Rocky Warren

Virtual Private Cloud (VPC)

AWS VPC Diagram
AWS VPC Diagram
  • Logical data center within AWS
  • Consist of Subnets, Route Tables, Internet Gateway (IGW, limit one per VPC), NAT Gateway, VPC Endpoints, Network Access Control Lists (NACLs), and Security Groups (cannot span VPCs)
  • By default, creating VPCs in console creates Route Table, NACL, and Security Group
  • Peering
    • Works cross-region
    • IPv4 CIDR blocks cannot overlap
    • Does not act like a Transit VPC (aka cannot transitively peer VPCs)
  • AZs are randomly assigned letters, us-west-2a in one account isn't necessarily the same as us-west-2a in another
  • Subnets
    • AWS reserves first four and last IP addresses in each subnet CIDR block
    • Each must be associated with only one NACL, defaults to default NACL
  • NACLs
    • Basically a firewall, whereas security groups work at instance level, NACLs work at subnet level
    • Each subnet must be associated with only one NACL, defaults to default NACL
    • Default NACL allows all inbound and outbound traffic
    • Stateless, responses to allowed inbound traffic are subject to outbound rules and vice versa
    • Since client chooses ephemeral port when initiating connection, NACLs must allow traffic on appropriate ports in outbound rules
    • List of inbound and outbound allow and deny rules evaluated in order starting with lowest number, as soon as rule matches, it applies and remaining rules aren't checked
    • Put deny rules first
    • Default created with VPC allows all in and outbound traffic
    • Newly created disallow all in and outbound traffic
    • Can block specific IPs, unlike Security Groups
    • Entry max default 20, can be increased up to 40
  • NATs
    • Provide internet traffic to instances in private subnets
    • Prefer Gateways to Instances for management and scaling benefits
    • Create in multiple AZs for high availability
    • Must be in public subnet with private subnet route to corresponding NAT
    • Must disable source/destination checks on Instances and increase instance size for performance
  • Bastion Host/Jump Box/Proxy Server
    • Provide SSH and RDP connections to instances in private subnet
    • Must be in public subnet
    • SSH agent forwarding allows users to use their local SSH keys to connect to instances in private subnet, SSH keys remain on user workstation
  • VPC Endpoints
    • Provide private subnet connections to AWS services and PrivateLink services without leaving AWS network
    • Horizontally scaled, highly-available virtual devices
    • Interface, Gateway (S3 and DynamoDB), and Gateway Load Balancer endpoints
    • Gateway endpoint (1st gen)
      • Sits outside VPC, must have route in route table where target is endpoint
      • Cannot use directly from VPNs or Direct Connect
      • Only supports same region access and IPv4 traffic
      • Must enable DNS resolution in VPC
      • Can use endpoint policies to control access
      • If you get AccessDenied, check instance, endpoint, and bucket policies
    • Interface endpoint (2nd gen)
      • ENI with private IP from IP range of your subnet
      • Can use security groups to control access and also have endpoint policies
    • Service VPC endpoints
      • For things like Datadog, Splunk, etc.
      • Endpoint in service consumer sends to load balancer in service provider, sent over AWS private network
    • Doesn't go over internet, reducing data transfer costs and latency, improving security via E2E encryption, and preventing internet gateway bottlenecks
  • Flow Logs
    • Records traffic visiting resources and resource outbound connection details
    • Not real-time, every few minutes
    • Cannot enable across accounts
    • Cannot change configuration after creation
    • Format
      • Version
      • Account ID
      • Interface ID
      • Source IP
      • Destination IP
      • Source Port
      • Destination Port
      • Protocol
      • Packets
      • Bytes
      • Start Time
      • End Time
      • Action
      • Log Status
    • Not monitored: traffic to reserved IPs, instance metadata to and from 169.254.169.254, Amazon DNS, Amazon Windows license activation, and DHCP
  • DNS
    • enableDnsHostnames: Indicates whether instances with public IPs get public DNS hostnames
    • enableDnsSupport: Indicates whether DNS resolution is supported through Amazon-provided DNS server
  • Direct Connect
    • Connects your data center to AWS for high-throughput and/or reliable connections

Stay up to date

Get notified when I publish. Unsubscribe at any time.