 24 bits (the first three octets) of the corresponding IP address represent the network part.

Can you explain deeply what /24 really means?

So let's take IPv4 for example. Each and every IPv4 address is exactly 32 bits long. Now look at the following IP, written in binary (base-2) form instead of the regular dotted notation (1.2.3.4):

    00001010000010010010101000010001

This translates to the decimal (base-10) number 168372753. Obviously, neither the binary form nor the decimal form is easy to remember, and both are confusing for a human to compare. So instead, we break the string of 32 bits into 4 groups of 8 bits:

    00001010 00001001 00101010 00010001

Each of those groups is then translated to a decimal number:

    00001010 = 10
    00001001 = 9
    00101010 = 42
    00010001 = 17

So the IP 00001010000010010010101000010001 in dotted notation is 10.9.42.17, which is much easier to remember. Why is this important? The number after the / is the number of bits in the network part of the IP address. So if you have 10.9.42.17/24, the first 24 bits of the IP address identify the network, and the remaining 8 bits identify the host. At the binary level, you actually have this:

    ip:   10.9.42.17 = 00001010000010010010101000010001
    cidr: 24         = 11111111111111111111111100000000

To save you from counting, the cidr line has 24 one-bits followed by 8 zero-bits. You can then use 11111111111111111111111100000000 as a mask in bitwise operations on 00001010000010010010101000010001 (the original IP) to get things like the first IP in the network range and the last IP in the network range. For example, to get the beginning of the range, you AND the two:

      00001010000010010010101000010001
    & 11111111111111111111111100000000
    = 00001010000010010010101000000000

which translates to 10.9.42.0, the first IP in the range.
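The arithmetic above, generalized to any IPv4 address and prefix length, as an added example that is not part of the original post. It does the bit operations by hand (the same AND the text shows), derives the last address and host counts, converts a dotted mask such as 255.255.255.192 back to its prefix length, and cross-checks the hand-rolled result against Python's standard library; the AWS reserved-address count is the only value not taken from the text above.

```python
import ipaddress

def ip_to_int(dotted: str) -> int:
    """Dotted notation -> the 32-bit integer shown in the text (10.9.42.17 -> 168372753)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted notation."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 24 one-bits followed by 8 zero-bits (0xFFFFFF00)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return ((1 << prefix) - 1) << (32 - prefix)

def mask_to_prefix(dotted_mask: str) -> int:
    """255.255.255.192 -> 26; rejects non-contiguous masks such as 255.0.255.0."""
    mask = ip_to_int(dotted_mask)
    prefix = bin(mask).count("1")
    if mask != prefix_to_mask(prefix):
        raise ValueError(f"{dotted_mask} is not a contiguous subnet mask")
    return prefix

def cidr_range(cidr: str) -> dict:
    """Network (first) and broadcast (last) address plus host counts for an IPv4 CIDR."""
    dotted, prefix = cidr.split("/")
    ip, mask = ip_to_int(dotted), prefix_to_mask(int(prefix))
    network = ip & mask                          # the AND shown in the text
    broadcast = network | (~mask & 0xFFFFFFFF)   # all host bits set to 1
    size = 1 << (32 - int(prefix))               # addresses in the block
    return {
        "ip_bits": f"{ip:032b}",
        "mask_bits": f"{mask:032b}",
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "hosts": max(size - 2, 0),        # classic count: minus network and broadcast
        "aws_usable": max(size - 5, 0),   # AWS reserves the first four and the last address of each subnet
    }

def agrees_with_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against the standard library."""
    net = ipaddress.ip_network(cidr, strict=False)
    r = cidr_range(cidr)
    return r["network"] == str(net.network_address) and r["broadcast"] == str(net.broadcast_address)
```

Running mask_to_prefix on the 255.255.255.192 mask from the prerequisites returns 26, which is why that mask splits the last octet rather than leaving the whole octet for hosts.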

CIDR Conclusion: The higher the /n (e.g. /16 vs. /24), the more bits belong to the network part of the address, and the more bits the network part takes, the fewer bits are left for the host part, so the network holds fewer hosts. These host sizes correspond to different classes (A, B, C, D, E).
- Class A: Typically used by big companies.
- Class B: Typically used by medium-size companies.
- Class C: Typically used by small businesses.
- Class D and E: Reserved, used for experimental purposes.

Concepts

VPC

  • VPC: Virtual Network in AWS; a place where you can launch AWS services and other resources.
    - CIDR Blocks: You can associate IPv4 and IPv6 addressing. By default, all VPCs and subnets must have IPv4 CIDR blocks — you can’t change this behavior but you can optionally associate an IPv6 CIDR block with your VPC.
    How to choose CIDR Range?
    Tool:
    https://www.davidc.net/sites/default/subnets/subnets.html
    How-to-use-the-tool: https://www.youtube.com/watch?v=aEee6z1wqfY
    How-to-choose-CIDR-Range: https://serverfault.com/questions/630022/what-is-the-recommended-cidr-when-creating-vpc-on-aws
  • VPC Flow Logs: enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
  • Subnet: Logical subdivision of an IP Network. Subnetting is the practice of dividing a network into two or more networks.
    - Public Subnets: Resources in them can be reached from the internet.
    - Private Subnets: Resources in them cannot be reached from the internet, although outbound internet access from a private subnet is still feasible.
  • Route Tables: Contains a set of rules called routes that are used to determine where network traffic from your subnet or gateway is directed. Each subnet is always associated with a route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
    - Public Route Tables: Route tables whose internet-bound traffic is directed to the Internet Gateway. Used by public subnets.
    - Private Route Tables: Route tables whose internet-bound traffic is directed to a NAT Gateway in a public subnet, which enables outbound internet access from the private subnet. Used by private subnets.
  • Internet Gateways: Allows communication between instances in your VPC and the internet.
  • Egress-only Internet Gateways: Think of it as a NAT Gateway but for IPv6 traffic only, since NAT Gateway doesn't support IPv6. Like a NAT Gateway, it gives your instances outbound internet connectivity but allows no inbound traffic.
  • Carrier Gateways: VPCs that contain a subnet in a Wavelength Zone can connect to a carrier gateway. A carrier gateway allows you to connect to the following resources: 4G/LTE and 5G devices on the telecommunication carrier network.
  • DHCP Options Sets:
  • Elastic IPs: In simple words, permanent IP addresses. For a more proper definition, it is a static public IPv4 address associated with your AWS account in a specific Region. Unlike an auto-assigned public IP address, an Elastic IP address is preserved after you stop and start your instance in a virtual private cloud (VPC).
  • Managed Prefix Lists:
  • Endpoints: Allows private connection between your AWS VPC and other AWS services without using the internet.
    - Interface Endpoints: Allows you to connect to services powered by AWS PrivateLink. This includes a large number of AWS services.
    - Gateway Load Balancer Endpoints: Allows you to intercept traffic and route it to a network or security service that you’ve configured using a Gateway Load Balancer.
    - Gateway Endpoints: Provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC.
  • Endpoint Services:
  • NAT Gateways: Gateway that enables instances from the Private Subnet to connect to the internet.
  • Peering Connections: Networking connection between two VPCs that enables you to route traffic between them privately.
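How a subnet's route table chooses a target for the public, private and peered cases described above, as an added example that is not part of the original post. The VPC CIDR, the route tables and the igw-/nat-/pcx- target ids are all constructed placeholders; the lookup implements longest-prefix match, which is why a peering route for a specific CIDR wins over the 0.0.0.0/0 default.

```python
import ipaddress

# Constructed VPC CIDR and route tables; the targets are placeholder ids, not real resources.
VPC_CIDR = "10.0.0.0/16"

# Every route table carries the VPC's own CIDR as a "local" route. A public and
# a private table differ only in where the default route 0.0.0.0/0 points.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
# A private table that also reaches a peered VPC (10.1.0.0/16) through a peering connection.
PEERED_RT = PRIVATE_RT + [("10.1.0.0/16", "pcx-PLACEHOLDER")]

def lookup(route_table, destination: str) -> str:
    """Pick the target for a destination: the most specific (longest prefix) matching route wins."""
    dest = ipaddress.ip_address(destination)
    best_net, best_target = None, "no-route"   # a real table always has at least the local route
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def is_public_subnet(route_table) -> bool:
    """A subnet is public when its route table contains a route to an Internet Gateway."""
    return any(target.startswith("igw-") for _, target in route_table)

def classify_egress(route_table) -> str:
    """Where does traffic for an internet address leave this subnet?
    Uses a TEST-NET-3 documentation address as a stand-in for any internet destination."""
    target = lookup(route_table, "203.0.113.5")
    if target.startswith("igw-"):
        return "igw"    # direct, inbound-capable: public subnet
    if target.startswith("nat-"):
        return "nat"    # outbound only: private subnet
    return "none"       # no default route at all
```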

Security

  • Network ACLs: Firewall at the subnet level. Includes allow and deny rules.
  • Security Groups: Firewall at the instance level. Includes inbound and outbound allow rules.
    - Type: You can choose a common protocol, such as SSH (for a Linux instance), RDP (for a Windows instance), or HTTP and HTTPS to allow internet traffic to reach your instance. You can also manually enter a custom port or port range.
    - Protocol: The type of protocol, for example TCP or UDP. Worth mentioning: SSH uses TCP, not UDP.
    - Port Range: You can manually enter a port number or a port range.
    - Destination/CIDR Notation:
      /0: refers to the entire network, i.e. any address
      /32: refers to exactly one IP address
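Evaluating security group inbound rules of the form described above (protocol, port range, source CIDR) against a connection, plus the audit check a reviewer would run for admin ports opened to /0, as an added example that is not part of the original post. The rule set and the addresses in it are constructed; the rule fields follow the Type/Protocol/Port Range/CIDR breakdown above.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # start of the port range (ignored when protocol is "-1")
    to_port: int     # end of the port range
    source: str      # IPv4 CIDR: a /32 is one address, 0.0.0.0/0 is everyone

# Constructed inbound rule set for a web server that someone also uses as a bastion.
INBOUND = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),          # HTTPS from anywhere: expected for a web server
    Rule("tcp", 22, 22, "0.0.0.0/0"),            # SSH from anywhere: the finding reported below
    Rule("tcp", 3389, 3389, "203.0.113.10/32"),  # RDP from a single admin address
]

def matches(rule: Rule, protocol: str, port: int, src_ip: str) -> bool:
    """Does one rule permit a connection of this protocol and port from this source?"""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def is_allowed(rules: List[Rule], protocol: str, port: int, src_ip: str) -> bool:
    """Security groups are allow-only: the connection is permitted if any rule matches
    and implicitly denied otherwise (there are no deny rules to evaluate)."""
    return any(matches(r, protocol, port, src_ip) for r in rules)

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

def find_admin_ports_open_to_world(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Audit check: report (port, name, source) for every rule exposing SSH or RDP to 0.0.0.0/0."""
    findings = []
    for r in rules:
        if r.protocol not in ("tcp", "-1") or ipaddress.ip_network(r.source, strict=False) != ANYWHERE:
            continue
        for port, name in ADMIN_PORTS.items():
            if r.protocol == "-1" or r.from_port <= port <= r.to_port:
                findings.append((port, name, r.source))
    return findings
```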

Network Analysis

  • Reachability Analyzer: Enables you to analyze and debug reachability between any two resources in your VPC
  • Network Access Analyzer: A feature of VPC that reports on unintended access to your AWS resources based on the security and compliance requirements that you specify.

DNS Firewall

  • Rule Groups:
  • Domain Lists:

Network Firewall

Network Firewall allows you to deploy essential network protections for your VPCs.

  • Firewalls: Firewall at a VPC level. Stateful, managed network firewall and intrusion prevention/detection service that allows customers to filter traffic at the perimeter of their VPC.
    - Policies:
    - Network Firewall Rule Groups:

VPN

  • Customer Gateways: Used to connect to physical or software appliances that you own or manage in your on-premises network.
  • Virtual Private Gateways: VPN concentrator on the Amazon side of the site-to-site VPN connection. Only a single VPG is available for each VPC.
  • Site-to-Site VPN Connections: Create a connection from your remote network to your VPC.
  • Client VPN Endpoints: Managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network.

AWS Cloud WAN

  • Network Manager:

Transit Gateways

  • Transit Gateways: Mostly to enable connections to multiple VPCs; Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway
    - Attachments:
    - Policy Tables:
    - Route Tables:
    - Multicast:

Traffic Mirroring

  • Traffic Mirroring: Used to capture and inspect network traffic.
    - Sessions: Establishes a relationship between a traffic mirror source and a traffic mirror target. A traffic mirror session contains a source, target, and filter.
    - Targets: A destination for a traffic mirror session.
    - Filters: Used to determine the traffic that is mirrored.

VPC: Real Life Application

Ideal VPC Network

Three Tier Architecture

EKS VPC Sample #1
