--- tags: AWS --- [VPC]([https://aws.amazon.com/vpc/faqs/]) Virtual Private Cloud ===  **private subnet** should be used for resources not avaiable over internet public subnet Virtual data centre in cloud single subnet corresponds to single AZ custom ip address within subnet route tables between subnets create gateway (HA) and attach it to VPC instance security groups When you launch an EC2 instance into a ==default VPC==, AWS provides it with public and private **DNS hostnames** that correspond to the public IPv4 and private IPv4 addresses for the instance. However, when you launch an instance into a non-default VPC, AWS provides the instance with a private DNS hostname only. New instances will only be provided with public DNS hostname depending on these two DNS attributes: the ==DNS resolution and DNS hostnames==, that you have specified for your VPC, and if your instance has a public IPv4 address. Security Groups -- >Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. * security groups can spawn multiple AZ(subnets) but belong to single VPC public and private ip addresses. denies all traffic. by default VPC is having public ip adresss are stateful * all inbound traffic is blocked by default * all outbound traffic is allowed by default * all changes to security groups take effect immediately * multiple security groups can be attached to EC2 * By default blocks everything,need to add allow rule * Can not block specific IP addresses using security groups, instead use Network Access Control Lists * SG can be stateful * you can not block specific ip address with security group use access control list instead * you can always allow rule not deny rules * above 16000 iops go to provisioned iops * Security groups per Region : 2500 (default limit) * Security Groups per Network Interface (EC2 Instance) : 5 (default limit), 16 (the maximum per request) * Inbound or Outbound rules per Security Group : 60 (default limit). You can have 60 inbound and 60 outbound rules per security group (making a total of 120 rules) Network Access Control Lists -- >Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level * List are stateless, default allows all traffic. there is *no transitive peering* * You can associate a network ACL with multiple subnets * Specific i/p address can be clocked by network acl * Netwrork ACL contain a numbered list of rules that is evaluated in order, stating with loweres numbered rule * they have seperate inbound / outbound rules and each rule can allow or deny traffic > AWS have reserved (starting 3 and ending 2) 5 ip address hence you will get total number -5 ip addresses Reserved private i/p address range 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) 0.0.0.0/0 means ALL IP addresses 10.0.0.0/8 means 10.ANYTTHING - Class A - 16 million IPs 10.0.0.0/16 means 10.0.ANYTHING - Class B - 65,536 IPs 10.0.0.0/24 means 10.0.0.0-255 - Class C - 256 IPs 1.3.3.7/32 the 32 means 1 IP address * Ephemeral Port : short lived port for ip communications. it has a range. * nat gateway uses ephemeral port in the range of 1024-65535 A NAT will allow private instances (without a public IP) to access the Internet, but not the other way around. So, for the EC2 instances that need to be available to the Internet, you need to assign a public IP. ... A public subnet means a subnet that has internet traffic routed through AWS's Internet Gateway. when VPC is created it creates 1. Route tables 1. Network ACL 1. Security groups Only one Internet gateway can be assigned to VPC New network ACL is by default have deny all rules | Security group|Network ACL| |-|-|- |Is stateful: Return traffic is automatically allowed, regardless of any rules|Is stateless: Return traffic must be explicitly allowed by rules| |We evaluate all rules before deciding whether to allow traffic|We process rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic| |Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on|Automatically applies to all instances in the subnets that it's associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive)| **Traffic mirroring** You can copy network traffic from an elastic network interface of an Amazon EC2 instance. You can then send the traffic to out-of-band security and monitoring appliances. NAT Instance -- > disable source and destination checks after instance creation * NAT instance must be in public subnet * There must be a route out of the private subnet to nat instance in order this to work * Always behind security group NAT Gateway --- Nat gateway -> enables internet access to private subnet instances. nat gateways created in public subnet. NAT gateways are not supported for IPv6 traffic—use an outbound-only (egress-only) internet gateway instead. For more information, see Egress-only internet gateways. * nat gateway are highly available and AZ independant EC2 instances * If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone. * create one nat gateways per each AZ * redundant inside az .. can not span AZ * thoughput 5gbps to 45 gbps * no need to patch * nat gateways are not associated with any security groups * port forwarding not supported in nat gateway while it is allowed in nat instance. * Default network ACL is created with VPC and by default allows all inbound and outbound traffic * Subnet can be associated with any one ACL at any time. By default it attaches to default network ACL * Rules are followed in <b>chronological</b> order that means if Rule 100 says Allow and Rule 400 says deny then it will allow * ACL comes before security groups * Custom netowrk acl by default blocks all inbound and outbound network traffic **Flow Logs** * can not be set up on peered VPC * Can be setup at VPC level/ subnet level/Network interface Level * you can tag a flow logs * you can not change flow log configuration once it is created * Not all traffic is monitered (traffic to and from 169.254.169), DHCP traffic, traffic generated by windows, reserved ip address for default router **Bastion Host** * SSH to private host in VPC will be hosted in public subnet * nat instance or gateway provide internet access * Bastion is used to secure the private ec2 instances access. single point of access * You can not use nat gateway as bastion host **Direct connect** : * Dedicated network connection from your data center to aws * useful for high throughput * stable or reliable internet connection Setting up Direct connect - steps 1. create a virtual interface in direct connect console 2. go to vpc console and then to vpn connection. create a customer gateway. 3. create a virtual private gateway 4. attach virtual private gateway to desired vpc 5. select VPN connections and create a new vpn connection 6. select virtual private and customer gateway 7. once vpn is available setup vpn on customer gateway or firewall. **VPC end point** : * VPC endpoint enables you to privately connect to VPC to supported aws services * Interface endpoints also known as (AWS PrivateLink) used for these services include some AWS services, services hosted by other AWS customers and partners in their own VPCs (SNS/SQS/Sagemaker/cloudwatch) * Gateway endpooint used for (s3 , dynamo db) :::info To avoid data processing charges for NAT gateways when accessing Amazon S3 and DynamoDB that are in the same Region, set up a gateway endpoint and route the traffic through the gateway endpoint instead of the NAT gateway. There are no charges for using a gateway endpoint. For more information, see Gateway VPC endpoints. ::: When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones.True vpc endpoint vpc gateway endpoint Code pipeline Code Deploy aws config aws inspector **AWS Private Link** * Best way to expose service VPC to customer VPC * Doesnt require VPC peering; NAT, Internet gateways,route tables * Requires netwrok load balancer on service VPC and ENI on customer VPC **Egress Only Internet GateWay** * An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC * allows outbound communication over IPv6 from instances in your VPC to the internet * prevents the internet from initiating an IPv6 connection with your instances. **AWS Transit Gateway** * Allows you to have trasitive peering between thousands of VPC's and on premises data centers * Simplify network topology, 100 vpn connections use AWS transit gateway * IP multicast * hub and spoke model * can work across multiple regions * can use i across multiple aws accounts with aws Resource Manager ***AWS VPN cloud Hub*** * connect multiple vpn sites usin hub * low cost ; easy to manage * **AWS Global Accelerator** : AWS Global Accelerator is a networking service that sends your user’s traffic through Amazon Web Service’s global network infrastructure, improving your internet user performance by up to 60%. When the internet is congested, Global Accelerator’s automatic routing optimizations will help keep your packet loss, jitter, and latency consistently low. * By default global accelarator give you two static ip addresses that you can associate with your accelarator * Accelarator (directs traffic to optimal endpoints) * DNS name for static ips * Network Zone : unique ip subnet * Listener : inbound connections from clients to global accelarator * end point : endpoint can be network load balacners,ec2 instances or ealstic ip addresses * Endpoint group : associated with specific regions. one or more endpoints grouops in a region ### AWS Networking Cost * Use private ip addresses over public ip address This then utilizes aws backbone network * Group EC2 instances in same AZ and use private ip addresses, this will be cost free but bear in mind single point of failure *