VPC & Route53 – AWS Developer Certified Exam Notes

  • Route53 is a global service, not tied to a region (hosted zones and records look the same from every region)
  • Route53 Routing Policies
    • Simple
      • This is the default routing policy when you create a new record set. This is most commonly used when you have a single resource that performs a given function for your domain
    • Weighted
      • Weighted routing policies let you split your traffic according to the weights assigned to each record. Weights are relative values (0-255), not percentages: a record's share is its weight divided by the sum of all weights, and a weight of 0 takes a record out of rotation
      • For example, with weights of 10 and 90 you send 10% of your traffic to US-EAST-1 and 90% to US-WEST-1
    • Latency
      • Latency based routing allows you to route traffic based on the lowest network latency for your end user (i.e. which region will give them the fastest response time)
      • To use latency-based routing you create a latency resource record set for the Amazon EC2 (or ELB) resource in each region that hosts your website. When Amazon Route53 receives a query for your site, it selects the latency resource record set for the region that gives the user the lowest latency.
    •  Failover
      • Failover routing policies are used when you want an active/passive setup. For example you may want your primary site to be in EU-WEST-2 and your secondary DR site in AP-SOUTHEAST-2
      • Route53 monitors the health of your primary site using a health check and answers with the secondary record while the primary's check is failing
      • A health check monitors the health of your endpoints (an IP address or domain name, optionally a specific path and expected response)
    •  Geolocation
      • Geolocation routing lets you choose where your traffic will be sent based on the geographic location of your users (i.e. the location from which DNS queries originate). For example, you might want all queries from Europe to be routed to a fleet of EC2 instances that are specifically configured for your European customers. These servers may serve content in the local languages of your European customers and display all prices in Euros. The most specific match wins (country over continent), and you should add a default record so queries from locations with no matching record still get an answer
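The five policies above as a small simulated resolver. This is an added example written for these notes, not AWS code or the Route53 API: the record sets, health results, latency measurements and country/continent codes are all constructed here so the selection rule of each policy can be run offline.

```python
"""Toy Route 53 record selection for the routing policies above.

Added example, not AWS code or API: constructed record sets for one name, with
the selection rule of each policy written out so it can be run offline.
"""
from fractions import Fraction

# Constructed record sets for www.example.com under each policy.
SIMPLE = [{"value": "203.0.113.10"}]
WEIGHTED = [{"value": "us-east-1", "weight": 10}, {"value": "us-west-1", "weight": 90}]
LATENCY = [{"value": "eu-west-2", "region": "eu-west-2"},
           {"value": "ap-southeast-2", "region": "ap-southeast-2"}]
FAILOVER = [{"value": "eu-west-2", "role": "PRIMARY"},
            {"value": "ap-southeast-2", "role": "SECONDARY"}]
GEO = [{"value": "eu-fleet", "continent": "EU"},
       {"value": "de-fleet", "country": "DE"},
       {"value": "default-fleet", "default": True}]


def simple_answer(records):
    """One record set; all of its values are returned and the client picks."""
    return [r["value"] for r in records]


def weighted_shares(records):
    """Weights are relative integers (0-255), not percentages: share = w / sum(w).
    A weight of 0 removes the record from rotation; if every weight is 0,
    Route 53 answers with equal probability."""
    total = sum(r["weight"] for r in records)
    if total == 0:
        return {r["value"]: Fraction(1, len(records)) for r in records}
    return {r["value"]: Fraction(r["weight"], total) for r in records if r["weight"] > 0}


def failover_answer(records, healthy):
    """Active/passive: answer PRIMARY while its health check passes, else SECONDARY.
    `healthy` is the constructed set of record values whose health check is passing."""
    primary = next(r for r in records if r["role"] == "PRIMARY")
    secondary = next(r for r in records if r["role"] == "SECONDARY")
    return primary["value"] if primary["value"] in healthy else secondary["value"]


def latency_answer(records, latency_ms):
    """Pick the record whose region gives this resolver the lowest latency.
    `latency_ms` maps region -> milliseconds (constructed; Route 53 uses its own data)."""
    return min(records, key=lambda r: latency_ms[r["region"]])["value"]


def geolocation_answer(records, country, continent):
    """Most specific match wins: country, then continent, then the default record.
    With no default record a non-matching location gets no answer (None here)."""
    for key, wanted in (("country", country), ("continent", continent)):
        for r in records:
            if r.get(key) == wanted:
                return r["value"]
    for r in records:
        if r.get("default"):
            return r["value"]
    return None


if __name__ == "__main__":
    print(simple_answer(SIMPLE))
    print({k: f"{float(v):.0%}" for k, v in weighted_shares(WEIGHTED).items()})
    print(failover_answer(FAILOVER, healthy={"ap-southeast-2"}))
    print(latency_answer(LATENCY, {"eu-west-2": 30, "ap-southeast-2": 250}))
    print(geolocation_answer(GEO, "FR", "EU"), geolocation_answer(GEO, "BR", "SA"))
```

Run it as a script to see each policy's answer for the constructed inputs; drop the default record from GEO to see why a geolocation policy without one leaves some users with no answer.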
  • ELBs don't have fixed IPv4 addresses (Classic and Application Load Balancers; a Network Load Balancer can be given Elastic IPs). You resolve them using their DNS name, so point your domain at them with a Route53 alias record rather than an A record with a hard-coded IP
  • Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the Amazon Web Services Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways
  • One subnet always lives in exactly ONE AZ (a subnet cannot span AZs; an AZ can hold many subnets)
  • One Internet Gateway can be attached to ONLY ONE VPC, and a VPC can have only one Internet Gateway
  • What can you do with VPC?
    • Launch instances into a subnet of your choosing
    • Assign custom IP address ranges in each subnet
    • Configure route tables between subnets
    • Create an internet gateway and attach it to your VPC
    • Instance security groups
    • Subnet network access control lists (ACLs)
  • Default VPC is user friendly, allowing you to immediately deploy instances
  • All Subnets in default VPC have a route out to the internet
  • Each EC2 instance launched into the default VPC gets both a public and a private IP address (in a custom VPC you get a public IP only if the subnet or launch request asks for one)
  • If you delete the default VPC you can recreate it yourself (the VPC console and `aws ec2 create-default-vpc` both do this); older exam material says the only way is to contact AWS support
  • VPC Peering allows you to connect one VPC with another via a direct network route using private IP addresses
  • Instances behave as if they were on the same private network
  • Peering is point-to-point between two VPCs; you can build a star (hub-and-spoke) by peering 1 central VPC with 2 others, but there is NO TRANSITIVE PEERING !!!
  • If we want VPC C to talk to VPC A we need to create a peering between them; VPC C cannot reach VPC B through VPC A (that would be transitive peering, which is not supported). A peering connection only forwards traffic addressed to the peer VPC's own CIDR
  • Security Groups are stateful, Network Access Control Lists are stateless
  • While creating a VPC you need to specify a CIDR (Classless Inter-Domain Routing) block to define your VPC's IP address range
  • When a VPC is first created it also creates a main route table, a default network ACL and a default security group
  • When you create a VPC, AWS recommends that you specify a CIDR block from the private IP address ranges defined in RFC 1918:
    • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
  • The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to any instance. For example, with CIDR block 10.0.0.0/24 the following five IP addresses are reserved:
    • 10.0.0.0 (network address)
    • 10.0.0.1 (reserved by AWS for the VPC router)
    • 10.0.0.2 (reserved by AWS for the DNS server; the VPC base address plus two)
    • 10.0.0.3 (reserved by AWS for future use)
    • 10.0.0.255 (network broadcast address; broadcast is not supported in a VPC)
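A subnet planning helper covering the RFC 1918 ranges and the reserved-address rule above. This is an added example for these notes, not AWS code; it uses only the standard library ipaddress module, and the VPC and subnet CIDRs passed to it are constructed inputs.

```python
"""Subnet sizing helper: RFC 1918 check, fit check, and the five reserved addresses.

Added example, not AWS code. Standard library only; inputs are constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Why each of the five reserved addresses is unusable (first four, then the last).
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "DNS server (VPC base + 2)",
    "reserved for future use",
    "broadcast address (broadcast not supported in VPC)",
)


def _v4(cidr):
    """Parse an IPv4 CIDR strictly: host bits set (10.0.0.1/24) is rejected."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper models IPv4 subnets only")
    return net


def is_rfc1918(cidr):
    """True if the whole block lies inside one of the three RFC 1918 ranges."""
    net = _v4(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def fits_in_vpc(vpc_cidr, subnet_cidr):
    """A subnet must be a sub-block of its VPC CIDR."""
    return _v4(subnet_cidr).subnet_of(_v4(vpc_cidr))


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps in every subnet, paired with their roles."""
    net = _v4(subnet_cidr)
    addrs = [net.network_address + i for i in range(4)] + [net.broadcast_address]
    return [(str(a), role) for a, role in zip(addrs, RESERVED_ROLES)]


def usable_hosts(subnet_cidr):
    """Addresses left for instances and other ENIs after the five reserved ones."""
    return _v4(subnet_cidr).num_addresses - 5


def plan_subnet(vpc_cidr, subnet_cidr):
    """Validate a subnet against its VPC (both must be /16 to /28) and report capacity."""
    vpc, sub = _v4(vpc_cidr), _v4(subnet_cidr)
    for net in (vpc, sub):
        if not 16 <= net.prefixlen <= 28:
            raise ValueError(f"{net}: VPC and subnet CIDRs must be between /16 and /28")
    if not fits_in_vpc(vpc_cidr, subnet_cidr):
        raise ValueError(f"{sub} is not inside {vpc}")
    return {
        "rfc1918": is_rfc1918(vpc_cidr),
        "reserved": reserved_addresses(subnet_cidr),
        "usable": usable_hosts(subnet_cidr),
    }


if __name__ == "__main__":
    plan = plan_subnet("10.0.0.0/16", "10.0.1.0/24")
    for addr, role in plan["reserved"]:
        print(f"{addr:<12} {role}")
    print("usable addresses:", plan["usable"], "| RFC 1918:", plan["rfc1918"])
```

Note that a /28 subnet, the smallest AWS allows, leaves only 11 usable addresses once the five reserved ones are removed, which matters when sizing subnets for things like Lambda ENIs or interface endpoints.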
  • Using a NAT Gateway: instances in a private subnet send internet-bound traffic to a NAT gateway (or NAT instance) that sits in a public subnet and has a route to the internet gateway
  • NAT Gateway vs NAT Instances
  • NAT Instances:
    • When creating a NAT instance, disable the Source/Destination check on the instance (otherwise EC2 drops packets whose source or destination is not the instance itself, which is exactly what forwarded traffic looks like)
    • The NAT instance must be in a public subnet
    • There must be a route out of the private subnet to the NAT instance (0.0.0.0/0 pointing at the instance) in order for this to work
    • The amount of traffic a NAT instance supports depends on the instance size. If you are bottlenecking, increase the instance size
    • You can build high availability using Auto Scaling Groups, multiple subnets in different AZs and a script to automate failover
    • A NAT instance is always behind a security group, because it is an ordinary EC2 instance
  • NAT Gateways:
    • Scale automatically with traffic (the published ceiling was 10 Gbps when these notes were written and has been raised since; check the current VPC quotas)
    • No need to patch; the service is managed by AWS
    • Not associated with security groups (control access with the network ACL on its subnet and the security groups of the instances behind it)
    • Use an Elastic IP address that you associate with the gateway when you create it
    • Remember to update your route tables (0.0.0.0/0 in each private subnet's table pointing at the NAT gateway)
    • No need to disable Source/Destination checks
    • A NAT gateway lives in one AZ; for resilience create one per AZ and point that AZ's private subnets at their own gateway
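The peering and NAT bullets above describe how a VPC router picks a target, so here is a route-table walk over a constructed topology. This is an added example for these notes, not AWS code: the VPC CIDRs, the route tables and every identifier (vpc-a, pcx-ab, nat-a1, igw-a) are made up. It shows a public subnet (0.0.0.0/0 to an internet gateway) beside a private subnet (0.0.0.0/0 to a NAT gateway), and why VPC C cannot reach VPC B through VPC A even if someone adds a route for B's CIDR into C's table: the peering connection only carries traffic addressed to its peer's own CIDR.

```python
"""Longest-prefix route lookup over constructed VPCs, route tables and one peering hub.

Added example, not AWS code. All CIDRs and identifiers are constructed.
"""
import ipaddress

# Constructed topology: A peers with B and with C; B and C are NOT peered.
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-ac": ("vpc-a", "vpc-c")}

# Route tables as (destination CIDR, target); the "local" route is implicit per VPC.
ROUTE_TABLES = {
    "vpc-a/public": [("10.1.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-ac"), ("0.0.0.0/0", "igw-a")],
    "vpc-a/private": [("10.1.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-ac"), ("0.0.0.0/0", "nat-a1")],
    "vpc-b/private": [("10.0.0.0/16", "pcx-ab")],
    # Deliberately wrong: VPC C points B's CIDR at its peering with A.
    "vpc-c/private": [("10.0.0.0/16", "pcx-ac"), ("10.1.0.0/16", "pcx-ac")],
}


def lookup(route_table, vpc, dst_ip):
    """Longest-prefix match over the table plus the implicit local route; None = no route."""
    dst = ipaddress.ip_address(dst_ip)
    routes = [(ipaddress.ip_network(VPCS[vpc]), "local")]
    routes += [(ipaddress.ip_network(cidr), target) for cidr, target in ROUTE_TABLES[route_table]]
    candidates = [(net.prefixlen, target) for net, target in routes if dst in net]
    return max(candidates)[1] if candidates else None


def deliver(route_table, vpc, dst_ip):
    """Follow one hop from a subnet using `route_table` in `vpc` and describe the outcome."""
    target = lookup(route_table, vpc, dst_ip)
    dst = ipaddress.ip_address(dst_ip)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return f"delivered within {vpc}"
    if target.startswith("igw-"):
        return "internet via internet gateway (instance needs a public IP)"
    if target.startswith("nat-"):
        return "internet via NAT gateway (outbound only, source NATed)"
    if target.startswith("pcx-"):
        a, b = PEERINGS[target]
        peer = b if vpc == a else a
        # A peering connection forwards only to the peer VPC's own CIDR, never beyond it.
        if dst in ipaddress.ip_network(VPCS[peer]):
            return f"delivered to {peer} over {target}"
        return f"dropped: {target} does not forward to {dst} (no transitive peering)"
    return f"dropped: unknown target {target}"


if __name__ == "__main__":
    for table, vpc, dst in [
        ("vpc-a/public", "vpc-a", "93.184.216.34"),
        ("vpc-a/private", "vpc-a", "93.184.216.34"),
        ("vpc-a/private", "vpc-a", "10.1.0.9"),
        ("vpc-c/private", "vpc-c", "10.0.0.10"),
        ("vpc-c/private", "vpc-c", "10.1.5.5"),
        ("vpc-b/private", "vpc-b", "10.2.0.1"),
    ]:
        print(f"{table:<14} -> {dst:<15} {deliver(table, vpc, dst)}")
```

The last two cases are the peering lesson: C's route for 10.1.0.0/16 is accepted by C's own table but the packet dies at pcx-ac, and B has no route to C at all. Fixing either requires a direct pcx-bc peering plus routes on both sides.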
  • Security Groups Vs Network ACLs
    • Security Group is stateful: return traffic for an allowed connection is automatically allowed, regardless of the rules in the other direction. Security groups only have allow rules
    • Network ACL is stateless: return traffic must be explicitly allowed by rules (typically an allow on the ephemeral port range 1024-65535 in the opposite direction)
    • Rules are evaluated from the lowest number upwards and the first match wins, so a DENY that must override an ALLOW needs a lower rule number than that ALLOW
  • Your VPC automatically comes with a default network ACL, and by default it allows all inbound and outbound traffic
  • You can create a custom network ACL. By default, each custom network ACL denies all inbound and outbound traffic until you add rules
  • IPv6 is supported in VPC: you can associate an Amazon-provided /56 IPv6 CIDR with the VPC and a /64 with each subnet. IPv6 addresses are publicly routable, so for outbound-only access from private subnets use an egress-only internet gateway instead of NAT
  • Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL
  • You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the  previous association is removed
  • A network ACL contains a numbered list of rules that is evaluated in order, starting with the lowest numbered rule
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic
  • Network ACLs are stateless, responses to allowed inbound traffic are subject to the rules for outbound traffic
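The network ACL bullets above, worked through with a small stateless rule evaluator. This is an added example for these notes, not AWS code: the inbound and outbound rule lists, the admin CIDR 203.0.113.0/24 and the client addresses are constructed. It demonstrates first-match ordering (a DENY only beats an ALLOW if its number is lower) and why the reply to an allowed inbound request still needs its own outbound allow on the ephemeral ports.

```python
"""Stateless network ACL evaluation: ordered first-match, implicit final deny.

Added example, not AWS code. Rules and addresses are constructed.
"""
import ipaddress

# Constructed rules: (rule_number, protocol, from_port, to_port, source/dest CIDR, action)
INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    (110, "tcp", 22, 22, "203.0.113.0/24", "ALLOW"),      # constructed admin range
    (120, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW"),       # replies to connections we initiate
]
OUTBOUND = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW"),       # replies to inbound 443/22 clients
    (110, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),          # our own outbound HTTPS
]


def evaluate(rules, protocol, port, ip):
    """Try rules in ascending number order; the first match decides.
    No match falls through to the implicit '*' rule, which is DENY."""
    addr = ipaddress.ip_address(ip)
    for number, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto not in (protocol, "all"):
            continue
        if not lo <= port <= hi:
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return action, number
    return "DENY", "*"


def check_flow(inbound, outbound, client_ip, dst_port, client_port=49152):
    """A client connects to dst_port; the server's reply goes back to client_port.
    Stateless means both directions are checked independently."""
    request = evaluate(inbound, "tcp", dst_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return {
        "request": request,
        "reply": reply,
        "works": request[0] == "ALLOW" and reply[0] == "ALLOW",
    }


def block_address(rules, number, cidr):
    """Return a copy of `rules` with a DENY-all for `cidr` at `number`.
    It only takes effect if `number` is lower than the ALLOW it must beat."""
    return rules + [(number, "all", 0, 65535, cidr, "DENY")]


if __name__ == "__main__":
    print("https from anywhere :", check_flow(INBOUND, OUTBOUND, "198.51.100.7", 443))
    print("ssh from non-admin  :", check_flow(INBOUND, OUTBOUND, "198.51.100.7", 22))
    print("ssh from admin range:", check_flow(INBOUND, OUTBOUND, "203.0.113.9", 22))
    print("no ephemeral allow  :", check_flow(INBOUND, [OUTBOUND[1]], "198.51.100.7", 443))
    print("deny at 90  :", evaluate(block_address(INBOUND, 90, "198.51.100.0/24"), "tcp", 443, "198.51.100.7"))
    print("deny at 130 :", evaluate(block_address(INBOUND, 130, "198.51.100.0/24"), "tcp", 443, "198.51.100.7"))
```

The "no ephemeral allow" case is the classic NACL mistake: inbound 443 is allowed, the request arrives, and the response is silently dropped by the outbound rules. The two deny cases show the numbering point: the same DENY rule blocks the client at 90 and does nothing at 130.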
  • You can connect your VPC to remote networks by using a VPN connection (a virtual private gateway on the VPC side and a customer gateway on yours)
  • The bastion host needs a hardened, minimal configuration and a public IP address; lock its security group down to the admin source IPs and the SSH/RDP port only
  • Instances without public IP addresses can route their traffic through a NAT instance or a NAT gateway to access the internet
  • The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances
  • You can create 200 subnets per VPC by default (this is an adjustable quota)
  • NAT Vs Bastion
    • A NAT instance (or NAT gateway) is used to give EC2 instances in private subnets outbound access to the internet
    • A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets.
  • Flow logs enable you to capture IP traffic flow information (source, destination, ports, protocol, bytes, accept/reject) for the network interfaces in your VPC; they record metadata, not packet contents, and can be published to CloudWatch Logs or S3