Sunday, 11 February 2018

AWS VPC

Overview
  • Logically isolated part of AWS network

Internet Gateway (IGW)
  • allows traffic to the Internet
  • Horizontally scaled
  • Max 5 per region
  • 1 per VPC
  • Acts as Equal Cost Multi-Path (ECMP) route to the set of AWS Internet routers

Egress-only Internet Gateway
  • Used for IPv6 to restrict inbound access (e.g. VPC using IPv6)
    • IPv6 addresses are publicly routable
  • Stateful (like a Security Group): no need for a separate "response" rule
  • For IPv4 use NAT gateway

Default VPC
  • /16
  • IGW attached
  • Main Route Table
    • Send all traffic destined for the Internet to IGW
  • Default Security Group
  • Default NACL
  • Default DHCP options set
    • DNS hostnames enabled
      • Opposite for regular VPC
  • Default Subnet in each AZ
    • Public
      • Can be made private by removing route 0.0.0.0/0->IGW
    • Instances get Public IP addresses unless you specify otherwise (opt-out)
        • Opposite for regular VPC (opt-in)
    • /20 (16 such subnets possible) each 4096 IP addresses

Security Groups (VPC)
  • Differences with EC2-Classic
    • Rules for outbound traffic
    • Cannot reference SG outside of AWS account
    • Association can be changed after instance launch
    • Multiple groups can be associated
      • ALLOW rules are unioned
  • Cannot block ranges of IPs (use NACL instead)
  • Rules applied immediately
    • Exception: Connection Tracking (already established connection)
  • Max 100 per region
    • Max 50 rules each group
  • Connection Tracking
    • "Stateful firewall"
    • UDP, TCP, ICMP
    • No need for outbound rules for response traffic (even though UDP/ICMP are not connection oriented, the SG can still track them)
    • Tracked flow may not be immediately interrupted
      • Use NACL to immediately interrupt (they are stateless)
    • Untracked flow is immediately interrupted
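
The union semantics above (several groups on one ENI, ALLOW rules only, group references as sources) as an added example; this is constructed model code, not AWS's implementation, and the group ids and rules are hypothetical:

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how VPC security group rules are evaluated; not AWS code.
# Only ALLOW rules exist, rules of all attached groups are unioned, and a
# stateful response needs no rule of its own.

@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int     # -1 means any port
    to_port: int
    source: str        # CIDR block, or the id of another security group

# Hypothetical group ids and rules, constructed for this example
GROUPS = {
    "sg-web":   [Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 80, 80, "0.0.0.0/0")],
    "sg-admin": [Rule("tcp", 22, 22, "10.0.0.0/16")],
    "sg-db":    [Rule("tcp", 3306, 3306, "sg-web")],
}

def rule_matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and rule.from_port != -1 \
            and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Group reference: matches when the sender's own ENI carries that group
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def inbound_allowed(attached, protocol, port, src_ip, src_groups=()):
    """Union semantics: one matching ALLOW rule in any attached group permits the flow."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for g in attached for r in GROUPS[g])

def world_open_rules(attached):
    """Audit helper: rules open to 0.0.0.0/0 (SGs cannot block ranges, so review these)."""
    return [(g, r) for g in attached for r in GROUPS[g] if r.source == "0.0.0.0/0"]
```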

IP Addresses
  • Private and Public IP addresses are NAT'ed between each other
  • Private
    • Primary always assigned to an instance (on default network interface)
    • From subnet range (e.g. 10.0.0.0/24)
    • If a publicly routable range is chosen as the private IP range, there is still no Internet access via the IGW
      • must use VGW, DX or VPN in such a case
    • Automatically assigned via DHCP
    • Secondary private IP addresses can be assigned manually to network interface
    • Retained when instance is stopped (corresponding EIP is also retained)
      • unlike EC2-Classic
  • Public
    • Attribute: enable auto-assigned Public IP (default Subnet = true, non-default = false)
    • Not retained after stop-start (reason to use EIP)

Elastic IP (EIP)
  • Public IP address that is allocated for the account
  • Region specific
  • If associated it has NAT to a single private IP address
  • Retained after stop-start
  • If attached to eth0 it replaces the existing public IP
  • Accessed by IGW (not accessible from VGW)
  • Each EIP can be associated with a private IP (primary or secondary)
    • ENI can have multiple EIPs
  • Separate EIP pool from EC2-Classic

VPC Flow logs
  • Capture traffic from/to VPC in Cloudwatch Logs
    • Level: VPC, Subnet, Elastic Network Interface
    • Log Stream: individual network interface
    • Filter: All, Accepted, Rejected
  • Not captured
    • DHCP traffic
    • Traffic to 169.254.169.254 (instance metadata)
    • Amazon DNS servers
  • Can be used to debug and analyze malicious traffic
  • Contains
    • Source: IP/port
    • Target: IP/port
    • Result: Accept/Reject
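
An added example of reading the records described above (source/target IP and port, Accept/Reject result): a parser for the default flow log record format (version 2) with a small detection pass over REJECTed flows. This is not code from the post; the log lines, account id and ENI id are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample records in the default VPC Flow Log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Account and ENI ids are placeholders.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51234 22 6 12 2048 1518300000 1518300060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51235 23 6 3 180 1518300001 1518300061 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51236 3389 6 3 180 1518300002 1518300062 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51237 445 6 3 180 1518300003 1518300063 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.20 198.51.100.9 44321 443 6 40 9000 1518300005 1518300065 ACCEPT OK
2 111111111111 eni-0a1b2c3d 192.0.2.17 10.0.1.20 40000 443 6 8 1200 1518300010 1518300070 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1518300010 1518300070 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA records carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejected_port_scan_candidates(records, min_ports=3):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

def bytes_by_action(records):
    """Accepted vs rejected byte totals, e.g. to see what a "Rejected" filter would keep."""
    totals = Counter()
    for rec in records:
        totals[rec["action"]] += rec["bytes"]
    return dict(totals)
```

Traffic to the instance metadata address, DHCP and the Amazon DNS servers never appears in these records, so absence of such flows in the output says nothing about whether they occurred.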

NAT
  • Actually NAPT (Network Address and Port Translation) as there is only a single outgoing IP address
  • Instances in private subnet can use NAT instance to access internet
    • Remain unreachable to the Internet
  • Runs in public subnet (IGW) and has EIP
  • Private subnet's route table points to NAT instance as default gateway (0.0.0.0/0)
  • AWS provides AMI (Amazon Linux based)
  • HA: requires 2 NAT instances and a script to take over (see References)
  • Possible bandwidth bottleneck
  • Source/Destination check enabled by default
    • Each instance must be the source or destination of any traffic it sends or receives
    • Not the case for a NAT instance (it forwards traffic), so the check must be disabled manually (ENI settings)
  • NAT Gateway released 2015/12/17
    • Managed - 10 Gbps bursty traffic
    • Private subnet still needs route entry
    • Unlike IGW or VGW each AZ has its own NAT Gateway

DHCPv4
  • Uses UDP 67 (server) / 68 (client)
  • Operation
    • Discovery: client broadcast 0.0.0.0 -> 255.255.255.255
    • Offer:  server response 10.0.0.1 -> 255.255.255.255 ("your IP is 10.0.0.4")
    • Request: client "which server selected" broadcast 0.0.0.0 -> 255.255.255.255 (others see it and withdraw)
    • Acknowledgement:  server->client lease duration, subnet mask, DNS servers, default gateway
    • From now on client uses 10.0.0.4 for communication
  • VPC DHCP Options
    • domain name servers (by default AmazonProvidedDNS on private IP .2)
    • domain name and domain-name-servers
      • Used in Directory Service "Simple Type" scenarios to make it easy to join the domain
    • ntp servers (UDP/123)
      • Use amazon vendor zone pool n.amazon.pool.ntp.org
    • netbios-name-servers: Windows
    • netbios-node-type: Windows - 2 recommended

DNS
  • AmazonDNS server mapped to .2 private IP address (e.g. 10.0.0.2)
  • Options
    • enableDnsHostnames - instances in the VPC get a DNS hostname
    • enableDnsSupport - enables Amazon DNS Server in VPC
      • Without it there is no DNS resolution
  • Private Hosted Zones - resolved by Amazon DNS Server
    • Split horizon


Dedicated instance
  • VPC tenancy { default, dedicated }
    • Cannot be changed later
  • Additional per region fee
  • EBS is still shared (not dedicated)
  • RDS instances not supported
  • Reserved Instances can be used
  • Instance price similar

ClassicLink
  • Allows EC2-Classic instances to talk to VPC instances directly (i.e. without a public IP)
  • EC2-Classic instance is linked to VPC
  • Enabling
    • Enable on VPC
    • On EC2-Classic instance click "Link to VPC"
    • Select Security Group

Multi VPC
  • Max 5 per region
  • Use cases
    • Application Isolation
    • Scope of Audit Containment
    • Risk-level separation
    • Separate production from non-production
    • Multi-tenant isolation
    • Business unit alignment

Elastic Network Interface
  • Can be attached/detached between instances (attributes follow the ENI)
  • Attributes
    • Primary private IP
      • Automatically created
      • 1+ secondary private IP may be added
    • 1 EIP per private IP address (either primary or secondary)
    • Public IP
      • Auto-assigned only when creating custom ENI for eth0
    • MAC address
    • Security Groups
    • Source/Destination check flag
      • disable when traffic is forwarded (e.g. NAT instance)
  • Each VPC EC2 Instance has default ENI (primary network interface)
    • Cannot be detached
  • Use Cases for multiple ENIs
    • Management network
    • Network and security appliances (LB, NAT)
    • Dual homed instances with distinct roles on network interfaces
    • Low budget, HA solution
  • Number of ENIs depends on instance
    • Max: c4.8xlarge: 8 ENIs with 30 IP addresses
  • Does not increase bandwidth
  • Can be used for Jumbo Frames (MTU 9001) on selected network path
    • Fragmentation slows down traffic so important to ensure whole path supports Jumbo Frames
  • ec2-net-utils
    • set of scripts to configure networking (e.g. when hot-adding ENI), e.g. ec2ifscan
  • Multiple public IP addresses
    • Must use EIPs (only 1 auto-assigned public IP is available)


References
