DEV Community

Jeffrey Hicks

Learning AWS VPC

Sources

VPC - CIDR Blocks

The most important thing about the CIDR blocks of your VPCs is that they must not overlap. As long as two VPCs' CIDR blocks do not overlap, you can create a VPC Peering Connection between them; overlapping blocks cannot be peered, and changing a VPC's primary CIDR afterwards is not possible, so plan the ranges up front.


The next consideration is to choose subnet masks that allow for enough subnets and enough hosts per subnet. Remember that AWS reserves 5 addresses in every subnet (network, VPC router, DNS, future use, broadcast), so a /24 gives 251 usable addresses, not 256.

VPC #1 - 10.0.0.0/16

  • Subnet A - 10.0.1.0/24 (256 addresses, 251 usable; a /22 gives 1,024 and a /20 gives 4,096 if you need ~4,000 hosts)
  • Subnet B - 10.0.2.0/24 (256 addresses, 251 usable)

VPC #2 - 10.1.0.0/16

  • Subnet A - 10.1.1.0/24 (256 addresses, 251 usable)
  • Subnet B - 10.1.2.0/24 (256 addresses, 251 usable)

https://youtu.be/g2JOHLHh4rI?si=S_asDVYDYSmjYd8z&t=1288
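As an added example (not code from the original post or the video), here is a short Python script using the standard library's ipaddress module to check the two rules above: VPC CIDR blocks must not overlap (otherwise peering is impossible), and subnets must fit inside their VPC without overlapping each other. It also counts usable hosts the way AWS does, subtracting the five reserved addresses, and picks the smallest block that fits a given host count. The two VPCs are the ones from the notes; "VPC3" is a constructed block that deliberately collides with VPC #1.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), the DNS resolver (+2), one for future use (+3) and the broadcast
# address (last). A /24 therefore yields 251 usable addresses, not 254 or 256.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses an instance could actually receive in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def prefix_for_hosts(hosts: int) -> int:
    """Smallest block (longest prefix) that still fits `hosts` usable addresses.
    AWS subnets must be between /16 and /28."""
    for prefix in range(28, 15, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


def overlapping_vpcs(vpc_cidrs: dict) -> list:
    """Pairs of VPCs whose CIDR blocks overlap; such pairs cannot be peered."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpc_cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def subnet_problems(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Every subnet must lie inside the VPC block and must not overlap another subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = [f"{s} is outside {vpc}" for s in subnets if not s.subnet_of(vpc)]
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


# Constructed sample: the two VPCs from the notes plus a third that collides with VPC #1.
VPCS = {"VPC1": "10.0.0.0/16", "VPC2": "10.1.0.0/16", "VPC3": "10.0.128.0/17"}
SUBNETS = {
    "VPC1": ["10.0.1.0/24", "10.0.2.0/24"],
    "VPC2": ["10.1.1.0/24", "10.1.2.0/24"],
}

if __name__ == "__main__":
    print("cannot peer:", overlapping_vpcs(VPCS))          # [('VPC1', 'VPC3')]
    for name, subnets in SUBNETS.items():
        print(name, subnet_problems(VPCS[name], subnets) or "subnets OK")
        for s in subnets:
            print(f"  {s}: {usable_hosts(s)} usable hosts")  # 251 each
    print("prefix for 4000 hosts: /%d" % prefix_for_hosts(4000))   # /20
```

Run it before creating anything in the console: the overlap check is the same one AWS applies when you request a peering connection, and the subnet check catches the copy-paste errors (a subnet outside the VPC range, two subnets sharing addresses) that the console only rejects one at a time.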


Internet Gateway

https://youtu.be/g2JOHLHh4rI?feature=shared&t=924

  • Only one Internet Gateway can be attached to a VPC
  • Main Route Table
    • A route with Destination 0.0.0.0/0 has a Target that is the Internet Gateway ID (igw-...)
    • The local route for the VPC CIDR is more specific and matches first; any traffic that matches no more specific route falls through to 0.0.0.0/0 and is sent to the Internet.
    • Every subnet that has no explicit route table association uses the main route table, so a default route to the IGW on the main table makes all such subnets public.


(LAB) Create VPC & Subnets

https://youtu.be/g2JOHLHh4rI?si=iFHUBroGSXjNcn5Y&t=1790

  • Create 1 VPC
  • Create 4 Subnets (2 public, 2 private, across two Availability Zones)
  • Create 2 Route Tables (main for the public subnets, a separate one for the private subnets)
  • Associate Route Tables with Subnets
  • Create and attach 1 Internet Gateway
  • Add a 0.0.0.0/0 route to the Internet Gateway


# Create VPC
Name: MyVPC
IPv4 CIDR Block: 10.0.0.0/16

# Create Subnets

Name: Public-1A
Availability Zone: us-east-1a
IPv4 CIDR Block: 10.0.1.0/24

Name: Public-1B
Availability Zone: us-east-1b
IPv4 CIDR Block: 10.0.2.0/24

Name: Private-1A
Availability Zone: us-east-1a
IPv4 CIDR Block: 10.0.3.0/24

Name: Private-1B
Availability Zone: us-east-1b
IPv4 CIDR Block: 10.0.4.0/24

# Create private route table

Name: Private-RT
VPC: MyVPC
Subnet associations: Private-1A, Private-1B
Routes: 10.0.0.0/16 -> local (the only route; no path to the Internet)

# Create Internet Gateway

Name: MyIGW
VPC: MyVPC (attach to the VPC after creation)

# Add route to the Internet Gateway

Route table: main route table of MyVPC (used by Public-1A and Public-1B)
Destination: 0.0.0.0/0
Target: MyIGW
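As an added example (not from the original post or the video), the following Python models what the lab builds: how the VPC router picks a route by longest prefix match, and how a subnet ends up on the main route table. The route tables are constructed in the shape of `aws ec2 describe-route-tables` output, trimmed to the fields used and with placeholder IDs. The "Added-Later" subnet is an assumption, included to show the caveat that a subnet with no explicit association silently inherits the main table, so with the 0.0.0.0/0 -> IGW route on the main table (as in the lab) every such subnet becomes public.

```python
import ipaddress

# Constructed data in the shape of `aws ec2 describe-route-tables` output for the
# lab VPC, trimmed to the fields used here. IDs are placeholders, not real AWS IDs.
ROUTE_TABLES = [
    {   # the VPC's main route table, which carries the 0.0.0.0/0 -> IGW route
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-myigw"},
        ],
    },
    {   # Private-RT: explicitly associated with the private subnets, local route only
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-1a"}, {"SubnetId": "subnet-private-1b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

# Subnet ID -> Name tag. "Added-Later" is an assumed subnet created after the lab
# with no explicit route table association.
SUBNETS = {
    "subnet-public-1a": "Public-1A", "subnet-public-1b": "Public-1B",
    "subnet-private-1a": "Private-1A", "subnet-private-1b": "Private-1B",
    "subnet-later": "Added-Later",
}


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; a subnet without one falls back to the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def next_hop(route_table, dst_ip):
    """Longest-prefix match over the table's routes, as the VPC router does.
    Returns the target ('local', an igw-/nat- ID) or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and net.prefixlen > best_len:
            best_len = net.prefixlen
            best_target = route.get("GatewayId") or route.get("NatGatewayId")
    return best_target


def is_public(route_table):
    """Public means a default route whose target is an Internet Gateway."""
    return any(r["DestinationCidrBlock"] == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table["Routes"])


def classify_subnets(subnets, route_tables):
    """Name tag -> 'public' or 'private', following the table each subnet really uses."""
    return {name: ("public" if is_public(route_table_for(sid, route_tables)) else "private")
            for sid, name in subnets.items()}


def implicitly_public(subnets, route_tables):
    """Subnets that are public only because the main table is public and they were
    never explicitly associated with any table: the ones that surprise people."""
    explicit = {a["SubnetId"] for rt in route_tables for a in rt["Associations"] if "SubnetId" in a}
    main = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    if not is_public(main):
        return []
    return sorted(name for sid, name in subnets.items() if sid not in explicit)


if __name__ == "__main__":
    for name, kind in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(f"{name:12s} {kind}")
    print("implicitly public:", implicitly_public(SUBNETS, ROUTE_TABLES))
    print("main table, 10.0.3.7      ->", next_hop(ROUTE_TABLES[0], "10.0.3.7"))        # local
    print("main table, 93.184.216.34 ->", next_hop(ROUTE_TABLES[0], "93.184.216.34"))   # igw-myigw
    print("private RT, 93.184.216.34 ->", next_hop(ROUTE_TABLES[1], "93.184.216.34"))   # None
```

The `implicitly_public` check is the one worth keeping: feed it the real `describe-route-tables` and `describe-subnets` output and it lists every subnet that is Internet-routable only by inheritance. The safer layout is to keep the main table local-only and put the IGW route on an explicitly associated public route table, so that a forgotten association fails closed.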

Security Groups and Network ACLs

https://youtu.be/g2JOHLHh4rI?si=PS6U6iBYAgYCAUgp&t=2802

  • Security Groups

    • Apply to EC2 instances (strictly, to elastic network interfaces, which is why RDS, load balancers and other ENI-backed services use them too)
    • Apply in any subnet of the VPC
    • Rules can reference IP CIDR ranges or the IDs of other security groups
    • Allow rules only; there are no deny rules, so anything not explicitly allowed is dropped
    • Stateful firewall: reply traffic for an allowed inbound connection is let out automatically, whatever the outbound rules say (no outbound rules are created; the connection is tracked)
    • Best practice is to layer access by referencing security group IDs, e.g. the app tier allows its port only from the web tier's security group, and the database tier only from the app tier's
  • Network ACLs

    • Apply to subnets
    • Allow and deny rules, each with a rule number; evaluated from the lowest number upward, and the first matching rule wins (the implicit "*" rule at the end denies everything else)
    • Stateless firewall: reply traffic is not tracked
    • Outbound rules must be specified explicitly, including the ephemeral port range (1024-65535) that replies are sent to
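Added example, not code from the original post: a small Python model of the two rule types above. The security group is consulted once per connection and has no ordering; the NACL is consulted per packet, lowest rule number first, and ends with an implicit deny. The rule sets, the `sg-web` ID and the client address are constructed for the example. It demonstrates two things the list states but that are easy to get wrong in practice: an outbound NACL that only mirrors the inbound rule drops the reply to the client's ephemeral port, and the same allow/deny pair behaves differently depending on which rule number comes first.

```python
import ipaddress

# ---- Security group: stateful, allow rules only, no ordering ----
# Constructed rules in a simplified shape: proto, port range, and a source that is
# either a CIDR or another security group's ID (placeholder IDs, not real ones).
WEB_SG_INBOUND = [{"proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"}]
APP_SG_INBOUND = [{"proto": "tcp", "from_port": 8080, "to_port": 8080, "source": "sg-web"}]


def sg_allows(rules, proto, port, peer):
    """True if any allow rule matches. `peer` is an IP string or a security group ID.
    There are no deny rules and no rule numbers, so order does not matter."""
    for rule in rules:
        if rule["proto"] != proto or not (rule["from_port"] <= port <= rule["to_port"]):
            continue
        source = rule["source"]
        if source.startswith("sg-"):
            if peer == source:            # traffic from an instance in that group
                return True
        elif not peer.startswith("sg-") and ipaddress.ip_address(peer) in ipaddress.ip_network(source):
            return True
    return False


# ---- Network ACL: stateless, numbered allow/deny, lowest matching number wins ----
# Rules use the API's field names; Protocol "-1" means all protocols (no PortRange).
def nacl_decision(rules, proto, port, peer_ip):
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r["RuleNumber"]):
        if rule["Protocol"] not in ("-1", proto):
            continue
        low, high = rule.get("PortRange", (0, 65535))
        if not (low <= port <= high) or ip not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        return rule["RuleAction"]
    return "deny"   # the implicit "*" rule at the end of every NACL


def https_connection_completes(sg_inbound, nacl_inbound, nacl_outbound,
                               client_ip="203.0.113.5", client_port=51515):
    """Client -> instance on TCP/443, then the reply back to the client's ephemeral port.
    The SG is stateful, so only the inbound packet is checked against it; the NACL is
    stateless, so the reply must also pass an outbound rule."""
    if nacl_decision(nacl_inbound, "tcp", 443, client_ip) != "allow":
        return False
    if not sg_allows(sg_inbound, "tcp", 443, client_ip):
        return False
    return nacl_decision(nacl_outbound, "tcp", client_port, client_ip) == "allow"


ALLOW_443 = {"RuleNumber": 100, "Protocol": "tcp", "PortRange": (443, 443),
             "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"}
ALLOW_EPHEMERAL = {"RuleNumber": 110, "Protocol": "tcp", "PortRange": (1024, 65535),
                   "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"}
DENY_BAD_NET = {"RuleNumber": 90, "Protocol": "-1", "CidrBlock": "198.51.100.0/24", "RuleAction": "deny"}

NACL_IN = [ALLOW_443]
NACL_OUT_BROKEN = [ALLOW_443]                    # mirrors the inbound rule; replies are dropped
NACL_OUT_FIXED = [ALLOW_443, ALLOW_EPHEMERAL]    # replies to ephemeral ports can leave
DENY_FIRST = [DENY_BAD_NET, ALLOW_443]           # 90 is evaluated before 100
DENY_LAST = [ALLOW_443, dict(DENY_BAD_NET, RuleNumber=110)]  # 100 now matches first

if __name__ == "__main__":
    print("handshake, outbound NACL without ephemeral rule:",
          https_connection_completes(WEB_SG_INBOUND, NACL_IN, NACL_OUT_BROKEN))   # False
    print("handshake, outbound NACL with ephemeral rule:   ",
          https_connection_completes(WEB_SG_INBOUND, NACL_IN, NACL_OUT_FIXED))    # True
    print("app tier from web SG: ", sg_allows(APP_SG_INBOUND, "tcp", 8080, "sg-web"))     # True
    print("app tier from bare IP:", sg_allows(APP_SG_INBOUND, "tcp", 8080, "10.0.1.10"))  # False
    print("deny numbered first:", nacl_decision(DENY_FIRST, "tcp", 443, "198.51.100.7"))  # deny
    print("deny numbered last: ", nacl_decision(DENY_LAST, "tcp", 443, "198.51.100.7"))   # allow
```

The `APP_SG_INBOUND` rule is the layering practice from the list: it admits port 8080 from members of the web tier's group and nothing else, so a new web instance gets access by joining the group rather than by someone editing IP addresses, and a host in the same subnet that is not in the group is still refused.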


VPC Peering

https://youtu.be/g2JOHLHh4rI?si=sspP1hXzPeIrUpIz&t=4020


VPC Endpoints (Interface Endpoints & Gateway Endpoints)

Connect to public AWS services over the private network, so the traffic never leaves the AWS network or needs an Internet Gateway or NAT. Gateway endpoints (S3 and DynamoDB) are added as route table entries; interface endpoints are elastic network interfaces with private IPs in your subnets.

https://youtu.be/g2JOHLHh4rI?feature=shared&t=4939


AWS's VPC CNI for EKS

https://aws.github.io/aws-eks-best-practices/networking/vpc-cni/

https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html

https://www.youtube.com/watch?v=RBE3yk2UlYA
