AWS认证解决方案架构助理 - AWS VPC笔记
Virtual Private Cloud
Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Think of a AWS VPC as your own personal data center. Gives you complete control over your virtual networking environment.
Key Features
- VPCs are Region Specific they do not span regions
- You can create upto 5 VPC per region
- Every region comes with a default VPC
- You can have 200 subnets per VPC
- You can use IPv4 CIDR Block and in addition to a IPv6 CIDR Blocks(the address of the VPC)
- Cost nothing: VPC’s, Route Tables, Nacls, Internet Gateways, Security Groups and Subnets, VPC Peering
- Some things cost money: eg. NAT Gateway, VPC Endpoints, VPN Gateway, Customer Gateway.
- DNS hostnames (should your instance have domain name address)
Default VPC
AWS has a default VPC in every region so you can immediately deploy instance
- Create a VPC with a size /16 IPv4 CIDR blcok(172.31.0.0/16)
- Create a size /20 default subnet in each Availability Zone.
- Create an Internet Gateway and connect it to your default VPC.
- Create a default security group and associate it with your default VPC
- Create a default network access control list (NACL) and associate it with your default VPC
- Associate the default DHCP option set for your AWS account with your default VPC.
- When you create a VPC, it automatically has a main route table
0.0.0.0/0
knows as default
It represents all possible IP address
When we specify 0.0.0.0/0 in our route table for IGW we are allow internet access.
When we specific 0.0.0.0/0 in our security groups inbound rules we are allowing all traffic from the internet access our public resources.
When you see 0.0.0.0/0, just think of giving access from anywhere or the internet.
VPC Peering
VPC Peering allows you to connect one VPC with another over a direct network route using private IP addresses.
- Inscances on peered VPCs behave just like they are on the same network
- Connect VPCs across same or different AWS accounts and regions
- Peering uses a Star Configuation: 1 Central VPC - 4 other VPCs
- No Transitive Peering (peering must take place directly between VPCs)
- Need a one to connect to immediate VPC
- No Overlapping CIDR Blocks
Route Tables
Route tables are used to determine where network traffic is directed
Each subnet in your VPC must be associated with a route table
A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
Internet Gateway(IGW)
The Internet Gateway allows your VPC access to the internet.
IGW does two things:
- provide a target in your VPC route tables for internet route table traffic
- perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
To route out to the internet you need to add in your route tables you need to add a route to the internet gateway and set the Destination to be 0.0.0.0/0
Bastion / Jumpbox
Bastins are EC2 instances which are security harden. They are designed to help you gain access to your EC2 instances via SSH or RCP that are in private subnet
They are also knowns as Jump boxes because you are jumping from one box to access another.
NAT Gateways/Instances are only intended for EC2 instances to gain outbound access to the internet for things such as security updates. NATs cannot/should not be used as Bastins.
Direct Connect
AWS Direct Connect is the AWS solution for establishing dedicated network connections from on-premises locations to AWS.
Very fast network Lower Bandwidth 50M-500M or Higher Bandwidth 1GB or 10GB
- Helps reduce network costs and increase bandwidth throughput. (greate for high traffic networks)
- Provides a more consistent network experience than a typical internet-based connection, (reliable and secure)
VPC Endpoints
think of a secret tunnel where you don’t have to leave the AWS network
VPC Endpoints allow you to privately connect your VPC to other AWS services, and VPC endpoint services.
- Eliminates the need for an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect connections.
- Instances in the VPC do not require a public IP address to communicate with service resources.
- Traffic between your VPC and other services does not leave the AWS network
- Horizontally scaled. redundant, and highly available VPC component.
- Allows secure communication between instances and services without adding availability risks or bandwidth constrains on your traffic.
There are two Types of VPC Endpoints
- Interface Endpoints
- Gateway Endpoints
Interface Endpoints
Interface Endpoints are Elastic Network Interfaces (ENI) with a private IP address. They serve as an entry point for traffic going to a supported service.
Interface Endpoints are powered by AWS PrivateLink.
Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network.
Interface Endpoints supported the following AWS Services
- API Gateway
- CloudFormation
- CloudWatch
- Kinesis
- SageMaker
- CodeBuild
- AWS Config
- EC2 API
- ELB API
- AWS KMS
- Secret Manager
- Security Token Service
- Service Catalog
- SNS
- SQS
- Systems Manager
Gateway Endpoints
A Gateway Endpoint is a gateway that is a target for a specific route in your route table, used for traffic destined for a supported AWS service.
To create a Gateway Endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection.
AWS Gateway Endpoint currently only supports 2 services
- S3
- Dynamo DB
VPC Flow Logs
VPC Flow Logs allow you to capture IP traffic information in-and-out of Network Interfaces within your VPC.
Flow Logs can be created for
- VPC
- Subnets
- Network Interface
All log data is stored using Amazon CloudWatch Logs.
After a Flow Log is created it can be viewed in detail within CloudWatch Logs.
-
version
The VPC Flow Logs version -
account-id
The AWS account ID for the flow log. -
interface-id
The ID of the network interface for which the traffic is recorded -
srcaddr
The source IPv4 or IPv6 address. The IPv4 address of the network interface is always its private IPv4 address -
dstaddr
The destination IPv4 or IPv6 address. The IPv4 address of the network interface is always its private IPv4 address -
srcport
The source port of the traffic -
destport
The destination port of the traffic -
protocol
The IANA protocol number of the traffic. For more information. see Assigned Internet Protocol Numbers. -
packets
The number of packets transferred during the capture window -
bytes
The number of bytes transferred during the capture window -
start
The time, in Unix seconds, of the start of the capture window -
end
The time, in Unix seconds, of the start of the capture window -
action
The action associated with the traffic:- ACCEPT: The record traffic was permitted by the security groups or network ACLs.
- REJECT: The record traffic was not permitted by the security groups or network ACLs.
-
log-status
The logging status of the flow log- OK: Data os logging normally to the chosen destinatios.
- NODATA: There was no network traffic to or from the network interface during the capture window.
- SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.
Network Access Control List(NACLs)
NACLs act as a virtual firewall at the subnet level
Subnets are associated with NACLs. Subnets can only belong to a single NACL.
VPCs automatically get a default NACL.
Each NACL contains a set of rules that can allow or deny traffic into(inbound) and out of (outbound) subnets.
Rule # determines the order of evaluation. From lowest to highest. The highest rule # can be 32766 and its recommend to work in 10 or 100 increment.
You can allow or deny traffic. You could block a single IP address (You cant’t do this with Security Groups)
Use Case
We determine there is a malicious actor at a specific IP address is trying to access our instance so we block IP
We never need to SSH into instances so we add a DENY for there subnets. This is just an additional measure in case our Security Groups SSH prot was left open.
Security Groups
A virtual firewall that controls the traffic to and from EC2 Instances.
Security Groups acts as a virtual firewall at the instance level, associated with EC2 instances.
Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.
Provide security at the protocol and port access level.
There are no DENY rules. All traffic is block by default unless a rule specifically allows it.
Multiple Instances across multiple subnets can belong to a Security Group
Use Case
You can specify the source to be an IP range or A specific ip(/32 is a specific IP Address)
You can specify the source to be another security group.
An Instance can belong to multiple Security Groups, and rules are permissive (instead of restrictive). Meaning if you have one security group which has no Allow and you add an allow to another then it will Allow.
Limits
You can have upto 10000 Security Groups in a Region (default is 2500)
You can have 60 inbound rules and 60 outbound rules per security group
16 Security Group per Elastic Network Interface (ENI) (default is 5)
Network Address Translation(NAT)
Network Address Translation(NAT) is the method of re-mapping one IP address space into another.
If you have a private network and you need to help gain outbound access to the internet you would need to use a NAT gateway to remap the Private IPs.
If you have two networks which have conflicting network addresses you can use a NAT to make the address more agreeable.
NAT Instances vs NAT Gateways
NATs have to run within a Public Subnet
NAT Instances (legacy) are individual EC2 instance. Community AMIs exist to launch NAT Instances.
NAT Gateways is a managed service which launches redundant instances within the selected AZ.