VPC

The document outlines the configurations and limitations of Virtual Private Clouds (VPCs) in AWS, including dedicated tenancy, CIDR blocks, and various networking components such as Internet Gateways, NAT Gateways, and VPC endpoints. It also explains the differences between Network Access Control Lists (NACLs) and Security Groups (SGs), as well as the use cases for VPC peering and DHCP options. Additionally, it provides examples of AWS CLI commands for interacting with S3 and configuring access policies for EC2 instances.

Uploaded by

vacapil145
VPC (Virtual Private Cloud)

Dedicated tenancy ensures all EC2 instances that are launched in a VPC run on hardware that's
dedicated to a single customer.

VPC CIDR blocks: 170.0.0.0/16, 10.0.0.0/24 and 190.0.0.0/16

Public subnets: 170.0.16.0/20, 190.0.32.0/20

Private subnets: 170.0.32.0/20, 10.0.0.0/24 and 190.0.16.0/20
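Before creating subnets it is worth validating such a plan; the following added Python example (not part of the original notes) checks the CIDRs listed above with the standard library: every subnet lies inside a VPC CIDR, no two subnets overlap, usable host counts account for the five addresses AWS reserves in each subnet, and VPC ranges outside RFC 1918 are flagged. The reservation and the RFC 1918 check are AWS facts; the helper names are mine.

```python
import ipaddress

# CIDR values are the ones listed in the notes above.
VPC_CIDRS = ["170.0.0.0/16", "10.0.0.0/24", "190.0.0.0/16"]
PUBLIC_SUBNETS = ["170.0.16.0/20", "190.0.32.0/20"]
PRIVATE_SUBNETS = ["170.0.32.0/20", "10.0.0.0/24", "190.0.16.0/20"]

# AWS reserves the first four addresses and the last one of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet: str) -> int:
    """Addresses an EC2 instance can actually take in an AWS subnet."""
    return ipaddress.ip_network(subnet).num_addresses - AWS_RESERVED_PER_SUBNET


def parent_vpc(subnet: str, vpcs=VPC_CIDRS):
    """Return the VPC CIDR that contains `subnet`, or None if no VPC does."""
    net = ipaddress.ip_network(subnet)
    return next((v for v in vpcs if net.subnet_of(ipaddress.ip_network(v))), None)


def overlapping_pairs(subnets):
    """All pairs of subnets that share any address (a valid plan has none)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def non_private_vpcs(vpcs=VPC_CIDRS):
    """VPC CIDRs that are not RFC 1918 space (allowed by AWS, but they can
    collide with real Internet addresses reached from inside the VPC)."""
    return [v for v in vpcs if not ipaddress.ip_network(v).is_private]


def check_plan(vpcs=VPC_CIDRS, subnets=PUBLIC_SUBNETS + PRIVATE_SUBNETS):
    """List every problem found; an empty list means the plan is consistent."""
    problems = []
    for s in subnets:
        if parent_vpc(s, vpcs) is None:
            problems.append(f"{s} is not inside any VPC CIDR")
    for a, b in overlapping_pairs(subnets):
        problems.append(f"{a} overlaps {b}")
    for v in non_private_vpcs(vpcs):
        problems.append(f"{v} is publicly routable, not RFC 1918")
    return problems


if __name__ == "__main__":
    for line in check_plan():
        print(line)
```

Run as is, it reports only that 170.0.0.0/16 and 190.0.0.0/16 are public address space; the subnet layout itself is consistent.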

Default VPC service quotas (most can be raised through Service Quotas):

5 non-default VPCs per region

200 subnets per region

5 IPv4 CIDR blocks per VPC

1 IPv6 CIDR block per VPC

5 Elastic IPs per region

5 egress-only internet gateways per region

5 internet gateways (IGW) per region

5 NAT gateways per AZ

200 NACLs per region

20 rules per NACL

5000 network interfaces per region

200 route tables per region

50 routes per route table

5 security groups per instance

50 inbound and 50 outbound rules per security group

IGW: create the IGW, then open the route table, edit routes, add a route with destination 0.0.0.0/0 and select the IGW as the target.

NAT: create the NAT gateway in a public subnet, create a secondary route table, edit routes, add a route with destination 0.0.0.0/0 and select the NAT gateway as the target, then under subnet associations edit the subnet associations and add the private subnet.

Egress-only internet gateway: IPv6 only.

Carrier Gateway:

A carrier gateway supports IPv4 traffic.

Carrier gateways are only available for VPCs that contain subnets in a Wavelength Zone.

The carrier gateway provides connectivity between your Wavelength Zone and the
telecommunication carrier, and devices on the telecommunication carrier network.

AWS Wavelength is an AWS Infrastructure offering optimized for mobile edge computing
applications. Wavelength Zones are AWS infrastructure deployments that embed AWS compute and
storage services within communications service providers’ (CSP) datacenters at the edge of the 5G
network, so application traffic from 5G devices can reach application servers running in Wavelength
Zones without leaving the telecommunications network. This avoids the latency that would result
from application traffic having to traverse multiple hops across the Internet to reach their destination,
enabling customers to take full advantage of the latency and bandwidth benefits offered by modern
5G networks.

AWS Wavelength Zones are available in eight cities across the U.S. with Verizon and in Tokyo, Japan
with KDDI.

DHCP option sets:

By default, all instances in a nondefault VPC receive an unresolvable host name that AWS assigns (for
example, ip-10-0-0-202). You can assign your own domain name to your instances, and use up to four
of your own DNS servers. To do that, you must create a custom set of DHCP options to use with the
VPC.

VPC Endpoints:

A VPC endpoint lets instances in your VPC reach supported AWS services privately; instances in a
private subnet do not need a public IP address to communicate with resources in those services.

Scenario: we have one VPC with a route table, an IGW, a private subnet, a public subnet, one EC2
instance in the public subnet and one in the private subnet. The public-subnet instance can reach an
S3 bucket through its IAM role, but for the private-subnet instance to reach the bucket we have to
configure a VPC endpoint.

VPC --- Create VPC Endpoint --- search S3 (gateway type) --- select your VPC --- select the route
table --- Create Endpoint

Create a role that allows the EC2 service to call the S3 bucket.
Attach this role to both instances.

OR

Configure the AWS CLI with access keys using the command #aws configure (an instance role avoids
storing long-term keys on the instance).

AWS S3 terminal commands

#aws s3 ls --region <region>

#aws s3 sync /home/ec2-user/backup s3://Bucket_Name

#aws s3 mb s3://prafulsi

#aws s3 rb s3://prafulsi

#aws s3 cp test.txt s3://prafulsi

#aws s3 cp s3://prafulsi /home/ec2-user/backup

#aws s3 cp s3://prafulsi /home/ec2-user/backup --recursive

#aws s3 cp s3://prafulsi/init.xml s3://backup-bucket

#aws s3 cp s3://prafulsi s3://backup-bucket --recursive

#aws s3 mv source.json s3://prafulsi

#aws s3 rm s3://prafulsi/queries.txt

Reference: When to use an AWS S3 VPC endpoint (YouTube)

VPC Peering

A VPC peering connection is a networking connection between two VPCs that lets you route traffic
between them, including between their private subnets, using private IPv4 or IPv6 addresses.

After creating the peering connection, add a route to VPC-B's CIDR in the route table of VPC-A and vice versa.
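What the IGW, NAT, S3 gateway endpoint and peering steps above all change is the route table, so here is an added Python model (not from the original notes) of AWS longest-prefix-match routing over tables built the way those steps describe. The target ids, the peer VPC name and the stand-in S3 prefix range 203.0.113.0/24 are constructed; a real gateway endpoint installs the region's managed prefix list instead.

```python
import ipaddress

VPC_CIDR = "170.0.0.0/16"        # from the notes
PEER_VPC_CIDR = "190.0.0.0/16"   # from the notes, used as the peered VPC
# Stand-in for the S3 managed prefix list (real list is region specific).
S3_PREFIX_LIST = ["203.0.113.0/24"]

# Route tables after following the steps in the notes: (destination, target).
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-main")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-public-a"),
              (PEER_VPC_CIDR, "pcx-a-b")] + [(p, "vpce-s3") for p in S3_PREFIX_LIST]


def route_lookup(route_table, dst_ip):
    """The most specific matching destination wins (longest prefix match)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_is_public(route_table):
    """AWS's definition: the subnet's table sends 0.0.0.0/0 to an internet gateway."""
    return any(d == "0.0.0.0/0" and t.startswith("igw-") for d, t in route_table)


def path_summary(route_table, dst_ip):
    """Human-readable description of where a packet to dst_ip goes."""
    target = route_lookup(route_table, dst_ip)
    if target is None:
        return "dropped (no route)"
    kind = target.split("-")[0]
    return {"local": "stays inside the VPC",
            "igw": "internet via IGW, needs public IP",
            "nat": "internet via NAT gateway",
            "pcx": "peered VPC over private IPs",
            "vpce": "S3 over the gateway endpoint, never leaves AWS"}[kind]


if __name__ == "__main__":
    for dst in ("170.0.16.10", "190.0.16.5", "203.0.113.50", "8.8.8.8"):
        print(dst, "->", path_summary(PRIVATE_RT, dst))
```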

Difference Between NACL and SG

Stateful (security group): if we allow the HTTP port in an inbound rule, the return traffic is allowed
outbound automatically.

Stateless (NACL): if we want to allow the HTTP port, we need to allow it in both the inbound and the
outbound rules.

In a NACL, the lower the rule number, the higher the priority.

The highest number that you can use for a rule is 32766. We recommend that you start by creating
rules in increments (for example, increments of 10 or 100) so that you can insert new rules where you
need to later on. A network ACL has separate inbound and outbound rules, and each rule can either
allow or deny traffic.
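To make the stateful/stateless distinction and NACL rule ordering concrete, here is an added Python model (not from the original notes) that evaluates constructed NACL and security group rule sets the way AWS does: NACL rules in ascending number order, first match wins, implicit final deny; security groups allow-only and connection-tracked.

```python
import ipaddress

# Each NACL rule: (number, protocol, port_from, port_to, cidr, action).
# AWS evaluates in ascending number order and stops at the first match; the
# implicit "*" rule denies anything that matched nothing.  Constructed sample.
NACL_INBOUND = [
    (100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, 22, "10.0.0.0/24", "allow"),
    (120, "tcp", 22, 22, "0.0.0.0/0", "deny"),
]
NACL_OUTBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    # No rule for ephemeral ports 1024-65535, so HTTP replies will be dropped.
]


def nacl_decision(rules, proto, port, peer_ip):
    """First matching rule (by ascending number) decides; no match means deny."""
    ip = ipaddress.ip_address(peer_ip)
    for _num, rproto, lo, hi, cidr, action in sorted(rules):
        if rproto == proto and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return action
    return "deny"


def nacl_allows_http_session(client_ip, client_port):
    """Stateless: the request and the reply are checked independently."""
    request_ok = nacl_decision(NACL_INBOUND, "tcp", 80, client_ip) == "allow"
    reply_ok = nacl_decision(NACL_OUTBOUND, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


# Security group rules: (protocol, port_from, port_to, cidr); allow only, no
# numbers. Connection tracking lets replies to an allowed inbound connection
# leave regardless of outbound rules, hence the empty outbound list below.
SG_INBOUND = [("tcp", 80, 80, "0.0.0.0/0")]
SG_OUTBOUND = []


def sg_allows_inbound(rules, proto, port, peer_ip):
    """Any matching allow rule admits the traffic; there is no deny rule type."""
    ip = ipaddress.ip_address(peer_ip)
    return any(p == proto and lo <= port <= hi and ip in ipaddress.ip_network(c)
               for p, lo, hi, c in rules)


def sg_allows_http_session(client_ip):
    """Stateful: once the request is admitted, the reply is allowed out."""
    return sg_allows_inbound(SG_INBOUND, "tcp", 80, client_ip)
```

With these rule sets the same HTTP request succeeds through the security group but fails through the NACL, because the reply to the client's ephemeral port has no outbound allow; renumbering the deny rule below the 10.0.0.0/24 allow would likewise shadow SSH for that subnet.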

Use Case

We have multiple public instances named Public-EC2_1, Public-EC2_2 and Public-EC2_3, and multiple
private instances named Private-ec2-1, Private-ec2-2 and Private-ec2-3. What we need is a policy in
which Private-ec2-1 can be accessed only from Public-EC2_1 and not from the others.

Configure the security group of Private-ec2-1 in such a way that it can be accessed from Public-EC2_1
only:

go to Private-ec2-1, edit the inbound rules, add a rule, select the SSH protocol, in the source field
select the SG of Private-ec2-1, and save the SG.
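
The use case above expresses the restriction through a security-group reference rather than an IP address. This added Python example (not from the original notes) evaluates such rules for the instances named in the use case, assuming the rule's source is the security group attached to Public-EC2_1 (the instance that should be allowed in); all group ids and private addresses are constructed.

```python
import ipaddress

# instance -> (private IP, security group id); constructed sample inventory
INSTANCES = {
    "Public-EC2_1": ("170.0.16.10", "sg-public-1"),
    "Public-EC2_2": ("170.0.16.11", "sg-public-2"),
    "Public-EC2_3": ("170.0.16.12", "sg-public-3"),
    "Private-ec2-1": ("170.0.32.10", "sg-private-1"),
    "Private-ec2-2": ("170.0.32.11", "sg-private-2"),
}

# sg id -> inbound rules (proto, port_from, port_to, source). A source is either
# a CIDR string or another security group id; a group reference matches traffic
# from any interface that carries that group, whatever its IP address.
SG_INBOUND = {
    "sg-private-1": [("tcp", 22, 22, "sg-public-1")],    # the use case rule
    "sg-private-2": [("tcp", 22, 22, "170.0.16.0/20")],  # whole public subnet
}


def _source_matches(source, src_ip, src_sg):
    """Group references compare group ids; anything else is treated as a CIDR."""
    if source.startswith("sg-"):
        return source == src_sg
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def can_connect(src_name, dst_name, proto="tcp", port=22):
    """True if dst's security group has an inbound rule that matches src."""
    src_ip, src_sg = INSTANCES[src_name]
    _, dst_sg = INSTANCES[dst_name]
    return any(p == proto and lo <= port <= hi and _source_matches(s, src_ip, src_sg)
               for p, lo, hi, s in SG_INBOUND.get(dst_sg, []))


def allowed_sources(dst_name, proto="tcp", port=22):
    """Every inventory instance that can reach dst; useful for auditing a rule."""
    return sorted(n for n in INSTANCES
                  if n != dst_name and can_connect(n, dst_name, proto, port))


if __name__ == "__main__":
    print("Private-ec2-1 reachable on 22 from:", allowed_sources("Private-ec2-1"))
    print("Private-ec2-2 reachable on 22 from:", allowed_sources("Private-ec2-2"))
```

The audit shows why the group reference is preferable to a subnet CIDR: the CIDR rule on Private-ec2-2 admits every public instance, while the reference admits only Public-EC2_1 even if its address changes.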
scp -i myAmazonKey.pem phpMyAdmin-3.4.5-all-languages.tar.gz ec2-user@mec2-50-17-16-67.compute-1.amazonaws.com:~/.
