Welcome to the world of Virtual Private Cloud(VPC). In this article, I am just going to talk about all VPC components which helpful for your SAA-02 Exam. Here, VPC divided into three parts. First two-part, I describe the theoretical concept of VPC. In the final part, I will show the hands-on/simulation of VPC. This is the second part of VPC concepts. In the first part, I already described half of the VPC concept. In this part, I describe the rest of the VPC concept.
Implied Route and Route Table:
→ It is a central routing function.
→ It connects the different AZ together and connects the VPC to the internet gateway.
→ You can have up to 200 Route Table per VPC.
→ Each Subnet must be associated with only one route table at any time given.
→ If you don’t specify a Subnet to the Route Table association, the Subnet will be associated with the default Route Table.
→ You can also edit the main Route Table. If you need but you can’t delete the main Route Table.
→ However, you can make a custom Route Table and manually make it the main Route Table then you can delete the former main Route Table, as it no longer the main Route Table.
→ You can associate multiple Subnet with the same Route Table.
→ An Internet Gateway is a virtual router that connects a VPC to the internet.
→ Default VPC is already attached with an Internet Gateway.
→ If you create a new VPC then you must attach an Internet Gateway.
→ Ensure that your Subnet Route Table points to the Internet Gateway.
→ It performed NAT Gateway between you and public IPv4 address.
You can use a Network Address Translation Gateway to enable instances in a private Subnet to connect the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
→ You are charged for creating and using a NAT Gateway hourly usage and processing rates apply Amazon EC2 charges data transfer also apply.
→ To create a NAT Gateway, you must specify the public Subnet in which the NAT Gateway should reside.
→ You must also specify an Elastic IP address to associate with NAT Gateway when you create it.
→ No need to assign the public IP address to your private instances.
→ It is a virtual Firewall works of ENI level.
→ Up to 5 Security Groups per EC2 Instance interface can be applied.
→ Can Only have permit rules, cann’t have denied rule.
→ Stateful, Return traffic off allowed inbound traffic is allowed even if there are no rules to allow it.
Network ACL :
→ It is a function performed on the Implied Router.
→ NACL is an optional layer of security for your VPC that acts as a Firewall for controlling traffic in and out of one or more Subnets.
→ Your VPC automatically comes with a modifiable default Network ACL by default. It allows all inbound and outbound IPv4 traffic and if applicable IPv6 traffic.
→ You can create a custom Network ACL and associate it with a Subnet by default. Each custom inbound and outbound traffic until you add rules.
→ Each Subnet in your VPC must be associated with a Network ACL if you don’t explicitly associate a Subnet with Network ACL. The Subnet is automatically associated with the default Network ACL.
→ You can associate Network ACL with multiple Subnet can be associated with only one Network ACL at a time. When you associate a Network ACL with Subnet previous Subnet is removed.
→ A Network ACL contains a numbered list of rules that we evaluate in order, starting with the lowest numbered rule.
→ The highest number that you can use for a start 32766. Recommended that you start by creating rules with rule numbers that a multiple of 100. So that you can insert a new rule where you need it later.
→ Its functions at the Subnet Level.
→ NACL is stateless, outbound traffic for allowed inbound traffic must be explicitly allowed too.
→ You can have the permit and deny rules in NACL.
Difference between Security Groups and NACL :
→ Operates at the instance level
→ Supports allow rules only
→ Is stateful: Return traffic is automatically allowed, regardless of any rules
→ We evaluate all rules before deciding whether to allow traffic.
→ Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on
2. Network ACL:
→ Operates at the subnet level.
→ Supports allow rules and deny rules.
→ Is stateless: Return traffic must be explicitly allowed by rules.
→ We process rules in order, starting with the lowest numbered rule when deciding whether to allow traffic.
→ Automatically applies to all instances in the subnets that it’s associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive).
A VPC Peering Connection is a networking connection between two VPC that enables you to route traffic between them using a private IPv4 address or IPv6.
→ Instance either VPC can communicate with each other as if they are within the same network.
→ You can create a VPC Peering Connection between your own VPC or with a VPC in another AWS Account. The VPC can be in a different regions.