VIRTUAL PRIVATE CLOUD (VPC) BASICS
VPC Sizing and Structure - PART1 (11:48)
VPC Considerations
Global Architecture
IP Ranges to Avoid
VPC - More Considerations
VPC Sizing
VPC Structure
VPC Sizing and Structure - PART2 (11:16)
VPC Design - End State
Custom VPCs - PART1 - THEORY (10:10)
VPC Design - Basic
Custom VPC: Overview
Custom VPC: IP address
Custom VPC: DNS in the VPC
[DEMO] Custom VPCs - PART2 - DEMO (5:40)
VPC Subnets (10:42)
VPC Subnets
How many subnets can an AZ have?
An AZ can have many subnets.
How many AZs can a subnet span?
A subnet can only be in ONE AZ.
Subnet IP Addressing
VPC Subnets - Auto Assign IP & DHCP
[DEMO] Implement multi-tier VPC subnets (15:24)
No. | Subnet Name | Network Address | CIDR | AZ | IPv6 (subnet hex ID) | Host Address Range | Broadcast Address |
---|---|---|---|---|---|---|---|
1 | sb-reserved-A | 10.16.0.0 | 10.16.0.0/20 | AZ-A | 00 | 10.16.0.1 - 10.16.15.254 | 10.16.15.255 |
2 | sb-db-A | 10.16.16.0 | 10.16.16.0/20 | AZ-A | 01 | 10.16.16.1 - 10.16.31.254 | 10.16.31.255 |
3 | sb-app-A | 10.16.32.0 | 10.16.32.0/20 | AZ-A | 02 | 10.16.32.1 - 10.16.47.254 | 10.16.47.255 |
4 | sb-web-A | 10.16.48.0 | 10.16.48.0/20 | AZ-A | 03 | 10.16.48.1 - 10.16.63.254 | 10.16.63.255 |
5 | sb-reserved-B | 10.16.64.0 | 10.16.64.0/20 | AZ-B | 04 | 10.16.64.1 - 10.16.79.254 | 10.16.79.255 |
6 | sb-db-B | 10.16.80.0 | 10.16.80.0/20 | AZ-B | 05 | 10.16.80.1 - 10.16.95.254 | 10.16.95.255 |
7 | sb-app-B | 10.16.96.0 | 10.16.96.0/20 | AZ-B | 06 | 10.16.96.1 - 10.16.111.254 | 10.16.111.255 |
8 | sb-web-B | 10.16.112.0 | 10.16.112.0/20 | AZ-B | 07 | 10.16.112.1 - 10.16.127.254 | 10.16.127.255 |
9 | sb-reserved-C | 10.16.128.0 | 10.16.128.0/20 | AZ-C | 08 | 10.16.128.1 - 10.16.143.254 | 10.16.143.255 |
10 | sb-db-C | 10.16.144.0 | 10.16.144.0/20 | AZ-C | 09 | 10.16.144.1 - 10.16.159.254 | 10.16.159.255 |
11 | sb-app-C | 10.16.160.0 | 10.16.160.0/20 | AZ-C | 0A | 10.16.160.1 - 10.16.175.254 | 10.16.175.255 |
12 | sb-web-C | 10.16.176.0 | 10.16.176.0/20 | AZ-C | 0B | 10.16.176.1 - 10.16.191.254 | 10.16.191.255 |
13 | | 10.16.192.0 | 10.16.192.0/20 | | | 10.16.192.1 - 10.16.207.254 | 10.16.207.255 |
14 | | 10.16.208.0 | 10.16.208.0/20 | | | 10.16.208.1 - 10.16.223.254 | 10.16.223.255 |
15 | | 10.16.224.0 | 10.16.224.0/20 | | | 10.16.224.1 - 10.16.239.254 | 10.16.239.255 |
16 | | 10.16.240.0 | 10.16.240.0/20 | | | 10.16.240.1 - 10.16.255.254 | 10.16.255.255 |
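Added example (not the course's own code): a Python script that carves 10.16.0.0/16 into the sixteen /20s above, hands them out AZ by AZ and tier by tier in the table's order, and derives each one's host range, broadcast address and two-digit IPv6 subnet hex. The IPv6 /56 is a constructed stand-in for the Amazon-provided block, and the script also subtracts the five addresses AWS reserves in every subnet, which the table's host range does not show.

```python
import ipaddress

AZS = ["A", "B", "C"]
TIERS = ["reserved", "db", "app", "web"]   # tier order used in the table
VPC = ipaddress.ip_network("10.16.0.0/16")
# Constructed stand-in for the Amazon-provided IPv6 /56 (use the real one in practice).
VPC_V6 = ipaddress.ip_network("2001:db8:aaaa:bb00::/56")
AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast


def subnet_plan(vpc=VPC, vpc_v6=VPC_V6, new_prefix=20, azs=AZS, tiers=TIERS):
    """Carve the VPC into /new_prefix subnets in address order.

    Subnets are assigned AZ by AZ, tier by tier, as in the table; any left
    over after the last AZ come back with name and az set to None.  The
    table's IPv6 column is the subnet's 8-bit hex id, i.e. the index of its
    /64 inside the VPC's /56, so it is computed from the same index.
    """
    names = [f"sb-{tier}-{az}" for az in azs for tier in tiers]
    v6 = list(vpc_v6.subnets(new_prefix=64))
    plan = []
    for idx, net in enumerate(vpc.subnets(new_prefix=new_prefix)):
        named = idx < len(names)
        plan.append({
            "no": idx + 1,
            "name": names[idx] if named else None,
            "az": f"AZ-{azs[idx // len(tiers)]}" if named else None,
            "cidr": str(net),
            "ipv6_hex": f"{idx:02X}",
            "ipv6_cidr": str(v6[idx]) if named else None,
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
            # usable addresses in AWS: 4096 - 5 reserved = 4091 for a /20
            "aws_usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


def find_subnet(plan, ip):
    """Return the plan entry whose CIDR contains ip, or None if it is outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for row in plan:
        if addr in ipaddress.ip_network(row["cidr"]):
            return row
    return None


if __name__ == "__main__":
    for row in subnet_plan():
        print(f'{row["no"]:>2} {row["name"] or "-":<14} {row["cidr"]:<16} '
              f'{row["az"] or "-":<5} {row["ipv6_hex"]} '
              f'{row["first_host"]} - {row["last_host"]}  {row["broadcast"]}')
```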
VPC Routing, Internet Gateway & Bastion Hosts (17:35)
VPC Router
Route Tables
How many subnets can a route table be associated with?
A Route Table can be associated with many subnets.
How many route tables can a subnet be associated with?
A subnet can be associated with only ONE Route Table.
Internet Gateway (IGW)
Using an IGW
IPv4 Addresses with an IGW - Outbound Traffic
IPv4 Addresses with an IGW - Inbound Traffic
Bastion Host / Jumpbox
[DEMO] Configuring A4l public subnets and Jumpbox - PART1 (13:45)
[DEMO] Configuring A4l public subnets and Jumpbox - PART2 (11:45)
Stateful vs Stateless Firewalls (14:04)
TCP
Every “connection” has 2 parts: REQUEST & RESPONSE
Directionality (inbound or outbound) depends on perspective (client/server)
With a stateless firewall, a connection needs 2 rules (1 IN, 1 OUT) to go through
With a stateless firewall, the response rule must match the client's ephemeral port, which is not the well-known port (e.g. 443, 80)
A stateful firewall is intelligent enough to identify the REQUEST and RESPONSE components of a connection as being related
Network Access Control Lists (NACLs) (12:38)
NACLs filter traffic across the subnet’s boundary
What is a NACL?
A set of rules grouped into:
- INBOUND rules 👉 match traffic ENTERING the subnet
- OUTBOUND rules 👉 match traffic LEAVING the subnet
What does a NACL do?
NACLs filter traffic across the subnet’s boundary.
How are a NACL's rules processed?
A NACL’s rules are processed in order:
- Lowest rule number first. 🤏1️⃣
- Once a match occurs, processing STOPS. 🛑
- If nothing else matched, the `*` rule is processed 👈 implicit DENY ❌
NACLs are stateless firewalls
Rule pairs (app port & ephemeral port) are needed on each NACL for each communication type which occurs:
- 🔄️ within a VPC
- ➡️ to a VPC
- ⬅️ from a VPC
Default NACL - the NACL created with a VPC
What does the default NACL do?
The default NACL does NOTHING. It has an ALLOW ALL rule.
A custom NACL DENIES ALL traffic when first created
NACL - Summary
Which AWS resources can be used with NACLs?
NACLs can only be used with subnets.
How many subnets can a NACL be associated with?
A NACL can be associated with MANY subnets.
How many NACLs can a subnet have?
A subnet can only have ONE (1) NACL.
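Added example (not the course's own code) covering both the stateless-firewall points above and the NACL processing rules: a small Python model that evaluates rules lowest-number-first, stops at the first match, falls through to the implicit `*` deny, and then checks a TCP connection as two halves, the request against the inbound rules and the response (back to the client's ephemeral port) against the outbound rules. The rule sets and addresses are constructed; the ephemeral range 1024-65535 follows the common NACL guidance.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluated lowest-first; first match wins
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple      # (low, high) destination port range, inclusive


def evaluate(rules, proto, remote_ip, dst_port):
    """Return (action, rule_number). No match -> the '*' rule, an implicit deny."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.protocol in ("all", proto) and ip in ipaddress.ip_network(r.cidr)
                and r.ports[0] <= dst_port <= r.ports[1]):
            return r.action, r.number          # processing STOPS at the first match
    return "deny", "*"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port, proto="tcp"):
    """Stateless check: the REQUEST (inbound, to server_port) and the RESPONSE
    (outbound, back to the client's ephemeral port) each need their own rule."""
    request = evaluate(inbound, proto, client_ip, server_port)
    response = evaluate(outbound, proto, client_ip, client_port)
    return request[0] == "allow" and response[0] == "allow", request, response


# Constructed NACL for a web subnet.  Rule 50 (a deny) sits BEFORE the allow, so it
# wins for its CIDR; rule 200 sits AFTER the allow, so for port 443 it is never reached.
INBOUND = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
    Rule(50, "deny", "tcp", "198.51.100.0/24", (0, 65535)),
    Rule(200, "deny", "all", "203.0.113.0/24", (0, 65535)),
]
OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]     # ephemeral half missing
OUTBOUND_FIXED = [Rule(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]  # response half of the pair

if __name__ == "__main__":
    print(connection_allowed(INBOUND, OUTBOUND_BROKEN, "203.0.113.9", 51234, 443))
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.9", 51234, 443))
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234, 443))
```

The first call fails only on the response half, which is the classic symptom of a NACL missing its ephemeral-port rule even though the application port is allowed.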
Security Groups (SG) (11:48)
A Security Group (SG) is a STATEFUL firewall
Which type of rules can an SG have?
An SG can only have ALLOW rules.
👉 An SG can’t block specific bad actors 😈
Can an SG deny traffic?
No. An SG can’t deny traffic, so it can’t block bad actors,
because SGs only support ALLOW rules.
Which kinds of sources do SG rules support?
SG rules support:
- CIDR blocks
- Many AWS logical resources:
- Other SGs
- Itself 🤯
- Prefix Lists 📃
What are SGs attached to?
SGs are attached to ENIs, not to instances.
An SG is applied to all traffic entering or leaving the ENI
An SG reference applies to anything which has the referenced SG attached
With an SG reference, any new instance that uses the referenced SG is automatically covered by that ALLOW rule
With an SG self-reference, the instances can scale easily
Network Address Translation (NAT) & NAT Gateway - PART1 (13:43)
The AWS Internet Gateway (IGW) is a NAT device (static NAT)
What can NAT be used for?
- IP masquerading 👺: hiding CIDR blocks behind one IP.
- Giving a private CIDR block outgoing internet access.
NAT Architecture - Example
Routing a packet from an instance in a private subnet …
… through the NAT Gateway (in a public subnet) …
… through the Internet Gateway, then to the public Internet.
NAT Gateways run from a public subnet and use Elastic IPs
What level of resilience does a NAT Gateway have?
A NAT Gateway is an AZ-resilient service.
How do you get region resilience for NAT Gateways?
A NATGW in each AZ, and a Route Table in each AZ that targets that AZ's NATGW.
Network Address Translation (NAT) & NAT Gateway - PART2 (11:08)
VPC Design - NATGW Full Resilience
NAT Instance vs NAT Gateway
What is a NAT instance?
NAT Gateway and IPv6
Which IP version can a NAT Gateway work with?
A NAT Gateway only works with IPv4; it doesn’t work with IPv6.
All IPv6 addresses in AWS are publicly routable. The IGW works with IPv6 directly, without the NAT Gateway.