VPC

A VPC is a virtual network in AWS. It can imitate your local data center, but with all the benefits of the cloud's scalable infrastructure. VPCs are made up of Classless Inter-Domain Routing (CIDR) blocks; a CIDR block consists of two number sets (the network address and the prefix length).

AWS provides a default VPC in each AWS Region. Each of those default VPCs also has a public subnet in each [...].

SUBNETS

Subnets are defined as
  public: for publicly available resources
  private: for resources that only need to be accessed internally and therefore do not need a public IP address.

To let resources in a private subnet reach the internet, you need a Network Address Translation (NAT) device that maps multiple of your private IPv4 addresses to a single public IPv4.
  NAT Instance - your own NAT device, running on EC2

ROUTE TABLES

Create route tables, which are sets of rules that you can associate with a subnet (custom route tables). [...] have a custom route table attached.

SECURITY GROUPS

Security Groups (SG) define allow rules for your traffic - inbound or outbound. They enable traffic filtering based on [...] by attached network interfaces. SGs operate on instance level and are stateful.

Inbound Rules
  Type   Protocol  Port Range  Source
  HTTP   TCP       80          0.0.0.0/0
  HTTP   TCP       80          ::/0
  SSH    TCP       22          0.0.0.0/0
  [...]  TCP       3306        [...]
  [...]  TCP       1433        [...]

NETWORK ACLs

Network Access Control Lists (NACLs) act as a firewall on network level. They can hold one or multiple allow and/or deny rules. Each subnet must be assigned to a network ACL, and return traffic must be explicitly allowed (NACLs are stateless).

  Rule  Type   Protocol  Port Range  Source        Allow/Deny
  100   HTTPS  TCP       443         0.0.0.0/0     ALLOW
  110   SSH    TCP       22          192.0.2.0/24  ALLOW

FLOW LOGS

You can monitor your VPC via Flow Logs. Those logs capture the IP traffic going to and from network interfaces over the network.

  [...] eni-5123b7ac012345678 219.42.22.48 172.16.0.101 [...] ACCEPT OK
  [...] eni-5123b7ac012345678 172.31.16.139 219.42.22.48 [...] REJECT OK

PEERING

Peering connections allow you to route traffic between two VPCs as if they were in the same VPC. It also allows you to [...] additional costs. CIDR blocks for your VPCs can't overlap.

VPC SHARING

Participating accounts can launch resources into the centrally-managed subnets but still be in full control of their resources. Participating accounts can't modify resources in shared subnets that they do not own. This allows for a fine-grained separation of accounts for billing and access control, but still having components with high interconnectivity.

  Organization Root
    Account A
    Account B

DHCP OPTION SETS

You don't need to manually assign IP addresses to your resources but can rely on DHCP servers that are using the Dynamic Host Configuration Protocol. Amazon VPC allows you to further control the information returned by the AWS-managed DHCP servers via DHCP option sets. This for example allows you to use your own domain name server for domain name resolution in your network.

IAM INTEGRATION

VPC shares its API namespace with Amazon EC2. Create roles and policies to define which principal can perform actions on what resources, and under what conditions.

PREFIX LISTS

You're able to bind one or several CIDR blocks into a prefix list that can later be used within your security groups or route tables. This reduces the effort of referencing each of the CIDR blocks individually.
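The stateful/stateless distinction between security groups and NACLs above is easy to state and easy to get wrong in practice. The following Python script is an added example, not part of the cheat sheet or of any AWS tooling: it models NACL evaluation (rules checked in ascending rule-number order, first match wins, implicit deny at the end) against the two inbound rules from the NACL table, and shows that the reply to an allowed HTTPS request is dropped unless an outbound rule covers the client's ephemeral port. The client address 203.0.113.5, the ephemeral port 49152 and the extra deny rule are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # NACL rules are evaluated in ascending order; first match wins
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str       # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int         # the port the rule is matched against (destination port of the packet)
    addr: str         # source address for inbound evaluation, destination address for outbound


def evaluate(rules, packet):
    """Return "ALLOW" or "DENY" for a packet under a stateless NACL rule set."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if not (rule.port_from <= packet.port <= rule.port_to):
            continue
        network = ipaddress.ip_network(rule.cidr, strict=False)
        if ipaddress.ip_address(packet.addr) not in network:
            continue
        return rule.action
    return "DENY"  # the implicit final "*" rule of every NACL


# Inbound rules as listed in the cheat sheet's NACL table
INBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    NaclRule(110, "tcp", 22, 22, "192.0.2.0/24", "ALLOW"),
]

# Two candidate outbound rule sets: none at all, and one covering ephemeral ports
OUTBOUND_EMPTY = []
OUTBOUND_EPHEMERAL = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW")]

# Constructed example: a lower-numbered DENY placed in front of the allow rules
INBOUND_WITH_BLOCK = [NaclRule(90, "tcp", 443, 443, "198.51.100.0/24", "DENY")] + INBOUND


def nacl_session_outcome(inbound, outbound, client_ip, client_port=49152):
    """(request verdict, reply verdict) for an HTTPS connection through a NACL.

    The reply travels outbound to the client's ephemeral port, so it needs its
    own outbound rule: the NACL does not remember that the request was allowed.
    """
    request = evaluate(inbound, Packet("tcp", 443, client_ip))
    reply = evaluate(outbound, Packet("tcp", client_port, client_ip))
    return request, reply


def security_group_session_outcome(inbound, client_ip):
    """Same connection through a security group: connection tracking admits the
    reply of any allowed request, so no outbound rule is consulted for it."""
    request = evaluate(inbound, Packet("tcp", 443, client_ip))
    return request, request


if __name__ == "__main__":
    print("NACL, no outbound rules:  ", nacl_session_outcome(INBOUND, OUTBOUND_EMPTY, "203.0.113.5"))
    print("NACL, ephemeral allowed:  ", nacl_session_outcome(INBOUND, OUTBOUND_EPHEMERAL, "203.0.113.5"))
    print("Security group:           ", security_group_session_outcome(INBOUND, "203.0.113.5"))
    print("SSH from outside 192.0.2.0/24:", evaluate(INBOUND, Packet("tcp", 22, "198.51.100.7")))
    print("HTTPS from blocked range: ", evaluate(INBOUND_WITH_BLOCK, Packet("tcp", 443, "198.51.100.7")))
```

The first two printed lines are the point: with the table's inbound rules alone, the HTTPS request is accepted but its reply is denied, and the connection stalls; a dropped reply shows up in Flow Logs as a REJECT on the outbound side, which is a useful thing to look for when a subnet with a new NACL "can't be reached". The deny-rule case also shows why rule numbering matters: a DENY with a lower number takes precedence over a later ALLOW that would otherwise match.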