These notes were written while working through the A Cloud Guru AWS Certified Solutions Architect - Associate online course. These notes are partly from the videos, and also from various other online sources. Primarily, they’re notes for me, but you might find them useful too.
Since the AWS platform is changing so quickly, it’s possible that some of these notes may be out of date, so please take that into consideration if you are reading them.
Please let me know in the comments below if you have any corrections or updates which you’d like me to add.
VPC (Virtual Private Cloud)
VPC applies to all exams. Need to know this inside-out.
A VPC is a logically isolated virtual network in your AWS account. Think of it as your own logical data center.
A VPC consists of:
- Subnets (each one lives in a single AZ)
- Route Tables
- Internet Gateways (for internet access) or Virtual Private Gateways (for VPN access)
- Security Groups and NACLs
IP traffic to and from the network interfaces in a VPC can be logged with VPC Flow Logs (enabled at VPC, subnet, or interface level). Flow Logs record metadata (addresses, ports, protocol, byte counts, and whether the traffic was accepted or rejected), not packet contents, and some traffic is never captured, e.g. DNS queries to the Amazon-provided resolver and requests to the instance metadata service.
Creating a VPC automatically creates a main route table, a default NACL, and a default security group, but it doesn't create any subnets or an internet gateway.
Use public-facing subnets for public-facing web servers. Use private subnets for backend services, databases, etc.
You can use a Bastion / Jump Box located in the public subnet to access instances in the private subnet: first SSH into the Bastion, then use it to SSH to instances in the private subnet. Don't copy private keys onto the bastion; use SSH agent forwarding or ProxyJump so the bastion only relays the connection.
For multiple layers of security, it's recommended you use a VPC in addition to security groups and NACLs (Network Access Control Lists).
Security groups (first layer of defense) exist at the instance level; strictly, they are attached to network interfaces (ENIs).
NACLs (second layer of defense) exist at the subnet level. In terms of packet flow, inbound traffic is evaluated by the NACL at the subnet boundary first and then by the instance's security group; outbound traffic is evaluated in the reverse order.
It's possible to build an entirely private cloud using VPCs, i.e. a VPC with no internet gateway that is connected to your corporate data center over VPN (via a Virtual Private Gateway) or Direct Connect.
Each subnet is always mapped to exactly one AZ (Availability Zone). It's not possible to span a subnet across multiple AZs. However, security groups, NACLs, and Route Tables CAN span multiple subnets and AZs within the same VPC.
An internet gateway is attached to the VPC, not to a subnet, and only one internet gateway can be attached to a VPC. A subnet becomes "public" when its route table has a route to that internet gateway.
CIDR - Classless Inter-domain Routing
The first four IP addresses and the last IP address in each subnet CIDR block are reserved by AWS and cannot be assigned to an instance. Using 10.0.0.0/24 as an example:
- 10.0.0.0: Network address.
- 10.0.0.1: Reserved by AWS for the VPC router.
- 10.0.0.2: Reserved by AWS for DNS (the Amazon-provided resolver lives at the VPC CIDR base + 2; the +2 address of every subnet is reserved as well).
- 10.0.0.3: Reserved by AWS for future use.
- 10.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC, so this address is reserved.
Netmasks:
- /16 - 65,536 IP addresses (the largest CIDR allowed for a VPC or subnet)
- /24 - 256 IP addresses
- /28 - 16 IP addresses (the smallest CIDR allowed for a subnet)
- /32 - a single IP address - matches exactly one host
Remember to subtract the five reserved addresses when sizing a subnet: a /24 gives you 251 usable addresses, a /28 only 11.
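To make the reserved-address rule concrete, here is an added example (my code, not from the course or from AWS) that uses Python's standard ipaddress module to list the five addresses AWS reserves in any subnet, compute the usable count, and carve a VPC CIDR into subnets. The /16 to /28 bounds and the five reserved offsets come from the notes above; everything else is assumed.

```python
import ipaddress

# AWS reserves these five addresses in every subnet CIDR block. The offsets are
# relative to the subnet, so they apply to any subnet size from /16 to /28.
RESERVED_OFFSETS = {
    0: "network address",
    1: "reserved by AWS for the VPC router",
    2: "reserved by AWS for DNS (the resolver itself answers at the VPC CIDR base + 2)",
    3: "reserved by AWS for future use",
    -1: "network broadcast address (broadcast is not supported in a VPC)",
}


def _subnet(cidr):
    """Parse a subnet CIDR. strict=True rejects host bits (e.g. 10.0.1.5/24), which is
    almost always a typo, and we reject sizes AWS will not accept for a VPC subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC subnet IPv4 CIDRs must be between /16 and /28")
    return net


def reserved_addresses(cidr):
    """Map each address AWS reserves in the subnet to the reason it is unusable."""
    net = _subnet(cidr)
    return {str(net[offset]): reason for offset, reason in RESERVED_OFFSETS.items()}


def usable_addresses(cidr):
    """Number of addresses you can actually assign to instances in the subnet."""
    return _subnet(cidr).num_addresses - len(RESERVED_OFFSETS)


def plan_subnets(vpc_cidr, new_prefix):
    """Carve a VPC CIDR into equal-sized subnets and report the usable addresses in each,
    e.g. plan_subnets("10.0.0.0/16", 24) gives 256 x /24 subnets with 251 usable each."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [(str(net), usable_addresses(str(net))) for net in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for address, reason in reserved_addresses("10.0.0.0/24").items():
        print(f"{address:<12} {reason}")
    print("usable in 10.0.0.0/24:", usable_addresses("10.0.0.0/24"))
    print("usable in 10.0.0.0/28:", usable_addresses("10.0.0.0/28"))
```

Negative indexing on an IPv4Network returns the broadcast address, which is why the last reserved offset is -1 rather than a hard-coded .255; the same code therefore works for a /28 whose last address is .15.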
To enable ping, you need to allow ICMP traffic: inbound ICMP echo requests in the security group, and in both directions in a custom NACL (replies are not implied, since NACLs are stateless).
Security groups vs NACLs

| Security groups | NACLs |
|---|---|
| Support only Allow rules | Support Allow and Deny rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are evaluated in numerical order, lowest number first. The first rule that matches the traffic (allow or deny) is applied and evaluation stops; if nothing matches, the implicit final deny-all (*) rule drops the traffic |
| Rules apply to the specific instances (ENIs) the group is attached to | Rules apply to ALL instances in the associated subnets |
| Unable to block specific IP addresses | Able to block specific IP addresses |
| Stateful | Stateless |
A NACL can be associated with multiple subnets, but a subnet can have only one NACL at a time. If you associate a NACL with a subnet which already has one, the new NACL replaces the existing NACL for that subnet. A subnet that isn't explicitly associated with a custom NACL uses the VPC's default NACL.
Types of NACL:
- Default - created with the VPC; allows all inbound and outbound traffic by default
- Custom - denies all inbound and outbound traffic until you add rules
Because NACLs are stateless, return traffic has to be explicitly allowed. A client connecting to your web server picks an ephemeral source port and the reply goes back to that port, so an inbound rule for port 80 needs a matching outbound rule for the ephemeral port range (1024-65535). Likewise, instances that initiate outbound connections (e.g. through a NAT) need an inbound rule for 1024-65535 so the responses can come back. The exact ephemeral range depends on the client OS (many Linux kernels use 32768-60999, Windows Server 2008 and later use 49152-65535), and NAT gateways and Elastic Load Balancers use 1024-65535, which is why the full range is normally opened.
NAT gateways and NAT instances
NAT (Network Address Translation) lets instances in private subnets initiate outbound connections to the internet (e.g. for software updates) while preventing anything on the internet from initiating connections to them.
In order for a NAT instance to work, you need to disable source/destination checks via the Actions->Networking menu in the EC2 console. By default EC2 drops traffic for which the instance is neither the source nor the destination; a NAT forwards traffic on behalf of other instances, so the check must be off.
The NAT instance's security group needs to allow inbound HTTP and HTTPS from the private subnets' CIDR ranges (that's what the instances behind it need for package updates) and outbound HTTP and HTTPS to the internet.
If you want your instances in private subnets to access the internet, you'll need to create a route from the private subnet, through the NAT, and out to the internet.
Add a 0.0.0.0/0 route to the private subnet's route table and set the target as the NAT. After that you can, for example, run "yum update" on an EC2 instance in a private subnet and have it successfully reach the package repositories and update the instance.
Put the NAT gateway in a public subnet (it relies on that subnet's route to the internet gateway) and always update the private subnets' route tables to point 0.0.0.0/0 at the NAT gateway.
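As an added example of how the private and public route tables described above behave (my code, not from the course or from AWS), the following Python models route selection the way a VPC route table does it: longest-prefix match, with the non-removable local route for the VPC CIDR winning over the 0.0.0.0/0 default route. The route tables and resource IDs are constructed for illustration; the public/private test simply asks whether any route points at an internet gateway.

```python
import ipaddress

# Constructed route tables. Resource IDs are made up for illustration.
# The "local" route is created with the VPC and cannot be modified or removed.
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),                    # the VPC's own CIDR
    ("172.16.0.0/16", "pcx-0123456789abcdef0"),  # hypothetical peering connection
    ("0.0.0.0/0", "nat-0abc123def4567890"),      # default route via a hypothetical NAT gateway
]

PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0fedcba9876543210"),      # default route via a hypothetical internet gateway
]


def lookup_route(route_table, destination):
    """Return the target for a destination IP using longest-prefix match, which is how
    VPC route tables choose between overlapping routes. None means no route: dropped."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table):
    """A subnet is public exactly when its route table sends traffic to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def classify(route_table, destination):
    """Human-readable summary of where a packet to `destination` ends up."""
    target = lookup_route(route_table, destination)
    if target is None:
        return "dropped (no route)"
    if target == "local":
        return "stays inside the VPC"
    prefix = target.split("-")[0]
    return {"nat": "out via NAT gateway",
            "igw": "out via internet gateway",
            "pcx": "to peered VPC"}.get(prefix, f"to {target}")


if __name__ == "__main__":
    for dest in ("10.0.5.10", "172.16.4.4", "93.184.216.34"):
        print(f"private subnet -> {dest}: {classify(PRIVATE_ROUTE_TABLE, dest)}")
        print(f"public subnet  -> {dest}: {classify(PUBLIC_ROUTE_TABLE, dest)}")
```

The same lookup explains why a stray 0.0.0.0/0 route to an internet gateway in a "private" route table silently turns every subnet using it into a public one: checking the route table, not the subnet's name, is how you tell them apart.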
NAT gateways scale automatically, up to 10 Gbps at the time these notes were written (the limit has since been raised).
| NAT instance | NAT Gateway |
|---|---|
| Custom EC2 instance provisioned from a community AMI, which you must patch and maintain | Provisioned and managed by AWS |
| The amount of traffic a NAT instance can handle depends on its instance size; bigger instances handle more traffic | Scales automatically (up to 10 Gbps when these notes were written), so it is preferred over a NAT instance |
| Uses security groups | Cannot have a security group; control access with the security groups of the instances behind it and the NACL of its subnet |
| Needs source/dest checks disabled via the Actions->Networking menu | No source/dest check to disable |
| Must be in a public subnet and must have a public IP address | Must also be in a public subnet, with an Elastic IP address |
| A single point of failure unless you build your own failover | Redundant within its AZ; create one per AZ so an AZ outage does not take out the others' internet access |
Stateful vs Stateless
Security groups are stateful. This means that if you allow inbound HTTP, the response traffic for that connection is automatically allowed back out regardless of the outbound rules (and the same applies in reverse for connections the instance initiates). No outbound rule is created; the connection is tracked and its return traffic permitted.
Subnet ACLs are stateless, which means each direction is evaluated independently: if you add an inbound HTTP rule, you'll need to add an outbound rule for the ephemeral port range too, otherwise the HTTP responses won't be able to get back out of your subnet.
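To show the difference between the two firewalls described in the comparison table above and in this stateful vs stateless section, here is an added example (my code, not from the course or from AWS) that simulates a security group and a NACL deciding on an inbound HTTP request and its reply. It models ordered first-match evaluation with an implicit deny for the NACL, and connection tracking for the security group. The rule sets, client addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) and class names are all constructed for the demonstration.

```python
from dataclasses import dataclass
import ipaddress

# Port range the AWS documentation recommends opening in a NACL for return traffic.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny" (security groups only support "allow")
    protocol: str      # "tcp", "udp", "icmp" or "all"
    ports: tuple       # inclusive (low, high); ignored when protocol is "all"
    cidr: str          # source range for inbound rules, destination range for outbound
    number: int = 0    # NACL rule number; lower numbers are evaluated first


def matches(rule, protocol, port, ip):
    """Does a single rule match this packet?"""
    if rule.protocol not in ("all", protocol):
        return False
    if rule.protocol != "all" and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


class NetworkAcl:
    """Subnet level and stateless: each direction is judged on its own, rules are
    checked in rule-number order, the first match (allow or deny) wins, and the
    implicit final '*' rule denies anything no rule matched."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, direction, protocol, port, ip, flow=None):
        for rule in (self.inbound if direction == "in" else self.outbound):
            if matches(rule, protocol, port, ip):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Instance (ENI) level, stateful and allow-only: all rules are considered, and
    once a connection is permitted its reply traffic is allowed without consulting
    the rules for the opposite direction."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups only support allow rules")
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()   # stand-in for the connection-tracking table

    def permits(self, direction, protocol, port, ip, flow):
        if flow in self.tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(matches(r, protocol, port, ip) for r in rules):
            self.tracked.add(flow)
            return True
        return False


def http_round_trip(firewall, client_ip, client_port):
    """Simulate a client connecting to port 80 and the server replying to the client's
    ephemeral port. Returns (request_allowed, reply_allowed)."""
    flow = ("tcp", client_ip, client_port, 80)
    request_ok = firewall.permits("in", "tcp", 80, client_ip, flow)
    reply_ok = request_ok and firewall.permits("out", "tcp", client_port, client_ip, flow)
    return request_ok, reply_ok


# Constructed rule sets for the demonstration.
# Security group with inbound HTTP only: replies still flow, because it is stateful.
WEB_SG = SecurityGroup(inbound=[Rule("allow", "tcp", (80, 80), "0.0.0.0/0")], outbound=[])

# Custom NACL with only the inbound HTTP rule: the reply hits the implicit deny.
BROKEN_NACL = NetworkAcl(
    inbound=[Rule("allow", "tcp", (80, 80), "0.0.0.0/0", number=100)],
    outbound=[])

# Same NACL with the ephemeral range opened outbound, plus a deny for one abusive
# address numbered BELOW the allow so it is evaluated first.
FIXED_NACL = NetworkAcl(
    inbound=[Rule("deny", "all", (0, 0), "203.0.113.7/32", number=50),
             Rule("allow", "tcp", (80, 80), "0.0.0.0/0", number=100)],
    outbound=[Rule("allow", "tcp", EPHEMERAL, "0.0.0.0/0", number=100)])

# The same deny numbered ABOVE the allow is never reached for HTTP traffic.
MISORDERED_NACL = NetworkAcl(
    inbound=[Rule("allow", "tcp", (80, 80), "0.0.0.0/0", number=100),
             Rule("deny", "all", (0, 0), "203.0.113.7/32", number=200)],
    outbound=[Rule("allow", "tcp", EPHEMERAL, "0.0.0.0/0", number=100)])
```

Running http_round_trip against each object shows the three points the notes make: the security group passes the reply with no outbound rule at all, the NACL without an ephemeral-port rule drops it, and in a NACL the rule number decides whether a deny is ever consulted.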
AWS provides a default VPC in each region. This is intended to make it user friendly to deploy and test EC2 instances on a new account. A default VPC has a default subnet in each AZ, an internet gateway, and a route out to the internet, and instances launched into it get a public IP address by default.
If you delete the default VPC, you can recreate it yourself (Create Default VPC in the VPC console, or aws ec2 create-default-vpc); when these notes were written, getting it back required an AWS support ticket.
VPC peering allows a direct network connection between two VPCs using private IP addresses. The CIDR blocks of the two VPCs must not overlap.
A peering connection is strictly one-to-one. To connect many VPCs you either peer every pair (full mesh) or use a hub-and-spoke (star) configuration with a separate peering connection from each spoke to the hub.
Transitive peering / edge-to-edge routing is not supported, i.e. if you have VPC A <-> VPC B <-> VPC C, VPC A can communicate with VPC B, and VPC B with C, but A cannot communicate with C unless a direct peering connection is made between A and C.
VPC peering is supported across multiple accounts. When these notes were written it was limited to a single region; inter-region peering has since been added (late 2017).
Direct Connect uses a dedicated physical line, provisioned through a telco / Direct Connect partner, between your data center and an AWS Direct Connect location. Data transferred via Direct Connect does not travel over the public internet.
While a VPC (or a VPN over the internet) is quick to set up, Direct Connect can take more than a month, and sometimes more than six months, to get provisioned.
Know how to build out a VPC from memory before going into the exam. Even though you don’t actually build a VPC in the exam, the knowledge of how to build it out from memory will be immensely helpful.
Know the difference between:
- Public and private subnets
- NAT gateway and NAT instance
Know what a bastion host is, and that it is possible to use a single instance as a dual-purpose web server and bastion host (possible for the exam, though separating the two roles is better practice).