Amazon VPC
Connectivity
Peering
- connects two VPCs; originally limited to the same region, inter-region peering is now supported as well
- the two VPCs can belong to different accounts
- created via a request / accept handshake (an unaccepted request expires after 7 days)
- no transitive routing: peerings A-B and B-C do not let A reach C
- the CIDR ranges of the two VPCs can't overlap
- at most one active peering connection between a given pair of VPCs
VPN
Customer Gateway
- the single device or software VPN endpoint on the on-premise side
- if the CGW supports BGP (Border Gateway Protocol), use dynamic routing; otherwise the routes have to be configured statically
- the IPsec tunnels are initiated from the CGW side (AWS does not originate them by default)
- each VPN connection consists of two separate tunnels, terminating on different AWS endpoints, for redundancy
Endpoints
- private access to another AWS service without leaving the VPC (when this map was written only S3 was supported; gateway endpoints now also cover DynamoDB, and interface endpoints (PrivateLink) cover most other services)
- one service can have multiple endpoints defined, each exposed to different subnets via a route (destination = the service prefix list) in those subnets' route tables
Elastic IP Address
- lifecycle: allocated to the account, then associated with an instance / ENI, then released
- charged while allocated but not associated with a running instance (since February 2024 every public IPv4 address is charged hourly, associated or not)
- can be re-associated within the same region, including to an instance in a different VPC
- each EIP maps to exactly one private IPv4 address on one elastic network interface (an ENI with several private IPs can carry several EIPs)
Security
Security Groups
- stateful: return traffic of an allowed connection is accepted automatically, whatever the rules in the other direction say
- attached at the instance level, to each elastic network interface
- only allow rules, no deny rules (anything not explicitly allowed is dropped)
- inbound and outbound rules defined separately
- a newly created SG allows no inbound traffic and all outbound traffic
- changes are applied immediately to every instance using the group
default SG:
- every VPC comes with one
- allows all outbound traffic
- inbound only from instances that are members of the same default SG (a self-referencing rule); all other inbound traffic is dropped
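The stateful / stateless distinction above is where most "the rule is there but the connection hangs" tickets come from. The following is an added example, not content from the original map or AWS code: a small model of how a security group tracks flows (so a reply needs no outbound rule) versus how a network ACL evaluates every packet on its own (so the reply needs an explicit ephemeral-port rule). Rule fields loosely mirror the EC2 API (IpProtocol / FromPort / ToPort / CidrIp); the packets, group names and NACL contents are constructed for the example.

```python
"""Stateful security group vs stateless network ACL evaluation.
Constructed model for illustration (not AWS code): rule fields loosely
mirror the EC2 API; the flow key is a 5-tuple, which is how connection
tracking recognises a reply."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str = "-1"               # "-1" = any protocol, any port
    from_port: int = 0
    to_port: int = 65535
    cidr: str = "0.0.0.0/0"
    sg_ref: Optional[str] = None    # SG rules may reference a group instead of a CIDR
    allow: bool = True              # NACL rules can deny; SG rules are allow-only


def _matches(rule: Rule, peer_ip: str, peer_sg: Optional[str], port: int, pkt: Packet) -> bool:
    if rule.proto != "-1":
        if rule.proto != pkt.proto or not rule.from_port <= port <= rule.to_port:
            return False
    if rule.sg_ref is not None:
        return rule.sg_ref == peer_sg
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    tracked: Set[Tuple] = field(default_factory=set)   # connection-tracking table

    def allows(self, pkt: Packet, direction: str, peer_sg: Optional[str] = None) -> bool:
        """direction 'in' = packet arriving at a member ENI, 'out' = leaving it."""
        if direction == "in":
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # (local, remote)
            rules, peer = self.inbound, pkt.src
        else:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            rules, peer = self.outbound, pkt.dst
        if key in self.tracked:          # stateful: reply to a tracked flow, no rule needed
            return True
        if any(_matches(r, peer, peer_sg, pkt.dport, pkt) for r in rules):
            self.tracked.add(key)
            return True
        return False                     # no deny rules: absence of a match is the deny


@dataclass
class NetworkAcl:
    inbound: List[Tuple[int, Rule]]      # (rule number, rule); lowest number first, first match wins
    outbound: List[Tuple[int, Rule]]

    def allows(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for _, rule in sorted(rules, key=lambda r: r[0]):
            if _matches(rule, peer, None, pkt.dport, pkt):
                return rule.allow
        return False                     # the implicit final '*' rule denies


def web_sg() -> SecurityGroup:
    # HTTPS in from anywhere, and deliberately no outbound rules at all
    return SecurityGroup("web", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])


def default_sg() -> SecurityGroup:
    # the VPC default SG: inbound only from members of itself, all outbound
    return SecurityGroup("default", inbound=[Rule(sg_ref="default")], outbound=[Rule()])


# Constructed sample flow: an external client talks to a web instance.
REQUEST = Packet("203.0.113.5", "10.0.1.10", "tcp", 51000, 443)
REPLY = Packet("10.0.1.10", "203.0.113.5", "tcp", 443, 51000)

# NACL that forgot the ephemeral-port rule, and the corrected one.
NACL_NO_EPHEMERAL = NetworkAcl(inbound=[(100, Rule("tcp", 443, 443))],
                               outbound=[(100, Rule("tcp", 443, 443))])
NACL_FIXED = NetworkAcl(inbound=[(100, Rule("tcp", 443, 443))],
                        outbound=[(100, Rule("tcp", 1024, 65535))])


def trace(nacl: NetworkAcl, sg: SecurityGroup = None) -> Tuple[bool, bool]:
    """(request reaches the instance, reply leaves the subnet)."""
    sg = sg or web_sg()
    request_in = nacl.allows(REQUEST, "in") and sg.allows(REQUEST, "in")
    reply_out = sg.allows(REPLY, "out") and nacl.allows(REPLY, "out")
    return request_in, reply_out


if __name__ == "__main__":
    print("missing ephemeral rule:", trace(NACL_NO_EPHEMERAL))   # (True, False)
    print("fixed NACL:", trace(NACL_FIXED))                      # (True, True)
```

The web SG has no outbound rule at all and the reply still leaves, because the request populated the tracking table; the first NACL admits the request on 443 but drops the reply because outbound port 51000 matches nothing and the trailing '*' rule denies. The same model shows the default SG's self-reference: a packet from a member of "default" is accepted, the same packet from an outside address is not.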
Topology
VPC
DHCP options set:
- domain-name-servers
- domain-name
- ntp-servers
- netbios-name-servers
- netbios-node-type
Default VPC: 172.31.0.0/16, with one public /20 subnet in each AZ
Subnet
Visibility
Public (instances reach, and are reachable from, the Internet through an IGW)
- attach an IGW to the VPC
- add a route table entry for the subnet sending all non-local traffic (0.0.0.0/0) to the IGW
- give the instances a public IPv4 address (auto-assign on the subnet, or an EIP); the route to the IGW alone is not enough
- configure NACLs / SGs to allow the traffic (NACLs are stateless, so return traffic on ephemeral ports must be allowed explicitly)
Routing
Route Tables
- each one has a 'local' entry covering the VPC CIDR for in-VPC communication, which cannot be removed
- each VPC comes with a main RT that can be modified; subnets not explicitly associated with another RT use it
- a VPC can have several RTs, but each subnet is associated with exactly one
- when entries overlap the most specific one (longest prefix) wins
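Longest-prefix selection is what makes a peering route win over the default route and the local route win over everything else. The following is an added example (not from the original map, not AWS code): a route table model with the mandatory local entry, a lookup that picks the most specific match, and a check that rejects a peering route overlapping the VPC's own range, which mirrors the no-overlap rule under Peering above. The target IDs (pcx-ab, nat-a, igw-a) and the CIDRs are placeholders; the model does not reproduce AWS's enforcement of non-transitivity, it only shows that a table with no entry for the far VPC sends that traffic down the default route instead.

```python
"""Route selection in a VPC route table: longest-prefix match over the
entries, starting from the 'local' route that every table carries.
Constructed example, not AWS code; target IDs are placeholders."""
import ipaddress
from typing import Dict, Optional


class RouteTable:
    def __init__(self, vpc_cidr: str):
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        # every route table starts with, and cannot drop, the local route
        self.routes: Dict[ipaddress.IPv4Network, str] = {self.vpc_cidr: "local"}

    def add_route(self, destination: str, target: str) -> "RouteTable":
        dest = ipaddress.ip_network(destination)
        # a peering route whose CIDR overlaps the VPC's own range is rejected,
        # mirroring the rule that peered VPCs can't have overlapping CIDRs
        if target.startswith("pcx-") and dest.overlaps(self.vpc_cidr):
            raise ValueError(f"peer range {dest} overlaps local range {self.vpc_cidr}")
        self.routes[dest] = target
        return self

    def lookup(self, ip: str) -> Optional[str]:
        """Target for a destination IP, or None if nothing matches (packet dropped)."""
        addr = ipaddress.ip_address(ip)
        matches = [(net, target) for net, target in self.routes.items() if addr in net]
        if not matches:
            return None
        # most specific entry wins: highest prefix length
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def private_subnet_table() -> RouteTable:
    """Private subnet in VPC A (10.0.0.0/16), peered with VPC B (10.1.0.0/16),
    default route through a NAT device. VPC C (10.2.0.0/16) is peered with B
    only, so A's table has no entry for it: that traffic follows 0.0.0.0/0."""
    return (RouteTable("10.0.0.0/16")
            .add_route("10.1.0.0/16", "pcx-ab")
            .add_route("0.0.0.0/0", "nat-a"))


def public_subnet_table() -> RouteTable:
    """Public subnet in the same VPC: default route to the Internet gateway."""
    return RouteTable("10.0.0.0/16").add_route("0.0.0.0/0", "igw-a")


if __name__ == "__main__":
    rt = private_subnet_table()
    for ip in ("10.0.3.4", "10.1.2.3", "8.8.8.8", "10.2.0.5"):
        print(ip, "->", rt.lookup(ip))   # local, pcx-ab, nat-a, nat-a
```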
NAT
NAT Instance
- an EC2 instance launched from an AMI configured to forward traffic from the private subnet
- performs source NAT to its own public IP and forwards the traffic to the IGW
- needs its own SG (allowing inbound from the private subnet CIDR), an EIP, and source/destination checking disabled on the instance
- the managed alternative is a NAT Gateway
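The public-subnet steps under Visibility and the NAT instance steps above are one procedure when done end to end. The following is an added example, not content from the original map or AWS code: it plans the sequence of API calls, validates the CIDRs first (subnets must sit inside the VPC, be /16 to /28, and not overlap), then applies the plan with boto3, threading the created IDs from one call into the next. The plan/apply split and the '$name' references are this example's own convention; the method names and keyword arguments are real boto3 EC2 client calls. It assumes boto3 is installed, credentials are configured, and the caller supplies an AMI id for the NAT instance; the CIDRs and the "nat" group name are placeholders.

```python
"""Build a public subnet and a NAT-instance route for a private subnet.
Constructed example, not AWS code. The plan/apply split and the '$name'
references are this example's own convention; the method names and
keyword arguments are real boto3 EC2 client calls."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

Step = Tuple[str, str, Dict[str, Any], Optional[List[Any]]]  # (name, method, kwargs, result path)


def plan_topology(vpc_cidr: str, public_cidr: str, private_cidr: str,
                  az: str, nat_ami: str) -> List[Step]:
    vpc = ipaddress.ip_network(vpc_cidr)
    pub, priv = ipaddress.ip_network(public_cidr), ipaddress.ip_network(private_cidr)
    for net in (pub, priv):
        if not net.subnet_of(vpc):
            raise ValueError(f"{net} is not inside {vpc}")
        if not 16 <= net.prefixlen <= 28:          # VPC subnets must be /16 .. /28
            raise ValueError(f"{net}: subnet size must be between /16 and /28")
    if pub.overlaps(priv):
        raise ValueError("subnets overlap")
    return [
        ("vpc", "create_vpc", {"CidrBlock": vpc_cidr}, ["Vpc", "VpcId"]),
        ("igw", "create_internet_gateway", {}, ["InternetGateway", "InternetGatewayId"]),
        ("attach", "attach_internet_gateway", {"InternetGatewayId": "$igw", "VpcId": "$vpc"}, None),
        ("public", "create_subnet", {"VpcId": "$vpc", "CidrBlock": public_cidr, "AvailabilityZone": az}, ["Subnet", "SubnetId"]),
        ("private", "create_subnet", {"VpcId": "$vpc", "CidrBlock": private_cidr, "AvailabilityZone": az}, ["Subnet", "SubnetId"]),
        # a route to the IGW is not enough: instances also need a public IPv4
        ("auto_ip", "modify_subnet_attribute", {"SubnetId": "$public", "MapPublicIpOnLaunch": {"Value": True}}, None),
        ("public_rt", "create_route_table", {"VpcId": "$vpc"}, ["RouteTable", "RouteTableId"]),
        ("public_default", "create_route", {"RouteTableId": "$public_rt", "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "$igw"}, None),
        ("public_assoc", "associate_route_table", {"RouteTableId": "$public_rt", "SubnetId": "$public"}, None),
        # NAT instance: own SG admitting the private subnet, EIP, source/dest check off
        ("nat_sg", "create_security_group", {"GroupName": "nat", "Description": "NAT instance", "VpcId": "$vpc"}, ["GroupId"]),
        ("nat_sg_in", "authorize_security_group_ingress", {"GroupId": "$nat_sg", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": private_cidr}]}]}, None),
        ("nat", "run_instances", {"ImageId": nat_ami, "InstanceType": "t3.micro", "MinCount": 1, "MaxCount": 1, "SubnetId": "$public", "SecurityGroupIds": ["$nat_sg"]}, ["Instances", 0, "InstanceId"]),
        ("nat_running", "wait", {"waiter": "instance_running", "InstanceIds": ["$nat"]}, None),
        ("nat_srcdst", "modify_instance_attribute", {"InstanceId": "$nat", "SourceDestCheck": {"Value": False}}, None),
        ("nat_eip", "allocate_address", {"Domain": "vpc"}, ["AllocationId"]),
        ("nat_eip_assoc", "associate_address", {"AllocationId": "$nat_eip", "InstanceId": "$nat"}, None),
        ("private_rt", "create_route_table", {"VpcId": "$vpc"}, ["RouteTable", "RouteTableId"]),
        ("private_default", "create_route", {"RouteTableId": "$private_rt", "DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "$nat"}, None),
        ("private_assoc", "associate_route_table", {"RouteTableId": "$private_rt", "SubnetId": "$private"}, None),
    ]


def resolve(value: Any, ids: Dict[str, str]) -> Any:
    """Replace '$name' references with ids created by earlier steps."""
    if isinstance(value, str) and value.startswith("$"):
        return ids[value[1:]]
    if isinstance(value, dict):
        return {k: resolve(v, ids) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, ids) for v in value]
    return value


def apply(plan: List[Step], ec2) -> Dict[str, str]:
    """Execute the plan against a boto3 EC2 client; returns the created ids."""
    ids: Dict[str, str] = {}
    for name, method, kwargs, path in plan:
        args = resolve(kwargs, ids)
        if method == "wait":                       # block until the NAT instance is running
            ec2.get_waiter(args.pop("waiter")).wait(**args)
            continue
        resp = getattr(ec2, method)(**args)
        if path:
            for key in path:
                resp = resp[key]
            ids[name] = resp
    return ids


def build(region: str, nat_ami: str) -> Dict[str, str]:
    import boto3   # imported here so the plan can be inspected without boto3 or AWS access
    ec2 = boto3.client("ec2", region_name=region)
    plan = plan_topology("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24", region + "a", nat_ami)
    return apply(plan, ec2)
```

The plan can be printed and reviewed before anything is created, and `apply` takes any object with the EC2 client's method names, so it can be exercised against a recording stub. The new security group keeps its default allow-all egress, which the NAT instance needs to forward traffic to the IGW; the ingress rule limits what it will forward to the private subnet's CIDR.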