Monday, October 22, 2018

AWS 4 NAT Gateway


AWS Solutions:

AWS Payment Card Industry Security Standards

Amazon reserves five IP addresses in every subnet: the first four and the last one
It uses them internally (network address, VPC router, Amazon-provided DNS, reserved for future use, broadcast)
Subnet 10.1.1.0/24
It reserves 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.1.3 and 10.1.1.255
We can use 10.1.1.4 to 10.1.1.254 (251 addresses)
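As an added example (not part of these notes), the following Python uses only the standard ipaddress module to list the five reserved addresses and the usable range of any subnet, so the /24 above can be compared with the smallest block AWS allows, a /28:

```python
import ipaddress

# Added example, not from the notes. Roles follow the AWS reservation order:
# .0 network, .1 VPC router, .2 DNS, .3 future use, last address broadcast.
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "Amazon-provided DNS",
    "reserved for future use",
)


def _subnet(cidr):
    """Parse a subnet and enforce the AWS size limit of /16 to /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net


def reserved_addresses(cidr):
    """Return {address: role} for the five addresses AWS reserves in `cidr`."""
    net = _subnet(cidr)
    addrs = list(net)                      # every address in the block, including first and last
    reserved = {str(a): role for a, role in zip(addrs[:4], RESERVED_ROLES)}
    reserved[str(addrs[-1])] = "broadcast address (unsupported in a VPC, still reserved)"
    return reserved


def usable_range(cidr):
    """Return (first_usable, last_usable, count) after removing the reserved addresses."""
    net = _subnet(cidr)
    addrs = list(net)
    return str(addrs[4]), str(addrs[-2]), net.num_addresses - 5


if __name__ == "__main__":
    for cidr in ("10.1.1.0/24", "10.1.2.0/28"):
        print(cidr, "usable:", usable_range(cidr))
        for addr, role in reserved_addresses(cidr).items():
            print("   reserved", addr, "-", role)
```

The /28 case is the one to remember: 16 addresses minus 5 reserved leaves only 11 usable hosts, which is why very small subnets fill up faster than the prefix length suggests.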


When we create a Route Table, it belongs to exactly one VPC
A VPC can have any number of Route Tables, and each Route Table any number of routes

When a subnet's route table has a route to an Internet Gateway, it is called a Public Subnet
If the subnet's route table has no route to an Internet Gateway, it is called a Private Subnet


Flow of path:

The EC2 instance is in the Subnet
It hands its packets to the VPC router, which looks up where they should go

The subnet is associated with a Routing table, which has routes in it.
This routing table tells the VPC router where to forward the EC2 instance's traffic.

The routes are separate for different destinations.
The local route covers the VPC's own CIDR; for all other traffic (0.0.0.0/0) we select the Internet Gateway as the Target.





Let's consider the following CASE:
Webserver
Database Server






The above architecture, with the Database Server sitting in the same public subnet as the Webserver, is very dangerous and not advisable

So what we do is use a separate (private) Subnet for the Database.





By default there is a path (the local route) between the Database subnet and the Application subnet,
because the two subnets are in the SAME VPC; whether a connection actually succeeds then depends on the Security Groups


Example of a Production deployment:





We have a Management VPC which is connected to the Production VPC for easy management

In the Production VPC the Application Subnet is separate from the Database Subnet.
There is a DMZ (public) Subnet, which holds the NAT Gateway; the Database stays in its private subnet and reaches the internet only through that NAT Gateway

We usually create a Management host / Jump server in a Management Subnet and then use it to connect to the other Subnets.

We cannot connect directly to the NAT Gateway: it only forwards connections that start inside the VPC.




The below is the only path we can have




If we associate the Subnet with the Routing table that has the route to the IGW, it can then reach the
IGW directly and doesn't need the NAT gateway (it has become a public subnet)




So along with the private subnet, we also need to create a separate Routing Table for it.
We create the NAT gateway in the public Subnet (the one whose route table points at the IGW) and give it an Elastic IP
We add a route 0.0.0.0/0 -> NAT gateway in our DB routing Table





Accessing the DB server directly from our laptop is not possible, as it is in a private subnet with no route to the IGW

We first log in to a server in Subnet1, which is associated with the IGW ( using its public IP )

Once logged in, we ping the DB server to check that it is reachable. It should be, because both subnets are in the same VPC and the local route connects them (the DB Security Group must allow ICMP from the bastion for the ping to be answered).

Once this is done, we copy the private key .pem file onto the bastion/jump server in Subnet1
We then change the permissions of this file to 400
Then we log in using ssh -i key.pem ec2-user@private-db-ip

Caveat: copying the private key onto the bastion leaves it on a host that is exposed to the internet. SSH agent forwarding or a ProxyJump configuration achieves the same hop while the key stays on the laptop.

Final Implementation Diagram:





So, all the traffic from the private subnet that needs to go out has to go through the NAT gateway.




Inbound Traffic and outbound traffic

Outbound Traffic:

All outbound internet traffic from both the public and private subnets ultimately leaves through the IGW:
the public subnet routes to it directly, the private subnet routes to the NAT gateway, which sits in the public subnet and passes the traffic on through the IGW.

Inbound Traffic:

Only instances in the public subnet that have a public IP can be reached from the internet. The NAT gateway does not accept connections started from outside, so the private subnet has no inbound path.












AWS 3 VPC IGW Routing ( Security Groups )

VPC is the mother of all: every other networking resource lives inside it

For outbound communication to the internet we need an IGW
VPC:IGW = 1:1 (at most one IGW attached to a VPC, and an IGW attaches to only one VPC)
Enable DNS Hostnames while creating the VPC

A VPC can have any number of route tables (and each route table any number of routes)

After creating the VPC, we create the subnets
For high availability, subnets should be created in separate Availability Zones of the same Region










We can have multiple Routing Tables inside a VPC:

A Routing table belongs to exactly one VPC
A VPC can have any number of routing tables

A subnet must be associated with a routing table for its traffic to be routed (if we do not associate one explicitly, it uses the VPC's main routing table)

A subnet cannot be associated with more than one routing table at a time.


1) Create a VPC ( Enable DNS Hostnames )
2) Create the subnets in the VPC ( Enable Auto-assign public IPv4 address on the public subnet )
    a) The subnets in the same VPC must have different, non-overlapping CIDRs
    b) All the Availability Zones in the VPC are interconnected,
    c) so even though a subnet is in a different Availability Zone, its instances reach the others over the local route
3) Create an Internet Gateway and attach it to the VPC - if we want our traffic to go out
4) Create a Routing Table, associate the subnets with it, and add the route 0.0.0.0/0 -> IGW
5) Create Security Groups ( virtual firewall; "All Traffic" was used in this lab, which is far too open for anything but a throwaway test )
6) Create a Key pair
7) Create an EC2 instance
8) Create an Elastic IP and assign it to the EC2 instance ( because auto-assign public IP was not enabled )
9) Convert the .pem to .ppk ( only for Windows / PuTTY )


Routing Table:
The VPC router checks where an instance's traffic is going against the Routing Table of the instance's subnet
It matches the packet's destination against the Destination field, most specific route first.
If the traffic is going to 10.1.0.0/16, the route says local, which means the VPC's own router delivers it
0.0.0.0/0 means Anywhere. So for this route, all the traffic except the local traffic uses the Gateway that is attached to this route.
Which here in our case will be the IGW. ( Not a NAT gateway or a VGW, virtual private gateway - those are different targets )
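As an added example, not part of these notes, the following Python models the lookup just described as a longest-prefix match over two route tables: the public table from this section (0.0.0.0/0 -> IGW) and the private DB table from the NAT Gateway notes above (0.0.0.0/0 -> NAT gateway). The gateway IDs igw-0a1b2c3d and nat-0e5f6a7b are hypothetical, and it only uses the standard library:

```python
import ipaddress

# Added example, not from the notes. Gateway IDs below are hypothetical.
VPC_CIDR = "10.1.0.0/16"

# Route table of the public (web/bastion) subnet: default route to the IGW.
PUBLIC_RT = {VPC_CIDR: "local", "0.0.0.0/0": "igw-0a1b2c3d"}
# Route table of the private (DB) subnet: default route to the NAT gateway.
PRIVATE_RT = {VPC_CIDR: "local", "0.0.0.0/0": "nat-0e5f6a7b"}
# A route table with only the local route: no path to the internet at all.
ISOLATED_RT = {VPC_CIDR: "local"}


def lookup(route_table, dst):
    """Return the target for destination `dst`, or None when no route matches.
    AWS picks the most specific (longest prefix) matching route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(route_table):
    """A subnet is public only when its route table sends 0.0.0.0/0 to an IGW."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")


def egress_path(route_table, dst):
    """List the hops a packet takes on its way out of the VPC towards `dst`.
    A NAT gateway lives in the public subnet, so traffic handed to it is then
    forwarded by the public subnet's route table, i.e. on to the IGW."""
    hop = lookup(route_table, dst)
    if hop is None:
        return []                      # dropped: no matching route
    if hop.startswith("nat-"):
        return [hop, lookup(PUBLIC_RT, dst)]
    return [hop]


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, "subnet, public?", is_public(rt))
        for dst in ("10.1.2.10", "8.8.8.8"):
            print("   ", dst, "->", egress_path(rt, dst) or "no route")
```

The isolated table is the interesting case for the database: with only the local route, a packet for 8.8.8.8 has no target at all, so the DB host can neither reach the internet nor be reached from it, regardless of security groups.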


Security Groups:

By default, every VPC comes with a main Routing Table and a default Security Group
We will not be using them


Security groups are virtual firewalls attached to the instance (its network interface)


They have both INBOUND and OUTBOUND rules, and they contain allow rules only (there is no deny rule).
A new security group allows all outbound traffic and no inbound traffic, so in practice we mostly edit the inbound rules, but outbound can be restricted too.
They are stateful: the reply to an allowed connection is allowed automatically in the other direction.









Sunday, October 21, 2018

TERMS to learn


VLAN
gateway
subnet
subnetmask
IPV4
IPV6

Route
Routing Table
NAT
8.8.8.8 ( Google's public DNS resolver )

VXLAN





AWS 2 VPC

VPC is Virtual Private Cloud

Reasons to create a VPC are
1) Network isolation between two companies (tenants) sharing the same AWS data centers
2) IP Address overlap
3) Management issues


Take a Region ( North Virginia, us-east-1 ) and stick to it


Create a VPC ( name it vikas-vpc001 )
CIDR block 10.1.0.0/16 ( 65,536 IP addresses )

We do not choose IPv6, just choose IPv4

Tenancy - it is not Dedicated, just choose Default
                 If we use Dedicated, our instances run on single-tenant hardware reserved for us, at a higher price


1. The Availability Zones in an AWS Region are configured to communicate with EACH other by default
2. Without a VPC of our own, the private IP addresses we use in one Availability Zone could overlap with those another tenant uses in another Availability Zone of the same Region

The advantage of using a VPC is that it creates a separate, logically isolated network inside the Region's data centers


There is no communication between two VPCs by default

So the Security issue is resolved

The IP Address overlap issue is also resolved ( servers in different VPCs can use the same IPs, because the VPCs are isolated from each other )


A VPC can have one Internet Gateway attached to it (a new custom VPC has none until we create and attach one)
The mapping between VPC and Internet Gateway is 1:1


Communication between Two VPCs (not possible by default; it needs VPC peering or another explicit connection):







AWS VPC CIDR prefix lengths start at /16 and end at /28

10.0.0.0/16


When creating the VPC, you will see a default VPC
Ignore that

In an AWS VPC, the block size must be between a /16 and a /28 netmask ( the same limit applies to each subnet )

We can only create 5 VPCs per Region by default
We can raise a ticket ( service quota increase ) to create more VPCs


STEP - ENABLE DNS HOSTNAMES:

Created in North Virginia

Does it have any Availability Zone associated with it?

A VPC spans all the Availability Zones of its Region; it is the subnets that are placed in a specific Availability Zone

Dividing the big network into multiple smaller networks is called subnetting



A Subnet is associated with a VPC and exactly one Availability Zone ( important )
What should I do if I want my VPC to have resources in another Availability Zone?

We create another subnet in the other Availability Zone in the same VPC
As all the Availability Zones are interconnected through the VPC's local route, the new subnet cannot reuse IPs: its CIDR must not overlap any other subnet in the VPC
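As an added example (not part of these notes), the following Python checks a VPC address plan against the rules collected above: the VPC block and every subnet must be between /16 and /28, every subnet must lie inside the VPC block, and no two subnets may overlap, whichever Availability Zone they are in. The addresses and AZ names are constructed, and only the standard library is used:

```python
import ipaddress

# Added example, not from the notes. Addresses and AZ names are constructed.


def validate_block(cidr):
    """AWS accepts a VPC or subnet block only between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: rejects host bits set, e.g. 10.1.1.5/24
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: prefix must be between /16 and /28")
    return net


def plan_subnets(vpc_cidr, subnets):
    """subnets = {name: (cidr, availability_zone)}.
    Each subnet must lie inside the VPC block and must not overlap any
    other subnet, even one in a different AZ. Returns the checked plan."""
    vpc = validate_block(vpc_cidr)
    accepted = []
    plan = {}
    for name, (cidr, az) in subnets.items():
        net = validate_block(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name}: {cidr} is outside the VPC block {vpc_cidr}")
        for other_name, other in accepted:
            if net.overlaps(other):
                raise ValueError(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted.append((name, net))
        # five addresses per subnet are reserved by AWS
        plan[name] = {"cidr": str(net), "az": az, "usable_hosts": net.num_addresses - 5}
    return plan


def carve(vpc_cidr, new_prefix, count):
    """Split the VPC block into the first `count` equal subnets of size /new_prefix."""
    vpc = validate_block(vpc_cidr)
    if not vpc.prefixlen < new_prefix <= 28:
        raise ValueError("new_prefix must be longer than the VPC prefix and at most /28")
    gen = vpc.subnets(new_prefix=new_prefix)
    return [str(next(gen)) for _ in range(count)]


if __name__ == "__main__":
    print(carve("10.1.0.0/16", 24, 4))
    plan = plan_subnets("10.1.0.0/16", {
        "web-a": ("10.1.1.0/24", "us-east-1a"),
        "web-b": ("10.1.2.0/24", "us-east-1b"),
        "db-a":  ("10.1.10.0/24", "us-east-1a"),
    })
    for name, entry in plan.items():
        print(name, entry)
```

carve() is the easy way to avoid the overlap error in the first place: take consecutive /24s out of the /16 and hand one to each subnet instead of choosing ranges by hand.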





Just creating a VPC does not place any resources in an Availability Zone
Creating a subnet is what ties part of the VPC's address space to a specific Availability Zone

The Subnet is created inside a VPC and inside one Availability Zone





Creating Subnets inside the VPC and placing them in specific AZs is how the VPC's resources come to span multiple AZs




The STEPS we are going to do are as follows:







In STEP 2 ( create subnets ), enable Auto-assign public IPv4 address on the public subnet






There is a 1:1 mapping of Internet Gateway to VPC


Routing Table:





The Routing Table defines where traffic is forwarded.

Every subnet is associated with a routing table ( the VPC's main one unless we choose another ); the local route in that table is what lets the subnets communicate with each other

After creating the Routing Table, we add the subnets under Subnet Associations



We then have the routes:

1) The local route is used for local communication within the VPC.
   All the routing tables within the VPC have this local ROUTE, and it cannot be removed.
   If we want to control or restrict traffic to instances within the subnet, we have to use a
   Network Access Control List or a Security Group ( which are virtual firewalls )

2) Will all the communication involve the Routing Table for querying?
    Yes.
    The routing table lookup is the first hop of communication

3) If there is more traffic, will routing table querying cause any issues?
    Not that we know of; the lookup is done by the VPC router, not by the instance

4) Does the Route Table and IGW have a 1:1 mapping?
    No. The 1:1 mapping is between the VPC and the IGW; any number of route tables in that VPC can have a route to the same IGW

5) Why did the IGW pop up while adding the route in the Route table?
    Because it is attached to this VPC, so the console offers it as a possible Target

6) If we have more than one IGW, will we see multiple IGWs pop up?
    Only the IGW attached to this VPC is offered, and a VPC can have only one



7) When I tried to create more than 1 IGW, I started seeing errors

Max # of IGWs has been reached




So, just as we have a limit on the # of VPCs, do we also have a limit on the # of IGWs?

Yes: the default quota is 5 Internet Gateways per Region, the same as the VPC quota,
as the VPC and IGW have a 1:1 mapping



While a VPC spans multiple Availability Zones, a Subnet can span only ONE Availability Zone.


Every EC2 instance has a private (internal) IP; it gets a public IP only if its subnet auto-assigns one or we attach an Elastic IP.

The instances within the VPC use the local router ( the local route )

Each subnet in the VPC takes a slice of the IPs within the VPC's CIDR

If we are using the default VPC, we already have a default IGW.
That's already set up.

All the communication to the internet happens through the IGW ( Internet Gateway )


We can control access to the Subnets and the Resources.

1) Security Groups

Security Groups are defined at the instance level ( attached to the network interface ).
This is one way of controlling which traffic is allowed to reach the instances
and which traffic can leave the instances.
They are stateful and contain allow rules only.


Basically it acts as a firewall

2) NACL. Network Access Control Lists - this is at a higher level

This acts at the SUBNET level, is stateless ( return traffic needs its own rule ), and has numbered allow and deny rules that are evaluated in order, lowest number first

Typically we use the SGs, and

using NACLs we control which traffic may enter or leave the SUBNET.
Security Groups are more granular and per instance; we assign the same SG to multiple instances if we want them to share the same rules.

We can combine both NACL and SG

We control the routing using the Route Tables
A Route Table controls where outgoing network requests are forwarded.


Using the Route Table we decide which traffic has a path out of the VPC ( for example 0.0.0.0/0 -> IGW )
                                                         and which destinations have no route at all; a route table forwards or drops, it does not filter like a firewall
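As an added example (not part of these notes), the following Python models the two firewalls side by side for the DB tier described above: a stateful, allow-only Security Group that admits MySQL only from the application tier's group, and a stateless, ordered NACL on the DB subnet that must allow the reply traffic explicitly. The group IDs sg-app and sg-bastion, the addresses and the rules are constructed, and only the standard library is used:

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the notes. Group IDs, addresses and rules are constructed.


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IPv4 address
    dst_port: int
    src_sg: str = ""    # security group of the sender, when it is an instance in the VPC


@dataclass(frozen=True)
class SGRule:
    proto: str          # "-1" means all protocols
    from_port: int
    to_port: int
    source: str         # a CIDR, or another security-group ID (sg-...)


@dataclass(frozen=True)
class NaclRule:
    number: int         # rules are evaluated from the lowest number upwards
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str         # "allow" or "deny"


def _proto_port_match(rule_proto, rule_from, rule_to, proto, port):
    if rule_proto == "-1":
        return True
    return rule_proto == proto and rule_from <= port <= rule_to


def sg_allows(rules, pkt):
    """Security groups hold allow rules only: any matching rule permits the packet.
    A rule whose source is another security group matches on the sender's group,
    not on its IP, so it keeps working when application instances are replaced."""
    for r in rules:
        if not _proto_port_match(r.proto, r.from_port, r.to_port, pkt.proto, pkt.dst_port):
            continue
        if r.source.startswith("sg-"):
            if pkt.src_sg == r.source:
                return True
        elif ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.source):
            return True
    return False


def nacl_allows(rules, proto, port, ip):
    """NACLs are ordered: the lowest-numbered matching rule decides;
    the implicit final '*' rule denies anything left unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if (_proto_port_match(r.proto, r.from_port, r.to_port, proto, port)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False


def db_reachable(pkt, db_sg, nacl_in, nacl_out, reply_port):
    """Does `pkt` reach the DB instance, and does the reply get back out?
    The NACL is stateless, so the request and the reply (to the client's
    ephemeral port) both need explicit rules; the SG is stateful, so allowing
    the request implicitly allows its reply."""
    request_ok = nacl_allows(nacl_in, pkt.proto, pkt.dst_port, pkt.src) and sg_allows(db_sg, pkt)
    reply_ok = nacl_allows(nacl_out, pkt.proto, reply_port, pkt.src)
    return request_ok and reply_ok


# Constructed rules for the DB subnet: MySQL only from the application tier.
APP_SUBNET = "10.1.1.0/24"
DB_SG = [SGRule("tcp", 3306, 3306, "sg-app")]                             # hypothetical group ID
DB_NACL_IN = [NaclRule(100, "tcp", 3306, 3306, APP_SUBNET, "allow")]
DB_NACL_OUT = [NaclRule(100, "tcp", 1024, 65535, APP_SUBNET, "allow")]   # replies to ephemeral ports

if __name__ == "__main__":
    app = Packet("tcp", "10.1.1.10", 3306, src_sg="sg-app")
    print("app -> db:3306 with ephemeral rule:", db_reachable(app, DB_SG, DB_NACL_IN, DB_NACL_OUT, 50000))
    print("app -> db:3306 without it:        ", db_reachable(app, DB_SG, DB_NACL_IN, [], 50000))
```

Two things the model makes visible: a host in the application subnet that is not in sg-app (a bastion, say) passes the NACL but is stopped by the group rule, and removing the outbound ephemeral-port rule from the NACL silently breaks every connection even though the request itself was allowed.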


Controlling the assignment of public IPs

Will the instances in the VPC have a public IP?

It depends on how we set it up.

If we configure the subnet to auto-assign a public IP, its instances can then be reached from the Internet ( provided the route to the IGW and the Security Group allow it ).

If we configure the subnet to not assign a public IP, the instances in that subnet will not get any public IP.

They can only be accessed from inside the VPC.

This leads us to the idea of public and private subnets.

There is no "public" or "private" setting on a subnet itself.
We change the characteristics of a subnet through the routes in its route table ( a route to the IGW makes it public ).

We can configure a subnet to not assign any public IPs to the instances you launch into it.



For the other subnet, we can make sure its instances have public IPs.

The benefit of public and private subnets is that
the public subnet can host our webservers, which have to be accessible from the INTERNET.

The private subnet can host our Database, which has to be accessible only internally, from the webservers within the VPC.

At the subnet level we can only turn off the automatic public IP assignment; an Elastic IP can still be attached to an instance explicitly, so the route table and the firewall rules remain what really decides reachability.









Sometimes we need to make sure that our private subnet instances can reach out to the INTERNET.

Because they should be able to install software updates.

We do this by routing their internet-bound traffic ( 0.0.0.0/0 ) to a NAT Gateway

NAT stands for Network Address Translation.

If we are using a private subnet, we disable "Auto-assign public IP" at the subnet level.
So the instances that are spun up in the subnet will not receive any public IPs.

If we want these hosts to reach out to the internet, they use the route to the NAT gateway, which has the public IP ( an Elastic IP ) and rewrites the source address of their packets to it.
The NAT Gateway has a public IP and lives in the public subnet.


https://www.youtube.com/watch?v=bGDMeD6kOz0



AWS 2 Networking



Internal communication ( within one subnet ) happens at Layer 2 ( MAC to MAC, using a switch )
From one IP network to another we need a Router, as the communication is happening between two networks




Check your MAC Address:





By using private IPs and NAT, the same range of IPs can be used by different companies.





The outside world only knows about public IPs.
It is not aware of the internal IPs, which are private
So there is no question of conflict.

The Network is divided into multiple sub-networks

Classless Inter-Domain Routing ( CIDR ): the number after the slash at the END is the prefix length, the number of leading bits that form the network part

A subnet mask hides, or "masks," the network part of a system's IP address and leaves only the host part as the machine identifier. A common subnet mask for a Class C IP address is 255.255.255.0. Each section ( octet ) of the subnet mask can contain a number from 0 to 255, just like an IP address.


It is called a subnet mask because it is used to identify the network address of an IP address by performing a bitwise AND of the address with the netmask. A subnet mask is a 32-bit number that masks an IP address and divides it into a network address and a host address.

A gateway is a device that acts as a "gate" between two networks. It may be a router, firewall, server, or other device that enables traffic to flow in and out of the network. While a gateway protects the nodes within a network, it is also a node itself.

The IP address is used to identify your computer. The default gateway is the address of your router/modem, and it is common to all the devices connected to the same network. Your IP address is unique to your computer on your local network ( but is probably not how Internet hosts see you, due to address translation ).
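As an added example (not part of these notes), the following Python does the bitwise AND described above by hand, without the ipaddress module, and uses it the way a host does: if the destination ANDed with the mask gives the same network address as its own, it delivers at Layer 2, otherwise it sends the packet to the default gateway. The addresses are constructed:

```python
# Added example, not from the notes. All addresses are constructed.


def ip_to_int(dotted):
    """'10.1.1.37' -> 32-bit integer; rejects malformed addresses."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/24 -> '255.255.255.0': `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    all_ones = (1 << 32) - 1
    host_bits = (1 << (32 - prefix)) - 1
    return int_to_ip(all_ones ^ host_bits)


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24; rejects masks whose one-bits are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != ip_to_int(prefix_to_mask(ones)):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_address(ip, mask):
    """The bitwise AND: keeps the network bits, clears the host bits."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def next_hop(src_ip, mask, dst_ip, default_gateway):
    """'direct' when dst is on the local subnet (Layer 2 delivery),
    otherwise the gateway address the packet is handed to (Layer 3 routing)."""
    if network_address(src_ip, mask) == network_address(dst_ip, mask):
        return "direct"
    return default_gateway


if __name__ == "__main__":
    me, mask, gw = "10.1.1.37", prefix_to_mask(24), "10.1.1.1"
    for dst in ("10.1.1.200", "10.1.2.9", "8.8.8.8"):
        print(me, "->", dst, ":", next_hop(me, mask, dst, gw))
```

Note that 10.1.2.9 goes to the gateway even though it is inside the same VPC (10.1.0.0/16): from the instance's point of view only its own /24 is local, and the VPC router carries the packet to the other subnet.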

Saturday, October 20, 2018

AWS 1

Every Region has got multiple Availability Zones
The Availability Zones in a Region are connected to each other by default



Every Region has more than 1 Availability Zone


Each Availability Zone is one or more separate data centers

While designing an application, we usually deploy it in more than one Availability Zone.



The list of Tasks to be done to setup an Account:






netstat

A copy from there - TCP Connection States 
 Following is a brief explanation of this handshake. In this context the "client" is ...