Build order (each step depends on the one before it):

Define the network boundary (VPC)
Enable internet capability (IGW)
  A subnet is public only when all three hold:
  ✔ IGW is attached to the VPC
  ✔ Route table has a 0.0.0.0/0 route pointing at this IGW
  ✔ Subnet is associated with that route table
  Even in a public subnet an instance is reachable from the internet only if it has a public or Elastic IP and its security group and NACL allow the traffic.
Segment the network (subnets)
Control traffic paths (route tables)
  Route tables do nothing until they are associated with subnets; a subnet with no explicit association uses the VPC's main route table, so check what the main table routes to.
  Public route table → Public subnet
  Private route table → Private subnet
Enforce routing behavior (associations)
Apply instance security (security groups): stateful, allow rules only, evaluated per ENI
Apply subnet security (NACLs): stateless, allow and deny rules, evaluated per subnet
Deploy compute (EC2)
Validate internal vs external access (can a private instance reach a public one over the local route; can the internet reach only the public one)
Network Access Control Lists (NACLs) in AWS control inbound and outbound traffic at the subnet level. They are stateless: rules are numbered and evaluated in ascending order, the first match wins, and anything unmatched hits the implicit deny (rule *). Because no connection state is kept, return traffic on ephemeral ports (1024-65535) must be allowed explicitly in the opposite direction. The default NACL allows all traffic; a newly created custom NACL denies all until rules are added.
Internet Gateway
↓ (attached to)
VPC
↓ (contains)
Subnets
↓ (associated with)
Route Table
↓ (has route)
0.0.0.0/0 → IGW
                        Internet
                            |
                            |
                  +------------------+
                  | Internet Gateway |
                  +------------------+
                            |
                            |
--------------------------------------------------------
| AWS VPC (10.0.0.0/16)                                |
|                                                      |
|  Route Tables                                        |
|  ------------                                        |
|  Public RT:                                          |
|    0.0.0.0/0 -> IGW                                  |
|  Private RT:                                         |
|    (no internet route)                               |
|                                                      |
|  Network ACLs (subnet-level, stateless)              |
|  --------------------------------------              |
|  NACL (applies to both subnets)                      |
|                                                      |
|  +-------------------+        +-------------------+  |
|  | Public Subnet     |        | Private Subnet    |  |
|  | 10.0.1.0/24       |        | 10.0.2.0/24       |  |
|  |                   |        |                   |  |
|  | EC2 (Public)      |        | EC2 (Private)     |  |
|  | Public IP:  YES   |        | Public IP:  NO    |  |
|  | Private IP: YES   |        | Private IP: YES   |  |
|  |                   |        |                   |  |
|  | Security Group    |        | Security Group    |  |
|  | (instance-level,  |        | (instance-level,  |  |
|  |  stateful)        |        |  stateful)        |  |
|  +-------------------+        +-------------------+  |
|                                                      |
--------------------------------------------------------
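The "validate internal vs external access" step can be checked on paper before touching the console. The following is an added example, not code from these notes: a small Python model of the order in which AWS evaluates a new inbound connection (subnet route table, then the subnet's stateless NACL in both directions, then the stateful security group). The topology, IDs and addresses are constructed to match the diagram above (10.0.0.0/16; public 10.0.1.0/24; private 10.0.2.0/24) and are not real resources; no NAT gateway or IPv6 is modelled, matching the diagram.

```python
"""Constructed model of how AWS evaluates a packet's path to an EC2 instance.

Added example, not the notes' own code. Topology, IDs and addresses are made
up to match the diagram (10.0.0.0/16; public 10.0.1.0/24; private 10.0.2.0/24).
Order of evaluation: subnet route table -> subnet NACL (stateless, both
directions) -> security group (stateful, inbound only) -> instance.
"""
from ipaddress import ip_address, ip_network

VPC = {
    "igw": "igw-0a1b2c3d",      # attached IGW; None means no IGW is attached
    "main_rt": "rtb-private",   # used by any subnet without an explicit association
    "route_tables": {           # (destination cidr, target)
        "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d")],
        "rtb-private": [("10.0.0.0/16", "local")],
    },
    "associations": {"subnet-public": "rtb-public"},   # subnet-private -> main_rt
    "subnets": {
        "subnet-public":  {"cidr": "10.0.1.0/24", "nacl": "acl-shared"},
        "subnet-private": {"cidr": "10.0.2.0/24", "nacl": "acl-shared"},
    },
    # NACL rule: (rule number, action, protocol, from port, to port, cidr).
    # Stateless: reply traffic on ephemeral ports needs its own outbound rule.
    "nacls": {"acl-shared": {
        "inbound":  [(100, "allow", "tcp", 22, 22, "0.0.0.0/0")],
        "outbound": [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")],
    }},
    # Security group rule: (protocol, from port, to port, cidr). Stateful, allow only.
    "security_groups": {"sg-ssh": [("tcp", 22, 22, "0.0.0.0/0")]},
    "instances": {
        "i-public":  {"subnet": "subnet-public",  "public_ip": "198.51.100.10", "sg": "sg-ssh"},
        "i-private": {"subnet": "subnet-private", "public_ip": None,            "sg": "sg-ssh"},
    },
}


def route_table_for(vpc, subnet_id):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    return vpc["associations"].get(subnet_id, vpc["main_rt"])


def is_public_subnet(vpc, subnet_id):
    """The three conditions from the notes: an IGW is attached, the subnet's
    route table has a route targeting it, and the subnet uses that table."""
    igw = vpc["igw"]
    routes = vpc["route_tables"][route_table_for(vpc, subnet_id)]
    return igw is not None and any(target == igw for _cidr, target in routes)


def _match(proto, port, remote_ip, r_proto, lo, hi, cidr):
    return (r_proto in (proto, "-1") and lo <= port <= hi
            and ip_address(remote_ip) in ip_network(cidr))


def nacl_allows(vpc, nacl_id, direction, proto, port, remote_ip):
    """Rules are evaluated in ascending rule number; the first match decides;
    no match falls through to the implicit deny (rule *)."""
    for _num, action, r_proto, lo, hi, cidr in sorted(vpc["nacls"][nacl_id][direction]):
        if _match(proto, port, remote_ip, r_proto, lo, hi, cidr):
            return action == "allow"
    return False


def sg_allows(vpc, sg_id, proto, port, remote_ip):
    """Stateful: one matching inbound rule admits the connection and its replies."""
    return any(_match(proto, port, remote_ip, *rule) for rule in vpc["security_groups"][sg_id])


def reachable_from_internet(vpc, instance_id, port, src_ip="203.0.113.5",
                            src_port=40000, proto="tcp"):
    """Walk Internet -> IGW -> subnet NACL -> SG -> instance for a new inbound
    TCP connection and report the first hop that blocks it."""
    inst = vpc["instances"][instance_id]
    subnet = inst["subnet"]
    if not is_public_subnet(vpc, subnet):
        return False, "subnet is private: no route to an attached IGW"
    if inst["public_ip"] is None:
        return False, "no public IP: the IGW cannot forward to the instance"
    nacl = vpc["subnets"][subnet]["nacl"]
    if not nacl_allows(vpc, nacl, "inbound", proto, port, src_ip):
        return False, "NACL inbound denies"
    if not nacl_allows(vpc, nacl, "outbound", proto, src_port, src_ip):
        return False, "NACL outbound denies the reply (stateless: allow ephemeral ports)"
    if not sg_allows(vpc, inst["sg"], proto, port, src_ip):
        return False, "security group denies"
    return True, "reachable"


def can_reach_internet(vpc, instance_id):
    """Outbound path without a NAT gateway: needs an IGW route in the subnet's
    table and a public IP on the instance."""
    inst = vpc["instances"][instance_id]
    return is_public_subnet(vpc, inst["subnet"]) and inst["public_ip"] is not None


if __name__ == "__main__":
    for name in VPC["instances"]:
        print(name, "inbound 22:", reachable_from_internet(VPC, name, 22),
              "| outbound:", can_reach_internet(VPC, name))
```

Running the script prints that i-public is reachable on 22 and can reach out, while i-private fails at the first hop (no IGW route) in both directions. Dropping the NACL outbound ephemeral rule in the model makes the public instance unreachable even though its inbound NACL rule and security group both allow port 22, which is the stateless NACL gotcha the notes warn about; the same removal on a security group would change nothing, because the SG tracks the connection.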