Note: The day before the exam, you should be able to build out your own VPC from memory
What is subnet?
- logical subdivision of an IP network
- the practice of dividing a network into two or more network
Why do we want to subnet a network?
- Security
- Organization
- Each subnet for a specific department
- Performance
Router in a subnet, allow all subnet talk to each other.
Control access from to network to network.
Single point of administration, no matter what to do, must go to router
How?
- By apply subnet mask
Benefit
IP 10.1.1.2 with subnet 255.255.255.0 knows that it can directly talk to 10.1.1.x by looking at subnet
If 10.1.1.2 want to talk to 10.1.x.x, it must go outside this subnet
https://www.youtube.com/watch?v=IDLrt-yppbI
Virtual/Logical data centre in the cloud
Consist of IGWs (internet gate way) or Virtual Private Gateways, Route table, Network ACL, Subnet, SG
Can launch AWS resources in a virtual network, subnet that you define
Assign custom IP address ranges in each subnet
Configure route tables between subnets
Create internet gateway and attach it to our VPC
Much better security control over AWS resources
Instance security groups
Subnet network access control lists (ACLs)
1 Subnet = 1 Availability Zone, however multiple subnet in the same AZ is ok, 1 subnet cannot spread multiple AZ
- 10.0.0.0: us-east-1a
- 10.1.0.0: us-east-1b
- For example, create a public-facing subnet for web server that has access to the Internet
- Backend system such as database or application server in a private-facing subnet with no Internet access
- Apply multiple layers or security: Security Groups (Stateful), Network ACL (Stateless, allow rules, deny rules, create inbound, does not automatically create outbound rule)
- User friendly, allow immediately deploy instance
- all subnet in default VPC have a route out to the internet
- each EC2 instance has both public/private IP address
- connect one VPC with another via a direct network route using private IP address
- instances behave as if they were on the same private network
- can peer VPC with other AWS accounts as well as with other VPC in the same account
- Peering is a star configuration, no transitive peering
- From B to C, can go through A, must setup a peering directly from B → C
- can peer between region
After create a new VPC, it will automatically create Route table, Network ACL, SG
Diagram is like below
Create 2 subnet, one for webserver (public purpose), one for database (private purpose)
Create Internet Gateway, then attach to VPC
Can only 1 Internet Gateway attach to 1 VPC
Create a second Route Table as Public Route table, this newly created is not Main (subnet not automatically associated - got security practice)
Add routes rule: 0.0.0.0/0 route out to internet gateway
Associate 10.0.1.0 subnet to Public route
Now, for eg if SSH from Web server instance to db instance, it not works, because SG not allow
→ Add SG, allow inbound rules ssh, ICMP, HTTP, MYSQL ...
→ There is more secure way to SSH into private instance → Bastion
The above private instance, how to connect install updates, install stuff from internet?
NAT: Network Address Translation
Enable EC2 instances, subnet able to go out in the internet and download software, so we need a way to communicate with IGW, however we don't want to make our subnet public
In the real world, usually use NAT Gateway.
NAT Instance: individual EC2 instance
NAT Gateway: highly available gateway allow private subnet communicate to internet
-
EC2 → Community AMIs → Search NAT
-
EC2 instance have source/dest check, only allow traffic it send/receive
- A NAT instance however act as a bridge between private subnet and outside internet
- → disable this check
-
To allow private instance to talk to NAT
- In main route table (the route private instance is using) add a route 0.0.0.0/0 target is NAT instance, allow to go to internet
SSH to public webserver
From there, SSH to private instance
yum update works!
However, if NAT instance got hang up, if it die, ... not reliable, need more HA
A feature that capture information about the IP traffic going to and from network in your VPC
Stored in CloudWatch Logs
Logs can be created at 3 levels
- VPC
- Subnet
- Network Interface Level
Special purpose computer designed and configured to withstand attacks
Hosts a single application and all other services are removed or limited to reduce threat
The reason is its location and purpose, which is either outside firewall or DMZ and usually involves access from untrusted networks or computers
- A NAT Gateway or NAT instance is used to provide internet traffic to EC2 instances in a private subnets
- A Bastion is used to securely administer EC2 instances (Using SSH or RDP)
- Cannot use NAT Gateway as a Bastion host
A cloud service that makes it easy to establish a dedicated network connection from your premises to AWS
Can establish private connectivity between AWS and your datacenter, office ..
Use for high throughput workloads, need a stable and reliable secure connection
Setting up Direct Connect
- Create virtual interface in Direct Connect console, this is a Public Virtual Interface
- In VPC console, go to VPN connections, create a Customer Gateway
- Create a Virtual Private Gateway
- Attach the Virtual Private Gateway to the desired VPC
- Select VPN Connections and create new VPN Connection
- Select Virtual Private Gateway and the Customer Gateway
- Once the VPN is available, set up the VPN on the customer gateway or firewall
Includes the following components
- Static IP Addresses
- Accelerator
- direct traffic to optimal endpoints over AWS global network
- Each accelerator includes one or more listeners
- DNS Name
- When create Accelerator it will assign a default DNS name xxxx.awsglobalaccelerator.com that points to the static IP addresses above
- Network Zone
- similar to AWS AZ
- Listener
- processes inbound connections from clients to GA based on ports and protocol
- Endpoint Group
- associated with a specific AWS Region
- can control traffic using traffic dials
- let you do testing or blue/green deployment
- Endpoint
- Network LB, ALB, EC2 instance or Elastic IP addresses
- Have endpoint weight as well
Privately connect your VPC to supported AWS services
VPC endpoint services powered by PrivateLink without requiring an IGW, NAT, VPN connection or AWS Direct Connect connection
Instances in your VPC do not require IP addresses to communicate with resources in the services
Traffic between VPC and other service does not leave Amz network
Endpoint are virtual devices, horizontally scaled, highly avail
2 types of endpoints
- Interface Endpoints
- elastic network interface with a private IP address that serves as an entry point
- basically attach an ENI to EC2 instance, allow that instance to communicate (directly, privately) to Amazon (supported) services, using Amz internal network, no need to traverse out to the Internet
- Gateway Endpoints
- like NAT Gateway
- support s3, dynamo db
Before GW endpoint: communicate to S3 by NAT, traverse out to the Internet
After GW endpoint: communicate with VPC Gateway
- US-EAST-1A in your AWS account can be a completely different AZ to US-EAST-1A in another AWS account, the AZ's are randomize
- Amz always reserve 5 IP Addresses within your subnets
- SG can't span VPCs
- The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size
- Can create HA using Autoscalling Groups, multiple subnets in different AZs, and a script to automate failover
- But this setup is a pain tho
- behind a Security Group
- NAT Gateway
- redundant inside AZ
- preferred by enterprise
- starts at 5GBPs and scales currently to 45Gbps
- no need patching OS
- not associated to any SG
- automatically assigned a public IP address
- remember to update route table
- no need to disable source/dest check
- should design that NAT Gateway indepent for each AZ
- When create VPC, Network ACL created by default
- This default ACL allows all outbound and inbound traffic
- Can create custom ACL, by default each custom ACL denies all inbound and outbound
- Add subnet to VPC, it will be associated with default Network ACL
- Can associate subnet with another ACL, it will remove subnet in the previous ACL, only associated with 1 ACL
- Network ACL can have multiple subnet associated to it
- Make any changes in network rule, those changes take effect immediately
- Rule are evaluate in numerical order
- Block IP address using ACL not SG
- Cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You can tag flow logs
- After create a flow log, cannot change its configuration (eg: associate a different IAM role with the flow log)
- Not all IP traffic is monitor
- Traffic when connect to Amz DNS server
- Trafffic generated by windows instance for Amz windows license activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
- Be default, any user-created VPC subnet WILL NOT automatically assign public ipv4 address
- the only subnet does this is the default VPC subnet auto created by AWS
- Until recently customer were not permitted to conduct pen test without AWS engagement, however that has changed, there are still conditions though
- Instances in a new subnets in a custom VPC can communicate with each other across AZ
- True/False?
- By default how many VPCs allowed in each AWS region?
- 5