[Modified / Added] VPC doc
This commit is contained in:
kananinirav
@@ -16,6 +16,7 @@
|
|||||||
- [Global Infrastructure](sections/global_infrastructure.md)
|
- [Global Infrastructure](sections/global_infrastructure.md)
|
||||||
- [Cloud Integration](sections/cloud_integration.md)
|
- [Cloud Integration](sections/cloud_integration.md)
|
||||||
- [Cloud Monitoring](sections/cloud_monitoring.md)
|
- [Cloud Monitoring](sections/cloud_monitoring.md)
|
||||||
|
- [VPC](sections/vpc.md)
|
||||||
|
|
||||||
### Contributors
|
### Contributors
|
||||||
|
|
||||||
|
|||||||
113
sections/vpc.md
Normal file
113
sections/vpc.md
Normal file
@@ -0,0 +1,113 @@
|
|||||||
|
# VPC
|
||||||
|
|
||||||
|
- [VPC](#vpc)
|
||||||
|
- [VPC & Subnets Primer](#vpc--subnets-primer)
|
||||||
|
- [Internet Gateway & NAT Gateways](#internet-gateway--nat-gateways)
|
||||||
|
- [Network ACL & Security Groups](#network-acl--security-groups)
|
||||||
|
- [Network ACLs vs Security Groups](#network-acls-vs-security-groups)
|
||||||
|
- [VPC Flow Logs](#vpc-flow-logs)
|
||||||
|
- [VPC Peering](#vpc-peering)
|
||||||
|
- [VPC Endpoints](#vpc-endpoints)
|
||||||
|
- [Site to Site VPN & Direct Connect](#site-to-site-vpn--direct-connect)
|
||||||
|
- [Transit Gateway](#transit-gateway)
|
||||||
|
- [VPC Summary](#vpc-summary)
|
||||||
|
|
||||||
|
## VPC & Subnets Primer
|
||||||
|
|
||||||
|
- VPC -Virtual Private Cloud: private network to deploy your resources (regional resource)
|
||||||
|
- Subnets allow you to partition your network inside your VPC (Availability Zone resource)
|
||||||
|
- A public subnet is a subnet that is accessible from the internet
|
||||||
|
- A private subnet is a subnet that is not accessible from the internet
|
||||||
|
- To define access to the internet and between subnets, we use Route Tables.
|
||||||
|
|
||||||
|
## Internet Gateway & NAT Gateways
|
||||||
|
|
||||||
|
- Internet Gateways helps our VPC instances connect with the internet
|
||||||
|
- Public Subnets have a route to the internet gateway.
|
||||||
|
- NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private
|
||||||
|
|
||||||
|
## Network ACL & Security Groups
|
||||||
|
|
||||||
|
- NACL (Network ACL)
|
||||||
|
- A firewall which controls traffic from and to subnet
|
||||||
|
- Can have ALLOW and DENY rules
|
||||||
|
- Are attached at the Subnet level
|
||||||
|
- Rules only include IP addresses
|
||||||
|
- Security Groups
|
||||||
|
- A firewall that controls traffic to and from an ENI / an EC2 Instance
|
||||||
|
- Can have only ALLOW rules
|
||||||
|
- Rules include IP addresses and other security groups
|
||||||
|
|
||||||
|
### Network ACLs vs Security Groups
|
||||||
|
|
||||||
|
| Security Group | Network ACL |
|
||||||
|
| ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
|
| Operates at the instance level | Operates at the subnet level |
|
||||||
|
| Supports allow rules only | Supports allow rules and deny rules |
|
||||||
|
| Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules |
|
||||||
|
| We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic |
|
||||||
|
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group) |
|
||||||
|
|
||||||
|
<https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html>
|
||||||
|
|
||||||
|
## VPC Flow Logs
|
||||||
|
|
||||||
|
- Capture information about IP traffic going into your interfaces:
|
||||||
|
- VPC Flow Logs
|
||||||
|
- Subnet Flow Logs
|
||||||
|
- Elastic Network Interface Flow Logs
|
||||||
|
- Helps to monitor & troubleshoot connectivity issues. Example:
|
||||||
|
- Subnets to internet
|
||||||
|
- Subnets to subnets
|
||||||
|
- Internet to subnets
|
||||||
|
- Captures network information from AWS managed interfaces too: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc…
|
||||||
|
- VPC Flow logs data can go to S3 / CloudWatch Logs
|
||||||
|
|
||||||
|
## VPC Peering
|
||||||
|
|
||||||
|
- Connect two VPC, privately using AWS’ network
|
||||||
|
- Make them behave as if they were in the same network
|
||||||
|
- Must not have overlapping CIDR (IP address range)
|
||||||
|
- VPC Peering connection is not transitive (must be established for each VPC that need to communicate with one another)
|
||||||
|
|
||||||
|
## VPC Endpoints
|
||||||
|
|
||||||
|
- Endpoints allow you to connect to AWS Services using a private network instead of the public www network
|
||||||
|
- This gives you enhanced security and lower latency to access AWS services
|
||||||
|
- VPC Endpoint Gateway: S3 & DynamoDB
|
||||||
|
- VPC Endpoint Interface: the rest
|
||||||
|
|
||||||
|
## Site to Site VPN & Direct Connect
|
||||||
|
|
||||||
|
- Site to Site VPN
|
||||||
|
- Connect an on-premises VPN to AWS
|
||||||
|
- The connection is automatically encrypted
|
||||||
|
- Goes over the public internet
|
||||||
|
- On-premises: must use a Customer Gateway (CGW)
|
||||||
|
- AWS: must use a Virtual Private Gateway (VGW)
|
||||||
|
- Direct Connect (DX)
|
||||||
|
- Establish a physical connection between on-premises and AWS
|
||||||
|
- The connection is private, secure and fast
|
||||||
|
- Goes over a private network
|
||||||
|
- Takes at least a month to establish
|
||||||
|
|
||||||
|
## Transit Gateway
|
||||||
|
|
||||||
|
- For having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection
|
||||||
|
- One single Gateway to provide this functionality
|
||||||
|
- Works with Direct Connect Gateway, VPN connections
|
||||||
|
|
||||||
|
## VPC Summary
|
||||||
|
|
||||||
|
- VPC: Virtual Private Cloud
|
||||||
|
- Subnets:Tied to an AZ, network partition of the VPC
|
||||||
|
- Internet Gateway: at the VPC level, provide Internet Access
|
||||||
|
- NAT Gateway / Instances: give internet access to private subnets
|
||||||
|
- NACL: Stateless, subnet rules for inbound and outbound
|
||||||
|
- Security Groups: Stateful, operate at the EC2 instance level or ENI
|
||||||
|
- VPC Peering: Connect two VPC with non overlapping IP ranges, nontransitive
|
||||||
|
- VPC Endpoints: Provide private access to AWS Services within VPC
|
||||||
|
- VPC Flow Logs: network traffic logs
|
||||||
|
- Site to Site VPN: VPN over public internet between on-premises DC and AWS
|
||||||
|
- Direct Connect: direct private connection to AWS
|
||||||
|
- Transit Gateway: Connect thousands of VPC and on-premises networks together
|
||||||
Reference in New Issue
Block a user