Networking - Amazon VPC, AWS Direct Connect, AWS PrivateLink, VPN…
Networking - Amazon VPC
Subnet
VPN-only subnet = a subnet whose route table has no route to an Internet Gateway but does have a route to a Virtual Private Gateway (IPv4 only)
CIDR blocks
10.0.0.0 - 10.255.255.255 (10/8 prefix, VPC must be /16 or smaller)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix, VPC must be /16 or smaller)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix, VPC can be smaller)
CIDR of subnet can be same as VPC or smaller (allowed block size is between a /28 netmask and /16 netmask)
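The address-range and block-size rules above are easy to get wrong by hand, so here is an added checker (example code, not part of the original notes) that validates a proposed VPC CIDR against the RFC 1918 ranges and the /16../28 limit, and checks that a subnet sits inside its VPC without overlapping existing subnets. All CIDRs used are constructed sample values.

```python
import ipaddress

# Constructed list of the RFC 1918 ranges named in the notes (not from the original page).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_vpc_cidr(cidr: str) -> list:
    """Return a list of problems with a proposed IPv4 VPC CIDR (empty list = acceptable)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return ["only IPv4 CIDRs are checked here"]
    problems = []
    # A VPC block may be no larger than /16 and no smaller than /28.
    if net.prefixlen < 16:
        problems.append(f"{net} is larger than /16")
    if net.prefixlen > 28:
        problems.append(f"{net} is smaller than /28")
    # Primary VPC blocks should come from a private (RFC 1918) range.
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{net} is not inside an RFC 1918 range")
    return problems


def check_subnet_cidr(vpc_cidr: str, subnet_cidr: str, existing: list) -> list:
    """A subnet must lie within the VPC, be /16../28, and not overlap existing subnets."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    sub = ipaddress.ip_network(subnet_cidr, strict=False)
    problems = []
    if not sub.subnet_of(vpc):
        problems.append(f"{sub} is not within VPC {vpc}")
    if sub.prefixlen < 16 or sub.prefixlen > 28:
        problems.append(f"{sub} is outside the /16../28 size range")
    for e in existing:
        other = ipaddress.ip_network(e, strict=False)
        if sub.overlaps(other):
            problems.append(f"{sub} overlaps existing subnet {other}")
    return problems


if __name__ == "__main__":
    print(check_vpc_cidr("10.0.0.0/16"))        # []
    print(check_vpc_cidr("10.0.0.0/8"))         # too large for a VPC
    print(check_subnet_cidr("10.0.0.0/16", "10.0.0.0/25", ["10.0.0.0/24"]))
```

The check uses only the standard-library `ipaddress` module, so it can run in a CI step before any `create-vpc` or `create-subnet` call is made.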
Route tables
CIDR block added to routing table when associated with VPC (destination = CIDR block, target = local)
Route table association = association between a route table and a subnet, internet gateway, or virtual private gateway
Gateway route table = route table that's associated with an internet gateway or virtual private gateway
create a gateway route table for fine-grained control over the routing path of traffic entering your VPC
supports routes where the target is local (the default local route), a Gateway Load Balancer endpoint, or an ENI in the VPC that's attached to a middlebox appliance
Route propagation allows a virtual private gateway to automatically propagate routes to the route tables
Target = the gateway, network interface, or connection through which to send the destination traffic
The most specific route that matches the traffic is used to determine how to route it (longest prefix match)
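An added example (not code from the original notes) that implements the longest-prefix-match lookup described above over a small route table, and that also applies the "VPN-only subnet" definition from the Subnet section: a table with a Virtual Private Gateway route but no Internet Gateway route. The gateway IDs and CIDRs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block
    target: str        # "local", or a gateway/ENI id such as igw-..., vgw-..., nat-...


def lookup(route_table: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route whose destination is the longest prefix containing dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for r in route_table:
        net = ipaddress.ip_network(r.destination, strict=False)
        if net.version != ip.version:
            continue
        # A longer prefix is more specific and therefore wins.
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def is_vpn_only(route_table: List[Route]) -> bool:
    """True when the table routes to a virtual private gateway but not to an internet gateway."""
    targets = {r.target for r in route_table}
    has_igw = any(t.startswith("igw-") for t in targets)
    has_vgw = any(t.startswith("vgw-") for t in targets)
    return has_vgw and not has_igw


# Constructed route tables; the ids are placeholders, not real AWS resource ids.
PUBLIC_RT = [
    Route("10.0.0.0/16", "local"),            # added automatically for the VPC CIDR
    Route("0.0.0.0/0", "igw-EXAMPLE"),        # default route to the internet gateway
    Route("192.168.0.0/16", "vgw-EXAMPLE"),   # on-premises range via the VPN
]
PRIVATE_RT = [
    Route("10.0.0.0/16", "local"),
    Route("192.168.0.0/16", "vgw-EXAMPLE"),
]

if __name__ == "__main__":
    for ip in ("10.0.3.4", "192.168.1.1", "8.8.8.8"):
        print(ip, "->", lookup(PUBLIC_RT, ip))
    print("private table is VPN-only:", is_vpn_only(PRIVATE_RT))
```

A destination with no matching route (`lookup` returning `None`) is dropped, which is why `8.8.8.8` reaches nothing from the private table even though the public table sends it to the internet gateway.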
Security
Security groups
Is stateful: return traffic is automatically allowed, regardless of any rules
Applies to instance only if SG specified when launching the instance, or SG associated with instance later on
Default SG created when VPC created: allows inbound traffic from all ENIs assigned to the same SG, and allows all outbound IPv4 (and IPv6) traffic
Network ACLs
Rules processed in order, starting with lowest numbered rule, when deciding whether to allow traffic
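An added example (not from the original notes) showing how ordered, stateless network ACL evaluation differs from the stateful security group described above: rules are tried lowest number first, the first match decides, and anything unmatched falls through to the implicit deny. Because NACLs are stateless, the outbound set must also allow return traffic to the client's ephemeral port, which the constructed `OUTBOUND_BROKEN` table forgets. Rule numbers, CIDRs and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str        # source (inbound) or destination (outbound) CIDR
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def evaluate_nacl(rules: List[NaclRule], protocol: str, addr: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); (deny, None) means the implicit '*' rule applied."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action, r.number      # first match wins; later rules are never consulted
    return "deny", None


# Constructed rules for a subnet serving HTTPS. Rule 90 is listed last but evaluated first.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # replies to connections the subnet opens
    NaclRule(90, "tcp", "203.0.113.0/24", 0, 65535, "deny"),    # a blocked source range
]
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # only outbound HTTPS, no ephemeral ports
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # return traffic to clients' ephemeral ports
]

if __name__ == "__main__":
    print(evaluate_nacl(INBOUND, "tcp", "198.51.100.7", 443))     # ('allow', 100)
    print(evaluate_nacl(INBOUND, "tcp", "203.0.113.9", 443))      # ('deny', 90)
    # Reply from the server to a client's ephemeral port 51234:
    print(evaluate_nacl(OUTBOUND_BROKEN, "tcp", "198.51.100.7", 51234))   # ('deny', None)
    print(evaluate_nacl(OUTBOUND_FIXED, "tcp", "198.51.100.7", 51234))    # ('allow', 110)
```

With a security group the reply in the last two lines would be allowed automatically; with a NACL it is only allowed because rule 110 exists, which is the practical consequence of "stateless" in the notes.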
Flow log
Can be created for VPC, subnet or ENI
Type of traffic to capture: accepted, rejected or both
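An added example (not part of the original notes) that parses VPC flow log records in the default format and summarises rejected connections per source address, the kind of check a defender runs over a log captured with "rejected" or "both" selected. The field order is the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status); the log lines, account id and ENI id are constructed sample data.

```python
from collections import Counter
from typing import Dict, Iterable, Optional

# Field names of the default VPC flow log format, in order.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one default-format record; return None for malformed or NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None          # NODATA / SKIPDATA records carry '-' in the traffic fields
    for key in NUMERIC:
        rec[key] = int(rec[key])
    return rec


def rejected_by_source(lines: Iterable[str], dst_port: Optional[int] = None) -> Counter:
    """Count REJECT records per source address, optionally restricted to one destination port."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        if dst_port is not None and rec["dstport"] != dst_port:
            continue
        counts[rec["srcaddr"]] += 1
    return counts


# Constructed sample records (not real traffic); 6 = TCP.
SAMPLE = [
    "2 123456789012 eni-EXAMPLE1 203.0.113.12 10.0.1.5 49152 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-EXAMPLE1 203.0.113.12 10.0.1.5 49153 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-EXAMPLE1 198.51.100.8 10.0.1.5 40000 443 6 20 6000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-EXAMPLE1 203.0.113.77 10.0.1.5 40001 3389 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-EXAMPLE1 - - - - - - - 1700000000 1700000600 - NODATA",
]

if __name__ == "__main__":
    print(rejected_by_source(SAMPLE))             # all rejected sources
    print(rejected_by_source(SAMPLE, dst_port=22))  # only rejected SSH attempts
```

Flow logs record aggregated flows rather than packets, so a count here is a number of flow records in the aggregation interval, not a packet count; the `packets` field carries that.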
Shared VPCs
Share one or more subnets from VPC with multiple other accounts that belong to same AWS Organizations structure.
Participants can view, create, modify and delete application resources in subnet(s) shared with them
VPC owner can create flow log subscriptions at the VPC, subnet, or ENI level for traffic monitoring or troubleshooting
VPC owners are responsible for creating, managing and deleting all VPC-level resources
A subnet owner can attach a transit gateway to the subnet; participants cannot
Participants cannot launch resources using SGs that are owned by other participants or the VPC owner
Benefits
Separation of duties: centrally controlled VPC structure, routing, IP address allocation
Application owners continue to own resources, accounts, and security groups
Efficiencies: higher density in subnets, efficient use of VPNs and AWS Direct Connect
Costs can be optimized through reuse of NAT gateways, VPC interface endpoints, and intra-Availability Zone traffic
VPC Extension
AWS Outposts brings native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility
Wavelength Zones allow developers to build applications that deliver ultra-low latencies to 5G devices and end users
AWS Direct Connect
LAGs
a logical interface that uses the Link Aggregation Control Protocol (LACP) to aggregate multiple dedicated connections at a single AWS Direct Connect endpoint, allowing you to treat them as a single, managed connection
create a LAG from existing dedicated connections, or provision new dedicated connections
what
one end of the cable is connected to your router, the other to an AWS Direct Connect router
create virtual interfaces directly to public AWS services or to Amazon VPC, bypassing internet service providers
can use a single connection in a public Region to access public AWS services in all other public Regions
Resiliency Toolkit
Maximum Resiliency model (99.99% SLA)
High Resiliency model (99.9% SLA)
Classic model, intended for users that have existing connections and want to add additional connections
virtual interfaces
public virtual interface = allow AWS services, or AWS customers access to your public networks over the interface instead of traversing the internet
transit virtual interface = access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways
Direct Connect gateways
Direct Connect gateway is a globally available resource (create in 1 region, access from all other regions)
connections
Dedicated Connection
you can add a dedicated connection to a link aggregation group (LAG) allowing you to treat multiple connections as a single one
Hosted Connection
port speed 50/100/200/300/400/500 Mbps or 1/2/5/10 Gbps (cannot be changed after creation)
AWS uses traffic policing on hosted connections, which means that when the traffic rate reaches the configured maximum rate, excess traffic is dropped
AWS PrivateLink
VPC Endpoints
enables private connection from VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
Interface endpoint
ENI, so security groups can be applied
VPC Peering
a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses
between your own VPCs, or with a VPC in another AWS account
Transit Gateways
key concepts
associations
each route table can be associated with zero to many attachments and can forward packets to other attachments
route propagation
when an attachment is propagated to a transit gateway route table, these routes are installed in the route table
for transit gateway peering attachments, only static routes are supported
AZs
you must enable one or more Availability Zones to be used by the transit gateway to route traffic to resources in the VPC subnets
appliance mode support = ensures that the transit gateway continues to use the same Availability Zone for that VPC attachment for the lifetime of a flow of traffic between source and destination
Transit gateway = a network transit hub that you use to interconnect virtual private clouds (VPCs) and on-premises networks
AWS Network Firewall
a stateful, managed, network firewall and intrusion detection and prevention service