1. A default VPC is created for you in every region. It is an ordinary VPC that belongs only to your account (it is not shared with other customers), but it comes pre-configured for public access: a public subnet in each AZ, an attached IGW, and instances launched into it receive public IPs by default
2. A custom VPC starts out private: no IGW, no public IPs and nothing reachable from the internet until you add it
3. A custom VPC is therefore the next level of security, since you decide what gets exposed
Route Table
➢ An RT contains a set of rules (called routes) that are applied to a subnet and used to determine
where network traffic is directed; the most specific matching route (longest prefix) wins
➢ Each RT contains a default route called local route, which enables communication within
the VPC and this route can’t be modified or removed
➢ Additional routes can be added to direct traffic to exit the VPC via IGW
➢ Your custom VPC has an implicit ROUTER
➢ Your VPC automatically comes with a main RT that you can modify to apply additional
routing
➢ You can also create additional RTs if needed( we will create one each for Public subnet and
Private subnet)
➢ You can’t delete an RT if it has dependencies, i.e. any associated subnets, and the main RT can’t be deleted at all
Let’s try to answer a tricky Question to check our understanding.
Explanation- Each subnet must be associated with a route table, which controls the routing
for that subnet.
If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly
associated with the main route table.
IGW
★ a horizontally scaled, redundant VPC component that connects the VPC with the internet and performs 1:1 NAT between an instance’s private IP and its public/Elastic IP
★ Only 1 IGW can be attached to a VPC at a time
★ An IGW can’t be detached from a VPC while resources in the VPC still hold public IPv4 or Elastic IPs that map through it
★ One IGW can only be attached to 1 VPC at a time
★ If you detach the IGW from the VPC and then look in the Route Table, the route pointing at the IGW stays but its status shows as “blackhole”
● A subnet can only be associated with only one route table at a time
● However, you can associate multiple subnets with the same route table
Example1- (rule 80 ALLOW HTTP, rule 90 DENY HTTP) All inbound HTTP is allowed: rule 80 is evaluated first, matches, and rule 90 (DENY) is never reached
Example2- (rule 70 DENY HTTP, rule 80 ALLOW HTTP) All inbound HTTP is denied: rule 70 is evaluated first and matches, so the traffic is denied even though rule 80 would allow it
➔ A subnet can only be associated with one NACL at a time. An instance can have multiple
SGs.
➔ A NACL belongs to one VPC and can’t span another VPC, just like an SG can’t span VPCs,
but both NACLs and SGs can span AZs.
NACL Vs SG… Who Wins?
Neither "wins": traffic must be allowed by both. For inbound traffic the NACL (subnet boundary) is evaluated before the SG (instance), so a NACL DENY drops the packet before the SG ever sees it, even if the SG allows it. Equally, traffic the NACL allows is still dropped if no SG rule allows it.
★ Each Subnet in your VPC must be associated with a NACL. If you do not explicitly associate one,
the subnet is automatically associated with the default NACL
★ A NACL can be associated with multiple subnets, however, a subnet can only be associated
with one NACL at a time.
➢ NACL is STATELESS i.e. both inbound & outbound rules need to be defined; the return half of a connection (e.g. replies to the client’s ephemeral port) must be explicitly allowed in the other direction
➢ SG is STATEFUL i.e. if a connection is allowed in, its return traffic is allowed out automatically (and vice versa), regardless of the rules for the other direction. Both inbound and outbound rules still exist; the default SG outbound rule allows all traffic
A Question- I want to block a specific IP address from hitting my VPC. Which will help me- NACL or SG?
● NACL is the answer. Why? In an SG you can only allow particular traffic to come in; there is no
option to DENY. In a NACL, I have both options of ALLOW and DENY
SG                                               | NACL
-------------------------------------------------|--------------------------------------------------
Supports only ALLOW rules                        | Supports both ALLOW and DENY rules
AWS evaluates all rules before deciding          | AWS processes rules in number order (lowest first)
whether to ALLOW/DENY traffic                    | and the first matching rule decides ALLOW/DENY
Stateful (return traffic allowed automatically)  | Stateless (return traffic needs its own rule)
Applies at the instance (ENI) level              | Applies at the subnet level
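To make the evaluation rules above concrete, here is an added toy model (illustration written for these notes, not AWS code) that walks a packet through a NACL and then a security group exactly as the table describes: NACL rules in number order with first match winning and an implicit "*" deny, SG rules allow-only with any match allowing, SG connection tracking (stateful) versus no tracking for the NACL (stateless). The rule sets reproduce Example 1, Example 2 and the "block one IP" question; the IP addresses and rule numbers are constructed sample values.

```python
"""Toy model of NACL (subnet boundary) vs Security Group (instance) evaluation.
Added illustration only; it models the documented evaluation rules, it is not
AWS code.  Rules are plain dicts: number (NACL only), action, proto, cidr,
ports=(lo, hi)."""
import ipaddress


def rule_matches(rule, ip, proto, port):
    """True if a single ALLOW/DENY rule covers this ip/proto/port."""
    if rule["proto"] not in ("all", proto):
        return False
    lo, hi = rule.get("ports", (0, 65535))
    if not lo <= port <= hi:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"], strict=False)


def nacl_decision(rules, ip, proto, port):
    """NACL semantics: rules are walked in ascending rule number and the FIRST
    match wins; the trailing '*' rule denies anything left over.
    Returns (action, rule_number)."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule_matches(rule, ip, proto, port):
            return rule["action"], rule["number"]
    return "deny", "*"


def sg_decision(rules, ip, proto, port):
    """SG semantics: only ALLOW rules exist, every rule is considered and any
    match lets the traffic through.  There is no way to express a DENY."""
    assert all(r["action"] == "allow" for r in rules), "SGs have no DENY rules"
    return "allow" if any(rule_matches(r, ip, proto, port) for r in rules) else "deny"


class Instance:
    """An instance in a subnet: NACL in/out on the subnet, SG in/out on the ENI."""

    def __init__(self, nacl_in, nacl_out, sg_in, sg_out):
        self.nacl_in, self.nacl_out = nacl_in, nacl_out
        self.sg_in, self.sg_out = sg_in, sg_out
        self.flows = set()  # SG connection tracking: this is what makes it stateful

    def inbound(self, src_ip, src_port, dst_port, proto="tcp"):
        """New connection arriving from src_ip: NACL first, then SG; both must allow."""
        action, _ = nacl_decision(self.nacl_in, src_ip, proto, dst_port)
        if action == "deny":
            return "denied by NACL"
        if sg_decision(self.sg_in, src_ip, proto, dst_port) == "deny":
            return "denied by SG"
        self.flows.add((src_ip, proto, src_port, dst_port))
        return "allowed"

    def reply(self, dst_ip, dst_port, src_port, proto="tcp"):
        """Reply leaving the instance.  SG is stateful: a tracked flow passes with no
        outbound rule.  NACL is stateless: the outbound NACL must allow the client's
        ephemeral port or the reply is dropped."""
        tracked = (dst_ip, proto, dst_port, src_port) in self.flows
        if not tracked and sg_decision(self.sg_out, dst_ip, proto, dst_port) == "deny":
            return "denied by SG"
        action, _ = nacl_decision(self.nacl_out, dst_ip, proto, dst_port)
        if action == "deny":
            return "denied by NACL (stateless: no outbound rule for the ephemeral port)"
        return "allowed"


# Constructed rule sets mirroring the examples in the notes (sample IPs from TEST-NET ranges)
HTTP = {"proto": "tcp", "cidr": "0.0.0.0/0", "ports": (80, 80)}
EXAMPLE1 = [dict(number=80, action="allow", **HTTP), dict(number=90, action="deny", **HTTP)]
EXAMPLE2 = [dict(number=70, action="deny", **HTTP), dict(number=80, action="allow", **HTTP)]
BLOCK_ONE_IP = [
    {"number": 100, "action": "deny", "proto": "all", "cidr": "198.51.100.9/32"},
    dict(number=110, action="allow", **HTTP),
    {"number": 120, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (22, 22)},
]
EPHEMERAL_OUT = [{"number": 100, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (1024, 65535)}]
WEB_SG = [dict(action="allow", **HTTP)]  # SG: allow only tcp/80, no outbound rules needed for replies


def demo():
    web = Instance(BLOCK_ONE_IP, EPHEMERAL_OUT, WEB_SG, sg_out=[])
    no_out = Instance(BLOCK_ONE_IP, [], WEB_SG, sg_out=[])  # forgot the outbound NACL rule
    no_out.inbound("203.0.113.7", 40003, 80)
    return {
        "example1": nacl_decision(EXAMPLE1, "203.0.113.7", "tcp", 80),
        "example2": nacl_decision(EXAMPLE2, "203.0.113.7", "tcp", 80),
        "blocked_ip": web.inbound("198.51.100.9", 40000, 80),
        "nacl_ok_sg_blocks_ssh": web.inbound("203.0.113.7", 40001, 22),
        "http_ok": web.inbound("203.0.113.7", 40002, 80),
        "reply_ok": web.reply("203.0.113.7", 40002, 80),
        "reply_no_nacl_out": no_out.reply("203.0.113.7", 40003, 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The `nacl_ok_sg_blocks_ssh` case is the one people miss: the NACL lets port 22 into the subnet, but the instance's SG only allows 80, so the SSH attempt is still dropped. The `reply_no_nacl_out` case is the stateless trap: HTTP gets in, but without an outbound NACL rule for ports 1024-65535 the response never leaves the subnet.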
For some reason I want to access the Internet from my instance in a Private Subnet (a use case-
downloading software patches on a DB server in the private subnet)
1. NAT Gateway (recommended: you pay only for the gateway hours and traffic, and there is no EC2 NAT instance to maintain)
→ needs one EIP
→ create the NAT gateway in the public subnet (its own traffic leaves via the public subnet’s IGW route)
→ in the private subnet’s route table add 0.0.0.0/0 → NAT gateway (a 0.0.0.0/0 → IGW entry will
not work there, because the private instances have no public IP for the IGW to map)
❏ Use case of Peering- a private IP in one VPC can connect to a private IP in another VPC (CIDRs must not overlap)
❏ One VPC requests the peering and the other VPC has to accept the peering request; each side then adds a route for the peer’s CIDR
❏ VPC peering does not support transitive peering relationships
VPC Endpoint
A VPC endpoint enables you to privately connect your VPC to supported AWS services
and VPC endpoint services powered by AWS PrivateLink without requiring an internet
gateway, NAT device, VPN connection, or AWS Direct Connect connection
Practical-
1. create two subnets, launch instances in both the public and the private subnet
2. create a NAT gateway and try accessing the internet from the private instance
3. now create a role (S3 full access), attach this role to the private instance and try listing
all buckets in your account
4. delete the NAT gateway and create a gateway endpoint for S3. check that the private subnet’s route table has the
entry for the endpoint (destination = the S3 prefix list, target = the vpce-… id)
5. now try listing S3 buckets from the private instance
6. if you can’t see buckets then try adding --region in the cli command (aws s3 ls --region
ap-south-1), since a gateway endpoint only serves S3 in its own region
7. after deleting the NAT gateway, you must see the 0.0.0.0/0 route’s status as blackhole in the route table
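The NAT gateway routing rules above and steps 4 to 7 of the practical come down to how the private subnet's route table resolves a destination. The following added model (written for these notes, not AWS code) does the longest-prefix-match lookup over a route table with the immutable local route, a 0.0.0.0/0 route, a gateway-endpoint route copied from a service prefix list, and the blackhole state a route takes when its target is deleted. It also shows why 0.0.0.0/0 → IGW in a private subnet's table does nothing for an instance without a public IP. The VPC CIDR, the stand-in S3 prefix list, the resource ids and the destination addresses are all constructed sample values.

```python
"""Toy longest-prefix-match lookup for a VPC route table.  Added illustration,
not AWS code.  Shows: local route is fixed, 0.0.0.0/0 -> nat-gateway carries
internet traffic for the private subnet, the S3 gateway endpoint route (from a
prefix list) is more specific and wins for S3 addresses, and deleting the NAT
gateway leaves a 'blackhole' route behind."""
import ipaddress


class RouteTable:
    def __init__(self, vpc_cidr):
        self.vpc_cidr = vpc_cidr
        # destination -> (target, state); the local route is always present
        self.routes = {vpc_cidr: ("local", "active")}

    def add_route(self, dest, target):
        if dest == self.vpc_cidr:
            raise ValueError("the local route cannot be modified or removed")
        self.routes[dest] = (target, "active")

    def add_prefix_list_route(self, cidrs, target):
        """Gateway endpoint: the console shows one route whose destination is the
        service prefix list; it resolves to one route per CIDR in that list."""
        for cidr in cidrs:
            self.add_route(cidr, target)

    def delete_target(self, target):
        """Deleting a NAT gateway (or detaching an IGW) does not remove its routes;
        they stay in the table with state 'blackhole'."""
        for dest, (t, _) in self.routes.items():
            if t == target:
                self.routes[dest] = (t, "blackhole")

    def lookup(self, dst_ip):
        """Longest-prefix match.  Returns (target, state)."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for dest, (target, state) in self.routes.items():
            net = ipaddress.ip_network(dest)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target, state)
        if best is None:
            return ("none", "unroutable")
        return (best[1], best[2])


def can_reach(rt, dst_ip, has_public_ip):
    """What happens to a packet from an instance in a subnet using route table rt."""
    target, state = rt.lookup(dst_ip)
    if state != "active":
        return f"dropped ({state} route)"
    if target.startswith("igw-") and not has_public_ip:
        # The IGW only forwards traffic for instances it can map to a public IP
        return "dropped (IGW route but instance has no public IP)"
    return f"via {target}"


def demo():
    vpc = "10.0.0.0/16"                       # constructed VPC CIDR
    s3_prefix_list = ["198.51.100.0/24"]      # constructed stand-in for the regional S3 prefix list (pl-xxxx)
    internet_host, s3_host = "203.0.113.50", "198.51.100.7"  # constructed destinations

    private = RouteTable(vpc)
    private.add_route("0.0.0.0/0", "nat-0abc")            # step 2 of the practical
    private.add_prefix_list_route(s3_prefix_list, "vpce-0def")  # step 4

    wrong = RouteTable(vpc)                   # the mistake the notes warn about
    wrong.add_route("0.0.0.0/0", "igw-0123")

    out = {
        "intra_vpc": private.lookup("10.0.2.20"),
        "internet_via_nat": can_reach(private, internet_host, has_public_ip=False),
        "s3_via_endpoint": can_reach(private, s3_host, has_public_ip=False),
        "igw_in_private_rt": can_reach(wrong, internet_host, has_public_ip=False),
    }
    private.delete_target("nat-0abc")          # step 4/7: NAT gateway deleted
    out["after_nat_deleted"] = private.lookup(internet_host)
    out["internet_after"] = can_reach(private, internet_host, has_public_ip=False)
    out["s3_after"] = can_reach(private, s3_host, has_public_ip=False)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The point of `s3_after` is step 5 of the practical: with the NAT gateway gone the default route is a blackhole, yet `aws s3 ls` still works because the S3 addresses match the more specific endpoint route. Anything that is not in the S3 prefix list (for example other AWS APIs, or S3 in another region) still falls through to the blackhole.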