
[AWS Certified Solutions Architect] VPC

SenJ 2022. 3. 21. 08:57

Summary

** Multiple VPCs can be configured in a Region, and a VPC can be configured to span multiple AZs

** To connect a Private Subnet to the outside internet, configure Bastion Hosts / a NAT Instance / a NAT Gateway in the Public subnet and connect them to the Internet Gateway through the routing table. Bastion Hosts / NAT Instances are instance-based external connections, so Security Group configuration is required. A NAT Gateway needs no Security Group configuration, is managed by AWS, and supports HA.

** To connect a Private Subnet to AWS services without going through the internet: Interface Endpoint / Gateway Endpoint (S3, DynamoDB)

PrivateLink is exposing a VPC through an Endpoint to your own account and to other accounts.

** Connections between VPCs : VPC Peering (1-to-1), Transit Gateway (star topology)

** To connect a VPC to on-premises there are Site-to-Site VPN (Virtual Private Gateway and Customer Gateway configuration required) / Direct Connect. Direct Connect carries more traffic, but setup takes about a month. The keyword for Site-to-Site is IPsec

** When tying multiple on-premises sites to a VPC, use CloudHub; when tying multiple AWS VPCs to on-premises, connect a Transit Gateway through a Direct Connect Gateway

Private IP

- Big networks : 10.0.0.0 ~ 10.255.255.255 (10.0.0.0/8)

- AWS default VPC range : 172.16.0.0 ~ 172.31.255.255 (172.16.0.0/12)

- Home network : 192.168.0.0 ~ 192.168.255.255 (192.168.0.0/16)

VPC : Virtual Private Cloud, can have multiple VPCs in an AWS region

Default : All new AWS accounts have a default VPC. New EC2 instances are launched into the default VPC if no subnet is specified, and have public IPv4 addresses

Subnet : AWS reserves 5 IP addresses (first 4 & last 1) in each subnet
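An added example (not from the original notes or the course) that works out which five addresses AWS reserves in a subnet and whether a CIDR falls inside the private ranges listed above; the role labels for the first four addresses are the standard AWS ones, and the sample CIDRs are constructed.

```python
# Added example: AWS reserves the first 4 and last 1 address of every subnet.
import ipaddress

# The three RFC 1918 ranges from the notes above.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# What AWS uses the first four addresses for; the last address (network
# broadcast) is reserved as well, giving 5 reserved addresses in total.
FIRST_FOUR_ROLES = ("network address", "VPC router", "Amazon-provided DNS",
                    "reserved for future use")


def is_private(cidr: str) -> bool:
    """True if the CIDR sits entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def reserved_addresses(cidr: str) -> dict:
    """Map each of the 5 reserved addresses in the subnet to its role."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = {str(net.network_address + i): role
                for i, role in enumerate(FIRST_FOUR_ROLES)}
    reserved[str(net.broadcast_address)] = "broadcast address"
    return reserved


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances after AWS takes its 5."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:   # AWS subnet sizes are /16 .. /28
        raise ValueError("AWS subnets must be between /16 and /28")
    return net.num_addresses - 5


if __name__ == "__main__":
    for cidr in ("10.0.1.0/24", "172.31.0.0/28"):   # constructed sample CIDRs
        kind = "private" if is_private(cidr) else "public"
        print(cidr, kind, usable_hosts(cidr), "usable addresses")
        for addr, role in reserved_addresses(cidr).items():
            print("  ", addr, "->", role)
```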

Internet Gateway : allows resources in a VPC to connect to the Internet, scales horizontally, must be created separately from the VPC. One VPC can only be attached to one IGW and vice versa; the route table must be edited

Bastion Hosts : the bastion sits in the public subnet and is connected to all the other private subnets, so we SSH into it to reach our private EC2 instances. It should only accept port 22 traffic from the IP addresses you need; its Security Group must be tightened

NAT instance : allows EC2 instances in private subnets to connect to the internet, must be launched in a public subnet, must have the EC2 Source/destination Check setting disabled, must have an Elastic IP attached to it; Internet traffic bandwidth depends on the EC2 instance type

NAT gateway : managed NAT, higher bandwidth, H/A, created in a specific AZ, uses an Elastic IP, requires an Internet GW (Private subnet -> NAT GW -> IGW), pay per hour for usage and bandwidth, 5~45 Gbps bandwidth, no Security Groups needed

- A NAT GW is resilient within a single AZ only; you must create multiple NAT GWs for multi-AZ resilience

DNS Resolution : DNS service in VPC

** A Private VPC uses Private IPs, which are assigned automatically inside the subnet (they cannot be released). The ways to connect it to the outside environment are

Bastion Hosts : an instance in the Public VPC that allows SSH connections. Security Group configuration is important

NAT Instance : an instance in the Public VPC that allows internet connections. Source/destination Check must be disabled and an Elastic IP configured; bandwidth follows the instance performance

NAT Gateway : supports H/A; charged per hour according to usage and bandwidth

and internet connectivity is granted by connecting the NAT to the Internet Gateway, which allows external access. (Route table configuration is required for this.)

NACL : control traffic from and to subnets, One NACL per subnet, new subnets are assigned the Default NACL

- NACL rules : each rule has a number, and a lower number means higher precedence; the first matching rule drives the decision; the last rule is an * that denies a request when no rule matches; newly created NACLs deny everything

Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)

Supports allow rules and deny rules

Ephemeral Ports : the response goes back to the client port that was chosen when the client connected

** Compared with a Security Group, the biggest differences of a NACL are

1. Subnet level : a Security Group is at the Instance level

2. Stateless : simply put, it does not remember state, so even if Inbound is allowed, that information is not remembered and the same traffic must be configured to be allowed Outbound as well (Ephemeral Ports). For a web application, which does Request/Response, if Inbound (Outbound) is allowed then Outbound (Inbound) is allowed automatically (Security Group).

3. Allow/Deny : because of the Stateless nature, both Allow and Deny settings are needed
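An added example (not from the original notes or the course) that models NACL evaluation, ascending rule number, first match wins, implicit * deny, and shows why the stateless rule set needs an explicit outbound allow for the ephemeral port range before an HTTPS response can leave the subnet. The rule numbers, CIDRs and client address are constructed.

```python
# Added example: a minimal model of NACL rule evaluation (stateless).
from dataclasses import dataclass
import ipaddress

EPHEMERAL = (1024, 65535)   # port range a client's return traffic arrives on


@dataclass(frozen=True)
class Rule:
    number: int      # lower number = evaluated first
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple     # inclusive (low, high); ignored when protocol == "all"
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, addr, port):
    """NACL semantics: walk rules by ascending number, first match decides,
    and the implicit final '*' rule denies anything left over."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != "all" and not r.ports[0] <= port <= r.ports[1]:
            continue
        return r.action
    return "deny"   # the '*' rule


# Constructed inbound rules for a public subnet serving HTTPS: a low-numbered
# deny for one abusive range wins over the general allow that follows it.
INBOUND = [
    Rule(90, "all", "198.51.100.0/24", (0, 0), "deny"),
    Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
]

# Wrong outbound set: mirrors port 443 only, but the response to a client that
# connected from ephemeral port 50000 is checked against dst port 50000.
OUTBOUND_WRONG = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]

# Fixed outbound set: allow TCP to the ephemeral range so responses can leave.
OUTBOUND_FIXED = [Rule(100, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")]


def https_session(outbound_rules, client="203.0.113.7", client_port=50000):
    """Evaluate the request in and the response out; both must be allowed."""
    request = evaluate(INBOUND, "tcp", client, 443)
    response = evaluate(outbound_rules, "tcp", client, client_port)
    return request, response
```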

Reachability Analyzer : network diagnostics tool that troubleshoots network connectivity between two endpoints in VPCs

Connections within AWS

VPC peering : privately connect two VPCs using AWS' network; not transitive, must be established for each pair of VPCs that need to communicate with one another, and the route tables in each VPC's subnets must be updated

VPC endpoints : allows you to connect to AWS services using a private network instead of using the public internet

- Interface : provisions an ENI as an entry point, supports most AWS services

- Gateway : provisions a gateway, supports S3 and DynamoDB

** VPC peering is a 1-to-1 connection between VPCs and cannot be reused for other VPCs. Endpoints are for connections to other AWS services. A Gateway Endpoint connects to S3 and DynamoDB; the remaining services are connected through an Interface Endpoint

Connections between AWS and On-premises

Site-to-Site VPN : Virtual Private Gateway & Customer Gateway, enable Route Propagation

VPN CloudHub : provides secure communication between multiple sites (VPN connections); connects multiple VPN connections on the same VGW

Direct Connect : dedicated private connection from a remote network to your VPC; access public resources (S3) and private EC2 over the same connection

- Dedicated connections : 1 Gbps ~ 10 Gbps / Hosted connections : 50 Mbps, 500 Mbps; capacity can be added or removed on demand

- Data in transit is not encrypted but is private

AWS PrivateLink : most secure & scalable way to expose a service to 1000s of VPCs; requires an NLB and ENI, or a GWLB

Transit Gateway : transitive peering between thousands of VPCs and on-premises, hub-and-spoke (star) connection, supports IP multicast

VPC Flow Logs : capture information about IP traffic going into interfaces -> can go to S3 / CloudWatch Logs; query VPC flows using Athena on S3 or CloudWatch Logs Insights
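An added example (not from the original notes or the course) that parses Flow Log records in the default version 2 field order and flags sources whose SSH attempts were REJECTed against several private hosts, the kind of check the notes describe running over the logs in S3 or CloudWatch. The log lines, account id and ENI id are constructed.

```python
# Added example: parse default-format VPC Flow Log records and flag
# sources with repeated REJECTs on TCP/22 across multiple private hosts.

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one address probing SSH on three hosts (all rejected),
# a normal HTTPS session, and a record where no traffic was captured.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 50123 22 6 8 480 1647820800 1647820860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.26 50124 22 6 8 480 1647820800 1647820860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.27 50125 22 6 8 480 1647820800 1647820860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.25 44310 443 6 20 9400 1647820800 1647820860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1647820800 1647820860 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA records are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                     # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                     # no traffic fields to analyse
        for key in ("srcport", "dstport", "protocol", "packets", "bytes",
                    "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ssh_sources(records, min_targets=3):
    """Map source -> number of distinct hosts where its TCP/22 traffic
    was REJECTed, keeping only sources at or above min_targets."""
    targets = {}
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6 and r["dstport"] == 22:
            targets.setdefault(r["srcaddr"], set()).add(r["dstaddr"])
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records parsed")
    print("suspicious SSH sources:", rejected_ssh_sources(recs))
```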

Traffic Mirroring : capture and inspect network traffic in your VPC

IPv6 : IPv4 cannot be disabled for your VPC and subnets, you can enable IPv6 to operate in dual-stack mode

- if you cannot launch an EC2 instance -> create a new IPv4 CIDR in your subnet

Source : Udemy Ultimate AWS Certified Solution Architecture Associate 2022