How do you logically create ‘private’ partitions of the public cloud?
How do you break up a VPC into Tiers designed for specific workloads? (Answer – Subnets)
Inside each AZ, you can define one or more subnets (by design, a subnet cannot span AZs). For example, a particular AZ could hold all of the PROD tier subnets:
- Web Subnet (public subnet)
- Data Subnet (private subnet)
- Middle Tier Subnet (public or private)
The only difference between a public and a private subnet is the route table: the public subnet has a route to the Internet Gateway. The private subnet has no route to the Internet Gateway, but it can be given a default route to a NAT Gateway to reach the outside world.
How do you design a VPC to have a Failover or a STANDBY environment?
When you create a VPC, it spans all the available AZs in that region. This provides a powerful way to delineate your production and staging environments.
For example, a particular AZ could hold all of the PROD tiers: Web Subnet (public subnet), Data Subnet (private subnet) and Middle Tier Subnet (public or private). STAGING would have similar subnets (Web, Middle and Data) in a separate AZ. This provides a full failover environment in a different AZ.
How do you connect back to on-premises assets?
Essentially, you need to create a VPN tunnel between the AWS VPC and your corporate network. To accomplish this, using for example the private subnet that you created in your VPC above, you need to add three elements:
- A Virtual Private Gateway – on the AWS VPC side
- A Customer Gateway – on-premises
- A VPN Tunnel – which can be one of:
  - A Direct Connect
  - A Hardware VPN
  - A Software VPN
  - AWS CloudHub
How do you create Subnets? (Automated Creation of Subnets)
AWS provides a wizard for common VPC constructs such as:
- VPC with a Single Public Subnet
- VPC with Public and Private Subnets
- VPC with Public and Private Subnets and Hardware VPN Access
In addition to the wizard, you can use CloudFormation templates, the CLI and programmable APIs to launch subnets.
What is a public Subnet? (Answer – if it has an Internet Gateway, it is a public subnet); What is a private Subnet? (Answer – if it has a Virtual Private Gateway and no public gateway, it is a private subnet)
- Subnet 1 in the diagram (with the Internet Gateway) is a public subnet
- Subnet 3 in the diagram (with the VPG) is a private subnet
- A VPC can have private subnets, public subnets, or both
How do you ensure a VPC can connect to your private network?
- Step 1 – Attach a virtual private gateway to the VPC
- Step 2 – Create a custom route table, and
- Step 3 – Update all security group rules
How can a VPC contain both a private and a public Subnet? (Answer – NAT Gateway for the private subnet)
How do you route traffic within a Subnet? (Answer – Custom route tables) and from the internet to Subnet instances? (Answer – DNS, Route 53)
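The public/private distinction above (and the NAT Gateway answer) comes down to what the subnet's route table says, so a practical check is to read the route tables back and classify each subnet from its routes. The script below is an added example, not code from the original page; it works on the JSON shape that `aws ec2 describe-route-tables` returns (the `RouteTables`, `Associations` and `Routes` keys are real), but every ID and CIDR in it is constructed sample data. It also handles the case the wizard hides from you: a subnet with no explicit association silently uses the VPC's main route table, and a route whose target was deleted shows up with state `blackhole` and forwards nothing.

```python
"""Classify a VPC's subnets as public, private or isolated from the output
of `aws ec2 describe-route-tables`. The data below is constructed sample
data shaped like that output; the IDs are not real resources."""

SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # main route table: only the local route, so any subnet left on it is isolated
            "RouteTableId": "rtb-main0001",
            "VpcId": "vpc-0example",
            "Associations": [{"Main": True, "RouteTableId": "rtb-main0001"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {   # web tier: default route to the Internet Gateway -> public subnet
            "RouteTableId": "rtb-web00001",
            "VpcId": "vpc-0example",
            "Associations": [{"Main": False, "SubnetId": "subnet-web0a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
            ],
        },
        {   # data tier: default route to a NAT Gateway, corporate range via the VGW -> private, hybrid
            "RouteTableId": "rtb-data0001",
            "VpcId": "vpc-0example",
            "Associations": [{"Main": False, "SubnetId": "subnet-data0a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0example", "State": "active"},
            ],
        },
    ]
}

# Subnet IDs as you would get them from `describe-subnets`; subnet-mid0a has no
# explicit route table association and therefore falls back to the main table.
SAMPLE_SUBNET_IDS = ["subnet-web0a", "subnet-data0a", "subnet-mid0a"]


def classify_route_table(route_table):
    """Return (tier, has_on_prem_route) for one route table.

    tier is "public" if the default route targets an Internet Gateway,
    "private" if it targets a NAT Gateway, otherwise "isolated".
    """
    tier = "isolated"
    on_prem = False
    for route in route_table.get("Routes", []):
        if route.get("State") == "blackhole":
            continue  # target no longer exists; the route forwards nothing
        if route.get("GatewayId", "").startswith("vgw-"):
            on_prem = True  # a route back to the corporate network via the VGW
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            tier = "public"
        elif route.get("NatGatewayId", "").startswith("nat-"):
            tier = "private"
    return tier, on_prem


def classify_subnets(describe_output, subnet_ids):
    """Map each subnet ID to its tier, route table and hybrid-connectivity flag.

    Subnets without an explicit association are evaluated against the VPC's
    main route table, which is what the VPC itself does.
    """
    tables = describe_output["RouteTables"]
    main = next(rt for rt in tables if any(a.get("Main") for a in rt["Associations"]))
    explicit = {a["SubnetId"]: rt for rt in tables for a in rt["Associations"] if a.get("SubnetId")}
    result = {}
    for subnet_id in subnet_ids:
        rt = explicit.get(subnet_id, main)
        tier, on_prem = classify_route_table(rt)
        result[subnet_id] = {"tier": tier, "route_table": rt["RouteTableId"], "on_prem_route": on_prem}
    return result


if __name__ == "__main__":
    for subnet_id, info in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_IDS).items():
        print(f"{subnet_id}: {info['tier']:8} via {info['route_table']}"
              f"{'  (routes to on-prem via VGW)' if info['on_prem_route'] else ''}")
```

Against live data you would feed the script the parsed output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and the subnet IDs from `describe-subnets`; the classification then tells you which subnets actually have a path to the Internet Gateway, regardless of what they were named.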
How do you secure individual VMs within a Subnet? (Security Groups); How do you secure an entire Subnet? (Network ACLs) What about an entire VPC? (Virtual Firewalls)
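To show why the two subnet-level and instance-level controls are applied differently, here is an added example (not from the original page) that models how a Network ACL and a Security Group each decide on a web-tier to database-tier connection. It goes a little beyond the one-line answers above: a NACL evaluates its rules in ascending rule-number order, first match wins, and it is stateless, so the reply on an ephemeral port needs its own outbound rule; a Security Group is allow-only and stateful, so the reply is permitted by the inbound rule alone. Field names loosely follow `aws ec2 describe-network-acls` and `describe-security-groups`, but every rule, address and port here is constructed sample data.

```python
"""Model NACL (subnet-wide, stateless, ordered) versus Security Group
(instance-level, stateful, allow-only) evaluation for a web -> DB request.
All rules and addresses are constructed sample data."""
import ipaddress

TCP = "6"  # NACL rules use IANA protocol numbers; "-1" means all protocols

# Constructed NACL on the data subnet: MySQL from the web subnet only.
DB_NACL_INBOUND = [
    {"RuleNumber": 100, "Protocol": TCP, "PortRange": (3306, 3306), "CidrBlock": "10.0.1.0/24", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Protocol": "-1", "PortRange": (0, 65535), "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},  # the '*' rule
]
DB_NACL_OUTBOUND = [
    # Replies go back to the web tier on ephemeral ports; without this rule the stateless NACL drops them.
    {"RuleNumber": 100, "Protocol": TCP, "PortRange": (1024, 65535), "CidrBlock": "10.0.1.0/24", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Protocol": "-1", "PortRange": (0, 65535), "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
]
# Constructed Security Group on the DB instance: inbound MySQL from the web subnet.
DB_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]


def nacl_evaluate(rules, protocol, port, peer_ip):
    """First matching rule in ascending RuleNumber order decides the packet."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r["RuleNumber"]):
        if rule["Protocol"] not in ("-1", protocol):
            continue
        low, high = rule["PortRange"]
        if not low <= port <= high:
            continue
        if ip not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        return rule["RuleAction"] == "allow"
    return False  # nothing matched: AWS's final '*' rule denies


def sg_allows(ingress, protocol_name, port, peer_ip):
    """Security groups hold allow rules only: any match permits, no match denies."""
    ip = ipaddress.ip_address(peer_ip)
    for perm in ingress:
        if perm["IpProtocol"] not in ("-1", protocol_name):
            continue
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]):
            return True
    return False


def db_query_allowed(web_ip, client_port, nacl_in=DB_NACL_INBOUND,
                     nacl_out=DB_NACL_OUTBOUND, sg_ingress=DB_SG_INGRESS):
    """A TCP request from web_ip:client_port to the DB on 3306, plus its reply.

    The NACL must explicitly allow both directions because it keeps no state.
    The Security Group only needs the inbound rule: it tracks the connection
    and lets the reply out regardless of its egress rules.
    """
    request_ok = nacl_evaluate(nacl_in, TCP, 3306, web_ip) and sg_allows(sg_ingress, "tcp", 3306, web_ip)
    reply_ok = nacl_evaluate(nacl_out, TCP, client_port, web_ip)
    return request_ok and reply_ok


if __name__ == "__main__":
    print("web tier 10.0.1.25 -> DB:", db_query_allowed("10.0.1.25", 49152))
    print("middle tier 10.0.2.10 -> DB:", db_query_allowed("10.0.2.10", 49152))
    print("web tier, no ephemeral egress rule:", db_query_allowed("10.0.1.25", 49152, nacl_out=[DB_NACL_OUTBOUND[1]]))
```

The third case in `__main__` is the one that bites in practice: the Security Group is satisfied, the inbound NACL rule is satisfied, and the connection still fails because the subnet's outbound NACL has no allow for the ephemeral port range the reply uses. Rule ordering is the other trap: a deny with a lower rule number than the allow wins even though the allow also matches.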
What aspects of a VPC can be modified after creation?
If you find out that you need more IP addresses, you are out of luck: the IP address space you start out with is what you are stuck with. You will have to delete and recreate the VPC to use a different block of IP addresses.
However, aspects like VPC peering, internal subnet divisions, etc. can always be modified. Unfortunately, if you accidentally delete a VPC, there is no way to get it back.
What is a private cloud? Is a private cloud automatically a hybrid cloud?
For starters, a Virtual Private Cloud (VPC) is NOT a private cloud. It is still in the public cloud, just a logically separated section of the public cloud for your consumption.
A private cloud is different, as highlighted below:
- A highly controlled environment that typically sits behind a firewall and is thus not publicly available.
- Rackspace and VMware are popular private cloud providers.
- The private cloud has a stronger focus on governance, security, and compliance.
What is Serverless Computing? How does AWS offer Serverless computing?
What is the GOV cloud?
AWS locations (where computing resources are hosted) are divided into regions. Each region is geographically separated.
- US West (Oregon) Region – us-west-2 – https://rds.us-west-2.amazonaws.com (RDS endpoint in that region)
- US West (N. California) Region – us-west-1 – https://rds.us-west-1.amazonaws.com
- US East (Ohio) Region – us-east-2 – https://rds.us-east-2.amazonaws.com
- US East (N. Virginia) Region
The GOV cloud is a special region in the US in addition to the 4 primary regions listed above. It is meant only for government entities and requires a special subscription.