VPC stands for Virtual Private Cloud.
Reasons to create a VPC:
1) No security separation between two companies
2) IP address overlap
3) Management issues
Pick one region (North Virginia) and stick to it.
Create a VPC (name it vikas-vpc001).
IPv4 CIDR block 10.1.0.0 (65000 IP addresses)
We do not choose IPv6, just IPv4.
Tenancy: not Dedicated, just choose Default.
If we use Dedicated, we get a dedicated server.
1. The Availability Zones in an AWS Region are configured to communicate with each other by default.
2. The IP addresses in one Availability Zone have a chance of overlapping with the IPs in another Availability Zone in the same Region.
The advantage of using a VPC is that it creates a separate network inside the data center.
There is no communication between two VPCs by default.
The security issue is resolved.
The IP address overlap issue is also resolved (servers in different VPCs can use the same IPs).
Every VPC has an internet gateway.
The mapping between VPC and internet gateway is 1:1.
Communication between Two VPCs:
AWS CIDR blocks start at /16 and end at /28, e.g.
10.0.0.0/16
When creating the VPC, you will see a default VPC.
Ignore that.
In an AWS VPC, the block size must be between a /16 and a /28 netmask.
We can only create 5 VPCs.
We can raise a ticket to create more VPCs.
STEP - ENABLE DNS HOSTNAMES:
Created in North Virginia.
Does it have any Availability Zone associated with it?
If we create a VPC, it automatically maps onto all the Availability Zones.
Dividing the big network into multiple networks is called subnetting.
A subnet is associated with a VPC and an Availability Zone (important).
What should I do if I want my VPC in another Availability Zone?
We create another subnet in the other Availability Zone in the same VPC.
As all the Availability Zones are interconnected, we can't use the same IPs.
Just creating a VPC does not associate it with any Availability Zone.
Creating a subnet starts associating the VPC with an Availability Zone.
The subnet is created inside a VPC, and through it an Availability Zone becomes associated with the VPC.
Creating subnets inside the VPC and associating them with specific AZs makes the VPC span multiple AZs.
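The CIDR rules above (a VPC block between /16 and /28, one subnet per AZ, no two subnets overlapping) can be checked before touching the console. The following Python is an added example and is not code from the original notes; the VPC block, the AZ names and the /24 subnet size are constructed values. It also accounts for the five addresses AWS reserves in every subnet (network, VPC router, DNS, one reserved for future use, broadcast), which the notes' "65000 IP addresses" figure glosses over.

```python
import ipaddress

# Constructed sample values (not taken from the original notes).
VPC_CIDR = "10.1.0.0/16"
AVAILABILITY_ZONES = ["us-east-1a", "us-east-1b", "us-east-1c"]

# AWS accepts VPC and subnet blocks between /16 and /28 inclusive.
MIN_PREFIX, MAX_PREFIX = 16, 28
# AWS reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def validate_cidr(cidr):
    """Return the network if it is a valid AWS IPv4 VPC/subnet block, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if net.version != 4:
        raise ValueError("IPv4 only (the notes do not enable IPv6)")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def usable_hosts(cidr):
    """Addresses an instance could actually receive after AWS's reserved ones."""
    return validate_cidr(cidr).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, subnet_prefix=24):
    """Carve one non-overlapping subnet per AZ out of the VPC block.

    Each subnet belongs to the VPC and to exactly one AZ; that is what makes
    the VPC span several AZs. Returns {az: subnet_cidr}.
    """
    vpc = validate_cidr(vpc_cidr)
    if subnet_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    pieces = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for az in azs:
        try:
            plan[az] = str(validate_cidr(str(next(pieces))))
        except StopIteration:
            raise ValueError("VPC block too small for that many subnets") from None
    return plan


def overlapping_pairs(cidrs):
    """Pairs of CIDRs that overlap; must be empty for the subnets of one VPC."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print("usable hosts in VPC block:", usable_hosts(VPC_CIDR))
    plan = plan_subnets(VPC_CIDR, AVAILABILITY_ZONES)
    for az, cidr in plan.items():
        print(f"{az}: {cidr} ({usable_hosts(cidr)} usable)")
    print("overlaps:", overlapping_pairs(plan.values()))
```

Running it prints 65531 usable hosts for the /16 (not 65536), one /24 per AZ, and an empty overlap list. Feeding it a /8 or a /29 raises, which is the same rejection the console gives.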
The steps we are going to do are as follows:
In STEP 2, add "Enable automatic IP assignment".
There is a 1:1 mapping of internet gateway to VPC.
Routing Table:
The routing table defines the communication.
For the subnets to communicate with each other, we need to add them to the routing table.
After creating the routing table, we add the subnets under Subnet Associations.
We then have the routes:
1) The local route is used for local communication within the VPC.
All the routing tables within the VPC have a default local route.
If we want to control or restrict traffic to instances within the subnet, we have to use a
Network Access Control List or Security Group (which are virtual firewalls).
2) Will all communication involve querying the routing table?
Yes.
The routing table is the first hop of communication.
3) If there is more traffic, will routing table lookups cause any issues?
Not that we know of.
4) Do the route table and IGW have a 1:1 mapping?
5) Why did the IGW pop up while adding the route in the route table?
6) If we have more than one IGW, will we see multiple IGWs pop up?
7) When I tried to create more than 1 IGW, I started seeing errors:
"Max # of IGW's has reached"
So, just as we have a limit on the number of VPCs, do we also have a limit on the number of IGWs?
The VPC and IGW have a 1:1 mapping.
While a VPC spans multiple Availability Zones, a subnet can span only ONE Availability Zone.
Every EC2 instance will have both a public IP and an internal IP.
The instances within the VPC use the local router.
Each subnet in the VPC takes a subset of the IPs within the VPC.
If we are using the default VPC, we already have a default IGW.
That is already set up.
All communication to the internet happens through the IGW (Internet Gateway).
We can control access to the subnets and the resources.
1) Security Groups
Security groups are defined at the per-instance level.
This is one way of controlling which access is allowed to instances,
and which traffic can leave the instances.
Basically it acts as a firewall.
2) NACL (Network Access Control Lists) - this is at a higher level.
It acts at the SUBNET level.
Typically we use the SGs and
Using NACLs, we control which traffic will enter the SUBNET.
Using security groups, which are more granular and per instance, we assign the same SG to multiple instances if we want to use the same rules.
We can combine both NACL and SG.
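To see how the two layers combine, here is a small model of how AWS evaluates them; it is an added example, not code from the original notes, and every rule, address and port in it is constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). Two behaviours matter to a defender: a NACL is evaluated in rule-number order, the first match wins, and anything unmatched hits the implicit final deny; a security group has allow rules only. The example also shows the caveat the notes do not mention: the security group is stateful, so replies to allowed inbound traffic leave automatically, but the NACL is stateless, so the outbound NACL must explicitly allow the reply on the client's ephemeral port or the connection silently hangs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    protocol: str   # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated in ascending order; first match wins
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # peer address range the rule applies to
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str       # security groups only carry allow rules


def _matches(rule, packet, peer_ip):
    proto_ok = rule.protocol == "all" or rule.protocol == packet.protocol
    port_ok = rule.port_from <= packet.dport <= rule.port_to
    cidr_ok = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and cidr_ok


def nacl_allows(rules, packet, peer_ip):
    """Subnet level, stateless: lowest matching rule number decides; no match is the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet, peer_ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, packet, peer_ip):
    """Instance level: any matching rule allows; there is no deny rule to write."""
    return any(_matches(r, packet, peer_ip) for r in rules)


def inbound_permitted(nacl_in, sg_in, packet):
    """Inbound traffic must pass the subnet's NACL first, then the instance's SG."""
    return nacl_allows(nacl_in, packet, packet.src) and sg_allows(sg_in, packet, packet.src)


def reply_permitted(nacl_out, reply):
    """The SG is stateful, so the reply is allowed there automatically;
    the stateless NACL must still allow it outbound on the peer's ephemeral port."""
    return nacl_allows(nacl_out, reply, reply.dst)


# Constructed sample rule sets for a web subnet (hypothetical, not from the notes).
WEB_NACL_IN = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),   # admin range only
]
WEB_NACL_OUT = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to clients
]
WEB_SG_IN = [SgRule("tcp", 443, 443, "0.0.0.0/0")]             # HTTPS only on this host


if __name__ == "__main__":
    https = Packet("198.51.100.7", "10.1.0.10", "tcp", 443)
    ssh = Packet("203.0.113.5", "10.1.0.10", "tcp", 22)
    print("https from internet:", inbound_permitted(WEB_NACL_IN, WEB_SG_IN, https))
    print("ssh from admin range (NACL yes, SG no):", inbound_permitted(WEB_NACL_IN, WEB_SG_IN, ssh))
    reply = Packet("10.1.0.10", "198.51.100.7", "tcp", 51234)
    print("reply with ephemeral rule:", reply_permitted(WEB_NACL_OUT, reply))
    print("reply without ephemeral rule:", reply_permitted([], reply))
```

The SSH case is the layering point of the notes in action: the NACL lets it into the subnet, but the instance's security group does not list port 22, so it is dropped at the instance. A deny rule with a lower number than a broad allow wins because of the ordering, which is the only place in this model where a block can be expressed.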
We control the routing using the route tables.
The route table controls routing of outgoing network requests.
Using the route table, we can control which traffic is allowed to enter the VPC
and which traffic is allowed to leave the VPC.
Controlling the assignment of public IPs:
Will the instances in the VPC have a public IP?
It depends on how we set it up.
If we configure the VPC to have a public IP, it then has a chance of being accessed from the Internet.
If we configure the subnet to not have a public IP, the instances in that subnet will not get any public IP.
They can only be accessed through the internal subnet.
This leads us to the idea of public and private subnets.
We can't create a subnet as "public" or "private" directly.
We change the characteristics of a subnet by giving it a route.
We can configure a subnet to not assign any public IPs to the instances you launch into it.
For the other subnet, we can make sure its instances have public IPs.
The benefit of public and private subnets is that
the public subnet can host our web servers that have to be accessible from the INTERNET,
and the private subnet can host our database that has to be accessible only internally, from the web servers within the VPC.
We can only turn off the public IP address.
Sometimes we need to make sure that our private subnet instances can reach out to the INTERNET,
because they should be able to install software updates.
We can do this by redirecting them to the NAT Gateway.
NAT stands for Network Address Translation.
If we are using a private subnet, we disable "Auto-assign public IP" at the subnet level.
So the instances that are spun up in the subnet will not receive any public IPs.
If we want these hosts to reach out to the internet, they can use the route to the NAT gateway, which has the public IP.
The NAT gateway has a public IP.
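The route-table section and the public/private subnet section above describe one mechanism: every table starts with the implicit local route for the VPC block, the VPC router picks the most specific matching route, and what a subnet's 0.0.0.0/0 route points at (internet gateway, NAT gateway, or nothing) together with the auto-assign-public-IP setting is what makes the subnet "public" or "private". The Python below models exactly that and is an added example, not code from the original notes; the gateway IDs igw-EXAMPLE and nat-EXAMPLE are placeholders, and the subnets, CIDRs and test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR
    target: str        # "local", an igw-... id, or a nat-... id


@dataclass
class RouteTable:
    name: str
    routes: list


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str                          # a subnet lives in exactly one AZ
    route_table: RouteTable          # via the table's subnet association
    auto_assign_public_ip: bool      # the per-subnet setting the notes toggle


def new_route_table(name, vpc_cidr, extra_routes=()):
    """Every route table carries the implicit local route for the whole VPC block."""
    return RouteTable(name, [Route(vpc_cidr, "local"), *extra_routes])


def lookup(table, dst_ip):
    """Longest-prefix match, as the VPC router does. Returns the target or None."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for r in table.routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, r.target
    return best_target


def default_route_target(table):
    """Target of the 0.0.0.0/0 route, if the table has one."""
    for r in table.routes:
        if r.destination == "0.0.0.0/0":
            return r.target
    return None


def classify(subnet):
    """Derive the subnet's role from its route table and public-IP setting."""
    target = default_route_target(subnet.route_table)
    if target and target.startswith("igw-"):
        # Internet reachability needs both the IGW route and a public IP on the instance.
        return "public" if subnet.auto_assign_public_ip else "public-route-without-public-ip"
    if target and target.startswith("nat-"):
        return "private-nat"          # outbound only, e.g. for package updates
    return "private-isolated"         # VPC-internal traffic only


def reachable_from_internet(subnet):
    return classify(subnet) == "public"


# Constructed sample layout (placeholders, not real AWS resource ids).
VPC_CIDR = "10.1.0.0/16"
IGW_ID, NAT_ID = "igw-EXAMPLE", "nat-EXAMPLE"
PUBLIC_RT = new_route_table("public-rt", VPC_CIDR, [Route("0.0.0.0/0", IGW_ID)])
PRIVATE_RT = new_route_table("private-rt", VPC_CIDR, [Route("0.0.0.0/0", NAT_ID)])
WEB = Subnet("web", "10.1.0.0/24", "us-east-1a", PUBLIC_RT, True)
DB = Subnet("db", "10.1.1.0/24", "us-east-1a", PRIVATE_RT, False)

if __name__ == "__main__":
    for s in (WEB, DB):
        print(f"{s.name}: {classify(s)}, internet-reachable={reachable_from_internet(s)}")
    # A VPC-internal destination takes the local route even though 0.0.0.0/0 exists.
    print("web -> db host:", lookup(PUBLIC_RT, "10.1.1.5"))
    print("web -> internet:", lookup(PUBLIC_RT, "93.184.216.34"))
    print("db -> internet:", lookup(PRIVATE_RT, "93.184.216.34"))
```

The "public-route-without-public-ip" case is worth recognising: a subnet can carry the IGW route and still be unreachable because its instances have no public address, which is why the notes stress toggling the subnet setting rather than only the route. One operational fact the notes leave out: the NAT gateway itself must be placed in a public subnet (one with the IGW route) and holds the public IP that the private instances' traffic is translated to.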
https://www.youtube.com/watch?v=bGDMeD6kOz0