Amazon VPC

Amazon VPC

• Virtual Private Cloud
• 논리적으로 격리된 가상 네트워크에서 AWS 리소스를 시작할 수 있음
  • 리소스 배치, 연결 및 보안을 포함하여 가상 네트워킹 환경을 완전히 제어할 수 있음
• 자체 데이터 센터에서 운영하는 기존 네트워크와 아주 유사한 가상 네트워크
• All new AWS accounts have a default VPC
• New EC2 instances are launched into the default VPC if no subnet is specified
• Default VPC has Internet connectivity and all EC2 instances inside it have public IPv4 addresses
• We also get a public and private IPv4 DNS names

---

Understanding CIDR - IPv4

• Classless Inter-Domain Routing - a method for allocating IP addresses
• Used in Security Groups rules and AWS networking in general
• Consists of two components
  • Base IP : represents an IP contained in the range
  • Subnet Mask : defines how many bits can change in the IP
    • allows part of the underlying IP to get additional next values from the base IP

---

Public vs Private IP (IPv4)

• The Internet Assigned Numbers Authority established certain blocks of IPv4 addresses for the use of private and public addresses
• Private IP can only allow certain values :
  • 10.0.0.0 - 10.255.255.255 (1.0.0.0.0/8) in big networks
  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) <- aws default vpc in that range
  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16) <- home networks
• All the rest of the IP addresses on the Internet are Public

---

VPC in AWS - IPv4

• You can have multiple VPCs in an AWS region (max.5 per region - soft limit)
• Max. CIDR per VPC is 5, for each CIDR:
  • Min size is /28
  • Max size is /16
• Because VPC is private, only the Private Ipv4 ranges are allowed
• Your VPC CIDR should not overlap with your other networks

---

VPC - Subnet (IPv4)

• AWS reserves 5 IP addresses in each subnet
• These 5 IP addresses are not available for use and can't be assigned to an EC2 instance

---

Internet Gateway

• Allow resources in a VPC connect to the Internet
• It scales horizontally and is highly available and redundant
• Must be created seprately from a VPC
• One VPC can only be attached to one IGW and vice versa
• Internet Gateways on their own do not allow Internet access
• Route tables must also be edited

---

Bastion Hosts

• We can use a Bastion Host to SSH into our private EC2 instances
• The bastion is in the public subnet which is then connected to all other private subnets
• Bastion Host security group must allow inbound from the Internet on port 22 from restricted CIDR, for example the public CIDR of your corporation
• Security Group of the EC2 Instances must allow the Security Group of the Bastion Host, or the private IP of the Bastion host

---

NAT Instance (outdated, but still at the exam)

• NAT = Network Address Translation
• Allows EC2 instances in private subnets to connect to the Internet
• Must be launched in a public subnet
• Must disable EC2 setting : Source / destination Check
• Must have Elastic IP attached to it
• Route Tables must be configured to route traffic from private subnets to the NAT Instance

---

NAT Gateway

• AWS-managed NAT, higher bandwidth, high availability, no administration
  • High Availability
    • NAT Gateway is resilient within a single Availability Zone
    • Must create multiple NAT Gateways in multiple AZs for fault-tolerance
    • There is no cross-AZ failover needed because if an AZ goes down it doesn't need NAT
• Pay per hour for usage and bandwidth
• NATGW is created in a specific Availability Zone, uses an Elastic IP
• Can't be used by EC2 instance in the subnet
• Requires an IGW
• 5 Gbps of bandwidth with automatic scaling up to 100Gbps
• No Security Groups to manage / required

---

Network Access Control List

• NACL are like a firewall which control traffic from and to subents
• One NACL per subnet, new subnets are assigned the Default NACL
  • Default NACL
    • Accepts everything inbound/outbound with the subnets it's associated with
    • Do NOT modify the Default NACL, instead create custom NACLs
• Newly created NACLs will deny everything
• NACL are a great way of blocking a specific IP address at the subnet level
• Ephemeral Ports
  • For any two endpoints to establish a connection, they must use ports
  • Clients connect to a defined port, and expect a response on an ephemeral port
  • Different Operating Systems use different port ranges

---

VPC Peering

• Privately connect two VPCs using AWS' network
• Make them behave as if they were in the same network
• Must not have overlapping CIDRs
• VPC Peering connection is NOT transitive 
• You must update route tables in each VPC's subnets to ensure EC2 instances can communicate with each other
• You can create VPC Peering connection between VPCs in different AWS accounts/regions
• You can reference a security group in a peered VPC

---

VPC Endpoints (AWS PrivateLink)

• Every AWS service is publicly exposed
• VPC Endpoints allows you to connect to AWS services using a private network instead of using the public Internet
• They're redundant and scale horizontally
• They remove the need of IGW, NATAGW to access AWS Services
• Interface Endpoints
  • Provisions an ENI as an entry point
  • Supports most AWS services
  • $ per hour + $ per GB of data processed
• Gateway Endpoints
  • Provisions a gateway and must be used as a target in a route table
  • Supports both S3 and DyanmoDB
  • Free
• Gateway or Interface Enpoint for S3?
  • Gateway is most likely going to be perferred all the time at the exam
  • Interface is preferred when required from on-premises, a differentVPC of a different region

---

VPC Flow Logs

• Caputre information about IP traffic going into your interface :
  • VPC Flow Logs
  • Subnet Flow Logs
  • Elastic Network Interface Flow Logs
• Helps to monitor & troubleshoot connectivity issues
• Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
• Capture network information from AWS manged interfaces too

---

AWS Site-to-Site VPN

• Virtual Private Gateway
  • VPN concentrator on the AWS side of the VPN connection
  • VGW is created and attached to the VPC from which you want to create the site-to-site VPN connection
• Customer Gateway
  • Software application or physical device on customer side of the VPN connection

---

AWS VPN CloudHub

• Provide secure communication between multiple sites, if you have multiple VPN connections
• Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only)
• It's a VPN connection so it goes over the public Internet
• To set it up, connect multiple VPN connections on the same VGW, setup dynamic routing and configure route tables

---

Direct Connect

• Provides a dedicated private connection from a remote network to your VPC
• Dedicated connection must be setup between your DC and AWS Direct Connect locations
• You need to setup a Virtual Private Gateway on your VPC
  • If you want to setup a Direct Connect to one or more VPC in many different regions, you must use a Direct Connect Gateway
• Access public resources(S3) and private(EC2) on same connection
• Supports both IPv4 and IPv6
• Connection Types
  • Dedicated Connections : 1 Gbps, 10 Gbps and 100 Gbps capacity
    • Physical ethernet port dedicated to a customer
    • Request made to AWS first, then completed by AWS Direct Connect Partners
  • Hosted Connections: 50 Mbps, 500 Mbps, to 10 Gbps
    • Connection requests are made via AWS Direct Connect Partners
    • Capacity can be added or removed on demand
    • 1,2,5,10 Gbps available at select AWS Direct Connect Partners
  • Lead times are often longer than 1 month to establish a new connection
• Encryption
  • Data in transit is not encrypted but is private
  • AWS Direct Connect + VPN provides an IPsec-encrypted private connection
  • Good for an extra level of security, but slightly more complex to put in place
• Site-to-Site VPN connection as a backup
  • In case Direct Connect fails, you can set up a backup Direct Connect connection, or a Site-to-site VPN connection

---

Transit Gateway

• For having transitive peering between thousands of VPC and on-premises, hub-and-spoke connection
• Regional resource, can work cross-region
• Share cross-account using Resource Access Manager
• You can peer Transit Gateways across regions
• Route Tables : limit which VPC can talk with otherVPC
• Works with Direct Connect Gateway, VPN connections
• Supports IP Multicast
• Site-to-Site VPN ECMP
  • ECMP  = Equal-cost multi-path routing
  • Routing strategy to allow to forward a packet over multiple best path
  • Use case :
    • create multiple Site-to-Site VPN connections to increase the bandwidth of your connection to AWS

---

VPC - Traffic Mirroring

• Allows you to capture and inspect network traffic in your VPC
• Route the traffic to security appliances that you manage
• Capture the traffic
  • From - ENIS
  • To - an ENI or a Network Load Balancer
• Capture all packets or capture the packets of your interest
• Source and Target can be in the same VPC or different VPCs (VPC Peering)
• Use cases :
  • content inspection
  • threat monitoring
  • troubleshooting

---

What is IPv6?

• IPv4 designed to provide 4.3 Billion addresses
• IPv6 is the successor of IPv4
• Every IPv6 address in AWS in public and Internet-routable
• IPv6 in VPC
  • IPv4 cannot be disabled for your VPC and subnets
  • You can enable IPv6 to operate in dual-stack mode
  • Your EC2 instances will get at least a private internal IPv4 and a public IPv6
  • They can communicate using either IPv4 or IPv6 to the internet through an Internet Gateway
• IPv6 Troubleshooting
  • IPv4 cannot be disabled for your VPC and subnets
  • So, if you cannot launch an EC2 instance in your subnet
    • Its' not because it cannot accquire an IPv6
    • It's because there are no available IPv4 in your subnet
• Egress-only Internet Gateway
  • Used for IPv6 only
  • Allows instances in yourVPC outbound connections over IPv6 while preventing the internet to initiate an IPv6 connection to your instances
  • You must update the Route Tables

---

Network Protection on AWS

• To protect newtork on AWS
  • Network Access Control Lists
  • Amazon VPC security groups
  • AWS WAF
  • AWS Shield & AWS Shield Advanced
  • AWS Firewall Manager

---

AWS Network Firewall

• Protect your entrire Amazon VPC
• From Layer 3 to Layer 7 protection
• Any direction, you can inspect
  • VPC to VPC traffic
  • Outbound to internet
  • Inbound to internet
  • To/from Direct Connect & Site-to-Site VPN
• Internally, the AWS Network Firewall uses the AWS Gateway Load Balancer
• Rules can be centrally managed cross-account by AWS Firewall Manager to apply to many VPCs
• Traffic filtering : Allow, drop or alert for the traffic that matches the rules
• Active flow inspection to protect against network threats with instrusion-prevention capabilites
• Send logs of rule matches to Amazon S3, CloudWatch Logs, Kinesis Data Firehose