AWS VPC?

DevKishan Joshi
7 min readMar 25, 2023


A virtual private cloud (VPC) is a private cloud computing environment contained within a public cloud. Essentially, VPC provisions logically isolated sections of a public cloud in order to provide a virtual private environment.

AWS VPC Components:

CIDR

CIDR stands for Classless Inter-Domain Routing. It is a method of allocating IP addresses to devices.

192.168.0.0/26 => 192.168.0.0–192.168.0.63 (64 IPs)

There are 2 components of a CIDR block:

  • Base IP (192.168.0.0)
  • Subnet mask (/26): determines which part of the IP can change.

Here, 192.168.0.0 is the base IP and /26 is the subnet mask. The remaining 32 − 26 = 6 bits of the address can change, which means this CIDR block yields 2⁶ = 64 IP addresses.
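The CIDR arithmetic above, worked through with Python's standard-library ipaddress module, as an added example that is not part of the original post; it also goes one step further and checks that a constructed set of subnet CIDRs fits inside a VPC CIDR without overlapping (the VPC and subnet values are constructed for illustration).

```python
# Added example (not from the original post). The VPC and subnet CIDRs used
# below are constructed for illustration.
import ipaddress


def cidr_range(cidr: str):
    """Return (first address, last address, number of addresses) for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen  # 32 - 26 = 6 for a /26
    return str(net.network_address), str(net.broadcast_address), 2 ** host_bits


def check_subnets(vpc_cidr: str, subnet_cidrs):
    """Verify every subnet lies inside the VPC CIDR and no two subnets overlap.

    Returns a list of human-readable problems; an empty list means the plan is valid.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC CIDR {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    print(cidr_range("192.168.0.0/26"))  # ('192.168.0.0', '192.168.0.63', 64)
    # Constructed plan: a /24 VPC carved into four /26 subnets (rooms in the house).
    plan = ["192.168.0.0/26", "192.168.0.64/26", "192.168.0.128/26", "192.168.0.192/26"]
    print(check_subnets("192.168.0.0/24", plan))  # []
    # A planning mistake: a /27 that overlaps the third /26.
    print(check_subnets("192.168.0.0/24", plan[:3] + ["192.168.0.160/27"]))
```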

Subnet

A subnetwork, or subnet, is a logical subdivision of an IP network. Dividing a network into two or more networks is called subnetting. In other words, a subnet is like a room inside a house, and the house is the VPC.

Route Table

A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed. The route tables in a VPC control the routing for all of its subnets. A VPC comes with a default route table (RT), and you can create your own route tables in the VPC as well.

Internet Gateway (IG)

An Internet Gateway is a VPC component that allows communication between your VPC and the internet. It supports IPv4 and IPv6 traffic.

[Figure: Internet Gateway]

The main use of an Internet Gateway is to connect to the outside world (the internet). It enables resources in your public subnets (such as EC2 instances) to connect to the internet if the resource has a public IPv4 address or an IPv6 address.

╔═════════════╦══════════════════════╗
║ Destination ║ Target               ║
╠═════════════╬══════════════════════╣
║ VPC CIDR    ║ local                ║
║ 0.0.0.0/0   ║ internet-gateway-id  ║
╚═════════════╩══════════════════════╝

Bastion Host

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.

NAT Gateway

NAT stands for Network Address Translation. The main use of a NAT Gateway is to give instances in a private subnet (which have only private IP addresses) a connection to the internet. AWS-managed NAT Gateways provide high availability and bandwidth, and you pay per data transferred.

[Figure: NAT Gateway]
  • A NAT Gateway must be placed in a public subnet only.
  • A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
  • The routes should look like this:

In Public subnet RT:

╔═════════════╦══════════════════════╗
║ Destination ║ Target               ║
╠═════════════╬══════════════════════╣
║ VPC CIDR    ║ local                ║
║ 0.0.0.0/0   ║ internet-gateway-id  ║
╚═════════════╩══════════════════════╝

In Private subnet RT:

╔═════════════╦══════════════════════╗
║ Destination ║ Target               ║
╠═════════════╬══════════════════════╣
║ VPC CIDR    ║ local                ║
║ 0.0.0.0/0   ║ nat-gateway-id       ║
╚═════════════╩══════════════════════╝
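A small model of how the public and private subnet route tables above resolve a destination, as an added example that is not from the original post. It assumes AWS's rule that the most specific (longest prefix) matching route wins, and the VPC CIDR and gateway ids are constructed placeholders; it also goes slightly beyond the two tables by adding a more specific peering route to show the longest-prefix choice.

```python
# Added example (not from the original post). VPC CIDR and gateway ids are
# constructed placeholders; "local" is the implicit route for the VPC CIDR.
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed

# Route tables as (destination CIDR, target) pairs, mirroring the tables above.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
# A private RT with an extra, more specific route to a peered VPC (constructed).
PRIVATE_RT_PEERED = PRIVATE_RT + [("172.16.0.0/12", "pcx-EXAMPLE")]


def resolve_target(route_table, dst_ip: str):
    """Return the target for dst_ip using longest-prefix match, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None  # (network, target) of the most specific match so far
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_path(route_table) -> str:
    """Describe how traffic to a public address (203.0.113.10, a TEST-NET-3 placeholder) leaves."""
    target = resolve_target(route_table, "203.0.113.10")
    if target is None:
        return "no route: subnet is isolated from the internet"
    if target.startswith("igw-"):
        return "via internet gateway: public subnet (inbound possible with a public IP)"
    if target.startswith("nat-"):
        return "via NAT gateway: private subnet, outbound only"
    return f"via {target}"


if __name__ == "__main__":
    print(resolve_target(PUBLIC_RT, "10.0.1.5"))         # local
    print(resolve_target(PUBLIC_RT, "8.8.8.8"))          # igw-EXAMPLE
    print(resolve_target(PRIVATE_RT_PEERED, "172.16.5.5"))  # pcx-EXAMPLE (more specific than 0.0.0.0/0)
    print(internet_path(PRIVATE_RT))
```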

Network ACL

NACLs are stateless: traffic that is allowed inbound is not automatically allowed back outbound (and vice versa). You need to explicitly allow both the inbound and the outbound rules.

NACLs are subnet-level firewalls.

Security Group

SGs are stateful: traffic that is allowed in one direction is automatically allowed back in the other.

SGs are instance-level firewalls.

Security Groups & NACL

In simple words, for any traffic allowed into an instance, the SG will also allow the reply traffic to exit; a NACL does not do this, so you need to put rules in place for both inbound and outbound traffic.
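A small simulation of the stateful/stateless difference described above, as an added example that is not part of the original post. The rules, hosts and ports are constructed, and it assumes (stated again in the code) that NACL rules are evaluated in ascending rule-number order with first match winning and an implicit deny at the end.

```python
# Added example (not from the original post). Rules and hosts are constructed.

class SecurityGroup:
    """Stateful: once a connection is allowed inbound, its reply is allowed outbound
    automatically, because the SG tracks the connection."""

    def __init__(self, inbound_port_ranges):
        self.inbound = [range(lo, hi + 1) for lo, hi in inbound_port_ranges]
        self.tracked = set()  # (client_ip, client_port, server_port) of allowed connections

    def inbound_allowed(self, client_ip, client_port, server_port):
        ok = any(server_port in r for r in self.inbound)
        if ok:
            self.tracked.add((client_ip, client_port, server_port))
        return ok

    def reply_allowed(self, client_ip, client_port, server_port):
        # No outbound rule is consulted: only the connection-tracking table matters.
        return (client_ip, client_port, server_port) in self.tracked


class NetworkAcl:
    """Stateless: inbound and outbound are evaluated independently. Rules are
    (number, low_port, high_port, action). Assumption: evaluated in ascending
    number order, first match wins, implicit deny at the end."""

    def __init__(self, inbound_rules, outbound_rules):
        self.inbound = sorted(inbound_rules)
        self.outbound = sorted(outbound_rules)

    @staticmethod
    def _evaluate(rules, port):
        for _number, lo, hi, action in rules:
            if lo <= port <= hi:
                return action == "allow"
        return False  # the trailing '*' deny rule

    def inbound_allowed(self, server_port):
        return self._evaluate(self.inbound, server_port)

    def reply_allowed(self, client_port):
        return self._evaluate(self.outbound, client_port)


def https_round_trip(sg, nacl, client_ip="198.51.100.7", client_port=51515):
    """Does an HTTPS request reach the instance, and does the reply get back out to the
    client's ephemeral port? The NACL needs an explicit outbound rule for that reply."""
    request_ok = nacl.inbound_allowed(443) and sg.inbound_allowed(client_ip, client_port, 443)
    reply_ok = (request_ok and sg.reply_allowed(client_ip, client_port, 443)
                and nacl.reply_allowed(client_port))
    return {"request": request_ok, "reply": reply_ok}
```

With an outbound NACL rule that only allows port 443, the request gets in but the reply to the client's ephemeral port is dropped; allowing the ephemeral range 1024-65535 outbound fixes it.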

VPC Peering

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. One can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions (also known as an inter-Region VPC peering connection).

[Figure: VPC Peering Connection]

It is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

There is no charge to create a VPC peering connection. Charges apply for data transfer over a VPC peering connection that crosses Availability Zones or Regions.

Transit Gateway

A transit gateway acts as a Regional virtual router for traffic flowing between your virtual private clouds (VPCs) and on-premises networks. A transit gateway scales elastically based on the volume of network traffic. Routing through a transit gateway operates at layer 3, where the packets are sent to a specific next-hop attachment, based on their destination IP addresses.

[Figure: Transit Gateway]

A Transit Gateway can also work across Regions, and it reduces complexity as the infrastructure grows. As for cost, you are charged hourly for each attachment on a transit gateway, and for the amount of traffic processed on the transit gateway.

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose.

VPC Endpoint

Suppose you have services in AWS such as S3, DynamoDB, and CloudWatch; these services are accessible via the internet. Using a VPC Endpoint, these services can instead be accessed via a private route.

It enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

Types:

Interface Endpoint

Provisions an ENI (elastic network interface) in the VPC that serves as the private entry point to the AWS service. It has a cost associated with data transferred as well as a per-hour cost.

Gateway Endpoint

Supports only S3 and DynamoDB. AWS provisions a gateway that is used as a target in the route table. This endpoint has no cost associated with it.

[Figure: VPC Endpoint]

Site-to-Site VPN

By default, instances that you launch into an Amazon VPC can’t communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection and configuring routing to pass traffic through the connection.

[Figure: AWS Site-to-Site VPN]

Customer Gateway(CGW):

  • A customer gateway device is a physical device or software application on the customer side of the Site-to-Site VPN connection.
  • By default, your customer gateway device must bring up the tunnels for your Site-to-Site VPN connection.

Virtual Private Gateway (VGW):

  • It is part of a VPC that provides edge routing for AWS-managed VPN connections and AWS Direct Connect connections.
  • It is the AWS side of the VPN connection.
  • It is created and attached to the VPC from which we want a VPN connection.

Direct Connect

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, and the other to an AWS Direct Connect router.

It provides a dedicated connection between AWS and your data center. From the data center, one can access all AWS resources. It provides a consistent network and high bandwidth.

Data is not encrypted by default over DX; to enable encryption, we need to set up a VPN connection over it.

[Figure: AWS Direct Connect]

To get resiliency with DX, one must set up connections in multiple DX locations; to achieve maximum resiliency, one must set up 2 connections in each DX location.

Types of connections:

  1. Dedicated Connection: a physical Ethernet connection associated with a single customer.
  2. Hosted Connection: a physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer.

Direct Connect Gateway:

If we want to set up DX across multiple Regions, we need a DX Gateway to route the traffic.

[Figure: AWS DX Gateway]

VPC Traffic Mirroring:

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting.

The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind either a Network Load Balancer with a UDP listener or a Gateway Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation so that you only extract the traffic of interest to monitor by using the monitoring tools of your choice.

Egress Only Internet Gateway:

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.

These are just like NAT Gateways but for IPv6.

Thanks for your Time! Follow & Clap 👏.
Happy Learning!
