Start preparing for your Next Exam | Use coupon – TOGETHER | Avail 30% discount

VPC Revision

  1. Home
  3. AWS Certified Advanced Networking Specialty Exam
  5. VPC Revision

Here, we will learn about VPC Revision.

  • A virtual network which is isolated and define  by customer
  • VPC is the network layer for EC2
  • Creation needs IPv4 address range CIDR
    • address range should not overlap with other networks
  • Components
  • Subnets
    • 1st four IPs and last IP address in a subnet are reserved by AWS
    • Public, Private, VPN
  • Route tables
    • Determine where traffic is sent and applied to all subnets
    • Default route called local route
    • VPC has an implicit router
    • VPC automatically comes with a main route table
    • Each subnet must e associated with a route table. Subnets will use the main route table if not assigned
    • Can replace main route table with custom table
    • Route table enlists destination CIDR and target
  • Internet Gateways
    • horizontally scaled
    • redundant
    • highly available
    • provides a target for internet traffic
    • Creation
      • Attach and IGW
      • Then for non local (0.0.0.0) traffic, instantiate a subnet route table
      • configure network ACL and Security Groups
      • For sending and receiving traffic via IGW, public IP address is needed by the instance
  • DHCP Options
    • Name servers
    • domain name
    • NTP servers
    • Netbios name servers
    • Netbios node type
  • Elastic IP Addresses (EIP)
    • Allocate then assign them
    • Specific to region
    • 1 to 1 relationship with  network interfaces
    • can move EIPs
    • Stays with account until explicitly release
  • Elastic Network Interfaces (ENI)
    • virtual network interface you can assign to an instance
    • associate with a subnet
    • instance can be dual homed
  • Virtual data center in the cloud
  • A maximum of 5 VPCs in a AWS region is allowed. It can also be increased
  • subnets present in the default VPC have an attached IGW
  • Multiple IGW’s can be created, but only a single IGW can be attached to a VPC.. No exceptions
  • Again, You can only have 1 Internet gateway per VPC
  • Both public and private IP address are present with EC2 instance
  • If you delete the default VPC, the only way to get it back is to submit a support ticket
  • This answer is correct for the current iteration of tests, however AWS has now crated a mechanism in the console that allows you to recreate a default VPC
  • By default when you create a VPC, a default main routing table automatically gets created as well.
  • Subnets are associated with single AZ only and not multiple AZ’s
  • largest CIDR block  for a VPC is /16
  • smallest CIDR block  for a VPC is /28
  • AWS reserves 3 IP addresses in every subnet, as
    • x.x.x.0 – Always subnet network address and is never usable
    • x.x.x.1 – Reserved by AWS for the VPC router
    • x.x.x.2 – Reserved by AWS for subnet DNS
    • x.x.x.3 – Reserved by AWS for future use
    • x.x.x.255 – Always subnet broadcast address and is never usable.
  • 169.254.169.253 – Amazon DNS
  • By default all traffic between subnets is allowed
  • By default not all subnets have access to the Internet. Either an Internet Gateway or NAT gateway is required for private subnets
  • security group can span to multiple AZ’s
  • Security Groups are stateful (Don’t need to open inbound and outbound, if inbound is allowed, outbound is auto allowed)
  • Network Access Control Lists (NACLs) are stateless (Must define both inbound and outbound rules)
  • Hardware VPN connection can be made amongst corporate data center and VPC. Thus, AWS acts as extension of corporate data center

VPC Components

Various objects are

  • A Virtual Private Cloud: logically isolated virtual network in AWS whose  IP address space can be selected.
  • Subnet: segment of  VPC’s IP address range to place groups of isolated resources.
    • segment of an VPC’s IP address range to launch EC2 instances, Amazon RDS databases, and other AWS resources.
    • smallest subnet is a /28 (or 16 IP addresses).
    • AWS reserves first four IP addresses and the last IP address of every subnet for internal networking purposes.
  • Internet Gateway: VPC side of connection to Internet.
  • NAT Gateway: NAT service for resources in a private subnet to access Internet.
  • Virtual private gateway: VPC side of a VPN connection.
  • Peering Connection: enables to route traffic via private IP addresses between two peered VPCs.
  • VPC Endpoints: private connectivity to services hosted in AWS, from within VPC without using an Internet Gateway/ VPN/ NAT devices/ firewall proxies.
  • Egress-only Internet Gateway: stateful gateway to provide egress only access for IPv6 traffic from VPC to Internet.
  • Route tables
    • A logical construct within VPC having set of rules (or routes) applied to subnet and used to determine where network traffic is directed.
    • With route table EC2 instances in different subnets in a VPC to communicate with each other.
    • Route table has default route called local route, to communication within Amazon VPC, and this route cannot be modified or removed.
  • Dynamic Host Configuration Protocol or DHCP, option can set –
    • DHCP passes configuration information to hosts on a TCP/IP network like domain name, domain name server, and the netbios-node-type.
    • AWS automatically creates and associates a DHCP option set for the Amazon VPC upon creation and sets two options:
      • domain-name-servers (defaulted to AmazonProvidedDNS)
      • domain-name (defaulted to the domain name for your region).
    • AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC’s IGW.
  • Security groups
    • A virtual stateful firewall controlling inbound and outbound network traffic to AWS resources and EC2 instances.
    • All Amazon EC2 instances must be launched into a security group.
    • If not specified at launch, then instance will be in default security group for VPC, which allows communication between all resources within security group, allows all outbound traffic, and denies all other traffic.
  • Network Access Control Lists (ACLs)
    • Acts as stateless firewall on a subnet level.
    • It is a group of rules  which are numbered
    • AWS evaluates the list from lowest numbered to highest
    • Rule evaluation to allow/deny traffic in or out of any associated subnet.
    • Amazon VPCs have modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic.

Optional Components of Amazon VPC

Internet Gateways (IGWs)
  • A horizontally scaled, redundant, and highly available Amazon VPC component for communication between instances in VPC and Internet.
  • It gives a target in VPC route tables for Internet-routable traffic
  • performs network address translation for instances having public IP addresses.
  • EC2 instances in VPC are aware of only their private IP addresses.
  • For traffic from instance to Internet
    • IGW translates reply address to instance’s public IP address also called EIP address
    • Also store mapping between instance private IP address and public IP address
Elastic IP (EIP) addresses
  • AWS manages a pool of public IP addresses in each region
  • Can be associated to resources in VPCs
  • It is a static, public IP address in pool for region
  • can allocate it to account (pull from the pool)
  • Can release them (return to the pool).
  • It is a set of IP addresses that remain fixed while the underlying infrastructure may change over time.
Elastic Network Interfaces (ENIs)
  • A virtual network interface that can attach to an instance in an Amazon VPC.
  • ENIs are only available within an VPC
  • They are associated with a subnet upon creation.
Endpoints
  • It allows to create a private connection between VPC and another AWS service without access over Internet or NAT instance, VPN connection, or AWS Direct Connect.
  • multiple endpoints can be created for single service
VPC Revision

Learn more about VPC here.

Menu