###### tags: `AWS`
# VPC AWS training
- AWS cloud offers pay-as-you-go on demand compute as well as managed services
- VPC is the AWS networking service that will meet your networking requirements
VPC
1. A private, virtual network in the AWS Cloud
2. Uses the same concepts and constructs as on-premises networking
3. Allows complete control of network configuration
   - Ability to isolate and expose resources inside the VPC
   - Define the normal networking configuration items:
     - IP address spaces
     - Subnets
     - Routing tables
   This allows you to control what you expose to the internet and what you isolate within the VPC
4. Offers several layers of security controls
   - Ability to allow and deny specific internet and internal traffic
   - Isolated subnets
   - Defining ACLs
   - Customizing routing rules
   You have complete control to allow and deny both INCOMING and OUTGOING traffic
5. Other AWS services deploy into the VPC
   - Services inherit the security built into the network
VPC integrates with numerous AWS services like:
- Amazon EC2
- Amazon EMR
- Amazon RDS
- Amazon WorkSpaces
- Elastic Load Balancing
- AWS OpsWorks
- Amazon EFS
- AWS Elastic Beanstalk
- Amazon Route 53
- AWS Data Pipeline
- Amazon S3
- Amazon DynamoDB
- Amazon ElastiCache
Amazon VPC builds upon the AWS Global Infrastructure of Regions and Availability Zones (AZs)
**Features** - Amazon VPC
* Builds upon the high availability of AWS Regions and Availability Zones (AZs)
- Amazon VPC lives within a Region
- Multiple VPCs per account
* Subnets
- Used to divide Amazon VPC
- Allows Amazon VPC to span multiple AZs
* Route tables
- Control traffic going out of the subnets
* Internet Gateway (IGW)
- Allows access to the Internet from Amazon VPC
* NAT Gateway
- Allows private subnets resources to access Internet
* Network Access Control List (NACL)
- Control access to subnets; stateless
- A VPC defines an IP address space that is then divided into subnets.
- These subnets are deployed within AZs, causing the VPC to span AZs
You can create many subnets in a VPC
- though fewer is recommended to limit the complexity of the network topology
- You can configure route tables for your subnets to control the traffic between subnets and the internet
- By default, all subnets within a VPC can communicate with each other
- Subnets are generally classified as public or private
PUBLIC: Have direct access to the internet
PRIVATE: Do not have direct access to the internet
* For a subnet to be public we need to:
- attach an IGW to the VPC and update the route table of the public subnet to send non-local traffic to the IGW
- EC2 instances also need a public IP address to route to an IGW

EXAMPLE VPC:
Let's design an example Amazon VPC that we can use to start deploying compute resources and AWS services.
We'll create a network that supports high availability and uses multiple subnets.
First, since VPCs are Region-based:
- We need to select a Region
- I've selected the N. Virginia Region
- Next, I'll create the VPC
- I'll give it a name, yt-clone-vpc
- and I'll define the IP address base for the VPC
- 10.0.0.0/16: the /16 is the CIDR prefix length and means that I have over 65,000 IP addresses to use in the VPC
- Next, I create a subnet named Subnet A1 and assign it an IP address base that contains 256 IP addresses
- Also, I specify that this subnet will live in AZ A
NEXT,
- I create another subnet called Subnet B1 and assign it the IP address space 10.0.2.0/23, which contains 512 IP addresses
- I've added an IGW called test-IGW
Subnet A1 will become a public subnet where non-local traffic is routed through the IGW
- B1 will be our private subnet that is isolated from the internet
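As an added example (not part of the training notes), the following Python checks a VPC address plan like the one just designed: the VPC 10.0.0.0/16, Subnet B1 10.0.2.0/23 and Subnet A1, whose block is assumed here to be 10.0.1.0/24 since the notes only give its size (256 addresses). It applies the /16 to /28 limit quoted later in these notes and the rule that subnet ranges must not overlap, and reports usable addresses after the five that AWS reserves in every subnet.

```python
import ipaddress
from itertools import combinations

# AWS limit quoted in these notes: an IPv4 VPC CIDR (and each subnet) must be /16 to /28.
MIN_PREFIX, MAX_PREFIX = 16, 28
# AWS reserves the first four and the last address of every subnet (documented AWS behaviour).
RESERVED_PER_SUBNET = 5


def address_range(cidr):
    """Return (total addresses, first address, last address) for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses, str(net[0]), str(net[-1])


def usable_hosts(cidr):
    """Addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def check_plan(vpc_cidr, subnets):
    """Validate a VPC CIDR and a {name: cidr} map of subnets.
    Returns a list of human-readable problems; an empty list means the plan is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    nets = {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:  # e.g. host bits set, like 10.0.1.5/24
            problems.append(f"{name}: {cidr} is not a valid network ({err})")
    for name, net in nets.items():
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{name} {net} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} lies outside VPC {vpc}")
    # Subnet ranges must be unique and must not overlap each other.
    for (a_name, a), (b_name, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


if __name__ == "__main__":
    # The example design from the notes; A1's exact block is an assumption (only its size is given).
    plan = {"Subnet A1": "10.0.1.0/24", "Subnet B1": "10.0.2.0/23"}
    print("VPC 10.0.0.0/16:", address_range("10.0.0.0/16"))
    for name, cidr in plan.items():
        print(name, address_range(cidr), "usable:", usable_hosts(cidr))
    print("problems:", check_plan("10.0.0.0/16", plan) or "none")
```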
*****************
### 1. Amazon VPC Deployment
In this module, you explore the following concepts and learn about their benefits:
- Identify what an Amazon Virtual Private Cloud (Amazon VPC) is
- Describe the difference between a default Amazon VPC and a custom Amazon VPC
- Demo: Deploying a simple Amazon VPC through the AWS Management Console
- Demo: Deploying a simple Amazon VPC through the AWS Command Line Interface (AWS CLI)
### 2. Securing and Configuring High Availability
In this module, you explore the following concepts and learn about their benefits:
- Describe AWS Identity and Access Management (IAM)
- Identify network access control lists (network ACLs)
- Identify security groups
- Compare and contrast stateless and stateful controls
- Identify Elastic Load Balancing and the different types
### Module 3: Multi-Tier Application Architecture
In this module, you explore the following concepts and learn about their benefits:
- Explain how to design a custom Amazon VPC for your requirements
- Describe a multi-tier application architecture design
- Identify how to strengthen security by customizing an Amazon VPC
- Identify how to limit exposure to resources in an Amazon VPC
### Module 4: Check Your Understanding
- Apply knowledge from Modules 1–3.
### Optional Lab: Configuring and Deploying Amazon VPC for a Three-Tier Web Application (Fee Required)
- This lab presents a walk-through of how to configure an Amazon VPC and deploy a 3-tier web application.

---
In this module, you explore the following concepts and learn about their benefits:
- Identify what an Amazon Virtual Private Cloud (Amazon VPC) is
- Describe the difference between a default Amazon VPC and a custom Amazon VPC
- Demo: Deploying a simple Amazon VPC through the AWS Management Console
- Demo: Deploying a simple Amazon VPC through the AWS Command Line Interface (AWS CLI)
## What is an Amazon VPC?
A VPC is a virtual private cloud. In essence, a VPC is a virtual data center in the Cloud. An Amazon VPC is a virtual network associated with a single AWS Region; the service defines a boundary around the AWS services and resources that customers choose to deploy and how those services and resources communicate with each other and with external networks such as the internet. AWS supports hybrid Cloud configurations that facilitate a connection between an Amazon VPC and an on-premises location such as a physical data center.
There are two types of Amazon VPCs in an AWS account: a default Amazon VPC and a custom Amazon VPC.
## **Default Amazon VPC**
When you create an AWS account, default Amazon VPCs are created in each supported AWS Region. Using the default Amazon VPC, you can immediately start deploying resources and not have to think about the underlying network.
- Each default Amazon VPC creates a public subnet within each Availability Zone within the supported Region.
- Each public subnet is configured with a default route for all inbound and outbound traffic that routes IP traffic to the general internet.
- AWS sets up the configuration that allows all traffic, so there is no privacy and isolation by default.
- Only one default Amazon VPC per Region is permitted.
- Each default comes with one Amazon VPC Classless Inter-Domain Routing (CIDR) range, which is a given range of IP addresses.
This default Amazon VPC CIDR defines the start and end range of the IP address that the default Amazon VPC can use. Everything inside an Amazon VPC uses this CIDR range. All communications to the Amazon VPC will need to use the Amazon VPC CIDR and outgoing communications will be from this Amazon VPC CIDR.
All default Amazon VPCs are configured in the same way. For added resiliency, the default Amazon VPC is automatically divided into subnets across Availability Zones.
- Each default Amazon VPC is configured to have one subnet located in each Availability Zone of that Region.
- Each subnet in the default Amazon VPC uses part of the IP address range of the Amazon VPC CIDR.
- Each subnet's IP address range must be unique to the other subnets' IP address range and cannot overlap.
If one Availability Zone fails in your default Amazon VPC, the associated subnet will also fail, but with the default Amazon VPC, the other subnets in other Availability Zones are still operating.
The Amazon VPC IPv6 CIDR for your subnet range is /64, and the Amazon VPC CIDR range is /56. The local route is used to communicate between subnets inside your Amazon VPC. The default Amazon VPC IPv4 CIDR, 172.31.0.0/16, is always the same, and is designed and configured the same way too.
## **Custom Amazon VPC**
A custom Amazon VPC is a logically isolated virtual network within a supported Region under a single account, making it a regional service.
- Unlike a default Amazon VPC, each component of a custom Amazon VPC must be explicitly defined when you create it; nothing is allowed in or out without explicit configuration.
- Some decisions, such as the IPv4 and IPv6 support and the CIDR block for the Amazon VPC, cannot be modified later.
- Other features of an Amazon VPC, such as subnets, routing, and VPC endpoints, can be modified as needed.
A custom Amazon VPC, similar to a default Amazon VPC, provides a logically isolated virtual network that supports the deployment of resources and services supported by the Region that the Amazon VPC is created in. Complete control is provided over the virtual network defined by the Amazon VPC.
This includes:
- Choosing the IP address ranges supported by defining each subnet
- Managing network internal traffic flow
- Managing how traffic enters and leaves the Amazon VPC through route tables and network gateways
In a later section of this course, you learn how a public subnet can be configured to allow an application or resource to have access to the internet and how a private subnet, a subnet without external network access, can be used to help secure a database or backend system. You also learn about the multiple layers of security available through an Amazon VPC and how an Amazon VPC can use, for example, network ACLs and security groups to control who and what is allowed access to resources deployed within the Amazon VPC.
AWS supports extending your AWS environment by establishing a secure connection between an Amazon VPC and an on-premises network using:
- AWS Direct Connect
- AWS Site-to-Site Virtual Private Network (VPN)
- AWS Client VPN
This is covered in more detail in the course _AWS Network Connectivity Options_.
## **Default Amazon VPC versus Custom Amazon VPC**


Default VPC diagram (labels: AZ, EC2, Security Group, Network ACL, DHCP, Amazon VPC, Internet Gateway, Route Table)

* **You can have as many subnets as you like in each AZ. By default AWS creates one VPC containing one subnet in each AZ. The number of AZs varies from Region to Region.**
# Starting with a basic Amazon VPC architecture
When deploying an Amazon VPC, there are certain infrastructure considerations to be aware of. For a quick review, start by building a basic Amazon VPC architecture piece by piece.
### Amazon VPCs live in the AWS Cloud

Amazon VPCs are hosted entirely within the AWS Cloud, gaining all of the security, cost, performance, and availability benefits of the AWS Global Infrastructure.
### An Amazon VPC lives in one Region

A single Amazon VPC can't live in more than one Region. Choose carefully: The Region in which you place your infrastructure impacts costs and, depending on where your end users live, latency.
Also, check that the services your applications need are available in the Region you select. Some Regions (especially newer ones) don't have every AWS service available.
To check service availability by Region, see AWS Regional Services.
### A subnet can only live in one Availability Zone

While an Amazon VPC can span more than one Availability Zone within one Region, a subnet is restricted to one Availability Zone.
### Some AWS resources must be launched into an Amazon VPC

Most AWS resources can be launched within an Amazon VPC. That means those resources live within a specific Region, just like their Amazon VPC does, and become unavailable if that Amazon VPC becomes unavailable for any reason.
### Internet gateways let your Amazon VPC resources reach the internet

If you route a subnet to an internet gateway, that subnet becomes a public subnet. With the right configuration, resources within that subnet can then reach and be reached by the internet.
Internet gateways are:
- Horizontally scaled
- Redundant
- Highly available
This means that even though each Amazon VPC has a single internet gateway, this internet gateway is not a bottleneck nor a single point of failure.
### Route tables control the routing of traffic related to your Amazon VPCs

Route tables direct traffic to targets based on the IP address the traffic is seeking. Each Amazon VPC comes with its own route table called the _main route table_, which handles all traffic by default. By creating custom route tables and associating them with subnets, you can further customize how traffic is handled on a per-subnet basis.
In this example, the subnet is associated with a route table. The first row takes all traffic from that subnet, intended to remain within the VPC (10.0.0.0/16), and routes it within the Amazon VPC (local). The second row takes all traffic coming from that subnet and directs it to the internet gateway (igw-id). This association is what makes this subnet public.
However, because 10.0.0.0/16 is a more specific range than 0.0.0.0/0, the route table knows to direct all of that traffic to _local_, overriding the route in the second row. When destinations overlap, the more specific destination IP range is the one that is carried out.
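As an added example (not from the course), here is the route-table lookup just described, together with the public-subnet test from earlier in these notes, written out in Python. The route tables, the target names and the instance attributes are constructed to mirror the example (10.0.0.0/16 to local, 0.0.0.0/0 to igw-id) and the public-subnet requirements (IGW attached, default route pointing at it, instance with a public IP); the external address 198.51.100.7 is constructed.

```python
import ipaddress

# Route tables as (destination CIDR, target) rows, mirroring the course example.
# The second table lists the same rows in the opposite order to show that order is irrelevant.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-id")]
PUBLIC_RT_REVERSED = [("0.0.0.0/0", "igw-id"), ("10.0.0.0/16", "local")]
PRIVATE_RT = [("10.0.0.0/16", "local")]  # no route to the internet at all


def lookup(route_table, dst_ip):
    """Return the target the VPC router would use for dst_ip: the matching route with
    the longest prefix wins, so 10.0.0.0/16 beats 0.0.0.0/0 for in-VPC traffic."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target  # None means no matching route: the packet is dropped


def is_public_subnet(route_table, igw_attached):
    """Public = the subnet's route table sends 0.0.0.0/0 to an internet gateway
    and that gateway is actually attached to the VPC."""
    has_default_to_igw = any(cidr == "0.0.0.0/0" and target.startswith("igw-")
                             for cidr, target in route_table)
    return igw_attached and has_default_to_igw


def instance_reaches_internet(route_table, igw_attached, has_public_ip):
    """Being in a public subnet is not enough: the instance also needs a public IPv4
    address for the IGW to translate and forward its traffic."""
    return is_public_subnet(route_table, igw_attached) and has_public_ip


if __name__ == "__main__":
    tables = [("public", PUBLIC_RT), ("reversed", PUBLIC_RT_REVERSED), ("private", PRIVATE_RT)]
    for rt_name, rt in tables:
        for ip in ("10.0.5.4", "198.51.100.7"):  # an in-VPC address and a constructed external one
            print(f"{rt_name:8} {ip:14} -> {lookup(rt, ip)}")
    print("A1 public:", is_public_subnet(PUBLIC_RT, igw_attached=True))
    print("B1 public:", is_public_subnet(PRIVATE_RT, igw_attached=True))
```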
### Summary
Remember:
1. Amazon VPCs live entirely within the AWS Cloud.
2. An Amazon VPC lives in one Region.
3. A subnet can only live in one Availability Zone.
4. Some AWS resources must be launched into an Amazon VPC.
5. Internet gateways let your VPC resources reach the internet.
6. Route tables control the routing of traffic coming into, going out of, and moving within your Amazon VPC.
# TEST
## What is the maximum number of AWS Regions in which an Amazon Virtual Private Cloud (Amazon VPC) can be deployed?

## Is the following statement correct: To ensure high availability, you should make your subnets span across more than one Availability Zone (make them Multi-AZ).

Subnets cannot span more than one Availability Zone.
## True or False: The Amazon Virtual Private Cloud (Amazon VPC) is where all Amazon Web Services (AWS) resources are launched.

Only some AWS services, such as Amazon EC2, require their resources be launched into an Amazon VPC.
## In order for resources in your public subnet to reach the internet, they need to be provided with what kind of target?
An internet gateway serves two purposes:
- To provide a target in your VPC route tables for internet-routable traffic
- To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses
## What does this route table do? (Select TWO)


Each route in a route table specifies a destination and a target. If a route table has multiple routes, the most specific route that matches the traffic is used to determine how to route the traffic.
In the example provided, IPv4 addresses within the 10.0.0.0/16 range will route to the target **local**, and all other IPv4-addressed destinations will be routed to the internet gateway attached to the Amazon VPC.
# Summary
In this module, you learned to:
- Identify what an Amazon Virtual Private Cloud (VPC) is
- Describe the difference between a default Amazon VPC and a custom Amazon VPC
- Deploy a simple Amazon VPC via the AWS Management Console
- Deploy a simple Amazon VPC via the AWS Command Line Interface (AWS CLI)
In the next module, you explore adding security and high availability to your custom Amazon VPC.
"There is a bunch already there. That is because you have one default subnet in each default VPC in each Availability Zone,
and we also have default route tables and a lot of other default VPC resources in every Region."
But I want to be able to create those VPCs from scratch, because this is going to help when I need to custom-build a VPC in my own environments later.
## WIZARDS
But these wizard options are a good start if you're looking to spin up something quickly.
## Creating VPC from scratch
This Region already has a default VPC in it.
And you can tell which one of your VPCs is the default VPC because there's a handy column for it.
- **You need to be careful when you're working with your VPCs, because IF YOU DELETE YOUR DEFAULT VPC you can't recreate it without filing a ticket with Support first and getting their help.**
- It is really easy to just select it and accidentally delete it, and maybe you missed the warning pop-up, and then you are out a default VPC for that Region until you get Customer Support to put it back.
YOU DON'T NEED A DEFAULT VPC FOR ANYTHING, BUT IT IS HANDY TO HAVE WHEN YOU JUST FEEL LIKE LAUNCHING SOME NEW RESOURCES TO PLAY WITH AND YOU DON'T FEEL LIKE CREATING A WHOLE NEW SEPARATE VPC JUST FOR THEM... BUT JUST BE MINDFUL THAT IT'S REALLY ONLY SUITABLE FOR EXPERIMENTING or LEARNING SERVICES or launching simple things like a blog or a simple website.
- For the majority of your production environments you really should be creating a custom VPC for those resources, which is what we're going to do.
# CREATING VPC
- Give it a friendly name
- We are going to make this a medium-sized VPC with a /22 CIDR block, the private IP range 10.0.0.0/22. This reserves all the IPs from 10.0.0.0 through 10.0.3.255 for this VPC, a total of 1024 IPs.
- Your CIDR block for an IPv4 VPC in the 10.0.0.0 to 10.255.255.255 range has to be between /16 and /28 in size, so /16 would cover that entire range and /28 would be the smallest you could have, just 16 addresses in size.
- A good rule for sizing: when you're trying to figure out how many IPs you might need in a VPC or a subnet, estimate how many you might need 2 years from now.
- You are going to need to make sure your applications have room to grow.
- We are going to specify NO IPv6 CIDR block, as mentioned.
- Then we get to tenancy.
- TENANCY is about where your VPC's instances are running.
- DEDICATED TENANCY in a VPC means any instances launched into that VPC by any user will be forced to be dedicated instances.
- DEDICATED INSTANCES run on hardware that's dedicated to a single customer.
- DEDICATED INSTANCES in one AWS account are physically isolated from instances in other AWS accounts.
- So if you leave the VPC TENANCY as default, as we're going to do here, it MEANS that when an instance is launched into that VPC, the person launching it can decide at that time whether they want to use dedicated hardware or not.
- Setting it as DEDICATED will force any instances launched inside the VPC to be dedicated instances.
- DEFAULT means that each instance can be either shared tenancy or dedicated tenancy.
- With the default, you choose what you want when you launch the instance.
- We could also create more tags here if we want to.
- That is helpful if you want to add more things that you can search for later.
- Say, for example, you want to tag all the resources associated with your web application.
- All of the resources across all the different services.
- Then when you need to find everything related to that one thing, you just search for that tag and you can find it all.
### VPCs are usually created pretty quickly, so you should see that it has the state AVAILABLE right here; but if you don't, just be patient and refresh periodically until it is available
### So we have a VPC, but we still need a subnet
# SUBNET
So let's go to the Subnets page,
So again, you are going to see some subnets already here; these are the default subnets, and you see one for each Availability Zone. If we go over here, you'll see there are four AZs, and so four default subnets.
So we are gonna create a subnet for our new VPC
- Click CREATE SUBNET
- It's got a VPC dropdown menu; as you can see, this is one place where a friendly name is helpful
- We'll give the subnet another friendly name so we can recognize it later: yt-clone
- You can see the dropdown is populated with all of the VPCs in this Region
### NOTE: Different AWS services have different scopes, or different levels at which they operate.

- A security group (SG) works at the instance level and the NACL works at the subnet level. This means whatever rules you put into the NACL are applied to all EC2 instances in that subnet, whereas the rules you put inside a security group apply only to the EC2 instances to which the SG is attached.
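To show what "stateless" versus "stateful" means in practice, here is an added example (not from the course) that models one HTTPS connection through a security group and through a network ACL; the rule sets, the client address 203.0.113.5 and the client port 50000 are constructed for the demonstration.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # client-side ports that replies are sent back to


def _matches(rule_proto, rule_ports, rule_cidr, proto, port, ip):
    """True when a packet (proto, port, remote ip) falls inside one rule."""
    lo, hi = rule_ports
    return (rule_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule_cidr))


class SecurityGroup:
    """Instance-level and stateful: the reply to an allowed connection is allowed
    automatically, whatever the outbound rules say. Rules: (proto, (lo, hi), cidr)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # connections that entered through an allow rule

    def inbound_ok(self, proto, local_port, remote_ip, remote_port):
        if any(_matches(*r, proto, local_port, remote_ip) for r in self.inbound):
            self.tracked.add((proto, local_port, remote_ip, remote_port))
            return True
        return False

    def outbound_ok(self, proto, local_port, remote_ip, remote_port):
        if (proto, local_port, remote_ip, remote_port) in self.tracked:
            return True  # return traffic of a tracked connection
        return any(_matches(*r, proto, remote_port, remote_ip) for r in self.outbound)


class NetworkAcl:
    """Subnet-level and stateless: each direction is judged on its own, lowest rule
    number first, with an implicit deny at the end. Rules: (num, proto, (lo, hi), cidr, action)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    @staticmethod
    def _evaluate(rules, proto, port, ip):
        for _num, rproto, ports, cidr, action in rules:
            if _matches(rproto, ports, cidr, proto, port, ip):
                return action == "allow"
        return False  # the trailing "*" deny rule

    def inbound_ok(self, proto, local_port, remote_ip, remote_port):
        return self._evaluate(self.inbound, proto, local_port, remote_ip)

    def outbound_ok(self, proto, local_port, remote_ip, remote_port):
        return self._evaluate(self.outbound, proto, remote_port, remote_ip)


def https_round_trip(fw, client_ip="203.0.113.5", client_port=50000):
    """Constructed exchange: a client opens TCP/443 to the instance and the instance
    replies. Returns (request_allowed, reply_allowed)."""
    request = fw.inbound_ok("tcp", 443, client_ip, client_port)
    reply = fw.outbound_ok("tcp", 443, client_ip, client_port)
    return request, reply


# Constructed rule sets: both allow HTTPS in, neither explicitly allows the reply out.
WEB_SG = SecurityGroup(inbound=[("tcp", (443, 443), "0.0.0.0/0")], outbound=[])
WEB_NACL = NetworkAcl(inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
                      outbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")])
# The fix for the stateless NACL: an explicit outbound allow back to the ephemeral ports.
FIXED_NACL = NetworkAcl(inbound=WEB_NACL.inbound,
                        outbound=WEB_NACL.outbound + [(110, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")])
```

The security group lets the reply out because it remembers the inbound connection; the NACL drops the same reply until a rule for the ephemeral port range is added.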

#### DAY 2, Wednesday 22
