- VPC stands for Virtual Private Cloud
- The VPC is the starting point for almost all architecture in AWS: a logically isolated network that you define inside a single region
- Creating a VPC first requires determining which IP ranges the organisation already uses (on premises, in other accounts, at partners), so the new VPC does not overlap with anything it may later need to peer or connect with
- To estimate how many ranges a business will require, count the regions it will operate in (a VPC lives in one region) plus the separate accounts or environments that each need their own VPC
- The IP range is known as a CIDR block
- CIDR stands for Classless Inter-Domain Routing
- This is an advancement over the formerly used classful (class A/B/C) addressing, where the network size was fixed by the leading bits of the address
- The CIDR block is chosen based on how large the VPC needs to be
- The CIDR block looks like an IP address followed by a slash and a number, e.g. 10.0.0.0/16 (the address part must be the network address, with the host bits zero)
- The number after the slash is the prefix length: how many leading bits make up the network portion (/16 is the same as the subnet mask 255.255.0.0); the remaining bits are host addresses
- The default VPC that AWS creates in every region uses the CIDR block 172.31.0.0/16
- The default VPC should be avoided whenever possible: its subnets are public and auto-assign public IPv4 addresses, and 172.31.0.0/16 collides with every other account's default VPC as soon as you try to peer or connect them
- VPC sizing is based on several factors: number of subnets, total IPs, IPs per subnet, and the number of Availability Zones (AZs) the VPC will use; AWS accepts a VPC CIDR between /16 (65,536 addresses) and /28 (16 addresses), and reserves five addresses in every subnet (network address, VPC router, DNS, one for future use, and the broadcast address)
- Services run from subnets in the VPC, not directly from the VPC itself
- A subnet is created in, and runs from, exactly one AZ
- One AZ can contain multiple subnets
- DNS can be used inside the VPC, controlled by the enableDnsSupport and enableDnsHostnames attributes
- DNS is provided by Route 53 (the Route 53 Resolver), reachable at the VPC base address + 2 (10.0.0.2 in a 10.0.0.0/16 VPC) and at 169.254.169.253
- DHCP behaviour in a VPC is controlled by a DHCP options set
- AWS provides a default options set that is associated with each new VPC
- Custom DHCP options sets can also be created
- An options set cannot be edited once created; to change it, create a new set and associate it with the VPC (instances pick up the change when their lease renews)
- The options set controls what DHCP hands to instances: DNS servers, domain name, NTP servers, NetBIOS name servers and node type
- Auto-assignment of public IPv4 addresses is not a DHCP option; it is a per-subnet setting (MapPublicIpOnLaunch)
- Auto-assignment of IPv6 addresses is likewise a per-subnet setting, available once the VPC and the subnet have an IPv6 CIDR
- Internet Gateways enable traffic to enter from, and exit to, the AWS public zone and the public internet
- Every VPC has an implicit VPC router; you do not create or manage the router itself, you control it through route tables (the main table plus any custom tables you create)
- Every VPC has a main route table that its subnets use by default
- Custom route tables can be created; explicitly associating one with a subnet replaces that subnet's implicit association with the main route table
- A subnet can be associated with only one route table at a time
- A route table can be associated with multiple subnets
- A route table is simply a list of routes: a destination CIDR and a target (local, an Internet Gateway, a NAT Gateway, a peering connection, a Transit Gateway, and so on)
- The VPC router matches each packet's destination address against the routes and forwards it to the target of the most specific (longest-prefix) match; a packet that matches no route is dropped, and every table carries a local route for the VPC's own CIDR that cannot be deleted
- IGW stands for Internet Gateway
- The Internet Gateway maps an instance's private IP address to its public or Elastic IP address (a 1:1 static NAT) for traffic routed into and out of the VPC; the subnet's route table needs a route to the IGW and the instance needs a public address before it is reachable
- This helps preserve security inside the VPC: the public address never exists on the instance's own interface, and an instance without a public address cannot be reached from the internet even in a subnet that routes to the IGW
- Bastion hosts are another security feature used with VPCs
- A bastion host is a hardened instance in a public subnet that serves as the single controlled entry point for administrative access (SSH or RDP) to instances in private subnets; it is not a path for general application traffic entering and leaving the VPC
- The VPC router, the Internet Gateway and the bastion host work together: the route table sends the subnet's traffic to the IGW, the IGW translates the bastion's address, and the bastion's security group restricts who can reach it (ideally only known administrator addresses)
- NACL means Network Access Control List
- A NACL is a stateless firewall at the boundary of a VPC subnet
- It is associated directly with the subnet, not with any specific resource, so it applies to all traffic crossing the subnet boundary
- A NACL consists of a numbered inbound rule set and a numbered outbound rule set; rules are evaluated lowest number first, the first match wins, and the final * rule denies anything unmatched
- Because the NACL is stateless, both directions of a connection must be allowed explicitly: inbound rules regulate traffic entering the subnet and outbound rules regulate traffic leaving it, including reply traffic on ephemeral ports (1024-65535), which is the usual reason a NACL silently breaks connections
- SG stands for Security Group
- Security groups operate closer to the resource than NACLs: they attach to elastic network interfaces (instances, load balancers, RDS, Lambda in a VPC) rather than to subnets
- They integrate closely with products and services; a rule can name another security group as its source or destination instead of a CIDR
- A security group is a stateful boundary around the resource: it holds allow rules only (everything else is implicitly denied), return traffic for an allowed connection is permitted automatically, and it filters all traffic to and from the resource, not only internet traffic
- NAT stands for Network Address Translation
- In AWS terms this usually means giving resources in a private subnet outbound-only access to the internet: they can initiate connections, but nothing on the internet can initiate a connection to them
- The AWS implementation available in a VPC is the NAT Gateway, a managed service placed in a public subnet with its own Elastic IP (a self-managed NAT instance is the older alternative)
- In general, NAT is a set of processes for rewriting the source or destination IPs in packets
- Internet Gateways use static NAT: a 1:1 mapping between one private IP and one public IP, with ports left untouched
- When packets leave via the Internet Gateway, the source private address is rewritten to the instance's public address
- When packets enter via the Internet Gateway, the destination public address is rewritten to the instance's private address
- The NAT Gateway, by contrast, uses IP masquerading (port address translation): many private IPs are hidden behind its single public IP and told apart by the rewritten source port, and an inbound packet with no matching translation entry is dropped
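The CIDR, sizing and DNS notes above are easiest to check with code. The following is an added example, not from the original notes: it validates a VPC CIDR against the /16 to /28 limit and against ranges already in use, carves one subnet per tier per Availability Zone, lists the five addresses AWS reserves in each subnet, and locates the Route 53 Resolver at base + 2. The VPC CIDR, AZ names, tiers and in-use ranges are made-up inputs for illustration.

```python
"""
Added example (not the original notes' code): plan a VPC's address space.
Inputs (VPC CIDR, AZ names, tiers, in-use ranges) are made-up illustration values.
"""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # AWS limits for a VPC IPv4 CIDR
AWS_RESERVED_PER_SUBNET = 5               # .0 network, .1 router, .2 DNS, .3 future use, last = broadcast


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject CIDRs with host bits set (10.0.0.5/16) and sizes AWS will not accept."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: a VPC CIDR must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def overlapping_ranges(vpc: ipaddress.IPv4Network, in_use):
    """Ranges the new VPC would collide with (peering and VPN need non-overlapping space)."""
    return [r for r in in_use if vpc.overlaps(ipaddress.ip_network(r))]


def amazon_dns_address(vpc: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """The Route 53 Resolver listens at the VPC base address + 2."""
    return vpc.network_address + 2


def reserved_addresses(subnet: ipaddress.IPv4Network):
    """The five addresses AWS keeps out of every subnet, in address order."""
    return [subnet[0], subnet[1], subnet[2], subnet[3], subnet[-1]]


def usable_addresses(subnet: ipaddress.IPv4Network) -> int:
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc: ipaddress.IPv4Network, azs, tiers, subnet_prefix: int):
    """Allocate one subnet per (tier, AZ) pair in order from the VPC range."""
    if not vpc.prefixlen <= subnet_prefix <= VPC_MAX_PREFIX:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    pieces = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[(tier, az)] = next(pieces)
            except StopIteration:
                raise ValueError(f"{vpc} cannot hold {len(tiers) * len(azs)} /{subnet_prefix} subnets")
    return plan


if __name__ == "__main__":
    vpc = validate_vpc_cidr("10.20.0.0/16")
    print("conflicts with in-use ranges:", overlapping_ranges(vpc, ["10.0.0.0/8", "192.168.0.0/16"]))
    print("Amazon DNS:", amazon_dns_address(vpc))
    plan = plan_subnets(vpc, ["us-east-1a", "us-east-1b", "us-east-1c"], ["public", "private"], 20)
    for key, subnet in plan.items():
        print(key, subnet, "usable:", usable_addresses(subnet), "reserved:", reserved_addresses(subnet))
```

Running it against the default VPC's 172.31.0.0/16 with another default VPC in the in-use list reports the overlap immediately, which is the concrete reason behind the note about avoiding the default VPC.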
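The route table, NACL and security group notes above describe three checks a packet passes in sequence. The following is an added example, not from the original notes or from AWS: a small model of that path, with route selection by longest prefix match, a stateless NACL that evaluates numbered rules for each direction, and a stateful security group that tracks connections it allowed in. The scenario it runs shows the classic mistake the NACL note warns about: an outbound rule set that allows port 443 but not the client's ephemeral port, so the web server's replies are dropped at the subnet boundary even though the security group passes them. Route targets, rule numbers and addresses are made-up illustration values.

```python
"""
Added example (not the original notes' code): how a VPC decides the fate of a packet.
Route targets, rule numbers and addresses are made-up illustration values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def lookup_route(route_table, dst):
    """Most specific matching route wins; None means no route, so the VPC drops the packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def _rule_matches(rule, peer, port, proto):
    r_proto, cidr, (lo, hi) = rule
    return (r_proto in ("all", proto)
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
            and lo <= port <= hi)


def nacl_decision(rules, packet, direction):
    """Stateless: every packet, replies included, is checked against the numbered rules
    for its direction, lowest number first; the first match wins and '*' denies the rest."""
    peer = packet.src if direction == "inbound" else packet.dst
    for _number, action, rule in sorted(rules, key=lambda r: r[0]):
        if _rule_matches(rule, peer, packet.dport, packet.proto):
            return action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: unmatched traffic is denied, but the reply to a
    connection that an inbound rule allowed is permitted without any outbound rule."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()   # 5-tuples of connections allowed in

    def decide(self, p, direction):
        if direction == "outbound" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.tracked:
            return "allow"   # reply to a tracked connection
        rules = self.inbound if direction == "inbound" else self.outbound
        peer = p.src if direction == "inbound" else p.dst
        for rule in rules:
            if _rule_matches(rule, peer, p.dport, p.proto):
                if direction == "inbound":
                    self.tracked.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return "allow"
        return "deny"


def trace_request_and_reply(route_table, nacl_in, nacl_out, sg, request):
    """Client request into the instance (NACL, then SG), then the instance's reply back
    out (SG, then route lookup and NACL). A later layer is only consulted if the earlier one allowed."""
    v = {"request_nacl": nacl_decision(nacl_in, request, "inbound")}
    v["request_sg"] = sg.decide(request, "inbound") if v["request_nacl"] == "allow" else "not reached"
    reply = Packet(request.dst, request.dport, request.src, request.sport, request.proto)
    v["reply_sg"] = sg.decide(reply, "outbound")
    v["reply_route"] = lookup_route(route_table, reply.dst)
    v["reply_nacl"] = nacl_decision(nacl_out, reply, "outbound") if v["reply_sg"] == "allow" else "not reached"
    v["reply_delivered"] = (v["request_sg"] == "allow" and v["reply_route"] is not None
                            and v["reply_nacl"] == "allow")
    return v


# Constructed scenario: a web server in a public subnet of 10.0.0.0/16.
PUBLIC_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")]
NACL_INBOUND = [(100, "allow", ("tcp", "0.0.0.0/0", (443, 443)))]
# Common mistake: outbound allows only 443, so replies to the client's ephemeral port hit '*'.
NACL_OUTBOUND_BROKEN = [(100, "allow", ("tcp", "0.0.0.0/0", (443, 443)))]
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [(110, "allow", ("tcp", "0.0.0.0/0", (1024, 65535)))]
WEB_SG_INBOUND = [("tcp", "0.0.0.0/0", (443, 443))]
CLIENT_REQUEST = Packet("203.0.113.9", 51000, "10.0.1.10", 443)


def run_scenario(nacl_out):
    # No explicit SG outbound rules (a default SG allows all outbound); leaving them out
    # shows the reply passing the SG purely because the connection is tracked.
    return trace_request_and_reply(PUBLIC_ROUTE_TABLE, NACL_INBOUND, nacl_out,
                                   SecurityGroup(WEB_SG_INBOUND), CLIENT_REQUEST)


if __name__ == "__main__":
    for label, rules in (("broken NACL", NACL_OUTBOUND_BROKEN), ("fixed NACL", NACL_OUTBOUND_FIXED)):
        print(label, run_scenario(rules))
```

The order of checks mirrors the VPC: on the way in, the subnet's NACL is consulted before the interface's security group; on the way out, the security group is consulted first, then the route table picks the target and the NACL's outbound rules apply at the subnet boundary.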
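The NAT notes above contrast the static 1:1 translation done by an Internet Gateway with the many-to-one masquerading done by a NAT Gateway. The following is an added example, not from the original notes or from AWS, that models both side by side: the Internet Gateway rewrites only the address and forwards any packet addressed to a mapped public IP, while the NAT Gateway rewrites the source port too, keeps a translation table, and drops inbound packets that match no entry, which is what makes that access outbound-only. All addresses and ports are made-up illustration values.

```python
"""
Added example (not the original notes' code): static NAT at an IGW versus PAT at a NAT Gateway.
All addresses and ports are made-up illustration values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class InternetGateway:
    """Static NAT: a fixed private<->public mapping per instance, no port rewriting."""

    def __init__(self, private_to_public):
        self.out = dict(private_to_public)
        self.back = {pub: priv for priv, pub in private_to_public.items()}

    def egress(self, p):
        # An instance without a public or Elastic IP cannot reach the internet via the IGW.
        return replace(p, src=self.out[p.src]) if p.src in self.out else None

    def ingress(self, p):
        # Any packet for a mapped public IP is translated and delivered, solicited or not;
        # only the NACL and the security group decide whether it is then accepted.
        return replace(p, dst=self.back[p.dst]) if p.dst in self.back else None


class NatGateway:
    """Masquerading (PAT): every private source shares one Elastic IP; a translation
    table keyed by the rewritten source port maps replies back to the right host."""

    def __init__(self, elastic_ip, first_port=1024):
        self.eip = elastic_ip
        self.next_port = first_port
        self.table = {}   # translated sport -> (private src, sport, dst, dport)

    def egress(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        for tport, known in self.table.items():
            if known == flow:                        # existing connection: reuse its entry
                return replace(p, src=self.eip, sport=tport)
        tport, self.next_port = self.next_port, self.next_port + 1
        self.table[tport] = flow
        return replace(p, src=self.eip, sport=tport)

    def ingress(self, p):
        entry = self.table.get(p.dport)
        if p.dst != self.eip or entry is None or (entry[2], entry[3]) != (p.src, p.sport):
            return None                              # no matching flow: dropped
        src, sport, _, _ = entry
        return replace(p, dst=src, dport=sport)


def demo():
    """Run one flow through each gateway and return the translated packets (None = dropped)."""
    igw = InternetGateway({"10.0.1.10": "198.51.100.10"})
    nat = NatGateway("198.51.100.200")
    nat_a = nat.egress(Packet("10.0.2.11", 40000, "93.184.216.34", 443))
    nat_b = nat.egress(Packet("10.0.2.12", 40000, "93.184.216.34", 443))  # same source port, other host
    return {
        "igw_out": igw.egress(Packet("10.0.1.10", 40000, "93.184.216.34", 443)),
        "igw_reply": igw.ingress(Packet("93.184.216.34", 443, "198.51.100.10", 40000)),
        "igw_unsolicited": igw.ingress(Packet("203.0.113.9", 51000, "198.51.100.10", 22)),
        "nat_a": nat_a,
        "nat_b": nat_b,
        "nat_reply_a": nat.ingress(Packet("93.184.216.34", 443, "198.51.100.200", nat_a.sport)),
        "nat_unsolicited": nat.ingress(Packet("203.0.113.9", 51000, "198.51.100.200", 22)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16} {pkt}")
```

The two unsolicited packets make the security point: the IGW hands the SSH probe to the instance (only the NACL and security group stand in its way), whereas the NAT Gateway has no translation entry for it and drops it.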
Published by pauldparadis
Working towards cloud networking security as a profession.