Virtual Private Cloud (VPC) Flashcards
What is a virtual private cloud (VPC)?
A VPC can be thought of as a virtual data center in the cloud. It's a logically isolated part of the AWS Cloud where you can define your own network.
You have complete control of the virtual network, including your own IP address range, security, subnets, route tables and network gateways.
So essentially it's a fully customizable network.
Are VPCs setup automatically?
Yes, every AWS account has a default VPC in each region that is set up automatically.
When you create your fully customizable Network what does the architecture typically look like?
In the fully customizable network you can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
The architecture typically has 3 tiers to it:
The Web tier:
Here you have web servers that need to be public-facing (meaning they are internet accessible, so people from the internet can reach the web servers). People from the internet can access them on port 80 (HTTP) or 443 (HTTPS).
The application tier:
These are the application servers, and they usually perform some kind of business logic, like rendering an image.
They are in a private subnet and can speak only to the web tier and the database tier.
The database tier:
The database is part of a private subnet and can only speak to the application tier.
Can you use AWS Cloud as an extension of your corporate data center?
Yes, you can create a virtual private network (VPN) connection between your corporate data center and your VPC to achieve this goal.
What is the smallest and largest network size you can have with AWS VPC?
The smallest network size is 10.0.0.0/28, which gives you 16 IP addresses.
The largest network size is 10.0.0.0/16, which gives you 65,536 IP addresses.
What would a typical network diagram look like when creating a VPC?
The outer layer is our region.
So, for instance, we can deploy into the us-east-1 region.
Then within the region you create the VPC, where you choose your IP range (10.0.0.0, 172.16.0.0 or 192.168.0.0).
When the VPC is created, a router -> route table -> network Access Control List (ACL) is created automatically.
Then we can create our public subnet, where we inside the subnet can create an instance (this could be a web server for instance) and a security group.
To make the instance in the public subnet available to the internet we attach an internet gateway.
What can you do with a VPC?
- Launch instances into a subnet
- Assign custom IP address ranges in each subnet
- Configure route tables between subnets
- Create internet gateway and attach it to our VPC
- Much better security control over your AWS resources
- Use subnet network access control lists. These can be used to block specific IP addresses, for instance.
What are the main differences between the default VPC and a custom VPC?
Default
- Is more user friendly due to not much setup
- All subnets have a route out to the internet
- Each EC2 instance has both a public and private IP address.
Custom
- Fully customizable to each of your needs
- Takes time to set up.
When you create a subnet how many availability zones can it be in?
A subnet is always in exactly 1 availability zone.
When you create a VPC what elements are created by default?
Route table, access control list (ACL) and security group.
What is best practice when naming subnets?
When creating a subnet you want to name it:
<CIDR range> - <availability zone>
An example would be:
10.0.1.0/24 - us-east-1a
How many internet gateways can you attach to VPC?
You can only have one internet gateway attached to each VPC.
The default VPC automatically has an internet gateway attached to it, so you can't attach an extra internet gateway to the default VPC.
What is a subnet?
Subnets are larger networks broken down into smaller, more manageable networks.
Connected devices/instances within a subnet share a common IP address identifier (or unique network number) that enables them to communicate with each other.
For instance, if the network number is 192.168.1, each device in that subnet will have that number at the start of its IP address. We could have four devices in the subnet with the IP addresses:
Device 1: 192.168.1.10
Device 2: 192.168.1.11
Device 3: 192.168.1.12
Device 4: 192.168.1.13
Because they all share the same network number in their IP addresses, we know they are in the same subnet and can communicate with each other.
In AWS, a VPC subnet is a range of IP addresses in your VPC.
What is a route table?
A route table contains a set of rules, called routes, that determine where network traffic (packets) from your subnet or gateway is directed.
The main purpose of a routing table is to help routers make effective routing decisions.
What is a network access control list (ACL)?
A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level.
You can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC.
What is a security group?
A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
The security group acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the security group rules.
What is a network address translation (NAT) gateway?
A NAT gateway is a way to enable instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection with those instances.
Private subnets don't have a route to the internet in their route table. This means they can't connect to the internet, but the internet can't connect to the private subnet either.
The NAT gateway sits in your public subnet, which has access to the internet. If your private subnet needs access to the internet (for a database update, for instance), it connects to the public subnet through the NAT gateway and uses the public subnet's route table and internet gateway to reach the internet, without the internet getting a direct connection to the private subnet.
What are 5 facts to remember about NAT Gateways?
- They are redundant inside the availability zone
- They start at 5 gigabits per second (Gbps) and scale to 45 Gbps.
- You don't need to patch NAT gateways, since Amazon handles that for you; NAT gateways are just a collection of EC2 instances provided by Amazon.
- They are not associated with security groups, so you don't have to open up ports, etc., for your NAT gateway.
- They are automatically assigned a public IP address.
Which ports are used by different communication protocols?
- SSH uses port 22
- RDP uses port 3389
- HTTP uses port 80
- HTTPS uses port 443
How do you debug connectivity issues?
- Start with the route table. Do you even have a route out and into the internet to begin with?
- Check the Network ACL. Are you blocking traffic you shouldn’t?
- Check the security groups. Same as ACL are you blocking traffic you shouldn’t?
What are the default settings for security groups regarding traffic that is blocked, and how do you let traffic in?
By default all traffic is blocked by the security groups.
If you want to let everything in, you open up 0.0.0.0/0 to allow all IP address ranges, and to communicate with the EC2 instances you need to open up the correct ports, like 443 if you communicate over HTTPS.
What is meant by "security groups are stateful"?
Stateful refers to the fact that responses to requests sent by your instances are allowed to flow in regardless of the inbound security group rules.
The same goes the other way around: responses to inbound traffic that reaches your instance are allowed to flow out, regardless of the outbound rules of your security group.
What are the default settings for the default ACL that comes with your VPC, and for a custom ACL you create?
The default ACL allows all outbound and inbound traffic.
The custom ACL denies all inbound and outbound traffic until you add rules.
Must each subnet in your VPC be associated with a network ACL?
Yes, a subnet must always be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default ACL.