3. Introduction
Launch AWS resources in a virtual network
Logically isolated virtual network in the AWS cloud
Define a VPC’s IP address space from ranges you select
Enhanced security options
4. Subnets
Segment of a VPC’s IP address range
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Allowed block size: /16 - /28
5 IPs reserved by AWS in each subnet
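The slide's numbers (the three private ranges, the /16 to /28 block size, and the five addresses AWS holds back in every subnet) are easy to get wrong when sizing a VPC. The following is an added example, not part of the original deck: it checks a proposed CIDR against the slide's constraints with Python's standard `ipaddress` module, names the five reserved addresses by their AWS role (network address, VPC router, Amazon DNS, reserved for future use, broadcast), and carves a block into subnets. Treating the RFC 1918 check as a hard rule is an assumption made here to mirror the slide; AWS itself only recommends those ranges.

```python
import ipaddress

# The three private ranges listed on the slide (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 28   # allowed VPC/subnet block sizes from the slide
RESERVED_PER_SUBNET = 5           # addresses AWS keeps back in every subnet


def check_cidr(cidr):
    """Return a list of problems with a proposed VPC or subnet CIDR (empty = fine)."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:        # host bits set, bad syntax, etc.
        return [f"not a valid network: {exc}"]
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append("not inside a private (RFC 1918) range")
    return problems


def reserved_addresses(subnet):
    """The five addresses AWS reserves in a subnet, by role."""
    net = ipaddress.ip_network(subnet)
    return {
        "network": str(net[0]),      # network address
        "vpc_router": str(net[1]),   # VPC router
        "dns": str(net[2]),          # Amazon-provided DNS
        "future_use": str(net[3]),   # reserved by AWS for future use
        "broadcast": str(net[-1]),   # broadcast address (not used, still reserved)
    }


def usable_addresses(subnet):
    """Addresses actually available to instances in the subnet."""
    return ipaddress.ip_network(subnet).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, new_prefix):
    """Carve a VPC block into equal subnets of the given prefix length."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(check_cidr("10.0.0.0/16"), check_cidr("10.0.0.0/29"), check_cidr("8.8.0.0/16"))
    print(reserved_addresses("10.0.1.0/24"), usable_addresses("10.0.1.0/24"))
    print(plan_subnets("10.0.0.0/24", 26))
```

A /28 is the smallest block allowed and leaves only 11 usable addresses after the five reserved ones, which is why tiny subnets fill up faster than the prefix length suggests.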
5. • Public Subnet
• Private Subnet
• Route Table
• A 0.0.0.0/0 route decides internet access
• Internet Gateway provides connectivity
• ACL can be used to secure a Subnet
• Security Group can be used to secure EC2
• NAT Instance and NAT Gateway can provide internet to Private Subnets
• Public EC2 should have a public IP
• Private EC2 does not need a public IP
• NAT Gateway has an Elastic IP
10. Security
Secure Amazon EC2 instances running
ACL
Security Groups
Stateful and Stateless filtering
VPC Flow Log (Capture IP Traffic)
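The slide lists "stateful and stateless filtering" without showing why the distinction matters operationally. The following is an added example, not from the deck and not AWS code: a small simulator of the two evaluation models. The security group is stateful, so once an inbound HTTPS request is allowed, the reply on the same flow is allowed without consulting any rule; the network ACL is stateless and judges each packet alone against numbered rules with an implicit deny at the end, so the reply to an ephemeral client port is dropped unless an outbound rule for the ephemeral range exists. The security group here is given no outbound rule at all (real security groups allow all outbound by default) purely to make the effect of connection tracking visible; the packet, rule and flow representations are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The packet an instance sends back on the same flow."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound"
    proto: str              # "tcp", "udp" or "all"
    port_lo: int
    port_hi: int
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"   # NACL rules may also be "deny"; SG rules are always allow
    number: int = 0         # NACL rule number (evaluated lowest first)


def matches(rule, pkt, direction):
    remote = pkt.src if direction == "inbound" else pkt.dst
    return (rule.direction == direction
            and rule.proto in ("all", pkt.proto)
            and rule.port_lo <= pkt.dport <= rule.port_hi
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


class NetworkACL:
    """Stateless: every packet is judged on its own against numbered rules."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        for rule in self.rules:
            if matches(rule, pkt, direction):
                return rule.action      # first matching rule wins
        return "deny"                   # the implicit '*' rule at the end


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic is allowed automatically."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def evaluate(self, pkt, direction):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow"              # reply to a tracked flow, rules not consulted
        for rule in self.rules:
            if matches(rule, pkt, direction):
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return "allow"
        return "deny"


def compare():
    """Run one HTTPS request/reply through each filter and report the verdicts."""
    request = Packet("203.0.113.5", 51000, "10.0.1.10", 443)   # constructed sample flow
    reply = request.reply()
    https_in = Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100)
    ephemeral_out = Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=100)

    sg = SecurityGroup([https_in])        # deliberately no outbound rule at all
    nacl_bad = NetworkACL([https_in])     # forgot the outbound ephemeral-port rule
    nacl_ok = NetworkACL([https_in, ephemeral_out])

    return {
        "sg": (sg.evaluate(request, "inbound"), sg.evaluate(reply, "outbound")),
        "nacl_missing_ephemeral": (nacl_bad.evaluate(request, "inbound"),
                                   nacl_bad.evaluate(reply, "outbound")),
        "nacl_with_ephemeral": (nacl_ok.evaluate(request, "inbound"),
                                nacl_ok.evaluate(reply, "outbound")),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:24s} request={verdict[0]} reply={verdict[1]}")
```

The usual symptom of the missing ephemeral rule is a connection that the security group clearly permits but that never completes; the VPC flow log shows the outbound reply as REJECT on the subnet's ACL.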
11. Limits
VPCs per Region : 5 (Can be increased)
Subnets per VPC : 200
IPv4 CIDR blocks per VPC : 5 (1 primary, 4 secondary)
IPv6 CIDR blocks per VPC : 1 (Can’t increase)
12. Limits (Gateway)
Customer gateways per Region : 50
Egress-only internet gateways per Region : 5
Internet gateways per Region : 5
NAT gateways per Availability Zone : 5
Virtual private gateways per Region : 5 (1 per VPC)
You cannot enable flow logs for a VPC that is peered with your VPC unless the peer VPC is in your own AWS account.
You cannot tag a flow log at this time.
After you've created a flow log you cannot change its configuration; for example, you can't associate a different IAM role with the flow log.
Also remember that not all IP traffic is monitored. Traffic generated by instances when they contact the Amazon DNS server is not monitored; if you use your own DNS server, then all traffic to that DNS server will be logged.
Traffic generated by Windows instances for Amazon Windows licensing activation is not monitored.
Traffic to and from 169.254.169.254 for instance metadata is not monitored.
DHCP traffic is not monitored, and neither is traffic to the reserved IP addresses for the default VPC router.
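Because flow logs capture the subset of IP traffic described above, the useful defensive work is reading what they do contain: rejected flows, and windows where the log itself has gaps. The following is an added example, not from the deck: it parses records in the default flow log format (version 2, fourteen space-separated fields), turns the `-` placeholders of NODATA and SKIPDATA records into `None`, counts rejected flows per source and destination port, and flags SKIPDATA windows as a loss of visibility. The log lines are constructed here; the account id and ENI id are placeholders, and the `threshold` in `noisy_sources` is an arbitrary choice for the example.

```python
from collections import Counter

# Field order of the default VPC flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (not real traffic); the account and ENI ids are placeholders.
SAMPLE_LOG = """\
2 111111111111 eni-0placeholder0001 203.0.113.5 10.0.1.10 51000 443 6 12 5040 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder0001 198.51.100.7 10.0.1.10 40001 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder0001 198.51.100.7 10.0.1.10 40002 22 6 3 180 1700000060 1700000120 REJECT OK
2 111111111111 eni-0placeholder0001 198.51.100.7 10.0.1.10 40003 3389 6 2 120 1700000060 1700000120 REJECT OK
2 111111111111 eni-0placeholder0001 - - - - - - - 1700000120 1700000180 - NODATA
2 111111111111 eni-0placeholder0001 - - - - - - - 1700000180 1700000240 - SKIPDATA
"""


def parse_record(line):
    """Turn one space-separated flow log record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_by_source(records):
    """Count REJECTed flows per (source address, destination port); skip NODATA/SKIPDATA."""
    counts = Counter()
    for rec in records:
        if rec["log_status"] != "OK":
            continue            # no traffic captured in that window, nothing to count
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


def noisy_sources(records, threshold=2):
    """Sources whose rejected-flow count reaches the threshold: candidates for review."""
    per_src = Counter()
    for (src, _port), n in rejected_by_source(records).items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)


def skipped_windows(records):
    """SKIPDATA means records were lost in that window: a visibility gap worth alerting on."""
    return [(r["start"], r["end"]) for r in records if r["log_status"] == "SKIPDATA"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(rejected_by_source(recs))
    print(noisy_sources(recs))
    print(skipped_windows(recs))
```

Note that the exclusions listed above mean you should not expect to see instance metadata (169.254.169.254), Amazon DNS or DHCP traffic in these records at all; their absence is normal, not evidence of a logging problem, whereas a SKIPDATA record is.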