VPC - Virtual Private Cloud
- AWS hosts service in multiple locations world-wide. These locations are composed of Regions, Availability Zones, and Local Zones. Each Region is a separate geographic area. Each Region has multiple, isolated locations known as Availability Zones. Local Zones provide you the ability to place resources, such as compute and storage, in multiple locations closer to your end users. Resources aren't replicated across Regions unless you specifically choose to do so
- NOTE: To ensure that resources are distributed across the Availability Zones for a Region, AWS independently map Availability Zones to names for each AWS account. For example, the Availability Zone us-east-1a for your AWS account might not be the same location as us-east-1a for another AWS account
- To coordinate Availability Zones across accounts, you must use the AZ ID, which is a unique and consistent identifier for an Availability Zone. For example, use1-az1 is an AZ ID for the us-east-1 Region and it has the same location in every AWS account
- Amazon Virtual Private Cloud (Amazon VPC) enables you to launch
AWS resources into a virtual network that you've defined. This virtual network
closely resembles a traditional network that you'd operate in your own data
center, with the benefits of using the scalable infrastructure of AWS.
-
Regional resource – a VPC spans all of the Availability Zones (AZ) in the
Region. After creating a VPC, you can add one or more subnets in each
Availability Zone.
-
VPC can span over multiple availability zones, but not multiple
regions. Each AZ retains its own sub-net – i.e. you can have one or more
sub-net in a single VPC.
Components:
-
CIDR and IP address subnets
-
Implied Router (built-in)
-
Route tables - managed by AWS
-
Internet g/way
-
Security groups
-
Network Access Control List (Virtual Firewall - A network access
control list (ACL) is an optional layer of security for your VPC that acts as a
firewall for controlling traffic in and out of one or more subnets. You might
set up network ACLs with rules similar to your security groups in order to add
an additional layer of security to your VPC.)
-
Virtual Private Gateway - point of entry, used with VPN or direct comms
CIDR and IP addresses:
- A
publicly routable IP can be supplied by AWS. Private (non-publicly routable) IP
address ranges can be selected from those specified in RFC 1918
o
10.0.0.0/8 : 10.0.0.0 to 10.255.255.255 range (10/8 prefix)
o
172.16.0.0/16 : 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
o
192.168.0.0/16 : 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
- CIDR block (private IP range)
is defined at VPC creation. Once defined, it can't be changed
- The address range is between /28
and /16. The smallest possible is /28 - 28 for Network, 4 for Host (2^4 = max 16
addresses). If additional IPs are required,
the following work around exists:
-
create a new VPC, copy over the contents
- can add secondary CIDR blocks within the same VPC - these CAN NOT
overlap w existing
o
an appropriate route is automatically added to the routing tables
w/in VPC once this is done
- AWS can optionally supply Elastic
IP - a static IPv4 address designed for dynamic cloud computing. It
is a public IPv4 address, which is reachable from the internet. If your
instance does not have a public IPv4 address, you can associate an Elastic IP
address with your instance to enable communication with the internet. With
an Elastic IP address, you can mask the failure of an instance or software by
rapidly remapping the address to another instance in your account
- Public IP - gets released when you
terminate EC2 instance
- Elastic IP - yours until you release; can have up to 5; more - need to request; chargeable unless used
- By default, all AWS accounts are limited to five (5) Elastic IP addresses per Region, because public (IPv4) internet addresses are a scarce public resource
- Reserved IPs:
The first 4 IPs and the last IP in VPC range (10.0.0.0/24) are reserved by AWS:
o
10.0.0.0 - local, base network
o
10.0.0.1 - VPC router
o
10.0.0.2 - DNS related
o
10.0.0.3 - reserved for future use
o
10.0.0.255 - last IP
Implied Router
- Connects subnets together
-
keeps a routing table for each subnet: main route table (default)
& custom route table
-
Can have up to 200 route tables, 50 entries each
-
1:Many - each subnet MUST be associated w a single table. BUT a
single table can serve multiple subnets
-
by default, the implied router is associate with main/default VPC
route table
-
you can edit all tables, CANNOT delete the main route table.
Can delegate another table to be Main and then delete the old Main.
-
Default rule pointing to "local" - exists in every
table, it can't be modified/deleted. It allows subnets in VPC to communicate.
This entry is always created by default 10.0.0.0 -> local.
-
Intra VPC routing is taken care of by AWS, no need to create new routing table
entries etc.
Internet Gateway
-
Only single g/w is available, can’t add another. Fully managed by
AWS, horizontally scalable, fully redundant. It will NAT internal addresses;
supports IPv4/6
-
Uses BGP - The Border Gateway Protocol (BGP) is the routing
protocol of the Internet, used to route traffic across the Internet.
-
BGP, RFC4271: http://www.enterprisenetworkingplanet.com/netsp/article.php/3615896/Networking-101-Understanding-BGP-Routing.htm
- DEFAULT - 1 VPC created w 1
subnet in each availability zone. See VPC-Default VPC->Yes.
- Smallest default IP CIDR range is /16. When creating yourself - smallest is /28 (16 IPs)
- A Subnet cannot stretch beyond a single avail zone. You can have multiple subnets in 1 avail zone.
Route Table
-
A route table contains a set of
rules, called routes, that are used to determine where network traffic from
your subnet or gateway is directed
-
One table
on the VPC/Internet Gateway level and one on a Subnet level
-
VPC needs to have one table
designated as Main Route Table. This one cannot be deleted. But you can
re-designate anther table to be the Main and then delete old Main.
-
Internal routing within a VPC
is always on by default - main route table with '<IP>local' entry allowing
local routing is created by AWS.
- Can re-assign a table from one
subnet to another.
- Target – can be a instance /
gateway (ex: VGW) / network interface – can’t be a direct connect link
or VPN link
Security Groups
-
A security group acts as a virtual firewall for your instance to
control inbound and outbound traffic. When you launch an instance in a VPC, you
can assign up to 5 security groups to the instance. Security groups are VPC
resources – available to all instances in the VPC. Yet they act at the instance
level (EC2), not the subnet level. Therefore, each instance in a subnet
in your VPC could be assigned to a different set of security groups. If you
don't specify a particular group at launch time, the instance is automatically
assigned to the default security group for the VPC.
-
Security Groups function on ENI (Elastic Network Access, Virtual
NIC) level of an EC2 (AWS server instance). An EC2 can have up to 5
Security Groups allocated at the same time.
-
Security Groups are VPC specific, get assigned to EC2 instances in
VPC.
-
REGIONAL - can be shared across Availability Zones and subnets in
same region
-
Default Security Group - created by default, can NOT be deleted; Custom - one added manually
-
Rules are ALLOW only – by default the rest is denied (implicit
deny)
-
Source or Destination in a group can be one of: another Security Group, CIDR IP or Prefix List only
(not a subnet)
- DEFAULT Security Group in a custom VPC:
- Inbound – allow only traffic
from my Sec Gr instances
- Outbound - all traffic to all
destinations (0.0.0.0/0) is allowed
- these rules can be
subsequently changed manually
- CUSTOM Security Gr-oup in a custom VPC:
- Inbound - all denied - unless
configured otherwise
- Outbound - all allowed - to
all destinations (0.0.0.0/0) is allowed
- Security groups are STATEFUL
— if you send a request from your instance, the response traffic for that
request is allowed to flow out regardless of inbound security group rules. Anything you add to
Inbound is automatically added to Outbound - return traffic is automatically
allowed. (Important: Security Group STATEFUL vs Network Access Control Lists
STATELESS). If you send a request from your instance, the response traffic for that
request is allowed to flow in regardless of inbound security group rules.
Responses to allowed inbound traffic are allowed to flow out, regardless of outbound
rules.
- Connection Tracking - ex: you ICMP ping the
instance and there is a rule allowing incoming ping. The response traffic from
the instance for the ping command is not tracked as a new request, but rather
as an established connection and is allowed to flow out of the instance, even
if your outbound security group rules restrict outbound ICMP traffic.
-
Security Groups are DIRECTIONAL - OUT of one group can be
IN for another group (ex: webserver communicating w DB server)
-
The default (implied rule) is
to DENY - deny all traffic unless an ALLOW is explicitly stated
- Outbound
Rules - everything that is added to Inbound rules is automatically added to
Outbound even though it does not appear on the Outbound tab.
- Can
only define ALLOW rules, cannot do DISALLOW rules.
- To
add multiple Security Groups to an EC2 instance, add via
Actions->Networking->Change Security Groups
-
You
can have any number of EC2 instances within a security group
-
Configuring rules:
o Source / Destination can be CIDR or another Security Group
o Can't use a SubNet ID for this
- Changes take effect IMMEDIATELY
NACL - Network Access Control List
- NACL - security on subnet level, first line of defense
- NACL sits on the Virtual Router,
along with Routing Tables
- STATELESS - traffic allowed inbound, does not guarantee permitted
outbound
- Explicit rules for inbound and outbound need to be configured
- Rules - can configure ALLOW and DENY
- Rule # - allow spacing to insert new rules.
- Rules are interpreted from the lowest number on until a match is found
- “*” fallback, explicit DENY ALL rule, can't be deleted
- If EC2 instances in VPC can’t communicate:
o
Routing is never a problem
o
Check the Security Group or NACL of the source
o
Check Security Group or NACL of the destination
o
NACL Rule Inbound - coming from outside of subnet into the subnet
o
Security Group Inbound - coming from outside the instance
- DEFAULT NACL in a custom or default VPC:
- Inbound - by default all
traffic ALLOWed
- Outbound - by default all
traffic ALLOWed
- CUSTOM NACL in a custom or default VPC:
- Inbound - by default all
traffic is DENY'd
- Outbound - by default all
traffic is DENY'd
No comments:
Post a Comment