VPC Security

Important terms

• Subnets - Remember each subnet must stay within its AZ. No Multiple AZ's or regions.

• Security groups - Think of them as firewalls assigned to the EC2 instance.

You can have up to 5 per instance

These are stateful - they will remember.

• NACL - Network Access Control Lists

Remember these are stateless - so you need to enable both directions.

They are evaluated in order from low to high.

A NACL with always be associated with a subnet.

If no NACL is specified for a VPC the VPC will be assigned a default NACL.

• NAT - Forwards traffic from a private subnet ot the internet or other AWS service.

These are not secure - never use in production.

• VPC Endpoint

Allows a resounce to connect you AWS VPC or AWS services without the public internet.

• AWS Direct Connect

A direct connection to AWS - no public internet.

• Elastic network interface - A virtual network card.

The NO NO IP addresses

Some IP's cannot be used.

• .0 - DUR!!

• .1 - The VPC router

• .2 - Rserved by AWS

• .3 - Reseved by AWS

• .255 - Don't think about it (broadcast address)

Basically the same as most modern networks, except AWS takes .2 and .3

Multiple VPCs

• Every region has a default VPC

• You can setup another VPC if needed.

Remember the VPC is virtual - so setup is not a big deal.

Their is a nominal additional cost for an another VPC.

Route tables =

• Allows the subnet to route traffic.

• It is not security

• A subnet uses the default VPC route table if no route table is defined.