AWS Certified Advanced Networking Series: VPC Pt1

Danesh Raj
13 min read · Nov 11, 2020

I’m sitting for my AWS Certified Advanced Networking Exam & I wanted to share my learning notes with all of you. Hope it will be useful & we might learn a thing or two along the journey.

What is VPC?

A VPC is a virtual network that closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

VPC Concepts

· A VPC is a virtual network dedicated to your AWS account.

· A subnet is a range of IP addresses in the VPC.

· A route table contains a set of routes that determine where network traffic is directed.

· An internet gateway is a horizontally scaled, redundant, and highly available VPC component for communication between instances in the VPC and the internet. It imposes no availability risk or bandwidth constraint on traffic.

· A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Traffic remains within the AWS network.

Accessing Amazon VPC

AWS Management Console — GUI-based web interface used to access VPC.

AWS Command Line Interface (CLI) — command-based interface for accessing AWS services, including VPC.

AWS SDK’s — Provides language-specific APIs and takes care of many of the connection details, such as calculating signatures, handling request retries, and error handling.

Query API — Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Amazon VPC, but it requires that your application handle low-level details such as generating the hash to sign the request, and error handling.

Amazon VPC quotas

There are per-account, per-Region quotas on Amazon VPC resources, such as the limits on CIDR blocks and route table entries noted further down.

PCI DSS compliance

Amazon VPC supports the processing, storage, and transmission of credit card data by a merchant or service provider and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).

How Amazon VPC works

Amazon VPC lets you launch AWS resources into a virtual network that resembles a traditional network.

Amazon VPC concepts

VPCs and subnets

· A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.

· It is logically isolated from other virtual networks.

· E.g. you launch EC2 instances into a VPC.

· A subnet is a range of IP addresses in the VPC; AWS resources are launched into subnets. Use a public subnet for internet-facing resources and a private subnet for non-internet-facing resources.

· Security is set using security groups and network access control lists (ACLs).

Benefits of EC2 in VPC

• Assign static private IPv4 addresses to your instances that persist across starts and stops

• Optionally associate an IPv6 CIDR block to your VPC and assign IPv6 addresses to your instances

• Assign multiple IP addresses to your instances

• Define network interfaces, and attach one or more network interfaces to your instances

• Change security group membership for your instances while they’re running

• Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)

• Add an additional layer of access control to your instances in the form of network access control lists (ACLs)

• Run your instances on single-tenant hardware

Default and nondefault VPCs

· The default VPC (on the EC2-VPC platform) is created automatically with the account; its subnets are default subnets.

· A nondefault VPC is one you create yourself. Its subnets are called nondefault subnets.

Accessing the internet

· The default VPC includes an internet gateway, and each default subnet is a public subnet.

· Each instance created in the default VPC has both a private and a public IPv4 address.

· Instances communicate inbound and outbound with the internet via the internet gateway.

· Instances created in a nondefault VPC have only a private IPv4 address unless a public IPv4 address is assigned at launch or the subnet’s public IP address attribute is modified. Until then they can only communicate among themselves and cannot access the internet.

· For IPv4 traffic, a NAT device is used to allow instances outbound access while preventing inbound connections from the internet.

· The NAT device uses the internet gateway (IGW) to connect to the internet.

Example: Instance in Private Subnet > NAT Device > IGW

IPv6 NAT

· Associate an IPv6 CIDR block with the VPC and assign IPv6 addresses to instances.

· Instances connect to the internet using the internet gateway.

· Instances can use an egress-only internet gateway for outbound-only connections to the internet.

· The route table must include a route for IPv6 traffic.

Accessing a corporate or home network

· Aimed at connecting the VPC to an on-premises DC using an IPsec AWS Site-to-Site VPN connection.

· Site-to-Site VPN components:

a) Virtual private gateway on the Amazon end.

b) Customer gateway on the customer end.

Refer to the image below as an example.

Components of VPC

IPv4 CIDR block: the IP range from which subnets are created.

Subnet: assigns IP addresses to instances.

Internet gateway: allows instances to connect to the internet.

Route table: allows traffic to flow between the subnet and the internet gateway.

IPv6 configurations

CIDR

VPC: Amazon automatically assigns the CIDR; you cannot choose the range yourself.

Public Subnet: You can choose the range for your subnet from the range allocated to the VPC. You cannot choose the size of the VPC IPv6 CIDR block.

Private Subnet: You can choose the range for your subnet from the range allocated to the VPC. You cannot choose the size of the VPC IPv6 CIDR block.

Security Group

You must add separate rules to your security group to control inbound and outbound IPv6 traffic for your web server instance.

Network ACL

Must add separate rules to your network ACL to control inbound and outbound IPv6 traffic.

VPC & Subnets

Subnet 1: the subnet’s traffic is routed to an internet gateway, so it is known as a public subnet. Instances require a public IPv4 address or an Elastic IP address (IPv4) for internet communication.

Subnet 2: Private subnet.

Subnet 3: This is a VPN-only subnet. Traffic routed to a virtual private gateway for a Site-to-Site VPN connection. Currently IPv6 traffic is not supported over a Site-to-Site VPN connection.

Extending your VPC resources to AWS Local Zones

To reduce latency, AWS resources such as compute, storage, databases and other services are located closer to users in places where no AWS Region exists today.

Extend the VPC from its Region by creating a new subnet that has a Local Zone assignment.

When a subnet is created in a Local Zone, the VPC will be extended to that Local Zone.

A network border group is a unique set of Availability Zones or Local Zones from where AWS advertises public IP addresses.

When you create a VPC that has IPv6 addresses, you can choose to assign a set of Amazon-provided public IP addresses to the VPC and also set a network border group for the addresses that limits the addresses to the group. When you set a network border group, the IP addresses cannot move between network border groups. The us-west-2 network border group contains the four US West (Oregon) Availability Zones. The us-west-2-lax-1 network border group contains the Los Angeles Local Zones.

The following rules apply to Local Zones:

• The Local Zone subnets follow the same routing rules as Availability Zone subnets, including route tables, security groups, and network ACLs.

• You can assign Local Zones to subnets using the Amazon VPC Console, AWS CLI or API.

• You must provision public IP addresses for use in a Local Zone. When you allocate addresses, you can specify the location from which the IP address is advertised. We refer to this as a network border group and you can set this parameter to limit the address to this location. After you provision the IP addresses, you cannot move them between the Local Zone and the parent region (for example, from us-west-2-lax-1a to us-west-2).

• You can request the IPv6 Amazon-provided IP addresses and associate them with the network border group for a new or existing VPC.

Subnets in AWS Outposts

· AWS Outposts offers you the same AWS hardware infrastructure, services, APIs, and tools to build and run your applications on premises and in the cloud.

· Suitable for workloads that need low latency to on-premises applications or systems.

· Suitable for workloads that need to store and process data locally.

· Available in all AZs in an AWS Region. An Outpost is associated with VPCs created in the Region and its AZs.

· The subnets must reside in one Outpost location.

· A local gateway handles the network connectivity between your VPC and on-premises networks. For information about local gateways, see Local Gateways in the AWS Outposts User Guide.

· If your account is associated with AWS Outposts, you assign the subnet to an Outpost by specifying the Outpost ARN when you create the subnet.

· By default, every subnet that you create in a VPC associated with an Outpost inherits the main VPC route table, including the local gateway route. You can also explicitly associate a custom route table with the subnets in your VPC and have a local gateway as a next-hop target for all traffic that needs to be routed to the on-premises network.

VPC and subnet sizing

· Supports IPv4 & IPv6 addressing

· has different CIDR block size quotas for each

· By default, all VPCs and subnets must have IPv4 CIDR blocks

VPC and subnet sizing for IPv4

· When creating a VPC, you must specify an IPv4 CIDR block.

· The allowed block size is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).

· A secondary CIDR block can be associated.

· It is possible to create a publicly routable CIDR block outside of the private IPv4 address ranges.

· You can create more than one subnet CIDR block, but they must not overlap. For example, if you create a VPC with CIDR block 10.0.0.0/24, it supports 256 IP addresses. You can break this CIDR block into two subnets, each supporting 128 IP addresses. One subnet uses CIDR block 10.0.0.0/25 (for addresses 10.0.0.0–10.0.0.127) and the other uses CIDR block 10.0.0.128/25 (for addresses 10.0.0.128–10.0.0.255).

· The first four IP addresses and the last IP address in each subnet CIDR block are not available for use.

· For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:

• 10.0.0.0: Network address.

• 10.0.0.1: Reserved by AWS for the VPC router.

• 10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC.

For more information, see Amazon DNS server.

• 10.0.0.3: Reserved by AWS for future use.

• 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

Adding IPv4 CIDR blocks to a VPC

· When a secondary IPv4 CIDR block is associated, a route is automatically added to your VPC route tables to enable routing within the VPC.

To add a CIDR block to your VPC, the following rules apply:

· The allowed block size is between /16 and /28.

· It must not overlap with any existing CIDR block that is associated with the VPC.

· You cannot increase or decrease the size of an existing CIDR block.

· A VPC cannot exceed 5 IPv4 CIDR blocks and 1 IPv6 CIDR block. No more than 200 entries in the VPC’s route tables; 50 routes per route table (non-propagated routes), which can be increased to 1,000 each for IPv4 and IPv6.

· The CIDR block must not be the same or larger than the CIDR range of a route in any of the VPC route tables. For example, in a VPC where the primary CIDR block is 10.2.0.0/16, you want to associate a secondary CIDR block in the 10.0.0.0/16 range. You already have a route with a destination of 10.0.0.0/24 to a virtual private gateway, therefore you cannot associate a CIDR block of the same range or larger. However, you can associate a CIDR block of 10.0.0.0/25 or smaller.

· If the VPC is enabled for ClassicLink, you can associate CIDR blocks from the 10.0.0.0/16 and 10.1.0.0/16 ranges, but you cannot associate any other CIDR block from the 10.0.0.0/8 range.

· Rules for an IPv4 CIDR block when the VPC is part of a VPC peering connection:

· Active: you can add a CIDR block to the VPC as long as it does not overlap with a CIDR block of the peer VPC.

· Pending-acceptance: the requester cannot add a CIDR block that overlaps with the accepter VPC; either the accepter must accept it, or the requester must delete and recreate the VPC. The accepter can add CIDR blocks; however, if the secondary CIDR block overlaps with the requester VPC, the VPC peering connection request fails and cannot be accepted.

· If a Direct Connect gateway is used with multiple VPCs, the associated VPCs must not have overlapping CIDR blocks. When a new CIDR block is added, ensure it does not overlap with an existing CIDR block of any other associated VPC.

· States when adding and removing a CIDR block: associating, associated, disassociating, disassociated, failing, failed.

· It is possible to disassociate a CIDR block that you’ve associated with your VPC, but the original CIDR block created with the VPC cannot be disassociated. Use this command to view the VPC’s CIDR blocks and their association states:

aws ec2 describe-vpcs --vpc-ids <vpc-id>

VPC and subnet sizing for IPv6

· Associate a single IPv6 CIDR block with an existing VPC in your account, or when you create a new VPC.

· The VPC’s IPv6 CIDR block has a fixed prefix length of /56.

· Request an IPv6 CIDR block from Amazon’s pool of IPv6 addresses.

· Once an IPv6 CIDR block is associated with your VPC, you can associate an IPv6 CIDR block with an existing subnet in your VPC, or when you create a new subnet.

· A subnet’s IPv6 CIDR block is a fixed prefix length of /64.

· For example, you create a VPC and specify that you want to associate an Amazon-provided IPv6 CIDR block with the VPC. Amazon assigns the following IPv6 CIDR block to your VPC: 2001:db8:1234:1a00::/56. You cannot choose the range of IP addresses yourself. You can create a subnet and associate an IPv6 CIDR block from this range; for example, 2001:db8:1234:1a00::/64.

· You can disassociate an IPv6 CIDR block from a subnet and an IPv6 CIDR block from a VPC. After disassociating an IPv6 CIDR block from a VPC, you cannot expect to receive the same CIDR block if you associate an IPv6 CIDR block with your VPC again later.

· The first four IPv6 addresses and the last IPv6 address in each subnet CIDR block are not available for use and cannot be assigned to an instance. For example, in a subnet with CIDR block 2001:db8:1234:1a00::/64, the following five IP addresses are reserved:

· 2001:db8:1234:1a00::

· 2001:db8:1234:1a00::1

· 2001:db8:1234:1a00::2

· 2001:db8:1234:1a00::3

· 2001:db8:1234:1a00:ffff:ffff:ffff:ffff
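As an added example (my code, not from the original notes), the following Python derives the five reserved addresses and the usable count for any subnet, covering both the IPv4 reserved-address list (10.0.0.0/24) and the IPv6 list (2001:db8:1234:1a00::/64) given above, and carves a block into non-overlapping subnets as in the 10.0.0.0/24 into two /25s example. It uses only the standard library ipaddress module; the function names are assumptions.

```python
import ipaddress


def reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in a subnet, in the roles listed
    above: network address, VPC router (+1), DNS (+2), future use (+3), and
    the last address (the IPv4 broadcast address; IPv6 has no broadcast, but
    the last address is still reserved). Works for IPv4 and IPv6 subnets."""
    net = ipaddress.ip_network(subnet_cidr)
    base = net.network_address
    return {
        "network": base,
        "vpc_router": base + 1,
        "dns": base + 2,
        "future_use": base + 3,
        "last": net.broadcast_address,  # for IPv6 this is simply the last address
    }


def usable_addresses(subnet_cidr):
    """Number of addresses that can actually be assigned to instances:
    the block size minus the five reserved addresses."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def split_cidr(cidr, new_prefix):
    """Carve a CIDR block into non-overlapping subnets of the given prefix
    length, e.g. 10.0.0.0/24 into two /25s as in the example above."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def assignable(subnet_cidr, address):
    """True if `address` lies in the subnet and is not one of the reserved five,
    i.e. it could be handed to an instance."""
    net = ipaddress.ip_network(subnet_cidr)
    addr = ipaddress.ip_address(address)
    return addr in net and addr not in reserved_addresses(subnet_cidr).values()


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "2001:db8:1234:1a00::/64"):
        print(cidr, "usable:", usable_addresses(cidr))
        for role, addr in reserved_addresses(cidr).items():
            print("  reserved", role, addr)
    print(split_cidr("10.0.0.0/24", 25))
```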

Subnet routing

· A subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet.

· Each subnet you create is automatically associated with the main route table for the VPC.

· You can change the contents and associations of the main route table.

Subnet security

· Security groups and network ACLs.

· Security groups control inbound and outbound traffic for your instances.

· Network ACLs control inbound and outbound traffic for your subnets.

· By design, each subnet must be associated with a network ACL.

· Every subnet you create is automatically associated with the VPC’s default network ACL. However, you can change the contents of the default network ACL.

· You can create a flow log on your VPC or subnet to capture the traffic that flows to and from the network interfaces in your VPC or subnet.

· You can also create a flow log on an individual network interface.

Default VPC and default subnets

Default VPC components

These steps are performed by Amazon on behalf of the account owner:

• Create a VPC with a size /16 IPv4 CIDR block (172.31.0.0/16). This provides up to 65,536 private IPv4 addresses.

• Create a size /20 default subnet in each Availability Zone. This provides up to 4,096 addresses per subnet, a few of which are reserved for our use.

• Create an internet gateway and connect it to your default VPC.

• Create a default security group and associate it with your default VPC.

• Create a default network access control list (ACL) and associate it with your default VPC.

• Associate the default DHCP options set for your AWS account with your default VPC.

Note: IAM policies do not apply to these actions because you do not perform these actions. For example, if you have an IAM policy that denies the ability to call CreateInternetGateway, and then you call CreateDefaultVpc, the internet gateway in the default VPC is still created.

Default Subnets

· A default subnet is a public subnet, since all traffic destined for the internet goes via the internet gateway.

· Convert it into a private subnet by removing the route for destination 0.0.0.0/0 to the internet gateway.

· No EC2 instance under the private subnet will be able to access the internet.

· Instances launched in a default subnet receive both public and private IPv4 addresses, and both public and private DNS hostnames.

· Instances launched in nondefault subnets in the default VPC don’t receive a public IPv4 address or DNS hostname.

· It is possible to change your subnet’s default public IP addressing behavior.

· When a new AZ is added to a Region, AWS automatically creates a new subnet in that AZ for the default VPC within a few days.
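As an added example (my code, not from the original notes), the following Python models how the VPC router evaluates a route table (longest-prefix match) and uses it to classify a subnet as public, private or VPN-only, matching Subnet 1, 2 and 3 above, and to show the "remove the 0.0.0.0/0 route to the internet gateway" step that turns a default subnet private. The route tables are constructed sample data and the gateway IDs are placeholders, not values from the notes.

```python
import ipaddress

# Constructed route tables mirroring the three subnet types described above
# (assumed sample data; the gateway IDs are placeholders, not from the notes).
ROUTE_TABLES = {
    "public":   [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "private":  [("172.31.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
    "vpn-only": [("172.31.0.0/16", "local"), ("10.0.0.0/8", "vgw-PLACEHOLDER")],
}

# An address outside the VPC and outside private ranges (TEST-NET-2, reserved
# for documentation), used to ask "where would internet-bound traffic go?".
INTERNET_PROBE = "198.51.100.1"


def lookup_route(routes, destination):
    """Pick the route for a destination using longest-prefix match, which is
    how the VPC router evaluates a route table. Returns the target or None."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(routes):
    """Classify a subnet by where its internet-bound traffic is sent:
    'public'   -> internet gateway (igw-...)
    'private'  -> NAT device (NAT gateway nat-..., or an instance/ENI doing NAT)
    'vpn-only' -> no internet route, but a route to a virtual private gateway
    'isolated' -> nothing beyond the local route."""
    target = lookup_route(routes, INTERNET_PROBE) or ""
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "i-", "eni-")):
        return "private"
    if any(t.startswith("vgw-") for _, t in routes):
        return "vpn-only"
    return "isolated"


def remove_internet_gateway_route(routes):
    """The 'convert a default subnet to private' step from the notes: drop the
    0.0.0.0/0 route that points at the internet gateway."""
    return [(cidr, t) for cidr, t in routes
            if not (cidr == "0.0.0.0/0" and t.startswith("igw-"))]


if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(name, "->", classify_subnet(routes))
    print("default subnet after removing the IGW route ->",
          classify_subnet(remove_internet_gateway_route(ROUTE_TABLES["public"])))
```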

Part 2 of this series will cover the rest of the notes on VPC. I will post the questions as well in a separate post as a review study.
