In AWS, there are 5 IP addresses in each subnet that are reserved and which you cannot use. The first 4 IP addresses and the last IP address in each subnet CIDR block are not available in your VPC:
- .0: the network address
- .1: the AWS VPC router
- .2: reserved by AWS
- .3: reserved for future use by AWS
- .255: the broadcast address
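As an added illustration (not part of the original notes), this Python helper computes those five reserved addresses and the usable host count for any IPv4 subnet CIDR; it assumes the AWS rule that VPC subnets are sized between /16 and /28.

```python
import ipaddress

# Per the notes above: the first four addresses of every VPC subnet are reserved
# (.0 network, .1 VPC router, .2 reserved by AWS, .3 reserved for future use)
# and so is the last one (broadcast). That leaves num_addresses - 5 usable hosts.
RESERVED_HEAD = ("network address", "VPC router", "reserved by AWS", "reserved for future use")
RESERVED_TAIL = "broadcast address"


def reserved_addresses(cidr):
    """Return {address: reason} for the five addresses AWS reserves in `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if net.version != 4:
        raise ValueError("this helper handles IPv4 subnet CIDRs only")
    # Assumption: AWS VPC subnets must be between /16 and /28 inclusive.
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC subnet prefix must be between /16 and /28")
    base = int(net.network_address)
    reserved = {
        str(ipaddress.IPv4Address(base + i)): reason
        for i, reason in enumerate(RESERVED_HEAD)
    }
    reserved[str(net.broadcast_address)] = RESERVED_TAIL
    return reserved


def usable_hosts(cidr):
    """Number of addresses in `cidr` that instances can actually use."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


def is_usable(cidr, address):
    """True if `address` lies inside `cidr` and is not one of the reserved addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in reserved_addresses(cidr)


if __name__ == "__main__":
    for cidr in ("10.0.1.0/24", "10.0.0.0/28"):
        print(cidr, usable_hosts(cidr), "usable; reserved:", list(reserved_addresses(cidr)))
```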
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
Egress Only Gateway
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
- You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
An Amazon VPC VPN connection links your data center (or network) to your Amazon Virtual Private Cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
Virtual private gateway
The anchor on the AWS side of the VPN connection is called a virtual private gateway.
Access Control List
NAT Gateway vs NAT Instance
A VPC peering connection is a one to one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.
Difference between EC2-Classic and EC2-VPC
- EC2-Classic: AWS releases the public and private IPv4 addresses for the instance when you stop the instance, and assign new ones when you restart it.
- EC2-VPC: The instance retains its private IPv4 addresses and any IPv6 addresses when stopped and restarted. AWS releases the public IPv4 address and assigns a new one when you restart it.
- EC2-Classic: AWS disassociates any Elastic IP address that’s associated with the instance. You’re charged for Elastic IP addresses that aren’t associated with an instance. When you restart the instance, you must associate the Elastic IP address with the instance; AWS doesn’t do this automatically.
- EC2-VPC: The instance retains its associated Elastic IP addresses. You’re charged for any Elastic IP addresses associated with a stopped instance.
Elastic IP Addresses
is a network connection which allows your VPC to communicate with your on-premises network.
Allows you to capture information about the traffic going in and out of your VPC.
- VPC Traffic Mirroring: you can now capture and inspect network traffic using this feature. You can detect and filter unusual patterns of behaviour that could indicate an intrusion in your VPC. You can monitor packets transmitted between a source and a destination, and even monitor network packets exchanged by resources in different AWS accounts.
- Shared VPC supports new services: a shared VPC allows other AWS accounts to create resources such as EC2 instances and Lambda functions inside a centrally managed VPC. This suits companies that segregate workloads into different accounts, such as production and development. Newly supported services include AWS Glue, AWS Elastic MapReduce and Aurora Serverless database clusters.
- Site-to-Site VPN supports digital certificates: you can use ACM to manage and deploy the certificates.
- VPC Flow Logs: you can now include additional metadata such as VPC ID, subnet ID, subnet mask, etc.
- NLB (layer 4) accepts connections coming from AWS VPN.
- On-premises networks can access PrivateLink over AWS VPN (previously only with Direct Connect).
- VPC peering is now supported across regions.
- VPCs can now be shared across AWS accounts (you can allow other AWS accounts to create resources such as EC2 and RDS in a centrally managed VPC, only in the subnets they need. Great for customers with multiple accounts: users of other AWS accounts can access the VPC and create resources without managing their own VPC).
- The new Client VPN gives you secure access to on-premises or AWS resources with an OpenVPN client installed on your local machine. Fully managed, highly available, pay-as-you-go service; supports AD as well.
It’s similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links users’ on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users’ VPC environments, which are already in AWS.
There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.
An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.
A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service.
- Now supports MFA for AD: you can now enable MFA for your users using AWS Client VPN and Active Directory. This adds a second layer of defense by prompting the user for an additional factor, such as verifying a push notification or an email OTP.
- Resource-based authorization, Tag-Based Authorization and Tag on Resource Creation
- You can now define IAM policies to specify fine-grained permissions for AWS Direct Connect Dedicated and Hosted connections, Interconnects, Link Aggregation Groups and virtual interfaces, improving security through these two granular access control features.
- With resource-level authorization, you can configure IAM policies that reference AWS Direct Connect Dedicated and Hosted connections, Interconnects, Link Aggregation Groups and virtual interfaces, specifying the users and actions that are permitted on those resources.
- Using tag-based permission you can tag a Dedicated connection based on business units and limit control over those resources to the members of that business unit.
- Tag on resource creation. When new resources are created with tags, the corresponding IAM permissions are automatically applied.
A brief explanation of the SOA record
- The name of the server that supplied the data for the zone.
- The administrator of the zone.
- The current version of the data file.
- The number of seconds a secondary name server should wait before checking for updates.
- The number of seconds a secondary name server should wait before retrying a failed zone transfer.
- The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire.
- The default number of seconds for the time-to-live file on resource records.
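To make those seven fields concrete, here is an added Python example (not from the original notes) that parses a zone-file SOA record into the fields listed above and sanity-checks the timer relationships that RFC 1912 recommends (retry below refresh, expire well above both). The record text and the example.com names are constructed for the demo.

```python
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

# Constructed sample record in BIND zone-file syntax; ';' starts a comment.
SAMPLE_SOA = """example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
    2024010101 ; serial: current version of the zone data
    7200       ; refresh: secondaries check for updates every 2 hours
    900        ; retry: wait 15 minutes after a failed zone transfer
    1209600    ; expire: stop serving after 2 weeks without a successful refresh
    86400 )    ; minimum: default TTL for resource records
"""


def parse_soa(record_text):
    """Return a dict of the seven SOA fields parsed from zone-file text."""
    # Drop comments, then flatten the parenthesised multi-line form into tokens.
    lines = [line.split(";", 1)[0] for line in record_text.splitlines()]
    tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    values = tokens[tokens.index("SOA") + 1:][:7]
    if len(values) != 7:
        raise ValueError("an SOA record needs MNAME, RNAME and five integer timers")
    soa = {"mname": values[0], "rname": values[1]}  # server that supplied the data; admin
    for name, value in zip(SOA_FIELDS[2:], values[2:]):
        if not value.isdigit():
            raise ValueError(f"{name} must be an unsigned integer, got {value!r}")
        soa[name] = int(value)
    return soa


def admin_email(rname):
    """Turn the RNAME form 'hostmaster.example.com.' into 'hostmaster@example.com'."""
    label, _, domain = rname.rstrip(".").partition(".")
    return f"{label}@{domain}"


def check_timers(soa):
    """Return a list of warnings for timer values that contradict RFC 1912 advice."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire should exceed refresh + retry so secondaries survive outages")
    return warnings


if __name__ == "__main__":
    record = parse_soa(SAMPLE_SOA)
    print(record, admin_email(record["rname"]), check_timers(record) or "timers OK")
```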
Types of policies in Route53
Lets you split your traffic based on different weights assigned previously.
Allows you to route traffic based on the lowest network latency for your end-user.
Are used when you want to create an active-passive setup. You should create a health check for your different endpoints.
Route53’s DNS implementation connects user requests to infrastructure running inside (and outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer, Route53 will route all traffic addressed to your website (e.g. www.example.com) to the load balancer DNS name (e.g. elb1234.elb.amazonaws.com).
Additionally, Route53 supports the alias resource record set, which lets you map your zone apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route53 responds to each request for an alias resource record set with one IP address for the load balancer.
You can bring part or all of your public IPv4 address range from your on-premises network to your AWS account. You continue to own the address range, but AWS advertises it on the Internet. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers. This is also called “Bring Your Own IP Addresses (BYOIP)”.
To ensure that only you can bring your address range to your AWS account, you must authorize Amazon to advertise the address range and provide proof that you own the address range.
- Centralised control of your AWS account
- IAM is universal. It does not apply to regions.
- New users have no permissions when first created.
- New users are assigned an Access Key ID & Secret Access Key when first created.
- It's different from the password.
- You only see the Secret Access Key this one time.
- Granular permissions
- Identity Federation (including Active Directory, Facebook, etc.)
- Provides temporary access to users/devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrated with many AWS services
- Supports PCI DSS Compliance
- IAM has
- A group cannot be specified as a principal. A group is not considered an identity and is used merely for managing users.
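A small added example (not from the original notes) showing how that rule can be checked before a policy is deployed: it scans a resource-based policy's Principal/NotPrincipal elements and reports any IAM group ARN. The policy document and the 123456789012 account ID are constructed placeholders.

```python
import json

# Constructed sample: one statement correctly names a user, the other a group,
# which IAM rejects because a group is not an identity and cannot be a principal.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUser",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "AllowGroup",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123456789012:group/Admins"]},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})


def _principals(statement):
    """Yield every principal string in a statement's Principal or NotPrincipal."""
    for key in ("Principal", "NotPrincipal"):
        value = statement.get(key)
        if value is None or value == "*":  # absent, or the anonymous wildcard
            continue
        for entries in value.values():  # e.g. {"AWS": [...], "Service": "..."}
            yield from ([entries] if isinstance(entries, str) else entries)


def find_group_principals(policy_json):
    """Return (Sid, ARN) pairs for principals that are IAM groups."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    findings = []
    for idx, statement in enumerate(statements):
        for principal in _principals(statement):
            if ":group/" in principal:
                findings.append((statement.get("Sid", f"Statement[{idx}]"), principal))
    return findings


if __name__ == "__main__":
    for sid, arn in find_group_principals(SAMPLE_POLICY):
        print(f"{sid}: group {arn} cannot be used as a principal")
```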
Service Linked Role
A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. … Or it might require that you use IAM to create or delete the role