AWS - VPC

Last updated: 2020-11-26


VPC

VPC (Virtual Private Cloud)

 * Enables you to launch AWS resources into a virtual network that you've defined

 => a logically isolated section of the AWS cloud

 * A VPC spans all of the Availability Zones (AZ) in the Region.

+ Public-facing subnet for your web servers (public subnet)
+ Databases or application servers in a private-facing subnet with no Internet access
+ Access control lists
+ VPN connection between your corporate datacenter and your VPC (IPsec; billed per VPN Connection-hour)
+ Assign multiple IP addresses and attach multiple elastic network interfaces to instances in your VPC
+ Attach one or more Amazon Elastic IP addresses to any instance in your VPC

AZ

AZ (Availability Zone)

 * Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones.

 * Each subnet must reside entirely within one AZ and cannot span zones.

 * When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

Console Items

https://console.aws.amazon.com/vpc

VIRTUAL PRIVATE CLOUD

  • Your VPCs
  • Subnets
  • Route Tables
  • Internet Gateways
  • DHCP Options Sets
  • Elastic IPs

SECURITY

  • Network ACLs
  • Security Groups

Feature

<1> Connect to the Internet using Network Address Translation (private subnets)

<2> Connect privately to other VPCs - peer VPCs together to share resources across multiple virtual networks owned by your own or other AWS accounts.

<3> Connect to Amazon S3 without using an internet gateway or NAT, and control what buckets, requests, users, or groups are allowed through a VPC Endpoint for S3.

<4> Create a hardware VPN (IPsec) connection between your corporate datacenter and your VPC.

Usage

1) Create VPC

Tenancy:

default - Your instance runs on shared hardware.

dedicated - Your instance runs on single-tenant hardware. ($)

Afterwards the VPC can be configured by:

adding or removing subnets,

attaching network gateways,

changing the default route table,

modifying the network ACLs.

Price

$0.05 per VPN Connection-hour

How do instances without EIPs access the Internet?

a. EIPs

b. Route their traffic through a NAT instance to access the Internet.

c. Route their Internet traffic down the Virtual Private Gateway to your existing datacenter.

Can I remove the dynamic public IP from an instance without terminating it?

Assuming the VM automatically gets a public IP:

1. Create an Elastic IP

2. Assign the Elastic IP to the host owning the public ip that you want to release (the ip is released at this step)

3. Disassociate the IP address from the Elastic IP management screen

--- OR ---

1. Create an Elastic IP

2. Assign the Elastic IP to new NIC

3. Assign NIC to Instance

4. Disassociate the EIP ip address from the NIC

VPC DNS Attributes

DNS hostnames(enableDnsHostnames)

Indicates whether instances with public IP addresses get corresponding public DNS hostnames.

Only takes effect when enableDnsSupport is also true.

DNS resolution(enableDnsSupport)

If this attribute is true, queries to the Amazon-provided DNS server at the 169.254.169.253 IP address, or at the reserved IP address at the base of the VPC IPv4 network range plus two, will succeed.

Keep this option disabled if you're using a custom DNS server in the DHCP Options set.

If both attributes are set to true, the following occurs:

Instances with a public IP address receive corresponding public DNS hostnames.

The Amazon Route 53 Resolver server can resolve Amazon-provided private DNS hostnames.

If either or both of the attributes is set to false, the following occurs:

Instances with a public IP address do not receive corresponding public DNS hostnames.

The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.

Remark

Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set.

If you are not using the Amazon Route 53 Resolver server, your custom domain name servers must resolve the hostname as appropriate.

  * By default, both attributes are set to true in a default VPC or a VPC created by the VPC wizard.

Subnet

Public Subnet

A subnet that has a route table with a route to the internet gateway

If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.

CIDR block

The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset of the CIDR block for the VPC (for multiple subnets).

The CIDR blocks of the subnets cannot overlap.

The allowed block size is between a /28 netmask and /16 netmask.

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use.

e.g. for the subnet 10.0.0.0/24:

10.0.0.0
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.255
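An added example (not from the original notes) that checks a proposed subnet layout against the CIDR rules above (/16 to /28, inside the VPC block, no overlaps), lists the five reserved addresses per subnet, and classifies a subnet as public or private from its route table. The VPC/subnet CIDRs and the igw-/nat- route targets are constructed sample values.

```python
# Added example, not part of the original notes: check a proposed subnet layout
# against the CIDR rules in the notes and classify subnets from their route
# tables. All CIDRs and the igw-/nat- targets below are constructed samples.
import ipaddress

# Allowed subnet sizes: between a /16 and a /28 netmask.
MIN_PREFIX, MAX_PREFIX = 16, 28


def reserved_addresses(subnet_cidr):
    """Return the five addresses AWS keeps in every subnet (first four, last one)
    and the number of addresses left for instances."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    reserved = [str(net[i]) for i in (0, 1, 2, 3)] + [str(net[-1])]
    return reserved, net.num_addresses - len(reserved)


def validate_layout(vpc_cidr, subnet_cidrs):
    """Return rule violations for a subnet layout; an empty list means it is valid."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, nets = [], []
    for cidr in subnet_cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as err:  # host bits set or unparsable text
            problems.append(f"{cidr}: {err}")
    for net in nets:
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{net}: block size must be between /16 and /28")
        # Equal to the VPC block is allowed (single subnet); otherwise a subset.
        if not net.subnet_of(vpc):
            problems.append(f"{net}: not within VPC block {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def classify_subnet(route_table):
    """Public only if the route table (destination -> target) has a route to an
    internet gateway; a NAT gateway route alone keeps the subnet private."""
    public = any(target.startswith("igw-") for target in route_table.values())
    return "public" if public else "private"


if __name__ == "__main__":
    print(validate_layout("10.0.0.0/16", ["10.0.0.0/24", "10.0.0.128/25"]))
    print(reserved_addresses("10.0.0.0/24"))
    print(classify_subnet({"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}))
```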

Local Zones

A Local Zone is an extension of an AWS Region in geographic proximity to your users. Local Zones have their own connections to the internet and support AWS Direct Connect, so resources created in a Local Zone can serve local users with low-latency communications.

To use a Local Zone, you must first enable it.

Options

Set "Auto-assign Public IP"

Subnet & Route Table

A subnet can only be associated with one route table at a time.

Any subnet not explicitly associated with a table is implicitly associated with the main route table by default.

Route Table

Explicit subnet associations

If you create a new subnet in this VPC, it's automatically implicitly associated with the main route table

Explicit association between Subnet-2 and Route Table-B

Subnet-1 --- Table-A(Main)

Subnet-2 --- Table-B

NAT gateways / instances

NAT gateway limitations

  • Choose the Elastic IP address to associate with the NAT gateway at creation time
  • Security groups cannot be associated with a NAT gateway
  • Port forwarding is not supported
  • Fragmentation is not supported for the TCP and ICMP protocols

NAT instances

  • Use an Elastic IP address

Enabling a NAT instance

 * Disabling source/destination checks

Each EC2 instance performs source/destination checks by default.

A NAT instance must be able to send and receive traffic when the source or destination is not itself.

Therefore, you must disable source/destination checks on the NAT instance.

Select Your Instances > Click Actions Button > Networking > Change Source/Dest Check > Yes, Disable

Internet Gateways

Increasing the "VPCs per Region" quota also increases the "internet gateways per Region" quota (the two are tied together).

Flow log

Format: parquet

Apache Parquet is an open source, column-oriented data file format designed for efficient data storage and retrieval, with efficient data compression and encoding schemes.

Viewer

https://github.com/mukunku/ParquetViewer

v2.3.7
 * .Net 6
 * ability to export (aka "Save As") to an .xls Excel file.
v2.3.6
 * .Net 4.7.2
