Saturday, January 1, 2022

VPC endpoints and VPC costing

A VPC endpoint enables a private connection between your VPC and supported AWS services, or VPC endpoint services powered by PrivateLink, using private IP addresses. Traffic between the VPC and the AWS service does not leave the Amazon network.

There are two types of VPC endpoints:

An interface endpoint is an elastic network interface (ENI) with a private IP address from the IP address range of your subnet. It serves as the entry point for traffic destined to a supported service, so you can reach the service privately over private IP addresses.

A gateway endpoint is a gateway that you specify as the target of a route in your route table for traffic destined to a supported AWS service. Gateway endpoints currently support S3 and DynamoDB.


VPC Endpoints Limitations

  1. VPC endpoints support IPv4 traffic only.
  2. Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.
  3. An endpoint cannot be transferred from one VPC to another, or from one service to another.

Interface Endpoints:

  1. For each interface endpoint, you can choose only one subnet per Availability Zone.
  2. Each interface endpoint can support a bandwidth of up to 10 Gbps per Availability Zone by default. Additional capacity may be added automatically based on your usage.
  3. Interface endpoints support TCP traffic only.
  4. Endpoints cannot be transferred from one VPC to another, or from one service to another.

Gateway Endpoints:

  1. Endpoint connections cannot be extended out of a VPC, i.e. resources on the other side of a VPN connection, VPC peering connection, or AWS Direct Connect connection cannot use the endpoint.


VPC Security

While private subnets help protect your resources by making them harder to reach, that alone is not enough. We also need other tools such as Security Groups, Network Access Control Lists (NACLs), and Flow Logs.

Security Groups and NACLs act as firewalls and extra security layers, giving you complete control over what traffic is allowed in and out of your VPC and within your VPC.

Flow Logs allow you to capture information about IP traffic flowing between your network interfaces, which you can then analyze to detect anomalies.

Important information about NACLs

NACLs:

  • Are at the subnet level - you assign one NACL to one or more subnets
  • Have separate inbound and outbound rules - e.g. traffic may be allowed in but not back out, or vice versa
  • Allow everything by default
  • Are stateless - return traffic must also be explicitly allowed in the other direction

Important information about Security Groups

Security Groups:

  • Are at the instance level (evaluated after the NACL) - you assign a Security Group when you create an instance, so each instance can have a different SG
  • Deny everything by default; you can only specify allow rules
  • Are stateful: return traffic for an allowed connection is automatically allowed in the other direction
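The stateless/stateful difference above is the one that bites in practice: a NACL that only mirrors the inbound allow on the outbound side silently drops the replies, while a security group admits them for free. The following model is an added illustration (not AWS code, and a deliberate simplification of the real evaluation) with constructed rule sets for a web server accepting HTTPS; the client address 203.0.113.7 and ephemeral port 50123 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    number: int   # NACL rules are evaluated from the lowest number upward
    proto: str    # "tcp", "udp" or "all"
    ports: tuple  # inclusive (low, high) destination-port range
    cidr: str     # remote CIDR the rule applies to
    allow: bool   # NACLs may deny; security groups are allow-only

def matches(rule, proto, remote_ip, dst_port):
    return (rule.proto in ("all", proto)
            and rule.ports[0] <= dst_port <= rule.ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))

def nacl_permits(rules, proto, remote_ip, dst_port):
    # Stateless: the lowest-numbered matching rule decides; no match means deny.
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, remote_ip, dst_port):
            return rule.allow
    return False

class SecurityGroup:
    # Stateful and allow-only: replies to an admitted inbound connection are let
    # out without any outbound rule, modelled here by remembering the flow.
    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound, self.flows = list(inbound), list(outbound), set()
    def permits_inbound(self, proto, remote_ip, dst_port):
        allowed = any(matches(r, proto, remote_ip, dst_port) for r in self.inbound)
        if allowed:
            self.flows.add((proto, remote_ip))
        return allowed
    def permits_outbound(self, proto, remote_ip, dst_port):
        if (proto, remote_ip) in self.flows:   # reply leg of an admitted flow
            return True
        return any(matches(r, proto, remote_ip, dst_port) for r in self.outbound)

# Constructed rule sets for a web server that accepts HTTPS from anywhere.
NACL_IN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", True)]
NACL_OUT_MIRRORED = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", True)]      # common mistake
NACL_OUT_EPHEMERAL = [Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", True)]  # replies can leave
WEB_SG_INBOUND = [Rule(0, "tcp", (443, 443), "0.0.0.0/0", True)]

def https_roundtrip(nacl_in, nacl_out, sg):
    # Client 203.0.113.7:50123 -> server :443, then the reply out to dst port 50123.
    nacl_ok = (nacl_permits(nacl_in, "tcp", "203.0.113.7", 443)
               and nacl_permits(nacl_out, "tcp", "203.0.113.7", 50123))
    sg_ok = (sg.permits_inbound("tcp", "203.0.113.7", 443)
             and sg.permits_outbound("tcp", "203.0.113.7", 50123))
    return nacl_ok, sg_ok
```

With the mirrored NACL the round trip fails on the outbound leg while the security group, which has no outbound rules at all, still passes; the ephemeral-port outbound rule is what a stateless filter needs.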

Pricing on VPC

Q. How will I be charged and billed for my use of Amazon VPC?

There are no additional charges for creating and using the VPC itself. Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources, including data transfer charges.

- If you connect your VPC to your corporate datacenter using the optional hardware VPN connection, pricing is per VPN connection-hour (the amount of time you have a VPN connection in the "available" state). Partial hours are billed as full hours.

- Data transferred over VPN connections will be charged at standard AWS Data Transfer rates. For VPC-VPN pricing information, please visit the pricing section of the Amazon VPC product page.


NAT Gateway Pricing

- If you choose to create a NAT gateway in your VPC, you are charged for each "NAT Gateway-hour" that your gateway is provisioned and available.

- Data processing charges apply for each gigabyte processed through the NAT gateway regardless of the traffic's source or destination.

Each partial NAT Gateway-hour consumed is billed as a full hour. You also incur standard AWS data transfer charges for all data transferred via the NAT gateway. If you no longer wish to be charged for a NAT gateway, simply delete your NAT gateway using the AWS Management Console, command line interface, or API.





