AWS-VPC-2

VPC Endpoints

Primary Issue

Some AWS services and resources do not live inside the VPC itself but in AWS at large. If a service in the VPC needs to reach those AWS services or resources, the traffic has to leave through the public internet and then come back into AWS. This raises the cost and slows the connection.

Solution - VPC endpoints

That is what VPC endpoints are for: they remove this wasteful round trip.

Interface endpoints: PrivateLink

PrivateLink provides a private connection over AWS's internal network between AWS services or resources and an ENI (Elastic Network Interface) in the VPC, whether the VPCs belong to the same account or different accounts, with no need to expose anything to the public internet.

Gateway endpoints: Gateway

A VPC Endpoint Gateway provides the connection between S3 or DynamoDB and the VPC. It is reached through the route table, so any service in the VPC can use the gateway endpoint in the normal way.

VPC Peering

  1. VPC peering provides a connection between two VPCs whose CIDR ranges do not overlap.
  2. The connected VPCs can be in different regions; this is called Inter-Region peering.
  3. The relationship between two peered VPCs is not transitive (A -> B, B -> C, but A !-> C).
  4. Limitations of inter-region peering:
    • Security groups in the other VPC cannot be referenced.
    • Doesn't support IPv6
    • Doesn't support jumbo frames
  5. Neither peered VPC can reach resources beyond the other VPC through that VPC's VPN connection/DX, Internet Gateway, NAT, or VPC endpoints.

Transit VPC

A Transit VPC provides connections between the user's local data center and multiple VPCs. Using a Transit VPC (hub) reduces the workload (otherwise the user has to build a full mesh), but the user needs to maintain an EC2 instance to set up the VPN connection.

Transit Gateway

  1. As described above, the corporate data center can connect to the Transit VPC, and the Transit VPC can connect to multiple VPCs. The corporate data center can reach multiple VPCs (1 to 1) through the Transit VPC, but no two of those VPCs can connect to each other directly, whether through the Transit VPC or by other means.
  2. A Transit Gateway allows the local corporate data center(s) to connect to the Transit VPC. All other VPCs can attach to the Transit Gateway, which makes the Transit VPC act like a hub. (Not only VPCs: connections such as VPN and DX can also attach to the Transit Gateway.)
  3. The scope of a Transit Gateway is the Region. When the user wants to bind a VPC to the Transit Gateway, he/she needs to pick one subnet from each AZ to attach to it.
  4. In short, all VPCs (and other attachments) can communicate with each other once they are attached to the Transit VPC.

NACL (Network Access Control List)

  1. When the user creates a VPC, a default NACL is created and used for that VPC (by default, the NACL does not allow any data flow).
  2. The NACL allows all inbound and outbound data flow.
  3. A NACL is bound to a subnet, whereas a security group exists inside the subnet for the instances of services or resources in that subnet.
  4. A newly created subnet is associated with the default NACL.
  5. A NACL is stateless: the user has to configure both inbound and outbound rules to allow a flow. A security group is stateful, so only one of the two directions needs to be configured and the other is allowed automatically.
  6. NACL rules have a rule number that sets the evaluation order; only one rule needs to match to allow the data flow. For a security group, all rules are evaluated before the data flow is allowed.
  7. NACL rules:
    • Rule Number
    • Protocol
    • Port Range (Destination Port)
    • Source (CIDR)
    • Allow/Deny (a NACL can have allow or deny rules, but a security group can only have allow rules.)

Security Group

  1. Can only set allow rules
  2. There is no ordering of rules: rather than checking them in sequence until one matches, all rules are evaluated. If a request is accepted, it must have satisfied all of the rules.
  3. Stateful (inbound and outbound are kept in sync)
  4. A resource can be bound to multiple security groups, and a security group can be bound to multiple resources.
  5. By default, all instances belonging to the same security group can communicate with each other, and no inbound data flow from outside the security group is allowed.
  6. Security Group Rules
    • Protocol
    • Port Range (Destination Port)
    • Source (CIDR or another security group from the same region)
    • Description
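To make items 5 and 6 of the NACL section and items 1 to 3 of the Security Group section concrete, here is an added Python model (not AWS code and not part of the original notes) that evaluates constructed sample rules: NACL rules are walked in rule-number order, the first match decides, an unmatched packet hits the implicit deny, and because the NACL is stateless the reply to the client's ephemeral port needs its own outbound rule; security group rules are allow-only, unordered and stateful. All CIDRs, ports and rule numbers below are constructed for illustration.

```python
# Toy model of the two rule-evaluation styles described above: ordered,
# stateless NACL rules vs. unordered, allow-only, stateful security group rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int     # NACL evaluation order (lowest first); unused for security groups
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    ports: tuple    # (low, high) destination port range
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)
    action: str     # "allow" or "deny" (security groups only ever use "allow")


def _matches(rule, protocol, port, addr):
    return (rule.protocol in ("-1", protocol)
            and rule.ports[0] <= port <= rule.ports[1]
            and ip_address(addr) in ip_network(rule.cidr))


def nacl_decision(rules, protocol, port, addr):
    """First matching rule in ascending number order wins; no match is the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action
    return "deny"


def sg_decision(rules, protocol, port, addr):
    """No ordering and no deny rules: any matching allow rule admits the packet."""
    return "allow" if any(_matches(r, protocol, port, addr) for r in rules) else "deny"


def nacl_session_allowed(inbound, outbound, client_ip, client_port=51000):
    """Stateless: the HTTPS request and the reply to the client's ephemeral port each need a rule."""
    return (nacl_decision(inbound, "tcp", 443, client_ip) == "allow"
            and nacl_decision(outbound, "tcp", client_port, client_ip) == "allow")


def sg_session_allowed(inbound, client_ip):
    """Stateful: only the request direction is checked; the reply is allowed automatically."""
    return sg_decision(inbound, "tcp", 443, client_ip) == "allow"


# Constructed sample rules (not from any real account): a low-numbered deny for
# one /24 sits in front of the broad HTTPS allow, so it is evaluated first.
NACL_IN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
           Rule(90, "tcp", (0, 65535), "198.51.100.0/24", "deny")]
NACL_OUT = [Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]  # ephemeral reply ports
SG_IN = [Rule(0, "tcp", (443, 443), "0.0.0.0/0", "allow")]
```

Dropping NACL_OUT (passing an empty list) shows the stateless failure mode: the request is admitted but the reply is blocked, which a security group with the same inbound rule never suffers.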
