AWS VPC Notes

VPC allows users to launch AWS resources in a virtual network that they have defined. This document provides details about IP address ranges, subnets, network access control, routing and security within a VPC. It also summarizes VPC endpoints, AWS PrivateLink, NAT gateways, internet gateways, VPN connections and examples of VPC architectures for single-tier and multi-tier applications.

Uploaded by

Joel White

===
VPC
===

The private IPv4 address ranges that can be specified while creating a VPC are:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Subnet sizing for IPv6: a VPC's IPv6 CIDR block uses a fixed prefix length of /56.
A subnet's IPv6 CIDR block uses a fixed prefix length of /64.
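The following is an added example, not part of the original notes, that turns the address-range rules above into a check a practitioner can run before creating a VPC: it classifies an IPv4 block against the three private ranges, verifies that subnets sit inside the VPC block without overlapping, and checks the /56 (VPC) and /64 (subnet) IPv6 prefix lengths the notes state. All sample CIDRs are constructed; the only library used is Python's standard ipaddress module.

```python
import ipaddress

# The three private IPv4 ranges the notes list as valid for a VPC's IPv4 CIDR block.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Prefix lengths the notes give for IPv6: /56 for the VPC block, /64 for each subnet.
VPC_IPV6_PREFIXLEN = 56
SUBNET_IPV6_PREFIXLEN = 64


def private_range_for(cidr):
    """Return the private range (as a string) that contains `cidr`, or None
    when the block falls outside all three (a public block that would collide
    with real Internet addresses)."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    for rng in PRIVATE_RANGES:
        if net.subnet_of(rng):
            return str(rng)
    return None


def check_ipv4_layout(vpc_cidr, subnet_cidrs):
    """Findings for a VPC IPv4 block and its subnets: block outside the private
    ranges, a subnet outside the VPC block, or subnets overlapping each other."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if private_range_for(vpc_cidr) is None:
        findings.append(f"VPC block {vpc} is not in a private (RFC 1918) range")
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            findings.append(f"subnet {s} is outside VPC block {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    return findings


def check_ipv6_layout(vpc_cidr6, subnet_cidrs6):
    """Findings for an IPv6 layout: VPC block not /56, a subnet not /64, or a
    subnet outside the VPC block."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr6, strict=True)
    if vpc.prefixlen != VPC_IPV6_PREFIXLEN:
        findings.append(f"VPC IPv6 block {vpc} is /{vpc.prefixlen}, expected /{VPC_IPV6_PREFIXLEN}")
    for s in (ipaddress.ip_network(c, strict=True) for c in subnet_cidrs6):
        if s.prefixlen != SUBNET_IPV6_PREFIXLEN:
            findings.append(f"subnet {s} is /{s.prefixlen}, expected /{SUBNET_IPV6_PREFIXLEN}")
        if not s.subnet_of(vpc):
            findings.append(f"subnet {s} is outside VPC block {vpc}")
    return findings


if __name__ == "__main__":
    # Constructed sample layouts (not from the notes).
    print(check_ipv4_layout("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    print(check_ipv4_layout("11.0.0.0/16", ["11.0.1.0/24", "11.0.1.128/25"]))
    print(check_ipv6_layout("2001:db8:1234:5600::/56", ["2001:db8:1234:5601::/64"]))
```

strict=True is deliberate: a CIDR with host bits set (for example 10.0.1.5/24) raises a ValueError instead of being silently normalised, which is the behaviour you want from a pre-flight check.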

===
NAT
===
A NAT device is used to control inbound connections from the Internet. Traffic from an instance takes this path:

EC2 -> NAT device with Elastic (public) IP -> Internet Gateway -> Internet

If your VPC is associated with an IPv6 CIDR block and your instances are assigned IPv6
addresses, they can initiate outbound connections to the Internet through an
egress-only Internet gateway.

A VPN connection costs between $0.05 and $0.065/hour depending on the region.

A NAT gateway costs between $0.045 and $0.093/hour.

===========
Route Table
===========
Each route table can be associated with multiple subnets, but a subnet is
associated with only one route table.
Every VPC has a default route table, called the main route table, which cannot be deleted.

NACLs are the security layer at the subnet level: a network ACL acts as a firewall that
controls inbound and outbound traffic for its subnets.

An Elastic IP address is a static, public IPv4 address that can be associated with any
instance and can be moved from one instance to another within your AWS account.
Once you have released an Elastic IP address, you cannot get it back.
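To make the NACL description above concrete, here is an added example (not from the original notes) that models how a network ACL evaluates traffic: rules are checked in ascending rule-number order, the first match decides, and the implicit final rule denies everything else. Because the ACL is stateless, the example also shows why an outbound rule for the client's ephemeral ports is needed before an allowed HTTPS request can actually complete. The rule set and IP addresses are constructed (documentation ranges), not values from the notes.

```python
import ipaddress


class NetworkAcl:
    """A subnet-level network ACL as the notes describe it: a stateless packet
    filter. Rules are evaluated in ascending rule-number order, the first rule
    that matches decides, and the implicit final rule ('*') denies anything
    that no explicit rule matched."""

    def __init__(self, rules):
        # Each rule: number, direction ("inbound"/"outbound"), action
        # ("allow"/"deny"), protocol ("tcp"/"udp"/"all"), port_from, port_to, cidr.
        # sorted() is stable, so two rules with the same number keep their order.
        self.rules = sorted(rules, key=lambda r: r["number"])

    def evaluate(self, direction, remote_ip, protocol, port):
        """Return (action, rule_number) for one packet. remote_ip is the source
        address for inbound packets and the destination for outbound ones."""
        addr = ipaddress.ip_address(remote_ip)
        for r in self.rules:
            if r["direction"] != direction:
                continue
            if r["protocol"] not in ("all", protocol):
                continue
            if not (r["port_from"] <= port <= r["port_to"]):
                continue
            if addr not in ipaddress.ip_network(r["cidr"], strict=True):
                continue
            return r["action"], r["number"]
        return "deny", "*"


def connection_allowed(acl, client_ip, server_port, client_port, protocol="tcp"):
    """Stateless filtering means a client connection succeeds only if the
    request (inbound to server_port) AND the reply (outbound to the client's
    ephemeral port) are both allowed."""
    request, _ = acl.evaluate("inbound", client_ip, protocol, server_port)
    reply, _ = acl.evaluate("outbound", client_ip, protocol, client_port)
    return request == "allow" and reply == "allow"


# Constructed rule set: block one source range before the general HTTPS allow
# (the lower number wins), and permit replies on the ephemeral port range.
SAMPLE_RULES = [
    {"number": 90, "direction": "inbound", "action": "deny", "protocol": "all",
     "port_from": 0, "port_to": 65535, "cidr": "198.51.100.0/24"},
    {"number": 100, "direction": "inbound", "action": "allow", "protocol": "tcp",
     "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
    {"number": 100, "direction": "outbound", "action": "allow", "protocol": "tcp",
     "port_from": 1024, "port_to": 65535, "cidr": "0.0.0.0/0"},
]


def sample_acl():
    return NetworkAcl(SAMPLE_RULES)


def sample_acl_without_ephemeral_rule():
    """Same ACL with the outbound ephemeral-port rule removed: requests are
    still accepted, but every reply is dropped by the implicit deny."""
    return NetworkAcl([r for r in SAMPLE_RULES if r["direction"] == "inbound"])


if __name__ == "__main__":
    acl = sample_acl()
    print(acl.evaluate("inbound", "203.0.113.5", "tcp", 443))
    print(acl.evaluate("inbound", "198.51.100.7", "tcp", 443))
    print(connection_allowed(acl, "203.0.113.5", 443, 50000))
    print(connection_allowed(sample_acl_without_ephemeral_rule(), "203.0.113.5", 443, 50000))
```

The ordering point is the one that bites in practice: a deny rule only takes effect if its number is lower than the allow rule it is meant to override.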

=============
VPC Endpoints
=============
VPC endpoints are virtual devices that enable private connections from a VPC to
supported AWS services and to VPC endpoint services powered by PrivateLink, without
requiring a VPN connection, a NAT device or an Internet gateway.

There are two types of VPC endpoints:

Interface endpoints
An interface endpoint is an elastic network interface with a private IP address that acts
as an entry point for traffic destined to supported services such as the Amazon EC2 API,
the Elastic Load Balancing API, and many other services.

Gateway endpoints
A gateway endpoint is a gateway that is the target of a specified route in your route
table, used for traffic destined to Amazon S3 and DynamoDB.

===============
AWS PrivateLink
===============
AWS PrivateLink is a VPC endpoint service. It connects your VPC privately to supported
AWS services and to services hosted by other AWS accounts.

Instances in VPC -> [PrivateLink] -> AWS Services

To enable PrivateLink, create an interface VPC endpoint for a service in your VPC.
This creates an elastic network interface in your subnet with a private IP address
that serves as the entry point for traffic destined to the service.

=============================
Egress-Only Internet Gateways
=============================
An egress-only Internet gateway is used only for IPv6 traffic. It enables outbound
communication from instances in the VPC to the Internet and prevents the Internet from
initiating an IPv6 connection with your instances.

===========
VPC Peering
===========
VPC peering is used to route traffic between two VPCs privately.

============
VPC Scenario
============
--> VPC with a single public subnet (recommended for single-tier, public-facing,
simple applications such as a website or a blog).

--> VPC with public and private subnets (NAT)

Provisioning a VPC with public and private subnets is recommended for multi-tier
applications where the web servers are in the public subnet and the back-end servers
are in the private subnet.

Instances in the public subnet can communicate directly with the Internet, but
instances in the private subnet can't; so, in this scenario, a NAT device is attached
to the VPC.

--> VPC with public and private subnets and AWS managed VPN access
({Public,Private} Subnet --> Virtual Private GW --> VPN Connection --> Customer
gateway --> On Prem)

--> VPC with a private subnet only and AWS managed VPN access

========
Practice
========
VPC - Create Subnets in a VPC

Create a public subnet and a private subnet (5 IPs are reserved in each subnet: 4 at the
beginning of the range and 1 at the end of the range).
Create separate route tables for the public and private subnets.
Associate each route table with its subnet (otherwise the main route table is used).

Create an IGW and attach it to the VPC.

In the public subnet's route table, create a route entry sending public traffic to the IGW.

Create a NAT GW and select the public subnet for it.

In the private subnet's route table, create a route entry sending public traffic to the NAT GW.

VPC settings - select your VPC and edit DNS Resolution and DNS Hostnames to true.
In the public subnet, select auto-assign public address.
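The Practice steps above build one public and one private subnet with separate route tables. The added example below (not from the original notes) models the result so it can be reasoned about offline: it lists the 5 reserved addresses in a subnet, resolves which route table a subnet uses (falling back to the main table when no association exists), performs the longest-prefix route lookup, classifies each subnet as public, private or isolated from where its Internet-bound traffic exits, and flags any subnet meant to be private whose default route actually reaches the Internet gateway. The VPC and subnet CIDRs, the gateway ids and the probe address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder gateway ids (constructed; real ids come from the console or CLI).
IGW_ID = "igw-PLACEHOLDER"
NATGW_ID = "nat-PLACEHOLDER"
PROBE_PUBLIC_IP = "203.0.113.10"  # documentation range; stands in for "the Internet"


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet: the first four
    (network, VPC router, DNS, reserved for future use) and the last (broadcast)."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=True))
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def usable_addresses(subnet_cidr):
    """Addresses left for instances after the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


@dataclass
class RouteTable:
    name: str
    routes: dict  # destination CIDR -> target, e.g. {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-..."}

    def lookup(self, dst_ip):
        """Longest-prefix match over the routes; None when nothing matches."""
        addr = ipaddress.ip_address(dst_ip)
        best_net, best_target = None, None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr, strict=True)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target


@dataclass
class Vpc:
    cidr: str
    main: RouteTable
    tables: dict        # route table name -> RouteTable
    associations: dict  # subnet name -> route table name (absent = not associated)
    subnets: dict       # subnet name -> CIDR

    def route_table_for(self, subnet):
        """A subnet with no explicit association uses the main route table."""
        name = self.associations.get(subnet)
        return self.tables[name] if name in self.tables else self.main

    def classify(self, subnet):
        """'public' if Internet-bound traffic exits via an Internet gateway,
        'private' if it exits via a NAT gateway, 'isolated' if there is no route."""
        target = self.route_table_for(subnet).lookup(PROBE_PUBLIC_IP)
        if target is None or target == "local":
            return "isolated"
        if target.startswith("igw-"):
            return "public"
        if target.startswith("nat-"):
            return "private"
        return "other"


def find_exposed_private_subnets(vpc, intended_private):
    """Subnets meant to be private whose default route reaches an Internet
    gateway, i.e. a route-table or association mistake worth catching."""
    return [s for s in intended_private if vpc.classify(s) == "public"]


def practice_vpc():
    """The layout the Practice section builds, with constructed addresses
    plus a third subnet that was never associated with a route table."""
    main = RouteTable("main", {"10.0.0.0/16": "local"})
    public_rt = RouteTable("public-rt", {"10.0.0.0/16": "local", "0.0.0.0/0": IGW_ID})
    private_rt = RouteTable("private-rt", {"10.0.0.0/16": "local", "0.0.0.0/0": NATGW_ID})
    return Vpc(
        cidr="10.0.0.0/16",
        main=main,
        tables={"public-rt": public_rt, "private-rt": private_rt},
        associations={"public": "public-rt", "private": "private-rt"},
        subnets={"public": "10.0.1.0/24", "private": "10.0.2.0/24", "spare": "10.0.3.0/24"},
    )


if __name__ == "__main__":
    vpc = practice_vpc()
    for name, cidr in vpc.subnets.items():
        print(name, cidr, vpc.classify(name), reserved_addresses(cidr))
```

Note that an instance in a public subnet still needs a public or Elastic IP to be reachable; the classification here only tells you where the subnet's default route points.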

==============
VPN Connection
==============
An AWS managed VPN connection enables your VPC to connect to your own corporate data
center. It consists of a virtual private gateway attached to your VPC and a customer
gateway located in your data center.

======
TryOut
======

##VPC with a Public Subnet

Create a VPC with a public subnet.
Specify your own IPv4 CIDR block ranges for the VPC and the subnet.
Create a security group.
Add an inbound rule that allows SSH traffic from an IPv4 address.
Launch a Linux AMI into the VPC and configure the instance details.
Associate an Elastic IP with the instance.
Launch the instance with your key pair.

##Associate VPC with NAT Gateway

Create a NAT gateway and configure its details.
Create a VPC with public and private subnets.
Specify the details of the NAT gateway.
Create two sets of security group rules, one for the web servers and the other for the databases.
Add an inbound rule to allow RDP traffic from an IPv4 address (for a Windows client).
Add an outbound rule for HTTPS traffic to the Internet, with destination 0.0.0.0/0.
Define the database security rules based on your third-party resource.
Launch a Windows AMI into the VPC and configure the instance details.
Launch the instance with your key pair.
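Both TryOut walkthroughs above add inbound SSH or RDP rules "from an IPv4 address" and an outbound HTTPS rule to 0.0.0.0/0. The added example below (not from the original notes) models security group evaluation as it differs from a NACL: rules are an allow-list only, every rule is checked and any match permits, and the group is stateful, so replies need no rule. It then audits a group for the mistake the walkthrough's wording guards against, an SSH or RDP rule whose source is wider than a single address. The client address and rule values are constructed; rules that reference another security group rather than a CIDR are not modelled.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


class SecurityGroup:
    """Instance-level security group as the TryOut steps use it: allow rules
    only (no deny), all rules are evaluated and any match permits, and it is
    stateful, so replies to permitted traffic need no rule of their own.
    Simplification: sources/destinations are CIDRs only."""

    def __init__(self, name, inbound=(), outbound=()):
        # Each rule: protocol ("tcp"/"udp"/"all"), port_from, port_to, cidr.
        self.name = name
        self.inbound = list(inbound)
        self.outbound = list(outbound)

    @staticmethod
    def _matches(rule, remote_ip, protocol, port):
        return (rule["protocol"] in ("all", protocol)
                and rule["port_from"] <= port <= rule["port_to"]
                and ipaddress.ip_address(remote_ip)
                in ipaddress.ip_network(rule["cidr"], strict=True))

    def allows(self, direction, remote_ip, protocol, port):
        """True if any rule in the given direction matches (remote_ip is the
        source for inbound traffic, the destination for outbound)."""
        rules = self.inbound if direction == "inbound" else self.outbound
        return any(self._matches(r, remote_ip, protocol, port) for r in rules)


def audit_admin_exposure(sg):
    """Flag inbound rules that open SSH or RDP to more than one address. The
    TryOut steps allow them from a single IPv4 address, i.e. a /32 source."""
    findings = []
    for r in sg.inbound:
        net = ipaddress.ip_network(r["cidr"], strict=True)
        if r["protocol"] not in ("all", "tcp"):
            continue
        for port, label in ADMIN_PORTS.items():
            if r["port_from"] <= port <= r["port_to"] and net.prefixlen < net.max_prefixlen:
                findings.append(f"{sg.name}: {label} ({port}/tcp) open to {net}")
    return findings


def web_server_group(admin_client_ip):
    """The web-server group from the TryOut: RDP inbound from one client
    address, HTTPS outbound to the Internet. admin_client_ip is constructed."""
    return SecurityGroup(
        "web-sg",
        inbound=[{"protocol": "tcp", "port_from": 3389, "port_to": 3389,
                  "cidr": f"{admin_client_ip}/32"}],
        outbound=[{"protocol": "tcp", "port_from": 443, "port_to": 443,
                   "cidr": "0.0.0.0/0"}],
    )


if __name__ == "__main__":
    web = web_server_group("203.0.113.10")
    print(web.allows("inbound", "203.0.113.10", "tcp", 3389))
    print(web.allows("inbound", "203.0.113.11", "tcp", 3389))
    wide = SecurityGroup("bad-sg", inbound=[{"protocol": "tcp", "port_from": 0,
                                             "port_to": 65535, "cidr": "0.0.0.0/0"}])
    print(audit_admin_exposure(wide))
```

Running the audit against a group exported from a real account is a cheap way to confirm that the "from an IPv4 address" step was not later loosened to 0.0.0.0/0.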

##AWS Managed VPN Connection

Create a VPC with public and private subnets and AWS managed VPN access.
Create a customer gateway.
Configure the customer gateway with static routing and provide the on-premises endpoint
IP address.
Create a virtual private gateway.
Attach it to your VPC.
Create a new VPN connection.
Specify your customer gateway and virtual private gateway details.
Download your configuration details via "Download Configuration".
