Use Cases for Public Subnets

• Bastion Hosts

• SSH connections

• Public data

• Public Apps

Public Subnets

A subnet is classed as public when

1) An internet gateway is attached to the VPC

2) A default route 0.0.0.0/0 is assigned with the target of the Internet gateway

• Any subnet without these is considered private

Bastion hosts

This is just an EC2 instance that can connect to both networks.

• SSH into the bastion
• SSH from the bastion to the private network

• These allow connections to the private subnet from the internet.

• Hardended ec2 instance.

• Acts as a gateway to the private subnet.

• • Now, the communication can be established with the private subnet without directly exchanging packets.

Restrict the connections to the bastion host as much as possible using security groups.

Configure the private subnet machines to allow SSH communication with the bastion host only.

Nat Gateway

• Managed network service.

• Allows outbound internet access from a private subnet.

• Useful for updates, etc - but could also be used to exfiltrate data!

• This is a stateful service.

As the NAT gateway is a managed service, it provides better scalability than an EC2

• • AWS scales the gateway automatically based on demand.

How to use:

• Creare the NAT Gateway on the public subnet.

• Configure the private subnet to route traffic to the nat gateway.

Tying VPC's together

VPC Peering

• Connects two VPC's over a private connection.

• The VPC traffic acts like they are on the same network.

• Should be in the same AWS account.

Transit Gateway

• Central hub to connect multiple VPC's

• Simplifies routing and security configuration

• Think of it as a router that works on a per-region basis.

• The number of attachments is limited to 5,000.

• Can segment networks based on route tables, ensuring some networks cannot communicate.

VPN Connections

• It can be used to secure a link to an on-prem data center.

• Best to link accounts in different regions or link to on-prem.

• If multiple on-prem locations require access to the same VPC consider AWS VPN Cloudhub

Steps to connect a VPC to a VPN

1) Setup a VPG

• This is a logical representation of the VPC.
• Allows the VPN connections.

2) Configure the CGW

• This is the customer gateway
• Located at the on-premise data center - where the VPN tunnel terminates

3) Create a VPN connection

• Creare a connection between the VPG and the CGW

4) Configure routing

AWS Cloudhub

• Uses a hub and spoke model

• Keep in mind no locations can have overlapping IP ranges.

• Using a customer gateway at each location with cloudhub allows communication with AWS and between remote data centers.

AWS Direct connect

• Private network between the VPC and on-premise data center.

• More secure than a VPN connection.

• Best when high bandwidth and low latency are required.

VPC Peering

• This is a private connection between VPC's

• Uses private IP addresses

• VPC's can be in different regions or different accounts.

• This avoids the need for a VPN.

• Enables data transfer between VPCs without data transfer costs.

• Data transfer is private; it will not leave the AWS network.

VPC Peering Considerations

• Cannot peer if the CIDR blocks are overlapping - How will it route?
• This applies to both IP V4 and V6

• Peers cannot use the Internet Gateway of another peer.

• A peer cannot use the endpoint of another peer (This would create a security issue)

• Security group rules cannot reference other VPC security groups - use the IPv4 range instead.

Using Direct Connect

• Direct connect enables the extension of an on-pre data center to AWS.

• Direct Connect does not use a public network.

• Direct Connect data centers are where the networks physically touch.

• This is done using fiber connections though content delivery partners.

• AWS Direct connect is not encrypted by default you wany want to consider MAC Security

Direct Connect Encryption

VPC Endpoints

• Enables connection to services without traversing the internet.

• Improve security.

Two different types of endpoints:

• Interface endpoints - allow connection to services over aws private link

• Gateway endpoints - provided by Gateway load balancer - enables connection to S3 and DynamoDB