VPC.txt (forked from avizway1/june2024)
VPC : Virtual Private Cloud : the networking part of AWS.
Public IP : unique across the globe (routable on the Internet).
Private IP : unique only within its own network (internal, not routable on the Internet).
IPv4 : 32 bit : 2^32
IPv6 : 128 bit : 2^128
The commands below show the private IP information of your machine:
ipconfig /all --> Windows
ip addr (or) ifconfig --> Linux
To know the public IP of your network, go to any of these websites:
https://whatismyipaddress.com/
https://www.whatismyip.com/
https://iplocation.io/
IPv4 : 5 classes
Class A : 0.0.0.0 - 126.255.255.255 (first octet 0-126)
Class B : 128.0.0.0 - 191.255.255.255 (128-191)
Class C : 192.0.0.0 - 223.255.255.255 (192-223)
Class D : 224.0.0.0 - 239.255.255.255 : multicast
Class E : 240.0.0.0 - 255.255.255.255 : reserved / experimental (R&D)
127.0.0.0/8 : loopback / localhost
Example: 10 laptops that only need to talk to each other. Use private IP addresses (RFC 1918) for the internal communication: they cost nothing, need no allocation from an ISP and are not routable on the Internet.
Private ranges:
Class A : 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Class B : 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Class C : 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
Network : a group of interconnected hosts that can communicate with each other.
Host : a device within the network.
Questions to answer before choosing an address range:
How many networks do we require?
How many hosts do we require in each network?
Class A : N.H.H.H : 126 usable networks (first octet 1-126), each network has 2^24 = 16,777,216 addresses (~16M hosts).
Class B : N.N.H.H : 16,384 networks, each network has 2^16 = 65,536 addresses (65,534 usable hosts).
Class C : N.N.N.H : 2,097,152 networks, each network has 256 addresses (254 usable hosts).
ISP : Internet Service Provider.
N.N.N.H : the first three octets identify the network, the last octet the host:
192.168.0.(0-255) : 192.168.0.1 / 2 / 3 / 4 / 5 .. 255
192.168.1.(0-255) : 192.168.1.1 / 2 / 3 / 4 / 5 .. 255
192.168.2.(0-255) : 192.168.2.1 / 2 / 3 / 4 / 5 .. 255
AWS reserves 5 IPs in every subnet, so usable IPs = 2^(32 - prefix length) - 5 (the /32, /31 and /30 rows are shown only for the arithmetic; AWS does not allow subnets smaller than /28):
/32 ==> 32-32=0 -> 2^0 = 1
/31 ==> 32-31=1 -> 2^1 = 2
/30 ==> 32-30=2 -> 2^2 = 4
/28 ==> 32-28=4 -> 2^4 = 16 - 5 = 11 Usable IPs
/24 ==> 32-24=8 -> 2^8 = 256 - 5 = 251 Usable IPs
/23 ==> 32-23=9 -> 2^9 = 512 - 5 = 507 Usable IPs
/16 ==> 32-16=16 -> 2^16 = 65536 - 5 = 65531 Usable IPs
____________
In regular networks, 2 IPs are reserved and cannot be used: the first IP (network ID) and the last IP (broadcast address).
In AWS, three more are reserved, so 5 IPs per subnet are not usable. For 192.168.0.0/24 they are:
--> 192.168.0.0   : network address
--> 192.168.0.1   : VPC router (the default gateway of the subnet)
--> 192.168.0.2   : Amazon-provided DNS resolver (base of the range + 2; AWS reserves this address in every subnet)
--> 192.168.0.3   : reserved by AWS for future use
--> 192.168.0.255 : broadcast address (AWS does not support broadcast inside a VPC, but the address is still reserved)
Prefix length -> number of addresses:
/32 /31 /30 /29 /28 /27 /26 /25 /24 .. /16 .. /0
2^0 2^1 2^2 2^3 2^4 2^5 2^6 2^7 2^8 2^16 2^32
1 2 4 8 16 32 64 128 256 65536 ~4.3 billion
/24 : Usable IPs : ..??
32-24 = 8 -> 2^8 = 256 - 5 = 251 Usable IPs
==> AWS supports a minimum subnet size of /28 and a maximum of /16 (the same limits apply to the VPC CIDR itself).
Minimum : 32-28 = 4 ==> 2^4 = 16 IPs - 5 reserved = 11 Usable IPs
Maximum : 32-16 = 16 ==> 2^16 = 65536 - 5 reserved = 65531 Usable IPs
https://www.davidc.net/sites/default/subnets/subnets.html
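The subnet arithmetic above, as an added example that is not part of the course notes: it lists the five addresses AWS keeps back in a given subnet, computes usable hosts for AWS (5 reserved) versus a plain LAN (2 reserved), and rejects blocks outside the /16../28 range. Only the Python standard library is used, so it runs offline; the sample subnets are the ones from the notes.

```python
import ipaddress

# Added example (not part of the course notes): the five addresses AWS keeps
# back in every subnet, and the usable-IP arithmetic of the table above.
# Standard library only, so it runs offline.

AWS_RESERVED = 5          # per subnet: network, VPC router, DNS, future use, broadcast
LAN_RESERVED = 2          # classic LAN: network ID and broadcast only
MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS allows VPC/subnet blocks from /16 down to /28


def is_valid_aws_block(cidr):
    """True if cidr is a proper IPv4 block (no host bits set) in the /16../28 range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.version == 4 and MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def aws_reserved_addresses(cidr):
    """The 5 addresses in a subnet that no instance can ever be given."""
    if not is_valid_aws_block(cidr):
        raise ValueError(f"{cidr} is not a valid AWS subnet block (/16../28)")
    net = ipaddress.ip_network(cidr)
    base = int(net.network_address)
    return {
        "network":    str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns":        str(ipaddress.ip_address(base + 2)),   # base of the range + 2
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast":  str(net.broadcast_address),            # last address of the block
    }


def usable_hosts(cidr, reserved=AWS_RESERVED):
    """2^(32 - prefix) minus the reserved addresses: 5 in AWS, 2 on a plain LAN."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - reserved


def usable_table(prefixes=(28, 27, 26, 25, 24, 23, 22, 20, 16)):
    """prefix -> (total addresses, usable in AWS) for the rows of the notes' table."""
    return {p: (2 ** (32 - p), 2 ** (32 - p) - AWS_RESERVED) for p in prefixes}


if __name__ == "__main__":
    for p, (total, usable) in usable_table().items():
        print(f"/{p:<3} {total:>6} addresses, {usable:>6} usable in AWS")
    for name, addr in aws_reserved_addresses("192.168.0.0/24").items():
        print(f"{name:<11}{addr}")
```

Run it as a script to print the table; `is_valid_aws_block` is the check worth keeping around, because `10.0.0.1/24` (host bits set) and `/29` are both accepted by a careless calculator and rejected by the AWS API.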
=======================================================================================
https://www.youtube.com/watch?v=zWW27SYFx6c&list=PLneBjIzDLECkLfCzg4O6iNzt84QpoNs8D&index=3
=======================================================================================
D: 01/08/2024
VPC : Virtual Private Cloud : a Region-specific service. A VPC lives in one Region and its subnets are spread across that Region's Availability Zones.
CIDR : Classless Inter-Domain Routing : the prefix notation (e.g. 192.168.0.0/22) used for the VPC and subnet address blocks. Before choosing one, decide:
--> How big a network do we require?
--> How many instances/resources are we going to launch? (predict growth: the primary VPC CIDR cannot be changed afterwards, only secondary CIDRs can be added)
Public Subnet : Internet-facing subnet (its route table has a route to an Internet Gateway).
Private Subnet : Non-Internet-facing subnet (no route to an Internet Gateway).
How big a VPC do we require? Ans : 800 instances -> 192.168.0.0/22 (1024 IPs)
How many subnets do we require within the VPC? Ans : 4 (2 public & 2 private)
How many public subnets are required within the VPC? Ans : 2 : 192.168.0.0/24 & 192.168.1.0/24
How many private subnets are required within the VPC? Ans : 2 : 192.168.2.0/25 & 192.168.2.128/25
Are we going to create any subnets in future? Ans : Yes, keep some IPs for future use: 192.168.3.0/24 is left unallocated.
Check the arithmetic: after the 5 reserved addresses per subnet these four subnets give 251 + 251 + 123 + 123 = 748 usable IPs, so the spare /24 is needed to actually reach 800 instances.
VPC CIDR : 192.168.0.0/22
Public-SN-1A : ap-south-1a : 192.168.0.0/24
Public-SN-1B : ap-south-1b : 192.168.1.0/24
Private-SN-1A : ap-south-1a : 192.168.2.0/25
Private-SN-1B : ap-south-1b : 192.168.2.128/25
192.168.0.0/18 - VPC CIDR
192.168.0.0/21 - Web-SN-1A - ap-south-1a
192.168.8.0/21 - Web-SN-1B - ap-south-1b
192.168.16.0/21 - App-SN-1A - ap-south-1a
192.168.24.0/21 - App-SN-1B - ap-south-1b
192.168.32.0/21 - DB-SN-1A - ap-south-1a
192.168.40.0/21 - DB-SN-1B - ap-south-1b
192.168.48.0/20 - Future usage
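A validator for subnet plans like the /22 and /18 layouts above, added here as an example and not part of the course material. It checks that every subnet sits inside the VPC CIDR, that no two subnets overlap, that each block is within the /16../28 limits AWS accepts, and it reports the space still free for future subnets, the usable IPs after AWS's 5 reserved addresses, and how many subnets land in each AZ. The subnet names and AZs are the ones in the notes; nothing calls AWS.

```python
import ipaddress
from collections import Counter

# Added example (not course code): validate a VPC subnet plan offline.
# Standard library only.

AWS_RESERVED = 5          # addresses AWS keeps back in every subnet


def _subtract(blocks, net):
    """Remove `net` from a list of CIDR blocks. Two CIDR blocks either nest
    or are disjoint, so partial overlap never has to be handled."""
    out = []
    for blk in blocks:
        if blk.subnet_of(net):            # block fully consumed by the subnet
            continue
        if net.subnet_of(blk):            # carve the subnet out of the block
            out.extend(blk.address_exclude(net))
        else:                             # disjoint, keep as is
            out.append(blk)
    return out


def validate_plan(vpc_cidr, subnets):
    """subnets: iterable of (name, az, cidr).
    Returns (problems, free_blocks, usable_ips, subnets_per_az)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, placed, usable = [], [], 0
    per_az = Counter()
    for name, az, cidr in subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: {cidr} is outside the /16../28 range AWS allows")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside VPC {vpc_cidr}")
            continue
        for other_name, other in placed:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} {other}")
        placed.append((name, net))
        usable += net.num_addresses - AWS_RESERVED
        per_az[az] += 1
    free = [vpc]
    for _, net in placed:
        free = _subtract(free, net)
    free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    return problems, [str(b) for b in free], usable, dict(per_az)


# The /22 plan from the notes.
PLAN_22 = [
    ("Public-SN-1A",  "ap-south-1a", "192.168.0.0/24"),
    ("Public-SN-1B",  "ap-south-1b", "192.168.1.0/24"),
    ("Private-SN-1A", "ap-south-1a", "192.168.2.0/25"),
    ("Private-SN-1B", "ap-south-1b", "192.168.2.128/25"),
]

# The /18 three-tier plan from the notes (the /20 at the end is left free).
PLAN_18 = [
    ("Web-SN-1A", "ap-south-1a", "192.168.0.0/21"),
    ("Web-SN-1B", "ap-south-1b", "192.168.8.0/21"),
    ("App-SN-1A", "ap-south-1a", "192.168.16.0/21"),
    ("App-SN-1B", "ap-south-1b", "192.168.24.0/21"),
    ("DB-SN-1A",  "ap-south-1a", "192.168.32.0/21"),
    ("DB-SN-1B",  "ap-south-1b", "192.168.40.0/21"),
]

if __name__ == "__main__":
    for vpc_cidr, plan in (("192.168.0.0/22", PLAN_22), ("192.168.0.0/18", PLAN_18)):
        problems, free, usable, per_az = validate_plan(vpc_cidr, plan)
        print(vpc_cidr, "problems:", problems or "none")
        print("  free for future subnets:", free)
        print("  usable IPs:", usable, "subnets per AZ:", per_az)
```

For the /22 plan the free list comes back as exactly the 192.168.3.0/24 the notes keep for later, and for the /18 plan as 192.168.48.0/20. Feeding it a subnet that straddles an existing one, or one from a different private range, produces a problem line instead of silently succeeding, which is the mistake the AWS console would only report after you had created half the subnets.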
Web/Public -> 2 subnets (ap-south-1a & ap-south-1b) to run the ELB
App -> 2 more subnets (ap-south-1a & ap-south-1b) for the application servers
DB -> 2 more subnets (ap-south-1a & ap-south-1b) for the DB servers
Lambda -> 2 more subnets (ap-south-1a & ap-south-1b) for VPC-attached Lambda functions
Public Subnets : place public subnet-1 in ap-south-1a and public subnet-2 in ap-south-1b.
Private Subnets : place private subnet-1 in ap-south-1a and the other one in ap-south-1b (one subnet per AZ, so that the failure of one AZ does not take a tier down).
Public Subnet : Internet facing : ELB, Jump/Bastion host.
Private Subnet : DBs, application and web servers (reached only through the ELB or the bastion, never directly from the Internet).
Step 1 : Create a VPC.
VPC Name : CustomVPC VPC CIDR : 192.168.0.0/22
Step 2 : Create subnets within CustomVPC.
Public-SN-1A : ap-south-1a : 192.168.0.0/24
Public-SN-1B : ap-south-1b : 192.168.1.0/24
Private-SN-1A : ap-south-1a : 192.168.2.0/25
Private-SN-1B : ap-south-1b : 192.168.2.128/25
Step 3 : Create an Internet Gateway and attach it to CustomVPC.
--> One VPC can have only one IGW attached.
Step 4 : Create route tables, associate the appropriate subnets and add the required routes.
--> PublicRoute : go to Subnet Associations and choose all "Public Subnets". Navigate to "Routes" and add a route via the IGW (0.0.0.0/0 --> IGW).
--> PrivateRoute : go to Subnet Associations and choose the "Private Subnets". DON'T ADD A ROUTE TO THE INTERNET GATEWAY. Every route table already contains the "local" route for the VPC CIDR, so subnets can reach each other without any extra route.
--> Subnets not associated with a custom route table use the VPC's main route table, so keep the main route table free of an IGW route; otherwise a forgotten subnet silently becomes public.
Step 5 (Optional) : Navigate to Subnets, choose the "Public Subnets", Actions, "Modify auto assign public IP settings", Enable. Do this only for public subnets: a public IP in a subnet without an IGW route is unreachable anyway.
Step 6 (Optional) : Go to the VPC, "Edit VPC settings", and enable "DNS hostnames" to get DNS host names. It is required for our RDS clusters.
JUMP Server / Bastion Host : a dedicated EC2 instance running in CustomVPC's public subnet, used as the single entry point to connect to all the EC2 instances in the "Private Subnets". Restrict its security group to your office/VPN IP range, and allow SSH/RDP into the private instances only from the bastion's security group.
___________
Task 1 : Create a VPC with 2 subnets (1 public subnet and 1 private subnet).
1 Public Subnet (ap-south-1a)
1 Private Subnet (ap-south-1b)
Task 2 : Create a VPC with 4 subnets (2 public subnets and 2 private subnets).
2 Public Subnets (ap-south-1a, ap-south-1b)
2 Private Subnets (ap-south-1a, ap-south-1b)
---------
Task 3 : Create a CustomVPC, launch a JUMP server in CustomVPC's PUBLIC subnet (use a WINDOWS AMI), then launch another EC2 instance (Amazon Linux 2) in CustomVPC's PRIVATE subnet. Connect to the Linux instance from the jump server.
Task 4 : Create a CustomVPC, launch a JUMP server in CustomVPC's PUBLIC subnet (use a LINUX AMI), then launch another EC2 instance (Amazon Linux 2) in CustomVPC's PRIVATE subnet. Connect to the Linux instance from the jump server (prefer SSH agent forwarding over copying private keys onto the bastion).
================================================================================
PublicRoute : add 0.0.0.0/0 via the Internet Gateway.
PrivateRoute without internet : local route only, no NAT.
PrivateRoute with internet : create a NAT Gateway and add 0.0.0.0/0 via the NAT Gateway.
VPC NAT Gateway (NOT free-tier eligible: billed per hour plus per GB processed) : designed to give private subnet resources outbound Internet access while keeping them unreachable from the Internet (NAT does not accept inbound connections). A public NAT Gateway always runs in a public subnet of the VPC and needs an Elastic IP (EIP). Create one per AZ if the private subnets must survive an AZ failure.
Private subnet EC2 instances need Internet access when they have to reach something hosted on the Internet: package repositories for patching, external APIs, SaaS endpoints.
--> Edit PrivateRoute and add an entry 0.0.0.0/0 via the NAT Gateway. The NAT Gateway's own (public) subnet must have 0.0.0.0/0 via the IGW, otherwise the NAT itself has no path out.
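A small model of the route tables built in Step 4 and in the NAT section above, added as an example and not taken from the course. It shows what actually makes a subnet "public" (a 0.0.0.0/0 route whose target is the Internet Gateway), how the VPC router picks a route (longest prefix match, so the "local" route always wins for VPC addresses), and what a private subnet gets with and without a NAT Gateway. The gateway IDs `igw-0example` and `nat-0example` are placeholders, 203.0.113.10 is a TEST-NET-3 address standing in for "some host on the Internet", and nothing talks to AWS.

```python
import ipaddress

# Added example (not from the course): route-table model for Step 4 / NAT.
# Targets are plain labels; no AWS API is used.

LOCAL = "local"     # AWS adds this target for the VPC CIDR to every route table


def route_table(vpc_cidr, *routes):
    """routes: (destination_cidr, target) pairs, e.g. ("0.0.0.0/0", "igw-...")."""
    table = [(ipaddress.ip_network(vpc_cidr), LOCAL)]
    table += [(ipaddress.ip_network(dst), target) for dst, target in routes]
    return table


def next_hop(table, dst_ip):
    """Longest-prefix match: the most specific route wins, regardless of order.
    Returns the target, or None when no route matches (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_egress(table):
    """'igw', 'nat' or None: how traffic to an Internet address leaves the subnet."""
    target = next_hop(table, "203.0.113.10")       # TEST-NET-3, i.e. "the Internet"
    if target is None or target == LOCAL:
        return None
    if target.startswith("igw-"):
        return "igw"
    if target.startswith("nat-"):
        return "nat"
    return target


def is_public_subnet(table):
    """AWS's definition of a public subnet: a default route to an IGW. Enabling
    auto-assign public IP on a subnet without this route gives instances an
    address nobody can reach."""
    return internet_egress(table) == "igw"


VPC = "192.168.0.0/22"
PUBLIC_ROUTE     = route_table(VPC, ("0.0.0.0/0", "igw-0example"))   # placeholder IGW id
PRIVATE_NO_NAT   = route_table(VPC)                                  # local route only
PRIVATE_WITH_NAT = route_table(VPC, ("0.0.0.0/0", "nat-0example"))   # placeholder NAT id

if __name__ == "__main__":
    for name, table in (("PublicRoute", PUBLIC_ROUTE),
                        ("PrivateRoute", PRIVATE_NO_NAT),
                        ("PrivateRoute+NAT", PRIVATE_WITH_NAT)):
        print(f"{name:<18} egress={internet_egress(table)} "
              f"to 192.168.2.10 -> {next_hop(table, '192.168.2.10')}")
```

The point of `next_hop` is that adding 0.0.0.0/0 to the public table does not send VPC-internal traffic to the IGW: 192.168.2.10 still matches the /22 "local" route because it is more specific. The point of `internet_egress` is the check to run when an instance "has a public IP but cannot be reached": it tells you whether the subnet's route table really sends default traffic to an IGW, to a NAT (outbound only), or nowhere.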
____________________________________________________________________________________
Enable logging at the VPC :
Flow Logs : capture metadata about the IP traffic of network interfaces (source, destination, ports, protocol, packets, bytes, ACCEPT/REJECT), not the packet payload. We can enable flow logs at
--> VPC level (every ENI in the VPC)
--> Subnet level
--> Network interface (ENI) level, which is how you log a single instance
We can choose the destination as 1. S3 bucket 2. CloudWatch Logs log group 3. Kinesis Data Firehose.
--------------------------------
Permissions for the flow logs role policy (CloudWatch Logs destination) :
--> create a policy and add the permissions below to it (in production, narrow "Resource" from "*" to the ARN of the flow-log log group so the role cannot write into other log groups)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
---
Create a role and attach the above policy to it.
Set the trusted entity (trust policy) as below, so that only the VPC Flow Logs service can assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
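Once flow logs are landing in S3 or CloudWatch Logs they are only useful if something reads them. The following parser and two detections are an added example, not part of the course: they handle the default version-2 record format (the field order in `FIELDS`), skip NODATA/SKIPDATA rows, flag a source that had REJECTs against many different ports of one interface (a port scan against the private subnet), and flag SSH that was ACCEPTed from a source outside the VPC CIDR, which in the bastion design above should never happen. The log lines, account ID, ENI ID and addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the course): parse default-format VPC flow log
# records and run two detections over them. Sample data is constructed.

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed records: one scanner hitting six ports (REJECT), one SSH session
# from the bastion's subnet (ACCEPT), one SSH session from outside the VPC
# (ACCEPT), and one NODATA row. Account, ENI and IPs are placeholders.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 192.168.2.10 54321 22 6 3 180 1722500000 1722500059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 192.168.2.10 54322 23 6 3 180 1722500000 1722500059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 192.168.2.10 54323 80 6 3 180 1722500000 1722500059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 192.168.2.10 54324 443 6 3 180 1722500000 1722500059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 192.168.2.10 54325 3389 6 3 180 1722500000 1722500059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 192.168.2.10 54326 8080 6 3 180 1722500000 1722500059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.0.25 192.168.2.10 49152 22 6 20 4500 1722500100 1722500160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 192.168.2.10 40001 22 6 12 2600 1722500200 1722500260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1722500300 1722500360 - NODATA
"""


def parse_flow_log(text):
    """One dict per usable record; the header line and NODATA/SKIPDATA rows are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "version":
            continue
        if len(parts) != len(FIELDS):
            continue                      # custom format: not handled here
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue                      # no traffic data in this row
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def port_scan_suspects(records, min_ports=5):
    """(srcaddr, interface) pairs whose REJECTed flows touched at least
    min_ports distinct destination ports, with the sorted port list."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["interface-id"])].add(r["dstport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


def ssh_accepted_from_outside(records, vpc_cidr):
    """ACCEPTed TCP/22 flows whose source is not inside the VPC: SSH that did
    not come through the bastion in the public subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [r for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22
            and ipaddress.ip_address(r["srcaddr"]) not in vpc]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("scan suspects:", port_scan_suspects(recs))
    for r in ssh_accepted_from_outside(recs, "192.168.0.0/22"):
        print("SSH from outside VPC:", r["srcaddr"], "->", r["dstaddr"])
```

Both detections deliberately key on REJECT/ACCEPT rather than on bytes, because a scanner's probes carry almost no payload. A REJECT in a flow log only tells you a security group or NACL dropped the packet; it does not say which one, so pair this with the NACL and security group review below when triaging.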
======================================================================================================
D: 03/08/2024
NACL : Network Access Control List : allows/denies traffic at the subnet level (a subnet sits in one AZ, so effectively at AZ level as well).
--> We need to take care of both inbound rules and outbound rules: NACLs are stateless, so reply traffic is not allowed automatically.
--> One subnet can be a member of only one NACL at a time (one NACL can be associated with many subnets).
SG works as a stateful firewall at the instance (ENI) level.
NACLs work as a stateless firewall at the subnet level.
--> Default NACL : every subnet not explicitly associated with a custom NACL is a member of it. It allows all inbound and outbound traffic.
--> A newly created custom NACL denies everything (inbound and outbound) until you add allow rules.
--> Ephemeral / temporary ports must be opened in the NACL for the return traffic (e.g. outbound TCP 1024-65535 for a web server that only accepts 443 inbound).
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
1024-65535
--> Rules are evaluated in ascending rule-number order and the first matching rule wins, so the lowest rule number takes precedence. Anything not matched by a numbered rule hits the final "*" rule, which denies.
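How a NACL decides, as an added example (not course code): rules are tried in ascending rule-number order, the first match wins, and the implicit "*" rule denies whatever nothing else matched. Because the NACL is stateless, `connection_allowed` checks both directions: the request in on the server port and the reply out on the client's ephemeral port. The office range 203.0.113.0/24 and the client addresses are placeholders.

```python
import ipaddress

# Added example (not course code): NACL rule evaluation, first match wins,
# implicit deny, and the stateless round-trip check that explains why the
# ephemeral-port rule is needed.


def rule(number, protocol, ports, cidr, action):
    """protocol: 'tcp', 'udp', 'icmp' or 'all'; ports: (from, to) or None for any."""
    return {"number": number, "protocol": protocol, "ports": ports,
            "cidr": ipaddress.ip_network(cidr), "action": action}


def evaluate(rules, protocol, port, addr):
    """Return (action, rule_number) for one packet in one direction."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r["number"]):     # lowest number first
        if r["protocol"] not in ("all", protocol):
            continue
        if r["ports"] is not None and not (r["ports"][0] <= port <= r["ports"][1]):
            continue
        if ip not in r["cidr"]:
            continue
        return r["action"], r["number"]                   # first match wins
    return "deny", "*"                                    # catch-all rule AWS appends


def connection_allowed(inbound, outbound, protocol, server_port, client_addr, client_port):
    """Stateless round trip: request in on server_port, reply out to client_port."""
    req, _ = evaluate(inbound, protocol, server_port, client_addr)
    rep, _ = evaluate(outbound, protocol, client_port, client_addr)
    return req == "allow" and rep == "allow"


# Default NACL: one rule per direction allowing everything.
DEFAULT_IN  = [rule(100, "all", None, "0.0.0.0/0", "allow")]
DEFAULT_OUT = [rule(100, "all", None, "0.0.0.0/0", "allow")]

# A freshly created custom NACL has no numbered rules: everything hits "*".
NEW_IN, NEW_OUT = [], []

# Web-tier NACL: HTTPS from anywhere, SSH only from the office (placeholder
# range), replies allowed on the ephemeral port range.
WEB_IN = [
    rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    rule(110, "tcp", (22, 22), "203.0.113.0/24", "allow"),
]
WEB_OUT = [rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

# Same inbound rules plus a lower-numbered deny: ordering makes the deny win.
WEB_IN_BLOCKED = [rule(50, "tcp", (22, 22), "203.0.113.0/24", "deny")] + WEB_IN

if __name__ == "__main__":
    print("default NACL, SSH from anywhere:", evaluate(DEFAULT_IN, "tcp", 22, "198.51.100.1"))
    print("new NACL, HTTPS:               ", evaluate(NEW_IN, "tcp", 443, "198.51.100.1"))
    print("web NACL, SSH from office:     ", evaluate(WEB_IN, "tcp", 22, "203.0.113.9"))
    print("web NACL + rule 50 deny:       ", evaluate(WEB_IN_BLOCKED, "tcp", 22, "203.0.113.9"))
    print("HTTPS round trip:              ", connection_allowed(WEB_IN, WEB_OUT, "tcp", 443, "198.51.100.1", 51234))
    print("HTTPS, no ephemeral rule:      ", connection_allowed(WEB_IN, NEW_OUT, "tcp", 443, "198.51.100.1", 51234))
```

The last two lines are the practical lesson: with `WEB_IN` alone the HTTPS request is accepted, but the reply is dropped by the outbound "*" rule until an outbound allow for 1024-65535 exists. Rule 50 shows why numbering is a security control, not cosmetics: a deny placed below an allow is evaluated first and wins.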
====================================================================
Endpoints (AWS PrivateLink) : provide private connectivity to AWS services, for the requirement that e.g. S3 or DynamoDB requests must not flow over the Internet.
--> Even without Internet access (no IGW, no NAT) we can reach AWS services such as S3 and DynamoDB with the help of endpoints.
Gateway EP : for S3 and DynamoDB only. Implemented as a route in the subnet's route table (destination = the service prefix list, target = the endpoint). Managed by AWS, no additional charge.
Interface EP : an elastic network interface (ENI) with a private IP is created in our subnet and traffic flows to that ENI, staying inside the VPC. Charged per hour per AZ plus per GB. Attach an endpoint policy and a security group to it to restrict who can use it.
Q : You have an instance in a private subnet without Internet (no NAT GW) and want to access S3 / other AWS services? Ans : create a VPC endpoint for that service.
==================
**Advanced topic, used rarely.
Endpoint Services : with endpoint services (PrivateLink) we can share a service from our own AWS account with another AWS account securely: the provider puts the service behind a Network Load Balancer, the consumer creates an interface endpoint to it, and the traffic never leaves the AWS network. We stay in control of how the traffic flows in the backend.
--> refer youtube video : https://www.youtube.com/watch?v=MeIhu3eseyA
=================
NAT Gateway works with IPv4.
If our VPC is configured to use IPv6, instead of a NAT Gateway we use an "Egress-Only Internet Gateway". IPv6 addresses are globally routable, so the egress-only IGW is what allows outbound connections while blocking inbound connections from the Internet.
================
Can we associate multiple CIDRs with our VPC?
Yes, secondary CIDR blocks can be added to an existing VPC.
** Make sure the new CIDR range does not conflict with the existing CIDR range(s), nor with the CIDR of any peered VPC or on-premises network.
================================================================================================
D: 05/08/2024
VPC Peering : allows communication between two VPCs over private IPs (same Region, different Region, or different AWS account VPCs).
--> Requester VPC and Accepter VPC must not have overlapping CIDR ranges.
--> VPC Peering is non-transitive: if A is peered with B and B with C, A cannot reach C through B.
--> Update both VPCs' route tables with the other VPC's CIDR block via the peering connection (pcx-...), and allow the traffic in security groups/NACLs on both sides.
                Requester VPC (Mumbai)      Accepter VPC (Hyd)
VPC CIDR        192.168.0.0/22              172.31.0.0/16
VPC ID          vpc-06fe24c4aaab4d98a       vpc-0d9b1271da40faed2
Region          ap-south-1                  ap-south-2
ACC ID          123445678998                123445678998
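The two checks behind the peering rules above, as an added example that is not part of the course: CIDRs must not overlap (including any secondary CIDRs on either side, which ties back to the multiple-CIDR note), the routes each side needs are generated from the other side's CIDRs, and reachability is non-transitive. The VPC IDs and CIDRs are the Mumbai/Hyd pair from the table; the third VPC and the peering ID `pcx-0example` are placeholders.

```python
import ipaddress

# Added example (not course code): peering overlap check, route generation
# and non-transitive reachability. Nothing calls AWS.


def can_peer(cidrs_a, cidrs_b):
    """True when no CIDR of A overlaps any CIDR of B (primary + secondary blocks)."""
    nets_a = [ipaddress.ip_network(c) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c) for c in cidrs_b]
    return not any(a.overlaps(b) for a in nets_a for b in nets_b)


def peering_routes(requester, accepter, pcx_id):
    """Routes to add on each side: every CIDR of the other VPC via the peering.
    requester/accepter are (vpc_id, [cidrs]); returns {vpc_id: [(dest, target)]}."""
    (req_id, req_cidrs), (acc_id, acc_cidrs) = requester, accepter
    if not can_peer(req_cidrs, acc_cidrs):
        raise ValueError("overlapping CIDRs: AWS would reject the peering request")
    return {
        req_id: [(c, pcx_id) for c in acc_cidrs],
        acc_id: [(c, pcx_id) for c in req_cidrs],
    }


def reachable(src_vpc, dst_vpc, peerings):
    """Non-transitive: only a direct peering between the two VPCs counts."""
    return any({src_vpc, dst_vpc} == {a, b} for a, b in peerings)


# The two VPCs from the notes' table.
MUMBAI = ("vpc-06fe24c4aaab4d98a", ["192.168.0.0/22"])
HYD    = ("vpc-0d9b1271da40faed2", ["172.31.0.0/16"])
THIRD  = ("vpc-0third", ["10.0.0.0/16"])          # placeholder third VPC

if __name__ == "__main__":
    for vpc_id, routes in peering_routes(MUMBAI, HYD, "pcx-0example").items():
        print(vpc_id, "add routes:", routes)
    peerings = [(MUMBAI[0], HYD[0]), (HYD[0], THIRD[0])]
    print("Mumbai -> Hyd:  ", reachable(MUMBAI[0], HYD[0], peerings))
    print("Mumbai -> Third:", reachable(MUMBAI[0], THIRD[0], peerings))   # False: no transit
```

Run `can_peer` against the full CIDR list of both VPCs before raising the request; a secondary CIDR added later to either side is the usual reason a previously fine pair starts to clash. When the "Mumbai -> Third" case needs to be True, the answer is a third peering or a Transit Gateway, not a route through Hyd.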
==================
8 Subnets in the environment : 2 public/web (Load Balancer & bastion host), 2 application (private), 2 database/data (private), 2 Lambda.
10 Subnets in the environment : 2 public (Load Balancer & bastion host), 2 web tier (private), 2 application/logic (private), 2 database/data (private), 2 Lambda.
==================
VPN Connectivity (openvpn): https://www.youtube.com/watch?v=JSTyjISscNg
Transit Gateway : https://www.youtube.com/watch?v=xyLlMBHy2wc
==================
Site-to-Site VPN settings
1. Create a Virtual Private Gateway (VGW) and attach it to the VPC.
2. Create a Customer Gateway. You need to provide your corporate office's public IP address, the one configured on the on-premises firewall.
3. Using the resources from step 1 and step 2, configure the Site-to-Site VPN connection (AWS creates two IPsec tunnels for redundancy). Download the configuration for your firewall vendor and share it with the firewall team. Finally, add routes to the on-premises CIDR via the VGW in the VPC route tables (or enable route propagation on them).