Below are the notes I captured while watching the below very good video on VPC
Router and Route table:
- Route table holds the info on how to route
- Router routes based on the route table
Elastic IP
- Static public IP
- Each time we stop and start the EC2 instance, we get dynamic IP
- Alllows to use the same IP
Elastic Network Interface
- The IP is not directly assigned to EC2
- It is the ENI that is attached to EC2
- We can have more than one network interface for an EC2
- Which means we can have more than on1 IP assigned to EC2
Internet Gateway
- It is like a door to VPC for both inbound and outbound
Customer Gateway, VPN Connection, and Virtual Private Gateway
- These 3 together helps in making a connection between on-premise and aws
VPC peering
- Communication between 2 VPCs
- One should send a request and the other should accept it
VPC endpoint
- For eg: S3 endpoints are public endpoints
- If we want to our EC2 to talk to S3 privately without going via internet gateway then we go for VPC endpoint
- We have a VPC interface endpoint too, for talking to other applications within a subnet
NAT Gateway
- Network Address Translation
- This is for allowing the private subnet to talk to the internet gateway for accessing the internet
- The NAT gateway will not allow any inbound request to reach the private subnet, it will just allow the private subnet to access the internet
- Works only for IPV4, for IPV6, we need to use Egress
IP Address and Subnets
- IPV4 is 32 bit
- IPV6 is 128 bit
- IP CIDR Range
- Eg: 10.0.0.0/16 means the first 16 bits of the IP are not going to change
- Eg: 10.0.0.0/8 means the first 8 bits of the IP are not going to change
- The CIDR Range is 10.0.0.0 to 10.255.255.255
- Eg: 10.0.1.15/32 means only one IP
- It is not necessary to be the multiple of 8; Eg: 10.0.0.0/26
- Private IP address range as per RFC1918 standard
- 10.0.0.0 - 10.255.255.255 (10/8)
- 172.16.0.0 - 172.31.255.255 (172.16/12)
- 192.168.0.0 - 192.168.255.255 (192.168/16)
Routing
- Is based on the Route Table definition
- It has information on where the request needs to be routed
- Need to associate a route table for a particular subnet
- Route table defines whether the subnet is a private subnet or a public subnet
- There will be a default route table created in a VPC and that will allow all the local/private access within the VPC
Security Groups
- Default of all SG is allow all outbound, deny all inbound
- Need to edit the inbound and outbound connections
- Applies at instance or individual resource level like EC2, RDS etc
- This is the first level of defense
Network ACL (Access Control List)
- Specify what IPs and Port are allowed inbound and what are for outbound
- Security Group only have allow rules, only the Network ACL we have both allow and deny rules
- Applied at the network level
Flow
Create VPC > Create Internet Gateway and attach to VPC > Create Subnets > Create RouteTables and attach to VPC > Subnets association > Configure Security Groups
No comments:
Post a Comment