AWS Certified Solutions Architect – Associate (SAA-C02) – Virtual Private Cloud

Virtual Private Cloud (VPC)

• A virtual network dedicated to your AWS account
  • The term “virtual” = “not really”
• It is logically isolated from other virtual networks in the AWS Cloud
  • A personal data center in the could
• VPN connections can be made to the VPC
• You can launch your AWS resources, such as Amazon EC2 instances, into your VPC
• You can create endpoints within the VPC to connect to other resources
  • The endpoint can be controlled with policies
    • Use these to connect to AWS Services outside of the VPC
      • E.g. S3 Bucket or Glacier

A VPC is like a data center in the cloud. Connections to the VPC can be secured with a VPN protocol. Subnets can be withing VPC and made private or public. Multiple VPC can be interconnected with VPC peering.

VPC Provisions

• Applications run in the VPC or on-premises utilizing AWS components
• Subnets can be created in the VPC e.g. 192.168.1.X + 192.168.2.X etc.
  • Public subnets –> DMZ like –> public-facing
  • Private subnets –> internal only
• Direct Connect can provide VPN connectivity
• Multiple VPCs can be connected to one account
  • VPC peering
• A logical construct for the entire private network

VPN – Virtual Private Network
DMZ – Demilitarized Zone
Endpoint – as in for a service

The Default VPC

• Created by default for the root account
  • One in each region
• Amazon recommends not to delete VPC even when unused

VPC Features

• Dynamic private IP
• Dynamic public IP
• AWS provisioned DNS names
• Private/ public DNS names

Configuring DHCP

• Dynamic Host Configuration Protocol
  • Provides a standard for passing config info to host on a TPC/IP network
• DHCP Options for the VPC are configured in the DHCP Options Sets
• The DNS domain name can be configured in the Options Set
• DHCP will be used to provide dynamic addresses when required within the VPC

Elastic IP (EIP)

• Public IP addresses from the VPC region;
• Permanently allocated to your account until released
  • The account is billed until the release
• Network interfaces consume EIPs
• Elastic Network Interfaces (ENIs) use EIPs
• EIPs can be moved between instances in the same region
• Managing EIPs is vital for cost management

Elastic Network Interface (ENI)

• Virtual network interface (virtual network card) attached to an EC2 instance
• Only available within the VPC
  • Associated with a subnet
• Allows dual-homing; one connection on a private + one on a public subnet
• One public address and multiple private addresses
• Multiple ENIs connected to a single instance allow for dual-homing

Endpoint

• AWS endpoints connect VPCs to AWS (Managed) Services
• Policies can be enforced on different endpoints
• Creating an endpoint: specify the VPC, specify the Service, specify the Policy and Rout Table — select not build per se
  • Services are specified based on region and Service Name

VPC Peering

• Connects one VPC to another
• Many possible scenarios, including:
  • Management VPC > Production VPC
  • Development VPC > Production VPC
  • Corporate VPC > Partner VPC
• VPC Peering is not transitive (access to secondary connected VPSs is not automatic)

Creating VPC Peers

• Initiating VPC creates and sends a request to the receiving VPC
  • Owner role required
  • IP CIDR block in each VPC must not overlap
    • Never use the same CIDR block in a different VPC
• Receiving VPC accepts the request
  • Owner role required
• Each VPC needs a defined route to the other VPC
  • May require routing table modifications
• Security group rules setup
  • May require changes for the VPC peers
  • Security group in AWS is like FW defining in/out rules

VPC Security

Security Group Overview

• Acts as a firewall for storage security
  • Assigned to an EC2 instance in a VPC
  • Applies to instances, not subnets
• Defines allowed traffic flows
  • Ingress (entrance)
  • Egress (exit)
• Supports only allow rules – deny is implicit;
• Stateful processing is used
• Closed to open system – starts as deny all

Network Access Control Lists (NACLs)

• Applied on subnets
• Stateless processing
• Supports both allow and deny rules
• Rule number defines the precedence
  • The lowest number rule first
  • The first match applies // order of evaluation matters

Network Address Translation (NAT)

• Used to interconnect private and public networks
• NAT translates between private and public IP addresses
• NAT is implemented on a private and public subnet
  • EIP associated with NAT instance for the public-facing site
• Instances in the private subnet connect through the NAT instance to connect to the Internet
• NAT can be implemented using a dedicated NAT instance or AWS NAT Gateway

NAT Gateway – works more like traditional NAT service/ appliance

Virtual Private Gateway (VPG)

• Connects local network to the VPC
• VPG is the VPN concentrator
• VPG is the gateway on the AWS side inside an instance

Customer Gateway

• Physical device or software applications on the customer side
• Anchor on the customer side
  • Connects to the VPG
• VPG + CGW = VPN connection

Other Gateways

• AWS hardware VPN
• AWS Direct Connect
  • DirectConnect bypasses traditional ISP Internet connection and connects straight into AWS
• VPN CloudHub
  •  Secure communication between multiple AWS sites
• Software VPN
  • L2TP – Layered 2 Tunneling Protocol
  • IPSec – security authentication encryption within the L2TP tunnel

VPN Configuration Options

• Split Tunnel Support
  • Gives flexibility for routing traffic across the VPN, specifically for the traffic going out to the Internet
• Certification based authentication

Links

Amazon Virtual Private Cloud Documentation

AWS Virtual Private Network Documentation