Introduction to VPC


  • Think of an AWS VPC as your own personal data centre
  • Gives you complete control over your virtual networking environment.

Core Components


  • Internet Gateway (IGW)
  • Virtual Private Gateway (VPN Gateway)
  • Routing Tables
  • Network Access Control Lists (NACLs) - Stateless
  • Security Groups (SG) - Stateful
  • Public Subnets
  • Private Subnets
  • NAT Gateway
  • Customer Gateway
  • VPC Endpoints
  • VPC Peering

Key Features


  • VPCs are region-specific; they do not span regions
  • You can create 5 VPCs per region
  • Every region comes with a default VPC
  • You can have 200 subnets per VPC
  • You can use IPv4 CIDR blocks (the address range of the VPC)
  • Cost nothing: VPCs, Route Tables, NACLs, Internet Gateways, Security Groups, Subnets and VPC Peering
  • Some things cost money, e.g. NAT Gateway, VPC Endpoints, VPN Gateway, Customer Gateway
  • DNS hostnames (should your instance have a domain name)

Default VPC


  • Create a VPC with a size /16 IPv4 CIDR block (172.31.0.0/16)
  • Create a size /20 default subnet in each AZ
  • Create an Internet Gateway and connect it to your default VPC
  • Create a default security group and associate it with your default VPC
  • Create a default network access control list (NACL) and associate it with your default VPC
  • Associate the default DHCP options set for your AWS account with your default VPC
  • When you create a VPC, it automatically has a main route table

VPC Peering


  • VPC Peering allows you to connect one VPC with another over a direct network route using private IP addresses

  • Instances on peered VPCs behave just as if they were on the same network

  • Connect VPCs in the same or different AWS accounts and regions

  • Peering uses a star configuration: 1 central VPC - 4 other VPCs

  • No transitive peering (peering must take place directly between VPCs)

    • Needs a one-to-one connection to the immediate VPC
  • No overlapping CIDR blocks
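The two peering rules above (no overlapping CIDR blocks, no transitive peering) are easy to check before opening a peering request. The following is an added example, not code from the notes or from AWS: the VPC names, CIDR blocks and the hub-and-spoke peering list are constructed, and `reachable` deliberately models only direct peerings, since a hub does not forward traffic between its spokes.

```python
"""Pre-flight checks for a proposed set of VPC peering connections.

Added example, not from the notes. Enforces two rules from the notes: peered VPCs may
not have overlapping CIDR blocks, and peering is not transitive, so a VPC can only reach
VPCs it is directly peered with. All VPC names and CIDRs below are constructed.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: a hub VPC peered with four spokes (the star layout the notes
# describe), one of which has a CIDR that clashes with the hub.
VPCS = {
    "hub":     "10.0.0.0/16",
    "spoke-a": "10.1.0.0/16",
    "spoke-b": "10.2.0.0/16",
    "spoke-c": "10.3.0.0/16",
    "spoke-d": "10.0.128.0/17",   # overlaps the hub: AWS will reject this peering
}

PEERINGS = [("hub", "spoke-a"), ("hub", "spoke-b"), ("hub", "spoke-c"), ("hub", "spoke-d")]


def overlapping_pairs(vpcs, peerings):
    """Return the peering pairs whose CIDR blocks overlap (these cannot be created)."""
    bad = []
    for a, b in peerings:
        net_a = ipaddress.ip_network(vpcs[a])
        net_b = ipaddress.ip_network(vpcs[b])
        if net_a.overlaps(net_b):
            bad.append((a, b))
    return bad


def reachable(peerings, src, dst):
    """True only if src and dst are *directly* peered: there are no transitive hops."""
    return (src, dst) in peerings or (dst, src) in peerings


def missing_spoke_links(peerings, spokes):
    """Spoke pairs that cannot talk to each other because peering is not transitive.
    Each such pair needs its own one-to-one peering connection (and routes)."""
    return [(a, b) for a, b in combinations(spokes, 2) if not reachable(peerings, a, b)]


if __name__ == "__main__":
    print("overlapping:", overlapping_pairs(VPCS, PEERINGS))
    print("hub -> spoke-a:", reachable(PEERINGS, "hub", "spoke-a"))
    print("spoke-a -> spoke-b:", reachable(PEERINGS, "spoke-a", "spoke-b"))
    print("extra peerings needed:", missing_spoke_links(PEERINGS, ["spoke-a", "spoke-b", "spoke-c"]))
```

A peering connection on its own carries no traffic: each side still needs a route for the peer's CIDR pointing at the peering connection, and the security groups must allow the peer's addresses.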


Route Tables


  • Route Tables are used to determine where network traffic is directed

  • Each subnet in your VPC must be associated with a route table

  • A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table


Internet Gateway (IGW)


  • The Internet Gateway allows your VPC access to the Internet

  • IGW does two things:

    1. Provide a target in your VPC route tables for internet-routable traffic
    2. Perform network address translation (NAT) for instances that have been assigned public IPv4 addresses
  • To route out to the internet, add a route to your route table with Destination 0.0.0.0/0 and Target the Internet Gateway
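The route table behaviour described in the two sections above can be modelled in a few lines: the most specific matching route wins, every table carries the implicit `local` route for the VPC CIDR, and the presence of a `0.0.0.0/0` route to an Internet Gateway is what makes a subnet public. This is an added example, not code from the notes or from AWS; the CIDRs are constructed and the `igw-EXAMPLE` / `nat-EXAMPLE` targets are placeholders, not real resource IDs.

```python
"""Route table lookup the way a VPC evaluates it (longest prefix match).

Added example, not from the notes. Route targets are constructed placeholders.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Constructed route tables: destination CIDR -> target.
PUBLIC_RT = {
    VPC_CIDR: "local",           # implicit route every VPC route table has
    "0.0.0.0/0": "igw-EXAMPLE",  # default route to the Internet Gateway: public subnet
}
PRIVATE_RT = {
    VPC_CIDR: "local",
    "0.0.0.0/0": "nat-EXAMPLE",  # default route to a NAT Gateway: outbound only
}
ISOLATED_RT = {
    VPC_CIDR: "local",           # no default route: no path to the internet at all
}


def lookup(route_table, dst_ip):
    """Return the target for dst_ip, or None when no route matches (packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        # Longest prefix match: a /16 beats a /0 for addresses inside the VPC.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is 'public' when its table sends 0.0.0.0/0 to an Internet Gateway."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")


if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, lookup(rt, "10.0.5.9"), lookup(rt, "198.51.100.7"), is_public_subnet(rt))
```

Note that a route to the IGW is necessary but not sufficient: the instance also needs a public IPv4 address for the IGW to perform the NAT step described above.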


Bastion/Jumpbox


  • Bastions are EC2 instances which are security hardened.

  • They are designed to help you gain access, via SSH or RDP, to your EC2 instances that are in a private subnet

  • They are also known as Jump boxes because you are jumping from one box to access another.

  • NAT Gateways/Instances are only intended for EC2 instances to gain outbound access to the internet for things such as security updates.

  • NATs cannot/should not be used as Bastions

  • Systems Manager's Session Manager replaces the need for Bastions


Direct Connect


  • AWS Direct Connect is the AWS Solution for establishing dedicated network connections from on-premises locations to AWS

  • Very fast network: lower bandwidth 50M-500M, or higher bandwidth 1GB or 10GB

  • Helps reduce network costs and increase bandwidth throughput (great for high traffic networks)

  • Provides a more consistent network experience than a typical internet-based connection (reliable and secure)


VPC Endpoints


  • Think of a secret tunnel where you don't have to leave the AWS network

  • VPC Endpoints allow you to privately connect your VPC to other AWS services, and VPC endpoint services

  • There are two types of VPC Endpoints

    1. Interface endpoints
    2. Gateway Endpoints
  • Eliminates the need for an Internet Gateway, NAT device, VPN connection or AWS Direct Connect connections

  • Instances in the VPC do not require a public IP address to communicate with service resources

  • Traffic between your VPC and other services does not leave the AWS network

  • Horizontally scaled, redundant and highly available VPC component

  • Allows secure communication between instances and services without adding availability risks or bandwidth constraints on your traffic


Interface Endpoints


  • Interface Endpoints are Elastic Network Interfaces (ENI) with a private IP address. They serve as an entry point for traffic going to a supported service
    • Interface Endpoints are powered by AWS PrivateLink
    • Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network
      • ~$7.5/mo
        • Pricing per VPC endpoint per AZ ($/hour) 0.01
        • Pricing per GB data processed ($) 0.01
  • Interface Endpoints support the following AWS services
    • API Gateway
    • CloudFormation
    • CloudWatch
    • Kinesis
    • SageMaker
    • CodeBuild
    • AWS Config
    • EC2 API
    • ELB API
    • AWS KMS
    • Secrets Manager
    • Security Token Service
    • Service Catalog
    • SNS - SQS
    • Systems Manager
    • Marketplace Partner Services
    • Endpoint Services in other AWS accounts

VPC Gateway Endpoints


  • A Gateway Endpoint is a gateway that is a target for a specific route in your route table, used for traffic destined for a supported AWS service.
  • To create a Gateway Endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection
  • AWS Gateway Endpoints currently support 2 services
    • Amazon S3
    • DynamoDB

VPC Flow Logs


  • VPC Flow Logs allow you to capture IP traffic information in and out of Network Interfaces within your VPC

  • Flow Logs can be created for

    1. VPC
    2. Subnets
    3. Network Interface
  • All log data is stored using Amazon CloudWatch Logs

  • After a Flow Log is created it can be viewed in detail within CloudWatch Logs

  • [version][account-id][interface-id][srcaddr][dstaddr][srcport][dstport][protocol][packets][bytes][start][end][action][log-status]

  • 2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

    • version The VPC flow logs version
    • account-id The AWS account ID for the flow log
    • interface-id The ID of the network interface for which the traffic is recorded
    • srcaddr The source IPv4 or IPv6 address. The IPv4 address of the network interface is always its private IPv4 address
    • dstaddr The destination IPv4 or IPv6 address. The IPv4 address of the network interface is always its private IPv4 address
    • srcport The source port of the traffic
    • dstport The destination port of the traffic
    • protocol The IANA protocol number of the traffic. For more information, see Assigned Internet Protocol Numbers.
    • packets The number of packets transferred during the capture window
    • bytes The number of bytes transferred during the capture window
    • start The time, in Unix seconds, of the start of the capture window
    • end The time, in Unix seconds, of the end of the capture window
    • action The action associated with the traffic
      • ACCEPT: The recorded traffic was permitted by the security groups or network ACLs
      • REJECT: The recorded traffic was not permitted by the security groups or network ACLs
    • log-status The logging status of the flow log
      • OK: Data is logging normally to the chosen destinations
      • NODATA: There was no network traffic to or from the network interface during the capture window
      • SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint or an internal error
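The field layout above is enough to parse default-format flow log records and do the most common triage: counting REJECTs per source address and per destination port, and separating NODATA windows (normal) from real traffic. The following is an added example, not code from the notes or from AWS. The first sample record is the one quoted above; the other records, including the `198.51.100.23` and `203.0.113.5` source addresses, are constructed for the example.

```python
"""Parser and triage helpers for VPC Flow Log records in the default format.

Added example, not from the notes. Field order follows the notes:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status. Sample records are constructed.
"""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample log: the record from the notes, plus REJECTs and a NODATA window.
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.23 172.31.16.21 49152 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-abc123de 198.51.100.23 172.31.16.21 49153 3389 6 2 120 1418530010 1418530070 REJECT OK
2 123456789010 eni-abc123de 203.0.113.5 172.31.16.21 40000 22 6 5 300 1418530010 1418530070 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """Split one record into a dict. Numeric fields become ints; a '-' field becomes None
    (NODATA and SKIPDATA records leave most fields empty this way)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_by_source(records, dstport=None):
    """Count REJECT records per source address, optionally only for one destination port.
    Many REJECTs from one source on port 22 is the usual 'someone is probing SSH' signal."""
    counts = Counter()
    for r in records:
        if r["action"] != "REJECT":
            continue
        if dstport is not None and r["dstport"] != dstport:
            continue
        counts[r["srcaddr"]] += 1
    return counts


def capture_windows_without_data(records):
    """NODATA records mean the interface saw no traffic in that window; they are not errors."""
    return sum(1 for r in records if r["log_status"] == "NODATA")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("rejects by source:", dict(rejected_by_source(recs)))
    print("ssh rejects by source:", dict(rejected_by_source(recs, dstport=22)))
    print("empty windows:", capture_windows_without_data(recs))
```

Because a flow log record is an aggregate over a capture window, `packets` and `bytes` are per-flow totals, not per-packet values; a REJECT record with several packets is one blocked flow that retried, not several attacks.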

NACLs


  • Network Access Control List (NACLs)

  • An (optional) layer of security that acts as a firewall for controlling traffic in and out of subnet(s).

  • NACLs act as a virtual firewall at the subnet level

  • VPCs automatically get a default NACL

  • Subnets are associated with NACLs. Subnets can only belong to a single NACL

  • Each NACL contains a set of rules that can allow or deny traffic into (inbound) and out of (outbound) the subnet

  • Rule # determines the order of evaluation, from lowest to highest. The highest rule # can be 32766 and it's recommended to work in 10 or 100 increments.

  • You can allow or deny traffic. You could block a single IP address (you can't do this with Security Groups)

  • Use Case

    • We determine that a malicious actor at a specific IP address is trying to access our instances, so we block their IP

    • We never need to SSH into instances, so we add a DENY for these subnets. This is just an additional measure in case our security groups' SSH port was left open.


Security Groups


  • Security Groups

    • A virtual firewall that controls the traffic to and from EC2 Instances
  • Security Groups are associated with EC2 instances

  • Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.

  • There are no 'Deny' rules. All traffic is blocked by default unless a rule specifically allows it.

  • Multiple Instances across multiple subnets can belong to a Security Group.

  • Use Case:

    • You can specify the source to be an IP range or a specific ip (/32 is a specific IP address)
    • You can specify the source to be another security group
    • An instance can belong to multiple Security Groups, and rules are permissive (instead of restrictive), meaning that if one Security Group has no allow rule and you add an allow rule to another, the traffic will be allowed.
  • Limits:

    • You can have up to 10,000 Security Groups in a Region (default is 2,500)
    • You can have 60 inbound rules and 60 outbound rules per Security Group
    • 16 Security Groups per Elastic Network Interface (ENI) (default is 5)
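The NACL and Security Group sections above describe two different evaluation models: a NACL walks its rules from the lowest number up, the first match wins, and anything unmatched hits the catch-all deny; a Security Group is a union of allow rules with no deny and no ordering. The example below models both for a single inbound packet and shows why the "DENY SSH at the NACL" use case from the NACL section still blocks traffic even when an instance's Security Group allows it. This is an added example, not code from the notes or from AWS; the rule sets, ports and the `203.0.113.5` / `10.0.0.0/16` addresses are constructed, and connection tracking (what makes Security Groups stateful) is intentionally not modelled.

```python
"""Two-layer inbound filtering: subnet NACL (stateless, ordered, implicit deny) followed by
the instance Security Group (allow-only, unordered). Added example, not from the notes;
all rules and addresses are constructed. Return-traffic state tracking is not modelled."""
import ipaddress

TCP = 6
EPHEMERAL = (1024, 65535)   # reply ports a *stateless* NACL must allow explicitly

# NACL rules: (rule_number, protocol, source_cidr, (low_port, high_port), action).
NACL_INBOUND = [
    (90,  TCP, "203.0.113.5/32", (0, 65535), "DENY"),    # block one malicious IP
    (100, TCP, "0.0.0.0/0",      (443, 443), "ALLOW"),
    (110, TCP, "0.0.0.0/0",      (22, 22),   "DENY"),    # we never SSH in: belt and braces
    (120, TCP, "0.0.0.0/0",      EPHEMERAL,  "ALLOW"),   # replies to our outbound connections
]

# Security group rules: (protocol, source_cidr, (low_port, high_port)). Allow-only.
SG_WEB = [(TCP, "0.0.0.0/0", (443, 443))]
SG_ADMIN = [(TCP, "10.0.0.0/16", (22, 22))]   # SSH left open to the whole VPC range


def _match(proto, cidr, ports, pkt):
    return (pkt["proto"] == proto
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(cidr)
            and ports[0] <= pkt["dport"] <= ports[1])


def nacl_decision(rules, pkt):
    """Lowest rule number first; the first matching rule decides. No match = the '*' DENY.
    Returns (action, rule_number) so you can see which rule fired."""
    for num, proto, cidr, ports, action in sorted(rules):
        if _match(proto, cidr, ports, pkt):
            return action, num
    return "DENY", "*"


def sg_decision(groups, pkt):
    """Union of every attached group's allow rules; order is irrelevant and there is no deny.
    Models new inbound connections only (replies are handled by state tracking, not rules)."""
    for rules in groups:
        for proto, cidr, ports in rules:
            if _match(proto, cidr, ports, pkt):
                return "ALLOW"
    return "DENY"


def admitted(nacl_rules, groups, pkt):
    """A packet reaches the instance only if the subnet NACL and then the SG both allow it."""
    action, _ = nacl_decision(nacl_rules, pkt)
    return action == "ALLOW" and sg_decision(groups, pkt) == "ALLOW"


if __name__ == "__main__":
    ssh_from_vpc = {"proto": TCP, "src": "10.0.1.10", "dport": 22}
    print("NACL:", nacl_decision(NACL_INBOUND, ssh_from_vpc))
    print("SG:  ", sg_decision([SG_WEB, SG_ADMIN], ssh_from_vpc))
    print("admitted:", admitted(NACL_INBOUND, [SG_WEB, SG_ADMIN], ssh_from_vpc))
```

Rule 90 sits below the HTTPS allow at 100 on purpose: with the numbers swapped, the allow would match first and the single-IP block would never be reached.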

NACL v/s Security Groups



Site to Site VPN , Virtual Private Gateway and Customer Gateway


  • Virtual Private Gateway (VGW)
    • VPN concentrator on the AWS side of the VPN connection
    • VGW is created and attached to the VPC from which you want to create Site-to-Site VPN connection
  • Customer Gateway Device (On-Premises)
    • What IP address to use?
      • Public Internet-routable IP address for your Customer Gateway device
      • If it's behind a NAT device that's enabled for NAT traversal (NAT-T), use the public IP address of the NAT device
  • Important step: enable Route Propagation for the Virtual Private Gateway in the route table that is associated with your subnets
  • If you need to ping your EC2 instances from on-premises, make sure you add the ICMP protocol on the inbound of your security groups

Secrets Manager


  • Helps to manage, retrieve and rotate database credentials, application credentials, OAuth tokens, API keys and other secrets throughout their lifecycles
  • Helps to improve security posture, because you no longer need hard-coded credentials in application source code.
    • Storing the credentials in Secrets Manager helps to avoid possible compromise by anyone who can inspect the application or its components.
    • Replace hard-coded credentials with a runtime call to the Secrets Manager service, retrieving credentials dynamically when you need them.
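The "replace hard-coded credentials with a runtime call" pattern looks like the following in practice: the secret is fetched when needed, cached briefly so a rotation is picked up without a redeploy, and re-fetched after an authentication failure. This is an added example, not code from the notes or from AWS. `get_secret_value` is the real boto3 Secrets Manager call; the secret name `prod/app/db`, the `CredentialProvider` class and the offline `FakeSecretStore` are constructed for this example so it runs without an AWS account.

```python
"""Hard-coded credentials versus a runtime lookup in AWS Secrets Manager.

Added example, not from the notes. get_secret_value is the real boto3 call; the secret
name 'prod/app/db' and the offline FakeSecretStore are constructed for this example."""
import json
import time

# BEFORE: a password in source code is visible to anyone who can read the repository,
# the container image or a process dump, and rotating it means a redeploy. Do not do this.
HARDCODED_DB = {"username": "app", "password": "hunter2", "host": "db.internal"}


def secrets_manager_fetcher(secret_id):
    """AFTER: fetch the secret string at runtime (needs AWS credentials and network access)."""
    import boto3  # imported here so the rest of the module runs offline
    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    return resp["SecretString"]


class CredentialProvider:
    """Retrieves a JSON secret on demand and caches it for ttl seconds, so a rotation
    in Secrets Manager is picked up without restarting the application."""

    def __init__(self, secret_id, fetcher=secrets_manager_fetcher, ttl=300, clock=time.monotonic):
        self.secret_id = secret_id
        self.fetcher = fetcher
        self.ttl = ttl
        self.clock = clock
        self._cached = None
        self._fetched_at = 0.0
        self.fetch_count = 0   # exposed so callers can see when a real fetch happened

    def get(self):
        now = self.clock()
        if self._cached is None or now - self._fetched_at >= self.ttl:
            self._cached = json.loads(self.fetcher(self.secret_id))
            self._fetched_at = now
            self.fetch_count += 1
        return self._cached

    def refresh(self):
        """Call after an authentication failure: the secret may have just been rotated."""
        self._cached = None
        return self.get()


class FakeSecretStore:
    """Constructed stand-in for Secrets Manager so the example runs offline."""

    def __init__(self, secret_id, values):
        self._secrets = {secret_id: json.dumps(values)}

    def fetch(self, secret_id):
        return self._secrets[secret_id]

    def rotate(self, secret_id, values):
        self._secrets[secret_id] = json.dumps(values)


if __name__ == "__main__":
    store = FakeSecretStore("prod/app/db", {"username": "app", "password": "first"})
    creds = CredentialProvider("prod/app/db", fetcher=store.fetch)
    print("connecting as", creds.get()["username"])   # never log the password itself
```

The application's IAM role needs `secretsmanager:GetSecretValue` on that one secret only, and the fetched value should stay in memory: writing it to a log, an environment file or a config dump recreates the hard-coded-credential problem the service is meant to remove.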