Summary: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20237280

• Contents:

Refresher: Intro to VPC

Amazon VPC (Virtual Private Cloud) 101

IP Addresses in AWS

Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/36566084

• 💡 IPv4 & IPv6 Refresher from Tech Fundamentals course: IP Address Space
• When a resource (e.g. EC2 instance) gets deployed into a VPC subnet:
  • It automatically gets a static Private IPv4 address (can be used internally in that subnet to route traffic to the instance)
    • More Private IPv4 addresses can be added to the instance
    • Stopping and restarting instance does NOT change its Private IPv4 addresses (static)
  • It can get a dynamic Public IPv4 address if it's deployed in a public subnet
    • ❗ Stopping and restarting instance will change its Public IPv4 address (dynamic)
  • It can get an Elastic IP (EIP) = static Public IPv4 address if it's deployed in a public subnet
    • ❗ Stopping and restarting instance does NOT change its EIP (static)
  • It can get any number of IPv6 addresses (which are all routable in the internet)
    • Subnet must have an IPv6 CIDR (range of addresses) configured
• ❗ Billing:
  • ALL public IPv4 addresses in AWS cost money ($0.005/hour)
    • ‼️ This includes any EIPs!! → if you allocate an EIP and don't release it, it will get charged, even if not in use by an instance!!
    • Free Tier: 750 hours/month
      • 💡 If you do math, this amounts to exactly one instance running continuously for one month with either one public IPv4 or one EIP.
  • IPv6 addresses and Private IPv4 addresses are FREE

VPC Components

Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20237290

• VPC subnet: a partition of the VPC, tied to an AZ
  • AWS resources from private services are deployed in subnets
  • Private subnet: not accessible from the internet
  • Public subnet: accessible from the internet
  • Route Table (RT): configures routing within subnet & outbound
  • Example VPC with 4 subnets (2 private, 2 public)
• Internet Gateway (IGW): allow access to internet and AWS public services
  • Deployed in a public subnet
• NAT (Network Address Translation): translates private IPv4 addresses into public IPv4 addresses & viceversa → can allow outbound connections to internet from private subnets
  • NAT instance: EC2 instance that performs NAT, customer-managed
  • NAT Gateway (NATGW): AWS-managed
• **Firewalls: block incoming & outgoing traffic**
  • NACL (Network Access Control List): stateless FW, blocks/allows traffic IN/OUT at the subnet-level
  • Security Group (SG): stateful FW, allows traffic IN/OUT at the instance/ENI-level
• VPC Flow Logs: NW traffic logs (only traffic metadata, does not log traffic content)