
AWS Study Notes: Chapter 3 Virtual Private Cloud


Preface:
Textbook:

Index

  • Virtual Private Cloud
      1. Amazon VPC Components and Terminology
        • (1) Amazon VPC
        • (2) Subnet
        • (3) Route Table
        • (4) Internet Gateway
        • (5) Network Address Translation (NAT)
        • (6) Egress-only Internet Gateway
        • (7) Elastic Network Interface (ENI)
        • (8) Elastic IP Address
        • (9) Security Group
        • (10) Network Access Control List (NACL)
        • (11) Amazon VPC Peering
        • (12) Amazon VPC Endpoint
        • (13) DNS and VPC
        • (14) DHCP Option Sets
        • (15) Connecting to a VPC
        • (16) VPC Flow Logs
      2. Default VPC

Virtual Private Cloud

With a VPC you can do the following:

· Host some applications in the public cloud, inside a VPC subnet, while others stay on-premises.

· Create multiple subnets within a VPC.

· Create a public subnet with Internet access alongside a private subnet whose resources stay isolated from the Internet.

· Establish dedicated connectivity between your company's data center and your VPC using Direct Connect.

· Run several VPCs and connect them with VPC peering, so that resources can be shared across VPCs and across accounts.

· Connect to services such as S3 through a VPC endpoint.

1. Amazon VPC Components and Terminology

(1) Amazon VPC

The first step in creating a VPC is to choose its IP address range, specified as a Classless Inter-Domain Routing (CIDR) block.

A VPC supports both IPv4 and IPv6. An IPv6 CIDR block is optional, but an IPv4 CIDR block is mandatory.

Once you create a VPC, you cannot change its primary CIDR block. (AWS has since added the ability to associate additional, secondary IPv4 CIDR blocks with an existing VPC; that is the only way to grow one.)

A VPC is confined to a single region and cannot span regions. Within the VPC you can create subnets in any of the Availability Zones (AZs) of that region.

(2) Subnet

A subnet (short for subnetwork) is a logical subdivision of an IP network.

The common subnet types are public subnets, private subnets and VPN-only subnets.

Public subnet: for resources that need to be reachable from the Internet.

Private subnet: for resources that do not need inbound connectivity from the Internet.

VPN-only subnet: for resources that should only communicate with your corporate data center over a VPN connection.

Each subnet resides in exactly one Availability Zone (AZ). To use multiple AZs, create a separate subnet in each of them. Similarly, each VPC resides in a single region; to use multiple regions, create a VPC in each.

When you create multiple subnets in a VPC, every subnet's CIDR block must lie inside the VPC's CIDR block and must not overlap with the CIDR block of any other subnet in that VPC.

Table: CIDR block and available IP addresses

In every subnet AWS reserves the first four IP addresses and the last IP address: the network address, the VPC router, the Amazon-provided DNS server, one address reserved for future use, and the network broadcast address. These five addresses cannot be assigned to your resources, so a /24 subnet yields 251 usable addresses rather than 254.
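As an added example (not code from the book or from these notes), the following Python script encodes the subnet rules stated above with the standard ipaddress module: subnets must sit inside the VPC block, must not overlap each other, and lose five addresses to the AWS reservations. The /16 to /28 size bounds are the ones AWS documents; all CIDRs used are constructed.

```python
"""Added example (not from the book or these notes): subnet planning checks
for an Amazon VPC using Python's standard ipaddress module.

Rules encoded: a subnet CIDR must lie inside the VPC CIDR, subnets in one VPC
must not overlap, and AWS reserves the first four addresses plus the last
address of every subnet.  The /16 to /28 bounds are AWS's documented limits
for VPC and subnet CIDR blocks.  Sample CIDRs are constructed.
"""
import ipaddress

# Roles of the five reserved addresses, in address order (per AWS documentation).
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "Amazon-provided DNS",
    "reserved for future use",
    "network broadcast address",
)


def reserved_addresses(subnet_cidr):
    """Map each reserved role to the concrete address it occupies in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addrs = [net[0], net[1], net[2], net[3], net[-1]]
    return dict(zip(RESERVED_ROLES, (str(a) for a in addrs)))


def usable_addresses(subnet_cidr):
    """Addresses you can actually assign: the total minus the five AWS reserves."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: subnet size must be between /16 and /28")
    return net.num_addresses - 5


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Validate a set of subnets for one VPC; return {cidr: usable address count}.

    Raises ValueError for a subnet outside the VPC block, an overlap, or a bad size.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"{vpc_cidr}: VPC size must be between /16 and /28")
    accepted = []
    report = {}
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            raise ValueError(f"{cidr} is not inside VPC CIDR {vpc_cidr}")
        for other in accepted:
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        accepted.append(net)
        report[cidr] = usable_addresses(cidr)
    return report


if __name__ == "__main__":
    # Constructed layout: a /16 VPC with one /24 subnet per availability zone.
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    print(reserved_addresses("10.0.1.0/24"))
```

Running the script with the constructed layout reports 251 usable addresses per /24 and names 10.0.1.0 to 10.0.1.3 and 10.0.1.255 as the reserved addresses; feeding it two overlapping subnets raises a ValueError, which is the check worth running before any Terraform or CloudFormation apply.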

(3) Route Table

A route table contains a set of rules, called routes, that determine where network traffic from a subnet is directed.

Every subnet must be associated with a route table, but several subnets can share the same route table.

If you create a subnet and do not explicitly associate it with a route table, it is implicitly associated with the VPC's main route table.

When you create a VPC, a default route table (the main route table) is created automatically. You can modify it, but you cannot delete it.

Best practice is to leave the main route table in its original state, containing only the local route, and to create a dedicated custom route table for each subnet you set up.

A route whose target is local covers the VPC's own CIDR block: it lets traffic flow between resources inside the VPC. Traffic to a destination that matches no route is dropped; when several routes match, the most specific one (the longest prefix) wins.

(4) Internet Gateway

An Internet gateway (IGW) is a horizontally scaled, redundant and highly available VPC component that enables communication between instances in your VPC and the Internet.

An IGW supports both IPv4 and IPv6 traffic.

An IGW is attached to a VPC, but attaching it does not by itself make any subnet public. A subnet becomes public only when its route table contains a route (typically for 0.0.0.0/0) whose target is the IGW; an instance in that subnet also needs a public IPv4 address or an Elastic IP to exchange traffic with the Internet, because the IGW performs no address translation for addresses it does not know.

Conversely, a subnet whose route table has no route to the IGW remains unreachable from the Internet even though the IGW is attached to the VPC. It is the per-subnet route table, not the gateway attachment, that decides which subnets are public.

(5) Network Address Translation (NAT)

A NAT device lets instances in a private subnet initiate connections to the Internet while preventing the Internet from initiating connections to those instances.

The NAT device forwards traffic from the instances in the private subnet to the Internet and returns the responses to those instances.

When the traffic leaves for the Internet, the source IPv4 address is replaced with the address of the NAT device; when the response comes back, the NAT device translates the destination address back to the instance's private IPv4 address.

NAT devices can be used only for IPv4 traffic.

Two types of NAT devices:

NAT instances

A NAT instance is an EC2 instance launched into a public subnet. Instances in the private subnet route their Internet-bound traffic to it, which lets them initiate outbound connections to the Internet or to other AWS services.

The NAT instance is a single point of failure. If it fails, the instances in the private subnet (for example a database server) lose their Internet connectivity. You also have to disable the source/destination check on the NAT instance, since it forwards traffic that is not addressed to itself.

NAT gateways

A NAT gateway performs the same function as a NAT instance without its limitations.

When you create a NAT gateway, you must allocate an Elastic IP address and associate it with the gateway. The NAT gateway itself must be placed in a public subnet.

A NAT gateway is created in a specific Availability Zone. For AZ-level resilience, create a NAT gateway in each AZ and point each AZ's private subnets at the NAT gateway in their own AZ.

A NAT gateway is preferable to a NAT instance because it is managed and highly available within its AZ, and its bandwidth scales automatically.
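The route table, Internet gateway and NAT sections above all come down to one question: what does the VPC router do with a packet leaving a given subnet? As an added example (not from the book or these notes), this Python model performs the longest-prefix route lookup, applies the main-route-table fallback for unassociated subnets, and classifies subnets as public, private or isolated from their default route. Gateway, subnet and route table identifiers are constructed placeholders.

```python
"""Added example (not from the book or these notes): a small model of how the
VPC router selects a route and of what makes a subnet public, private or
isolated, covering the Route Table, Internet Gateway and NAT sections.

Route selection is longest-prefix match, and every route table carries the
implicit "local" route for the VPC CIDR.  All identifiers are constructed.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"


def route_table(*routes):
    """Build a route table as (destination CIDR, target) pairs; local is implicit."""
    return [(VPC_CIDR, "local")] + list(routes)


MAIN_RT = route_table()  # as recommended above: the local route only
PUBLIC_RT = route_table(("0.0.0.0/0", "igw-0123456789abcdef0"))
PRIVATE_RT = route_table(("0.0.0.0/0", "nat-0123456789abcdef0"))


def next_hop(rt, dest_ip):
    """Return the target of the most specific matching route, or None (dropped)."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in rt:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(rt):
    """public: default route to an IGW; private: to a NAT device; isolated: none."""
    hop = next_hop(rt, "198.51.100.7")  # any address outside the VPC (TEST-NET-2)
    if hop is None:
        return "isolated"
    if hop.startswith("igw-"):
        return "public"
    if hop.startswith(("nat-", "i-", "eni-")):  # NAT gateway or NAT instance
        return "private"
    return "other"


def effective_route_table(subnet_id, associations, main_rt=MAIN_RT):
    """A subnet with no explicit association falls back to the main route table."""
    return associations.get(subnet_id, main_rt)


def instance_can_reach_internet(rt, has_public_ip):
    """Outbound: an IGW does no translation, so a public-subnet instance still
    needs a public or Elastic IP; a NAT device supplies the public address."""
    kind = classify_subnet(rt)
    if kind == "public":
        return has_public_ip
    return kind == "private"


def internet_can_reach_instance(rt, has_public_ip):
    """Inbound (before security groups and NACLs are applied): only a public
    subnet with a public IP is reachable; NAT is strictly one-way."""
    return classify_subnet(rt) == "public" and has_public_ip


if __name__ == "__main__":
    assoc = {"subnet-public": PUBLIC_RT, "subnet-app": PRIVATE_RT}
    for sid in ("subnet-public", "subnet-app", "subnet-db"):
        rt = effective_route_table(sid, assoc)
        print(sid, classify_subnet(rt), next_hop(rt, "10.0.9.4"),
              next_hop(rt, "93.184.216.34"))
```

The "subnet-db" line of the output is the point of the recommendation to keep the main route table local-only: a subnet nobody remembered to associate lands on the main table and is isolated by default, rather than silently becoming public because someone once added an IGW route there.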

(6) Egress-only Internet Gateway

An egress-only Internet gateway is a VPC component that, like a NAT gateway, allows outbound communication over IPv6 from instances in your VPC to the Internet.

It is egress-only: it prevents the Internet from initiating IPv6 connections to your instances.

A NAT gateway handles IPv4, while an egress-only Internet gateway handles IPv6; functionally they provide the same one-way connectivity. The difference is that IPv6 addresses in a VPC are globally unique, so no address translation takes place; the egress-only gateway only enforces the direction in which connections may be opened.

(7) Elastic Network Interface (ENI)

An Elastic Network Interface (ENI) is a virtual network interface that you can create and attach to an instance; an instance can have more than one.

An ENI can be attached to or detached from an instance at any time, and reattached to another instance.

When you move an ENI from one instance to another, traffic is redirected to the new instance and the ENI's attributes move with it.

An ENI has the following attributes: a MAC address, a primary private IPv4 address, one or more secondary private IPv4 addresses, one Elastic IP address per private IPv4 address, one public IPv4 address, one or more IPv6 addresses, one or more security groups, a source/destination check flag and a description.

You cannot detach the primary network interface of an instance. It is the interface the instance boots with, commonly named eth0.

The number of ENIs you can attach to an instance depends on the instance type.

Additional ENIs do not add network bandwidth; an ENI cannot be used to increase or multiply an instance's bandwidth.

(8) Elastic IP Address

An Elastic IP (EIP) address is a static public IPv4 address designed for dynamic cloud computing.

Rather than updating the IP address in every client each time an instance is replaced, you allocate an EIP, associate it with your EC2 instance and point your application at the EIP; if the instance fails, you re-associate the same EIP with its replacement.

An EIP is a static IP address.

An EIP supports only IPv4; it does not support IPv6.

An EIP is a public IPv4 address, reachable from the Internet.

Three steps to use an EIP:

· Allocate an EIP to your account from the console.

· Associate the EIP with your instance or with a network interface.

· Start using it.

(9) Security Group

A security group acts as a virtual firewall that controls the traffic allowed in and out of an instance. It is applied per instance (more precisely, per network interface), not per subnet.

You can attach up to five security groups to an instance (network interface). This is a soft limit that can be raised through a support request.

A security group is stateful, and its rules are expressed in terms of protocol, port range and source or destination (an IP range or another security group).

Security groups can only contain allow rules; the only way to deny traffic is to not allow it.

When you change a security group, the change is applied to the associated instances immediately.

Because the security group is stateful, if your instance sends a request, the response traffic is allowed back in regardless of the inbound rules; likewise, responses to allowed inbound traffic are allowed out regardless of the outbound rules.

A newly created security group has no inbound rules (all inbound traffic is denied) and an outbound rule that allows all traffic.

Every VPC comes with a default security group. You cannot delete it, but you can modify its rules. Note that the default security group's initial rules allow all inbound traffic from other members of the same security group, which is worth tightening for most workloads.

(10)Network Access Control List (NACL)

A NACL is an optional layer of security that acts as a firewall for a whole subnet.

A NACL is stateless. Its rules consist of a protocol, a port range, a CIDR block and an allow or deny action, applied to a network segment.

Every VPC has a default NACL, which you can modify; by default it allows all inbound and outbound IPv4 (and, if applicable, IPv6) traffic.

A custom NACL, on the other hand, denies all inbound and outbound traffic until you add rules to it.

A NACL can be associated with multiple subnets, but each subnet can be associated with only one NACL at a time.

A NACL is a numbered list of rules. Rules are evaluated in order, starting with the lowest-numbered rule, and the first rule that matches the traffic is applied regardless of any higher-numbered rule that might contradict it.

Each NACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.

NACL rules are written per protocol. You can specify protocols by their standard protocol numbers when defining inbound and outbound rules.

Differences between NACLs and security groups:

A security group operates at the instance level, while a NACL operates at the subnet level. Consequently, if there are ten instances in a subnet, the NACL rules apply to all ten.

A security group is stateful (return traffic is allowed automatically), whereas a NACL is stateless: return traffic must be explicitly allowed by a rule, which is why outbound NACL rules usually have to allow the ephemeral port range that clients use for replies.

A security group only supports allow rules; you cannot write an explicit deny. A NACL supports both allow and deny rules.

In a security group, all rules are evaluated before deciding whether to allow traffic; in a NACL, rules are processed in number order and the first match wins.
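As an added example (not code from the book or these notes), the following Python simulator makes the four differences above concrete: a security group that allows any matching rule and tracks flows so replies pass with no outbound rule at all, beside a NACL that is evaluated lowest number first, decides on the first match, and drops the reply of an HTTPS session when the outbound side forgets the ephemeral ports. Addresses, rule numbers and the 1024-65535 ephemeral range are constructed for illustration.

```python
"""Added example (not from the book or these notes): simulator for the two
firewalls compared above.  A security group is allow-only and stateful: any
matching rule allows, and replies to an allowed flow pass without a rule.
A network ACL is stateless, evaluated lowest rule number first with the first
match deciding, and ends in an implicit deny.  Addresses, rule numbers and the
1024-65535 ephemeral range are constructed; size the range to your clients.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; security group rules never are
    number: int = 0        # NACL evaluation order; ignored by security groups


def _matches(rule, pkt, remote_ip):
    """Match on protocol, the port the packet is going to, and the remote address."""
    return (rule.proto in ("-1", pkt.proto)
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (remote ip, remote port, local port) of allowed flows

    def inbound_ok(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.flows or any(_matches(r, pkt, pkt.src_ip) for r in self.inbound):
            self.flows.add(key)
            return True
        return False

    def outbound_ok(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
        if key in self.flows or any(_matches(r, pkt, pkt.dst_ip) for r in self.outbound):
            self.flows.add(key)
            return True
        return False


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _decide(rules, pkt, remote_ip):
        for rule in rules:  # first match wins, whatever later rules say
            if _matches(rule, pkt, remote_ip):
                return rule.action == "allow"
        return False        # the trailing "*" rule denies everything else

    def inbound_ok(self, pkt):
        return self._decide(self.inbound, pkt, pkt.src_ip)

    def outbound_ok(self, pkt):
        return self._decide(self.outbound, pkt, pkt.dst_ip)


# Constructed policies for a web instance at 10.0.1.10 serving HTTPS to the world.
WEB_SG = SecurityGroup([Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
NACL_NO_EPHEMERAL = NetworkAcl(  # common mistake: the reply ports are missing
    [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
    [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])
NACL_WITH_EPHEMERAL = NetworkAcl(
    [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
    [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])


def https_session(sg, nacl, client_ip="203.0.113.5", client_port=50000):
    """Push one request and its reply through both firewalls; return each verdict."""
    request = Packet(client_ip, client_port, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, client_ip, client_port)
    return {
        "sg_request": sg.inbound_ok(request),
        "sg_reply": sg.outbound_ok(reply),      # passes on state alone, no outbound rule
        "nacl_request": nacl.inbound_ok(request),
        "nacl_reply": nacl.outbound_ok(reply),  # needs an explicit ephemeral-port rule
    }


if __name__ == "__main__":
    print(https_session(WEB_SG, NACL_NO_EPHEMERAL))
    print(https_session(WEB_SG, NACL_WITH_EPHEMERAL))
```

With NACL_NO_EPHEMERAL the request is accepted and the reply is dropped, which in production shows up as connections that complete the TCP handshake on the instance but never return data; the security group with an empty outbound rule set still lets the same reply through. Building a NACL with a deny rule numbered above the allow it is meant to override shows the ordering rule: the lower-numbered allow wins and the deny is never consulted.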

(11)Amazon VPC Peering

VPC peering was originally limited to VPCs in the same region; AWS has since added inter-region peering.

You can peer VPCs in your own account as well as VPCs belonging to other AWS accounts.

A VPC peering connection is neither a gateway nor a VPN connection, and it does not rely on a separate piece of physical hardware.

There is no single point of failure and no bandwidth bottleneck.

Peering is a 1:1 relationship between two VPCs, and it is not transitive.
For instance, if VPC A is peered with VPC B and separately with VPC C, B and C cannot communicate with each other through A.

Three steps to peer VPC A and VPC B:

The owner of VPC A sends a peering request to the owner of VPC B. The owner of VPC B accepts the request, which activates the peering connection between A and B. Each owner then adds routes for the other VPC's CIDR block to their route tables.

Notes:

The CIDR blocks of the two VPCs must not overlap.

VPC A and VPC B can belong to the same account or to different accounts.

The owner of each VPC must add a route to at least one of that VPC's route tables that points the other VPC's IP range at the peering connection.

You may also need to update the security group rules on your instances so that traffic from the peered VPC can reach them, and to enable DNS resolution on the peering connection if instances should resolve hostnames in the peer VPC to private IP addresses.

(12)Amazon VPC Endpoint

A VPC endpoint lets you privately connect your VPC to a supported AWS service that runs outside the VPC. Traffic between the VPC and the service never leaves the Amazon network.

Without a VPC endpoint, traffic to these services has to go through the Internet (via an Internet gateway or NAT device) or through your corporate data center.

A VPC endpoint is a virtual device. Using it does not require a public IPv4 address, an Internet gateway, a NAT device or a virtual private gateway in your VPC.

At the time these notes were written, VPC endpoints were available only for S3 and DynamoDB (these are gateway endpoints, implemented as routes); AWS has since added interface endpoints (PrivateLink) for many more services.

Using a VPC endpoint also reduces cost: traffic between EC2 and S3 through an endpoint in the same region incurs no NAT gateway processing or data transfer charges.

Two steps to configure a VPC endpoint:

Specify the VPC and the service, attach an endpoint policy to the endpoint (the default policy grants full access; restrict it to the buckets or tables the VPC actually needs), and select the route tables that will use the endpoint.

AWS then adds a route to each selected route table that sends traffic for the service's prefix list to the endpoint.

(13)DNS and VPC

DNS servers act as a directory for domain names, maintaining a database that maps names to their corresponding IP addresses.

A DNS hostname uniquely identifies a computer in the Domain Name System. It consists of a hostname and a domain name.

Amazon provides a DNS server that resolves the addresses of the instances running inside a VPC.

Two VPC attributes determine whether an instance receives a public DNS hostname: enableDnsHostnames and enableDnsSupport. When both are true, an instance with a public IP address gets a public DNS hostname. If either is false, it does not.

You can also run your own DNS server and create a new DHCP options set for the VPC that points instances at it.

(14)DHCP Option Sets

Dynamic Host Configuration Protocol (DHCP) option sets define configuration parameters for the instances in your VPC, such as the default domain name and the DNS servers.

AWS recommends that you create a DHCP options set for your AWS Directory Service directory and associate it with the VPC in which the directory resides. Any instance in that VPC can then use the specified domain and the directory's DNS servers to resolve names in that domain.

When you create a VPC, Amazon automatically creates a DHCP options set and associates it with the VPC. This set configures two options: domain-name-servers, set to AmazonProvidedDNS (an Amazon DNS server), and domain-name, set to the region-specific domain name.

A VPC can have only one DHCP options set associated with it at a time.

Once you create a DHCP options set, you cannot modify it.

If you need different DHCP options, you must create a new DHCP options set and associate it with the VPC.

After you associate a new DHCP options set with a VPC, instances launched afterwards use the new options immediately. Instances that are already running pick up the new settings when they renew their DHCP lease (or when you renew it explicitly).

A DHCP options set can carry the following fields: domain-name-servers, domain-name, ntp-servers, netbios-name-servers and netbios-node-type.

(15)Connecting to a VPC

Two terms:

Virtual private gateway:

A virtual private gateway is the VPN concentrator on the Amazon side of a VPN connection; it is attached to the VPC and routes traffic between the VPC and your network.

Customer gateway:

A customer gateway is a physical device or software application on your side of the VPN connection, typically at the edge of your corporate data center.

Four main private connectivity options:

AWS hardware VPN (now called AWS Site-to-Site VPN)

AWS Direct Connect

VPN CloudHub

Software VPN

(16)VPC Flow Logs

Amazon VPC Flow Logs let you capture information about the IP traffic going to and from the network interfaces in your VPC, so that it can be stored and analysed.

Flow log data is published to Amazon CloudWatch Logs (AWS has since added Amazon S3 as a destination). A record shows whether each flow was accepted or rejected, but not which security group or NACL rule made that decision.
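As an added example (not code from the book or these notes), this Python script parses flow log records in the default version 2 format that AWS documents (14 space-separated fields) and uses the REJECT records to flag sources whose rejected attempts spread across many destination ports, a simple port-scan indicator. The log lines, account ID and interface ID are constructed.

```python
"""Added example (not from the book or these notes): parse VPC Flow Log records
in the default (version 2) format and flag sources whose rejected connection
attempts span many destination ports, a simple port-scan indicator.

The sample lines are constructed; the account and interface IDs are placeholders.
The 14-field default record layout is the one AWS documents.
"""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one accepted HTTPS session, four rejected probes from one
# source against different ports, and a NODATA record (no traffic in the window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 50000 443 6 12 4100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 44321 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 44322 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 44323 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 44324 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.5 443 50000 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Turn one default-format record into a dict; '-' becomes None for numbers."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_log(text):
    """Parse every non-empty line of a flow log export."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records):
    """Map each source address to the sorted set of destination ports it was refused on.

    NODATA and SKIPDATA records carry no addresses and are ignored.
    """
    ports = defaultdict(set)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def suspected_scanners(records, min_ports=3):
    """Sources rejected on at least min_ports distinct destination ports."""
    return sorted(src for src, p in rejected_ports_by_source(records).items()
                  if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(rejected_ports_by_source(recs))
    print(suspected_scanners(recs))
```

Two caveats when using this on real data: a REJECT can come from a security group or from a NACL and the record does not say which, so a burst of rejected outbound replies on high ports is just as likely to be the stateless-NACL mistake from the previous section as an attacker; and flow logs omit some traffic by design (for example traffic to the Amazon DNS server and to the instance metadata address), so their absence from the log is not evidence that nothing happened.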

2. Default VPC

Default VPC: every AWS account gets a default VPC in each region.

In a default VPC, EC2 instances launched into the default subnets receive both a public IP address and a private IP address, with access controlled by security groups. Because the default subnets auto-assign public IPs and the default route table sends 0.0.0.0/0 to an Internet gateway, anything launched there is Internet-facing unless its security group says otherwise.

The default VPC comes precreated with the following features:

Dynamic private IP;

Dynamic public IP;

AWS-provided DNS names;

Private DNS name;

Public DNS name.

You can also do the following in the default VPC:

Create additional subnets and change routing rules;

Create additional network controls (security groups, NACLs, routing);

Set up hardware VPN options between your corporate network and the default VPC.
