Friday, July 3, 2020

VPC - Virtual Private Cloud



-      AWS hosts services in multiple locations world-wide. These locations are composed of Regions, Availability Zones, and Local Zones. Each Region is a separate geographic area. Each Region has multiple, isolated locations known as Availability Zones. Local Zones let you place resources, such as compute and storage, in locations closer to your end users. Resources aren't replicated across Regions unless you specifically choose to do so.
Regions and Availability Zones
-        NOTE: To ensure that resources are distributed across the Availability Zones of a Region, AWS independently maps Availability Zone names for each AWS account. For example, the Availability Zone us-east-1a for your AWS account might not be the same physical location as us-east-1a for another AWS account.
-        To coordinate Availability Zones across accounts, use the AZ ID, which is a unique and consistent identifier for an Availability Zone. For example, use1-az1 is an AZ ID in the us-east-1 Region and refers to the same location in every AWS account.
-     Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
-        Regional resource – a VPC spans all of the Availability Zones (AZ) in its Region. After creating a VPC, you can add one or more subnets in each Availability Zone.
-        A VPC can span multiple Availability Zones, but not multiple Regions. A subnet lives in exactly one AZ, and a VPC can hold one or more subnets per AZ.

Components:
-        CIDR block and IP address subnets
-        Implied Router (built-in)
-        Route tables - the main route table is created by AWS; you add custom tables and routes
-        Internet gateway
-        Security groups
-        Network Access Control List (virtual firewall) - a network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
-        Virtual Private Gateway - the VPC-side endpoint for Site-to-Site VPN and Direct Connect

CIDR and IP addresses:
-     A publicly routable IP can be supplied by AWS. Private (non-publicly routable) IP address ranges should be selected from those specified in RFC 1918:
o   10.0.0.0/8           :  10.0.0.0 to 10.255.255.255 (10/8 prefix)
o   172.16.0.0/12       :  172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
o   192.168.0.0/16     :  192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
-      The primary CIDR block (private IP range) is defined at VPC creation. Once defined, it can't be changed or removed.
-     The allowed prefix length is between /16 and /28. The smallest possible is /28 - 28 bits for network, 4 for host (2^4 = 16 addresses, of which AWS reserves 5 per subnet, leaving 11 usable). If additional IPs are required, the following work-arounds exist:
        -        create a new VPC with a larger CIDR and migrate the contents
        -        add secondary CIDR blocks to the same VPC - these CAN NOT overlap with the blocks already in the VPC
o   a local route for the new block is automatically added to every route table in the VPC once this is done
-         AWS can optionally supply an Elastic IP - a static IPv4 address designed for dynamic cloud computing. It is a public IPv4 address, reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.

-        Public IP - an auto-assigned public IPv4 address is released when the EC2 instance is stopped or terminated, and you can't get the same address back

-        Elastic IP - yours until you release it; charged while it is not associated with a running instance

-         By default, all AWS accounts are limited to five (5) Elastic IP addresses per Region, because public IPv4 internet addresses are a scarce public resource; request a quota increase if you need more

-       Reserved IPs:
         The first 4 IPs and the last IP in each subnet CIDR block (example: subnet 10.0.0.0/24) are reserved by AWS and can't be assigned to an instance:
o   10.0.0.0 - network address
o   10.0.0.1 - reserved by AWS for the VPC router
o   10.0.0.2 - reserved by AWS for the DNS server (the base of the VPC network range plus two)
o   10.0.0.3 - reserved by AWS for future use
o   10.0.0.255 - network broadcast address (VPCs don't support broadcast, but the address is still reserved)
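As an added example (not from the original notes), the following Python uses the standard ipaddress module to apply the rules above: it validates a VPC CIDR against the /16 to /28 limit, checks whether a block is RFC 1918, lists the five addresses AWS reserves in a subnet, and checks a secondary CIDR for overlap with the blocks already in the VPC. The sample CIDRs are constructed for illustration, and the overlap check deliberately ignores the extra per-range restrictions AWS applies to secondary blocks.

```python
from ipaddress import IPv4Network, ip_network

# Limits taken from the notes above: a VPC CIDR must be between /16 and /28,
# and AWS reserves the first four and the last address of every subnet.
VPC_LARGEST_PREFIX = 16
VPC_SMALLEST_PREFIX = 28
RESERVED_PER_SUBNET = 5

RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def validate_vpc_cidr(cidr: str) -> IPv4Network:
    """Parse a VPC CIDR and reject sizes AWS would refuse."""
    net = ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def is_valid_vpc_cidr(cidr: str) -> bool:
    """Boolean wrapper around validate_vpc_cidr for quick checks."""
    try:
        validate_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def is_rfc1918(cidr: str) -> bool:
    """True if the block lies entirely inside one of the RFC 1918 ranges."""
    net = ip_network(cidr)
    return any(net.subnet_of(private) for private in RFC1918)


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses AWS withholds in every subnet, by role."""
    net = ip_network(subnet_cidr)
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns": str(base + 2),
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually hand to instances in a subnet."""
    return ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def can_add_secondary_cidr(existing: list, candidate: str) -> bool:
    """A secondary CIDR must be a valid VPC size and must not overlap any
    block already in the VPC. Simplification: AWS applies further
    restrictions depending on the primary range; those are not modelled."""
    cand = validate_vpc_cidr(candidate)
    return not any(cand.overlaps(ip_network(block)) for block in existing)


if __name__ == "__main__":
    # Constructed sample inputs
    print(reserved_addresses("10.0.0.0/24"))
    print("/28 usable hosts:", usable_hosts("10.0.0.0/28"))
    print("172.31.0.0/16 is RFC 1918:", is_rfc1918("172.31.0.0/16"))
    print("add 10.0.1.0/24 next to 10.0.0.0/16:",
          can_add_secondary_cidr(["10.0.0.0/16"], "10.0.1.0/24"))
    print("add 10.1.0.0/16 next to 10.0.0.0/16:",
          can_add_secondary_cidr(["10.0.0.0/16"], "10.1.0.0/16"))
```

The usable-host count is what bites people who pick /28 subnets for three-AZ designs: 11 addresses per subnet disappear quickly once load balancers and interface endpoints each take one.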
 

Implied Router
-        Connects the subnets of a VPC together
-        Routing decisions are made per subnet using the route table associated with that subnet: the main route table (default) or a custom route table
-        Default limits: 200 route tables per VPC and 50 routes per table (both can be raised via a quota request)
-        1:Many - each subnet is associated with exactly one route table (implicitly the main table if you don't choose one), BUT a single table can serve multiple subnets
-        by default, the implied router uses the main/default VPC route table for any subnet without an explicit association
-        you can edit all tables, but CANNOT delete the main route table. You can designate another table as Main and then delete the old Main.
-        Default rule pointing to "local" - exists in every table, it can't be modified/deleted. It allows subnets in the VPC to communicate. This entry is always created automatically for the VPC CIDR, e.g. 10.0.0.0/16 -> local.
-        Intra-VPC routing is taken care of by AWS; no need to create route entries for it.

Internet Gateway
-        Only one Internet gateway can be attached to a VPC; you can't add another. Fully managed by AWS, horizontally scalable, highly available and redundant. It performs 1:1 NAT between an instance's private IPv4 address and its public or Elastic IPv4 address; supports IPv4 and IPv6 (IPv6 addresses are globally unique, so no NAT is needed for them)
-        BGP - The Border Gateway Protocol (BGP) is the routing protocol of the Internet. You never configure BGP on an Internet gateway; in a VPC, BGP comes into play on the Virtual Private Gateway side, for dynamically routed Site-to-Site VPN and Direct Connect.
-       DEFAULT VPC - each Region comes with one default VPC, created with one subnet in each Availability Zone, an Internet gateway attached, and a main route table sending 0.0.0.0/0 to that gateway. See VPC->Default VPC->Yes in the console.
-     The default VPC uses a /16 CIDR (172.31.0.0/16) with a /20 subnet per Availability Zone. When creating a VPC yourself, the smallest allowed block is /28 (16 IPs) and the largest is /16.
-     A subnet cannot stretch beyond a single Availability Zone. You can have multiple subnets in one Availability Zone.

Route Table
-         A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed
-        Route tables exist at the subnet level (explicit subnet associations) and at the VPC level (the main route table, used by every subnet without an explicit association). A gateway route table can additionally be associated with an Internet gateway or virtual private gateway to steer traffic entering the VPC.
-        A VPC always has one table designated as the Main Route Table. This one cannot be deleted, but you can designate another table as Main and then delete the old Main.
-        Internal routing within a VPC is always on by default - every route table gets a '<VPC CIDR> -> local' entry created by AWS that cannot be removed.
-        You can change a subnet's association from one route table to another at any time.
-        Target – can be an Internet gateway, virtual private gateway (VGW), NAT gateway, network interface, instance, VPC peering connection, transit gateway or VPC endpoint – it can't be a Direct Connect link or a VPN connection directly; those are reached through the VGW
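An added example, not from the original page, that simulates the routing decisions described in the Implied Router and Route Table sections: every table gets the undeletable local route for the VPC CIDR, the most specific matching destination wins, and a subnet without an explicit association falls back to the main table. The gateway IDs (igw-..., nat-..., vgw-...) and the subnets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network


class RouteTable:
    """A VPC route table: the local route is always present and the
    longest matching prefix wins."""

    def __init__(self, vpc_cidr: str):
        self.local = ip_network(vpc_cidr)
        self.routes = {self.local: "local"}  # destination -> target

    def add_route(self, destination: str, target: str) -> None:
        dest = ip_network(destination)
        if dest == self.local:
            raise ValueError("the local route cannot be modified or deleted")
        self.routes[dest] = target  # same destination replaces the old route

    def lookup(self, dst_ip: str) -> str:
        ip = ip_address(dst_ip)
        candidates = [dest for dest in self.routes if ip in dest]
        if not candidates:
            return "no-route"  # nothing matches: the implied router drops the packet
        best = max(candidates, key=lambda dest: dest.prefixlen)
        return self.routes[best]


class Vpc:
    """Tracks the main table plus explicit subnet-to-table associations."""

    def __init__(self, cidr: str):
        self.cidr = cidr
        self.tables = {"main": RouteTable(cidr)}
        self.associations = {}  # subnet CIDR -> table name

    def create_table(self, name: str) -> RouteTable:
        self.tables[name] = RouteTable(self.cidr)  # local route comes for free
        return self.tables[name]

    def associate(self, subnet: str, table: str) -> None:
        self.associations[subnet] = table

    def table_for(self, subnet: str) -> RouteTable:
        # No explicit association: the main table applies
        return self.tables[self.associations.get(subnet, "main")]

    def next_hop(self, subnet: str, dst_ip: str) -> str:
        return self.table_for(subnet).lookup(dst_ip)


def build_demo_vpc() -> Vpc:
    """Constructed example: a public subnet on the main table (IGW + VGW),
    a private subnet on its own table that uses a NAT gateway. IDs are hypothetical."""
    vpc = Vpc("10.0.0.0/16")
    vpc.tables["main"].add_route("0.0.0.0/0", "igw-0123456789abcdef0")
    vpc.tables["main"].add_route("172.16.0.0/12", "vgw-0123456789abcdef0")
    private = vpc.create_table("private")
    private.add_route("0.0.0.0/0", "nat-0123456789abcdef0")
    vpc.associate("10.0.2.0/24", "private")  # 10.0.1.0/24 stays on main
    return vpc


if __name__ == "__main__":
    demo = build_demo_vpc()
    for subnet, dst in [("10.0.1.0/24", "10.0.2.15"), ("10.0.1.0/24", "8.8.8.8"),
                        ("10.0.1.0/24", "172.16.5.5"), ("10.0.2.0/24", "172.16.5.5")]:
        print(f"{subnet} -> {dst}: {demo.next_hop(subnet, dst)}")
```

Note the last lookup: the private subnet sends 172.16.5.5 to the NAT gateway, not the VGW, because the VGW route only exists in the main table. Forgetting that each table is evaluated on its own is the usual reason "the VPN works from one subnet but not another".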
  


Security Groups
-         A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to 5 security groups to the instance (a per-interface default quota that can be raised). Security groups are VPC resources – available to all instances in the VPC. Yet they act at the instance (network interface) level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
-         Security Groups are attached at the ENI (Elastic Network Interface, the virtual NIC) level of an EC2 instance. An ENI can have up to 5 Security Groups attached at the same time by default; the rules of all attached groups are combined, so a flow is allowed if any one of them allows it.
-         Security Groups are VPC specific and get assigned to EC2 instances (ENIs) in that VPC.
-         VPC-scoped, hence regional - usable by instances in any Availability Zone or subnet of the VPC
-         Default Security Group - created with the VPC, can NOT be deleted; Custom - ones you add manually
-         Rules are ALLOW only – anything not explicitly allowed is denied (implicit deny)
-         Source (inbound) or Destination (outbound) in a rule can be one of: another Security Group, a CIDR block or a Prefix List only (not a subnet ID)
-        DEFAULT Security Group in a custom VPC:
- Inbound – allow only traffic from instances that are members of the same security group
- Outbound - all traffic to all destinations (0.0.0.0/0) is allowed
- these rules can be subsequently changed manually
-        CUSTOM Security Group in a custom VPC:
- Inbound - all denied - unless configured otherwise
- Outbound - all traffic to all destinations (0.0.0.0/0) is allowed until you change it
-        Security groups are STATEFUL - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules, and responses to allowed inbound traffic are allowed to flow out regardless of outbound rules. No rule is copied between the Inbound and Outbound tabs; return traffic is permitted by connection tracking. (Important: Security Group STATEFUL vs Network Access Control List STATELESS.)
-        Connection Tracking - ex: you ICMP ping the instance and there is a rule allowing incoming ping. The response traffic from the instance for the ping command is not tracked as a new request, but rather as part of an established connection, and is allowed to flow out of the instance even if your outbound security group rules restrict outbound ICMP traffic.
-        Security Groups are DIRECTIONAL - OUT of one group can be IN for another group (ex: web server communicating with a DB server: the DB group's inbound rule references the web group as its source)
-        The default (implied rule) is to DENY - deny all traffic unless an ALLOW is explicitly stated
-        Outbound Rules - only the rules on the Outbound tab are evaluated for new connections the instance initiates; responses to allowed inbound connections are permitted by connection tracking and never appear as rules.
-        Can only define ALLOW rules, cannot define DENY rules.
-        To add multiple Security Groups to an EC2 instance, use Actions->Networking->Change Security Groups
-         You can have any number of EC2 instances within a security group
-         Configuring rules:
             o   Source / Destination can be a CIDR block, a Prefix List or another Security Group
      o   Can't use a Subnet ID for this

-        Changes take effect IMMEDIATELY
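An added example (not from the original page) modelling security group evaluation in Python: allow-only rules, the union of all groups attached to an ENI, a source that is another security group rather than a CIDR, and connection tracking so that replies pass without an explicit rule. The group IDs, instance addresses and rules are constructed for the example; the model leaves out the AWS special case where flows allowed by all-traffic rules in both directions are not tracked at all.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SgRule:
    proto: str        # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    peer: str         # CIDR block, or another security group id (sg-...)


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class SecurityGroupEngine:
    """Allow-only rules, union across the ENI's groups, plus connection tracking."""

    def __init__(self, groups: dict, eni_groups: dict):
        self.groups = groups          # sg id -> SecurityGroup
        self.eni_groups = eni_groups  # instance private IP -> set of sg ids
        self.tracked = set()          # flows already allowed in one direction

    def _rule_matches(self, rule: SgRule, peer_ip: str, proto: str, port: int) -> bool:
        if rule.proto not in ("-1", proto):
            return False
        if rule.proto != "-1" and not rule.from_port <= port <= rule.to_port:
            return False
        if rule.peer.startswith("sg-"):
            # Peer is a group: matches any ENI that is a member of it
            return rule.peer in self.eni_groups.get(peer_ip, set())
        return ip_address(peer_ip) in ip_network(rule.peer)

    def _evaluate(self, flow: Flow, instance_ip: str, peer_ip: str, direction: str) -> bool:
        if flow.reverse() in self.tracked:
            return True  # stateful: reply to an allowed flow needs no rule
        for sg_id in self.eni_groups.get(instance_ip, set()):
            rules = getattr(self.groups[sg_id], direction)
            if any(self._rule_matches(r, peer_ip, flow.proto, flow.dst_port) for r in rules):
                self.tracked.add(flow)
                return True
        return False  # implicit deny

    def allow_inbound(self, flow: Flow) -> bool:
        return self._evaluate(flow, instance_ip=flow.dst_ip, peer_ip=flow.src_ip, direction="inbound")

    def allow_outbound(self, flow: Flow) -> bool:
        return self._evaluate(flow, instance_ip=flow.src_ip, peer_ip=flow.dst_ip, direction="outbound")


def build_demo() -> SecurityGroupEngine:
    """Constructed example: web tier open on 443, DB tier reachable only from the web group."""
    allow_all = SgRule("-1", 0, 65535, "0.0.0.0/0")
    sg_web = SecurityGroup("sg-web", inbound=[SgRule("tcp", 443, 443, "0.0.0.0/0")], outbound=[allow_all])
    # DB group: inbound only from sg-web; outbound left empty to show that replies still pass
    sg_db = SecurityGroup("sg-db", inbound=[SgRule("tcp", 3306, 3306, "sg-web")], outbound=[])
    sg_other = SecurityGroup("sg-other", inbound=[], outbound=[allow_all])
    return SecurityGroupEngine(
        {"sg-web": sg_web, "sg-db": sg_db, "sg-other": sg_other},
        {"10.0.1.10": {"sg-web"}, "10.0.2.20": {"sg-db"}, "10.0.3.30": {"sg-other"}},
    )


if __name__ == "__main__":
    eng = build_demo()
    web_to_db = Flow("10.0.1.10", 40000, "10.0.2.20", 3306)
    print("web -> db request:", eng.allow_outbound(web_to_db) and eng.allow_inbound(web_to_db))
    print("db -> web reply (no outbound rule):", eng.allow_outbound(web_to_db.reverse()))
    print("other -> db:", eng.allow_inbound(Flow("10.0.3.30", 40000, "10.0.2.20", 3306)))
```

Removing every outbound rule from the DB group does not break the replies, which is exactly why the "Outbound tab" never needs a mirror of the inbound rules; what it would break is the DB host initiating new connections, for example package updates.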


NACL - Network Access Control List
-        NACL - security at the subnet level, the first line of defense for traffic entering or leaving a subnet
-        NACL sits on the implied Virtual Router, alongside the route tables; each subnet is associated with exactly one NACL (the VPC's default NACL unless you choose another)
-        STATELESS - traffic allowed inbound does not imply the response is permitted outbound; the return traffic is evaluated against the outbound rules on its own, so replies need an outbound rule covering the client's ephemeral port range (e.g. TCP 1024-65535)
-        Explicit rules for inbound and outbound need to be configured
-        Rules - can configure ALLOW and DENY
-        Rule # - leave gaps in the numbering (100, 200, ...) to make room for inserting new rules later
-        Rules are evaluated in order from the lowest number upward until a match is found; the first match wins, even if a higher-numbered rule would have decided differently
-        "*" fallback - an explicit DENY ALL rule at the end that can't be deleted

-      If EC2 instances in a VPC can't communicate:
            o   Routing within the VPC is not the problem - the local route covers every subnet and can't be removed
            o   Check the Security Group or NACL of the source
            o   Check the Security Group or NACL of the destination
            o   NACL Inbound rules - apply to traffic coming from outside the subnet into the subnet (and, being stateless, the NACL Outbound rules must also permit the reply)
            o   Security Group Inbound rules - apply to traffic coming from outside the instance (replies are covered by connection tracking)

-        DEFAULT NACL in a custom or default VPC:
            - Inbound - by default all traffic ALLOWed
            - Outbound - by default all traffic ALLOWed
-        CUSTOM NACL in a custom or default VPC:
            - Inbound - by default all traffic DENIED (only the "*" rule exists)
            - Outbound - by default all traffic DENIED (only the "*" rule exists)
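An added example, not the author's own, showing the NACL behaviour described above in Python: rules sorted by number, first match wins, the undeletable "*" deny at the end, and the stateless pitfall where an inbound request is allowed but the reply to the client's ephemeral port is dropped because no outbound rule exists. The rule sets and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # port range clients pick their source port from


@dataclass(frozen=True)
class NaclRule:
    number: int       # lowest number is evaluated first
    action: str       # "allow" or "deny"
    proto: str        # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str


class NetworkAcl:
    """Stateless, ordered allow/deny rules; request and reply are judged separately."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, peer_ip: str, proto: str, port: int):
        """Return (allowed, rule_number) for the first rule that matches."""
        for rule in rules:
            if rule.proto not in ("-1", proto):
                continue
            if rule.proto != "-1" and not rule.from_port <= port <= rule.to_port:
                continue
            if ip_address(peer_ip) not in ip_network(rule.cidr):
                continue
            return rule.action == "allow", rule.number
        return False, "*"  # the undeletable fallback: deny everything

    def check_inbound(self, src_ip: str, proto: str, dst_port: int):
        return self._evaluate(self.inbound, src_ip, proto, dst_port)

    def check_outbound(self, dst_ip: str, proto: str, dst_port: int):
        return self._evaluate(self.outbound, dst_ip, proto, dst_port)


def tcp_round_trip(nacl: NetworkAcl, client_ip: str, client_port: int, server_port: int) -> dict:
    """Inbound request plus the reply going back to the client's ephemeral port."""
    request = nacl.check_inbound(client_ip, "tcp", server_port)
    reply = nacl.check_outbound(client_ip, "tcp", client_port)
    return {"request": request, "reply": reply, "works": request[0] and reply[0]}


def build_demo_acls():
    """Constructed example: a working NACL and one that forgot the outbound ephemeral-port rule."""
    inbound = [
        NaclRule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),    # block a noisy range first
        NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
        NaclRule(110, "allow", "tcp", 22, 22, "198.51.100.0/24"),   # admin network only
    ]
    good = NetworkAcl(inbound, [NaclRule(100, "allow", "tcp", *EPHEMERAL, "0.0.0.0/0")])
    forgot_ephemeral = NetworkAcl(inbound, [])
    return good, forgot_ephemeral


if __name__ == "__main__":
    good, bad = build_demo_acls()
    print("443 from blocked range:", good.check_inbound("203.0.113.5", "tcp", 443))
    print("ssh from elsewhere:", good.check_inbound("192.0.2.9", "tcp", 22))
    print("round trip, good NACL:", tcp_round_trip(good, "192.0.2.9", 51515, 443))
    print("round trip, no ephemeral rule:", tcp_round_trip(bad, "192.0.2.9", 51515, 443))
```

The second round trip is the classic "the security group allows it but nothing connects" symptom: the SYN is accepted by rule 100, the SYN-ACK leaving the subnet hits only the "*" deny, and the client sees a timeout rather than a refusal.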