VPC (*****) Overview (Architect, Developer and Sysop)
Think of a VPC as a virtual data center in the cloud.
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
What can you do with a VPC?
- Launch instances into a subnet of your choosing
- Assign custom IP address ranges in each subnet
- Configure route tables between subnets
- Create an internet gateway and attach it to your VPC
- Much better security control over your AWS resources
- Instance security groups
- Subnet network access control lists (ACLs)
Default VPC vs. Custom VPC
- Default VPC is user friendly, allowing you to immediately deploy instances.
- All subnets in the default VPC have a route out to the internet
- Each EC2 instance has both a public and private IP address
- VPC peering allows you to connect one VPC with another via a direct network route using private IP addresses
- Instances behave as if they were on the same private network
- You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
- Peering is in a star configuration, i.e. 1 central VPC peers with 4 others. NO TRANSITIVE PEERING!!!
Exam Tips
- Think of a VPC as a logical datacenter in AWS.
- Consists of IGWs (or Virtual Private Gateways), Route Tables, Network Access Control Lists, Subnets, and Security Groups
- 1 Subnet = 1 Availability Zone
- Security Groups are Stateful; Network Access Control Lists are Stateless
- NO TRANSITIVE PEERING
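A small Python model of the route-table lookup and peering rules in these tips, added here as an example (not from the original notes); the VPC ids, CIDRs and peering connection ids are constructed. It shows why a route that points at a peering connection cannot carry traffic on to the peer's other peers.

```python
import ipaddress

# Constructed topology (not from the notes): vpc-a is the hub, peered with vpc-b and vpc-c in a star.
VPC_CIDRS = {
    "vpc-a": ipaddress.ip_network("10.0.0.0/16"),
    "vpc-b": ipaddress.ip_network("10.1.0.0/16"),
    "vpc-c": ipaddress.ip_network("10.2.0.0/16"),
}
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-ac": ("vpc-a", "vpc-c")}
# One route table per VPC as (destination CIDR, target). vpc-b's owner has tried to
# reach vpc-c "through" vpc-a by pointing 10.2.0.0/16 at pcx-ab.
ROUTE_TABLES = {
    "vpc-a": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab"),
              ("10.2.0.0/16", "pcx-ac"), ("0.0.0.0/0", "igw-a")],
    "vpc-b": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"),
              ("10.2.0.0/16", "pcx-ab")],
    "vpc-c": [("10.2.0.0/16", "local"), ("10.0.0.0/16", "pcx-ac")],
}


def lookup_route(vpc, dst):
    """Longest-prefix match over the VPC's route table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[vpc]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def can_reach(src_vpc, dst):
    """Return (reachable, reason) for a packet leaving src_vpc towards dst."""
    target = lookup_route(src_vpc, dst)
    dst_ip = ipaddress.ip_address(dst)
    if target is None:
        return False, "no route"
    if target == "local":
        return dst_ip in VPC_CIDRS[src_vpc], "local route"
    if target.startswith("igw-"):
        # The internet gateway only helps for publicly routable destinations.
        return dst_ip.is_global, "internet gateway"
    if target.startswith("pcx-"):
        a, b = PEERINGS[target]
        peer = b if a == src_vpc else a
        # A peering connection delivers only into the peer's own CIDR (no transitive peering).
        if dst_ip in VPC_CIDRS[peer]:
            return True, f"peered with {peer}"
        return False, f"{target} reaches only {VPC_CIDRS[peer]}"
    return False, f"unknown target {target}"
```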
===================================
Automatically created Route Tables, Network ACLs and Security Groups
Create 1st Subnet - 10.0.2.0-us-east-1a
VPCs and Subnet - http://docs.aws.amazon.com/ko_kr/AmazonVPC/latest/UserGuide/VPC_Subnets.html
Create 2nd Subnet - 10.0.2.0-us-east-1b
* Internet Gateway
Create Internet Gateway - Attach the VPC
1 VPC can be assigned to 1 Internet Gateway (*****)
* Route Table
Create new route table with the VPC
-> Navigate to Routes tab in Route Table -> Edit -> Add another route 0.0.0.0/0 - Target = above internet gateway -> Save
Add another route ::/0 - Target = above gateway - Save
-> Navigate to Subnet Associations tab -> Edit -> select first one as main
Go to Subnets - Set Auto-assign Public IP to Yes for first one
-> Subnet Actions -> Modify auto-assign IP settings -> Check Enable auto-assign public IPv4 address
* Create New EC2 Instance
Select the VPC for Network, select Subnet (first one)
Create 2nd EC2 instance - Select the VPC for Network, select Subnet (2nd one)
1st Instance has public IP address
2nd Instance has no public IP address
* Open a Terminal
1178578-C02NW6G1G3QD:AWS_SSH changsoopark$ ssh ec2-user@34.228.40.70 -i EC2KeyPair.pem.txt
The authenticity of host '34.228.40.70 (34.228.40.70)' can't be established.
ECDSA key fingerprint is SHA256:CNhUvY2BVwpZrGXQOE/SWocZS17IKYP8xKWKApE6P9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.228.40.70' (ECDSA) to the list of known hosts.
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2017.09-release-notes/
[ec2-user@ip-10-0-1-232 ~]$ sudo su
[root@ip-10-0-1-232 ec2-user]# yum update -y
=========================================================
Network Address Translation (NAT)
http://docs.aws.amazon.com/ko_kr/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Exam Tips - NAT instances
- When creating a NAT instance, Disable Source/Destination Check on the Instance
- NAT instances must be in a public subnet
- There must be a route out of the private subnet to the NAT instance, in order for this to work.
- The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size.
- You can create high availability using Autoscaling Groups, multiple subnets in different AZs, and a script to automate failover
- Behind a security group
Exam Tips - NAT Gateways
- Preferred by the enterprise
- Scale automatically up to 10Gbps
- No need to patch
- Not associated with security groups
- Automatically assigned a public IP address
- Remember to update your route tables
- No need to disable Source/Destination Checks
- More secure than a NAT instance
=========================================
Network Access Control Lists vs. Security Groups
- Network ACLs can block a specific IP address (security groups cannot)
- Ephemeral ports: because network ACLs are stateless, return traffic to a client's ephemeral port must be explicitly allowed by the outbound rules
Exam Tips - Network ACLs
- Your VPC automatically comes with a default network ACL, and by default it allows all outbound and inbound traffic
- You can create custom network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules
- Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed
- Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.
- Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic
- Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
- Block IP addresses using network ACLs, not security groups
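To make the stateless evaluation and the ephemeral-port point concrete, here is an added Python model of a network ACL (example code, not from the original notes); the rule numbers, CIDRs and ports are constructed. It walks the SSH session from the lab above through the inbound and outbound rules, with and without an outbound ephemeral-port rule, and shows a low-numbered deny blocking one specific host.

```python
import ipaddress

# A network ACL is a numbered list of rules evaluated lowest number first; the
# first match decides, and the implicit final rule "*" denies everything else.
# Each rule: (number, action, protocol, remote CIDR, (port_from, port_to)).
INBOUND = [
    (90, "deny", "tcp", "203.0.113.66/32", (22, 22)),    # block one specific host
    (100, "allow", "tcp", "203.0.113.0/24", (22, 22)),   # SSH from the admin range
    (110, "allow", "tcp", "0.0.0.0/0", (443, 443)),      # HTTPS from anywhere
    (120, "allow", "tcp", "0.0.0.0/0", (1024, 65535)),   # replies to the instance's own connections
]
OUTBOUND_BROKEN = [
    (100, "allow", "tcp", "0.0.0.0/0", (443, 443)),      # instance -> HTTPS servers only
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    (110, "allow", "tcp", "0.0.0.0/0", (1024, 65535)),   # replies to clients' ephemeral ports
]


def evaluate(rules, proto, remote_ip, port):
    """Apply the rules in numeric order; first match wins, otherwise deny."""
    ip = ipaddress.ip_address(remote_ip)
    for _num, action, rproto, cidr, (lo, hi) in sorted(rules):
        if rproto == proto and ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"  # the implicit "*" rule


def ingress_session(inbound, outbound, proto, client_ip, client_port, server_port):
    """A client connects to the instance. Stateless means the request is judged
    by the inbound rules and the reply, sent to the client's ephemeral port, is
    judged independently by the outbound rules. Returns (request, reply)."""
    request = evaluate(inbound, proto, client_ip, server_port)
    reply = evaluate(outbound, proto, client_ip, client_port)
    return request, reply


def egress_session(inbound, outbound, proto, server_ip, instance_port, server_port):
    """The instance connects out (e.g. the yum update in the lab above): request
    judged by outbound rules, reply to the instance's ephemeral port by inbound."""
    request = evaluate(outbound, proto, server_ip, server_port)
    reply = evaluate(inbound, proto, server_ip, instance_port)
    return request, reply
```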
========================================
Custom VPCs and ELB
=========================================
VPC Flow Logs
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
Flow logs can be created at 3 levels:
- VPC
- Subnet
- Network interface
Create Flow Log
Create Log Group in CloudWatch - Create Flow log
VPC Flow Logs Exam Tips
- You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You cannot tag a flow log
- After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log.
Not all IP traffic is monitored:
- Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router.
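An added Python example (not from the original notes) that parses flow log records in the default version 2 format and flags sources that were repeatedly rejected on several ports; the account id, ENI id, addresses and timestamps are constructed. Because the excluded traffic listed above (instance metadata, DHCP, Amazon DNS) never appears in the log, its absence there is not evidence of anything.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real captures); account id and ENI are placeholders.
# Protocol 6 = TCP. The last record is a NODATA interval with no addresses.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.232 41022 22 6 3 180 1512000000 1512000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.232 41023 3389 6 3 180 1512000000 1512000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.232 41024 445 6 2 120 1512000000 1512000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.232 50000 22 6 20 4249 1512000000 1512000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.232 203.0.113.10 22 50000 6 18 9860 1512000000 1512000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1512000060 1512000120 - NODATA
"""


def parse_record(line):
    """Split one space-separated record into a dict; numeric fields become int
    where present ('-' stays a string, as in NODATA/SKIPDATA records)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        if rec[key] != "-":
            rec[key] = int(rec[key])
    return rec


def rejected_ports_by_source(text):
    """Map each source address to the set of destination ports it was REJECTed
    on, skipping records whose log_status is not OK (they carry no addresses)."""
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return ports


def port_scan_suspects(text, min_ports=3):
    """Sources REJECTed on at least min_ports distinct ports: a cheap signal
    that a host is probing the interface rather than mistyping one address."""
    return sorted(src for src, p in rejected_ports_by_source(text).items()
                  if len(p) >= min_ports)
```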
=================================================
NAT vs. Bastion
Exam Tips - NAT vs Bastions
- A NAT is used to provide internet traffic to EC2 instances in private subnets
- A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets. In Australia we call them jump boxes.
==================================================
VPC End Points
Create Endpoint
===================================================
VPC Clean up
===================================================
VPC Summary
NAT instances
- When creating a NAT instance, Disable Source/Destination Check on the Instance.
- NAT instances must be in a public subnet
- There must be a route out of the private subnet to the NAT instance, in order for this to work.
- The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size.
- You can create high availability using Autoscaling Groups, multiple subnets in different AZs, and a script to automate failover.
- Behind a security group
NAT Gateways
- Preferred by the enterprise
- Scale automatically up to 10Gbps
- No need to patch
- Not associated with security groups
- Automatically assigned a public IP address
- Remember to update your route tables
- No need to disable Source/Destination Checks
- More secure than a NAT instance
Network ACLs
- Your VPC automatically comes with a default network ACL, and by default it allows all outbound and inbound traffic.
- You can create custom network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed
- Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.
- Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic
- Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
- Block IP addresses using network ACLs, not security groups
ALBs
- You will need at least 2 public subnets in order to deploy an application load balancer
VPC Flow Logs Exam Tips
- You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You cannot tag a flow log.
- After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log.
Not all IP traffic is monitored:
- Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router.
=================================
VPC Quiz
- VPC stands for Virtual Private Cloud : True
- Security groups act like a firewall at the instance level whereas ______ are an additional layer of security that act at the subnet level.
: Network ACLs
- Select the incorrect statement
1. In Amazon VPC, an instance retains its private IP
2. It is possible to have private subnets in VPC
3. A subnet can be associated with multiple Access Control Lists
4. You may only have 1 internet gateway per VPC
==> Answer is 3
- How many VPCs am I allowed in each AWS Region by default? : 5
- How many internet gateways can I attach to my custom VPC? : 1