Intro
- A VPC is a logical data centre in AWS
- A subnet belongs to exactly 1 AZ
- SGs are stateful
- nACLs are stateless
- No transitive peering: each pair of VPCs needs its own peering connection
- When a VPC is created, a default nACL and default SG are also created
- AWS always reserves 5 IPs (per subnet)
- Only 1 IGW per VPC
- By default, SGs do not allow access to each other
Public subnets
- Route to the IGW for internet access
Private subnets
- Use a NAT gateway for internet access
- The NAT gateway sits in the public subnet
NAT
- NAT instances are no longer used
- NAT gateways are used instead
- Put the NAT gateway in the public SN
- Let the private SNs route through it
- Needs an Elastic IP (can be generated on creation)
- Redundant within the AZ
- 1 NAT gateway per AZ
- Not part of any SG
- Update the route tables so internet-bound traffic from the default/private SNs points to this NAT gateway
Access Control Lists (ACL)
- At VPC level
- Deny everything by default
- Ephemeral ports: need an outbound AND an inbound rule for 1024-65535 (the NAT gateway port range)
- Rules are evaluated in order of rule number (priority)
- e.g. a deny rule must come before the matching allow for it to actually deny
- ACLs are checked before anything else, such as SGs
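Added example (not from these notes): a small Python simulator of how a nACL evaluates rules, showing the rule-number ordering and why the stateless ACL needs the ephemeral-port rules for return traffic. The rule sets and IP ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number: lower numbers are evaluated first
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # source range (inbound) or destination range (outbound)

def evaluate(rules, protocol, port, ip):
    """Decide one packet. Rules are walked in rule-number order and the first
    match wins; if nothing matches, the implicit '*' rule denies the packet."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not r.port_from <= port <= r.port_to:
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"

def check_flow(inbound, outbound, client_ip, client_port, server_port):
    """Simulate a client's TCP connection to a host in the subnet. The NACL is
    stateless, so the request (to server_port) is checked against the inbound
    rules and the reply (to the client's ephemeral port) separately against the
    outbound rules; the connection only works if both legs are allowed."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"

# Constructed sample rule sets (documentation address ranges, not real networks).
INBOUND = [
    Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),   # numbered below the allow, so it wins
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
OUTBOUND = OUTBOUND_MISSING_EPHEMERAL + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
# Same deny, but numbered after the allow: the allow matches first and the deny never fires.
INBOUND_DENY_TOO_LATE = [Rule(200, "deny", "tcp", 443, 443, "203.0.113.0/24"), INBOUND[1]]

if __name__ == "__main__":
    print(check_flow(INBOUND, OUTBOUND, "198.51.100.7", 50000, 443))                    # True
    print(check_flow(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.7", 50000, 443))  # False: reply dropped
    print(check_flow(INBOUND, OUTBOUND, "203.0.113.5", 50000, 443))                     # False: deny at 90 wins
    print(check_flow(INBOUND_DENY_TOO_LATE, OUTBOUND, "203.0.113.5", 50000, 443))       # True: deny came too late
```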
Flow Logs
- Logs of the traffic going through network interfaces
- Can be enabled at:
- VPC level
- Subnet level
- Network interface level
- To send the logs to CloudWatch, you need a log group (can create one via CloudWatch)
- Doesn't work with peered VPCs if they are across multiple accounts; same-account peering works
- Traffic generated by instances connecting to the Amazon DNS server is not captured
Bastion host
- A way to SSH or RDP into instances in a private subnet
- Harden the bastion host; it forwards into the private SN
Direct Connect
- Private connectivity between AWS and your data centre
- Uses your 'cage' with the partner's 'cage' for a dedicated connection
- For high throughput
Setting up a VPN Over a Direct Connect Connection
- Create a virtual interface in the Direct Connect console (this is a public virtual interface)
- Create a customer gateway (under VPN connections)
- Create a VGW (private)
- Attach the VGW to the desired VPC
- Select VPN connections and create a new VPN connection
- Select the VGW and the customer GW
- Once the VPN is available, set up the VPN on the customer GW or firewall
Global Accelerator
- Directs traffic to optimal endpoints over the AWS global network
- Improves availability and performance of internet applications used by a global audience
- Provides 2 static IPs
- Components:
- Accelerator
- Network Zone (NZ): similar to an AZ; pointed to by DNS
- Listener
- Endpoint group: per region (?)
VPC Endpoints
- A way to route traffic to AWS services without leaving the Amazon network
- e.g. no need for an IGW, NAT GW or Direct Connect
- Endpoints are virtual devices: horizontally scaled, redundant, HA
- Types:
  - Interface endpoints
    - A collection of one or more ENIs with a private IP that serves as an entry point for traffic destined to a supported service
    - Attach an ENI to an EC2 instance; that lets it communicate with various services over the Amazon internal network
    - Enables connectivity to services over AWS PrivateLink
  - Gateway endpoints
    - e.g. VPC gateway
    - Targets specific IP routes in an Amazon VPC route table in the form of a prefix list
    - Used for traffic destined to DynamoDB or S3
    - Gateway endpoints do not use AWS PrivateLink
    - Are destinations reachable from within an Amazon VPC through prefix lists in the Amazon VPC route table
- Instances in an Amazon VPC do not need a public IP to communicate with VPC endpoints, as interface endpoints use local IP addresses within the Amazon VPC
- Creating one: Endpoints -> create endpoint
  - Choose the service, e.g. S3
  - Choose the route table
  - IAM policy / full access
  - The endpoint is created straight away, but the route table sometimes takes a few minutes to update
  - CLI commands (e.g. s3 ls) must specify the region
VPN CloudHub
- Single public virtual gateway
- Single point of contact to connect VPN infrastructure to
- i.e. with multiple VPN sites, use CloudHub to connect them
AWS Network Costs
- Use private IPs over public IPs to stay on the AWS backbone network
- Cheaper to use one AZ, but obviously not the best architecture...