Concepts

VPC, or Virtual Private Cloud, is a cornerstone of AWS infrastructure that provides a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. Understanding VPC configurations is key to managing AWS environments effectively and is essential knowledge for the AWS Certified SysOps Administrator – Associate exam.

Subnets

A subnet is a range of IP addresses in your VPC. Subnets allow you to partition your VPC’s IP address range into separate segments that can be used to optimize resource allocation, improve security, and ensure that network traffic flows efficiently.

Each VPC is subdivided into subnets that are located within one Availability Zone. For instance, if your VPC has an IP address range of 10.0.0.0/16, you could create a subnet with a range of 10.0.1.0/24.

Public vs Private Subnets

  • Public Subnet: It uses a route table that directs traffic to the VPC’s internet gateway. Instances in a public subnet can be directly accessed from the internet if they have a public IP or Elastic IP address.
  • Private Subnet: It uses a route table that doesn’t have a route to the internet gateway. Instances here cannot directly access the internet; they might access the internet via a NAT gateway or NAT instance located in a public subnet.

Route Tables

Route tables contain rules, called routes, that determine where network traffic from your subnet or gateway is directed. Each VPC has a main route table by default, and you can create additional custom route tables. Each subnet must be associated with a route table, which controls the routing for the subnet.

Example of Route Table Entries:

Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw-abc123

In the table above, the first route sends all traffic destined for the local VPC to the “local” target, ensuring that instances within the same VPC can communicate with each other. The second route directs all other traffic (0.0.0.0/0) to the internet gateway (igw-abc123), allowing instances with public IPs to access the internet.

Network ACLs

A Network Access Control List (ACL) acts as a firewall for controlling traffic at the subnet level. By default, each VPC comes with a default network ACL that allows all inbound and outbound traffic. You can create custom Network ACLs with specific inbound and outbound rules.

Example Network ACL Rules:

Rule # Type Protocol Port Range Source Allow / Deny
100 HTTP TCP 80 0.0.0.0/0 ALLOW
120 SSH TCP 22 203.0.113.0/24 ALLOW
130 ALL ALL ALL 0.0.0.0/0 DENY

Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

Security Groups

Security groups act as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance, you associate it with one or more security groups. You can add rules to each security group that allow traffic to or from its associated instances.

Unlike Network ACLs, security groups are stateful – if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Example Security Group Rules:

Type Protocol Port Range Source Description
HTTP TCP 80 0.0.0.0/0 Allow all web traffic
SSH TCP 22 203.0.113.0/24 SSH access from corp

Comparing Network ACLs and Security Groups

Here’s a comparative look at some key differences:

Feature Network ACLs Security Groups
Scope Subnet level Instance level
Rules Stateless; Return traffic must be explicitly allowed by rules Stateful; Return traffic automatically allowed
Default Setting Allows all inbound and outbound Denies all inbound; Allows all outbound
Rule Evaluation Processes in order (lowest numbered rule first) Evaluates all rules before allowing traffic
Supports Allow and Deny Yes Only allows allow rules

To effectively interpret VPC configurations, it is critical to understand the use-cases and implications of subnets, route tables, network ACLs, and security groups, and how they interact to facilitate secure and efficient network architecture within AWS. Practitioners should ensure they apply the principle of least privilege, meaning every resource should only have the access that it absolutely needs to function.

Answer the Questions in Comment Section

True or False: VPC stands for Virtual Private Cloud, which is a virtual network dedicated to your AWS account.

  • 1) True

True, a VPC is a Virtual Private Cloud that provides a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

In a VPC, can you create a subnet that spans multiple Availability Zones?

  • 2) False

False, a subnet must reside entirely within one Availability Zone and cannot span zones.

Which AWS resource acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic?

  • A) Route Tables
  • B) Network ACLs
  • C) Security Groups
  • D) Internet Gateway

C) Security Groups, Security Groups act as a virtual firewall for instances to control inbound and outbound traffic at the instance level.

True or False: Network ACLs are stateful, meaning that they automatically return traffic for sessions that are initiated from within the subnet.

  • 4) False

False, Network ACLs are stateless; they do not keep track of the state of network connections. Each inbound and outbound packet is evaluated independently.

If a subnet doesn’t have a route to the internet gateway, what type of subnet is it classified as?

  • A) Private subnet
  • B) Public subnet
  • C) Isolated subnet
  • D) Both A and C are correct

D) Both A and C are correct, A subnet without a route to an internet gateway is considered a private subnet or an isolated subnet.

What is the purpose of an Internet Gateway within a VPC?

  • 6) True

False, you can have multiple routes in a single route table, one for each destination CIDR block that you want to define routing for.

Is it possible to associate a security group with a network interface at the instance and subnet level?

  • A) True, but only at the instance level.
  • B) True, but only at the subnet level.
  • C) True, at both the instance and subnet level.
  • D) False, you cannot associate a security group at any level.

C) True, at both the instance and subnet level., Security groups can be associated with network interfaces, allowing you to specify rules at both the instance level and subnet level.

True or False: By default, all outbound traffic is allowed in a VPC’s security group.

  • 10) True

True, by default, security groups allow all outbound traffic unless you add rules that specifically deny outbound traffic.

What happens if you create a VPC with the same CIDR block as another VPC in your account?

  • A) They will merge into a single VPC.
  • B) AWS will not allow the creation of overlapping CIDR blocks within the same account.
  • C) They will co-exist without any issues.
  • D) You will need to connect them with VPC peering for them to operate correctly.

B) AWS will not allow the creation of overlapping CIDR blocks within the same account., AWS does not allow the creation of VPCs with overlapping CIDR blocks within the same account to avoid IP addressing conflicts.

True or False: You can add or remove rules within a security group at any time, and the changes are applied immediately to all instances associated with the security group.

  • 12) True

True, any changes made to the security groups are applied immediately, affecting all instances associated with the security group.

0 0 votes
Article Rating
Subscribe
Notify of
guest
25 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Anjali Raval
8 months ago

Great post! Can someone explain the difference between a subnet and a route table?

Julian Espinoza
6 months ago

The explanation of Network ACLs was very helpful. Thanks!

Vivan Beck
7 months ago

Could someone clarify if Security Groups are stateful or stateless?

Babür Tanrıkulu
7 months ago

Fantastic overview of VPC configurations!

بهاره زارعی

Why would one use a Network ACL if Security Groups are already in place?

Annabel Fanebust
8 months ago

Appreciate the insights on route tables.

Shane Matthews
6 months ago

Does anyone have a good strategy for managing Security Groups?

Lea Christiansen
8 months ago

What are some best practices for subnet design?

25
0
Would love your thoughts, please comment.x
()
x