
AWS VPC

VPC – Virtual Private Cloud
One subnet = one Availability Zone
There is no hourly charge for the VPC itself, but you pay for VPN connections and NAT Gateways
Use a NAT Gateway or NAT instance to allow outbound traffic from a private subnet while preventing the instances from receiving inbound traffic
A VPC subnet can only be associated with one route table at a time
A VPC automatically comes with a default network ACL, which by default allows all inbound / outbound traffic. NOTE: a subnet can be associated with only one network ACL at a time.

  • logical data centers in AWS
  • A VPC can span multiple AZs but can’t span multiple regions; VPCs can be peered, but there is no transitive peering
  • A custom VPC can be at most /16; you can’t go larger than that (/8 is not allowed). Minimum is /28
  • When you create a custom VPC it creates a default security group, default network ACL and default route table; it doesn’t create a default subnet
  • One subnet == one AZ; a security group can span multiple AZs, and ACLs span across AZs (assign the SG and ACL to two different subnets)
  • Any CIDR block has 5 reserved IPs (.0, .1, .2, .3, .255), so for CIDR block /24: 2^8 – 5 = 256 – 5 = 251 available IP addresses
  • When you create an internet gateway it is detached by default; attach it to the VPC. Only 1 IGW per VPC
  • When you create a VPC a default route table (main route table) is created, holding the default routes:
  • 0.0.0.0/16 Local <— all subnets inside the VPC will be able to talk to each other, but don’t touch the main route table
  • Create another route table for the route out to the internet (0.0.0.0/0 IGW) <— route out to the internet
  • Lastly, associate this new route table with one of the subnets, which makes that subnet public (you can enable auto-assign public IP for the public subnet)
  • 1 subnet can have 1 route table
  • The ICMP protocol is for ping / monitoring
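
A small Python helper, added here as an illustration (it is not part of the original notes and not AWS code), that applies the sizing rules above with the standard `ipaddress` module: it rejects blocks outside the /16 to /28 range, lists the five reserved addresses of a subnet, computes the usable count (2^(32 - prefix) - 5) and checks that planned subnets sit inside the VPC block without overlapping. The CIDRs used are the ones from these notes; the /16 and /28 limits are taken from the bullets above.

```python
import ipaddress

# Limits stated in the notes: a VPC block is at most /16 and at least /28.
LARGEST_PREFIX = 16       # /16 = 65536 addresses, the biggest block allowed
SMALLEST_PREFIX = 28      # /28 = 16 addresses, the smallest block allowed
RESERVED_PER_SUBNET = 5   # .0 network, .1 router, .2 DNS, .3 future use, broadcast


def check_block(cidr):
    """Parse a CIDR and enforce the /16 .. /28 size range (applies to subnets too)."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f'{cidr}: prefix must be between /{LARGEST_PREFIX} and /{SMALLEST_PREFIX}')
    return net


def reserved_addresses(cidr):
    """The five addresses AWS keeps in every subnet, in order."""
    net = check_block(cidr)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(cidr):
    """2^(32 - prefix) minus the five reserved addresses."""
    return check_block(cidr).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check that every subnet lies inside the VPC block and that no two overlap;
    return {subnet: usable address count}."""
    vpc = check_block(vpc_cidr)
    nets = [check_block(c) for c in subnet_cidrs]
    for net in nets:
        if not net.subnet_of(vpc):
            raise ValueError(f'{net} is outside the VPC block {vpc}')
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f'{a} overlaps {b}')
    return {str(net): usable_addresses(str(net)) for net in nets}


if __name__ == '__main__':
    # CIDRs from the notes: a /16 VPC with two /24 subnets, one per AZ
    print(plan_subnets('10.0.0.0/16', ['10.0.1.0/24', '10.0.2.0/24']))
    print(reserved_addresses('10.0.1.0/24'))
```

Running it prints 251 usable addresses for each /24 and the reserved list 10.0.1.0 to 10.0.1.3 plus 10.0.1.255; feeding it a /8 or two overlapping subnets raises a `ValueError` before anything is created.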

NAT instance and NAT gateway:

  • NAT Instance –
    • disable source / destination check; always behind a security group; must be in a public subnet; must have an EIP; there must be a route out of the private subnet to the NAT
    • Increase the instance size if it is a bottleneck
    • Change the main route table – add a route (0.0.0.0/0, NAT instance target)
    • A NAT instance is a single point of failure (put it behind an ASG – Auto Scaling Group)
  • NAT gateway
    • released in 2016 – managed by Amazon
    • Amazon maintains it for you, no need to handle it yourself (security patches applied by AWS)
    • You just create the gateway and assign an EIP (put it in a public subnet) (automatically assigned)
    • Change the main route table – add a route (0.0.0.0/0, NAT gateway target)
    • No need to disable source/destination check and no need to put it behind a security group – it handles that for you
    • Highly available / redundant, no need for an ASG. NAT gateways are a little more costly – always use them in production; scales automatically up to 10Gbps

ACL vs SG:
Security groups:

  • SGs are stateful – any inbound rule applies to the outbound return traffic as well (only Allow rules)
  • by default all inbound denied, all outbound allowed
  • can span across AZs

ACLs are stateless –

  • For the default ACL, all inbound and outbound traffic is allowed by default – associated with all subnets in the VPC by default
  • For a custom ACL, all inbound and outbound traffic is denied by default – not associated with any subnet
  • 1 subnet is associated with only one ACL. ACLs have granular, numbered rules (recommended steps of 100)
  • rule no. 99 takes precedence over rule no. 100 (if 99 blocks and 100 allows, 99 will be applied)
  • Can SPAN across AZs
  • Ephemeral ports – 1024 – 65535 should be allowed so return traffic can get through
  • if you want to BLOCK an IP address you must use an ACL, because a security group doesn’t have deny rules
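
To make the stateful-versus-stateless distinction concrete, here is an added Python model (not from the original notes, and not AWS code) of how a network ACL and a security group decide on a packet. The addresses, ports and rules are constructed for the demonstration: a web server that accepts HTTP from anywhere, an NACL deny rule numbered 99 for one client range that outranks the allow rule 100, and an outbound ephemeral-port rule that can be switched off to show why replies fail without it. The security group in the demo is given no outbound rules at all, unlike a default SG, so that the reply is visibly allowed by connection state alone.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A packet as seen from the instance. For inbound traffic remote_ip is the
    source and dst_port the local port; for outbound traffic remote_ip is the
    destination and dst_port the remote port (the client's ephemeral port on a reply)."""
    direction: str   # 'in' or 'out'
    proto: str       # 'tcp', 'udp' or 'icmp'
    remote_ip: str
    src_port: int
    dst_port: int

    def flow_key(self):
        """Identity that is identical for a request and its reply."""
        if self.direction == 'in':
            return (self.proto, self.remote_ip, self.src_port, self.dst_port)
        return (self.proto, self.remote_ip, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str             # 'tcp', 'udp', 'icmp' or 'all'
    ports: tuple           # inclusive (from, to), matched against dst_port
    cidr: str              # matched against remote_ip
    action: str = 'allow'  # NACL rules may be 'deny'; security groups are allow-only
    number: int = 0        # NACL rule number; unused for security groups

    def matches(self, pkt):
        return (self.proto in ('all', pkt.proto)
                and self.ports[0] <= pkt.dst_port <= self.ports[1]
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the numbered
    rules in ascending order; the first match decides, no match means deny."""
    def __init__(self, inbound, outbound):
        self.rules = {'in': sorted(inbound, key=lambda r: r.number),
                      'out': sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt):
        for rule in self.rules[pkt.direction]:
            if rule.matches(pkt):
                return rule.action, rule.number
        return 'deny', '*'   # the implicit catch-all rule at the end


class SecurityGroup:
    """Stateful and allow-only: once a packet is allowed by a rule, the reply
    traffic of that flow is allowed regardless of rules in the other direction."""
    def __init__(self, inbound=(), outbound=()):
        if any(r.action != 'allow' for r in (*inbound, *outbound)):
            raise ValueError('security groups cannot contain deny rules')
        self.rules = {'in': list(inbound), 'out': list(outbound)}
        self.tracked = set()   # connection tracking table

    def evaluate(self, pkt):
        key = pkt.flow_key()
        if key in self.tracked:
            return 'allow', 'stateful'
        if any(r.matches(pkt) for r in self.rules[pkt.direction]):
            self.tracked.add(key)
            return 'allow', 'rule'
        return 'deny', '*'


# Constructed sample traffic (documentation address ranges, not real hosts).
CLIENT = '203.0.113.10'
BLOCKED_RANGE = '198.51.100.0/24'
REQUEST = Packet('in', 'tcp', CLIENT, 50000, 80)    # client -> web server port 80
REPLY = Packet('out', 'tcp', CLIENT, 80, 50000)     # server -> client's ephemeral port


def nacl_demo(with_ephemeral_rule=True):
    inbound = [Rule('tcp', (80, 80), '0.0.0.0/0', 'allow', 100),
               Rule('tcp', (80, 80), BLOCKED_RANGE, 'deny', 99)]   # 99 is checked before 100
    outbound = [Rule('tcp', (1024, 65535), '0.0.0.0/0', 'allow', 100)] if with_ephemeral_rule else []
    acl = NetworkAcl(inbound, outbound)
    return {'request': acl.evaluate(REQUEST),
            'reply': acl.evaluate(REPLY),
            'blocked_client': acl.evaluate(Packet('in', 'tcp', '198.51.100.7', 50001, 80))}


def sg_demo():
    # Deliberately no outbound rules (unlike the default SG): the reply is
    # still allowed purely by connection state.
    sg = SecurityGroup(inbound=[Rule('tcp', (80, 80), '0.0.0.0/0')])
    return {'request': sg.evaluate(REQUEST),
            'reply': sg.evaluate(REPLY),
            'unsolicited_outbound': sg.evaluate(Packet('out', 'tcp', CLIENT, 4444, 443))}


if __name__ == '__main__':
    print('NACL with ephemeral rule:   ', nacl_demo(True))
    print('NACL without ephemeral rule:', nacl_demo(False))
    print('Security group:             ', sg_demo())
```

With the ephemeral rule present the NACL allows the request and the reply and denies the client in the blocked range on rule 99; without it the request still gets in but the reply is dropped by the catch-all deny, which is the symptom behind the "ephemeral ports must be allowed" bullet. The security group never needs that rule, and it refuses to be built with a deny rule at all.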

Bastion –

  • keep it in a public subnet to allow SSH / RDP into instances in private subnets (High availability – bastions in two public subnets and also an ASG – Route 53 running health checks on those bastions)

VPC Flow Logs –

  • to capture all the traffic information into logs – logs everything (create an IAM role and create a CloudWatch log group – and log stream)

VPC Cleanup: can’t delete a VPC if you have an active running instance or an ELB is running

5 VPCs per region

A route table is required for a subnet to control the flow of traffic

AWS Direct Connect provides a dedicated private connection

A public IP address is required for an instance to be accessed from the Internet!

200 Subnets per VPC


VPC STEPS

STEP 1:
Create VPC – example name – awatersonVPC
IPv4 CIDR block: 10.0.0.0/16
IPv6 CIDR block: Can use an Amazon-provided block for more options later if you want
After creation a new route table, a default security group and default network ACLs are created!  These are not created: Subnet, Internet Gateway.

STEP 2:
Create Subnet 1:
Name tag – 10.0.1.0-US-EAST-1A (name is based on IP and Availability Zone)
VPC: Select the one you created
AZ: Select one
IPv4 CIDR block: 10.0.1.0/24 – 256 IP addresses but only 251 usable

Create Subnet 2:
Name tag – 10.0.2.0-US-EAST-1B
VPC: select the one you created
AZ: Select one
IPv4 CIDR block: 10.0.2.0/24

STEP 3:
Add an Internet Gateway for Internet connectivity
Internet Gateway – create – name tag = MYIGW
Detached by default – you need to attach it to your VPC: You cannot have multiple IGWs attached to a VPC

STEP 4:
Route tables: main route table has a way out to the Internet
Create a new table – Name Tag = MYInternetRouteOut – Choose VPC
Go to route table – routes – edit – add another route: Destination 0.0.0.0/0 target IGW
Allows all traffic out; any subnet associated with this route table becomes a public subnet
For IPv6 destination ::/0 Target IGW
Now associate a subnet – Subnet Association – pick one of them; 1A will be the public one and 1B the private
Test the EC2 instance or look at the subnets to see if a public IP is assigned
If not (by default it is not), go to subnet actions – modify auto-assign IP settings – check enable!  Gives a public IPv4 address

STEP 5:
Create an EC2 instance for testing – in the public subnet.  You may need to create a new security group.  Name it web-dmz and add protocols SSH, HTTP.  Example – SSH 0.0.0.0/0 and HTTP 0.0.0.0/0, ::/0
Choose a key pair for SSH
Launch a second instance into the private subnet.  The default security group should not be open to the world.

STEP 6:
Create new security group
Name: M-RDS-SG
Add to your VPC
SSH 22 10.0.1.0/24 – (public subnet)
MYSQL 3306 10.0.1.0/24
HTTP same
HTTPS same
ALL ICMP – 0-65535

STEP 7:
Create NAT Gateway: choose your public subnet – create a new Elastic IP – takes 10-15 min to provision
Edit the default route table: under Routes, remove the blackhole route if there is one
Add rule: 0.0.0.0/0 target NAT Gateway – gives you a route out

STEP 8:
Network ACL
Create new – name tag – MyWebNACL – your VPC: only one VPC, an ACL cannot span VPCs
Default inbound / outbound rules deny everything: Add rule 100 HTTP TCP 80 0.0.0.0/0
Inbound – add HTTPS and SSH
Outbound – Add HTTP 80, HTTPS 443, and a custom TCP rule for the ephemeral ports 1024-65535
Subnet Association – public subnet (a subnet can only be associated with one network access control list)

STEP 9:
Try to connect to the private EC2 instance; see here: https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/

STEP 10:
Clean Up and delete VPC
1. Remove EC2 instances
2. Delete NAT Gateway – takes time
3. Detach Internet Gateway from VPC – delete after
4. Delete endpoint
5. Delete VPC.
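
An added Python model of the VPC built in steps 1 to 8 (illustration only; it does not call AWS, and the route-table contents and the target names `igw` and `nat-gw` are assumptions based on the steps, not values read from an account). It resolves a destination against a subnet's route table with longest-prefix match, classifies each subnet as public or private from whether its table sends 0.0.0.0/0 to the internet gateway, flags blackhole routes like the one step 7 says to remove, and checks that the NAT gateway sits in a public subnet.

```python
import ipaddress

# Constructed model of the VPC from steps 1-8; table contents and target
# names ('igw', 'nat-gw') are assumptions, not values read from AWS.
VPC_CIDR = '10.0.0.0/16'

# A route table is a list of (destination CIDR, target). Every table has the
# 'local' route for the VPC block; a target of None models a blackhole route.
MAIN_ROUTE_TABLE = [('10.0.0.0/16', 'local'), ('0.0.0.0/0', 'nat-gw')]   # step 7
PUBLIC_ROUTE_TABLE = [('10.0.0.0/16', 'local'), ('0.0.0.0/0', 'igw')]    # step 4

SUBNETS = {
    '10.0.1.0-US-EAST-1A': {'cidr': '10.0.1.0/24', 'route_table': PUBLIC_ROUTE_TABLE},
    '10.0.2.0-US-EAST-1B': {'cidr': '10.0.2.0/24', 'route_table': MAIN_ROUTE_TABLE},
}
NAT_GATEWAY_SUBNET = '10.0.1.0-US-EAST-1A'   # step 7: NAT gateway goes in the public subnet


def lookup(route_table, dest_ip):
    """Longest-prefix match over a route table. Returns the target ('local',
    'igw', 'nat-gw', ...), 'blackhole' if the best route has no target, or
    None if no route matches."""
    addr = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    if best_net is None:
        return None
    return best_target if best_target is not None else 'blackhole'


def next_hop(subnet_name, dest_ip, subnets=SUBNETS):
    return lookup(subnets[subnet_name]['route_table'], dest_ip)


def is_public(subnet_name, subnets=SUBNETS):
    """Public subnet = its route table sends 0.0.0.0/0 to the internet gateway."""
    table = subnets[subnet_name]['route_table']
    return any(dest == '0.0.0.0/0' and target == 'igw' for dest, target in table)


def blackholes(route_table):
    """Destinations whose target no longer exists (e.g. a deleted NAT gateway)."""
    return [dest for dest, target in route_table if target is None]


def check_layout(subnets=SUBNETS, nat_subnet=NAT_GATEWAY_SUBNET):
    """Sanity checks before launching instances; returns a list of problems."""
    problems = []
    vpc = ipaddress.ip_network(VPC_CIDR)
    if not is_public(nat_subnet, subnets):
        problems.append(f'NAT gateway subnet {nat_subnet} is not public')
    for name, s in subnets.items():
        if not ipaddress.ip_network(s['cidr']).subnet_of(vpc):
            problems.append(f'{name}: {s["cidr"]} is outside the VPC block {VPC_CIDR}')
        for dest in blackholes(s['route_table']):
            problems.append(f'{name}: blackhole route for {dest}')
    return problems


if __name__ == '__main__':
    for name in SUBNETS:
        kind = 'public' if is_public(name) else 'private'
        print(f"{name}: {kind}, 8.8.8.8 -> {next_hop(name, '8.8.8.8')}, "
              f"10.0.2.5 -> {next_hop(name, '10.0.2.5')}")
    print('problems:', check_layout() or 'none')
```

For the two subnets from step 2 this reports 1A as public (internet-bound traffic goes to the IGW) and 1B as private (it goes to the NAT gateway), while traffic between the subnets stays on the local route because the /16 is more specific than 0.0.0.0/0. Re-running `check_layout()` with a table whose NAT target has been deleted reproduces the blackhole situation step 7 warns about.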
