AWS VPC

-
1) Subnet
2) Internet Gateway
3) NAT Gateway

NAT Instance -> Disable Source/Destination Check

4) hardware VPN connection
5) Virtual Private Gateway
6) Coustomer gateway
7) Router
8) Peering connection

VPC peering
-> no transitive peering
-> DNS supported

-50 VPC peer -> deafult
-125 -> by request

9) VPC endpoint (endpoint to S3)

Endpoints S3, DynamoDB

10) Engress-only Internet Gateway (outbound only for IPv6)


enable DNS hostname : https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html


Public subnet:
Subnet Actions -> modify auto-assign IP settings -> Enable auto-assign public IPv4 addresess


11) Adding Lb to VPC:
-secifi 1 subnet/AZ
-you must specifity from at least 2 AZ to increase of your LB
-2 public subnets at least + 1 subnet/AZ


12)

VPC Security




13) VPC Flow Log:

- wybierane w CloudWqtch
-3 levele:
  1.VPC
  2.subnet
  3.network interface
-nie można enablować flow logów dla peered VPC chyba, że jest ono na tym samym koncie
-nie można tagować
-nie można modyfikować flow logów

Nie każdy traffic monitorowany np.:
1. związany DNS
2. traffic Window Instance to Amazon Window Instance --- ?
3. traffic from 169.254.169.254 instance metadata
4.DHCP
5.traffic to reserved IP address for default XPC router

Komentarze

Prześlij komentarz

Popularne posty z tego bloga

Kubernetes

-
Obraz
I. Introduction 1. Kubernetes Overview - Kubernetes = popular container orchestrator  * it lets you schedule containers on a cluster of machines  * you can run multiple containers on one machine  * you can run long running services (like web applications)  * Kubernetes will manage the state of those containers:    ** Can start the container on specific nodeskubectl create -f pod-demo.yml    ** Will restart a container when it gets killed    ** Can move containers from one dnode to another node - you can run Kubernetes anywhere:   *on-premise (own datacenter)   *public (Google cloud, AWS)   *hybrid: public & private -highly modular -open source -backed by google -Container Orchestration = Make many servers act like one -Released by Google in 2015, maintained by large community -Runs on top of Docker (usually) as a set of APIs in containers -Provides API/CLI to managed containers across server...
Czytaj więcej

Helm

-
 0. Overivew - Packet manager 1. Helm Provenance and Integrity - https://github.com/technosophos/k8s-helm/blob/master/docs/provenance.md - Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files. a) Overview   -  I ntegrity is established by comparing a chart to a provenance record. Provenance records are stored in   provenance files , which are stored alongside a packaged chart. For example, if a chart is named   myapp-1.2.3.tgz , its provenance file will be   myapp-1.2.3.tgz.prov .  -  Provenance files are generated at packaging time ( helm package --sign ... ), and can be checked by multiple commands, notable   helm install --verify . b) The workflow This section describes a potential workflow for using provenance data effectively. Prerequisites: A valid PGP keyp...
Czytaj więcej

Ansible Tower / AWX

-
- Ansible Tower provides a web server interface to ansible.  - System rewuierments are somewhat heavy.  - Tower is only free for minimal use. Working with more than a few system requires a paid lincense.  - The two keys benefots of Ansible Tower are user permissioning and the audit trail (only provided with license.  - Only touched on in EX4077  - How is ansible Tower installed on your system? Ansible Tower is provided in a tarball containing binaries, config files, and an installation script that must be ran.  - To populate an Ansible Tower project with source files can be used:        * file system of the Ansible Tower server        * git        * subversion  - features:        * an interface for running Ansible plays and playbooks against target hosts.       * Separate user accounts permissioned for selective access to Tower-managed ...
Czytaj więcej