What is VPC
1. Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined.
2. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Amazon VPC concepts
The following are the key concepts for VPCs:
- Virtual private cloud (VPC) — A virtual network dedicated to your AWS account.
- Subnet — A range of IP addresses in your VPC.
- Route table — A set of rules, called routes, that are used to determine where network traffic is directed.
- Internet gateway — A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
- VPC endpoint — Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Accessing VPC
- AWS Management Console
- AWS CLI
- AWS SDKs
- AWS Query API
How VPC Works
- Enables you to launch AWS resources into a virtual network that you've defined.
- This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
VPC Contents
subnets
A subnet is a range of IP addresses in your VPC.
You can launch AWS resources into a subnet of your choice.
Public subnet: a subnet whose route table has a route to an internet gateway. Use this for resources that must be reachable from the Internet.
Private subnet: a subnet whose route table has no route to an internet gateway. Use this for resources that should not be reachable from the Internet (they can still reach out through a NAT device if the route table has a route to one).
Security is applied in multiple layers: security groups (stateful, at the instance's network interface) and Network Access Control Lists (NACLs, stateless, at the subnet boundary).
VPC Types
Default VPC
1. Created by AWS in each Region for your account.
2. You can delete the default VPC, and you can create a new one (for example with aws ec2 create-default-vpc) if your Region no longer has one.
How to check the Default VPC
1. Log in to the AWS console.
2. Search for VPC under Services.
3. Select it; the VPC dashboard that opens lists your VPCs and shows which one is the default (the screenshot is not reproduced here).
A default VPC comes with the following, all created by AWS:
1. Subnets (one default subnet per Availability Zone)
2. A main route table with a route for 0.0.0.0/0 to the internet gateway
3. An Internet Gateway
4. Network ACLs (the default NACL allows all inbound and outbound traffic)
5. A default security group
Because a default VPC and default subnets already exist, you can launch EC2 instances without knowing anything about VPCs.
Usage of the Default VPC
- Add additional nondefault subnets.
- Modify the main route table.
- Add additional route tables.
- Associate additional security groups.
- Update the rules of the default security group.
- Add AWS Site-to-Site VPN connections.
- Add more IPv4 CIDR blocks.
Default Subnets:
- Created by AWS, one per Availability Zone in the Region.
- You can launch an EC2 instance into a default subnet without selecting any network settings when creating the instance.
- A default subnet is implicitly associated with the main route table of the default VPC, which has a route for 0.0.0.0/0 to the internet gateway.
- So an EC2 instance launched into a default subnet has internet access by default.
- You can turn a default subnet into a private subnet by removing the route for destination 0.0.0.0/0 to the internet gateway. Removing it from the main route table changes every subnet that is implicitly associated with that table, so associate the subnet with a custom route table instead if only that one subnet should become private.
- Instances launched into a default subnet get a private IPv4 address and, because the subnet has MapPublicIpOnLaunch set to true, a public IPv4 address as well.
- One default subnet is created per Availability Zone in the Region. For example, the Mumbai region has 3 AZs, so it has 3 default subnets.
- If a new AZ is added to the Region in future, AWS creates a default subnet in it.
- When you create a default subnet, it is created with a /20 IPv4 CIDR block in the next available contiguous space in your default VPC.
Default subnet conditions
- You cannot specify the CIDR block yourself.
- You cannot restore a previous default subnet that you deleted.
- You can have only one default subnet per Availability Zone.
- You cannot create a default subnet in a nondefault VPC.
Creating a default subnet using the AWS CLI
aws ec2 create-default-subnet --availability-zone us-east-2a
{
    "Subnet": {
        "AvailabilityZone": "us-east-2a",
        "Tags": [],
        "AvailableIpAddressCount": 4091,
        "DefaultForAz": true,
        "Ipv6CidrBlockAssociationSet": [],
        "VpcId": "vpc-1a2b3c4d",
        "State": "available",
        "MapPublicIpOnLaunch": true,
        "SubnetId": "subnet-1122aabb",
        "CidrBlock": "172.31.32.0/20",
        "AssignIpv6AddressOnCreation": false
    }
}
Route Tables
- A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.
- Every subnet that is not explicitly associated with a route table is implicitly associated with the VPC's main route table.
- If you want different routing for a subnet, create a custom route table and associate the subnet with it.
- A subnet is public when its route table has a route to an internet gateway.
- Each route specifies the range of IP addresses where you want the traffic to go (the destination) and the gateway, network interface, or connection through which to send the traffic (the target). When several routes match, the most specific (longest prefix) route wins.
- A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same subnet route table.
Main route table: the route table every VPC has by default; it controls routing for all subnets that are not explicitly associated with a custom route table.
Custom route table: a route table that you create for your VPC.
Edge association: a route table associated with an internet gateway or virtual private gateway, used to route inbound VPC traffic to an appliance.
Route table association: the association between a route table and a subnet, internet gateway, or virtual private gateway.
Subnet route table: a route table that is associated with a subnet.
Gateway route table: a route table that is associated with an internet gateway or virtual private gateway.
Destination: the range of IP addresses where the traffic should go, for example an external corporate network with a 172.16.0.0/12 CIDR.
Propagation: route propagation lets a virtual private gateway automatically add the routes it learns to your route table.
Target: the gateway, network interface, or connection through which to send the destination traffic, for example an internet gateway.
Local route: a default route for communication within the VPC; it cannot be deleted.
Egress-only internet gateways
- An egress-only internet gateway carries outbound IPv6 traffic from the instances in your subnet to the Internet.
- IPv6 addresses are globally unique, and are therefore public by default.
- If you want your instance to be able to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway. It plays the role for IPv6 that a NAT device plays for IPv4.
- To do this, create an egress-only internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 addresses to the egress-only internet gateway.
- An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the internet or other AWS services, and then sends the response back to the instances.
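The public/private distinction, the implicit main-route-table association, the "remove the 0.0.0.0/0 route to make a default subnet private" step and the egress-only gateway above all come down to reading route tables. The following script is an added example, not part of this post and not AWS code: it takes JSON in the shape that aws ec2 describe-subnets and aws ec2 describe-route-tables return and classifies each subnet as public (active route to an igw-*), NAT-only, or IPv6 egress-only, and flags public subnets that auto-assign public IPs. The sample data is constructed; vpc-1a2b3c4d and subnet-1122aabb are the IDs shown in this post, and every other ID (rtb-*, igw-*, nat-*, eigw-*, subnet-33cc44dd) is an assumed placeholder. Python is used so the check runs offline on saved CLI output.

```python
"""Classify VPC subnets from describe-subnets / describe-route-tables output.

Added example: not part of the original post. Sample data is constructed;
vpc-1a2b3c4d and subnet-1122aabb come from the post, all other IDs are assumed.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
ROUTE_TABLES_JSON = """
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0a1b2c3d",
      "VpcId": "vpc-1a2b3c4d",
      "Associations": [
        {"RouteTableAssociationId": "rtbassoc-main", "Main": true}
      ],
      "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-11aa22bb", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-4e5f6a7b",
      "VpcId": "vpc-1a2b3c4d",
      "Associations": [
        {"RouteTableAssociationId": "rtbassoc-priv", "SubnetId": "subnet-33cc44dd", "Main": false}
      ],
      "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-99887766", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-55667788", "State": "active"}
      ]
    }
  ]
}
"""

# Constructed sample in the shape of `aws ec2 describe-subnets` output.
SUBNETS_JSON = """
{
  "Subnets": [
    {"SubnetId": "subnet-1122aabb", "VpcId": "vpc-1a2b3c4d", "CidrBlock": "172.31.32.0/20",
     "AvailabilityZone": "us-east-2a", "DefaultForAz": true, "MapPublicIpOnLaunch": true},
    {"SubnetId": "subnet-33cc44dd", "VpcId": "vpc-1a2b3c4d", "CidrBlock": "172.31.48.0/20",
     "AvailabilityZone": "us-east-2b", "DefaultForAz": false, "MapPublicIpOnLaunch": false}
  ]
}
"""

ROUTE_TABLES = json.loads(ROUTE_TABLES_JSON)["RouteTables"]
SUBNETS = json.loads(SUBNETS_JSON)["Subnets"]


def effective_route_table(subnet, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no main route table for {subnet['VpcId']}")
    return main


def classify_subnet(subnet, route_tables):
    """Classify one subnet by the active routes in its effective route table."""
    rt = effective_route_table(subnet, route_tables)
    active = [r for r in rt.get("Routes", []) if r.get("State") == "active"]
    # Public subnet: any active route whose target is an internet gateway.
    public = any(r.get("GatewayId", "").startswith("igw-") for r in active)
    # A NAT gateway target means outbound-only IPv4, so the subnet stays private.
    nat_egress = any("NatGatewayId" in r for r in active)
    # An egress-only internet gateway target means outbound-only IPv6.
    ipv6_egress_only = any("EgressOnlyInternetGatewayId" in r for r in active)
    return {
        "subnet_id": subnet["SubnetId"],
        "route_table_id": rt["RouteTableId"],
        "public": public,
        "nat_egress": nat_egress,
        "ipv6_egress_only": ipv6_egress_only,
        # Public subnet plus MapPublicIpOnLaunch: every instance gets a public
        # IPv4 address by default, which is how default subnets behave.
        "auto_public_ip": public and bool(subnet.get("MapPublicIpOnLaunch")),
    }


def without_internet_gateway_routes(route_table):
    """Copy of a route table with every igw-* route removed: the change the
    post describes for turning a default subnet into a private one."""
    rt = json.loads(json.dumps(route_table))
    rt["Routes"] = [r for r in rt["Routes"] if not r.get("GatewayId", "").startswith("igw-")]
    return rt


def audit(subnets, route_tables):
    """Map each SubnetId to its classification."""
    return {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets}


if __name__ == "__main__":
    for subnet_id, info in audit(SUBNETS, ROUTE_TABLES).items():
        kind = "public" if info["public"] else "private"
        print(f"{subnet_id}: {kind} via {info['route_table_id']}, nat_egress={info['nat_egress']}, "
              f"ipv6_egress_only={info['ipv6_egress_only']}, auto_public_ip={info['auto_public_ip']}")
```

On the sample data the default subnet subnet-1122aabb is public with auto_public_ip set, while subnet-33cc44dd is private with NAT and IPv6 egress only; re-running classify_subnet on the default subnet after without_internet_gateway_routes() has been applied to the main route table shows it becoming private. To use this on a real account, save the output of the two describe calls and load those files in place of the constructed strings; the EgressOnlyInternetGatewayId and NatGatewayId keys are the ones the CLI emits for those targets.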