VPC

The document outlines the structure and components of AWS Virtual Private Cloud (VPC) networking, including isolation, segmentation, routing, and gateway devices. It details the differences between public and private IP addresses, CIDR notation, and the types of gateways like Internet Gateway and NAT Gateway. Additionally, it covers VPC peering, endpoints, and the management of IP addresses within AWS infrastructure.

Uploaded by

aws.vp2024

NETWORK: IP / LAN / V… -- Physical networking
COMMUNICATION: Within th… / Internet / VPN
ISOLATION: Test, Prod, Dev, Staging
SEGMENTATION: PUBLIC, PR…, APPS, DATABASE, WEB
FILTERING
ROUTING: Route Tables - Routes / Rules -- NAT GW, IGW, Proxy…etc
PEERING
ENDPOINTS

AWS Virtual Network - Resembles a physical network

Isolated Network -- VPC - Virtual Private Cloud - Customer owned / dedicated network -- Logical isolation
Post Dec 2… / From 2014 - AWS Account -- Default VPC / Subnets / Route Tables / Gateway devices..etc

Default resources created with an AWS account:
Scope | Resource | Count | CIDR | Note
Per Region | Default VPC | 1 per Region | 172.31.0.0/16 | 65536* addresses
Per AZ / Da… | Default Subnet | 1 per AZ | 172.31.0.0/20 | Each AZ will have its own Subnet
Default Gateway | Internet Gateway | 1 per Region | - | Traffic to Internet - Bidirectional

Public IP Address | Private IP Address
Internet connectivity | Intranet / Local / Within AWS VPC
Public - Internet | Private - Intranet
Registered IP | Not-Registered / Specific Range
Purchased IP / Not Free | Free
Not secure | More Secure
Used Externally | Used Internally
Unique | Non-Unique; can be used in different private networks
Assigned by ISP | Assigned by DHCP / Router

ICANN / IANA - Global; 5 Regional Registries
NIC - Network Information Center
AFRINIC - African
ARIN - Anta… - American Registry for Internet Numbers (ARIN)
APNIC - Asi… - East Asia, South Asia, South East Asia, Oceania
LACNIC - Latin America and Caribbean
RIPE NCC - Réseaux IP Européens Network Coordination Center -- Europe, Central Asia, West Asia, Russia…
ISP / NSP - Internet Service Provider

RFC 1918 - Intranet / AWS VPC - Private IP Address Ranges
10.0.0.0 - 10.255.255.255 (10/8) - Large to Very Large
172.16.0.0 - 172.31.255.255 (172…) - Medium to Large -- Default AWS
192.168.0.0 - 192.168.255.255 (…) - Small to Medium -- Home / Café / …
AWS Public IP Range - Document: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html#aws-ip-download

Public IP address types:
Elastic IP Address - Permanent / Static Public IP address
Dynamic IP address - Temporary; EC2 - Default - Public
BYO-IP - Bring Your Own IP - ARIN, APNIC, RIPE NCC
Service Managed - AWS managed - Amazon RDS, ECS, Workspaces..etc

Free of Cost - AWS VPC, Subnet, Route table…etc
Chargeable - EIP, NAT GW, Network Access Analyzer, Reachability Analyzer…etc

 | IPv4 | IPv6
Size | 32 Bits - 4 Octets | 128 Bits - 8 Groups of 4 hexadecimal digits
Address space | 2^32 -- 4.3 Billion IP addresses | 2^128 -- 3400 Trillion IPs
VPC | 5 CIDR ranges -- Adjustable | 5 CIDR ranges -- Quota
CIDR Range | /16 to /28 | /44 to /64 - /4 increments
Address Se… | Manual / Automated - IPAM | BYOIP / Amazon Automatic / EIP
Gateway | To access internet - IG | IG / Egress only IG (Outbound only connectivity)
EIP | Supported | Default -- Static IP (EIP)
NAT GW | Supported | Supported
EC2 | Supported for all instance types | Selective Instance Types
 | Mandatory | Optional
Example VPC CIDRs: 10.0.0.0/24, 10.0.2.0/24

Reserved addresses in 10.0.0.0/24:
10.0.0.0 - Network Address / Network ID
10.0.0.1 - Default Gateway / VPC Router
10.0.0.2 - Default - Reservations - Network Service 1
10.0.0.3 - Default - Reservations - Network Service 2
10.0.0.255 - Broadcast / Broadcast ID

VPC
Virtual Private Cloud - AWS Virtual Network -- Customer dedicated network
Default VPC - AWS Created
Non-Default VPC - Customer Created
A VPC is an isolated portion of the AWS Cloud populated by AWS objects, such as Amazon EC2 instances…
Default VPC - Public IP address auto assign
Non-default VPC - Public IP Disabled

SUBNET
Public Subnet
Private Subnet
Minimum CIDR - /28
CIDR block size must be between /16 and /28
Default subnets - Default Route Table -- Internet Gateway -- Internet Connectivity
Doesn't have an internet gateway directly attached

ROUTE TABLES
Routing
Default route -- Local Route (Within AWS VPC) / Internet -- IGW (0.0.0.0/0)
Middlebox Routes / Network Virtual Appliances

INTERNET GATEWAY
Gateway to Public Internet
Each VPC in a region will have 1 IGW -- 1 to 1 mapping
Internet -- Internet Gateway -- Connectivity: Bidirectional
On Premises - Virtual Private Gateway - VPN
NAT GW / EOIG (Egress (Outbound) Only Internet Gateway -- IPv6)
Amazon Managed -- As a Service -- HA, Redundancy, Scaling..
Example addresses: 3.108.40.105 / 192.168.10.16; 13.127.139.243

CIDR
Classless Inter-Domain Routing - Value / Notation -- IP Address Range / Network Mask
Example: 10.0.0.10 - 3 periods (dots); 10.0.0.0/24

2 OPTIONS
VPC Only
VPC and associated components - NAT GW, Endpoints, …etc

DHCP OPTIONS
DHCP Server options / Scope Options
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains configuration parameters.
- DNS Servers
- NTP server
- NetBIOS servers
- Domain Name
- NetBIOS Node Type
NetBIOS - Network Basic Input Output System -- Legacy -- Session Layer; TCP/IP, DNS
Subnet sizing example - Stan-vpc-02 192.168.10.0/24

 | Web Tier | App Tier | DB Tier
Servers | 30 Servers | 20 Servers | 10 Servers
IP Addresses needed | 50 IP Addresses | 30 IPs | 20 IPs
2^n | 64 | 64 | 32
CIDR Value | /26 | /26 | /27
AWS Reserved | 5 IPs | 5 IPs | 5 IPs
Usable IPs | 59 IPs | 59 IPs | 27 IPs
Network | 192.168.10.0/26 | 192.168.10.64/26 | 192.168.10.128/27
Network ID | 192.168.10.0 | 192.168.10.64 | 192.168.10.128
Default GW | 192.168.10.1 | 192.168.10.65 | 192.168.10.129
NW Res 1 | 192.168.10.2 | 192.168.10.66 | 192.168.10.130
NW Res 2 | 192.168.10.3 | 192.168.10.67 | 192.168.10.131
First Usable IP | 192.168.10.4 | 192.168.10.68 | 192.168.10.132
 | 192.168.10.5 | 192.168.10.69 | 192.168.10.133
 | … | … | …
Last Usable IP | 192.168.10.62 | 192.168.10.126 | 192.168.10.158
Broadcast ID | 192.168.10.63 | 192.168.10.127 | 192.168.10.159
Subnet Mask | 255.255.255.192 | 255.255.255.192 | 255.255.255.224
CIDR Value | 8bits.8bits.8bits.2bits | 8bits.8bits.8bits.2bits | 8bits.8bits.8bits.3bits
 | /26 | /26 | /27

IPv4 - 32 Bits - 4 Octets - 8bits.8bits.8bits.8bits - 4 x 8 Bits
Octet bit values: 128 64 32 16 8 4 2 1

Block sizes:
2^n | IP Addresses | CIDR Value
2^0 | 1 | /32
2^1 | 2 | /31
2^2 | 4 | /30
2^3 | 8 | /29
2^4 | 16 | /28
2^5 | 32 | /27
2^6 | 64 | /26
2^7 | 128 | /25
2^8 | 256 | /24
2^9 | 512 | /23
… | 65536 | /16

/30 - 30 bits Network Bits; Host Bits - 2 Bits -- 3 IP Addresses
AWS usable addresses after the 5 reserved: 11 IP Addresses (/28), 27 IP addresses (/27); a /16 has 65536 IP Addresses
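A worked version of the sizing rule behind the table above, added here as an example and not part of the original sheet: pick the smallest AWS-valid prefix that still leaves the required number of usable addresses after the five reserved ones, then carve the tiers out of the VPC CIDR. The Stan-vpc-02 input values come from the sheet; the function names and the largest-block-first allocation order are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

AWS_RESERVED = 5  # network ID, VPC router (.1), network services (.2, .3), broadcast


@dataclass
class SubnetPlan:
    tier: str
    network: ipaddress.IPv4Network
    usable: int                            # block size minus the 5 AWS-reserved addresses
    first_usable: ipaddress.IPv4Address    # network address + 4
    last_usable: ipaddress.IPv4Address     # broadcast address - 1


def prefix_for(hosts: int) -> int:
    """Smallest AWS-valid subnet (/28 .. /16) that still leaves `hosts` usable
    addresses once the five reserved addresses are subtracted."""
    for prefix in range(28, 15, -1):       # /28 is the smallest subnet AWS allows
        if 2 ** (32 - prefix) - AWS_RESERVED >= hosts:
            return prefix
    raise ValueError(f"{hosts} usable addresses do not fit in a /16")


def plan_subnets(vpc_cidr: str, tiers: dict) -> list:
    """Carve one subnet per tier (name -> required usable IPs) out of vpc_cidr.
    Larger blocks are placed first so every block starts on a boundary that is
    a multiple of its own size, matching the sheet's /26, /26, /27 layout."""
    vpc = ipaddress.ip_network(vpc_cidr)
    cursor = int(vpc.network_address)
    plans = []
    for tier, hosts in sorted(tiers.items(), key=lambda kv: prefix_for(kv[1])):
        prefix = prefix_for(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size        # align up to block size
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(vpc):                         # ran out of VPC space
            raise ValueError(f"{tier}: {net} does not fit inside {vpc}")
        plans.append(SubnetPlan(tier, net, size - AWS_RESERVED,
                                net.network_address + 4, net.broadcast_address - 1))
        cursor += size
    return plans


if __name__ == "__main__":
    # Constructed input: the sheet's Stan-vpc-02 example with its three tiers.
    for p in plan_subnets("192.168.10.0/24", {"Web": 50, "App": 30, "DB": 20}):
        print(f"{p.tier:<4} {p.network!s:<18} usable={p.usable:<3} "
              f"first={p.first_usable} last={p.last_usable} "
              f"broadcast={p.network.broadcast_address}")
```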
ROUTE TABLES
Main - Gets automatically created along with VPC creation..
Custom - Route tables created by customers for different requirements
Subnet --- Route Tables -- Integrate…
Subnets without explicit associations follow the routes defined in the main route table

Routes / Rules - How the traffic should flow
Destination | Target
0.0.0.0/0 (Internet) | IGW
Subnet (IP Range) | Gateway / Local

2 Options for a VM to connect to the internet:
- Internet gateway (RT) + Public IP (Instance)
- NAT Gateway + Private IP

Subnet - Rules containing routes for IGW, VPN, NAT GW..
Association - Associate the route table with the appropriate subnets
Edge Association - Network Virtual Firewall - Route table to route the traffic via particular edge appliances

Quotas: 200 Route Tables per VPC (Adjustable); 50 routes per RT (Adjustable)

NAT GW
A highly available, managed Network Address Translation (NAT) service that instances in private subnets can use to connect to services in other VPCs, on-premises networks, or the internet.
Private subnet systems can be allowed to connect to the internet for receiving updates or accessing websites.
Cannot be used for receiving incoming requests -- Only outgoing traffic towards Internet / On premises.

NAT GW | NAT Instance
Managed Service | Customer created Solution
High Availability | EC2 instance - Source NAT - The source / destination check ensures that the instance is the source or destination of all the traffic it sends and receives. Each EC2 instance performs source and destination checks by default
Redundancy | SPOF -- Single Instance; lots of AMIs are available with the NAT feature pre-installed and configured
Up to 45 G… | Instance Type -- EC2 Network interface speed
Maintenance | Customer managed
Cost - Chargeable | Cheaper than NAT GW in most cases
Elastic IP | Elastic IP
Purpose built | Bastion Server / Multi purposed system
 | Port Forwarding
Security gr… | SG Integration - Outbound port / range
NACL integration | NACL integration
VPC flow logs | VPC flow logs
CloudWatch - Monitoring | CloudWatch - Monitoring

NAT Gateway or NAT Instance has to be created in the public subnet -- Elastic IP / Public IP
NAT GW + Network Firewall for URL whitelisting
NAT Instance with Squid proxy or NW Firewall for whitelisting
50,000 simultaneous connections..
TCP / UDP / ICMP Protocols
Source NAT - Source machine IP - ge…
NAT GW - Public IP -- Internet logs

INTERNET GATEWAY
Enabling traffic for your EC2 instances towards Internet
Bidirectional - Incoming / Outgoing
IPv4 and IPv6 (NAT - IPv4 only supported)
Managed Service / Instances - AWS
High Availability - No availability risks / constraints
Redundancy - Autoscaling - Horizontal scaling - Multiple AZ
No bandwidth constraints -- Network traffic
Maintenance and Mgmt - AWS
Cost - Free of Charge; Data Transfer out of a region is chargeable
Internet Gateway attached subnets -- Public Subnets
Subnets without IG attached - Private Subnets
Local Machi… - DNAT - Destination IP is hidden
SNAT

EGRESS ONLY INTERNET GW (EOIG)
Only for IPv6 subnets / instances
Managed Service / Instances - AWS
High Availability - No availability risks / constraints
Redundancy / Resiliency
No bandwidth constraints -- Network traffic
Maintenance and Mgmt - AWS
Chargeable; Data Transfer out of a region is chargeable
Stateful gateway -- Request and response will be fulfilled
Security groups cannot be integrated
NACL integration
VPC flow logs
CloudWatch - Monitoring
VPC PEERING
Interconnecting multiple VPCs within a region or an account, or between regions
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately.
Same account or different account
Local VNET Peering - within Region
Global VNET Peering - Between Regions
AWS Managed - There is no Single point of failure
Routing the traffic between the systems via AWS Backbone network
NO Bandwidth constraints / Bottleneck -- Unlimited speed
Low Latency
Next Hop -- In same region or another region
Bidirectional connection - acceptance
A VPC can be peered with multiple VPCs
Finance de… - Access all resources; we can restrict access in a particular direction
Transitivity - VPC A trusts VPC B, VPC B trusts VPC C; VPC A should get peered with VPC C explicitly
Traffic can be for both IPv4 and IPv6 systems / instances

ENDPOINTS
Allows direct private / AWS backbone access - Avoids public internet
There are three types of VPC endpoints – Interface endpoints, Gateway Load Balancer endpoints, and Gateway endpoints.
Interface endpoints and Gateway Load Balancer endpoints are powered by AWS PrivateLink, and use an Elastic Network Interface (ENI) as an entry point for traffic destined to the service.
Interface endpoints are typically accessed using the public or private DNS name associated with the service, while Gateway endpoints and Gateway Load Balancer endpoints serve as a target for a route in your route table for traffic destined for the service.
Eliminates the need of having an internet gateway / NAT GW / Instance / VPN connection
Instances don't need a public IP address
Traffic doe… - Think of it like a secure channel.. AWS network
Managed Service / Instances - AWS
High Availability - No availability risks / constraints
Redundancy - Horizontal Scaling -- Autoscaling
No bandwidth constraints -- Network traffic
Maintenance and Mgmt - AWS

Gateway Endpoints - Gets created and associated at the VPC level - Route tables
Interface Endpoints - Interface endpoint -- Sits in the subnet and needs to be created for each AZ
- ENI created -- Elastic Network Interface
- Security Group integration -- Port, Protocol, Source / destination
- Private IP as well as private DNS name will get assigned - Private DNS zone…
