[AWS Certification + Server Management Master] Week 3: VPC (Virtual Private Cloud)
[Course Outline]
1. IAM & EC2
2. EC2 : Elastic Load Balancing(ELB) & Auto Scaling
3. VPC
4. Database
5. Storage
6. Application Services
7. AWS Well-Architected Framework & DevOps
8. Presentation & Review
- Amazon Virtual Private Cloud (Amazon VPC) is a virtual network dedicated to your AWS account.
- A VPC is logically isolated from other virtual networks in the AWS Cloud.
[VPC]
- One default VPC per AWS region
- Block sizes must be between a /16 netmask and /28 netmask
- Main CIDR range cannot be modified
- Tenancy: Default (Shared) vs Dedicated (Single)
- By default, a VPC security group, a NACL, a routing table, a route for local
- Carefully choose VPC CIDR range to avoid network address conflict if connecting to other networks through VPN or VPC peering
- Default VPC can be deleted
[Subnet]
- A logical subdivision of an IP network(VPC)
- Reside in an Availability Zone
- Subnet CIDR block can be the same as VPC CIDR block
- Subnet CIDR block cannot be smaller than /28 netmask
- The first four IP addresses and the last IP address in each subnet CIDR block are not available
- https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/what-is-amazon-vpc.html
- Public Subnet mask vs Private Subnet mask? What's the difference?
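Added worked example (not part of the course notes): a small checker for the VPC and subnet limits listed above (/16 to /28 block sizes, no subnet smaller than /28, five reserved addresses per subnet, no overlap with a VPN or peering partner). All CIDRs are constructed sample values.

```python
import ipaddress

# Added example (not from the course notes): check a VPC/subnet plan against
# the limits listed above and list the five addresses AWS reserves per subnet.
# All CIDRs used here are constructed sample values.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # block must be between /16 and /28

def reserved_addresses(subnet_cidr):
    """The first four addresses and the last address of a subnet are unusable."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]

def usable_hosts(subnet_cidr):
    """Addresses an instance can actually receive: total minus the 5 reserved."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5

def validate_plan(vpc_cidr, subnet_cidrs, peer_cidrs=()):
    """Return a list of problems; an empty list means the plan is acceptable."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not VPC_MIN_PREFIX <= vpc.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    # A VPN or peering partner whose range overlaps the VPC cannot be routed to.
    for peer in peer_cidrs:
        if vpc.overlaps(ipaddress.ip_network(peer, strict=True)):
            problems.append(f"VPC {vpc} conflicts with peer network {peer}")
    seen = []
    for cidr in subnet_cidrs:
        sn = ipaddress.ip_network(cidr, strict=True)
        if sn.prefixlen > VPC_MAX_PREFIX:
            problems.append(f"subnet {sn} is smaller than /28")
        if not sn.subnet_of(vpc):
            problems.append(f"subnet {sn} is outside VPC {vpc}")
        problems += [f"subnet {sn} overlaps {o}" for o in seen if sn.overlaps(o)]
        seen.append(sn)
    return problems

if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"))
    print(validate_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25"],
                        peer_cidrs=["10.0.0.0/8"]))
```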
[Route Table]
- VPC has an implicit router
- VPC automatically comes with the main route table
- Can modify the main table and create a new custom route table
- Each subnet must be associated with a routing table
- If you don't explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table.
- Each route in a table specifies a destination CIDR and a target
- Internet Gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint
- Use the most specific route that matches the traffic to determine how to route the traffic
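Added worked example (not part of the course notes): a simulation of how the implicit router applies the "most specific route wins" rule, plus the check that distinguishes a public subnet from a private one. The route entries and the igw-/pcx-/vgw- targets are constructed placeholders, not real resource ids.

```python
import ipaddress

# Added example (not from the course notes): how the implicit router chooses a
# target with the "most specific route wins" rule. The route entries and the
# igw-/pcx-/vgw- targets are constructed placeholders, not real resource ids.
SAMPLE_ROUTES = [
    ("10.0.0.0/16",   "local"),        # added automatically for the VPC CIDR
    ("0.0.0.0/0",     "igw-EXAMPLE"),  # default route to the internet gateway
    ("172.16.0.0/12", "pcx-EXAMPLE"),  # peered VPC
    ("172.16.5.0/24", "vgw-EXAMPLE"),  # more specific than the peering route
]

def lookup(routes, dst_ip):
    """Return the target of the longest-prefix route matching dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def is_public_subnet(routes):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in routes)

if __name__ == "__main__":
    for ip in ("10.0.3.4", "172.16.5.9", "172.16.9.1", "8.8.8.8"):
        print(ip, "->", lookup(SAMPLE_ROUTES, ip))
    print("public subnet:", is_public_subnet(SAMPLE_ROUTES))
```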
[Internet Gateway]
- Allows communication between instances in VPC and the Internet
- Horizontally scaled, redundant, and highly available
- Only One Internet Gateway per VPC
[Egress-Only Internet Gateway]
- Allows outbound communication over IPv6 from instances in VPC to the Internet
- Prevents the Internet from initiating an IPv6 connection with instances
- To allow outbound-only Internet communication over IPv4, use a NAT gateway
- Horizontally scaled, redundant, and highly available
- Only One Egress-Only Internet Gateway per VPC
[NAT Gateway]
- Allows outbound communication over IPv4 from instances in VPC to the Internet
- Prevents the Internet from initiating an IPv4 connection with instances
- Horizontally scaled but not redundant and highly available
- Can Create More Than One NAT Gateway Per Subnet
- Require an Elastic IP and an Internet Gateway
[NAT Instance]
- Allows outbound communication over IPv4 from instances in VPC to the internet
- Prevents the internet from initiating an IPv4 connection with instances
- Not horizontally scaled, redundant, or highly available
- Can Create More Than One NAT Instance Per Subnet
- Require a public IP and an Internet Gateway
- ** Must disable source/destination checks on NAT instances **
- AWS provides a custom AMI configured with NAT functionality
[Bastion Host]
- Adds an extra layer of security to instances in private and public subnets
[VPC EndPoint]
- Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
- Instances in VPC do not require public IP addresses to communicate with resources in service
- Traffic between VPC and the other service does not leave the Amazon network
- Horizontally scaled, redundant and highly available
[VPC Peering]
- A networking connection between two VPCs that enables routing traffic between them using private addresses
- Instances in either VPC can communicate with each other as if they are within the same network.
- Can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions.
- Does not support transitive routing
[Network ACLs]
- Subnet level firewall for controlling traffic in and out of subnets
- Default nACL allows all inbound and outbound traffic
- Custom nACL denies all inbound and outbound traffic by default
- Each subnet must be associated with an nACL
- If you don't explicitly associate a subnet with a particular nACL, the subnet is implicitly associated with the default nACL.
- Contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule
- Separate inbound and outbound rules
- Stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)
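Added worked example (not part of the course notes): NACL evaluation as described above, including the stateless behaviour, where a reply must separately pass the outbound rules on an ephemeral port, and a check for rules that a lower-numbered rule shadows. Rule sets and addresses are constructed sample data.

```python
import ipaddress

# Added example (not from the course notes): NACL evaluation as described
# above. Rules are numbered, evaluated lowest number first, the first match
# wins, and the implicit "*" rule denies anything unmatched. The rule sets
# and addresses are constructed sample data.
# (number, action, protocol, (port_from, port_to), cidr)
INBOUND = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    (110, "deny",  "tcp", (22, 22),   "0.0.0.0/0"),
    (120, "allow", "tcp", (22, 22),   "203.0.113.0/24"),  # shadowed by rule 110
]
OUTBOUND = [
    (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),  # replies go to ephemeral ports
]

def evaluate(rules, proto, port, ip):
    """Return (action, rule_number) for the first matching rule in number order."""
    addr = ipaddress.ip_address(ip)
    for number, action, rproto, (lo, hi), cidr in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", proto) and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action, number
    return "deny", "*"

def shadowed_rules(rules):
    """Rule numbers that can never match: an earlier rule already covers their traffic."""
    ordered = sorted(rules, key=lambda r: r[0])
    shadowed = []
    for i, (num, _, proto, (lo, hi), cidr) in enumerate(ordered):
        net = ipaddress.ip_network(cidr)
        for _, _, eproto, (elo, ehi), ecidr in ordered[:i]:
            if (eproto in ("all", proto) and elo <= lo and hi <= ehi
                    and net.subnet_of(ipaddress.ip_network(ecidr))):
                shadowed.append(num)
                break
    return shadowed

def round_trip_allowed(inbound, outbound, proto, service_port, client_ip, client_port):
    """Stateless: the request needs an inbound rule AND the reply needs an outbound rule."""
    request_ok = evaluate(inbound, proto, service_port, client_ip)[0] == "allow"
    reply_ok = evaluate(outbound, proto, client_port, client_ip)[0] == "allow"
    return request_ok and reply_ok
```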
[Network ACLs vs Security Group]
[VPC Flow Logs]
- Capture information about the IP traffic going to and from network interfaces in VPC
- Can be published to Amazon CloudWatch Logs and Amazon S3
- https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/flow-logs.html
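Added worked example (not part of the course notes): a parser for default-format flow log records that summarises rejected traffic per source, the kind of check you would run over logs delivered to CloudWatch Logs or S3. The records are constructed sample data; the account id is the AWS documentation example id and the interface id and addresses are placeholders.

```python
from collections import defaultdict

# Added example (not from the course notes): parse default-format flow log
# records and summarise rejected traffic per source. The records below are
# constructed sample data (the account id is the AWS documentation example id,
# the interface id and addresses are placeholders).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.20 40111 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.20 40112 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.20 40113 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.4 10.0.1.20 51000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Yield one dict per record; skip NODATA/SKIPDATA records, which carry no flow."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec

def rejects_by_source(text):
    """Count REJECT records per source address."""
    counts = defaultdict(int)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return dict(counts)

def sources_probing_many_ports(text, min_ports=3):
    """Sources rejected on at least min_ports distinct destination ports: review these first."""
    ports = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

if __name__ == "__main__":
    print(rejects_by_source(SAMPLE_FLOW_LOG))
    print(sources_probing_many_ports(SAMPLE_FLOW_LOG))
```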
[Homework]
Qwiklabs
- Introduction to Amazon Relational Database Service (RDS)
- Introduction to Amazon DynamoDB
- Hosting WordPress Using Amazon S3
- Using Open Data with Amazon S3
Reading
- A VPC with an internet gateway attached by default
- A structure with no public IPv4 addresses
- A structure that enables internet access by configuring an internet gateway and an Elastic IP
- Extending the AWS Cloud by adding a Private Gateway to the VPC and a Custom Gateway
- Connecting directly through a VPC endpoint without going through the internet gateway