AWS VPC - Cheat Sheet

Virtual Private Cloud

VPC --> A logically isolated virtual network that can be compared with having your own data center inside AWS: an isolated section where you launch resources with complete control over the virtual network environment.


Key Concepts:

  • Subnet: A range of IP addresses inside your VPC (public or private).
  • Route table: A set of rules called "routes" that define where network traffic is sent.
  • Internet Gateway: A gateway attached to your VPC that enables communication between your resources and the Internet.
  • VPC endpoint: Privately connects your VPC to other AWS services, powered by PrivateLink.
  • CIDR block: A classless notation for an IP address range (address plus prefix mask), used to define the VPC and its Subnets.
  • NAT Gateway: Gives resources in Private Subnets outbound Internet access while preventing "the Internet" from initiating connections to them.

What can we do with a VPC?

  • Launch instances in a Subnet of our choice.
  • Assign custom IP address ranges to Subnets.
  • Configure route tables.
  • Create an Internet Gateway (IGW) and attach it to your VPC.
  • Much better security control over resources.
  • Instance-level Security Groups.
  • Network access control lists.

*You can only have one IGW attached to a VPC.

Subnets:

A VPC spans all the AZs in the region where it was created; you can put one or more Subnets in each AZ. Each Subnet must reside in a single AZ.

  • Private Subnet: A Subnet with no route to an IGW. Its instances don't have public IPv4 addresses.
  • Public Subnet: A Subnet whose route table has a route to an IGW. An instance in a Public Subnet must have a public IPv4 address to connect to the Internet.
  • VPN-only Subnet: A Subnet with no route to the Internet, but with a route to a virtual private gateway for a Site-to-Site VPN connection.
  • Route tables: A set of rules called routes that define where network traffic is sent. You can specify the route table for a Subnet; if you don't, it is associated with the VPC's default (main) route table.

*AWS always reserves 5 IP addresses within each Subnet.

Connection:

Internet Gateway (IGW): Allows communication with the Internet through the AWS network edge. The IGW must be attached to the VPC, and a route to it must be defined in the route table.

Site-to-Site VPN connection: Consists of two VPN tunnels between a Virtual Private Gateway (or a Transit Gateway) and a Customer Gateway.

Transit Gateway: A virtual hub that connects your VPCs and on-premises networks. You can attach VPCs, SD-WAN network appliances, AWS Direct Connect Gateways, peering connections to another Transit Gateway, and VPN connections.
MTU: 1500 bytes for VPN connections and 8500 bytes for the other attachment types.

PrivateLink: Connects your VPC to supported AWS services, services hosted by other AWS accounts, and AWS Marketplace services, all without going through the Internet. To use PrivateLink you must create a VPC Endpoint.

VPC Endpoint: Enables your VPC to connect to other AWS services powered by PrivateLink without going through the Internet. No IGW, NAT Gateway, VPN, or Direct Connect required.
Types of endpoints:

  • Gateway Endpoint: An endpoint for S3 and DynamoDB. You attach an endpoint policy to allow access to all or some of the service's resources. The endpoint is then used as a target in the route table of the Subnet that you want to grant access to those services.
  • Interface Endpoint: An Elastic Network Interface (ENI) with a private IP address from your Subnet's range. Works as an entry point for traffic destined to a supported AWS service.
  • Gateway Load Balancer Endpoint: An ENI with a private IP address from your Subnet's range. Acts as an entry point to intercept traffic (layer 3); works in combination with an Elastic Load Balancer.

VPC Peering: Connects two VPCs so traffic can be routed between them privately. You can peer VPCs in your own account or in other accounts, and the VPCs can be in other regions (inter-region VPC peering).

  • Communication between non-overlapping CIDR blocks only.
  • No edge-to-edge (transitive) routing: through a peering you can't reach the peer's Direct Connect, Internet connections, VPC endpoints, etc.

NAT instance: An EC2 instance that works as a NAT gateway.

  • When creating a NAT instance, disable the source/destination check.
  • The NAT instance must be in a Public Subnet.
  • There must be a route in the Private Subnet's route table pointing to the NAT instance.
  • Throughput depends on the EC2 instance size used.
  • You can build high availability using Auto Scaling groups, multiple Subnets in different AZs, and a script for automatic failover of the NAT instance.
  • Must be behind a Security Group.

NAT Gateway --> A managed gateway that works for many instances.

  • Redundant inside its Availability Zone.
  • Starts at 5 Gbps and scales up to 48 Gbps.
  • No need to patch or update it.
  • IP addresses are assigned automatically.
  • Not associated with Security Groups.

Networking & Security

Security Groups: Work at the instance level and control inbound and outbound traffic. Only allow rules (no deny rules); you can filter traffic based on protocol and port number. There are inbound and outbound rules. Security Groups are stateful: responses to allowed inbound traffic are allowed to flow out regardless of outbound rules, and vice-versa.

  • Default Security Group IDs start with "sg-".
  • Security Groups can only be used in the VPC where they were created.
  • You can change the rules of the default Security Group, but you can't delete it.

Network Access Control List (NACL): Controls traffic at the Subnet level. Each Subnet must be associated with exactly one NACL, but a NACL can be associated with multiple Subnets. Rules are evaluated in order starting from the lowest rule number; the first match wins. NACLs are stateless: it is not implied that responses to allowed inbound traffic will be allowed out, and vice-versa.

NACL vs SG:

  • A newly created custom NACL denies everything; the default NACL allows everything.
  • Ephemeral ports must be opened on a NACL because return traffic for sessions with different clients uses those ports.
  • In a NACL the inbound/outbound rules are applied in numerical order of the rule number, lowest first.
  • A NACL can have multiple Subnet associations.
  • You can block IP addresses in NACLs, not in Security Groups.
  • NACLs are stateless, SGs are stateful.
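As an added example (not code from the cheat sheet), here is a small Python model of the two evaluation behaviors described above: a NACL walks rules lowest number first, stops at the first match, falls through to an implicit deny, and needs an explicit outbound ephemeral-port rule for replies, whereas a Security Group is stateful. Rule numbers, CIDRs and ports are constructed sample values.

```python
# Added example: model NACL (ordered, first-match, stateless) vs SG (stateful) evaluation.
from dataclasses import dataclass
import ipaddress

@dataclass
class NaclRule:
    number: int      # evaluated lowest number first; first match wins
    protocol: str    # "tcp", "udp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def nacl_verdict(rules, protocol, ip, port):
    """Return the action of the first matching rule, or 'deny' (the implicit '*' rule)."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"

# Constructed NACL: deny one client address, allow HTTPS from anywhere. Because a
# NACL is stateless, replies only leave if an outbound ephemeral-port rule exists.
INBOUND = [
    NaclRule(100, "tcp", "203.0.113.5/32", 443, 443, "deny"),
    NaclRule(200, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    NaclRule(200, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

def nacl_session(inbound, outbound, client_ip, client_port, server_port=443):
    """Request and reply are judged independently; both must be allowed explicitly."""
    request = nacl_verdict(inbound, "tcp", client_ip, server_port)
    reply = nacl_verdict(outbound, "tcp", client_ip, client_port)
    return request, reply

def sg_session(allowed_inbound_ports, server_port):
    """Security Group: an allowed request implies its reply is allowed (stateful)."""
    verdict = "allow" if server_port in allowed_inbound_ports else "deny"
    return verdict, verdict
```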

Flow Logs: Capture information about the IP traffic going in/out of the network interfaces in your VPC. You can create flow logs for a VPC, for Subnets, or for individual network interfaces. They help you verify that Security Group and NACL rules behave as intended. Flow logs can be published to CloudWatch Logs and S3.
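As an added example (not code from the cheat sheet), this Python snippet parses flow log records in the default version 2 format and counts REJECTed flows per source address and destination port, which is the quickest way to see where a Security Group or NACL is dropping traffic. The account ID, ENI ID and addresses in the sample records are constructed placeholders.

```python
# Added example: parse default-format (version 2) VPC Flow Log records and
# summarise rejected traffic, to check SG/NACL behaviour from the logs.
from collections import Counter

# Field order of the default flow log format, version 2.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(line):
    """Parse one record into a dict; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # such records carry '-' instead of addresses and counters
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def rejected_by_source(lines):
    """Count REJECT records per (srcaddr, dstport): each is a deny or a missing allow."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec is not None and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts

# Constructed sample records (placeholder account ID and ENI ID).
SAMPLE = """\
2 111111111111 eni-0example 198.51.100.7 10.0.1.10 50000 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 111111111111 eni-0example 203.0.113.5 10.0.1.10 49152 22 6 1 40 1418530010 1418530070 REJECT OK
2 111111111111 eni-0example 203.0.113.5 10.0.1.10 49153 22 6 1 40 1418530010 1418530070 REJECT OK
2 111111111111 eni-0example - - - - - - - 1418530010 1418530070 - NODATA
2 111111111111 eni-0example 198.51.100.7 10.0.1.10 50001 3389 6 1 40 1418530010 1418530070 REJECT OK
""".splitlines()

if __name__ == "__main__":
    for (src, port), n in rejected_by_source(SAMPLE).most_common():
        print(f"{src} -> port {port}: {n} rejected flow(s)")
```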

Traffic Mirroring: Copies traffic from an Elastic Network Interface (ENI) of an EC2 instance to a monitoring appliance.

DNS: Instances in a VPC are provided with private and public DNS hostnames for their IPv4 addresses.

Other important stuff:

Direct Connect: A service that bypasses the Internet using a dedicated connection between your on-premises network and AWS services or your VPC.

Global Accelerator: Improves application performance by creating an accelerator. An accelerator directs traffic to optimal endpoints over the AWS global network.

  • By default it provides two static IP addresses associated with your accelerator; alternatively you can bring your own.
  • Global Accelerator assigns each accelerator a default DNS name that points to the static IP addresses.
  • Network zones: the static IP addresses for an accelerator come from a unique IP subnet per network zone (similar to AZs) --> 2 IP addresses.
  • A listener processes inbound connections to the accelerator based on port and protocol (TCP and UDP).
  • Endpoint groups are associated with AWS Regions; you can adjust the % of traffic sent to each group (the traffic dial).
  • Endpoints (EC2 instances, load balancers, IP addresses) can be configured with different weights.
