VPC & Networking

Moving on to the next session, VPC and Networking.

VPC :

  • Your private, isolated network where you can launch, use or test AWS resources.

  • You can specify various things, such as an IP address range, and add subnets, associate security groups, and configure route tables.

  • Attached to a region.

Subnets :

  • Allows you to split your network inside the VPC.

  • You have it within your VPC.

  • Public subnet - Accessible from the internet: put the resources you want to be public in there, e.g. EC2 instances.

  • Private subnet - Not accessible from the internet: put the resources you want to be private in there, e.g. a database.

  • Route table - Define where network traffic is directed.

  • Attached to an availability zone.

Internet Gateway & NAT Gateway :

  • Internet Gateway - Provides access to the internet; if a subnet has a route to the internet gateway, that makes it a public subnet.

  • NAT Gateway/Instance - Provides internet access to private subnets; the private subnet is still not reachable from the internet, but resources in it can reach out to the internet.
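The public/private distinction above is decided by routing, not by a flag on the subnet. The following is an added example, not part of the original notes: it models a small VPC (all CIDRs, subnet ids and gateway ids are made up) and classifies each subnet by the target of its route to a non-VPC address, using longest-prefix matching the way a VPC route table does. It also checks that subnets fall inside the VPC range and do not overlap.

```python
import ipaddress

# Constructed sample topology (not from the notes): one VPC, three subnets, three route tables.
VPC_CIDR = "10.0.0.0/16"

SUBNETS = {
    "subnet-public-a":   {"cidr": "10.0.1.0/24", "az": "us-east-1a", "route_table": "rtb-public"},
    "subnet-private-a":  {"cidr": "10.0.2.0/24", "az": "us-east-1a", "route_table": "rtb-private"},
    "subnet-isolated-b": {"cidr": "10.0.3.0/24", "az": "us-east-1b", "route_table": "rtb-isolated"},
}

# Route tables as (destination CIDR, target). The igw-/nat- identifiers are placeholders.
ROUTE_TABLES = {
    "rtb-public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")],
    "rtb-private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")],
    "rtb-isolated": [("10.0.0.0/16", "local")],          # no default route at all
}


def next_hop(subnet_id, dst_ip):
    """Longest-prefix match over the subnet's route table, as a VPC route table does.
    Returns the route target, or None when no route covers the destination (traffic is dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for dest_cidr, target in ROUTE_TABLES[SUBNETS[subnet_id]["route_table"]]:
        net = ipaddress.ip_network(dest_cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(subnet_id):
    """'public' if internet-bound traffic goes to an internet gateway (inbound from the internet
    is possible), 'private' if it goes through NAT (outbound only), 'isolated' if it has no route."""
    hop = next_hop(subnet_id, "198.51.100.1")   # any address outside the VPC stands in for "the internet"
    if hop is None:
        return "isolated"
    if hop.startswith("igw-"):
        return "public"
    if hop.startswith("nat-"):
        return "private"
    return "other"


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Return a list of problems: a subnet outside the VPC range, or two subnets that overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {sid: ipaddress.ip_network(cidr) for sid, cidr in subnet_cidrs.items()}
    problems = []
    for sid, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{sid} {net} is outside VPC {vpc}")
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for sid in SUBNETS:
        print(f"{sid}: {classify(sid)}")
    print(validate_subnets(VPC_CIDR, {sid: s["cidr"] for sid, s in SUBNETS.items()}))
```

Note that `next_hop("subnet-private-a", "10.0.1.5")` resolves to `local`: the VPC-internal route is the more specific match even though a default route also exists, which is why intra-VPC traffic never leaves through the NAT gateway.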

NACL & Security Groups :

  • NACL :

    • Network Access Control List.

    • Stateless - Return traffic must be explicitly defined.

    • Rules define what traffic is allowed inbound and outbound for the subnet.

    • Firewall at the subnet level.

    • Supports allow and deny rules.

  • Security Groups :

    • Stateful - Return traffic is automatically allowed.

    • Firewall at the instance level.

    • Only supports allow rules.
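The stateless/stateful difference and the allow-only nature of security groups are easiest to see by simulating both evaluations side by side. This is an added example, not code from the notes or from AWS: the rule sets, addresses and ports are constructed, and the evaluation logic is a simplified model of the documented behaviour (NACL rules tried in ascending rule number with first match deciding and an implicit deny; security groups matching any allow rule and tracking the return traffic for you).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str              # remote address range the rule applies to
    action: str = "allow"  # NACL: "allow" or "deny"; security groups only ever have "allow"
    number: int = 0        # NACL rule number (evaluation order); unused for security groups


def _matches(rule, protocol, port, remote_ip):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


def nacl_permits(rules, protocol, port, remote_ip):
    """NACL: rules are tried in ascending rule number, the first match decides,
    and anything unmatched falls through to the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, remote_ip):
            return rule.action == "allow"
    return False


def sg_permits(rules, protocol, port, remote_ip):
    """Security group: any matching allow rule permits; there is no deny rule to write."""
    return any(_matches(r, protocol, port, remote_ip) for r in rules)


def nacl_connection_ok(inbound, outbound, client_ip, server_port, client_port):
    """Stateless: the request is checked against the inbound rules, and the server's reply
    (destination port = the client's ephemeral port) must separately match an outbound rule."""
    return (nacl_permits(inbound, "tcp", server_port, client_ip)
            and nacl_permits(outbound, "tcp", client_port, client_ip))


def sg_connection_ok(inbound, client_ip, server_port):
    """Stateful: once the request is allowed inbound, the reply is tracked and allowed automatically."""
    return sg_permits(inbound, "tcp", server_port, client_ip)


# Constructed sample rule sets (not from the notes). 203.0.113.0/24 is a documentation range.
NACL_INBOUND = [
    Rule("tcp", 80, 80, "203.0.113.0/24", action="deny", number=100),   # block one range first...
    Rule("tcp", 80, 80, "0.0.0.0/0", action="allow", number=110),       # ...then allow HTTP from anywhere
]
# Outbound allow for the ephemeral port range so that replies to accepted requests can leave.
NACL_OUTBOUND_COMPLETE = [Rule("tcp", 1024, 65535, "0.0.0.0/0", action="allow", number=100)]
# A common misconfiguration: inbound is allowed, but replies are silently dropped.
NACL_OUTBOUND_MISSING = []

SG_INBOUND = [Rule("tcp", 80, 80, "0.0.0.0/0")]


if __name__ == "__main__":
    print("NACL, complete:", nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND_COMPLETE, "198.51.100.7", 80, 51234))
    print("NACL, no ephemeral outbound:", nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND_MISSING, "198.51.100.7", 80, 51234))
    print("NACL, denied range:", nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND_COMPLETE, "203.0.113.5", 80, 51234))
    print("SG, same client the NACL denied:", sg_connection_ok(SG_INBOUND, "203.0.113.5", 80))
```

Two things worth noticing in the output: the NACL with no outbound rule for the ephemeral range accepts the request and then drops the reply, which is exactly the "return traffic must be explicitly defined" point; and the security group cannot express the deny for 203.0.113.0/24 at all, so blocking a specific source is a job for the NACL.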

VPC Flow logs :

=> Capture logs of the network traffic going to and from your VPC.
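Flow logs are the main raw material for detecting what the NACLs and security groups actually did. The following is an added example, not part of the original notes: it parses records in the default (version 2) flow log field layout and runs two simple checks over them. The account id, ENI id and all traffic in `SAMPLE_LOG` are constructed; the VPC range passed to the checks is an assumption.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (not real traffic). Account and ENI ids are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0example 203.0.113.12 10.0.1.25 51234 22 6 8 520 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.25 40022 443 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example 10.0.2.40 10.0.1.25 33000 3306 6 15 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example 203.0.113.99 10.0.1.25 45000 3389 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example 203.0.113.12 10.0.1.25 51240 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse space-separated records into dicts. Records whose log_status is not OK
    (NODATA, SKIPDATA) carry '-' in most fields; they are kept but their fields are left as strings."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue   # malformed line; a real pipeline would count and alert on these
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            for field in INT_FIELDS:
                rec[field] = int(rec[field])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Count REJECT records per source address: a quick view of who is being blocked and how often."""
    return Counter(r["srcaddr"] for r in records
                   if r["log_status"] == "OK" and r["action"] == "REJECT")


def accepted_admin_from_outside(records, vpc_cidr, watched_ports=(22, 3389, 3306)):
    """Flag ACCEPTed flows to administrative or database ports whose source lies outside the VPC.
    Such a flow means a security group or NACL let the connection through; the expectation for a
    private subnet is that this list is empty."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue
        if r["dstport"] in watched_ports and ipaddress.ip_address(r["srcaddr"]) not in vpc:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("accepted admin traffic from outside the VPC:", accepted_admin_from_outside(recs, "10.0.0.0/16"))
```

With the sample data the rejected SSH and telnet attempts from 203.0.113.12 show up in the first check, the MySQL flow is ignored because its source is inside the VPC, and the accepted RDP connection from 203.0.113.99 is the one finding worth investigating.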

VPC Peering :

  • A way to connect 2 VPCs together via AWS's private network so that they behave as 1.

  • The 2 VPCs cannot have overlapping IP address ranges.

  • Not transitive - VPCs can only communicate if they are directly connected to each other.

VPC Endpoints :

  • Connect VPCs to AWS services using the AWS private network.

  • Gateway endpoint services - Amazon S3 and DynamoDB. Powered by PrivateLink ("Establish private connectivity between VPCs and services hosted on AWS or on-premises, without exposing data to the internet").

  • Interface endpoint services - every other endpoint-supported service.

  • Endpoints give you much lower latency and better security because, instead of the internet, you're using AWS's network.

Direct Connect & Site-to-site VPN :

  • These are both services for connecting an on-premises data center to a VPC.

  • Site-to-Site VPN :

    • Data travels over the public internet, but encrypted.

    • Can be set up very quickly, in about 5 min.

    • On-premises needs a customer gateway (CGW).

    • AWS needs a virtual private gateway (VGW).

  • Direct Connect :

    • This is a physical connection between on-premises and AWS.

    • Private, secure and fast.

    • Data travels over a private network.

    • Takes over 1 month to set up.

    • FASTER BUT MUCH MORE EXPENSIVE.

  • Transit Gateway :

    • Connects thousands of VPCs and on-premises networks together through a central hub.

VPC & Networking - Summary

  • VPC - Virtual Private Cloud

  • Subnets : Tied to a specific AZ, network partition of the VPC

  • Internet Gateway : at the VPC level, provides Internet access.

  • NAT Gateway/Instances : Give internet access to private subnets.

  • Network Access Control List - NACL : Stateless, subnet rules for inbound and outbound traffic

  • Security Groups : Stateful, operate at the EC2 instance (ENI) level

  • VPC Peering : Connect two VPCs with non-overlapping IP ranges, nontransitive.

  • VPC Endpoints : Provide private access to AWS services within VPC

  • VPC Flow Logs : Network traffic logs

  • Site-to-site VPN : VPN over public internet between on-premises DC and AWS

  • Direct Connect : Direct private connection to AWS.

  • Transit Gateway : Connect thousands of VPC and on-premises networks together.
