Summary VPC
NAT Gateway
route 0.0.0.0/0 in the private subnet's route table to the NAT gateway
not behind an SG
redundant inside the AZ
preferred by enterprise
no need to patch
no SG can be attached to it; restrict traffic with the subnet's NACL or the instances' own SGs
needs an Elastic IP, which you associate when creating a public NAT gateway (it is not assigned automatically)
bandwidth starts at 5 Gbps and scales automatically (45 Gbps was the ceiling when this map was written; AWS has since raised it to 100 Gbps)
update your route tables
no need to disable source/dest checks
high availability
create a NAT gateway in each AZ
configure routing so resources use the NAT gateway in the same AZ (one private route table per AZ)
if you share one NAT gateway among resources in several AZs
if its AZ goes down --> the NAT gateway goes down --> resources in the other AZs lose internet access too
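The shared-NAT-gateway failure mode above, as an added example (this code is not part of the original map): it assigns each private subnet a NAT gateway in its own AZ, reports subnets that had to fall back to a cross-AZ gateway, and shows which healthy subnets lose egress when one AZ fails. Subnet IDs, NAT gateway IDs and AZ names are constructed.

```python
"""Plan per-AZ NAT gateway routing and simulate an AZ outage.

Added example, not part of the original mind map. The subnet IDs, NAT gateway
IDs and AZ names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: private subnets and the AZ each one lives in.
PRIVATE_SUBNETS = {
    "subnet-priv-a": "eu-west-1a",
    "subnet-priv-b": "eu-west-1b",
    "subnet-priv-c": "eu-west-1c",
}
# Anti-pattern from the map: one NAT gateway shared by every AZ.
SHARED_NATGW = {"nat-a": "eu-west-1a"}
# Recommended layout: one NAT gateway per AZ.
PER_AZ_NATGW = {"nat-a": "eu-west-1a", "nat-b": "eu-west-1b", "nat-c": "eu-west-1c"}


def plan_routes(private_subnets, nat_gateways):
    """Return ({subnet: natgw}, [subnets routed cross-AZ]).

    Each private subnet gets, as its 0.0.0.0/0 target, a NAT gateway in its
    own AZ when one exists; otherwise it falls back to any NAT gateway
    (sorted for determinism) and is reported as a cross-AZ dependency.
    """
    natgw_by_az = defaultdict(list)
    for natgw, az in nat_gateways.items():
        natgw_by_az[az].append(natgw)
    fallback = sorted(nat_gateways)
    routes, cross_az = {}, []
    for subnet, az in sorted(private_subnets.items()):
        if natgw_by_az[az]:
            routes[subnet] = natgw_by_az[az][0]
        else:
            routes[subnet] = fallback[0]
            cross_az.append(subnet)
    return routes, cross_az


def egress_lost_on_az_failure(routes, private_subnets, nat_gateways, failed_az):
    """Subnets outside failed_az that lose internet egress when it goes down.

    Subnets inside the failed AZ are down anyway; the interesting casualties
    are the healthy subnets whose default route points at a NAT gateway in
    the failed AZ.
    """
    return sorted(
        subnet for subnet, natgw in routes.items()
        if nat_gateways[natgw] == failed_az and private_subnets[subnet] != failed_az
    )


if __name__ == "__main__":
    for label, natgws in (("shared", SHARED_NATGW), ("per-AZ", PER_AZ_NATGW)):
        routes, cross_az = plan_routes(PRIVATE_SUBNETS, natgws)
        lost = egress_lost_on_az_failure(routes, PRIVATE_SUBNETS, natgws, "eu-west-1a")
        print(f"{label}: routes={routes} cross_az={cross_az} lost_if_1a_fails={lost}")
```

With the shared layout the two subnets outside eu-west-1a depend on nat-a and lose egress when that AZ fails; with one gateway per AZ the cross-AZ list is empty and an AZ failure takes down only its own subnets.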
Network Access Control List (ACL)
VPC creation creates a default one that allows all traffic in/outbound
custom ACL creation deny all traffic by default
each subnet has to have an ACL associated
if a subnet has no specific ACL assigned it gets the default one
can deny a specific IP address or CIDR (an SG has allow rules only)
one ACL can be associated with multiple subnets
a subnet can only have one ACL
rules are numbered and evaluated lowest number first
the first rule that matches is applied; allow and deny can both appear in the same ACL, so the numbering decides
separate inbound and outbound rule sets
stateless: return traffic (e.g. replies to ephemeral ports) needs its own rule
NAT instance
must disable source/destination checks on the instance
must be in a public subnet
route 0.0.0.0/0 from the private subnet's route table to the instance for it to work
throughput depends on the instance type
if it becomes a bottleneck, increase the instance type
high availability has to be built yourself, with
autoscaling groups
multiple subnets in different AZs
a script that automates failover (rewriting the private route tables)
sits behind an SG (it is an instance), so its SG must allow the private subnets' traffic
VPC consists of
IGWs
Route Tables
Network Access Control Lists
Security Groups
Subnets
Creation of VPC
default Route Table
default Network Access Control List (NACL)
default Security Group
no subnets
no IGW (create and attach one yourself)
flow logs
cannot be enabled for a VPC peered with yours unless that VPC is in the same account
configuration cannot be changed after creation (delete and recreate instead)
could not be tagged when this map was written (flow logs now support tags)
not all traffic is captured; excluded:
traffic to the Amazon DNS server
Windows instance activation traffic
instance metadata service traffic (169.254.169.254)
DHCP traffic
Direct Connect
high throughput
stable and reliable private connection (a dedicated link; not encrypted by itself, so add a VPN or MACsec when encryption is required)
connects your data center to AWS
ELB
needs subnets in at least two AZs to create a load balancer (required for an ALB)
VPC Endpoints
traffic to the AWS service stays on the Amazon network (see tree)
Gateway endpoint (a route table entry; S3 and DynamoDB)
Interface endpoint (an ENI with a private IP in your subnet, via PrivateLink)
an AZ is a logical data center (one or more physical facilities)
1 subnet = 1 AZ (a subnet never spans AZs)
SGs are stateful
ACLs are stateless
NO transitive peering (peering A<->B and B<->C does not connect A to C)
AZ names are mapped randomly per AWS account, not per VPC (us-east-1a in one account need not be the same physical AZ as us-east-1a in another)
Amazon reserves 5 IP addresses within each subnet (the first four and the last)
can have only one IGW per VPC
SG cannot span VPCs
Bastion host: ssh/rdp entry point into your private subnet (jump box)
NAT is used for outbound internet traffic from EC2 instances in private subnets (not for inbound access to them)
can not use a NAT Gateway as Bastion
SG evaluates all rules before deciding (any matching allow rule admits the traffic)
ACL: first matching rule (lowest number) wins
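The NACL and SG evaluation rules from this map (numbered NACL rules with first match wins, NACL deny rules, stateless NACL vs stateful SG, SG evaluates all rules and is allow-only), as an added example that is not part of the original map. It simulates both decision procedures on constructed packets: a client on 203.0.113.10, a web server on 10.0.1.5 and an attacker in 198.51.100.0/24; all rules, addresses and ports are constructed.

```python
"""Simulate how a network ACL and a security group decide on a packet.

Added example, not part of the original mind map. The rules, IPs and ports
below are constructed to show three points from the map: NACL rules are
numbered and the first match wins, NACLs are stateless (reply traffic needs
its own rule) and can deny, while SGs are allow-only, stateful and evaluate
all rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int        # NACL evaluation order; ignored for security groups
    action: str        # "allow" or "deny" (security groups only use "allow")
    protocol: str      # "tcp", "udp" or "all"
    ports: tuple       # inclusive (low, high) destination port range
    cidr: str          # remote side: source for inbound, destination for outbound


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (arriving at the instance) or "out" (leaving it)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"

    def flow(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.protocol)

    def reverse_flow(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.protocol)


def matches(rule, pkt):
    """A rule matches on protocol, destination port range and the remote CIDR."""
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (
        rule.protocol in ("all", pkt.protocol)
        and rule.ports[0] <= pkt.dst_port <= rule.ports[1]
        and ip_address(remote) in ip_network(rule.cidr)
    )


def nacl_decision(rules, pkt):
    """Stateless: walk rules in number order, first match wins, otherwise the
    implicit '*' rule denies. Pass the rule set for pkt.direction only."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action
    return "deny"


def sg_decision(rules, pkt, conntrack):
    """Stateful and allow-only: a reply to a tracked flow is allowed without a
    rule lookup; otherwise every rule is considered and any match allows."""
    if pkt.reverse_flow() in conntrack:
        return "allow"
    if any(r.action == "allow" and matches(r, pkt) for r in rules):
        conntrack.add(pkt.flow())
        return "allow"
    return "deny"


# Constructed traffic: an HTTPS request, its reply, and a request from a bad network.
CLIENT = Packet("in", "203.0.113.10", 51000, "10.0.1.5", 443)
REPLY = Packet("out", "10.0.1.5", 443, "203.0.113.10", 51000)
ATTACKER = Packet("in", "198.51.100.7", 40000, "10.0.1.5", 443)

ALLOW_HTTPS = Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")
DENY_BAD_NET = Rule(90, "deny", "all", (0, 65535), "198.51.100.0/24")
LATE_DENY_BAD_NET = Rule(110, "deny", "all", (0, 65535), "198.51.100.0/24")
EPHEMERAL_OUT = Rule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")


def run_scenarios():
    results = {}
    # NACL: a deny numbered below the allow blocks the attacker; numbered above it, it never fires.
    results["nacl_deny_first"] = nacl_decision([DENY_BAD_NET, ALLOW_HTTPS], ATTACKER)
    results["nacl_deny_after_allow"] = nacl_decision([ALLOW_HTTPS, LATE_DENY_BAD_NET], ATTACKER)
    # NACL is stateless: the reply to the client's ephemeral port needs its own outbound rule.
    results["nacl_reply_no_ephemeral_rule"] = nacl_decision([], REPLY)
    results["nacl_reply_with_ephemeral_rule"] = nacl_decision([EPHEMERAL_OUT], REPLY)
    # SG is stateful: with no outbound rule at all, the reply is still allowed once the request was tracked.
    conntrack = set()
    results["sg_request"] = sg_decision([ALLOW_HTTPS], CLIENT, conntrack)
    results["sg_reply_no_outbound_rule"] = sg_decision([], REPLY, conntrack)
    # SG has no deny rules: with HTTPS open to 0.0.0.0/0 the attacker gets in; block the CIDR in the NACL instead.
    results["sg_attacker"] = sg_decision([ALLOW_HTTPS], ATTACKER, set())
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The two NACL orderings are the practical takeaway: a deny rule only blocks a source if its number is lower than the allow that would otherwise match, and an outbound NACL without an ephemeral-port allow silently breaks every inbound service even though the SG alone would have worked.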