AWS Solution Architect Associate (SAA-C02) Review Material – VPC

General

  • Calculate the no. of IPs in a CIDR block:
    • x.x.x.x/N has 2^(32-N) IPs, e.g. 10.10.0.0/31 = 2^1 = 2 IPs
  • Max 5 VPCs/region (soft limit, i.e. can request AWS to increase it)
  • Max 5 CIDR blocks/VPC
  • Smallest allowed block is /28
  • Largest allowed block is /16
  • Subnets:
    • AWS reserves 5 IPs (the first 4 and the last 1) from each subnet's IP range
    • Associated with a single AZ
    • Requires an Internet Gateway if we want to make it a public subnet
  • Internet Gateway (IGW):
    • Attaches to only 1 VPC
    • Does not allow inbound traffic
    • The subnet's route table must have a route pointing to the IGW for outbound traffic to work
  • Bastion Host/NAT Instance/NAT Gateway
    • Bastion Host
      • used to access instances in private subnets from the internet
      • it's just another EC2 instance running in the public subnet that is allowed to SSH to the EC2 instances in the private subnet
      • the SG of the private-subnet instances must allow connections from this bastion instance
    • NAT Instance
      • lets instances in the private subnet access the internet
      • just another EC2 instance configured to perform NAT
      • must disable the Source/Destination check
      • must have an EIP attached
      • must configure the route table of the private subnet to point to the NAT instance
      • not highly available (HA)
      • sits behind an SG
    • NAT Gateway
      • Managed NAT
      • Created in a specific AZ, so one must be created in every AZ that has EC2 instances using it.
      • No failover across AZs, but resilient within its AZ
      • 2 connection types:
        • Public – must be associated with an EIP
        • Private – used to connect to other VPCs or on-prem
  • DNS Resolution Option
    • Enabled by default
    • Uses the VPC CIDR base + 2 or 169.254.169.253 as the DNS server
    • If not enabled, a custom DNS can be used (e.g. Route 53)
  • DNS Host Name
    • Not enabled by default
    • If enabled, EC2 instances get a public DNS name.
    • If not enabled, the EFS alias cannot be resolved.
  • Network Access Control List (NACL)
    • Stateless, i.e. inbound rules and outbound rules are evaluated independently of each other
    • Attached to a VPC
    • A custom NACL defaults to denying everything.
    • Supports both allow and deny rules
    • Rules are numbered and evaluated from lowest to highest.
    • Can be associated with more than 1 SG, but an SG can only have 1 NACL
  • Security Group (SG)
    • Stateful, i.e. the opposite direction is allowed automatically (e.g. allow inbound port 22 and the return traffic is allowed automatically)
    • Attached to an ENI, so an EC2 instance with multiple interfaces can have multiple SGs.
    • Supports allow rules only, so everything is denied unless specifically allowed.
  • VPC Peering
  • Endpoints
    • Interface Endpoints
      • an ENI with a private IP
      • traffic to the target service is routed through this ENI
    • Gateway Endpoints
      • Support S3 and DynamoDB only
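To make the NACL and Security Group bullets above concrete, here is an added example (not part of the original notes and not AWS code) that models how the two are evaluated: a NACL walks its rules in ascending number order, first match wins, and has to allow the request and the reply separately because it is stateless, while an SG only needs a matching inbound allow rule. The rule set and addresses are constructed sample data; `Rule`, `nacl_evaluate` and the other names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number; the lowest is evaluated first
    protocol: str  # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str    # "allow" or "deny" (an SG only ever carries "allow")

def _matches(rule, protocol, port, addr):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and addr in ipaddress.ip_network(rule.cidr))

def nacl_evaluate(rules, protocol, port, ip):
    # One direction of a NACL: the first match in ascending rule number wins,
    # and no match falls through to the implicit '*' deny.
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False

def nacl_allows_tcp_session(inbound, outbound, client_ip, dst_port, client_port):
    # Stateless: the request (inbound, to dst_port) and the reply (outbound,
    # to the client's ephemeral port) are evaluated independently.
    return (nacl_evaluate(inbound, "tcp", dst_port, client_ip)
            and nacl_evaluate(outbound, "tcp", client_port, client_ip))

def sg_allows_tcp_session(inbound, client_ip, dst_port):
    # Stateful and allow-only: one matching inbound rule is enough,
    # the reply traffic is allowed automatically.
    addr = ipaddress.ip_address(client_ip)
    return any(_matches(r, "tcp", dst_port, addr) for r in inbound)

# Constructed sample rules, not taken from any real account.
NACL_IN = [Rule(100, "tcp", 22, 22, "203.0.113.0/24", "allow"),
           Rule(200, "tcp", 22, 22, "0.0.0.0/0", "deny")]
NACL_OUT_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# A deny for one host fires only if it is numbered below the broader allow.
NACL_IN_LATE_DENY = NACL_IN + [Rule(150, "tcp", 22, 22, "203.0.113.7/32", "deny")]
NACL_IN_EARLY_DENY = NACL_IN + [Rule(50, "tcp", 22, 22, "203.0.113.7/32", "deny")]
SG_IN = [Rule(0, "tcp", 22, 22, "203.0.113.0/24", "allow")]

if __name__ == "__main__":
    print("NACL, no outbound ephemeral rule:", nacl_allows_tcp_session(NACL_IN, [], "203.0.113.10", 22, 51000))
    print("Late deny (rule 150) ignored:", nacl_evaluate(NACL_IN_LATE_DENY, "tcp", 22, "203.0.113.7"))
```

The second and fifth cases are the ones that catch people in practice: an inbound allow on port 22 with no outbound allow on the ephemeral range blocks the SSH session at the NACL, and a deny rule numbered above the allow it was meant to override never takes effect.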
