VPC / Virtual Private Cloud
- VPC = personal datacenter
gives complete control over the virtual networking environment
region > vpc > AZ >
public / private subnet ---- security group --- ec2 instance / rdsDB --- nat ---
NACL --- Route table --- router --- IGW --- internet
================
// VPC Key Features
- vpcs are region specific // they do not span regions
- can create 5 vpcs per region
- each region has 1 default vpc
- can create 200 subnets per VPC
- can assign an ipv4 cidr block + ipv6 cidr block
features cost nothing:
vpc
route table
NACL
internet gateway
security group and subnet
VPC Peering
features cost money :
NAT Gateway
VPC endpoint
VPN gateway
Customer gateway
DNS hostname ( if the instance needs dns )
============
// default vpc
- there is a default vpc in each region so instances can be deployed immediately
1 create a vpc with a /16 cidr block.
2 create a /20 default subnet in each AZ
3 create an internet gateway and connect it to the default vpc
4 create a default security group and associate it with the default VPC
5 create a default NACL / network access control list and associate it with the default VPC
6 associate the default dhcp options set with the default vpc
7 when the vpc is created = a route table is auto created
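Added example (not part of the original notes): steps 1 and 2 above carve a /16 VPC block into one /20 subnet per AZ. The code below does that carving with Python's ipaddress module and also reports usable host counts, using the fact that AWS reserves the first four and the last address of every subnet. The VPC CIDR and the AZ names are constructed placeholders.

```python
import ipaddress

# Constructed inputs: a /16 block for the default VPC and placeholder AZ names.
DEFAULT_VPC_CIDR = "172.31.0.0/16"
AZS = ["az-a", "az-b", "az-c"]  # hypothetical AZ names, not real ones


def subnet_capacity(vpc_cidr: str, subnet_prefix: int = 20) -> int:
    """How many subnets of the given prefix length fit in the VPC block."""
    return 2 ** (subnet_prefix - ipaddress.ip_network(vpc_cidr).prefixlen)


def carve_default_subnets(vpc_cidr: str, azs, subnet_prefix: int = 20) -> dict:
    """Assign one /20 (by default) to each AZ, in the order the AZs are listed.
    Returns {az: subnet_cidr}; raises if the VPC block is too small."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(azs) > len(blocks):
        raise ValueError(
            f"{vpc} only holds {len(blocks)} /{subnet_prefix} subnets, "
            f"but {len(azs)} AZs were requested"
        )
    return {az: str(block) for az, block in zip(azs, blocks)}


def usable_hosts(subnet_cidr: str) -> int:
    """AWS reserves 5 addresses per subnet: network address, VPC router,
    DNS resolver, one for future use, and the broadcast address."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def unused_blocks(vpc_cidr: str, assigned: dict, subnet_prefix: int = 20) -> list:
    """The /20 blocks still free for additional (e.g. private) subnets."""
    taken = {ipaddress.ip_network(c) for c in assigned.values()}
    return [
        str(b)
        for b in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=subnet_prefix)
        if b not in taken
    ]


if __name__ == "__main__":
    plan = carve_default_subnets(DEFAULT_VPC_CIDR, AZS)
    for az, cidr in plan.items():
        print(f"{az}: {cidr} ({usable_hosts(cidr)} usable hosts)")
    print(f"{len(unused_blocks(DEFAULT_VPC_CIDR, plan))} /20 blocks still free")
```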
===========
0.0.0.0/0 = all possible ip addresses.
if specified in a route table with target IGW = allows internet access
if specified in security group inbound rules = allows all traffic from the internet to our public resources
0.0.0.0/0 => giving access from anywhere / the internet
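Added example (not from the original notes): a small audit over constructed security group ingress rules that flags any rule whose source is 0.0.0.0/0 or ::/0, rating admin and database ports higher than web ports. It also models the bastion pattern from the bastion section further down: the private instance's group admits SSH only from the bastion's security group, and the bastion only from a corporate range. All group ids, ports and CIDRs here are made up for the example.

```python
import ipaddress

# Constructed sample rules, shaped like the fields of `aws ec2 describe-security-groups`
# output but hand-written: group, protocol ("-1" = all), port range, source.
SAMPLE_RULES = [
    {"group": "sg-web",     "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"group": "sg-web",     "protocol": "tcp", "from_port": 22,  "to_port": 22,  "source": "0.0.0.0/0"},
    {"group": "sg-bastion", "protocol": "tcp", "from_port": 22,  "to_port": 22,  "source": "203.0.113.0/24"},
    {"group": "sg-private", "protocol": "tcp", "from_port": 22,  "to_port": 22,  "source": "sg-bastion"},
    {"group": "sg-db",      "protocol": "-1",  "from_port": -1,  "to_port": -1,  "source": "::/0"},
]

SENSITIVE_PORTS = (22, 3389, 3306, 5432)  # SSH, RDP, MySQL, PostgreSQL


def is_world_open(source: str) -> bool:
    """True when the source admits every IPv4 or IPv6 address (prefix length 0).
    A source that is another security group (sg-...) is never world-open."""
    if source.startswith("sg-"):
        return False
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def rate_rule(rule: dict) -> str:
    """Severity for a world-open rule: all protocols or an admin/db port is
    'high', plain 80/443 is 'info', anything else 'medium'."""
    lo, hi = rule["from_port"], rule["to_port"]
    if rule["protocol"] == "-1":
        return "high"
    if any(lo <= p <= hi for p in SENSITIVE_PORTS):
        return "high"
    if (lo, hi) in ((80, 80), (443, 443)):
        return "info"
    return "medium"


def audit_ingress(rules) -> list:
    """Return (group, protocol, from_port, to_port, source, severity) for every
    rule open to the internet; rules scoped to a CIDR or a group are skipped."""
    return [
        (r["group"], r["protocol"], r["from_port"], r["to_port"], r["source"], rate_rule(r))
        for r in rules
        if is_world_open(r["source"])
    ]


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print(finding)
```

The sg-private rule passes the audit because its source is the bastion's group rather than a CIDR, which is exactly the jump-host layout the bastion section describes.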
==========
// VPC peering
- allows connecting one vpc with another over a direct route using private IP addresses
1 instances on peered vpcs behave like they are on the same network
2 able to connect vpcs across the same or different aws accounts and regions
3 peering uses a star configuration: 1 central vpc - 4 other vpcs
4 no transitive peering ( peering must take place directly between vpcs )
- need a one to one connection to the intermediate VPC
5 no overlapping CIDR blocks
VPC A = 10.0.0.0/16
VPC B = 172.31.0.0/16
VPC PEERING CONNECTION
VPC A 10.0.0.4/32 --------------- VPC B 172.31.0.8/32
==========
// route table
- route table = determines where network traffic is directed
- every subnet in the vpc must have a route table.
- 1 route table can be associated with multiple subnets
destination target
10.0.0.0/16 local
0.0.0.0/0 igw-19asda21312ifsd
public subnet --- route table ---- router --- igw --- internet
===========
// internet gateway ( IGW )
- allows the vpc access to the internet
functions:
1 provides a target inside the vpc for routing to the internet
2 performs NAT for instances that have been assigned a public ipv4 address
TO ROUTE TO THE internet it must be added to the routing table
destination = 0.0.0.0/0
target = igw
(route table) ---- router --- IGW --- internet
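Added example covering the route table and IGW sections above (not code from the original notes): it resolves a destination address against the two-row route table shown earlier using longest-prefix match, which is why in-VPC traffic hits the local route even though 0.0.0.0/0 also matches, and it classifies a subnet as public or private by whether its table carries a default route to an igw. The igw id is the placeholder from the notes; the nat id and test addresses are constructed.

```python
import ipaddress

# Route tables from the notes (public) and a constructed private one.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-19asda21312ifsd"),   # placeholder id copied from the notes
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-placeholder0001"),   # hypothetical NAT gateway id
]


def lookup(route_table, dst_ip: str):
    """Return the target for dst_ip using longest-prefix match; None if
    nothing matches (the router then drops the packet)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [
        (ipaddress.ip_network(dest), target)
        for dest, target in route_table
        if ip in ipaddress.ip_network(dest)
    ]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_public_subnet(route_table) -> bool:
    """Public subnet = its route table has a 0.0.0.0/0 route whose target is an IGW."""
    return any(dest == "0.0.0.0/0" and target.startswith("igw-") for dest, target in route_table)


def trace(route_table, dst_ip: str) -> list:
    """The hops a packet takes, mirroring the diagrams in the notes."""
    target = lookup(route_table, dst_ip)
    if target is None:
        return ["subnet", "route table", "router", "dropped"]
    if target == "local":
        return ["subnet", "route table", "router", "destination subnet"]
    if target.startswith("igw-"):
        return ["subnet", "route table", "router", target, "internet"]
    return ["subnet", "route table", "router", target]


if __name__ == "__main__":
    for ip in ("10.0.3.7", "198.51.100.10"):   # constructed test addresses
        print(ip, "->", trace(PUBLIC_RT, ip))
    print("public?", is_public_subnet(PUBLIC_RT), is_public_subnet(PRIVATE_RT))
```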
==========
// bastion / jumpbox
bastion = an intermediate ec2 instance that has been hardened. // can be used as a jump path for remote traffic from the internet to a private ec2 ip
- helps gain access via SSH / RDP to ec2 instances that sit in a private subnet
** a bastion must not use NAT ( security purposes )
// nat gateways
- nat gateway : a nat gateway is used so that ec2 instances get outbound internet access for security updates
** a bastion can be replaced by Session Manager ( part of Systems Manager )
==========
// direct connect
- aws direct connect : establishes a dedicated network connection from an on premises location to AWS
- helps reduce network cost
- increases bandwidth throughput
- provides a more consistent network experience than typical internet based connections
++ very fast network
there are 2 service tiers:
1 lower bandwidth 50M-500M
2 higher bandwidth 1gb / 10gb
on premises customer ---- customer/partner cage ( router ) ---- aws cage ( router ) ---- vpc / ec2
aws direct connect = the router in the middle ( between the customer / partner cage and the aws cage )
=========
// vpc endpoint
- secret tunnel inside the private aws network
- privately connects the vpc to other AWS services and VPC endpoint services
- eliminates the need for an internet gateway, NAT, VPN or AWS Direct Connect
- instances in the vpc do not need a public ip address to talk to the given service
- traffic between the vpc and the other service never leaves the aws network
- horizontally scaled, redundant and highly available VPC component
- allows secure communication between instances and services without adding availability risk or bandwidth constraints on your traffic
// no need to route traffic via the internet to access the given service
VPC -- VPC endpoint --- s3 bucket
2 tipe vpc endpoint :
1 interface endpoint
2 gateway endpoint
// interface endpoint
- called an ENI / elastic network interface with a private ip address.
entry point for traffic going to a supported service.
interface endpoints are powered by AWS PrivateLink
- access services hosted on AWS easily and securely by keeping network traffic within the AWS network
// ENI Cost
price per vpc endpoint per az $/hour = 0.01
price per GB data processed ($) = 0.01
estimated 7.5$ / month
ENI supports the following services:
API GW
cloudformation
cloudwatch
kinesis
sageMaker
Codebuild
AWS Config
EC2 API
ELB API
AWS KMS
Secrets manager
security token service
service catalog
SNS
SQS
Systems Manager
Marketplace partner services
endpoint services in other AWS accounts
// vpc gateway endpoint
- a gateway that is a target for a specific route in your routing table
- used for traffic destined for a supported AWS service
to create a gateway endpoint you must specify the vpc and the target service to establish the connection to
aws gateway endpoints only support 2 services:
1 S3
2 DynamoDB
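Added example (not from the original notes) showing what "a target for a specific route in your routing table" means in practice: a private subnet whose only way out is a NAT gateway sends S3 traffic through NAT, and after a gateway endpoint is attached the more specific endpoint routes win, so the same traffic goes to the vpce target and never leaves the AWS network. It also refuses to build a gateway endpoint for a service outside S3/DynamoDB. Real gateway endpoints install a single route whose destination is an AWS-managed prefix list (pl-...); here that list is stood in for by two constructed CIDRs, and the nat- and vpce- ids are placeholders.

```python
import ipaddress

GATEWAY_ENDPOINT_SERVICES = {"s3", "dynamodb"}  # the only two services gateway endpoints support

# Constructed private-subnet route table: default route to a NAT gateway (placeholder id).
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-placeholder0001")]

# Constructed stand-in for the regional S3 prefix list; real entries differ.
S3_PREFIX_LIST_CIDRS = ["198.51.100.0/24", "203.0.113.0/25"]


def next_hop(route_table, dst_ip: str):
    """Longest-prefix match over (destination, target) rows."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(d), t) for d, t in route_table if ip in ipaddress.ip_network(d)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def add_gateway_endpoint(route_table, service: str, prefix_list_cidrs, vpce_id: str) -> list:
    """Return a new route table with one row per prefix-list CIDR pointing at
    the endpoint. Services other than S3/DynamoDB need an interface endpoint."""
    if service.lower() not in GATEWAY_ENDPOINT_SERVICES:
        raise ValueError(f"{service}: not supported by gateway endpoints, use an interface endpoint")
    return list(route_table) + [(cidr, vpce_id) for cidr in prefix_list_cidrs]


def leaves_aws_network(target: str) -> bool:
    """Traffic handed to an IGW or NAT gateway exits to the internet; traffic
    handed to local, pcx- or vpce- targets stays inside AWS."""
    return target.startswith(("igw-", "nat-"))


if __name__ == "__main__":
    s3_ip = "198.51.100.7"   # constructed address inside the stand-in prefix list
    before = next_hop(PRIVATE_RT, s3_ip)
    after_rt = add_gateway_endpoint(PRIVATE_RT, "s3", S3_PREFIX_LIST_CIDRS, "vpce-placeholder0001")
    after = next_hop(after_rt, s3_ip)
    print(f"before endpoint: {before} (leaves AWS: {leaves_aws_network(before)})")
    print(f"after endpoint:  {after} (leaves AWS: {leaves_aws_network(after)})")
```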
** vpc endpoint is free
=========