{"componentChunkName":"component---src-templates-blog-js","path":"/ctf/aws-formation/tp4-vpc","result":{"data":{"markdownRemark":{"html":"<h2>1. Introduction To VPCs</h2>\n<h4>VPC definition</h4>\n<p>Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. </p>\n<ul>\n<li>a virtual data center in the cloud</li>\n<li>Virtual Private Cloud</li>\n<li>bound to a single AWS Region (each of its subnets is bound to one Availability Zone of that Region)</li>\n</ul>\n<p><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html\">https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html</a></p>\n<p>The following are the key concepts for VPCs:</p>\n<ul>\n<li>Virtual private cloud (VPC) — A virtual network dedicated to your AWS account.</li>\n<li>Subnet — A range of IP addresses in your VPC.</li>\n<li>Route table — A set of rules, called routes, that are used to determine where network traffic is directed.</li>\n<li>Internet gateway — A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.</li>\n<li>VPC endpoint — Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. 
Traffic between your VPC and the other service does not leave the Amazon network.</li>\n</ul>\n<h4>Steps to create your VPC with the AWS console</h4>\n<ul>\n<li>select your own IP address range (the VPC CIDR block)</li>\n<li>create subnets</li>\n<li>configure route tables and the network gateway (internet gateway)</li>\n<li>launch instances into a subnet</li>\n<li>keep a private-facing subnet with no route to the internet</li>\n<li>add multiple layers of security (network ACLs on subnets, security groups on instances)</li>\n</ul>\n<h4>Glossary 1</h4>\n<ul>\n<li>ACL : network access control list, a stateless filter applied at the subnet boundary</li>\n<li>SN : subnet</li>\n<li>Bastion : an EC2 instance in a public SN used to reach (SSH/RDP) instances in a private SN for administration; it does not give private instances internet access, that is the NAT's job (see section 8)</li>\n</ul>\n<h4>VPN connection</h4>\n<p>A VPN connection between the corporate data center and the VPC gives you:</p>\n<ul>\n<li>tighter control over who can reach AWS resources, since they need not be exposed on the internet</li>\n<li>traffic that is still filtered by the instance security groups once inside the VPC</li>\n</ul>\n<h4>ACL vs Security group</h4>\n<ul>\n<li>network ACL (access control list) : stateless, applied per subnet</li>\n<li>security group : stateful, applied per instance network interface</li>\n</ul>\n<p>1 subnet = 1 availability zone (a subnet cannot span several availability zones)</p>\n<p>3 private address ranges are available (RFC 1918) :</p>\n<ol>\n<li>10.0.0.0 - 10.255.255.255 <strong>(prefix : 10/8)</strong></li>\n<li>172.16.0.0 - 172.31.255.255 <strong>(prefix : 172.16/12)</strong></li>\n<li>192.168.0.0 - 192.168.255.255 <strong>(prefix : 192.168/16)</strong></li>\n</ol>\n<h4>CIDR</h4>\n<ul>\n<li>Classless Inter-Domain Routing (CIDR)</li>\n<li><a href=\"www.CIDR.xyz\">CIDR.xyz</a> : a notation for describing blocks of IP addresses, used heavily in networking configuration</li>\n<li>IP = 1.1.1.1 / X : 4 octets followed by the number of bits taken by the routing prefix. The larger X is, the fewer host addresses the subnet contains (a /24 has 256 addresses, a /28 has 16).</li>\n</ul>\n<h3>default VPC vs custom VPC</h3>\n<ul>\n<li>\n<p>in the default VPC :</p>\n<ul>\n<li>every subnet has a route out to the internet (its route table has a 0.0.0.0/0 route to the internet gateway)</li>\n<li>each EC2 instance launched into it gets both a private and a public IP address</li>\n</ul>\n</li>\n</ul>\n<h3>VPC 
peering</h3>\n<ul>\n<li>connects one VPC to another through a direct network route, using private IP addresses</li>\n<li>peering is possible between VPCs in different AWS accounts</li>\n<li>\n<p>no transitive peering: in a star (hub-and-spoke) configuration the spokes cannot reach each other through the hub</p>\n<ul>\n<li>every pair of VPCs that must talk needs its own direct peering connection, and both sides need routes to the other VPC's CIDR</li>\n</ul>\n</li>\n<li>peering between Regions is possible</li>\n<li>the two VPCs must not have overlapping CIDR blocks</li>\n</ul>\n<h3>Glossary 2</h3>\n<p><a href=\"https://support.microsoft.com/en-us/help/164015/understanding-tcp-ip-addressing-and-subnetting-basics\">https://support.microsoft.com/en-us/help/164015/understanding-tcp-ip-addressing-and-subnetting-basics</a></p>\n<ul>\n<li>Gateway -- in AWS, a virtual router that connects a VPC to the internet; in general networking, the router that links a host's subnet to other networks is called its default gateway</li>\n<li>Router -- A device that passes network traffic between different IP networks.</li>\n<li>Subnet Mask -- A 32-bit number used to distinguish the network and host portions of an IP address.</li>\n<li>Subnet or Subnetwork -- A smaller network created by dividing a larger network into equal parts.</li>\n<li>TCP/IP -- Used broadly, the set of protocols, standards and utilities commonly used on the Internet and large networks.</li>\n<li>Wide area network (WAN) -- A large network that is a collection of smaller networks separated by routers. The Internet is an example of a very large WAN.</li>\n</ul>\n<h3>gateway</h3>\n<p>An internet gateway can be attached to a VPC to enable communication with the internet. Attaching it is not enough on its own: a subnet is only public once its route table has a 0.0.0.0/0 route whose target is the internet gateway, and an instance in it needs a public or Elastic IP address.</p>\n<h3>route table</h3>\n<p><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html\">https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html</a></p>\n<p>A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. </p>\n<p>A route table is not a firewall: it cannot restrict traffic, only decide where traffic is forwarded, and filtering is left to network ACLs (subnet) and security groups (instance). Nor does it attach instances to resources; it gives the subnet a path to a target such as a gateway, a peering connection or a network interface. 
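</p>\n<p>As an added example (not from the page or from AWS), the following Python models how the VPC router picks a route: longest-prefix match over the destination CIDRs, with the implicit local route and a 0.0.0.0/0 default route. The route tables and target names are made up for the illustration; a packet with no matching route is dropped, and a route table never says no to traffic it has a route for, which is the sense in which it is not a firewall.</p>

```python
import ipaddress

# Added example, not from the page. Route tables and targets are made up;
# targets are named after their type rather than being real AWS resource IDs.

LOCAL = '10.0.0.0/16'   # the VPC CIDR; its local route is implicit in every table

PUBLIC_ROUTE_TABLE = {
    LOCAL: 'local',
    '172.16.0.0/12': 'pcx (peering to the corporate VPC)',
    '172.16.5.0/24': 'eni (inspection appliance)',
    '0.0.0.0/0': 'igw (internet gateway)',
}
PRIVATE_ROUTE_TABLE = {
    LOCAL: 'local',
    '0.0.0.0/0': 'nat (NAT gateway in the public subnet)',
}
ISOLATED_ROUTE_TABLE = {
    LOCAL: 'local',
}


def lookup(route_table, dst_ip):
    '''Longest-prefix match, as the VPC router does it: the most specific
    destination CIDR covering dst_ip wins, whatever order the routes were
    added in. Returns (cidr, target), or None when there is no route and
    the packet is dropped.'''
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


def is_public_subnet(route_table):
    '''A subnet is public only if its route table sends some destination
    (normally 0.0.0.0/0) to an internet gateway.'''
    return any(target.startswith('igw') for target in route_table.values())


def trace(route_table, dst_ip):
    '''One-line explanation of what happens to a packet, for review output.'''
    match = lookup(route_table, dst_ip)
    if match is None:
        return f'{dst_ip}: no route, dropped'
    return f'{dst_ip}: {match[0]} -> {match[1]}'


if __name__ == '__main__':
    tables = (('public', PUBLIC_ROUTE_TABLE),
              ('private', PRIVATE_ROUTE_TABLE),
              ('isolated', ISOLATED_ROUTE_TABLE))
    for name, table in tables:
        print(name, 'subnet is public:', is_public_subnet(table))
        for dst in ('10.0.3.4', '172.16.5.9', '172.16.9.9', '8.8.8.8'):
            print('  ', trace(table, dst))
```

<p>Run it as a script to print a trace per table: the public table sends 172.16.5.9 to the appliance interface rather than to the peering connection because /24 beats /12, and the isolated table drops 8.8.8.8 because nothing but the local route exists. Whether a routed packet is then accepted is a question for the network ACL and the security group, not for this lookup.</p>\n<p>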
In regular terms, route tables have a set of rules called routes that are used to define where the network traffic from your subnet or gateway is to be directed.</p>\n<p>Your VPC has an implicit router, and you use route tables to control where network traffic is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route table. </p>\n<p>The following are the key concepts for route tables.</p>\n<ul>\n<li>Main route table—The route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.</li>\n<li>Custom route table—A route table that you create for your VPC.</li>\n<li>Edge association - A route table that you use to route inbound VPC traffic to an appliance. You associate a route table with the internet gateway or virtual private gateway, and specify the network interface of your appliance as the target for VPC traffic.</li>\n<li>Route table association—The association between a route table and a subnet, internet gateway, or virtual private gateway.</li>\n<li>Subnet route table—A route table that's associated with a subnet.</li>\n<li>Gateway route table—A route table that's associated with an internet gateway or virtual private gateway.</li>\n<li>Local gateway route table—A route table that's associated with an Outposts local gateway. For information about local gateways, see Local Gateways in the AWS Outposts User Guide.</li>\n<li>Destination—The range of IP addresses where you want traffic to go (destination CIDR). 
For example, an external corporate network with a 172.16.0.0/12 CIDR.</li>\n<li>Propagation—Route propagation allows a virtual private gateway to automatically propagate routes to the route tables. This means that you don't need to manually enter VPN routes to your route tables. For more information about VPN routing options, see Site-to-Site VPN routing options in the Site-to-Site VPN User Guide.</li>\n<li>Target—The gateway, network interface, or connection through which to send the destination traffic; for example, an internet gateway.</li>\n<li>Local route—A default route for communication within the VPC. It is present in every route table and cannot be deleted, so any two subnets of a VPC can route to each other; only network ACLs and security groups can stop that traffic.</li>\n</ul>\n<h3>subnet</h3>\n<p>In TCP/IP, the parts of the IP address that are used as the network and host addresses are not fixed, so they cannot be determined from the address alone. This information is supplied in another 32-bit number called a subnet mask. Take the address 192.168.123.132 with the subnet mask 255.255.255.0 (the example from the Microsoft article linked in Glossary 2). It is not obvious what this number means unless you know that 255 in binary notation equals 11111111; so, the subnet mask is:</p>\n<p>   11111111.11111111.11111111.00000000</p>\n<p>Lining up the IP address and the subnet mask together, the network and host portions of the address can be separated:\n11000000.10101000.01111011.10000100 -- IP address (192.168.123.132)\n11111111.11111111.11111111.00000000 -- Subnet mask (255.255.255.0)</p>\n<p>The first 24 bits (the number of ones in the subnet mask) are identified as the network address, with the last 8 bits (the number of remaining zeros in the subnet mask) identified as the host address. This gives you the following:\n11000000.10101000.01111011.00000000 -- Network address (192.168.123.0)\n00000000.00000000.00000000.10000100 -- Host address (000.000.000.132)</p>\n<p>In CIDR notation the same subnet is written 192.168.123.0/24: the /24 is the count of one bits in the mask.</p>\n<h2>2. 
Build A Custom VPC - Part 1</h2>\n<p><img src=\"/assets/TP4-VPC-VPC.png\" alt=\"TP4-VPC-VPC\" title=\"vpc\"></p>\n<p>What you get (and do not get) when creating a custom VPC:</p>\n<ul>\n<li>no subnets are created automatically for the new VPC</li>\n<li>no internet gateway is created or attached when the VPC is created</li>\n<li>availability zone names are not universal: a name such as us-east-1a is mapped to physical zones independently for each AWS account, so the same name can be a different zone in another account</li>\n<li>auto-assignment of public IP addresses is turned off for the new subnets</li>\n<li><strong>only 1 internet gateway can be attached to 1 VPC, and an internet gateway is attached to at most 1 VPC</strong></li>\n</ul>\n<h3>vpc and subnet sizing</h3>\n<p><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing\">https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing</a></p>\n<p>The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:</p>\n<ul>\n<li>10.0.0.0: Network address.</li>\n<li>10.0.0.1: Reserved by AWS for the VPC router.</li>\n<li>10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.</li>\n<li>10.0.0.3: Reserved by AWS for future use.</li>\n<li>10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.</li>\n</ul>\n<p>So a /24 subnet yields 251 usable addresses, not 254, and the smallest allowed subnet (/28) only 11. VPC and subnet CIDR blocks must be between /16 and /28.</p>\n<p>If you create a VPC or subnet using a command line tool or the Amazon EC2 API, the CIDR block is automatically modified to its canonical form. 
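</p>\n<p>As an added worked example (not from the page or from AWS), the following Python applies the canonical-form rule, lists the five reserved addresses, does the usable-host arithmetic and the network/host split from the subnet walkthrough above, and checks that a new subnet is a legal size, fits inside the VPC CIDR and does not overlap existing subnets (AWS rejects all three). It uses only the standard library; the CIDRs are made up for the illustration.</p>

```python
import ipaddress

# Added example, not from the page: subnet arithmetic for AWS VPCs.
# The CIDRs used below are illustrative.

MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS allows VPC and subnet blocks from /16 to /28
RESERVED_PER_SUBNET = 5           # network, router, DNS, future use, broadcast


def canonical_cidr(cidr):
    '''Return the block as AWS stores it, with the host bits cleared:
    100.68.0.18/18 becomes 100.68.0.0/18.'''
    return str(ipaddress.ip_network(cidr, strict=False))


def reserved_addresses(subnet_cidr):
    '''The five addresses AWS reserves in every subnet: network address,
    VPC router (+1), DNS (+2), future use (+3) and the broadcast address.'''
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    base = int(net.network_address)
    first_four = [str(ipaddress.ip_address(base + i)) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_hosts(subnet_cidr):
    '''Addresses you can actually assign to instances in the subnet.'''
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return net.num_addresses - RESERVED_PER_SUBNET


def split_network_host(ip, prefixlen):
    '''The subnet-mask walkthrough: AND with the mask gives the network part,
    AND with the inverted mask gives the host part.'''
    addr = int(ipaddress.ip_address(ip))
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    network = ipaddress.ip_address(addr & mask)
    host = ipaddress.ip_address(addr & (~mask & 0xFFFFFFFF))
    return str(network), str(host)


def subnet_fits(vpc_cidr, existing_subnets, new_subnet):
    '''True if new_subnet is a legal size, lies inside the VPC block and does
    not overlap any subnet already carved out of it.'''
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    new = ipaddress.ip_network(new_subnet, strict=False)
    if not MIN_PREFIX <= new.prefixlen <= MAX_PREFIX:
        return False
    if not new.subnet_of(vpc):
        return False
    return not any(new.overlaps(ipaddress.ip_network(s, strict=False))
                   for s in existing_subnets)


def plan_subnets(vpc_cidr, prefixlen, count):
    '''Carve the first count subnets of the given size out of the VPC block,
    returning (cidr, usable host count) pairs.'''
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    plan = []
    for sub in vpc.subnets(new_prefix=prefixlen):
        if len(plan) == count:
            break
        plan.append((str(sub), usable_hosts(str(sub))))
    return plan


if __name__ == '__main__':
    print(canonical_cidr('100.68.0.18/18'))
    print(reserved_addresses('10.0.0.0/24'))
    print(split_network_host('192.168.123.132', 24))
    for cidr, hosts in plan_subnets('10.0.0.0/16', 24, 4):
        print(cidr, hosts, 'usable hosts')
```

<p>Run it as a script to see a plan for a /16 VPC, or import the functions into a deployment check that validates subnet CIDRs before calling the API. Note that the canonical-form rewrite means a typo such as 10.0.1.7/24 silently becomes 10.0.1.0/24 rather than failing.</p>\n<p>In the words of the AWS documentation linked above: 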
For example, if you specify 100.68.0.18/18 for the CIDR block, we create a CIDR block of 100.68.0.0/18. </p>\n<p>Subnets are implicitly associated with the main route table when created. If the main route table carries a 0.0.0.0/0 route to the internet gateway, every new subnet is therefore public by default; the safer pattern is to leave the main route table without an internet route and explicitly associate a custom route table with the subnets meant to be public.</p>\n<h2>3. Build A Custom VPC - Part 2</h2>\n<p><img src=\"/assets/TP4-VPC-Securitygroup.png\" alt=\"TP4-VPC-Securitygroup\" title=\"secgroup\"></p>\n<h2>4. Network Address Translation (NAT)</h2>\n<p><img src=\"/assets/TP4-VPC-NAT.png\" alt=\"TP4-VPC-VPC\" title=\"vpn-nat\"></p>\n<p>Goal: let EC2 instances in a private subnet reach out to the internet (to download software or patches) without making the subnet public, that is, without giving the instances public IP addresses or an inbound path from the internet.</p>\n<p>2 types of NAT :</p>\n<ul>\n<li>NAT instance : a single EC2 instance acting as the gateway</li>\n<li>NAT gateway : an AWS-managed gateway that lets the VPC's private subnets reach the internet without becoming public</li>\n</ul>\n<h3>Disabling source/destination checks</h3>\n<p><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck\">https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck</a></p>\n<ul>\n<li>Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. </li>\n<li>However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. </li>\n</ul>\n<h3>NAT instances</h3>\n<p>The main route table is associated with the private subnet and sends traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. 
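</p>\n<p>The forwarding and port-mapping behaviour of a NAT instance, as an added simulation that is not part of the page or of AWS code. The addresses come from the documentation ranges, and the Elastic IP, port pool and source/destination-check function are illustrative. The point is that a forwarded packet has the NAT's own address neither as source nor as destination, which is exactly what the check would reject, and that a packet from the internet is only delivered inward when it answers an existing mapping.</p>

```python
# Added example, not from the page: a toy model of what a NAT instance does.
# All addresses are from the documentation ranges and are illustrative.

NAT_PRIVATE_IP = '10.0.0.5'          # NAT instance, in the public subnet
NAT_ELASTIC_IP = '198.51.100.25'     # its Elastic IP, as seen from the internet


def source_dest_check(instance_ip, src_ip, dst_ip):
    '''The EC2 source/destination check: an instance may only send or receive
    packets for which it is itself the source or the destination.'''
    return instance_ip in (src_ip, dst_ip)


class NatInstance:
    def __init__(self, private_ip, elastic_ip, first_port=32768, last_port=60999):
        self.private_ip = private_ip
        self.elastic_ip = elastic_ip
        self.free_ports = iter(range(first_port, last_port + 1))
        self.table = {}   # nat port -> (private ip, private port, remote ip, remote port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, check_enabled=False):
        '''A packet from the private subnet arrives (via that subnet's
        0.0.0.0/0 route) and is rewritten to leave through the internet
        gateway with the Elastic IP as source and a fresh high port. Returns
        the packet as sent, or None if the source/destination check is still on.'''
        if check_enabled and not source_dest_check(self.private_ip, src_ip, dst_ip):
            return None
        nat_port = next(self.free_ports)
        self.table[nat_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.elastic_ip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        '''A packet from the internet arrives at the Elastic IP. It is delivered
        to the private instance only if it answers a mapping created by
        outbound(); unsolicited traffic or a different peer is dropped, which
        is why a NAT is not a way to expose a service.'''
        entry = self.table.get(dst_port)
        if dst_ip != self.elastic_ip or entry is None:
            return None
        private_ip, private_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None
        return (src_ip, src_port, private_ip, private_port)


def demo():
    '''An instance in the private subnet fetches a package over HTTPS.'''
    nat = NatInstance(NAT_PRIVATE_IP, NAT_ELASTIC_IP)
    blocked = nat.outbound('10.0.1.10', 40001, '203.0.113.80', 443, check_enabled=True)
    sent = nat.outbound('10.0.1.10', 40001, '203.0.113.80', 443)
    reply = nat.inbound('203.0.113.80', 443, NAT_ELASTIC_IP, sent[1])
    stray = nat.inbound('192.0.2.9', 443, NAT_ELASTIC_IP, sent[1])
    return blocked, sent, reply, stray


if __name__ == '__main__':
    labels = ('with check still on', 'sent to the IGW', 'reply delivered', 'unsolicited')
    for label, packet in zip(labels, demo()):
        print(label, packet)
```

<p>With the check left on, the first packet is never forwarded; once it is off, the flow is mapped to port 32768 on the Elastic IP and only the matching reply from 203.0.113.80 is translated back to 10.0.1.10, while a packet from 192.0.2.9 to the same port is dropped.</p>\n<p>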
The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response. </p>\n<p><img src=\"https://docs.aws.amazon.com/vpc/latest/userguide/images/nat-instance-diagram.png\" alt=\"NAT instance basis\" title=\"nat instance basis\"></p>\n<p><strong>NAT instances are out of date: prefer a NAT gateway.</strong></p>\n<ul>\n<li>When creating a NAT instance, disable the source/destination check on the instance</li>\n<li>The NAT instance must be in a public subnet</li>\n<li>There must be a route out of the private subnet (0.0.0.0/0) whose target is the NAT instance, otherwise nothing reaches it</li>\n<li>\n<p>The amount of traffic that NAT instances can support depends on the instance size. </p>\n<ul>\n<li>If the NAT instance is the bottleneck, increase the instance size</li>\n</ul>\n</li>\n<li>\n<p>You can build high availability yourself using :</p>\n<ul>\n<li>Auto Scaling groups,</li>\n<li>multiple subnets in different AZs,</li>\n<li>a script that automates failover (re-pointing the private route table at a healthy NAT instance)</li>\n</ul>\n</li>\n<li>A NAT instance always sits behind a security group, which must let the private subnets' outbound traffic in and the internet replies back</li>\n<li>It is an instance you operate: it needs patching, monitoring and its own security group, so there is more to manage</li>\n</ul>\n<h3>NAT gateways</h3>\n<ul>\n<li>No need to disable source/destination checks</li>\n<li>\n<p>Redundant inside the AZ: a NAT gateway is a managed service, not a single EC2 instance</p>\n<ul>\n<li><strong>it survives the failure of an individual underlying instance</strong></li>\n<li><strong>NAT gateways cannot span AZs</strong></li>\n<li><strong>a NAT gateway lives in one subnet, and therefore in one AZ</strong></li>\n</ul>\n</li>\n<li>Preferred by enterprises</li>\n<li>\n<p>Starts at 5 Gbps and currently scales up to 45 Gbps</p>\n<ul>\n<li>bandwidth scales automatically, no instance sizing to manage</li>\n</ul>\n</li>\n<li>Not associated with security groups (filter with the network ACL of its subnet, or with the security groups of the instances behind it)</li>\n<li>Needs an Elastic IP address, which you associate with it when you create the gateway</li>\n<li>Remember to update your route tables: the private subnets need a 0.0.0.0/0 route targeting the NAT gateway</li>\n<li>No need to patch</li>\n<li>No security group to manage, so less to operate</li>\n<li>\n<p>If you have resources in multiple 
AZs and they share one NAT gateway </p>\n<ul>\n<li>and the NAT gateway's AZ goes down,</li>\n<li>resources in the other AZs lose internet access</li>\n</ul>\n</li>\n<li>\n<p>To create an AZ-independent architecture :</p>\n<ol>\n<li>create a NAT gateway in each AZ</li>\n<li>configure your routing (one private route table per AZ) to ensure that resources use the NAT gateway in the same AZ</li>\n</ol>\n</li>\n</ul>\n<h2>5. Access Control Lists (ACL) vs Security group</h2>\n<p><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\">https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html</a>\nA network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.</p>\n<h3>Ephemeral port</h3>\n<p><a href=\"https://en.wikipedia.org/wiki/Ephemeral_port\">https://en.wikipedia.org/wiki/Ephemeral_port</a>\nAn ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications. Ephemeral ports are allocated automatically from a predefined range by the IP stack software.\nThe allocations are temporary and only valid for the duration of the communication session. After completion (or timeout) of the communication session, the ports become available for reuse. 
Since the ports are used on a per-request basis they are also called dynamic ports.\n<a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports\">https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports</a>\nThe range depends on the client's operating system (many Linux kernels use 32768-61000, Windows Server 2008 and later use 49152-65535), and a NAT gateway uses ports 1024-65535. Because you rarely control every client, the usual NACL rule covers 1024-65535.</p>\n<p><a href=\"https://acloud.guru/forums/aws-certified-solutions-architect-associate/discussion/-KXTbI9WQu5KThwFn7wN/why-do-ephemeral-ports-need-be-added-to-the-acl-inbound-rule-set\">https://acloud.guru/forums/aws-certified-solutions-architect-associate/discussion/-KXTbI9WQu5KThwFn7wN/why-do-ephemeral-ports-need-be-added-to-the-acl-inbound-rule-set</a>\nEphemeral ports need to be open for the return traffic coming back from the instance or service that you are connecting to.</p>\n<p>The server accepts an SSH connection on port 22 and sends its replies to the client's ephemeral port 11919. The desktop receives on port 11919 and sends to port 22.</p>\n<ul>\n<li>(Server Linux) : tcp 0 240 192.168.0.24:ssh 192.168.0.14:11919 ESTABLISHED</li>\n<li>(Desktop Windows) : TCP 192.168.0.14:11919 192.168.0.24:ssh ESTABLISHED</li>\n</ul>\n<p>Since NACLs are stateless, an inbound allow rule for port 22 is not enough: the subnet's NACL also needs an outbound rule allowing the ephemeral range for the replies, and, when the instance itself opens connections outward, an inbound rule allowing the ephemeral range for the responses.</p>\n<ul>\n<li>Remember that NACLs are stateless and are attached to a subnet. 
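</li>\n</ul>\n<p>The return-traffic problem above, as an added simulation that is not part of the page or of AWS code: it evaluates a network ACL one direction at a time (ascending rule number, first match wins, implicit deny) and a security group with allow-only rules plus connection tracking, then walks one SSH request and its reply through both. The rule sets, addresses and ports are constructed for the example; the instance security group allows only inbound 22 and has no outbound rules at all, to make the stateful behaviour visible.</p>

```python
import ipaddress

# Added example, not from the page. Rule numbers, CIDRs and ports are
# constructed. A NACL rule is (number, proto, cidr, (low, high), action).


def nacl_decision(rules, proto, remote_ip, port):
    '''Evaluate one direction of a network ACL: rules in ascending number
    order, first match wins, and the implicit final rule (*) denies the rest.'''
    ip = ipaddress.ip_address(remote_ip)
    for number, rproto, cidr, (low, high), action in sorted(rules):
        if rproto == proto and ip in ipaddress.ip_network(cidr) and low <= port <= high:
            return action == 'allow'
    return False


class SecurityGroup:
    '''Allow-only rules plus connection tracking: a reply to an accepted
    inbound connection is allowed out whatever the outbound rules say.'''

    def __init__(self, inbound):
        self.inbound = inbound      # list of (proto, cidr, (low, high))
        self.tracked = set()        # (proto, remote ip, remote port, local port)

    def inbound_packet(self, proto, src_ip, src_port, dst_port):
        ip = ipaddress.ip_address(src_ip)
        for rproto, cidr, (low, high) in self.inbound:
            if rproto == proto and ip in ipaddress.ip_network(cidr) and low <= dst_port <= high:
                self.tracked.add((proto, src_ip, src_port, dst_port))
                return True
        return False

    def outbound_reply(self, proto, dst_ip, dst_port, src_port):
        return (proto, dst_ip, dst_port, src_port) in self.tracked


# Constructed rule sets for a subnet that must accept SSH from anywhere.
NACL_NO_EPHEMERAL = {
    'inbound': [(100, 'tcp', '0.0.0.0/0', (22, 22), 'allow')],
    'outbound': [],
}
NACL_WITH_EPHEMERAL = {
    'inbound': [(100, 'tcp', '0.0.0.0/0', (22, 22), 'allow')],
    'outbound': [(100, 'tcp', '0.0.0.0/0', (1024, 65535), 'allow')],
}
# Deny one client range before the broad allow: order (90 < 100) is what matters.
NACL_BLOCK_RANGE = {
    'inbound': [(90, 'tcp', '203.0.113.0/24', (22, 22), 'deny'),
                (100, 'tcp', '0.0.0.0/0', (22, 22), 'allow')],
    'outbound': [(100, 'tcp', '0.0.0.0/0', (1024, 65535), 'allow')],
}


def ssh_session(nacl, client_ip='198.51.100.7', client_port=51515):
    '''Walk an SSH request and its reply through the subnet NACL and the
    instance security group; report which hops let the packets through.'''
    sg = SecurityGroup([('tcp', '0.0.0.0/0', (22, 22))])
    request_nacl = nacl_decision(nacl['inbound'], 'tcp', client_ip, 22)
    request_sg = sg.inbound_packet('tcp', client_ip, client_port, 22)
    # The reply goes back to the client's ephemeral port, so the NACL outbound
    # rules must cover it explicitly; the SG allows it from its tracking table.
    reply_nacl = nacl_decision(nacl['outbound'], 'tcp', client_ip, client_port)
    reply_sg = sg.outbound_reply('tcp', client_ip, client_port, 22)
    return {
        'request': request_nacl and request_sg,
        'reply_nacl': reply_nacl,
        'reply_sg': reply_sg,
        'session_works': request_nacl and request_sg and reply_nacl and reply_sg,
    }


if __name__ == '__main__':
    print('no ephemeral rule  ', ssh_session(NACL_NO_EPHEMERAL))
    print('with ephemeral rule', ssh_session(NACL_WITH_EPHEMERAL))
    print('blocked range      ', ssh_session(NACL_BLOCK_RANGE, client_ip='203.0.113.10'))
```

<p>With NACL_NO_EPHEMERAL the request gets in but the reply is dropped by the NACL even though the security group, which tracked the connection, would let it out; NACL_WITH_EPHEMERAL fixes that with an outbound rule for 1024-65535. NACL_BLOCK_RANGE shows the ordering rule that matters when blocking an address range: the deny must carry a lower number than the broad allow, or it is never reached.</p>\n<ul>\n<li>In the model above each direction of the NACL is evaluated on its own, which is exactly why the reply to an accepted SSH connection needs its own outbound rule covering the client's ephemeral port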
</li>\n<li>Security groups are stateful and attached to the instance's network interface(s).</li>\n</ul>\n<h3>What is the Difference Between ACL and Firewall?</h3>\n<p><a href=\"https://www.gigxp.com/difference-between-acl-and-firewall/\">https://www.gigxp.com/difference-between-acl-and-firewall/</a></p>\n<p>ACL stands for Access Control List : </p>\n<ul>\n<li>several usages</li>\n<li>filtering the traffic on an interface, or, in a distribution list, filtering routing updates,</li>\n<li>used for policy-based routing purposes.</li>\n<li>a list of rules that allows or denies packets passing through the interface.</li>\n<li>does stateless inspection,</li>\n<li>only looks at one packet at a time and knows nothing about the conversation that packet belongs to. </li>\n</ul>\n<p>Firewall :</p>\n<ul>\n<li>one usage</li>\n<li>a device that inspects the traffic passing through a part of the network. </li>\n<li>decides what to block and what to let in.</li>\n<li>does stateful inspection</li>\n<li>checks that a packet belongs to a properly established session (for TCP, that the handshake was seen) before letting it through.</li>\n</ul>\n<h3>synthesis</h3>\n<ul>\n<li>a VPC automatically comes with a default network ACL,</li>\n<li>\n<p><strong>default vs custom ACL</strong>, by default :</p>\n<ul>\n<li>default : <em>allows</em> all outbound and inbound traffic</li>\n<li>custom : <em>denies</em> all outbound and inbound traffic until you add rules</li>\n</ul>\n</li>\n<li>rules are evaluated in ascending rule-number order and the first match wins; the final <em>*</em> rule denies anything not matched</li>\n<li>each subnet in the VPC must be associated with a network ACL (the default one if you do nothing)</li>\n<li>\n<p>to block IP addresses :</p>\n<ul>\n<li>use network ACLs, which have deny rules</li>\n<li>not security groups, which only have allow rules</li>\n</ul>\n</li>\n<li>you can associate a network ACL with multiple subnets</li>\n<li>a subnet can be associated with only one network ACL at a time</li>\n<li>when you associate a subnet with a new network ACL, the previous association is removed</li>\n</ul>\n<h2>6. 
Custom VPCs and ELBs</h2>\n<h3>types of Load Balancer</h3>\n<ol>\n<li>Application Load Balancer : HTTP / HTTPS (layer 7)</li>\n<li>Network Load Balancer : TCP / TLS (layer 4)</li>\n<li>Classic Load Balancer : previous generation</li>\n</ol>\n<h3>configuration</h3>\n<ul>\n<li>\n<p>scheme</p>\n<ul>\n<li>internet-facing</li>\n<li>internal</li>\n</ul>\n</li>\n<li>\n<p>IP address type:</p>\n<ul>\n<li>IPv4</li>\n<li>dualstack (IPv4 and IPv6)</li>\n</ul>\n</li>\n<li>at least 2 subnets in different AZs must be specified; for an internet-facing load balancer they must be public subnets (a route to the internet gateway), while the instances behind it can stay in private subnets</li>\n</ul>\n<h2>7. VPC Flow Logs</h2>\n<h3>definition</h3>\n<ul>\n<li>A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC (connection metadata such as addresses, ports, protocol, byte counts and the accept/reject decision, not packet payloads)</li>\n<li>Its data is delivered to Amazon CloudWatch Logs or to Amazon S3</li>\n<li>\n<p>After you have created a flow log, you can :</p>\n<ul>\n<li>\n<p>view or retrieve</p>\n<ul>\n<li>its data in Amazon CloudWatch Logs (or the S3 bucket)</li>\n</ul>\n</li>\n</ul>\n</li>\n</ul>\n<h3>3 levels of Flow log creation</h3>\n<ol>\n<li>VPC</li>\n<li>Subnet</li>\n<li>Network Interface level</li>\n</ol>\n<h3>synthesis</h3>\n<ul>\n<li>you cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account</li>\n<li>you can tag flow logs</li>\n<li>\n<p>after you have created a flow log : </p>\n<ul>\n<li>you can <em>not</em> change its configuration </li>\n<li>(<em>e.g.</em> you cannot associate a different IAM role with the flow log; delete it and create a new one) </li>\n</ul>\n</li>\n</ul>\n<h3>not all IP traffic is monitored</h3>\n<ul>\n<li>Traffic generated by instances when they contact the Amazon DNS server</li>\n<li>Traffic generated by a Windows instance for Amazon Windows license activation</li>\n<li>Traffic to and from 169.254.169.254 for instance metadata</li>\n<li>DHCP traffic</li>\n<li>Traffic to the reserved IP address for the default VPC router</li>\n</ul>\n<h2>8. 
Bastions</h2>\n<h3>definition</h3>\n<h4>AWS</h4>\n<p><a href=\"https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html\">https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html</a>\nIncluding bastion hosts in your VPC environment enables you to securely connect to your Linux instances without exposing your environment to the Internet.\n<img src=\"https://docs.aws.amazon.com/quickstart/latest/linux-bastion/images/linux-bastion-hosts-on-aws-architecture.png\"></p>\n<h4>Wikipedia</h4>\n<p>A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner mainly because of its location and purpose: it sits either outside a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. 
</p>\n<p>In <a href=\"https://fr.wikipedia.org/wiki/S%C3%A9curit%C3%A9_des_syst%C3%A8mes_d&#x27;information\">information systems security</a>, a <strong>bastion</strong> (from the <a href=\"https://fr.wikipedia.org/wiki/Anglais\">English</a> bastion host) is an element of a <a href=\"https://fr.wikipedia.org/wiki/R%C3%A9seau_informatique\">computer network</a> located in a part reachable from the outside, for example from the <a href=\"https://fr.wikipedia.org/wiki/Internet\">Internet</a>, placed either in front of the <a href=\"https://fr.wikipedia.org/wiki/Pare-feu_(informatique)\">firewall</a> of an <a href=\"https://fr.wikipedia.org/wiki/Intranet\">intranet</a> (a private <a href=\"https://fr.wikipedia.org/wiki/Syst%C3%A8me_d&#x27;information\">information system</a>) or in a <a href=\"https://fr.wikipedia.org/wiki/Zone_d%C3%A9militaris%C3%A9e_(informatique)\">demilitarized zone</a> (DMZ) of that intranet, partially filtered by a firewall.</p>\n<p><img src=\"https://upload.wikimedia.org/wikipedia/commons/thumb/7/78/Demilitarized_Zone_Diagram.png/330px-Demilitarized_Zone_Diagram.png\" alt=\"Bastion Host\"></p>\n<h3>Lab</h3>\n<p><img src=\"TP4-VPC-Bastion.png\" alt=\"bastion\" title=\"bastion\"></p>\n<h3>synthesis</h3>\n<ul>\n<li>A NAT gateway or NAT instance is used to give EC2 instances in a private subnet outbound internet access</li>\n<li>A bastion is used to securely administer EC2 instances (using SSH or RDP): it is the only host in the public subnet that accepts administrative connections, and the private instances' security groups accept SSH/RDP only from it</li>\n<li>Bastion = jump box</li>\n<li>You cannot use a NAT gateway as a bastion host (it only translates outbound connections and accepts no inbound sessions)</li>\n<li>Restrict the bastion's security group to known administrator source IPs and keep it patched: it is by design the one exposed host</li>\n</ul>\n<h2>9. 
Direct Connect</h2>\n<p><a href=\"https://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html\">https://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html</a></p>\n<h3>definition</h3>\n<p>AWS Direct Connect lets you connect your on-premises network directly to a device at an AWS Direct Connect location.</p>\n<p>AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 Gbps or 10 Gbps Ethernet fiber-optic cable.\nOne end of the cable is connected to your router, the other to an AWS Direct Connect router.\nOnce the connection is in place, you can create virtual interfaces directly to the AWS cloud and to Amazon Virtual Private Cloud, bypassing the internet service providers in your network path. </p>\n<h3>locations</h3>\n<p>An AWS Direct Connect location provides access to AWS in the Region it is associated with.\nYou can use a single connection in a public Region or in AWS GovCloud (US) to access public AWS services in all other public Regions.</p>\n<h3>interface between AWS Direct Connect and your network</h3>\n<p>The following diagram shows the interface between AWS Direct Connect and your network. <img src=\"https://docs.aws.amazon.com/fr_fr/directconnect/latest/UserGuide/images/direct_connect_overview.png\" alt=\"adc\" title=\"adc\"></p>\n<h3>AWS Direct Connect components</h3>\n<p>The main components you use with AWS Direct Connect are:</p>\n<h4>Connections</h4>\n<p>Create a connection at an AWS Direct Connect location to establish a network connection between your premises and an AWS Region. For more information, see AWS Direct Connect connections.</p>\n<h4>Virtual interfaces</h4>\n<p>Create a virtual interface to enable access to AWS services. A public virtual interface gives access to public services, such as Amazon S3. 
A private virtual interface gives access to your VPC. For more information, see AWS Direct Connect virtual interfaces and Prerequisites for virtual interfaces.</p>\n<h3>DC in action</h3>\n<p><img src=\"/assets/TP4-VPC-DirectConnection.png\" alt=\"TP4-VPC-DirectConnection\" title=\"vpc-dc\"></p>\n<h3>synthesis</h3>\n<ul>\n<li>Direct Connect directly connects your data center to AWS</li>\n<li>\n<p>Useful for :</p>\n<ul>\n<li>high-throughput workloads (<em>i.e.</em> lots of network traffic)</li>\n<li>a stable and reliable private connection; note that Direct Connect is a dedicated link, not an encrypted one by default, which is why the next section adds a VPN on top of it</li>\n</ul>\n</li>\n</ul>\n<h2>10. Setting Up A VPN Over A Direct Connect Connection</h2>\n<ul>\n<li><a href=\"https://aws.amazon.com/fr/premiumsupport/knowledge-center/create-vpn-direct-connect/\">https://aws.amazon.com/fr/premiumsupport/knowledge-center/create-vpn-direct-connect/</a></li>\n<li><a href=\"https://youtu.be/dhpTTT6V1So\">https://youtu.be/dhpTTT6V1So</a></li>\n</ul>\n<h3>Problem</h3>\n<p>I want to establish a VPN connection from my on-premises network to my Amazon Virtual Private Cloud (Amazon VPC) over an AWS Direct Connect (DX) connection. </p>\n<h3>Short description</h3>\n<p>An AWS VPN over a DX connection to your VPC is likely to be faster and more secure than a VPN over the internet. An AWS VPN connection over a DX connection provides consistent throughput and encryption algorithms that protect your data.</p>\n<h3>Resolution</h3>\n<ol>\n<li><a href=\"https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-connection.html\">Create your DX connection</a>.</li>\n<li><a href=\"https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-public-vif\">Create a public virtual interface</a> for your DX connection. 
For <strong>Prefixes you want to advertise</strong>, enter the public IP address of your <a href=\"https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#CustomerGateway\">customer gateway device</a> and the network prefixes you want to advertise.\n<strong>Note:</strong> your public virtual interface receives all <a href=\"https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html\">AWS public IP address</a> prefixes from every AWS Region (except the AWS China Region). This includes the public IP addresses of the AWS-managed VPN endpoints.</li>\n<li><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html\">Create a new VPN connection</a>. Make sure to use the same customer gateway public IP address that you used in the previous step.\n<strong>Note:</strong> the customer gateway can be configured for BGP (Border Gateway Protocol) with an Autonomous System Number (ASN).</li>\n<li><a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_VPN.html#Examples\">Configure your VPN to connect to your VPC</a>. For configuration examples, see <a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenarios.html\">Scenarios and examples</a>.</li>\n</ol>\n<h2>11. 
Global Accelerator</h2>\n<h3>definition</h3>\n<p>AWS Global Accelerator is </p>\n<ul>\n<li>\n<p>a service in which you create accelerators to improve :</p>\n<ul>\n<li>availability </li>\n<li>and performance </li>\n</ul>\n</li>\n<li>\n<p>of your applications for :</p>\n<ul>\n<li>local</li>\n<li>and global users</li>\n</ul>\n</li>\n</ul>\n<p>GA directs traffic to the optimal endpoint over the AWS global network.\nThis improves the availability and performance of internet applications that are used by a global audience.</p>\n<p>GA provides you with two static IPv4 addresses that you associate with your accelerator (or you can bring your own IP addresses).</p>\n<h4>GA components</h4>\n<ul>\n<li>Static IP addresses</li>\n<li>Accelerator</li>\n<li>DNS Name</li>\n<li>Network Zone</li>\n<li>Listener</li>\n<li>Endpoint Group</li>\n<li>Endpoint</li>\n</ul>\n<h4>Accelerator</h4>\n<ul>\n<li>directs traffic to optimal endpoints </li>\n<li>it includes listeners</li>\n</ul>\n<h4>DNS Name</h4>\n<p>GA assigns each accelerator a default DNS name that points to the static IP addresses that GA assigns to you</p>\n<p>Ending in : <strong>awsglobalaccelerator.com</strong></p>\n<h4>network zone</h4>\n<ul>\n<li>a network zone serves the static IP addresses for your accelerator from a unique IP subnet</li>\n<li>similar to an AWS AZ, a network zone is an isolated unit with its own set of physical infrastructure</li>\n</ul>\n<h4>listeners</h4>\n<ul>\n<li>a listener processes inbound connections from clients to Global Accelerator</li>\n<li>based on the port (or port range) and protocol that you configure</li>\n</ul>\n<p>GA supports the protocols :</p>\n<ul>\n<li>TCP</li>\n<li>and UDP</li>\n</ul>\n<p>You associate endpoint groups with listeners by specifying the Regions that you want to distribute traffic to </p>\n<p>Traffic is distributed to optimal endpoints within the endpoint groups associated with a listener</p>\n<h3>when to use it ?</h3>\n<ul>\n<li>\n<p>you can control traffic using traffic dials</p>\n<ul>\n<li>this 
is done within the endpoint group</li>\n</ul>\n</li>\n</ul>\n<h2>12. VPC End Points</h2>\n<h3>function</h3>\n<ul>\n<li>\n<p>enables you to privately connect your VPC to :</p>\n<ul>\n<li>supported AWS services</li>\n<li>\n<p>VPC endpoint services powered by PrivateLink without requiring :</p>\n<ul>\n<li>an internet gateway</li>\n<li>a NAT device</li>\n<li>a VPN connection</li>\n<li>an AWS Direct Connect connection</li>\n</ul>\n</li>\n</ul>\n</li>\n<li>Instances in your VPC do not require public IP addresses to communicate with resources in the service</li>\n<li>Traffic between your VPC and the other service does not leave the Amazon network</li>\n</ul>\n<h3>description</h3>\n<ul>\n<li>Endpoints are virtual devices</li>\n<li>\n<p>They are :</p>\n<ul>\n<li>horizontally scaled</li>\n<li>redundant</li>\n<li>highly available VPC components</li>\n</ul>\n</li>\n<li>Allowing communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic</li>\n</ul>\n<h3>Types</h3>\n<p>Two types of VPC endpoints :</p>\n<ul>\n<li>interface endpoints : an elastic network interface with a private IP address in your subnet, protected by a security group like any other interface</li>\n<li>gateway endpoints : a target you add to a route table (via a prefix list) for the service's IP ranges, with no interface in your subnet</li>\n</ul>\n<p>Both kinds accept an endpoint policy that limits which API actions and resources can be reached through them, which is the usual way to keep a private subnet from sending data to arbitrary buckets or tables.</p>\n<h3>Currently gateway endpoints support</h3>\n<ul>\n<li>Amazon S3</li>\n<li>DynamoDB</li>\n</ul>","frontmatter":{"date":"July 31, 2020","path":"ctf/aws-formation/tp4-vpc","title":"TP4-VPC","tags":["cloud","ec2","aws"],"categorie":"ctf","thumbnail":"/assets/alex-machado-80sv993luki-unsplash.jpg"},"fields":{"readingTime":{"text":"21 min 
read"}}},"file":{"childImageSharp":{"fluid":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAANABQDASIAAhEBAxEB/8QAFwAAAwEAAAAAAAAAAAAAAAAAAAMEBf/EABUBAQEAAAAAAAAAAAAAAAAAAAED/9oADAMBAAIQAxAAAAGFz11jKaIn/8QAGhAAAgMBAQAAAAAAAAAAAAAAAAECERMSMf/aAAgBAQABBQLm3gxwaJTxe1i8/8QAGBEAAgMAAAAAAAAAAAAAAAAAAAECElH/2gAIAQMBAT8BUdKn/8QAFhEBAQEAAAAAAAAAAAAAAAAAABEB/9oACAECAQE/Abqv/8QAGhAAAQUBAAAAAAAAAAAAAAAAAQACEBESIv/aAAgBAQAGPwJckOjObVBtR//EABwQAQACAgMBAAAAAAAAAAAAAAEAETFBIWFxkf/aAAgBAQABPyEVB9ih2jUSxfkFQDkWX4Ju5grU/9oADAMBAAIAAwAAABDjD//EABYRAQEBAAAAAAAAAAAAAAAAAAEAIf/aAAgBAwEBPxAA1M//xAAWEQEBAQAAAAAAAAAAAAAAAAABIRD/2gAIAQIBAT8QWYTP/8QAGhABAQEAAwEAAAAAAAAAAAAAAREAIUFxwf/aAAgBAQABPxAYkFlcFzRnCFCH3zCCggiKI5gk6hL1lpwEhs0zEABv/9k=","aspectRatio":1.4970059880239521,"src":"/static/11cdcb302d032fa2db3a46428a8f74c9/a7715/alex-machado-80sv993luki-unsplash.jpg","srcSet":"/static/11cdcb302d032fa2db3a46428a8f74c9/8f7df/alex-machado-80sv993luki-unsplash.jpg 250w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/0f3a1/alex-machado-80sv993luki-unsplash.jpg 500w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/a7715/alex-machado-80sv993luki-unsplash.jpg 1000w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/37d86/alex-machado-80sv993luki-unsplash.jpg 1500w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/a41d1/alex-machado-80sv993luki-unsplash.jpg 2000w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/6a059/alex-machado-80sv993luki-unsplash.jpg 6000w","sizes":"(max-width: 1000px) 100vw, 1000px"}}}},"pageContext":{"slug":"ctf/aws-formation/tp4-vpc","featuredImage":"alex-machado-80sv993luki-unsplash.jpg"}}}