Last updated: 2020-11-26
Contents
VPC
VPC (Virtual Private Cloud)
* Enables you to launch AWS resources into a virtual network that you've defined
=> a logically isolated section of the AWS Cloud
* A VPC spans all of the Availability Zones (AZs) in the Region.
+ public-facing subnets for your web servers (public subnets)
+ databases or application servers in private subnets with no Internet access
+ network access control lists (NACLs) and security groups
+ IPsec VPN connection between your corporate datacenter and the VPC (billed per VPN Connection-hour)
+ Assign multiple IP addresses and attach multiple elastic network interfaces to instances in your VPC
+ Attach one or more Elastic IP addresses to any instance in your VPC
AZ
AZ (Availability Zone)
* Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones.
* Each subnet must reside entirely within one AZ and cannot span zones.
* When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.
Console Items
https://console.aws.amazon.com/vpc
VIRTUAL PRIVATE CLOUD
- Your VPCs
- Subnets
- Route Tables
- Internet Gateways
- DHCP Options Sets
- Elastic IPs
SECURITY
- Network ACLs
- Security Groups
Features
<1> Connect private subnets to the Internet through Network Address Translation (NAT gateway or NAT instance)
<2> Connect privately to other VPCs: peer VPCs together to share resources across multiple virtual networks owned by you or by other AWS accounts
<3> Connect to Amazon S3 without an internet gateway or NAT, and control which buckets, requests, users or groups are allowed through a VPC endpoint for S3 (endpoint policy)
<4> Create a hardware VPN (IPsec) connection between your corporate datacenter and your VPC
Usage
1) Create VPC
Tenancy:
default - your instances run on shared hardware.
dedicated - your instances run on single-tenant hardware (extra cost, $).
After creation the VPC can be modified by:
adding or removing subnets,
attaching network gateways,
changing the main route table,
modifying the network ACLs.
Price
$0.05 per VPN Connection-hour
How do instances without public IPs / EIPs access the Internet?
a. Assign an Elastic IP address to the instance (it must sit in a public subnet, i.e. one whose route table has a route to an internet gateway)
b. Route their traffic through a NAT gateway or NAT instance placed in a public subnet
c. Route their Internet traffic down the Virtual Private Gateway (hardware VPN) to your existing datacenter, which then forwards it to the Internet
Can I remove the dynamic public IP from an instance without terminating it?
Assuming the instance was auto-assigned a public IP at launch:
1. Create an Elastic IP
2. Associate the Elastic IP with the instance that owns the public IP you want to release (the auto-assigned public IP is released at this step)
3. Disassociate the address from the Elastic IP management screen (then release the EIP; an EIP that is not associated with a running instance is still billed)
--- OR ---
1. Create an Elastic IP
2. Associate the Elastic IP with a new network interface (ENI)
3. Attach the ENI to the instance
4. Disassociate the EIP from the ENI
VPC DNS Attributes
DNS hostnames (enableDnsHostnames)
Indicates whether instances with public IP addresses get corresponding public DNS hostnames.
Only takes effect when enableDnsSupport is also true.
DNS resolution (enableDnsSupport)
If this attribute is true, queries to the Amazon-provided DNS server at 169.254.169.253,
or at the reserved address at the base of the VPC IPv4 network range plus two, succeed.
Leave it disabled only if you use your own DNS servers configured through the DHCP options set.
If both attributes are set to true:
Instances with a public IP address receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver can resolve Amazon-provided private DNS hostnames.
If either or both of the attributes are set to false:
Instances with a public IP address do not receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.
Remark
Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set.
If you are not using the Amazon Route 53 Resolver,
your custom domain name servers must resolve the hostnames as appropriate.
* By default, both attributes are true in a default VPC or a VPC created by the VPC wizard; a VPC created through the API/CLI starts with enableDnsSupport true and enableDnsHostnames false.
Subnet
Public Subnet
A subnet whose route table has a route to the internet gateway.
If a subnet doesn't have a route to the internet gateway, it is a private subnet.
CIDR block
The CIDR block of a subnet can be the same as the CIDR block of the VPC (for a single subnet in the VPC),
or a subset of the CIDR block of the VPC (for multiple subnets).
The CIDR blocks of the subnets cannot overlap.
The allowed block size is between a /28 netmask and a /16 netmask.
The first four IP addresses and the last IP address in each subnet CIDR block are reserved by AWS and not available for you to use,
e.g. for 10.0.0.0/24:
10.0.0.0   network address
10.0.0.1   VPC router
10.0.0.2   Amazon-provided DNS (Route 53 Resolver)
10.0.0.3   reserved for future use
10.0.0.255 network broadcast address (broadcast is not supported in a VPC, but the address is still reserved)
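The CIDR rules above (block size /16 to /28, subnets inside the VPC block, no overlap, five reserved addresses per subnet) and the "base of the VPC range plus two" DNS address from the DNS attributes section are easy to get wrong by hand. The following is an added example, not code from the original notes or from AWS; the function names (`reserved_addresses`, `validate_subnets`, ...) and the sample CIDRs are mine. It uses only the standard library, so it runs offline.

```python
"""Subnet planning checks for a VPC (added example, not AWS code)."""
import ipaddress

# Roles of the five addresses AWS reserves in every subnet, in address order:
# the first four and the last address of the block.
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "Amazon-provided DNS (Route 53 Resolver)",
    "reserved for future use",
    "network broadcast (not supported in a VPC, still reserved)",
)


def reserved_addresses(subnet_cidr):
    """Map each address that cannot be assigned to an instance to its role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addrs = [str(net.network_address + i) for i in range(4)] + [str(net.broadcast_address)]
    return dict(zip(addrs, RESERVED_ROLES))


def amazon_dns_address(vpc_cidr):
    """Route 53 Resolver address for the VPC: base of the IPv4 range plus two
    (169.254.169.253 is the VPC-independent alternative)."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def usable_hosts(subnet_cidr):
    """Addresses actually available for network interfaces in the subnet."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Return a list of problems with the plan; an empty list means it is valid.

    Rules: prefix length between /16 and /28 for the VPC and every subnet,
    every subnet inside the VPC block (a single subnet may equal it),
    and no overlap between subnets. strict=True rejects CIDRs with host
    bits set (e.g. 10.0.3.5/24), which AWS would reject as well.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} prefix must be between /16 and /28")
    seen = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{net} prefix must be between /16 and /28")
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside VPC block {vpc}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one good subnet, then four different mistakes.
    plan = ["10.0.0.0/24", "10.0.0.128/25", "192.168.0.0/24", "10.0.2.0/29", "10.0.3.5/24"]
    for problem in validate_subnets("10.0.0.0/16", plan):
        print("problem:", problem)
    print("DNS resolver for 10.0.0.0/16:", amazon_dns_address("10.0.0.0/16"))
    for addr, role in reserved_addresses("10.0.0.0/24").items():
        print(addr, "->", role)
```

Run it before creating subnets; the reported overlaps and out-of-range blocks are exactly the cases the console rejects, and `usable_hosts` shows why a /28 only leaves 11 addresses for instances.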
Local Zones
A Local Zone is an extension of an AWS Region in geographic proximity to your users. Local Zones have their own connections to the internet and support AWS Direct Connect, so resources created in a Local Zone can serve local users with low-latency communications.
To use a Local Zone, you must first enable it.
Options
"Auto-assign Public IP": when enabled on a subnet, every instance launched into it gets a public IPv4 address by default; keep it disabled on private subnets.
Subnet & Route Table
A subnet can only be associated with one route table at a time.
Any subnet not explicitly associated with a table is implicitly associated with the main route table.
Route Table
Explicit subnet associations
If you create a new subnet in this VPC, it is implicitly associated with the main route table until you explicitly associate it with another table.
Example: explicit association between Subnet-2 and Route Table-B
Subnet-1 --- Table-A (Main, implicit)
Subnet-2 --- Table-B (explicit)
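Putting the two rules together (effective route table = explicit association or else the main table; public = that table has a route to an internet gateway) gives a quick audit for subnets that are public without anyone intending it. The code below is an added example, not from the original notes or from any AWS tool; the route table and subnet data is constructed sample input in the shape of `aws ec2 describe-route-tables` output, trimmed to the fields used, and the function names are mine.

```python
"""Classify subnets as public or private from route tables (added example)."""

# Constructed sample: rtb-main is the main table (Table-A) with only the local
# route; rtb-b (Table-B) has a default route to an internet gateway and is
# explicitly associated with subnet-2. subnet-1 and subnet-3 are implicit.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
    },
    {
        "RouteTableId": "rtb-b",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-2", "RouteTableId": "rtb-b"}],
    },
]
SUBNET_IDS = ["subnet-1", "subnet-2", "subnet-3"]


def effective_route_table(subnet_id, route_tables):
    """Return (table, 'explicit'|'implicit'): the explicitly associated table
    if there is one, otherwise the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("Main"):
                main = table
            elif assoc.get("SubnetId") == subnet_id:
                return table, "explicit"
    if main is None:
        raise ValueError("VPC has no main route table")
    return main, "implicit"


def has_igw_route(table):
    """True if any route targets an internet gateway, whatever its destination."""
    return any(route.get("GatewayId", "").startswith("igw-") for route in table["Routes"])


def classify_subnets(subnet_ids, route_tables):
    """Map subnet id -> (route table id, association kind, 'public'|'private')."""
    result = {}
    for subnet_id in subnet_ids:
        table, how = effective_route_table(subnet_id, route_tables)
        kind = "public" if has_igw_route(table) else "private"
        result[subnet_id] = (table["RouteTableId"], how, kind)
    return result


def main_table_exposes_internet(route_tables):
    """Security check: an IGW route on the main table makes every new subnet
    public by default, because new subnets are implicitly associated with it."""
    for table in route_tables:
        if any(a.get("Main") for a in table["Associations"]) and has_igw_route(table):
            return True
    return False


if __name__ == "__main__":
    for subnet_id, info in classify_subnets(SUBNET_IDS, ROUTE_TABLES).items():
        print(subnet_id, *info)
    print("main table has IGW route:", main_table_exposes_internet(ROUTE_TABLES))
```

With real accounts the input comes from `aws ec2 describe-route-tables` and `aws ec2 describe-subnets`; the point of `main_table_exposes_internet` is that the safe pattern is to keep the main table private and attach the IGW route only to tables that are explicitly associated with the intended public subnets.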
NAT gateways / instances
NAT gateway limitations
- The Elastic IP address to associate with a NAT gateway must be chosen at creation time
- Security groups cannot be associated with a NAT gateway (use security groups on the instances behind it and a network ACL on the NAT gateway's subnet)
- Port forwarding is not supported
- Fragmentation is not supported for TCP and ICMP; fragmented packets for these protocols are dropped
NAT instances
- Use an Elastic IP address for the NAT instance
Enabling a NAT instance
* Disable source/destination checks
Each EC2 instance performs source/destination checks by default.
A NAT instance must be able to send and receive traffic when the source or destination is not itself,
so you must disable source/destination checks on the NAT instance.
Console: select the instance > Actions > Networking > Change Source/Dest Check > Yes, Disable
Internet Gateways
Only one internet gateway can be attached to a VPC at a time, so the "Internet gateways per Region" quota follows "VPCs per Region": to get more internet gateways, request an increase of the "VPCs per Region" quota.
Flow log
Format: Parquet
Flow logs delivered to S3 can be stored as Apache Parquet instead of plain text.
Apache Parquet is an open source, column-oriented data file format designed for efficient data storage and retrieval,
with efficient data compression and encoding schemes.
Viewer
https://github.com/mukunku/ParquetViewer
v2.3.7
* .NET 6
* ability to export (aka "Save As") to an .xls Excel file
v2.3.6
* .NET 4.7.2