Saturday, September 15, 2018
VPC
AWS is easy and straightforward.
VPC is a virtual private cloud.
We create subnets inside a VPC, and a VPC can have many subnets (up to the account quota).
Every subnet is associated with exactly one route table; that route table decides where traffic leaving the subnet goes.
Routes are important.
If we open Route Tables and select one from the list:
the 0.0.0.0/0 route targets the internet gateway, and all 4 subnets are associated with this route table.
We associate subnets with route tables, not the other way round. A subnet with no explicit association silently uses the VPC's main route table.
Public Subnet:
The route table the subnet is associated with has a 0.0.0.0/0 route to the internet gateway.
Private Subnet:
In a private subnet there is no route to the internet gateway.
If the subnet needs outbound internet access, its default route points to a NAT gateway instead.
Usually the DB sits in its own network segment (a VLAN on-premises; in a VPC the equivalent isolation unit is the subnet).
The DB and the app are not in the same segment.
We do not want the DB in a subnet that routes directly to the internet.
That is not SAFE.
So we use a different subnet for the DB.
We name this subnet Artifactory-DB-Private (example CIDR 10.1.10.0/24).
The Artifactory app can still connect to the DB without any issues: both subnets are in the same VPC, and the VPC's local route covers the whole VPC CIDR.
But now the question is: if the DB needs to reach the internet (to fetch patches, say), it is in a private subnet and has no path out.
I could add a route to the internet gateway and give it a connection.
But then it is no longer a private subnet; it becomes a public subnet, because it has a direct connection to the internet.
So the requirement is: the DB stays in a private subnet, but it can still initiate connections to the internet.
We are going to deploy a NAT gateway.
When we create a NAT gateway, it asks us to select a subnet (and an Elastic IP for a public NAT gateway).
Traditional wisdom says we should put the NAT gateway in the private subnet, since that is the subnet it serves.
But that does not work: the NAT gateway then has no path to the internet itself.
READ the documentation:
It says the NAT gateway must be created in a public subnet.
Before the NAT gateway can forward the DB's traffic to the internet, the NAT gateway itself needs a route to the internet gateway, and only a public subnet's route table has one.
So we select a public subnet for the NAT gateway.
Now the NAT gateway sits in the public subnet (a.k.a. the Artifactory public subnet).
Now, what about the Artifactory private subnet?
We create a new route table and associate the Artifactory private subnet with it.
Then we add a route for 0.0.0.0/0 with the NAT gateway as the target.
PATH:
The private subnet uses the new route table, whose default route goes to the NAT gateway.
The NAT gateway lives in the public subnet, whose route table sends 0.0.0.0/0 to the internet gateway; that is the path the private subnet takes to reach the internet.
The NAT gateway controls the traffic: it only allows connections initiated from inside (egress) and the replies to them. Nothing on the internet can initiate a connection to the DB through it (no ingress).
So the DB is not reachable from the internet.
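The public/private distinction above is nothing more than "what does the subnet's default route point at". As an added example (not code from the original post), here is that rule written the way a cloud-posture check would apply it to real boto3 output: the data is constructed in the shape of the `ec2.describe_route_tables()` and `ec2.describe_nat_gateways()` responses, and every ID, CIDR and subnet name in it is an assumption. It also covers the two traps from this post: a subnet that was never associated with a route table inherits the main table (here, the one with the internet gateway route) and is therefore public, and a NAT gateway placed in a private subnet has no path out.

```python
"""Classify subnets as public or private from their route tables and check where a
NAT gateway sits.

Added example; not code from the original post. The sample data is constructed in
the shape of ec2.describe_route_tables() and ec2.describe_nat_gateways() responses,
and every ID, CIDR and subnet name in it is invented.
"""

ANYWHERE = "0.0.0.0/0"

# Constructed sample: the VPC from the post after the NAT gateway and the new
# route table for the DB subnet exist. "subnet-forgotten" was never associated
# with any route table, so it falls back to the main table.
SUBNETS = ["subnet-app-public", "subnet-db-private", "subnet-forgotten"]

ROUTE_TABLES = [
    {   # main table: 0.0.0.0/0 -> internet gateway; the app subnet is associated explicitly
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}, {"SubnetId": "subnet-app-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": ANYWHERE, "GatewayId": "igw-0a1b2c", "State": "active"},
        ],
    },
    {   # the new table for Artifactory-DB-Private: 0.0.0.0/0 -> NAT gateway
        "RouteTableId": "rtb-db-private",
        "Associations": [{"SubnetId": "subnet-db-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": ANYWHERE, "NatGatewayId": "nat-0d4e5f", "State": "active"},
        ],
    },
]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0d4e5f", "SubnetId": "subnet-app-public", "State": "available"},
]


def route_table_for(subnet_id, route_tables):
    """The route table a subnet really uses: its explicit association if it has one,
    otherwise the VPC's main table (an un-associated subnet inherits the main
    table's routes, which on this page means an internet gateway route)."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The active 0.0.0.0/0 route of a table, or None when it has no default route."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == ANYWHERE and route.get("State") == "active":
            return route
    return None


def classify_subnet(subnet_id, route_tables):
    """'public' when the default route targets an internet gateway, 'private' when it
    targets a NAT gateway, 'isolated' when there is no default route at all."""
    rt = route_table_for(subnet_id, route_tables)
    route = default_route(rt) if rt else None
    if route is None:
        return "isolated"
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"
    if route.get("NatGatewayId"):
        return "private"
    return "other"  # e.g. a virtual private gateway or instance target, not covered on this page


def classify_all(subnet_ids, route_tables):
    return {s: classify_subnet(s, route_tables) for s in subnet_ids}


def nat_placement_findings(nat_gateways, route_tables):
    """A NAT gateway needs an internet gateway route of its own, so it must sit in a
    public subnet; report every NAT gateway that does not."""
    findings = []
    for nat in nat_gateways:
        kind = classify_subnet(nat["SubnetId"], route_tables)
        if kind != "public":
            findings.append(f"{nat['NatGatewayId']} sits in {kind} subnet {nat['SubnetId']}")
    return findings


if __name__ == "__main__":
    for subnet, kind in classify_all(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
    print(nat_placement_findings(NAT_GATEWAYS, ROUTE_TABLES) or "NAT placement OK")
```

Run it against the real account by replacing the two constants with the `RouteTables` and `NatGateways` lists from the boto3 calls; the subnet that was "forgotten" is the one to look for, because the console never warns that it is riding on the main table.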
But we still need to manage the DB, so we use a jump server (bastion) in the public subnet.
From the internet we log in to the jump server, and from there we connect to the DB.
The above diagram shows the routing of traffic from the internet.
Now, for the DB EC2 host, we create a security group.
Its inbound rules allow only the DB port, and only from the jump server: either the jump server's private IP as a /32, or better, the jump server's own security group as the source, so the rule survives an IP change.
Everything else stays closed. The NAT gateway only stops inbound connections from the internet; the security group is what stops other hosts inside the VPC.
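The security group rule is the last hop of the design, and it is the one most often left too wide. As an added example (not code from the original post), here is a check over data constructed in the shape of `ec2.describe_security_groups()` output: the group IDs, the DB port (5432, assuming a PostgreSQL listener behind Artifactory) and the jump server's address and security group are all assumptions. It shows the two acceptable forms (jump server by /32 address, as the post describes, and jump server by security group) next to the two usual mistakes (DB port open to 0.0.0.0/0, and all protocols open to the whole VPC CIDR).

```python
"""Check that a DB host's security group admits only the jump server on the DB port.

Added example; not code from the original post. The groups below are constructed
in the shape of ec2.describe_security_groups() output; the group IDs, the DB port
and the jump server's address/security group are assumptions.
"""

DB_PORT = 5432             # assumed: PostgreSQL behind Artifactory
JUMP_IP = "10.1.1.25/32"   # assumed private IP of the jump server, as a /32
JUMP_SG = "sg-jump"        # assumed security group of the jump server

# Sources the DB group may accept: the jump server by address or by security group.
ALLOWED_SOURCES = {("cidr", JUMP_IP), ("sg", JUMP_SG)}

# Constructed sample groups: two correct ones and two common mistakes.
DB_SECURITY_GROUPS = [
    {   # what the post describes: the jump server's IP on the DB port only
        "GroupId": "sg-db-by-ip",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
             "IpRanges": [{"CidrIp": JUMP_IP}], "UserIdGroupPairs": []},
        ],
    },
    {   # tighter variant: reference the jump server's security group, so the rule
        # survives the jump server getting a new IP
        "GroupId": "sg-db-by-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": JUMP_SG}]},
        ],
    },
    {   # mistake 1: DB port open to the whole internet
        "GroupId": "sg-db-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {   # mistake 2: all protocols and ports from the whole VPC (IpProtocol "-1"
        # carries no FromPort/ToPort in the API response)
        "GroupId": "sg-db-wide",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "UserIdGroupPairs": []},
        ],
    },
]


def permission_sources(perm):
    """Flatten one IpPermissions entry into ("cidr", ...) / ("sg", ...) tuples."""
    sources = [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
    sources += [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    sources += [("sg", p["GroupId"]) for p in perm.get("UserIdGroupPairs", [])]
    return sources


def ingress_findings(group, db_port=DB_PORT, allowed_sources=ALLOWED_SOURCES):
    """One finding per rule or source broader than 'tcp/db_port from the jump server'."""
    gid = group["GroupId"]
    findings = []
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] == "-1":
            findings.append(f"{gid}: rule allows all protocols and ports")
        elif (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")) != ("tcp", db_port, db_port):
            findings.append(f"{gid}: rule opens {perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}")
        for kind, value in permission_sources(perm):
            if value in ("0.0.0.0/0", "::/0"):
                findings.append(f"{gid}: open to the internet ({value})")
            elif (kind, value) not in allowed_sources:
                findings.append(f"{gid}: unexpected {kind} source {value}")
    return findings


def audit(groups, db_port=DB_PORT, allowed_sources=ALLOWED_SOURCES):
    """Map each group ID to its findings; an empty list means the group is as tight as intended."""
    return {g["GroupId"]: ingress_findings(g, db_port, allowed_sources) for g in groups}


if __name__ == "__main__":
    for gid, findings in audit(DB_SECURITY_GROUPS).items():
        print(gid, findings or "OK")
```

Anything the jump server itself needs (SSH on 22 from the administrator's address) belongs in the jump server's group, not the DB's; the check deliberately flags even a jump-server-sourced port 22 rule on the DB group as wider than intended.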