VPC - kimschles/schlesinger-knowledge GitHub Wiki

Virtual Private Network

A VPC is private subsection of AWS or GCP that you control. You decide who can access the resources you put in your VPC.

All info from these notes is from a presentation by Sarah Zelechoski: An Introduction to Amazon VPC: Private Islands for Rent

New materials!

A VPC is like renting a private island from Amazon.

VPC

  • Self-contained: You get a CIDR of your choosing
  • You can customize your subnet structure, routing and security

Region

  • Like the part of the earth where the island resides
  • In AWS, you select a region that is in one geographical area
  • There are multiple datacenters
  • You can have the datacenter close to you or your customers
  • A VPC lives in one region

Internet Gateway

  • This is like the channel that takes you from your island to the ocean
  • All communication with the internet happens through IGW
  • One IGW per VPC
  • Public subnets use as default gateway
  • Private subnets use a NAT gateway to send traffic to the IGW

Subnets

Public Subnet

  • Like the shallow water around the island
    • Instances have public IP
    • Traffic will flow directly to the IGW
    • Can interface with instances inside
    • Houses all ingress points to your VPC
    • Security is important! Minimize your footprint

DMZ

  • Like the guest cabanas
  • VPN appliance

Bastion Host

  • Like the helipad
  • An ingress point that is an alternative VPN
  • Access prive instances
    • SSH for Admins
    • Tunnel for automation tools
  • Needs strict security
    • Restrict ports
    • SSH user-specific keys

Elastic Load Balancer

  • Like the arrival jetty where vistors come and walk onto the island
  • Public interface
  • Gateway to your applications and services
  • Expose different ports outside vs. inside
  • SSL and SSL termination
  • High availability and failover

NAT

  • Private Egrees
  • Maps a private network to a public address
  • Allows information from the private subnet to go out to the internet
  • Often used to reach out for git, apt/yum

Private Subnet

  • Instances only have private addresses
  • Ingress is through an ELB
  • Egress ithrough a NAT gateway
  • You can lock it down more through:
    • Networks ACLs
    • Security Groups

Routing Tables

  • Like a Concierge: showing people different places
  • How traffic gets from place to place
  • VPC CIDR is local by default
  • You need private and public routing tables
    • Public: 0.0.0.0/0 is attached to your IGW
    • Private: 0.0.0.0/0 is attached to your NAT Gatewat
  • There is one route table associated with a subnet
  • The can be many subnets with the same route table

Network ACLs

  • Like a front gate
  • Controls access to a subnet
  • Default allows all users

Security Groups

  • Like a door lock
  • Instance based (like each instance is a door)
  • Associated with a network interface
  • Ingress and egress
    • tcp, udp, icmp ports
    • SG or specific CIDR
  • Stateful
  • Principle of least privilege
  • Port-based or role-based

Advanced Topics