AWS - VPC Gateway

• Network Connectivity - Gateway
  • VPC Connectivity
    • VPC peering
    • VPN hub-and-spoke architecture
    • AWS Transit Gateway [connecting multiple VPCs]
  • Internet Connectivity
    • Internet Gateway
    • NAT Gateway - Network address translation Gateway
      • NAT INSTANCES
      • NAT GATEWAYS
    • Virtual Private Gateway: 
    • Customer Gateway: 
    • Egress-only Internet Gateway: 
    • Amazon API Gateway
    • AD Connector
    • how subnets, Gateways, and routes work together.

---

Network Connectivity - Gateway

configure your VPCs in several ways, and take advantage of numerous connectivity options and gateways.

• These options and gateways include
  • AWS Direct Connect (via DX gateways),
  • NAT gateways,
  • internet gateways,
  • VPC peering, etc.

hundreds of VPCs distributed across AWS accounts and Regions to serve multiple lines of business, teams, projects, and get complex to set up connectivity between VPCs.

---

VPC Connectivity

---

VPC peering

• All the connectivity options are strictly point-to-point, so the number of VPC-to-VPC connections can grow quickly.
  • As grow the number of workloads run on AWS
  • scale your networks across multiple accounts and VPCs to keep up with the growth.
  • Though you can use VPC peering to connect pairs of VPCs,
    • managing point-to-point connectivity across many VPCs
    • without the ability to centrally manage the connectivity policies
    • operationally costly and difficult.
  • For on-premises connectivity, you must attach your VPN to each individual VPC. This solution can be time-consuming to build and difficult to manage when the number of VPCs grows into the hundreds.

---

VPN hub-and-spoke architecture

• EC2 VPN instances to the central customer gateway.
• two EC2-based VPN endpoints in each spoke to support high availability.
• a central VPC (hub) that contains common services for all application VPCs.
• a dynamic routing protocol between the spokes and the hub.

---

AWS Transit Gateway [connecting multiple VPCs]

• to connect Amazon VPCs and on-premises networks to a single gateway for connecting multiple VPCs and on-premises networks.

• enables customers to connect their Amazon VPCs and their on-premises networks to a single gateway.
  • can replace many point-to-point peering connections.
  • simplify your networking model.
    • only create and manage a single connection from the central gateway into
    • each VPC,
    • on-premises data center,
    • or remote office across your network.
• acts as a hub, hub-and-spoke model
  • controls how traffic is routed among all the connected networks, which act like spokes.
  • simplifies management and reduces operational costs
    • because each network only needs to connect to the transit gateway and not to every other network.
    • Any new VPC is connected to the transit gateway, then automatically available to other network connected to the transit gateway.
  • easier to scale your network as you grow. 

---

Internet Connectivity

Gateway terminology:

• Internet gateway (IGW) – AWS VPC side of the connection to the public Internet.
• Virtual private gateway (VPG) – VPC endpoint on the AWS side.

• Customer gateway (CGW) – representation of the customer end of the connection.

• Network address translation Gateway (NAT)
• Egress-Only Gateway

---

Internet Gateway

• AWS VPC side of the connection to the public Internet.

• a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the internet.

link to detail page

---

NAT Gateway - Network address translation Gateway

link to detail page

NAT INSTANCES

• NAT instances are managed by you.
• Used to enable private subnet instances to access the Internet.
• When creating NAT instances always disable the source/destination check on the instance.
• NAT instances must be in a single public subnet.
• NAT instances need to be assigned to security groups.

NAT GATEWAYS

• NAT gateways are managed by AWS.
• A highly available, managed Network Address Translation (NAT) service for the resources in a private subnet to access the Internet.
  • No need to patch.
  • preferred by enterprises.
  • Not associated with any security groups.
  • No need to disable source/destination checks.
  • Port forwarding is not supported.
  • Traffic metrics are not supported.
• Must be created in a public subnet.
  • Created in a specified AZ with redundancy in that zone.
  • For multi-AZ redundancy
    • create NAT Gateways in each AZ with routes for private subnets to use the local gateway.
  • Automatically assigned a public IP address.
    • Uses an Elastic IP address for the public IP.
  • Private instances in private subnets must have a route to the NAT instance, usually the default route destination of 0.0.0.0/0.
• NAT gateways are highly available in each AZ into which they are deployed.
  • Can scale automatically up to 45Gbps.
• They are preferred by enterprises.
• Can’t use a NAT Gateway to access VPC peering, VPN or Direct Connect, so be sure to include specific routes to those in the route table.
• Remember to update route tables and point towards the gateway.
• More secure
  • you cannot access with SSH and there are no security groups to maintain
• Egress only Internet gateways operate on IPv6 whereas NAT gateways operate on IPv4.
• Using the NAT Gateway as a Bastion host server is not supported.

---

Virtual Private Gateway: 

• The Amazon VPC side of a VPN connection.

1. A virtual private Gateway is HA by design
2. Only one VGW can be associated with a VPC

When would a virtual private Gateway be used

• when a VPC connects to a Private VIF with Direct Connect
  • connects a VPC to a Private VIF (in conjunction with Direct Connect) for direct private connectivity from on on-premise site.
• when needing to attach to multiple VPN connections
  • VPG act as the termination point for many different VPN connections.
• when using a VPN connection between a customer Gateway and a VPC
  • VPN connection occurs between the customer Gateway and the virtual private Gateway.
  • The VPG acts as the endpoint for VPN tunnels

---

Customer Gateway: 

• Your side of a VPN connection.
  • Best practice to use custom route tables for each subnet, which enable granular routing for destinations.
  • Route leads according to rules you set up, making sure they are going to those agents best suited to conversion
  • have to maintain unique IP addresses on your end and on your route.

---

Egress-only Internet Gateway: 

• A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

• require a private subnet on IPv6-enabled VPCs, the Egress-only Internet Gateway, to allow one-way access to internet resources
  • With the Egress-only Internet Gateway, outgoing traffic to the internet will be allowed. However, incoming traffic that’s initiated from the internet will be blocked.
  • no additional charge to use the Egress-only Internet Gateways.
  • However, data transfer charges apply.
• IPv6 addresses are globally unique and are therefore public by default.
  • Must create a custom route for ::/0 to the Egress-Only Internet Gateway.
  • Use Egress-Only Internet Gateway instead of NAT for IPv6.
• Stateful
  • forwards traffic from instance to Internet and then sends back the response.
• allows IPv6 traffic from instances to the Internet.
  • does accept inbound traffic, but it is a certain type of inbound traffic.
• Prevents inbound access to those IPv6 instances.
  • Internet initiated traffic to those instances is blocked.
• Provides outbound Internet access for IPv6 addressed instances.

---

Amazon API Gateway

• a fully managed service
• for developers to create, publish, maintain, monitor, and secure APIs at any scale.
  • in AWS Management Console
  • create an API that acts as a “front door” for applications to access data, business logic, or functionality from the back-end services,
    • such as workloads running on Amazon EC2,
    • code running on AWS Lambda, or any web application.
• Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

---

---

AD Connector

• AD Connector is a directory gateway
• can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud

---

how subnets, Gateways, and routes work together.

• This diagram, we have two Availability Zones, two instances and private subnets, the NAT instance with the public IP address, and the public subnet.
• have an internet Gateway connected to the VPC.
• have a NAT instance, it needs a route to the internet Gateway so that the instance can talk to the internet.
  • the internet is in the route table, as indicated by the 0.0.0.0/0 address.
  • The targets that use the internet Gateway have the local route group, 10.0.0.0/20 address.
• to let private subnet connect to the internet
  • go through the NAT instance.
  • The 0.0.0.0 address indicates that it must route to the NAT.
  • The NAT will route the request to the Internet.
• The second private instance currently has no route.
  • If that instance needs to go to the internet,
  • a route needs to be created to the NAT instance with the public IP address 0.0.0.0/0 with the target of NAT.
  • This will enable the private instances to access the internet
• You can further tighten security using security groups.
  • a security group for the two private instances.
  • a security group for the public NAT group.
  • The security groups and the route tables helps control traffic within the VPC.
• The diagram also contains a DynamoDB instance
  • sits outside of the VPC, but in the same Region as the VPC.
  • Traffic could be routed to it via the internet Gateway.
  • there will be some services that reside outside of your VPC. One of those services is DynamoDB.

.