AWS Notes - VPC
- IP ranges:
10.0.0.0 ~ 10.255.255.255 (10/8 prefix)
172.16. 0.0 ~ 172.31.255.255 (172.16/12 prefix)
192.168.0.0 ~ 192.168.255.255 (192.168/16 prefix) - Default 5 VPCs in a region
- VPC can be peered with other VPCs from another account.
- 1 Subnet = 1 Availability Zone
- Secure Groups are stateful (open port 80 all in once), Network Control Lists are stateless (open port 80 for both inbound and outbound separately)
- There is no transitive peering support.
- 5 IP addresses will be reserved by AWS in a subnet ending in: 0, 1, 2, 3, 255.
- Only one IGW can be attached to a VPC
- Security Groups will not span multiple VPCs. They are only available in its own VPC.
- Open ICMP port in an EC2 instance to enable ping the instance from public network.
- You can only associate a subnet to a single ACL. One ACL can be associated with multiple sub nets.
- Default ACL allows all inbound and outbound traffic.
- When a private ACL is created all inbound and outbound traffics are denied.
- ACL rules are evaluated in the order of numbers.
- Block IP Addresses using ACL not Security Groups.
- Application load balancer requires at least two public availability zones.
- You can use Security Group to create a jump box to connect instances in a private subnet.
- When creating a NAT instance, remember to disable source/destination check.
- NAT must be in a public subnet
- NAT instance is behind a security group
- Security Groups operate at the instance level, they support “allow” rules only, and they evaluate all rules before deciding whether to allow traffic.
- VPC Flow Logs can be created at the VPC, subnet, and network interface levels.
- Each subnet must reside entirely within one Availability Zone and cannot span zones.
- When you create a custom VPC, a default Security Group, Access control List, and Route Table are created automaticaly. You must create your own subnets, Internet Gateway, and NAT Gateway (if you need one.)
- When a VPC is created, an ACL, a Security Group and a Route Table is created.
- ACL can be assigned to multiple subnets.
- Security Groups are assigned to instances.
- Once a VPC is set to Dedicated hosting, it is not possible to change the VPC or the instances to Default hosting. You must re-create the VPC.
- You can create VPC peering cross regions and to VPC in another account.
- By default 5 limited EIP per region.