AWS Certified Solutions Architect Professional Course S1-S5

© Digital Cloud Training | https://digitalcloud.training
SECTION 1
Introduction

SECTION 2
AWS Accounts and Organizations

Create Management AWS
Account

What you need…
Credit card for setting up the account and
paying any bills
Unique email address for this account
AWS account name – mine will be DCT-MANAGEMENT
Check if you can use an alias
with an existing email address
(e.g dynamic aliases in Gmail /
O365)
john+dctmanagement@example.com
john+dctprod@example.com
john@example.com
Phone to receive an SMS verification code

Configure Account and Setup
Billing Alarms

Install Tools (AWS CLI and VS
Code)

AWS Organizations

AWS Organizations
AWS Organization
Management Account
Receive a
consolidated bill
Test
Development
Production
You can group accounts
into Organizational Units
(OUs)
Service Control Policies
(SCPs) can control
tagging and the
available API actions
Create accounts
programmatically
using the
Organizations API
Enable CloudTrail in
management account
and apply to members
Enable AWS SSO using
on-prem directory

Account Configuration

Account Configuration
AWS Organization
Management Account Production
Use the AWS Management
Console to create an
Organization
AWS Organizations Production (OU)
Create a Service
Control Policy (SCP)
and attach to OU
OrganizationAccountAccessRole
Role has full
permissions in
the account
Role can be assumed by any
user with the sts:AssumeRole
permissions

Create AWS Organization and
Add Account

Service Control Policies (SCPs)

AWS Organization
Management
Account
Root
Test
Dev
Prod
Dev users can only
launch T2.micro
instances
Prod users cannot launch
any instance other than
t2.micro (denied above)
Users in the
management
account are
not restricted
Tag policy applied
to enforce tag
standardization
SCPs control the maximum
available permissions
NOTE: SCPs do not grant ANY
permissions, they control the
AVAILABLE permissions

SCP Strategies and
Inheritance

SCP Strategies and Inheritance
A B
C
D E
SCP attached to or
inherited from parent
SCP permissions attached
to child OU or account
Permissions that the
child can actually use

SCP Strategies and Inheritance
Deny List Strategy Allow List Strategy
• The FullAWSAccess SCP
is attached to every OU and
account
• Explicitly allows all
permissions to flow down
from the root
• Can explicitly override with
a deny in an SCP
• This is the default setup
• The FullAWSAccess SCP
is removed from every OU
and account
• To allow a permission, SCPs
with allow statements must
be added to the account
and every OU above it
including root
• Every SCP in the hierarchy
must explicitly allow the
APIs you want to use
Note: An explicit allow
overrides an implicit
deny
Note: An explicit deny
overrides any kind of
allow

Create Development Account

Test SCP Inheritance

Management
Account
Dev
Prod
Root
OU1
OU2

Management
Account
Root
Production
Development
Prod users can
only launch
t2.micro instances
Dev users cannot launch
any instance other than
t2.micro (denied above)
Users in the
management
account are
not restricted
OU1
OU2

SECTION 3
Identity Management and Permissions

How IAM Works

How IAM Works
AWS Account
Console
CLI
API
AWS IAM
IAM Principals must be authenticated to
send requests (with a few exceptions)
Role
User Federated
User
Application
A principal is a person or
application that can make a
request for an action or
operation on an AWS resource
Request context:
• Actions / operations
• Resources
• Principal
• Environment data
• Resource data
Identity-
based policy
Resource-
based policy
AWS determines whether
to authorize the request
(allow/deny)
S3
EC2
IAM
RunInstances
GetBucket
CreateUser
Actions are
authorized
on AWS
resources

Overview of Users, Groups,
Roles and Policies

Users, Groups, Roles and Policies
AWS Account
User Group Role Policy
The user gains the
permissions applied
to the group through
the policy
IAM Group
User
Policies define the
permissions for the
identities or resources
they are associated with
Roles are used for
delegation and are
assumed
Identity-based policies
can be applied to users,
groups, and roles

IAM Users
AWS IAM
Account Root User
The root user has full permissions. It’s
a best practice to avoid using the root
user account + enable MFA
Ethan Andrea
Eric
Up to 5000 individual user
accounts can be created. Users
have no permissions by default.
Friendly name:
Andrea
Amazon Resource Name:
arn:aws:iam::625148252389
:user/Andrea
Authentication via
username/password for console
or access keys for API/CLI
Email
used for
signup

IAM Groups
Admin Group Development Group Operations Group
Ethan Andrea
Eric Sunil Lee
Groups are
collections of users.
Users can be
members of up to
10 groups
The main reason to
use groups is to
apply permissions to
users using policies
The user gains the
permissions applied
to the group through
the policy

IAM Roles
S3 Bucket
AWS Account AWS Account
IAM Users
sts:AssumeRole
IAM Users
IAM Role
Roles are assumed by
users, applications, and
services
Once assumed, the
identity “becomes” the
role and gain the roles’
permissions
Short-term access is
granted to the S3
bucket
An IAM role is an IAM identity that
that has specific permissions

IAM Policies
AdministratorAccess
Bucket Policy
Policies are documents
that define permissions
and are written in JSON
All permissions
are implicitly
denied by
default
User Group Role
Identity-based policies
can be applied to users,
groups, and roles
S3 Bucket
Resource-based
policies apply to
resources such as
S3 buckets or
DynamoDB tables

IAM Authentication Methods

AWS Management
Console
CLI
API
AWS IAM
Username: John
Password: Eo28720*!
MFA Token: (optional)
John
Access key ID: AKIAXP4J2EKUQIQJTJLV
Secret access key:
wiMjGpewNMRHFi9ud0pJwh7NBX4F6i
John is authenticated and
can perform operations
in the console
Access keys are used for
programmatic access
AWS IAM AWS API

AWS IAM
X.509 certificate
authentication to some
services. E.g. Amazon EC2
SOAP and CLI interfaces
Signing Certificate Amazon EC2
AWS IAM
SSH Key / HTTPS
Git Credentials
AWS IAM
Keyspaces
Credentials
AWS CodeCommit
Authentication
to AWS
CodeCommit
Amazon Keyspaces

Create User, Group, and
Configure CLI

AWS Security Token Service
(STS)

AWS Security Token Service (STS)
AWS STS
IAM Role
EC2 Instance
Instance Profile
Application
Trust Policy Permissions Policy
S3 Bucket
EC2 attempts to assume role
(sts:AssumeRole API call)
Temporary security
credentials are
returned
AWS STS
Credentials include:
• AccessKeyId
• Expiration
• SecretAccessKey
• SessionToken
Temporary credentials are used
with identity federation,
delegation, cross-account
access, and IAM roles
Trust policies
control who can
assume the role

Multi-Factor Authentication
(MFA)

Something you know:
EJPx!*21p9%
Password
Something you have: Something you are:

Something you know:
EJPx!*21p9%
Password
Something you have:
IAM User
Virtual MFA
Physical MFA
e.g. Google Authenticator on
your smart phone

Secure the AWS Account

Identity-Based Policies and
Resource-Based Policies

Identity-Based IAM Policies
Managed policy. Either
AWS managed or
customer managed
AWS managed are
created and managed
by AWS; customer
managed are created
and managed by you
User
Group
Role
Inline policies have
a 1-1 relationship
with the user,
group, or role
Inline policy
Managed policies are
standalone policies that
can be attached to multiple
users, groups, or roles
Identity-based policies are JSON permissions policy
documents that control what actions an identity can
perform, on which resources, and under what conditions

Resource-based policies are JSON policy documents that
you attach to a resource such as an Amazon S3 bucket
S3 Bucket
Paul
s3:PutObject
Resource-based policies grant
the specified principal (Paul)
permission to perform specific
actions on the resource

IAM Role
A trust policy is also an
example of a resource-
based policy Whereas a permissions
policy is an identity-based
policy

Access Control Methods -
RBAC & ABAC

Role-Based Access Control (RBAC)
Admin Group Development Group Operations Group
Ethan Andrea
Eric Sunil Lee
Users are assigned
permissions through
policies attached to
groups
Groups are organized
by job function
Best practice is to
grant the minimum
permissions required
to perform the job

Role-Based Access Control (RBAC)
Job function policies:
• Administrator
• Billing
• Database administrator
• Data scientist
• Developer power user
• Network administrator
• Security auditor
• Support user
• System administrator
• View-only user
Billing Admins
Joanne
AWS managed policies for job
functions are designed to
closely align to common job
functions in the IT industry
The Billing managed
policy is attached to
the group

Attribute-Based Access Control (ABAC)
Amazon RDS
Amazon RDS
Dave
DBAdmins
Tag Key Tag Value
Department DBAdmins
Tag Key Tag Value
Environment Production
Tag Key Tag Value
Environment Development
Tags are a way of
assigning metadata
to resources using
key/value pairs
rds:StopDBInstance
rds:RebootDBInstance
Permissions are
granted to resources
when the tag matches
a certain value

Permissions Boundaries

Permissions Boundaries
Joanne
Developers
The permissions
boundary sets the
maximum permissions
that the entity can have
Permissions
Boundary
IAM
Amazon S3
S3:ListBuckets
iam:CreateUser
The operation fails
because the
permissions boundary
does not allow it
Permissions
boundaries are
attached to
users and roles
Policy allows full control of S3,
CloudWatch, EC2, and IAM

Privilege Escalation
Lindsay
IAMFullAccess
IAM
iam:CreateUser
Lindsay applies the
AdministratorAccess policy
to the X-User account
X-User
AdministratorAccess
Lindsay is assigned permissions
to AWS IAM only and cannot
launch AWS resources
Lindsay is now able to login with
the X-User account and gain full
privileges to the AWS account
AWS Batch
Lindsay mines bitcoins

Preventing Privilege Escalation
Lindsay
IAMFullAccess
IAM
iam:CreateUser
Lindsay applies the
AdministratorAccess
policy to the X-User
account
X-User
AdministratorAccess
Lindsay is assigned permissions
to AWS IAM only and cannot
The permissions boundary
ensures that users created
by Lindsay have the same
or fewer permissions
Permissions
Boundary
Lindsay does not have more privileges
when logging in as X-User and cannot

IAM Policy Evaluation Logic

Evaluation Logic

Steps for Authorizing Requests to AWS
Console
CLI
API
AWS IAM
1. Authentication –
AWS authenticates
the principal that
makes the request
Request context:
• Actions – the actions or operations the
principal wants to perform
• Resources – The AWS resource object upon
which actions are performed
• Principal – The user, role, federated user, or
application that sent the request
• Environment data – Information about the
IP address, user agent, SSL status, or time of
day
• Resource data – Data related to the
resource that is being requested
Identity-based policy
Resource-
based policy
s3:GetObject
User
S3 Bucket
2. Processing the request context
3. Evaluating
policies within
the account
3. Evaluating all
policies within
the account
4. Determining
whether a request is
allowed or denied

Types of Policy
• Identity-based policies – attached to users, groups, or roles
• Resource-based policies – attached to a resource; define
permissions for a principal accessing the resource
• IAM permissions boundaries – set the maximum
permissions an identity-based policy can grant an IAM entity
• AWS Organizations service control policies (SCP) – specify
the maximum permissions for an organization or OU
• Session policies – used with AssumeRole* API actions

Evaluating Policies within an AWS Account
Identity-based
policy
Resource-based
policy Effective
permissions
Identity-based
policy
Permisions
boundary Effective
permissions
Identity-based
policy
Organizations
SCP Effective
permissions

Determination Rules
1. By default, all requests are implicitly denied (though the
root user has full access)
2. An explicit allow in an identity-based or resource-based
policy overrides this default
3. If a permissions boundary, Organizations SCP, or session
policy is present, it might override the allow with an
implicit deny
4. An explicit deny in any policy overrides any allows

IAM Policy Structure

IAM Policy Structure
An IAM policy is a JSON
document that consists of one
or more statements
The Effect element can be
Allow or Deny
The Action element is the
specific API action for which
you are granting or denying
permission
The Resource element
specifies the resource
that's affected by the
action
The Condition element is
optional and can be used
to control when your
policy is in effect

IAM Policy Example 1
The AdministratorAccess
policy uses wildcards (*)
to allow all actions on all
resources

The effect is to deny the API
action if the IP address is not
in the specified range
The specific API
action is defined

You can tell this is a resource-
based policy as it has a
principal element defined
The policy grants read and write
access to an EFS file systems to all
IAM principals ("AWS ": "*")
Additionally, the policy condition
element requires that SSL/TLS
encryption is used

A variable is used for the
s3:prefix that is replaced with
the user’s friendly name
The actions are allowed only
within the user’s folder
within the bucket

Using Role-Based Access
Control (RBAC)

Using Attribute-Based Access
Control (ABAC)

Apply Permissions Boundary

Permisions Boundary Hands-On Practice
*** Use the PermissionsBoundary.json file
from the course download ***
The policy will enforce the following:
• IAM principals can't alter the permissions boundary to allow their
own permissions to access restricted services
• IAM principals must attach the permissions boundary to any IAM
principals they create
• IAM admins can't create IAM principals with more privileges than
they already have
• The IAM principals created by IAM admins can't create IAM principals
with more permissions than IAM admins

Use Cases for IAM Roles

Use Case: Cross Account Access
S3 Bucket
Identity-based
policy
Account A
Role
Account B
sts:AssumeRole
User
Permissions
Policy
Allows the user
to assume the
role in account A
Allow role to
access bucket
Allows the user
from account B to
assume the role
Trust
Policy

Use Case: Cross Account Access (3rd Party)
S3 Bucket
Identity-based
policy
Account A
Role
Account B
sts:AssumeRole
with external ID
User
Permissions
Policy
Allows the user to
assume the role in
account A using a
shared ARN
The trust policy condition
requires the external ID
Trust
Policy
Allow role to
access bucket

Use Case: Delegation to AWS Services
AWS STS
IAM Role
EC2 Instance
Instance Profile
Application
EC2 attempts to assume role
(sts:AssumeRole API call)
Temporary security
credentials are
returned
AWS STS
Credentials include:
• AccessKeyId
• Expiration
• SecretAccessKey
• SessionToken
Trust policies
control who can
assume the role

Cross Account Access to
Amazon S3

Cross Account Access (3rd Party) Hands-On
S3 Bucket
Identity-based
policy
DCT-MANAGEMENT
Role
DCT-PRODUCTION
sts:AssumeRole
with external ID
Jack
Permissions
Policy
Trust
Policy

Amazon EC2 Instance Profile

Attach Role to EC2 Instance
S3ReadOnly
Permissions Policy
s3:ListBuckets
The user needs
permissions to
pass the role
iam:PassRole
The role is
attached to the
EC2 instance
Jack

AWS IAM Best Practices

• Lock away your AWS account root user access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Grant least privilege
• Get started using permissions with AWS managed policies
• Use customer managed policies instead of inline policies
• Use access levels to review IAM permissions
• Configure a strong password policy for your users
• Enable MFA

• Use roles for applications that run on Amazon EC2 instances
• Use roles to delegate permissions
• Do not share access keys
• Rotate credentials regularly
• Remove unnecessary credentials
• Use policy conditions for extra security
• Monitor activity in your AWS account

SECTION 4
AWS Directory Services and Federation

AWS Directory Services

AWS Managed Microsoft AD
Corporate Office / DC
VPC
Azure AD
Microsoft AD
ADSync ADFS
Console Workspaces
RDS Workdocs
QuickSight Workmail
HA pair of Windows
Server 2012 Domain
Controllers (DCs)
Securely connect to
Amazon EC2 Linux and
Windows instances
Some of the Apps and
Services that support
authentication and
authorization using
AWS Directory Services
Synchronize users and
federate identities
with Azure/O365
VPN
Managed
implementation
of Microsoft
Active Directory
running on
Windows Server
2012 R2
Also Allows you to:
• Apply group policy
• Use single sign-on to
apps and services
• Enable MFA with
RADIUS
One or two-
way trust
relationship

AD Connector
AD
Connector
Active Directory Amazon EC2
AWS Management
Console
Amazon WorkSpaces
Connection
over VPN or
Direct Connect
Self-managed
Micorosoft AD
VPN
Provides federated sign-in to the AWS
Management Console by mapping
Active Directory identities to IAM Roles
Sign-in to AWS applications such as
Amazon WorkSpaces, Amazon
WorkDocs, and Amazon WorkMail by
using your Active Directory credentials
Seamlessly join
Windows EC2
instances to an on-
premise AD domain

Create AWS Managed
Microsoft AD

VPC
AD DC
AWS Management
Console
Windows Server
AD DC
Windows 10
EC2DomainJoin
EC2 instance joins
domain using
permissions
assigned to a role
HA pair of Domain
Controllers
Windows server
with admin tools
Create user in
Active Directory
Create a
workspace and
assign user
User can access
Management
console using
delegation

Identity Federation

Identity Federation Services
AWS Single Sign-On
AWS Identity &
Access Management
• Central management for
federated access
• Attach multiple AWS accounts
and business applications
• Identities can be in AWS SSO
• Works with many IdPs (e.g.
Active Directory)
• Permissions assigned based on
group membership in IdP
• Can use separate SAML 2.0 or
OIDC IdPs for each account
• Enables access control using
federated user attributes
• User attributes can be cost
center, job role etc.
• Federation support for web
and mobile applications
• Provides sign-in and sign-up
• Supports sign-in with social
IdPs such as Apple, Facebook,
Google, and Amazon
• Supports IdPs using SAML 2.0
Amazon Cognito

IAM Identity Federation

Identity Federation
Identity store
(LDAP)
Identity
provider (IdP)
STS S3 Bucket
1 3
2
4
5
6
1. Client application attempts to authenticate using IdP
2. IdP authenticates the user
3. IdP sends client SAML assertion
4. App calls sts:AssumeRoleWithSAML
5. AWS return temporary security credentials
6. App uses credentials to access S3 bucket

Identity Provider Implementation
AWS IAM
Active Directory
(self-managed)
Social
Providers
Web Identity Federation
for mobile apps uses
OpenID Connect (OIDC)
AWS recommend to use
Cognito for web identity
federation in most cases
SAML 2.0 compatible
LDAP source (AD +
ADFS)
Authenticated and
authorized users can
access AWS services
Identity provider is
configured in AWS IAM
- Either SAML or OIDC

AWS Single Sign-on (SSO)

AWS Single Sign-on (SSO)
AWS Single Sign-On
AWS Organizations
AWS
Account A
AWS
Account B
AWS Account C
AWS Account D
Active Directory
(self-managed)
AWS Directory Service
Azure AD
Identity sources can be AWS SSO,
Active Directory and standard
providers using SAML 2.0
Built-in SSO integrations to
business applications
Enables centralized
permissions
management
Connect AWS
accounts and
Organizations
Connect AWS
accounts and
Organizations

Configure AWS SSO with AWS
Managed AD

VPC
AD DC
AWS Management
Console
AD DC
Windows 10
SSO uses AD as an
identity source
DCT-PRODUCTION
DCT-MANAGEMENT
Single Sign-On
User logs into
domain using
Windows
SSO authenticates
user using federation
Access levels are
controlled using
permission sets

Cleanup the Hands-On Lab

Amazon Cognito

Cognito User Pools
Cognito User Pool
SAML OIDC
Identity
Providers
Client /
Mobile
Token (JWT)
AWS Lambda
Token (JWT)
A User Pool is a
directory for managing
sign-in and sign-up for
mobile applications
Users can also sign
in using social IdPs
Cognito acts as an
Identity Broker between
the IdP and AWS
API Gateway used for
application
API
Lambda authorizer
accepts JWT

Cognito Identity Pool
Cognito Identity Pool
SAML OIDC
Identity
Providers
AWS Lambda
STS
IAM Role
Amazon DynamoDB
Identity pools are used to obtain
temporary, limited-privilege
credentials for AWS services
Cognito User Pool
Identity pools use AWS STS to
obtain the credentials
Identities can
come from a
Cognito user pool
Identities can
come from social
IdPs
An IAM role is assumed
providing access to the
AWS services

User Pools + Identity Pools
Token (JWT)
Cognito User
Pool
Region
Cognito Identity
Pool
Other AWS Services
Amazon DynamoDB
Authenticate and get
tokens
Exchange tokens for AWS credentials
Access AWS services
with credentials
AWS Lambda
SAML OIDC
Identity Providers
1
2
3
Client /
Mobile

SECTION 5
Advanced VPC

Defining VPC CIDR Blocks

Defining VPC CIDR Blocks
192
. . .
168 0 0
255
. . .
255 255 0
Network
/24 Subnet Mask 8 host bits = 256 addresses
255
. . .
255 0 0 16 host bits = 65536 addresses
/16 Subnet Mask
255
. . .
255 0 12 host bits = 4096 addresses
/20 Subnet Mask 0
First Address Last Address
192.168.0.1 192.168.0.254
192.168.0.1 192.168.255.254
192.168.0.1 192.168.15.254
Classless Interdomain
Routing (CIDR) uses
variable length
subnets masks (VLSM)

Rules and Guidelines
• CIDR block size can be between /16 and /28
• The CIDR block must not overlap with any existing CIDR block
that's associated with the VPC
• You cannot increase or decrease the size of an existing CIDR block
• The first four and last IP address are not available for use
• AWS recommend you use CIDR blocks from the RFC 1918 ranges:
RFC 1918 Range Example CIDR Block
10.0.0.0 - 10.255.255.255 (10/8 prefix) Your VPC must be /16 or smaller, for example, 10.0.0.0/16
172.16.0.0 - 172.31.255.255 (172.16/12 prefix) Your VPC must be /16 or smaller, for example, 172.31.0.0/16
192.168.0.0 - 192.168.255.255 (192.168/16 prefix) Your VPC can be smaller, for example 192.168.0.0/20

Create a Custom VPC with
Subnets

Create a Custom VPC
Region
VPC
Availability Zone
Public subnet
Private subnet
Availability Zone
Public subnet
Private subnet
Availability Zone
Public subnet
Private subnet
10.0.48.0/20
10.0.64.0/20
10.0.80.0/20
10.0.0.0/20
10.0.16.0/20
10.0.32.0/20
CIDR 10.0.0.0/16

VPC Routing Deep Dive

Region
VPC
Public subnet
Internet
gateway
Private subnet
Public subnet
Private subnet
Public subnet
Private subnet
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
10.0.48.0/20
10.0.64.0/20
10.0.80.0/20
10.0.0.0/20
10.0.16.0/20
10.0.32.0/20
Main Route table
CIDR 10.0.0.0/16
Main route table is implicitly
associated with subnets that
haven’t been explicitly
associated with a route table

Region
VPC
Public subnet
Internet
gateway
Private subnet
Public subnet
Private subnet
Public subnet
Private subnet
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
10.0.48.0/20
10.0.64.0/20
10.0.80.0/20
10.0.0.0/20
10.0.16.0/20
10.0.32.0/20
Main Route table
CIDR 10.0.0.0/16
Private Route table
Destination Target
10.0.0.0/16 Local
Private Route Table

Region
VPC
Public subnet
Internet
gateway
Private subnet
Public subnet
Private subnet
Public subnet
Private subnet
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
10.0.48.0/20
10.0.64.0/20
10.0.80.0/20
10.0.0.0/20
10.0.16.0/20
10.0.32.0/20
Main Route table
CIDR 10.0.0.0/16
Private Route table
Destination Target
10.0.0.0/16 Local
Private Route Table
Subnets are explicitly
associated the private
route table
Each subnet can only
be associated with
one route table

Region
VPC
Public subnet
Internet
gateway
Private subnet
Public subnet
Private subnet
Public subnet
Private subnet
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
CIDR 10.0.0.0/16
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 nat-gw-id
Private Route Table
Destination Target
10.0.0.0/16 Local
Longest prefix wins so
traffic to 10.0.0.0/16 is
routed locally, all other
traffic goes out the IGW
Outbound data is
routed to the NAT
Gateway

VPC
Private subnet
Destination Target
10.0.0.0/16 Local
172.16.0.0/16 vpc-peer-1
172.16.0.0/16 vpc-peer-2
VPC
Private subnet
VPC
Private subnet
CIDR 10.0.0.0/16
CIDR 172.16.0.0/16
CIDR 172.16.0.0/16
172.16.0.15
Destination Target
10.0.0.0/16 Local
172.16.0.0/16 vpc-peer-1
172.16.0.15/32 vpc-peer-2
Longest prefix wins so
all 172.16.0.0 traffic
goes via peer 1 except
traffic to 172.16.0.15
which goes via peer 2
172.16.0.30

VPC
Private subnet
Destination Target
10.0.0.0/16 Local
172.16.0.0/16 vpc-peer-1
172.16.0.0/16 vgw-conn-1
VPC
Private subnet
CIDR 10.0.0.0/16
CIDR 172.16.0.0/16
Static routes are
preferred over
propagated routes
DC CIDR 172.16.0.0/16
CGW
VGW
Routes learned and
propagated by BGP
to route table
172.16.0.20
172.16.0.20
Traffic to 172.16.0.20 gets
routed to EC2 instance

Security
Applications
Gateway Route Tables
VPC
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 eni-id-sec
SN 10.0.1.0/24
0.0.0.0/0 points to
the ENI ID of the
security appliance
All outbound traffic
forwarded to IGW
Internet
gateway
Destination Target
10.0.0.0/16 Local
10.0.1.0/24 eni-id-sec
Security Appliance
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
A Gateway route
table is attached to
an IGW or VGW
SN 10.0.2.0/24

IPv4 and IPv6 Routing
Destination Target
10.0.0.0/16 Local
2001:db8:1234:1a00::/56 Local
172.31.0.0/16 pcx-11223344556677889
0.0.0.0/0 igw-12345678901234567
::/0 eigw-aabbccddee1122334
IPv4 traffic within
the VPC is routed
locally
IPv6 traffic within
the VPC is routed
locally
IPv4 traffic for
172.31.0.0/16 network
goes via a peering
connection
Traffic that doesn’t
match a more
specific route goes
via the IGW
IPv6 traffic that
doesn’t match a
more specific route
goes via the EIGW

Configure Routing

Create a Custom VPC
Region
VPC
Availability Zone
Public subnet
Internet
gateway
Private subnet
Availability Zone
Public subnet
Private subnet
Availability Zone
Public subnet
Private subnet
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
Destination Target
10.0.0.0/16 Local
Private Route Table
10.0.48.0/20
10.0.64.0/20
10.0.80.0/20
10.0.0.0/20
10.0.16.0/20
10.0.32.0/20
Main Route table
Private Route table
CIDR 10.0.0.0/16

Security Groups and Network
ACLs

Security Groups and Network ACLs
VPC
Availability Zone
Public subnet
Private subnet
Security
Group A
Availability Zone
Public subnet
Private subnet
Security
Group A
Network ACL
Security
Group B
Security
Group B
Security
Group A
Router
NACLs apply at the
subnet level
Security Groups
can be applied
to instances in
any subnet
Security Groups
apply at the
Instance level
NACLs apply only to
traffic entering /
exiting the subnet
Network ACL
Network ACL
Network ACL

Stateful vs Stateless Firewalls
Web Server
(10.2.1.10)
Dest Port: 80
A stateful firewall
allows the return
traffic automatically
Firewall
Src Port: 65188
Src Port: 80 Dest Port: 65188
PROTOCOL SOURCE IP DESTINATION IP SOURCE PORT DESTINATION PORT
HTTP 10.1.1.1 10.2.1.10 65188 80
HTTP 10.2.1.10 10.1.1.1 80 65188
A stateless firewall
checks for an allow
rule for both
connections
Client
(10.1.1.1)

Security Group Rules
Security groups support
allow rules only
A source can be an IP
address or security
group ID
Separate rules
are defined for
outbound traffic

Security Groups Best Practice
Private subnet(s)
Public subnet(s)
Inbound: Protocol/Port HTTP/80 Source: 0.0.0.0/0
Outbound: Protocol/Port HTTPS:80 Destination: PublicEC2
Security group – PublicALB
Security group – PublicEC2
Security group – PrivateALB
Security group – PrivateEC2
Inbound: Protocol/Port HTTP/80 Source: PublicALB
Outbound: Protocol/Port HTTPS/8080 Destination: PrivateALB
Inbound: Protocol/Port HTTP/8080 Source: PublicEC2
Outbound: Protocol/Port HTTPS/8080 Destination: PrivateEC2
Inbound: Protocol/Port HTTP/8080 Source: PrivateALB
Internet-facing
ALB
Web Front-End
Application
Layer
Internal ALB

Network ACLs
Inbound Rules
Outbound Rules NACLs have an
explicit deny
Rules are processed
in order

Setup Security Groups and
NACLs

NAT Gateways and NAT
Instances

Private subnet
NAT Gateways
Region
VPC
Availability Zone
Public subnet
Internet
gateway
EC2 Instance
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
Private Route Table
NAT gateway
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 nat-gateway-id
Private-IP
Private-IP
Elastic-IP
The NAT gateway ID must
be specified in the private
subnet RT
The NAT gateway is created
in the public subnet

Private subnet
NAT Instances
Region
VPC
Availability Zone
Public subnet
Internet
gateway
EC2 Instance
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 igw-id
Main Route Table
Private Route Table
NAT Instance
Destination Target
10.0.0.0/16 Local
0.0.0.0/0 nat-instance-id
Private-IP
Private-IP
Elastic-IP
The NAT instance ID must
be specified in the private
subnet RT
Must disable
source/destination checks
Uses a special AMI with
the string “amzn-ami-
vpc-nat” in the name

NAT Instance vs NAT Gateway
NAT Instance NAT Gateway
Managed by you (e.g. software updates) Managed by AWS
Scale up (instance type) manually and use
enhanced networking
Elastic scalability up to 45 Gbps
No high availability – scripted/auto-scaled
HA possible using multiple NATs in multiple
subnets
Provides automatic high availability within an AZ
and can be placed in multiple AZs
Need to assign Security Group No Security Groups
Can use as a bastion host Cannot access through SSH
Use an Elastic IP address or a public IP
address with a NAT instance
Choose the Elastic IP address to associate with a
NAT gateway at creation
Can implement port forwarding through
manual customisation
Does not support port forwarding

Using IPv6 in a VPC

Using IPv6 in a VPC
192
. . .
168 0 1
11000000 10101000
Public IPv4 addresses are
close to being exhausted
and NAT must be used
extensively
IPv4 provides approximately 4.3 billon addresses
00000000 00000001
An IPv4 address is 32 bits long

Using IPv6 in a VPC
2020 0001 5bc2 1c48 32c1 b12c
a93b
9d32
: : : : : : :
IPv6 provides 340,282,366,920,938,463,463,374,607,431,768,211,456
addresses
An IPv6 address is 128 bits long
An IPv6 addresses use
hexadecimal whereas IPv4
addresses use dotted decimal
Network Part Node Part
That’s enough to assign more than
100 IPv6 addresses to every atom
on earth!!!

Using IPv6 in a VPC
VPC
Public subnet Public subnet
IPv4 CIDR 10.0.0.0/16
10.0.0.0/20 10.0.16.0/20
Destination Target
10.0.0.0/16 Local
2406:da1c:f7b:ae00::/56 Local
0.0.0.0/0 igw-id
::/0 igw-id
Route Table
IPv6 CIDR 2406:da1c:f7b:ae00::/56
2406:da1c:f7b:ae11::/64 2406:da1c:f7b:ae10::/64
A hexadecimal pair is assigned
for each subnet – values from 00
– FF = 256 /64 subnets
AWS assign a /56 IPv6
address range to your VPC
Subnets receive a
/64 address range
allowing 18 million
trillion addresses
Route table has an entry to
send all external IPv6
traffic to the IGW
All IPv6 addresses are
publicly routable (no NAT)

Using IPv6 in a VPC
VPC
Public subnet Public subnet
IPv4 CIDR 172.31.0.0/16
172.31.0.0/20 172.31.16.0/20
Destination Target
172.31.0.0/16 Local
0.0.0.0/0 igw-id
::/0 eo-igw-id
Route Table
IPv6 CIDR 2406:da1c:f7b:ae00::/56
2406:da1c:f7b:ae11::/64 2406:da1c:f7b:ae10::/64
All IPv6 addresses are
publicly routable (no NAT)
An Egress-only Internet
Gateway allows IPv6 traffic
outbound but not inbound

Configure IPv6

Additional Settings

VPC Peering

VPC Peering
VPC A VPC B
VPC C VPC D
VPC Peering
connections are
NOT transitive –
full mesh required
10.1.0.0/16 10.2.0.0/16
10.3.0.0/16 10.4.0.0/16
CIDR blocks
cannot overlap
VPC Peering
enables routing
using private IPv4
or IPv6 addresses
VPCs can be in
different accounts
and Regions

VPC Peering
VPC
Public subnet
Route Table
CIDR: 10.1.0.0/16
Region 1 Region 2
EC2 Instance
CIDR: 10.0.0.0/16
VPC
Public subnet
EC2 Instance
Security group (Region2-SG)
Destination Target
10.0.0.0/16 peering-id
Protocol Port Source
ICMP All 10.1.0.0/16
TCP 22 0.0.0.0/0
ICMP All 10.0.0.0/16
TCP 22 0.0.0.0/0
Destination Target
Route Table

Setup VPC in Second Account

Create VPC Peering
Connection

Create VPC Peering Connection
VPC
Public subnet
Route Table
CIDR: 10.1.0.0/16
Region 1 / Account 1 Region 2 / Account 2
EC2 Instance
CIDR: 10.0.0.0/16
VPC
Public subnet
EC2 Instance
Destination Target
ICMP All 10.1.0.0/16
TCP 22 0.0.0.0/0
ICMP All 10.0.0.0/16
TCP 22 0.0.0.0/0
Destination Target
Route Table

VPC Endpoints

VPC Interface Endpoints
VPC
Private subnet
EC2 Instance
AWS CloudFormation
AWS CodeDeploy
An ENI is created in
the subnet
Each interface endpoint
can connect to one of
many AWS services
EC2 instance connects
to public AWS service
using a private IP
Endpoint ENI
AWS PrivateLink
Or you can connect to
an AWS PrivateLink
powered service

VPC Gateway Endpoints
VPC
Private subnet
Destination Target
pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24,
52.95.128.0/21)
vpce-ID
Route Table
S3 Gateway
Endpoint
Amazon S3
EC2 Instance
EC2 instance connects
to S3 using a private
IP
A route table entry is
required with the prefix list
for S3 and the gateway ID
Bucket policies
can limit access to
endpoint source
IAM policies
can be applied
to endpoints

VPC Endpoints
Interface Endpoint Gateway Endpoint
What Elastic Network Interface with a Private IP A gateway that is a target for a specific route
How Uses DNS entries to redirect traffic Uses prefix lists in the route table to redirect
traffic
Which
services
API Gateway, CloudFormation,
CloudWatch etc.
Amazon S3, DynamoDB
Security Security Groups VPC Endpoint Policies

Service Provider Model
VPC
Private subnet
Public subnet
Web Server
Consumer VPC
VPC
Private subnet
Public subnet
EC2 Instance
Service Provider VPC
Endpoint
Network Load
Balancer
Endpoint Service

Create VPC Endpoint

VPC Gateway Endpoints
VPC
Private subnet
Destination Target
pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24,
52.95.128.0/21)
vpce-ID
Private Subnet Route Table
S3 Gateway
Endpoint
Amazon S3
EC2 Instance
Public subnet
Internet
gateway
EC2 Instance

AWS Certified Solutions Architect Professional Course S1-S5

More Related Content

What's hot

Similar to AWS Certified Solutions Architect Professional Course S1-S5

Recently uploaded

AWS Certified Solutions Architect Professional Course S1-S5

Editor's Notes