Amazon VPC is a logically isolated virtual network in the AWS cloud. You define the VPC's IP address space from ranges you select.
- A VPC spans all of the Availability Zones in the Region.
- The owner of a VPC can share one or more subnets with other accounts (participants) that belong to the same organization in AWS Organizations.
Default VPC
A default VPC is a logically isolated virtual network that AWS creates automatically for your account in each Region, with a default public subnet in each Availability Zone. When you launch an instance without specifying a subnet ID, it is launched into a default subnet of your default VPC.
Route table
- A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
- You can replace the main route table with a custom subnet route table, but you cannot replace the main route table with a gateway route table.
- A subnet must be associated with exactly one route table at a time (if you don't associate one explicitly, it uses the main route table), but multiple subnets can share the same subnet route table.
- You can optionally associate a route table with an internet gateway or a virtual private gateway (gateway route table). This enables you to specify routing rules for inbound traffic that enters your VPC through the gateway.
- Destination: The range of IP addresses where you want traffic to go (destination CIDR).
- Target: The gateway, network interface, or connection through which to send the destination traffic.
- Local route: A default route for communication within the VPC.
- Edge association: A route table that you use to route inbound VPC traffic to an appliance.
- Route table association: The association between a route table and a subnet, internet gateway, or virtual private gateway.
- Propagation: Route propagation allows a virtual private gateway to automatically propagate routes to the route tables.
- Route tables use the most specific route that matches the traffic (longest prefix match). If a static route and a propagated route have the same destination, the static route takes priority.
Gateway route table
- You can associate a route table with an internet gateway or a virtual private gateway. A gateway route table gives fine-grained control over the routing path of traffic entering your VPC, for example, redirecting it to a middlebox security appliance in your VPC.
- A gateway route table supports routes where the target is local (the default local route), a Gateway Load Balancer endpoint, or an elastic network interface in your VPC that is attached to your middlebox appliance. You cannot route traffic from a virtual private gateway to a Gateway Load Balancer endpoint.
- When you route traffic through a middlebox appliance, the return traffic from the destination subnet must be routed through the same appliance. Asymmetric routing is not supported.
Prefix List
- When you create a prefix list, you must specify the maximum number of entries it can hold. When you reference the prefix list in a resource, that maximum (not the number of entries actually in the list) counts against the resource's rule or entry quota.
- A prefix list only applies to the Region where you created it.
- A prefix list supports a single type of IP addressing only (IPv4 or IPv6).
AWS-managed prefix list
Represents the IP address ranges for an AWS service. Often referenced in inbound and outbound VPC security group rules when that AWS service is used, so the rules stay correct as AWS changes its ranges.
Customer-managed prefix list
A set of IPv4 or IPv6 CIDR blocks that you define and manage.
You can reference the prefix list in your VPC security group rules, subnet route table entries, and transit gateway route table entries to avoid referencing each IP address repeatedly in each resource.
Subnet:
- A subnet must reside within a single Availability Zone.
- A segment of a VPC’s IP address range where you can place groups of isolated resources.
- All subnets in a VPC can reach each other through the local route, which cannot be deleted; restrict that reachability with security groups and network ACLs, not routing.
- You control which gateway a subnet uses by the route table you associate with it.
- Public subnets have a route table entry that sends internet-bound traffic to an internet gateway.
- Private subnets are not directly reachable from the public internet (outbound access, if any, goes through a NAT device).
- VPN-only subnets have no route to the internet gateway; their traffic is routed to a virtual private gateway for a Site-to-Site VPN connection.
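The route-selection rules in the route table section (longest prefix match, static over propagated) and the public/private/VPN-only subnet types are easiest to see on concrete tables. The following Python is an added example written for these notes, not AWS code; the route tables and the gateway IDs (igw-0abc, nat-0def, vgw-0123, pcx-0456, pcx-0789) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str          # destination CIDR, for example "0.0.0.0/0"
    target: str               # "local" or a gateway/interface/connection ID (hypothetical IDs below)
    propagated: bool = False  # True if the route was propagated by a virtual private gateway


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target a VPC route table would pick for dst_ip.

    Longest prefix match wins; when a static and a propagated route have the
    same prefix length, the static route wins. None means no route matches.
    """
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for route in route_table:
        net = ipaddress.ip_network(route.destination)
        if net.version != ip.version or ip not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
        elif net.prefixlen == best_len and best.propagated and not route.propagated:
            best = route  # same destination: static overrides propagated
    return best.target if best else None


def classify_subnet(route_table: List[Route]) -> str:
    """Classify a subnet by where its IPv4 default route points:
    internet gateway -> public, virtual private gateway -> vpn-only,
    anything else (NAT gateway or no default route) -> private."""
    default = next((r for r in route_table if r.destination == "0.0.0.0/0"), None)
    if default is None:
        return "private"
    if default.target.startswith("igw-"):
        return "public"
    if default.target.startswith("vgw-"):
        return "vpn-only"
    return "private"


# Constructed route tables for a VPC using 10.0.0.0/16 (all IDs are made up).
PUBLIC_RT = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-0abc"),
]
PRIVATE_RT = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "nat-0def"),
    Route("192.168.0.0/16", "vgw-0123", propagated=True),  # learned over the VPN
    Route("192.168.10.0/24", "pcx-0456"),                  # more specific static route to a peer
    Route("172.16.0.0/12", "vgw-0123", propagated=True),
    Route("172.16.0.0/12", "pcx-0789"),                    # same destination: static wins
]
VPN_ONLY_RT = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "vgw-0123", propagated=True),
]

if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("vpn-only", VPN_ONLY_RT)):
        print(f"{name} subnet classified as {classify_subnet(rt)}")
    for dst in ("10.0.1.5", "8.8.8.8", "192.168.10.7", "192.168.20.7", "172.16.5.5", "2001:db8::1"):
        print(f"private subnet -> {dst}: {lookup(PRIVATE_RT, dst)}")
```

The 172.16.0.0/12 pair shows the tie-break: a VPN-propagated route and a static peering route to the same destination resolve to the static one regardless of the order they appear in. The IPv6 address returns None because no IPv6 route exists in the table, which is also why a subnet needs its own ::/0 route before IPv6 traffic can leave.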
Transit Gateway
AWS Transit Gateway connects VPCs and on-premises networks through a central hub, which avoids a mesh of peering relationships. It acts as a cloud router: each new connection is made only once, to the transit gateway. As you expand globally, inter-Region peering connects transit gateways together over the AWS global network; that traffic is encrypted and never travels over the public internet.
With AWS Transit Gateway, a single VPN connection can reach any VPC attached to the transit gateway. Transit Gateway also lets you scale IPsec VPN throughput with equal-cost multi-path (ECMP) routing over multiple VPN tunnels. A single VPN tunnel still has a maximum throughput of 1.25 Gbps; with multiple tunnels to an ECMP-enabled transit gateway, aggregate throughput can exceed that limit.
To use ECMP, the VPN connection must be configured for dynamic routing (BGP). ECMP is not supported on VPN connections that use static routing.
Elastic Network Interface
- An elastic network interface is a virtual network interface that can include the following attributes:
- a primary private IPv4 address
- one or more secondary private IPv4 addresses
- one Elastic IP address per private IPv4 address
- one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
- one or more IPv6 addresses
- one or more security groups
- a MAC address
- a source/destination check flag
- a description
- You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. When you move a network interface from one instance to another, network traffic is redirected to the new instance.
- An EC2 instance can have more than one network interface attached, but you cannot detach the primary network interface (eth0).
- Network interfaces can only be attached to instances in the same Availability Zone and VPC.
Elastic IP addresses (EIP)
- An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing.
- Elastic IP addresses are regional. You cannot migrate an Elastic IP address to another Region.
- Elastic IP addresses for IPv6 are not supported.
Elastic Network Interface VS Elastic IP addresses
An Elastic IP address is a property of a network interface. The advantage of associating the Elastic IP address with the network interface instead of directly with the instance is that you can move all the attributes of the network interface from one instance to another in a single step.
By default, when you create a network interface, it is associated with the default security group for the VPC.
IPV4 VS IPV6
- Your VPC can operate in dual-stack mode: your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 addresses are independent of each other.
Private IPV4
- When you launch an instance into a VPC, a primary private IP address from the IPv4 address range of the subnet is assigned to the default network interface (eth0) of the instance.
- You can assign a secondary private IP addresses to instances that are running in a VPC.
- A private IP address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated.
Public IPV4
- When you launch an instance into a subnet whose auto-assign public IPv4 address attribute is enabled (the usual setting for a public subnet), a public IPv4 address is assigned to the instance's primary network interface (eth0).
- A public IPv4 address is assigned from Amazon's pool of public IPv4 addresses; it is not associated with your account.
- A public IPv4 address is released when you stop or terminate your instance, and a different one is assigned when the instance starts again. If you require a persistent public IP address, use an Elastic IP address instead.
- The public DNS hostname of an instance resolves to its public IPv4 address from outside the instance's network, and to its private IPv4 address from within the network.
IPV6
- Your instance in a VPC receives an IPv6 address if an IPv6 CIDR block is associated with your VPC and your subnet.
- An IPv6 address persists when you stop and start your instance, and is released when you terminate your instance.
- You can assign additional IPv6 addresses to your instance by assigning them to a network interface attached to your instance. You cannot reassign an IPv6 address while it's assigned to another network interface—you must first unassign it.
Network Address Translation (NAT)
- A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances.
- NAT devices are not supported for IPv6 traffic; use an egress-only internet gateway instead.
NAT gateway
- A public NAT gateway must have an Elastic IP address, chosen when the gateway is created. A private NAT gateway has no Elastic IP address and is used only to reach other private networks (for example across a transit gateway or virtual private gateway).
- You cannot associate a security group with a NAT gateway. To protect your instance, you can associate security groups with instances in your private subnets or set up network ACLs to control the traffic to and from the subnet in which the NAT gateway is located.
- Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access.
- A NAT gateway cannot be used by resources on the other side of a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect.
NAT instance
- Traffic from the instances in the private subnet is directed to the NAT instance in the public subnet. The NAT instance then sends the traffic to the internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.
- For creating a NAT instance, you launch an instance from an AMI that's configured to run as a NAT instance
NAT gateway VS NAT instance
A NAT gateway is the AWS-managed solution for NAT. It is implemented with redundancy within its Availability Zone and automatically scales bandwidth up to 45 Gbps. A NAT instance is a regular EC2 instance that you size, patch, monitor, and fail over yourself, and it only works if you disable its source/destination check so that it can forward packets not addressed to it.
Gateway
Internet Gateway
- The Amazon VPC side of a connection to the public Internet
- An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It imposes no availability risks or bandwidth constraints
- The internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the internet, the reply address field is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IPv4 address or Elastic IP address of your instance has its destination address translated into the instance's private IPv4 address before the traffic is delivered to the VPC.
NAT Gateway
A highly available, managed Network Address Translation (NAT) service that lets resources in a private subnet reach the internet.
- Handles only connections initiated from inside the VPC (and their responses); it does not accept unsolicited inbound connections from the internet
- Supports IPv4 only (use an egress-only internet gateway for IPv6)
Virtual Private Gateway
The Amazon VPC side of a VPN connection
Egress-only Internet Gateway
- A stateful gateway that allows outbound-only (egress) IPv6 traffic from the VPC to the internet and prevents the internet from initiating IPv6 connections to your instances.
- You cannot associate a security group with an egress-only internet gateway. To protect your instance, you can add security groups to the instances and add network ACLs to the subnets for which the egress-only internet gateway routes traffic.
Carrier gateway
- An IPv4 gateway that serves two purposes:
- allows inbound traffic from a carrier network in a specific location
- allows outbound traffic to the carrier network and the internet.
- Carrier gateways are only available for VPCs that contain subnets in a Wavelength Zone. The carrier gateway provides connectivity between your Wavelength Zone and the telecommunication carrier, and devices on the telecommunication carrier network
- The carrier gateway performs NAT between the Wavelength instances' IP addresses and Carrier IP addresses from a pool assigned to the network border group. This NAT function is similar to how an internet gateway functions in a Region.
Enable Internet Access
- Create an internet gateway and attach it to your VPC.
- Add a route to your subnet's route table that directs internet-bound traffic to the internet gateway.
- Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
- Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
VPC Peering
- A peering connection lets you route traffic between two VPCs using private IP addresses, as if they were in the same network.
- VPC peering connections do not require an internet gateway.
- Traffic between peered VPCs stays on the AWS network but is not encrypted by the peering connection itself.
- VPC peering is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. Consequently an on-premises network connected to one VPC over AWS Direct Connect or a VPN cannot reach the peer VPC through the peering (no edge-to-edge routing).
Restrictions:
- No overlapping IP ranges between the peered VPCs
- No NAT gateway routing between VPCs (a peer cannot use your NAT gateway)
- No transitive peering: if A peers with B and B peers with C, A cannot reach C through B; A needs its own peering with C (or a transit gateway)
VPC ClassicLink
- VPC ClassicLink allowed EC2 instances on the EC2-Classic platform to communicate with instances in a VPC using private IP addresses. (EC2-Classic was retired in August 2022; these notes are kept for reference.)
- An EC2-Classic instance cannot be linked to more than one VPC by ClassicLink at the same time.
- With ClassicLink, the public DNS hostname of a VPC instance does not resolve to its private IP address; the EC2-Classic instance must address VPC instances by private IP address, and resources in the VPC reach the EC2-Classic instance by its existing private IP address.
- The ClassicLink connection does not persist through stop/start cycles of the EC2-Classic instance.
VPC Endpoints
Enables private connectivity to AWS services and VPC endpoint services powered by AWS PrivateLink, from within your VPC, without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies
Endpoints are horizontally scaled, redundant, and highly available virtual devices. They allow communication between instances in your VPC and supported services without imposing availability risks or bandwidth constraints on your network traffic.
Categories
Gateway Endpoints
- A gateway endpoint adds an entry to your route table whose destination is the service's prefix list and whose target is the endpoint; it is available only for Amazon S3 and DynamoDB.
- Traffic to the service stays on the Amazon network instead of going out through an internet gateway or NAT device.
Gateway Load Balancer Endpoints
- Gateway Load Balancer endpoint is an elastic network interface with a private IP address from the IP address range of your subnet.
- It serves as an entry point to intercept traffic and route it to a service that you've configured using Gateway Load Balancers.
- It is powered by PrivateLink.
Interface Endpoints
- An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet.
- It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.
- It is powered by PrivateLink.
- The endpoint gets a private IP address from your subnet and an endpoint-specific DNS name; unless private DNS is enabled for the endpoint, you must change the service endpoint that your code uses to the endpoint's DNS name.
- Example: AWS STS (interface endpoint).
- Can be placed in multiple subnets, one per Availability Zone, for availability.
Important services that your VPC reaches through gateway endpoints
- Amazon DynamoDB
- Amazon S3
- No extra cost, and no code changes (the route table entry redirects traffic to the service's public IP ranges)
- Associated with the route tables of a single VPC; not usable from a peered VPC, a VPN connection, or Direct Connect
Endpoint service
Your own application or service in your VPC. Other AWS principals can create an endpoint from their VPC to your endpoint service.
Private DNS names for endpoint services
When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that you can use to communicate with the service. These names include the VPC endpoint ID, the Availability Zone name and Region Name.
If the endpoint service is for an AWS service, or a service available in the AWS Marketplace, there is a default DNS name.
For other services, the service provider can configure a private DNS name so consumers can access the service using an existing DNS name without making changes to their applications.
You can only use public domain name servers: the provider must verify ownership of the private DNS domain through a DNS TXT record that AWS checks.
You can only use the private DNS name to access the endpoint service when the verification status is verified. If you add a new subdomain to a verified domain, you must verify the domain or subdomain before you can use it to configure your endpoint.
AWS PrivateLink
AWS PrivateLink enables customers to access services hosted on AWS without traversing across the Internet or using public IPs.
Bring Your Own IP (BYOIP)
- Bring Your Own IP (BYOIP) enables customers to move all or part of their existing publicly routable IPv4 or IPv6 address space to AWS for use with their AWS resources
- A BYOIP prefix can be used with any number of VPCs in the same account: you advertise it from AWS and then allocate Elastic IP addresses from the resulting address pool.
AWS Network Firewall
A firewall connects a firewall policy's network traffic filtering behavior to the VPC that you want to protect, through firewall endpoints that you place in dedicated subnets and route traffic through.
- A firewall policy defines the monitoring and protection behavior for a firewall. The details of the behavior are defined in the rule groups that you add to your policy, and in some policy default settings.
- A rule group is a reusable set of criteria for inspecting and handling network traffic. You add one or more rule groups to a firewall policy as part of your policy configuration. Rule groups can be either stateless or stateful: stateless rule groups behave like a network ACL (evaluated per packet, in priority order, before the stateful engine), and stateful rule groups behave like a security group (evaluated per flow, with Suricata-compatible rules).
Network ACL
- Acts as a firewall for its associated subnets
- Supports both allow and deny rules
- You can associate a network ACL with multiple subnets, but a subnet can be associated with only one network ACL at a time
- Stateless: return traffic is not tracked, so responses to allowed inbound traffic must be permitted by the outbound rules (and vice versa); in practice this means opening the ephemeral port range (for example 1024-65535) in the direction of the replies
- Rules are evaluated in ascending order of rule number; the first matching rule is applied, and the implicit final rule (*) denies everything else
- A default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic
- A custom network ACL denies all inbound and outbound traffic until you add rules
Security Group
- Acts as a virtual firewall for the network interfaces (instances) it is associated with
- Allow rules only; there are no deny rules, so traffic that matches no rule is dropped
- Stateful: responses to allowed inbound traffic are permitted out regardless of outbound rules, and responses to allowed outbound traffic are permitted in regardless of inbound rules. If an explicit outbound rule already allows the response traffic, it is allowed on the basis of that rule rather than on the tracked connection.
- Uses connection tracking to decide which packets belong to an allowed flow
- All rules are evaluated together; if any rule allows the traffic, it is allowed (the most permissive rule wins), so rule order does not matter
- A new security group has no inbound rules and one outbound rule that allows all outbound traffic
- A security group can only be used in the VPC that you specify when you create it
- Default quotas: 5 security groups per network interface, and 60 inbound and 60 outbound rules per security group (adjustable)
- Instances associated with a security group can't talk to each other unless you add rules allowing the traffic (exception: the default security group has a rule that allows traffic from itself)
- You cannot associate a security group with an egress-only internet gateway
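To make the stateless/stateful difference and the rule-ordering rules of the two sections above concrete, here is an added Python model of how a network ACL and a security group decide on a packet; it is written for these notes and is not AWS code. The rules, addresses and the sg-bastion group ID are constructed, and the model ignores ICMP type/code matching.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NaclRule:
    number: int     # rule number; lower numbers are evaluated first
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str   # "tcp", "udp", "icmp" or "-1"
    port_from: int
    port_to: int
    source: str     # CIDR block, or a referenced security group ID such as "sg-..."


def nacl_allows(rules: List[NaclRule], ip: str, protocol: str, port: int) -> bool:
    """Network ACL semantics: rules are checked in ascending rule number, the
    first match decides, and the implicit final rule (*) denies everything else."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action == "allow"
    return False


def sg_allows(rules: List[SgRule], ip: str, protocol: str, port: int,
              source_sg: Optional[str] = None) -> bool:
    """Security group semantics: allow rules only, evaluated as a whole, so any
    matching rule permits the traffic and rule order is irrelevant."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        if rule.source.startswith("sg-"):
            if rule.source == source_sg:  # matched by the sender's group membership, not its IP
                return True
        elif addr in ipaddress.ip_network(rule.source):
            return True
    return False


def inbound_tcp_session(client_ip: str, client_port: int, server_port: int,
                        nacl_in: List[NaclRule], nacl_out: List[NaclRule],
                        sg_in: List[SgRule], client_sg: Optional[str] = None) -> bool:
    """Can a TCP session from client_ip:client_port to the instance's server_port
    complete? The SYN must pass the subnet's inbound NACL and the instance's
    security group. The SYN-ACK back to the client's ephemeral port must pass
    the outbound NACL (stateless) but needs no outbound security group rule
    (stateful connection tracking)."""
    request_ok = (nacl_allows(nacl_in, client_ip, "tcp", server_port)
                  and sg_allows(sg_in, client_ip, "tcp", server_port, client_sg))
    reply_ok = nacl_allows(nacl_out, client_ip, "tcp", client_port)
    return request_ok and reply_ok


# Constructed rules for a web subnet (addresses and IDs are made up).
NACL_IN = [
    NaclRule(100, "tcp", "203.0.113.0/24", 443, 443, "deny"),  # block one abusive range
    NaclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),      # HTTPS from anywhere
]
NACL_OUT_OK = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]   # replies to ephemeral ports
NACL_OUT_MISSING = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]  # common mistake: no ephemeral range
SG_WEB = [SgRule("tcp", 443, 443, "0.0.0.0/0")]
SG_SSH_FROM_BASTION = [SgRule("tcp", 22, 22, "sg-bastion")]

if __name__ == "__main__":
    print(inbound_tcp_session("198.51.100.7", 40000, 443, NACL_IN, NACL_OUT_OK, SG_WEB))       # True
    print(inbound_tcp_session("203.0.113.5", 40000, 443, NACL_IN, NACL_OUT_OK, SG_WEB))        # False: deny rule 100 matched first
    print(inbound_tcp_session("198.51.100.7", 40000, 443, NACL_IN, NACL_OUT_MISSING, SG_WEB))  # False: SYN-ACK blocked by outbound NACL
    print(sg_allows(SG_SSH_FROM_BASTION, "10.0.0.9", "tcp", 22, source_sg="sg-bastion"))       # True
    print(sg_allows(SG_SSH_FROM_BASTION, "10.0.0.9", "tcp", 22, source_sg="sg-other"))         # False
```

The third case is the classic NACL mistake: the security group is correct and the inbound NACL allows port 443, yet no session completes because the outbound NACL never allows the reply to the client's ephemeral port. Renumbering the deny rule above the allow rule (for example 120 instead of 100) silently turns the block into a no-op, which is why NACL rule numbers deserve review in change requests.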
Stale Security Group Rules
If your VPC has a VPC peering connection with another VPC, a security group rule can reference another security group in the peer VPC. This allows instances that are associated with the referenced security group and those that are associated with the referencing security group to communicate with each other.
If the owner of the peer VPC deletes the referenced security group, or if you or the owner of the peer VPC deletes the VPC peering connection, the security group rule is marked as stale. You can delete stale security group rules as you would any other security group rule.
VPC Flow Logs
- Log information about network traffic going in and out of network interfaces in your VPC. You can create a flow log for a VPC, subnet, or individual network interface.
- Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
- Flow logs do not capture real-time log streams for your network interfaces. It can take several minutes to begin collecting and publishing data to the chosen destinations. After you've deleted a flow log, it can take several minutes to stop collecting data.
Aggregation Interval
- The aggregation interval is the period of time during which a particular flow is captured and aggregated into a flow log record.
- Flow logs with a smaller maximum aggregation interval produce a higher volume of flow log records.
Limitations
- You cannot enable flow logs for network interfaces that are in the EC2-Classic platform.
- You can't enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- After you've created a flow log, you cannot change its configuration or the flow log record format.
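A practical use of flow logs is hunting over the records. The following Python is an added example (not AWS code) that parses default-format records, drops NODATA/SKIPDATA lines, and runs two simple detections: a source whose rejected connections touch many destination ports (a scan) and accepted SSH/RDP from outside the VPC's private address space. The log lines are constructed for illustration, and the private-space check assumes the VPC uses RFC 1918 addresses.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status")

ADMIN_PORTS = {22, 3389}  # SSH and RDP
# Assumption: the VPC (and anything legitimately reaching it) uses RFC 1918 space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow_log(text: str) -> List[Dict[str, str]]:
    """Parse default-format flow log lines into dicts. Records whose log-status
    is NODATA or SKIPDATA carry '-' in the traffic fields and are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(rec)
    return records


def suspected_scanners(records: List[Dict[str, str]], min_ports: int = 3) -> Dict[str, Set[int]]:
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(int(r["dstport"]))
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


def public_admin_access(records: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """ACCEPTed TCP flows to SSH/RDP whose source is outside RFC 1918 space."""
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != "6":  # 6 = TCP
            continue
        port = int(r["dstport"])
        if port in ADMIN_PORTS and not is_rfc1918(r["srcaddr"]):
            hits.append((r["srcaddr"], r["dstaddr"], port))
    return hits


# Constructed sample: one external host probing several ports and being rejected,
# one external host accepted on SSH, one internal SSH session, one outbound HTTPS
# flow, and a NODATA record for an interval with no traffic.
SAMPLE_LOG = """
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.5 51234 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.5 51235 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.5 51236 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.5 51237 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.5 40000 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.8 10.0.1.5 40001 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.5 198.51.100.20 44321 443 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records")
    print("possible scanners:", suspected_scanners(recs))
    print("admin access from outside:", public_admin_access(recs))
```

Two things to keep in mind when turning this into a real detection: flow logs are aggregated over the capture interval (a REJECT record says only that at least one packet in that window was rejected), and because records are written for both directions of a flow, the dstport filter above deliberately looks at the request side only.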
Amazon VPC traffic mirroring
Capture and mirror network traffic from the elastic network interface of an Amazon EC2 instance and send it to an out-of-band monitoring or security appliance (the target is a network interface, a Network Load Balancer, or a Gateway Load Balancer endpoint).
Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.
DHCP options set
- domain-name-servers: The IP addresses of up to four domain name servers, or AmazonProvidedDNS
- domain-name: The domain name for your instances. This value is used to complete unqualified DNS hostnames
- ntp-servers: The IP addresses of up to four Network Time Protocol (NTP) servers
- netbios-name-servers: The IP addresses of up to four NetBIOS name servers
- netbios-node-type: The NetBIOS node type (1, 2, 4, or 8)
DNS
- Domain Name System (DNS) is a standard by which names used on the internet are resolved to their corresponding IP addresses
- A fully qualified DNS name is composed of a host name and a domain name
- A DNS hostname is a name that uniquely and absolutely names a computer
DNS Server
- DNS servers resolve DNS hostnames to their corresponding IP addresses. The VPC's DNS support is what lets instances resolve public hostnames when they communicate over the VPC's internet gateway.
- The Amazon DNS server in your VPC is used to resolve the DNS domain names that you specify in a private hosted zone in Route 53.
- You cannot filter traffic to or from the Amazon DNS server using network ACLs or security groups; to filter DNS queries, use Route 53 Resolver DNS Firewall instead.
AmazonProvidedDNS
- AmazonProvidedDNS is an Amazon Route 53 Resolver server inside the VPC.
- The string AmazonProvidedDNS maps to a DNS server running on a reserved IP address at the base of the VPC IPv4 network range plus two (for example 10.0.0.2 for a 10.0.0.0/16 VPC); the link-local address 169.254.169.253 also reaches it.
- AWS does not provide DNS hostnames for IPv6 addresses.
- When you launch an instance into a VPC, it always receives a private DNS hostname. It also receives a public DNS hostname if it has a public IPv4 address and both the enableDnsHostnames and enableDnsSupport attributes of the VPC are set to true.
- If either enableDnsHostnames or enableDnsSupport is false, instances with a public IP address do not receive public DNS hostnames, and the Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.
- If you enable enableDnsHostnames and enableDnsSupport in a VPC that did not previously support them, an instance already launched into that VPC gets a public DNS hostname if it has a public IPv4 address or an Elastic IP address.
Private Hosted Zone
- A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more VPCs without exposing your resources to the Internet.
- Route 53 resource record sets: Rules determine how Route 53 responds to queries for your domain and subdomains.
- You can access a private hosted zone from an EC2-Classic instance that is linked to your VPC using ClassicLink, provided your VPC is enabled for ClassicLink DNS support. Otherwise, private hosted zones do not support transitive relationships outside of the VPC.
Conditional Forwarder
AWS Firewall Manager
AWS Firewall Manager centrally configures and manages firewall rules (AWS WAF, AWS Shield Advanced, security groups, and AWS Network Firewall) across multiple accounts and resources in your organization.
- Configure common baseline across your organization
- Audit existing resources in your organization
- Get reports on non-compliant resources and remediate them
Ephemeral port
Maximum Transmission Unit (MTU)
Path MTU Discovery is used to determine the path MTU between two devices. The path MTU is the maximum packet size that is supported on the path between the originating host and the receiving host. Within a VPC, instances support jumbo frames (9001 MTU); traffic over an internet gateway or a VPN connection is limited to 1500 MTU, so blocking ICMP "Destination Unreachable: Fragmentation Needed" (type 3, code 4) in a security group or network ACL breaks Path MTU Discovery.
How to connect from an on-premises network to AWS
- Direct Connect (DX)
- Site-to-Site VPN connection = customer gateway (on-premises) + virtual private gateway (VPC)
- DX with a VPN as backup for availability
- Transit Gateway (hub for many VPCs and on-premises connections)
Agent forwarding
https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
The private instances' security group should allow SSH only from the security group of the bastion instances (reference the group ID, not an IP range), which keeps the rule correct as bastion hosts are replaced. Note that SSH agent forwarding exposes your agent socket to anyone with root on the bastion; an SSH ProxyJump through the bastion gives the same convenience without forwarding the agent.