AWS’s logically isolated Virtual Private Cloud (VPC) allows customers to create secure, isolated network enclaves within their AWS architecture.
To understand network addressing, the concept of a CIDR (Classless Inter-Domain Routing) block is important. A CIDR block consists of two parts:
- Base IP — the starting address of the range, such as 10.0.0.0 or 192.168.0.0
- Subnet mask — the prefix length, which defines how many bits of the address may vary.
For example:
192.168.0.0/32 allows only 1 IP address (32 - 32 = 0, so 2⁰ = 1).
192.168.0.0/24 allows 256 addresses (32 - 24 = 8, so 2⁸ = 256).
192.168.0.0/16 allows 65536 addresses (32 - 16 = 16, so 2¹⁶ = 65536).
All new AWS accounts have a default VPC.
When creating a new VPC, you select the CIDR block based on how many IP addresses you expect to need.
You can have 5 VPCs per region by default, and this quota can be increased.
Minimum size of a VPC is /28 (16 addresses).
Maximum size of a VPC is /16 (65536 addresses).
VPCs allow private IP ranges only, for example 10.0.0.0/12, 172.16.0.0/8 or 192.168.0.0/16.
VPC CIDRs should not overlap with other VPCs or with corporate networks, to prevent duplicate IP addresses.
VPCs can be set up on dedicated hardware for specialized use cases.
Subnets are created within the VPC.
Each subnet has its own CIDR block.
AWS reserves 5 IP addresses in each subnet. This matters when choosing the CIDR block for our needs. For example, if we need 31 IP addresses we cannot choose /27: that gives 2⁵ = 32 total addresses, but after deducting the 5 reserved ones only 27 remain. We therefore have to choose /26, which gives 2⁶ = 64 addresses and leaves 59 even after deducting the 5.
When defining subnets, we select CIDR blocks that do not overlap with each other.
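The sizing arithmetic above (2 ** (32 - prefix) addresses, minus the 5 AWS reserves per subnet), the /16 to /28 VPC limits and the no-overlap rule are easy to get wrong by hand. The following is an added example, not code from the original notes, that puts them into a small planning helper built on Python's standard `ipaddress` module; the VPC and subnet blocks passed to it are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Figures from the notes: AWS reserves five addresses in every subnet, and a VPC
# CIDR block must lie between /16 (65536 addresses) and /28 (16 addresses).
AWS_RESERVED_PER_SUBNET = 5
VPC_LARGEST_BLOCK = 16   # prefix length of the biggest allowed VPC
VPC_SMALLEST_BLOCK = 28  # prefix length of the smallest allowed VPC


def address_count(cidr: str) -> int:
    """Total addresses in a block: 2 ** (32 - prefix length), so /24 -> 256."""
    return ipaddress.ip_network(cidr).num_addresses


def usable_addresses(cidr: str) -> int:
    """Addresses left for instances once AWS's five reserved ones are deducted."""
    return address_count(cidr) - AWS_RESERVED_PER_SUBNET


def smallest_subnet_prefix(hosts_needed: int) -> int:
    """Longest prefix (smallest block) whose usable count still covers hosts_needed.

    Walks from /28 towards /16, so for 31 hosts /27 is rejected (32 - 5 = 27 usable)
    and /26 is chosen (64 - 5 = 59 usable), matching the worked case in the text.
    """
    for prefix in range(VPC_SMALLEST_BLOCK, VPC_LARGEST_BLOCK - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts_needed:
            return prefix
    raise ValueError(f"{hosts_needed} hosts do not fit in a single /16 subnet")


def overlapping_pairs(cidrs: list[str]) -> list[tuple[str, str]]:
    """Every pair of blocks that share at least one address.

    Used for subnets inside one VPC, and equally for checking a planned VPC CIDR
    against other VPCs and corporate ranges before peering or VPN connectivity.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def subnet_plan_problems(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Human-readable problems with a VPC/subnet layout; an empty list means it is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not VPC_LARGEST_BLOCK <= vpc.prefixlen <= VPC_SMALLEST_BLOCK:
        problems.append(f"VPC {vpc} is outside the allowed /16 to /28 range")
    for cidr in subnet_cidrs:
        subnet = ipaddress.ip_network(cidr)
        if not subnet.subnet_of(vpc):
            problems.append(f"subnet {subnet} is not inside VPC {vpc}")
    for a, b in overlapping_pairs(subnet_cidrs):
        problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample layout: one VPC with an overlapping pair of subnets.
    print(smallest_subnet_prefix(31))
    print(subnet_plan_problems("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25"]))
```

`ipaddress.ip_network` is strict by default, so a block with host bits set (such as 10.0.1.5/24) raises a `ValueError` rather than silently being accepted, which is the behaviour you want when validating configuration.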
Internet Gateways give a subnet access to the public internet. Internet gateways scale horizontally and are highly available and redundant.
However, just attaching an internet gateway is not enough to give a subnet internet access. The subnet's route table must also be configured to send traffic to it.
When setting up the route table for a public subnet, two routes are needed:
- A local route for all private IPs in the VPC's CIDR block.
- A route for all other IPs (0.0.0.0/0) pointing to the Internet Gateway.
Access to EC2 instances inside a private subnet is restricted. A bastion host is a server deployed into the public subnet that is used to SSH into the EC2 instances in the private subnet.
The bastion host should only have port 22 (SSH) traffic enabled, to prevent unauthorized access.
When creating an EC2 instance in the private subnet, reference the bastion host as the source (its private IP, or its security group) in the instance's security group. This way SSH access on TCP port 22 is restricted to connections coming from the bastion host.
NAT instances are outdated (end of support: Dec 2020). EC2 instances in a private subnet can connect to the internet through such an instance. A NAT instance must be launched in a public subnet. The EC2 source/destination check setting must be disabled, since the NAT instance rewrites the IP addresses of the packets it forwards. An Elastic IP should be attached to it. Its security group should allow outbound HTTP/HTTPS access to the internet. It should also allow inbound HTTP/HTTPS access from the IPs that need to use it. NAT instances can also serve as bastion hosts.
NAT Gateways are managed by AWS, so no administration is required. A NAT gateway is tied to a specific availability zone. EC2 instances must be in a different subnet from the NAT gateway in order to use it.
For high availability, separate NAT gateways should be set up in separate AZs.
A private subnet routes to the NAT gateway in a public subnet, and that public subnet must route to an Internet Gateway.
DNS resolution in AWS VPCs is provided by the Route 53 Resolver. By default, enableDnsSupport is true.
DNS hostnames — enableDnsHostnames is true for default VPCs but false by default for newly created VPCs. If it is true, a public hostname is assigned to EC2 instances in that VPC, provided the instances have a public IP.
A hosted zone is a container that holds information on how to route traffic for a domain and its subdomains. Hosted zones can be public (resolvable on the open internet) or private (internal to AWS).
To use custom internal DNS domain names in a private hosted zone, both of these flags must be set to true. This enables internal DNS resolution to private IPs for internal applications.
Network Access Control Lists — NACLs
NACLs control traffic to and from subnets. They act as a firewall at the subnet boundary, for public or private subnets alike.
The default NACL allows all traffic in and out.
Both inbound and outbound rules can be set to explicitly ALLOW or DENY certain traffic on certain ports.
Rules are typically numbered in increments of 100 as a best practice, leaving room to insert rules later.
The lower the rule number, the higher its priority: rules are evaluated in ascending order and the first matching rule is applied. For example, if rule 100 says ALLOW and rule 200 says DENY for the same traffic, rule 100 takes precedence and the traffic is allowed. Traffic that matches no numbered rule hits the final * rule and is denied.
Ephemeral ports are the ports that a client opens to receive the response from a server.
The client's request carries its source IP and source port to the destination IP and port, and the server's reply travels back to that source port. Because NACLs are stateless, the rules in the reverse direction must allow the ephemeral port range or the reply is dropped.
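To make the two points above concrete (lowest rule number wins, and a stateless NACL needs the ephemeral range open for replies), here is an added example that is not part of the original notes: a small evaluator for NACL rules in Python, run against a constructed rule set for a public web subnet. The rule set, the client address 203.0.113.9 (a documentation range) and the 1024-65535 ephemeral range are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Ports a client picks for its side of a connection. A stateless NACL must allow this
# range in the reverse direction or replies are dropped; 1024-65535 is the range AWS
# recommends opening, since it covers the Linux and Windows client port ranges.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int      # lower number = evaluated earlier
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple     # inclusive (low, high) port range; ignored for "all" and "icmp"
    action: str      # "ALLOW" or "DENY"

    def matches(self, protocol: str, address: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(address) not in ipaddress.ip_network(self.cidr):
            return False
        if self.protocol in ("tcp", "udp"):
            low, high = self.ports
            return low <= port <= high
        return True


def evaluate(rules, protocol, address, port):
    """Apply NACL ordering: lowest number first, first match wins, and the
    implicit '*' rule denies anything no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, address, port):
            return rule.action, rule.number
    return "DENY", "*"


def request_and_reply(inbound, outbound, client_ip, client_port, server_port=80):
    """Both legs of one TCP exchange through a stateless NACL.

    The request is judged by the inbound rules on the client's address and the
    server port; the reply is judged by the outbound rules on the client's
    address and the ephemeral port it chose. Returns (request_verdict, reply_verdict).
    """
    request, _ = evaluate(inbound, "tcp", client_ip, server_port)
    reply, _ = evaluate(outbound, "tcp", client_ip, client_port)
    return request, reply


# Constructed sample rule set for a public web subnet (not from the original notes).
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", (80, 80), "ALLOW"),
    Rule(200, "tcp", "0.0.0.0/0", (80, 80), "DENY"),   # never reached: 100 matches first
    Rule(300, "tcp", "0.0.0.0/0", (22, 22), "DENY"),
]
OUTBOUND_OK = [Rule(100, "tcp", "0.0.0.0/0", EPHEMERAL_PORTS, "ALLOW")]
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "ALLOW")]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "203.0.113.9", 80))
    print(request_and_reply(INBOUND, OUTBOUND_OK, "203.0.113.9", 50000))
    print(request_and_reply(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "203.0.113.9", 50000))
```

The second outbound rule set is the classic misconfiguration: the request is accepted inbound, the web server answers, and the reply is silently dropped on the way out because no outbound rule covers port 50000. Security groups do not have this problem, since they are stateful and track the connection.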
VPC Reachability Analyzer is a network diagnostics tool that troubleshoots connectivity between two endpoints in your VPC.
Connecting different VPCs is possible through VPC Peering.
VPC Peering is not transitive, so each pair of VPCs has to be connected explicitly: just because A is connected to B and B is connected to C does not mean A is connected to C. A will have to connect to C separately if that is required.
VPC Peering can be between VPCs in different AWS accounts.
VPC Peering can be between VPCs in different regions.
VPC Peering connections are only possible if the CIDRs of the two VPCs do not overlap.
The steps are as follows:
- Set up a peering connection from one VPC to another, choosing the target VPC in the same or a different account/region.
- Accept the peering request in the account that owns the target VPC.
- Configure the route table of VPC A so that traffic destined for VPC B's CIDR goes through the peering connection.
- Configure the route table of VPC B so that traffic destined for VPC A's CIDR goes through the peering connection.
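The route-table steps above, the local/0.0.0.0/0 routes of a public subnet, and the non-transitivity rule all come down to how the VPC router picks a route. As an added example (not code from the original notes), the following Python models a route table with longest-prefix matching and checks reachability across peering connections one hop at a time. The VPC names, CIDRs and the pcx-/igw- identifiers are constructed placeholders, not real resource ids.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Vpc:
    name: str
    cidr: str
    routes: list   # (destination CIDR, target) entries of the subnet's route table

    def lookup(self, dst_ip: str):
        """Longest-prefix match over the route table, as the VPC router does.

        The VPC's own CIDR ('local') always beats 0.0.0.0/0, so intra-VPC traffic
        never leaks towards an internet gateway, NAT gateway or peering connection.
        """
        addr = ipaddress.ip_address(dst_ip)
        hits = [(ipaddress.ip_network(c), t) for c, t in self.routes
                if addr in ipaddress.ip_network(c)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def peering_routes(a: Vpc, b: Vpc, pcx: str) -> dict:
    """The route each side must add so the two VPCs reach each other over pcx.
    Refuses the connection when the CIDRs overlap, because peering is impossible then."""
    if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
        raise ValueError(f"{a.name} ({a.cidr}) and {b.name} ({b.cidr}) overlap; cannot peer")
    return {a.name: (b.cidr, pcx), b.name: (a.cidr, pcx)}


def reachable(vpcs: dict, peerings: dict, src: str, dst_ip: str) -> bool:
    """Can an instance in VPC `src` reach dst_ip, using at most one peering hop?

    Peering is not transitive: a route is honoured only if the peering connection
    it points at terminates in the VPC that owns dst_ip, and that VPC routes back.
    """
    src_vpc = vpcs[src]
    target = src_vpc.lookup(dst_ip)
    if target == "local":
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(src_vpc.cidr)
    if target not in peerings:
        return False   # igw/nat targets cannot deliver to another VPC's private range
    ends = peerings[target]
    if src not in ends:
        return False
    peer = vpcs[ends[0] if ends[1] == src else ends[1]]
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(peer.cidr):
        return False   # the far end of this peering is not the VPC that owns dst_ip
    # the peer also needs its return route (step 4) pointing at the same connection
    return peer.lookup(str(ipaddress.ip_network(src_vpc.cidr).network_address)) == target


# Constructed topology (names and pcx-/igw- ids are placeholders, not real resources):
# A <-pcx-ab-> B <-pcx-bc-> C, so A and C are NOT peered with each other.
A = Vpc("A", "10.0.0.0/16", [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab"),
                             ("10.2.0.0/16", "pcx-ab"),   # mistaken attempt to reach C via B
                             ("0.0.0.0/0", "igw-placeholder")])
B = Vpc("B", "10.1.0.0/16", [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"),
                             ("10.2.0.0/16", "pcx-bc")])
C = Vpc("C", "10.2.0.0/16", [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-bc")])
VPCS = {"A": A, "B": B, "C": C}
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-bc": ("B", "C")}

if __name__ == "__main__":
    print(reachable(VPCS, PEERINGS, "A", "10.1.4.4"))   # direct peering
    print(reachable(VPCS, PEERINGS, "A", "10.2.4.4"))   # would need transit through B
```

The deliberately wrong 10.2.0.0/16 → pcx-ab route in VPC A is the kind of entry people add hoping B will forward traffic on to C; the model rejects it because the far end of pcx-ab does not own 10.2.0.0/16, which is exactly why AWS peering is described as non-transitive.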
AWS services can be reached without traversing the public internet using VPC Endpoints. VPC Endpoints are powered by AWS PrivateLink.
Interface endpoints: an ENI with a private IP address is provisioned in the subnet, and a security group must be attached to it.
Gateway endpoints: a gateway target provided by the service being accessed is added to the route table. Gateway endpoints are supported by S3 and DynamoDB.
VPC Flow Logs
There are three levels at which flow logs can be captured:
- VPC Flow Logs
- Subnet Flow Logs
- ENI Flow Logs
Flow logs can be delivered to S3 or CloudWatch Logs. They may then be analyzed with a service such as Amazon Athena.
Flow logs record the source and destination addresses and ports, together with the action taken (ACCEPT or REJECT), for all traffic.
Troubleshooting security group and NACL issues is one of the main use cases.
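To show what that troubleshooting looks like in practice, here is an added example that is not part of the original notes: a parser for the default flow-log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) run over a few constructed records. The account id, ENI id and addresses in the sample are placeholders. Besides counting rejected destination ports, it flags flows that were ACCEPTed in one direction and REJECTed in the other on the same ENI; because security groups are stateful and always let return traffic through, such a pair points at a stateless NACL missing its ephemeral-port rule.

```python
from collections import Counter

# Field order of the default (version 2) flow-log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (placeholder account, ENI and addresses), one per line.
# Protocol 6 = TCP. The last record is a NODATA interval with no flow information.
SAMPLE_FLOW_LOG = """
2 123456789012 eni-0example0000000a 203.0.113.9 10.0.1.25 51234 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example0000000a 203.0.113.9 10.0.1.25 51235 80 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example0000000a 198.51.100.7 10.0.1.25 44000 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example0000000a 198.51.100.7 10.0.1.25 44001 3389 6 4 240 1700000010 1700000070 REJECT OK
2 123456789012 eni-0example0000000a 10.0.1.25 10.0.2.40 33000 5432 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example0000000a 10.0.2.40 10.0.1.25 5432 33000 6 10 1500 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example0000000a - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text: str) -> list[dict]:
    """Turn raw flow-log lines into dicts keyed by field name.

    Records whose log-status is not OK (NODATA, SKIPDATA) carry '-' instead of
    addresses and ports, so they are dropped rather than parsed as numbers.
    """
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue   # malformed or custom-format line; ignore for this example
        record = dict(zip(FIELDS, parts))
        if record["log-status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            record[key] = int(record[key])
        records.append(record)
    return records


def rejected_by_port(records: list[dict]) -> dict:
    """How many flows were REJECTed per destination port (the first thing to look
    at when a security group or NACL is suspected of blocking a service)."""
    return dict(Counter(r["dstport"] for r in records if r["action"] == "REJECT"))


def suspected_nacl_blocks(records: list[dict]) -> list[tuple]:
    """Flows REJECTed on an ENI whose exact reverse flow was ACCEPTed on the same ENI.

    A security group is stateful, so a reply to an accepted connection is never
    rejected by it; a rejected reply therefore implicates the subnet's NACL,
    typically a missing ALLOW for the ephemeral port range in that direction.
    Returns (srcaddr, srcport, dstaddr, dstport) of each rejected reply.
    """
    accepted = {
        (r["interface-id"], r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"])
        for r in records if r["action"] == "ACCEPT"
    }
    hits = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["interface-id"], r["dstaddr"], r["dstport"], r["srcaddr"], r["srcport"])
        if reverse in accepted:
            hits.append((r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(rejected_by_port(recs))
    print(suspected_nacl_blocks(recs))
```

In the sample, the rejected connections to ports 22 and 3389 from outside are simply the perimeter doing its job, whereas the rejected 10.0.2.40:5432 → 10.0.1.25:33000 record is a database reply to a connection the instance itself opened, which is the signature worth acting on.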
AWS Site-to-Site VPN
A Virtual Private Gateway (VGW) is the VPN concentrator on the AWS side of the VPN connection.
Route propagation should be enabled in the AWS VPC route table, so that routes learned over the VPN are added automatically.
A Customer Gateway (CGW) is a software application or physical device on the customer side of the VPN connection. Either the internet-routable public IP address of the corporate network device or the public address of a NAT device in front of it is used for the connection.
To be able to ping AWS EC2 instances from a corporate on-premises network connected through the VPN, the ICMP protocol must be allowed in the instances' security groups.
Direct Connect (DX)
Direct Connect can be used to create a dedicated private connection from a corporate data center network to an AWS VPC.
A Virtual Private Gateway should be set up on the AWS VPC.
An AWS Direct Connect Location should be chosen.
The customer or partner router is located in a customer or partner cage at that location.
The AWS Direct Connect Endpoint is colocated in the same AWS Direct Connect Location, in an AWS cage.
The on-premises network can then connect into AWS through the customer/partner router and the AWS Direct Connect Endpoint, terminating on the Virtual Private Gateway.
A Private Virtual Interface can be set up that connects to the Virtual Private Gateway on the AWS VPC.
Alternatively, a Public Virtual Interface can be used that goes through the same AWS location but, instead of using the Virtual Private Gateway, connects directly to public AWS services such as S3.
VPN CloudHub is the preferred solution for customers with multiple locations, such as multiple on-premises data centers, that need to be connected to each other and to AWS.
This hub-and-spoke model can be used for primary or backup connectivity between these remote locations.