[AWS] 6. VPC

Nina · March 21, 2021



Summary of Stephane Maarek's course 「Ultimate AWS Certified Developer Associate 2021 - NEW!」

VPC, Subnets, IGW and NAT

VPC & Subnets Primer

VPC (virtual private cloud): private network to deploy your resources (a regional resource) -> one default VPC per AWS region
Subnets allow you to partition your network inside your VPC (an AZ resource)

  • a public subnet: accessible from the internet (its route table has a route to an internet gateway)
  • a private subnet: not accessible from the internet (no route to an internet gateway)
Route tables: define access to the internet and between subnets; a subnet is "public" or "private" only because of the route table attached to it

Internet Gateway(IGW) & NAT Gateways

Internet gateways help our VPC instances connect with the internet
Public subnets have a route to the internet gateway
NAT gateways (AWS-managed) & NAT instances (self-managed) allow your instances in private subnets to access the internet while remaining private; the NAT itself lives in a public subnet and the private subnet's route table points its default route at it
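The following is an added example, not code from the course, to make the route-table point concrete: a subnet is public, private or isolated purely because of what its route table says. The VPC CIDR, subnet names and the igw-/nat- ids are made-up assumptions. The lookup follows the longest-prefix-match rule that VPC route tables use, so the "local" route for the VPC range always beats the 0.0.0.0/0 default route.

```python
import ipaddress

# Constructed example VPC layout (assumption for this example, not from the course):
# three subnets whose route tables differ only in their default route.
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLES = {
    "public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")],
    "private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")],
    "isolated": [("10.0.0.0/16", "local")],   # no default route: no way in or out
}


def resolve(route_table, dst_ip):
    """Pick the target for dst_ip the way a VPC route table does: the most specific
    (longest-prefix) matching route wins; no matching route means the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_exposure(route_table):
    """Classify a subnet from its default route: an internet gateway target means
    instances with a public IP are reachable from the internet, a NAT target means
    outbound-only access, and no default route means the subnet is isolated."""
    default = next((target for cidr, target in route_table if cidr == "0.0.0.0/0"), None)
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


def classify_all():
    return {name: subnet_exposure(table) for name, table in ROUTE_TABLES.items()}


if __name__ == "__main__":
    for name, table in ROUTE_TABLES.items():
        print(name, subnet_exposure(table), "8.8.8.8 ->", resolve(table, "8.8.8.8"))
```

Note that the route to the IGW only makes a subnet reachable; an instance in it still needs a public or Elastic IP, and a security group that allows the traffic, before anything from the internet actually arrives.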

NACL, SG, VPC Flow Logs

Network ACL & Security Groups

NACL (network ACL): the default NACL allows everything in & out; a newly created custom NACL denies everything until rules are added

  • a firewall which controls traffic from and to a subnet
  • can have "allow" and "deny" rules, evaluated in ascending rule-number order; the first match wins
  • are attached at the subnet level
  • rules only include IP addresses
  • stateless: return traffic is not tracked, so the reply must be allowed by the rules in the other direction (typically the ephemeral port range)
Security Groups
  • a firewall that controls traffic to and from an ENI / an EC2 instance
  • can have only "allow" rules (anything not allowed is dropped)
  • rules include IP addresses and other security groups
  • stateful: the reply to allowed traffic is allowed automatically
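The next block is an added example, not part of the course notes, that simulates the two evaluation models side by side: ordered allow/deny rules with an implicit final deny for the NACL, allow-only rules for the security group, and statefulness only for the security group. Addresses come from the documentation ranges, and the rule sets are constructed for the example. It traces one inbound HTTPS connection through both layers, including the classic mistake of an outbound NACL that forgets the ephemeral ports, which blocks the reply even though every "allow" for port 443 is in place.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "all"
    cidr: str
    ports: tuple      # inclusive (low, high)
    action: str       # "allow" or "deny"; security groups only ever use "allow"
    number: int = 0   # NACL rule number = evaluation order; unused for security groups


def rule_matches(rule, ip, proto, port):
    if rule.proto not in ("all", proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    low, high = rule.ports
    return low <= port <= high


def nacl_allows(rules, ip, proto, port):
    """NACL semantics: rules are evaluated in ascending rule-number order and the
    first match decides; the implicit '*' rule at the end denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, ip, proto, port):
            return rule.action == "allow"
    return False


def sg_allows(rules, ip, proto, port):
    """Security group semantics: allow rules only; any match permits, no match drops."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot contain deny rules")
    return any(rule_matches(r, ip, proto, port) for r in rules)


def inbound_connection_ok(nacl_in, nacl_out, sg_in, pkt):
    """Trace a connection opened from outside the subnet to an instance inside it.
    The NACL is stateless, so the request (inbound) and the reply (outbound, back to
    the client's ephemeral source port) are both checked; the security group is
    stateful, so only the request is checked and the reply is allowed automatically."""
    if not nacl_allows(nacl_in, pkt.src, pkt.proto, pkt.dport):
        return "blocked: NACL inbound"
    if not sg_allows(sg_in, pkt.src, pkt.proto, pkt.dport):
        return "blocked: security group"
    if not nacl_allows(nacl_out, pkt.src, pkt.proto, pkt.sport):
        return "blocked: NACL outbound (reply to ephemeral port)"
    return "allowed"


# Constructed rule sets (assumptions for this example, not from the course).
NACL_IN = [
    Rule("tcp", "0.0.0.0/0", (443, 443), "allow", number=100),
    Rule("tcp", "0.0.0.0/0", (22, 22), "allow", number=110),
    Rule("tcp", "203.0.113.0/24", (0, 65535), "deny", number=90),   # lower number: beats rule 100
]
NACL_OUT_BAD = [Rule("tcp", "0.0.0.0/0", (443, 443), "allow", number=100)]       # forgot ephemeral ports
NACL_OUT_GOOD = [Rule("tcp", "0.0.0.0/0", (1024, 65535), "allow", number=100)]   # replies can leave
SG_WEB = [Rule("tcp", "0.0.0.0/0", (443, 443), "allow")]                         # instance-level: 443 only

HTTPS_FROM_CLIENT = Packet("198.51.100.7", "10.0.1.10", "tcp", 51515, 443)
HTTPS_FROM_BLOCKED_NET = Packet("203.0.113.5", "10.0.1.10", "tcp", 40000, 443)
SSH_FROM_CLIENT = Packet("198.51.100.7", "10.0.1.10", "tcp", 51516, 22)

if __name__ == "__main__":
    print(inbound_connection_ok(NACL_IN, NACL_OUT_GOOD, SG_WEB, HTTPS_FROM_CLIENT))
    print(inbound_connection_ok(NACL_IN, NACL_OUT_BAD, SG_WEB, HTTPS_FROM_CLIENT))
    print(inbound_connection_ok(NACL_IN, NACL_OUT_GOOD, SG_WEB, HTTPS_FROM_BLOCKED_NET))
    print(inbound_connection_ok(NACL_IN, NACL_OUT_GOOD, SG_WEB, SSH_FROM_CLIENT))
```

The SSH case shows the layering: the NACL lets port 22 into the subnet, but the instance's security group has no rule for it, so the packet is dropped at the ENI. Conversely, the deny rule 90 is the only way to block a specific network at all, since a security group has no "deny".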

VPC Flow Logs

Capture information about IP traffic going into and out of your interfaces:

  • VPC flow logs
  • subnet flow logs
  • elastic network interface flow logs
Helps to monitor & troubleshoot connectivity issues (a REJECT record shows traffic dropped by a security group or NACL)
Captures network information from AWS-managed interfaces too: ELB, ElastiCache, RDS, Aurora, etc. (some traffic is never logged, e.g. queries to the Amazon DNS resolver and requests to the instance metadata service)
VPC flow log data can go to S3 / CloudWatch Logs
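As an added example (not from the course), here is a small parser for flow log records in the default format, run over a handful of constructed lines: the account id, ENI id and addresses are made up, and the REJECT lines are written to look like one host probing several ports. The record layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) is the documented default; NODATA lines carry "-" in the traffic fields and must be handled rather than cast to int.

```python
from collections import defaultdict

# Constructed sample lines in the default flow log format; ids and addresses are made up.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.10 44311 22 6 4 240 1616300000 1616300059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.10 44312 23 6 4 240 1616300000 1616300059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.10 44313 3389 6 4 240 1616300000 1616300059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 51515 443 6 20 4000 1616300000 1616300059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 198.51.100.7 443 51515 6 19 30000 1616300000 1616300059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1616300060 1616300119 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_line(line):
    """Split one default-format record into a dict; '-' (NODATA/SKIPDATA) stays None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        record[field] = None if record[field] == "-" else int(record[field])
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records):
    """Destination ports on which each source was REJECTed (by a NACL or security group)."""
    ports = defaultdict(set)
    for record in records:
        if record["action"] == "REJECT":
            ports[record["srcaddr"]].add(record["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def suspected_scanners(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports: a cheap port-scan heuristic."""
    return sorted(src for src, p in rejected_ports_by_source(records).items() if len(p) >= min_ports)


def accepted_flows(records):
    """(src, dst, dstport) of ACCEPT records; one TCP connection appears twice,
    once per direction, because flows are keyed on the 5-tuple."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records if r["action"] == "ACCEPT"]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("rejected:", rejected_ports_by_source(records))
    print("scanners:", suspected_scanners(records))
    print("accepted:", accepted_flows(records))
```

A rejected record tells you that a security group or NACL dropped the traffic, but not which one; the preceding section's stateless-versus-stateful distinction is usually the first thing to check when the reply direction is what is missing.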

VPC Peering, Endpoints, VPN, DX

VPC Peering

Connect two VPCs privately using AWS' network
Make them behave as if they were in the same network
Must not have overlapping CIDRs (IP address ranges)
VPC peering connection is not transitive (A-B and B-C peered does not let A reach C); each VPC's route tables also need a route for the peer's CIDR pointing at the peering connection
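An added example, not from the course, that encodes the two peering constraints above: the CIDR-overlap check AWS performs before a peering is accepted, the per-VPC routes a peering needs, and the non-transitive reachability of a hub-and-spoke layout. The VPC names, CIDRs and pcx- ids are made-up assumptions.

```python
import ipaddress

# Constructed VPCs for this example (names and CIDRs are assumptions, not from the course).
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",   # inside vpc-a's range: peering with vpc-a must be refused
}


def cidrs_overlap(cidr_a, cidr_b):
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def create_peering(peerings, vpc_a, vpc_b):
    """Record a peering between two VPCs, refusing overlapping CIDRs (AWS rejects
    such a request because a route to the peer would be ambiguous).
    Returns a made-up peering connection id, or None when refused."""
    if cidrs_overlap(VPCS[vpc_a], VPCS[vpc_b]):
        return None
    pcx = f"pcx-{len(peerings) + 1:04d}"
    peerings[frozenset((vpc_a, vpc_b))] = pcx
    return pcx


def peering_routes(peerings, vpc):
    """Routes that vpc's route tables need: one per direct peering, sending the
    peer's CIDR to the peering connection. The peering alone moves no traffic."""
    routes = []
    for pair, pcx in peerings.items():
        if vpc in pair:
            (peer,) = pair - {vpc}
            routes.append((VPCS[peer], pcx))
    return sorted(routes)


def reachable(peerings, src, dst):
    """Peering is not transitive: only a direct peering carries traffic."""
    return frozenset((src, dst)) in peerings


def demo():
    peerings = {}
    create_peering(peerings, "vpc-a", "vpc-b")
    create_peering(peerings, "vpc-b", "vpc-c")
    return {
        "a_to_b": reachable(peerings, "vpc-a", "vpc-b"),
        "a_to_c": reachable(peerings, "vpc-a", "vpc-c"),        # False: vpc-b does not forward
        "routes_b": peering_routes(peerings, "vpc-b"),          # the hub needs one route per spoke
        "a_with_d": create_peering(peerings, "vpc-a", "vpc-d"),  # None: overlapping CIDRs
    }


if __name__ == "__main__":
    print(demo())
```

If spoke-to-spoke traffic is genuinely required, the options are a direct peering between every pair (n*(n-1)/2 connections) or a hub that actually routes, such as Transit Gateway; the course notes here only cover peering.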

VPC Endpoints

Allows you to connect to AWS services using a private network instead of the public internet
This gives you enhanced security and lower latency to access AWS services
2 types of VPC endpoints

  • gateway endpoint: S3 & DynamoDB (implemented as a route table entry pointing at the endpoint)
  • interface endpoint: the rest (an ENI with a private IP in your subnet, backed by PrivateLink)
Only used within your VPC

Site to Site VPN & Direct Connect

Site to Site VPN:

  • connect an on-premises VPN appliance to AWS
  • the connection is automatically encrypted
  • goes over the public internet
Direct Connect (DX)
  • establish a physical connection between on-premises and AWS
  • the connection is private, secure and fast (private, but not encrypted by itself; run a VPN over it if encryption in transit is required)
  • goes over a private network
  • takes at least a month to establish
Site to Site VPN and Direct Connect cannot access VPC endpoints (this holds for gateway endpoints; interface endpoints have a private IP in the VPC and are reachable from on-premises over VPN or DX)
