THE AWS CERTIFIED ADVANCED NETWORKING – SPECIALTY EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
In the previous chapter, you reviewed the core components of Amazon Virtual Private Cloud (Amazon VPC). In this chapter, we go deeper into the more advanced features of Amazon VPC. The core components from the previous chapter meet the requirements of most designs, but some environments demand greater security, flexibility, and scalability from the network.
We review Amazon VPC endpoints, IP address features, and some elastic network interface features. We also review some of the design considerations that are important as you start to use and combine these features with other concepts like VPC peering. Some design scenarios include how you would create private access to services over a Virtual Private Network (VPN) with VPC endpoints.
The idea behind the principle of least privilege is that users and services should only have the minimum access required to perform their function. If a user needs read-only access, they should not have permissions that allow modifications. From a networking perspective, if your Amazon EC2 instances only need access to other instances in the same Amazon VPC, they should not have Internet access. How does this concept apply when internal instances need to access public AWS Application Programming Interfaces (APIs) such as Amazon Elastic Compute Cloud (Amazon EC2) or Amazon Redshift? In these scenarios, VPC endpoints can allow instances to access shared resources through a private endpoint in a VPC.
A VPC endpoint lets you privately connect your VPC to an AWS Cloud service without requiring an Internet gateway, a Network Address Translation (NAT) device, a VPN connection, or AWS Direct Connect. Instances in your VPC do not require public IP addresses to communicate with AWS resources when using VPC endpoints. Traffic between your VPC and the AWS Cloud service does not leave the Amazon network.
Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication from resources in your VPC without imposing availability risks or bandwidth constraints on your network traffic.
Beyond the principle of least privilege, there are additional use cases for VPC endpoints. For some customers, security and compliance impose strict requirements on resources with access to the Internet. VPC endpoints allow access to public AWS APIs without requiring access to the Internet. VPC endpoints also allow you to define granular access control to services between VPCs or accounts without allowing the broad access provided by VPC peering. The principle of least privilege and controlling Internet access is covered in more detail in Chapter 15, “Risk and Compliance.” Reducing the number of instances or subnets that have Internet access can make security operations simpler, avoiding the complexity involved with NAT and routing policies and reducing the scope of certain audits and compliance checks.
Services such as Amazon Simple Storage Service (Amazon S3) allow more granular access when they are accessed over VPC endpoints using bucket policies and endpoint policies. It is possible to limit Amazon S3 bucket access to specific VPC endpoints, which can be configured for specific subnets and instances through routing and security groups.
It is also possible to reduce or eliminate the need for an AWS Direct Connect public Virtual Interface (VIF) if all of the AWS Cloud services that you need to access are available through VPC endpoints. This is another method to reduce public exposure. Details on how to access endpoints over AWS Direct Connect are provided later in this chapter.
VPC endpoints may support a VPC endpoint policy. A VPC endpoint policy is an AWS Identity and Access Management (IAM) resource policy that you attach to an endpoint when you create or modify the endpoint. If you do not attach a policy when you create an endpoint, AWS attaches a default policy for you that allows full access to the service. An endpoint policy does not override or replace IAM user policies or service-specific policies (such as Amazon S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.
There are two types of VPC endpoints that you can use to access services privately. We compare them briefly and then review each endpoint type in more detail.
A gateway VPC endpoint is a gateway that serves as a target for a route in your route table for traffic destined to an AWS Cloud service. This type of endpoint supports Amazon S3 and Amazon DynamoDB. Gateway VPC endpoints use routes and prefix lists to route privately to AWS Cloud services. Instances using gateway VPC endpoints will resolve the service’s Domain Name System (DNS) to a public address. The route to those public addresses uses the gateway VPC endpoint to access the service.
Interface VPC endpoints (powered by AWS PrivateLink) are implemented as special elastic network interfaces in Amazon VPC. When you create an interface VPC endpoint, AWS generates endpoint network interfaces in the subnets that you specify. Each interface VPC endpoint is specific to a single VPC and uses IPv4 addresses from the local subnets. When you create an interface VPC endpoint, AWS generates endpoint-specific DNS hostnames that you can use to communicate with the service. For AWS services and AWS Marketplace partner services, you can optionally enable private DNS for the endpoint. This option associates a private hosted zone with your VPC. The hosted zone contains a record set for the default DNS name for the service, which resolves to the private IP addresses of the endpoint network interfaces in your VPC. This enables you to make requests to the service using its default DNS hostname instead of the endpoint-specific DNS hostnames.
AWS PrivateLink is a type of interface VPC endpoint for AWS in addition to customer and partner services. AWS provides access to services such as the Amazon EC2 API and Elastic Load Balancing API with AWS PrivateLink. AWS PrivateLink is a newer and different way to access AWS Cloud services compared to gateway VPC endpoints.
AWS PrivateLink also enables building your own VPC endpoint services. AWS PrivateLink customers and service providers can create private endpoints to resources or services in their own VPC. You can access services in another VPC or account, including service providers and partners that support AWS PrivateLink. Each AWS PrivateLink connection is a relationship between a service consumer and a service provider. Example use cases for AWS PrivateLink include accessing a shared enterprise-provided API across many VPCs or accessing a Software as a Service (SaaS) logging provider’s services with a private connection.
A gateway VPC endpoint enables you to create a private connection between your VPC and AWS Cloud services without requiring access over the Internet or through a NAT device, a VPN connection, or AWS Direct Connect. Amazon S3 and Amazon DynamoDB have gateway VPC endpoints.
An Amazon S3 endpoint allows private access to Amazon S3 from your VPC. As shown in Figure 3.1, instances in subnet 2 can access Amazon S3 through the VPC endpoint.
When you create an Amazon S3 endpoint, a prefix list and a VPC endpoint are created in your VPC. The prefix list is the collection of IP addresses that Amazon S3 uses. It is formatted as pl-xxxxxxxx and becomes an available option in both subnet routing tables and security groups.
The VPC endpoint uses the format of vpce-xxxxxxxx, and it appears as a route destination in your route tables. The subnets that you select when you create the Amazon S3 endpoint will receive a new route for the prefix list directed toward the new gateway VPC endpoint. Table 3.1 shows a sample routing table using gateway VPC endpoints.
TABLE 3.1 Sample Routing Table Using Gateway VPC Endpoints
Prefix | Destination |
10.0.0.0/16 | local |
pl-xxxxxxxx | vpce-xxxxxxxx |
You can create multiple endpoints in the same VPC. This is used to apply different endpoint policies to allow different access. Because each route table may contain only a single prefix list, you are limited to one endpoint per subnet. If instances in the subnet require different Amazon S3 access policies, consider alternative subnet designs that achieve your desired policy or control outcomes.
The Amazon S3 endpoint uses DNS to direct traffic to the endpoint. You must enable DNS resolution in your VPC.
Amazon DynamoDB endpoints are very similar to Amazon S3 endpoints. Because Amazon DynamoDB uses gateway VPC endpoints, they use the same concepts of prefix lists and route tables to direct traffic to Amazon DynamoDB.
Like VPC endpoints for Amazon S3, VPC endpoints for Amazon DynamoDB support endpoint policies. An endpoint policy can restrict access to operations such as writes or access to specific tables.
There are some service-specific limitations that endpoints impose that, while out of the scope of this exam, may be important for design. One example is that you cannot access Amazon DynamoDB Streams through an endpoint.
Gateway VPC endpoints use AWS route table entries and DNS to route traffic privately to AWS Cloud services. These mechanisms only work within a VPC and prevent access to gateway endpoints from outside the VPC. Connections that originate from Amazon VPN or AWS Direct Connect through a Virtual Private Gateway (VGW) cannot directly access gateway endpoints. You also cannot access a gateway endpoint over VPC peering.
In order to overcome transitive routing limitations, you can modify DNS resolution and use a proxy fleet to reach VPC endpoints. Figure 3.2 shows a DNS-based proxy solution that directs traffic from a corporate network to a VPC endpoint for Amazon S3.
Core components of the solution are Elastic Load Balancing, a proxy farm, and the corporate DNS. The corporate DNS is configured to direct Amazon S3 requests to the CNAME of the load balancer. In this scenario, the destination IP address is a load balancer interface in the VPC. This configuration resolves the transitive routing scenario. The load balancer forwards the traffic to an Auto Scaling group of proxy instances. The proxy instances are placed in a subnet with access to an Amazon S3 endpoint. The proxies can be configured with an additional policy to allow or disallow certain requests, which can augment the level of control that the endpoint policy and Amazon S3 bucket policy provide.
This solution applies to both Amazon S3 and Amazon DynamoDB. The solution will work for VPN and AWS Direct Connect traffic sources.
VPC endpoint policies can limit what resources, such as buckets or tables, are accessible using the endpoint. When using endpoints for Amazon S3, bucket policies can allow incoming requests from either public connections or specific Amazon S3 endpoints.
Inside the VPC, you can control endpoint access by limiting the subnets with routes to the VPC endpoint. To provide granular access per instance, you can specify the prefix list in an outbound security group rule. The prefix list is not available in a network Access Control List (ACL).
Interface VPC endpoints are a different and more recently added approach to service endpoints. As opposed to gateway VPC endpoints that use routing and prefix lists, interface endpoints are local IP addresses in your VPC. The interface approach simplifies routing and allows for more flexibility. AWS Cloud services supported by interface endpoints include the Amazon EC2 API, Amazon EC2 Systems Manager (SSM), Amazon Kinesis, and the Elastic Load Balancing API.
Interface VPC endpoints appear as an elastic network interface in your VPC. When the interface endpoint is created, AWS creates regional and zonal DNS entries that resolve to local IP addresses within your VPC. This design allows you to switch your connections gracefully from public AWS endpoints to your private VPC endpoints without causing any downtime. Interface VPC endpoints also support connectivity over AWS Direct Connect, enabling applications outside AWS to access AWS Cloud services via the Amazon private network. Interface VPC endpoints are highly available, can deliver high network performance, and are managed by Amazon. These endpoints are powered by a distributed networking architecture called AWS Hyperplane. Hyperplane is not on the exam, but it is an internal AWS architecture used to build services such as NAT gateway, Network Load Balancer, and AWS PrivateLink.
Interface VPC endpoints allow you to access specific AWS Cloud services. This access method is also called AWS PrivateLink for AWS Services. In Figure 3.3, instances in subnet 1 can communicate with Amazon Kinesis through the interface VPC endpoint. Instances in subnet 2 communicate over the Internet through an Internet gateway.
The following are some considerations that you should take into account when accessing services over an interface VPC endpoint.
So far, this chapter has discussed how to access AWS Cloud services privately through VPC endpoints, but you may also want to access your own or someone else’s services privately. AWS PrivateLink allows you to access or share a service securely between VPCs or accounts using the Network Load Balancer to create VPC endpoint services. A VPC endpoint service is an interface VPC endpoint that you control and that keeps traffic within Amazon’s private network.
Customers can build microservices architectures and share applications between VPCs, though these use cases may create complex networking challenges that involve many VPCs, granular security requirements, and overlapping addresses. In addition, many hosted services and SaaS offerings are provided on AWS. It is possible to increase the security of accessing these services with the VPC endpoint service.
VPC endpoint service uses private and public DNS, Network Load Balancer, and elastic network interfaces to operate between VPCs. In Figure 3.4, VPC endpoint service is configured between a service provider and service consumer.
The provider has a service that is registered as something like vpce-svc-0569c51ce317ddfdb.us-east-2.vpce.amazonaws.com.
This name is associated with a Network Load Balancer in the provider’s VPC. The interfaces and IP addresses for this Network Load Balancer are in the consumer’s VPC. DNS will resolve vpce-svc-0569c51ce317ddfdb.us-east-2.vpce.amazonaws.com in the consumer VPC to the local IP addresses, which will forward the traffic to the provider’s Network Load Balancer in another VPC. It is recommended to treat this name in a similar manner as Elastic Load Balancing DNS names and to use an alias record to make the endpoint easier to use, such as vpce.example.com. The Network Load Balancer will perform source NAT using the source IP of the Network Load Balancer. The source NAT allows for providers to connect consumers with overlapping addresses. Providers can determine the source of traffic by enabling proxy protocol on the load balancer or by using application-level identification.
VPC endpoint service functionality is useful for connecting applications across VPCs. Use cases include shared services VPCs, connecting with business partners and customers, and enabling more granular access between applications in different VPCs. The shared services VPC concept is explained in greater depth in Chapter 16 on Scenarios and Reference Architectures.
As discussed in Chapter 2 on Amazon VPC and Networking Fundamentals, VPC peering allows for two Amazon VPCs to communicate. Peering requires the requested VPC to accept the peering request and for both VPCs to configure routing over the peering connection in the applicable subnets.
VPC peering is appropriate when there are many resources that should communicate between the peered VPCs. If there is a high degree of inter-VPC communication and the security and trust levels are similar, VPC peering is a good choice for connectivity.
You can use AWS PrivateLink to simplify multi-VPC network configurations in a variety of scenarios. First, VPC peering allows access to the full VPC. To limit traffic across VPC peers, you can use route table entries and security groups. Even with the availability to reference security groups in a peered VPC in the same region, there is ample room for errors. Moreover, if you are providing a service to multiple VPCs, there are scalability challenges in managing the volume routes and security groups. If you only need to share one application, even across multiple VPCs, AWS PrivateLink significantly reduces overall complexity. AWS PrivateLink allows one-way access on a per-application basis, from the consumer to the provider, solving connectivity between multiple VPCs in a simple way.
Second, peering requires non-overlapping VPC Classless Inter-Domain Routing (CIDR) ranges. If multiple VPCs use a common IP range, then they cannot peer directly together. A hub VPC can peer with multiple spoke VPCs that use the same address range, but the hub will only be able to route any particular portion of the overlapping address range to a single peered VPC. AWS PrivateLink supports overlapping CIDR ranges by applying source NAT from the consumer to the provider of the AWS PrivateLink.
Third, there are scale limits associated with VPC peering. A VPC can only peer with 125 other VPCs. AWS PrivateLink scales to thousands of consumers per VPC. The amount of services provided by a single VPC is limited by the amount of Network Load Balancers supported. Providing services can be split into multiple VPCs if they do not have dependencies on each other.
AWS PrivateLink has its own design considerations. AWS PrivateLink only allows the consumer to originate connections to the provider. If bidirectional communication is needed, VPC peering or a reciprocal AWS PrivateLink between the consumer and provider may be required. In addition, traffic to AWS PrivateLink is load balanced, and it inherits the design considerations of Network Load Balancer. For example, Network Load Balancer only supports Transmission Control Protocol (TCP) (more about Network Load Balancer design considerations are covered in Chapter 6 on Domain Name System and Load Balancing). In addition, connections from the consumer to the provider go through source NAT, which may prevent applications from identifying the consumer IP address. This behavior is different than the standard Network Load Balancer behavior, where the source IP is preserved.
This section reviews what is involved with configuring the provider side of a VPC endpoint service (powered by AWS PrivateLink). You may choose to configure a provider endpoint to offer services publicly, to a business partner, or privately within a trusted set of accounts or VPCs.
The first step is to associate a Network Load Balancer with your service. You will need to select the Availability Zones applicable for your service. The Network Load Balancer is responsible for the load balancing, exposing a single address per Availability Zone, and performing source NAT on incoming connections.
You can create an endpoint service after the Network Load Balancer is configured. You will receive the DNS name of your endpoint after creating the endpoint, such as vpce-svc-0569c51ce317ddfdb.us-east-2.vpce.amazonaws.com. You will also receive the service name that consumers will reference, such as com.amazonaws.vpce.us-east-2 .vpce-svc-0569c51ce317ddfdb.
The consumer will receive multiple endpoint DNS names to allow for a regional name and names for each Availability Zone in which the service operates.
The next step is to allow access to the endpoint. You can whitelist IAM principals such as account or choose to offer the service to all AWS accounts.
To consume a VPC endpoint (powered by AWS PrivateLink), you can start by requesting access to a private service with the service name. You may also choose to consume available public endpoints from AWS Marketplace and AWS Cloud services. There may be multiple endpoints available, depending on the service and Availability Zones chosen.
There are multiple ways to reach a VPC endpoint. You may want to enable split-horizon DNS with the private DNS name, available for AWS Cloud services and AWS Marketplace endpoints. Split-horizon DNS configures a private hosted zone with the appropriate DNS entries to map the service name to the created endpoints. This will map a DNS entry such as api.example.com to vpce-svc-0569c51ce217fffdb.us-east-2.vpce.amazonaws.com. You may also choose to do this yourself or use your own DNS solution for your own endpoint services using Amazon Route 53 private hosted zones.
Each VPC endpoint will have both a regional DNS name and a DNS name for each Availability Zone. The consumer has the choice of using the services local to each Availability Zone to increase performance. If DNS is not supported or causes application issues, it is possible to hardcode endpoint IP addresses into applications. Similar to Elastic Load Balancing, you are not charged for traffic crossing Availability Zones.
Security of the VPC endpoint is the consumer’s responsibility. Traffic can only connect from the consumer to the provider. Only responses to connections originating from the consumer are possible.
There are multiple scenarios where you may need to access services that are in a different VPC. You can use interface VPC endpoints, for example, to access AWS Cloud services. You can also access services provided by third parties or partners. If your organization has common access requirements across many VPCs, it is helpful to centralize common or shared services. You can use AWS PrivateLink to access privately shared central services, which may be called “Services VPC,” “Shared Services VPC,” “Administrator VPC,” or similar names. These common resources may include authentication, provisioning, or security services.
Figure 3.5 illustrates what a shared services VPC may look like.
In Figure 3.5, there is a dedicated VPC for shared services. There are two instances running in two subnets that are targets for a Network Load Balancer. There is a single service in the shared services VPC in this example, but in practice there could be many other services. The service is shared to three consumer VPCs that have private access to the shared service. Each can use the VPC endpoint DNS name to access the service. This design pattern allows the organization to deploy and operate core services centrally, such as authentication, logging, monitoring, code pipeline tools, and other administrative and security services.
Depending on organizational requirements, there could be multiple “services VPCs,” or they may be segmented further by function such as security, networking, administrative tools, incident response, and more. VPC endpoints offers greater scale and address flexibility than VPC peering. This model scales to thousands of consumer VPCs, and it allows for the consumer VPCs to have overlapping IP addresses. VPC endpoint connectivity originates from consumers toward the provider services. Provider services cannot initiate connections to the consumer resources. VPC peering or other connectivity methods are needed for provider-initiated communication.
Transitive routing was briefly mentioned earlier in the context of accessing gateway VPC endpoints over VPN and AWS Direct Connect. It is important that you understand transitive routing in the context of AWS network functionality. It is worth repeating the VPC routing requirements again.
If the source of a packet is not an interface in the local VPC, the destination of the connection must be the IP address of a network interface local to the VPC. The destination or source of the packet must be an interface local to the VPC or the traffic will be dropped.
One exception to this guideline involves the VGW. The VGW, by default, will re- advertise any routes it receives over VPN or AWS Direct Connect to all other peers. This functionality is called CloudHub, and it is covered in Chapter 4 on Virtual Private Networks and Chapter 5 on AWS Direct Connect. CloudHub allows traffic that arrives at the VGW from an AWS Direct Connect peer or AWS VPN peer to connect to other AWS VPN or AWS Direct Connect destinations. You cannot change the CloudHub routing behavior of a VGW.
Proxies, routers, Amazon EC2 VPN, and NAT instances can enable more flexible connectivity to and from external networks. When these devices receive a packet and forward it to the next hop, the retransmitted packet will then have a source of the Amazon EC2 instance instead of the external network. This behavior requires disabling the source/destination check.
A common pattern to solve transitive routing scenarios is to use instances in each VPC to proxy or forward the traffic by providing a local network interface as the destination for remote networks. Inside a VPC, it is common for route tables to target firewalls, proxies, and caching servers to process or inspect network traffic.
This routing design changes when VPC peering is used. As typically defined in the route table, traffic destined to the remote VPC CIDR range uses the peering connection (pcx-xxxxxxxx) as its target. It is not possible to route traffic to a network interface in the peered VPC.
An example of this behavior would be a firewall in a shared services VPC. If all Internet-bound traffic must pass through the firewall, you would configure subnet route tables to forward Internet-bound traffic to the instance. If the firewall is in another VPC, you cannot configure a route to a network interface over VPC peering. To provide these types of architectures, there is a detailed review with approaches such as the transit VPC in Chapter 16 and other architectures reviewed later in this book. There are also routing options involving cross-account elastic network interfaces that provide a solution in limited scenarios, which is covered later in this chapter.
There is a review of Elastic IP addresses, IPv6 addressing, and the different options for private and public addresses in Chapter 2. There are some additional IP addressing features that you should understand, such as resizing an Amazon VPC and NAT options.
One of the first design decisions that you must make when creating your VPCs on AWS is the IPv4 CIDR range. There are options for what address type you would like to use, including RFC1918 addresses, public addresses, and other addresses such as RFC6598. We recommend RFC1918 addresses when possible, but there are reasons to use other ranges. The second choice is how large the CIDR range should be.
Historically, AWS has recommended starting with a large CIDR range so that you avoid the work of redesigning connectivity associated with exhausting the available IPv4 addresses. Allocating large blocks of IPv4 addresses to multiple VPCs can be challenging if you are constrained on available IPv4 address space.
The resize VPC feature allows you to add up to five additional IPv4 CIDR ranges to your VPC. You can submit a request to increase the limit higher than five. This feature allows for IPv4 expansion in VPCs that have exhausted their addresses and reduces the design tradeoffs involved with starting with smaller CIDR ranges.
New VPC CIDR ranges cannot overlap with the existing CIDR range or the CIDR range of any current VPC peer. In addition, the new ranges must be more specific than any currently-defined static route in the VPC route tables. Dynamic routes propagated by the VGW do not cause a conflict, and any new CIDR ranges will be automatically preferred because they are local routes. There are also restrictions on which CIDR ranges can be defined, depending on the original CIDR range configured for the VPC.
Figure 3.6 illustrates the changes to the local routing table when you add a new CIDR range. A new local route was added in this case for 10.2.0.0/16. You must have space for additional route entries in your route tables, since new local routes are added. In addition, the VGW will begin advertising the new address range. You can define a new CIDR range ranging from a /16 to a /28. This means that you can effectively create ranges up to a /14 or /15 using individual /16 ranges. Advertisements from the VGW will not summarize contiguous address ranges.
Only new subnets can use the new address space; subnets created before the added CIDR ranges cannot use the new addresses.
IP addresses are typically simple, but there are a few edge cases which you can control.
There may be a scenario where you have accidentally released an Elastic IP address when you still have dependencies on the public address. Human error and automation errors can both cause this issue. There is a method through the AWS Command Line Interface (AWS CLI) to make a request to reclaim a previously-owned Elastic IP address. Success is best-effort, which means AWS will try to reclaim the address, but it is not guaranteed if another customer is already using the public address. This feature is not for auto-assigned public IP addresses—only Elastic IP addresses.
There are some network scenarios that benefit from extending a networking interface from an instance into another account. The cross-account network permission grants an AWS-authorized provider account permission to attach a customer network interface to an instance in the provider account. The provider account must be whitelisted by AWS to provide this functionality.
An example use case for this feature is Amazon Relational Database Service (Amazon RDS). Customers want to modify and control the elastic network interface of the Amazon RDS instances, but they should not have access to the instance itself. In the Amazon RDS scenario, the instance is in a VPC managed by AWS, and the elastic network interface is in the customer VPC.
This capability also allows customers to define VPC route table entries pointing to the elastic network interface of an instance in another account. This makes the elastic network interface capable of routing to an instance in another VPC or account.
There are good reasons why AWS has widely used Elastic Load Balancing to provide availability and reliability for services as opposed to single network interfaces. The cross-account network interface does not provide high availability or fault tolerance. When a cross-account network interface is used, such as in the case of Amazon RDS, it is important that there is fault tolerance built in at the application level. It is also important to understand that a network interface is specific to a subnet and Availability Zone, which means that the cross-account interface must reside in the same Availability Zone as the provider’s instance.
Other design factors are scalability and cost effectiveness. Instances have a fixed number of interfaces, generally between 2 and 15. If a provider uses cross-account network interface functionality to more endpoints than there are interfaces, the provider must create additional instances to support the volume. Moreover, the number of interfaces available to a given instance is typically proportional to the amount of memory and CPU. It may not be cost effective to use high-end instance types simply for the density of network interfaces.
In summary, a cross-account network interface is a useful feature if you are interacting with a low level of abstraction. That said, this type of low-level control can cause architectural problems if used improperly, which is why it requires whitelisting.
Cross-account network interfaces effectively move the instance out of the VPC while maintaining a network interface for communication. In that perspective, you are dealing with a single instance for each network interface. The benefits of cross-account network interfaces are the simplicity of the connectivity and the ability to treat the connectivity like any other network interface. The challenge is that network interfaces by themselves do not scale well or have any built-in availability.
VPC peering and VPC endpoints are both designed to allow many instances to communicate to many instances over VPC boundaries. One large difference is that VPC peering is generally available for anyone to use, while cross-account network interfaces are limited to whitelisted provider accounts. You can’t point a route entry to a network interface that exists on the other side of a VPC peering connection. VPC peering allows more broad access between the two VPCs.
VPC endpoints (powered by AWS PrivateLink) are unidirectional and apply source NAT to incoming traffic. There may be use cases that require routing, require bidirectional communication, are not compatible with load balancing, or are not compatible with NAT.
In this chapter, you learned about advanced VPC components, VPC endpoints, transitive routing, and IP address features. These features may not be used by all customers, but they are important to understand for use cases that require additional security, agility, or scale, or for specific application architectures.
We reviewed VPC endpoints that come in both interface and gateway types. Gateway VPC endpoints allow you to connect to services but do not exist as a networking component in your VPC. Interface VPC endpoints are elastic network interfaces, private IP addresses, and DNS names that allow you to access AWS Cloud services privately from within your VPC.
AWS PrivateLink is an extension of interface VPC endpoints, and it allows you to create your own endpoints or consume endpoints that others have created. The endpoints use Network Load Balancer and DNS to provide private access.
We also reviewed the way that routing works within a VPC in the transitive VPC section. This section has examples to illustrate the ways that you can make complex routing work in AWS.
Overall, this chapter sets up the platform for the more advanced architectures and concepts in the rest of the book. Every service on AWS uses networking in some way, and understanding the core mechanics will allow you to conceptualize more complex architectures better.
Understand the security benefits of VPC endpoints. The principle of least privilege means that you should offer as little access as needed. Restricting access to resources over private connections limits the overall attack and vulnerability surface. Endpoints simplify connectivity and make it easier to create granular access.
Understand the different types of VPC endpoints. There are gateway and interface endpoints. Gateway endpoints are reached through a route table entry and use a prefix list to define access to public IP addresses. Interface endpoints are network interfaces inside the VPC with private IP addresses and use DNS names to direct traffic to the network interfaces. Gateway and interface endpoints provide different features to restrict access.
Understand how to access VPC endpoints from external networks. Different design patterns are used for accessing VPC endpoints from external networks. Gateway endpoints require a proxy for access originating outside the VPC. Interface endpoints are accessible over AWS Direct Connect but not over VPN or VPC peering.
Understand how to secure VPC endpoints. VPC endpoint policy allows more granular access for specific resources or actions. VPC endpoint policy extends what is possible with route entries, prefix lists, security group rules, and network ACLs. Additional policies such as Amazon S3 bucket policies can also be used to restrict access.
Understand how AWS PrivateLink works. AWS PrivateLink is a type of interface VPC endpoint. It uses a Network Load Balancer to distribute traffic to a shared resource. The endpoint has multiple DNS names for regional and zonal access.
Understand the difference between AWS PrivateLink and VPC peering. VPC peering is a coarser method of providing access for two VPCs. AWS PrivateLink is a scalable way to provide access to a single service for many VPCs. VPC peering does not support overlapping addresses, and it is more difficult to use to create specific access at an instance level. VPC endpoints are also more suited for VPC relationships that have different trust levels.
Understand the difference between consumer and provider requirements for VPC endpoints (powered by AWS PrivateLink). Providers must define a set of attributes for their endpoint and associate a Network Load Balancer. The consumer is responsible for securing the endpoint. The consumer can also choose among the regional DNS name, zonal DNS name, or a direct IP address.
Understand transitive routing and the limitations of VPC routing. If traffic arrives externally from a VPC, the destination must be a network interface in the local VPC. The exception is that traffic arriving on a VGW may leave via another VGW route. Transitive routing affects traffic that arrives or leaves via an Internet gateway, NAT Gateway, VPC peering, gateway VPC endpoint, DNS services, AWS Direct Connect, or AWS VPN. There are many permutations of this routing behavior that are important to understand for the exam.
Understand how to add IPv4 CIDR ranges to a VPC. There are some caveats around what types of addresses you can add, prefix lengths (/16 to /28), and how adding CIDR ranges works. Each new prefix adds a local route, and the new prefix cannot overlap or conflict with existing VPC routes.
Understand Elastic IP features. It is possible to reclaim an accidentally-released Elastic IP address in some circumstances, such as if another customer has not used a released address.
Understand cross-account network interfaces. Cross-account network interfaces are for whitelisted partner accounts to use. Using cross-account network interfaces requires understanding of the availability and scalability tradeoffs of network interfaces and which types of applications are appropriate for this feature. Additionally, you should understand the benefits and design tradeoffs versus VPC peering and VPC endpoints.
For further review, visit the following URLs:
In this section, you will configure some more advanced VPC features that will help solidify the concepts introduced in this chapter.
For assistance completing these exercises, refer to the Amazon VPC User Guide located at http://aws.amazon.com/documentation/vpc/ and the Amazon EC2 User Guide located at https://aws.amazon.com/documentation/ec2/.
In this exercise, you will consume the AWS PrivateLink endpoint that you created in the previous exercise. In this exercise, we’re choosing a VPC in the same account. The consumer side also works for any VPC or account within the same AWS Region. You will finish connectivity by creating the consumer side of the AWS PrivateLink endpoint.
On the test instance, connect to the endpoint service. From the Endpoints page in the Amazon VPC console, you can select the first DNS name listed in the Details tab. This will be different than the service name that was used to find and create the endpoint.
$ curl <endpoint name>
Example: $ curl vpce-01847ae84f118942c-xvi8p3vm.vpce-svc-0d669f84acd4283ee .us-east-2.vpce.amazonaws.com
You may also want to check the IP address in your VPC that you’re using for this connectivity.
$ curl <endpoint name>
While we covered transitive routing in this chapter, it is good practice to see it in your own environment. Complete this exercise to do so.
You will configure the environment in the graphic shown here. There are three VPCs: 10.0.0.0/16, 10.1.0.0/16, and 10.2.0.0/16. 10.1.0.0 is peered with the other two VPCs. Each VPC has an Internet gateway so that you can use SSH to access the instances. The route table for each VPC has a route to the Internet and routes to the other two VPCs over the peering connection.
You now can see how transitive routing works in your own environment.
This exercise will review the mechanics of adding IPv4 CIDR ranges to an existing VPC.
In this exercise, you reviewed the mechanics of adding CIDR ranges to an existing VPC.
Which of the following is a security benefit of Amazon Virtual Private Cloud (Amazon VPC) endpoints?
You are configuring a secure access policy for your Amazon Simple Storage Service (Amazon S3) bucket. There is a Virtual Private Cloud (VPC) endpoint and Amazon S3 bucket policy that restricts access to the VPC endpoint. When browsing the bucket through the AWS Management Console, you do not have access to the buckets. Which statement is NOT true?
You have created a centralized, shared service Virtual Private Cloud (VPC) for your organization. It uses VPC peering, and you have been asked to evaluate AWS PrivateLink to optimize connectivity. Which of the following design considerations are true? (Choose two.)
You have configured an AWS PrivateLink connection between your Virtual Private Cloud (VPC) and the VPC of a business partner’s hospital. The hospital has specialized applications that staff developed in-house; some were developed more than 10 years ago. The hospital is trying to enable access to your private service but is having problems connecting to your service. Which of the following are possible solutions? (Choose two.)
You have configured a new Amazon Simple Storage Service (Amazon S3) endpoint in your Virtual Private Cloud (VPC). You have created a public Amazon S3 bucket so that you can test connectivity. You can download objects from your laptop but not from instances in the VPC. Which of the following could be the problem? (Choose two.)
You have configured private subnets so that applications can download security updates. You have a Network Address Translation (NAT) instance in each Availability Zone as the default gateway to the Internet for each private subnet. You find that you cannot reach port 8080 of a server on the Internet from any of your private subnets. Which are the most likely causes of the problem? (Choose two.)
You have created three Virtual Private Clouds (VPCs) named A, B, and C. VPC A is peered with VPC B. VPC B is peered with VPC C. Which statement is true about this peering arrangement?
You have configured a consumer Virtual Private Cloud (VPC) endpoint for a remote authentication service hosted by a business partner using AWS PrivateLink. The endpoints have been whitelisted and configured on the consumer and provider. Some instances are not able to access the private authentication service. Which of the following could cause this issue? (Choose two.)
You are trying to create a new Virtual Private Cloud (VPC). You try to add a Classless Inter-Domain Routing (CIDR) range, but the additional CIDR range is not being applied. Which of the following could solve this issue? (Choose two.)
You have defined your original Virtual Private Cloud (VPC) Classless Inter-Domain Routing (CIDR) as 192.168.20.0/24. Your on-premises infrastructure is defined as 192.168.128.0/17. You have configured a route to on-premises as 192.168.0.0/16 in your VPC route table. You have added a new CIDR range of 192.168.100.0/24 to your VPC. Users on-premises say that they can no longer reach the original 192.168.20.0/24 addresses. Which of the following is true?
You run a hosted service on AWS. Each copy of your hosted service is in a separate Virtual Private Cloud (VPC) and is dedicated to a single customer. Your hosted service has thousands of customers. The services in the dedicated VPCs require access to central provisioning and update services. Which connectivity methods can enable this architecture? (Choose two.)
Your networking group has decided to migrate all of the 192.168.0.0/16 Virtual Private Cloud (VPC) instances to 10.0.0.0/16. Which of the following is a valid option?
Your organization has a single Virtual Private Cloud (VPC) for development workloads. An open source Virtual Private Network (VPN) running on an Amazon Elastic Compute Cloud (Amazon EC2) instance is configured to provide developers with remote access. The VPN instance gives users IP addresses from a Classless Inter-Domain Routing (CIDR) range outside the VPC and performs a source Network Address Translation (NAT) on received traffic to the private address of the instance. Your organization acquired a company that also uses AWS with their own VPC. You have configured VPC peering between the two VPCs and instances can communicate without issue. Which of the following flows will fail?
Which of the following services can you access over AWS Direct Connect? (Choose two.)
Some people in your company have created a very complicated and management-intensive workflow for automating development builds and testing. They have requested those involved in creating it not to repeat this workflow more than once. The security organization, however, wants every developer to have their own account to reduce the blast radius of development issues. What is the best design for providing access to the development system?
An administrator was using an Elastic IP address to perform Application Programming Interface (API) calls with a business partner. The business partner whitelisted that IP in their firewalls. Unfortunately, the administrator ran a script that they did not understand which deleted the instance; the public address is no longer available. The administrator has submitted an API call to recall the Elastic IP address, but the address is not being returned. What could be the cause of this issue? (Choose two.)
3.138.105.255