In AWS, 5 IP addresses in each subnet CIDR block are reserved and cannot be used: the first 4 addresses and the last address. For a 10.0.0.0/24 subnet these are:
- 10.0.0.0: network address
- 10.0.0.1: reserved by AWS for the VPC router
- 10.0.0.2: reserved by AWS for the Amazon-provided DNS server (reserved in every subnet, not just the one that holds the resolver)
- 10.0.0.3: reserved by AWS for future use
- 10.0.0.255: network broadcast address (broadcast is not supported in a VPC, but the address is still reserved)
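The same rule applied to any VPC subnet, as an added example that is not part of the original notes: it uses Python's standard ipaddress module to list the five reserved addresses of a subnet, count the assignable hosts, and check whether a given address is usable. The role names in the returned dict are descriptive labels chosen here, not an AWS API.

```python
import ipaddress

# Added example (not from the original notes): the five addresses AWS reserves
# in every IPv4 subnet, generalized to any CIDR between /16 and /28.

def aws_reserved_addresses(cidr: str) -> dict:
    """Return the five AWS-reserved addresses of a subnet, keyed by role (labels are ours)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC IPv4 subnets must be between /16 and /28")
    return {
        "network": str(net[0]),      # first address: network address
        "vpc_router": str(net[1]),   # second: VPC router
        "dns": str(net[2]),          # third: Amazon-provided DNS (reserved in every subnet)
        "future_use": str(net[3]),   # fourth: reserved for future use
        "broadcast": str(net[-1]),   # last: broadcast, unsupported in a VPC but still reserved
    }

def usable_host_count(cidr: str) -> int:
    """Addresses you can actually assign: block size minus the five reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(aws_reserved_addresses(cidr))

def is_usable(cidr: str, ip: str) -> bool:
    """True if ip lies inside the subnet and is not one of the reserved addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    return addr in net and str(addr) not in aws_reserved_addresses(cidr).values()

if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/28"):
        print(cidr, usable_host_count(cidr), aws_reserved_addresses(cidr))
```

A /28, the smallest subnet AWS allows, has only 11 assignable addresses, which is why tiny subnets for NAT gateways or interface endpoints run out of addresses faster than the /28 size suggests.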
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
Egress Only Gateway
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
- You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC. A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
Virtual private gateway
The anchor on the AWS side of the VPN connection is called a virtual private gateway
Access Control List
With AWS Network Firewall, you can implement customized rules to prevent your VPCs from accessing unauthorized domains, to block thousands of known-bad IP addresses, or to identify malicious activity using signature-based detection. AWS Network Firewall makes firewall activity visible in real time via CloudWatch metrics and offers increased visibility of network traffic by sending logs to S3, CloudWatch Logs, and Kinesis Data Firehose. Network Firewall is integrated with AWS Firewall Manager, giving customers who use AWS Organizations a single place to enable and monitor firewall activity across all their VPCs and AWS accounts. Network Firewall is interoperable with your existing security ecosystem, including AWS partners such as CrowdStrike, Palo Alto Networks, and Splunk. You can also import existing rules from community-maintained Suricata rulesets.
Nat Gateway vs Nat Instance
A VPC peering connection is a one to one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.
Difference between EC2-Classic and EC2-VPC
- EC2-Classic: AWS releases the public and private IPv4 addresses for the instance when you stop the instance and assign new ones when you restart it.
- EC2-VPC: The instance retains its private IPv4 addresses and any IPv6 addresses when you stop and restart it. AWS releases the public IPv4 address and assigns a new one when you restart it.
- EC2-Classic: AWS disassociates any Elastic IP address that’s associated with the instance. You’re charged for Elastic IP addresses that aren’t associated with an instance. When you restart the instance, you must associate the Elastic IP address with the instance; AWS doesn’t do this automatically.
- EC2-VPC: The instance retains its associated Elastic IP addresses. You’re charged for any Elastic IP addresses associated with a stopped instance.
ENI vs ENA vs EFA
ENI (Elastic Network Interface): it’s basically a virtual network card. An ENI can have:
- A primary private IPv4 address
- One or more secondary IPv4 addresses
- One Elastic IP address per private IPv4 address
- One or more IPv6 addresses
- One or more Security Groups
- A MAC address
- A source/destination check flag
- A description
Enhanced Networking: uses single root I/O virtualization (SR-IOV)
- High I/O performance and low CPU utilization
- Higher bandwidth
- Higher PPS (packets per second)
- No additional charge
- Used when you need good network performance
- Can be enabled through one of two drivers:
- Elastic Network Adapter (ENA)
- Up to 100 Gbps
- Intel 82599 Virtual Function interface
- Up to 10 Gbps
- Older instance types
EFA (Elastic Fabric Adapter)
- Used for HPC or machine learning applications
- Allows applications to bypass the OS kernel and talk directly to the EFA device (OS-bypass)
- Lower, more consistent latency and higher throughput
- Linux only
Elastic IP Addresses
is a network connection that allows your VPC to communicate with your on-premises network.
VPC Flow Logs allow you to capture information about the IP traffic going to and from network interfaces in your VPC.
- You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You can tag it
- After creation, you can’t change the configuration (for example to add a field); delete the flow log and create a new one instead
- Not all traffic is captured. The following traffic is not logged:
- Traffic generated when instances contact the Amazon DNS server (traffic to your own DNS server is logged)
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 (the instance metadata service)
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
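What a flow log record looks like once it lands, and the kind of detection you run over it, as an added example that is not part of the original notes: a parser for the default (version 2) record format and a rule that flags any source with repeated REJECTs to one port, the signature of an SSH scan hitting a security group. The sample records are constructed with RFC 5737 test addresses; the NODATA and SKIPDATA lines show the two record types that carry no flow fields and must not crash the parser.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the original notes): default-format VPC Flow Log
# records, parsed and scanned for repeated REJECTs. Sample data is constructed.

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]     # IANA number: 6 = TCP, 17 = UDP
    action: Optional[str]       # ACCEPT / REJECT; None on NODATA / SKIPDATA records
    log_status: str             # OK / NODATA / SKIPDATA

def _opt_int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)

def parse_record(line: str) -> FlowRecord:
    """Parse one default-format record; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    return FlowRecord(
        interface_id=f["interface_id"],
        srcaddr=None if f["srcaddr"] == "-" else f["srcaddr"],
        dstaddr=None if f["dstaddr"] == "-" else f["dstaddr"],
        srcport=_opt_int(f["srcport"]),
        dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]),
        action=None if f["action"] == "-" else f["action"],
        log_status=f["log_status"],
    )

def rejected_sources(lines: List[str], dst_port: int = 22, protocol: int = 6,
                     threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` REJECTed flows to dst_port/protocol.

    NODATA and SKIPDATA records have no flow fields and are skipped here; alert
    on SKIPDATA separately, because it means records were dropped.
    """
    hits: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.log_status != "OK":
            continue
        if rec.action == "REJECT" and rec.dstport == dst_port and rec.protocol == protocol:
            hits[rec.srcaddr] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample: four rejected SSH attempts from 203.0.113.5, one from
# 198.51.100.7, one accepted HTTPS flow, and two records without flow data.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 54321 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 54322 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.11 54323 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 54324 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40000 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40001 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - SKIPDATA",
]

if __name__ == "__main__":
    print(rejected_sources(SAMPLE_LOG))
```

Because flow logs are aggregated per capture window rather than per packet, one record can stand for many attempts; a production rule would weight by the packets field and use the start/end timestamps for rate, and would remember that traffic to the metadata service and the Amazon DNS resolver never appears here at all.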
AWS Global Accelerator is a service in which you create accelerators to improve the availability and performance of your applications for local and global users.
It provides you with two static (anycast) IP addresses to associate with your accelerator. Its components are:
- Static IP address
- DNS Name
- Network Zone
- Endpoint Group
- VPC Traffic Mirroring: you can capture and inspect network traffic with this feature. You can detect and filter unusual patterns of behavior that could indicate an intrusion in your VPC, monitor packets transmitted between a source and a destination, and even monitor packets exchanged by resources in different AWS accounts.
- Shared VPC supports new services: a shared VPC allows other AWS accounts to create resources such as EC2 instances and Lambda functions in a centrally managed VPC. This suits companies that segregate workloads into different accounts, such as production and development. Newly supported: AWS Glue, Amazon EMR, and Aurora Serverless database clusters.
- Site-to-Site VPN supports digital certificates: you can use ACM to manage and deploy the certificates.
- VPC Flow Logs: you can now include additional metadata such as vpc-id, subnet-id, instance-id, tcp-flags, etc.
- NLB (layer 4) accepts connections coming in over AWS VPN
- On-premises networks can reach PrivateLink endpoints over AWS VPN (previously only over Direct Connect)
- Inter-region VPC peering is now supported
- VPCs can now be shared across AWS accounts: you can allow other AWS accounts to create resources like EC2 instances or RDS databases in a centrally managed VPC, only in the subnets they need. Great for customers with multiple accounts: users of other AWS accounts can use the VPC and create resources without managing their own VPC.
- New Client VPN gives you secure access to on-premises or AWS resources from an OpenVPN-based client installed on your local machine. Fully managed, highly available, pay-as-you-go; supports Active Directory authentication as well.
- The best way to expose a service VPC to tens, hundreds, or thousands of customer VPCs
- Does not require VPC peering, NAT, internet gateways, etc.
- It does require a Network Load Balancer in the service VPC and an ENI (interface endpoint) in the customer VPC
It’s similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links users’ on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users’ VPC environments, which are already in AWS.
Allow communication between instances in your VPC and services without availability risks or bandwidth constraints.
There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.
Endpoints are virtual devices. Horizontally scaled, redundant and highly available.
An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.
A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. Supported services:
- Amazon S3
- Amazon DynamoDB
- Transit Gateway: allows transitive routing between thousands of VPCs and on-premises data centers (a hub-and-spoke replacement for a mesh of VPC peering connections)
- Regional, but transit gateways in different regions can be peered with each other
- You can use it across multiple AWS accounts with RAM
- You can use route tables to limit which VPCs talk to other ones
- Works with DirectConnect and VPN connections as well
- Supports IP multicast
- If you have multiple sites, each with its own VPN connection, you can use AWS VPN CloudHub to connect those sites together
- Low cost, easy to manage
- Operates over the public internet, but traffic is encrypted
- Client VPN now supports MFA with Active Directory: you can enable MFA for your users when using AWS Client VPN with Active Directory. The second layer of defense prompts the user for an additional factor, such as approving a push notification or entering an e-mail OTP.
Direct Connect Gateway
You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC and then create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple private virtual interfaces to your Direct Connect gateway. A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any public region and access it from all other public regions.
A leading insurance firm has a VPC in the US East (N. Virginia) region for their head office in New York and another VPC in the US West (N. California) for their regional office in California. There is a requirement to establish a low latency, high-bandwidth connection between their on-premises data center in Chicago and both of their VPCs in AWS.
As the SysOps Administrator of the firm, how could you implement this in a cost-effective manner?
Answer: Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect gateway, associate it with the virtual private gateway of each VPC, and connect the VPCs from the US East and US West regions through it.
- Resource-level authorization, tag-based authorization and tag-on-create
- You can now define IAM policies that specify fine-grained permissions for AWS Direct Connect dedicated and hosted connections, interconnects, link aggregation groups (LAGs) and virtual interfaces, improving security through these granular access control features.
- With resource-level authorization, you can write IAM policies that reference specific Direct Connect dedicated and hosted connections, interconnects, LAGs and virtual interfaces by ARN, specifying the users and actions that are permitted on those resources.
- With tag-based permissions, you can tag a dedicated connection with its business unit and limit control over that connection to members of that business unit.
- Tag on resource creation: when new resources are created with tags, the corresponding tag-based IAM permissions apply to them from the moment of creation.
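How resource-level and tag-based authorization combine in practice, as an added example that is not part of the original notes and not an AWS-published policy: an identity policy for Direct Connect in which a business unit may delete or tag only the connections carrying its own BusinessUnit tag, with a Deny guard rail for anything tagged Environment=prod, plus a small evaluator that models how IAM decides such requests. The evaluator is a simplified teaching model (Allow/Deny, Action and Resource wildcards, StringEquals with policy variables only); the ARN, tag names and request contexts are constructed.

```python
import fnmatch
from typing import Any, Dict, List

# Added example (not from the original notes, not an AWS-published policy):
# tag-based authorization for Direct Connect, with a simplified IAM evaluator.

DX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read-only visibility over every Direct Connect resource
            "Effect": "Allow",
            "Action": "directconnect:Describe*",
            "Resource": "*",
        },
        {   # manage connections only when the connection's BusinessUnit tag
            # equals the caller's own BusinessUnit principal tag
            "Effect": "Allow",
            "Action": ["directconnect:DeleteConnection", "directconnect:TagResource"],
            "Resource": "arn:aws:directconnect:*:*:dxcon/*",
            "Condition": {"StringEquals": {
                "aws:ResourceTag/BusinessUnit": "${aws:PrincipalTag/BusinessUnit}"
            }},
        },
        {   # guard rail: nobody under this policy deletes a prod connection
            "Effect": "Deny",
            "Action": "directconnect:DeleteConnection",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "prod"}},
        },
    ],
}

def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]

def _matches(patterns: Any, value: str) -> bool:
    """IAM-style wildcard match for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _resolve(value: str, ctx: Dict[str, str]) -> Any:
    """Expand a ${key} policy variable from the request context (None if absent)."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value

def _condition_ok(cond: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    for operator, pairs in cond.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = _resolve(expected, ctx)
            # a tag missing on either side never satisfies StringEquals
            if actual is None or wanted is None or actual != wanted:
                return False
    return True

def is_allowed(policy: Dict[str, Any], action: str, resource: str,
               ctx: Dict[str, str]) -> bool:
    """Default deny; any matching Deny overrides every matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if "Condition" in st and not _condition_ok(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed request contexts: a finance engineer acting on a finance dev
# connection, on an HR-tagged connection, and on a finance prod connection.
DXCON = "arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-fg1example"
FINANCE_DEV = {"aws:PrincipalTag/BusinessUnit": "finance",
               "aws:ResourceTag/BusinessUnit": "finance",
               "aws:ResourceTag/Environment": "dev"}
HR_DEV = dict(FINANCE_DEV, **{"aws:ResourceTag/BusinessUnit": "hr"})
FINANCE_PROD = dict(FINANCE_DEV, **{"aws:ResourceTag/Environment": "prod"})

if __name__ == "__main__":
    for name, ctx in (("finance/dev", FINANCE_DEV), ("hr/dev", HR_DEV), ("finance/prod", FINANCE_PROD)):
        print(name, is_allowed(DX_POLICY, "directconnect:DeleteConnection", DXCON, ctx))
```

The tag-on-create point from the notes is what makes the second statement safe: if a connection could be created without a BusinessUnit tag, the StringEquals condition would fail for everyone and the resource would be manageable only by an administrator, so pair this policy with one that requires the tag at creation (aws:RequestTag in real IAM, which this model does not implement).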
A brief explanation of the SOA record’s fields
- MNAME: the name of the primary name server that supplied the data for the zone
- RNAME: the administrator of the zone (an e-mail address with the @ written as a dot)
- SERIAL: the current version of the zone data file
- REFRESH: the number of seconds a secondary name server should wait before checking for updates
- RETRY: the number of seconds a secondary name server should wait before retrying a failed zone transfer
- EXPIRE: the maximum number of seconds a secondary name server can use the data before it must either be refreshed or expire
- MINIMUM: the default number of seconds for the time-to-live of resource records (today used as the negative-caching TTL)
Example from a Route 53 hosted zone:
ns-1695.awsdns-19.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
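The record above taken apart field by field, as an added example that is not part of the original notes: a parser for SOA RDATA, the conversion of RNAME back into an e-mail address (the first unescaped dot is the @, and an escaped dot stays in the local part), and sanity checks on the timers that catch the mistakes that leave secondaries serving stale data. The second RNAME in the test and the timer thresholds are constructed.

```python
from dataclasses import dataclass
from typing import List

# Added example (not from the original notes): parse SOA RDATA, recover the
# administrator address from RNAME, and check the timers for sane values.

@dataclass(frozen=True)
class SOARecord:
    mname: str     # primary name server for the zone
    rname: str     # zone administrator, e-mail with '@' encoded as '.'
    serial: int    # version of the zone data
    refresh: int   # seconds a secondary waits before checking for updates
    retry: int     # seconds a secondary waits before retrying a failed transfer
    expire: int    # seconds after which a secondary must stop serving stale data
    minimum: int   # default / negative-caching TTL in seconds

def parse_soa(rdata: str) -> SOARecord:
    """Parse the seven whitespace-separated RDATA fields of an SOA record."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"SOA RDATA needs 7 fields, got {len(parts)}")
    return SOARecord(parts[0], parts[1], *(int(p) for p in parts[2:]))

def rname_to_email(rname: str) -> str:
    """Turn an RNAME back into an e-mail address; the first unescaped dot is the '@'."""
    name = rname.rstrip(".")
    local: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped dot inside the local part
            local.append(name[i + 1])
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + name[i + 1:]
        local.append(ch)
        i += 1
    raise ValueError("RNAME has no domain part")

def timer_warnings(soa: SOARecord) -> List[str]:
    """Flag timer values that make secondaries hammer the primary or serve stale data."""
    warnings = []
    if soa.retry >= soa.refresh:
        warnings.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        warnings.append("expire should exceed refresh + retry, or a single failed refresh cycle can expire the zone")
    if soa.minimum > 86400:
        warnings.append("minimum (negative-caching TTL) above one day delays recovery from typos")
    return warnings

# The Route 53 SOA quoted in the notes above
AWS_SOA = "ns-1695.awsdns-19.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"

if __name__ == "__main__":
    soa = parse_soa(AWS_SOA)
    print(soa, rname_to_email(soa.rname), timer_warnings(soa), sep="\n")
```

Note the serial of 1 in the Route 53 record: Route 53 does not use the conventional date-based serial, which matters only if you ever configure a non-AWS secondary to pull the zone.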
Types of routing policies in Route 53
- Geoproximity routing (Traffic Flow)
- Multivalue answer routing
- Weighted routing: lets you split your traffic based on weights you assign to each record.
- Latency routing: routes traffic based on the lowest network latency for your end user.
- Does not guarantee, however, that users in the same geographic region will be served from the same location
- To use latency-based routing you have to create latency records for your resources in multiple AWS Regions.
- Use latency records when you have resources in multiple AWS Regions and you want to route traffic to the Region that provides the best latency
- Geolocation routing: serves traffic based on the geographic location of your users, meaning the location that DNS queries originate from
- Works by mapping IP addresses to locations. Some IP addresses aren’t mapped to geographic locations, so Route 53 receives some DNS queries from locations it can’t identify; create a default record to handle those.
- Use it when you want to route traffic based on the location of your users
- Localize your content
- Restrict distribution of content to only the locations in which you have distribution rights
- Useful for balancing load across endpoints in a predictable, easy-to-manage way
- Geoproximity routing: routes traffic to your resources based on the geographic location of your users and resources.
- You can route more or less traffic to a resource by specifying a value known as bias.
- To use geoproximity routing, you must use Route 53 Traffic Flow.
- If you want to route traffic to AWS resources, you specify the AWS Region where the resource was created
- If you want to route traffic to non-AWS resources, you enter the latitude and longitude of the resource
Failover routing is used when you want to create an active-passive setup. You should create a health check for your different endpoints.
Types of health checks
Health checks that monitor an endpoint.
Health checks that monitor an endpoint. You can configure a health check that monitors an endpoint that you specify either by IP address or by domain name. At regular intervals that you specify, Route 53 submits automated requests over the internet to your application, server, or other resource to verify that it’s reachable, available, and functional. Optionally, you can configure the health check to make requests similar to those that your users make, such as requesting a web page from a specific URL.
Health checks that monitor other health checks
Health checks that monitor other health checks (calculated health checks). You can create a health check that monitors whether Route 53 considers other health checks healthy or unhealthy. One situation where this might be useful is when you have multiple resources that perform the same function, such as multiple web servers, and your chief concern is whether some minimum number of your resources are healthy. You can create a health check for each resource without configuring notification for those health checks. Then you can create a health check that monitors the status of the other health checks and that notifies you only when the number of available web resources drops below a specified threshold.
Health checks that monitor CloudWatch alarms.
Health checks that monitor CloudWatch alarms. You can create CloudWatch alarms that monitor the status of CloudWatch metrics, such as the number of throttled read events for an Amazon DynamoDB database or the number of Elastic Load Balancing hosts that are considered healthy. After you create an alarm, you can create a health check that monitors the same data stream that CloudWatch monitors for the alarm.
Route53’s DNS implementation connects user requests to infrastructure running inside (and outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer, Route53 will route all traffic addressed to your website (e.g. www.example.com) to the load balancer DNS name (e.g. elb1234.elb.amazonaws.com).
Additionally, Route53 supports the alias resource record set, which lets you map your zone apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route53 responds to each request for an alias resource record set with one IP address for the load balancer.
You can bring part or all of your public IPv4 address range from your on-premises network to your AWS account. You continue to own the address range, but AWS advertises it on the Internet. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers. This is also called “Bring Your Own IP Addresses (BYOIP)”.
To ensure that only you can bring your address range to your AWS account, you must authorize Amazon to advertise the address range and provide proof that you own the address range.
- Centralized control of your AWS account
- IAM is global; it does not apply per region.
- New users have no permissions when first created
- New users can be issued an Access Key ID & Secret Access Key when created
- These are different from the console password
- You can only see the Secret Access Key at creation time; if it is lost, you must create a new key.
- Granular permissions
- Identity federation (including Active Directory, Facebook, etc.)
- Provide temporary access to users, devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrated with many AWS services
- Supports PCI DSS compliance
- IAM has
- A group cannot be specified as a principal. A group is not considered an identity and is used merely for managing users.
Service Linked Role
A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. … Or it might require that you use IAM to create or delete the role
Active Directory services compatible with Microsoft AD
AWS Managed Microsoft AD
- AD Domain Controllers (DCs) running Windows Server
- Reachable by your applications in your VPC
- You can add extra DCs for more performance
- You have exclusive access to the DCs; no other AWS customers share them.
- You can extend your current on-premises AD into AWS using an AD trust
Shared responsibility model
- AWS: takes backups
- AWS: enforces high availability
- AWS: instance rotation
- AWS: patches, monitors, recovers
- You: create users, groups and GPOs
- You: use standard AD tools
- You: scale out DCs
- You: certificate authorities (e.g. for LDAPS)
Simple AD: the baby brother of AD
- Standalone directory in the cloud
- Basic AD features
- Small: up to 500 users
- Large: up to 5,000 users
- For Linux workloads that need LDAP
- Does not support trust (can’t join on premises AD)
- AD Connector: best choice when you want to use your current on-premises AD with compatible AWS services. Think of it as a directory gateway or proxy.
- Avoids caching directory information in the cloud
- Allows on-premises users to log in to AWS using their AD credentials
- Allows you to join EC2 instances to your existing AD domain
- Scales across multiple AD Connectors
Active Directory services NOT compatible with Microsoft AD
- Amazon Cloud Directory: a directory store intended for developers
- Multiple hierarchies with millions of objects
- Use cases: org charts, course catalogs, device registries
- Fully managed service
Amazon Cognito User pools
- Managed user directory for SaaS applications
- Used for sign-up and sign-in for web or mobile apps
- Works with social identity providers