forked from jtviolet/aws-solutions-architect-associate-notes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
vpc.txt
64 lines (56 loc) · 2.92 KB
/
vpc.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
VPC
- Logically isloated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
- Virtual Data Center in the cloud
- Amazon provides you a default VPC in every region when you create your account
- Can create hardware VPN between corporate datacenter and your VPC, make AWS your extension
What can be done:
- Launch instances into sugnet of choice
- Assign custom IP address range to each subnet
- Configure route tables between subnets
- Create internet gateway and attach it to our VPC, one per VPC
- Better security control over AWS resources
- Instance security groups
- Subnet Access Control Lists (ACLs)
Default VPC Vs. Custom VPC
- Default VPC is user friendly, allows you to immediately deply
- All subnets in default VPC have a route out to the internet
- Each EC2 instance has public and private IP address
VPC Peering
- Allows you to connect one VPC with another via a direct network route using private IP Addresses
- Instances behave as if they were on the same private network
- You can peer VPC's with other AWS accounts as well as with other VPC's in same account
- Peering is in star configuration: 1 central VPC peer with 4 others---no transitive peering
Exam Tips
- Think of VPC as logical datacenter in AWS
- Consists of IGW's (or virtual private gateways), route tables, NACL's, Subnets, Security Groups
- 1 subnet = 1 AZ
- Security Groups are stateful; NACL's are Stateless
- NO TRANSITIVE PEERING
- NAT Instances
- When creating a NAT instance, disable source/destination check on the instance
- NAT instances must be in a public subnet
- There must be a route out of the private subnet to the NAT instance for this to work
- The amount of traffic that NAT instances can support depends on the instance size
- You can create HA using:
- Autoscaling Groups
- Multiple subnets in different AZs
- Script to automate failover
- Behind Security groups
- NAT gateways
- Preferred by the enterprise
- Scale automatically up to 10Gbps
- No need to patch
- Not associated with security groups
- Automatically assigned a public ip address
- Remember to update route tables and point to NAT Gateways
- No need to disable source/destination checks
- More secure than a NAT instance
- Network ACL's
- VPC automatically comes with default network ACL and by default allows all in/outbound traffic
- You can create custom network ACL's. By default each network ACL denies all in/outbound traffic
- each subnet in VPC must be associated with a network ACL, uses default ACL by default
- You can associate network ACL with multiple subnets, however subnet can only associate with one ACL at a time
- Adding subnet to a second ACL will automatically remove it from the previous ACL
- network ACL contains numbered list of rules that is evaluated in order, starting with lowest number
- network ACL always have separate inbound and outbound rules
- network ACL's are stateless