Network
• VPC
• CIDR
• Subnet
• Route Table
• Internet GW
• NAT Device
• ENI
• Elastic IP
• Security Group
• Network ACL
• VPC Peering
• VPC End point
• Transit GW
https://aws.amazon.com/products/storage/
VPC
• Virtual Private Cloud
• Network Isolation
• IP Range by CIDR
• Region Service, Multi AZ
• Divided by Subnet
• Min /28 = 16 IP addresses
• Max /16 = 2^16 (65,536) IP addresses
https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/what-is-amazon-vpc.html https://aws.amazon.com/blogs/architecture/one-to-many-evolving-vpc-design/
Real World VPC
https://aws.amazon.com/blogs/awsforsap/vpc-subnet-zoning-patterns-for-sap-on-aws/
CIDR
• Classless Inter Domain Routing
• Method for allocating IP addresses and for IP routing
• A.B.C.D/E
• 192.168.0.0/24
• 256 ip addresses
• 192.168.0.0 ~ 192.168.0.255
• Reserved IP
https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html https://namu.wiki/w/CIDR
https://en.wikipedia.org/wiki/Classful_network
Subnet
• Sub network
• Network isolated by Subnet
• Private/Public/VPNOnly
• Assigned to only one AZ
• 3 AZ > 3 Subnet
• Defined by CIDR
• Min /28 : 16 IP addresses
• Reserved IP
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
Reserved IP
• Subnet with CIDR block 10.0.0.0/24
• Five IP addresses are reserved
• 10.0.0.0: Network address
• 10.0.0.1: the VPC router
• 10.0.0.2: the DNS server
• 10.0.0.3: reserved by AWS for future use
• 10.0.0.255: Network broadcast address. Broadcast is not supported in a VPC, therefore this address is reserved.
https://aws.amazon.com/vpc/faqs https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
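As an added example (not from the original notes), the CIDR and Reserved IP sections above can be checked with Python's standard `ipaddress` module: the function names and the /16 to /28 bounds are the AWS VPC/subnet limits stated in the notes, and the CIDR values are constructed samples.

```python
import ipaddress

VPC_MIN_PREFIX = 16   # largest block AWS accepts: /16 = 65,536 addresses
VPC_MAX_PREFIX = 28   # smallest block AWS accepts: /28 = 16 addresses
RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject blocks AWS would refuse for a VPC or subnet.

    strict=True also rejects a block whose host bits are set (e.g. 10.0.1.0/16),
    a common typo that the console and API both reject.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 blocks are handled here")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix length must be between /16 and /28")
    return net


def cidr_range(cidr: str) -> tuple:
    """First address, last address and size of a block, as in the CIDR slide."""
    net = validate_cidr(cidr)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses AWS reserves in every subnet, keyed by their role."""
    net = validate_cidr(subnet_cidr)
    first = int(net.network_address)
    return {
        "network": str(ipaddress.IPv4Address(first)),
        "vpc_router": str(ipaddress.IPv4Address(first + 1)),
        "dns": str(ipaddress.IPv4Address(first + 2)),
        "future_use": str(ipaddress.IPv4Address(first + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses actually assignable to ENIs in the subnet."""
    return validate_cidr(subnet_cidr).num_addresses - RESERVED_PER_SUBNET
```

A /28 subnet therefore leaves only 11 assignable addresses, which is why capacity planning counts reserved addresses per subnet, not per VPC.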
Default VPC / Non default VPC
• Default VPC in each AWS Region
• Public subnet in each Availability Zone
• an internet gateway
• enable DNS resolution
• Start launching EC2 into a default VPC
• Nondefault VPC
• create your own VPC
• configure it as you need
https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html
https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html#what-is-default-nondefault
VPC Modification
• Name
• IP Range
• Deletion then New Creation
• Related VPC routing change
https://aws.amazon.com/vpc/faqs/
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
Route Table
• Subnet has route table
• if not, use VPC main router table
• Has Destination, Target
• Target
• local, pcx, igw, eigw, nat
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
| Destination | Target |
|---|---|
| 0.0.0.0/0 | igw-id |
IGW
• Internet Gateway
• Connect to internet
• Use by adding igw to route table
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-xxxx |
https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html https://dev.to/aws-builders/cloud-networking-fundamentals-4b48
| Destination | Target |
|---|---|
| 10.0.1.0/16 | local |
| 0.0.0.0/0 | igw-id |
NAT Device
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | nat-id |
• Network Address Translator
• Translates private addresses to a public address
• IPv4
• Stateful
• Lets private subnets connect to the internet
• Type
• NAT Instance
• Private db > nat instance > igw > internet
• NAT Gateway
• Managed service of NAT instance
• Add nat gateway to private subnet route table
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat.html https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html https://kim-dragon.tistory.com/18
Egress-only Internet Gateway
• EGW
• Similar to NAT Gateway
• IPv6
• Stateful
• Outbound Traffic Only
https://medium.com/awesome-cloud/aws-vpc-route-table-overview-intro-getting-started-guide-5b5d65ec875f
ENI
• Elastic Network Interface
• A logical networking component
• A virtual network card
• Add to instance
• Attributes
• MAC Address
• IP
• Security Group
https://www.whizlabs.com/blog/elastic-network-interface/
https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/networking-networkmode-awsvpc.html
EIP
• Elastic IP
• Assigned from Amazon's pool of public IPv4 addresses
• Different from the Public IP of an EC2 instance, which can change when the instance is restarted
• Attached to EC2 or ENI
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html https://www.looklinux.com/what-is-difference-between-aws-elastic-ip-and-public-ip/ https://documentation.elasticpath.com/cloudops-aws/docs/faq/deployments.html
Security Group
• Control traffic on instance level
• Stateful
• Different from NACL (Stateless)
• Assign one or more security groups to an instance, maximum 5
• Defined on IP, port, IB/OB traffic (default OB allow)
• 0.0.0.0/0, All Protocol, All Port
• Defined by allow rules only
• All rules are considered
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html https://www.checkpoint.com/cyber-hub/cloud-security/what-is-aws-security-groups https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html https://aws.amazon.com/ko/blogs/korea/new-descriptions-for-security-group-rules/
Network ACL
• Allows or denies specific inbound or outbound traffic at the subnet level
• Stateless
• Custom NACL (e.g., in a private VPC): all IB/OB traffic denied by default
• Priority by rule number
• First matching rule applies, later rules are not considered
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
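The Security Group and Network ACL sections differ on exactly the points that cause most "it works in the SG but still times out" tickets, so here is an added example (not from the original notes) that models both evaluation orders in Python. The `Packet`, `SgRule` and `NaclRule` types and the web-server sample rules are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", seen from the instance / subnet
    proto: str        # "tcp", "udp", ...
    port: int         # destination port of this packet
    is_reply: bool    # True if it answers a flow that was already allowed


@dataclass(frozen=True)
class SgRule:         # security groups hold allow rules only
    direction: str
    proto: str        # "all" matches any protocol
    port_from: int
    port_to: int


@dataclass(frozen=True)
class NaclRule:
    number: int       # lower number = higher priority
    direction: str
    proto: str
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


def _matches(rule, pkt) -> bool:
    return (rule.direction == pkt.direction and rule.proto in (pkt.proto, "all")
            and rule.port_from <= pkt.port <= rule.port_to)


def sg_allows(rules, pkt) -> bool:
    """Stateful and allow-only: replies to an allowed flow pass without a rule;
    otherwise all rules are considered and any matching rule permits the packet."""
    if pkt.is_reply:
        return True
    return any(_matches(r, pkt) for r in rules)


def nacl_allows(rules, pkt) -> bool:
    """Stateless: is_reply is ignored. Rules are checked in ascending number, the
    first match decides, and a packet matching nothing hits the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False


# Constructed sample: a web server that only needs inbound HTTPS.
SG = [SgRule("in", "tcp", 443, 443)]
NACL_NO_EPHEMERAL = [NaclRule(100, "in", "tcp", 443, 443, "allow")]
NACL_FIXED = NACL_NO_EPHEMERAL + [NaclRule(100, "out", "tcp", 1024, 65535, "allow")]
REQUEST = Packet("in", "tcp", 443, is_reply=False)
REPLY = Packet("out", "tcp", 51234, is_reply=True)   # answer to the client's ephemeral port
```

With only the inbound 443 rule, the security group already lets the reply out, but the NACL silently drops it until an outbound rule for the ephemeral port range is added.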
VPC Peering
• A networking connection between two VPCs
• Can be in different Regions
• Inter-Region VPC peering connection
• 1:1 mapping
• A > B, B > C then A > C? No
• Need to make an explicit A > C peering
https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html https://twwip.com/2020/01/26/how-to-setup-vpc-peering-in-aws/
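Route Table, IGW, NAT Device and VPC Peering above all come down to how a subnet's route table resolves a destination, so here is an added example (not from the original notes) of that longest-prefix lookup in Python; the route tables and the igw-/nat-/pcx- ids are constructed placeholders.

```python
import ipaddress


def resolve_route(route_table, dst_ip):
    """Pick the target for dst_ip the way a VPC route table does: the most specific
    (longest-prefix) matching destination wins. None means no route, packet dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table) -> bool:
    """A subnet is public when its route table sends traffic to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


# Constructed tables; the ids are placeholders, not real resources.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
# VPC A (10.0.0.0/16) peered with B (10.1.0.0/16). Even if B also peers with
# C (10.2.0.0/16), A has no route to C: peering is not transitive.
PEERED_RT = [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-PLACEHOLDER")]
```

A private subnet and a public subnet differ only in the 0.0.0.0/0 target, and the peered table shows why traffic for VPC C is dropped rather than forwarded through B.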
VPC End Point
• PrivateLink
• Interface Endpoint
• Gateway LB Endpoint
• Gateway Endpoint
• S3, DynamoDB
• Does not use PrivateLink
https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html https://blog.nuricloud.com/aws-vpc-endpoint-using-for-s3-ec2-secure-transfer/
Transit Gateway
• Interconnect between VPCs
• Can connect on-premises networks
• Use DX and VPN
• Examples
• Centralized router
• Isolated VPCs but connect to on-premises
• Isolated VPCs with shared services like LDAP
• Peering between VPCs
• Multicast between VPCs
• Centralized outbound routing
• Security Appliance VPC in shared VPCs
• Blackhole route
https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html https://docs.aws.amazon.com/vpc/latest/tgw/TGW_Scenarios.html
QnA