# AWS Certified Solutions Architect - Associate (VPC)

###### tags: `AWS`

### VPC

Virtual data center of the cloud

#### Features

- Launch instances into a subnet of your choosing
- Assign custom IP address ranges in each subnet
- Configure route tables between subnets
- Create an internet gateway and attach it to your VPC
- Much better security control over your AWS resources
  - Instance security groups
  - Subnet network access control lists (ACLs)

![](https://i.imgur.com/Vk9ZHgI.png)

![](https://i.imgur.com/L1HsLm7.png)

#### Default VPC vs Custom VPC

- The default VPC is user friendly, allowing you to immediately deploy instances
- All subnets in the default VPC have a route out to the internet
- Each EC2 instance has both a public and a private IP address

#### VPC Peering

- Allows you to connect one VPC with another via a direct network route using private IP addresses
- Instances behave as if they were on the same private network
- You can peer VPCs with other AWS accounts as well as with other VPCs in the same account
- Peering is in a star configuration: i.e. 1 central VPC peers with 4 others. "NO TRANSITIVE PEERING"

![](https://i.imgur.com/XzMKhjW.png)

> Example: B cannot communicate with C through A (so-called transitive peering); it needs its own peering connection with C

- You can peer between regions

Tips:

- Think of a VPC as a logical data center in AWS
- Consists of IGWs (or Virtual Private Gateways), Route Tables, Network Access Control Lists, Subnets, and Security Groups
- 1 Subnet = 1 AZ
- Security Groups are stateful; Network Access Control Lists are stateless
- NO TRANSITIVE PEERING

Tips: Remember the following:

- When you create a VPC, a default Route Table, Network Access Control List (NACL) and a default Security Group are created.
- It won't create any subnets, nor will it create a default IGW.
- US-East-1A in your AWS account can be a completely different AZ to US-East-1A in another AWS account. The AZs are randomized.
- Amazon always reserves 5 IP addresses within your subnets.
- You can only have 1 IGW per VPC.
- Security Groups can't span VPCs.

#### NAT Instances & NAT Gateways

![](https://i.imgur.com/yX6FtX7.png)

**NAT instances**

Tips:

- When creating a NAT instance, disable Source/Destination Check on the instance
- NAT instances must be in a public subnet
- There must be a route out of the private subnet to the NAT instance in order for this to work
- The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size
- You can create HA using Auto Scaling Groups, multiple subnets in different AZs, and a script to automate failover
- Behind a Security Group

**NAT gateways**

- Redundant inside the AZ
- Preferred by the enterprise
- Starts at 5 Gbps and scales currently to 45 Gbps
- No need to patch
- Not associated with security groups
- Automatically assigned a public IP address
- Remember to update your route tables
- No need to disable Source/Destination Checks

> If you have resources in multiple AZs and they share one NAT gateway, in the event that the NAT gateway's AZ is down, resources in the other AZs lose internet access.
> To create an AZ-independent architecture, create a NAT gateway in each AZ and configure your routing to ensure that resources use the NAT gateway in the same AZ.

#### Network ACLs

Tips:

- A VPC automatically comes with a default network ACL; by default it allows all inbound and outbound traffic
- You can create custom network ACLs. By default, each custom network ACL denies all inbound and outbound traffic
- Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with an ACL, the subnet is automatically associated with the default ACL
- Block IP addresses using network ACLs, not Security Groups
- One ACL -> multiple subnets
- One subnet -> one ACL
- Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule
- Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic
- Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)

### ELB

It requires two subnets to create an ELB.

### VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs.

#### 3 Levels

- VPC
- Subnet
- Network Interface Level

Tips:

- You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- You can tag flow logs
- After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log

> Not all IP traffic is monitored:
> - Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
> - Traffic generated by a Windows instance for Amazon Windows license activation
> - Traffic to and from 169.254.169.254 for instance metadata
> - DHCP traffic
> - Traffic to the reserved IP address for the default VPC router

### Bastion Hosts

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks.

![](https://i.imgur.com/bXgwyAj.png)

Tips:

- A NAT Gateway or NAT instance is used to provide internet traffic to EC2 instances in private subnets
- A bastion is used to securely administer EC2 instances (using SSH or RDP). Bastions are called Jump Boxes in Australia
- You cannot use a NAT gateway as a Bastion Host

### Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

Tips:

- Direct Connect directly connects your data center to AWS
- Useful for high-throughput workloads (i.e. lots of network traffic)
- Or if you need a stable, reliable and secure connection

#### Direct Connect setup steps

- Create a virtual interface in the Direct Connect console. This is a PUBLIC Virtual Interface.
- Go to the VPC console and then to VPN Connections; create a Customer Gateway.
- Create a Virtual Private Gateway.
- Attach the Virtual Private Gateway to the desired VPC.
- Select VPN Connections and create a new VPN Connection.
- Select the Virtual Private Gateway and the Customer Gateway.
- Once the VPN is available, set up the VPN on the customer gateway or firewall.

### Global Accelerator

AWS Global Accelerator is a service in which you create accelerators to improve the availability and performance of your applications for local and global users.

![](https://i.imgur.com/XHyeZBB.png)

![](https://i.imgur.com/Ynpw6uT.png)

#### AWS Global Accelerator components

- Static IP addresses
- Accelerator: directs traffic to optimal endpoints over the AWS global network
- DNS Name: each accelerator is assigned a default DNS name
- Network Zone: a network zone services the static IP addresses for your accelerator from a unique IP subnet (like an AZ)
- Listener: a listener processes inbound connections from clients to Global Accelerator, based on the port and protocol that you configure
- Endpoint Group: each endpoint group is associated with a specific AWS Region. Endpoint groups include one or more endpoints in the Region (a traffic dial sets the percentage of traffic directed to the group)
- Endpoint: endpoints can be Network Load Balancers, Application Load Balancers, EC2 instances or Elastic IP addresses

Tips:

- AWS Global Accelerator is a service in which you create accelerators to improve availability and performance of your applications for local and global users
- You are assigned two static IP addresses (or alternatively you can bring your own)
- You can control traffic using traffic dials. This is done within the endpoint group

### VPC Endpoints

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an IGW, NAT device, VPN connection or AWS Direct Connect connection.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and the service.

#### Two types

- Interface Endpoints
- Gateway Endpoints

#### Currently Gateway Endpoints support

- Amazon S3
- DynamoDB

### AWS PrivateLink

Opening your services in a VPC to another VPC

![](https://i.imgur.com/bjQd4Af.png)

- Open the VPC up to the internet
  - Security considerations: everything in the public subnet is public
  - A lot more to manage
- Use VPC peering
  - You will have to create and manage many different peering relationships
  - The whole network will be accessible. This isn't good if you have multiple applications within your VPC

![](https://i.imgur.com/KHp7SDY.png)

Tips:

- If you see a question asking about peering VPCs to tens, hundreds, or thousands of customer VPCs, think of AWS PrivateLink
- Doesn't require VPC peering; no route tables, NAT, IGWs, etc.
- Requires a Network Load Balancer on the service VPC and an ENI on the customer VPC

### Transit Gateway

Simplify your network topology

![](https://i.imgur.com/zAGY2sl.png)

Tips:

- Allows you to have transitive peering between thousands of VPCs and on-premises data centers.
- Works on a hub-and-spoke model
- Works on a regional basis, but you can have it across multiple regions
- You can use it across multiple AWS accounts using RAM
- You can use route tables to limit how VPCs talk to one another.
- Works with Direct Connect as well as VPN connections
- Supports **IP multicast** (not supported by any other AWS service)

### VPN CloudHub

![](https://i.imgur.com/tteZHo8.png)

Tips:

- If you have multiple sites, each with its own VPN connection, you can use AWS VPN CloudHub to connect those sites together.
- Hub-and-spoke model
- Low cost; easy to manage
- It operates over the public internet, but all traffic between the customer gateway and the AWS VPN CloudHub is encrypted

### Network Costs

![](https://i.imgur.com/C4vT4kV.png)

Tips:

- Use private IP addresses over public IP addresses to save on costs. This then utilizes the AWS backbone network
- If you want to cut all network costs, group your EC2 instances in the same AZ and use private IP addresses. This will be cost-free, but make sure to keep in mind single-point-of-failure issues.
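The NAT gateway section above warns that private subnets in several AZs sharing a single NAT gateway lose internet access when that gateway's AZ is down. The following Python check, added here as an example and not part of the original notes, walks a constructed inventory of private subnets, route tables and NAT gateways (all names and AZs are made up) and flags every subnet whose default route leaves its own AZ:

```python
"""Added example (not from the original notes): flag private subnets whose
0.0.0.0/0 route points at a NAT gateway in a different AZ.
The inventory below is constructed; it is not output of any AWS API."""

# Constructed inventory: private subnets with their AZ and route table.
SUBNETS = {
    "subnet-priv-a": {"az": "us-east-1a", "route_table": "rtb-priv-a"},
    "subnet-priv-b": {"az": "us-east-1b", "route_table": "rtb-priv-b"},
    "subnet-priv-c": {"az": "us-east-1c", "route_table": "rtb-priv-c"},
}

# NAT gateway id -> AZ it was created in (constructed).
NAT_GATEWAYS = {"nat-a": "us-east-1a", "nat-b": "us-east-1b", "nat-c": "us-east-1c"}

# Route tables: destination CIDR -> target. Only the default route matters here.
ROUTES_SHARED = {              # every private subnet goes out through nat-a
    "rtb-priv-a": {"0.0.0.0/0": "nat-a"},
    "rtb-priv-b": {"0.0.0.0/0": "nat-a"},
    "rtb-priv-c": {"0.0.0.0/0": "nat-a"},
}
ROUTES_PER_AZ = {             # AZ-independent: each subnet uses the NAT gateway in its own AZ
    "rtb-priv-a": {"0.0.0.0/0": "nat-a"},
    "rtb-priv-b": {"0.0.0.0/0": "nat-b"},
    "rtb-priv-c": {"0.0.0.0/0": "nat-c"},
}


def cross_az_nat_dependencies(subnets, route_tables, nat_gateways):
    """Return (subnet_id, nat_gateway_id) pairs whose default route crosses AZs.

    Those subnets lose internet access if the NAT gateway's AZ fails, which is the
    single point of failure the notes describe. Subnets with no default route or
    with a non-NAT target (for example an IGW) are not reported."""
    findings = []
    for subnet_id, subnet in subnets.items():
        target = route_tables.get(subnet["route_table"], {}).get("0.0.0.0/0")
        if target in nat_gateways and nat_gateways[target] != subnet["az"]:
            findings.append((subnet_id, target))
    return findings


if __name__ == "__main__":
    for label, routes in (("shared NAT", ROUTES_SHARED), ("per-AZ NAT", ROUTES_PER_AZ)):
        print(label, "->", cross_az_nat_dependencies(SUBNETS, routes, NAT_GATEWAYS))
```

With the shared layout the check reports `subnet-priv-b` and `subnet-priv-c`, both depending on `nat-a` in `us-east-1a`; with one NAT gateway per AZ and matching routes it reports nothing. In a real account the three dictionaries would be filled from `DescribeSubnets`, `DescribeRouteTables` and `DescribeNatGateways` output.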
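The Network ACL tips above state three things that together decide whether a packet passes: rules are evaluated from the lowest number upward, the first match wins (with an implicit deny when nothing matches), and the ACL is stateless, so reply traffic is checked against the opposite direction's rules. The toy evaluator below is an added example, not code from the notes; the rule numbers, CIDRs and ports are constructed, and it shows the classic mistake of allowing inbound 443 without an outbound ephemeral-port rule:

```python
"""Added example (not from the original notes): a minimal model of network ACL
rule evaluation, used to show why statelessness needs an ephemeral-port rule.
All rule numbers, CIDRs and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # rules are evaluated lowest number first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # remote CIDR the rule matches
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

    def matches(self, protocol: str, remote_ip: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ip_address(remote_ip) not in ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules: list[NaclRule], protocol: str, remote_ip: str, port: int) -> str:
    """First matching rule wins, in ascending rule-number order.
    If nothing matches, the implicit '*' rule denies, as on AWS."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, remote_ip, port):
            return rule.action
    return "deny"


# Constructed NACL for a public web subnet.
INBOUND = [
    NaclRule(90, "tcp", "198.51.100.0/24", 0, 65535, "deny"),   # block one range; lowest number wins
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),        # clients reach us on HTTPS
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),     # replies to our own outbound calls
]
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),        # only our outbound HTTPS requests
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),     # replies to clients' ephemeral ports
]


def https_session_succeeds(inbound, outbound, client_ip: str, client_port: int) -> bool:
    """A client connects to our instance on 443 from an ephemeral port.

    Because NACLs are stateless the request is checked against the inbound rules
    (destination port 443) and the reply is separately checked against the
    outbound rules (destination port = the client's ephemeral port)."""
    request_ok = evaluate(inbound, "tcp", client_ip, 443) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    print("inbound 443 from blocked range:", evaluate(INBOUND, "tcp", "198.51.100.7", 443))
    print("session, outbound missing ephemeral rule:",
          https_session_succeeds(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 51515))
    print("session, outbound fixed:",
          https_session_succeeds(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 51515))
```

A security group needs no equivalent of rule 110 in `OUTBOUND_FIXED`: it is stateful, so once the inbound request on 443 is allowed the reply is allowed automatically. The model also shows why the deny rule for a blocked range must carry a lower number than the broad allow, otherwise the allow matches first and the deny is never reached.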
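The VPC Flow Logs section above says what is captured but not what a record looks like or how you would use one. The parser below is an added example (not from the notes) for the default flow log record format, whose field order is `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`; the log lines, account id and ENI id are constructed. It drops `NODATA`/`SKIPDATA` records, which carry no traffic fields, and then summarises `REJECT` actions per source address, a common first triage query when checking what a NACL or security group is turning away:

```python
"""Added example (not from the original notes): parse default-format VPC flow
log records and summarise REJECT activity per source address.
The log lines below are constructed; the account and interface ids are fake."""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample: one accepted HTTPS flow, three rejected probes from one
# source, one NODATA record, and one accepted internal database flow.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 45678 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 39000 5432 6 30 9000 1700000000 1700000060 ACCEPT OK
"""


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int     # IANA protocol number, e.g. 6 = TCP
    packets: int
    bytes: int
    action: str       # "ACCEPT" or "REJECT"


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records. Records whose log-status is not OK
    (NODATA, SKIPDATA) have '-' in the traffic fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or custom-format line
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]), dstport=int(row["dstport"]),
            protocol=int(row["protocol"]), packets=int(row["packets"]),
            bytes=int(row["bytes"]), action=row["action"]))
    return records


def rejected_ports_by_source(records: list[FlowRecord]) -> dict[str, set[int]]:
    """Map each source address to the destination ports it was rejected on.
    A NACL or security group deny shows up in flow logs as action REJECT."""
    rejected = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected[r.srcaddr].add(r.dstport)
    return dict(rejected)


def sources_probing_many_ports(records: list[FlowRecord], min_ports: int = 3) -> list[str]:
    """Sources rejected on at least min_ports distinct ports are worth a closer look."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "usable records")
    print("rejected ports by source:", rejected_ports_by_source(recs))
    print("sources to review:", sources_probing_many_ports(recs))
```

Because instance-metadata, DHCP and Amazon DNS traffic are not logged (see the list above), their absence from the parsed records is expected and not a gap in capture. If a flow log was created with a custom format, `FIELDS` has to be replaced with the field list used when it was created, since the configuration cannot be changed afterwards.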
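The VPC Peering section above stresses that peering is not transitive (B cannot reach C through A), while the Transit Gateway section says a TGW gives transitive connectivity in a hub-and-spoke model and that its route tables can limit which VPCs talk to one another. The reachability model below is an added example, not code from the notes: VPC names, route table names and the shared-services layout are constructed, and the TGW class is a deliberate simplification in which each attachment is associated with one route table and a route table holds the set of VPCs it has routes to.

```python
"""Added example (not from the original notes): a toy reachability model that
contrasts VPC peering (no transitive routing) with a Transit Gateway (transitive,
segmented by route tables). VPC and route table names are constructed."""
from typing import Iterable


def peering_reachable(peerings: Iterable[tuple[str, str]], src: str, dst: str) -> bool:
    """Peering gives a route only between the two VPCs in a peering connection.

    There is deliberately no graph search here: a VPC peered with A does not gain
    A's other peerings, which is exactly what 'no transitive peering' means."""
    return any({a, b} == {src, dst} for a, b in peerings)


class TransitGateway:
    """Simplified TGW: each attached VPC is associated with exactly one TGW route
    table, and a route table lists the VPCs it has routes to. Traffic src -> dst is
    forwarded only if src's table has a route to dst, and because replies are
    looked up in dst's table as well, both directions must be present."""

    def __init__(self) -> None:
        self.association: dict[str, str] = {}    # vpc -> route table name
        self.routes: dict[str, set[str]] = {}    # route table -> reachable vpcs

    def attach(self, vpc: str, route_table: str) -> None:
        self.association[vpc] = route_table
        self.routes.setdefault(route_table, set())

    def propagate(self, vpc: str, route_table: str) -> None:
        """Add vpc's route to a table (like enabling route propagation into it)."""
        self.routes.setdefault(route_table, set()).add(vpc)

    def reachable(self, src: str, dst: str) -> bool:
        if src not in self.association or dst not in self.association:
            return False
        forward = dst in self.routes[self.association[src]]
        back = src in self.routes[self.association[dst]]
        return forward and back


def build_flat_tgw(vpcs: Iterable[str]) -> TransitGateway:
    """Default behaviour: one route table, every attachment propagates into it,
    so every VPC can reach every other VPC through the hub."""
    tgw = TransitGateway()
    for v in vpcs:
        tgw.attach(v, "default")
        tgw.propagate(v, "default")
    return tgw


def build_segmented_tgw() -> TransitGateway:
    """Shared-services pattern: spokes reach the shared VPC but not each other.
    Two route tables do the segmentation; the spokes' table only knows 'shared'."""
    tgw = TransitGateway()
    tgw.attach("shared", "shared-rt")
    for spoke in ("app-b", "app-c"):
        tgw.attach(spoke, "spoke-rt")
        tgw.propagate(spoke, "shared-rt")   # shared VPC has a route to each spoke
    tgw.propagate("shared", "spoke-rt")     # spokes have a route to the shared VPC only
    return tgw


if __name__ == "__main__":
    peerings = [("A", "B"), ("A", "C")]    # star: A peers with B and with C
    print("peering B->C:", peering_reachable(peerings, "B", "C"))          # False
    print("flat TGW B->C:", build_flat_tgw(["A", "B", "C"]).reachable("B", "C"))
    seg = build_segmented_tgw()
    print("segmented app-b->shared:", seg.reachable("app-b", "shared"))
    print("segmented app-b->app-c:", seg.reachable("app-b", "app-c"))
```

The flat TGW reproduces the "thousands of VPCs, transitive" point from the notes, while the segmented build shows the route-table control the notes mention: the same hub connects everything, but which pairs can actually exchange traffic is decided by which table each attachment is associated with and what is propagated into it. This is the same least-privilege idea as keeping peering to the minimum set of direct connections, just expressed in the hub instead of in per-VPC route tables.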