{"id":7537,"date":"2018-06-04T09:10:38","date_gmt":"2018-06-04T01:10:38","guid":{"rendered":"http:\/\/rmohan.com\/?p=7537"},"modified":"2018-06-04T09:10:38","modified_gmt":"2018-06-04T01:10:38","slug":"vpc-aws","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7537","title":{"rendered":"VPC -AWS"},"content":{"rendered":"<pre>** 1 subnet == 1 AZ.\r\nACL = access control list\r\nSN = subnet\r\nIGW = internet gateway\r\nCIDR = classless inter-domain routing (how we assign IP ranges)\r\nNAT = network address translation\r\n------------------\r\ninternal IP address ranges (RFC 1918)\r\n10.0.0.0 - 10.255.255.255 (10\/8 prefix)\r\n172.16.0.0 - 172.31.255.255 (172.16\/12 prefix)\r\n192.168.0.0 - 192.168.255.255 (192.168\/16 prefix)\r\nwe will always use a \/16 network address\r\n--------------------\r\nVPC - virtual private cloud\r\nthink of a VPC as a logical data center.\r\nyou provision a logically isolated section of the AWS cloud as a virtual network, and you can easily customize that network.\r\n\r\nexample - a public-facing subnet for web servers, and a private subnet for backend DB servers with no internet connection.\r\n\r\nyou can create a hardware virtual private network (VPN) between the corporate data center and the VPC to use AWS as an extension of the data center (hybrid cloud).\r\n--------------\r\nwhat can you do with a VPC?\r\n\r\nlaunch instances into a subnet\r\nassign custom IP ranges in each subnet\r\nconfigure route tables between subnets\r\ncreate an internet gateway. only 1 per VPC\r\nbetter security over AWS resources\r\nsecurity groups (stateful - responses to allowed inbound traffic are automatically allowed out)\r\nsubnet ACL (not stateful - inbound and outbound rules must both be configured)\r\n------------------\r\ndefault VPC\r\nby default it has a route out to the internet\r\neach EC2 instance gets a public and a private IP\r\nthe only way to restore a default VPC is to contact AWS.\r\n\r\nsecurity groups, ACL and the default route table are created by default.\r\nsubnets and IGW are not created by default.\r\n---------\r\nPeering\r\nconnect one VPC to another using private IP addresses (not over the internet).\r\ninstances behave as if they are on the same network.\r\nyou can also peer a VPC with another AWS account's VPC, within a SINGLE REGION.\r\nstar configuration - 1 central VPC peers with 4 others. NO TRANSITIVE PEERING == the networks must be directly connected.\r\nexample: VPC-a is peered with VPC-b and VPC-c. VPC-b and VPC-c can't talk to each other through VPC-a (transitively); they must be directly peered.\r\nthe private IP CIDR blocks must not overlap between peered VPCs - VPC A with 10.0.0.0\/16 can't peer with VPC B if it has 10.0.0.0\/24\r\n----------------\r\nNAT\r\nNAT instances - the traditional way to let an EC2 instance in a private subnet (no internet connection) reach the internet for updates, installing DBs, etc. we use an EC2 instance from the community AMIs (search for nat).\r\nremember to disable the source\/destination check on the instance.\r\nit must be in a public subnet.\r\nin the route table make sure there is a route out via the NAT instance; it goes in the default (main) route table.\r\nthe bandwidth the NAT instance supports depends on the instance type.\r\nfor high availability you need autoscaling groups, multiple subnets in different AZs and scripts to automate failover (lots of work..)\r\nyou need to set a security group.\r\n\r\nNAT gateways - easier. preferred. scales automatically and no need to set security groups.\r\nif a NAT instance goes down, so does our internet connection, but with NAT gateways AWS takes care of that automatically. supports bandwidth up to 10gb\r\n\r\n---------------\r\nbuilding a VPC (not using the wizard):\r\n\r\n1. start VPC -&gt; your VPCs -&gt; create VPC\r\n2. name, CIDR block (our IP range; we used 10.0.0.0\/16), tenancy (shared or dedicated hardware).\r\n3. a default route table, ACL and security group are created.\r\n4. subnets -&gt; create -&gt; name, VPC (select the newly created one), AZ, CIDR (we used 10.0.1.0\/24, which gives us 10.0.1.xxx)\r\n5. create another subnet -&gt; name, VPC (same as above), AZ (different from above), CIDR (10.0.2.0\/24)\r\n6. internet gateways -&gt; create -&gt; name\r\n7. attach to VPC (select the newly created VPC)\r\n8. route tables -&gt; (the main route table is private by default)\r\n9. create a new route table -&gt; name, VPC\r\n10. edit -&gt; add a route that is open to the internet (0.0.0.0\/0 -&gt; the internet gateway)\r\n11. subnet associations -&gt; edit -&gt; select the subnet that will be the public one\r\n12. subnets -&gt; select the public one -&gt; actions -&gt; modify auto-assign public IP.\r\n13. deploy 2 EC2 instances: one public web server (can use a script) and one private SQL server (note the auto-assign public IP setting). for the private instance, set a new security group with SSH from 10.0.1.0\/24 and MySQL\/Aurora from 10.0.1.0\/24\r\n14. for the MySQL server add another rule for all ICMP from the same IP range - this allows ping.\r\n15. copy the content of the privateKey.pem file.\r\n16. SSH into the web server -&gt; create (echo or nano) a new privateKey.pem file and paste the content.\r\n17. chmod 0600 the privateKey.pem file (read and write for the owner only).\r\n18. SSH into the SQL server using the newly created key file.\r\n19. (NAT instance) launch an EC2 instance -&gt; community AMIs -&gt; search for nat\r\n20. deploy into our VPC, in the public subnet.\r\n21. use a public-facing security group\r\n22. actions -&gt; networking -&gt; change source\/destination check -&gt; disable\r\n23. VPC -&gt; route tables -&gt; select the main route table (nameless) -&gt; add 0.0.0.0\/0 with target our newly created NAT EC2 instance\r\n (?? associate public subnet)\r\n24. (NAT gateway - replaces steps 19-23) VPC -&gt; NAT gateways -&gt; create -&gt; subnet (public-facing), elastic IP (create new EIP)\r\n25. route tables -&gt; main route table -&gt; add 0.0.0.0\/0 with target the newly created NAT gateway.\r\n\r\n--------------\r\nsecurity groups vs NACL:\r\n\r\na security group acts as the first layer of defence. operates at the instance level. stateful.\r\na N(network)ACL operates at the subnet level. stateless. denies all traffic by default.\r\n\r\na subnet can only be associated with one NACL, but a NACL can be associated with many subnets.\r\nif you associate a NACL with a subnet that already has one, the new NACL simply replaces the old one.\r\n\r\nrules are evaluated in numerical order.\r\nlower-numbered rules take precedence over later rules.\r\nexample:\r\nrule 99 blocks my IP\r\nrule 100 allows all IPs\r\n== my IP is still blocked.\r\n\r\nyou can't block (deny) using a security group; it only has allow rules.\r\n---------------------------------------------\r\nnotes:\r\nwhen setting up an ELB, to get good availability you need at least two AZs or subnets. so check whether your VPC actually has more than 1 public subnet.\r\n\r\nBastion - used to securely administer EC2 instances in private subnets (using SSH or RDP - remote desktop protocol). used instead of NAT.\r\nfor our purposes, we used the NAT EC2 instance as a bastion.\r\n\r\nFlow logs - let you capture IP traffic flow information for the network interfaces in your resources and log it to CloudWatch.<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>** 1 subnet == 1 AZ. ACL = access control list SN = subnet IGW = internet gateway CIDR &#8211; classless inter-domain routing. 
-where we assign ip ranges NAT &#8211; network address translation &#8212;&#8212;&#8212;&#8212;&#8212;&#8212; internal ip address ranges (rfc 1918) 10.0.0.0 -10.255.255.255 (10\/8 prefix) 172.16.0.0 &#8211; 172.31.255.255 (172.16\/12 prefix) 192.168.0.0 &#8211; 192.168.255.255 (192.168 \/ 16 [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7537"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7537"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7537\/revisions"}],"predecessor-version":[{"id":7538,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7537\/revisions\/7538"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}