AWS Solution Architect Associate (SAA-C02) Review Material – VPC

Leave a Comment / AWS Review Notes / By

General

  • Calculate no. of IP in a CIDR:
    • x.x.x.x/N – ( 2^ (32 -N)) e.g. 10.10.0.0/31 = (2^1) = 2 IPs
  • Max VPC is 5/region (soft limit i.e. can request AWS to increase)
  • Max 5 CIDR/VPC
  • Min IPs is /28
  • Max IPs is /16
  • Subnets:
    • AWS will reserve 5 IPs (1st 4 and last 1) from the subnets IP range
    • Associated with an AZ
    • Requires an Internet Gateway if we want to make this as a public subnet
  • Internet Gateway (IGW):
    • Attach to only 1 VPC
    • Does not allow inbound traffic
    • Subnet must have a route pointing to IGW for outbound traffic to work
  • Bastion Host/NAT Instance/NAT Gateway
    • Bastion Host
      • access private subnets from the internet
      • it’s just another EC2 instance running in the public subnet that is allowed to SSH to the EC2 instances in the private subnet
      • the private subnet SG must allow connection from this EC2 instance
    • NAT Instance
      • access the internet from the private subnet
      • another EC2 instance with NAT
      • must disable Source/Destination check
      • must have an EIP attached
      • must configure the route table of the private subnet to point to the NAT instance
      • not HA
      • behind a SG
    • NAT Gateway
      • Managed NAT
      • Created on a specific AZ. So must create on every AZ if you have EC2 instances on different AZs.
      • No failover but resilient per AZ
      • 2 connection types:
        • Public – it will need to associate to an EIP
        • Private – can be used to connect to other VPC or on-prem
  • DNS Resolution Option
    • Enabled by default
    • Uses net_cidr_base+2 or 169.254..169.253 as the DNS server
    • If not enabled, can use custom DNS (e.g. Route 53)
  • DNS Host Name
    1. Not enabled by default
    2. If enabled EC2 instance will get a public DNS.
    3. If not enabled EFS alias cannot be resolved.
  • Network Access Control List (NACL)
    • Stateless i.e. inbound rule and outbound rules are independent from each other
    • Attached to a VPC
    • Custom NACL default to deny everything.
    • Supports allow and deny rules
    • Rule are numbered and evaluated from lowest to highest.
    • Can be associated with more than 1 SG. But an SG can only have 1 NACL
  • Security Group (SG)
    • Stateful i.e. automatically allow opposite traffic (e.g. allow inbound port 22 then the return traffic is automatically allowed)
    • Attached to an ENI. So if an EC2 has multiple interfaces then it can have multiple SG.
    • Supports allow rule only. So everything is denied unless specifically allowed.
  • VPC Peering
  • End Points
    • Interface Endpoints
      • an ENI with private IP
      • through this ENI traffic will be routed to the destined service
    • Gateway Endpoints
      • Supports S3 and DynamoDB only
  • Tenancy:
    1. Default
      • instances launched in this VPC use the tenancy attribute specified at launch
    2. Dedicated
      • ensure that instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.

Leave a Comment