VPC
- Think of a VPC as a virtual data centre in the cloud
- A VPC does not span regions, but it does span all the availability zones in its region
In the diagram, the red line on the outside is our Region (us-east-1).
Inside it we have our VPC, for which we define an IP address range of 10.0.0.0/16 (a VPC IPv4 CIDR block must be between /16 and /28). That address range is private network space; RFC 1918 defines three private IPv4 address ranges:
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
We have two routes of entry into our VPC:
- Internet Gateway (IGW): how we connect out to the internet, and how the internet connects to us
- Virtual Private Gateway (VGW): where we terminate our VPN connection, so we might have a site-to-site VPN between our VPC and our data centre, and that traffic comes in through the VGW
Once traffic comes in through the IGW or VGW, it is routed according to the routes we define in our Route Table. It then passes through the Network Access Control List (NACL) at the subnet boundary, and from there into the subnet.
Then it reaches the Security Group attached to the instance's network interface. Remember: a security group can span subnets (and availability zones); a NACL is attached at the subnet level, and one NACL can be associated with several subnets, but each subnet has exactly one NACL.
Finally the traffic reaches our instances.
Each subnet is always mapped to exactly one availability zone; a subnet cannot span AZs.
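The routing step above is worth seeing concretely. The following is an added example, not code from the original notes: it models how an AWS route table chooses a target for a destination (longest-prefix match, with the implicit "local" route for the VPC CIDR) and uses that to classify a subnet as public or private. The route tables and the igw-/nat-/vgw- resource IDs are constructed for illustration.

```python
"""Added example (not from the original notes): simulate AWS route-table
lookup and classify a subnet as public or private from its route table.

AWS route tables pick the most specific (longest-prefix) matching route.
Every route table carries an implicit 'local' route for the VPC CIDR.
The tables and resource IDs below are constructed, hypothetical values."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed: the VPC from the notes

# Constructed route tables: {destination CIDR: target}
PUBLIC_RT = {
    VPC_CIDR: "local",
    "0.0.0.0/0": "igw-0abc123",        # hypothetical internet gateway ID
}
PRIVATE_RT = {
    VPC_CIDR: "local",
    "0.0.0.0/0": "nat-0def456",        # hypothetical NAT gateway ID
    "192.168.10.0/24": "vgw-0aaa111",  # hypothetical VGW: route to on-prem DC
}


def lookup(route_table, dst_ip):
    """Return (matched_prefix, target) using longest-prefix match, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


def is_public_subnet(route_table):
    """A subnet is public when its route table sends 0.0.0.0/0 to an IGW."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")


if __name__ == "__main__":
    for rt_name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(rt_name, "subnet:", "public" if is_public_subnet(rt) else "private")
        for ip in ("10.0.1.5", "192.168.10.7", "8.8.8.8"):
            print("  ", ip, "->", lookup(rt, ip))
```

Note that a route to an IGW is necessary but not sufficient for an instance to be reachable from the internet: it also needs a public or Elastic IP, and the NACL and security group still have to allow the traffic.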
What can you do with a VPC
- Launch instances into a subnet of your choosing
- Assign custom IP address ranges to each subnet
- Configure route tables between subnets (the route table is what defines whether a subnet is public or private: a 0.0.0.0/0 route to an internet gateway makes it public)
- Create an internet gateway and attach it to our VPC (only one IGW per VPC)
- Control access with instance security groups and subnet network ACLs. Security groups are stateful: if you create a rule that allows HTTP into your SG, the response traffic is allowed back out automatically, whatever the outbound rules say. Network ACLs are stateless: if you create a rule allowing HTTP traffic in, you also need an outbound rule allowing the response back out, on the ephemeral ports the client chose (AWS recommends allowing 1024-65535).
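The stateful/stateless distinction is the one that bites in practice, so here is an added example (not code from the original notes) that models it: a NACL whose outbound rules only allow port 80 silently drops the HTTP replies, because the reply leaves on the client's ephemeral port; the corrected NACL adds an outbound rule for 1024-65535. The security-group model has no outbound rules at all, purely to show that tracked replies pass anyway (real security groups do have outbound rules). All rule sets and port numbers are constructed.

```python
"""Added example (not from the original notes): minimal model of a stateless
network ACL versus a stateful security group.

NACL rules are evaluated in ascending rule-number order, first match wins,
and the implicit final rule denies everything else. Security groups only
hold allow rules and track accepted connections, so reply traffic needs
no outbound rule. Rule sets below are constructed for illustration."""

EPHEMERAL = (1024, 65535)  # range AWS recommends allowing for reply traffic

# Rule tuple: (rule_number, action, protocol, (low_port, high_port))
# Constructed NACL with the common mistake: replies on ephemeral ports denied.
NACL_BROKEN = {
    "inbound":  [(100, "allow", "tcp", (80, 80))],
    "outbound": [(100, "allow", "tcp", (80, 80))],
}
# Corrected NACL: outbound also allows the ephemeral reply ports.
NACL_FIXED = {
    "inbound":  [(100, "allow", "tcp", (80, 80))],
    "outbound": [(100, "allow", "tcp", (80, 80)),
                 (110, "allow", "tcp", EPHEMERAL)],
}


def nacl_decision(rules, proto, port):
    """First matching rule by ascending rule number; implicit deny at the end."""
    for _num, action, rproto, (lo, hi) in sorted(rules):
        if rproto == proto and lo <= port <= hi:
            return action
    return "deny"


def nacl_allows_exchange(nacl, proto, svc_port, client_port):
    """Stateless: the request AND its reply are each checked against the rules."""
    request_ok = nacl_decision(nacl["inbound"], proto, svc_port) == "allow"
    reply_ok = nacl_decision(nacl["outbound"], proto, client_port) == "allow"
    return request_ok and reply_ok


class SecurityGroup:
    """Stateful: an accepted inbound connection is tracked and its reply passes."""

    def __init__(self, inbound):
        self.inbound = inbound  # list of (protocol, (low_port, high_port))
        self.tracked = set()    # connection-tracking table

    def inbound_allowed(self, proto, svc_port, client_port):
        for rproto, (lo, hi) in self.inbound:
            if rproto == proto and lo <= svc_port <= hi:
                self.tracked.add((proto, svc_port, client_port))
                return True
        return False

    def outbound_allowed(self, proto, svc_port, client_port):
        # Deliberately no outbound rules in this model: only tracked replies pass.
        return (proto, svc_port, client_port) in self.tracked


def sg_allows_exchange(sg, proto, svc_port, client_port):
    return (sg.inbound_allowed(proto, svc_port, client_port)
            and sg.outbound_allowed(proto, svc_port, client_port))


if __name__ == "__main__":
    # Constructed exchange: client on ephemeral port 45000 -> web server port 80
    print("broken NACL:", nacl_allows_exchange(NACL_BROKEN, "tcp", 80, 45000))
    print("fixed NACL: ", nacl_allows_exchange(NACL_FIXED, "tcp", 80, 45000))
    sg = SecurityGroup(inbound=[("tcp", (80, 80))])
    print("security group:", sg_allows_exchange(sg, "tcp", 80, 45000))
```

The same asymmetry applies in the other direction: an instance initiating an outbound connection through a NACL needs an inbound rule for the ephemeral-port replies, while a security group handles that by itself.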
Default VPC vs Custom VPC
- All subnets in the default VPC have a route out to the internet (0.0.0.0/0 to an internet gateway)
- That means they are all public; there is no private subnet in a default VPC unless you create one yourself
- Each EC2 instance launched into a default subnet gets both a public and a private IP address
- If you delete the default VPC you can recreate it yourself with the EC2 API (aws ec2 create-default-vpc); you no longer need to contact AWS to get it back
VPC Peering
- Allows you to connect one VPC to another via a direct network route using private IP addresses
- That is to say, the traffic does not go back out over the internet
- You can have a VPC that holds monitoring or administration services (an admin VPC) and peer it with your Production VPC, Dev VPC, etc.
- Instances behave as if they were on the same private network
- You can peer VPCs with VPCs in other AWS accounts as well as with other VPCs in the same account (and, with inter-region peering, in other regions)
- Peering is a star configuration, i.e. one central VPC peers with four others. There is no transitive peering: if A peers with B and B peers with C, A cannot reach C through B. The CIDR blocks of two peered VPCs must not overlap, or the peering request is rejected.
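Both the RFC 1918 address-range discussion earlier and the peering rules above come down to choosing CIDR blocks that fit and do not collide. The following is an added example, not code from the original notes: it checks a proposed VPC CIDR against RFC 1918 and the /16-/28 size limit, validates a hub-and-spoke (star) peering layout for overlapping blocks, and shows that reachability through peering is only ever one hop. VPC names and CIDRs are constructed.

```python
"""Added example (not from the original notes): pre-flight checks for VPC
CIDR selection and a star (hub-and-spoke) peering layout.
All VPC names and CIDR blocks below are constructed for illustration."""
import ipaddress

# The three RFC 1918 private IPv4 ranges
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True when the whole block sits inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(private) for private in RFC1918)


def valid_vpc_cidr(cidr):
    """AWS requires a VPC IPv4 CIDR between /16 and /28; host bits must be zero."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:  # e.g. 10.0.0.1/16 has host bits set
        return False
    return 16 <= net.prefixlen <= 28


def check_star_peering(hub, spokes):
    """hub: (name, cidr); spokes: list of (name, cidr).
    Returns a list of problems; an empty list means the layout is peerable."""
    problems = []
    hub_name, hub_cidr = hub
    hub_net = ipaddress.ip_network(hub_cidr)
    for name, cidr in spokes:
        if ipaddress.ip_network(cidr).overlaps(hub_net):
            problems.append(f"{name} {cidr} overlaps hub {hub_name} {hub_cidr}: "
                            "AWS rejects the peering")
    # Spokes never peer with each other (no transitive peering), so AWS does
    # not reject overlapping spokes, but the hub's route table then cannot
    # tell the two apart, which defeats the point of the star.
    for i, (n1, c1) in enumerate(spokes):
        for n2, c2 in spokes[i + 1:]:
            if ipaddress.ip_network(c1).overlaps(ipaddress.ip_network(c2)):
                problems.append(f"{n1} {c1} and {n2} {c2} overlap: "
                                "hub routes to that range are ambiguous")
    return problems


def reachable_from(vpc, peerings):
    """Peering is not transitive: only directly peered VPCs are reachable."""
    out = set()
    for a, b in peerings:
        if a == vpc:
            out.add(b)
        elif b == vpc:
            out.add(a)
    return out


if __name__ == "__main__":
    # Constructed star: an admin hub peered with prod, dev and two bad spokes
    hub = ("admin", "10.0.0.0/16")
    spokes = [("prod", "10.1.0.0/16"), ("dev", "10.2.0.0/16"),
              ("test", "10.0.128.0/17"), ("qa", "10.1.5.0/24")]
    for name, cidr in [hub] + spokes:
        print(f"{name:5} {cidr:16} rfc1918={is_rfc1918(cidr)} "
              f"valid_size={valid_vpc_cidr(cidr)}")
    for p in check_star_peering(hub, spokes):
        print("PROBLEM:", p)
    peerings = [("admin", "prod"), ("admin", "dev")]
    print("prod can reach:", reachable_from("prod", peerings))  # only admin
```

Run this before requesting the peering connections; fixing an overlapping CIDR after workloads are deployed means re-addressing a VPC.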
NAT (Network Address Translation)
Lets instances in a private subnet reach out to the internet (for example to pull patches) without being reachable from it. Two ways to provide it:
NAT Gateway
- Released in late 2015 (the preferred option)
- Managed by AWS: scales automatically, no instance to patch, no source/destination check to disable
- Lives in a single availability zone; for resilience create one per AZ and point each private subnet's route table at the gateway in its own AZ
NAT Instance
- Been around for a long time
- Literally an EC2 instance that acts as a gateway to the internet for the private subnets
- Must sit in a public subnet with a public or Elastic IP, must have its source/destination check disabled, and the private subnet's route table needs a 0.0.0.0/0 route pointing at the instance
- A single point of failure, and bandwidth is limited by the instance size; you patch and scale it yourself