What is VPC?
VPC stands for Virtual Private Cloud.
An AWS VPC is a logically isolated AWS environment in the Amazon cloud.
It is like a virtual data centre in the Amazon cloud.
You have complete control over your virtual networking environment.
You define and control the networking-related parameters yourself.
For example, you can define a public subnet for the application servers and a private subnet for the database servers.
There are many options and services for securing your own VPC in the Amazon cloud.
Each region comes with a default VPC. Once you delete the default VPC you cannot recreate it yourself; AWS Support can recreate it for you.
You can create up to five VPCs in a region.
Components of Amazon VPC
VPC:
A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud.
CIDR:
Classless Inter-Domain Routing, the notation used for the IP address ranges of a VPC and its subnets.
A CIDR calculator: www.CIDR.xyz
Subnet:
- A subnet is a segmented piece of a larger network.
- Subnets are a logical partition of an IP network into multiple smaller networks. Hosts in a subnet communicate with each other directly and with other networks through routing.
- A subnetwork is a smaller network inside a larger network. Subnetting makes network routing much more efficient.
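To make the subnet idea concrete, here is an added example that is not part of the original notes. It carves a VPC CIDR block into one public and one private subnet per Availability Zone and checks the two invariants a VPC enforces: subnets must not overlap, and every subnet must lie inside the VPC block. The VPC range, the AZ names and the /24 subnet size are constructed sample values; the five reserved addresses per subnet are AWS behaviour that the notes do not mention.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast). AWS behaviour, not from the notes.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, new_prefix):
    """Carve the VPC CIDR into one public and one private subnet per AZ.

    Returns a list of dicts describing each subnet in allocation order.
    Raises ValueError when the VPC block is too small for the request.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    needed = 2 * len(azs)
    blocks = list(vpc.subnets(new_prefix=new_prefix))
    if len(blocks) < needed:
        raise ValueError(
            f"{vpc_cidr} only yields {len(blocks)} /{new_prefix} blocks, need {needed}")
    plan = []
    next_block = iter(blocks)
    for az in azs:
        for tier in ("public", "private"):
            block = next(next_block)
            plan.append({
                "name": f"{tier}-{az}",
                "tier": tier,
                "az": az,
                "cidr": str(block),
                "usable_hosts": block.num_addresses - AWS_RESERVED_PER_SUBNET,
            })
    return plan


def check_no_overlap(cidrs):
    """True if no two CIDRs overlap; subnets inside one VPC must be disjoint."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def fits_in_vpc(vpc_cidr, subnet_cidr):
    """A subnet must lie entirely inside the VPC's CIDR block."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


if __name__ == "__main__":
    # Constructed example: a /16 VPC split into /24 subnets across two AZs.
    plan = plan_subnets("10.0.0.0/16", ["ap-south-1a", "ap-south-1b"], 24)
    for s in plan:
        print(f"{s['name']:<22} {s['cidr']:<16} usable hosts: {s['usable_hosts']}")
    print("no overlap:", check_no_overlap([s["cidr"] for s in plan]))
```

The public/private split per AZ is the layout the notes describe (application servers in public subnets, database servers in private ones); allocating both tiers in every AZ is what later lets a NAT gateway or bastion in one AZ fail over to another.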
Internet Gateway:
An internet gateway connects the VPC directly to the internet.
We connect our own VPC to the internet through the internet gateway.
Traffic from a private subnet also ultimately leaves through it, via a NAT in the public subnet (see the NAT section below).
Routing Table:
Traffic is directed according to the routes configured in the route table.
A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
A route table specifies how packets are forwarded between the subnets within your VPC, the internet, and your VPN connection.
There are two kinds of service that allow a private subnet to access the internet.
Note: a private subnet is not connected to the internet; it is isolated, so when instances in it need internet access (for updates, for example) you must configure a NAT instance or a NAT gateway.
NAT instance:
- A NAT instance is an EC2 instance that lets instances in private subnets connect to the internet, other VPCs, or on-premises networks.
- A NAT instance is launched as an EC2 instance from a NAT community AMI.
- When creating a NAT instance, disable the source/destination check on the instance.
- NAT instances must be in a public subnet.
- There must be a route out of the private subnet to the NAT instance for this to work.
- The amount of traffic a NAT instance can support depends on the instance size. If it becomes a bottleneck, increase the instance size.
- To make a NAT instance highly available you can use Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover.
NAT Gateway:
- A NAT gateway lets EC2 instances in private subnets connect to the internet, other VPCs, or on-premises networks.
- A NAT gateway is created with an Elastic IP.
- It is highly available and gives a private subnet access to the internet.
- Preferred by enterprises.
- Scales automatically up to 10 Gbps.
- No need to patch.
- Not associated with security groups.
- A public IP address is assigned automatically once the NAT gateway is created.
- Remember to update your route table.
- More secure than a NAT instance.
Bastion instances:
A bastion instance is used to securely administer EC2 instances in private subnets (using SSH or RDP).
It acts as a jump box.
VPN Gateway:
The VPN gateway is the VPC-side endpoint that a VPN connection uses to reach our own VPC.
Router:
Incoming traffic is redirected to the router.
Routing Table:
Depending on the router configuration, traffic is redirected according to the route table.
Network ACL:
The network ACL checks whether the traffic is allowed or not; if allowed, it goes on to the respective subnet (private/public).
EC2 instance – Security group
The security group is applied at the instance level.
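The router, route table, network ACL and security group path described above can be modelled in a few lines. This is an added example, not code from the original notes: it implements longest-prefix route lookup, ordered first-match network ACL evaluation with the implicit final deny, and allow-only security group matching, then runs a few constructed packets through the inbound path. The route targets igw-EXAMPLE and nat-EXAMPLE, the CIDRs and the rules are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str  # CIDR the route applies to
    target: str       # "local", an internet gateway, a NAT gateway, a VPN gateway, ...


@dataclass
class AclRule:
    number: int       # NACL rules are evaluated in ascending number order
    protocol: str     # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"


@dataclass
class SgRule:
    protocol: str     # security groups only carry allow rules
    port_from: int
    port_to: int
    cidr: str


def lookup_route(routes, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip wins."""
    ip = ipaddress.ip_address(dst_ip)
    best_target, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and net.prefixlen > best_len:
            best_target, best_len = r.target, net.prefixlen
    return best_target


def _rule_matches(protocol, port_from, port_to, cidr, pkt):
    """A rule matches when protocol, port range and source CIDR all cover the packet."""
    if protocol != "-1" and protocol != pkt["protocol"]:
        return False
    if protocol != "-1" and not (port_from <= pkt["port"] <= port_to):
        return False
    return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(cidr)


def nacl_decision(rules, pkt):
    """First matching rule (lowest number) decides; no match hits the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _rule_matches(r.protocol, r.port_from, r.port_to, r.cidr, pkt):
            return r.action
    return "deny"


def sg_decision(rules, pkt):
    """Any matching allow rule admits the packet; otherwise it is dropped."""
    for r in rules:
        if _rule_matches(r.protocol, r.port_from, r.port_to, r.cidr, pkt):
            return "allow"
    return "deny"


def inbound_allowed(nacl_rules, sg_rules, pkt):
    """Inbound path from the notes: NACL at the subnet edge first, then the instance's SG."""
    return nacl_decision(nacl_rules, pkt) == "allow" and sg_decision(sg_rules, pkt) == "allow"


# Constructed sample configuration (targets and CIDRs are made-up values).
PUBLIC_ROUTES = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_ROUTES = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "nat-EXAMPLE")]
NACL_INBOUND = [
    AclRule(100, "tcp", 22, 22, "203.0.113.0/24", "deny"),  # block SSH from one range
    AclRule(200, "tcp", 0, 65535, "0.0.0.0/0", "allow"),    # otherwise allow TCP
]
SG_INBOUND = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),   # HTTPS from anywhere
    SgRule("tcp", 22, 22, "10.0.0.0/16"),   # SSH only from inside the VPC (the bastion)
]


def pkt(src, port, protocol="tcp"):
    """Build a minimal packet description for the evaluators above."""
    return {"src": src, "port": port, "protocol": protocol}


if __name__ == "__main__":
    print(lookup_route(PRIVATE_ROUTES, "198.51.100.7"))                        # nat-EXAMPLE
    print(inbound_allowed(NACL_INBOUND, SG_INBOUND, pkt("203.0.113.9", 22)))   # False (NACL 100)
    print(inbound_allowed(NACL_INBOUND, SG_INBOUND, pkt("198.51.100.7", 22)))  # False (SG)
    print(inbound_allowed(NACL_INBOUND, SG_INBOUND, pkt("10.0.0.10", 22)))     # True
```

The two filters differ in a way the model makes visible: the NACL has explicit deny rules and an ordering, so rule 100 blocks SSH from 203.0.113.0/24 before the broader rule 200 is consulted, while the security group can only allow, so SSH from an address outside the VPC is dropped simply because no rule covers it.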
VPC Flow Logs
VPC Flow Logs are used to capture information about the IP traffic in your VPC.
Flow logs are stored in Amazon CloudWatch; you can view and retrieve the data in Amazon CloudWatch Logs.
Flow logs can be captured at the VPC level, the subnet level, or the network interface level.
Types of flow logs:
VPC level – captures all traffic in the VPC
Subnet level – captures all traffic in the subnet
Network interface level – captures all traffic on the network interface
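Here is an added example, not part of the original notes, of what you can do with flow log data once it is in CloudWatch Logs: a parser for the default flow log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), followed by two checks a defender would run over it, counting REJECTed connections per source to a given port and summing bytes per network interface. The log lines are constructed; the account id and interface ids are placeholders.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log record.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (placeholder account id and interface ids).
# The last line is a NODATA record: no traffic in the window, so most fields are "-".
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.10 40211 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.10 40212 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.10 40213 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.0.10 10.0.1.10 51234 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 203.0.113.5 10.0.0.20 50001 443 6 12 6120 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log_line(line):
    """Split one record into a dict; numeric fields become int, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def parse_flow_logs(text):
    """Parse every non-empty line of a flow log export."""
    return [parse_flow_log_line(l) for l in text.splitlines() if l.strip()]


def rejected_by_source(records, dstport=None):
    """Count REJECT records per source address, optionally only for one destination port."""
    counts = Counter()
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "REJECT":
            continue
        if dstport is not None and r["dstport"] != dstport:
            continue
        counts[r["srcaddr"]] += 1
    return counts


def flag_noisy_sources(records, dstport, threshold):
    """Sources with at least `threshold` rejected connections to dstport, sorted."""
    counts = rejected_by_source(records, dstport)
    return sorted(src for src, n in counts.items() if n >= threshold)


def bytes_per_interface(records):
    """Total bytes per network interface; NODATA/SKIPDATA records carry no byte count."""
    totals = defaultdict(int)
    for r in records:
        if r["log_status"] == "OK":
            totals[r["interface_id"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    records = parse_flow_logs(SAMPLE_LOG)
    print("rejected SSH per source:", dict(rejected_by_source(records, 22)))
    print("sources over threshold:", flag_noisy_sources(records, 22, 3))
    print("bytes per interface:", bytes_per_interface(records))
```

Keying the REJECT count on the network interface's log status is deliberate: NODATA and SKIPDATA records carry no addresses or byte counts, and treating their "-" placeholders as real values would corrupt both the per-source counts and the byte totals.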
VPC Endpoint:
A VPC endpoint is used for private instances to communicate with AWS resources without sending traffic over the internet.
A VPC endpoint privately connects the VPC to AWS services without an internet gateway or NAT gateway.
There are two types of endpoint: interface endpoints and gateway endpoints.
Interface endpoint – associated with a security group and configured inside a subnet.
Gateway endpoint – associated with a route table and configured at the VPC level.