VPC Video

Link: https://www.youtube.com/watch?v=jZAvKgqlrjY

Steps to create an internet-connected VPC

  1. Choosing an address range
  2. Creating subnets in Availability Zones
  3. Creating a route to the internet
  4. Authorizing traffic to/from the VPC

Choosing an IP address range

  • Think of sending a letter: you need an address to send it to
  • CIDR notation
    • Used to denote a range of IP addresses
      • 172.31.0.0/16
      • Viewed as a 32-bit number, the top 16 bits stay fixed (the network part); the remaining bits vary across the range
  • Recommended: an RFC 1918 range
    • RFC 1918 defines the private IP address ranges
  • Recommended size: /16
    • 65,536 addresses
  • Avoid ranges that overlap with other networks you might connect to later
    • Other VPCs
    • On-premises data center

Subnets and Availability Zones

  • A VPC spans an entire region
    • It is then broken down into Availability Zones via subnets, e.g.:
      • eu-west-1a - 172.31.0.0/24
      • eu-west-1b - 172.31.1.0/24
      • eu-west-1c - 172.31.2.0/24
  • Each subnet lives in exactly one AZ
    • When you launch a resource, you pick the subnet (and therefore the AZ) it goes into
  • Use at least /24 subnets (251 usable addresses, since AWS reserves 5 per subnet)
  • Span multiple AZs within one VPC by creating a subnet in each
  • You can resize your VPC later on
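The address-range and subnet rules above, worked through in code. This is an added example, not code from the video or from AWS: it uses Python's standard-library ipaddress module to check that a proposed VPC range is RFC 1918, is the recommended /16 (and within the /16 to /28 size AWS accepts), does not overlap networks you may later peer or VPN with, and then carves one /24 per AZ. The AZ names, the on-premises range and the second VPC range are constructed sample values; the figure of 5 reserved addresses per subnet is AWS's documented behaviour and is what turns a /24 into 251 usable addresses. carve_subnets also works for the IPv6 /56-to-/64 split from the next section.

```python
"""VPC address planning with Python's standard-library ipaddress module.

Added example (not from the video). Applies the rules in the notes: pick an
RFC 1918 range, prefer a /16, avoid overlap with networks you may connect to,
and carve one /24 per AZ. AZ names and existing ranges are constructed values.
"""
from __future__ import annotations

import ipaddress

RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# AWS reserves 5 addresses in every subnet (network, VPC router, DNS,
# one for future use, broadcast), so a /24 yields 256 - 5 = 251.
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr: str) -> bool:
    """True if the IPv4 CIDR lies entirely inside one of the private ranges."""
    net = ipaddress.ip_network(cidr)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918_RANGES)


def overlapping(cidr: str, others: list[str]) -> list[str]:
    """Networks in `others` that overlap the proposed CIDR (other VPCs, on-prem)."""
    net = ipaddress.ip_network(cidr)
    return [o for o in others if net.overlaps(ipaddress.ip_network(o))]


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses you can actually assign inside an AWS subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, azs: list[str], new_prefix: int = 24) -> dict[str, str]:
    """Hand out one subnet of the given size per AZ, in order (IPv4 or IPv6)."""
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {az: str(next(candidates)) for az in azs}


def plan_vpc(vpc_cidr: str, azs: list[str], existing: list[str]) -> dict:
    """Validate the VPC range against the notes' rules, then carve per-AZ subnets."""
    net = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not is_rfc1918(vpc_cidr):
        problems.append(f"{vpc_cidr} is not an RFC 1918 private range")
    if not 16 <= net.prefixlen <= 28:  # AWS accepts /16 through /28 for IPv4 VPC blocks
        problems.append(f"{vpc_cidr}: AWS VPC IPv4 blocks must be between /16 and /28")
    elif net.prefixlen != 16:
        problems.append(f"{vpc_cidr} is smaller than the recommended /16")
    for clash in overlapping(vpc_cidr, existing):
        problems.append(f"{vpc_cidr} overlaps {clash}; the two could never be connected")
    subnets = carve_subnets(vpc_cidr, azs) if not problems else {}
    return {"problems": problems, "subnets": subnets}


if __name__ == "__main__":
    # Constructed inputs: the video's example range, three eu-west-1 AZs,
    # a hypothetical on-premises range and another VPC's range.
    plan = plan_vpc("172.31.0.0/16",
                    ["eu-west-1a", "eu-west-1b", "eu-west-1c"],
                    ["10.0.0.0/16", "192.168.0.0/16"])
    for az, cidr in plan["subnets"].items():
        print(f"{az}: {cidr} ({usable_addresses(cidr)} usable addresses)")
    # A range that collides with an existing network is rejected outright.
    for p in plan_vpc("10.0.0.0/16", ["eu-west-1a"], ["10.0.128.0/17"])["problems"]:
        print("problem:", p)
```

Running the script prints the three /24 subnets from the notes with 251 usable addresses each, then the overlap problem for the second, colliding plan.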

IPv6 in your VPC

  • Can have a dual-stack VPC by adding an IPv6 CIDR
  • Fixed sizes for VPC and subnets
    • /56 VPC
    • /64 Subnets

Routing in your VPC

  • Route tables contain rules (routes) that decide where packets go
  • Your VPC has a default (main) route table
  • But you can assign different route tables to different subnets
  • Traffic destined for addresses inside the VPC stays local (the built-in local route)
  • To connect to the internet, create an Internet Gateway
    • Add a route that sends internet-bound traffic to the internet gateway
    • Default route (0.0.0.0/0): anything not matched by the local route or a more specific route goes to the internet gateway

Network Security in your VPC: Security Groups

  • A security group collects members that share a common purpose (e.g. the web servers)
  • Let the web servers accept traffic from the internet
    • Inbound rule: port 80, source any IP (0.0.0.0/0)
  • But let the backend servers accept traffic only FROM the web servers
    • Inbound rule source: the web servers' security group, rather than an IP range
  • Follow the principle of least privilege
  • Security groups have egress (outbound) rules as well as ingress (inbound) rules
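The web/backend security-group layout above, evaluated in code. This is an added example, not code from the video or an AWS API: a small model of how security groups decide whether a new inbound connection is allowed. Rules are allow-only (there is no deny rule); a rule's source is either an IP range or another security group, and in the latter case the sending instance's group membership decides. The group ids (sg-web, sg-backend), instance names, private IPs and the client IP 203.0.113.5 are constructed sample values.

```python
"""Security-group evaluation for a web tier and a backend tier.

Added example, not from the video. Models AWS security-group semantics:
allow-list rules, source as CIDR or as a referenced group, default egress
allow-all. All ids, names and addresses are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    protocol: str     # "tcp", "udp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    source: str       # CIDR such as "0.0.0.0/0", or a group id such as "sg-web"


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list[Rule] = field(default_factory=list)
    # AWS default: a new group permits all outbound traffic until you tighten it.
    egress: list[Rule] = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0")])


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: list[SecurityGroup]


def _rule_matches(rule: Rule, protocol: str, port: int,
                  peer_ip: str, peer_groups: set[str]) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # Group-referenced rule: matches when the peer is a member of that group.
        return rule.source in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)


def ingress_allowed(dst: Instance, protocol: str, port: int,
                    src_ip: str, src: Optional[Instance] = None) -> bool:
    """Allowed if ANY ingress rule in ANY of dst's groups matches (allow-list only)."""
    src_groups = {g.group_id for g in src.groups} if src else set()
    return any(_rule_matches(r, protocol, port, src_ip, src_groups)
               for g in dst.groups for r in g.ingress)


def egress_allowed(src: Instance, protocol: str, port: int,
                   dst_ip: str, dst: Optional[Instance] = None) -> bool:
    """Same logic for outbound rules; with the default rule this is always True."""
    dst_groups = {g.group_id for g in dst.groups} if dst else set()
    return any(_rule_matches(r, protocol, port, dst_ip, dst_groups)
               for g in src.groups for r in g.egress)


# Constructed layout: web tier open to the world on 80, backend reachable
# on 5432 only from members of the web group (least privilege).
SG_WEB = SecurityGroup("sg-web", ingress=[Rule("tcp", 80, 80, "0.0.0.0/0")])
SG_BACKEND = SecurityGroup("sg-backend", ingress=[Rule("tcp", 5432, 5432, "sg-web")])
WEB = Instance("web-1", "172.31.0.10", [SG_WEB])
BACKEND = Instance("db-1", "172.31.1.20", [SG_BACKEND])
INTERNET_CLIENT_IP = "203.0.113.5"   # documentation range, stands in for "any host"

if __name__ == "__main__":
    print("internet -> web:80  ", ingress_allowed(WEB, "tcp", 80, INTERNET_CLIENT_IP))
    print("internet -> web:22  ", ingress_allowed(WEB, "tcp", 22, INTERNET_CLIENT_IP))
    print("internet -> db:5432 ", ingress_allowed(BACKEND, "tcp", 5432, INTERNET_CLIENT_IP))
    print("web -> db:5432      ", ingress_allowed(BACKEND, "tcp", 5432, WEB.private_ip, WEB))
    print("web -> db:22        ", ingress_allowed(BACKEND, "tcp", 22, WEB.private_ip, WEB))
```

The group-referenced rule is the point of the example: the backend never names an IP range, so adding or replacing web servers changes nothing in the backend's rules, and a host on the internet that somehow reaches the backend's address still matches no rule.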

Routing by subnet

  • Web servers go in a public subnet (one with a route to the internet)
  • Backend servers go in a private subnet (no route to the internet)
  • Create a public and a private subnet in each AZ

Outbound-only internet access: NAT gateway

  • Network Address Translation (NAT)
    • The NAT gateway is a highly available virtual device
  • Give the NAT gateway a public IP (it lives in a public subnet)
  • Route internet-bound traffic from the private subnet to the NAT gateway
  • For IPv6, use an egress-only internet gateway instead

Route Tables

  • A route table contains a set of rules, called routes, that are used to determine where network traffic is directed
  • Each subnet in your VPC must be associated with a route table
    • The table controls the routing for the subnet
  • A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table
  • Default Route Limit per VPC is 200
  • If you do not explicitly associate a subnet with a route table, it is implicitly associated with the main route table (the default route table)
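Route-table lookup and subnet association, as described in the Routing, Routing by subnet, NAT gateway and Route Tables notes above. This is an added example, not code from the video or an AWS API. It models the three behaviours the notes describe: the most specific matching route wins, the built-in local route keeps intra-VPC traffic inside the VPC, and a subnet with no explicit association falls back to the main route table. The public table's default route points at an internet gateway, the private table's at a NAT gateway, and a narrower route to a peered VPC shows a more specific route beating 0.0.0.0/0. The gateway ids (igw-EXAMPLE, nat-EXAMPLE, pcx-EXAMPLE), subnet names and the 10.0.0.0/16 peer range are constructed placeholders.

```python
"""Route-table lookup and subnet association for a VPC.

Added example, not from the video. Implements longest-prefix match over a
route table and the main-table fallback for unassociated subnets. Gateway
ids and subnet names are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    destination: str   # CIDR this route matches
    target: str        # "local", or a gateway / peering id


@dataclass
class RouteTable:
    name: str
    routes: list[Route]

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match: among matching routes, the narrowest CIDR wins."""
        ip = ipaddress.ip_address(dst_ip)
        best: Optional[Route] = None
        best_len = -1
        for r in self.routes:
            net = ipaddress.ip_network(r.destination)
            if ip in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best.target if best else None


@dataclass
class Vpc:
    cidr: str
    main_table: RouteTable
    associations: dict[str, RouteTable] = field(default_factory=dict)

    def table_for(self, subnet: str) -> RouteTable:
        """Explicit association if one exists, otherwise the main (default) table."""
        return self.associations.get(subnet, self.main_table)

    def next_hop(self, subnet: str, dst_ip: str) -> Optional[str]:
        return self.table_for(subnet).lookup(dst_ip)


def build_example_vpc() -> Vpc:
    """Constructed layout: public and private subnets in 1a, an unassociated subnet in 1b."""
    local = Route("172.31.0.0/16", "local")          # every table carries the local route
    main = RouteTable("main", [local])               # main table: no internet route at all
    public = RouteTable("public", [
        local,
        Route("10.0.0.0/16", "pcx-EXAMPLE"),         # more specific: a peered VPC
        Route("0.0.0.0/0", "igw-EXAMPLE"),           # everything else: internet gateway
    ])
    private = RouteTable("private", [
        local,
        Route("0.0.0.0/0", "nat-EXAMPLE"),           # outbound-only, via the NAT gateway
    ])
    return Vpc("172.31.0.0/16", main, {
        "public-1a": public,
        "private-1a": private,
        # "orphan-1b" is deliberately left unassociated -> falls back to main
    })


if __name__ == "__main__":
    vpc = build_example_vpc()
    for subnet, dst in [("public-1a", "172.31.2.7"), ("public-1a", "10.0.4.1"),
                        ("public-1a", "203.0.113.5"), ("private-1a", "203.0.113.5"),
                        ("orphan-1b", "203.0.113.5")]:
        print(f"{subnet:11} -> {dst:12} via {vpc.next_hop(subnet, dst)}")
```

The orphan subnet is the case worth noticing: because the main table carries only the local route, a subnet you forgot to associate has no path to the internet, which is the safe default but also a common reason a freshly launched instance cannot reach anything outside the VPC.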

Extras

VPC Security Comparison