CPSC 4820 - DAY 8
FEBRUARY 15, 2018
================================================================================

The number after the slash in CIDR notation is the count of fixed (network)
bits, n. The remaining 32 - n bits can be 1 or 0, giving 2^(32 - n) addresses:
a /16 leaves 16 bits free (2^16 = 65,536 addresses), a /28 leaves 4 bits free
(2^4 = 16 addresses).

In every subnet, the first four and the last IP address are reserved for AWS
use, so the usable count is 2^(32 - n) - 5 (a /28 has 11 usable addresses).

Subnets
-------
+---------------------------------------+------------------------------------+
| Public Subnets                        | Private Subnets                    |
+---------------------------------------+------------------------------------+
| Include a routing table entry to an   | Do not have a routing table entry  |
| internet gateway to support inbound/  | to an internet gateway and are not |
| outbound access to the public internet| directly accessible from the public|
|                                       | internet. Typically use a NAT      |
|                                       | gateway or NAT instance to support |
|                                       | restricted outbound-only internet  |
|                                       | access; a bastion host ("jump box")|
|                                       | provides inbound admin access      |
+---------------------------------------+------------------------------------+

Recommendation: Start with one public and one private subnet per AZ.

How do you control VPC traffic?
-Route tables determine where network traffic is routed.
-Every VPC has a main route table; you can add custom route tables.
-Every VPC route table carries a local route for the VPC CIDR that cannot be
 removed; it is what lets subnets in the same VPC talk to each other.
-A subnet can be associated with only one route table (one route table can
 serve many subnets). A subnet with no explicit association uses the main
 route table.

Security Groups with VPC Traffic
--------------------------------
-Security groups are virtual firewalls that control inbound and outbound
 traffic for one or more instances.
-Deny all incoming traffic by default and use allow rules only (there are no
 deny rules) that can filter on TCP, UDP and ICMP protocols and port ranges.
-Are stateful, which means that if an inbound request is allowed, the
 outbound response is allowed without any outbound rule, and vice versa.
-Can define a source/target as either a CIDR block or another security
 group, so rules keep working as auto scaling adds and removes instances.
-Typically only add inbound rules.
-Allow all outbound traffic by default (the default outbound rule can be
 removed to restrict egress).
-Frequently have different inbound/outbound rules for each functional tier
 (web, application, database, etc.).
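The two pieces of arithmetic above (addresses per CIDR block, minus the five AWS keeps) and the public/private distinction (does the subnet's route table point at an internet gateway?) are small enough to check in code. The following is an added example, not part of the lecture notes or of any AWS tooling; it uses only the Python standard library, and the VPC CIDR, route tables and igw-/nat- identifiers in it are constructed sample data.

```python
"""Added example (not part of the lecture notes): CIDR sizing for AWS subnets
and public/private classification from a subnet's route table, using only the
standard library. The VPC, route tables and resource IDs below are constructed
sample data, not real resources."""
import ipaddress

RESERVED_LOW = 4    # network address, VPC router, DNS resolver, future use
RESERVED_HIGH = 1   # last address (would be broadcast; AWS does not support it)


def address_count(cidr: str) -> int:
    """Total addresses: the prefix length fixes n bits, the other 32 - n vary."""
    return 2 ** (32 - ipaddress.ip_network(cidr).prefixlen)


def reserved_addresses(cidr: str) -> list:
    """The five addresses AWS keeps in every subnet (first four and the last)."""
    net = ipaddress.ip_network(cidr)
    return [str(net[i]) for i in range(RESERVED_LOW)] + [str(net[-1])]


def usable_addresses(cidr: str) -> int:
    """Addresses an instance can actually be given in an AWS subnet."""
    return address_count(cidr) - RESERVED_LOW - RESERVED_HIGH


# A route is {"destination": CIDR, "target": "local" | "igw-..." | "nat-..."}.
# Every VPC route table carries the local route for the VPC CIDR.
VPC_CIDR = "10.0.0.0/16"
LOCAL = {"destination": VPC_CIDR, "target": "local"}
PUBLIC_RT = [LOCAL, {"destination": "0.0.0.0/0", "target": "igw-0a1b2c3d"}]   # sample ID
PRIVATE_RT = [LOCAL, {"destination": "0.0.0.0/0", "target": "nat-0e9f8a7b"}]  # sample ID
ISOLATED_RT = [LOCAL]   # no default route at all: no internet either way


def is_public_subnet(route_table: list) -> bool:
    """Public means: some route in the subnet's table targets an internet gateway."""
    return any(r["target"].startswith("igw-") for r in route_table)


def next_hop(route_table: list, dst_ip: str):
    """Longest-prefix match, as the VPC router does; None means no route (dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in route_table
               if dst in ipaddress.ip_network(r["destination"])]
    if not matches:
        return None
    best = max(matches, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)
    return best["target"]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/28"):
        print(cidr, address_count(cidr), "addresses,", usable_addresses(cidr), "usable")
    print("reserved in 10.0.2.0/28:", reserved_addresses("10.0.2.0/28"))
    print("public?", is_public_subnet(PUBLIC_RT), is_public_subnet(PRIVATE_RT))
    print("10.0.5.7 ->", next_hop(PRIVATE_RT, "10.0.5.7"),
          "| 8.8.8.8 ->", next_hop(PRIVATE_RT, "8.8.8.8"))
```

Note that a private subnet and an isolated subnet look the same to `is_public_subnet`; what separates them is whether a NAT target answers for 0.0.0.0/0, which is what `next_hop` reports.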
Network Access Control List (ACL)
---------------------------------
-Are optional virtual firewalls that control traffic in and out of a subnet.
-Use numbered allow or deny rules, evaluated lowest number first with the
 first match winning; the rules are stateless, so return traffic must be
 explicitly allowed in the other direction (including ephemeral ports).
-The default network ACL allows all incoming/outgoing traffic; a newly
 created custom ACL denies everything until rules are added.
-Enforce rules only at the boundary of the subnet, not at the instance level
 like security groups.

Internet Gateways
-----------------
-Allow communication between instances in your VPC and the internet.
-Are horizontally scaled, redundant, and highly available by default.

Default VPC
-----------
-Default CIDR is 172.31.0.0/16.
-If you don't specify a custom VPC, an instance is launched into a subnet of
 the default VPC.
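The stateful/stateless difference between the Security Groups section and the Network ACL section is the one that bites in practice, so here is a small model of both, as an added example that is not part of the lecture notes and not AWS code. It runs one HTTPS request and its reply through a security group (allow-only, connection-tracked) and through a network ACL (numbered allow/deny rules, first match wins, implicit final deny). The client and instance addresses, the sg-web group, the membership map and every rule are constructed sample data.

```python
"""Added example, not part of the lecture notes: a model of how a security
group (stateful, allow-only) and a network ACL (stateless, ordered allow/deny)
judge the same request/response flow. All addresses, IDs, rules and the
membership map are constructed sample data, not real AWS resources."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
# Constructed: instance IP -> security groups it belongs to. Used when a rule
# names a group (only security groups can do that; NACLs take CIDRs only).
SG_MEMBERS = {"10.0.1.10": {"sg-web"}}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance/subnet, "out" = leaving it
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


def _rule_matches(rule: dict, peer_ip: str, proto: str, port: int) -> bool:
    """rule = {proto, ports: (lo, hi), cidr}; proto "-1" means all protocols.
    'cidr' is the peer's address range or, for security groups, an sg- id."""
    if rule["proto"] not in ("-1", proto):
        return False
    lo, hi = rule["ports"]
    if not lo <= port <= hi:
        return False
    if rule["cidr"].startswith("sg-"):
        return rule["cidr"] in SG_MEMBERS.get(peer_ip, set())
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"])


class SecurityGroup:
    """Stateful: inbound is denied unless an allow rule matches, and the reply
    to a tracked inbound flow passes without consulting outbound rules."""

    def __init__(self, inbound: list, outbound: list):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()   # connection-tracking table

    def evaluate(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            if any(_rule_matches(r, pkt.src, pkt.proto, pkt.dst_port) for r in self.inbound):
                self.tracked.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
                return True
            return False
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto) in self.tracked:
            return True   # reply to an allowed request
        return any(_rule_matches(r, pkt.dst, pkt.proto, pkt.dst_port) for r in self.outbound)


class NetworkAcl:
    """Stateless: each direction judged on its own, rules in ascending number
    order, first match wins, implicit final deny (the '*' rule)."""

    def __init__(self, inbound: list, outbound: list):
        self.inbound = sorted(inbound, key=lambda r: r["number"])
        self.outbound = sorted(outbound, key=lambda r: r["number"])

    def evaluate(self, pkt: Packet) -> bool:
        rules, peer = ((self.inbound, pkt.src) if pkt.direction == "in"
                       else (self.outbound, pkt.dst))
        for r in rules:
            if _rule_matches(r, peer, pkt.proto, pkt.dst_port):
                return r["action"] == "allow"
        return False


# Constructed flow: an internet client opens HTTPS to a web instance, which replies.
REQUEST = Packet("in", "203.0.113.5", "10.0.1.10", "tcp", 51234, 443)
REPLY = Packet("out", "10.0.1.10", "203.0.113.5", "tcp", 443, 51234)


def security_group_flow() -> list:
    """Inbound 443 allowed, every outbound rule removed: the reply still passes."""
    sg = SecurityGroup(inbound=[{"proto": "tcp", "ports": (443, 443), "cidr": ANY}], outbound=[])
    return [sg.evaluate(REQUEST), sg.evaluate(REPLY)]


def nacl_flow(outbound_ports: tuple) -> list:
    """Same flow through a NACL: the reply lives or dies by the outbound rule.
    (443, 443) drops the reply to the client's ephemeral port; (1024, 65535) passes it."""
    acl = NetworkAcl(
        inbound=[{"number": 100, "action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": ANY}],
        outbound=[{"number": 100, "action": "allow", "proto": "tcp", "ports": outbound_ports, "cidr": ANY}])
    return [acl.evaluate(REQUEST), acl.evaluate(REPLY)]


def nacl_ordering() -> bool:
    """A lower-numbered deny wins over a later allow for the same port."""
    acl = NetworkAcl(
        inbound=[{"number": 90, "action": "deny", "proto": "tcp", "ports": (443, 443), "cidr": "203.0.113.0/24"},
                 {"number": 100, "action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": ANY}],
        outbound=[])
    return acl.evaluate(REQUEST)


def sg_reference() -> list:
    """App tier accepts 8080 only from members of sg-web, whatever their IP."""
    app = SecurityGroup(inbound=[{"proto": "tcp", "ports": (8080, 8080), "cidr": "sg-web"}], outbound=[])
    from_web = Packet("in", "10.0.1.10", "10.0.2.20", "tcp", 40000, 8080)
    from_other = Packet("in", "10.0.1.99", "10.0.2.20", "tcp", 40000, 8080)
    return [app.evaluate(from_web), app.evaluate(from_other)]
```

The `nacl_flow((443, 443))` case is the classic mistake: the inbound rule is fine, but because the ACL keeps no state the server's reply to port 51234 hits the outbound rules on its own and is dropped. The security group needs no such ephemeral-port rule, which is why the notes say you "typically only add inbound rules" to it.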