AWS Certified Advanced Networking Series: VPC Pt2
In this Part 2 I cover subnets, IP addressing, private and public IPv4, IPv6, and a little on security, which I will go into properly in the next part.
Deleting your default subnets and default VPC
· A default subnet or the default VPC can be deleted.
· If you delete your default subnets or default VPC, you must explicitly specify a subnet in another VPC when launching an instance, because instances cannot be launched into EC2-Classic.
· Alternatively, a nondefault subnet in the default VPC can be marked as a default subnet by contacting AWS Support. Provide the AWS account ID, the region and the subnet ID with the request.
· To make sure the newly marked default subnet behaves like one, modify its subnet attribute so that instances launched in it are assigned public IPv4 addresses.
Only one default subnet is allowed per Availability Zone, and a default subnet cannot be created in a nondefault VPC.
Creating a default subnet
· A default subnet can be created in an Availability Zone that does not already have one.
· A default subnet is a /20 CIDR block. If the VPC does not have enough free address space for a /20, add a secondary IPv4 CIDR block to the VPC first.
· If the default VPC has an IPv6 CIDR block, a new default subnet does not automatically receive one. Associate an IPv6 CIDR block with the default subnet after creating it.
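As an added illustration of the capacity check behind the "not enough space for a /20" step (this is example code, not from the original post), the Python below uses the standard library's ipaddress module to find the first free /20 inside a VPC's CIDR blocks and returns None when only a secondary CIDR block will do. The VPC and subnet CIDRs are constructed sample inputs; the /16 to /28 size limits and the five reserved addresses per subnet are AWS rules that the post does not state.

```python
import ipaddress
from typing import Iterable, List, Optional

# AWS rule (not stated in the post): VPC and subnet IPv4 CIDR blocks must be
# between /16 and /28. A default subnet is a /20.
MIN_PREFIX, MAX_PREFIX = 16, 28
DEFAULT_SUBNET_PREFIX = 20

# AWS rule (not stated in the post): the first four and the last address of
# every subnet are reserved (network, VPC router, DNS, future use, broadcast).
RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses in a subnet that instances can actually be assigned."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def free_blocks(vpc_cidrs: Iterable[str], subnet_cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the parts of the VPC's CIDR blocks not covered by any existing subnet.

    CIDR blocks are either nested or disjoint, so carving a subnet out of a free
    block is exact; ipaddress.address_exclude does the splitting.
    """
    free = [ipaddress.ip_network(c, strict=True) for c in vpc_cidrs]
    for s in subnet_cidrs:
        sub = ipaddress.ip_network(s, strict=True)
        remaining = []
        for blk in free:
            if sub.subnet_of(blk):          # carve the subnet out of this block
                remaining.extend(blk.address_exclude(sub))
            elif not blk.subnet_of(sub):    # disjoint: keep; a block inside sub is dropped
                remaining.append(blk)
        free = remaining
    return sorted(free)


def find_free_cidr(vpc_cidrs, subnet_cidrs, prefixlen: int = DEFAULT_SUBNET_PREFIX) -> Optional[str]:
    """First fit: the lowest free CIDR of the requested size, or None when no hole
    in the VPC is large enough (the cue to add a secondary CIDR block)."""
    if not MIN_PREFIX <= prefixlen <= MAX_PREFIX:
        raise ValueError(f"subnet prefix must be /{MIN_PREFIX}../{MAX_PREFIX}, got /{prefixlen}")
    for blk in free_blocks(vpc_cidrs, subnet_cidrs):
        if blk.prefixlen == prefixlen:
            return str(blk)
        if blk.prefixlen < prefixlen:       # larger hole: take its first /prefixlen piece
            return str(next(blk.subnets(new_prefix=prefixlen)))
    return None


if __name__ == "__main__":
    # Constructed example: a default VPC with default subnets already in three AZs.
    vpc = ["172.31.0.0/16"]
    existing = ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20"]
    print("next default subnet:", find_free_cidr(vpc, existing))  # 172.31.48.0/20

    # Constructed example: a /24 VPC cannot fit a /20 until a secondary CIDR is added.
    small_vpc, used = ["10.0.0.0/24"], ["10.0.0.0/24"]
    print("in /24 VPC:", find_free_cidr(small_vpc, used))  # None
    print("after adding 10.1.0.0/16:", find_free_cidr(small_vpc + ["10.1.0.0/16"], used))  # 10.1.0.0/20
```

free_blocks skips holes that are too small: a VPC whose only gaps are a /22 and a /21 still returns None for a /20, which is exactly the situation where the secondary CIDR block is needed.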
IP Addressing in your VPC
· Amazon EC2 and Amazon VPC support both the IPv4 and IPv6 addressing protocols.
· By default, Amazon EC2 and Amazon VPC use the IPv4 addressing protocol.
· When creating a VPC, an IPv4 CIDR block must be assigned.
· Private IPv4 addresses are not reachable over the internet or from AWS services with public endpoints. For that, the instance needs a globally unique public IPv4 address.
· An IPv6 CIDR block can be associated with the VPC, its subnets and the resources in them. IPv6 addresses are public and reachable over the internet.
*Attach an internet gateway to the VPC so that instances can communicate with the internet.
· A VPC can operate in dual-stack mode: resources can communicate over IPv4, IPv6, or both.
IPv4 and IPv6 addresses are independent of each other: routing and security (route tables, security groups and network ACLs) must be configured separately for IPv4 and IPv6.
Private IPv4 addresses
· Not reachable over the internet.
· When an instance is launched, a primary private IPv4 address from the subnet's range is assigned to its default network interface (eth0).
· Each instance is given a private (internal) DNS hostname that resolves to its private IPv4 address.
· The primary private address can be chosen by the account holder, or AWS can select one.
· Secondary private IPv4 addresses can be added to instances running in the VPC. Unlike the primary private address, a secondary address can be reassigned from one instance to another.
· A private IPv4 address remains associated with the network interface when the instance is stopped and started, and is released when the instance is terminated.
Public IPv4 addresses
· A subnet attribute (MapPublicIpOnLaunch) determines whether a network interface created in the subnet automatically receives a public IPv4 address.
· If this attribute is enabled, a public IP address is assigned to the primary network interface (eth0) when an instance is launched in that subnet. This address is mapped to the primary private IP address through network address translation (NAT); the instance itself only ever sees the private address.
· Control whether an instance receives a public IP address in one of two ways:
• Modify the public IP addressing attribute of the subnet.
• Enable or disable the public IP addressing feature during instance launch. This overrides the subnet's public IP addressing attribute.
· A public IP address is assigned from Amazon's pool of public IPv4 addresses; it is not associated with your account. When a public IP address is disassociated from an instance it is released back into the pool and cannot be reused. Public IP addresses cannot be manually associated or disassociated; AWS may release an instance's public IP or assign it a new one, for example when the instance is stopped and started.
· Use an Elastic IP address if a persistent public IP is required. An Elastic IP can be associated with and removed from instances as necessary.
· If the VPC has DNS hostnames enabled, each instance that receives a public IP or Elastic IP address is also given a public DNS hostname.
IPv6 addresses
· An IPv6 CIDR block can be associated with the VPC and with its subnets.
· An instance in a VPC receives an IPv6 address if an IPv6 CIDR block is associated with both the VPC and the subnet, and one of the following is true:
• The subnet is configured to automatically assign an IPv6 address to the primary network interface of an instance during launch.
• You manually assign an IPv6 address to the instance during launch.
• You assign an IPv6 address to the instance after launch.
• You assign an IPv6 address to a network interface in the same subnet and attach that network interface to the instance after launch.
· When an instance receives an IPv6 address at launch, the address is associated with its primary network interface (eth0). It can later be unassigned from that interface. AWS does not provide IPv6 DNS hostnames for instances.
· An IPv6 address persists when the instance is stopped and started, and is released when the instance is terminated. An IPv6 address assigned to one network interface cannot be assigned to another until it has been unassigned from the first.
· Additional IPv6 addresses can be assigned to an instance's network interfaces. The number of IPv6 addresses and network interfaces an instance supports depends on the instance type.
· IPv6 addresses are globally unique and therefore reachable over the internet. Whether instances are actually reachable via their IPv6 addresses is controlled by the routing in the subnet (a ::/0 route to an internet gateway) and by security group and network ACL rules, each of which needs its own IPv6 entries.
IP addressing behavior for your subnet
· Subnets have modifiable attributes that determine whether the primary network interface (and any other network interface created when an instance is launched in the subnet) automatically receives a public IPv4 address and/or an IPv6 address. These attributes can be overridden for a specific instance at launch.
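Three points above combine in practice: IPv4 and IPv6 are routed and filtered independently, the subnet attribute decides whether instances get a public IPv4 address at launch, and IPv6 reachability is governed by the subnet's routing plus security group and network ACL rules. As an added example that is not from the original post, the Python below audits constructed, trimmed data in the shape of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-security-groups` responses (every ID and address is made up) and reports which subnets hand out internet-reachable addresses, which subnets auto-assign a public IPv4 address that is unreachable because the subnet has no internet gateway route, and which security-group rules are open to the world on one address family but not the other. It uses only the standard library; the field names follow the EC2 API response shapes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data in the shape of trimmed `aws ec2 describe-subnets`,
# `describe-route-tables` and `describe-security-groups` output; every ID and
# address below is made up for this example.
SUBNETS = [
    {"SubnetId": "subnet-0aaa", "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True,
     "AssignIpv6AddressOnCreation": False, "Ipv6CidrBlockAssociationSet": []},
    {"SubnetId": "subnet-0bbb", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False,
     "AssignIpv6AddressOnCreation": True, "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1:1::/64"}]},
    {"SubnetId": "subnet-0ccc", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": True,
     "AssignIpv6AddressOnCreation": False, "Ipv6CidrBlockAssociationSet": []},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0pub",
     "Associations": [{"SubnetId": "subnet-0aaa"}, {"SubnetId": "subnet-0bbb"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-0priv",
     "Associations": [{"SubnetId": "subnet-0ccc"}, {"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # SSH was meant to be limited to one office range, but only the IPv4 rule was tightened.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

def is_world(cidr: Optional[str]) -> bool:
    """True for 0.0.0.0/0 or ::/0 in any spelling (prefix length 0)."""
    return bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def route_table_for(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def igw_routes(rt: Dict) -> Tuple[bool, bool]:
    """(IPv4, IPv6) default routes to an internet gateway. NAT gateways and
    egress-only gateways (eigw-*) give no inbound path, so they do not count."""
    v4 = v6 = False
    for r in rt.get("Routes", []):
        if r.get("GatewayId", "").startswith("igw-"):
            v4 = v4 or is_world(r.get("DestinationCidrBlock"))
            v6 = v6 or is_world(r.get("DestinationIpv6CidrBlock"))
    return v4, v6

def subnet_findings(subnet: Dict, route_tables: List[Dict]) -> List[str]:
    sid = subnet["SubnetId"]
    rt = route_table_for(sid, route_tables)
    v4_igw, v6_igw = igw_routes(rt) if rt else (False, False)
    out = []
    if subnet.get("MapPublicIpOnLaunch"):
        out.append(f"{sid}: public subnet; instances get an internet-reachable IPv4 address at launch"
                   if v4_igw else
                   f"{sid}: auto-assigns public IPv4 but has no IGW route; the address is unreachable")
    if subnet.get("Ipv6CidrBlockAssociationSet") and v6_igw:
        when = "at launch" if subnet.get("AssignIpv6AddressOnCreation") else "once given an IPv6 address"
        out.append(f"{sid}: IPv6 default route to an IGW; instances are reachable over IPv6 {when}")
    return out

def describe(rule: Tuple[str, Optional[int], Optional[int]]) -> str:
    proto, lo, hi = rule
    return "all traffic" if proto == "-1" else (f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}")

def sg_findings(sg: Dict) -> List[str]:
    """Security group rules are evaluated per address family (an IPv4 range never
    matches IPv6 traffic), so compare what each family opens to the whole internet."""
    v4, v6 = set(), set()
    for perm in sg.get("IpPermissions", []):
        rule = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        if any(is_world(r.get("CidrIp")) for r in perm.get("IpRanges", [])):
            v4.add(rule)
        if any(is_world(r.get("CidrIpv6")) for r in perm.get("Ipv6Ranges", [])):
            v6.add(rule)
    gid = sg["GroupId"]
    return ([f"{gid}: {describe(r)} open to ::/0 but not 0.0.0.0/0 (IPv6-only exposure)" for r in sorted(v6 - v4, key=str)]
            + [f"{gid}: {describe(r)} open to 0.0.0.0/0 but not ::/0 (IPv4-only exposure)" for r in sorted(v4 - v6, key=str)]
            + [f"{gid}: {describe(r)} open to the whole internet on both families" for r in sorted(v4 & v6, key=str)])

def audit(subnets: List[Dict], route_tables: List[Dict], sgs: List[Dict]) -> List[str]:
    return ([f for s in subnets for f in subnet_findings(s, route_tables)]
            + [f for g in sgs for f in sg_findings(g)])

if __name__ == "__main__":
    for line in audit(SUBNETS, ROUTE_TABLES, SECURITY_GROUPS):
        print(line)
```

On the constructed data the audit reports subnet-0aaa as a public subnet, subnet-0bbb as reachable over IPv6 at launch even though it never hands out public IPv4 addresses, subnet-0ccc as assigning public IPv4 addresses that nothing can reach because its table only routes to a NAT gateway, and sg-0web as leaving SSH open to the whole IPv6 internet while the IPv4 rule is restricted. Pointing the same functions at real `describe-*` output (for example the JSON from the AWS CLI) only needs the NextToken pagination handled by the caller.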
Security in Amazon Virtual Private Cloud
· Cloud security at AWS is the highest priority.
· Security is a shared responsibility between AWS and the account holder.
· The shared responsibility model describes this as security of the cloud and security in the cloud:
Security of the cloud: AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides services that can be used securely. Third-party auditors regularly test and verify the effectiveness of AWS security as part of the AWS Compliance Programs.
Security in the cloud: the account holder's responsibility is determined by the AWS services used. The account holder is also responsible for other factors, including the sensitivity of the data, the company's requirements, and applicable laws and regulations.