AWS Networking and Content Delivery Services Cheat Sheet

Virtual private cloud – VPC
Defines a logically isolated virtual network within AWS
IP addressing is controlled with CIDR blocks, from a minimum of /28 up to a maximum of /16
Supports IPv4 and IPv6 addresses
Once created, the primary CIDR block cannot be changed
The address space can be extended by associating secondary IPv4 CIDR blocks with the VPC
Components
Internet gateway (IGW) provides access to the Internet
Virtual gateway (VGW) provides access to the on-premises data centre via VPN and Direct Connect connections
A VPC can have only one IGW and only one VGW attached at a time
Route tables determine where network traffic from a subnet is routed
Subnets are created from ranges within the VPC CIDR block
A Network Address Translation (NAT) server provides outbound Internet access to EC2 instances in private subnets
Elastic IP addresses are static, persistent public IP addresses
The VPC assigns a private IP address to every instance launched in it; an instance can also have a public or Elastic IP address
Security groups and NACLs control which traffic is allowed
Flow logs – capture information about IP traffic going to and from network interfaces in your VPC
Tenancy: instances are launched on shared hardware by default
Dedicated tenancy launches instances on dedicated hardware
Route Tables
Define rules (routes) that determine where network traffic from a subnet is routed
Each VPC can have multiple custom route tables
Each route table contains a local route that allows communication within the VPC; this route cannot be changed or deleted
Route priority is determined by matching the traffic to the most specific route in the route table (longest prefix match)
Subnets
Map to a single AZ and do not span AZs
Each subnet is a CIDR range that is a portion of the VPC CIDR block
CIDR ranges cannot overlap between subnets within a VPC
AWS reserves 5 IP addresses per subnet – the first 4 and the last 5.
Each subnet is associated with a route table that defines its behavior
Public subnets – inbound/outbound Internet connectivity via an IGW
Private subnets – outbound Internet connectivity via a NAT or VGW
Protected subnets – no outbound connectivity; used for regulated workloads

Elastic Network Interface (ENI)
A default ENI (eth0) is attached to every instance and cannot be detached; one or more secondary ENIs (eth1–ethN) can be attached and detached
An ENI has a primary private IP address, one or more secondary private IP addresses, public and Elastic IP addresses, security groups, a MAC address, and a source/destination check flag
An ENI can be attached to an instance in a different subnet, provided both are in the same AZ and the same VPC
An ENI can be removed from a security group
Applications with MAC-address-based licensing can be bound to the ENI's MAC address, which stays with the ENI when it is moved
Security Groups vs. NACLs (Network Access Control Lists)
Stateful vs. stateless
Applied at the instance level vs. at the subnet level
Only Allow rules vs. both Allow and Deny rules
Evaluated as a whole vs. evaluated in a defined order (lowest rule number first)
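As an added illustration of the comparison above (example code, not from this cheat sheet or from AWS), a small Python model of how a security group and a NACL each evaluate the same constructed rule set: the NACL is stateless and takes the lowest-numbered matching rule, the security group is stateful, allow-only and evaluated as a whole. The rule sets, addresses and the implicit-deny behaviour are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order, lowest first; unused for security groups
    action: str      # "allow" or "deny"; security groups only ever have "allow"
    proto: str       # "tcp", "udp", or "-1" for all protocols
    ports: tuple     # (low, high) port range, inclusive
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
def _matches(rule, proto, port, ip):
    return (rule.proto in ("-1", proto) and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

def nacl_allows(rules, proto, port, ip):
    """Stateless and ordered: the lowest-numbered matching rule decides, then implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False  # the trailing "*" deny rule
def sg_allows(rules, proto, port, ip):
    """Allow-only and evaluated as a whole: any matching rule permits, else implicit deny."""
    return any(_matches(r, proto, port, ip) for r in rules if r.action == "allow")
def reply_allowed(kind, inbound, outbound, proto, svc_port, client_ip, client_port):
    """Can the instance answer a request that arrived on svc_port from client_ip:client_port?
    SG: the reply rides on the tracked connection. NACL: the reply needs its own outbound rule."""
    if kind == "sg":
        return sg_allows(inbound, proto, svc_port, client_ip)
    return (nacl_allows(inbound, proto, svc_port, client_ip)
            and nacl_allows(outbound, proto, client_port, client_ip))

# Constructed rule sets (assumed values): serve HTTPS to everyone except one listed host.
NACL_IN = [Rule(100, "deny", "tcp", (443, 443), "203.0.113.10/32"),
           Rule(200, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT = [Rule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]  # client ephemeral ports
SG_IN = [Rule(0, "allow", "tcp", (443, 443), "0.0.0.0/0")]          # no deny rule exists
def demo():
    # Same two NACL rules with the numbers swapped: the allow is hit first, the deny never runs.
    swapped = [Rule(200, "deny", "tcp", (443, 443), "203.0.113.10/32"),
               Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
    return {
        "nacl denies listed host": not nacl_allows(NACL_IN, "tcp", 443, "203.0.113.10"),
        "nacl allows other hosts": nacl_allows(NACL_IN, "tcp", 443, "198.51.100.7"),
        "nacl rule order matters": nacl_allows(swapped, "tcp", 443, "203.0.113.10"),
        "sg cannot single out a host": sg_allows(SG_IN, "tcp", 443, "203.0.113.10"),
        "sg reply needs no outbound rule": reply_allowed("sg", SG_IN, [], "tcp", 443, "198.51.100.7", 49152),
        "nacl reply needs outbound rule": not reply_allowed("nacl", NACL_IN, [], "tcp", 443, "198.51.100.7", 49152)
                                          and reply_allowed("nacl", NACL_IN, NACL_OUT, "tcp", 443, "198.51.100.7", 49152),
    }
```

Every value in `demo()` is True when the model behaves as the cheat sheet describes; the "order matters" entry is the classic NACL mistake of numbering a broad allow below a targeted deny.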
Elastic IP
A static public IP address for use in the cloud
Associated with an AWS account, not a specific instance
Can be remapped from one instance to another
An Elastic IP that is not associated with a running instance incurs a charge for non-usage
NAT
Allows Internet access for instances in private subnets
Performs both network address translation (NAT) and port address translation (PAT)
A NAT instance needs its source/destination check disabled, because it is not the destination of the traffic it forwards
AWS managed NAT services such as NAT Gateway provide better availability and higher bandwidth while requiring less administrative effort
NAT is not supported for IPv6 traffic
NAT Gateway supports private NAT using fixed private IPs

Egress-Only Internet Gateways
Allow outbound-only communication over IPv6 from instances in the VPC