<\/p>\n
Virtual Private Cloud (VPC):<\/p>\n
- \n
- A private network within AWS. It’s your private data center inside the AWS platform.<\/li>\n
- Can be configured to be public\/private or a mixture<\/li>\n
- Regional (can’t span regions), highly available, and can be connected to your data center and corporate networks<\/li>\n
- Isolated from other VPCs by default<\/li>\n
- VPC and subnet: max \/16<\/strong> (65,536 IPs) and min \/28<\/strong> (16 IPs)<\/li>\n
- VPC subnets can’t span AZs (1:1 mapping)<\/li>\n
- Certain IPs are reserved in subnets (see architecture diagram)<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/VPC.jpg\")
<\/p>\nRegion Default VPC:<\/p>\n
- \n
- Required for some services, used as a default for most<\/li>\n
- Pre-configured with all required networking\/security<\/li>\n
- Configured using a \/16<\/strong> CIDR block (172.31.0.0\/16<\/strong>)<\/li>\n
- A \/20<\/strong> public subnet in each AZ, allocating a public IP by default<\/li>\n
- Attached Internet gateway with a “main” route table sending all IPv4 traffic to the Internet gateway using a 0.0.0.0\/0 route<\/li>\n
- A default DHCP option set attached.<\/li>\n
- SG: Default \u2014 all from itself, all outbound<\/strong><\/li>\n
- NACL: Default \u2014 allow all inbound and outbound<\/strong><\/li>\n<\/ul>\n
Understanding the Default VPC:<\/p>\n
- \n
- Size \/16 CIDR block (172.31.0.0\/16)<\/li>\n
- Default subnet in each AZ using \/20 subnet mask<\/li>\n
- Internet gateway<\/li>\n
- Main route table sending all IPv4 traffic for 0.0.0.0\/0 to the Internet gateway<\/li>\n
- Default security group allowing all traffic<\/li>\n
- Default network ACL (NACL) allowing all traffic<\/li>\n
- Default DHCP option set<\/li>\n<\/ul>\n
VPC IP Reservations:<\/p>\n
AWS reserves the first four IP and the last IP addresses. In a 10.0.0.0\/24, the fol-lowing IPs are reserved:<\/p>\n
- \n
- 10.0.0.0: Network address<\/li>\n
- 10.0.0.1: Reserved by AWS for the Amazon VPC router<\/li>\n
- 10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the Amazon VPC network range; however, the base of each subnet range is also reserved.<\/li>\n
- 10.0.0.3: Reserved by AWS for future use<\/li>\n
- 10.0.0.255: Network broadcast address. AWS does not support broadcast in an Ania\/on VPC; therefore, they reserve this address.<\/li>\n<\/ul>\n
Custom VPC:<\/p>\n
- \n
- Can be designed and configured in any valid way<\/li>\n
- You need to allocate IP ranges, create subnets, and provision gateways and networking, as well as design and implement security.<\/li>\n
- When you need multiple tiers or a more complex set of networking<\/li>\n
- Best practice is to not use default for most production things<\/li>\n<\/ul>\n
VPC Implementation:<\/p>\n
- \n
- Logically isolated from other networks on AWS<\/li>\n
- VPCs can’t span regions<\/li>\n
- Size can range from \/16 to a \/28 netmask (65,536 to 16 IP addresses)<\/li>\n
- Subnets can’t span Availability Zones<\/li>\n<\/ul>\n
Benefits of a VPC:<\/p>\n
- \n
- Ability to launch instances into a subnet<\/li>\n
- Ability to define custom IP address ranges inside of each subnet (private and public subnets)<\/li>\n
- Ability to configure route tables between subnets<\/li>\n
- Ability to configure Internet gateways and attach them to subnets<\/li>\n
- Ability to create a layered network of resources<\/li>\n
- Extending our network with VPN\/VPG controlled access<\/li>\n
- Ability to use security groups and subnet network ACLs<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/VPC1.jpg\")
<\/p>\nVPC Scenarios:<\/p>\n
- \n
- VPC with public subnet only: Single-tier apps<\/li>\n
- VPC with public and private subnets: Resources that don’t need public Internet access\/layered apps<\/li>\n
- VPC with public and private subnets and hardware-connected VPN: Extending to on-premises<\/li>\n
- VPC with a private subnet only and hardware VPN access<\/li>\n<\/ul>\n
<\/p>\n
VPC Routing:<\/p>\n
- \n
- Every VPC has a virtual routing device called the VPC router.<\/li>\n
- It has an interface in any VPC subnet known as the “subnet+1” address \u2014 for 10.0.1.0\/24, this would be 10.0.1.1\/32.<\/li>\n
- The router is highly available, scalable, and controls data entering and leaving the VPC and its subnets.<\/li>\n
- Each VPC has a “main” route table, which is allocated to all subnets in the VPC by default. A subnet must have one route table.<\/li>\n
- Additional “custom” route tables can be created and associated with subnets \u2014 but only one<\/strong> route table (RT) per subnet.<\/li>\n
- A route table controls what the VPC router does with traffic leaving a subnet.<\/li>\n
- An Internet gateway is created and attached to a VPC (1:1). It can route traffic for public IPs to and from the Internet.<\/li>\n<\/ul>\n
Routes:<\/p>\n
- \n
- A RT is a collection of routes that are used when traffic from a subnet arrives at the VPC router.<\/li>\n
- Every route table has a local route, which matches the CIDR of the VPC and lets traffic be routed between subnets.<\/li>\n
- A route contains a destination and a target. Traffic is forwarded to the target if its destination matches the route destination.<\/li>\n
- If multiple routes apply, the most specific is chosen. A \/32 is chosen before a \/24, before a \/16.<\/li>\n
- Default routes (0.0.0.0\/0 v4 and ::\/0 v6) can be added that match any traffic not already matched.<\/li>\n
- Targets can be IPs or AWS networking gateways\/objects<\/li>\n
- A subnet is a public subnet if it is\n
- \n
- (1) configured to allocate public IPs,<\/li>\n
- (2) if the VPC has an associated Internet gateway, and<\/li>\n
- (3) if that subnet has a default route to that Internet gateway.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/VPCrounting.jpg\")
<\/p>\n<\/p>\n
VPC peering allows you to set up direct network routing between different VPCs using private IP addresses.<\/p>\n
- \n
- Instances will communicate with each other as if they were on the same private network.<\/li>\n
- VPC peering can occur between different AWS accounts as well as VPCs in other regions using Inter-Region VPC Peering.<\/li>\n
- All inter-region traffic is encrypted.<\/li>\n
- Traffic remains on the global AWS backbone.<\/li>\n<\/ul>\n
Scenarios:<\/p>\n
- \n
- Peering two VPCs: Company runs multiple AWS accounts and you need to link all the resources as if they were all under one private network<\/li>\n
- Peering to a VPC: Multiple VPCs connect to a central VPC, but they can only communicate with the central VPC (file sharing, customer access, Active Directory) and not each other.<\/li>\n<\/ul>\n
Limitations:<\/p>\n
- \n
- Can’t peer VPC with matching or overlapping CIDR blocks<\/li>\n
- VPC peering connections are 1:1 between VPCs \u2014 transitive peering is not supported (see Transit Gateway)<\/li>\n
- One peering connection between the same two VPCs<\/li>\n
- Tags applied to the peering connection are only applied in the account and region in which you create them<\/li>\n
- Security groups can’t reference peer VPC security groups across regions<\/li>\n
- IPv6 across regions is not supported<\/li>\n
- DNS resolution for private hostnames must be enabled manually. If in different accounts, must be enabled in both accounts<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/VPC2.jpg\")
<\/p>\n<\/p>\n
VPC Flow Logs allows you to capture metadata about IP traffic going in and out of your network interfaces.<\/p>\n
- \n
- Data is stored in CloudWatch Logs;\u00a0 Each network interface has a unique log stream<\/li>\n
- Can be created for a VPC, subnet, or network interface; When choosing VPC, each network interface and subnet in that VPC is monitored<\/li>\n
- Flow log records consist of fields describing the traffic for that network interface<\/li>\n
- For security reasons, EC2 instances can’t receive or sniff traffic destined for a different instance<\/li>\n
- Delay of several minutes \u2014 flow logs do not capture real-time log streams<\/li>\n
- Ability to create multiple flow logs per interface (e.g., accepted vs. rejected traffic)<\/li>\n
- Launching new EC2 instances after creating flow logs will automatically create logs for each new network interface<\/li>\n
- Create flow logs for network interfaces created by other AWS services: Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon WorkSpaces<\/li>\n<\/ul>\n
Flow Log Record Syntax:<\/p>\n
- \n
- version<\/li>\n
- account-id<\/li>\n
- interface-id<\/li>\n
- srcaddr<\/li>\n
- dstaddr<\/li>\n
- srcport<\/li>\n
- dstport<\/li>\n
- protocol<\/li>\n
- packets<\/li>\n
- bytes<\/li>\n
- start<\/li>\n
- end<\/li>\n
- action<\/li>\n
- log-status<\/li>\n<\/ul>\n
What’s NOT Logged:<\/p>\n
- \n
- Amazon DNS server traffic<\/li>\n
- Amazon Windows license activation<\/li>\n
- Instance metadata to\/from 169.254.169.254<\/li>\n
- Amazon Time Sync to\/from 169.254.169.123<\/li>\n
- DHCP traffic<\/li>\n
- Traffic to\/from the default VPC router reserved IP address<\/li>\n
- Traffic between an endpoint network interface and a Network Load Balancer network interface<\/li>\n<\/ul>\n
<\/p>\n
Bastion Hosts (or Jumpboxes):<\/p>\n
- \n
- A host that sits at the perimeter of a VPC<\/li>\n
- It functions as an entry point to the VPC for trusted admins.<\/li>\n
- Allows for updates or configuration tweaks remotely while allowing the VPC to stay private and protected<\/li>\n
- Generally connected to via SSH (Linux) or RDP (Windows)<\/li>\n
- Bastion hosts must be kept updated, and security hardened and audited regularly<\/li>\n
- Multifactor authentication, ID federation, and\/or IP blocks.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/BastionHost-1.jpg\")
<\/p>\n<\/p>\n
Network Access Control Lists (NACLs):<\/p>\n
- \n
- NACLs operate at Layer 4<\/strong> of the OSI model (TCP\/UDP and below).<\/li>\n
- A subnet has to be associated with a NACL \u2014 either the VPC default or a custom NACL.<\/li>\n
- NACLs only impact traffic crossing the boundary of a subnet.<\/li>\n
- NACLs are collections of rules that can explicitly allow or deny traffic based on its protocol, port range, and source\/destination.<\/li>\n
- Rules are processed in number order, lowest first<\/strong>. When a match is found, that action is taken and processing stops.<\/li>\n
- The “*” rule is processed last and is an implicit deny<\/strong>.<\/li>\n
- NACLs have two sets of rules: inbound and outbound.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NACL2.jpg\")
<\/p>\nEphemeral Ports:<\/span><\/p>\n
- \n
- When a client initiates communications with a server, it is to a well-known port number (e.g., tcp\/443) on that server.<\/li>\n
- The response is from that well-known port to an ephemeral port on the client. The client decides the port.<\/li>\n
- NACLs are stateless, they have to consider both initiating and response traffic \u2014 state is a session-layer concept.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/NACL.jpg\")
<\/p>\n<\/p>\n
VPC Peering<\/span>:<\/p>\n
- \n
- Allows direct communication between VPCs.<\/li>\n
- Services can communicate using private IPs from VPC to VPC.<\/li>\n
- VPC peers can span AWS accounts<\/strong> and even regions<\/strong> (with some limitations).<\/li>\n
- Data is encrypted<\/strong> and transits via the AWS global backbone.<\/li>\n
- VPC peers are used to link two VPCs at layer 3: company mergers, shared services, company and vendor, auditing.<\/li>\n<\/ul>\n
Important Limits and Considerations:<\/p>\n
- \n
- VPC CIDR blocks cannot over lap<\/strong>.<\/li>\n
- VPC peers connect two VPCs<\/strong> \u2014 routing is not transitive<\/strong>.<\/li>\n
- Routes are required at both sides (remote CIDR -> peer connection).<\/li>\n
- NACLs and SGs can be used to control access.<\/li>\n
- SGs can be referenced but not cross-region.<\/li>\n
- IPv6<\/strong> support is not available cross-region<\/strong>.<\/li>\n
- DNS resolution to private IPs can be enabled, but it’s a setting needed at both sides.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/VPCPeering.jpg\")
<\/p>\n<\/p>\n
VPC endpoints<\/span> are gateway objects created within a VPC. They can be used to connect to AWS public services without the need for the VPC to have an attached Internet gateway and be public.<\/p>\n
VPC Endpoint Types:<\/p>\n
- \n
- Gateway endpoints: Can be used for DynamoDB and S3<\/li>\n
- Interface endpoints: Can be used for everything else (e.g., SNS, SQS)<\/li>\n<\/ul>\n
When to Use a VPC Endpoint:<\/p>\n
- \n
- If the entire VPC is private with no IGW<\/li>\n
- If a specific instance has no public IP\/NATGW and needs to access public services<\/li>\n
- To access resources restricted to specific VPCs or endpoints (private S3 bucket)<\/li>\n<\/ul>\n
Limitations and Considerations:<\/p>\n
- \n
- Gateway endpoints are used via route table entries \u2014 they are gateway devices. Prefix lists for a service are used in the destination field with the gateway as the target.<\/li>\n
- Gateway endpoints can be restricted via policies.<\/li>\n
- Gateway endpoints are HA across AZs in a region.<\/li>\n
- Interface endpoints are interfaces in a specific subnet. For HA, you need to add multiple interfaces \u2014 one per AZ.<\/li>\n
- Interface endpoints are controlled via SGs on that interface. NACLs also impact traffic.<\/li>\n
- Interface endpoints add or replace the DNS for the service \u2014 no route table updates are required.<\/li>\n
- Code changes to use the endpoint DNS, or enable private DNS to override the default service DNS.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/EndPoint.jpg\")
<\/p>\n<\/p>\n
IP version 6<\/span> (IPv6) is supported within AWS but not across every product and not with every feature.<\/p>\n
IPv6 VPC Setup:<\/p>\n
- \n
- It is currently opt-in<\/strong> \u2014 it is disabled<\/strong> by default.<\/li>\n
- To use it, the first step is to request an IPv6 allocation. Each VPC is allocated a \/56<\/strong> CIDR from the AWS pool \u2014 this cannot be adjusted<\/strong>.<\/li>\n
- With the VPC IPv6 range allocated, subnets can be allocated a \/64<\/strong> CIDR from within the \/56<\/strong> range.<\/li>\n
- Resources launched into a subnet with an IPv6 range can be allocated a IPv6 address via DHCP6.<\/li>\n<\/ul>\n
Limitations and Considerations:<\/p>\n
- \n
- DNS names are not allocated to IPv6 addresses.<\/li>\n
- IPv6 addresses are all publicly routable \u2014 there is no concept of private vs. public with IPv6 (unlike IPv4 addresses).<\/li>\n
- With IPv6, the OS is configured with this public address via DHCP6.<\/li>\n
- Elastic IPs aren’t relevant with IPv6.<\/li>\n
- Not currently supported for VPNs, customer gateways, and VPC endpoints.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/VPCIPv6.jpg\")
<\/p>\n<\/p>\n
Egress-only Internet gateways<\/span> provide IPv6 instances with outgoing access to the public Internet using IPv6 but prevent the instances from being accessed from the Internet.<\/p>\n
NAT isn’t required with IPv6, and so NATGW’s aren’t compatible with IPv6. Egress-only gateways provide the outgoing-only access of a NATGW but do so without adjusting any IP addresses.<\/p>\n
Architecturally, they are otherwise the same as an IGW.<\/p>\n
![\"\"](\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/EgresIGW.jpg\")
<\/p>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
What Is a Virtual Private Cloud? A VPC resembles private data centers or corporate networks Scalable infrastructure Ability to extend corporate\/home network to the cloud as if it were part of your network<\/p>\n","protected":false},"author":1,"featured_media":2738,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[78],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2736"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=2736"}],"version-history":[{"count":16,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2736\/revisions"}],"predecessor-version":[{"id":3338,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2736\/revisions\/3338"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media\/2738"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=2736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=2736"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=2736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- To use it, the first step is to request an IPv6 allocation. Each VPC is allocated a \/56<\/strong> CIDR from the AWS pool \u2014 this cannot be adjusted<\/strong>.<\/li>\n
- It is currently opt-in<\/strong> \u2014 it is disabled<\/strong> by default.<\/li>\n
- VPC peers connect two VPCs<\/strong> \u2014 routing is not transitive<\/strong>.<\/li>\n
- Data is encrypted<\/strong> and transits via the AWS global backbone.<\/li>\n
- NACLs operate at Layer 4<\/strong> of the OSI model (TCP\/UDP and below).<\/li>\n
- A \/20<\/strong> public subnet in each AZ, allocating a public IP by default<\/li>\n