Amazon VPC Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 03:42, 9 April 2019

External

Internal

Overview

Amazon VPC provides a logically isolated section of the AWS Cloud where AWS resources run in a private virtual network.

Virtual Private Cloud (VPC)

VPC IP Addressing

A VPC is a virtual network dedicated to an AWS account and logically isolated from other virtual networks in the AWS Cloud. It can be thought of as an isolated portion of the AWS Cloud populated with private AWS resources, such as Fargate tasks. The VPC has a primary IP address range, specified as a CIDR Block, such as 10.0.0.0/16 or 10.7.0.0/16. Block sizes must be between /16 netmask and /28 netmask. More details about the CIDR.

A VPC uses subnets, route tables and security groups to segregate and route IP traffic. Each VPC has a default router configured based on the main route table.

A VPC spans all availability zones in a region. A VPC cannot span multiple regions. A subnet can belong to one and only one availability zone.

Access to the internet can be provided by configuring an internet gateway. The VPC can be connected to a VPN with a virtual private gateway.

VPC ID

Primary IP Address Range (CIDR Block)

When the VPC is created, a range of IPv4 addresses in the form of a Classless Inter-Domain Routing (CIDR) block must be provided for the VPC. This is the primary CIDR block for the VPC. Example: 10.0.0.0/16.

Default VPC

Only one VPC per account is the default VPC.

Tenancy

Elastic Network Interface (ENI)

Elastic Network Interfaces

A VPC cannot be deleted if a network interface attached to it is in use.

Elastic IP Address

Elastic IP Addresses

An Elastic IP address is a public IPv4 address, which is reachable from the internet. If an EC2 instance is associated with an Elastic IP, that instance can communicate with the internet. With an Elastic IP address, the failure of an instance or a service can be masked by rapidly remapping the address to another instance in the same account.

An Elastic IP address appears to be a publicly routable address allocated from Amazon's pool, combined with logic that adjusts VPC routing dynamically: the Elastic IPv4 address is reached through the internet gateway of your VPC.

Elastic IP addresses are used by:

VPC Operations

Subnet

A subnet is a range of IP addresses in the Virtual Private Cloud (VPC) that can be used to isolate different EC2 resources or ECS services from each other, within the same VPC, or from the Internet. The range of IP addresses in the subnet must be a subset of the VPC primary IP range, otherwise it is said that the subnet is not within range of the VPC CIDR. Block sizes must be between /16 netmask and /28 netmask. The size of the subnet can equal the size of the VPC.

Each subnet has a subnet ID, for example subnet-53993c24 (172.31.16.0/20).

Subnets enable you to group instances based on security and operational needs. Each subnet can belong to one and only one availability zone, and it cannot span zones.

To enable instances in a subnet to reach the Internet and AWS services, you must add an Internet gateway to the VPC and associate with the subnet a route table that has a route to that gateway. It is also possible to allow an instance hosted in the VPC to initiate outbound connections to the internet over IPv4 while preventing unsolicited inbound connections from the internet, by using a NAT gateway. The IPv6 equivalent is an Egress-only internet gateway.

A subnet has a route table.

Relationship between VPC and Subnets

VPC and Subnets

The VPC main route table and any custom route table contain an unremovable route that allows any subnet to route to any other subnet within the same VPC. The route maps the primary VPC address range to "local".

Subnet ID

Each subnet has a unique ID.

Subnet Types

Regardless of the type of subnet, the internal IPv4 address range of the subnet is always private; it is not routed.

Public Subnet

If a subnet's explicit or implicit route table contains a route, usually 0.0.0.0/0, to an internet gateway, the subnet is known as a public subnet. A subnet can auto-assign public IPv4 addresses. Does that make it a public subnet?

Private Subnet

If a subnet's route table (the explicitly associated one or, if none is explicitly associated, the VPC main route table) does not have a route to an internet gateway, the subnet is known as a private subnet. Usually the route to the gateway is 0.0.0.0/0.

VPN-Only Subnet

If a subnet does not have a route to an internet gateway, but has its traffic routed to a virtual private gateway for a site-to-site VPN connection, it is known as a VPN-only subnet.

Subnet Security

VPC Security

AWS provides two features that can be used to secure the VPC:

Security Groups

Security groups control inbound and outbound traffic for instances.

Network ACLs


Network ACLs control inbound and outbound traffic for subnets. Each subnet must be associated with a network ACL.

Route Table

Route Tables

A subnet must be associated with one and only one route table. If no route table is explicitly associated with the subnet, the subnet is implicitly associated with the VPC main route table. It is said to be implicitly associated because the VPC main route table does not list the subnet amongst the subnets explicitly associated with it; instead, it shows it in a separate list with the caption "the following subnets have not been explicitly associated with any route tables and are therefore associated with the main route table".

Any route table comes with a rule similar to:

10.7.0.0/16 -> local

The rule lists the primary IP address range of the VPC, as a CIDR block, with a "local" target. This rule cannot be deleted. This rule means that any subnet will be routed by default to any subnet within the VPC.

VPC Main Route Table

The VPC main route table is the default route table for the VPC - all VPC subnets are implicitly associated with it, unless they are explicitly associated with other route tables.

Gateways

Internet Gateway

An internet gateway enables communication over the internet. An internet gateway is attached to the VPC.

Egress Only Internet Gateway

The IPv6 equivalent of a NAT gateway.

NAT Gateway

NAT Gateways

NAT gateways provide external access for private subnets. For example, if ECS tasks run in private subnets, external access must be added so that the tasks can pull their container images from the corresponding ECR repositories. To enable that external access, a NAT gateway must be created. Important: the NAT gateway must be placed in a public subnet, that is, one whose route table has a route to an internet gateway.
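An added Python check, not code from the NovaOrdis page or from AWS, that applies the rules stated in the Subnet, Subnet Types, Route Table and NAT Gateway sections above: subnet CIDR sizing and containment within the VPC range, explicit versus implicit route table association, public/private/VPN-only classification by route target, and NAT gateway placement. The topology and the resource ids (subnet-..., rtb-..., igw-placeholder, vgw-placeholder) are constructed placeholders, not real AWS resources.

```python
import ipaddress

# Constructed sample topology; resource ids are placeholders, not real AWS ids.
VPC_CIDR = "10.7.0.0/16"
SUBNETS = {
    "subnet-public-a": "10.7.1.0/24",
    "subnet-private-a": "10.7.2.0/24",
    "subnet-vpn-a": "10.7.3.0/24",
    "subnet-outside": "10.8.0.0/24",  # deliberately not within the VPC CIDR
}
# Every route table carries the unremovable "VPC CIDR -> local" route.
ROUTE_TABLES = {
    "rtb-main": [("10.7.0.0/16", "local")],
    "rtb-public": [("10.7.0.0/16", "local"), ("0.0.0.0/0", "igw-placeholder")],
    "rtb-vpn": [("10.7.0.0/16", "local"), ("0.0.0.0/0", "vgw-placeholder")],
}
MAIN_ROUTE_TABLE = "rtb-main"
# Explicit subnet -> route table associations; a subnet missing here is
# implicitly associated with the main route table.
ASSOCIATIONS = {"subnet-public-a": "rtb-public", "subnet-vpn-a": "rtb-vpn"}

def check_subnet_cidr(vpc_cidr, subnet_cidr):
    """Sizing rules: /16 to /28 block, and within the VPC primary range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    net = ipaddress.ip_network(subnet_cidr)
    if not 16 <= net.prefixlen <= 28:
        return "invalid block size"
    if not net.subnet_of(vpc):  # a subnet may equal the whole VPC range
        return "not within VPC CIDR"
    return "ok"

def effective_route_table(subnet_id):
    """Explicit association wins; otherwise the VPC main route table applies."""
    return ASSOCIATIONS.get(subnet_id, MAIN_ROUTE_TABLE)

def classify_subnet(subnet_id):
    """public: route to an internet gateway; vpn-only: route to a virtual
    private gateway instead; private: neither."""
    routes = ROUTE_TABLES[effective_route_table(subnet_id)]
    targets = [target for _, target in routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"

def nat_gateway_placement_ok(subnet_id):
    """A NAT gateway must live in a public subnet to provide egress."""
    return classify_subnet(subnet_id) == "public"
```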

NAT Gateway Operations

Virtual Private Gateway

Virtual Private Network (VPN) Connection

A VPN connection enables communication between cooperating networks, such as a VPC and a corporate network.

Security

VPC Security

Security Group

Network Access Control List (ACL)

VPC and DNS


Instances executing in a default VPC are provided with a public and a private DNS name, which correspond to the public and private IPv4 addresses of the instance.

Instances executing in a non-default VPC are provided with private DNS names, which correspond to the private IPv4 address of the instance. The instances may be provided with public DNS names, which correspond to the public IPv4 address of the instance, if the following configuration attributes are set to true:

enableDnsHostnames

If set to true, the instances launched in this VPC get public DNS names (but only if enableDnsSupport is also set to true).

enableDnsSupport

If set to true, the VPC supports DNS resolution.

Private Hosted Zones for VPC

To use private hosted zones, set enableDnsHostnames and enableDnsSupport to true when creating the VPC. Also see:

Private Hosted Zone