AWS GLOBAL INFRASTRUCTURE [VPC, IGW, ROUTE TABLES, NACLs, Subnets, AZ]
AWS Regions:
• A grouping of AWS resources located in a specific geographical location
• Designed to serve the AWS customers/users who are located closest to the region
• Regions are made up of multiple Availability Zones
AWS Availability zone
• Geographically isolated zones within the same region that house AWS resources
• AZs are where the separate, physical AWS data centres are located
• Multiple AZs in each region provide redundancy for the AWS resources in that region
Where the physical hardware that runs AWS services is located.
VPC (Virtual Private Cloud)
A private, logically isolated section of AWS that we control, in which we place our AWS resources. We have full control over it, including who is allowed to access the AWS resources inside that VPC.
When we create an AWS account, a default VPC is created for us, including the standard components needed to make it functional:
i) Internet Gateway
ii) A route table
iii) A network access control list
iv) Subnets to provision AWS resources
IGW
An internet gateway is a redundant and highly available VPC component that allows communication between instances in the VPC and the Internet. It imposes no availability risks or bandwidth constraints on our network traffic.
IGW rules and details:
i) Only one IGW can be attached to a VPC
ii) An IGW cannot be detached from a VPC while there are active AWS resources in the VPC
Route Tables
Route tables contain a set of rules, called routes, which determine where traffic is directed. A route table that still has dependencies cannot be deleted. A single VPC can have multiple active route tables. Route tables provide the connectivity between the various resources within the VPC. The default VPC already has a main route table.
NACL
A Network Access Control List (NACL) is an optional layer of security for the VPC that acts as a firewall controlling traffic in and out of one or more subnets.
The default VPC already has a NACL in place, associated with the default subnets. It sits between the route table and the subnet.
NACLs have both inbound and outbound rules.
NACL rules:
i) Rules are evaluated from lowest to highest based on the "rule #"
ii) The first rule found that applies to the traffic type is applied immediately, regardless of any rules that come after it
iii) The default NACL allows all traffic to the default subnets
iv) Any new NACL denies all traffic by default
v) A subnet can only be associated with one NACL at a time
vi) A NACL allows or denies traffic entering the subnet; once traffic is inside the subnet, an additional layer of security comes into play at the instance level
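The following is an added example, not part of the original notes, that models how a NACL decides whether traffic is allowed. It encodes rules i) to iv) above: rules are checked from the lowest rule number upwards, the first match wins and everything after it is ignored, the default NACL allows all traffic, and a newly created NACL with no rules denies everything (the implicit final "*" rule). It also includes a small audit helper, `shadowed`, that flags rules which can never fire because a lower-numbered rule already covers them, which is the typical misconfiguration that rule ii) leads to. All rule numbers, CIDRs and ports are constructed sample values.

```python
"""Model of NACL rule evaluation (added example; constructed sample data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # inclusive port range (ignored for "all" and "icmp")
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    action: str      # "allow" or "deny"

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(addr) in ip_network(self.cidr)


def evaluate(rules: List[NaclRule], protocol: str, port: int, addr: str) -> str:
    """Return "allow" or "deny" for one direction of one packet.

    Rules are sorted by rule number; the first rule that matches decides,
    and later rules are ignored even if they would also match.  If no rule
    matches, the implicit catch-all "*" rule at the end of every NACL denies.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, addr):
            return rule.action
    return "deny"


def shadowed(rules: List[NaclRule]) -> List[int]:
    """Rule numbers that can never fire: an earlier (lower-numbered) rule
    already matches everything they could match (same protocol or "all",
    a port range that covers theirs, and a CIDR that covers theirs)."""
    ordered = sorted(rules, key=lambda r: r.number)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_ok = earlier.protocol in ("all", later.protocol)
            ports_ok = earlier.protocol not in ("tcp", "udp") or (
                earlier.port_from <= later.port_from and later.port_to <= earlier.port_to)
            cidr_ok = ip_network(later.cidr).subnet_of(ip_network(earlier.cidr))
            if proto_ok and ports_ok and cidr_ok:
                result.append(later.number)
                break
    return result


# Constructed sample NACLs (not real account data)
DEFAULT_NACL = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]
NEW_CUSTOM_NACL: List[NaclRule] = []   # no rules yet: everything hits the "*" deny

# A custom NACL where a specific deny is numbered below the broad allow, so it wins
WEB_NACL = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(50, "tcp", 443, 443, "203.0.113.7/32", "deny"),
    NaclRule(200, "tcp", 22, 22, "10.0.0.0/8", "allow"),
]

# The common mistake: the deny is numbered after a catch-all allow, so it never fires
BAD_NACL = [
    NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    print(evaluate(WEB_NACL, "tcp", 443, "203.0.113.7"))   # deny: rule 50 wins over rule 100
    print(evaluate(BAD_NACL, "tcp", 22, "198.51.100.1"))   # allow: rule 110 is shadowed
    print(shadowed(BAD_NACL))                              # [110]
```

One caveat the notes do not mention: real NACLs are stateless, so a reply packet is checked against the rules for the opposite direction and must be allowed there as well; this model evaluates one direction at a time, so run it once for the inbound rule set and once for the outbound one.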
Subnet
When we create a VPC, it spans all of the Availability Zones in the region. After creating a VPC we can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one AZ and cannot span across AZs.
Subnet Rules:
i) A subnet MUST be associated with a route table
ii) A private subnet does not have a route to the internet
iii) A subnet is located in one specific AZ.
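As an added example (not part of the original notes), the following models a VPC's route tables and subnets and ties the route-table section and the subnet rules together. `next_hop` looks up a destination in a route table using the most specific matching route, which is how AWS route tables select a route; `is_public` applies rule ii) above, treating a subnet as public only when its effective route table has a `0.0.0.0/0` route to an internet gateway (a subnet with no explicit association falls back to the VPC's main route table, which is what rule i) amounts to in practice); `validate_subnets` checks rule iii) and that each subnet's CIDR lies inside the VPC and does not overlap another subnet. All CIDRs, AZ names and the `igw-EXAMPLE` identifier are constructed placeholders.

```python
"""Model of VPC route tables and subnets (added example; constructed sample data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    destination: str   # CIDR such as "10.0.0.0/16" or "0.0.0.0/0"
    target: str        # "local", an internet gateway id, a NAT gateway id, ...


@dataclass
class RouteTable:
    name: str
    routes: List[Route]


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str                             # exactly one Availability Zone
    route_table: Optional[str] = None   # None -> the VPC's main route table applies


@dataclass
class Vpc:
    cidr: str
    main_route_table: str
    route_tables: Dict[str, RouteTable]
    subnets: List[Subnet]
    azs_in_region: List[str]


def next_hop(table: RouteTable, dst: str) -> Optional[str]:
    """Return the target of the most specific route matching dst, or None."""
    addr = ip_address(dst)
    best = None   # (prefix length, target)
    for r in table.routes:
        net = ip_network(r.destination)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.target)
    return None if best is None else best[1]


def effective_table(vpc: Vpc, subnet: Subnet) -> RouteTable:
    """A subnet without an explicit association uses the main route table."""
    return vpc.route_tables[subnet.route_table or vpc.main_route_table]


def is_public(vpc: Vpc, subnet: Subnet) -> bool:
    """Public means: default traffic (0.0.0.0/0) is routed to an internet gateway."""
    table = effective_table(vpc, subnet)
    return any(r.destination == "0.0.0.0/0" and r.target.startswith("igw-")
               for r in table.routes)


def validate_subnets(vpc: Vpc) -> List[str]:
    """Return a list of problems; empty when every subnet satisfies the rules."""
    problems = []
    vpc_net = ip_network(vpc.cidr)
    nets = []
    for s in vpc.subnets:
        if s.az not in vpc.azs_in_region:
            problems.append(f"{s.name}: AZ {s.az} is not in this region")
        net = ip_network(s.cidr)
        if not net.subnet_of(vpc_net):
            problems.append(f"{s.name}: {s.cidr} is outside the VPC CIDR {vpc.cidr}")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{s.name}: {s.cidr} overlaps {other_name}")
        nets.append((s.name, net))
        if s.route_table is not None and s.route_table not in vpc.route_tables:
            problems.append(f"{s.name}: unknown route table {s.route_table}")
    return problems


# Constructed sample VPC: one public subnet and two private ones in two AZs
SAMPLE_VPC = Vpc(
    cidr="10.0.0.0/16",
    main_route_table="main",
    route_tables={
        "main": RouteTable("main", [Route("10.0.0.0/16", "local")]),
        "public": RouteTable("public", [Route("10.0.0.0/16", "local"),
                                        Route("0.0.0.0/0", "igw-EXAMPLE")]),
    },
    subnets=[
        Subnet("web-a", "10.0.1.0/24", "us-east-1a", "public"),
        Subnet("db-a", "10.0.2.0/24", "us-east-1a"),
        Subnet("db-b", "10.0.3.0/24", "us-east-1b"),
    ],
    azs_in_region=["us-east-1a", "us-east-1b"],
)

if __name__ == "__main__":
    for s in SAMPLE_VPC.subnets:
        print(s.name, "public" if is_public(SAMPLE_VPC, s) else "private")
    print(validate_subnets(SAMPLE_VPC))   # []
```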