AWS VPC Exam Preparation

  • Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
  • Components
    • VPC is your private network, where all your services will be deployed.
    • Below components will be created by Default when a VPC is created.
      • Route Table
        1. To Route the Traffic from & To & between VPC.
        2. Internet Gateway will have to be attached here.
        3. If the traffic is coming from vpc’s ip, then treat as local, anything else then route it via internet gateway.
        4. Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
        5. Subnets will have to  be manually associated.
      • Network ACL (NACL)
        1. By Default allow all traffic.
        2. If we create a new NACL manually then its Deny all.
        3. Should always be associated with a Public Subnet.
        4. This can be used if we want to restrict incoming traffic based on IP address.(Security Gateway cannot be used in this case).
        5. NACL Operate at subnet level .
        6. They cannot restrict instance access with in the same subnet.
        7. Stateless filtering.
      • Security Group (SG)
        1. By default All traffic will be Blocked.
        2. We can manually create SG’s mainly one for Public Access (application tier) & another for Private Access (Database Tier).
        3. For Private security group, we need to assign the IP range of Public Subnet and provide source as Public SG.
        4. SG are Stateful – meaning, tracks the origin of a request and can automatically allow the reply to the request to be returned.
    • Below components we will have to created manually,
      • Subnet
        1. An address range, with in your VPC range.
        2. A Subnet can be associated with a Particular AZ only.
        3. Always first 4 and last ip address are used by AWS
        4. Subnet are used to isolate different web tier, app tier & db tier.
        5. Public Subnet is where the Internet Gateway & NACL need to be attached.
      • Internet Gateway (ig)
        1. Provides connection to Internet.
        2. There can be only one ig per VPC.
      • Nat Instance.
        1. Another EC2 instance, created to provide internet connection to Private Subnet.
        2. NAT should be created inside a Public subnet.
        3. Allows only outbound internet connection.
      • Nat Gateway
        1. A highly available service, to provide internet access to private subnet.
        2. Allows only outbound internet connection.
        3. NAT should be created inside a Public subnet for each AZ.
        4. Horizontally scalable.
      • VPC Endpoints
        • Direct private connections to AWS services within VPC and other AWS service outside VPC, like application (EC2) inside VPC and connecting to S3.
        • This is done without going to internet via route table.
        • Endpoints does not support cross region requests.
        • VPC Endpoints doesn’t need internet gateway , NAT to connect to other resources.
        • VPC Endpoints Gateway is available only for S3 & DynamoDB, for others use VPC Endpoint Interface *.
  • Flow Logs
    • Flow Logs to monitor the network traffic in your VPC.
    • Can be streamed to Lambda or Elastic search service for on-line analysis.
  • Gateways which can be connected via VPC,
    • AWS Direct Connect (via Direct Connect Gateways)
    • NAT Gateways
    • Internet Gateways
    • Egress-Only Internet Gateways
    • VPC Peering
    • AWS Managed VPN Connections
    • PrivateLink.

EXAM TIPS: – VPC is a very important Topic.

  • Default / reserved IP  are 5 , eg:10.0.0.0 … 0.1,0.2,0.3 and 0.255 @ each subnet level.
  • VPC Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs and this can be across Regions.
  • Default VPCs are assigned a CIDR range of 172.31.0.0/16
  • Subnets – we can create 200 subnets per VPC.
  • VPC Peer is free,however data transfer is not.
  • IPv6 – Inter-Region VPC Peering does not support IPv6.
  • An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in a VPC.
  • Cloudwatch metrics for VPN Metrics.
  • Amazon VPC, all subnets can communicate with each other by default.
  • DHCP (Dynamic Host Configuration Protocol) option set allows customers to define DNS servers for DNS name resolution, establish domain names for instances within an Amazon VPC.
  • VPG is the Amazon side of a VPN connection.
  • IPsec is the security protocol supported by Amazon VPC.
  • Use VPN to connect between VPC & on-prem and ensure data is encrypted(using Ipsec).
  • VPC Peering cannot have CIDR overlapping.

Practice:

  • Create VPC with Pvt & Public subnet and try this setup multiple times.
  • Practice creating 2 subnets and check if you can access instances between them and how to stop accessing between them and allow access only one to connect and not vice versa.

3 thoughts on “AWS VPC”

Leave a Reply

Your email address will not be published. Required fields are marked *