Monday, 6 May 2019

Amazon Virtual Private Cloud(VPC)

Amazon VPC is the networking layer, which allows you to build your own virtual network within AWS t0 launch AWS resources that you define. VPC allows the user to select IP address range, create subnets, and configure route tables, network gateways, and security settings. Within a region, you can create multiple Amazon VPCs, and each Amazon VPC is logically isolated even if it shares its IP address space.



When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 availableaddresses) and should not overlap any other network with which they are to be connected.

VPC default limits

  • Maximum of 5 VPC per region.
  • Each VPC have a max of 1 Internet gateway and 1 Virtual private getaway.
  • Each VPC hosting a maximum 200 subnet per VPC (Increase limit by requesting AWS).
  • 200 Network ACL per VPC by default
  • 200 Route table per VPC by default
  • 500 Security Group per VPC by default.
  • 50 Active VPC peering connection per VPC by default. (Max 125)
  • 10 VPN connections per VPC.

Amazon VPC components


Subnets

A subnet is a segment of an Amazon VPC's IP address range where you can launch the AWS resources like Amazon EC2, Amazon RDS etc.
After creating an Amazon VPC, you can add one or more subnets in each Availability Zone. Subnets reside within one Availability Zone and cannot span zones. One subnet equals one Availability Zone. You can have multiple subnets in one Availability Zone. Default Amazon VPCs contain one public subnet in every Availability Zone within the region. 
Subnet can be classified as below.
Public subnet: A public subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's IGW.
Private subnet: A private subnet is one in which the associated route table does not direct the subnet's traffic to the Amazon VPC's IGW.
VPN-only subnet: A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's VPG and does not have a route to the IGW.


Route tables

A route table is contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are Public and which subnets are private.
You should remember the following points about route tables:
  • Your VPC has an implicit router.
  • Your VPC automatically comes with a main route table that you can modify.
  • You can create additional custom route tables for your VPC.
  • Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
  • Each Subnet within a VPC must be associated with a single route table at a time, while a route table can have multiple subnets associated with it.
  • You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
  • Each route in a table specifies a destination CIDR and a target.

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to AmazonProvidedDNS) and domain-name (defaulted to the domain name for your region).
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and assign it to your Amazon VPC.
  • Domain-name: Specify the desired domain name here (for example, mycompany.com).
  • Ntp-servers: The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
  • Netbios-name-servers: The IP addresses of up to four NetBIOS name servers, separated by commas.
  • Netbios-node-type: Set this value to 2.

Security Groups

security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic. You may change the rules for the default security group, but you may not delete the default security group.
  • You can create up to 500 security groups for each Amazon VPC.
  • You can add up to 50 inbound and 50 outbound rules to each security group.
  • You can specify allow rules, but not deny rules By default, no inbound traffic is allowed until you add inbound rules to the security group.
  • By default, new security groups have an outbound rule that allows all outbound traffic.
  • Security groups are statefull.

Network Access Control Lists (ACLs)

A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
  • Default network ACL associated with every subnet that allows all inbound and outbound traffic.
  • Custom network ACL, its initial configuration will deny all inbound and outbound traffic.
  • A network ACL associate with multiple subnet but subnet can be associate with only one network ACL at a time.

Amazon VPC optional components

Internet Gateways (IGWs)

An Internet Gateway (IGW) is a VPC component that allows communication between instances in your Amazon VPC and the Internet. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.

Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses. When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance's public IP address (or EIP address, covered later) and maintains the one-to-one map of the instance private IP address and public IP address.

When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance's private IP address and forwards the traffic to the Amazon VPC.

  • You must do the following to create a public subnet with Internet access:Attach an IGW to your Amazon VPC.
  • Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
  • Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.


Elastic IP (EIP) addresses

An Elastic IP Addresses (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs.

You must first allocate an EIP for use within a VPC and then assign it to an instance. EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).

  • There is a one-to-one relationship between network interfaces and EIPs.
  • You can move EIPs from one instance to another, either in the same Amazon VPC or a different Amazon VPC within the same region.
  • EIPs remain associated with your AWS account until you explicitly release them. There are charges for EIPs allocated to your account, even when they are not associated with a resource.


Elastic Network Interfaces (ENIs)

An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary. Assigning a second network interface to an instance via an ENI allows it to be dual-homed.
  • ENI can be attached to an instance, detached from that instance.
  • Primary ENIs (eth0) are created automatically when an EC2 instance is launched and also deleted when the instance is terminated 
  • An instance in a VPC always has a default primary ENI attached (eth0) with a private ip address assigned from vpc range and cannot be detached.
  • ENI can be attached to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
  • ENI in one subnet can be attached to an instance in another subnet, but the same AZ and same VPC
  • Primary (eth0) interface can’t be detached.
  • Secondary (ethN) ENI can be detached when the instance is running or stopped.

Network Address Translation (NATs) instances and NAT gateways

By default, any instance that you launch into a private subnet in VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the VPCin toapply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to access Internet.

NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW.

  • NAT instance allow in private subnet to send outbound internet communication, but it prevent the instance from receiving inbound traffic initiate by someone to the internet.
  • When creating a NAT Instance, Disable Source/Destination check on the instance.
  • NAT instance must be in public subnet.
  • There must be a route out of the private subnet to the NAT instance, in order for this work.
  • The amount of traffic that NAT instance can support depend on the instance size.
NAT Gateway
A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.

  • Less administrative effort than NAT instances.
  • Scale automatically up to 10Gbps and Not associated with security group.
  • Automatically assign a public Ip address.
  • No need to disable Source/Destination check.
  • Configure the route table associate with the private subnet to direct internet-bound traffic to the NAT gateway.
  • Amazon VPC offer two way to connect a corporate network to a VPC.
  • Virtual Private Gateway (VPG): VPG is the virtual private Network concentrator on the AWS side of the VPN connection between the two network.
  • Customer Gateways (CGWs): Represent a physical device or a software application on the customer side of VPN connection.


Peering

An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. 

A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.

  • You cannot create a peering connection between Amazon VPC that have matching or overlapping CIDR block.
  • You cannot create a peering connection between Amazon VPC in different region.
  • You cannot have more than one peering connection between the same two Amazon VPC at the same time.


Endpoints

An Amazon VPC endpoint create a connection between your Amazon VPC and another AWS service via private network without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect.
  • In VPC do not require public IP addresses for the Instance to communicate with other services.
  • Ensure that the endpoint is created in the same region as your bucket created. Endpoints currently do not support cross-region requests.
  • AWS currently supports endpoints for S3 service and DynamoDB services.
  • Multiple endpoint routes to different services can be specified in a route table.
  • Multiple endpoint routes to the same service can be specified in different route tables.
  • You cannot have multiple endpoints to the same service in a single route table.
  • Security groups needs to be modified to allow Outbound traffic from the VPC to the service that’s specified in the endpoint.
  • A route is automatically added to the Route table



Share:

Total Pageviews

Lables

Powered by Blogger.

Followers