4. AWS Riyadh User Group
• AWS Registered User Group in Riyadh, Saudi Arabia
• Founded by Ahmed Aziz
• Public Group
• 352 Members
• Connect all AWS Geeks
5. Past and Coming Topics
• Storage
  – S3
• Compute
  – EC2
  – Auto Scaling
• Networking
  – VPC Session 1
  – VPC Session 2
  – Route 53
  – API Gateway
6. Past and Coming Topics Cont’d
• Databases
  – RDS
  – DynamoDB
  – ElastiCache
• Application Integration
  – SNS
  – SQS
  – SWF
• Management Tools
  – CloudFormation
  – CloudTrail vs CloudWatch
7. Past and Coming Topics Cont’d
• Add-Ons
  – Lambda
  – Cost Optimization
  – Well-Architected Framework
  – Having Fun with Alexa
  – Chatbot
  – Machine Learning
10. What can you do with a VPC?
• Launch instances into a subnet of your choice
• Assign custom IP address ranges in each subnet
• Configure route tables between subnets
• Create an internet gateway and attach it to your VPC
• Much better security control over your AWS resources:
  – Instance security groups
  – Subnet network access control lists
11. Default VPC vs Custom VPC
• The default VPC is user friendly, allowing you to immediately deploy instances.
• All subnets in the default VPC have a route out to the internet (a 0.0.0.0/0 route to an internet gateway).
• Each EC2 instance launched into a default subnet gets both a public and a private IP address, because auto-assign public IPv4 is enabled on those subnets.
• A custom VPC starts with no internet gateway and with public-IP auto-assignment off: nothing in it is reachable from the internet until you add both deliberately.
12. Reserved AWS IP Addresses
• The first four IP addresses and the last IP address in each subnet CIDR block are reserved; you cannot assign them to an instance.
• For example, in 10.0.0.0/24:
  – 10.0.0.0: Network address
  – 10.0.0.1: VPC router
  – 10.0.0.2: VPC DNS server (the resolver lives at the VPC CIDR base plus two; AWS also reserves base-plus-two in every subnet)
  – 10.0.0.3: Reserved for future use
  – 10.0.0.255: Network broadcast address (broadcast is not supported in a VPC, but the address is still reserved)
• So a /24 subnet gives you 251 usable addresses, not 254.
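The reservation rule above applies to every subnet size AWS accepts, from /16 down to /28. The following is an added example (not code from the slides) that computes the reserved addresses, the usable host count and the first assignable address for any subnet CIDR, and rejects CIDRs the VPC console would reject; the helper names are this example's own.

```python
"""Reserved addresses in a VPC subnet, for any subnet size AWS allows (/16 to /28).
Added example, not from the slides."""
import ipaddress
from typing import Dict

MIN_PREFIX, MAX_PREFIX = 16, 28   # prefix lengths AWS accepts for a subnet


def subnet(cidr: str) -> ipaddress.IPv4Network:
    """Validate a subnet CIDR the way the VPC console would reject a bad one."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 subnet expected")
    if str(net) != cidr:
        raise ValueError(f"{cidr} is not on a network boundary; did you mean {net}?")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"subnet must be /{MIN_PREFIX} to /{MAX_PREFIX}, got /{net.prefixlen}")
    return net


def reserved_addresses(cidr: str) -> Dict[str, str]:
    """The five addresses AWS reserves in a subnet, with their roles."""
    net = subnet(cidr)
    base = int(net.network_address)
    return {
        str(ipaddress.ip_address(base)): "network address",
        str(ipaddress.ip_address(base + 1)): "VPC router",
        str(ipaddress.ip_address(base + 2)): "DNS server (reserved in every subnet)",
        str(ipaddress.ip_address(base + 3)): "reserved for future use",
        str(net.broadcast_address): "network broadcast (not supported inside a VPC)",
    }


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually hand to instances: the block minus the five reserved."""
    return subnet(cidr).num_addresses - 5


def first_assignable(cidr: str) -> str:
    """The first address an instance can get: network address + 4."""
    return str(subnet(cidr).network_address + 4)


def is_assignable(cidr: str, ip: str) -> bool:
    """True if ip is inside the subnet and not one of the five reserved addresses."""
    net = subnet(cidr)
    addr = ipaddress.ip_address(ip)
    return addr in net and str(addr) not in reserved_addresses(cidr)


if __name__ == "__main__":
    for block in ("10.0.0.0/24", "10.0.0.0/28"):
        print(block, usable_hosts(block), "usable, first =", first_assignable(block))
        for addr, role in reserved_addresses(block).items():
            print("  ", addr, role)
```

A /28 is the smallest subnet AWS allows, and it loses five of its 16 addresses to the reservation; that is why tiny subnets for NAT gateways or endpoints fill up faster than the CIDR math suggests.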
13. NAT Instances
• Enable instances in a private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent those instances from receiving inbound traffic initiated by someone on the Internet.
• You must disable source/destination checks on it, because it forwards packets whose source or destination is not its own address.
• It is an ordinary EC2 instance: you patch it, size it and manage its security group yourself.
14. NAT Gateway
• A NAT Gateway is an AWS managed service.
  – You don’t have to care about the availability or scalability of it within an AZ; deploy one per AZ if you need to survive an AZ failure.
• Both NAT instances and NAT gateways are used only for outbound IPv4 traffic.
• An Egress-Only Internet Gateway is used for outbound IPv6 traffic.
17. NAT Instance vs Bastion Host
• A NAT instance is used to provide internet access to EC2 instances in private subnets.
• A Bastion host is used to securely administer EC2 instances (using SSH or RDP) in private subnets. Also called a jump box.
• The bastion is the one instance you deliberately expose to the Internet, so restrict its security group to the administrators' source addresses rather than 0.0.0.0/0.
18. VPC Peering
• Allows you to connect one VPC with another via a direct network route using private IP addresses.
• Instances behave as if they were on the same private network.
• You can peer VPCs with others in the same account, in other AWS accounts, or even in other regions.
• The two VPCs' CIDR blocks must not overlap, and each side needs a route to the other's CIDR via the peering connection.
• Peering is in a star configuration, i.e. one central VPC peers with four others. NO TRANSITIVE PEERING: if A peers with B and B peers with C, A cannot reach C through B; every pair that must talk needs its own peering connection.
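The routing behaviour behind the peering rules, the NAT/IGW slides and the "remember to update your route table" tips is the same mechanism: a subnet's route table is consulted with longest-prefix match, and a peering connection only delivers into the peer VPC's own CIDR. The following toy model is an added example, not code from the slides. It reuses the lab's VPC names and CIDRs (My VPC 10.0.0.0/16, Peer VPC 192.168.0.0/16); the third VPC 172.16.0.0/16, the instance addresses and the pcx/igw/nat identifiers are made up here.

```python
"""Toy model of VPC routing and peering: longest-prefix match, the 'local' route,
IGW/NAT egress, and why peering is not transitive. Added example, not from the slides."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block
    target: str        # "local", "igw-…", "nat-…" or "pcx-…"


@dataclass(frozen=True)
class Subnet:
    vpc: str
    cidr: str
    routes: Tuple[Route, ...]   # the route table associated with the subnet


@dataclass(frozen=True)
class Instance:
    ip: str
    subnet: Subnet


def lookup(routes: Tuple[Route, ...], dst_ip: str) -> Optional[Route]:
    """The most specific matching route wins (longest prefix), as in a VPC route table."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.destination)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.destination).prefixlen)


def internet_egress(subnet: Subnet) -> Optional[str]:
    """'igw' for a public subnet, 'nat' for a private subnet behind a NAT device, else None."""
    default = next((r for r in subnet.routes if r.destination == "0.0.0.0/0"), None)
    return None if default is None else default.target.split("-")[0]


def can_reach(src: Instance, dst: Instance, peerings: Dict[str, Tuple[str, str]]) -> bool:
    """Routing-layer reachability src -> dst (security groups and NACLs ignored here).
    peerings maps a peering-connection id to the two VPCs it joins."""
    fwd = lookup(src.subnet.routes, dst.ip)
    if fwd is None:
        return False
    if fwd.target == "local":                       # the VPC's own CIDR, always present
        return dst.subnet.vpc == src.subnet.vpc
    if fwd.target.startswith("pcx-"):
        a, b = peerings[fwd.target]
        peer_vpc = b if a == src.subnet.vpc else a
        # A peering only delivers into the peer VPC's own address space. The peer VPC
        # never forwards traffic that arrived over a peering on to another peering,
        # IGW, NAT device or VPN: that is what "no transitive peering" means.
        if dst.subnet.vpc != peer_vpc:
            return False
        # The peer side needs its own route back over the same peering for replies.
        back = lookup(dst.subnet.routes, src.ip)
        return back is not None and back.target == fwd.target
    return False   # igw/nat targets lead to the Internet, not to a private address


def lab_topology():
    """My VPC (private subnet) <-pcx-1-> Peer VPC <-pcx-2-> Third VPC (assumed)."""
    pcx = {"pcx-1": ("My VPC", "Peer VPC"), "pcx-2": ("Peer VPC", "Third VPC")}
    my_public = Subnet("My VPC", "10.0.1.0/24", (
        Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-my")))
    my_private = Subnet("My VPC", "10.0.2.0/24", (
        Route("10.0.0.0/16", "local"), Route("192.168.0.0/16", "pcx-1"),
        Route("172.16.0.0/16", "pcx-1"),   # hoping to hop through Peer VPC: never works
        Route("0.0.0.0/0", "nat-my")))
    peer_public = Subnet("Peer VPC", "192.168.1.0/24", (
        Route("192.168.0.0/16", "local"), Route("10.0.0.0/16", "pcx-1"),
        Route("172.16.0.0/16", "pcx-2"), Route("0.0.0.0/0", "igw-peer")))
    third = Subnet("Third VPC", "172.16.1.0/24", (
        Route("172.16.0.0/16", "local"), Route("192.168.0.0/16", "pcx-2")))
    instances = {
        "instance1": Instance("10.0.2.15", my_private),
        "instance2": Instance("192.168.1.20", peer_public),
        "instance3": Instance("172.16.1.9", third),
        "web": Instance("10.0.1.7", my_public),
    }
    return instances, pcx


def demo() -> Dict[str, object]:
    inst, pcx = lab_topology()
    return {
        "instance1->instance2": can_reach(inst["instance1"], inst["instance2"], pcx),
        "instance2->instance1": can_reach(inst["instance2"], inst["instance1"], pcx),
        "instance1->instance3 via Peer VPC": can_reach(inst["instance1"], inst["instance3"], pcx),
        "instance1 egress": internet_egress(inst["instance1"].subnet),
        "web egress": internet_egress(inst["web"].subnet),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The route `172.16.0.0/16 → pcx-1` in My VPC's private table is the classic mistake: the route table accepts it, but traffic arriving in Peer VPC over pcx-1 is never forwarded over pcx-2, so instance1 still cannot reach instance3. The model also shows why both sides need a route: delete the `10.0.0.0/16 → pcx-1` entry in Peer VPC and replies stop even though the request still arrives.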
20. VPC Flow Logs
• VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC (5-tuple, byte and packet counts, and whether the security groups/NACLs accepted or rejected the flow; no packet payload).
• Flow log data can be published to Amazon CloudWatch Logs and Amazon S3.
• After you've created a flow log, you can retrieve and view its data in the chosen destination.
21. VPC Flow Logs Cont’d
• Flow Logs can be created at three levels:
  – VPC (covers every network interface in the VPC)
  – Subnet (every interface in that subnet)
  – Network Interface
23. VPC Endpoint
• A VPC endpoint allows you to privately connect your VPC to supported AWS services without sending the traffic over the Internet.
• An interface endpoint is powered by PrivateLink, and uses an elastic network interface (ENI) with a private IP address in your subnet as the entry point for traffic destined to the service.
• AWS PrivateLink is a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not require an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or VPN connection to communicate with the service. Traffic between your VPC and the service does not leave the Amazon network.
• A gateway endpoint serves as a target for a route in your route table for traffic destined for the service. Gateway endpoints exist for Amazon S3 and DynamoDB.
• Endpoints can carry an endpoint policy, so you can restrict which buckets, tables or API actions are reachable through the endpoint instead of exposing the whole service.
24. Interface Endpoints
• Amazon API Gateway
• AWS CloudFormation
• Amazon CloudWatch
• Amazon CloudWatch Events
• Amazon CloudWatch Logs
• AWS CodeBuild
• AWS Config
• Amazon EC2 API
• Elastic Load Balancing API
• AWS Key Management Service
• Amazon Kinesis Data Streams
• Amazon SageMaker Runtime
• AWS Secrets Manager
• AWS Security Token Service
• AWS Service Catalog
• Amazon SNS
• AWS Systems Manager
• Endpoint services hosted by other AWS accounts
• Supported AWS Marketplace partner services
31. AWS Managed VPN Connections
• By default, instances that you launch into an Amazon VPC can't communicate with your own (remote) network.
• You can enable access to your remote network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, updating your security group rules, and creating an AWS managed VPN connection.
• AWS supports Internet Protocol security (IPsec) VPN connections.
• AWS currently does not support IPv6 traffic through a VPN connection.
34. Direct Connect
• AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations.
• Using industry-standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces.
• This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments.
• Virtual interfaces can be reconfigured at any time to meet your changing needs.
• It reduces your network costs, increases bandwidth throughput, and provides a more consistent network experience than Internet-based connections.
• Direct Connect is a private circuit, not an encrypted one: run an IPsec VPN over it (or use MACsec, offered on dedicated 10 Gbps and 100 Gbps connections) when the data needs encryption in transit.
36. VPC Limits and Pricing
Limits: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
Pricing: https://aws.amazon.com/vpc/pricing/
37. VPC Exam Tips
• Think of a VPC as a logical datacenter in AWS.
• It consists of IGWs (or virtual private gateways), route tables, network access control lists, subnets and security groups.
• 1 subnet = 1 Availability Zone: a subnet lives entirely in one AZ and never spans AZs.
• Security groups are stateful; network access control lists are stateless.
• There's no way for you to coordinate Availability Zones between accounts by name: "us-east-1a" can map to a different physical AZ in each account. Use AZ IDs (such as use1-az1) when two accounts must share the same physical AZ.
• No transitive peering.
• You will need at least 2 subnets (in 2 AZs) in order to deploy an ALB.
38. NAT Instance Exam Tips
• When creating a NAT instance, disable the source/destination check on the instance.
• NAT instances must be in a public subnet.
• There must be a route out of the private subnet to the NAT instance, in order for this to work.
• The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size.
• You can create high availability using auto scaling groups, multiple subnets in different AZs, and a script to automate failover.
39. NAT GW Exam Tips
• Preferred by the enterprise.
• Scales automatically up to 45 Gbps.
• No need to patch.
• Not associated with security groups: control access with the source instances' security groups and the subnet NACLs instead.
• Gets a public (Elastic) IP address that you associate when you create it.
• Remember to update your route table (a 0.0.0.0/0 route from the private subnet to the NAT gateway).
• No need to disable source/destination checks.
• More secure than a NAT instance: no OS to patch, no SSH port to expose, and nothing on the Internet can initiate a connection to it.
40. Network ACL Exam Tips
• Your VPC comes automatically with a default network ACL, and by default it allows all outbound and inbound traffic.
• You can create custom network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
• Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
• You can associate a network ACL with multiple subnets; however, a subnet can only be associated with one network ACL at a time. When you associate a subnet with a network ACL, the previous association is removed.
41. Network ACL Exam Tips Cont’d
• Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule. The first rule that matches decides; if nothing matches, the implicit final rule (*) denies.
• Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
• Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic and vice versa. In practice the outbound rules must allow the ephemeral port range (1024–65535), or replies to inbound connections are silently dropped.
• Block IP addresses using network ACLs, not security groups: security groups have only allow rules, so a deny cannot be expressed in one.
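The two NACL properties above that bite in practice are rule ordering (a deny numbered above the allow never fires) and statelessness (the reply needs its own outbound rule). The following is an added example, not code from the slides: a small evaluator that applies rules lowest-number-first with the implicit `*` deny, checks a TCP request and its reply as two independent decisions, and contrasts that with a security group's stateful behaviour. The rule sets, the blocked range 203.0.113.0/24 and the client 198.51.100.7 are made up for illustration.

```python
"""Network ACL evaluation: numbered rules, first match wins, stateless both ways.
Added example, not from the slides; all rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

EPHEMERAL = (1024, 65535)   # the client-side port range replies go back to


@dataclass(frozen=True)
class AclRule:
    number: int                             # evaluated lowest number first
    action: str                             # "allow" or "deny"
    protocol: str                           # "tcp", "udp", "icmp" or "all"
    cidr: str                               # source (inbound) or destination (outbound) range
    ports: Tuple[int, int] = (0, 65535)     # inclusive destination-port range; ignored for icmp/all


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str      # source for an inbound packet, destination for an outbound one
    port: int           # destination port of the packet


def nacl_decision(rules: Tuple[AclRule, ...], pkt: Packet) -> Tuple[str, Union[int, str]]:
    """(action, rule number) of the first matching rule, or ('deny', '*') if none matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", pkt.protocol):
            continue
        if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not rule.ports[0] <= pkt.port <= rule.ports[1]:
            continue
        return rule.action, rule.number
    return "deny", "*"


def nacl_tcp_session(inbound, outbound, client_ip, server_port, client_port) -> Tuple[bool, bool]:
    """A client on client_port connecting to server_port: (request allowed, reply allowed).
    Both halves are judged separately because a NACL keeps no connection state."""
    request = nacl_decision(inbound, Packet("tcp", client_ip, server_port))
    reply = nacl_decision(outbound, Packet("tcp", client_ip, client_port))
    return request[0] == "allow", reply[0] == "allow"


def sg_tcp_session(ingress: Tuple[AclRule, ...], client_ip, server_port) -> Tuple[bool, bool]:
    """Security-group contrast: allow rules only (number/action unused), reply tracked automatically."""
    allowed = any(
        r.protocol in ("all", "tcp")
        and ipaddress.ip_address(client_ip) in ipaddress.ip_network(r.cidr)
        and r.ports[0] <= server_port <= r.ports[1]
        for r in ingress
    )
    return allowed, allowed     # stateful: if the request got in, the reply gets out


# Inbound: block one range, allow HTTPS from anywhere. Order decides whether the block works.
INBOUND_BAD_ORDER = (
    AclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
    AclRule(200, "deny", "all", "203.0.113.0/24"),   # never reached for 443: rule 100 matched first
)
INBOUND = (
    AclRule(50, "deny", "all", "203.0.113.0/24"),    # the deny must carry the lower number
    AclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
)
# Outbound: without the ephemeral range every inbound connection's reply is dropped.
OUTBOUND_NO_EPHEMERAL = (AclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),)
OUTBOUND = (
    AclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
    AclRule(110, "allow", "tcp", "0.0.0.0/0", EPHEMERAL),
)

if __name__ == "__main__":
    scanner = Packet("tcp", "203.0.113.9", 443)
    print("deny above allow:", nacl_decision(INBOUND_BAD_ORDER, scanner))
    print("deny below allow:", nacl_decision(INBOUND, scanner))
    print("no ephemeral rule:", nacl_tcp_session(INBOUND, OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 443, 51515))
    print("with ephemeral rule:", nacl_tcp_session(INBOUND, OUTBOUND, "198.51.100.7", 443, 51515))
```

Flow logs show the second failure as an ACCEPT on the inbound record and a REJECT on the outbound one for the same pair of addresses, which is the quickest way to spot a missing ephemeral-port rule.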
42. VPC Flow Log Exam Tips
• You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
• Older material, this deck included, says you cannot tag a flow log; tagging is supported today.
• You can’t change the flow log configuration after creating it; delete it and create a new one instead.
43. VPC Flow Log Exam Tips Cont’d
• Not all IP traffic is monitored. The following is never captured:
  – Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
  – Traffic generated by a Windows instance for Amazon Windows license activation.
  – Traffic to and from 169.254.169.254 for instance metadata.
  – DHCP traffic.
  – Traffic to the reserved IP address for the default VPC router.
• Security consequence: flow logs give no visibility into calls to the instance metadata service or into queries sent to the Amazon resolver; use Route 53 Resolver query logging for the latter.
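Slides 20, 21 and 42–43 describe what a flow log contains and what it omits; the following added example (not code from the slides) parses default-format version 2 records and runs two simple detections over them: rejected flows per source and a port-scan heuristic (one source hitting many distinct ports on one ENI with REJECT). The records are constructed to resemble the lab's private instance 10.0.2.15 being scanned from 203.0.113.5 and reached over the peering from 192.168.1.20; the account id, ENI id, timestamps and the 10-port threshold are assumptions. Consistent with the exclusion list above, nothing to 169.254.169.254 or the Amazon resolver would ever appear here.

```python
"""Parse VPC Flow Log records (default v2 format) and flag REJECT bursts that look
like port scans. Added example, not from the slides; sample records are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Default format: version account-id interface-id srcaddr dstaddr srcport dstport
#                 protocol packets bytes start end action log-status
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_log(line: str) -> Optional[dict]:
    """Return a record dict, or None for blank/short lines and NODATA/SKIPDATA records
    (those carry '-' in the traffic fields and must not be counted as flows)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["protocol"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec


def parse_many(text: str) -> List[dict]:
    return [r for r in (parse_flow_log(ln) for ln in text.splitlines()) if r]


def reject_counts(records: List[dict]) -> Dict[str, int]:
    """Number of rejected flows per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT":
            counts[r["srcaddr"]] += 1
    return dict(counts)


def find_port_scans(records: List[dict], min_ports: int = 10) -> Dict[Tuple[str, str], List[int]]:
    """Sources whose REJECTed TCP/UDP flows hit at least min_ports distinct ports on one ENI."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] in ("tcp", "udp"):
            ports[(r["srcaddr"], r["interface_id"])].add(r["dstport"])
    return {key: sorted(seen) for key, seen in ports.items() if len(seen) >= min_ports}


def sample_log() -> str:
    """Constructed sample: a scanner sweeping 12 ports, an SSH session over the lab
    peering, an ICMP echo, and an aggregation interval with no traffic."""
    eni, acct, t0, t1 = "eni-0a1b2c3d", "123456789012", 1600000000, 1600000060
    lines = []
    for i, port in enumerate((22, 23, 25, 80, 443, 445, 3306, 3389, 5432, 6379, 8080, 8443)):
        lines.append(f"2 {acct} {eni} 203.0.113.5 10.0.2.15 {54300 + i} {port} 6 1 60 {t0} {t1} REJECT OK")
    lines += [
        f"2 {acct} {eni} 192.168.1.20 10.0.2.15 40000 22 6 20 2000 {t0} {t1} ACCEPT OK",
        f"2 {acct} {eni} 10.0.2.15 192.168.1.20 22 40000 6 18 3000 {t0} {t1} ACCEPT OK",
        f"2 {acct} {eni} 192.168.1.20 10.0.2.15 0 0 1 4 336 {t0} {t1} ACCEPT OK",
        f"2 {acct} {eni} - - - - - - - {t0} {t1} - NODATA",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_many(sample_log())
    print(len(recs), "flow records")
    print("rejects per source:", reject_counts(recs))
    for (src, eni), ports in find_port_scans(recs).items():
        print(f"possible scan from {src} against {eni}: ports {ports}")
```

Because a REJECT is recorded per aggregation interval rather than per packet, a real scan of one port can show up as a single record; the distinct-port count is what makes the heuristic useful, and tuning `min_ports` is the usual trade-off between noise and misses.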
53. LAB: Peering Connection, VPC End Points, NAT GW
• Create the S3-Full-Access IAM Role
• Create My VPC with CIDR 10.0.0.0/16, No IPv6, Default Tenancy
  – Create My VPC IGW and attach it to My VPC
  – Create My Public Subnet 10.0.1.0/24, with AZ no preference, enable auto-assign public IP address
  – Add default route (0.0.0.0/0 to the IGW) in My VPC Public RT (Main), associate My Public Subnet
  – Create SG Allow SSH and ICMP for My VPC – SSH from 10.0.0.0/16 and 192.168.0.0/16 – All ICMP from 192.168.0.0/16
  – Create My Private Subnet with CIDR 10.0.2.0/24
  – Create My VPC Private RT, associate My Private Subnet (no default route yet, so the subnet has no path to the Internet)
  – Launch TestVPCPeer-Instance1 in My Private Subnet, attach IAM Role S3_Full_Access
• Create Peer VPC with CIDR 192.168.0.0/16 (it must not overlap 10.0.0.0/16, or the peering cannot be created)
  – Create Peer VPC IGW and attach it to Peer VPC
  – Create Peer Public Subnet 192.168.1.0/24, with AZ no preference, enable auto-assign public IP address
  – Add default route in Peer VPC Public RT (Main), associate Peer Public Subnet
  – Create Security Group Allow SSH and ICMP for Peer VPC – SSH from <My Public IP> only – All ICMP from 10.0.0.0/16
  – Launch TestVPCPeer-Instance2 in Peer Public Subnet, attach IAM Role S3_Full_Access
54. LAB: Peering Connection, VPC End Points, NAT GW Cont’d
• Create Peering Connection between My VPC and Peer VPC
  – Accept the request for the pending peering connection
  – Add route to 10.0.0.0/16 via the peering connection in Peer VPC Public RT
  – Add route to 192.168.0.0/16 via the peering connection in My VPC Private RT
  – SSH into TestVPCPeer-Instance2 and ping <TestVPCPeer-Instance1 private IP>
• Create a gateway Endpoint to S3 for My VPC, attached to My VPC Private RT, with the Full Access policy
  – Download LondonKP.pem and change its permissions (chmod 400)
  – From TestVPCPeer-Instance2 ssh into TestVPCPeer-Instance1 using LondonKP.pem
  – From TestVPCPeer-Instance1 run aws s3 ls --region eu-west-2 (this works with no Internet path, because S3 traffic goes through the endpoint)
• In My VPC
  – Create My NAT GW in My Public Subnet
  – Add default route to My NAT GW in My VPC Private RT
  – From TestVPCPeer-Instance1 run sudo yum update (this only works now that the private subnet has a route to the NAT GW)