What is CIDR - IPv4?
- CIDR = Classless Inter-Domain Routing, a method for allocating IP addresses
Subnet Mask
- XX.XX.XX.XX -> Is the Base IP
- the value after the “/” is the subnet
- 32/ = No IP can change
- 24/ = The last IP can change
- 16/ = The last 2 IP’s can change
- 8/ = The last 3 IP’s can change
- 0/ = All the IP’s can change
What is Internet Gateway?(IGW)
- Allows resources in a VPC to connect to the internet.
- Must be created separately from a VPC
- One VPC can only be attached to one IGW and vice versa
- Internet Gateway on their own do not allow Internet access
- Route tables must also be edited.
What is Bastion Hosts?
- We use a Bastion Host to SSH into our private EC2 instances
Example
- When your EC2 instance is in a Private Subnet and you want to ssh to
it, you connect to a Bastion host in the Public Subnet and then connect
to the EC2 in the Private Subnet.
What is a NAT Intsance?
P294
- NAT = Network Address Translation
- Allows EC2 instances in private subnet to connect to the internet
- Must be launches in a public subnet
- Must have Elastic IP attached to it
- Route Tables must be configured to route traffic from private to the NAT instance
What is NAT Gateway?
- AWS managed NAT, higher bandwidth,high availability, no administration
- NATGW is created in a specific Availability Zone, uses an Elastic IP
- Required an IGW (Private Subnet => NATGW=>IGW)
What is NACL(Network Access Control List)
- NACL are like a firewall which control traffic from and to subnet
- One NACL per subnet, new subnet are siggned the DEFAULT NACL
- You define NACL Rules:
- Rules have number(1-32766)
- First rule match will drive the decision - Newly created NACL will deny everything
- NACL are great way of blocking specific IP address at the subnet level
- The Default NACL accepts everything inbound/outbound with the subnet its associated with
- NACL is stateless
What is VPC Reachability Analyzer?
- A network diagnostic tool that troubleshoots network connectivity between two endpoints in your VPC
- It used the network configuration to determine if two endpoints are reachable.
What is VPC Peering
- Privately connect two VPCs using AWS network.
- Make them behave as if they were in the same network.
- You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other.
What is VPC Endpoints (AWS PrivateLink)
P306
- VPC Endpoint allows you to connect to AWS services using a private network instead of using the public Internet. Because AWS is exposed to the public, it allows you to connect privately.
What 2 VPC Endpoints do you get?
1) Interface Endpoints
- Provisions an ENI(private IP address) as an entry point
- Supports most AWS services.
2) Gateway Endpoints
- Provisions a gateway and must be used as a target in a route table
- Supports both S3 and DynamoDB
What is VPC Flow Logs?
- Capture information abut IP traffic going into your interfaces:
> VCP flow logs
> Subnet Flow Logs
> Elastic Network Interface Flow Logs - Helps to minitor & troubleshoot connectivity issues
How to create a VPN connection between your VPC on AWS and on-premis site?
1) Virtual Private Gateway (VGW)
- VPN connector on AWS side.
2) Customer Gateway (CGW)
- Software application or physical device on customer/on-premise side of the VPN connection.
Important steps:
- Make sure to enable Route Propagation for the Virtual Private Gateway.
- If you need to ping your EC2 instances from on-premises, make sure you add the ICMP protocol on the inbound of your security groups.
What is AWS VPN CloudHub?
- Provide secure communication between multiple sites, if you have multiple VPN connections.
What is Direct Connect (DX)
p332
- Provided a dedicated private connection from a remote network to your VPC.
- Dedicated connection must be setup between your DC AWS Direct Connect locations
- You need to setup a Virtual Private Gateway on your VPC
What two resiliency do you get for direct connect?
1) High Resilliency
- One connection for multiple locations
2)Maximum Resiliency
- Having 2 or more connections at a location
What can you use as a backup when you use Direct Connect as a primary connection?
You can make use of Site-toSite VPN.
What is Transit Gateway?
- When you have multiple VPC’s and you want to connect them all together.
- Support IP Multicast
What is Egress-only Internet Gateway?
- Similar to a Nat Gateway but only used for IPv6
VPC Section Summary
Goto P341
What is AWS Network Firewall?
- Protects your entire Amazon VPC
- From layer 3 to layer 7 protection
- Any network data can be inspected
-
Section3: Getting started with AWS4
-
Section4: IAM & AWS CLI11
-
Notes1
-
Section 5: EC2 Fundamentals9
-
Section6: EC28
-
Section7: EC2 Instance Storage8
-
Section8: High Availability and scaling7
-
Section9: AWS Fundamentals:RDS + Aurora + ElastiCache10
-
Section10: Route 535
-
Section 12: Amazon S3 Introduction4
-
Section13: AWS SDK,IAM Roles & Policies1
-
Section 14: Advance Amazon S3 & Athena5
-
Section 15: CloudFront & AWS Global Accelerator4
-
Section 16: AWS Storage Extras15
-
Section 17: Decoupling applications:SQS,SNS,Kinesis,Active MQ8
-
Section 18: Containers on AWS:ECS, Fargate , ECR & EKS5
-
Section 19: Serverles overviews from a Solution Arhitect perspective4
-
Section 20: Serverless Solution Architecture Discussion1
-
Section 21: Databases in AWS13
-
Section 23: Identity and Access Management(IAM)5
-
Section 24: AWS Security & Encryption9
-
Section 25: Networking - VPC21
-
Section 29:Disaster Recovery & migrations8
-
Section 30: More Solution Architectures11
-
Section 32: Whitepapers and architectures1
