VPC Endpoints - Gateway vs Interface, VPC Peering and VPC Flow Logs - AWS Certification Cheat Sheet


Let’s get a quick overview of VPC Endpoints (Gateway vs Interface), VPC Peering and VPC Flow Logs.

You will learn

  • What are VPC Endpoints?
  • What are the different types of VPC Endpoints?
  • When do you use Gateway Endpoints vs Interface Endpoints?
  • What is VPC Peering?
  • How do you use VPC Flow Logs to debug problems?

VPC Endpoint

VPC Endpoint helps you to securely connect your VPC to another service.

There are two types

  • Gateway endpoint
  • Interface endpoint

A Gateway endpoint:

  • Help you to securely connect to Amazon S3 and DynamoDB
  • Endpoint serves as a target in your route table for traffic
  • Provide access to endpoint (endpoint, identity and resource policies)

An Interface endpoint:

  • Help you to securely connect to AWS services EXCEPT FOR Amazon S3 and DynamoDB
  • Powered by PrivateLink (keeps network traffic within AWS network)
  • Needs a elastic network interface (ENI) (entry point for traffic)

Important things to remember about VPC Endpoints:

  • (Avoid DDoS & MTM attacks) Traffic does NOT go thru internet
  • (Simple) Does NOT need Internet Gateway, VPN or NAT

VPC Peering

VPC Peering helps you to connect VPCs belonging to same or different AWS accounts irrespective of the region of the VPCs.

This allows private communication between the connected VPCs.

Peering uses a request/accept protocol:

  • Owner of requesting VPC sends a request
  • Owner of the peer VPC has one week to accept

Couple of important things to remember about VPC Peering:

  • Peering is not transitive
  • Peer VPCs cannot have overlapping address ranges

VPC Flow Logs

VPC Flow Logs are used to Monitor network traffic.

Using VPC Flow Logs you can:

  • Troubleshoot connectivity issues (NACL and/or security groups misconfiguration).
  • Capture traffic going in and out of your VPC (network interfaces).

VPC Flow Logs can be created for

  • a VPC
  • a subnet
  • or a network interface (connecting to ELB, RDS, ElastiCache, Redshift etc)

You can Publish logs to Amazon CloudWatch Logs or Amazon S3. Flow log records contain ACCEPT or REJECT - Is traffic is permitted by security groups or network ACLs?

Troubleshoot using VPC Flow Logs

How do you troubleshoot issues? Here is some simplified logic:

  • Problem with response => Problem with NACL.
  • Problem with request could be problems with NACL or SG.

Inbound traffic rules are checked in this order: NACL IN, SG IN, NACL OUT (SG OUT NOT checked):

  • If inbound request is rejected, SG or NACL could be mis-configured
  • If outbound response is rejected, NACL is mis-configured

Outbound traffic rules are checked in this order: SG OUT, NACL OUT, NACL IN (SG IN NOT checked):

  • If outbound request is rejected, SG or NACL could be mis-configured
  • If inbound response is rejected, NACL is mis-configured

Certification - Recommended Reading

Cloud Certifications - AWS, Azure and Google Cloud - Top 8 FAQ For Me

Google Cloud For Beginners - How to choose a Database Service?

Teaching Cloud Certifications - Top 6 Learnings

Google Cloud For Beginners - How to choose a Compute Service?

Important Kubernetes Concepts Made Easy

Introduction to Google Cloud - For AWS Professionals

Getting Started with Docker - 5 Easy Steps

GCP PubSub - GCP Certification Cheat Sheet

GCP IAM - GCP Certification Cheat Sheet

GCP App Engine - GCP Certification Cheat Sheet

WHAT NEXT?

Congratulations on reading this article!

Wondering what to learn next?

MY RECOMMENDATIONS

Keep Learning Every Day

Check Out Our Amazing ROADMAPS