AWS - VPC

Think VPC is a logical datacenter.

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

What can you do with a VPC

  • Launch instances into a subnet of your choosing
  • Assign custom IP address ranges in each subnet
  • Configure route tables between subnets
  • Create internet gateway and attach it to your VPC
  • Much better security control over your AWS resources
  • Instance security groups
  • Subnet network access control lists (ACLs)

Default VPC vs Custom VPC

  • Default VPC is user friendly, allowing you to immediately deploy instances
  • All Subnets in default VPC have a route out to the internet
  • Each EC2 instance has both a public and private IP address
  • If you delete the default VPC the only way to get it back is to contact AWS

VPC Peering

  • Allows you to connect one VPC with another via a direct network route using private IP addresses
  • Instances behave as if they were on the same private network
  • You can peer VPCs with other AWS accounts as well as with other VPCs in the same account
  • Peering is in a star configuration, i.e. 1 central VPC peers with 4 others. NO TRANSITIVE PEERING!!!

Exam Tips

  • Think of a VPC as a logical datacenter in AWS
  • Consists of IGW's (Or Virtual Private Gateways), Route Tables, Network Access Control Lists, Subnets, Security Groups
  • 1 Subnet = 1 Availability Zone
  • Security Groups are Stateful, Network Access Control Lists are Stateless
  • NO TRANSITIVE PEERING

NAT instances

  • When creating a NAT instance, Disable Source/Destination Check on the Instance
  • NAT instance must be in a public subnet
  • There must be a route out of the private subnet to the NAT instance, in order for this to work
  • The amount of traffic that a NAT instance supports depends on the instance size. If you are bottlenecking, increase the instance size.
  • You can create high availability using Autoscaling Groups, multiple subnets in different AZ's and a script to automate failover

Network ACL's

  • Your VPC automatically comes with a default network ACL, and by default it allows all outbound and inbound traffic
  • You can create a custom network ACL. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
  • Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
  • You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.
  • A network ACL contains a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)
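The three rules that trip people up (lowest number first, first match wins, stateless) are easy to check with a small evaluator. This is an added example, not code from the notes or from AWS; the rule sets and addresses are constructed, and the implicit final `*` deny is modelled as the fallthrough return.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rules: (rule_no, protocol, cidr, (port_from, port_to), action).
# Rule numbers are listed out of order on purpose: evaluation sorts them first.
INBOUND = [
    (200, "tcp", "0.0.0.0/0", (443, 443), "allow"),        # HTTPS from anywhere
    (90, "tcp", "198.51.100.0/24", (443, 443), "deny"),    # lower number, so it wins
]
OUTBOUND = [
    (100, "tcp", "0.0.0.0/0", (1024, 65535), "allow"),     # ephemeral ports for replies
]


def evaluate(rules, proto, peer_ip, port):
    """Return 'allow' or 'deny' for one packet against one direction's rules.

    Rules are checked from the lowest number upward; the first match decides and
    later rules are ignored. If nothing matches, the implicit '*' rule denies,
    which is also why a brand-new custom NACL (no rules) blocks everything."""
    for _rule_no, r_proto, r_cidr, (lo, hi), action in sorted(rules, key=lambda r: r[0]):
        proto_ok = r_proto in ("-1", proto)                 # "-1" means all protocols
        ip_ok = ip_address(peer_ip) in ip_network(r_cidr)
        port_ok = lo <= port <= hi
        if proto_ok and ip_ok and port_ok:
            return action
    return "deny"


def check_flow(inbound, outbound, client_ip, client_port, server_port):
    """A client connects to a server behind this NACL.

    Because NACLs are stateless, the request is judged by the inbound rules and
    the reply by the outbound rules, independently. Both must be 'allow' or the
    connection fails, even though the request itself got in."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    response = evaluate(outbound, "tcp", client_ip, client_port)
    return request, response


if __name__ == "__main__":
    print(check_flow(INBOUND, OUTBOUND, "203.0.113.7", 50000, 443))   # ('allow', 'allow')
    print(check_flow(INBOUND, OUTBOUND, "198.51.100.9", 50000, 443))  # ('deny', 'allow')
    print(check_flow(INBOUND, [], "203.0.113.7", 50000, 443))         # ('allow', 'deny')
```

The third call is the classic mistake: inbound 443 is open, but with no outbound rule for ephemeral ports the reply is dropped, a failure a stateful security group would never produce.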

NAT vs Bastions

  • A NAT is used to give EC2 instances in private subnets access to the internet
  • A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets (jump boxes)