Amazon VPC Concepts: Difference between revisions
(→VPC ID) |
|||
Line 166: | Line 166: | ||
To give a subnet access to internet, add a route with a destination of 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic, and a target of the Internet gateway ID (igw-xxxxxxxx). | To give a subnet access to internet, add a route with a destination of 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic, and a target of the Internet gateway ID (igw-xxxxxxxx). | ||
Internet Gateway Operations: | |||
* [[Amazon_VPC_Operations#Create_an_Internet_Gateway|Create an Internet Gateway]] | |||
==NAT Gateway== | ==NAT Gateway== | ||
Revision as of 00:04, 10 April 2019
External
Internal
Overview
Amazon VPC provides a logically isolated section of the AWS Cloud where AWS resources run in a private virtual network.
Virtual Private Cloud (VPC)
A VPC is a virtual network dedicated to an AWS account and logically isolated from other virtual networks in the AWS Cloud. It can be thought of as an isolated portion of the AWS Cloud populated with private AWS resources, such as Fargate tasks. The VPC has a primary IP address range, specified as a CIDR Block, such as 10.0.0.0/16 or 10.7.0.0/16. Block sizes must be between /16 netmask and /28 netmask. More details about the CIDR.
A VPN uses subnets, route tables and security groups to segregate and route IP traffic. Each VPN has a default router configured based on the main route table.
A VPC spans all availability zones in a region. A VPC cannot span multiple regions. A subnet can belong to one and only one availability zone.
External access to internet can be provided by configuring an internet gateway. The VPC can be connected to a VPN with a virtual private gateway.
VPC ID
VPC Name
The name of the VPC can be specified by setting the "Name" tag, as shown here.
Primary IP Address Range (CIDR Block)
When the VPC is created, a range of IPv4 addresses in the form of a Classless Inter-Domain Routing (CIDR) block must be provided for the VPC. This is the primary CIDR block for the VPC. Example: 10.0.0.0/16.
Default VPC
Only one VPC per account is the default VPC.
Tenancy
The instance tenancy can be "default" or "dedicated". The default behavior is that instances can be launched with any tenancy. If the tenancy is configured as "dedicated", any instance launched into the VPC automatically has dedicated tenancy, unless it was explicitly launched with the default tenancy. Note that updating instance tenancy from "default" to "dedicated" requires replacement of the VPC.
Elastic Network Interface (ENI)
A VPC cannot be deleted if a network interface attached to it is in use.
Elastic IP Address
An Elastic IP address is a public IPv4 address, which is reachable from the internet. If an EC2 instance is associated with an Elastic IP, that instance can communicate with the internet. With an Elastic IP address, the failure of an instance or a service can be masked by rapidly remapping the address to another instance in the same account.
An elastic IP address seems to be a public routable address from Amazon's pool and logic to adjust VPC routing dynamically: the elastic IPv4 address is accessed through the internet gateway of your VPC.
Think of elastic IP addresses as resources that have to be provisioned and must be released, reused and deleted when they're not needed anymore.
Elastic IP addresses are used by:
DNS
A VPC has the capability to resolve DNS addresses. This capability is configured when the VPC is created, and can be updated without interruption after that. If the option to resolve DNS names is turned on, the Amazon DNS server resolves DNS hostnames for instances deployed in the VPC.
DNS Hostname Generation
Instances launched in a VPC may get hostnames, if the capability is explicitly configured (by default, it is not). The capability can be turned on only if DNS support is enabled.
VPC Operations
Subnet
A subnet is a range of IP addresses in the Virtual Private Cloud (VPC) that can be used to isolate different EC2 resources or ECS services from each other, within the same VPC, or from the Internet. The range of IP addresses in the subnet must be a subset of the VPC primary IP range, otherwise it is said that the subnet is not within range of the VPC CIDR. Block sizes must be between /16 netmask and /28 netmask. The size of the subnet can equal the size of the VPC.
Each subnet has a subnet ID: subnet-53993c24: 172.31.16.0/20.
Subnets enable you to group instances based on security and operational needs. Each subnet can belong to one and only one availability zone, and it cannot span zones.
To enable instances in a subnet to reach the Internet and AWS services, you must add an Internet gateway to the VPC and a route table with a route to the Internet to the subnet. It is also possible to allow an instance hosted in the VPC to initiate outbound connections to the internet over IPv4 but prevent unsolicited inbound connection from the internet, by using a NAT gateway. The IPv6 equivalent is an Egress-only internet gateway.
A subnet has a route table.
Relationship between VPC and Subnets
VPC Main route table and any custom route table contain an unremovable route that allows any subnet to route to any other subnet with the same VPC. The route maps the primary VPC address range to "local".
Subnet ID
Each subnet has a unique ID.
Subnet Types
Regardless of the type of subnet, the internal IPv4 address range of the subnet is always private, it is not routed.
Public Subnet
If a subnet's explicit or implicit route table contain a route, usually 0.0.0.0/0, to an internet gateway, the subnet is known as a public subnet. A subnet can auto-assign public IPv4 address. Does that make it a public subnet?
Private Subnet
If a subnet does not have a route in its explicitly associated route table or, if not implicitly associated, in the VPC main route table to an internet gateway, it is known as a private subnet. Usually the route to the gateway is 0.0.0.0/0.
VPN-Only Subnet
If a subnet does not have a route to an internet gateway, but has its traffic routed to a virtual private gateway for a site-to-site VPN connection, it is known as a VPN-only subnet.
Subnet Security
AWS provides two features that can be used to secure the VPC:
Security Groups
Security groups control inbound and outbound traffic for instances.
Network ACLs
Network ACLs control inbound and outbound traffic for subnets. Each subnet must be associated with a network ACL.
Route Table
A route table is a set of rules, called routes, that are used to determine where network traffic is directed. Each route specifies a destination CIDR and a target - the most specific routes that match are used to determine how to route the traffic. This is called "the longest prefix match" rule. Every route table contains a local route for communication within the VPC over IPv4. If the VPC has more than one IPv4 CIDR block, the route tables contain a local route for each IPv4 CIDR block.
A subnet must be associated with one and only one route table, but one route table can be associated with multiple subnets. If no route table is explicitly associated with the subnet, the subnet is implicitly associated with the VPC main route table. It is said to be implicitly associated because the VPC main route table does not list the subnet amongst those subnets it was explicitly associated with. It does show it in a separated list, with the following caption "the following subnets have not been explicitly associated with any route tables and are therefore associated with the main route table".
The subnet's route table, whichever it is, controls routing for the subnet.
Any route table comes with the a rule similar to:
10.7.0.0/16 -> local
The rule lists the primary IP address range of the VPC, as a CIDR block, with a "local" target. This rule cannot be deleted. This rule means that any subnet will be routed by default to any subnet within the VPC.
CIDR blocks for IPv4 and IPv6 are treated separately. For example, a route with a destination CIDR of 0.0.0.0/0 (all IPv4 addresses) does not automatically include all IPv6 addresses. You must create a route with a destination CIDR of ::/0 for all IPv6 addresses.
VPC Main Route Table
The VPC main route table is the default route table for the VPC - all VPC subnets are implicitly associated with it, unless they are explicitly associated with other route tables. The routes in the main route table can be modified. One way to protect a VPC is to leave the main route table in its original default state, with only the local route, and explicitly associate each new subnet with custom route tables. This gives control over how each subnet routes outbound traffic.
Main Router
The VPC has an implicit, main router configured based on the VPC main route table
Gateways
When an Internet gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint is added in the VPC, the route table for any subnet that uses these gateways or connections must be updated.
Internet Gateway
An internet gateway enables communication over the internet. An internet gateway is attached to the VPC.
To give a subnet access to internet, add a route with a destination of 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic, and a target of the Internet gateway ID (igw-xxxxxxxx).
Internet Gateway Operations:
NAT Gateway
NAT Gateways provide external access for private subnets. For example, if ECS tasks are running in private subnets, external access needs to be added so the task can pull the associated container images from their corresponding ECR repositories. One way to enable external access, without allowing unsolicited inbound connections is to create and use a NAT gateway. To enable instances in a private subnet to connect to the Internet, you can create a NAT gateway or launch a NAT instance in a public subnet, and then add a route for the private subnet that routes IPv4 Internet traffic (0.0.0.0/0) to the NAT device.
A NAT gateway may have an elastic (routable) IP address but it still need to be deployed behind an internet gateway so that public IP address is routed. That means the NAT must be deployed in a public subnet, has the routing configured to route the elastic IP of the NAT gateway externally to the internet. The private subnets that want unidirectional outbound internet connectivity will route to the NAT gateway. The NAT gateway is reachable over its private IP address, which is routed - and reachable - inside the VPC.
NAT Gateway Operations
Egress Only Internet Gateway
The IPv6 equivalent of NAT gateway.
Virtual Private Gateway
Virtual Private Network (VPN) Connection
A VPN connection enables communication between cooperating networks, such as a VPC and a corporate network.
Security
Security Group
Network Access Control List (ACL)
VPC and DNS
Instances executing in a default VPC are provided with a public and private DNS name, which correspond to the private and public IPv4 addresses of the instance.
Instances executing in a non-default VPC are provided with private DNS names, which correspond to the private IPv4 address of the instance. The instances may be provided with public DNS names, which correspond to the public IPv4 of the instance, if the following configuration attributes are set to true:
enableDnsHostnames
If set to true, the instances launched in this VPC get public DNS names (but only if enableDnsSupport is set to true.
enableDnsSupport
If set to true, the VPC supports DNS resolution.
Private Hosted Zones for VPC
To use private hosted zones, set enableDnsHostnames and enableDnsSupport to true when creating the VPC. Also see: