Virtual Private Cloud (VPC)

Default VPC Walkthrough

• All new AWS accounts have a default VPC
• New EC2 instances are launched into the default VPC of no subnet is specified
• Default VPC has Internet connectivity and all EC2 instances inside it have public IPv4 addresses
• We also get a public and a private IPv4 DNS names

  VPC in AWS - IPv4

• VPC = Virtual Private Cloud
• You can have multiple VPCs in an AWS region (max. 5 per region - soft limit)
• Max. CIDR per VPC is 5, for each CIDR
  • Min. size is /28 (16 addresses)
  • Max. size is /16 (65536 IP addresses)
• Because VPC is private, only the Private IPv4 tanges are allowed
  • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
• Your VPC CIDR should NOT overlap with your other networks (e.g corporate)

  VPC – Subnet (IPv4)

• AWS reserves 5 IP addresses (first 4 & last 1) in each subnet
• These 5 IP addresses are not available for use and can’t be assigned to an EC2 instance
• Example; if CIDR block 10.0.0.0/24 then reserved IP addresses are:
  • 10.0.0.0 - Network Address
  • 10.0.0.1 - reserved by AWS for the VPC router
  • 10.0.0.2 - reserved by AWS for mapping to mazon-provided DNS
  • 10.0.0.3 - reserved by AWS for future use
  • 10.0.0.255 - Network Broadcast Addressm AWS does not support broadcast in a VPC therefore the address is reserved
• Exam tip: if you need 29 IP addresses for EC2 instances:
  • You can’t choose a subnet of size /27 (32 IP addresses, 32-5 = 27 < 29)
  • you need to choose a subnet of size /26 (64 IP address, 64 - 5 = 59 > 29)

    Internet Gateway (IGW)

• Allows resources (e.g EC2 instances) in a VPC connect to the Internet
• It scales horizontally and is highly available and redudant
• Must be created separately from a VPC
• One VPC can only be attached to one IGW and vice versa
• Internet Gateways on their own do not allow Internet access…
• Route tables must also be edited!

  State of Hands-on

  Adding Subnets

  Adding Internet Gateway

  Editing Route Tables

  

  Bastion Hosts

• We can use a Bastion Host to SSH into our private EC2 instances
• The bastion is in the public subnet which is then connected to all other private subnets
• Basion Host security group must be tighened
• Exam Tip: Makesure the bastion host only has port 22 traffic from the IP address you need not from the security groups of your other EC2 instances

  NAT Instance (outdated, but still at the exam)

• NAT = Network Address Translation
• Allows EC2 instances in private subnet to connect to the Internet
• Must be launched in a public subnet
• Must disable EC2 setting: Source / destination Check
• Must have Elastic IP attached to it
• Route Tables must be configured to route traffic from private subnets to the NAT instance

  NAT Instance

  

  NAT Instance – Comments

• Pre-configured Amazon Linux AMI is available
  • Reached the end of standard support on December 31, 2020
• Not highly available / resilient setup out of the box
  • You need to create an ASG in multi-AZ + resilient user-data script
• Internet traffic bandwidth depends on EC2 instance type
• You must manage Security Groups & Rules:
  • Inbound:
    • Allow HTTP / HTTPS traffic coming from Private Subnets
    • Allow SSH from your home network (access is provided through Internet Gateway)
  • Outbound:
    • Allow HTTP / HTTPS traffic to the Internet

      NAT Gateway

• AWS-managed NAT, higher bandwidth, high availability, no administration
• Pay per hour for usage and bandwidth
• NATGW is created in a specific Availability Zone, uses an Elastic IP
• Can’t be used by EC2 instance in the same subnet (only from other subnets)
• Requires an IGW (Private Subnet => NATGW => IGW)
• 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
• No Security Groups to manage / required

  NAT Gateway with High Availability

• NAT Gateway is resilient within a single Availability Zone
• Must create multiple NAT Gateways in multiple AZs for fault-teolerance
• There is no cross-AZ failover needed because if an AZ goes down it doesn’t need NAT

  NAT Gateway vs. NAT Instance

  

  DNS Resolution in VPC

• DNS Resolution (enableDnsSupport)
  • Decides if DNS resolution from Route 53 Resolver server is supported for the VPC
  • True (default): it queries the Amazon Provider DNS Server at 169.254.169.253 or the reserved IP address at the base of the VPC Ipv4 network range plus two

    DNS Resolution in VPC

• DNS Hostnames (enableDnsHostnames)
  • By default
    • True => default VPC
    • False => newly created VPCs
  • Won’t do anything unless enableDnsSupport=true
  • If True, assigns public hostname to EC2 instance if it has a public IPv4

    DNS Resolution in VPC

• If you use custom DNS domain names in a Private Hosted Zone in Route 53, you must set both these attributes (enableDnsSupport & enableDnsHostname) to true

  Security Groups & NACLs

  Incoming Request

  

  Outgoing Request

  

  Network Access Control List (NACL)

• NACL are like a firewall which control traffic from and to subnet
• One NACL per subnet, new subnets are assigned the Default NACL
• You define NACL Rules:
  • Rules have a number (1-32766), higher precedence with a lower number
  • First rule match will drive the decision
  • Example: if you define #100 ALLOW 10.0.0.10/32 and #200 DENY 10.0.0.10/32, the IP address will be allowed because 100 has a higher precedence over 200
  • The last rule is an asterisk (*) and denies a request in case of no rule match
  • AWS recommends adding rules by increment of 100
• Newly created NACLs will deny everything
• NACL are a great way of blocking a specific IP address at the subnet level

  NACLs

  

• default NACLs
  • Accepts everything inbound/outbound with the subnets it’s associated with
  • Do NOT modify the Default NACL, instead create custom NACLs

    Ephemeral Ports

• For any two endpoints to establish a connection, they must use ports
• Clients connect to a defined port, and expect a response on an ephemeral port
• Different Operating Systems use different port ranges, examples:
  • IANA & MS Windows 10 -> 49152 - 65535
  • Many Linux Kernels -> 32768 - 60999

    NACL with Ephemeral Ports

    

    Create NACL rules for each target subnets CIDR

    

    Security Group vs. NACLs

    

    VPC – Reachability Analyzer

• A network diagnostics tool that troubleshoots network connectivity between two endpoints in your VPC(s)
• It builds a model of the network configuration, then checks the reachability based on these configurations (it doesn’t send packets)
• When the destination is
  • Reachable - It proceduces hop by hop details of the virtual network path
  • Not reachable - It identifies the blocking components
• Use cases: troubleshoot connectivity issues, ensure network configuration is as intended…

  VPC Peering

• Privately connect two VPCs using AWS network
• Make them behave as if they were in the same network
• Must not have overlapping CIDRs
• VPC Peering connection is NOT transitive (must be established for each VPC that need to communicate with one another)
• You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other

  VPC Peering – Good to know

• You can create VPC Peering connection between VPCs in different AWS accounts/regions
• You can reference a security group in a peered VPC (works cross – same region)

  VPC Peering

  

  VPC Endpoints

  

  VPC Endpoints (AWS PrivateLink)

• Every AWS service is publicly exposed (public URL)
• VPC Endpoints (powered by AWS PrivateLink) allows you to connect to AWS services using a private network instead of using the public Internet
• They’re redudant and scale horizontally
• They remove the need of IGW, NATGW,… to access AWS Services
• In case of issues
  • Check DNS Setting Resolution in your VPC
  • Check Route Tables

    Types of Endpoints

• Interface Endpoints
  • Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
  • Supports most AWS services
• Gateway endpoints
  • Provisions a gateway and must be used as a target in a route table
  • Supports both S3 and DynamoDB

    VPC Flow Logs

• Capture information about IP traffic going into your interfaces:
  • VPC Flow Logs
  • Subnet Flow Logs
  • Elastic Network Interface (ENI) FLow Logs
• Helps To monitor & troubleshoot connectivity issues
• Flow logs data can go to S3 / CLoudWatch Logs
• Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift, Workspaces, NATGW, Transit Gateway…

  VPC Flow Logs

  

  VPC Flow Logs Syntax

  

• srcaddr & dstaddr: help identify problematic IP
• srcport & dstport: help identify problematic ports
• Action: success or failure of the request due to security group / NACL
• Can be used for analytics on usage patterns, or malicious behavior
• Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights
• Flow Logs examples: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html

  VPC Flow Logs – Troubleshoot SG & NACL issues

• Incoming Requests
  • Inbound REJECT => NACL or SG
  • Inbound ACCEPT, Outbound REJECT => NACL
• Outgoing Requests
  • Outbound REJECT => NACL or SG
  • Outbound ACCEPT, Inbound REJECT => NACL

    AWS Site-to-Site VPN

    

    AWS Site-to-Site VPN

• Virtual Private Gateway (VGW)
  • VPN concentrator on the AWS side of the VPN connection
  • VGW is created and attached to the VPC from which you want to create the Site-to-site VPN connection
  • Possibility to customize the ASN (Autonomous System Number)
• Customer Gateway (CGW)
  • Software application or physical device on customer side of the VPN connection
  • https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html

    Site-to-site VPN connections

• Customer Gateway Device (On-premises)
  • What IP address to use?
    • Public Internet routable IP address for your customer gateway device
    • If it’s behind a NAt device that’s enabled for NAT traversal (NAT-T), use the public IP address of the NAT device
• Important step: enable Route Propagation for the virtual private gateway in the route table that is associated with your subnets
• If you need to ping your EC2 instances from on-premise, make sure you ad the ICMP protocol on the inbound of your security groups

  AWS VPN CloudHub

• Provide secure communication between multiple sites, if you have multiple VPN connections
• Low cost hub and spoke model for primary or secondary network connectivity between diffrent locations (VPN only)
• It’s a VPN connection so it goes over the public internet
• To set it up, connect multiple VPN connections on the sam VGW, setup dynamic routing and configure route tables

  Direct Connect (DX)

• Provides a dedicated private connection from a remote network to your VPC
• Dedicated connection must be setup between your DC and AWS Direct Connect locations
• You need to setup a Virtual Private Gateway on your VPC
• Access Public resources (S3) and private (EC2) on same connection
• Use Cases:
  • Increase bandwidth thoughtput - working with large data sets - lower cost
  • More consistent network experience - application using real-time data feeds
  • Hybrid environments (on-prem + cloud)
• Supports both IPv4 and IPv6

  Direct Connect Diagram

  

  Direct Connect Gateway

• If you want to setup a Direct Connect to one or more VPC in many different regions (same account), you must use a Direct Connect Gateway

  Direct Connect – Connection Types

• Dedicated Connections: 1Gbps and 10 Gps capacity
  • Physical ethernet port dedicated to a customer
  • Request made to AWS first, then completed by AWS Direct Connect Partners
• Hosted Connection: 50Mbs, 500 Mbps, to 10 Gbps
• Connection requests are made via AWS Direct Connect Partners
• Capacity can be added or removed on demand
• 1, , 5, 10 Gbps available at select AWS Direct Connect Partners
• Lead times are often longer than 1 month to establish a new connection

  Direct Connect – Encryption

• Data in transit is not encrypted but is private
• AWS Direct Connect + VPN provides an IPsec-encrypted private connection
• Good for an extra level of security, but slightly more complex to put in place

  Direct Connect - Resiliency

• High Resiliency for Critical Workloads
• Maximum Resiliency for Critical Workloads

  Exposing services in your VPC to other VPC

• Option 1: make it public
  • Goes through the public www
  • Tough to manage access
• Option 2: VPC peering
  • Must create many perring relations
  • Open the whole network

    AWS PrivateLink (VPC Endpoint Services)

• Most secure & scalable way to expose a service to 1000s of VPC (own or other accounts)
• Does not require VPC peering, internet gateway, NAT, route tables…
• Requires a network load balancer (Service VPC) and ENI (Customer VPC) or GWLB
• If the NLB is in multiple AZ, and the ENIs in multiple AZ, the solution is fault tolerant!

  AWS Private Link & ECS

  

  EC2-Classic & AWS ClassicLink (deprecated)

• EC2-Classic: instances run in a single network shared with other customers
• AmazonVPC: your instances run logically isolated to your AWS account
• ClassicLink allows you to link EC2-Classic instances to a VPC in your account
  • Must associate a security group
  • ENables communication using privte Upv3 addressess
  • Removes the need to make use of public IPv4 addressess or Elastic IP addresses
• Likely to be distractors at the exam

  Network topologies can become complicated

  

  Transit Gateway

• For having transitive peering between thousands of VPC and on-premise, hub and spoke (star) connection
• Regional resource, can work cross region
• Share cross-account using Resource Access Manager (RAM)
• You can peer Transit Gateway across regions
• Route Tables: limit which VPC can talk with other VPC
• Works with ** Direct Connect Gateway, VPn connections**
• Supports Ip Multicast (not suppoerted by any other AWS service)

  Transit Gateway: Site-to-Site VPN ECMP

• ECMP = Equal - cost multi path routing
• Routing strategy to allow to forward a packet over multiple best path
• Use case: create multiple Site to site VPN connections to increase the bandwidth of your connection to AWS

  Transit Gateway: throughput with ECMP

  

  Transit Gateway – Share Direct Connect between multiple accounts