VPC Security Components
Security Groups — stateful, instance-level. Allow rules only (no deny). Return traffic automatically allowed. All rules evaluated before decision.
NACLs: Stateless — stateless, subnet-level. Support both allow and deny rules. Rules evaluated in order (lowest number = highest priority, first match wins). Last rule is * which denies everything. Must explicitly allow return traffic (ephemeral ports 1024-65535). Newly created NACLs deny everything — do NOT modify the default NACL.
NAT Gateway — allows private subnet instances to reach internet (outbound only). Managed by AWS, scales automatically up to 100 Gbps, 5 Gbps minimum. NAT Gateway: Must live in a public subnet. Requires IGW. No security groups to manage. Per-AZ — create one per AZ for HA. Cost: per hour + per GB of data processed.
NAT Instance (legacy) — EC2 you manage. Must disable source/destination check. Single point of failure without ASG. You manage security groups.
Bastion Host — EC2 in public subnet used to SSH into private instances.
VPC Endpoints — connect to AWS services privately without internet:
- Gateway Endpoints — for S3 and DynamoDB only. Gateway Endpoints are free. Added to route table.
- Interface Endpoints (PrivateLink) — for most other AWS services. Creates an ENI in your subnet. Costs money per hour + per GB.
VPC Flow Logs — capture IP traffic info for VPCs, subnets, or ENIs. Send to S3, CloudWatch Logs, or Kinesis Data Firehose. Key fields: srcaddr, dstaddr, srcport, dstport, action (ACCEPT/REJECT). Use Athena or CloudWatch Logs Insights to analyze.
VPC Peering — connect two VPCs using AWS private network. Non-transitive. No overlapping CIDRs. Must update route tables in both VPCs. Works cross-account and cross-region.
AWS Transit Gateway — hub-and-spoke topology. Connects VPCs and on-premises networks through one central hub. Supports IP Multicast. Can peer Transit Gateways across regions. Supports ECMP for VPN bandwidth scaling.
Site-to-Site VPN — encrypted tunnel over the public internet. Setup requires a Virtual Private Gateway (VGW) on AWS side and a Customer Gateway (CGW) on on-premises side. Enable Route Propagation on route tables.
Direct Connect (DX) — dedicated private network connection, 1 Gbps to 400 Gbps. More consistent bandwidth, lower latency than VPN. Lead time > 1 month. Data in transit NOT encrypted by default — combine with VPN for encryption. Use Direct Connect Gateway to connect to VPCs in multiple regions.
DX + VPN as backup — use Site-to-Site VPN as a failover if Direct Connect goes down.
VPN CloudHub — hub-and-spoke model for connecting multiple on-premises sites via VPN. Uses the same VGW.
Traffic Mirroring — copy network traffic from ENIs for inspection/analysis by security appliances.
Egress-Only Internet Gateway — like NAT Gateway but for IPv6 outbound traffic only.
AWS Network Firewall — Layer 3-7 protection for the entire VPC. Internally uses Gateway Load Balancer. Rules: IP/port filtering, protocol, domain list, regex patterns, stateful inspection.
VPC subnet reserved IPs: AWS reserves 5 IPs per subnet (first 4 + last 1). Exam tip: need 29 IPs → use /26 (64 IPs), not /27 (32 IPs).
Private IP ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. VPCs use these.
