VPC :
Your private, isolated network where you can launch, use or test AWS resources.
You can specify various things, such as an IP address range, add subnets, associate security groups, and configure route tables.
Attached to a region.
Subnets :
Allows you to split your network inside the VPC.
You have it within your VPC.
Public subnet - Accessible from the internet : put the resources you want to be public in there, e.g. EC2 instances
Private subnet - Not accessible from the internet : put the resources you want to be private in here, e.g. database.
Route table - Define where network traffic is directed.
Attached to an availability zone.
Internet Gateway & NAT Gateway :
Internet Gateway - Provides access to the internet; if a subnet has a route to the internet gateway, that makes it a public subnet.
NAT Gateway/Instance - Provides internet access to private subnets; the private subnet is then not reachable from the internet, but it can reach out to the internet.
NACL & Security Groups :
NACL :
Network Access Control List.
Stateless - Return traffic must be explicitly defined.
Rules define which traffic can go inbound and outbound at the subnet.
Firewall at the subnet level.
Supports allow and deny rules.
Security Groups :
Stateful - Return traffic is automatically allowed.
Firewall at the instance level.
Only supports allow rules.
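As an added example (not part of the original notes), the following Python models the stateless/stateful difference above: a NACL judges the reply packet on its own, so an outbound allow for the client's ephemeral port must exist, while a security group tracks the connection and lets the reply through automatically. The rule tuple layout, the IP addresses and the ports are constructed for this illustration; the hypothetical "blocklisted range" deny rule also shows NACL rule ordering.

```python
import ipaddress

# NACL rule: (number, action, proto, port_from, port_to, cidr). Rules are
# evaluated lowest number first, first match wins, and anything unmatched
# hits the implicit deny ('*' rule).
def nacl_evaluate(rules, proto, port, peer_ip):
    for _, action, r_proto, lo, hi, cidr in sorted(rules, key=lambda r: r[0]):
        if (r_proto == proto and lo <= port <= hi
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)):
            return action == "allow"
    return False

def nacl_round_trip(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request and its reply are judged independently, so the
    reply to the client's ephemeral port needs its own outbound allow."""
    request_ok = nacl_evaluate(inbound, "tcp", server_port, client_ip)
    reply_ok = nacl_evaluate(outbound, "tcp", client_port, client_ip)
    return request_ok, reply_ok

# Security-group rule: (proto, port_from, port_to, cidr); allow rules only.
def sg_round_trip(inbound, client_ip, client_port, server_port):
    """Stateful: once the request is allowed the connection is tracked and the
    reply is allowed automatically, whatever the outbound rules say."""
    request_ok = any(
        r_proto == "tcp" and lo <= server_port <= hi
        and ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr)
        for r_proto, lo, hi, cidr in inbound)
    return request_ok, request_ok

# Constructed scenario: a client opens TCP 443 from ephemeral port 51000.
CLIENT, CLIENT_PORT, SERVER_PORT = "203.0.113.10", 51000, 443
NACL_IN = [(90, "deny", "tcp", 0, 65535, "198.51.100.0/24"),   # blocklisted range
           (100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_MISSING = []                                            # reply rule forgotten
NACL_OUT_FIXED = [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral ports
SG_IN = [("tcp", 443, 443, "0.0.0.0/0")]

def demo():
    return {
        "nacl_without_ephemeral_rule": nacl_round_trip(
            NACL_IN, NACL_OUT_MISSING, CLIENT, CLIENT_PORT, SERVER_PORT),
        "nacl_with_ephemeral_rule": nacl_round_trip(
            NACL_IN, NACL_OUT_FIXED, CLIENT, CLIENT_PORT, SERVER_PORT),
        "security_group": sg_round_trip(SG_IN, CLIENT, CLIENT_PORT, SERVER_PORT),
        "nacl_denied_range": nacl_evaluate(NACL_IN, "tcp", 443, "198.51.100.5"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```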
VPC Flow Logs :
Capture logs of the network traffic to and from your VPC.
VPC Peering :
Way to connect 2 VPCs together via AWS's private network so they behave as 1.
The 2 VPCs cannot have overlapping IP address ranges.
Not transitive - VPCs can only communicate if they are directly connected to each other.
VPC Endpoints :
Connect VPCs to AWS services using AWS's private network.
Gateway endpoint services : Amazon S3 and DynamoDB, powered by PrivateLink ("Establish private connectivity between VPCs and services hosted on AWS or on-premises, without exposing data to the internet").
Interface endpoint services : every other endpoint-supported service.
Endpoints give you much lower latency and better security because traffic stays on AWS's network instead of crossing the internet.
Direct Connect & Site-to-Site VPN :
These are both services for connecting an on-premises data center to a VPC.
Site-to-Site VPN :
Data travels over the public internet, but encrypted.
Can be set up very quickly, in about 5 min.
On-premises needs a customer gateway (CGW).
AWS needs a virtual private gateway (VGW).
Direct Connect :
This is a physical connection between on-premises and AWS.
Private, secure and fast.
Data travels over a private network.
Takes 1+ month to set up.
FASTER BUT MUCH MORE EXPENSIVE.
Transit Gateway :
Connect thousands of VPCs and on-premises networks together to a central hub.
VPC & Networking - Summary
VPC - Virtual Private Cloud
Subnets : Tied to a specific AZ, network partition of the VPC
Internet Gateway : at the VPC level, provide Internet Access.
NAT Gateway/Instances : Give internet access to private subnets.
Network Access Control List - NACL : Stateless, subnet rules for inbound and outbound traffic
Security Groups : Stateful, operate at the EC2 instance level or ENI
VPC Peering : Connect two VPCs with non-overlapping IP ranges, non-transitive.
VPC Endpoints : Provide private access to AWS services within VPC
VPC Flow Logs : Network traffic logs
Site-to-site VPN : VPN over public internet between on-premises DC and AWS
Direct Connect : Direct private connection to AWS.
Transit Gateway : Connect thousands of VPC and on-premises networks together.