This AWS VPC cheat sheet covers the following VPC topics:
- CIDR, Subnet, Bastion Host
- Internet Gateway, NAT Instance, NAT Gateway
- Network Access Control List (NACL)
- VPC Peering, VPC Endpoint
- AWS Site-to-Site VPN, AWS Direct Connect
- AWS VPN CloudHub, Transit Gateway
- VPC – Traffic Mirroring, Egress Only Internet Gateway, AWS Network Firewall
AWS VPC Cheat Sheet:
Octets: an IPv4 address is written 1st octet.2nd octet.3rd octet.4th octet, and the prefix length says how many leading bits are fixed.
/32: no octet can change (a single address)
/24: last octet can change (256 addresses)
/16: last two octets can change (65,536 addresses)
/8: last three octets can change (16,777,216 addresses)
/0: all octets can change (every address; this is what a default route matches)
AWS reserves 5 IP addresses in every subnet: the first four and the last one.
If the subnet CIDR is 10.0.0.0/24, then 10.0.0.0 = network address, 10.0.0.1 = reserved by AWS for the VPC router, 10.0.0.2 = Amazon-provided DNS (the VPC base +2), 10.0.0.3 = reserved for future use, and 10.0.0.255 = network broadcast address (AWS does not support broadcast in a VPC, but the address is still reserved).
If you need 29 IP addresses, you can't use /27: 2^5 = 32 addresses - 5 reserved = 27 usable < 29. You need /26: 2^6 = 64 addresses - 5 reserved = 59 usable >= 29. Subnet sizes must be between /28 (16 addresses, 11 usable) and /16.
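The sizing rule above as runnable code, added here as an example (not part of the original cheat sheet). It uses only the standard library `ipaddress` module; the reserved-address layout and the /16 to /28 limits are the AWS rules stated above, and the VPC CIDR and host counts in the usage are constructed inputs.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5
# AWS subnets must be between /16 (65,536 addresses) and /28 (16 addresses).
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28


def aws_reserved_addresses(cidr):
    """Return the five addresses AWS reserves in the subnet, keyed by their purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns": str(base + 2),
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr):
    """Number of addresses you can actually assign to instances in an AWS subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /{AWS_MIN_PREFIX} and /{AWS_MAX_PREFIX}")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts_needed):
    """Longest prefix (smallest subnet) that still leaves >= hosts_needed usable addresses."""
    for prefix in range(AWS_MAX_PREFIX, AWS_MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts_needed:
            return prefix
    raise ValueError(f"{hosts_needed} hosts do not fit in a single AWS subnet (max /16)")


def carve_subnets(vpc_cidr, hosts_per_subnet, count):
    """Split a VPC CIDR into `count` equal subnets, each sized for hosts_per_subnet."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    prefix = smallest_prefix_for(hosts_per_subnet)
    subnets = []
    for sub in vpc.subnets(new_prefix=prefix):
        if len(subnets) == count:
            break
        subnets.append(str(sub))
    if len(subnets) < count:
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} subnets of /{prefix}")
    return subnets


if __name__ == "__main__":
    # Constructed inputs matching the worked example in the text.
    print(aws_reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/24"))              # 251
    print(smallest_prefix_for(29))                  # 26
    print(carve_subnets("10.0.0.0/16", 29, 3))      # ['10.0.0.0/26', '10.0.0.64/26', '10.0.0.128/26']
```

`strict=True` makes `ip_network` reject a CIDR with host bits set (for example `10.0.0.5/24`), which is the same complaint the VPC console would raise; the loop in `smallest_prefix_for` walks from /28 downward so the first prefix that fits is the tightest one.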
Internet Gateway (IGW): allows EC2 instances in a VPC to connect to the internet. Scales horizontally and is highly available. A VPC can have only one IGW attached. An instance also needs a public or Elastic IP and a 0.0.0.0/0 route to the IGW in its subnet's route table; a subnet with that route is what makes it "public".
Bastion Host: used to SSH into private EC2 instances. The bastion sits in a public subnet and can reach the private subnets. Its security group must allow inbound port 22; restrict the source to your known public IP ranges rather than 0.0.0.0/0. The security group of the instances in the private subnets must allow port 22 from the bastion's security group (or the bastion's private IP).
NAT Instance (outdated): NAT = Network Address Translation. Allows EC2 instances in a private subnet to reach the internet. Must be launched in a public subnet with an Elastic IP attached. Must have the EC2 source/destination check disabled, otherwise it drops packets not addressed to itself. The private subnet's route table must send 0.0.0.0/0 to the NAT instance. You manage its security group and patching yourself.
NAT Gateway (new): AWS-managed NAT with higher bandwidth, high availability and no administration. Created in a specific AZ and uses an Elastic IP. Cannot be used by instances in the same subnet, only from other subnets. Requires an IGW (private subnet -> NAT GW -> IGW). No security groups to manage. Resilient within a single AZ only; create a NAT GW in each AZ for fault tolerance. No cross-AZ failover is needed because if an AZ goes down, so do the instances that would have used that AZ's NAT GW.
Network Access Control List (NACL): a stateless firewall that controls traffic to and from a subnet. Because it is stateless, return traffic must be allowed explicitly (typically the ephemeral port range 1024-65535). One NACL per subnet; new subnets get the default NACL. Rules are numbered 1-32766, evaluated in ascending order, first match wins, and an implicit "*" rule denies anything unmatched. A newly created custom NACL denies everything. The default NACL accepts everything inbound and outbound for the subnets it is associated with. NACLs are the right tool for blocking a specific IP address at subnet level, since security groups have no deny rules.
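An evaluator for the NACL semantics above (ordered rules, first match wins, implicit deny, stateless in both directions), added here as an example; it is not AWS code and the rule sets, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ALL_PROTOCOLS = "-1"   # AWS uses protocol -1 for "all"


@dataclass(frozen=True)
class Rule:
    number: int       # 1-32766; evaluated in ascending order, first match wins
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all
    port_from: int    # inclusive port range (only checked for tcp/udp)
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    action: str       # "allow" or "deny"

    def matches(self, proto, port, addr):
        if self.protocol != ALL_PROTOCOLS and self.protocol != proto:
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)


def evaluate(rules, proto, port, addr):
    """Evaluate one direction of a NACL the way AWS does: lowest rule number first,
    the first match decides, and the implicit '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, addr):
            return rule.action
    return "deny"


def connection_allowed(inbound, outbound, proto, client_addr, client_port, server_port):
    """A NACL is stateless: a connection initiated from outside the subnet needs the
    request to pass the inbound rules AND the reply to pass the outbound rules."""
    request = evaluate(inbound, proto, server_port, client_addr)
    reply = evaluate(outbound, proto, client_port, client_addr)
    return request == "allow" and reply == "allow"


# Default NACL that AWS associates with new subnets: allow everything both ways.
DEFAULT_NACL = [Rule(100, ALL_PROTOCOLS, 0, 65535, "0.0.0.0/0", "allow")]

# A freshly created custom NACL has no numbered rules, so only '*' (deny) applies.
NEW_CUSTOM_NACL = []

# Constructed rule set for a public web subnet: rule 10 blocks one abusive IP at the
# subnet level (something a security group cannot do), 100 admits HTTPS, and 110
# admits replies to connections the subnet's own instances initiated.
WEB_INBOUND = [
    Rule(10, ALL_PROTOCOLS, 0, 65535, "198.51.100.7/32", "deny"),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
# Outbound: replies to HTTPS clients on their ephemeral ports, plus the instances'
# own outbound HTTPS (for example to a package mirror via a NAT gateway).
WEB_OUTBOUND = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Common mistake: the same inbound rules but no ephemeral-port outbound rule.
WEB_OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print(connection_allowed(WEB_INBOUND, WEB_OUTBOUND, "tcp", "203.0.113.5", 51515, 443))  # True
    print(connection_allowed(WEB_INBOUND, WEB_OUTBOUND, "tcp", "198.51.100.7", 51515, 443))  # False, blocked IP
    print(connection_allowed(WEB_INBOUND, WEB_OUTBOUND_NO_EPHEMERAL, "tcp", "203.0.113.5", 51515, 443))  # False, reply dropped
```

Rule numbering matters: if the deny for 198.51.100.7 were numbered 200 instead of 10, the allow at 100 would match first and the block would never take effect. The third call shows the statelessness trap: the SYN is admitted but the server's reply to the client's ephemeral port is dropped on the way out, so the connection never completes.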
VPC Peering: privately connects two VPCs over the AWS network. The CIDRs must not overlap. Peering is not transitive: A-B and B-C does not give A-C. Route tables in each VPC's subnets must be updated so instances can reach each other. Peering works across accounts and across regions.
VPC Endpoints (AWS PrivateLink): let you connect to AWS services over the private AWS network, removing the need for an IGW or NAT GW to reach those services; the traffic never leaves the AWS network.
Gateway Endpoints: free; support S3 and DynamoDB only. Added as a route-table target via a prefix list.
Interface Endpoints: powered by AWS PrivateLink; an ENI with a private IP in your subnet, protected by a security group. Support most AWS services. Charged per hour plus per GB of data processed.
VPC Flow Logs: capture metadata about IP traffic going to and from network interfaces (addresses, ports, protocol, bytes, ACCEPT/REJECT), not the payload. Can be enabled at VPC, subnet or ENI level. Useful for monitoring and troubleshooting connectivity, for example finding which connections a security group or NACL rejected. Query them with Athena on S3 or with CloudWatch Logs Insights.
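A small detection pass over flow log records in the default format, added here as an example (not part of the original cheat sheet). The field order is the default version 2 record layout; the log lines are constructed for illustration and the internal CIDR 10.0.0.0/16 is an assumption about the example VPC.

```python
import ipaddress
from collections import defaultdict

# Default (version 2) flow log record layout, space-separated.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6

# Constructed sample records for one ENI in a private subnet (10.0.1.10); they are
# not real logs. 198.51.100.7 probes three ports and is rejected, 10.0.0.15 is the
# bastion in the public subnet, and 203.0.113.9 is an internet host that reached SSH directly.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 44321 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 44322 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 44323 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 50123 443 6 12 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.15 10.0.1.10 39876 22 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 60001 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text):
    """Parse default-format records into dicts; '-' fields (NODATA/SKIPDATA) become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue   # not a default-format record; skip rather than guess
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_port_scans(records, min_ports=3):
    """Sources that were REJECTed on at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["dstport"] is not None:
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def accepted_external_ssh(records, internal_cidr):
    """ACCEPTed TCP/22 flows from outside internal_cidr: SSH that bypassed the bastion."""
    internal = ipaddress.ip_network(internal_cidr)
    hits = []
    for rec in records:
        if rec["action"] != "ACCEPT" or rec["protocol"] != TCP or rec["dstport"] != 22:
            continue
        if ipaddress.ip_address(rec["srcaddr"]) not in internal:
            hits.append((rec["srcaddr"], rec["dstaddr"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    print(rejected_port_scans(recs))                    # {'198.51.100.7': [22, 3389, 8080]}
    print(accepted_external_ssh(recs, "10.0.0.0/16"))   # [('203.0.113.9', '10.0.1.10')]
```

The REJECT records are the ones a NACL or security group dropped, so a single source hitting many distinct ports in one capture window is the cheapest scan signal available without packet capture; the ACCEPTed SSH from a non-internal address is the finding that matters for the bastion pattern above, since it means a private instance is reachable on port 22 from the internet. Records with `log_status` of NODATA carry no addresses and are kept but ignored by both checks.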
AWS Site-to-Site VPN: set up a Customer Gateway on the data center side and a Virtual Private Gateway on the VPC side. The VPN runs over the public internet, encrypted with IPsec; each connection has two tunnels for redundancy.
Customer Gateway (CGW): the software application or physical device on the customer side of the VPN connection.
Virtual Private Gateway (VGW): the VPN concentrator on the AWS side. The VGW is created and attached to the VPC from which you want the site-to-site connection.
AWS VPN CloudHub: provides secure communication between multiple sites when you have multiple VPN connections. A low-cost hub-and-spoke model for primary or secondary network connectivity. To set it up, terminate the multiple VPN connections on the same VGW with dynamic (BGP) routing.
Direct Connect (DX): provides a dedicated private connection from a remote network to your VPC. A dedicated link is set up between your data center and an AWS Direct Connect location. Supports both IPv4 and IPv6. Lead time is typically around a month. Traffic is not encrypted by default; run a site-to-site VPN over DX if you need encryption in transit.
Direct Connect Gateway: required to reach one or more VPCs in different regions over a single DX connection.
Direct Connect connection types:
Dedicated Connections: 1 Gbps, 10 Gbps and 100 Gbps.
A physical Ethernet port dedicated to a customer. The request is made to AWS and then completed by AWS Direct Connect Partners.
Hosted Connections: 50 Mbps, 500 Mbps and up to 10 Gbps. Connection requests are made via AWS Direct Connect Partners. Capacity can be added or removed on demand.
Transit Gateway: transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke topology. Supports IP multicast. Works with Direct Connect Gateway and VPN connections. Transit Gateway route tables limit which VPCs can talk to which. Can be shared across accounts using RAM (Resource Access Manager).
Site-to-Site VPN ECMP: ECMP = Equal Cost Multi-Path routing, a routing strategy that forwards packets over multiple best paths. With Transit Gateway, ECMP spreads traffic across several VPN tunnels to increase throughput.
VPC Traffic Mirroring: lets you capture and inspect network traffic in your VPC. Traffic is captured from a source ENI and sent to a target ENI or NLB (for example a fleet of security appliances). Source and target can be in the same VPC or in different VPCs connected by peering.
Egress-Only Internet Gateway: IPv6 only. Similar to a NAT GW but for IPv6: allows instances in your VPC to make outbound IPv6 connections while preventing the internet from initiating inbound IPv6 connections to them. Must update the route table (::/0 -> egress-only IGW).
AWS Network Firewall: protects your entire Amazon VPC, from layer 3 to layer 7. Internally, AWS Network Firewall uses Gateway Load Balancer. Rules can be centrally managed across accounts by AWS Firewall Manager and applied to many VPCs. Fine-grained controls; supports thousands of rules.
Traffic filtering: pass, drop or alert on traffic that matches rules.
Active flow inspection: protects against network threats with intrusion-prevention capabilities.
Network protection on AWS:
- VPC Security Groups
- AWS WAF
- AWS Shield Standard and Advanced
- AWS Firewall Manager
- AWS Network Firewall