AWS VPC, Route53, IAM revision before the CSA exam

Quick revision on topics AWS VPC, Route53, IAM before appearing AWS Certified Solutions Architect – Associate exam.

This article notes down a few important points about AWS (Amazon Web Services) VPC, Route53, and IAM. This can be helpful in last-minute revision before appearing for the AWS Certified Solutions Architect – Associate level certification exam.

This is the second part of the AWS CSA revision series. Rest of the series listed below :

• AWS CSA revision part I (EC2, S3, RDS)
• AWS CSA revision part III (Cloudfront, SNS, SQS)
• AWS CSA revision part IV (SWF,Beanstalk, EMR, Cloudfomation)

In this article, we are checking out key points about VPC (Virtual Private Cloud), Route53 (DNS Service) and IAM (Identity and Access Management).

Recommended read : AWS CSA exam preparation guide

Lets get started :

VPC (Virtual Private Cloud)

• NACL (Network Access Control List) controls traffic security at the subnet level
• Security groups control traffic security at the instance level
• NACL is stateless (i.e. all traffic need to exclusively allow) while Security groups are stateful (i.e. response traffic is automatically allowed)
• Only 1 Internet gateway per VPC is allowed.
• VPC peering can be done between two AWS accounts or other VPS within the same region.
• VPC peering is a direct network route between two VPC enabling sharing resources in different subnets.
• Limits :
  • 5 VPC per region
  • 50 customer gateways per region
  • 200 route table per region
  • 50 entries per route table
  • 5 elastic IP
  • 5 security group per network interface
  • 500 security groups per VPC
  • 50 rules per security group
• First 4 and last 1 IP of each subnet is reserved by AWS as below :
  • x.x.x.0: Network IP
  • x.x.x.1 : VPC router IP
  • x.x.x.2: For VPC DNS
  • x.x.x.3: For future use
  • x.x.x.255: Broadcast IP

Route 53

• Can register domain, act as DNS, Check health of resources.
• Port 53 used to serve request by DNS hence the name route 53!
• Primarily TCP used to serve DNS request but if the response is more than 512 bytes it will use TCP.
• Currently supported records :
  • A (address record)
  • AAAA (IPv6 address record)
  • CNAME (canonical name record)
  • MX (mail exchange record)
  • NAPTR (name authority pointer record)
  • NS (name server record)
  • PTR (pointer record)
  • SOA (start of authority record)
  • SPF (sender policy framework)
  • SRV (service locator)
  • TXT (text record)
• Routing policies :
  • Simple routing: Single resource serving traffic
  • Weighted routing: Divert proportion wise traffic to multiple resources
  • Latency routing: Returns result with the lowest latency to requestor origin
  • Failover routing: Active-passive. One resource takes traffic when the other one is failed
  • Geolocation routing: Returns DNS queries based on the geolocation of the user
• Limits :
  • 500 hosted zones per AWS account
  • 50 domains per AWS account
• Ideal TTL values for CNAME to the existing domain are 24 hours and CNAM to S3 or ELB is 1 hour.
• There is no default TTL for any record type in Route 53. You have to specify TTL for your records.
• Weights can be assigned as integer 0 to 255. 0 means no weight i.e. don’t route to that record. The probability of routing to be done to a particular record equals to the weight of that record/Sum of all record weights.

IAM (Identity and Access Management)

• Never use the root account for login. Create an admin user and use it for administrative tasks
• Created users, groups and roles are global and available across all regions in the same AWS account
• Prebuilt policy for :
  • Administrator – All access
  • Power-user – Everything administrator has except IAM management access
  • Read-only – Only view access (accounting purpose)
• By default, the newly created user has normal deny on all AWS resources. Explicit allow will override normal deny.
• Cross account roles can be defined. It assumes access of other users granted to another user.
• The public key can be viewed in the account settings anytime. The private key visible only at the time of creation.  If lost can not be retrieved and need to create fresh key pair to use.