Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Think of an AWS VPC as your own personal data center. It gives you complete control over your virtual networking environment.
AWS has a default VPC in every region so you can immediately deploy instances.
0.0.0.0/0 is also known as the default route.
It represents all possible IPv4 addresses (the IPv6 equivalent is ::/0).
When we specify 0.0.0.0/0 as the destination of a route to the IGW in our route table we are allowing internet access.
When we specify 0.0.0.0/0 as the source in our security group inbound rules we are allowing all traffic from the internet to access our public resources.
When you see 0.0.0.0/0, just think of giving access from anywhere, i.e. the internet.
VPC Peering allows you to connect one VPC with another over a direct network route using private IP addresses. The two VPCs must not have overlapping CIDR blocks, and peering is not transitive: if A is peered with B and B with C, A cannot reach C through B.
Route tables are used to determine where network traffic is directed.
Each subnet in your VPC must be associated with a route table
A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
The Internet Gateway (IGW) allows your VPC access to the internet.
IGW does two things: it provides a target in your route tables for internet-routable traffic, and it performs one-to-one NAT between an instance's private IPv4 address and its public IPv4 or Elastic IP address.
To route out to the internet you need to add a route to the internet gateway in your route table and set the Destination to 0.0.0.0/0.
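The route table behaviour described above, as an added example (not code from the original notes): a small Python model of the longest-prefix-match lookup a VPC route table performs, run over three constructed route tables. The VPC CIDR 10.0.0.0/16, the peered CIDR 10.1.0.0/16 and the target IDs (igw-1, nat-1, pcx-1) are assumptions for illustration, not real resources.

```python
import ipaddress

# Added example: three constructed route tables for a VPC whose CIDR is
# assumed to be 10.0.0.0/16, peered with an assumed 10.1.0.0/16 VPC.
# Target IDs (igw-1, nat-1, pcx-1) are placeholders, not real resources.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),   # VPC-local traffic, present in every route table
    ("10.1.0.0/16", "pcx-1"),   # peered VPC, reached over private IPs
    ("0.0.0.0/0", "igw-1"),     # default route: everything else goes to the IGW
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-1"),     # outbound-only internet access via a NAT gateway
]
ISOLATED_RT = [
    ("10.0.0.0/16", "local"),   # no default route: no path to the internet at all
]


def lookup(route_table, dst):
    """Pick the target for dst the way a VPC route table does: the most
    specific (longest prefix) matching route wins, so 0.0.0.0/0 only
    catches what no narrower route claims. Returns None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version != dst_ip.version or dst_ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None


def default_route_size():
    """0.0.0.0/0 spans every IPv4 address, which is why it means 'anywhere'."""
    return ipaddress.ip_network("0.0.0.0/0").num_addresses


if __name__ == "__main__":
    tables = (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT))
    for rt_name, rt in tables:
        for dst in ("10.0.1.5", "10.1.2.3", "8.8.8.8"):
            print(f"{rt_name:8} {dst:10} -> {lookup(rt, dst)}")
    print("addresses covered by 0.0.0.0/0:", default_route_size())
```

Note that in PRIVATE_RT a packet for 10.1.2.3 is sent to the NAT gateway rather than the peer, because that table has no peering route; a missing specific route silently falls through to 0.0.0.0/0, which is worth checking whenever a peering or endpoint "does not work".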
Bastions are EC2 instances which are security hardened. They are designed to help you gain access via SSH or RDP to your EC2 instances that are in a private subnet.
They are also known as Jump Boxes because you are jumping from one box to access another.
NAT Gateways/Instances are only intended for EC2 instances to gain outbound access to the internet for things such as security updates. NATs cannot/should not be used as Bastions.
AWS Direct Connect is the AWS solution for establishing dedicated network connections from on-premises locations to AWS.
Very fast network: lower bandwidth of 50 Mbps to 500 Mbps, or higher bandwidth of 1 Gbps or 10 Gbps. Note that Direct Connect traffic is not encrypted by default; run a VPN over it if you need encryption in transit.
Think of a VPC Endpoint as a private tunnel where your traffic never leaves the AWS network.
VPC Endpoints allow you to privately connect your VPC to other AWS services and to VPC endpoint services, without needing an IGW, NAT device, or VPN connection.
There are two types of VPC Endpoints: Interface Endpoints and Gateway Endpoints.
Interface Endpoints are Elastic Network Interfaces (ENI) with a private IP address. They serve as an entry point for traffic going to a supported service.
Interface Endpoints are powered by AWS PrivateLink.
Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network.
Interface Endpoints are available for many AWS services.
A Gateway Endpoint is a gateway that is a target for a specific route in your route table, used for traffic destined for a supported AWS service.
To create a Gateway Endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection.
Gateway Endpoints currently support only two services: Amazon S3 and DynamoDB.
VPC Flow Logs allow you to capture information about the IP traffic going to and from Network Interfaces within your VPC.
Flow Logs can be created for a VPC, a subnet, or an individual network interface (ENI).
Log data can be delivered to Amazon CloudWatch Logs or to Amazon S3.
After a Flow Log delivered to CloudWatch Logs is created, it can be viewed in detail within CloudWatch Logs. Note that some traffic is never logged, for example traffic to the Amazon DNS server and to the instance metadata service (169.254.169.254).
Each flow log record (default format, version 2) contains the following fields:
version: The VPC Flow Logs version.
account-id: The AWS account ID for the flow log.
interface-id: The ID of the network interface for which the traffic is recorded.
srcaddr: The source IPv4 or IPv6 address. The IPv4 address of the network interface is always its private IPv4 address.
dstaddr: The destination IPv4 or IPv6 address. The IPv4 address of the network interface is always its private IPv4 address.
srcport: The source port of the traffic.
dstport: The destination port of the traffic.
protocol: The IANA protocol number of the traffic (e.g. 6 for TCP, 17 for UDP). For more information, see Assigned Internet Protocol Numbers.
packets: The number of packets transferred during the capture window.
bytes: The number of bytes transferred during the capture window.
start: The time, in Unix seconds, of the start of the capture window.
end: The time, in Unix seconds, of the end of the capture window.
action: The action associated with the traffic: ACCEPT (permitted by the security groups and NACLs) or REJECT (not permitted).
log-status: The logging status of the flow log: OK (data is logging normally), NODATA (no traffic during the capture window), or SKIPDATA (some records were skipped, for example due to an internal capacity constraint). Fields that do not apply are written as "-".
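To make the field list concrete, here is an added example (not from the original notes) that parses default-format version 2 records and applies a simple detection over them: sources that were REJECTed on several different destination ports, which is what a port scan against a subnet looks like in flow logs. The account ID, ENI ID, addresses and counts in SAMPLE_LOG are constructed for the example, and a NODATA window is included because its "-" fields trip up naive parsers.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log record, as listed above.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6  # IANA protocol number

# Constructed sample records (not real traffic): a fictitious account ID and ENI,
# documentation addresses (203.0.113.0/24, 198.51.100.0/24) and one NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.23 49152 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.23 49153 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.23 49154 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.23 51000 443 6 12 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.23 198.51.100.7 443 51000 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_record(line):
    """Turn one space-separated record into a dict; '-' (used in NODATA/SKIPDATA
    records) becomes None for numeric fields instead of raising."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in NUMERIC:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def parse_flow_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records, protocol=TCP):
    """Map each source address to the set of destination ports it was REJECTed on.
    Only records with log-status OK carry usable traffic data."""
    hits = defaultdict(set)
    for r in records:
        if r["log-status"] != "OK" or r["action"] != "REJECT" or r["protocol"] != protocol:
            continue
        hits[r["srcaddr"]].add(r["dstport"])
    return dict(hits)


def likely_scanners(records, min_ports=2):
    """Sources rejected on at least min_ports distinct ports: a crude port-scan heuristic."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def accepted_bytes(records):
    """Total bytes of ACCEPTed flows, skipping windows with no data."""
    return sum(r["bytes"] for r in records
               if r["action"] == "ACCEPT" and r["bytes"] is not None)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("rejected ports by source:", rejected_ports_by_source(recs))
    print("likely scanners:", likely_scanners(recs))
    print("accepted bytes:", accepted_bytes(recs))
```

Because flow logs are per-ENI and per-capture-window, a single REJECT line is not alarming on its own; aggregating by source across windows, as rejected_ports_by_source does, is what turns the raw records into something a NACL deny rule can act on.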
NACLs act as a virtual firewall at the subnet level.
Subnets are associated with NACLs. A subnet can only belong to a single NACL.
VPCs automatically get a default NACL.
Each NACL contains a set of rules that can allow or deny traffic into (inbound) and out of (outbound) subnets. NACLs are stateless: return traffic must be explicitly allowed by a rule in the opposite direction, typically on the ephemeral port range (1024-65535).
Rule # determines the order of evaluation, from lowest to highest; the first matching rule wins. The highest rule # can be 32766 and it is recommended to work in increments of 10 or 100 so rules can be inserted later. The final catch-all rule (*) denies anything no numbered rule matched.
You can allow or deny traffic. You can block a single IP address (you can't do this with Security Groups).
Example: we determine that a malicious actor at a specific IP address is trying to access our instance, so we add a DENY for that IP with a lower rule number than our ALLOW rules.
Example: we never need to SSH into instances, so we add a DENY for port 22 on their subnets. This is just an additional measure in case a Security Group's SSH port was left open.
Security Groups act as a virtual firewall at the instance level that controls the traffic to and from EC2 instances (more precisely, they are attached to the instance's network interfaces).
Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.
They provide security at the protocol and port level.
There are no DENY rules. All traffic is blocked by default unless a rule specifically allows it. Security Groups are stateful: if a request is allowed in, its response is allowed out regardless of the outbound rules.
Multiple instances across multiple subnets can belong to a Security Group.
You can specify the source to be an IP range or a specific IP (/32 is a single IPv4 address).
You can specify the source to be another security group, which is how you express "only the web tier may talk to the app tier" without hard-coding IP addresses.
An instance can belong to multiple Security Groups, and the rules are permissive (instead of restrictive): the instance gets the union of all its groups' rules, so if one security group has no Allow and you add an Allow to another, the traffic is allowed.
You can have up to 10,000 Security Groups in a region (the default quota is 2,500).
The default quota is 60 inbound rules and 60 outbound rules per security group.
You can attach up to 16 Security Groups per Elastic Network Interface (ENI) (the default quota is 5).
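The NACL and Security Group rules above differ in ways that are easy to get wrong (ordered allow/deny rules and stateless return traffic on the NACL side, allow-only union semantics on the Security Group side). The following added example, which is not part of the original notes, models both evaluators in Python over the two NACL scenarios described earlier (blocking one IP, denying SSH as a backstop) and a Security Group that references another group as its source. All rule sets, group IDs (sg-web) and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port
    sport: int   # source port


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order, lowest first
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:        # security groups only have allow rules
    proto: str
    port_from: int
    port_to: int
    source: str      # a CIDR or another security group's ID ("sg-...")


def nacl_evaluate(rules, packet, direction):
    """Stateless evaluation: walk rules by ascending number, first match wins,
    and the implicit final '*' rule denies anything left over."""
    remote = ipaddress.ip_address(packet.src if direction == "inbound" else packet.dst)
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "all" and r.proto != packet.proto:
            continue
        if remote not in ipaddress.ip_network(r.cidr):
            continue
        if r.proto != "all" and not (r.port_from <= packet.dport <= r.port_to):
            continue
        return r.action
    return "deny"


def sg_allows_inbound(groups, packet, src_groups=()):
    """Allow-list semantics: the instance gets the union of every attached group's
    rules; src_groups are the groups the sending ENI belongs to."""
    src_ip = ipaddress.ip_address(packet.src)
    for group in groups:
        for r in group:
            if r.proto != "all" and r.proto != packet.proto:
                continue
            if r.proto != "all" and not (r.port_from <= packet.dport <= r.port_to):
                continue
            if r.source.startswith("sg-"):
                if r.source in src_groups:
                    return True
            elif src_ip in ipaddress.ip_network(r.source):
                return True
    return False


def inbound_permitted(nacl_rules, groups, packet, src_groups=()):
    """Traffic must pass the subnet NACL first, then the instance's security groups."""
    return nacl_evaluate(nacl_rules, packet, "inbound") == "allow" and \
        sg_allows_inbound(groups, packet, src_groups)


# Constructed rule sets (hypothetical IDs and addresses) matching the scenarios above.
INBOUND_NACL = [
    NaclRule(90, "tcp", "203.0.113.12/32", 0, 65535, "deny"),   # block the malicious IP first
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # HTTPS from anywhere
    NaclRule(110, "tcp", "0.0.0.0/0", 22, 22, "deny"),          # belt-and-braces SSH deny
    NaclRule(120, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # replies to outbound connections
]
OUTBOUND_NACL = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]  # replies to clients
OUTBOUND_NACL_NO_EPHEMERAL = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]

SG_WEB = [SgRule("tcp", 443, 443, "0.0.0.0/0"), SgRule("tcp", 22, 22, "0.0.0.0/0")]  # SSH left open
SG_EMPTY = []
SG_APP = [SgRule("tcp", 8080, 8080, "sg-web")]   # only the web tier may reach the app tier

CLIENT_HTTPS = Packet("198.51.100.7", "10.0.1.23", "tcp", 443, 51000)
ATTACKER_HTTPS = Packet("203.0.113.12", "10.0.1.23", "tcp", 443, 51001)
CLIENT_SSH = Packet("198.51.100.7", "10.0.1.23", "tcp", 22, 51002)
HTTPS_REPLY = Packet("10.0.1.23", "198.51.100.7", "tcp", 51000, 443)
WEB_TO_APP = Packet("10.0.1.23", "10.0.2.9", "tcp", 8080, 40000)

if __name__ == "__main__":
    print("client https:", inbound_permitted(INBOUND_NACL, [SG_WEB], CLIENT_HTTPS))
    print("attacker https (NACL rule 90 wins):", inbound_permitted(INBOUND_NACL, [SG_WEB], ATTACKER_HTTPS))
    print("client ssh (SG open, NACL denies):", inbound_permitted(INBOUND_NACL, [SG_WEB], CLIENT_SSH))
    print("https reply without ephemeral rule:", nacl_evaluate(OUTBOUND_NACL_NO_EPHEMERAL, HTTPS_REPLY, "outbound"))
    print("union of groups:", sg_allows_inbound([SG_EMPTY, SG_WEB], CLIENT_HTTPS))
    print("app from web sg:", sg_allows_inbound([SG_APP], WEB_TO_APP, src_groups={"sg-web"}))
```

Two results are worth dwelling on: the HTTPS reply is dropped by OUTBOUND_NACL_NO_EPHEMERAL even though the inbound request was allowed, which is the stateless trap that breaks "working" web servers after someone tightens a NACL; and CLIENT_SSH is refused although SG_WEB allows port 22, because the NACL is evaluated first and a deny there cannot be overridden by any security group.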
Network Address Translation (NAT) is the method of re-mapping one IP address space into another.
If you have a private subnet and its instances need outbound access to the internet, you use a NAT gateway to remap their private IPs to the gateway's public IP.
If you have two networks which have conflicting network addresses you can use a NAT to make the addresses compatible.
A (public) NAT gateway has to run within a public subnet, i.e. one whose route table has a route to an IGW; the private subnet's route table then sends 0.0.0.0/0 to the NAT gateway. A NAT gateway only allows connections initiated from inside; it does not accept inbound connections from the internet.
NAT Instances (legacy) are individual EC2 instances. Community AMIs exist to launch NAT Instances.
NAT Gateway is a managed service that is redundant within the selected AZ; for fault tolerance across AZs, deploy one NAT gateway per AZ.