
Amazon Virtual Private Cloud

Pierre GOUDJO

January 20, 2022

Transcript

  1. At the time, all EC2 instances ran in a single flat network shared with other customers
  2. Network Access Control List: ALLOW and DENY rules

     Inbound
     Rule #  Type      Protocol  Port range  Source     Allow/Deny
     100     HTTP      TCP       80          0.0.0.0/0  ALLOW
     *       All IPv4  All       All         0.0.0.0/0  DENY

     Outbound
     Rule #  Type      Protocol  Port range  Destination  Allow/Deny
     100     HTTP      TCP       80          0.0.0.0/0    ALLOW
     *       All IPv4  All       All         0.0.0.0/0    DENY

     NACLs support both ALLOW and DENY rules; the unnumbered '*' rule is the implicit deny-everything at the end of each list.
  3. Network Access Control List: stateless

     Inbound
     Rule #  Type      Protocol  Port range  Source     Allow/Deny
     100     HTTP      TCP       80          0.0.0.0/0  ALLOW
     *       All IPv4  All       All         0.0.0.0/0  DENY

     Outbound
     Rule #  Type      Protocol  Port range  Destination  Allow/Deny
     100     HTTP      TCP       80          0.0.0.0/0    ALLOW
     *       All IPv4  All       All         0.0.0.0/0    DENY

     Return traffic must be explicitly allowed. With the rules above, an HTTP request is allowed in, but the instance's reply goes to the client's ephemeral port (not port 80), so the outbound '*' rule denies it; an outbound rule covering the ephemeral port range (1024-65535) is needed.
  4. Network Access Control List: rule processing order

     Inbound
     Rule #  Type      Protocol  Port range  Source     Allow/Deny
     100     HTTP      TCP       80          0.0.0.0/0  ALLOW
     110     HTTPS     TCP       443         0.0.0.0/0  ALLOW
     120     HTTP      TCP       80          0.0.0.0/0  DENY
     *       All IPv4  All       All         0.0.0.0/0  DENY

     Rules are evaluated in ascending rule number and the first match wins. Rule 120 will never be applied, because rule 100 already matches HTTP traffic.
  5. Network Access Control List: default NACL

     Inbound
     Rule #  Type      Protocol  Port range  Source     Allow/Deny
     100     All IPv4  All       All         0.0.0.0/0  ALLOW
     *       All IPv4  All       All         0.0.0.0/0  DENY

     Outbound
     Rule #  Type      Protocol  Port range  Destination  Allow/Deny
     100     All IPv4  All       All         0.0.0.0/0    ALLOW
     *       All IPv4  All       All         0.0.0.0/0    DENY

     All traffic is allowed: rule 100 matches everything before the '*' deny is reached.
  6. A security group acts as a virtual firewall for your instance, controlling its inbound and outbound traffic
  7. Security groups: only ALLOW rules

     Inbound
     Type  Protocol  Port range  Source
     HTTP  TCP       80          0.0.0.0/0

     Outbound
     Type      Protocol  Port range  Destination
     All IPv4  All       All         0.0.0.0/0

     Only ALLOW rules: anything not explicitly allowed is dropped, and there is no way to write a DENY.
  8. Security groups: stateful

     Inbound
     Type  Protocol  Port range  Source
     HTTP  TCP       80          0.0.0.0/0

     Outbound
     Type  Protocol  Port range  Destination
     SSH   TCP       22          10.0.0.1/32

     No need to specify a mirror rule: the response to a request that was allowed in (here, HTTP on port 80) is automatically allowed out, even though the outbound rules only allow SSH to 10.0.0.1. Likewise, replies to an allowed outbound request are allowed back in.
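The rule sets on slides 2 to 8 can be replayed against one HTTP request and its reply to see the stateless, first-match behaviour of a NACL next to the stateful behaviour of a security group. The Python model below is an added example, not code from the deck or from AWS: it reduces AWS connection tracking to a set of 5-tuples, and the addresses, ports and rule numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", ...
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number; security groups ignore ordering
    proto: str      # "all" or a protocol name
    port_lo: int
    port_hi: int
    cidr: str       # source for inbound rules, destination for outbound rules
    action: str = "allow"   # NACL rules may also be "deny"

def matches(rule: Rule, proto: str, dport: int, addr: str) -> bool:
    """Protocol, destination port range and CIDR must all match."""
    if rule.proto != "all" and rule.proto != proto:
        return False
    if not rule.port_lo <= dport <= rule.port_hi:
        return False
    return ip_address(addr) in ip_network(rule.cidr)

def fields(pkt: Packet, direction: str):
    # Inbound rules match the source address, outbound rules the destination address;
    # both match the packet's destination port.
    return pkt.proto, pkt.dport, (pkt.src if direction == "in" else pkt.dst)

class NetworkAcl:
    """Stateless: every packet, replies included, is checked. Rules are evaluated in
    ascending number, the first match decides, and the implicit '*' rule denies the rest."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt: Packet, direction: str):
        for r in (self.inbound if direction == "in" else self.outbound):
            if matches(r, *fields(pkt, direction)):
                return r.action, r.number
        return "deny", "*"

class SecurityGroup:
    """Stateful and allow-only: a matching rule allows the packet and records its flow;
    the reverse direction of a recorded flow is allowed without consulting the rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.flows = list(inbound), list(outbound), set()

    def evaluate(self, pkt: Packet, direction: str):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow", "tracked"      # simplified model of AWS connection tracking
        for r in (self.inbound if direction == "in" else self.outbound):
            if matches(r, *fields(pkt, direction)):
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow", r.number
        return "deny", "*"

ANY = "0.0.0.0/0"
HTTP = Rule(100, "tcp", 80, 80, ANY)

def demo():
    """Replays the deck's rule sets against one HTTP request and its reply (constructed addresses)."""
    request = Packet("203.0.113.5", "10.0.1.10", "tcp", 40000, 80)
    reply = Packet("10.0.1.10", "203.0.113.5", "tcp", 80, 40000)
    out = {}
    # Slides 2-3: HTTP allowed in both directions and nothing else. The reply goes to the
    # client's ephemeral port 40000, which no outbound rule allows, so the '*' rule drops it.
    nacl = NetworkAcl([HTTP], [HTTP])
    out["nacl_request"] = nacl.evaluate(request, "in")      # ('allow', 100)
    out["nacl_reply"] = nacl.evaluate(reply, "out")         # ('deny', '*')
    fixed = NetworkAcl([HTTP], [HTTP, Rule(110, "tcp", 1024, 65535, ANY)])
    out["nacl_reply_fixed"] = fixed.evaluate(reply, "out")  # ('allow', 110)
    # Slide 4: rule 120 (DENY HTTP) never fires because rule 100 matched first;
    # numbering the deny below the allow makes it effective.
    ordered = NetworkAcl([HTTP, Rule(110, "tcp", 443, 443, ANY),
                          Rule(120, "tcp", 80, 80, ANY, "deny")], [HTTP])
    out["nacl_order"] = ordered.evaluate(request, "in")     # ('allow', 100)
    reordered = NetworkAcl([Rule(90, "tcp", 80, 80, ANY, "deny"), HTTP], [HTTP])
    out["nacl_reordered"] = reordered.evaluate(request, "in")  # ('deny', 90)
    # Slide 8: inbound HTTP, outbound only SSH to 10.0.0.1. The reply to the tracked
    # request is allowed out anyway; an unsolicited outbound connection is not.
    sg = SecurityGroup([HTTP], [Rule(0, "tcp", 22, 22, "10.0.0.1/32")])
    out["sg_request"] = sg.evaluate(request, "in")          # ('allow', 100)
    out["sg_reply"] = sg.evaluate(reply, "out")             # ('allow', 'tracked')
    unsolicited = Packet("10.0.1.10", "203.0.113.5", "tcp", 51000, 40000)
    out["sg_unsolicited"] = sg.evaluate(unsolicited, "out")  # ('deny', '*')
    return out
```

The two verdicts worth remembering are `nacl_reply` and `nacl_order`: a NACL that mirrors the inbound allow on the outbound side still drops replies, and a DENY placed after a broader ALLOW is dead. Calling `demo()` returns all eight verdicts keyed by case name.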
  9. VPC Flow Logs capture information about the IP traffic going to and from network interfaces in the VPC
  10. A flow log can be created for an entire VPC, a subnet or an individual network interface
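Flow logs only pay off when something reads them. The Python below is an added example, not part of the deck: it parses records in the default flow log format (version 2) and extracts two things a practitioner looks for first, sources whose rejected flows walked across several destination ports (a scan bouncing off a security group or NACL) and the inbound flows the VPC actually accepted from addresses outside its own CIDR. The log lines, account ID and ENI ID are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the default VPC flow log format (version 2). The account ID and
# ENI ID are placeholders. The line with "-" fields is a NODATA record, which carries no flow.
SAMPLE_LOG = """\
2 111111111111 eni-0aaaaaaaaaaaaaaaa 198.51.100.7 10.0.1.10 51234 22 6 3 180 1642665600 1642665659 REJECT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 198.51.100.7 10.0.1.10 51235 23 6 3 180 1642665600 1642665659 REJECT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 198.51.100.7 10.0.1.10 51236 3389 6 3 180 1642665600 1642665659 REJECT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 198.51.100.7 10.0.1.10 51237 445 6 3 180 1642665600 1642665659 REJECT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 203.0.113.5 10.0.1.10 40000 80 6 12 3200 1642665600 1642665659 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 10.0.1.10 203.0.113.5 80 40000 6 10 9800 1642665600 1642665659 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa - - - - - - - 1642665600 1642665659 - NODATA
2 111111111111 eni-0aaaaaaaaaaaaaaaa 10.0.1.10 10.0.0.1 51000 22 6 5 400 1642665600 1642665659 ACCEPT OK
"""

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()

@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    byte_count: int
    action: str        # ACCEPT or REJECT

def parse_flow_log(text: str):
    """Parse default-format records; NODATA/SKIPDATA lines describe no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["interface_id"], row["srcaddr"], row["dstaddr"],
                                  int(row["srcport"]), int(row["dstport"]), int(row["protocol"]),
                                  int(row["packets"]), int(row["bytes"]), row["action"]))
    return records

def port_scan_suspects(records, min_ports: int = 3):
    """Sources whose rejected flows touched at least min_ports distinct destination ports on
    one interface: REJECT means a security group or NACL dropped the traffic."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[(r.srcaddr, r.interface_id)].add(r.dstport)
    return sorted((src, eni, sorted(p)) for (src, eni), p in ports.items() if len(p) >= min_ports)

def accepted_inbound_from_outside(records, vpc_cidr: str):
    """Flows the VPC accepted from addresses outside its own CIDR: what is actually exposed."""
    vpc = ip_network(vpc_cidr)
    return sorted({(r.srcaddr, r.dstaddr, r.dstport) for r in records
                   if r.action == "ACCEPT"
                   and ip_address(r.srcaddr) not in vpc and ip_address(r.dstaddr) in vpc})
```

On the sample, `port_scan_suspects` flags 198.51.100.7 for probing ports 22, 23, 445 and 3389, and `accepted_inbound_from_outside` reports only the HTTP flow from 203.0.113.5; the intra-VPC SSH flow and the reply flow are not counted as exposure. A custom log format with extra fields would need the `FIELDS` list adjusted to match.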
  11. Internet Gateway
      • Allows communication between your VPC and the internet
      • Highly available, scalable, redundant
      • One per VPC
      • Supports IPv4 and IPv6
  12. Router and route tables
      • A VPC has an implicit router
      • Route tables control where network traffic is directed
      • Each subnet is associated with a route table, either:
        • explicitly, with a dedicated route table
        • implicitly, with the VPC main route table
      • Each route specifies a destination (a CIDR block) and a target (local, internet gateway, NAT device, another VPC, ...)
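A routing decision on slide 12 comes down to two steps: find the subnet's route table (its explicit association, otherwise the main table) and pick the most specific matching route. The Python below is an added example, not the deck's or AWS's code; it models only static CIDR routes (no prefix lists or propagated routes), and the VPC CIDR, subnet IDs and target IDs such as igw-0example are placeholders. It also shows a pitfall worth checking for: a subnet that was never explicitly associated silently inherits the main table's routes.

```python
from ipaddress import ip_address, ip_network

class RouteTable:
    """Routes are (destination CIDR, target). Lookup picks the most specific matching
    destination (longest prefix), so a /16 route wins over 0.0.0.0/0."""

    def __init__(self, name: str, routes):
        self.name = name
        self.routes = [(ip_network(cidr), target) for cidr, target in routes]

    def lookup(self, dst: str):
        addr = ip_address(dst)
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]

class Vpc:
    """Subnet-to-route-table association: the explicit association if one exists, otherwise
    the VPC main route table. Every table starts with the 'local' route for the VPC CIDR."""

    def __init__(self, cidr: str, main_routes):
        self.cidr = cidr
        self.main = self.table("main", main_routes)
        self.associations = {}

    def table(self, name: str, routes):
        return RouteTable(name, [(self.cidr, "local")] + list(routes))

    def associate(self, subnet_id: str, table: RouteTable):
        self.associations[subnet_id] = table

    def next_hop(self, subnet_id: str, dst: str):
        rt = self.associations.get(subnet_id, self.main)
        return rt.name, rt.lookup(dst)

def demo():
    """Hypothetical VPC 10.0.0.0/16; subnet and target IDs are placeholders, not real resources."""
    # Main table carries a default route to the internet gateway (a common setup).
    vpc = Vpc("10.0.0.0/16", [("0.0.0.0/0", "igw-0example")])
    out = {}
    # A subnet never explicitly associated with a table inherits the main table, so
    # "subnet-private" has an internet gateway default route nobody intended.
    out["private_before"] = vpc.next_hop("subnet-private", "198.51.100.7")   # ('main', 'igw-0example')
    private = vpc.table("private", [("0.0.0.0/0", "nat-0example"), ("172.16.0.0/16", "pcx-0example")])
    vpc.associate("subnet-private", private)
    out["private_internet"] = vpc.next_hop("subnet-private", "198.51.100.7")  # ('private', 'nat-0example')
    out["private_peer"] = vpc.next_hop("subnet-private", "172.16.5.5")        # ('private', 'pcx-0example')
    out["private_local"] = vpc.next_hop("subnet-private", "10.0.2.15")        # ('private', 'local')
    public = vpc.table("public", [("0.0.0.0/0", "igw-0example")])
    vpc.associate("subnet-public", public)
    out["public_internet"] = vpc.next_hop("subnet-public", "198.51.100.7")    # ('public', 'igw-0example')
    return out
```

The `private_before` result is the audit check: in a real account, compare each subnet's effective table (main unless explicitly associated) against its intended role, because a private subnet that inherits a main table holding a 0.0.0.0/0 route to an internet gateway is the classic misconfiguration.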
  13. NAT Gateway
      • Provides internet access to resources in a private subnet
      • External services cannot initiate connections to those instances
      • Scales from 5 Gbps up to 45 Gbps
      • Not used for IPv6 traffic (see egress-only internet gateways)
      • Can be monitored with CloudWatch
  14. NAT instance
      • An EC2 instance that performs NAT
      • No longer recommended: Amazon no longer supports the NAT AMI
      • Not supported for IPv6 traffic
  15. Egress-only internet gateways
      • Allow outbound traffic over IPv6 from instances in your VPC to the internet
      • Prevent the internet from initiating an IPv6 connection to your instances
      • IPv6 only
  16. DHCP Options Sets
      • The options field of a DHCP message carries configuration parameters such as the domain name, domain name servers, netbios-node-type, etc.
      • A VPC can have at most one DHCP options set associated with it at a time
      • A DHCP options set cannot be modified after creation (create a new set and associate it instead)
      • Supported options:
        • domain-name-servers: up to 4 DNS servers, or AmazonProvidedDNS
        • domain-name
        • ntp-servers: none by default; the Amazon Time Sync Service is available at 169.254.169.123
        • netbios-name-servers
        • netbios-node-type
  17. Instance IP Addressing
      • Amazon EC2 and VPC support IPv4 and IPv6
      • By default, IPv4 is used and cannot be disabled
      • Multiple private addresses can be assigned to a single network interface; the number depends on the instance type
  18. Elastic Network Interface
      • Represents a virtual network card
      • Can be attached to and detached from an EC2 instance
      • Can be in a different subnet than the instance's primary interface (dual-homed)
      • One public IPv4 address
      • One MAC address
      • Multicast can be achieved with an overlay network and an ENI
  19. Elastic IP
      • Static, public IPv4 address
      • Can be associated with any instance or network interface in any VPC of the same Region
      • Can be remapped to another instance
      • One is free of charge while associated with a running instance
      • Additional or unassociated Elastic IPs are charged
  20. Network Firewall
      • Managed network firewall and intrusion detection
      • Deep packet inspection on ingress and egress traffic
      • Stateful protocol inspection
      • Compatible with Suricata (IPS) rules
  21. VPC endpoints (AWS PrivateLink)
      • Traffic between your VPC and the service does not leave the AWS network
      • 2 types:
        • Gateway endpoints, for S3 and DynamoDB
        • Interface endpoints (PrivateLink), for other AWS services and third-party AWS partner services
  22. VPC peering
      • Networking connection between two VPCs
      • Instances in either VPC can communicate with each other as if they were in the same network
      • Peering is not transitive: two VPCs that are each peered with a third cannot reach each other through it
  23. Transit Gateway
      • Hub-and-spoke design for connecting VPCs
      • A Transit Gateway is a Regional resource and can connect thousands of VPCs within the same AWS Region
      • Transit Gateway vs VPC peering: compared with a Transit Gateway, VPC peering offers lower cost, no bandwidth limits, lower latency, and security groups that can reference groups in the peered VPC
  24. Direct Connect
      • Links your internal network to an AWS Direct Connect location
      • You can create virtual interfaces directly to public AWS services or to a VPC, bypassing internet service providers
      • A single Direct Connect connection can be used to reach multiple Regions or accounts
  25. VPN: 2 offerings
      • AWS Client VPN: a fully managed VPN service that lets users securely connect to AWS resources or on-premises networks
      • Site-to-Site VPN: creates a secure connection between your data center and your AWS resources, joining a VPC and on-premises networks