What I have learned about VPC on AWS
Amazon-Web-Services ·This is the eighth post of content for preparing yourself for becoming an AWS Solutions Architect Associate.
In this post, we are going to focus on VPCs and networking features within AWS.
As I have done previously let’s look at the similarities and differences to the closest equivalent in Azure. As I go through this section, I will point out some of the similar platforms.
VPC
Virtual Private Cloud that provisions your own network configuration within the AWS datacenter. On Azure, a VPC would be a combination of Resource group and virtual network (VNet).
VPCs are regional and a subnet cannot be on multiple availability zones. Can create public and private subnets. Can create on private network ranges (10.0.0.0, 172.16.0.0, 192.168.0.0) Cannot create a subnet range any larger than /16 and /28 is the smallest.
Network ACL are stateless with allow and deny rules.
Default VPC allows you to immediately deploy instances. All subnets in default VPC have a route to the Internet. Each EC2 instance has a public and a private IP address.
Custom VPC requires additional configuration and routing rules.
VPC peering - connect one VPC to another on the same or different AWS accounts. Peering is a star configuration with no transitive peering.
- VPCs can peer across regions.
- Must do peering of VPC to VPC, cannot connect to another VPC through a peered VPC. This is different from Azure VNet peering that allows you to configure the peering to be transitive.
Custom VPC
When creating a Custom VPC, the following is created:
- Route table
- Network ACL
- Security Group
Subnet and Internet Gateway is not created by default.
Subnets cannot span multiple availability zones.
AWS does reserve 5 IP addresses, same with Azure for network address, VPC router, broadcast, DNS, and one future.
For a subnet to have a public IP address, you need to modify the IP assignment to enable public IP assignment to instances when created.
Internet gateway needs to be created and then attached to a VPC.
- only one Internet gateway can be assigned to one VPC.
After Internet gateway is created, you need to create a Route table for the VPC and configure the route to the Internet. The default Route table for the VPC should be left with it’s default private routing as a best practice.
Route to the Internet is 0.0.0.0/0 associated with the Internet Gateway. Associate the route table to the subnet that you want to make public under Subnet associations.
Security groups do not span VPCs and one security group cannot communicate with another.
Instances can be moved to be associated to different security groups.
NAT
NAT - Network Address Translation
Do not want to make instances public to the Internet, but do need the ability to go out to the Internet to get software updates.
NAT Instances is an EC2 instance and are out of date. Source and destination checks must be disabled for an EC2 NAT instance to work. NAT instances are not highly available or resilient, and can also become a bottleneck to traffic to the Internet. Must be in a public subnet with a route to the Internet. Always behind a security group.
NAT Gateways are used to address this issue. Route table will point 0.0.0.0/0 to the NAT Gateway. Redundant within the availability zone but cannot span AZs. No need to patch. Not associated to a security group and automatically assigned a public IP address.
Best practice is to have multiple NAT Gateways with a AZ independent architecture for high availability.
Network access control lists (ACL) v Security Groups
Network ACLs are associated to the VPC and subnets within that VPC.
- Inbound and outbound rules
- Default rules are DENY / DENY for inbound and outbound.
- Default NACL is assigned to any new subnets on the VPC.
- Association of the subnet can be moved to a custom NACL when it is created.
- Must open ephemeral ports for inbound and outbound NACL rules.
- Each subnet must be associated with a network ACL.
- IP addresses can only be blocked with NACLs, not Security groups.
- Lowest number rule takes priority.
Network access control lists are similar to the rules of a Network Security Group (NSG) within Azure.
Elastic Load Balancers (ELB) and Custom VPCs
- Application (HTTP/HTTPs)
- Network (TCP/TLS)
- Classic
Internet facing or internal load balancers are available. Internet facing load balancer requires an Internet gateway. A minimum of two (2) public subnets are required to create a ELB.
VPC Flow Logs
Amazon CloudWatch logs store all network traffic. Traffic flows can be reviewed at the following levels:
- VPC
- Subnet
- Network interface
Need a log group within CloudWatch to send logs to CloudWatch. Can send logs to a S3 bucket as well.
Network flow logs are similar to NetworkWatcher within Azure Monitor.
Peered VPCs must be within the same AWS account.
Cannot change a flow log configuration once it is created.
Amazon DNS, DHCP traffic is not tracked.
Bastions
Bastion is a special purpose computer that is hardened to withstand attacks and allows access from untrusted devices.
Bastion is configured on a public subnet that allows management ports. Bastion allows connection to the private subnet instances for a management port connnection.
In AWS, Bastion is more of a jump box configuration rather than the Azure Bastion.
Direct Connect
Direct Connect is the cloud service that creates a dedicated connection between the on-premises to the AWS datacenter. Direct and private connection on dedicated ISP connection.
High throughput, stable, reliable connection to AWS.
Connection from the Direct Connect partner cross-connect across the AWS backbone and then connect the last mile to company on-premises with a MPLS connection.
Steps to create Direct Connnect:
- Create a virtual interface in Direct Connect console. The Public Virtual Interface.
- In the VPC console VPN connections, create a Customer Gateway.
- Create a Virtual Private Gateway within your VPC.
- Attach the Virtual Private Gateway to the VPC.
- Select the VPN connections and create a new VPN connection.
- Select the Virtual Private Gateway and the Customer Gateway.
- Once the VPN is available, set up the VPN on the customer gateway or firewall.
Global Accelerator
- similar to Azure front door
- Uses Amazon backbone rather than the Internet
- 2 static IP address assigned or bring your own
- Directs to optimal endpoints
- One or more listeners are used
- Network zone is its own unit like an availability zone
- Endpoint groups are associated by geographic regions
- Configuration is similar to an Azure application gateway
VPC Endpoints
- private connection to connect to resources with PrivateLink
- Traverse traffic without going over the Internet
- Interface endpoint - attach to a resource to communicate to services over Amazon private network
- Gateway endpoint - won’t leave Amazon network. Use instead of a NAT gateway that uses the Internet.
AWS PrivateLink
- VPC to VPC connections through Amazon network
- Specific to a service where peering provides connection to all services. Peering needs many different connections that you need to manage
- Exposes a service to many VPCs through a network load balancer to service VPC and elastic network interface on customer VPC within the PrivateLink connect to the destination customer VPC.
AWS Transit Gateway
- Simplifies network topology
- Similar to Virtual WAN on Azure
- Creates a hub and spoke model
- Regional but used across multiple regions
- Limit how VPCs communicate
- Direct Connect and VPN support
- Only service that supports IP multicast
AWS VPN CloudHub
- Similar to Azure Virtual WAN
- Connect to multiple sites through a single hub and spoke architecture
- Manage multiple sites with VPN
AWS Network costs
- cost optimization
- Inbound traffic is free into the VPC
- Private IP in same AZ is free but you have a resiliency issue is AZ goes down
- There is a cost going across AZs using private IP
- Cost is double when going across the public Internet
- Inter-region costs between VPC incurs an additional costs
Remember:
- Security group - Stateful -ports opened give inbound and outbound
- Network ACL - Stateless - need to create inbound and outbound rules. More like NSG in Azure.
I hope that you are enjoying this information so far. It is helping me to continue to comprehend these services as I prepare for the exam myself. Thank you very much.
Reference links:
What I’ve Learned about IAM on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/03/20/aws-iam
What I’ve Learned about S3 on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/03/20/aws-s3
What I’ve Learned about EC2 on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/03/22/aws-ec2
What I’ve Learned about EBS on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/03/22/aws-ebs
What I’ve Learned about Cloudwatch on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/03/22/aws-cloudwatch
What I’ve Learned about RDS on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/03/22/aws-rds
What I’ve Learned about Route 53 on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/04/01/aws-dns
What I’ve Learned about VPC on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/04/01/aws-vpc
What I’ve Learned about High Availability on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/05/01/aws-ha
What I’ve Learned about Applications on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/05/02/aws-apps
What I’ve Learned about Security on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/05/03/aws-security
What I’ve Learned about Lambda and serverless on AWS
https://captainhyperscaler.github.io/amazon-web-services/2022/05/04/aws-serverless