VPC Basics Flashcards

1
Q

How many classes of addresses are in the IPv4 format?

What are the ranges?

A

There are 3 classes of unicast addresses in the old classful scheme (a fourth, Class D 224.0.0.0 to 239.255.255.255, is multicast, and Class E 240.0.0.0 to 255.255.255.255 is reserved):

○ Class A - 0.0.0.0 to 127.255.255.255

○ Class B - 128.0.0.0 to 191.255.255.255

○ Class C - 192.0.0.0 to 223.255.255.255

2
Q

Can multiple entities use the same private IP address space?

A

Yes - so long as the overlapping IPs stay inside their own internal networks and are never advertised to, or used to communicate over, the internet. This is exactly what the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are for.

3
Q

What address class is the default VPC in AWS configured with?

A

Class B - the default VPC uses 172.31.0.0/16, which sits inside the 172.16.0.0/12 private (RFC 1918) range.

4
Q

What is CIDR?

A

Classless Inter-Domain Routing. Instead of the fixed class boundaries, CIDR lets you create networks of any size within a range; the notation is the IP address followed by a slash and the prefix length, e.g. 10.10.0.0/16.

5
Q

REVIEW: CIDR Notation

  • notation is the IP address followed by /xx; the number after the slash is the PREFIX LENGTH, i.e. how many leading bits are fixed, which tells you the size of the network
  • the BIGGER the prefix, the smaller the network; the SMALLER the prefix, the larger the network
  • a /16 network is twice the size of a /17, four times the size of a /18, and so on
  • prefix /0 means “all IP addresses” and prefix /32 means one single IP address
  • the prefixes you see most often are /8, /16, /24 and /32, because they line up with octet boundaries
A
  • Each time you increase the prefix length by one, you split the block into MORE networks that are each SMALLER
  • Each extra bit is a multiple of TWO: a /16 split into /17s gives 2 networks, into /18s gives 4, into /19s gives 8, and so on….

→ If you’re given a 10.0.0.0/16 network, the “16” means that the first 2 octets are fixed (network address) and the last 2 octets are yours to play around with for hosts - each octet has EIGHT bits, so 16 bits = 2 octets

○ If you wanted to cut the /16 in half, you could create 2 x /17 networks which would be:

		1. 10.0.0.0 to 10.0.127.255
		2. 10.0.128.0 - 10.0.255.255

*** All we’ve done is take the host portion (the last 2 octets, which are ours to play around with) and cut it in half using the first host bit, i.e. the top bit of the third octet: third octet 0-127 lands in the first network, 128-255 in the second… the “10.0.x.x” portion stays fixed.
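Added example (not from the flashcards or the course): the /16 → /17 → /18 → /19 split from the review above, computed with Python's standard-library ipaddress module. It shows the doubling rule, the first/last address of each piece, and the fixed-vs-host bit split; the 10.0.0.0/16 block is the one from the card.

```python
import ipaddress

def split_cidr(cidr: str, new_prefix: int) -> list[str]:
    """Carve one block into equal subnets with a longer prefix.

    Each extra prefix bit doubles the number of subnets and halves their size:
    /16 -> /17 gives 2, /16 -> /18 gives 4, /16 -> /19 gives 8.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} is bigger than the /{net.prefixlen} you are splitting")
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]

def subnet_count(old_prefix: int, new_prefix: int) -> int:
    """How many /new_prefix blocks fit in one /old_prefix block: 2 ** (extra bits)."""
    return 2 ** (new_prefix - old_prefix)

def address_range(cidr: str) -> tuple[str, str]:
    """First and last address of a block, e.g. ('10.0.0.0', '10.0.127.255') for 10.0.0.0/17."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)

def fixed_and_host_bits(cidr: str) -> tuple[int, int]:
    """Bits fixed by the prefix vs. bits left for hosts: (16, 16) for an IPv4 /16."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.prefixlen, net.max_prefixlen - net.prefixlen

if __name__ == "__main__":
    # Walk the example from the card: 10.0.0.0/16 cut into /17, /18 and /19 pieces.
    for prefix in (17, 18, 19):
        subs = split_cidr("10.0.0.0/16", prefix)
        print(f"/16 -> /{prefix}: {len(subs)} subnets, first one {subs[0]} = {address_range(subs[0])}")
```

strict=True makes ip_network reject a block whose host bits are not all zero (e.g. 10.0.1.0/16), which catches the most common hand-written CIDR mistake before it ends up in a VPC or route table.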

6
Q

What is the difference in notation between IPv4 and IPv6?

A

v4 is written in decimal Octets separated by dots; v6 in hexadecimal Hextets separated by colons.

An octet is 8 bits whereas a hextet is 16 bits.

There are FOUR octets in IPv4 (32 bits) and EIGHT hextets in IPv6 (128 bits).

7
Q

REVIEW: IPv6

→ Within a HEXTET you can drop the leading 0’s (0db8 becomes db8, 0000 becomes 0), and one run of consecutive all-zero hextets can be replaced with a double colon “ :: “ (only once per address, otherwise the position would be ambiguous).

→ A hextet is 16 bits instead of 8 (like in IPv4) + IPv6 addresses are much longer i.e 8 Hextets x 16 bits = 128 bits, versus 4 octets x 8 bits = 32 bits for IPv4

A

Example:

→ 2001:db8:1234::/48 is the address
○ The network part is everything in front of the “ :: “ because /48 means 3 x Hextets are fixed, which we see in the address (48 bits where each Hextet is 16 bits)

○ The rest of the address (after the “1234”) is the HOST part of the network: 5 Hextets, or 80 bits. Written out in full, the first and last addresses in the block look like:

** 2001:0db8:1234:0000:0000:0000:0000:0000 and 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff

** There are a total of EIGHT hextets in an IPv6 address
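Added example (not from the flashcards or the course): the 2001:db8:1234::/48 address from the review run through Python's ipaddress module, showing the 3-hextet network part, the 80-bit host part, the exploded (no “::”) and compressed forms of the first and last address, and how many /64 subnets fit in the /56 a VPC is allocated.

```python
import ipaddress

def ipv6_network_and_host(cidr: str) -> dict:
    """Where the network/host boundary falls for an IPv6 prefix.

    Each hextet is 16 bits, so a /48 fixes 3 hextets and leaves 5 hextets (80 bits)
    for hosts. Returns exploded (every hextet written out) and compressed ("::") forms
    of the first and last address in the block.
    """
    net = ipaddress.IPv6Network(cidr, strict=True)
    first = net.network_address
    last = net.broadcast_address  # IPv6 has no broadcast; ipaddress just means "last address"
    return {
        "fixed_hextets": net.prefixlen // 16,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "first_exploded": first.exploded,
        "first_compressed": first.compressed,
        "last_exploded": last.exploded,
        "last_compressed": last.compressed,
    }

def compress(addr: str) -> str:
    """Drop leading zeros per hextet and collapse the longest all-zero run into '::'."""
    return ipaddress.IPv6Address(addr).compressed

def expand(addr: str) -> str:
    """The reverse: every one of the 8 hextets written as 4 hex digits."""
    return ipaddress.IPv6Address(addr).exploded

def ipv6_subnet_count(vpc_cidr: str, subnet_prefix: int = 64) -> int:
    """Number of /64 subnets inside an IPv6 VPC allocation: a /56 holds 2**8 = 256."""
    net = ipaddress.IPv6Network(vpc_cidr, strict=True)
    return 2 ** (subnet_prefix - net.prefixlen)

if __name__ == "__main__":
    for key, value in ipv6_network_and_host("2001:db8:1234::/48").items():
        print(f"{key:>16}: {value}")
    print("/64 subnets in a /56:", ipv6_subnet_count("2001:db8:1234:ab00::/56"))
```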

8
Q

What are big things to consider when designing a VPC?

A
  • what size should the VPC be?
  • are there any networks that CAN’T be used (ranges already in use on-prem, in other VPCs, or by partners you will need to peer or VPN with)?
  • what is future growth like?
  • what kind of structure do we need? Tiers/Resiliency/AZs/etc.
9
Q

What are the minimum and maximum VPC network sizes?

Review - when you create a VPC in AWS, you always allocate 1 x Primary Private IPv4 CIDR block. The smallest and largest it can be are the answer to the above question.

A
Min = /28 (16 IP addresses; 11 usable once the 5 addresses AWS reserves in every subnet are taken out)
Max = /16 (65,536 IP addresses)
10
Q

REVIEW: Adrian Advice When Creating VPCs

A

– Personal preference is to use the 10.x.y.z range

– Avoid common ranges such as 10.0.x.x … it’s better to avoid 10.0.x.x through 10.10.x.x just to play it safe since everyone uses those. Basically, just start at 10.16.0.0.

– The private block of IPs (10.x.x.x) is the primary method of IP comms for VPCs by default. Public IPs are used when you need to make resources public, communicate with the internet / AWS public zone, or allow communication into the VPC from the outside

– When designing, you want to reserve 2+ network ranges which can be used in EACH region in EACH AWS account that your business uses.

§ Example: Your business has 3 x regions in the US, a region in Europe, and a region in Australia with a total of 4 x AWS accounts –> you want 2 x ranges per region for each of the 4 accounts, so that would be –> 2 x 5 (regions) = 10 … 10 x 4 (accounts) = a total of 40 IP ranges that the business should plan for

** this is IDEAL but not mandatory.

– Each subnet is contained in exactly ONE Availability Zone. When creating VPCs you also have to figure out how many AZs your VPC will need/use. Best practice is to accommodate 3 x AZs and then have an extra 4th AZ as a spare (just for potential growth of that VPC).

11
Q

How big is a “Micro Size” VPC?

A

This is a /24.

A /24 split into 8 x /27 subnets gives 32 addresses per subnet, minus the 5 AWS reserves = 27 usable hosts in each, for a total of 216 usable hosts.

12
Q

How big is an “Extra Large” VPC?

A

This is a /16.

A /16 split into 16 x /20 subnets gives 4,096 addresses per subnet, minus the 5 AWS reserves = 4,091 usable hosts in each, for a total of 65,456 usable hosts.

13
Q

Are VPC’s a global service?

A

No - they are regionally isolated and regionally resilient; a VPC only operates out of the AZs of the region it was created in.

Unless there is explicit configuration allowing traffic in or out, nothing can get into or out of the VPC.

14
Q

What is a benefit of VPC’s being regionalized?

A

This effectively limits the blast radius. If a resource inside a VPC is compromised, only that VPC and anything explicitly connected to it (peering, VPN, transit gateway, etc.) is reachable; the attacker cannot move laterally to other VPCs or regions in your AWS environment without such a connection.

15
Q

Are VPC’s single or multi-tenant?

A

They can be either: on shared HW (default tenancy) or on dedicated HW (dedicated tenancy), with dedicated obviously being much more expensive.

If you don’t make the designation, the VPC will default to shared HW.

16
Q

Quick Summary:

Upon creation, a VPC has a pool of private IPv4 addresses and can also use (optionally) public IP addresses to use/allocate to the hosts/services/apps/whatever that’s running within the VPC.

You don’t just “launch AWS services” into a VPC. Services are launched into subnets, which are the units that have IP addresses allocated to them, i.e VPC services run from a subnet, not directly from the VPC.

A

You can also assign IPv6 addresses by associating a /56 IPv6 CIDR range with the VPC; each subnet then takes a /64 out of it. This can be a good practice to start using as more of the world converts to IPv6.

For IPv6, the range is either allocated by AWS (most circumstances) or you can bring your own if you own it.

IPv6 addresses allocated by AWS are all publicly routable by default - there is no public/private distinction to worry about. Connectivity from the outside still has to be explicitly allowed (routing, NACLs, security groups), so they are not exposed just by existing.

17
Q

Do subnets start off as Public or Private when they are first created?

A

They start off as private. You must add configuration (a route to an internet gateway and public IP assignment) in order to make them public.

18
Q

Are VPC Subnets Region or AZ resilient?

A

AZ Resilient.

If the AZ fails, the subnet fails, and therefore any of the services that are only running in that one subnet also fail.

To achieve HA, we place different components of a service into different subnets in different AZ’s within the region.

19
Q

How many AZ’s can a subnet be in?

A

ONE subnet = ONE AZ

A subnet can’t span across multiple AZs. ONE AZ can have many subnets however.

20
Q

Where are VPC’s segmented/isolated?

A

VPCs are segmented/isolated at the perimeter of the VPC.

Subnets within the same VPC can communicate with each other by default (via the local route). If communication needs to happen externally, it will have to be configured.

21
Q

What are the (5) “reserved” IP addresses in a VPC Subnet that can’t be used.

A
  1. Network Address - the FIRST address of any subnet i.e where the network starts
  2. Network +1 Address - the first IP address after the network address; this is used by the VPC Router
  3. Network +2 address - the next address after the VPC Router address (i.e the 3rd address in the subnet); this is reserved for the VPC DNS
  4. Network +3 address - the next address after the DNS address; it has no use today but is reserved for future requirements
  5. Broadcast Address - the LAST IP in every subnet is reserved as the broadcast address, even though broadcast isn’t supported in a VPC
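Added example (not from the flashcards or the course), covering this card together with the earlier /28 minimum, Micro (/24) and Extra Large (/16) sizing cards: given a subnet CIDR it lists the five reserved addresses by role, the first and last address you can actually hand to an instance, and the usable host count; vpc_capacity reproduces the 8 x 27 = 216 and 16 x 4091 = 65456 figures. The 10.16.0.0 ranges are the ones the advice card suggests starting from.

```python
import ipaddress

# The five addresses AWS reserves in every subnet, in order from the network address.
RESERVED_ROLES = (
    "network address",
    "VPC router (network +1)",
    "Amazon DNS (network +2)",
    "reserved for future use (network +3)",
    "broadcast address (last address, even though VPCs do not broadcast)",
)

def reserved_addresses(subnet_cidr: str) -> dict:
    """Map each reserved role to the concrete address in this subnet."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    base = int(net.network_address)
    addrs = [ipaddress.IPv4Address(base + i) for i in range(4)] + [net.broadcast_address]
    return {role: str(addr) for role, addr in zip(RESERVED_ROLES, addrs)}

def usable_range(subnet_cidr: str) -> tuple:
    """First and last address you can actually assign to an instance."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    return str(net.network_address + 4), str(net.broadcast_address - 1)

def usable_hosts(subnet_cidr: str) -> int:
    """Addresses in the subnet minus the five reserves; AWS only allows /16 to /28."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"/{net.prefixlen} is outside the /16 - /28 range AWS allows for VPC subnets")
    return net.num_addresses - len(RESERVED_ROLES)

def vpc_capacity(vpc_cidr: str, subnet_prefix: int) -> tuple:
    """(subnet count, usable hosts per subnet, total usable hosts) for a VPC cut into equal subnets."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    per_subnet = usable_hosts(str(subnets[0]))
    return len(subnets), per_subnet, len(subnets) * per_subnet

if __name__ == "__main__":
    for role, addr in reserved_addresses("10.16.0.0/24").items():
        print(f"{addr:<14} {role}")
    print("usable in a /28:", usable_hosts("10.16.0.0/28"), usable_range("10.16.0.0/28"))
    print("Micro /24 as 8 x /27:", vpc_capacity("10.16.0.0/24", 27))
    print("Extra Large /16 as 16 x /20:", vpc_capacity("10.16.0.0/16", 20))
```

The practical check this gives you: a /28 subnet has 11 usable addresses, not 14, so anything that needs a handful of ENIs per AZ (load balancers, interface endpoints, Lambda in a VPC) will fill it faster than the plain “16 minus 2” arithmetic suggests.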
22
Q

What does the Routing GW do? (RGW)

Is it resilient?

A

The routing GW (the VPC router) runs in every VPC and takes the Network+1 address in every subnet.

It controls how subnet traffic gets routed when it leaves the subnet, by way of the Route Table associated with that subnet.

It is AZ resilient, i.e it runs in every AZ that the VPC uses, so an AZ failure does not take routing down for the other AZs.

23
Q

REVIEW:

What is a Route Table?

A route table is a list of routes. Every subnet is associated with exactly ONE route table at any given time, but one route table can be associated with many subnets.

Summary - RTs are attached to zero or more subnets, every subnet has an RT (the VPC’s Main RT by default if none is specified), and an RT can be attached to many subnets, but every subnet has exactly ONE RT (Main or custom).

A

→ The destination of a route in the VPC’s RT can be a single IP address (a /32) or an entire network (a CIDR block)

→ The 0.0.0.0/0 destination matches everything and acts as the “catch all”: if no more specific route matches, traffic goes there, like the default gateway concept

→ If multiple routes match a given destination, the VPC router goes with the higher prefix length, i.e the higher the prefix, the more specific the route = the higher the priority the route has

** The exception called out in the course: LOCAL routes (the VPC’s own CIDR with the Local target) are always preferred for destinations inside the VPC. AWS has since allowed a route more specific than the local route for certain inspection targets, but that is outside what these cards cover. **
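Added example (not from the flashcards or the course): a small model of the route-selection rule just described. A route table is a list of (destination CIDR, target) entries; for a destination IP every route whose CIDR contains it is a candidate, the local route wins outright, and otherwise the longest prefix wins. The route table and the gateway IDs (igw-example and so on) are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    destination: str   # CIDR the route matches, e.g. "0.0.0.0/0" or "10.16.0.0/16"
    target: str        # "local", or a gateway ID; the IDs below are placeholders

def prefix_length(cidr: str) -> int:
    return ipaddress.ip_network(cidr, strict=False).prefixlen

def select_route(route_table: list, dst_ip: str) -> Optional[Route]:
    """Pick the route the VPC router would use for dst_ip.

    Every route whose destination contains the IP is a candidate. The card's rule:
    the LOCAL route wins outright, otherwise the longest prefix (most specific
    destination) wins. No candidate at all means the packet is dropped (None).
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in route_table
                  if ip in ipaddress.ip_network(r.destination, strict=False)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.target == "local", prefix_length(r.destination)))

# Constructed route table for a VPC whose CIDR is 10.16.0.0/16 (IDs are placeholders).
EXAMPLE_ROUTE_TABLE = [
    Route("10.16.0.0/16", "local"),          # the VPC's own CIDR, added by AWS
    Route("0.0.0.0/0", "igw-example"),       # catch-all default route to the internet gateway
    Route("192.168.0.0/16", "pcx-example"),  # peered VPC
    Route("192.168.1.0/24", "tgw-example"),  # a more specific route inside the peered range
]

def describe(route_table: list, dst_ip: str) -> str:
    route = select_route(route_table, dst_ip)
    return f"{dst_ip} -> {route.destination} via {route.target}" if route else f"{dst_ip} -> dropped"

if __name__ == "__main__":
    for ip in ("10.16.5.4", "192.168.1.9", "192.168.7.9", "8.8.8.8"):
        print(describe(EXAMPLE_ROUTE_TABLE, ip))
```

The 192.168.1.9 case is the one worth remembering during a review: the /24 to the transit gateway silently takes precedence over the /16 peering route, so a “more specific” route added later can redirect traffic without touching the existing entry.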

24
Q

What does an Internet GW do? (IGW)

Is it resilient?

A

This is an optional add-on within a VPC. The IGW connects a VPC (private by default) to the public internet and the AWS public zone.

It is regionally resilient: a single IGW attached to a VPC covers all the AZs of that region, so there is nothing per-AZ to deploy. (It is per VPC, not per region; see the next card.)

25
Q

How many VPCs can an IGW be connected to at a given time?

Who manages it? How do you turn it on/start using it?

A

ONE IGW for every VPC, and an IGW can only be attached to ONE VPC at a time.

This is a managed service by AWS so you don’t run anything; you create the IGW and attach it to the VPC.

Once attached, you create a route in the subnet’s route table with destination 0.0.0.0/0 (the “catch all” or default route) targeting the IGW. This basically says “any traffic that doesn’t match a more specific destination, kick it out to the internet.” An instance also needs a public IPv4 address (or IPv6) for the IGW to translate its private address on the way out.

26
Q

What is a NACL?

How are the rules processed?

A

Network ACL.

They essentially act like stateless FWs that surround VPC subnets and are evaluated whenever traffic enters or leaves a subnet.

There is an INBOUND and an OUTBOUND set of rules.

→ Once the relevant rule set (IB v OB) has been selected, the rules within that set are processed in order - the rule with the lowest Rule# is evaluated first, i.e has the highest priority, and the first match (allow or deny) decides.

Example - Rule 3 gets processed before Rule 23; if Rule 3 matches, Rule 23 is never looked at.

27
Q

What makes using NACLs especially challenging?

A

Ephemeral Ports.

When an instance sends a request to a service, the request goes to the service’s well-known port (e.g 443) and must be allowed by an OB rule on the requester’s subnet. The response comes back to the requester on an ephemeral port (a high port the client OS picked for that connection, typically somewhere in 1024-65535). Because NACLs are stateless, that response needs an OB rule on the service’s side AND an IB rule covering the ephemeral port range on the requester’s side.

This scales terribly, and because the ephemeral range is wide you end up allowing a large inbound port range just to get replies through.

28
Q

NACLs and Security Groups: which is stateful and which is stateless?

A

NACL - stateless: the initiation and the response are evaluated independently against the 2 rule sets, so both directions need rules.

SG - stateful: they do not see 2 different streams for every communication, only one; the response to an allowed request is allowed automatically.

29
Q

What is a Security Group (SG)?

A

Security Groups: similar to NACLs, they are boundaries which can filter traffic, but they are attached/assigned to AWS resources themselves (strictly, to their network interfaces) instead of the subnets that the resources operate in.

30
Q

NACL and SG Rules Review:

NACLs have an IMPLICIT DENY at the end of their rule set (the “*” rule). If no rule is matched, traffic is denied.

The DEFAULT NACL also comes with Rule 100, an explicit ALLOW ALL for both inbound and outbound; it sits above the final deny and can be removed. (A custom NACL you create yourself starts with only the “*” deny.)

NACLs can also have an EXPLICIT DENY i.e deny something very specific.

A

SG’s also have an IMPLICIT DENY but they do NOT have an Explicit Deny option; SG rules are allow-only.

If you want to deny something specifically, you have to use a NACL on top of the SG.

Security groups are tied to an instance (its network interface) whereas Network ACLs are tied to the subnet, i.e. NACLs apply at the subnet level, so every instance in a subnet is subject to the NACL associated with that subnet.

Security groups are stateful: if a request is allowed in by an inbound rule, the response is automatically allowed out (and vice versa). e.g. If you allow incoming port 80, the replies from port 80 flow out without an outgoing rule.

Network ACLs are stateless: an incoming rule does nothing for the replies. e.g. If you allow incoming port 80, you also need an outgoing rule covering the ephemeral ports the replies go back to.
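Added example (not from the flashcards or the course) that ties together the ephemeral-port, stateless/stateful and rule-ordering cards: a toy evaluator for a stateless NACL (numbered rules, lowest first, “*” deny at the end) next to a stateful security group (allow-only rules plus a connection table). The scenario is constructed: an instance at 10.16.0.10 calls an HTTPS server at 203.0.113.5 from ephemeral port 51234, and the reply comes back. With only an outbound rule for 443, the NACL drops the reply while the SG lets it through.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NaclRule:
    number: int      # lowest number is evaluated first; the first match decides
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int   # destination port range the rule covers
    port_to: int
    action: str      # "allow" or "deny"

def nacl_decide(rules: list, ip: str, port: int) -> str:
    """Stateless NACL evaluation: walk the rules by number; no match falls to the final '*' deny."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"

def nacl_inbound(rules: list, pkt: Packet) -> str:
    return nacl_decide(rules, pkt.src_ip, pkt.dst_port)

def nacl_outbound(rules: list, pkt: Packet) -> str:
    return nacl_decide(rules, pkt.dst_ip, pkt.dst_port)

@dataclass
class SecurityGroup:
    """Stateful SG: allow-only rules plus a connection table, so the reply to an admitted flow is admitted."""
    inbound: list      # (source CIDR, port_from, port_to) allow rules
    outbound: list     # (destination CIDR, port_from, port_to) allow rules
    tracked: set = field(default_factory=set)

    @staticmethod
    def _matches(rules: list, ip: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) and lo <= port <= hi for c, lo, hi in rules)

    def _decide(self, rules: list, pkt: Packet, rule_ip: str) -> str:
        # A packet that is the mirror image of a tracked flow is return traffic: allowed without a rule.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return "allow"
        if self._matches(rules, rule_ip, pkt.dst_port):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"  # implicit deny; SGs have no explicit deny rules

    def check_inbound(self, pkt: Packet) -> str:
        return self._decide(self.inbound, pkt, pkt.src_ip)

    def check_outbound(self, pkt: Packet) -> str:
        return self._decide(self.outbound, pkt, pkt.dst_ip)

def https_round_trip(nacl_in: list, nacl_out: list, sg: SecurityGroup) -> dict:
    """Constructed scenario: an instance calls an HTTPS server and the reply comes back.

    The request leaves from ephemeral port 51234 to the well-known port 443; the reply is
    the mirror image, so a stateless NACL sees a brand-new inbound packet aimed at port
    51234, while the stateful SG recognises it as return traffic.
    """
    request = Packet("10.16.0.10", 51234, "203.0.113.5", 443)
    response = Packet("203.0.113.5", 443, "10.16.0.10", 51234)
    return {
        "nacl_request": nacl_outbound(nacl_out, request),
        "nacl_response": nacl_inbound(nacl_in, response),
        "sg_request": sg.check_outbound(request),
        "sg_response": sg.check_inbound(response),
    }

if __name__ == "__main__":
    allow_443_out = [NaclRule(100, "0.0.0.0/0", 443, 443, "allow")]
    sg = SecurityGroup(inbound=[], outbound=[("0.0.0.0/0", 443, 443)])
    print("no inbound ephemeral rule:", https_round_trip([], allow_443_out, sg))
    ephemeral_in = [NaclRule(100, "0.0.0.0/0", 1024, 65535, "allow")]
    print("with ephemeral rule:      ", https_round_trip(ephemeral_in, allow_443_out, sg))
```

The fix for the NACL case is the inbound 1024-65535 allow, which is exactly the wide range the ephemeral-port card complains about; the test below also shows a lower-numbered explicit deny overriding that allow, which is the one thing SGs cannot express.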

31
Q

What is the difference between Static and Dynamic NAT?

A

Static NAT = 1:1 public to private IP mapping

Dynamic NAT: IP masquerading; many IP’s (CIDR block) behind a single public IP.

32
Q

What are the 2 methods to deploy NAT functions in AWS?

A

NAT Instance (NAT software running on an EC2 instance that you manage) and NAT Gateway (an AWS-managed service).

The NAT GW is much more popular.

33
Q

REVIEW - NAT GW Flow:

→ The NAT GW keeps a record of the resource sending traffic (source/dest addresses, port numbers, etc.) so that it can uniquely identify the sender when the reply returns

○ This record is called the “Translation Table”
○ The source IP address (and source port) is then rewritten to the NAT GW’s own address

A

The traffic is then moved from the NAT GW to the IGW via the VPC Router (in the course example, where the NAT GW sits in the public web subnet of the VPC); the VPC Router is what applies the RT that sends traffic on its way.

→ The NAT GW’s job is to allow multiple private IP addresses to masquerade behind the one public IP address that it has

○ It takes all the packets from all the instances that route through it, records the connection info, and rewrites the source address to its own before sending the traffic on its way; when the reply comes back it looks up the table and rewrites the destination back to the original private address
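Added example (not from the flashcards or the course): a toy NAT gateway with the translation table the card describes. Two private instances that happen to use the same source port are masqueraded behind one public IP on different public ports, a reply is mapped back to the right instance, and an unsolicited inbound packet with no table entry is dropped. The addresses (198.51.100.7 as the NAT GW’s public IP, 203.0.113.5 as the server) are constructed for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """Dynamic NAT (IP masquerading): many private addresses share one public IP.

    The translation table records each outbound connection so the reply can be
    handed back to the right instance; because two instances may pick the same
    source port, the gateway allocates its own public source port per connection.
    """

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}     # (private ip, private port, dst ip, dst port) -> public source port
        self._reverse = {}  # (public source port, dst ip, dst port) -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an instance's packet to the gateway's own IP and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self._reverse[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the instance; None means no entry, so the packet is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited inbound traffic: nothing asked for it
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

if __name__ == "__main__":
    nat = NatGateway("198.51.100.7")
    a = nat.outbound(Packet("10.16.16.10", 40000, "203.0.113.5", 443))
    b = nat.outbound(Packet("10.16.16.11", 40000, "203.0.113.5", 443))
    print("translated:", a, b)
    print("reply to b:", nat.inbound(Packet("203.0.113.5", 443, "198.51.100.7", b.src_port)))
    print("unsolicited:", nat.inbound(Packet("203.0.113.9", 22, "198.51.100.7", 2222)))
```

The last line is the security property a NAT GW gives you for free: with no translation entry there is nowhere to forward an unsolicited packet, which is why the IGW+NAT GW combination provides outbound-only access.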

34
Q

When do you only need a IGW versus needing a combo of IGW and NAT GW?

A

If you need to give an instance its own public IPv4 address, then you only need the IGW (plus a route to it and a public IP on the instance).

If you need to give multiple private instances outgoing-only access to the internet / AWS public zone, then you need the NAT GW (in a public subnet) + the IGW together.

35
Q

Is a NAT GW Region or AZ resilient?

A

AZ - a NAT GW lives in one AZ. If your VPC is being used in multiple AZs, you must have a NAT GW in each AZ and point each AZ’s private subnets at their own NAT GW; otherwise an AZ failure takes out internet access for the other AZs as well.

36
Q

Does IPv6 require NAT?

A

No. We use NAT because of IPv4 address exhaustion.

IPv6 addresses in AWS are globally unique and publicly routable. The IGW routes IPv6 traffic directly, i.e no need for a NAT GW (if you want outbound-only IPv6, AWS offers an egress-only internet gateway instead).

37
Q

EXAM TIPS:

→ Network ACLs:
○ They are stateless - the initiation and response are seen as 2 different transactions

○ Only impact traffic that crosses the subnet border - enters or leaves the subnet; if you have 2 x instances in the same subnet, the NACL does not apply to traffic between them… they can talk by default (subject to their SGs)

○ Used to explicitly ALLOW or DENY traffic

○ Filter on IPs, networks, ports and protocols - they have no visibility into logical resources

○ Can only be assigned to subnets NOT resources

○ Can use NACLs in conjunction with other Security features (like Security Groups)

○ ONE subnet = ONE NACL at a time; a subnet starts off associated with the VPC’s default NACL until you associate one you create

○ Rules are processed in order with the lowest Rule # first and the Rule with the * last

A

→ SGs:
○ Stateful - initiation and response traffic are viewed as the same thing

○ Can filter based on AWS logical resources - like EC2, or other SGs, or the SG itself

○ NO EXPLICIT DENY

→ Default to SGs everywhere unless you are using an AWS product that doesn’t support SGs, or you need to add a NACL on top of an SG

→ If your traffic is not crossing the boundary of a subnet, you must use an SG if you want to enforce any kind of rule

Ex - if 2 x instances are in the same subnet