What is VPC?
- With a VPC you get an isolated section of the AWS cloud. In a VPC, customers have complete control over the IP address range, subnets, route tables and network gateways.
- A VPC is a logical datacenter in a region; it can span the availability zones of that region.
- On-premises datacenters can be extended into an AWS VPC by creating a hardware VPN connection (hybrid cloud).
What can you do with VPC?
- Create subnets in the VPC (a subnet cannot span multiple AZs)
- Assign custom IP address ranges to each subnet
- Configure route tables between subnets
- Launch instances in VPC subnets
- Create an internet gateway and attach it to the VPC (one internet gateway per VPC)
- Better security control over your AWS resources:
- Instance security groups (stateful)
- Subnet network ACLs (stateless)
Default VPC
- All subnets in the default VPC have a route out to the internet
- Each EC2 instance in the default VPC has both a private IP and a public IP
- If you delete the default VPC you need to contact AWS to get it back
VPC peering
- Allows you to connect one VPC with another in the same region via a direct network route using IP addresses.
- Peering is not transitive.
- VPC peering can be done with other VPCs in the same account or in a different AWS account
- Instances behave as if they are on the same private network
When you create a VPC
- Subnets (not created by default)
- Internet gateway (not created by default)
- Route table (created by default)
- Network ACL (created by default)
- Security group (created by default)
When you create a subnet (e.g. 10.0.0.0/24)
- The first four IP addresses and the last IP address in each subnet CIDR are not available for customers to use:
- The first address is the network address (10.0.0.0)
- The last address is the network broadcast address (10.0.0.255)
- AWS reserves three IP addresses in the subnet (10.0.0.1, 10.0.0.2, 10.0.0.3)
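As an added example (not part of the original notes or any AWS tool), a small Python helper that lists the five reserved addresses and the usable host count for a subnet CIDR, and validates a proposed subnet plan against the VPC range; the VPC and subnet CIDRs it is run on are constructed.

```python
import ipaddress

# AWS keeps five addresses out of every subnet: the network address, the
# next three (VPC router, DNS resolver, reserved for future use) and the
# broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr):
    """Return the five addresses in `cidr` that cannot be assigned to instances."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_addresses(cidr):
    """Assignable addresses in the subnet: its size minus the five reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_subnet_plan(vpc_cidr, subnet_cidrs):
    """Check a proposed subnet layout and return a list of problems (empty if valid).

    Rules checked: each subnet lies inside the VPC range, no two subnets
    overlap, and each prefix is between /16 and /28 (the IPv4 sizes AWS allows).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, accepted = [], []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{cidr} is not a valid subnet CIDR (host bits set?)")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{cidr} is outside the VPC range {vpc_cidr}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{cidr} prefix must be between /16 and /28")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{cidr} overlaps {other}")
        accepted.append(net)
    return problems
```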
To make a subnet public:
- Attach an internet gateway to the VPC
- Create a route out to the internet with the internet gateway as the target. Best practice is to create a new route table for this rather than editing the main one, because the main route table is implicitly associated with every subnet that has no explicit association.
- Associate the subnet with that route table
- Enable 'auto-assign public IP' on the subnet. If you don't enable this option at the subnet level, you can enable it at the instance level when launching instances
Secure internet access to private subnet
Instances in a private subnet have no route to the internet. Secure internet access can be provided through a NAT instance or a NAT gateway.
NAT instance
- A NAT instance is launched from an Amazon-provided NAT AMI
- Deploy the NAT instance in a public subnet. NAT instances are always behind a security group. Use an Elastic IP or a public IP address
- Disable the source/destination check on the NAT instance. With the check enabled, the instance must be the source or destination of every packet it sends or receives, so it cannot forward traffic on behalf of other instances
- Create a route: destination 0.0.0.0/0, target the NAT instance
- A NAT instance is managed by the customer, so it is a single point of failure (SPOF); consider an Auto Scaling group
- The amount of traffic a NAT instance supports depends on the instance size
- Supports bursts up to the instance bandwidth
- Can be used as a bastion server
NAT gateway
- Create a NAT gateway in a public subnet and assign it an Elastic IP
- Add a route to the private subnet's route table: destination 0.0.0.0/0, target the NAT gateway
- With a NAT gateway there is no need to disable the source/destination check or to put it behind a security group
- NAT gateways are managed by AWS
- Supports bursts up to 1 Gbps
- Security groups cannot be associated with a NAT gateway (not required)
- AWS link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html
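As an added example (not part of the original notes or any AWS tool), a Python model of route-table lookup that classifies each subnet as public, private (NAT egress) or isolated, including the main-table fallback for subnets with no explicit association, and a check for the mistake the notes warn about: an internet gateway route in the main table. Route table, subnet and gateway ids are constructed placeholders.

```python
import ipaddress

# Constructed sample data (ids ending in -EXAMPLE are placeholders, not real
# AWS ids): route tables as lists of (destination CIDR, target) routes.
ROUTE_TABLES = {
    "rtb-main-EXAMPLE": {"main": True, "routes": [("10.0.0.0/16", "local")]},
    "rtb-public-EXAMPLE": {"main": False, "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]},
    "rtb-private-EXAMPLE": {"main": False, "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")]},
}
# Subnet -> explicitly associated route table; None means no explicit association.
SUBNET_ASSOCIATIONS = {"subnet-web-EXAMPLE": "rtb-public-EXAMPLE",
                       "subnet-app-EXAMPLE": "rtb-private-EXAMPLE",
                       "subnet-db-EXAMPLE": None}
# Any address outside the VPC works as a probe for "can this subnet reach the internet?"
INTERNET_PROBE = "203.0.113.10"


def route_table_for(subnet_id, associations=SUBNET_ASSOCIATIONS, tables=ROUTE_TABLES):
    """A subnet with no explicit association falls back to the VPC's main route table."""
    rtb = associations.get(subnet_id)
    return rtb if rtb else next(name for name, t in tables.items() if t["main"])

def lookup_route(routes, destination):
    """Longest-prefix match: the most specific route covering `destination` wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify_subnet(subnet_id, associations=SUBNET_ASSOCIATIONS, tables=ROUTE_TABLES):
    """public: internet route targets an internet gateway; private: it targets a NAT
    gateway or NAT instance; isolated: no route to the internet at all."""
    routes = tables[route_table_for(subnet_id, associations, tables)]["routes"]
    target = lookup_route(routes, INTERNET_PROBE)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private" if target.startswith(("nat-", "i-")) else "other"

def main_table_is_public(tables=ROUTE_TABLES):
    """True when the main route table carries an internet gateway route: every subnet
    that was never explicitly associated is then public, usually by accident."""
    main = next(t for t in tables.values() if t["main"])
    target = lookup_route(main["routes"], INTERNET_PROBE)
    return target is not None and target.startswith("igw-")
```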
Security for VPC
- Security groups: instance level. Act as a firewall for associated EC2 instances; control both inbound and outbound traffic.
- ACLs: subnet level. Act as a firewall for associated subnets; control both inbound and outbound traffic.
- Flow logs: capture information about the IP traffic going to and from network interfaces in your VPC.
- ACLs are stateless: return traffic must be explicitly allowed by rules. Responses to allowed inbound traffic are subject to the outbound rules.
- Default ACL – by default, allows all inbound and outbound traffic
- Custom ACL – by default, denies all inbound and outbound traffic
- Each subnet must be associated with a network ACL; if you don't explicitly associate a subnet with an ACL, it is automatically associated with the default ACL.
- When you change the ACL association of a subnet, its previous association is removed.
- A subnet can be associated with only one ACL, but an ACL can span multiple subnets.
- ACL rules are evaluated in ascending number order, and the lowest-numbered rule that matches wins, so in case of conflict the lower number takes precedence (e.g. inbound rule #200 denies HTTP traffic from 10.0.0.0/24 and inbound rule #500 allows HTTP traffic from 10.0.0.0/24: rule #200 wins)
- (Amazon recommendation): Create rule numbers in increments of 100.
- (Amazon recommendation): Create an inbound rule for the ephemeral port range.
- (Exam tip): Block IP addresses using ACLs, not security groups (security groups have allow rules only, no deny rules)
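As an added example (not part of the original notes or any AWS tool), a Python simulation of network ACL evaluation that reproduces the rule-ordering point (rule #200 beats #500) and the stateless point (a response back to the client's ephemeral port needs its own allow rule), with a stateful security-group check for contrast. The rule sets are constructed.

```python
from ipaddress import ip_address, ip_network

# A network ACL rule: (rule number, protocol, (low port, high port), CIDR, action).
# Inbound rules match on source CIDR, outbound rules on destination CIDR; both
# match on the destination port of the packet. Rule sets below are constructed.
EPHEMERAL = (1024, 65535)   # return traffic lands on the client's ephemeral port

INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (200, "tcp", (80, 80), "10.0.0.0/24", "deny"),     # the notes' example: 200 beats 500
    (500, "tcp", (80, 80), "10.0.0.0/24", "allow"),
]
OUTBOUND_NO_EPHEMERAL = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
OUTBOUND = OUTBOUND_NO_EPHEMERAL + [(200, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]


def evaluate_acl(rules, protocol, port, addr):
    """Walk the rules in number order; the first match decides. Nothing matching
    falls through to the implicit '*' rule, which denies."""
    for _num, proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto in ("all", protocol) and lo <= port <= hi and ip_address(addr) in ip_network(cidr):
            return action
    return "deny"


def acl_connection_allowed(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless: the request (inbound, server port) and the response (outbound,
    back to the client's ephemeral port) are each judged on their own."""
    request = evaluate_acl(inbound, protocol, server_port, client_ip)
    response = evaluate_acl(outbound, protocol, client_port, client_ip)
    return {"request": request, "response": response,
            "allowed": request == "allow" and response == "allow"}


def sg_connection_allowed(sg_inbound, client_ip, server_port, protocol="tcp"):
    """Stateful contrast: security group rules are allow-only, and once the request is
    allowed the response is allowed automatically, whatever the outbound rules say."""
    return any(proto in ("all", protocol) and lo <= server_port <= hi
               and ip_address(client_ip) in ip_network(cidr)
               for proto, (lo, hi), cidr in sg_inbound)
```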
VPC Flow logs
- VPC Actions -> Create Flow Log: choose the filter, the IAM role, and the destination CloudWatch Logs group.
NAT vs Bastion
- A NAT instance is used to route traffic from instances in a private subnet out to the internet (and the return traffic back to them)
- A bastion host (jump box) is used to administer instances in a private subnet from the internet. A bastion host is a hardened instance.
- For a highly available bastion, create at least two public subnets in different AZs and launch the bastion through an Auto Scaling group.