Monday, October 22, 2018
AWS 4 NAT Gateway
AWS reserves five IP addresses in every subnet and uses them internally: the first four and the last one.
Subnet 10.1.1.0/24
It reserves 10.1.1.0 (network address), 10.1.1.1 (VPC router), 10.1.1.2 (Amazon DNS), 10.1.1.3 (reserved for future use) and 10.1.1.255 (broadcast; not supported in a VPC but still reserved).
We can use 10.1.1.4 to 10.1.1.254, which is 251 addresses.
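The reservation rule above, worked out for any subnet size as an added example (this is my code for this page, not something from the course or from AWS): the first four and the last address of the block are reserved, and AWS only accepts subnet sizes between /16 and /28, so the function refuses anything smaller. The CIDRs in the usage block are constructed.

```python
"""Reserved and usable addresses in an AWS subnet, for any allowed prefix length.
Added example; the rule (first four + last address reserved, /16 to /28 allowed)
is AWS's documented behaviour, the CIDRs used below are constructed."""
import ipaddress

RESERVED_ROLES = ("network address", "VPC router", "Amazon DNS", "reserved for future use")


def reserved_addresses(cidr: str) -> dict[str, str]:
    """Map each reserved address in the subnet to the role AWS gives it."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    addresses = list(net)  # includes the network and broadcast addresses
    reserved = {str(a): role for a, role in zip(addresses[:4], RESERVED_ROLES)}
    reserved[str(addresses[-1])] = "broadcast (not supported in a VPC, still reserved)"
    return reserved


def usable_range(cidr: str) -> tuple[str, str, int]:
    """First usable address, last usable address and how many an instance can get."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = reserved_addresses(cidr)
    usable = [str(a) for a in net if str(a) not in reserved]
    return usable[0], usable[-1], len(usable)


if __name__ == "__main__":
    for cidr in ("10.1.1.0/24", "10.1.1.0/28", "10.1.0.0/16"):  # constructed subnets
        first, last, count = usable_range(cidr)
        print(f"{cidr}: usable {first} .. {last} ({count} addresses)")
        for address, role in reserved_addresses(cidr).items():
            print(f"  reserved {address}: {role}")
```

A /28 is the smallest subnet AWS allows, and after the five reserved addresses only 11 are left for instances; that is why tiny subnets for NAT gateways or load balancers fill up faster than the prefix length suggests.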
When we create a Route Table, it belongs to one VPC.
A VPC can have many route tables, each with any number of routes; every subnet is associated with exactly one route table (the VPC's main route table until we associate another one).
When a subnet's route table has a route to an Internet Gateway, it is called a Public Subnet.
If the subnet's route table has no route to an Internet Gateway, it is called a Private Subnet.
Flow of path:
The EC2 instance is in the Subnet.
It asks the Subnet where a packet should go.
The subnet is associated with a Routing table, which has routes in it.
This routing table tells the EC2 instance where the traffic goes.
The routes are separate for different destinations, and the most specific matching route wins.
The local route covers the VPC CIDR and cannot be removed; for all other traffic (0.0.0.0/0) we select the Internet Gateway as the Target.
Let's consider the following CASE, with both servers in the same public subnet:
Webserver
Database Server
The above architecture is very dangerous and not advisable: the database sits behind the same route to the IGW as the web server, so it can be exposed to the internet just as easily.
So what we do is use a separate Subnet for the Database.
By default there is still communication between the Database and the Application server,
because the two subnets are in the SAME VPC and the local route covers the whole VPC CIDR (security groups and NACLs still have to allow the traffic).
Example of a Production deployment:
We have a Management VPC which is connected to the Production VPC for easy management.
In the Production VPC the Application Subnet is separate from the Database Subnet.
There is a DMZ (public) Subnet that holds the NAT Gateway; the Database stays in its private subnet and only reaches out through the NAT Gateway.
We usually create a Management host / Jump server in a Management Subnet and then use this Subnet to connect to the other Subnets.
We cannot connect to the NAT Gateway directly from outside: it only forwards connections that the instances behind it initiate and passes back the replies.
The below is the only path we can have.
If we associate the private Subnet with the Routing table that has the route to the IGW, the subnet becomes public: it reaches the
IGW directly and doesn't need the NAT gateway, but it is also reachable from the internet, which is exactly what we wanted to avoid for the database.
So along with the private subnet, we also need to create a separate Routing Table for it.
We create the NAT gateway in the Subnet that has the IGW route (the public subnet) and give it an Elastic IP.
We add a route for 0.0.0.0/0 to the NAT gateway in our DB routing Table and keep the local route for the VPC CIDR.
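The routing described in the flow of path and in the NAT gateway steps above, as an added example written for this page (my code, not from the course or from AWS): a small Python model of route tables that does the same longest-prefix lookup the VPC router does, decides public versus private by the presence of an IGW route, and traces the hops an outbound packet takes from the DB subnet through the NAT gateway and the public subnet's route table to the IGW. The VPC CIDR, subnet CIDRs and the igw-/nat- identifiers are constructed; it goes beyond the notes by also modelling an isolated subnet with no default route, whose internet-bound packets are simply dropped.

```python
"""Model of how a VPC routes a packet: route tables with longest-prefix match,
public vs private subnets, and the path from a private subnet out through a
NAT gateway. Added example for this page; CIDRs and the igw-/nat- ids are
constructed, not real AWS resources."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

VPC_CIDR = "10.1.0.0/16"  # assumed VPC CIDR for the example


@dataclass
class RouteTable:
    name: str
    routes: dict[str, str]  # destination CIDR -> target ("local", "igw-...", "nat-...")

    def lookup(self, dst_ip: str) -> tuple[str, str] | None:
        """Longest-prefix match, as the VPC router does. None means no route (dropped)."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else (str(best[0]), best[1])

    def is_public(self) -> bool:
        """A subnet is public when its route table has a route whose target is an IGW."""
        return any(t.startswith("igw-") for t in self.routes.values())


@dataclass
class Subnet:
    name: str
    cidr: str
    route_table: RouteTable


# Every route table carries the local route for the VPC CIDR; it cannot be deleted.
RT_PUBLIC = RouteTable("rt-public", {VPC_CIDR: "local", "0.0.0.0/0": "igw-0example"})
RT_DB = RouteTable("rt-db", {VPC_CIDR: "local", "0.0.0.0/0": "nat-0example"})
RT_ISOLATED = RouteTable("rt-isolated", {VPC_CIDR: "local"})  # beyond the notes: no default route

PUBLIC = Subnet("subnet-public", "10.1.1.0/24", RT_PUBLIC)      # web server, bastion, NAT gateway
DB = Subnet("subnet-db", "10.1.2.0/24", RT_DB)                  # private, reaches out via NAT only
ISOLATED = Subnet("subnet-isolated", "10.1.3.0/24", RT_ISOLATED)

# The NAT gateway is an interface inside the public subnet, so after it rewrites the
# source address the packet is routed again, this time with the public subnet's table.
NAT_GATEWAY_SUBNET = {"nat-0example": PUBLIC}


def trace(src: Subnet, dst_ip: str) -> list[str]:
    """Hops an outbound packet from an instance in `src` takes towards dst_ip."""
    hops: list[str] = []
    subnet = src
    while True:
        match = subnet.route_table.lookup(dst_ip)
        if match is None:
            return hops + [f"{subnet.route_table.name}: no route to {dst_ip}, dropped"]
        cidr, target = match
        hops.append(f"{subnet.route_table.name}: {cidr} -> {target}")
        if target == "local":
            return hops + ["delivered inside the VPC"]
        if target.startswith("igw-"):
            return hops + ["internet"]
        if target.startswith("nat-"):
            subnet = NAT_GATEWAY_SUBNET[target]  # SNAT, then re-route from the public subnet
            continue
        return hops + [f"unknown target {target}, dropped"]


def accepts_inbound_from_internet(subnet: Subnet, has_public_ip: bool) -> bool:
    """Unsolicited inbound only arrives via an IGW route plus a public IP on the
    instance; a NAT gateway never forwards a connection the internet initiates."""
    return subnet.route_table.is_public() and has_public_ip


if __name__ == "__main__":
    for subnet, dst in [(DB, "8.8.8.8"), (DB, "10.1.1.10"), (PUBLIC, "8.8.8.8"), (ISOLATED, "8.8.8.8")]:
        print(f"{subnet.name} -> {dst}: " + " | ".join(trace(subnet, dst)))
```

The trace from the DB subnet shows why the NAT gateway must live in the public subnet: the second hop is the public subnet's own 0.0.0.0/0 route to the IGW, and without it the NAT gateway would have nowhere to send the packet. The inbound check also shows that giving a DB instance a public IP changes nothing while its route table has no IGW route.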
To access the DB server directly from our laptop is not possible, as it is in a private subnet without any route to the IGW.
We have to first log in to a server in Subnet1, which is associated with the IGW (using its public IP).
Once we log in, we ping the DB server to check that it is reachable. It should be, because both subnets belong to the same VPC and the local route covers them, provided the DB server's security group allows ICMP from the bastion.
Once this is done, we copy the private key .pem file onto the bastion/jump server in Subnet1.
We then change the permissions of this file to 400.
Then we log in using ssh -i key.pem ec2-user@private-db-ip
Copying the key leaves it on a host that faces the internet; the same hop can be made without the key ever leaving the laptop by using the ssh ProxyJump option (-J) through the bastion.
Final Implementation Diagram:
So all the traffic that needs to go out from the private subnet has to go through the NAT gateway.
Inbound traffic and outbound traffic:
Outbound Traffic:
All outbound traffic to the internet leaves the VPC through the IGW: instances in the public subnet go to the IGW directly, and instances in the private subnet go to the NAT gateway first, which then goes out through the IGW using its Elastic IP as the source address.
Inbound Traffic:
Only instances in the public subnet that have a public IP can receive connections from the internet through the IGW; nothing can initiate a connection into the private subnet through the NAT gateway.