VISI

VPC Security Components

Security Groups — stateful, instance-level. Allow rules only (no deny). Return traffic automatically allowed. All rules evaluated before decision.

NACLs: Stateless — stateless, subnet-level. Support both allow and deny rules. Rules evaluated in order (lowest number = highest priority, first match wins). Last rule is * which denies everything. Must explicitly allow return traffic (ephemeral ports 1024-65535). Newly created NACLs deny everything — do NOT modify the default NACL.

NAT Gateway — allows private subnet instances to reach internet (outbound only). Managed by AWS, scales automatically up to 100 Gbps, 5 Gbps minimum. NAT Gateway: Must live in a public subnet. Requires IGW. No security groups to manage. Per-AZ — create one per AZ for HA. Cost: per hour + per GB of data processed.

NAT Instance (legacy) — EC2 you manage. Must disable source/destination check. Single point of failure without ASG. You manage security groups.

Bastion Host — EC2 in public subnet used to SSH into private instances.

VPC Endpoints — connect to AWS services privately without internet:

  • Gateway Endpoints — for S3 and DynamoDB only. Gateway Endpoints are free. Added to route table.
  • Interface Endpoints (PrivateLink) — for most other AWS services. Creates an ENI in your subnet. Costs money per hour + per GB.

VPC Flow Logs — capture IP traffic info for VPCs, subnets, or ENIs. Send to S3, CloudWatch Logs, or Kinesis Data Firehose. Key fields: srcaddr, dstaddr, srcport, dstport, action (ACCEPT/REJECT). Use Athena or CloudWatch Logs Insights to analyze.

VPC Peering — connect two VPCs using AWS private network. Non-transitive. No overlapping CIDRs. Must update route tables in both VPCs. Works cross-account and cross-region.

AWS Transit Gateway — hub-and-spoke topology. Connects VPCs and on-premises networks through one central hub. Supports IP Multicast. Can peer Transit Gateways across regions. Supports ECMP for VPN bandwidth scaling.

Site-to-Site VPN — encrypted tunnel over the public internet. Setup requires a Virtual Private Gateway (VGW) on AWS side and a Customer Gateway (CGW) on on-premises side. Enable Route Propagation on route tables.

Direct Connect (DX) — dedicated private network connection, 1 Gbps to 400 Gbps. More consistent bandwidth, lower latency than VPN. Lead time > 1 month. Data in transit NOT encrypted by default — combine with VPN for encryption. Use Direct Connect Gateway to connect to VPCs in multiple regions.

DX + VPN as backup — use Site-to-Site VPN as a failover if Direct Connect goes down.

VPN CloudHub — hub-and-spoke model for connecting multiple on-premises sites via VPN. Uses the same VGW.

Traffic Mirroring — copy network traffic from ENIs for inspection/analysis by security appliances.

Egress-Only Internet Gateway — like NAT Gateway but for IPv6 outbound traffic only.

AWS Network Firewall — Layer 3-7 protection for the entire VPC. Internally uses Gateway Load Balancer. Rules: IP/port filtering, protocol, domain list, regex patterns, stateful inspection.

VPC subnet reserved IPs: AWS reserves 5 IPs per subnet (first 4 + last 1). Exam tip: need 29 IPs → use /26 (64 IPs), not /27 (32 IPs).

Private IP ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. VPCs use these.

References

Quiz

A few quick questions based on this unit. Mark it complete when you are done.

Question 1 / 3

What is Egress-Only Internet Gateway?