AWS - VPC


VPC

VPC (Virtual Private Cloud)

 * Enables you to launch AWS resources into a virtual network that you've defined

 => a logically isolated section of the AWS Cloud

 * A VPC spans all of the Availability Zones (AZ) in the Region.

+ public-facing subnet for your web servers (public subnets)
+ databases or application servers in a private-facing subnet with no Internet access
+ access control lists
+ VPN connection between your corporate datacenter and your VPC (IPsec) (billed per VPN Connection-hour)
+ Assign multiple IP addresses and attach multiple elastic network interfaces to instances in your VPC
+ Attach one or more Amazon Elastic IP addresses to any instance in your VPC

AZ

AZ (Availability Zone)

 * Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones.

 * Each subnet must reside entirely within one AZ and cannot span zones.

 * When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

Console Items

https://console.aws.amazon.com/vpc

VIRTUAL PRIVATE CLOUD

  • Your VPCs
  • Subnets
  • Route Tables
  • Internet Gateways
  • DHCP Options Sets
  • Elastic IPs

SECURITY

  • Network ACLs
  • Security Groups

Feature

<1> Connect to the Internet using Network Address Translation (private subnets)

<2> Connect privately to other VPCs - peer VPCs together to share resources across multiple virtual networks owned by your own or other AWS accounts.

<3> Connect to Amazon S3 without using an internet gateway or NAT, and control which buckets, requests, users, or groups are allowed through a VPC Endpoint for S3.

<4> Create a Hardware VPN (IPsec) connection between your corporate datacenter and your VPC.

Usage

1) Create VPC

Tenancy:

default - Your instance runs on shared hardware.

dedicated - Your instance runs on single-tenant hardware. ($)

After creation you can configure the VPC by:

 * adding or removing subnets,
 * attaching network gateways,
 * changing the default route table,
 * modifying the network ACLs.

Price

$0.05 per VPN Connection-hour

How do instances without EIPs access the Internet?

a. Assign EIPs to them.

b. Route their traffic through a NAT instance to access the Internet.

c. Route their Internet traffic down the Virtual Private Gateway to your existing datacenter.

Can I remove the dynamic public IP from an instance without terminating it?

Assume the VM automatically receives a public IP.

1. Create an Elastic IP

2. Assign the Elastic IP to the instance that owns the public IP you want to release (the dynamic public IP is released at this step)

3. Disassociate the IP address from the Elastic IP management screen

--- OR ---

1. Create an Elastic IP

2. Assign the Elastic IP to a new NIC

3. Attach the NIC to the instance

4. Disassociate the EIP from the NIC
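The first procedure above as code, added here as an example (it is not AWS or boto3 project code). It assumes a boto3 EC2 client (`boto3.client("ec2")`) or any object exposing the same four methods; the `RecordingEC2` stand-in and the instance id are constructed for this example so the script runs without AWS credentials, and the function names are my own.

```python
"""Release an instance's auto-assigned (dynamic) public IP without stopping
or terminating it: allocate an Elastic IP, associate it with the instance
(this replaces and releases the dynamic public IP), then disassociate the
Elastic IP again. Added example; not AWS or boto3 project code.
"""
from typing import Any, Dict, List, Tuple


def release_dynamic_public_ip(ec2: Any, instance_id: str,
                              release_eip: bool = False) -> Dict[str, str]:
    """Swap the dynamic public IP for an Elastic IP, then detach the EIP.

    Returns the ids involved so the caller can audit or clean up.
    The notes' procedure stops at the disassociate step; `release_eip=True`
    additionally releases the allocation, because AWS bills an Elastic IP
    that is allocated but not associated with a running instance.
    """
    # Step 1: allocate an Elastic IP scoped to VPC.
    alloc = ec2.allocate_address(Domain="vpc")
    allocation_id = alloc["AllocationId"]

    # Step 2: associate it with the instance. The dynamic public IP is
    # returned to the AWS pool at this point and cannot be recovered.
    assoc = ec2.associate_address(InstanceId=instance_id,
                                  AllocationId=allocation_id)
    association_id = assoc["AssociationId"]

    # Step 3: disassociate the EIP; the instance now has no public IP.
    ec2.disassociate_address(AssociationId=association_id)

    if release_eip:
        ec2.release_address(AllocationId=allocation_id)

    return {"AllocationId": allocation_id,
            "AssociationId": association_id,
            "PublicIp": alloc["PublicIp"]}


class RecordingEC2:
    """Offline stand-in for the boto3 EC2 client (constructed for this
    example): records every call and returns the response keys the real
    client returns, so the procedure can be exercised without AWS access."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, dict]] = []

    def allocate_address(self, **kw):
        self.calls.append(("allocate_address", kw))
        return {"AllocationId": "eipalloc-EXAMPLE", "PublicIp": "203.0.113.10"}

    def associate_address(self, **kw):
        self.calls.append(("associate_address", kw))
        return {"AssociationId": "eipassoc-EXAMPLE"}

    def disassociate_address(self, **kw):
        self.calls.append(("disassociate_address", kw))
        return {}

    def release_address(self, **kw):
        self.calls.append(("release_address", kw))
        return {}


if __name__ == "__main__":
    # Replace RecordingEC2() with boto3.client("ec2") to run against AWS.
    client = RecordingEC2()
    print(release_dynamic_public_ip(client, "i-0123456789abcdef0"))
    for name, kw in client.calls:
        print(name, kw)
```

Passing the client in rather than creating it inside the function is what makes the step sequence checkable offline; against a real client the same calls run in the same order. Because the dynamic public IP is gone as soon as step 2 completes, confirm nothing (DNS records, firewall allow-lists, monitoring) still references it before running this.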

VPC DNS Attributes

DNS hostnames (enableDnsHostnames)

Indicates whether instances with public IP addresses get corresponding public DNS hostnames.

Takes effect only when enableDnsSupport is also true.

DNS resolution (enableDnsSupport)

If this attribute is true, queries to the Amazon-provided DNS server at the 169.254.169.253 IP address, or at the reserved IP address at the base of the VPC IPv4 network range plus two, will succeed.

Keep this option disabled if you're using a custom DNS server in the DHCP options set.

If both attributes are set to true, the following occurs:

Instances with a public IP address receive corresponding public DNS hostnames.

The Amazon Route 53 Resolver server can resolve Amazon-provided private DNS hostnames.

If either or both of the attributes is set to false, the following occurs:

Instances with a public IP address do not receive corresponding public DNS hostnames.

The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.

Remark

Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set.

If you are not using the Amazon Route 53 Resolver server, your custom domain name servers must resolve the hostname as appropriate.

  * By default, both attributes are set to true in a default VPC or a VPC created by the VPC wizard.
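An added helper (my own code, not AWS's) that turns two facts from these notes into checks you can run before creating subnets or troubleshooting DNS: the AZ section states that each subnet CIDR must be a subset of the VPC CIDR, and the enableDnsSupport section states that the Amazon-provided resolver answers at the base of the VPC IPv4 range plus two. It uses only the standard-library `ipaddress` module; the function names and the sample layout in `__main__` are constructed for this example, and the overlap check goes slightly beyond the notes (AWS also rejects a subnet whose range collides with an existing subnet in the same VPC).

```python
"""VPC/subnet address helpers built on the stdlib ipaddress module.

Added example, not AWS code. Checks that subnet CIDRs are well formed,
fall inside the VPC CIDR and do not overlap each other, and computes the
Amazon-provided DNS resolver address (VPC base address + 2).
"""
import ipaddress
from typing import Iterable, List


def vpc_dns_resolver_address(vpc_cidr: str) -> str:
    """Return the Amazon-provided resolver address for a VPC: base + 2.

    For 10.0.0.0/16 this is 10.0.0.2; 169.254.169.253 also works from
    inside any VPC, as the notes above describe.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def validate_subnets(vpc_cidr: str, subnet_cidrs: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the layout is valid.

    Per subnet: must parse as a CIDR block with no host bits set, must be
    the same IP version as the VPC, must lie inside the VPC range, and
    must not overlap any other subnet in the list.
    """
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    parsed = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR block ({exc})")
            continue
        if net.version != vpc.version:
            problems.append(f"{cidr}: IP version differs from VPC range {vpc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC range {vpc}")
        parsed.append(net)
    # Pairwise overlap check (beyond the notes): AWS rejects a subnet whose
    # range collides with an existing subnet in the same VPC.
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample layout: one good subnet, one overlapping it,
    # one outside the VPC, and one with host bits set.
    vpc = "10.0.0.0/16"
    print("resolver:", vpc_dns_resolver_address(vpc))
    layout = ["10.0.1.0/24", "10.0.1.128/25", "192.168.1.0/24", "10.0.3.5/24"]
    for problem in validate_subnets(vpc, layout) or ["layout OK"]:
        print(problem)
```

Run it with a real VPC's CIDR and intended subnets before you create them; the resolver address is also the value to expect in `/etc/resolv.conf` on an instance when enableDnsSupport is true and no custom DNS server is set in the DHCP options set.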