AWS: DIRECT CONNECT GATEWAY AND ENDPOINTS
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.
DIRECT CONNECT GATEWAY
The VPCs that you connect through a Direct Connect gateway cannot have overlapping CIDR blocks.
- If you add an IPV4 CIDR block to a VPC that’s associated with a Direct Connect gateway, ensure that the CIDR block does not overlap with an existing CIDR block for any other associated VPC.
You cannot create a public virtual interface to a Direct Connect gateway.
A Direct Connect gateway supports communication between attached private virtual interfaces and associated virtual private gateways only.
The following traffic flows are not supported:
- Direct communication between the VPCs that are associated with the Direct Connect gateway.
- Direct communication between the virtual interfaces that are attached to the Direct Connect gateway.
- Direct communication between a virtual interface attached to a Direct Connect gateway and a VPN connection on a virtual private gateway that is associated with the same Direct Connect gateway.
You cannot associate a virtual private gateway with more than one Direct Connect gateway, and you cannot attach a private virtual interface to more than one Direct Connect gateway.
A virtual private gateway that you associate with a Direct Connect gateway must be attached to a VPC.
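The non-overlapping CIDR rule above is easy to get wrong once VPCs carry secondary CIDR blocks. As an added example (not code from the original post), this Python check validates a proposed VPC association or CIDR addition against the CIDRs already associated with one Direct Connect gateway; the VPC ids and CIDR blocks are constructed placeholders.

```python
# Added example: check that VPC CIDR blocks associated with a Direct Connect
# gateway do not overlap, before associating a VPC or adding a CIDR to one.
import ipaddress
from itertools import combinations

# Constructed sample: VPCs already associated with one Direct Connect gateway,
# each with its primary and any secondary IPv4 CIDR blocks (placeholder values).
ASSOCIATED_VPCS = {
    "vpc-prod": ["10.0.0.0/16"],
    "vpc-dev": ["10.1.0.0/16", "172.16.0.0/20"],
    "vpc-shared": ["192.168.0.0/24"],
}


def find_overlaps(vpcs):
    """Return [(vpc_a, cidr_a, vpc_b, cidr_b), ...] for every overlapping pair of
    blocks belonging to different VPCs. An empty list means the set is valid."""
    # strict=True rejects host bits set in the prefix, e.g. "10.0.0.1/16".
    blocks = [(vpc, ipaddress.ip_network(c, strict=True))
              for vpc, cidrs in vpcs.items() for c in cidrs]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(blocks, 2)
            if a != b and na.overlaps(nb)]


def can_add_cidr(vpcs, vpc_id, new_cidr):
    """Decide whether new_cidr may be added to vpc_id without overlapping any
    CIDR of another VPC on the same Direct Connect gateway. Returns (ok, reason).
    Overlap inside the same VPC is a VPC-level error and is not checked here."""
    new = ipaddress.ip_network(new_cidr, strict=True)
    for other_vpc, cidrs in vpcs.items():
        if other_vpc == vpc_id:
            continue
        for c in cidrs:
            if new.overlaps(ipaddress.ip_network(c)):
                return False, f"{new_cidr} overlaps {c} in {other_vpc}"
    return True, "no overlap with other associated VPCs"
```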
AWS DIRECT CONNECT LIMITS
Without VPC endpoints, EC2 instances and applications that need to reach AWS services must go over the internet (via an internet gateway), a VPN connection, a NAT gateway, or public IP addresses.
With VPC endpoints, EC2 instances and applications get higher-performance and more secure connectivity: they connect to AWS services from their private IP addresses, without going over the internet (IGW), VPN connections, NAT gateways, or public IP addresses.
A VPC endpoint lets EC2 instances and applications connect privately from the VPC to supported AWS services and to VPC endpoint services powered by AWS PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
Hence, with VPC endpoints, instances in the VPC do not need public IP addresses to communicate with resources in the target service.
Traffic between the VPC and the other services does not leave the AWS network.
There are two types of VPC endpoints: interface endpoints and gateway endpoints.
Each service is accessed through one of the two endpoint types, and you cannot change that type.
Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components.
They allow communication between instances in the VPC and services without imposing availability risks or bandwidth constraints on network traffic.
A gateway endpoint is a gateway that is the target for a specified route in the route table you specify.
It is used for traffic destined to a supported AWS service. The following AWS services are supported:
- Amazon S3
- DynamoDB
An endpoint policy can be configured to control which principals can use the endpoint and which actions they may perform on the service reached through it.
Endpoints are supported within the same region only.
VPC INTERFACE ENDPOINTS
An interface endpoint is an ENI with a private IP address that serves as an entry point for traffic destined to a supported service.
AWS creates one ENI per subnet you specify.
A single interface endpoint is not highly available on its own; to make it resilient, configure it in multiple subnets across multiple AZs.
It allows the connection to services that are powered by AWS PrivateLink.
These services include:
- Some AWS services
- Services hosted by other AWS customers and partners in their own VPCs.
- Supported AWS Marketplace partner services.
The owner of the service is the service provider and you, as the principal creating the interface endpoint, are the service consumer.
Interface endpoints rely on DNS resolution and are not based on route table entries.
Multiple endpoint-specific DNS hostnames are returned.
- Services cannot initiate requests to resources in the VPC through the endpoint. An endpoint only returns responses to traffic initiated from resources in your VPC.
Example of the supported services:
- API Gateway
- CloudFormation
- CloudWatch
- EC2 API
- Kinesis Data Streams
- Endpoints hosted by other AWS Services
- Systems Manager
- CodeBuild
- AWS Config
- Service Catalog
- Secrets Manager
INTERFACE VPC ENDPOINTS PRIVATE DNS
Instead of using the endpoint-specific DNS hostnames of an interface endpoint to reach the service, and to avoid changing your applications, you can enable the private DNS feature.
It associates a private hosted zone with your VPC.
- The hosted zone then has a record set for the service's default DNS name that resolves to a private IP address of the interface endpoint created in the VPC.
- This lets you use the service's default DNS hostname instead of the endpoint-specific DNS hostnames to make requests to the service.
- This way, applications in the VPC that were configured to use the service's default DNS hostname can continue to use it and are routed to the interface endpoint.
IPV6 and the INTERNET GATEWAY
As with IPv4, an instance in a public subnet can reach the internet gateway if it has an IPv6 address.
Clients on the internet can initiate a connection to such an instance as well.
IPv6 addresses are globally unique, which means IPv6 addresses are public IP addresses.
EGRESS ONLY INTERNET GATEWAY (IPV6)
To prevent the internet from initiating traffic to your IPv6-addressed instances, while still allowing the instances to initiate traffic to the internet, an egress-only internet gateway is required:
- Create an egress-only internet gateway in the VPC.
- Add a route to the respective route table that directs all IPv6 traffic destined for the internet (::/0) to the egress-only internet gateway.
- Any internet-bound IPv6 traffic in the subnet is then routed to the egress-only internet gateway.
The egress-only internet gateway is stateful:
- It forwards traffic from the instances in the subnet to the internet or to other AWS services.
- It then sends the responses back to the instances.
An egress-only internet gateway has the following characteristic:
- A security group cannot be associated with an egress-only internet gateway; protect the EC2 instances in the subnet with security groups instead.
VPC FLOW LOGS
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
Flow logs can help you with a number of tasks:
- Troubleshooting why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules.
- Using flow logs as a security tool to monitor the traffic that is reaching your instances.
You can create a flow log for a VPC, a subnet or a network interface.
- If you create a flow log for a subnet or a VPC, each network interface in the VPC or subnet is monitored.
Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow.
Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
- After you have created a flow log, you can retrieve and view its data in the chosen destination.
To create a flow log, you specify:
- The resource for which to create the flow log,
- The type of traffic to capture (accepted, rejected, or all), and
- The destination to which you want to publish the flow log data.
CloudWatch Logs charges apply when using flow logs, whether you send them to CloudWatch Logs or to Amazon S3.
After you have created a flow log, it can take several minutes to begin collecting and publishing data.
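To show the two uses named above (diagnosing a too-restrictive security group and monitoring what reaches an instance), here is an added example, not code from the original post, that parses records in the default flow log format and summarises rejected flows. The log lines, account id, ENI id, and addresses are constructed placeholders.

```python
# Added example: parse VPC Flow Log records (default format, version 2) and
# summarise REJECTed flows per destination port and per source.
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records; ids and addresses are placeholders, not real values.
SAMPLE_LOG = """\
2 123456789012 eni-0abc123def456789a 203.0.113.10 10.0.1.25 51234 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def456789a 203.0.113.10 10.0.1.25 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def456789a 10.0.2.40 10.0.1.25 40210 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 198.51.100.7 10.0.1.25 60001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def456789a - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Yield one dict per well-formed record. NODATA/SKIPDATA records carry
    no addresses or ports (they are '-'), so they are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        yield rec


def rejected_by_port(text):
    """Map (dstaddr, dstport) -> sorted distinct sources whose flows were rejected.
    Many sources rejected on one port usually means a security group rule is
    blocking intended traffic; one source rejected on many ports looks like a probe."""
    hits = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            hits[(rec["dstaddr"], rec["dstport"])].add(rec["srcaddr"])
    return {k: sorted(v) for k, v in hits.items()}


def sources_rejected_on_many_ports(text, min_ports=2):
    """Return sources that were rejected on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)
```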
VPC DHCP OPTION SETS
You can use an on-premises DNS server for your AWS VPC environment.
But you cannot use Route 53 as the DNS for your on-premises infrastructure.
The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.
The options field of a DHCP message contains the configuration parameters.
Some of those parameters are the domain name, domain name server, and the NetBIOS node type.
You can configure DHCP options sets for your Virtual Private Cloud (VPC).
After you create a set of DHCP options, you can't modify it.
- If you want your VPC to use a different set of DHCP options, you must create a new set and associate it with your VPC.
- You can also set up your VPC to use no DHCP options at all.
You can have multiple sets of DHCP options, but you can associate only one set of DHCP options with a VPC at a time.
- If you delete a VPC, the DHCP options set associated with the VPC is also deleted.
After you associate a new set of DHCP options with a VPC, any existing instances and all new instances that you launch in the VPC use these options.
- You don't need to restart or relaunch the instances. They automatically pick up the changes within a few hours, depending on how frequently each instance renews its DHCP lease.
These are the main functions of a VPC. In my next blog, I will start my discussion on EC2, which is one of the primary services of AWS.