Summary of Stephane Maarek's course 「Ultimate AWS Certified Developer Associate 2021 - NEW!」
VPC, Subnets, IGW and NAT
VPC & Subnets Primer
VPC (virtual private cloud): private network to deploy your resources (regional resource) -> one default VPC per AWS region
Subnets allow you to partition your network inside your VPC (AZ resource)
- a public subnet: accessible from the internet
- a private subnet: not accessible from the internet
Route tables: define access to the internet and between subnets
Internet Gateway(IGW) & NAT Gateways
Internet gateways help our VPC instances connect with the internet
Public subnets have a route to the internet gateway
NAT gateways (AWS-managed) & NAT instances (self-managed) allow your instances in your private subnets to access the internet while remaining private
NACL, SG, VPC Flow Logs
Network ACL & Security Groups
NACL(network ACL): default NACL allows everything in & out
- a firewall that controls traffic to and from a subnet
- can have "allow" and "deny" rules
- are attached at the subnet level
- rules only include IP addresses
Security Groups
- a firewall that controls traffic to and from an ENI / an EC2 instance
- can have only “allow” rules
- rules include IP addresses and other security groups
VPC Flow Logs
Capture information about IP traffic going into your interfaces:
- VPC flow logs
- subnet flow logs
- elastic network interface flow logs
Helps to monitor & troubleshoot connectivity issues
Captures network information from AWS-managed interfaces too: ELB, ElastiCache, RDS, Aurora, etc.
VPC flow logs data can go to S3 / CloudWatch Logs
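As an added example (not part of the course notes), a small Python parser for the default VPC flow log record format (version 2) that counts REJECTed flows per destination address and port, which is the first check when troubleshooting "instance A cannot reach B"; the log lines, account id and ENI id below are constructed samples.

```python
"""Parse AWS VPC Flow Log records (default format, version 2) and
summarise the flows that were REJECTed, i.e. dropped by an SG or NACL."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Field order of the default flow log format (version 2), space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: two rejected SSH attempts, one accepted HTTPS flow,
# and one NODATA record (no traffic in the window, fields are '-').
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 49152 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.26 10.0.2.40 49153 22 6 2 120 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 49154 443 6 12 6400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]   # IANA protocol number, 6 = TCP
    action: str               # ACCEPT / REJECT / '-'
    log_status: str           # OK / NODATA / SKIPDATA

def _to_int(value):
    """NODATA/SKIPDATA records carry '-' where numbers would be."""
    return None if value == "-" else int(value)

def parse_record(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      _to_int(rec["srcport"]), _to_int(rec["dstport"]),
                      _to_int(rec["protocol"]), rec["action"], rec["log_status"])

def rejected_by_destination(lines):
    """Count REJECT records per (dstaddr, dstport). A cluster of rejects on
    one port usually means an SG or NACL rule for that port is missing."""
    counts = Counter()
    for rec in (parse_record(l) for l in lines if l.strip()):
        if rec.log_status == "OK" and rec.action == "REJECT":
            counts[(rec.dstaddr, rec.dstport)] += 1
    return counts

if __name__ == "__main__":
    print(rejected_by_destination(SAMPLE_LOG.splitlines()))
```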
VPC Peering, Endpoints, VPN, DX
VPC Peering
Connect two VPCs privately using AWS' network
Make them behave as if they were in the same network
Must not have overlapping CIDR (IP address range)
VPC peering connection is not transitive
VPC Endpoints
Allows you to connect to AWS services using a private network instead of the public www network
This gives you enhanced security and lower latency to access AWS services
2 types of VPC endpoints
- VPC endpoint gateway: S3 & DynamoDB
- VPC endpoint interface: the rest
Only used within your VPC
Site to Site VPN & Direct Connect
Site to Site VPN:
- connect an on-premises VPN to AWS
- the connection is automatically encrypted
- goes over the public internet
Direct Connect(DX)
- establish a physical connection between on-premises and AWS
- the connection is private, secure and fast
- goes over a private network
- takes at least a month to establish
Site to Site VPN and Direct Connect cannot access VPC endpoints