Networking services of VPCs

What are the benefits of using AWS VPC compared to traditional on-premises networking solutions?

AWS VPC provides scalable infrastructure that allows for easy expansion, increased fault tolerance through multiple Availability Zones, and flexibility with security settings. It offers a faster setup time, customizable network configurations, reduced capital expenditure due to a pay-as-you-go pricing model, and global reach with the AWS infrastructure.

How do the security groups and network access control lists (ACLs) in an AWS VPC differ?

Security groups operate at the instance level and are stateful, meaning they track and automatically allow return traffic. Network ACLs, on the other hand, operate at the subnet level and are stateless, requiring explicit rules for both inbound and outbound traffic.

Can you explain the difference between a public and a private subnet within an AWS VPC?

A public subnet is one that has a route table entry allowing direct access to the Internet through an Internet Gateway, thus allowing instances within this subnet to be reachable from the Internet. A private subnet does not have direct access to the Internet and is used for instances that should not be directly exposed to the outside world. Instances in a private subnet often access the Internet indirectly through a NAT gateway or instance.

What is a VPC peering connection and what are the limitations of VPC peering?

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Limitations include no transitive peering (you can’t route through one VPC to another), VPC CIDR blocks cannot overlap, and peering is only possible between VPCs in the same or different AWS accounts within a single region (inter-region peering is possible but with certain limitations).

How can you enable DNS resolution between two VPCs that are connected by a peering connection?

To enable DNS resolution for instances in peered VPCs, you’ll need to modify the VPC peering connection settings to enable DNS resolution by setting the enableDnsSupport attribute to true. Additionally, ensure that your VPCs’ DNS hostnames and DNS resolution settings are also enabled.

What is an AWS Transit Gateway, and how does it enhance network connectivity within an AWS environment?

AWS Transit Gateway is a service that enables you to connect multiple VPCs, AWS accounts, and on-premises networks through a central hub to simplify network topology and management. It enhances connectivity by reducing the need for VPC peering connections and simplifying routing through a centralized gateway, which also aids in scaling connections and managing a growing network infrastructure.

Describe the role of AWS Direct Connect in a VPC and its advantages over VPN connectivity.

AWS Direct Connect provides a dedicated private connection from an on-premises network to an AWS VPC. This connection bypasses the public internet, offering a more consistent network experience with lower latency and increased bandwidth. It can be more secure and cost-effective for high-volume traffic compared to a VPN that relies on public internet connectivity.

What steps would you take to design a highly available network architecture within an AWS VPC?

To design a highly available network in an AWS VPC, I would use multiple Availability Zones, deploy redundant connectivity options like Internet Gateways and NAT Gateways, set up Route 53 for DNS failover and load balancing, configure Autoscaling Groups, and establish proper routing and security measures. Implementing a combination of AWS Transit Gateways or VPC peering for inter-VPC connectivity would also ensure robust networking.

In AWS VPC, what is the purpose of Network Address Translation (NAT) gateways or instances, and when should you use them?

NAT gateways or instances allow instances in a private subnet of a VPC to connect to services outside the VPC (like the Internet) without receiving unsolicited inbound connections. You use them when you need to provide internet access to instances without exposing them to inbound connections directly from the internet.

How can the AWS Route 53 service be integrated with a VPC to enhance your network architecture?

AWS Route 53 can be integrated with a VPC to provide reliable and flexible DNS management, including domain registration, DNS routing, and health checking. Within a VPC, Route 53 can route traffic to different endpoints, balance load across multiple instances, direct incoming traffic based on various conditions, and work with Private Hosted Zones to resolve domain names within the VPC.

What is an Elastic IP and when would you need it in an AWS VPC environment?

An Elastic IP (EIP) is a public IPv4 address provided by AWS that you can allocate to an account and is yours until you release it. It’s useful when you need a static IP address for use with a public-facing server, for example, an EC2 instance that will serve as a web server or needs to be accessed from the internet reliably.

How does AWS Network Access Control List (NACL) support layered security within a VPC?

AWS NACL supports layered security by functioning as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. This adds an additional layer of security to complement security groups that act at the instance level, providing an effective way to set up a tiered access structure within a VPC.