VPC Concepts For Your SAA-02 Exam Part-02

Welcome to the world of Virtual Private Cloud(VPC). In this article, I am just going to talk about all VPC components which helpful for your SAA-02 Exam. Here, VPC divided into three parts. First two-part, I describe the theoretical concept of VPC. In the final part, I will show the hands-on/simulation of VPC. This is the second part of VPC concepts. In the first part, I already described half of the VPC concept. In this part, I describe the rest of the VPC concept.

Implied Route and Route Table:

→ It is a central routing function.

→ It connects the different AZ together and connects the VPC to the internet gateway.

→ You can have up to 200 Route Table per VPC.

→ Each Subnet must be associated with only one route table at any time given.

→ If you don’t specify a Subnet to the Route Table association, the Subnet will be associated with the default Route Table.

→ You can also edit the main Route Table. If you need but you can’t delete the main Route Table.

→ However, you can make a custom Route Table and manually make it the main Route Table then you can delete the former main Route Table, as it no longer the main Route Table.

→ You can associate multiple Subnet with the same Route Table.

Internet Gateway:

→ An Internet Gateway is a virtual router that connects a VPC to the internet.

→ Default VPC is already attached with an Internet Gateway.

→ If you create a new VPC then you must attach an Internet Gateway.

→ Ensure that your Subnet Route Table points to the Internet Gateway.

→ It performed NAT Gateway between you and public IPv4 address.

NAT Gateway:

→ You are charged for creating and using a NAT Gateway hourly usage and processing rates apply Amazon EC2 charges data transfer also apply.

→ To create a NAT Gateway, you must specify the public Subnet in which the NAT Gateway should reside.

→ You must also specify an Elastic IP address to associate with NAT Gateway when you create it.

→ No need to assign the public IP address to your private instances.

Security Groups:

→ It is a virtual Firewall works of ENI level.

→ Up to 5 Security Groups per EC2 Instance interface can be applied.

→ Can Only have permit rules, cann’t have denied rule.

→ Stateful, Return traffic off allowed inbound traffic is allowed even if there are no rules to allow it.

AWS Security Group Diagram

Network ACL :

→ It is a function performed on the Implied Router.

→ NACL is an optional layer of security for your VPC that acts as a Firewall for controlling traffic in and out of one or more Subnets.

→ Your VPC automatically comes with a modifiable default Network ACL by default. It allows all inbound and outbound IPv4 traffic and if applicable IPv6 traffic.

→ You can create a custom Network ACL and associate it with a Subnet by default. Each custom inbound and outbound traffic until you add rules.

→ Each Subnet in your VPC must be associated with a Network ACL if you don’t explicitly associate a Subnet with Network ACL. The Subnet is automatically associated with the default Network ACL.

→ You can associate Network ACL with multiple Subnet can be associated with only one Network ACL at a time. When you associate a Network ACL with Subnet previous Subnet is removed.

→ A Network ACL contains a numbered list of rules that we evaluate in order, starting with the lowest numbered rule.

→ The highest number that you can use for a start 32766. Recommended that you start by creating rules with rule numbers that a multiple of 100. So that you can insert a new rule where you need it later.

→ Its functions at the Subnet Level.

→ NACL is stateless, outbound traffic for allowed inbound traffic must be explicitly allowed too.

→ You can have the permit and deny rules in NACL.

Difference between Security Groups and NACL :

1.Security Group:

→ Operates at the instance level

→ Supports allow rules only

→ Is stateful: Return traffic is automatically allowed, regardless of any rules

→ We evaluate all rules before deciding whether to allow traffic.

→ Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on

2. Network ACL:

→ Operates at the subnet level.

→ Supports allow rules and deny rules.

→ Is stateless: Return traffic must be explicitly allowed by rules.

→ We process rules in order, starting with the lowest numbered rule when deciding whether to allow traffic.

→ Automatically applies to all instances in the subnets that it’s associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive).

VPC Peering:

→ Instance either VPC can communicate with each other as if they are within the same network.

→ You can create a VPC Peering Connection between your own VPC or with a VPC in another AWS Account. The VPC can be in a different regions.

VPC Peering system

Aws Solution Architect

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store