Ref: https://learn.cantrill.io/courses/1820301/lectures/41301348

DEMO: https://learn.cantrill.io/courses/1820301/lectures/45241150

• Summary
• Contents:

Amazon VPC - Refresher

• 💡 Continues from: Amazon VPC - Key Concepts
• Regional service: create a VPC in a region → operate in all AZs of the region → regionally resilient
• Allows to create isolated NWs inside AWS (in a single region):
  • Nothing comes IN or OUT of a VPC without explicit configuration
  • Isolated blast radius: if a resource gets exploited in a VPC, it only affects the VPC and whatever it's connected with
• Support for Hybrid NWing - VPCs can connect to other cloud NWs and/or on-premises NWs
• Advantage: one can start with a simple VPC and layer components piece by piece, like LEGO

Amazon VPC - Custom VPCs

• 🔧 Customer-managed VPCs with flexible configuration - simple or multi-tier
  • opposite of default VPC which always has the same configuration
• Default Tenancy (resources provisioned on shared HW) or Dedicated Tenancy (resources provisioned on dedicated HW)
  • ‼️ Careful! Default Tenancy allows to configure (later) on a per-resource basis whether resource goes to shared or dedicated HW. No option to choose if you establish Dedicated Tenancy at VPC level → always locked-in to dedicated HW (& comes at a premium cost!)
    • When in doubt, choose Default!

Custom VPC IP addressing (VPC Quotas)

IPv4:

• Private CIDR blocks: main communication channel
  • min /28 (16 IPs) & max /16 (65536 IPs)
  • Mandatory to allocate 1 Primary Private IPv4 CIDR block
  • Optional secondary IPv4 CIDR blocks can be added after creating the VPC
    • Up to 5 without support tickets
    • After 5, extra blocks can be obtained with support ticket
• Public IP addresses: when public exposure is needed

IPv6:

• No concept of private/public addresses
  • all IPv6 addresses in AWS are routable by default → less admin overhead
  • security not a problem: one still needs to explicitly allow public connectivity
• Optional single IPv6 /56 CIDR block
  • IPv6 feature still being matured → not all features available as in IPv4 yet
  • Default should be to include it since IPv6 is being used worldwide more and more
  • Addresses ownership:
    • You can use IPv6 addresses that you own
    • You can use addresses assigned by AWS (no custom addresses like in IPv4, no control over which addresses AWS gives you)

❗ Custom VPCs are either IPv4-only OR dual stack (IPv4 + IPv6)

• Documentation on VPC Quotas: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html