Virtual Private Cloud - Kahuna915/Capstone-Cloud-Integration GitHub Wiki

What is a VPC?

A Virtual Private Cloud (VPC) is a logically isolated virtual network that you define inside your AWS account. It behaves like a traditional network, with subnets, gateways, route tables and IP address ranges, plus AWS-specific features such as endpoints, peering and flow logs.

VPC Features

Subnets

  • A subnet is a range of IP addresses carved out of the VPC's CIDR block. A subnet lives in a single Availability Zone. A VPC can contain both public subnets (whose route table has a route to an internet gateway) and private subnets (no direct route to the internet).
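As an added example (not code from the Capstone-Cloud-Integration wiki), the following Python carves an assumed 10.0.0.0/16 VPC into one public and one private /24 subnet per Availability Zone, reports usable host counts, and checks the plan for overlaps and for the /16 to /28 subnet sizes AWS allows before anything is created. The VPC CIDR, the AZ names and the subnet size are assumptions.

```python
# Added example, not code from the Capstone-Cloud-Integration wiki.
# Plans public/private subnets for a VPC and validates the plan offline.
# VPC_CIDR, AZS and SUBNET_PREFIX are assumed values for illustration.
import ipaddress
from typing import Dict, List, Tuple

VPC_CIDR = "10.0.0.0/16"              # assumed VPC CIDR block
AZS = ["us-east-1a", "us-east-1b"]    # assumed Availability Zones
SUBNET_PREFIX = 24                    # assumed subnet size: one /24 per tier per AZ

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr: str = VPC_CIDR, azs: List[str] = AZS,
                 prefix: int = SUBNET_PREFIX) -> List[Dict[str, str]]:
    """Allocate consecutive /prefix blocks from the VPC CIDR, a public and a
    private subnet per AZ, in AZ order. Each entry records its tier so the
    public ones can later be given the internet-gateway route."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=prefix)   # yields /prefix networks in address order
    plan: List[Dict[str, str]] = []
    for az in azs:
        for tier in ("public", "private"):
            plan.append({"name": f"{tier}-{az}", "az": az,
                         "tier": tier, "cidr": str(next(blocks))})
    return plan


def usable_hosts(cidr: str) -> int:
    """Addresses an EC2 instance could actually receive in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(plan: List[Dict[str, str]],
                  vpc_cidr: str = VPC_CIDR) -> Tuple[bool, List[str]]:
    """Check that every subnet is inside the VPC and within AWS's /16-/28
    limits, and that no two subnets overlap. Returns (ok, problems)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(p["cidr"]) for p in plan]
    problems: List[str] = []
    for p, n in zip(plan, nets):
        if not n.subnet_of(vpc):
            problems.append(f"{p['name']}: {n} is not inside {vpc}")
        if not 16 <= n.prefixlen <= 28:
            problems.append(f"{p['name']}: /{n.prefixlen} is outside the /16-/28 range AWS allows")
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                problems.append(f"{plan[i]['name']} overlaps {plan[j]['name']}")
    return (not problems, problems)


if __name__ == "__main__":
    plan = plan_subnets()
    for entry in plan:
        print(f"{entry['name']:<22} {entry['cidr']:<16} usable hosts: {usable_hosts(entry['cidr'])}")
    ok, problems = validate_plan(plan)
    print("plan ok" if ok else "\n".join(problems))
```

Running the block prints the four subnets (10.0.0.0/24 through 10.0.3.0/24) with 251 usable hosts each; feeding `validate_plan` a list with an overlapping or out-of-VPC entry returns the problems instead, which is the check worth running before handing the plan to the console or to infrastructure-as-code.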

IP addressing

  • Private IPv4 addresses come from the subnet's range. Public IPv4 addresses and Elastic IP addresses can be assigned to EC2 instances, NAT gateways, and Network Load Balancers.

Network Load Balancer

  • A load balancer distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses. It routes traffic only to healthy targets and scales to accommodate most workloads. A Network Load Balancer operates at layer 4 of the OSI model (Transport).
    • Listener: checks for connection requests from clients, using the protocol and port configured, and forwards them to a target group.
    • Target Group: routes requests to one or more registered targets, such as EC2 instances, using the configured protocol (TCP, UDP or TLS) and port number.

Routing

  • Within a VPC, route tables determine where traffic leaving a subnet is directed. Every subnet is associated with exactly one route table, and one route table can serve several subnets.
  • For a private subnet, a route for 0.0.0.0/0 pointing at a NAT gateway lets instances in that subnet reach the internet (the NAT gateway performs port address translation) while unsolicited inbound connections are still blocked. Routes apply to the whole subnet, not to a single machine; to limit which instances can use the route, place them in a different subnet or restrict them with security groups or network ACLs.
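As an added example (not code from the wiki or from AWS), the following Python simulates how a VPC route table selects a target for a packet: the route with the longest matching prefix wins, the local route covers the VPC itself, and a destination that matches no route is dropped. It also shows the caveat above about a missing route: a private subnet with no route for a peered VPC sends that traffic to its default route (the NAT gateway) instead. The CIDRs and the igw-/nat-/pcx- identifiers are hypothetical.

```python
# Added example, not code from the Capstone-Cloud-Integration wiki.
# Simulates VPC route-table selection (longest prefix match). CIDRs and
# gateway IDs below are hypothetical; AWS assigns the real IDs at creation.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (destination CIDR, target)

VPC_CIDR = "10.0.0.0/16"    # assumed VPC CIDR
PEER_CIDR = "10.1.0.0/16"   # assumed CIDR of a peered VPC

IGW = "igw-0aaa111122223333a"   # hypothetical internet gateway
NAT = "nat-0bbb111122223333b"   # hypothetical NAT gateway
PCX = "pcx-0ccc111122223333c"   # hypothetical peering connection

PUBLIC_RT: List[Route] = [
    (VPC_CIDR, "local"),      # every route table carries this local route
    (PEER_CIDR, PCX),         # peered VPC reached over the peering connection
    ("0.0.0.0/0", IGW),       # default route to the internet gateway
]
PRIVATE_RT: List[Route] = [
    (VPC_CIDR, "local"),
    (PEER_CIDR, PCX),
    ("0.0.0.0/0", NAT),       # outbound internet only, via the NAT gateway
]
# Same private table but someone forgot the peering route.
PRIVATE_RT_NO_PEER: List[Route] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", NAT),
]


def lookup(route_table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the table; None means no route, so the
    packet is dropped."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return None if best is None else best[1]


def is_public_subnet(route_table: List[Route]) -> bool:
    """AWS's definition of a public subnet: its route table has a route to an
    internet gateway. Without one, a host is unreachable from the internet
    even if it holds a public IP address."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    for name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT),
                        ("private, no peer route", PRIVATE_RT_NO_PEER)):
        print(f"{name} subnet (public: {is_public_subnet(table)})")
        for dst in ("10.0.3.7", "10.1.5.5", "93.184.216.34"):
            print(f"  {dst:<14} -> {lookup(table, dst) or 'no route, dropped'}")
```

The third table shows why peering routes must be added on both sides: 10.1.5.5 is a private address in the peer VPC, but with no pcx- route it falls through to 0.0.0.0/0 and leaves via the NAT gateway, where it can never be answered.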

Gateways and endpoints

  • A gateway connects the VPC to networks outside it: an internet gateway to the internet, a virtual private gateway to a remote network over VPN. A VPC endpoint connects the VPC privately to supported AWS services, without an internet gateway or NAT device, so that traffic never leaves the AWS network.

Peering connections

  • A VPC peering connection routes traffic between the resources in two VPCs using private IP addresses. Peering is not transitive: if VPC A is peered with B and B with C, A cannot reach C through B.

Traffic Mirroring

  • Traffic Mirroring copies network traffic from an elastic network interface and sends it to a security or monitoring appliance for deep packet analysis.

Transit gateway

  • A transit gateway acts as a central hub, routing traffic between VPCs, Site-to-Site VPN connections, and AWS Direct Connect connections.

VPC Flow Logs

  • A flow log captures metadata about the IP traffic going to and from network interfaces in the VPC (source and destination address, ports, protocol, byte count, and whether the traffic was accepted or rejected); it does not capture packet contents. Records are delivered to CloudWatch Logs or S3.
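As an added example (not code from the wiki or from AWS), the following Python parses flow log records in the default version 2 format and flags a source that was REJECTed on many distinct ports of one destination, which is the trace a port scan leaves in flow logs and the kind of detection that fits a class where students scan the network. The log lines are constructed for the example; the account and interface IDs in them are made up.

```python
# Added example, not code from the Capstone-Cloud-Integration wiki.
# Parses VPC Flow Log records (default, version 2 format) and reports
# REJECT-heavy source/destination pairs that look like port scans.
# SAMPLE_LOG is constructed; account and interface IDs are made up.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Default flow log format: space separated, in this field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA number: 6 TCP, 17 UDP, 1 ICMP
    byte_count: int
    action: str        # ACCEPT or REJECT


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for blank, malformed, NODATA and SKIPDATA
    lines (those carry '-' in the traffic fields and have no action)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or rec["action"] not in ("ACCEPT", "REJECT"):
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]),
                      int(rec["protocol"]), int(rec["bytes"]), rec["action"])


def parse_log(text: str) -> List[FlowRecord]:
    """Parse every line, silently skipping the ones parse_record rejects."""
    records: List[FlowRecord] = []
    for line in text.splitlines():
        r = parse_record(line)
        if r is not None:
            records.append(r)
    return records


def find_port_scans(records: List[FlowRecord], min_ports: int = 10) -> Dict[str, Set[int]]:
    """Group REJECTed flows by (src, dst); any pair touching at least
    min_ports distinct destination ports is reported as 'src->dst': ports."""
    rejected: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected[(r.srcaddr, r.dstaddr)].add(r.dstport)
    return {f"{s}->{d}": ports for (s, d), ports in rejected.items()
            if len(ports) >= min_ports}


# Constructed sample: 10.0.1.25 sweeps 12 ports on 10.0.2.10 (all rejected by
# the security group), plus ordinary accepted traffic and a NODATA record.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    [f"2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.10 {40000 + i} {p} 6 1 44 "
     f"1700000000 1700000060 REJECT OK" for i, p in enumerate(SCAN_PORTS)]
    + ["2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.30 10.0.2.10 52000 22 6 20 4249 1700000000 1700000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.0.15 51234 80 6 8 1200 1700000000 1700000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - NODATA"]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records")
    for pair, ports in find_port_scans(recs).items():
        print(f"possible port scan {pair}: {len(ports)} ports rejected: {sorted(ports)}")
```

Flow logs aggregate over a capture window, so a scanner that hits one port per window still shows up as one REJECT record per port; the threshold `min_ports` is the knob to tune against the normal REJECT noise on an interface. Custom flow log formats reorder or drop fields, so `FIELDS` has to match the format configured on the flow log.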

VPN Connection

  • AWS offers Site-to-Site VPN, Client VPN, VPN CloudHub, and support for third-party VPN software running on an EC2 instance.

Site-to-Site

  • A Site-to-Site VPN is an IPsec connection between the VPC and a remote network. On the AWS side it terminates on a virtual private gateway or a transit gateway, which provides two tunnel endpoints for failover; on the remote side it terminates on a customer gateway device.

AWS Client VPN

  • A managed, client-based VPN service that gives users secure access to AWS resources and to on-premises networks from any location.
  • With Client VPN, you configure an endpoint to which users establish a TLS connection using an OpenVPN-based client.

AWS VPN CloudHub

  • If there are multiple Site-to-Site VPN connections on the same virtual private gateway, CloudHub enables the remote sites to communicate with each other through it, and not just with the VPC.

Third Party VPN software

  • Amazon also allows a third-party VPN to run on an EC2 instance. The instance is booted and configured with the VPN software; if it has a public address, it can accept connections from a remote network. Source/destination checking must be disabled on the instance's network interface so that it can forward traffic that is not addressed to itself.

Why a VPC is useful

A VPC will be useful to cyber.AWS for many reasons. For example, a VPC lets us run a VPN through which students reach their AWS machines. A VPC also allows for test environments: machines on a private subnet can communicate with each other internally but not with the internet.

  • A VPC can be used to put students' workstations on the same subnet, or on similar ones, so that a whole class environment is built as one network.
  • A VPC can be used to route between two subnets so that students must scan the network and work out how to pivot between them, for classes such as Eth Hack.

Elastic IP

An Elastic IP address is a static public IPv4 address allocated to your AWS account. It remains yours until you release it and can be associated with any instance or network interface in the same Region, and re-associated when an instance is replaced. Because it is static, it can be placed in a DNS record so that a domain name points at the instance.

How to create a VPC

Creating a Site-to-Site VPN