From eb4640c5962409e5b0f1f85ed44fa67ae24862cd Mon Sep 17 00:00:00 2001 From: Kanani Nirav Date: Sat, 21 Dec 2024 18:01:51 +0900 Subject: [PATCH] [Modify/Add] Add VPC Doc. --- README.md | 2 + sections/vpc.md | 144 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) create mode 100644 sections/vpc.md diff --git a/README.md b/README.md index e587c27..a30e1dc 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,8 @@ - Amazon SQS - Simple Queue Service, Amazon Kinesis, Amazon SNS, Amazon MQ - [Cloud Monitoring](./sections/cloud_monitoring.md) - Amazon CloudWatch, AWS CloudTrail, AWS X-Ray, Amazon CodeGuru, AWS Status - Service Health Dashboard, AWS Personal Health Dashboard +- [VPC](./sections/vpc.md) + - VPC & Subnets Primer, Internet Gateway & NAT Gateways, Network ACL & Security Groups, VPC Flow Logs, VPC Peering, VPC Endpoints, Site to Site VPN & Direct Connect, Transit Gateway ## Practice Exams ( dumps ) diff --git a/sections/vpc.md b/sections/vpc.md new file mode 100644 index 0000000..67f94fe --- /dev/null +++ b/sections/vpc.md 
@@ -0,0 +1,144 @@ +# VPC + +- [VPC](#vpc) + - [VPC \& Subnets Primer](#vpc--subnets-primer) + - [Internet Gateway (IGW)](#internet-gateway-igw) + - [NAT Gateway](#nat-gateway) + - [NAT Gateway vs NAT Instance](#nat-gateway-vs-nat-instance) + - [Network ACL \& Security Groups](#network-acl--security-groups) + - [Network ACLs vs Security Groups](#network-acls-vs-security-groups) + - [VPC Flow Logs](#vpc-flow-logs) + - [VPC Peering](#vpc-peering) + - [VPC Endpoints](#vpc-endpoints) + - [Site to Site VPN \& Direct Connect](#site-to-site-vpn--direct-connect) + - [Transit Gateway](#transit-gateway) + - [VPC Summary](#vpc-summary) + +## VPC & Subnets Primer + +- VPC -Virtual Private Cloud: private network to deploy your resources (regional resource) +- Subnets allow you to partition your network inside your VPC (Availability Zone resource) +- A public subnet is a subnet that is accessible from the internet +- A private subnet is a subnet that is not accessible from the internet +- To define access to the internet and between subnets, we use Route Tables. + +## Internet Gateway (IGW) + +- Connects a VPC to the internet. +- Allows instances in the VPC to directly communicate with the internet. +- Essential for a public subnet in a VPC to send/receive traffic to/from the internet. + +## NAT Gateway + +- Allows instances in a private subnet to initiate outbound traffic to the internet. +- Prevents unsolicited inbound traffic from reaching those instances. +- Used for scenarios where instances need to download patches, updates, etc., but should not be directly accessed from the internet. 
+- Managed by AWS + +## NAT Gateway vs NAT Instance + +| Attribute | NAT gateway | NAT instance | +| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Availability | Highly available. NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure zone-independent architecture. | Use a script to manage failover between instances. | +| Bandwidth | Scale up to 100 Gbps. | Depends on the bandwidth of the instance type. | +| Maintenance | Managed by AWS. You do not need to perform any maintenance. | Managed by you, for example, by installing software updates or operating system patches on the instance. | +| Performance | Software is optimized for handling NAT traffic. | A generic AMI that's configured to perform NAT. | +| Cost | Charged depending on the number of NAT gateways you use, duration of usage, and amount of data that you send through the NAT gateways. | Charged depending on the number of NAT instances that you use, duration of usage, and instance type and size. | +| Type and size | Uniform offering; you don’t need to decide on the type or size. | Choose a suitable instance type and size, according to your predicted workload. | +| Public IP addresses | Choose the Elastic IP address to associate with a public NAT gateway at creation. | Use an Elastic IP address or a public IP address with a NAT instance. You can change the public IP address at any time by associating a new Elastic IP address with the instance. | +| Private IP addresses | Automatically selected from the subnet's IP address range when you create the gateway. 
| Assign a specific private IP address from the subnet's IP address range when you launch the instance. | +| Security groups | You cannot associate security groups with NAT gateways. You can associate them with the resources behind the NAT gateway to control inbound and outbound traffic. | Associate with your NAT instance and the resources behind your NAT instance to control inbound and outbound traffic. | +| Network ACLs | Use a network ACL to control the traffic to and from the subnet in which your NAT gateway resides. | Use a network ACL to control the traffic to and from the subnet in which your NAT instance resides. | +| Flow logs | Use flow logs to capture the traffic. | Use flow logs to capture the traffic. | +| Port forwarding | Not supported. | Manually customize the configuration to support port forwarding. | +| Bastion servers | Not supported. | Use as a bastion server. | +| Traffic metrics | View CloudWatch metrics for the NAT gateway. | View CloudWatch metrics for the instance. | +| Timeout behavior | When a connection times out, a NAT gateway returns an RST packet to any resources behind the NAT gateway that attempt to continue the connection (it does not send a FIN packet). | When a connection times out, a NAT instance sends a FIN packet to resources behind the NAT instance to close the connection. | +| IP fragmentation | Supports forwarding of IP fragmented packets for the UDP protocol.
Does not support fragmentation for the TCP and ICMP protocols. Fragmented packets for these protocols will get dropped.
| Supports reassembly of IP fragmented packets for the UDP, TCP, and ICMP protocols. | + +## Network ACL & Security Groups + +- NACL (Network ACL) + - A firewall which controls traffic from and to subnet + - Can have ALLOW and DENY rules + - Are attached at the Subnet level + - Rules only include IP addresses +- Security Groups + - A firewall that controls traffic to and from an ENI / an EC2 Instance + - Can have only ALLOW rules + - Rules include IP addresses and other security groups + +### Network ACLs vs Security Groups + +| Security Group | Network ACL | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | +| Operates at the instance level | Operates at the subnet level | +| Supports allow rules only | Supports allow rules and deny rules | +| Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules | +| We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic | +| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group) | + + + +## VPC Flow Logs + +- Capture information about IP traffic going into your interfaces: + - VPC Flow Logs + - Subnet Flow Logs + - Elastic Network Interface Flow Logs +- Helps to monitor & troubleshoot connectivity issues. 
Example: + - Subnets to internet + - Subnets to subnets + - Internet to subnets +- Captures network information from AWS managed interfaces too: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc… +- VPC Flow logs data can go to S3 / CloudWatch Logs + +## VPC Peering + +- Allows direct network connectivity between two VPCs. +- VPCs can be in the same AWS account or different accounts. +- Ensures private, high-speed communication between VPCs without routing traffic through the internet. +- Make them behave as if they were in the same network +- Must not have overlapping CIDR (IP address range) + +## VPC Endpoints + +- Endpoints allow you to connect to AWS Services using a private network instead of the public www network +- This gives you enhanced security and lower latency to access AWS services +- VPC Endpoint Gateway: S3 & DynamoDB +- VPC Endpoint Interface: the rest + +## Site to Site VPN & Direct Connect + +- Site to Site VPN + - Connect an on-premises VPN to AWS + - The connection is automatically encrypted + - Goes over the public internet + - On-premises: must use a Customer Gateway (CGW) + - AWS: must use a Virtual Private Gateway (VGW) +- Direct Connect (DX) + - Establish a physical connection between on-premises and AWS + - The connection is private, secure and fast + - Goes over a private network + - Takes at least a month to establish + +## Transit Gateway + +- AWS Transit Gateway allows you to connect different Amazon VPCs and on-premise networks through a centralized routing service. +- It can connect thousands of VPCs and on-premises networks through a single gateway, thus it has advanced security and routing features such as monitoring traffic on your network connections and defining routing policies. +- Provides a simple and scalable solution for managing large numbers of VPCs and network connections in your organization. 
+ +## VPC Summary + +- VPC: Virtual Private Cloud +- Subnets:Tied to an AZ, network partition of the VPC +- Internet Gateway: at the VPC level, provide Internet Access +- NAT Gateway / Instances: give internet access to private subnets +- NACL: Stateless, subnet rules for inbound and outbound +- Security Groups: Stateful, operate at the EC2 instance level or ENI +- VPC Peering: Connect two VPC with non overlapping IP ranges, nontransitive +- VPC Endpoints: Provide private access to AWS Services within VPC +- VPC Flow Logs: network traffic logs +- Site to Site VPN: VPN over public internet between on-premises DC and AWS +- Direct Connect: direct private connection to AWS +- Transit Gateway: Connect thousands of VPC and on-premises networks together
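Review bot: the new README entry keeps the two-line pattern (link line, then an indented summary line) already used by the Cloud Monitoring entry above it, so the structure is fine; one accuracy point on the summary line `+ - VPC & Subnets Primer, Internet Gateway & NAT Gateways, Network ACL & Security Groups, VPC Flow Logs, ...`: it does not mention the two comparison tables the new page adds (NAT Gateway vs NAT Instance, Network ACLs vs Security Groups), which are the most detailed content in sections/vpc.md. Consider listing them so the README reflects what the page actually covers.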
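Review bot: the Direct Connect bullets `+ - The connection is private, secure and fast` and `+ - Goes over a private network` overstate the security property: a Direct Connect link is a dedicated private circuit, but traffic on it is not encrypted by default, unlike the Site to Site VPN bullet `+ - The connection is automatically encrypted`, which is correct for IPsec. Suggest replacing "secure" with "dedicated" and adding a bullet stating that encryption in transit over Direct Connect requires either MACsec on a supported port or a VPN run over the Direct Connect link. Further points in the same hunk: (1) the public/private subnet bullets define the terms by effect ("accessible from the internet") rather than by cause; the distinguishing factor is whether the subnet's route table contains a route to an Internet Gateway (an instance in a public subnet additionally needs a public or Elastic IP), which also ties the definition to the Route Tables bullet that follows it. (2) The VPC Flow Logs bullet "Capture information about IP traffic going into your interfaces" should say traffic to and from the interfaces, both accepted and rejected, and that flow logs record connection metadata (addresses, ports, protocol, action) rather than packet payloads. (3) The VPC Peering bullet "Make them behave as if they were in the same network" should note that peering is non-transitive (the VPC Summary says so, the section itself does not) and that traffic only flows once both VPCs' route tables have routes to the peering connection and security groups and NACLs permit it. (4) "VPC Endpoint Interface: the rest" is no longer strictly accurate, since S3 is also offered as an interface endpoint; "S3 (gateway or interface) & DynamoDB (gateway)" would be precise. (5) In the Network ACLs vs Security Groups table, "We evaluate all rules" and "We process rules in number order" are in AWS's first-person documentation voice; reword to "All rules are evaluated before ..." and "Rules are processed in number order ...". (6) In the Transit Gateway section, "thus it has advanced security and routing features" is a non sequitur (connecting many networks does not imply those features); split it into two sentences, and use "on-premises" consistently where the section currently mixes "on-premise" and "on-premises". (7) Style: "Subnets:Tied to an AZ" is missing a space, "Connect two VPC with non overlapping IP ranges" should read "two VPCs" and "non-overlapping", "Internet Gateway: at the VPC level, provide Internet Access" should read "provides", and "A firewall which controls traffic from and to subnet" should read "to and from a subnet".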