Network

VPC (Virtual Private Cloud)

  • Every new account gets a default VPC in each region. The default VPC comes with an internet gateway and a route to it, and EC2 instances launched into its default subnets are assigned a public IPv4 address, so they are reachable from the internet unless their security group blocks the traffic

  • A VPC can have up to 5 IPv4 CIDR blocks by default (an adjustable quota); each block must be between /28 (16 IP addresses) and /16 (65,536 IP addresses)

  • In every subnet AWS reserves 5 IP addresses: the first four and the last. For 10.0.0.0/24 these are 10.0.0.0 (network address), 10.0.0.1 (VPC router), 10.0.0.2 (DNS resolver), 10.0.0.3 (reserved for future use) and 10.0.0.255 (broadcast), leaving 251 usable addresses
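
Added worked example (not part of the original notes): a small Python helper that checks a VPC CIDR against the /16 to /28 limit, lists the five addresses AWS reserves in a subnet, and checks that a set of subnets fits inside the VPC without overlapping. The CIDRs used are made-up sample values.

```python
import ipaddress

# AWS accepts IPv4 VPC and subnet CIDRs with a netmask between /16 and /28.
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28
RESERVED_PER_SUBNET = 5  # first four addresses plus the broadcast address


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a VPC CIDR and reject sizes that AWS will not accept."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 CIDRs are handled here")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(
            f"{cidr}: VPC CIDR must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def reserved_addresses(subnet_cidr: str) -> dict:
    """Return the five addresses AWS reserves in a subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        "dns": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses that can actually be assigned to instances in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def subnets_fit(vpc_cidr: str, subnet_cidrs) -> bool:
    """True if every subnet lies inside the VPC CIDR, is no smaller than /28,
    and no two subnets overlap."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc) or s.prefixlen > VPC_MAX_PREFIX:
            return False
    for i, a in enumerate(subnets):
        if any(a.overlaps(b) for b in subnets[i + 1:]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample layout: one /16 VPC with two /24 subnets.
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/24"), "usable hosts in a /24")
    print(subnets_fit("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
```

The `usable_hosts` figure is the one to plan capacity with: a /28 subnet has 16 addresses but only 11 assignable, which bites when a managed service (load balancer, interface endpoint) needs several ENIs in a small subnet.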

Internet Gateway

  • Lets resources in the VPC reach the internet, and be reached from it, provided they have a public or Elastic IP address

  • Attaching it is not enough: the subnet's route table needs a route (typically 0.0.0.0/0) whose target is the gateway; only subnets with such a route are "public"

  • Created separately from the VPC and then attached to it; one internet gateway per VPC

Security Group

  • Acts as a stateful firewall at the instance level (it is attached to the network interface): reply traffic for an allowed connection is permitted automatically

  • Contains inbound and outbound rules that control which traffic may enter or leave, based on protocol, port range and source/destination (an IP CIDR or another security group). Rules can only allow; anything that matches no rule is implicitly denied

Network Interface

  • A virtual network card: it carries a primary private IP address (optionally secondary private IPs and a public or Elastic IP), a MAC address and the security groups; it belongs to one subnet and one AZ, and can be detached from one instance and attached to another

Bastion Host

  • A jump host used to reach EC2 instances in private subnets (SSH/RDP)

  • The host must sit in a public subnet; restrict its security group to the administrators' IP ranges, and let the private instances accept SSH/RDP only from the bastion's security group. AWS Systems Manager Session Manager avoids exposing a bastion at all

NAT Instance

  • An EC2 instance in a public subnet that lets instances in private subnets initiate connections to the internet (connections initiated from the internet are not forwarded)

  • You manage the instance yourself: its security group, patching and failover; the source/destination check must be disabled on it, and bandwidth is limited by the instance type

NAT Gateways

  • Managed NAT with higher bandwidth and availability than a NAT instance; it needs an Elastic IP (public NAT) and has no security group of its own, so access is controlled with the private subnets' security groups and NACLs

  • A NAT gateway lives in one AZ; create one per AZ and route each private subnet to the gateway in its own AZ for fault tolerance

Network Access Control List (NACL)

  • A stateless firewall that controls traffic entering and leaving a subnet; because it is stateless, reply traffic (the client's ephemeral ports, 1024-65535) must be allowed explicitly

  • Each subnet is associated with exactly one NACL (the default NACL allows everything); one NACL can be associated with many subnets

  • Rules are evaluated in ascending rule-number order and the first match wins (lower number = higher priority); rules can allow or deny; the final * rule denies anything that matched no rule
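
Added example (not part of the original notes) covering both the Security Group and NACL sections above: a Python model of how a NACL evaluates rules in ascending number order with a trailing implicit deny, statelessly, versus a stateful allow-only security group. The rule sets and addresses are constructed; 198.51.100.0/24 stands in for a range you want to block.

```python
import dataclasses
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = entering the subnet/instance, "out" = leaving it
    protocol: str    # "tcp", "udp" or "icmp"
    remote: str      # the non-local IP address
    port: int        # destination port of this packet


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str          # "tcp", "udp", "icmp" or "all"
    cidr: str              # remote address range
    port_from: int
    port_to: int
    action: str = "allow"  # NACL rules may be "deny"; security group rules are always "allow"
    number: int = 0        # NACL rule number (evaluation order); unused for security groups

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.protocol in ("all", p.protocol)
                and ipaddress.ip_address(p.remote) in ipaddress.ip_network(self.cidr)
                and self.port_from <= p.port <= self.port_to)


def nacl_evaluate(rules, packet: Packet) -> str:
    """NACL semantics: rules are checked in ascending rule-number order, the first
    match decides, and the trailing '*' rule denies whatever matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet):
            return rule.action
    return "deny"


def nacl_allows_connection(rules, direction, protocol, remote, port, ephemeral_port) -> bool:
    """A NACL is stateless: the request and its reply are evaluated independently,
    so the reply (sent to the client's ephemeral port) needs its own rule."""
    request = Packet(direction, protocol, remote, port)
    reply = Packet("out" if direction == "in" else "in", protocol, remote, ephemeral_port)
    return nacl_evaluate(rules, request) == "allow" and nacl_evaluate(rules, reply) == "allow"


def sg_allows_connection(rules, direction, protocol, remote, port) -> bool:
    """A security group is stateful and allow-only: if any rule matches the
    request, the reply is permitted automatically; there are no deny rules."""
    request = Packet(direction, protocol, remote, port)
    return any(r.action == "allow" and r.matches(request) for r in rules)


# Constructed rule sets for a public web subnet.
WEB_NACL = [
    Rule("in", "tcp", "198.51.100.0/24", 0, 65535, action="deny", number=50),
    Rule("in", "tcp", "0.0.0.0/0", 443, 443, number=100),
    Rule("out", "tcp", "0.0.0.0/0", 1024, 65535, number=100),  # replies to clients
]
# Same rules, but the deny numbered after the allow: it can never fire.
MISORDERED_NACL = [dataclasses.replace(r, number=200) if r.action == "deny" else r
                   for r in WEB_NACL]
# Forgot the outbound ephemeral-port rule: every TCP handshake reply is dropped.
NO_EPHEMERAL_NACL = [r for r in WEB_NACL if r.direction == "in"]
# The equivalent security group needs only the inbound allow.
WEB_SG = [Rule("in", "tcp", "0.0.0.0/0", 443, 443)]


if __name__ == "__main__":
    client, bad_client, eph = "203.0.113.10", "198.51.100.5", 51515
    print("NACL, good client:", nacl_allows_connection(WEB_NACL, "in", "tcp", client, 443, eph))
    print("NACL, blocked client:", nacl_allows_connection(WEB_NACL, "in", "tcp", bad_client, 443, eph))
    print("NACL misordered:", nacl_allows_connection(MISORDERED_NACL, "in", "tcp", bad_client, 443, eph))
    print("NACL no ephemeral rule:", nacl_allows_connection(NO_EPHEMERAL_NACL, "in", "tcp", client, 443, eph))
    print("SG, good client:", sg_allows_connection(WEB_SG, "in", "tcp", client, 443))
```

Two practical lessons fall out of the model: a deny rule only works if its number is lower than the allow it is meant to override, and a NACL that forgets the outbound ephemeral-port range silently breaks every inbound TCP connection even though the inbound rule looks right.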

VPC Peering

  • Privately connects two VPCs over the AWS network (same or different account or region); their CIDR blocks must not overlap

  • Route tables in both VPCs must get a route to the peer's CIDR via the peering connection, and security groups/NACLs must allow the traffic

  • Peering is not transitive: if A peers with B and B peers with C, A cannot reach C through B

VPC Endpoints

  • Reach AWS services privately from inside the VPC (AWS PrivateLink) instead of going through a public subnet and internet gateway or NAT

  • 2 types of endpoint - interface endpoint and gateway endpoint

  • Interface endpoint - an ENI with a private IP in your subnet, protected by security groups; supports most AWS services and PrivateLink services, but is charged per hour and per GB

  • Gateway endpoint - free, but only supports S3 and DynamoDB; it is added as a route-table target rather than as an ENI
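
Added example (not the page's own material) illustrating the route-table points from the Internet Gateway, NAT, VPC Peering and VPC Endpoints sections: a longest-prefix-match resolver run over constructed route tables. Target ids such as igw-public, nat-az1, pcx-a-to-b and vpce-s3 are placeholders, and 203.0.113.0/24 stands in for the S3 prefix list a gateway endpoint would really install.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target id)


def resolve(routes: List[Route], dst: str) -> Optional[str]:
    """Pick the target the way a VPC route table does: the most specific
    (longest-prefix) route that contains the destination wins. Returns None
    when no route matches, which means the packet is dropped."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_exposed(routes: List[Route]) -> bool:
    """A subnet whose route table points at an internet gateway is public:
    any instance in it with a public IP is directly reachable from the internet."""
    return any(target.startswith("igw-") for _, target in routes)


# Constructed topology: VPC A (10.0.0.0/16) peered with VPC B (10.1.0.0/16).
# VPC B is also peered with VPC C (10.2.0.0/16), but A has no route to C.
VPC_A = "10.0.0.0/16"
PUBLIC_RT = [
    (VPC_A, "local"),             # the implicit local route every table has
    ("0.0.0.0/0", "igw-public"),  # default route to the internet gateway
]
PRIVATE_RT = [
    (VPC_A, "local"),
    ("0.0.0.0/0", "nat-az1"),           # outbound internet via NAT gateway
    ("10.1.0.0/16", "pcx-a-to-b"),      # peering route to VPC B
    ("203.0.113.0/24", "vpce-s3"),      # stand-in for the S3 gateway endpoint prefix list
]


if __name__ == "__main__":
    for table_name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        for dst in ("10.0.3.4", "10.1.2.3", "10.2.0.5", "203.0.113.7", "8.8.8.8"):
            print(f"{table_name:7} {dst:14} -> {resolve(table, dst)}")
        print(f"{table_name:7} internet exposed: {internet_exposed(table)}")
```

Note what happens to 10.2.0.5 from the private subnet: with no peering route to VPC C the packet falls through to the NAT gateway rather than crossing B, which is the non-transitive behaviour in practice, and the traffic to the endpoint range is steered to the gateway endpoint ahead of the default route, so it never touches the NAT or the internet.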

Flow Log

  • Captures metadata about IP traffic (source/destination, ports, protocol, bytes, ACCEPT or REJECT) at the VPC, subnet or ENI level, but not packet payloads; useful for troubleshooting connectivity (which flows a security group or NACL rejected) and for spotting scanning or unexpected access

  • Log data can be delivered to S3, CloudWatch Logs or Amazon Data Firehose
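
Added example (not part of the original notes): parsing default-format (version 2) VPC flow log records in Python and running two simple checks over them, one for a source that is being rejected on many ports, one for accepted SSH from outside the VPC CIDR. The log lines, account id, ENI id and addresses are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6  # IANA protocol number


def parse_flow_log(text: str) -> list:
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA
    records (their traffic fields are '-')."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def rejected_port_scans(records, min_ports: int = 3) -> dict:
    """Sources whose rejected TCP flows hit at least `min_ports` distinct destination
    ports: a simple indicator of port scanning against the subnet."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_ssh_from_outside(records, vpc_cidr: str) -> list:
    """Accepted TCP/22 flows whose source is outside the VPC: SSH that the security
    groups and NACLs let in from the internet, worth reviewing."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT" and r["protocol"] == TCP and r["dstport"] == 22
                and ipaddress.ip_address(r["srcaddr"]) not in vpc):
            hits.append((r["srcaddr"], r["dstaddr"]))
    return hits


# Constructed sample records (made-up account id, ENI id and addresses).
SAMPLE_LOG = """
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.45 10.0.1.20 44321 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.45 10.0.1.20 44322 23 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.45 10.0.1.20 44323 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.45 10.0.1.20 44324 445 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.20 50200 443 6 12 9400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.20 50201 22 6 30 5100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.2.15 10.0.1.20 39000 22 6 15 2300 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""

RECORDS = parse_flow_log(SAMPLE_LOG)


if __name__ == "__main__":
    print("records:", len(RECORDS))
    print("scanners:", rejected_port_scans(RECORDS))
    print("ssh from outside:", accepted_ssh_from_outside(RECORDS, "10.0.0.0/16"))
```

A REJECT in a flow log tells you that a security group or NACL dropped the flow, not which one; if the NACL and security group both look right and connections still fail, check the reply direction on the NACL first, since flow logs record the blocked reply as a separate REJECT entry.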

Site to Site VPN

  • An IPsec tunnel between the on-premises network and the VPC: a Virtual Private Gateway (or Transit Gateway) must be created on the AWS side, plus a Customer Gateway resource describing the on-premises VPN device

  • The on-premises VPN device needs a public IP address; the traffic crosses the public internet, encrypted

  • VPN CloudHub can be used when multiple sites need secure communication with each other through the same Virtual Private Gateway (hub-and-spoke)

Direct Connect

  • Provides a dedicated private connection from a remote network to the VPC that does not cross the public internet; it is not encrypted by itself, so run a Site-to-Site VPN over it if encryption is required

  • A Virtual Private Gateway must be set up on the VPC (reached through a private virtual interface)

  • Public resources (e.g. S3) and private VPC resources can be accessed over the same connection, using a public and a private virtual interface

  • To connect to multiple VPCs (possibly in different regions), a Direct Connect Gateway is needed

Transit Gateway

  • A hub that provides transitive routing between VPCs, Site-to-Site VPNs and Direct Connect in a hub-and-spoke topology, replacing a mesh of peering connections; transit gateway route tables control which attachments can reach each other

  • Regional resource; can be peered with transit gateways in other regions for cross-region traffic

Traffic Mirroring

  • Capture and inspect network traffic in a VPC by copying packets from selected ENIs (optionally filtered by protocol, port or CIDR)

  • Route the copies to monitoring or security appliances that you manage, via a target ENI or a Network Load Balancer, without putting the appliance in the traffic path

Egress-Only Internet Gateway

  • IPv6 only (VPC IPv6 addresses are globally unique and public, so there is no NAT for IPv6)

  • Lets instances in private subnets initiate outbound IPv6 connections while blocking connections initiated from the internet, the IPv6 counterpart of a NAT gateway

Network Firewall

  • Protects an entire VPC; deployed as endpoints in dedicated firewall subnets that the route tables steer traffic through

  • Layer 3 to layer 7 protection: stateless and stateful rules, domain filtering and Suricata-compatible intrusion prevention rules

  • Internally the firewall endpoints are built on Gateway Load Balancer

Database Migration Service

  • Runs a replication instance (an EC2 instance managed by DMS) that performs the migration and replication tasks

  • The Schema Conversion Tool can convert the database schema from one engine to another before the migration

AWS Backup

  • Centrally automates backups across services

  • Supported services include EC2/EBS, S3, RDS/Aurora/DynamoDB, DocumentDB/Neptune, EFS and FSx

  • Supports cross-region and cross-account backup

  • Requires a backup plan defining backup frequency, backup window, retention and transition to cold storage

Application Migration Service

  • Simplifies lift-and-shift migration of servers from on-premises to AWS
