Saturday, September 12, 2020

Amazon VPC & Networking [Part 1]

 Amazon VPC & Networking:

  • CIDR (Classless Inter Domain Routing) IPv4:

    • CIDR is used for AWS networking.

    • Security group rules (allow 0.0.0.0/0).

    • CIDR Example: 0.0.0.0/0 & 192.0.10.0/8.

    • They help defining the IP address Range:

      • 192.0.0.1/32 → This means only one IP. 

      • 0.0.0.0/0 → This means all the IP’s.

      • 192.0.0.0/26 →192.0.0.0 to 192.0.0.63 (total 64 Ip’s). 

    • How CIDR is calculated:

    • There are two components in CIDR Base IP & Subnet Mask

      • 0.0.0.0/0 ⇒ 0.0.0.0 is base ip & /0 is subnet mask.

      • The base ip represents an ip contained in the range

      • The subnet mask represents how many bits can change in IP

    • The subnet mask allows parts of the underlying IP to get additional next values from the base ip.

      • 0.0.0.0/32 = 2^0 = 1

      • 0.0.0.0/31 = 2^1 = 2

      • 0.0.0.0/28 = 2^(32-28) = 2^4 = 16 IP’s

      • 0.0.0.0/24 = 2^(32-24) = 2^8 = 256 IP’s: Range [0.0.0.0 to 0.0.0.255] last class of IP 

      • 0.0.0.0/16 = 2^(32-16) = 2^16 = 65536 IP’s Range [0.0.0.0 to 0.0.255.255] last two classes of IP

      • 0.0.0.0/8 = 2^(32-8) = 2^24 = 16777216 IPs Range [0.0.0.0 to 0.255.255.255] last three classes of IP

      • 0.0.0.0./0 = 2^(32-0) = 2^32 = 4294967296 IPs Range [0.0.0.0 to 255.255.255.255] all four classes of IP’s

    • Private IP’s vs Public IP’s (IPv4)

      • The IANA (Internet Assigned Numbers Authority) established certain blocks of IPv4 addresses for the use of private and public addresses.

      • Meaning certain private IP’s are reserved and rest are made public 

      • Allowed private IP ranges:

        • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8) 

        • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) => default AWS VPC

        • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16) => home network

    • All the rest IP’s are public


Default VPC Virtual Private Cloud:

  • All New accounts have default VPCs

  • The new instances are created in default VPC if no subnet is provided.

  • The default VPC has internet connectivity and all instances have public IP.

  • We also get a public & a private DNS.

  • The default CIDR of VPC is 172.16.0.0/16

  • The VPC is associated with the default subnets.

    • Eg: If Region A has 3 AZ then 3 Subnets in each AZ. 

    • Each subnet has non overlapping CIDRs

  • Default VPC comes with following four set of services:

    • Subnet

    • Route Table

    • Internet Gateway

    • Network ACL

  • You can have multiple VPC in a region (Max 5 VPC → Soft limit).

  • Raise a support ticket to increase the limit

  • Max CIDR per VPC = 5 

    • Min size /28 = 16 IP’s 

    • Max Size /16 = 65536 IP’s

  • Since VPC is private only private IP range is allowed (172.16.0.0, 192.168.0.0, 10.0.0.0).

  • VPC CIDR should not overlap with your other network

    • Ex: corporate network is in 10.0.0.0/8 than VPC CIDR should not be in that range.

  • IMPORTANT: The only range we can choose in VPC is between /16 to /28


Subnet

  • AWS reserves 5 IP address every time you create a subnet

  • First 4 & last 1 are reserved every time.

  • Ex: 10.0.0.0/24 

    • 10.0.0.0 is reserved for Network Address

    • 10.0.0.1 is reserved by AWS for VPC router

    • 10.0.0.2 is reserved by AWS for mapping to Amazon-provided DNS

    • 10.0.0.3 is reserved by AWS for future use.

    • 10.0.0.255 Network broadcast address. AWS doesn’t support broadcast in VPC, therefore it's reserved.

  • Exam Tip: 

    • If you need 29 IPs address for your EC2 instances, you can’t create a subnet of size /27 (32 IP’s) [32-5=27 < 29]

    • You will need to choose /26 = 64 IP’s [64-5=59 >29 ]


Internet Gateway:

  • Internet Gateway helps our VPC instances to get connected to the internet

  • It scales horizontally and is HA and redundant 

  • Must be created separately from VPC 

  • Internet Gateway is also NAT for the instances that have public IP4V

  • Internet Gateway does not allow their own internet, we will also need a route table.

  • One Internet Gateway per VPC 


Route Table:

  • The route table controls the ingress traffic. 

  • 0.0.0.0/0  with an internet gateway helps to connect to internet.


NAT Instance (Network Address Translation):

(Outdated but in exam topic):

  • Allow instances in private subnet to connect to the internet

  • The NAT Instance must be launched in a public subnet and must.

  • Must disable the EC2 Flag: Source/Destination check.

  • Must have Elastic IP attached to it.

  • Route table must be configured to route traffic from private to NAT instance.

Note: Search for NAT OS while selecting OS.



NAT Gateway:

  • AWS Managed NAT, higher bandwidth, better quality and no admin.

  • Pay by the hour for usage & bandwidth.

  • NAT is created in a specific AZ, uses an EIP.

  • Cannot be used by the instance in the same subnet (Only from other subnets).

  • Requires an Internet Gateway (Private Subnet ⇒ NAT ⇒IGW).

  • 5GBPS of bandwidth which will automatically scale up to 45GBPS.

  • No Security Groups needs to be managed/required.


NAT Gateway HA:


Attribute 

NAT gateway

NAT instance

Availability

Highly available. NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure zone independent architecture

Use a script to manage failover between instances

Bandwidth

Scale up to 45MBPS

Depends on instance bandwidth

Performance

Software is optimized to handle the NAT traffic

A generic Amazon Linux AMI that's configured to perform NAT.

Cost

Charged depending on the number of NAT gateways you use, duration of usage, and amount of data that you send through the NAT gateways.

Charged depending on the number of NAT instances that you use, duration of usage, and instance type and size.

//TODO 
















DNS Resolution in VPC:

  • enableDnsSupport (=DNS Resolution Setting)

  • Default is true 

  • Helps decide if DNS resolution is supported for the VPC.

  • If enableDnsSupport=true than queries to AWS DNS server at 169.254.169.253 IP.

  • enableDnsHostname (=DNS Hostname Setting).

  • By default it's false when you create a new VPC (for default VPC it is set to True).

  • Won’t do anything if enableDnsSupport=false, it requires the enableDnsSupport=true.

  • If it is set to true then assign a public hostname to EC2 Instance if it is public.

  • If you use custom DNS Hostnames in a private zone in Route53 then both this flag needs to be set to true.


Network ACL & Security Group:

  • The Network ACL is at subnet level, so the allowing/denying is done at subnet level.

  • Unlike the Security group it has deny rule as well.

  • Security Group is Stateful & NACL is Stateless.

  • If inbound rule is defined in Security Group then that rule is automatically added in Outbound rule

  • NACL are like firewalls which control the traffic from & to subnet.

  • The Default NACL allows everything outbound and everything inbound. (Does not restrict anything).

  • One NACL per subnet and new subnets are assigned to default NACL by default.


Defining NACL:

  • Rules have a number from 1-32766 and higher precedence with lower numbers.

  • Eg: #100 allow <IP> & #200 deny <IP>, the IP will be allowed since precedence is given to a lower number.

  • Last rule is an asterisk (*) and denies the request if no match is found.

  • AWS recommends adding rules by increment of 100.

  • Newly created NACL will deny everything.

  • NACL is a great way of blocking any specific IP at the subnet level.

  • https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Terraform Cheat Sheet [WIP]

Installing Terraform 

  • Storage Comparison
     
  • Route 53
      Route 53: It is managed DNS (Domain Name Service) DNS is a collection of rules & records which helps client to reach a server through ...
  • AWS ECS - Task Definition Example
     {    "containerDefinitions": [        {           "command": [             "/bin/sh -c \"echo '<html...