AWS Certified Security Specialty - SCS-C02 Study notes - Part 6
VPC Security
Think of the VPC as a personal network.
A business may have one VPC or several.
Subnets
A range of IP addresses in a VPC.
A subnet cannot span multiple Availability Zones or Regions.
Security groups
These are virtual firewalls.
Assigned to an EC2 instance (to its network interface).
Maximum of 5 per instance.
They are stateless; there is no need for a return port number.
Rules are allow only, no deny rule.
All rules are evaluated before a decision is made.
NACL - Network Access Control Lists
Work at the subnet level.
They are stateful; you need to state a return port number.
Rules are evaluated in order until a match is found.
Rules can be allow or deny.
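The two evaluation models above (security group: allow rules only, every rule considered; NACL: numbered rules, allow or deny, first match wins) can be made concrete with a small simulator. This is an added example written for these notes, not AWS code; the rule sets are constructed, and the CIDRs are documentation ranges.

```python
# Added example: how a security group and a NACL each decide whether a packet is permitted.
# Security group: there are no deny rules, so a packet is permitted if ANY rule allows it
# (rule order does not matter). NACL: rules are walked in ascending rule-number order and
# the first matching rule decides; the implicit final rule (*) denies everything else.
import ipaddress


def sg_allows(rules, proto, port, src):
    """Security group semantics: allow-only, all rules are considered, any match permits."""
    src_ip = ipaddress.ip_address(src)
    return any(
        r["proto"] == proto
        and r["from_port"] <= port <= r["to_port"]
        and src_ip in ipaddress.ip_network(r["cidr"])
        for r in rules
    )


def nacl_decision(rules, proto, port, src):
    """NACL semantics: ordered evaluation, first match wins, returns (action, rule number)."""
    src_ip = ipaddress.ip_address(src)
    for r in sorted(rules, key=lambda r: r["number"]):
        if (
            r["proto"] in (proto, "all")
            and r["from_port"] <= port <= r["to_port"]
            and src_ip in ipaddress.ip_network(r["cidr"])
        ):
            return r["action"], r["number"]
    return "deny", "*"  # nothing matched: the implicit catch-all deny applies


# Constructed security group: HTTPS from anywhere, SSH only from one admin range.
SG_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
]

# Constructed NACL: rule 100 blocks one noisy host, rule 200 allows all TCP from anywhere.
# Because evaluation stops at the first match, rule 100 wins for that host even though
# rule 200 would have allowed it.
NACL_RULES = [
    {"number": 100, "action": "deny", "proto": "all", "from_port": 0, "to_port": 65535, "cidr": "198.51.100.7/32"},
    {"number": 200, "action": "allow", "proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(sg_allows(SG_RULES, "tcp", 22, "203.0.113.9"))           # True
    print(sg_allows(SG_RULES, "tcp", 22, "198.51.100.7"))          # False (no rule allows it)
    print(nacl_decision(NACL_RULES, "tcp", 443, "198.51.100.7"))   # ('deny', 100)
    print(nacl_decision(NACL_RULES, "tcp", 443, "203.0.113.9"))    # ('allow', 200)
    print(nacl_decision(NACL_RULES, "udp", 53, "203.0.113.9"))     # ('deny', '*')
```

The practical consequence for a NACL is that a low-numbered deny placed above a broad allow is honoured, while the same deny placed below it would never be reached; for a security group, there is no ordering to get wrong, but there is also no way to carve an exception out of an allow.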
NAT - Network Address Translation
Forwards traffic to the internet.
Using NAT to reach other AWS services is not recommended due to security concerns.
VPC endpoints
These connect the VPC to an AWS service without crossing the internet.
This results in improved privacy, because the traffic never leaves the AWS network.
AWS Direct Connect
Direct connection to the AWS cloud without crossing the internet.
Elastic network interface
A virtual network card attached to an instance.
Reserved IP addresses
AWS reserves 5 IP addresses in every subnet.
In a /24 range, these would be:
192.168.0.0 - Network
192.168.0.1 - AWS Router
192.168.0.2 - Reserved for AWS
192.168.0.3 - Future use
192.168.0.255 - Reserved for AWS
.255 is normally the network broadcast address; as AWS does not support broadcast, it is reserved for AWS use.
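The /24 example generalises to any subnet CIDR: the first four addresses and the last one are reserved, so the usable count is the block size minus 5. The helper below, added for these notes (not AWS code), computes the five reserved addresses and the usable host count for an arbitrary IPv4 CIDR; the lower bound it enforces (AWS allows subnets no smaller than /28) comes from the AWS VPC documentation rather than from the notes above.

```python
# Added example: reserved addresses and usable host count for any IPv4 subnet CIDR.
import ipaddress

SMALLEST_AWS_SUBNET_PREFIX = 28  # AWS allows /16 through /28 for a VPC subnet


def reserved_addresses(cidr):
    """Return the five addresses AWS reserves in the subnet, using the roles from the notes."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if net.prefixlen > SMALLEST_AWS_SUBNET_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be /{SMALLEST_AWS_SUBNET_PREFIX} or larger")
    base = net.network_address
    return {
        "network": str(base),                         # .0   network address
        "vpc_router": str(base + 1),                  # .1   AWS router
        "reserved_by_aws": str(base + 2),             # .2   reserved for AWS
        "future_use": str(base + 3),                  # .3   future use
        "broadcast": str(net.broadcast_address),      # last address; broadcast is unsupported
    }


def usable_host_count(cidr):
    """Addresses an instance can actually take: block size minus the five reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > SMALLEST_AWS_SUBNET_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be /{SMALLEST_AWS_SUBNET_PREFIX} or larger")
    return net.num_addresses - 5


if __name__ == "__main__":
    for cidr in ("192.168.0.0/24", "10.0.1.16/28"):
        print(cidr, reserved_addresses(cidr), "usable:", usable_host_count(cidr))
```

Note that a /28, the smallest subnet AWS permits, leaves only 11 usable addresses out of 16, which matters when sizing subnets for services that allocate many network interfaces.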
Flow logs tab
This tab enables the setup of flow logs.
These logs capture IP traffic sent between network interfaces.
A flow log only captures traffic for the subnet it is assigned to.
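Flow log records are whitespace-separated lines; in the default format the fields are version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action and log-status. The parser below is an added example for these notes, not AWS tooling: it reads a few constructed records (placeholder account ID, documentation IP ranges) and summarises REJECT records per source so that a single source being rejected across many destination ports stands out. It also keeps NODATA records, whose data fields are dashes, rather than crashing on them.

```python
# Added example: parse default-format VPC flow log records and summarise rejected traffic.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
    "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: three rejected probes from one host, one accepted HTTPS flow,
# one rejected SSH attempt from another host, and a NODATA record with no traffic.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 49152 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 49153 23 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 49154 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.8 10.0.1.25 51000 443 6 20 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.8 10.0.1.25 51001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Turn raw flow log lines into dicts; numeric fields are converted only for OK records."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "version" or len(parts) != len(FIELDS):
            continue  # skip a header line or a malformed record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA / SKIPDATA records carry '-' in the data fields
            for key in INT_FIELDS:
                rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_by_source(records, top=5):
    """(srcaddr, reject count, distinct destination ports) for the noisiest rejected sources.
    Many distinct ports from one source is the pattern a port scan leaves in the log."""
    counts, ports = {}, {}
    for rec in records:
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        src = rec["srcaddr"]
        counts[src] = counts.get(src, 0) + 1
        ports.setdefault(src, set()).add(rec["dstport"])
    ranked = sorted(((s, counts[s], len(ports[s])) for s in counts), key=lambda t: (-t[1], t[0]))
    return ranked[:top]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for src, rejects, distinct_ports in rejected_by_source(recs):
        print(f"{src}: {rejects} rejected flows across {distinct_ports} destination ports")
```

Because the log only covers the subnet the flow log is assigned to, a zero result from this summary says nothing about other subnets; coverage has to be checked per subnet (or at the VPC level) before the absence of rejects is read as good news.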
Route Tables
These route network traffic within and out of the VPC.
By default, a local route is created that cannot be deleted.
The route for 0.0.0.0/0 is the default route. It targets the internet gateway and carries all traffic that does not stay within the subnet.
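A route table is consulted by longest-prefix match, which is why the undeletable local route and the 0.0.0.0/0 default route coexist: a destination inside the VPC CIDR matches the more specific local route, and only everything else falls through to the internet gateway. The lookup below is an added example written for these notes, not AWS code; the route tables and the gateway ID are constructed placeholders, and the longest-prefix rule itself is AWS routing behaviour rather than something stated in the notes.

```python
# Added example: longest-prefix-match lookup over a VPC route table.
import ipaddress


def lookup_route(route_table, destination):
    """Return the target of the most specific route covering `destination`, or None."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Constructed tables for a VPC using 10.0.0.0/16. The local route exists in both and
# cannot be deleted; only the public table has a default route to the internet gateway.
PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),
]
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
]

if __name__ == "__main__":
    print(lookup_route(PUBLIC_ROUTE_TABLE, "10.0.3.4"))        # local (more specific than /0)
    print(lookup_route(PUBLIC_ROUTE_TABLE, "198.51.100.1"))    # igw-PLACEHOLDER
    print(lookup_route(PRIVATE_ROUTE_TABLE, "198.51.100.1"))   # None: no path to the internet
```

The private table is the useful case for review: with no 0.0.0.0/0 entry, a destination outside the VPC has no route at all, which is exactly the posture wanted for a subnet that should never initiate internet traffic.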