AWS Solutions Architect Associate (SAA) 2018 – V

VPC

Currently you can create 200 subnets per VPC
 
The minimum size of a subnet is a /28 (or 14 IP addresses) for IPv4. Subnets cannot be larger than the VPC in which they are created.
 
There are no additional charges for creating and using the VPC itself. Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources, including data transfer charges. If you connect your VPC to your corporate datacenter using the optional hardware VPN connection, pricing is per VPN connection-hour (the amount of time you have a VPN connection in the “available” state.) Partial hours are billed as full hours. Data transferred over VPN connections will be charged at standard AWS Data Transfer rates. 
 
In AWS, there are 5 IP addresses in each subnet that are reserved and which you cannot use. The first 4 IP addresses and the last IP address in each subnet CIDR block are not available in your VPC:
 
  • .0: the network address
  • .1: the AWS VPC router
  • .2: reserved by AWS
  • .3: reserved by AWS for future use
  • .255 (the last address of the block): network broadcast
 
How many hosts are available in a /27 range?
 
1. Subtract the mask number from 32: 32 – 27 = 5
 
2. Raise 2 to the power of the answer in step 1: 2^5 = 2 * 2 * 2 * 2 * 2 = 32
 
CIDR block of 172.0.0.0/27, with a netmask of /27, has an equivalent of 27 usable IP addresses. Take note that a netmask of /27 originally provides you with 32 IP addresses but in AWS, there are 5 IP addresses that are reserved which you cannot use. The first 4 IP addresses and the last IP address in each subnet CIDR block are not available in your VPC which means that you have to always subtract 5 IP addresses, hence 32 – 5 = 27. 
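The subnet arithmetic above, carried out in code (an added example, not from the original notes): the usable-host count for an AWS IPv4 subnet, the five addresses AWS reserves, and a check that a subnet lies inside its VPC block. Function names are my own; only the standard library `ipaddress` module is used.

```python
import ipaddress

# AWS reserves the first four and the last address of every IPv4 subnet.
AWS_RESERVED_PER_SUBNET = 5


def aws_reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in a subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return {
        "network": str(net[0]),          # .0  network address
        "vpc_router": str(net[1]),       # .1  VPC router
        "reserved_by_aws": str(net[2]),  # .2  reserved by AWS
        "future_use": str(net[3]),       # .3  reserved for future use
        "broadcast": str(net[-1]),       # last address, network broadcast
    }


def aws_usable_hosts(subnet_cidr):
    """Usable addresses = 2^(32 - prefix length) - 5, the calculation in the notes."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    if net.version != 4:
        raise ValueError("this calculation applies to IPv4 subnets only")
    if net.prefixlen > 28:
        raise ValueError("AWS subnets cannot be smaller than /28")
    total = 2 ** (32 - net.prefixlen)
    return total - AWS_RESERVED_PER_SUBNET


def subnet_fits_vpc(vpc_cidr, subnet_cidr):
    """A subnet must lie inside (and so can be no larger than) the VPC CIDR block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    sub = ipaddress.ip_network(subnet_cidr, strict=False)
    return sub.subnet_of(vpc)


if __name__ == "__main__":
    # The /27 worked in the notes: 32 addresses, 27 usable after AWS's five.
    print(aws_usable_hosts("172.0.0.0/27"), aws_reserved_addresses("172.0.0.0/27"))
```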
 
Am I charged for network bandwidth between instances in different subnets?
 
If the instances reside in subnets in different Availability Zones, you will be charged $0.01 per GB for data transfer.
 
Can I attach or detach one or more network interfaces to an EC2 instance while it’s running?
 
Yes.
 
 
Can I attach a network interface in one Availability Zone to an instance in another Availability Zone?
 
Network interfaces can only be attached to instances residing in the same Availability Zone.
 
Can I use Elastic Network Interfaces as a way to host multiple websites requiring separate IP addresses on a single instance?
 
Yes, however, this is not a use case best suited for multiple interfaces. Instead, assign additional private IP addresses to the instance and then associate EIPs to the private IPs as needed.
 
How much do VPC peering connections cost?
 
There is no charge for creating VPC peering connections, however, data transfer across peering connections is charged.

Components

 
  • Subnet
  • Internet Gateway
    • An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. 
  • NAT Gateway
    • You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
  • Egress Only Gateway
    • An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances. 
  • NAT Instance
    • You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
  • Customer Gateway
    • An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
  • Virtual private gateway
    • The anchor on the AWS side of the VPN connection is called a virtual private gateway
  • Access Control List
  • Security Groups

ACL

Network ACLs process rules strictly in rule-number order and stop at the first rule that matches. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it is applied regardless of any higher-numbered rule that may contradict it.
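An added example (not from the original notes) that models the rule-ordering behaviour described above: a small evaluator that walks network ACL rules lowest-number first and stops at the first match, run against a constructed inbound rule set in which a deny is numbered above a broad allow and therefore never takes effect, beside the corrected ordering. The `AclRule` type and all rule values are illustrative, not real AWS data structures.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int       # rule number; lower numbers are evaluated first
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp", or "all"
    cidr: str         # source CIDR for an inbound rule
    port_from: int
    port_to: int


def rule_matches(rule, protocol, addr, port):
    """True when the traffic falls inside the rule's protocol, CIDR and port range."""
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    return rule.port_from <= port <= rule.port_to


def evaluate_nacl(rules, protocol, addr, port):
    """Walk the rules in ascending number and return (action, rule number) of the
    first match. If nothing matches, the implicit '*' rule denies the traffic."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, addr, port):
            return rule.action, rule.number
    return "deny", "*"


# Constructed inbound rule set: the deny for 203.0.113.0/24 is numbered *above*
# the broad allow for port 22, so it can never win for SSH from that range.
INBOUND_SHADOWED = [
    AclRule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    AclRule(110, "allow", "tcp", "0.0.0.0/0", 22, 22),
    AclRule(120, "deny", "tcp", "203.0.113.0/24", 22, 22),
]

# Same intent, corrected: the specific deny gets a lower number than the allow.
INBOUND_FIXED = [
    AclRule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    AclRule(105, "deny", "tcp", "203.0.113.0/24", 22, 22),
    AclRule(110, "allow", "tcp", "0.0.0.0/0", 22, 22),
]
```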

Nat Gateway vs Nat Instance

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

Peering

A VPC peering connection is a one to one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.

https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html

Ranges

Default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC are assigned /20 netblocks within the VPC CIDR range. 
 
Currently, Amazon VPC supports five (5) IP address ranges, one (1) primary and four (4) secondary for IPv4. Each of these ranges can be between /28 (in CIDR notation) and /16 in size. The IP address ranges of your VPC should not overlap with the IP address ranges of your existing network.
 
For IPv6, the VPC is a fixed size of /56 (in CIDR notation). A VPC can have both IPv4 and IPv6 CIDR blocks associated to it.

Difference between EC2-Classic and EC2-VPC

  • EC2-Classic: AWS releases the public and private IPv4 addresses for the instance when you stop the instance, and assigns new ones when you restart it.
  • EC2-VPC: The instance retains its private IPv4 addresses and any IPv6 addresses when stopped and restarted. AWS releases the public IPv4 address and assigns a new one when you restart it.
  • EC2-Classic: AWS disassociates any Elastic IP address that’s associated with the instance. You’re charged for Elastic IP addresses that aren’t associated with an instance. When you restart the instance, you must associate the Elastic IP address with the instance; AWS doesn’t do this automatically.
  • EC2-VPC: The instance retains its associated Elastic IP addresses. You’re charged for any Elastic IP addresses associated with a stopped instance.

ClassicLink

What is ClassicLink?
 
Amazon Virtual Private Cloud (VPC) ClassicLink allows EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses. To use ClassicLink, enable it for a VPC in your account, and associate a Security Group from that VPC with an instance in EC2-Classic. All the rules of your VPC Security Group will apply to communications between instances in EC2-Classic and instances in the VPC. 

Elastic IP Addresses

 
You can have one Elastic IP (EIP) address associated with a running instance at no charge. If you associate additional EIPs with that instance, you will be charged for each additional EIP associated with that instance per hour on a pro rata basis. Additional EIPs are only available in Amazon VPC.
 
To ensure efficient use of Elastic IP addresses, we impose a small hourly charge when these IP addresses are not associated with a running instance or when they are associated with a stopped instance or unattached network interface. 

VPN SITE-TO-SITE

A Site-to-Site VPN is a network connection which allows your VPC to communicate with your on-premises network.

You can create additional VPN connections to other VPCs using the same customer gateway device. You can reuse the same customer gateway IP address for each of those VPN connections.
 
When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. AWS VPN endpoints support rekey and can start renegotiations when phase 1 is about to expire if the customer gateway hasn’t sent any renegotiation traffic.
 
 

Flow Logs

Flow logs allow you to capture information about the IP traffic going in and out of your VPC.
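An added example (not from the original notes) that reads flow log records and counts rejected connections per source address, the kind of check a defender runs to see what traffic a security group or network ACL is blocking. It assumes the default flow log record layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), which the notes do not list; the sample records are constructed.

```python
from collections import Counter

# Field order of the default flow log record (assumed default layout).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_record(line):
    """Split one space-separated record into a dict. Records whose log-status is
    not OK (NODATA / SKIPDATA) carry '-' in the traffic fields and yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_connections_by_source(lines, dstport=None):
    """Count REJECTed records per source address, optionally for one destination
    port only. Repeated REJECTs from one source against a port are what a
    security group or network ACL denial looks like in the flow log."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        if dstport is not None and rec["dstport"] != dstport:
            continue
        counts[rec["srcaddr"]] += 1
    return counts


# Constructed sample records (documentation address ranges, fictitious ids).
SAMPLE_LOG = [
    "2 123456789012 eni-0abc12345def67890 203.0.113.12 10.0.1.25 43210 22 6 4 240 1563219600 1563219660 REJECT OK",
    "2 123456789012 eni-0abc12345def67890 203.0.113.12 10.0.1.25 43211 22 6 4 240 1563219600 1563219660 REJECT OK",
    "2 123456789012 eni-0abc12345def67890 198.51.100.7 10.0.1.25 51000 443 6 20 4100 1563219600 1563219660 ACCEPT OK",
    "2 123456789012 eni-0abc12345def67890 203.0.113.12 10.0.1.25 43212 3389 6 1 60 1563219600 1563219660 REJECT OK",
    "2 123456789012 eni-0abc12345def67890 - - - - - - - 1563219600 1563219660 - NODATA",
]

if __name__ == "__main__":
    print(rejected_connections_by_source(SAMPLE_LOG))
```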

UPDATE

2019

  • VPC Traffic Mirroring: you can now capture and inspect network traffic using this feature. You can detect and filter unusual patterns of behaviour which could indicate an intrusion in your VPC. It monitors packets transmitted between source and destination, and you can even monitor network packets exchanged between resources in different AWS accounts.
  • Shared VPC supports new services: a shared VPC allows other AWS accounts to create resources such as EC2 instances and Lambda functions inside a centrally managed VPC. This suits companies that segregate environments such as production and development into different accounts. Newly supported services include AWS Glue, AWS Elastic MapReduce and Aurora Serverless database clusters.
  • Site-to-Site VPN supports digital certificates: you can use ACM to manage and deploy the certificates.
  • VPC Flow Logs: you can now include additional metadata such as VPC ID, subnet ID, subnet mask, etc.

2018

  • NLB (layer 4) accepts connections coming from AWS VPN.
  • On-premises networks can access PrivateLink over AWS VPN (previously only over Direct Connect).
  • VPC peering is now supported across regions.
  • VPCs can now be shared across AWS accounts (you can allow other AWS accounts to create resources such as EC2 and RDS in a managed, centralized VPC, only in the subnets they need. Great for customers with multiple accounts: users of other AWS accounts can access the VPC and create resources without managing their own VPC).
  • The new Client VPN gives you secure access to on-premises or AWS resources with an OpenVPN client installed on your local machine. It is a fully managed, highly available, pay-as-you-go service and supports AD as well.
AWS PrivateLink is similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except that Direct Connect links users’ on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users’ VPC environments, which are already in AWS.
 
AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner, while keeping all the network traffic within the AWS network. Service users can use this to privately access services powered by PrivateLink from their Amazon Virtual Private Cloud (VPC) or their on-premises, without using public IPs, and without requiring the traffic to traverse across the Internet. Service owners can register their Network Load Balancers to PrivateLink services and provide the services to other AWS customers.

There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service.

 

CLIENT VPN

UPDATE

2019

  • Now supports MFA for AD: you can now enable MFA for your users using AWS Client VPN and Active Directory. Second layer of defense by prompting user for additional factor, such as verifying a push notification or an email OTP.

 

Direct Connect

 
VPN is a great connectivity option for businesses that are just getting started with AWS. It is quick and easy to setup. Keep in mind, however, that VPN connectivity utilizes the public Internet, which can have unpredictable performance and despite being encrypted, can present security concerns.
 
AWS Direct Connect bypasses the public Internet and establishes a secure, dedicated connection from your infrastructure into AWS. This dedicated connection occurs over a standard 1 GB or 10 GB Ethernet fiber-optic cable with one end of the cable connected to your router and the other to an AWS Direct Connect router. AWS has established these Direct Connect routers in large colocation facilities across the world, providing access to all AWS regions. With established connectivity via AWS Direct Connect, you can access your Amazon VPC and all AWS services.
 

 

UPDATE

2019

  • Resource-based authorization, Tag-Based Authorization and Tag on Resource Creation
    • You can now define IAM policies to specify fine-grained permissions for AWS Direct Connect and Hosted connections, Interconnects, Link Aggregation Groups, virtual interfaces improving the security through these two granular access control features.
    • With resource-level authorization, you can configure IAM policies that reference AWS Direct Connect Dedicated and Hosted connections, Interconnects, Link Aggregation Groups, virtual interfaces specifying the users and actions that are permitted on the resources.
    • Using tag-based permission you can tag a Dedicated connection based on business units and limit control over those resources to the members of that business unit.
    • Tag on resource creation. When new resources are created with tags, the corresponding IAM permissions are automatically applied.

ROUTE53

A brief explanation about SOA

  • The name of the server that supplied the data for the zone.
  • The administrator of the zone.
  • The current version of the data file.
  • The number of seconds a secondary name server should wait before checking for updates.
  • The number of seconds a secondary name server should wait before retrying a failed zone transfer.
  • The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire.
  • The default number of seconds for the time-to-live file on resource records.

Types of policies in Route53

  • Simple
  • Weighted
  • Latency
  • Failover
  • Geolocation

Weighted Policy

Lets you split your traffic based on different weights assigned previously.

Latency

Allows you to route traffic based on the lowest network latency for your end-user.

Failover Policy

Failover policies are used when you want to create an active-passive setup. You should create a health check for your different endpoints.

Alias

Route53’s DNS implementation connects user requests to infrastructure running inside (and outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer, Route53 will route all traffic addressed to your website (e.g. www.example.com) to the load balancer DNS name (e.g. elb1234.elb.amazonaws.com).

Additionally, Route53 supports the alias resource record set, which lets you map your zone apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route53 responds to each request for an alias resource record set with one IP address for the load balancer.

ROA

You can bring part or all of your public IPv4 address range from your on-premises network to your AWS account. You continue to own the address range, but AWS advertises it on the Internet. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers. This is also called “Bring Your Own IP Addresses (BYOIP)”.

To ensure that only you can bring your address range to your AWS account, you must authorize Amazon to advertise the address range and provide proof that you own the address range.

IAM

  • Centralised control of your AWS account
    • IAM is universal. It does not apply to regions.
    • New users have no permissions when first created
    • New users are assigned an Access Key ID & Secret Access Key when first created
    • These are different from the password
    • You can only view the Secret Access Key at creation time
  • Granular permissions
  • Identity Federation (Including active directory, Facebook, etc)
  • MFA
  • Provide temporary acces to users/devices and services where necessary
  • Allows you to set up your own password rotation policy
  • Integrated with many AWS services
  • Supports PCI DSS Compliance
  • IAM has
    • Users
    • Groups
      • A group cannot be specified as a principal in a policy. A group is not considered an identity; it is used merely for managing users.
    • Policies
    • Roles

Service Linked Role

A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. … Or it might require that you use IAM to create or delete the role.

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
