Following on from the previous article.
DHCP option sets
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains configuration parameters, including the domain name, domain name server, and the netbios-node-type.
domain-name-servers: Defaults to AmazonProvidedDNS.
domain-name: Defaults to the internal Amazon domain name for the Region.
- AmazonProvidedDNS is the Amazon DNS server.
- When enabled, it allows Amazon EC2 instances to resolve domain names for destinations on the Internet and in a peered VPC in the same Region.
- The DHCP option set of a VPC allows you to change how host and domain names are assigned to Amazon EC2 resources.
- To assign your own domain name to instances, create a custom DHCP option set and assign it to your VPC.
- Configure the following values within a DHCP option set:
domain-name-servers: The IP addresses of up to four domain name servers, separated by commas.
domain-name: Specify the desired domain name (for example, mycompany.com).
ntp-servers: The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
netbios-name-servers: The IP addresses of up to four NetBIOS name servers, separated by commas.
netbios-node-type: Set this value to 2.
- Each VPC must have exactly one DHCP option set assigned to it.
Amazon Domain Name Service (DNS) Server
- DNS is the standard mechanism for resolving a hostname to an IP address.
- Amazon provides an integrated DNS server for the VPC.
- The DNS service and Amazon EC2 hostname resolution are enabled by default when a VPC is created using the console wizard.
- The attribute enableDnsSupport determines whether the Amazon DNS server is enabled.
- The attribute enableDnsHostnames determines whether Amazon EC2 instances receive hostnames.
- It runs on a reserved IP address at the base of the VPC IPv4 CIDR range plus two. For example, the DNS server for a VPC using 172.16.0.0/16 is available from 172.16.0.2. The Amazon DNS server is also available at 169.254.169.253.
- It can be integrated with Amazon Route 53 private hosted zones and AWS Directory Service.
- If the VPC's DHCP option set uses the Amazon DNS server, the instance is assigned a private Fully Qualified Domain Name (FQDN) for its private IPv4 address.
- If a public IPv4 address is assigned to the instance, a public FQDN is assigned as well.
- When instances within the VPC query the Amazon DNS server using the public FQDN of another instance within the VPC, the Amazon DNS server returns the private IPv4 address.
- This behaviour can be enabled between VPC peers in the same Region.
- Some AWS Cloud services, including Amazon EMR, require instances to resolve their own FQDN.
Each EC2 instance limits the number of packets that can be sent to the Amazon-provided DNS server to a maximum of 1024 packets per second per network interface. This quota cannot be increased. The number of DNS queries per second supported by the Amazon-provided DNS server varies by the type of query, size of response, and protocol in use.
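As an added example that is not from the article or from AWS, the following Python ties together the DHCP option set values listed earlier and the resolver-address rule in this section: it validates an option set and emits it in the DhcpConfigurations list shape the EC2 CreateDhcpOptions API accepts, and it computes the AmazonProvidedDNS address (VPC CIDR base plus two). The option values and server addresses in the sample are constructed.

```python
"""Build and sanity-check a custom DHCP option set for a VPC, offline.
Added example, not from the article or AWS. Produces the DhcpConfigurations
list shape accepted by EC2 CreateDhcpOptions and derives the AmazonProvidedDNS
resolver address (VPC CIDR base + 2). Sample values are constructed."""
import ipaddress

MAX_SERVERS = 4  # the article: up to four servers per list-valued option
LIST_OPTIONS = {"domain-name-servers", "ntp-servers", "netbios-name-servers"}


def amazon_dns_resolver(vpc_cidr: str) -> str:
    """Return the Amazon DNS server address for a VPC: network base + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if net.version != 4 or net.num_addresses < 4:
        raise ValueError(f"{vpc_cidr} is not a usable VPC IPv4 CIDR")
    return str(net.network_address + 2)


def build_dhcp_configurations(options: dict) -> list:
    """Validate the option values and return [{"Key": ..., "Values": [...]}]."""
    configs = []
    for key, value in options.items():
        if key in LIST_OPTIONS:
            values = [v.strip() for v in str(value).split(",") if v.strip()]
            if not 1 <= len(values) <= MAX_SERVERS:
                raise ValueError(f"{key}: need 1 to {MAX_SERVERS} entries")
            for v in values:
                # AmazonProvidedDNS is the only non-IP value, and only for DNS.
                if v == "AmazonProvidedDNS" and key == "domain-name-servers":
                    continue
                ipaddress.IPv4Address(v)  # raises ValueError on anything else
        elif key == "domain-name":
            values = [str(value).strip()]
        elif key == "netbios-node-type":
            if str(value) != "2":
                raise ValueError("netbios-node-type must be 2")
            values = ["2"]
        else:
            raise ValueError(f"unknown DHCP option {key!r}")
        configs.append({"Key": key, "Values": values})
    return configs


# Constructed sample option set (addresses are made up).
SAMPLE_OPTIONS = {
    "domain-name": "mycompany.com",
    "domain-name-servers": "AmazonProvidedDNS,10.0.0.10",
    "ntp-servers": "10.0.0.20",
    "netbios-node-type": 2,
}
```

The returned list can be passed unchanged as the DhcpConfigurations parameter of the EC2 CreateDhcpOptions call.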
VPC peering
- A connection between two VPCs that enables you to route traffic between them privately.
- Instances in either VPC are able to communicate with each other as if they were in the same network.
- VPC peering can be established between your own VPCs, with a VPC in another account, or with a VPC in a different AWS Region.
Elastic IP addresses
A static public IPv4 address designed for dynamic cloud computing.
It can be associated with any instance or network interface in any VPC in the account.
Remap the address to another instance in the VPC to mask the failure of an instance.
The advantage of associating the Elastic IP address with the network interface instead of directly with the instance is that you can move all the attributes of the network interface from one instance to another in a single step.
There is no support for IPv6.
Elastic IP address basics
Basic information about Elastic IP addresses.
· First allocate an Elastic IP address for use in a VPC, and then associate it with an instance in the VPC (it can be assigned to only one instance at a time).
· An Elastic IP address is a property of network interfaces. Associate an Elastic IP address with an instance by updating the network interface attached to the instance.
· If you associate an Elastic IP address with the eth0 network interface of an instance, its current public IPv4 address (if it had one) is released to the EC2-VPC public IP address pool. If you disassociate the Elastic IP address, the eth0 network interface is automatically assigned a new public IPv4 address within a few minutes. This does not apply if a second network interface is attached to the instance.
· There are differences between Elastic IP addresses used in a VPC and those used in EC2-Classic.
· An Elastic IP address can be moved from one instance to another, in the same VPC or in another VPC, but not to EC2-Classic.
· Elastic IP addresses remain associated with your AWS account until you explicitly release them.
· A small hourly charge is imposed when an address is not in use, even if it is attached to a stopped instance or to an unattached network interface.
· Elastic IP addresses are limited to 5. Use NAT to conserve them.
· An Elastic IP address is reached through the internet gateway (IGW). A Site-to-Site VPN cannot reach an Elastic IP address, because its traffic traverses a virtual private gateway (VGW).
· You can tag an Elastic IP address that is allocated for use in a VPC; however, cost allocation tags are not supported. If an Elastic IP address is recovered, its tags are not recovered.
· You can move an Elastic IP address that is allocated for use in the EC2-Classic platform to the VPC platform.
· An Elastic IP address can be provided by Amazon or come from your own IP address range. For addresses provided by Amazon, you can associate the Elastic IP address with a network border group, which is the location from which AWS advertises the CIDR block.
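As an added example that is not from the article or from AWS, the following Python audits Elastic IP usage against the points above: addresses that are allocated but not associated (idle, yet billed hourly), addresses that sit on a network interface with no instance behind it, and the headroom left against the limit of 5 quoted above. The records are constructed in the shape of the EC2 DescribeAddresses response, with made-up IDs and addresses.

```python
"""Audit Elastic IP usage from DescribeAddresses-shaped records, offline.
Added example, not from the article or AWS. Flags VPC Elastic IPs that are
allocated but unassociated (idle, billed hourly) or on an ENI with no instance,
and reports headroom against the quota of 5. All records are constructed."""

EIP_QUOTA = 5  # per-Region limit quoted in the article

# Constructed DescribeAddresses-style records; IDs and IPs are made up.
SAMPLE_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a", "Domain": "vpc",
     "AssociationId": "eipassoc-1", "InstanceId": "i-0aaa",
     "NetworkInterfaceId": "eni-0aaa"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0b", "Domain": "vpc",
     "AssociationId": "eipassoc-2", "NetworkInterfaceId": "eni-0bbb"},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0c", "Domain": "vpc"},
    {"PublicIp": "198.51.100.5", "Domain": "standard", "InstanceId": "i-0ccc"},
]


def audit_elastic_ips(addresses: list, quota: int = EIP_QUOTA) -> dict:
    """Classify VPC Elastic IPs; EC2-Classic ('standard') ones are skipped."""
    idle, interface_only, in_use = [], [], []
    for addr in addresses:
        if addr.get("Domain") != "vpc":
            continue  # EC2-Classic is a separate platform with its own quota
        if not addr.get("AssociationId"):
            idle.append(addr["PublicIp"])  # allocated, serving nothing, still billed
        elif not addr.get("InstanceId"):
            # Associated with an ENI that is not attached to any instance.
            interface_only.append(addr["PublicIp"])
        else:
            in_use.append(addr["PublicIp"])
    allocated = len(idle) + len(interface_only) + len(in_use)
    return {
        "idle": idle,
        "interface_only": interface_only,
        "in_use": in_use,
        "allocated": allocated,
        "remaining_quota": max(quota - allocated, 0),
    }
```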
ClassicLink
· ClassicLink allows you to link an EC2-Classic instance to a VPC in your account within the same Region.
· This allows you to associate VPC security groups with the EC2-Classic instance, enabling communication between the EC2-Classic instance and instances in your VPC using private IPv4 addresses.
· ClassicLink removes the need to make use of public IPv4 addresses or Elastic IP addresses to enable communication between instances in these platforms.
· ClassicLink is available to all users with accounts that support the EC2-Classic platform, and can be used with any EC2-Classic instance.
· There is no additional charge for using ClassicLink. Standard charges for data transfer and instance hour usage apply.
VPC endpoints and VPC endpoint services (AWS PrivateLink)
- Allows you to privately connect your VPC to supported AWS services and VPC endpoint services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- Instances do not require public IP addresses to communicate with resources in the service.
- Traffic between VPC and the other service does not leave the Amazon network.
- Endpoints are virtual devices.
- Horizontally scaled, redundant, and highly available VPC components.
- They allow communication between instances in the VPC and services without imposing availability risks or bandwidth constraints on network traffic.
VPC endpoints concepts
• Endpoint service — Your own application in your VPC. Other AWS principals can create a connection from their VPC to your endpoint service.
• Gateway endpoint — It is a gateway that is specified as a target for a route in the route table for traffic destined to a supported AWS service.
• Interface endpoint — An elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.
Working with VPC endpoints
Create, access, and manage VPC endpoints using any of the following:
• AWS Management Console — Provides a web interface that is used to access VPC endpoints.
• AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including Amazon VPC. The AWS CLI is supported on Windows, macOS, and Linux.
• AWS SDKs — Provide language-specific APIs. The AWS SDKs take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors.
• Query API — Provides low-level API actions that can be called using HTTPS requests. Using the Query API is the most direct way to access Amazon VPC. However, it requires the application to handle low-level details such as generating the hash to sign the request and handling errors.
Interface endpoints support Amazon Kinesis Streams, Elastic Load Balancing API, Amazon EC2 API, Amazon EC2 Systems Manager (SSM), AWS Service Catalog, Endpoint services hosted by other accounts, and supported Marketplace partner services.
Note: Services cannot initiate requests to resources in your VPC through the endpoint. An endpoint only returns responses to traffic that is initiated from resources in your VPC. Before integrating a service with an endpoint, review the service-specific VPC endpoint documentation for any service-specific configuration and limitations.
Private DNS for interface endpoints
- When you create an interface endpoint, endpoint-specific DNS hostnames are created that can be used to communicate with the service.
- For AWS services and AWS Marketplace Partner services, the private DNS option (enabled by default) associates a private hosted zone with the VPC.
- The hosted zone contains a record set for the default DNS name for the service (for example, ec2.us-east-1.amazonaws.com) that resolves to the private IP addresses of the endpoint network interfaces in your VPC.
- This enables you to make requests to the service using its default DNS hostname instead of the endpoint-specific DNS hostnames. For example, if your existing applications make requests to an AWS service, they can continue to make requests through the interface endpoint without requiring any configuration changes.
In the example shown in the following diagram, there is an interface endpoint for Amazon Kinesis Data Streams and an endpoint network interface in subnet 2. Private DNS for the interface endpoint is not enabled. The route tables for the subnets have the following routes.
- Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using the endpoint-specific DNS hostname. Instances in subnet 1 can also communicate with Amazon Kinesis Data Streams over public IP address space in the AWS Region using its default DNS name, since their route table has a route to an internet gateway.
- In the next diagram, private DNS for the endpoint has been enabled. Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using either the default DNS hostname or the endpoint-specific DNS hostname.
To use private DNS, set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. IAM users must have permission to work with hosted zones.
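As an added example that is not from the article or from AWS, the following Python models the two scenarios described above: whether a subnet has an internet gateway route, whether an interface endpoint exists, and whether private DNS is enabled decide how the default service hostname and the endpoint-specific hostname are reached, and a small check covers the two VPC attributes private DNS requires. The Kinesis hostnames, the gateway ID and the subnet route tables are assumed placeholders.

```python
"""Model which path a request to an AWS service takes from a subnet.
Added example, not from the article or AWS. An IGW route, an interface
endpoint and the private DNS setting decide how the default and the
endpoint-specific hostnames are reached. Hostnames and IDs are assumed."""
from dataclasses import dataclass
from typing import Optional

SERVICE_DEFAULT_HOST = "kinesis.us-east-1.amazonaws.com"  # assumed default name
ENDPOINT_HOST = "vpce-EXAMPLE.kinesis.us-east-1.vpce.amazonaws.com"  # assumed


@dataclass
class Subnet:
    name: str
    routes: dict  # destination CIDR -> target, e.g. "0.0.0.0/0": "igw-EXAMPLE"


@dataclass
class InterfaceEndpoint:
    private_dns_enabled: bool


def private_dns_allowed(vpc_attributes: dict) -> bool:
    """Private DNS needs enableDnsHostnames and enableDnsSupport both true."""
    return (bool(vpc_attributes.get("enableDnsHostnames"))
            and bool(vpc_attributes.get("enableDnsSupport")))


def resolve_path(subnet: Subnet, hostname: str,
                 endpoint: Optional[InterfaceEndpoint]) -> str:
    """Return 'endpoint', 'internet' or 'unreachable' for a request to hostname."""
    has_igw = str(subnet.routes.get("0.0.0.0/0", "")).startswith("igw-")
    if endpoint is not None:
        # The endpoint-specific name always resolves to the endpoint ENIs, which
        # any subnet in the VPC reaches over private IP space (no IGW needed).
        if hostname == ENDPOINT_HOST:
            return "endpoint"
        # With private DNS on, the private hosted zone maps the default name to
        # the ENI private IPs as well, even from a subnet that has an IGW route.
        if hostname == SERVICE_DEFAULT_HOST and endpoint.private_dns_enabled:
            return "endpoint"
    # Otherwise the default name resolves to public IPs, which needs an IGW route.
    if hostname == SERVICE_DEFAULT_HOST and has_igw:
        return "internet"
    return "unreachable"


# Constructed subnets: subnet 1 has an internet gateway route, subnet 2 does not.
SUBNET_1 = Subnet("subnet-1", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"})
SUBNET_2 = Subnet("subnet-2", {"10.0.0.0/16": "local"})
```

Running the model with private DNS disabled and then enabled reproduces the two diagrams: only the enabled case keeps subnet 1's requests to the default hostname off the public path.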