This page is my personal study section for the AWS Solutions Architect -Associate Test. If you see something in error please let me know.
What is an AWS VPC?
A VPC or Virtual Private Cloud is a logically isolated section of the ASW Cloud networking infrastructure where you can launch AWS resources under your own security policies.
You have complete control of the VPC by IP allocation, subnets, gateways, routing tables and a series of virtual firewalls like NACLs at the subnet level and Security Groups (SGs) at the resource (EC2) level.
- A VPC is a Virtual Private Cloud, which is like defining your own personal (or virtual) datacenter.
- A fully functioning VPC is created for you by default in each AWS Region (for accounts created after August 2009)
- VPCs isolate your infrastructure from other customers within the AWS network.
- You can have up to 5 VPC’s per region. This is a soft limit, which can be increased by AWS (if requested).
- When provisioning (creating) a VPC, you must supply a private IP address from one of 3 blocks of your choosing.
- 10.0.0.0 – 10.255.255.255 (10/8 prefix)
- 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
- Min Size of the VPC is a /28 in CIDR Notation or 16 IP Addresses
- Max Size of the VPC is a /16 in CIDR Notation or 65,536 IP Addresses
- It contains one or more subnets. Think of subnets as mini networks, within your private datacenter (your VPC).
- The address range of your subnets must fit inside of the VPC address blocks. For this reason, you should create the VPC to max available size (the /16 of 65,536 IPS). This ensures you have room for your subnets to grow. There’s no additional cost, and ASW recommends it.
- It spans all the Availablity Zones (AZs), for the region in which it is created.
VPC Flow Logs
VPC Flow Logs capture and log/record data about your network traffic. This allows you to monitor how your network resources are being accessed in AWS. It records information about the IP data going to and from designated interfaces. You can use CloudWatch to view the data.
By default, VPC Flow Logs are not enabled. You can easily enable them from the console window or CLI, however, the amount of data it can generate can be enormous and you could quickly rack up fees for capture and storage.
Logging is available at the following levels:
- Network Interface Level
Not all traffic is monitored
Traffic that AWS assumes would muddy the logs is not logged. For example, the following traffic won’t appear in the logs:
- AWS DNS Traffic
- Window License Activation
- Meta Data Traffic 169.254.169.254
- Time Server Traffic: 169.254.169.123
- DHCP Traffic
- Traffic to the default VPC reserved IP
- Traffic between endpoints and Load Balancers
For more information see: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html