Amazon VPC lets you define virtual networks on scalable AWS infrastructure.
- VPC - a virtual network logically isolated from other VPCs
- Coverage
- AZ: a VPC spans all of the Availability Zones in its Region
- Can have many subnets; each subnet lies in exactly one AZ
- Contains:
- 1..n IPv4 ranges
- 0..1 IPv6
- 1..n route tables (one is the main route table, the others are custom)
- 1..n ACLs (only one is the default)
- Subnet - a range of IP addresses in a VPC (one VPC <= n subnets)
- Public (has a route to the Internet) or Private
- In one AZ
- Associate with
- EC2-Classic - early-day single, flat network; no longer supported for new instances
- Security & routing
- Security Group (stateful, allow-only, instance interface firewall rules)
- Route Table (one VPC <- n route tables, one subnet <- one route table)
- ACL (stateless subnet inbound/outbound rules)
- Connection
- Internet Gateway
- NAT
- VPN
- PrivateLink: links a VPC to supported AWS services, to services hosted by other AWS accounts (VPC endpoint services) and to supported Marketplace partner services, over the AWS network (not over the Internet)
- AWS Private Global Network
Configurations:
- Name
- IPv4 CIDR block (one or more, editable; restrictions apply, e.g. additional blocks should be in the same range, so 192.168.x.x is not combined with 10.0.x.x)
- IPv6 (optional, provided by Amazon, only one)
- Tenancy (default / dedicated)
- ACL
- DHCP options set
- Route table
- DNS resolution (on/off)
- DNS hostnames (on/off)
Instances & IP addresses:
- IP Address
- private IPv4 addresses assigned to instances
- static and persistent for the life of the interface
- single or multiple addresses per interface
- define network interfaces & attach them to instances
- optional IPv6 block for the VPC and IPv6 addresses for instances
Default VPC:
- one default subnet in each AZ, public
- has one router and gateway
- each instance gets a private and a public address (in a non-default subnet an instance has only a private address by default)
Flow log: captures IP traffic flow records for network interfaces
PCI DSS compliance (Payment Card Industry Data Security Standard)
DHCP options set settings:
- Name
- Options
- Domain name
- DNS servers
- NTP servers (time protocol)
- NetBIOS name servers
- NetBIOS node type
Subnets: public & private; the default VPC has one default subnet in each AZ.
Settings:
- Name
- ID (given, "subnet-")
- VPC (1 VPC <-> n subnet)
- AZ (select one or "no preference"; a subnet is only ever in one AZ)
- IPv4 CIDR (must be the same as or within the VPC CIDR)
- ACL (can change association)
- Route table
- Flow log
- Tags
- Action / Auto-assign IP (public IP)
- Sharing - share the subnet with another AWS account or organization (via Resource Access Manager, https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html)
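The CIDR constraints listed above (a subnet CIDR must sit within the VPC CIDR, and subnets must not overlap) are easy to check before creating anything. The following is an added example, not code from the page: it validates a planned layout with Python's standard `ipaddress` module. The VPC and subnet CIDRs are constructed sample values, and the size limits and the five reserved addresses per subnet reflect AWS's documented rules (/16 to /28; AWS reserves the first four and the last address of every subnet).

```python
import ipaddress

MIN_PREFIX, MAX_PREFIX = 16, 28      # VPC and subnet blocks must be /16 .. /28
AWS_RESERVED_PER_SUBNET = 5          # network, VPC router, DNS, future use, broadcast


def usable_hosts(cidr: str) -> int:
    """Number of addresses in a subnet that instances can actually use."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_layout(vpc_cidrs, subnet_cidrs):
    """Return a list of problems; an empty list means the layout is valid."""
    problems = []
    vpcs = [ipaddress.ip_network(c, strict=True) for c in vpc_cidrs]
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]

    for net in vpcs + subnets:
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{net}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")

    # Every subnet must be the same as, or inside, one of the VPC's CIDR blocks.
    for sub in subnets:
        if not any(sub.subnet_of(vpc) for vpc in vpcs):
            problems.append(f"{sub}: not within any VPC CIDR {vpc_cidrs}")

    # Subnets within a VPC may not overlap each other.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


# Constructed sample layout: a /16 VPC with two /24 subnets.
VPC_CIDRS = ["10.0.0.0/16"]
GOOD_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
# One subnet outside the VPC range and one overlapping its neighbour.
BAD_SUBNETS = ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]

if __name__ == "__main__":
    print("good layout problems:", validate_layout(VPC_CIDRS, GOOD_SUBNETS))
    print("bad layout problems:", validate_layout(VPC_CIDRS, BAD_SUBNETS))
    print("usable hosts in 10.0.1.0/24:", usable_hosts("10.0.1.0/24"))
```

`strict=True` makes `ip_network` reject a CIDR whose host bits are set (e.g. `10.0.1.5/24`), which the console would also refuse, so a typo surfaces as an exception rather than a silently different block.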
Elastic IP settings:
- IPv4 pool
- Amazon pool (* default and most common)
- Owned by me (bring your own IP)
- Associate with
- Instance
- Network interface
A VPC endpoint securely connects a VPC to another service.
An interface endpoint is powered by AWS PrivateLink and uses an elastic network interface (ENI) as the entry point for traffic to the service.
A gateway endpoint serves as the target of a route in a route table.
Adding with:
- Service Category
- AWS services (of same region)
- Private service (by name)
- Marketplace services (subscribed)
- Service (select or input a name, according to category)
- VPC
Properties / Editing:
- ID - assigned
- Status
- Service name
- DNS name
- VPC (belongs to one)
- Type (interface / gateway)
- Associations:
- Gateway endpoint
- Route tables (editable; can associate with 0..n route tables)
- Policy - can further control access with IAM policy
- Interface endpoint
- Subnets (associate with 0..n subnets; one subnet per AZ)
- Security Groups (associate with 0..n)
- Notifications (send endpoint events Delete/Accept/Reject to SNS topic)
- Tags
Result:
- Endpoint
- of type interface or gateway, determined by the service it connects to (cannot be changed)
- usable as the target of a route (see below)
- Route (Gateway)
- Added to the default route table of the VPC
- Network Interface (Interface) in EC2
- A network interface is added with a private IP address (editable) and attached to the endpoint (it cannot then be attached to an EC2 instance)
Endpoint service: provide a service to other AWS accounts using PrivateLink.
Add:
- Associate Network Load Balancer (required)
- Included/Excluded AZ
- Require acceptance
Security Group (Instance Level)
Belongs to one VPC. Acts as a virtual firewall for instances; it is associated with network interfaces rather than the instances themselves. One instance (interface) can have 1..5 security groups.
Only ALLOW rules. No DENY rules.
Stateful: response traffic to an allowed request is allowed automatically.
Instances in the same security group still require rules to talk to each other (the default security group includes such a rule).
With VPC peering, a rule can refer to a security group in the peered VPC. If that security group is deleted, the rule is marked STALE.
Inbound Rules:
- Type (common services or custom)
- Protocol (e.g. TCP)
- Port range
- Source
- Custom - CIDR, IP, another Security Group, Prefix List
- Anywhere
- My IP - the public IPv4 of the local computer
Outbound Rules:
- Type (common service or custom)
- Protocol
- Port range
- Destination (Custom, Anywhere, My IP); can be another security group, a CIDR, a single address, or a prefix list ID (name and ID of a service for a Region)
Route Table: associated with one VPC and with subnets
Settings (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html):
- ID - given
- Owner, association with VPC
- Routes
- Subnet Associations
- Route Propagation (select a Virtual Private Gateway whose routes are propagated into the route table)
- Tags
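Route selection is the part of this that is easiest to get wrong in a design review: a subnet is "public" only because its route table sends 0.0.0.0/0 to an Internet gateway, and when several routes match a destination the most specific prefix wins. The following is an added example, not code from the page: it resolves a destination against a public and a private route table the way a VPC router would. The `igw-EXAMPLE`, `nat-EXAMPLE` and `vpce-EXAMPLE` targets and the `198.51.100.0/24` block standing in for a gateway-endpoint prefix list are constructed placeholders.

```python
import ipaddress


def resolve_route(routes, dst_ip):
    """Longest-prefix match over (cidr, target) pairs; None means no route (dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(routes):
    """A subnet is public when its route table has a route to an Internet gateway."""
    return any(target.startswith("igw-") for _, target in routes)


# Constructed route tables for a 10.0.0.0/16 VPC. Every table carries the
# 'local' route for the VPC CIDR; it cannot be removed.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),          # placeholder Internet gateway id
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-EXAMPLE"),          # placeholder NAT gateway id
    ("198.51.100.0/24", "vpce-EXAMPLE"),   # placeholder: gateway endpoint prefix list
]

if __name__ == "__main__":
    for rt_name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(rt_name, "subnet, public =", is_public_subnet(rt))
        for ip in ("10.0.2.5", "198.51.100.7", "93.184.216.34"):
            print("  ", ip, "->", resolve_route(rt, ip))
```

Note how `198.51.100.7` leaves the private subnet through the endpoint rather than the NAT gateway even though `0.0.0.0/0` also matches: the /24 is more specific than the /0, which is exactly why adding a gateway endpoint silently changes the path of service traffic without any change to the default route.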
Network ACL: each subnet is associated with exactly one ACL, and an ACL can be associated with 0..n subnets. The default ACL allows all traffic by default; a custom ACL denies all traffic by default.
Stateless:
- to allow responses to inbound traffic, add an outbound rule for destination ports 32768-65535 from 0.0.0.0/0 ALLOW (the ephemeral port range varies by OS; 1024-65535 is the widest)
- to allow responses to outbound traffic, add an inbound rule Custom TCP / TCP / 32768-65535 / 0.0.0.0/0 / ALLOW
Evaluation: rules are evaluated from the lowest number to the highest; the first matching rule applies
To create:
- Name
- VPC - one VPC <= n ACLs (1 default)
To config:
- Inbound rule / Outbound rule
- Rule # (low -> high)
- Type (Custom TCP/UDP/ICMP/other protocol, ALL TCP/UDP/ICMP IPv4)
- Protocol (TCP/UDP/ICMP...)
- Port range
- For inbound rule: destination (listening) port
- For outbound rule: destination port
- Address range (e.g. 0.0.0.0/0)
- For inbound, source
- For outbound, destination
- ALLOW/DENY
- Subnet association
- with 0..n subnets (each subnet is associated with only one ACL)
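The stateful-versus-stateless distinction between the security group section and the network ACL section above is what the ephemeral-port rules exist for. The following is an added example, not code from the page or from AWS: it models both evaluators side by side and runs one HTTPS request and its reply through each. The addresses, rule numbers and port ranges are constructed sample values; the evaluation order (lowest rule number first, first match wins, implicit deny for the ACL; allow-only with connection tracking for the security group) follows the behaviour the notes describe.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    number: int     # rules are evaluated in ascending order
    proto: str      # "tcp", "udp" or "all"
    ports: tuple    # (low, high) destination port range, inclusive
    cidr: str       # source for inbound rules, destination for outbound rules
    action: str     # "allow" or "deny"


def _matches(rule_proto, rule_ports, rule_cidr, pkt, addr):
    if rule_proto not in ("all", pkt.proto):
        return False
    lo, hi = rule_ports
    return lo <= pkt.dst_port <= hi and ipaddress.ip_address(addr) in ipaddress.ip_network(rule_cidr)


def nacl_evaluate(rules, pkt, direction):
    """Stateless: requests and replies alike are checked against the numbered rules;
    the first match wins and a packet matching nothing hits the implicit '*' deny."""
    addr = pkt.src if direction == "inbound" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.ports, rule.cidr, pkt, addr):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: once a flow is permitted, its reverse direction is
    permitted without a rule; there is no way to write a deny rule."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (proto, (lo, hi), cidr)
        self.outbound = outbound
        self._tracked = set()       # 5-tuples of flows already allowed

    def evaluate(self, pkt, direction):
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dst_port, pkt.src_port)
        if reverse in self._tracked:
            return "allow"          # reply to a tracked flow
        rules = self.inbound if direction == "inbound" else self.outbound
        addr = pkt.src if direction == "inbound" else pkt.dst
        for proto, ports, cidr in rules:
            if _matches(proto, ports, cidr, pkt, addr):
                self._tracked.add((pkt.proto, pkt.src, pkt.dst, pkt.src_port, pkt.dst_port))
                return "allow"
        return "deny"               # nothing allowed it, so it is dropped


# Constructed flow: a client on the Internet opens HTTPS to an instance at 10.0.1.20.
REQUEST = Packet("tcp", "203.0.113.10", "10.0.1.20", 51000, 443)
REPLY = Packet("tcp", "10.0.1.20", "203.0.113.10", 443, 51000)


def nacl_demo(with_ephemeral_rule: bool):
    """(request verdict, reply verdict) for an ACL that allows inbound 443,
    with or without the outbound ephemeral-port rule the notes call for."""
    inbound = [AclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
    outbound = [AclRule(100, "tcp", (32768, 65535), "0.0.0.0/0", "allow")] if with_ephemeral_rule else []
    return nacl_evaluate(inbound, REQUEST, "inbound"), nacl_evaluate(outbound, REPLY, "outbound")


def sg_demo():
    """Same flow through a security group that only has an inbound 443 rule."""
    sg = SecurityGroup(inbound=[("tcp", (443, 443), "0.0.0.0/0")], outbound=[])
    return sg.evaluate(REQUEST, "inbound"), sg.evaluate(REPLY, "outbound")


if __name__ == "__main__":
    print("NACL without ephemeral rule:", nacl_demo(False))
    print("NACL with ephemeral rule:   ", nacl_demo(True))
    print("Security group:             ", sg_demo())
```

The ACL without the outbound 32768-65535 rule accepts the request and then drops the reply, which is the classic symptom of a half-configured custom ACL (connections hang rather than being refused). The security group needs no such rule because the reply matches the tracked flow.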
Internet Gateway - to use: simply attach it to the VPC to allow Internet access
Egress Only Internet Gateway - setting:
No name. Attach to VPC
NAT Gateway - to add:
- Subnet - select a public subnet
- Elastic IP Allocation ID (use existing or create new)
Result & usage:
- NAT Gateway Added
- Can be used as a route target (the gateway must exist before the route is created)
- Uses Elastic IP
VPC peering: VPC to VPC connection, may cross accounts & Regions
To access the Internet:
- In (unsolicited inbound) & Out
- attach an Internet Gateway to the VPC (the default VPC already has one)
- associate an Elastic IP
- Out only
Amazon VPN connection linking the customer's (your) data center to a VPC. Supports Cisco, Check Point, Juniper, etc. (IPsec). See https://docs.aws.amazon.com/vpn/index.html
Customer Gateway is the "data center" side. "Virtual Private Gateway" is the VPC side. Site-to-Site VPN Connection is the "connection" (IPsec)
Customer Gateway - to add: provide an Internet-routable IP address & optional routing information; certificate.
Virtual Private Gateway - to add: provide name, ASN (for BGP)
Site-to-Site VPN Connections
For connections between a VPC & a data center (on-premises network)
PrivateLink - to use:
- create an interface VPC endpoint for a service in the VPC (this creates an elastic network interface with a private IP in the subnet)
- can create a PrivateLink-powered service (endpoint service) for other accounts (customers) to access
Traffic routes over the AWS private global network:
- Within and between AZs in all Regions
- Between Regions (except China)
Flow log settings:
- Filter (Accept / Reject / All) - what to log
- Destination
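Once a flow log is delivering records, the filter setting above decides whether you see accepted flows, rejected flows or both, and the records themselves are space-separated fields in the default format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`). The following is an added example, not code from the page or from AWS: it parses a handful of constructed default-format records and summarises which destination ports are being rejected, which is the usual first question when an ACL or security group change is suspected of breaking something. The account id, ENI id and addresses are constructed sample values.

```python
from collections import Counter

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # IANA protocol numbers

# Constructed sample records: one accepted HTTPS flow, two rejected probes,
# and one interval in which the interface carried no traffic at all.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51000 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.20 40000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.20 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text: str):
    """Turn default-format flow log lines into dicts; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # skip malformed lines rather than guessing
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in NUMERIC:
                rec[name] = int(value)
            else:
                rec[name] = value
        rec["proto_name"] = PROTOCOL_NAMES.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def rejected_ports(records):
    """Counter of (protocol, dstport) for rejected flows that carried data."""
    return Counter(
        (r["proto_name"], r["dstport"])
        for r in records
        if r["action"] == "REJECT" and r["log_status"] == "OK"
    )


def status_counts(records):
    """How many records are OK versus NODATA/SKIPDATA; SKIPDATA means records were lost."""
    return Counter(r["log_status"] for r in records)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("rejected:", dict(rejected_ports(recs)))
    print("status:", dict(status_counts(recs)))
```

Filtering on `log_status == "OK"` matters: NODATA intervals have no address or port fields at all, and a SKIPDATA record tells you the capture itself fell behind, so neither should be counted as an accepted or rejected flow. Because security groups reject by dropping, a flow that a security group blocks shows up here as REJECT with the same shape as one an ACL blocked; the records alone do not say which layer did it.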