For advanced technology 1 on 1 sessions / seminars / consulting on AWS and other technologies, please visit TekSeminars.com

How do you break up a VPC into Tiers designed for specific workloads? (Answer – Subnets)

Inside each AZ, you can define one or more subnets (a subnet cannot, by design, span AZs). For example, a particular AZ could be loaded with all of the PROD-layer subnets:

  1. Web Subnet (public subnet)
  2. Data Subnet (private subnet)
  3. Middle Tier Subnet (public or private)

The only difference between a public and a private subnet is the subnet's route table: the public subnet has a default route (0.0.0.0/0) to the VPC's Internet Gateway. The private subnet has no such route, but it can be given a default route to a NAT Gateway to reach the outside world.

How do you delegate cross account access?

Say you have two accounts – Production and Development. Development needs access to production.

You would define a ROLE in the Production account. When creating the role, you define the Development account as the trusted entity and attach a permissions policy that allows the trusted users to update the productionapp bucket.
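As an added illustration of that role (example code written for this page, not the page's own or AWS's), the two policies involved are shown below as Python dictionaries, together with a small check that the trust policy only trusts the intended account and the permissions policy stays inside the one bucket. The account IDs and the role layout are constructed placeholders; only the bucket name productionapp comes from the text.

```python
"""Added example: build and sanity-check the two IAM policies behind a
cross-account role.  Account IDs are constructed placeholders; the bucket
name is the one used on the page."""
import json

PROD_ACCOUNT = "111111111111"   # constructed placeholder: owns the bucket and the role
DEV_ACCOUNT = "222222222222"    # constructed placeholder: the trusted account
BUCKET = "productionapp"


def trust_policy(trusted_account: str) -> dict:
    """Trust policy of the role in the Production account: only principals
    from the trusted (Development) account may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Permissions policy attached to the role: list and update one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def find_policy_problems(trust: dict, perms: dict, expected_account: str, bucket: str) -> list:
    """Return findings as strings; an empty list means the pair is scoped as intended."""
    problems = []
    for stmt in trust["Statement"]:
        # Principal may be the bare string "*" or a dict such as {"AWS": ...}
        principal = stmt.get("Principal", "*")
        aws = principal if isinstance(principal, str) else principal.get("AWS", "*")
        for arn in (aws if isinstance(aws, list) else [aws]):
            if arn == "*" or f":{expected_account}:" not in str(arn):
                problems.append(f"trust policy allows unexpected principal {arn!r}")
    for stmt in perms["Statement"]:
        res = stmt["Resource"]
        for r in (res if isinstance(res, list) else [res]):
            if r == "*" or not r.startswith(f"arn:aws:s3:::{bucket}"):
                problems.append(f"permissions policy reaches outside the bucket: {r!r}")
        acts = stmt["Action"]
        if any(a in ("*", "s3:*") for a in (acts if isinstance(acts, list) else [acts])):
            problems.append("permissions policy grants wildcard actions")
    return problems


if __name__ == "__main__":
    t, p = trust_policy(DEV_ACCOUNT), permissions_policy(BUCKET)
    print(json.dumps(t, indent=2))
    print(json.dumps(p, indent=2))
    print("problems:", find_policy_problems(t, p, DEV_ACCOUNT, BUCKET))
```

The check is deliberately strict: a trust policy whose principal is "*" would let any AWS account assume the role, and a resource of "*" in the permissions policy would reach every bucket in the Production account, which is exactly what delegating to one bucket is meant to avoid.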

How do you design a VPC to have a Failover or a STANDBY environment?

When you create a VPC, it spans all the available AZs in that region. This provides a powerful way to delineate your production and staging environments.

For example, a particular AZ could be loaded with all PROD layers: Web Subnet (public subnet), Data Subnet (private subnet) and Middle Tier Subnet (public or private). STAGING would have similar subnets (Web, Middle and Data) in a separate AZ. This provides a full failover environment in a different AZ.
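To make the mirrored-AZ layout concrete, here is an added Python example (not code from the page) that carves a VPC CIDR into Web, Middle and Data subnets for a primary and a standby AZ and reports how many addresses an instance can actually use in each. The VPC CIDR, the AZ names, the /24 tier size and the choice to treat the middle tier as private are assumptions of the example; the five addresses AWS reserves in every subnet (the first four and the last) are an AWS rule, not something the page states.

```python
"""Added example, not from the page: lay out mirrored PROD and STANDBY tiers.
VPC CIDR, AZ names and the /24 tier size are constructed assumptions."""
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# The three PROD layers named on the page and whether each is public or private
# (the page says the middle tier may be either; it is assumed private here).
TIERS = {"web": "public", "middle": "private", "data": "private"}


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses an instance can actually be given in this subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: list, subnet_prefix: int = 24) -> dict:
    """Hand out one /subnet_prefix block per tier per AZ, in a fixed order, so the
    standby AZ ends up with the same tier layout as the primary AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=subnet_prefix)   # iterator, lowest addresses first
    plan = {}
    for az in azs:
        plan[az] = {}
        for tier, exposure in TIERS.items():
            block = next(blocks, None)
            if block is None:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(azs) * len(TIERS)} /{subnet_prefix} subnets")
            plan[az][tier] = {"cidr": str(block), "exposure": exposure,
                              "usable_hosts": usable_hosts(block)}
    return plan


def mirrors(plan: dict, primary: str, standby: str) -> bool:
    """True when the standby AZ has every tier of the primary, with the same
    exposure and the same capacity, i.e. it can take over the whole workload."""
    p, s = plan[primary], plan[standby]
    return set(p) == set(s) and all(
        p[t]["exposure"] == s[t]["exposure"] and p[t]["usable_hosts"] == s[t]["usable_hosts"]
        for t in p)


if __name__ == "__main__":
    layout = plan_subnets("10.0.0.0/16", ["us-west-2a", "us-west-2b"])
    for az, tiers in layout.items():
        for tier, info in tiers.items():
            print(az, tier, info)
    print("standby mirrors primary:", mirrors(layout, "us-west-2a", "us-west-2b"))
```

Because the VPC address block cannot be enlarged later (see the question on what can be modified after creation), the plan raises an error up front when the CIDR is too small for the tiers in both AZs rather than leaving the standby AZ short of subnets.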

How do you connect back to on-premises assets?

Essentially, you need to create a VPN tunnel between the AWS VPC and your corporate network. To accomplish this, using for example the private subnet that you created in your VPC above, you need to add three elements:

  1. A Virtual Private Gateway – on the AWS VPC side
  2. A Customer Gateway – on-premises
  3. A VPN Tunnel – which can be any of
    • A Direct Connect
    • A Hardware VPN
    • A Software VPN
    • AWS CloudHub

How do you create Subnets?

AWS provides a wizard for common VPC constructs such as:

  • VPC with a Single Public Subnet
  • VPC with Public and Private Subnets
  • VPC with Public and Private Subnets and Hardware VPN Access

What is a public Subnet? (Answer – if its route table has a route to an Internet Gateway, it is a public subnet.) What is a private Subnet? (Answer – if it has a Virtual Private Gateway and no route to an Internet Gateway, it is a private subnet.)

  • Subnet 1 below (with the Internet Gateway) is a public subnet
  • Subnet 3 below (with the VPG) is a private subnet
  • A VPC can have either one or both – private and public subnets

(Figure: routing_table – route tables of Subnet 1 and Subnet 3)
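The public/private rule above is something you can check from the route tables themselves. The Python below is an added example for this page (not the page's own code) that classifies each subnet as public, private-with-NAT or isolated and flags whether it has a route through a Virtual Private Gateway. The input is constructed to mirror the diagram (Subnet 1 with the Internet Gateway, Subnet 3 with the VPG) in the shape of the `aws ec2 describe-route-tables` output; all resource IDs are placeholders. It also handles the case the diagram does not show: a subnet with no explicit association, which silently falls back to the VPC's main route table.

```python
"""Added example (not from the page): classify subnets from route-table data.
The route tables below are constructed; IDs are placeholders."""

# Constructed sample in the shape returned by `aws ec2 describe-route-tables`
ROUTE_TABLES = [
    {   # main route table: applies to every subnet without an explicit association
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # Subnet 1: default route to the Internet Gateway -> public
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {   # Subnet 2: default route to a NAT Gateway -> private, outbound only
        "RouteTableId": "rtb-nat",
        "Associations": [{"Main": False, "SubnetId": "subnet-2"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
    {   # Subnet 3: corporate network via the VPG, no default route -> private
        "RouteTableId": "rtb-vpn",
        "Associations": [{"Main": False, "SubnetId": "subnet-3"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0123"},
        ],
    },
]
# subnet-4 has no explicit association and so uses the main route table
SUBNET_IDS = ["subnet-1", "subnet-2", "subnet-3", "subnet-4"]


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify(subnet_id, route_tables):
    """Public = default route to an igw-; private-nat = default route to a nat-;
    isolated = no default route at all.  vpn is True when any route uses a vgw-."""
    rt = route_table_for(subnet_id, route_tables)
    kind, vpn = "isolated", False
    for route in rt["Routes"]:
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if target.startswith("igw-"):
                kind = "public"
            elif target.startswith("nat-"):
                kind = "private-nat"
        if target.startswith("vgw-"):
            vpn = True
    return {"subnet": subnet_id, "route_table": rt["RouteTableId"], "kind": kind, "vpn": vpn}


def classify_all(subnet_ids=SUBNET_IDS, route_tables=ROUTE_TABLES):
    return {s: classify(s, route_tables) for s in subnet_ids}


if __name__ == "__main__":
    for result in classify_all().values():
        print(result)
```

The fallback to the main route table matters in practice: if the main route table ever gains a default route to the Internet Gateway, every subnet you never explicitly associated becomes public without any change to the subnets themselves, which is why many teams keep the main route table with only the local route.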

How do you ensure a VPC can connect to your private network?

  1. Attach a virtual private gateway to the VPC
  2. Create a custom route table
  3. Update all security group rules

How can a VPC contain both a private and a public Subnet? (Answer – NAT Gateway for the private subnet)

(Figure: nat-gateway-diagram)

How do you route traffic within a Subnet? (Answer – Custom Routing Tables) And from the internet to Subnet instances? (Answer – DNS, Route 53)

(Figure: routing_table)

How do you secure individual VMs within a Subnet? (Security Groups)

How do you secure an entire Subnet? (Network ACLs)

What about an entire VPC? (Virtual Firewalls)
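The three questions above name two different kinds of filter, and the difference is in how the rules are evaluated, not just where they attach. The Python below is an added example for this page (not AWS code or the page's own) that evaluates a packet the way a security group and a network ACL each do: the security group is stateful and holds allow rules only, so any matching rule passes the packet and the reply needs no rule; the network ACL is stateless and ordered, so the lowest-numbered matching rule decides (allow or deny), anything unmatched is denied, and return traffic must be allowed separately in the other direction. All rules, CIDRs and ports are constructed for the example.

```python
"""Added example (not from the page): evaluate a packet against a stateful
security group and a stateless network ACL.  Rules and addresses are constructed."""
import ipaddress


def _matches(rule, proto, port, ip):
    """Protocol, port range and CIDR all have to match.  '-1' is the AWS value
    for 'all protocols', in which case the port range is irrelevant."""
    if rule["protocol"] not in ("-1", proto):
        return False
    if rule["protocol"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"])


def security_group_allows(rules, proto, port, src_ip):
    """Security groups: allow rules only, unordered; any match permits the packet."""
    return any(_matches(r, proto, port, src_ip) for r in rules)


def nacl_allows(rules, proto, port, ip):
    """Network ACLs: rules evaluated in ascending rule number, first match decides;
    the implicit final rule denies everything that matched nothing."""
    for r in sorted(rules, key=lambda r: r["rule_number"]):
        if _matches(r, proto, port, ip):
            return r["action"] == "allow"
    return False


# Constructed rules: an instance-level security group and a subnet-level network ACL
SG_INBOUND = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/16"},
]
NACL_INBOUND = [
    # a subnet-wide block of one constructed source range, placed before the allow
    {"rule_number": 100, "action": "deny", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "198.51.100.0/24"},
    {"rule_number": 200, "action": "allow", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"rule_number": 300, "action": "allow", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/16"},
]
# Outbound NACL that forgets the stateless nature of ACLs: replies to clients go to
# ephemeral ports, not to 443, so this breaks every HTTPS session.
NACL_OUTBOUND_BROKEN = [
    {"rule_number": 100, "action": "allow", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]
# Corrected outbound NACL with the ephemeral port range allowed.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [
    {"rule_number": 110, "action": "allow", "protocol": "tcp", "from_port": 1024, "to_port": 65535, "cidr": "0.0.0.0/0"},
]


def inbound_allowed(proto, port, src_ip, sg=SG_INBOUND, nacl=NACL_INBOUND):
    """A packet reaches the instance only if the subnet's NACL and the instance's
    security group both allow it."""
    return nacl_allows(nacl, proto, port, src_ip) and security_group_allows(sg, proto, port, src_ip)


def reply_allowed(proto, client_port, client_ip, nacl_out):
    """The security group passes the reply automatically (stateful); only the
    outbound NACL has to allow it (stateless)."""
    return nacl_allows(nacl_out, proto, client_port, client_ip)


if __name__ == "__main__":
    print("https from 203.0.113.5:", inbound_allowed("tcp", 443, "203.0.113.5"))
    print("https from blocked range:", inbound_allowed("tcp", 443, "198.51.100.7"))
    print("reply with broken NACL:", reply_allowed("tcp", 50000, "203.0.113.5", NACL_OUTBOUND_BROKEN))
    print("reply with fixed NACL:", reply_allowed("tcp", 50000, "203.0.113.5", NACL_OUTBOUND_FIXED))
```

The two outbound ACLs show the mistake that the stateless model invites: the security group alone would have let the HTTPS session complete, but a subnet ACL that only allows port 443 outbound drops every reply, so changes to network ACLs need the return direction checked as well.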

What aspects of a VPC can be modified after creation?

If you find out that you need more IP addresses, you are out of luck: the IP address space you start out with is what you are stuck with. You will have to delete and recreate the VPC to use a different block of IP addresses.

However, aspects such as VPC Peering and internal subnet divisions can always be modified. Unfortunately, if you accidentally delete a VPC, there is no way to get it back.

Can you stop / pause AWS Managed AD?

No. If you only need it on demand, it is best to run a domain controller (AD DS) on an EC2 instance, which can be stopped when not in use. Alternatively, use Cohesity backups of the AD DS server.

What is the GOV cloud?

AWS locations (where computing resources are hosted) are divided into regions. Each region is geographically separated.

  • US West (Oregon) Region – us-west-2 – https://rds.us-west-2.amazonaws.com (RDS endpoint in that region)
  • US West (N. California) Region – us-west-1 – https://rds.us-west-1.amazonaws.com
  • US East (Ohio) Region – us-east-2 – https://rds.us-east-2.amazonaws.com
  • US East (N. Virginia) Region

The GOV cloud is a special region in the US in addition to the 4 primary regions listed above. It is meant for only government entities and requires a special subscription.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.
