AWS - VPC - Amazon Virtual Private Cloud

• VPC Amazon Virtual Private Cloud
  • 2 VPC infrastructure
    • Multi-VPC pattern
    • Multi-Account pattern
  • basic
  • custom VPC
  • VPC router
  • Route table

---

VPC Amazon Virtual Private Cloud

---

---

2 VPC infrastructure

2 primary patterns for organizing VPC infrastructure:

• Multi-VPC or Multi-Account

Multi-VPC pattern

• shared services, development, test, and production each have their own VPC. easier to maintain for smaller organizations.

• Best suited for:
  • single team or for organizations, such as Managed Service Providers, MSPs who manage all resources in test and production.
    • maintain full control over the provisioning and management of all resources in each application environment.
  • Limited teams make maintaining standards and managing access far easier.
    • single team developing a large e-commerce application might use this pattern, when the developers have full access to the development and production environments.
• Exception: governance and compliance standards that require workload isolation, regardless of organizational complexity.

Multi-Account pattern

• can have multiple Amazon web services accounts with the same information—such as shared services, development, test and production—instead of having multiple VPCs.

• best suited for

  • larger organizations, organizations with multiple IT teams
  • medium-sized organizations that anticipate rapid growth.
  • managing access and standards can be challenging in more complex organizations.
  • consider where your team will be in five years.
  • It’s easier with larger companies to manage with multiple accounts, versus having everything inside of one account with multiple VPCs.

The majority of AWS services do not actually sit within a VPC

• EC2 instances are configured with public IP addresses
  • But network traffic between AWS Regions traverse the AWS global network backbone by default,
  • which typically provides more consistent, lower-latency network connectivity than equivalent internet-based connections.
  • On occasion, some traffic between Regions uses the public internet.
  • If use public internet for to connect to services like S3 or DynamoDB, should use a VPC endpoint.
  • use a VPC endpoint to privately connect your VPC to supported AWS services and to VPC endpoint services that are powered by PrivateLink without using an internet gateway; NAT device; VPN connection, or AWS Direct Connect connection.
• Instances in your VPC do not require public IP addresses to communicate with resources in the service.
  • Traffic between your VPC and the other service does not leave the Amazon network.

---

basic

physical: global > Region > AZ

logical: AWS cloud > VPV > subnet

1. a service provision a logically isolated section of the AWS Cloud (virtual private cloud/VPC) to launch your AWS resources.
   • Analogous to having your own DC inside AWS.
     • VPC is logically isolated from other VPCs on AWS.
     • Possible to connect the corporate data centre to a VPC using a hardware VPN (site-to-site)
   • can use both IPv4 and IPv6 in VPC for secure access to resources and applications
   • Full complete control over virtual networking resources:
     • the selection of your own IP address range,
     • the creation of subnets,
     • and the configuration of route tables and network gateways.
     • customize the network configuration for VPC.
     • example,
       • create a public subnet for web servers that can access the public internet.
       • place backend systems (databases/application servers…) in a private subnet with no public internet access.
       • use multiple layers of security (security groups and network access control lists (networkACLs)…) to control access to Amazon Elastic Compute Cloud (Amazon EC2) instances in each subnet.

2. account > one Region > a default VPC > AZs > a default subnet

3. A VPC is dedicated to your account when create the account
   • When create VPC, it belong to a single Region
     • auto created for each AWS account the first time EC2 resources are provisioned.
   • VPCs are region wide.
     • span all AZs in 1 region
     • By default can create up to 5 VPCs per region.
   • AZs
     • After create, a VPC can divide it into more subnets in each AZ,
     • Each subnet must reside entirely within 1 AZ and cannot span zones.
     • A default VPC is created in a region with a public subnet in each AZ.
     • Instances in the default VPC always have both a public and private IP address.
     • AZs names are mapped to different zones for different users (i.e. the AZ “ap-southeast-2a” may map to a different physical zone for a different user).
4. default VPCs:
   • CIDR
     • default CIDR range is 172.31.0.0/16
     • max size of a VPC is /16. The min is /28.
     • The first 4 IP addresses and the last IP address in each CIDR block are reserved by AWS.
     • Once the VPC is created, cannot change the CIDR block.
     • cannot create additional CIDR blocks that overlap with existing CIDR blocks.
     • cannot create additional CIDR blocks in a different RFC 1918 range.
     • IPv6 addresses are all public and the range is allocated by AWS.
   • entities are included when a default VPC is created
     • DHCP
     • Public subnet
     • default subnet,
     • an IGW internet gateway,
     • a main route table (connects the default subnet to the internet gateway),
     • a security group
     • a default NACL.
   • create a VPC-based resource (EC2, RDS, ELB, etc.) without specify a custom VPC, it will be placed in default VPC in that Region.
     • In general, this situation is not a good because many people know the default CIDR range, and that those ranges are automatically connected to internet gateways by default unless they are disabled.
   • Default VPCs are configurable like other VPCs.
     • For example, you can add more subnets.
5. Default subnets:
   • default subnets are created within each AZ for each default VPC.
   • public subnet with CIDR block of /20 (4,096 IP addresses).
     • Public subnets are subnets that have:
       • Private subnets
       • VPN-only subnet
     • Can be converted into a private subnet by removing its route to the internet gateway.
     • the default subnet and the default VPC. Many people might know how to use these default credentials, not secure.
   • When new AZ is added to a region, default VPC in that region gets a subnet placed in the new AZ (unless you’ve made modifications to that VPC)
     • New subnets are always associated with the default route table.
6. Default VPCs are a quick start solution.
   • provide an easy way to test launching instances of your VPC-based resources without having to set up a new VPC.
   • For real-world applications, create your own VPCs and subnets.
   • have greater control and knowledge of their configurations.
   • It’s possible to re-establish a default VPC if it’s accidentally deleted.
7. limited use cases work best with single VPC
   • High-performance computing environments: as a single VPC environment will have lower latency than one that’s spread across multiple VPCs.
   • The use of Microsoft Active directory for identity management: for the strongest security measures.
   • For small, single app that managed by one person or very small team: easiest to use one Virtual Private Cloud.

8. can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch).

9. Most AWS service do not reside in the VPC.
   • Use a VPC endpoint to access S3:
     • to provide secure access to an S3 bucket not using the internet
     • access to S3 resources from within a VPC by a VPC endpoint.
   • These endpoints are
     • easy to configure,
     • highly reliable,
     • provide a secure connection to S3 that does not require a gateway or NAT instances.

10. to capture information about IP or any traffic flowing in VPC, use VPC Flow Logs.

11. benefits of a VPC
    • two types of VPCs: custom and default.
    • option to create a VPC in many regions.
    • Provides a virtual private data center inside the AWS platform
    • can isolate malware by VPC isolation.

---

custom VPC

• make a subnet public
  • Create an IGW and attach it to the VPC
    • By default, custom VPCs do not automatically come with IGWs (Internet Gateways)
  • Add a route on the associated route table to forward internet bound traffic to the IGW
  • Enabling a subnet to auto-assign public IPs
    • allow all resources provisioned in this subnet to have a public IP by default as opposed to just having a private IP.

To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

• Attach an Internet Gateway to VPC.
• Ensure that subnet’s route table points to the Internet Gateway
  • To all destinations
    • 0.0.0.0/0 for IPv4
    • ::/0 for IPv6.
  • To specific public IPv4 addresses
    • your company’s public endpoints outside of AWS.
• Ensure that instances in subnet have a globally unique IP address
  • (public IPv4 address, Elastic IP address, or IPv6 address).
• Ensure that network access control and security group rules allow the relevant traffic to flow to and from your instance.

---

VPC router

• performs routing between AZs within a region.
• connects different AZs together and connects the VPC to the Internet Gateway.

---

Route table

Direct traffic between VPC resources

Basic

• a map tells how to enter and leave the network.
  • It contains a set of rules, routes
  • to determine where network traffic is directed.
  • Route tables also have entries to external destinations.
    • Up to 200 route tables per VPC.
    • Up to 50 route entries per route table.
• have main route tables (default), and custom route tables

default route table (default)

• Every VPC has a default route table when be created.
  • Default VPC already has a main route table
    • Cannot delete

      the main route table.

    • When create a VPC, it automatically has a main route table.
  • If no route table is specified, a subnet will be assigned to the main route table at creation time.
  • can manually set another route table to become the main route table.

custom route tables

• use custom route table if need infrastructure within VPC that can connect back to on-premises environment.

route

• All route tables in VPC include a single route: a local route entry
  • a default rule (local route)
    • enables communication within the VPC.
      • allows all VPC subnets to communicate with one another
    • cannot be deleted or modified.
    • Routing between subnets is always possible because of this rule
    • any problems communicating is more likely to be security groups or NACLs.
  • launch an instance in VPC, the local route automatically covers that instance. don’t need to add the new instance to route table.

subnet and route table

• Each subnet has a route table the router uses to forward traffic within the VPC
  • Each subnet can only be associated with one route table
  • route table can be share between subnets
    • Can assign one route table to multiple subnets.
• Each subnet must be associated with a route table
  • controls the routing for the subnet.
  • forward traffic within the VPC
  • one subnet can only be associated with one route table
  • route table can be share between subnets
    • Can assign one route table to multiple subnets.
  • If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with and uses the main route table (default).
  • best practice:
    • use custom route tables for each subnet.
    • enables granular routing for destinations.

.