AWS Solutions Architect/training/Section 5: Advanced Amazon VPC: Difference between revisions
No edit summary
Section 5 videos 45-53 notes
Line 25:
class C network numbers.</ref>
**https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html
**Solarwinds has an interactive (not obvious) calculator https://www.solarwinds.com/free-tools/advanced-subnet-calculator and there's a similar calculator at https://www.site24x7.com/tools/ipv4-subnetcalculator.html
*45. [HOL] Create a Custom VPC
**Sometimes when you perform an action in the AWS console, it shows the equivalent AWS CLI command for that action, e.g. <code>aws ec2 attach-internet-gateway --vpc-id "vpc-0a00177c33db94123" --internet-gateway-id "igw-0daed3800abd56791" --region us-east-1</code>
*46. VPC Routing Deep Dive
**Routing between "local" cloud resources and an on-premises data center (connected via a VPG, the virtual private gateway) that uses an identical private IP address range
**Routing when you want all return traffic from the Internet to pass through a security appliance
*47. Security Groups and Network ACLs
**Security Groups can be applied to instances in any subnet
**A Security Group has an implicit DENY: anything not explicitly allowed is dropped
**Network ACLs operate at the network (subnet) level
**Network ACLs are numbered and processed in order (lowest number first), so an '''explicit''' DENY is never reached (and therefore ignored) if an earlier ALLOW already permitted the traffic.
*48. [HOL] Configure Security Groups and NACLs
*49. NAT Gateways and NAT Instances
**A NAT Gateway is created in a '''public''' subnet and is used to allow outbound traffic from instances in a private subnet (e.g. to download software and patches).
**The route to the NAT Gateway needs to be in the '''private''' subnet's route table.
**A NAT Gateway is a managed service, whereas a NAT Instance is an instance you manage yourself. The managed service scales automatically and offers some other advantages, but you pay for the privilege. A NAT Instance can double as a bastion host (or "jump host" for SSH), but since you are managing it, you need to do the extra work for those "features" yourself.
*50. [HOL] Private Subnet with NAT Gateway
*51. Using IPv6 in a VPC
**AWS assigns a /56 IPv6 address range to your VPC.
**Subnets receive a /64 address range, allowing 18 million trillion addresses each.
**A hexadecimal pair (00 - FF) is assigned to each subnet, providing for 256 /64 subnets per VPC, e.g. 2406:da1c:f7b:ae00::/56
**You can have an "Egress-only" Internet Gateway to allow IPv6 traffic outbound but not inbound.
*52. [HOL] Configure IPv6
**Test with <code>ping6</code> or <code>ping -6</code>
*53. VPC Peering
**Enables routing using private IPv4 or IPv6 addresses.
**CIDR blocks cannot overlap, which is another argument against using IPv4 for anything.
**Peering is not transitive, so each VPC must establish a peering connection with every other VPC it needs to route to. In other words, you need to set up and manage the entire mesh of connections.
*54. [HOL] Configure VPC Peering
*55. VPC Endpoints
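The ordered Network ACL evaluation and the Security Group's implicit DENY described under item 47, as an added worked example (my own illustration, not code from the course or from AWS). The <code>Rule</code> class and the rule sets are constructed for the example, and the model covers only inbound rule matching.

```python
# Added example (not from the course, AWS, or the original notes): a small
# model of how a VPC network ACL evaluates numbered rules versus how a
# security group evaluates allow-only rules. Rule sets below are constructed.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    number: int = 0        # NACL only: rules are evaluated in ascending order
    action: str = "allow"  # NACL only: security groups have allow rules only

def _matches(rule, protocol, port, src_ip):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr))

def nacl_evaluate(rules, protocol, port, src_ip):
    """First matching rule wins. Returns (action, rule number); a rule number
    of None means the implicit final '*' rule denied the traffic."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, src_ip):
            return rule.action, rule.number
    return "deny", None

def sg_evaluate(rules, protocol, port, src_ip):
    """Security group: anything not explicitly allowed is implicitly denied."""
    if any(_matches(r, protocol, port, src_ip) for r in rules):
        return "allow"
    return "deny"

# Constructed inbound NACL: rule 100 allows SSH from 10.0.0.0/8 and rule 200
# explicitly denies SSH from 10.0.5.0/24. Rule 100 matches first, so the
# deny at 200 is never reached for a host in 10.0.5.0/24.
NACL_DENY_TOO_LATE = [
    Rule("tcp", 22, 22, "10.0.0.0/8", number=100, action="allow"),
    Rule("tcp", 22, 22, "10.0.5.0/24", number=200, action="deny"),
]
# Same rules renumbered so the narrower deny is evaluated before the allow.
NACL_DENY_FIRST = [
    Rule("tcp", 22, 22, "10.0.5.0/24", number=50, action="deny"),
    Rule("tcp", 22, 22, "10.0.0.0/8", number=100, action="allow"),
]
# Security group equivalent: one allow rule, no ordering, implicit deny.
SG_SSH_FROM_CORP = [Rule("tcp", 22, 22, "10.0.0.0/8")]
```

Auditing a NACL therefore means checking that every DENY has a lower number than any broader ALLOW it is meant to override.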