AWS Certified SysOps Administrator Part I: VPC

  • 1. Understanding Virtual Networking on AWS
    • a. What is a VPC?
      • i. Logically isolated network in the AWS cloud
      • ii. Every AWS account gets a default VPC in each region; you segment a VPC into subnets (not into smaller VPCs), and you can create additional VPCs alongside the default one
      • iii. VPCs themselves are free; VPN connections (and other attachments such as NAT gateways) are charged
    • b. AWS Reference Model for VPC
      • i. Layers:
        • 1. AWS Global Infrastructure (AWS managed services)
        • 2. Networking (VPC lives here) (AWS managed services)
        • 3. Compute | Storage | Database (Customer managed environments)
        • 4. Application Services (AWS managed services)
        • 5. Deployment & Automation (AWS managed services)
    • c. VPC Architecture and Characteristics
      • i. Regions contain availability zones; availability zones contain subnets
      • ii. A VPC belongs to one region and spans all of that region's availability zones
      • iii. A subnet belongs to exactly one availability zone
      • iv. Every VPC has an implicit router that connects all of its subnets (the "local" route present in every route table)
      • v. VPC and subnet CIDR blocks can be anywhere from /16 to /28
    • d. Creating a VPC
      • i. Dedicated tenancy runs your instances on single-tenant hardware (hosts not shared with other customers) at a higher cost; it does not give you dedicated network hardware
      • ii. You can set up Flow Logs to record accepted / rejected traffic per network interface
      • iii. You should always tag resources so you know what things are
    • e. VPC Access Methods
      • i. Gateway
        • 1. Internet Gateway (IGW)
          • a. Allows instances with public IP addresses to get ingress / egress to the internet
        • 2. Virtual Private Gateway (VGW)
          • a. AWS side of a site-to-site VPN
        • 3. Customer Gateway (CGW)
          • a. Customer side of the VPN (the on-premises router / firewall, or a software appliance, that terminates the IPsec tunnels)
      • ii. VPN and private connectivity
        • 1. Direct Connect (not a VPN: a dedicated private link, and traffic on it is not encrypted unless you layer a VPN over it)
          • a. Dedicated and isolated
          • b. Bypasses the public internet entirely
          • c. HA connectivity supported (multiple connections / locations)
        • 2. Hardware-based (site-to-site) VPN
          • a. IPsec tunnels over the internet from the customer gateway to the VGW
    • f. VPC Security
      • i. Security Groups
        • 1. Resource level traffic firewall
          • a. Attached to network interfaces: instances, ELBs, etc…
        • 2. Ingress and egress controlled
          • a. Allow rules only; there is no way to write a deny rule, so anything not explicitly allowed is dropped
        • 3. Stateful
          • a. Once a connection is allowed in either direction, its return traffic is allowed automatically, regardless of the rules for the opposite direction
      • ii. Network ACLs
        • 1. Filter on protocol, port range and source / destination CIDR, with explicit allow and deny rules
        • 2. Subnet level traffic firewall
          • a. Separate inbound and outbound rule sets, evaluated in rule-number order; the first match wins and the trailing "*" rule denies everything else
        • 3. Stateless: every packet is checked on its own, return traffic is not automatically allowed! You have to add an outbound rule for the ephemeral port range (1024-65535) yourself.
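The stateful / stateless distinction above is the one that bites people in practice. The following is an added example (not code from the original page or from AWS): a small Python simulation of how a security group and a network ACL each evaluate a client's TLS request and the server's reply. The addresses, ports and rule numbers are constructed for the example, and the `Rule` / `Packet` types are simplifications of the real console fields, not an AWS API.

```python
"""Simulate stateful security-group vs stateless network-ACL evaluation.

Constructed example: a web server at 10.0.1.5 behind (a) a security group
that only allows inbound tcp/443 and (b) a network ACL with the same allow.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One rule; ``number`` and ``action`` only matter for network ACLs."""
    direction: str          # "inbound" or "outbound"
    proto: str              # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str               # source for inbound, destination for outbound
    action: str = "allow"   # security groups are allow-only
    number: int = 0         # network ACLs evaluate lowest number first


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.proto not in ("all", pkt.proto):
        return False
    # The port range in a rule always refers to the packet's destination port.
    if not (rule.port_from <= pkt.dst_port <= rule.port_to):
        return False
    peer = pkt.src if direction == "inbound" else pkt.dst
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic is allowed too."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self._tracked = set()

    def allows(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self._tracked:
            return True   # reply to a connection we already accepted
        if any(_matches(r, pkt, direction) for r in self.rules):
            self._tracked.add((pkt.src, pkt.dst, pkt.proto, pkt.src_port, pkt.dst_port))
            return True
        return False


class NetworkAcl:
    """Stateless: every packet is checked against the ordered rule list."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules:
            if _matches(rule, pkt, direction):
                return rule.action == "allow"   # first match wins
        return False                             # the trailing "*" rule denies


# Constructed traffic: a client's TLS request and the server's reply.
REQUEST = Packet("203.0.113.10", "10.0.1.5", "tcp", 51515, 443)
REPLY = Packet("10.0.1.5", "203.0.113.10", "tcp", 443, 51515)

ALLOW_HTTPS_IN = Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100)


def security_group_result():
    sg = SecurityGroup([ALLOW_HTTPS_IN])        # no outbound rule at all
    return sg.allows(REQUEST, "inbound"), sg.allows(REPLY, "outbound")


def naive_nacl_result():
    # Mirrors the SG: allow 443 in, allow 443 out. The reply's destination
    # port is the client's ephemeral port, so nothing matches it.
    acl = NetworkAcl([
        ALLOW_HTTPS_IN,
        Rule("outbound", "tcp", 443, 443, "0.0.0.0/0", number=100),
    ])
    return acl.allows(REQUEST, "inbound"), acl.allows(REPLY, "outbound")


def fixed_nacl_result():
    # Add an outbound ephemeral-port rule, plus a lower-numbered deny for one
    # source range (something a security group cannot express at all).
    acl = NetworkAcl([
        Rule("inbound", "tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),
        ALLOW_HTTPS_IN,
        Rule("outbound", "tcp", 443, 443, "0.0.0.0/0", number=100),
        Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=110),
    ])
    blocked = Packet("198.51.100.7", "10.0.1.5", "tcp", 40000, 443)
    return (acl.allows(REQUEST, "inbound"),
            acl.allows(REPLY, "outbound"),
            acl.allows(blocked, "inbound"))


if __name__ == "__main__":
    print("security group (request, reply):", security_group_result())
    print("naive NACL     (request, reply):", naive_nacl_result())
    print("fixed NACL     (request, reply, blocked):", fixed_nacl_result())
```

The security group lets the reply out even with no outbound rule because the inbound connection was already accepted; the naive network ACL drops the same reply because its destination port is the client's ephemeral port, not 443. The fixed ACL also shows the one thing security groups cannot do: an explicit deny evaluated before the allow.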
    • g. VPC Configuration
      • i. The default VPC comes with an internet gateway already attached; a VPC you create yourself does not get one
        • 1. An instance is reachable from outside AWS only when it has a public or Elastic IP address, its subnet's route table sends 0.0.0.0/0 to the internet gateway, and its security group and network ACL allow the traffic
        • 2. Tag the internet gateway so it is easy to identify when tracking ingress / egress
      • ii. Components:
        • 1. Customer Gateway: customer side
        • 2. Virtual Private Gateway: Amazon side
        • 3. View "VPN Connections" to see the VPN connections you've set up
      • iii. Network ACL
        • 1. Inbound rules
        • 2. Outbound rules
        • 3. Rules are numbered and evaluated lowest number first; the first match wins, and the final "*" rule denies anything unmatched
        • 4. The default network ACL allows all traffic in both directions; a network ACL you create yourself denies everything until you add allow rules
        • 5. Subnet associations: each subnet has exactly one network ACL, but one network ACL can be associated with multiple subnets
      • iv. Security Group
        • 1. Rules apply to every instance (network interface) that has the security group attached; a rule's source / destination can be a CIDR block or another security group
      • v. Web servers belong in a public subnet, i.e. one whose route table points 0.0.0.0/0 at the internet gateway
      • vi. Inbound / Outbound rules take
        • 1. Protocol
        • 2. Port (range)
        • 3. Source (inbound) or destination (outbound)
      • vii. If an instance goes down, a secondary network interface (ENI) can be detached and attached to a replacement instance, keeping its private IP and security groups; the primary interface cannot be detached
      • viii. Configuring Instances
        • 1. Can automatically join a Windows instance to a directory (domain) during launch
        • 2. Can specify an IAM role (instance profile) so the instance gets credentials without stored access keys
        • 3. Shutdown behavior: Stop or Terminate
        • 4. Protect against accidental termination: with termination protection enabled, neither the API nor the management console will terminate the instance until an administrator explicitly disables the protection again
        • 5. Detailed CloudWatch monitoring is a checkbox at launch
        • 6. You can assign the primary and secondary private IP addresses yourself or leave it to the subnet's DHCP
        • 7. Add storage (additional EBS volumes)
        • 8. AMI = Amazon Machine Image, the template you are launching from; the final review step summarizes all the options you've specified
        • 9. When launching an instance, you can use an existing key pair or create a new one
    • h. VPC Peering
      • i. Establish private connections with other VPCs (same or different account, same or different region); each side also needs a route to the other VPC's CIDR via the peering connection
      • ii. Peering is not transitive! If VPC1 is peered with VPC2 and VPC3, VPC2 and VPC3 are not connected unless they are peered directly
      • iv. Peered VPCs cannot have overlapping CIDR blocks (e.g. if VPC1 is 192.168.1.0/24 then VPC2 can't also be 192.168.1.0/24)
  • 2. In-depth VPC Configuration
    • a. In-depth VPC configuration
      • i. You can switch regions in the AWS console by using the region drop down in the upper right corner of the page menu
      • ii. Architectural Question: When would you use a non-default tenancy option when creating a VPC?
      • iii. The core components of a VPC that allow internet access:
        • 1. VPC + Subnet + Internet Gateway
      • iv. When creating subnets you specify the VPC the subnet lives in; the subnet CIDR must be a block within the parent VPC's CIDR and must not overlap other subnets in that VPC
      • v. Every route table starts with a "local" route for the VPC's CIDR, so subnets in the same VPC can reach each other without any extra routing configuration
      • vi. When creating an internet gateway you just specify a name. After creation, you need to attach it to a VPC.
      • vii. Creating and attaching the internet gateway does not update any route table; you still have to add a 0.0.0.0/0 route pointing at the gateway to the route table of each subnet that should be public
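The addressing and routing rules collected above (VPC and subnet blocks must be /16 to /28, subnets must sit inside the parent VPC and not overlap each other, peered VPCs must not overlap, and a subnet is only public once a 0.0.0.0/0 route points at an attached internet gateway) are easy to check before touching the console. The following is an added example, not code from the original page or from AWS: it models those checks with Python's standard `ipaddress` module on a constructed subnet plan and two constructed route tables. The gateway id `igw-0abc` and the `(destination, target)` route-table shape are assumptions for the example, not AWS API objects.

```python
"""Validate VPC / subnet CIDR plans and check whether a subnet is public.

Constructed example data; not the AWS API, just the addressing and routing
rules a VPC design has to satisfy.
"""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # AWS: VPC and subnet blocks are /16 .. /28
AWS_RESERVED_PER_SUBNET = 5               # network, VPC router, DNS, future use, broadcast


def _net(cidr: str):
    # strict=True rejects host bits set, e.g. "10.0.1.5/24"
    return ipaddress.ip_network(cidr, strict=True)


def valid_block(cidr: str) -> bool:
    """True if the CIDR is well formed and within the /16 .. /28 size limits."""
    try:
        net = _net(cidr)
    except ValueError:
        return False
    return VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign after AWS reserves five per subnet."""
    return _net(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def peering_allowed(vpc_a: str, vpc_b: str) -> bool:
    """Peering requires the two VPC CIDR blocks not to overlap at all."""
    return not _net(vpc_a).overlaps(_net(vpc_b))


def check_subnet_plan(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems (empty when the plan is valid).

    ``subnets`` maps a subnet name to its CIDR string.
    """
    problems = []
    if not valid_block(vpc_cidr):
        return [f"VPC block {vpc_cidr} is not a valid /16../{VPC_MAX_PREFIX}"]
    vpc = _net(vpc_cidr)
    nets = {}
    for name, cidr in subnets.items():
        if not valid_block(cidr):
            problems.append(f"{name}: {cidr} is not a valid /16../28 block")
            continue
        net = _net(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC block {vpc_cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return problems


def subnet_is_public(route_table: list, attached_igws: set) -> bool:
    """A subnet is public only if its route table sends 0.0.0.0/0 to an
    internet gateway that is actually attached to the VPC.

    ``route_table`` is a list of (destination_cidr, target) tuples, e.g.
    ("10.0.0.0/16", "local") or ("0.0.0.0/0", "igw-0abc")  (assumed shape).
    """
    for destination, target in route_table:
        if destination == "0.0.0.0/0" and target.startswith("igw-"):
            return target in attached_igws
    return False


def instance_reachable_from_internet(has_public_ip: bool, route_table, attached_igws) -> bool:
    """Both conditions are needed; a public IP on a private subnet is unreachable."""
    return has_public_ip and subnet_is_public(route_table, attached_igws)


# Constructed plan: one /16 VPC, two good subnets, one outside, one overlapping.
VPC = "10.0.0.0/16"
PLAN = {
    "public-a":  "10.0.1.0/24",
    "private-a": "10.0.2.0/24",
    "rogue":     "10.1.0.0/24",      # not inside 10.0.0.0/16
    "clash":     "10.0.1.128/25",    # overlaps public-a
}
LOCAL_ONLY = [("10.0.0.0/16", "local")]                 # route table as AWS creates it
WITH_IGW = LOCAL_ONLY + [("0.0.0.0/0", "igw-0abc")]     # after adding the default route

if __name__ == "__main__":
    print(check_subnet_plan(VPC, PLAN))
    print("usable hosts in a /24:", usable_hosts("10.0.1.0/24"))
    print("peer 192.168.1.0/24 with itself:", peering_allowed("192.168.1.0/24", "192.168.1.0/24"))
    print("public (IGW attached, no route):", subnet_is_public(LOCAL_ONLY, {"igw-0abc"}))
    print("public (route, IGW not attached):", subnet_is_public(WITH_IGW, set()))
    print("public (route + attached IGW):", subnet_is_public(WITH_IGW, {"igw-0abc"}))
```

The two `subnet_is_public` failures are exactly the situations the notes warn about: an internet gateway that exists but has no route pointing at it, and a route that points at a gateway that was never attached to the VPC. The five reserved addresses per subnet are why a /28 only yields 11 usable hosts.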
