Virtual Private Cloud (VPC) Flashcards

1
Q

What is an AWS VPC?

A

- A private network within AWS, which can be configured to be private, public or a mix of the two
- Regional (can’t span Regions or AZs), highly available, isolated from other VPCs by default
- Subnets: maximum /16 (65,536 IPs); minimum /28 (16 IPs)

2
Q

How does the Default VPC work?

A

- Required for some services and used as the default for most: best practice is not to use it for Production
- Pre-configured with all required networking/security
- Configured using a /16 CIDR block (172.31.0.0/16)
- It also contains a /20 public subnet in each AZ (4091 IPs per AZ), allocating a public IP by default
- Attached internet gateway with a ‘main’ route table, sending all IPv4 traffic to the IG using a 0.0.0.0/0 route
- Default DHCP option set attached (DHCP is the protocol that allows resources within a network to auto-configure themselves)
- Security Group: Default – allow all from itself, allow all outbound
- NACL: Default – allow all inbound and outbound

3
Q

How does the Custom VPC work?

A

- Can be designed and configured in any valid way
- You need to allocate IP ranges, create subnets, provision gateways and networking, and design and implement security
- Remember that when subnetting, you can only split a network into a power-of-two number of subnets (2 / 4 / 8 / 16 / 32 / …). So if you need 6 subnets, you will need to create 8

4
Q

How does VPC Routing work?

A

- Every VPC has a virtual routing device called the VPC Router
- It has an interface in every VPC subnet, known as ‘subnet+1’ (e.g. for 10.0.1.0/24, this would be 10.0.1.1/32)
- The router is highly available and scalable, and it controls data entering and leaving the VPC and its subnets
- Each VPC has a main route table, which is allocated to all subnets in the VPC by default. A subnet must have exactly one route table
- Additional custom route tables can be created and associated with subnets, but only one route table (RT) per subnet
- A RT controls what the VPC router does with traffic leaving a subnet
- An Internet Gateway (IG) is created and attached to a VPC (1:1). It can route traffic for public IPs to and from the internet. The IG performs static NAT (Network Address Translation): it translates the private IP address to a public IP address
- Important: in AWS, no internal product has a public IP address – it is the IG that does the translation

5
Q

What are Routes and Route Tables?

A

- A RT is a collection of routes that are used when traffic from a subnet arrives at the VPC router
- Every RT has a local route, which matches the CIDR of the VPC and lets traffic be routed between subnets (can’t be changed / deleted)
- A route contains a destination and a target. Traffic is forwarded to the target if its destination matches the route destination
- If multiple routes apply, the most specific is chosen: a /32 is chosen before a /24, which is chosen before a /16
- Default routes (0.0.0.0/0 for IPv4 and ::/0 for IPv6) can be added that match any traffic not already matched
- Targets can be IPs or AWS networking gateways / objects

6
Q

What are the 3 actions necessary to make a subnet public?

A

- A subnet is a public subnet if (1) it is configured to allocate public IPs, (2) the VPC has an associated IG and (3) that subnet has a default route to that IG

7
Q

What is a Bastion Host?

A

- A Bastion Host (also called a JumpBox) is a host that sits on the perimeter of a VPC
- It functions as an entry point to the VPC for trusted admins; it is used to provide access to private resources (without providing direct public access to the resources themselves)
- Allows for updates or configuration tweaks to be made remotely, while allowing the VPC to stay private and protected
- Generally connected to via SSH (Linux) or RDP (Windows)
- Bastion Hosts must be kept updated, security hardened and audited regularly
- Access should be restricted using multi-factor authentication, ID federation and/or IP blocks

8
Q

What are NAT, NAT Instances and NAT Gateways?

A

- There are cases where all resources inside a VPC will require internet access (for example, to run software updates)
- Network Address Translation (NAT) is a method of remapping the source IPs or destination IPs of packets. It can be used as:
  - Static NAT: a private IP is mapped to a public IP (this is what IGWs do)
  - Dynamic NAT: a range of private addresses is mapped onto one or more public addresses (used by your home router and by NAT gateways). It enables multiple private instances to access the internet using the public address(es) of the NAT Gateway (Private instance -> NAT GW -> IGW -> Internet)
- NAT Gateways need to be provisioned inside a public subnet, and they need to be given a static Elastic IP address
- NAT GWs are not highly available by design, as they need to be placed inside a single subnet inside a single AZ – if high availability is required, a NAT GW needs to be created in each AZ
- NAT GWs scale well with load

9
Q

What are NACLs?

A

- Operate at Layer 4 of the OSI model (TCP/UDP and below)
- A subnet has to be associated with a NACL – either the VPC default or a custom NACL
- NACLs only impact traffic crossing the boundary of a subnet
- NACLs are collections of rules that explicitly allow or deny traffic based on its protocol, port range and source/destination
- Rules are processed in number order, lowest first. When a match is found, the action is taken and processing stops
- The * rule is processed last, and is an implicit deny
- NACLs have 2 sets of rules: inbound / outbound

10
Q

What are Ephemeral Ports?

A

- When a client initiates communication with a server, it is to a well-known port on that server (e.g. tcp/443)
- The response is from that well-known port to an ephemeral port on the client – the client decides the port
- NACLs are stateless, so they have to consider both the initiating and the response traffic – state is a session-layer concept
