Networking & VPCs
VPCs
Amazon Virtual Private Clouds (VPCs) enable you to provision an isolated section of the AWS Cloud. Within a VPC, you can organize your resources into subnets. A subnet is a section of a VPC that can contain resources such as Amazon EC2 instances. Internet Gateways are the connection between a VPC and the internet.
Virtual Private Gateways are used to access private resources in a VPC. A virtual private gateway enables you to establish a virtual private network (VPN) connection between your VPC and a private network.
AWS Direct Connect enables you to establish a dedicated private connection between your data centre and a VPC. This connection helps you reduce network costs and increase the amount of bandwidth available.
VPC & Subnets
- VPC is a private network to deploy your resources (regional resource)
- Subnets allow you to partition your network inside your VPC (Availability Zone resource)
- A public subnet is a subnet that is accessible from the internet
- A private subnet is a subnet that is not accessible from the internet
- To define access to the internet and between subnets, we use Route Tables.
Internet Gateway & NAT Gateways
- Internet Gateways help instances in our VPC connect to the internet
- Public Subnets have a route to the internet gateway.
- NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private
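The route-table behaviour described above (public subnet = route to an internet gateway, private subnet = default route to a NAT gateway or no internet route at all), as an added example that is not part of the original notes. The VPC CIDR, subnet names and the `igw-EXAMPLE` / `nat-EXAMPLE` target ids are constructed placeholders; the lookup uses longest-prefix match, which is how VPC route tables pick a route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not part of the original notes): a small model of VPC route
# tables showing how a subnet becomes "public" (route to an internet gateway)
# or "private" (default route to a NAT gateway, or no internet route at all).
# CIDRs and the igw-/nat- target ids below are constructed placeholders.

@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block, e.g. "0.0.0.0/0"
    target: str        # "local", or a placeholder like "igw-EXAMPLE" / "nat-EXAMPLE"

@dataclass
class RouteTable:
    name: str
    routes: List[Route]

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Pick the target for dst_ip by longest-prefix match, as a VPC route table does."""
        addr = ipaddress.ip_address(dst_ip)
        best: Optional[Route] = None
        best_len = -1
        for route in self.routes:
            net = ipaddress.ip_network(route.destination)
            if addr in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
        return best.target if best else None

    def is_public(self) -> bool:
        """AWS calls a subnet public when its route table has a route to an internet gateway."""
        return any(r.target.startswith("igw-") for r in self.routes)

VPC_CIDR = "10.0.0.0/16"
LOCAL = Route(VPC_CIDR, "local")   # every route table carries the VPC's own CIDR as "local"

# Constructed subnet -> route table mapping for one VPC.
SUBNET_TABLES: Dict[str, RouteTable] = {
    "web-subnet": RouteTable("public-rt", [LOCAL, Route("0.0.0.0/0", "igw-EXAMPLE")]),
    "app-subnet": RouteTable("private-rt", [LOCAL, Route("0.0.0.0/0", "nat-EXAMPLE")]),
    "db-subnet":  RouteTable("isolated-rt", [LOCAL]),
}

def classify_subnets(tables: Dict[str, RouteTable]) -> Dict[str, str]:
    """Label each subnet public or private from its route table."""
    return {name: ("public" if rt.is_public() else "private") for name, rt in tables.items()}

def next_hop(subnet: str, dst_ip: str) -> Optional[str]:
    """Where a packet leaving `subnet` for dst_ip is sent; None means there is no route."""
    return SUBNET_TABLES[subnet].lookup(dst_ip)

if __name__ == "__main__":
    print(classify_subnets(SUBNET_TABLES))
    for subnet in SUBNET_TABLES:
        print(subnet, "| 10.0.2.25 ->", next_hop(subnet, "10.0.2.25"),
              "| 198.51.100.7 ->", next_hop(subnet, "198.51.100.7"))
```

The app subnet can open outbound connections to the internet through the NAT gateway, but nothing on the internet can initiate a connection into it: the NAT gateway only forwards replies to flows that were started from inside. The db subnet has no internet route in either direction.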
VPC Security
Subnets and Network Access Control Lists (NACLs)
The VPC component that checks packet permissions for network traffic in a VPC's subnets is the network access control list (ACL). Network ACLs are virtual firewalls that control inbound and outbound traffic at the subnet level.
Network ACLs perform stateless packet filtering: they remember nothing and check every packet that crosses the subnet border in each direction (inbound and outbound). The VPC component that checks packet permissions for an Amazon EC2 instance is the security group.
- Each AWS account includes a default network ACL.
- By default, your account's default network ACL allows all inbound and outbound traffic.
- All ACLs have an explicit deny rule. This rule ensures that if a packet does not match any of the other rules in the list, the packet is denied.
Security Groups
Security groups are virtual firewalls that control inbound and outbound traffic for an Amazon EC2 instance. By default, a security group denies all inbound traffic and allows all outbound traffic. You can add custom rules to configure which traffic to allow or deny. If you have multiple Amazon EC2 instances within a subnet, you can associate the same security group with all of them or use different security groups for each instance. Security groups, as opposed to network ACLs, perform stateful packet filtering: they remember previous decisions made for incoming packets.
- A security group is a firewall that controls traffic to and from an ENI / an EC2 instance
- Can have only ALLOW rules
- Rules include IP addresses and other security groups
Network ACLs vs Security Groups
| Security Group | Network ACL |
|---|---|
| Operates at the instance level | Operates at the subnet level |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group) |
See more in the docs.
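The stateless-versus-stateful distinction from the sections and table above, as an added example (not code from the original notes) modelling how the two filters reach a verdict. Addresses, ports and rules are constructed; the model keeps only the properties the notes describe: a NACL walks rules in number order, first match wins and a trailing deny catches everything else, while a security group holds allow rules only, considers all of them, and lets the return traffic of an allowed flow through without any outbound rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Added example: simplified models of a network ACL (stateless, ordered,
# allow/deny) and a security group (stateful, allow-only). All addresses,
# ports and rules are constructed for the illustration.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "inbound" or "outbound", as seen by the subnet / instance

@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs also accept "deny"; security groups never do
    number: int = 0         # NACL rule number; ignored by security groups

def _matches(rule: Rule, pkt: Packet) -> bool:
    # The rule's CIDR is compared against the remote side of the packet; the
    # port range is compared against the destination port, as AWS does.
    remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.dst_port <= rule.port_to)

class NetworkAcl:
    """Stateless subnet filter: rules are processed in number order, first match
    wins, and the trailing '*' rule denies anything that matched nothing."""
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if _matches(rule, pkt):
                return rule.action
        return "deny"   # the explicit '*' deny at the end of every ACL

class SecurityGroup:
    """Stateful instance filter: allow rules only, every rule is considered, and
    the return traffic of an allowed flow is permitted regardless of rules."""
    def __init__(self, rules: List[Rule]):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = rules
        self._flows: Set[Tuple[str, int, str, int]] = set()   # connection tracking

    def evaluate(self, pkt: Packet) -> str:
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self._flows:
            return "allow"   # reply to a tracked flow: no rule needed
        if any(_matches(r, pkt) for r in self.rules):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"        # no matching allow rule: implicit deny

def https_session(filter_obj) -> Tuple[str, str]:
    """Push a client's HTTPS request and the server's reply through one filter
    and return both verdicts."""
    request = Packet("198.51.100.7", 50000, "10.0.1.10", 443, "inbound")
    reply = Packet("10.0.1.10", 443, "198.51.100.7", 50000, "outbound")
    return filter_obj.evaluate(request), filter_obj.evaluate(reply)

# Security group: inbound 443 allowed and no outbound rule at all.
SG = SecurityGroup([Rule("inbound", "0.0.0.0/0", 443, 443)])

# NACL with the same single inbound rule: the reply is dropped, because the
# return traffic to the client's ephemeral port has no outbound allow rule.
NACL_NO_EPHEMERAL = NetworkAcl([Rule("inbound", "0.0.0.0/0", 443, 443, number=100)])

# Corrected NACL: an outbound rule for the ephemeral port range fixes it.
NACL_FIXED = NetworkAcl([
    Rule("inbound", "0.0.0.0/0", 443, 443, number=100),
    Rule("outbound", "0.0.0.0/0", 1024, 65535, number=100),
])

# Rule order matters in a NACL: a deny numbered below a broad allow wins.
NACL_BLOCKLIST = NetworkAcl([
    Rule("inbound", "0.0.0.0/0", 443, 443, number=200),
    Rule("inbound", "203.0.113.0/24", 443, 443, action="deny", number=100),
])
BLOCKED_REQUEST = Packet("203.0.113.9", 40000, "10.0.1.10", 443, "inbound")

if __name__ == "__main__":
    print("security group:", https_session(SG))
    print("NACL, no ephemeral rule:", https_session(NACL_NO_EPHEMERAL))
    print("NACL, fixed:", https_session(NACL_FIXED))
    print("NACL blocklist:", NACL_BLOCKLIST.evaluate(BLOCKED_REQUEST))
```

The practical consequence is the one the table states: a security group only needs the inbound rule for the service, whereas a NACL in front of the same instance also needs an outbound rule covering the ephemeral port range, or the server's replies never leave the subnet.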
VPC Flow Logs
- Capture information about IP traffic going into your interfaces:
  - VPC Flow Logs
  - Subnet Flow Logs
  - Elastic Network Interface Flow Logs
- Help to monitor & troubleshoot connectivity issues, for example:
  - Subnets to internet
  - Subnets to subnets
  - Internet to subnets
- Capture network information from AWS-managed interfaces too: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc.
- VPC Flow Logs data can go to S3 / CloudWatch Logs
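To make the troubleshooting use above concrete, here is an added example (not from the original notes) that parses VPC Flow Log records in the default format and summarises accepted bytes per interface and rejected connection attempts per source. The records in `SAMPLE_LOG` are constructed for the illustration, with a placeholder account id and ENI id; the field order is that of a version-2 default-format record.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Added example (not from the original notes): parse VPC Flow Log records in the
# default format and summarise them the way you would when troubleshooting
# connectivity or reviewing rejected traffic. The sample records below are
# constructed (placeholder account id and ENI id), not captured logs.

# Field order of a version-2 default-format record.
DEFAULT_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log_status"]

@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    byte_count: int
    start: int         # capture window, Unix seconds
    end: int
    action: str        # ACCEPT or REJECT: the security group / NACL verdict

def parse_line(line: str) -> Optional[FlowRecord]:
    """Parse one record; None for NODATA / SKIPDATA records, which carry no traffic fields."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS) or parts[0] != "2":
        raise ValueError(f"not a version-2 default-format record: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      int(rec["packets"]), int(rec["bytes"]),
                      int(rec["start"]), int(rec["end"]), rec["action"])

def parse_log(lines: Iterable[str]) -> List[FlowRecord]:
    """Parse every non-empty line, dropping records that carry no traffic data."""
    parsed = (parse_line(line) for line in lines if line.strip())
    return [r for r in parsed if r is not None]

def rejected_ports_by_source(records: Iterable[FlowRecord]) -> Dict[str, Set[int]]:
    """Which destination ports each source address was refused on."""
    out: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            out[r.srcaddr].add(r.dstport)
    return dict(out)

def sources_rejected_on_many_ports(records: Iterable[FlowRecord], min_ports: int = 3) -> List[str]:
    """Sources rejected on at least min_ports distinct ports: a simple 'review this' signal."""
    by_source = rejected_ports_by_source(records)
    return sorted(src for src, ports in by_source.items() if len(ports) >= min_ports)

def accepted_bytes_per_interface(records: Iterable[FlowRecord]) -> Dict[str, int]:
    """Total bytes of accepted traffic seen on each ENI."""
    out: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT":
            out[r.interface_id] += r.byte_count
    return dict(out)

# Constructed sample: one HTTPS exchange, three refused probes from one
# address, and a NODATA record for a window with no traffic.
SAMPLE_LOG = """\
2 111122223333 eni-0123456789abcdef0 10.0.1.10 198.51.100.7 443 50000 6 12 9876 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.10 50000 443 6 10 2345 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.9 10.0.1.10 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.9 10.0.1.10 40001 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.9 10.0.1.10 40002 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG.splitlines())
    print("accepted bytes:", accepted_bytes_per_interface(records))
    print("rejected ports:", rejected_ports_by_source(records))
    print("review:", sources_rejected_on_many_ports(records))
```

Because flow logs record the verdict of the security group and NACL, a run of REJECT records from one source against several ports is exactly what a review of rejected traffic should surface, and an ACCEPT with no matching reply record is the first thing to check when troubleshooting a one-way connectivity problem.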
VPC Peering
- Connect two VPCs privately using AWS' network
- Make them behave as if they were in the same network
- Must not have overlapping CIDRs (IP address ranges)
- VPC Peering connections are not transitive (one must be established for each pair of VPCs that need to communicate with one another)
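The two peering rules above (no overlapping CIDRs, no transitive reachability), as an added example that is not part of the original notes. VPC names and address ranges are constructed placeholders. The `transitive_reach` method shows, for contrast, what a peering connection does not give you and what the Transit Gateway described later in the notes does.

```python
import ipaddress
from collections import deque
from typing import Dict, Set

# Added example (not from the original notes): a model of the two VPC peering
# rules, no overlapping CIDRs and no transitive reachability. VPC names and
# address ranges are constructed placeholders.

VPCS: Dict[str, str] = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",   # sits inside vpc-a's range: cannot be peered with it
}

def cidrs_overlap(cidr1: str, cidr2: str) -> bool:
    """True when any address belongs to both ranges."""
    return ipaddress.ip_network(cidr1).overlaps(ipaddress.ip_network(cidr2))

class PeeringMesh:
    def __init__(self, vpcs: Dict[str, str]):
        self.vpcs = vpcs
        self.peerings: Set[frozenset] = set()

    def peer(self, a: str, b: str) -> None:
        """Create a peering connection; AWS refuses one between overlapping CIDRs."""
        if cidrs_overlap(self.vpcs[a], self.vpcs[b]):
            raise ValueError(f"{a} ({self.vpcs[a]}) overlaps {b} ({self.vpcs[b]})")
        self.peerings.add(frozenset((a, b)))

    def can_reach(self, a: str, b: str) -> bool:
        """Peering is not transitive: traffic flows only across a direct peering."""
        return frozenset((a, b)) in self.peerings

    def transitive_reach(self, start: str) -> Set[str]:
        """VPCs that would be reachable if peering were transitive (what a
        hub-and-spoke Transit Gateway provides); shown only for contrast."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for pair in self.peerings:
                if cur in pair:
                    other = next(iter(pair - {cur}))
                    if other not in seen:
                        seen.add(other)
                        queue.append(other)
        return seen - {start}

def peerings_for_full_mesh(n_vpcs: int) -> int:
    """Direct peerings needed so every VPC can reach every other: n(n-1)/2."""
    return n_vpcs * (n_vpcs - 1) // 2

def build_example_mesh() -> PeeringMesh:
    """vpc-a <-> vpc-b <-> vpc-c, with no direct a-c peering."""
    mesh = PeeringMesh(VPCS)
    mesh.peer("vpc-a", "vpc-b")
    mesh.peer("vpc-b", "vpc-c")
    return mesh

def try_overlapping_peering() -> str:
    """The error produced when peering vpc-a with the overlapping vpc-d."""
    try:
        PeeringMesh(VPCS).peer("vpc-a", "vpc-d")
    except ValueError as exc:
        return str(exc)
    return "accepted"

if __name__ == "__main__":
    mesh = build_example_mesh()
    print("a->b direct:", mesh.can_reach("vpc-a", "vpc-b"))
    print("a->c direct:", mesh.can_reach("vpc-a", "vpc-c"))
    print("a->* if transitive:", sorted(mesh.transitive_reach("vpc-a")))
    print("overlap attempt:", try_overlapping_peering())
    print("peerings for 4 VPCs in full mesh:", peerings_for_full_mesh(4))
```

The full-mesh count is why the notes reach for a Transit Gateway at scale: with peering alone, every pair that must talk needs its own connection and its own route-table entries.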
VPC Endpoints
- Endpoints allow you to connect to AWS services using a private network instead of the public internet
- This gives you enhanced security and lower latency when accessing AWS services
- VPC Endpoint Gateway: S3 & DynamoDB
- VPC Endpoint Interface: the rest
Site to Site VPN & Direct Connect
- Site to Site VPN
  - Connect an on-premises VPN to AWS
  - The connection is automatically encrypted
  - Goes over the public internet
  - On-premises: must use a Customer Gateway (CGW)
  - AWS: must use a Virtual Private Gateway (VGW)
- Direct Connect (DX)
  - Establish a physical connection between on-premises and AWS
  - The connection is private, secure and fast
  - Goes over a private network
  - Takes at least a month to establish
Transit Gateway
- For having transitive peering between thousands of VPCs and on-premises networks, in a hub-and-spoke (star) topology
- One single Gateway to provide this functionality
- Works with Direct Connect Gateway, VPN connections
VPC Summary
- VPC: Virtual Private Cloud
- Subnets: Tied to an AZ, network partition of the VPC
- Internet Gateway: at the VPC level, provides Internet access
- NAT Gateway / Instances: give internet access to private subnets
- NACL: Stateless, subnet rules for inbound and outbound
- Security Groups: Stateful, operate at the EC2 instance level or ENI
- VPC Peering: Connect two VPCs with non-overlapping IP ranges, non-transitive
- VPC Endpoints: Provide private access to AWS Services within VPC
- VPC Flow Logs: network traffic logs
- Site to Site VPN: VPN over public internet between on-premises DC and AWS
- Direct Connect: direct private connection to AWS
- Transit Gateway: Connect thousands of VPC and on-premises networks together
Global Networking
Domain Name System (DNS) resolution is the process of translating a domain name to an IP address. Amazon Route 53 is a DNS web service; it connects users' requests to infrastructure running in AWS, and it can also route users to infrastructure outside of AWS. You can register new domain names directly in Route 53.