I have a QA instance in a VPC-appsubnet. My VPC has a NACL different from the subnet's NACL. Does this cause any issue accessing my QA instance?
A Network ACL in AWS is an object that can be created inside a VPC and can be attached to Subnet objects.
So in a nutshell, a NACL belongs to a VPC but is associated with subnet/s.
See this.
A Network ACL for your VPC is at the subnet level. A VPC can have multiple subnets, so there can be multiple NACLs associated with the VPC.
If there are issues accessing an instance and you're concerned about the Network ACL rules, you can check the Network ACL associated with the subnet the instance is in. Also, you could check the VPC configuration.
We have an EKS cluster running in a VPC and we are thinking of extending this VPC or creating another VPC with a different subnet IP range. EKS nodes (EC2 instances) are running with multiple ENIs, that is, with multiple private IPs.
We wonder if it is possible to make these EC2 instances which serve as EKS nodes automatically get an IP from this new subnet within the current VPC, or on the other VPC, when they are being instantiated. If the subnet is in another VPC, should we have a VPC peering connection between the two VPCs? Can it be done with CloudFormation templates on EKS? What is the best practice here? Thanks.
The option to extend the VPC in EKS is to add a secondary CIDR block and configure the CNI plugin to use the subnets created in the secondary CIDR block. The CNI is ultimately responsible for assigning the IP addresses available in the subnet CIDR to the pods.
To use the correct CIDR range for the VPC extension and to configure the CNI, please see the article below:
https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/
I have two GKE clusters with the same CIDR subnet addresses (the clusters are in different gcloud projects). I need to connect the VPCs with VPC peering, but I get an error because of the CIDR subnet and I need to change one. I have a lot of pods, secrets, deployments, etc. Is there any way to change the subnet without creating a new cluster and migrating the pods?
Thanks!
I am afraid you cannot. A subnet CIDR range in one peered VPC network cannot overlap with a static route in another peered network. This rule covers both subnet routes and static routes.
My understanding is that a CLB (Classic Load Balancer) is placed in a subnet and so we configure Security Group and NACL for it.
However, when it comes to ALB (Application Load Balancer), we don't configure NACL (Network ACL). Why? Architecturally where is it placed in a VPC?
As extension, how is NLB (Network Load Balancer) placed architecturally in a VPC?
Can you help me visualize the deployment of these components?
ALBs can span all subnets in VPC. They are not bound directly to subnets, but rather to TargetGroups which are themselves then bound (indirectly) to subnets.
So a single ALB could theoretically route to both private and public subnets within a VPC.
Because of this, and because of the fact that ALBs span the VPC, they benefit from the default VPC ACL, which permits IPv4 between hosts within the VPC. You can configure ACLs on the subnets that will be routed to by the ALB/NLB, but in this case you need to remember that custom ACLs are by default closed to all traffic, rather than open within the VPC like the default ACL.
It would normally make sense to segregate your ALBs into public or private zones by security group and target group, but this is configuration rather than architectural placement - there is nothing preventing you from adding a rule to route specific paths or ports to a public subnet from an ALB that has until then been serving private subnets only.
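The two NACL answers on this page (check the NACL of the subnet the instance is in; a custom NACL starts closed, while the default NACL is open) both come down to how a NACL evaluates a packet. The model below is an added example, not code from either post: it follows the documented semantics (rules evaluated in ascending rule-number order, first match wins, the implicit `*` rule denies the rest, and the ACL is stateless so the return leg of a TCP session needs its own rule). The rule sets, host addresses and the 10.0.0.0/16 VPC CIDR are constructed for the example.

```python
"""Model of how an AWS network ACL (NACL) decides one packet direction.

Added example, not code from the original posts. It follows the documented
semantics: rules are evaluated in ascending rule-number order, the first
match wins, and anything unmatched hits the implicit '*' deny. NACLs are
stateless, so the return leg of a TCP session needs its own rule on
ephemeral ports. All rule sets and the 10.0.0.0/16 VPC CIDR are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # evaluation order (the console's '*' row is the fallback below)
    protocol: str     # "tcp", "udp" or "-1" for all protocols
    cidr: str
    port_from: int    # port range; ignored when protocol is "-1"
    port_to: int
    action: str       # "allow" or "deny"

    def matches(self, proto, addr, port):
        if self.protocol != "-1" and self.protocol != proto:
            return False
        if ip_address(addr) not in ip_network(self.cidr):
            return False
        return self.protocol == "-1" or self.port_from <= port <= self.port_to


def evaluate(rules, proto, addr, port):
    """Return (action, matching rule number) for one direction; '*' is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, addr, port):
            return rule.action, rule.number
    return "deny", "*"


def https_session_allowed(nacl, client_ip, client_port=40000):
    """A TCP session needs both legs: the SYN in on 443 and the SYN-ACK back out
    to the client's source port (stateless, unlike a security group)."""
    inbound, _ = evaluate(nacl["inbound"], "tcp", client_ip, 443)
    outbound, _ = evaluate(nacl["outbound"], "tcp", client_ip, client_port)
    return inbound == "allow" and outbound == "allow"


ANY = "0.0.0.0/0"
VPC = "10.0.0.0/16"   # constructed VPC CIDR

# The default NACL AWS creates with every VPC: rule 100 allows everything both ways.
DEFAULT_NACL = {"inbound": [Rule(100, "-1", ANY, 0, 65535, "allow")],
                "outbound": [Rule(100, "-1", ANY, 0, 65535, "allow")]}

# A custom NACL as AWS creates it: nothing but the implicit '*' deny in each direction.
EMPTY_CUSTOM_NACL = {"inbound": [], "outbound": []}

# Custom NACL that allows HTTPS in from the VPC but forgets the return leg.
HALF_OPEN_NACL = {"inbound": [Rule(100, "tcp", VPC, 443, 443, "allow")], "outbound": []}

# Same NACL with the return leg added. 1024-65535 covers Linux clients
# (commonly 32768-60999) as well as NAT gateways and load balancers.
FIXED_NACL = {"inbound": [Rule(100, "tcp", VPC, 443, 443, "allow")],
              "outbound": [Rule(100, "tcp", VPC, 1024, 65535, "allow")]}

# Rule numbers, not list order, decide precedence: the deny at 50 is hit before
# the allow at 100 for that one host; numbered 150 it would never fire.
BLOCK_ONE_HOST = [Rule(100, "tcp", VPC, 443, 443, "allow"),
                  Rule(50, "tcp", "10.0.1.66/32", 443, 443, "deny")]
SHADOWED_DENY = [Rule(100, "tcp", VPC, 443, 443, "allow"),
                 Rule(150, "tcp", "10.0.1.66/32", 443, 443, "deny")]


if __name__ == "__main__":
    for name, nacl in [("default", DEFAULT_NACL), ("empty custom", EMPTY_CUSTOM_NACL),
                       ("half-open custom", HALF_OPEN_NACL), ("fixed custom", FIXED_NACL)]:
        print(f"{name:18} HTTPS from 10.0.1.5: {https_session_allowed(nacl, '10.0.1.5')}")
    print("deny at 50:  ", evaluate(BLOCK_ONE_HOST, "tcp", "10.0.1.66", 443))
    print("deny at 150: ", evaluate(SHADOWED_DENY, "tcp", "10.0.1.66", 443))
```

When an instance behind a custom NACL is unreachable, the half-open case is the usual cause: the inbound rule exists, but the stateless return traffic on the client's ephemeral port has no outbound rule, so the SYN arrives and the SYN-ACK is dropped. Security groups are stateful and do not need the second rule, which is why the same setup works when only the security group is involved.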
I want to have different VPC for dev/test/prod and one separate VPC for share services like jenkins. I'll use VPC peering between the Shared Services VPC and each of the environments VPCs
Each environment will have its own RDS instance.
RDS setup has this option about instance public accessibility, and I'm confused about the "No EC2 instance or devices outside of the VPC will be able to connect" statement.
If I choose "no" will I still be able to connect to the dev RDS instance from the shared services VPC by using VPC peering?
Yes you will be able to access from your 'shared services' VPC if you've peered the two VPCs.
Be sure to follow the VPC peering guide. The biggest thing is to make sure the CIDR block ranges do not overlap, and you'll have to set the security groups on each RDS instance to allow traffic from the Jenkins instance in the 'shared services' VPC.
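Both the GKE peering answer earlier on the page (no overlap between a subnet on one side and a subnet or static route on the other) and this answer's advice (non-overlapping CIDRs, then reach the non-public RDS endpoint over the peering) can be checked before anything is created. The script below is an added example, not code from either post: it takes each VPC's CIDR, subnets and route table and reports overlaps that would block peering, plus any side whose route table lacks the route back to the peer's CIDR via the peering connection, which is the usual reason a private RDS endpoint is unreachable from the shared-services VPC. The VPC layouts, names and the `pcx-dev` id are constructed for the example.

```python
"""Pre-checks for peering two VPC networks.

Added example, not code from the original posts. Two things the answers
rely on are checked offline: (1) the address spaces must not overlap
(a subnet CIDR on one side vs a subnet or static route on the other), and
(2) each side needs a route to the other's CIDR via the peering connection,
or the non-public RDS endpoint's private IP is unreachable. VPC layouts,
names and the 'pcx-dev' id below are constructed.
"""
from ipaddress import ip_network


def static_routes(vpc):
    """Non-local route destinations, excluding the peering routes themselves."""
    return [dest for dest, target in vpc["routes"]
            if target != "local" and not target.startswith("pcx-")]


def peering_conflicts(vpc_a, vpc_b):
    """Return a list of (kind, near_cidr, far_cidr) overlaps that block peering."""
    found = []
    for sa in vpc_a["subnets"]:                      # subnet vs subnet, checked once
        for sb in vpc_b["subnets"]:
            if ip_network(sa).overlaps(ip_network(sb)):
                found.append(("subnet/subnet", sa, sb))
    for near, far in ((vpc_a, vpc_b), (vpc_b, vpc_a)):   # subnet vs far static route
        for sub in near["subnets"]:
            for route in static_routes(far):
                if ip_network(sub).overlaps(ip_network(route)):
                    found.append((f"{near['name']} subnet / {far['name']} static route",
                                  sub, route))
    return found


def missing_peer_routes(vpc_a, vpc_b, pcx):
    """Sides whose route table lacks a route to the peer's CIDR via the pcx."""
    missing = []
    for near, far in ((vpc_a, vpc_b), (vpc_b, vpc_a)):
        if not any(dest == far["cidr"] and target == pcx
                   for dest, target in near["routes"]):
            missing.append((near["name"], far["cidr"]))
    return missing


# Constructed layouts: a shared-services VPC (Jenkins) and a dev VPC (RDS).
SHARED = {"name": "shared-services", "cidr": "10.0.0.0/16",
          "subnets": ["10.0.1.0/24", "10.0.2.0/24"],
          "routes": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-dev")]}

DEV = {"name": "dev", "cidr": "10.1.0.0/16",
       "subnets": ["10.1.1.0/24"],
       "routes": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-dev")]}

# dev carved from the same range as shared-services: peering is refused.
DEV_CLASH = {"name": "dev", "cidr": "10.0.0.0/16",
             "subnets": ["10.0.1.0/24"],
             "routes": [("10.0.0.0/16", "local")]}

# shared-services with a VPN route that already claims part of dev's range.
SHARED_VPN = dict(SHARED, routes=SHARED["routes"] + [("10.1.1.0/24", "vgw-onprem")])


if __name__ == "__main__":
    print("clean pair:      ", peering_conflicts(SHARED, DEV))
    print("same CIDR:       ", peering_conflicts(SHARED, DEV_CLASH))
    print("VPN route clash: ", peering_conflicts(SHARED_VPN, DEV))
    print("routes present:  ", missing_peer_routes(SHARED, DEV, "pcx-dev"))
    print("routes missing:  ", missing_peer_routes(SHARED, DEV_CLASH, "pcx-dev"))
```

The route check matters for the RDS question: with "Publicly accessible" set to no, the instance's endpoint resolves to a private IP inside the dev VPC, so Jenkins reaches it only if the shared-services route table sends the dev CIDR to the peering connection and the dev route table sends the shared-services CIDR back the same way; the RDS security group then has to allow the database port from the Jenkins address or security group.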
I was setting up an environment using Elastic Beanstalk and I wanted the hosts to be a part of the default VPC for my account. I didn't really understand what the options meant. See the below image for an example:
Associate Public IP Address - How does this differ from the ELB visibility?
Subnets for ELB and EC2 - What do these do? The set-up wizard requires at least one box is selected. During my setup I selected all of the boxes.
VPC Security Group - How does this differ from the security group of the EC2 hosts. I use the security groups to SSH onto the hosts. Why does the VPC need a security group?
If selected, the ELB will be created with a public IP address associated to it (or the EC2 instance will, if you select single instance instead of load balanced during the setup). Visibility is just for ACLs, and won't actually give it a publicly accessible IP.
In a common VPC setup, you'll have both public and private subnets with a NAT in between them. Things in the public subnet can usually access the Internet and private subnet. Private subnet can usually just access the local subnet. In a load balanced EB environment, you'd typically place the ELB in the public subnet and the EC2 instance(s) in the private subnet.
VPC security groups are for your resources (anything in your VPC). They're just prefixed with the term VPC so as to distinguish between VPC security groups and legacy EC2 security groups (for EC2 instances that are not part of any VPC). The option in the UI only affects the EC2 resources in your VPC though I believe...not the ELB.