In every VPC subnet, AWS reserves 5 IP addresses that you cannot assign: the first 4 addresses and the last address of each subnet CIDR block. For a 10.0.1.0/24 subnet:
- 10.0.1.0: network address
- 10.0.1.1: reserved by AWS for the VPC router
- 10.0.1.2: reserved by AWS (the Amazon-provided DNS server listens at the VPC CIDR base plus two)
- 10.0.1.3: reserved by AWS for future use
- 10.0.1.255: network broadcast address (VPCs do not support broadcast, but the last address is still reserved)
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
Egress Only Gateway
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
- You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is an anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
Virtual private gateway
The anchor on the AWS side of the VPN connection is called a virtual private gateway
Access Control List
With AWS Network Firewall, you can implement customized rules to prevent your VPCs from accessing unauthorized domains, block thousands of known-bad IP addresses, or identify malicious activity using signature-based detection. AWS Network Firewall makes firewall activity visible in real time via CloudWatch metrics and offers increased visibility of network traffic by sending logs to S3, CloudWatch Logs, and Kinesis Data Firehose. Network Firewall is integrated with AWS Firewall Manager, giving customers who use AWS Organizations a single place to enable and monitor firewall activity across all their VPCs and AWS accounts. Network Firewall is interoperable with your existing security ecosystem, including AWS partners such as CrowdStrike, Palo Alto Networks, and Splunk. You can also import existing rules from community-maintained Suricata rulesets.
Nat Gateway vs Nat Instance
A VPC peering connection is one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.
Difference between EC2-Classic and EC2-VPC
- EC2-Classic: AWS releases the public and private IPv4 addresses for the instance when you stop the instance and assign new ones when you restart it.
- EC2-VPC: The instance retains its private IPv4 addresses and any IPv6 addresses when you stop and restart it. AWS releases the public IPv4 address and assigns a new one when you restart it.
- EC2-Classic: AWS disassociates any Elastic IP address that’s associated with the instance. You’re charged for Elastic IP addresses that aren’t associated with an instance. When you restart the instance, you must associate the Elastic IP address with the instance; AWS doesn’t do this automatically.
- EC2-VPC: The instance retains its associated Elastic IP addresses. You’re charged for any Elastic IP addresses associated with a stopped instance.
ENI vs ENA vs EFA
ENI (Elastic Network Interface): it’s basically a virtual network card. An ENI can include:
- A primary private IPv4 address
- One or more secondary private IPv4 addresses
- One Elastic IP address per private IPv4 address
- One or more IPv6 addresses
- One or more security groups
- A MAC address
- A source/destination check flag
- A description
Enhanced networking (ENA vs Intel VF)
- Uses single root I/O virtualization (SR-IOV)
- High I/O performance and low CPU utilization
- Higher bandwidth
- Higher packets per second (PPS)
- No additional charge
- Used when you need good network performance
- Can be enabled with one of two drivers, depending on the instance type:
- Elastic Network Adapter (ENA)
- Up to 100 Gbps
- Intel 82599 Virtual Function (VF) interface
- Up to 10 Gbps
- Older instance types
EFA (Elastic Fabric Adapter)
- Used for HPC or machine learning applications
- Allows applications to bypass the OS kernel and talk directly with the EFA device (OS-bypass)
- Lower and more consistent latency, and higher throughput
- OS-bypass is supported on Linux only
Elastic IP Addresses
is a network connection that allows your VPC to communicate with your on-premises network.
VPC Flow Logs allow you to capture information about the IP traffic going to and from network interfaces in your VPC.
- You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You can tag a flow log
- After you create a flow log, you can’t change its configuration (for example its format or filter); delete it and create a new one instead
- Not all traffic is logged. The following is excluded:
- Traffic generated by instances when they contact the Amazon DNS server. Queries to your own DNS server are logged
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 (instance metadata service)
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
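The exclusions above matter when you hunt in flow logs: a probe of the metadata service, for instance, never appears. What does appear is a source hammering many ports on one host and being REJECTed by a security group or NACL. The following is an added example, not code from the original notes: it parses records in the default flow log format (version 2) and flags that pattern. The log lines are constructed, and the account ID, interface ID and addresses are placeholders.

```python
# Added example: parse default-format (v2) VPC Flow Log records and flag
# sources that were REJECTed on many distinct ports of one destination,
# the footprint a TCP port scan leaves in flow logs.
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: an external host probing six ports on 10.0.1.25,
# one legitimate internal HTTPS flow, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40211 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40212 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40213 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40214 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40215 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40216 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.1.40 54321 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text):
    """Return one dict per usable record. NODATA/SKIPDATA records carry no
    traffic fields and are dropped, as are lines not in the default format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=5):
    """Map (srcaddr, dstaddr) to the sorted distinct TCP ports on which the
    source was REJECTed, for pairs with at least `min_ports` such ports."""
    rejected = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["protocol"] == 6:  # 6 = TCP
            rejected[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {pair: sorted(ports) for pair, ports in rejected.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(parse_flow_logs(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: rejected on {len(ports)} ports {ports}")
```

A REJECT only tells you a security group or network ACL denied the packet, so tune `min_ports` to your environment; scanners that spread probes across many destination hosts need the key changed to the source address alone.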
AWS Global Accelerator is a service in which you create accelerators to improve the availability and performance of your applications for local and global users.
It provides you with two static anycast IP addresses to associate with your accelerator. Its components are:
- Static IP addresses
- DNS name
- Network zone
- Endpoint group
- VPC Traffic Mirroring: you can capture and inspect network traffic with this feature, detect and filter unusual patterns of behavior that could indicate an intrusion in your VPC, monitor packets in transit between source and destination, and even mirror traffic exchanged between resources in different AWS accounts.
- Shared VPC supports new services: a shared VPC lets other AWS accounts create resources such as EC2 instances and Lambda functions in a centrally managed VPC. It suits companies that segregate workloads into different accounts, such as production and development. Newly supported: AWS Glue, Amazon EMR, and Aurora Serverless database clusters.
- Site-to-Site VPN supports certificate-based authentication: you can use ACM to manage and deploy the certificates.
- VPC Flow Logs: you can now include additional metadata fields such as vpc-id, subnet-id, instance-id, and tcp-flags.
- Network Load Balancer (layer 4) accepts connections coming over AWS VPN.
- On-premises networks can reach AWS PrivateLink endpoints over AWS VPN (previously only over Direct Connect).
- Inter-region VPC peering is now supported.
- VPCs can now be shared across AWS accounts: you can allow other AWS accounts to create resources such as EC2 instances and RDS databases in a managed, centralized VPC, only in the subnets they need. Great for customers with multiple accounts: users of other AWS accounts can use the VPC and create resources without managing their own VPC.
- The new AWS Client VPN gives you secure access to on-premises or AWS resources with an OpenVPN-based client installed on your local machine. Fully managed, highly available, pay as you go, and supports Active Directory authentication as well.
AWS PrivateLink
- The best way to expose a service VPC to tens, hundreds, or thousands of customer VPCs
- Does not require VPC peering, NAT, internet gateways, etc.
- It does require a Network Load Balancer in the service (provider) VPC and an ENI (interface endpoint) in each customer VPC
It’s similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links users’ on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users’ VPC environments, which are already in AWS.
VPC endpoints allow communication between instances in your VPC and services without availability risks or bandwidth constraints.
A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.
There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.
Endpoints are virtual devices. Horizontally scaled, redundant and highly available.
An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.
A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. Supported services:
- Amazon S3
- Amazon DynamoDB
A Gateway Load Balancer endpoint is an elastic network interface with a private IP address from the IP address range of your subnet. Gateway Load Balancer endpoints are powered by AWS PrivateLink. This type of endpoint serves as an entry point to intercept traffic and route it to a service that you’ve configured using Gateway Load Balancers, for example, for security inspection. You specify a Gateway Load Balancer endpoint as a target for a route in a route table. Gateway Load Balancer endpoints are supported only for endpoint services that are configured for Gateway Load Balancers.
AWS Transit Gateway
- Allows you to have transitive routing (hub and spoke) between thousands of VPCs and on-premises data centers
- Regional resource, but transit gateways in different Regions can be peered
- You can use it across multiple AWS accounts with RAM
- You can use transit gateway route tables to limit which VPCs can talk to which (network segmentation)
- Works with Direct Connect and VPN connections as well
- Supports IP multicast
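Segmentation with transit gateway route tables is easy to get wrong, because reachability depends on which table each attachment is associated with and which routes (propagated or static) that table holds. The following is an added example, not code from the original notes: a small model of how a transit gateway forwards (the source attachment's associated table, longest-prefix match, static routes with a target or a blackhole) that checks whether two attachments can reach each other in both directions. The attachment IDs, CIDRs, table names and class names are constructed placeholders, not the AWS API.

```python
# Added example: model Transit Gateway route-table segmentation and ask
# "can attachment A reach attachment B?" the way the TGW decides it.
import ipaddress


class TransitGateway:
    def __init__(self):
        self.cidrs = {}        # attachment id -> IPv4 network behind it
        self.association = {}  # attachment id -> the one table it is associated with
        self.routes = {}       # table -> list of (network, target attachment or None)

    def attach(self, attachment_id, cidr, route_table):
        """Create an attachment and associate it with exactly one route table."""
        if attachment_id in self.association:
            raise ValueError(f"{attachment_id} is already attached")
        self.cidrs[attachment_id] = ipaddress.ip_network(cidr)
        self.association[attachment_id] = route_table
        self.routes.setdefault(route_table, [])

    def propagate(self, attachment_id, route_table):
        """Propagate an attachment's CIDR into a table (a dynamic route)."""
        self.routes.setdefault(route_table, []).append(
            (self.cidrs[attachment_id], attachment_id))

    def add_static_route(self, route_table, cidr, target=None):
        """Static route; target=None is a blackhole route that drops traffic."""
        self.routes.setdefault(route_table, []).append(
            (ipaddress.ip_network(cidr), target))

    def next_hop(self, route_table, dst_ip):
        """Longest-prefix match. Returns the target attachment, None for a
        blackhole, and raises LookupError when nothing matches (dropped)."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for network, target in self.routes.get(route_table, []):
            if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, target)
        if best is None:
            raise LookupError(f"no route to {dst_ip} in {route_table}")
        return best[1]

    def can_reach(self, src_attachment, dst_attachment):
        """True only if the forward and the return path both resolve to the
        right attachment; a one-way route never yields a working session."""
        def forward(src, dst):
            try:
                hop = self.next_hop(self.association[src], str(self.cidrs[dst][1]))
            except LookupError:
                return False
            return hop == dst
        return forward(src_attachment, dst_attachment) and forward(dst_attachment, src_attachment)


def build_example():
    """Constructed layout: prod VPCs talk to each other and to shared
    services, dev talks only to shared services, shared services reaches
    everyone. The dev table also gets an explicit blackhole for the rest of
    10/8 so dev-to-prod packets are dropped by a deliberate route rather
    than by the absence of one."""
    tgw = TransitGateway()
    tgw.attach("tgw-attach-prod-a", "10.1.0.0/16", "rt-prod")
    tgw.attach("tgw-attach-prod-b", "10.2.0.0/16", "rt-prod")
    tgw.attach("tgw-attach-dev", "10.3.0.0/16", "rt-dev")
    tgw.attach("tgw-attach-shared", "10.9.0.0/16", "rt-shared")
    for att in ("tgw-attach-prod-a", "tgw-attach-prod-b", "tgw-attach-shared"):
        tgw.propagate(att, "rt-prod")
    for att in ("tgw-attach-dev", "tgw-attach-shared"):
        tgw.propagate(att, "rt-dev")
    for att in tgw.association:
        tgw.propagate(att, "rt-shared")
    tgw.add_static_route("rt-dev", "10.0.0.0/8", None)
    return tgw


if __name__ == "__main__":
    tgw = build_example()
    for src in tgw.association:
        for dst in tgw.association:
            if src != dst:
                print(f"{src} -> {dst}: {'reachable' if tgw.can_reach(src, dst) else 'blocked'}")
```

Note what the blackhole does and does not buy you: a more specific propagated route always wins the longest-prefix match, so if someone later propagates a prod attachment into `rt-dev`, the /8 blackhole will not stop it. Reviewing propagations per table is the real control.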
- If you have multiple sites, each with its own VPN connection you can use CloudHub to connect those sites together
- Low cost and easy to manage
- Operates over the public Internet, but traffic is encrypted (IPsec)
- Client VPN now supports MFA with AD: you can enable MFA for your users using AWS Client VPN and Active Directory. It adds a second layer of defense by prompting the user for an additional factor, such as approving a push notification or entering an email OTP.
Encrypt traffic over Direct Connect
To connect to services such as EC2 using just Direct Connect you need to create a private virtual interface. However, if you want to encrypt the traffic flowing through Direct Connect, you will need to use the public virtual interface of DX to create a VPN connection that will allow access to AWS services such as S3, EC2, and other services.
To connect to AWS resources that are reachable by a public IP address (such as an Amazon Simple Storage Service bucket) or AWS public endpoints, use a public virtual interface.
To connect to your resources hosted in an Amazon Virtual Private Cloud (Amazon VPC) using their private IP addresses, use a private virtual interface.
If you want to establish a virtual private network (VPN) connection from your company network to an Amazon Virtual Private Cloud (Amazon VPC) over an AWS Direct Connect (DX) connection, you must use a public virtual interface for your DX connection.
Direct Connect Gateway
You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC and then create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple private virtual interfaces to your Direct Connect gateway. A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any public region and access it from all other public regions.
An insurance firm has a VPC in the US East (N. Virginia) region for their head office in New York and another VPC in the US West (N. California) region for their regional office in California. There is a requirement to establish a low-latency, high-bandwidth connection between their on-premises data center in Chicago and both of their VPCs in AWS.
As the SysOps Administrator of the firm, how could you implement this in a cost-effective manner?
The answer will be: Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect Gateway with a virtual private gateway and connect the VPCs from US East and US West regions.
DirectConnect and VPN as a backup
Imagine that you work at a multinational investment bank that has a hybrid cloud architecture using a single 1 Gbps AWS Direct Connect connection to integrate their on-premises network with the AWS Cloud. The bank has a total of 10 VPCs, all connected to their on-premises data center via the same Direct Connect connection that you manage. Based on the recent IT audit, the existing network setup has a single point of failure which needs to be addressed immediately. How would you address it?
With AWS Direct Connect plus VPN, you can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than Internet-based VPN connections.
You can use AWS Direct Connect to establish a dedicated network connection between your network and create a logical connection to public AWS resources, such as an Amazon virtual private gateway IPsec endpoint. This solution combines the AWS-managed benefits of the VPN solution with low latency, increased bandwidth, more consistent benefits of the AWS Direct Connect solution, and an end-to-end, secure IPsec connection.
The way to address this requirement: establish VPN tunnels from your on-premises data center to each of the 10 VPCs as a backup path, terminate each VPN tunnel at the virtual private gateway (VGW) of the respective VPC, and configure BGP for route management. For the same prefixes, the Direct Connect path is preferred over the VPN path, so the tunnels only carry traffic when the Direct Connect connection fails.
A government agency has multiple VPCs in various AWS regions across the United States that need to be linked up to an on-premises central office network in Washington, D.C. The central office requires inter-region VPC access over a private network that is dedicated to each region for enhanced security and more predictable data transfer performance. Your team is tasked to quickly build this network mesh and to minimize the management overhead to maintain these connections.
Which of the following options is the most secure, highly available, and durable solution that you should use to set up this kind of interconnectivity?
You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different Regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC. Then, create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple private virtual interfaces to your Direct Connect gateway.
With Direct Connect Gateway, you no longer need to establish multiple BGP sessions for each VPC; this reduces your administrative workload as well as the load on your network devices.
Direct Connect IAM features
- Resource-based authorization, tag-based authorization, and tag on resource creation
- You can now define IAM policies that specify fine-grained permissions for AWS Direct Connect dedicated and hosted connections, interconnects, link aggregation groups (LAGs), and virtual interfaces, improving security through these granular access control features.
- With resource-level authorization, you can configure IAM policies that reference AWS Direct Connect dedicated and hosted connections, interconnects, link aggregation groups, and virtual interfaces, specifying the users and actions that are permitted on those resources.
- Using tag-based permissions, you can tag a dedicated connection by business unit and limit control over it to the members of that business unit.
- Tag on resource creation: when new resources are created with tags, the corresponding IAM permissions apply immediately.
AWS Organization, VPC, and Route53
A solution is needed to simplify the DNS management as there is only one team that manages all the domains and subdomains for the whole organization.
So we want to centralize DNS management. How do we achieve that?
Using a central DNS management account design.
Set up a shared services VPC in your central account (or share it with other accounts through AWS Resource Access Manager (RAM)). Set up VPC peering from this VPC to each VPC in the other accounts. In Amazon Route 53, create a private hosted zone associated with the shared services VPC and manage all domains and subdomains in this zone. Programmatically associate the VPCs from the other accounts with this hosted zone (the zone owner authorizes each VPC, then the VPC owner makes the association; the console does not support cross-account association).
You can also integrate DNS resolution between Route 53 Resolver and the DNS resolvers on your network by configuring forwarding rules. Your network can include any network that is reachable from your VPC, such as the following:
– The VPC itself
– Another peered VPC
– An on-premises network that is connected to AWS with AWS Direct Connect, a VPN, or a network address translation (NAT) gateway
Public hosted zones contain records that specify how you want to route traffic on the internet.
Private hosted zones contain records that specify how you want to route traffic in an Amazon VPC
A brief explanation of the SOA record. Its fields, in order, are:
- The name of the primary name server that supplied the data for the zone (MNAME).
- The email address of the administrator of the zone, with the @ written as a dot (RNAME).
- The current version of the data file (serial).
- The number of seconds a secondary name server should wait before checking for updates (refresh).
- The number of seconds a secondary name server should wait before retrying a failed zone transfer (retry).
- The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire (expire).
- The default number of seconds for the time-to-live value on resource records (minimum TTL).
Example SOA value of a Route 53 hosted zone: ns-1695.awsdns-19.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400, i.e. MNAME ns-1695.awsdns-19.co.uk., RNAME awsdns-hostmaster@amazon.com, serial 1, refresh 7200, retry 900, expire 1209600, minimum TTL 86400.
Types of policies in Route53
- Geoproximity routing (Traffic Flow)
- Multivalue answer routing
Weighted routing: lets you split your traffic based on the weights you assign to each record.
Latency routing
- Allows you to route traffic based on the lowest network latency for your end user.
- Does not guarantee, however, that users in the same geographic region will be served from the same location.
- To use latency-based routing you have to create latency records for your resources in multiple AWS Regions.
- Use latency records when your resources are in multiple AWS Regions and you want to route the traffic to the Region that provides the best latency.
Geolocation routing
- Serves traffic based on the geographic location of your users, meaning the location that DNS queries originate from.
- Works by mapping IP addresses to locations. Some IP addresses aren’t mapped to geographic locations, so Route 53 will receive some DNS queries from locations that it can’t identify; create a default record for those, otherwise Route 53 returns a "no answer" response for them.
- Use it when you want to route traffic based on the location of your users:
- localize your content
- restrict distribution of content to only the locations in which you have rights
- useful for balancing load across endpoints in a predictable, easy-to-manage way
Geoproximity routing
- Routes traffic to your resources based on the geographic location of your users and resources.
- You can route more or less traffic to a resource by specifying a value known as bias.
- To use geoproximity routing, you must use Route 53 Traffic Flow.
- If you want to route traffic to AWS resources, you specify the AWS Region where the resource was created.
- If you want to route traffic to non-AWS resources, you enter the latitude and longitude of the resource.
Failover routing: used when you want an active-passive setup. You should create a health check for each of your endpoints.
Types of health checks
Health checks that monitor an endpoint.
Health checks that monitor an endpoint. You can configure a health check that monitors an endpoint that you specify either by IP address or by the domain name. At regular intervals that you specify, Route 53 submits automated requests over the internet to your application, server, or another resource to verify that it’s reachable, available, and functional. Optionally, you can configure the health check to make requests similar to those that your users make, such as requesting a web page from a specific URL.
Health checks that monitor other health checks
Health checks that monitor other health checks (calculated health checks). You can create a health check that monitors whether Route 53 considers other health checks healthy or unhealthy. One situation where this might be useful is when you have multiple resources that perform the same function, such as multiple web servers, and your chief concern is whether some minimum number of your resources are healthy. You can create a health check for each resource without configuring notification for those health checks. Then you can create a health check that monitors the status of the other health checks and that notifies you only when the number of available web resources drops below a specified threshold.
Health checks that monitor CloudWatch alarms.
Health checks that monitor CloudWatch alarms. You can create CloudWatch alarms that monitor the status of CloudWatch metrics, such as the number of throttled read events for an Amazon DynamoDB database or the number of Elastic Load Balancing hosts that are considered healthy. After you create an alarm, you can create a health check that monitors the same data stream that CloudWatch monitors for the alarm.
Route53’s DNS implementation connects user requests to infrastructure running inside (and outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer, Route53 will route all traffic addressed to your website (e.g. www.example.com) to the load balancer DNS name (e.g. elb1234.elb.amazonaws.com).
Additionally, Route53 supports the alias resource record set, which lets you map your zone apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route53 responds to each request for an alias resource record set with one IP address for the load balancer.
You can bring part or all of your public IPv4 address range from your on-premises network to your AWS account. You continue to own the address range, but AWS advertises it on the Internet. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers. This is also called “Bring Your Own IP Addresses (BYOIP)”.
To ensure that only you can bring your address range to your AWS account, you must authorize Amazon to advertise the address range and provide proof that you own the address range.
You can use the Amazon Route 53 console to associate more VPCs with a private hosted zone if you created the hosted zone and the VPCs by using the same AWS account. Additionally, you can associate a VPC from one account with a private hosted zone in a different account.
If you want to associate VPCs that you created by using one account with a private hosted zone that you created by using a different account, you first must authorize the association. In addition, you can’t use the AWS console either to authorize the association or associate the VPCs with the hosted zone.
Note the following:
– If you want to associate multiple VPCs that you created with one account with a hosted zone that you created with a different account, you must submit one authorization request for each VPC.
– When you authorize the association, you must specify the hosted zone ID, so the private hosted zone must already exist.
– You can’t use the Route 53 console either to authorize the association of a VPC with a private hosted zone or to make the association.
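The following is an added example, not code from the original notes, of the cross-account association just described, done in the order the API requires. The three Route 53 calls it makes on the client objects (create_vpc_association_authorization, associate_vpc_with_hosted_zone, delete_vpc_association_authorization) are the real boto3 method names, so a real `boto3.client("route53")` per account can be passed in; the fake client below stands in for Route 53 so the flow runs offline and enforces the same rules (zone must exist, only the zone owner can authorize, the VPC owner cannot associate without an authorization). Account IDs, the hosted zone ID and the VPC IDs are placeholders.

```python
# Added example: associate a VPC owned by account B with a private hosted
# zone owned by account A, with an in-memory stand-in for Route 53.


def associate_cross_account_vpc(zone_owner_r53, vpc_owner_r53,
                                hosted_zone_id, vpc_region, vpc_id):
    """Authorize (zone owner), associate (VPC owner), revoke the
    authorization. Returns the change ID of the association."""
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    # 1. Zone-owner account: one authorization per VPC; the zone must exist.
    zone_owner_r53.create_vpc_association_authorization(
        HostedZoneId=hosted_zone_id, VPC=vpc)
    try:
        # 2. VPC-owner account performs the association (API/CLI only).
        resp = vpc_owner_r53.associate_vpc_with_hosted_zone(
            HostedZoneId=hosted_zone_id, VPC=vpc,
            Comment=f"cross-account association of {vpc_id}")
    finally:
        # 3. Remove the authorization so it cannot be reused later.
        zone_owner_r53.delete_vpc_association_authorization(
            HostedZoneId=hosted_zone_id, VPC=vpc)
    return resp["ChangeInfo"]["Id"]


class FakeRoute53Backend:
    """Constructed shared state standing in for the Route 53 service."""
    def __init__(self, zone_owner_account, hosted_zone_id):
        self.zone_owner = zone_owner_account
        self.zone_id = hosted_zone_id
        self.authorized = set()   # (region, vpc id) pairs allowed to associate
        self.associated = set()
        self.calls = []           # (api name, calling account) in order


class FakeRoute53Client:
    """Implements just the three calls, with Route 53's authorization rules."""
    def __init__(self, account_id, backend):
        self.account = account_id
        self.backend = backend

    def _check_zone(self, hosted_zone_id):
        if hosted_zone_id != self.backend.zone_id:
            raise LookupError("NoSuchHostedZone")

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self._check_zone(HostedZoneId)
        if self.account != self.backend.zone_owner:
            raise PermissionError("AccessDenied: only the zone owner can authorize")
        self.backend.authorized.add((VPC["VPCRegion"], VPC["VPCId"]))
        self.backend.calls.append(("create_vpc_association_authorization", self.account))
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        self._check_zone(HostedZoneId)
        key = (VPC["VPCRegion"], VPC["VPCId"])
        if self.account != self.backend.zone_owner and key not in self.backend.authorized:
            raise PermissionError("NotAuthorizedException")
        self.backend.associated.add(key)
        self.backend.calls.append(("associate_vpc_with_hosted_zone", self.account))
        return {"ChangeInfo": {"Id": "/change/C0123456789ABCDEFGHIJ",
                               "Status": "PENDING", "Comment": Comment}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self._check_zone(HostedZoneId)
        if self.account != self.backend.zone_owner:
            raise PermissionError("AccessDenied: only the zone owner can revoke")
        self.backend.authorized.discard((VPC["VPCRegion"], VPC["VPCId"]))
        self.backend.calls.append(("delete_vpc_association_authorization", self.account))
        return {}


if __name__ == "__main__":
    backend = FakeRoute53Backend("111111111111", "Z0123456789ABCDEFGHIJ")
    zone_owner = FakeRoute53Client("111111111111", backend)
    vpc_owner = FakeRoute53Client("222222222222", backend)
    print(associate_cross_account_vpc(zone_owner, vpc_owner, "Z0123456789ABCDEFGHIJ",
                                      "us-east-1", "vpc-0123456789abcdef0"))
```

With real clients, build one per account, for example from two named profiles via `boto3.session.Session(profile_name=...).client("route53")`, and call `associate_cross_account_vpc` once per VPC, since each VPC needs its own authorization.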
Resolve an internal DNS name across several VPCs and not over the Internet
Imagine you are working as a Solutions Architect for a multinational tech company that has multiple VPCs, one for each of its IT departments. You are instructed to launch a new central database server that can be accessed by the other VPCs of the company using the domain name database.mydomain.com. This server should only be accessible within the associated VPCs, since only internal applications will be using the database.
The correct answer: set up a private hosted zone (since the database server will only be accessed by the associated VPCs and not publicly over the Internet) with the domain name mydomain.com and specify the VPCs that you want to associate with the hosted zone. Create an A record named database.mydomain.com whose value is the private IP address of the EC2 instance running your database server. Set the enableDnsHostnames attribute of your VPC to true and the enableDnsSupport attribute to true.
enableDnsHostnames - Indicates whether the instances launched in the VPC get public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.
enableDnsSupport - Indicates whether DNS resolution is supported for the VPC. If this attribute is false, the Amazon-provided DNS server in the VPC that resolves public DNS hostnames to IP addresses is not enabled. If this attribute is true, queries to the Amazon-provided DNS server at the 169.254.169.253 IP address, or at the reserved IP address at the base of the VPC IPv4 network range plus two (*.*.*.2), will succeed.
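The "base plus two" rule here is the VPC-wide version of the per-subnet reserved addresses listed at the top of the page. The following is an added example, not code from the original notes, that serves both passages: it works out the five reserved addresses for any subnet, the usable host count, whether a given address can be assigned, and the Route 53 Resolver address for a VPC. The /16-to-/28 bound is the VPC subnet size limit; the function names are my own.

```python
# Added example: the five reserved addresses of a VPC subnet, usable host
# count, and the VPC-level Amazon DNS server address (VPC base + 2).
import ipaddress


def reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in an IPv4 subnet, by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 subnets only")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC subnets must be between /16 and /28")
    base = int(net.network_address)
    return {
        "network": str(net.network_address),                # .0
        "vpc_router": str(ipaddress.ip_address(base + 1)),  # .1
        "dns": str(ipaddress.ip_address(base + 2)),         # .2, reserved by AWS
        "future_use": str(ipaddress.ip_address(base + 3)),  # .3
        "broadcast": str(net.broadcast_address),            # last address
    }


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign: the block size minus the five reserved."""
    reserved_addresses(subnet_cidr)  # validates the prefix length
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def is_assignable(subnet_cidr, ip):
    """True if `ip` lies inside the subnet and is not one of the reserved five."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    return addr in net and str(addr) not in reserved_addresses(subnet_cidr).values()


def vpc_resolver_address(vpc_cidr):
    """The Amazon-provided DNS server listens at the VPC CIDR base + 2 (and
    at 169.254.169.253). Only the VPC-level +2 is a resolver; the +2 of every
    other subnet is merely reserved."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(ipaddress.ip_address(int(net.network_address) + 2))


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"))
    print("usable hosts in a /28:", usable_hosts("10.0.1.0/28"))
    print("resolver for 10.0.0.0/16:", vpc_resolver_address("10.0.0.0/16"))
```

The /28 case is the one that surprises people: 16 addresses on paper, 11 assignable, and an Auto Scaling group or Lambda function in such a subnet runs out of ENIs quickly.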
What is DNSSec?
Amazon now allows you to enable Domain Name System Security Extensions (DNSSEC) signing for all existing and new public hosted zones, and enable DNSSEC validation for Amazon Route 53 Resolver. Amazon Route 53 DNSSEC provides data origin authentication and data integrity verification for DNS and can help customers meet compliance mandates, such as FedRAMP.
When you enable DNSSEC signing on a hosted zone, Route 53 cryptographically signs each record in that hosted zone. Route 53 manages the zone-signing key, and you can manage the key-signing key in AWS Key Management Service (AWS KMS). Amazon’s domain name registrar, Route 53 Domains, already supports DNSSEC, and customers can now register domains and host their DNS on Route 53 with DNSSEC signing enabled. When you enable DNSSEC validation on the Route 53 Resolver in your VPC, it ensures that DNS responses have not been tampered with in transit. This can prevent DNS Spoofing.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield – Standard and Advanced.
All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
Actions taken by a user, role, or an AWS service in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are recorded as events. CloudTrail is enabled on your AWS account when you create it. CloudTrail focuses on auditing API activity. View events in Event History, where you can view, search and download the past 90 days of activity in your AWS account.
Enable trail multi-region and global services
CloudTrail can be used when you want to monitor multiple Regions. Note that a trail only records the activity of regional services (EC2, S3, RDS, etc.) in the Regions it covers; global services such as IAM, CloudFront, AWS WAF, and Route 53 are only recorded if the trail includes global service events.
To achieve this, create a new AWS CloudTrail trail delivering to a new S3 bucket using the AWS CLI, pass both the --is-multi-region-trail and --include-global-service-events parameters, and encrypt the log files with a KMS key. Enable Multi-Factor Authentication (MFA) Delete on the S3 bucket and ensure that only authorized users can access the logs by configuring the bucket policy.
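A trail that was created correctly can still drift (logging stopped, the bucket's MFA Delete never turned on). The following is an added example, not code from the original notes: an audit of the settings the paragraph calls for, written against the boto3 CloudTrail and S3 response shapes (describe_trails, get_trail_status, get_bucket_versioning) but taking the client objects as parameters, so the constructed fake clients below let it run offline; pass real boto3 clients to audit an account. The log file validation check is a standard hardening item added here that the notes do not mention. Trail names, bucket names and the KMS key ARN are placeholders.

```python
# Added example: audit CloudTrail trails for the hardening settings the
# notes call for (multi-Region, global service events, KMS encryption,
# MFA Delete on the bucket, logging actually running).


def audit_trails(cloudtrail, s3):
    """Return {trail name: [findings]}; an empty list means the trail passes."""
    findings = {}
    for trail in cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]:
        issues = []
        if not trail.get("IsMultiRegionTrail"):
            issues.append("single-Region trail: activity in other Regions is not recorded")
        if not trail.get("IncludeGlobalServiceEvents"):
            issues.append("global service events (IAM, CloudFront, WAF, Route 53) not included")
        if not trail.get("KmsKeyId"):
            issues.append("log files not encrypted with a KMS key")
        if not trail.get("LogFileValidationEnabled"):
            issues.append("log file integrity validation (digest files) disabled")
        status = cloudtrail.get_trail_status(Name=trail["TrailARN"])
        if not status.get("IsLogging"):
            issues.append("trail exists but logging is stopped")
        bucket = trail["S3BucketName"]
        # Requires read access to the bucket; for a bucket in another account
        # the call fails and the finding has to come from that account.
        versioning = s3.get_bucket_versioning(Bucket=bucket)
        if versioning.get("MFADelete") != "Enabled":
            issues.append(f"MFA Delete not enabled on bucket {bucket}")
        findings[trail["Name"]] = issues
    return findings


class FakeCloudTrail:
    """Constructed describe_trails / get_trail_status responses."""
    def __init__(self, trails, logging_state):
        self.trails, self.logging_state = trails, logging_state

    def describe_trails(self, trailNameList=None, includeShadowTrails=True):
        return {"trailList": list(self.trails)}

    def get_trail_status(self, Name):
        return {"IsLogging": self.logging_state[Name]}


class FakeS3:
    """Constructed get_bucket_versioning responses."""
    def __init__(self, mfa_delete_buckets):
        self.mfa_delete_buckets = set(mfa_delete_buckets)

    def get_bucket_versioning(self, Bucket):
        mfa = "Enabled" if Bucket in self.mfa_delete_buckets else "Disabled"
        return {"Status": "Enabled", "MFADelete": mfa}


def sample_clients():
    """One hardened trail and one with the usual gaps (constructed data)."""
    trails = [
        {"Name": "org-audit",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-audit",
         "S3BucketName": "example-audit-logs", "IsMultiRegionTrail": True,
         "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
        {"Name": "legacy",
         "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/legacy",
         "S3BucketName": "example-legacy-logs", "IsMultiRegionTrail": False,
         "IncludeGlobalServiceEvents": False, "LogFileValidationEnabled": False},
    ]
    logging = {trails[0]["TrailARN"]: True, trails[1]["TrailARN"]: False}
    return FakeCloudTrail(trails, logging), FakeS3({"example-audit-logs"})


if __name__ == "__main__":
    cloudtrail, s3 = sample_clients()
    for name, issues in audit_trails(cloudtrail, s3).items():
        print(name, "OK" if not issues else "\n  - " + "\n  - ".join(issues))
```

`includeShadowTrails=False` keeps multi-Region trails from being reported once per Region; run the audit against a real account with `audit_trails(boto3.client("cloudtrail"), boto3.client("s3"))`.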
- Centralised control of your AWS account
- IAM is global. It does not apply to Regions.
- New users have no permissions when first created
- New users can be assigned an Access Key ID & Secret Access Key when created
- These are different from the password
- You only see the Secret Access Key once, at creation time
- Granular permissions
- Identity federation (including Active Directory, Facebook, etc.)
- Provides temporary access to users, devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrated with many AWS services
- Supports PCI DSS compliance
- IAM has
- A group cannot be specified as a principal. A group is not considered an identity in policies and is used merely for managing users.
Service-linked role
A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. … Or it might require that you use IAM to create or delete the role.
Active Directory services compatible with Microsoft AD
AWS Managed Microsoft AD
- AD domain controllers (DCs) running Windows Server
- Reachable by your applications in your VPC
- You can add extra DCs for more performance
- You have exclusive access to the DCs; no other AWS customers share them
- You can connect it to your existing on-premises AD using an AD trust
Shared responsibility model
AWS will:
- do backups
- enforce HA
- rotate instances
- patch, monitor, recover
You need to:
- create users, groups, GPOs
- use standard AD tools
- scale out DCs
- set up certificate authorities (e.g. for LDAPS)
Simple AD: the baby brother of AD
- Standalone directory in the cloud
- Basic AD features
- Small: up to 500 users
- Large: up to 5,000 users
- For Linux workloads that need LDAP
- Does not support trusts (can’t join an on-premises AD)
AD Connector
- Best choice when you want to use your current on-premises AD with compatible AWS services. Think of it as a directory gateway or proxy.
- Avoids caching directory information in the cloud
- Allows on-premises users to log in to AWS using AD
- Allows joining EC2 instances to your existing AD domain
- Scale across multiple AD Connectors
Active Directory services NOT compatible with Microsoft AD
Amazon Cloud Directory
- Directory store intended for developers
- Multiple hierarchies with millions of objects
- Use cases: org charts, course catalogs, device registries
- Fully managed service
Amazon Cognito user pools
- Managed user directory for SaaS applications
- Used for sign-up and sign-in for web or mobile apps
- Works with social identity providers