Quick revision on the topics AWS VPC, Route53 and IAM before appearing for the AWS Certified Solutions Architect – Associate level exam.
This article notes down a few important points about AWS (Amazon Web Services) VPC, Route53 and IAM. It can be helpful for last-minute revision before appearing for the AWS Certified Solutions Architect – Associate level certification exam.
This is the second part of the AWS CSA revision series. The rest of the series is listed below:
- AWS CSA revision part I (EC2, S3, RDS)
- AWS CSA revision part III (Cloudfront, SNS, SQS)
- AWS CSA revision part IV (SWF, Beanstalk, EMR, CloudFormation)
In this article we are checking out key points about VPC (Virtual Private Cloud), Route53 (DNS Service) and IAM (Identity and Access Management).
Recommended read : AWS CSA exam preparation guide
Let's get started:
VPC (Virtual Private Cloud)
- NACL (Network Access Control List) controls traffic security at the subnet level
- Security groups control traffic security at the instance level
- NACLs are stateless (i.e. all traffic, including return traffic, must be explicitly allowed) while security groups are stateful (i.e. response traffic to an allowed request is automatically allowed)
- Only 1 Internet gateway per VPC is allowed.
- VPC peering can be done between two AWS accounts or with other VPCs within the same region.
- VPC peering is a direct network route between two VPCs, enabling resources in different subnets to be shared.
- Limits :
- 5 VPC per region
- 50 customer gateways per region
- 200 route table per region
- 50 entries per route table
- 5 elastic IP
- 5 security group per network interface
- 500 security groups per VPC
- 50 rules per security group
- The first 4 and the last 1 IP of each subnet are reserved by AWS as below:
- x.x.x.0 : Network IP
- x.x.x.1 : VPC router IP
- x.x.x.2 : For VPC DNS
- x.x.x.3 : For future use
- x.x.x.255 : Broadcast IP
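Two of the VPC points above are easy to check offline: the reserved addresses in a subnet, and the practical difference between a stateless NACL and a stateful security group. The following Python is an added example, not code from the original article or from AWS; the rule sets, addresses and ports are constructed for illustration, and the security group keeps its outbound rules explicit (a real default security group allows all outbound) so that the effect of connection tracking is visible.

```python
"""Added example: reserved subnet addresses, and a stateless NACL versus a
stateful security group, modelled in plain Python (constructed data)."""
import ipaddress
from dataclasses import dataclass


def reserved_addresses(cidr: str) -> dict:
    """Return the AWS-reserved addresses of a subnet and the usable host count."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses < 16:
        raise ValueError("a VPC subnet must be /28 or larger")
    hosts = list(net)  # network address ... broadcast address, inclusive
    reserved = {"network": hosts[0], "vpc_router": hosts[1], "dns": hosts[2],
                "future_use": hosts[3], "broadcast": hosts[-1]}
    return {"reserved": {k: str(v) for k, v in reserved.items()},
            "usable": net.num_addresses - len(reserved)}


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first
    protocol: str    # "tcp", "udp" or "all"
    ports: tuple     # (low, high) inclusive destination port range
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def _matches(rule: Rule, remote_ip: str, port: int, protocol: str) -> bool:
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules, packet: Packet, direction: str) -> bool:
    """Stateless: every packet, replies included, is judged on its own.
    Rules are scanned in ascending rule number and the first match decides;
    with no match the implicit final '*' rule denies."""
    remote = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, remote, packet.dst_port, packet.protocol):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: an allowed inbound request admits its reply automatically."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()  # connection-tracking table of admitted requests

    def allows(self, packet: Packet, direction: str) -> bool:
        if direction == "inbound":
            if any(_matches(r, packet.src_ip, packet.dst_port, packet.protocol)
                   for r in self.inbound):
                self._flows.add((packet.dst_ip, packet.dst_port,
                                 packet.src_ip, packet.src_port))
                return True
            return False
        # outbound: the reply to a tracked flow needs no rule of its own
        if (packet.src_ip, packet.src_port,
                packet.dst_ip, packet.dst_port) in self._flows:
            return True
        return any(_matches(r, packet.dst_ip, packet.dst_port, packet.protocol)
                   for r in self.outbound)


def demo() -> dict:
    """Web server 10.0.1.10 on 443; the NACL lacks an outbound ephemeral-port rule."""
    nacl_in = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
    nacl_out = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
    nacl_out_fixed = nacl_out + [Rule(110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
    sg = SecurityGroup(inbound=[Rule(1, "tcp", (443, 443), "0.0.0.0/0", "allow")])

    request = Packet("203.0.113.7", 51515, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "203.0.113.7", 51515)
    return {
        "nacl_request": nacl_allows(nacl_in, request, "inbound"),           # True
        "nacl_reply": nacl_allows(nacl_out, reply, "outbound"),             # False: stateless
        "nacl_reply_fixed": nacl_allows(nacl_out_fixed, reply, "outbound"), # True
        "sg_request": sg.allows(request, "inbound"),                        # True
        "sg_reply": sg.allows(reply, "outbound"),                           # True: stateful
    }


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"))
    print(demo())
```

The failing `nacl_reply` case is the classic NACL mistake: the request on 443 is allowed in, but the reply leaves on the client's ephemeral port and is dropped until an outbound rule for 1024-65535 is added. The security group needs no such rule because it tracks the flow.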
Route53 (DNS Service)
- Can register domains, act as a DNS service, and check the health of resources.
- Port 53 is the port DNS uses to serve requests, hence the name Route 53!
- DNS requests are primarily served over UDP, but if the response is larger than 512 bytes TCP is used.
- Currently supported records :
- A (address record)
- AAAA (IPv6 address record)
- CNAME (canonical name record)
- MX (mail exchange record)
- NAPTR (name authority pointer record)
- NS (name server record)
- PTR (pointer record)
- SOA (start of authority record)
- SPF (sender policy framework)
- SRV (service locator)
- TXT (text record)
- Routing policies :
- Simple routing : Single resource serving traffic
- Weighted routing : Distributes traffic across multiple resources in proportion to assigned weights
- Latency routing : Returns the resource with the lowest latency to the requestor's origin
- Failover routing : Active-passive. One resource takes traffic when the other one fails
- Geolocation routing : Answers DNS queries based on the geographic location of the user
- Limits :
- 500 hosted zones per AWS account
- 50 domains per AWS account
- Ideal TTL values: 24 hours for a CNAME to an existing domain, and 1 hour for a CNAME to S3 or ELB.
- There is no default TTL for any record type in Route 53. You have to specify a TTL for your records.
- Weights are assigned as integers from 0 to 255. A weight of 0 means no weight, i.e. do not route to that record. The probability of routing to a particular record equals that record's weight divided by the sum of all record weights.
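The weighted routing rule above can be modelled directly. The following Python is an added example, not code from the original article or from AWS: it computes the selection probability per record (weight divided by the sum of weights, weight 0 never selected), simulates a resolver, and also covers one documented edge case the note does not mention: when every record in the set has weight 0, Route 53 answers with each record with equal probability. Record names and weights are constructed.

```python
"""Added example: a model of Route 53 weighted routing (constructed data)."""
import random
from collections import Counter


def selection_probabilities(records: dict) -> dict:
    """records maps a record identifier to its integer weight (0..255)."""
    for name, weight in records.items():
        if not isinstance(weight, int) or not 0 <= weight <= 255:
            raise ValueError(f"weight for {name!r} must be an integer 0..255")
    total = sum(records.values())
    if total == 0:
        # all-zero edge case: every record is returned with equal probability
        return {name: 1 / len(records) for name in records}
    return {name: weight / total for name, weight in records.items()}


def resolve(records: dict, rng=random) -> str:
    """Answer one query the way a weighted resolver would."""
    probs = selection_probabilities(records)
    names = list(probs)
    return rng.choices(names, weights=[probs[n] for n in names], k=1)[0]


def simulate(records: dict, queries: int = 10_000, seed: int = 1) -> dict:
    """Observed answer share per record over many queries (seeded, so repeatable)."""
    rng = random.Random(seed)
    counts = Counter(resolve(records, rng) for _ in range(queries))
    return {name: counts[name] / queries for name in records}


if __name__ == "__main__":
    # constructed blue/green deployment: 75% old, 25% new, canary switched off
    blue_green = {"blue-v1": 3, "green-v2": 1, "canary-v3": 0}
    print(selection_probabilities(blue_green))
    print(simulate(blue_green))
```

Setting a record's weight to 0 is the usual way to take a target out of rotation without deleting the record; the simulation shows it receives no answers while the others keep their 3:1 share.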
IAM (Identity and Access Management)
- Never use the root account for day-to-day login. Create an admin user and use it for administrative tasks.
- Users, groups and roles are global and available across all regions in the same AWS account.
- Prebuilt policies for:
- Administrator – All access
- Power user – Everything the administrator has except IAM management access
- Read only – View access only (e.g. for accounting purposes)
- By default, a newly created user has an implicit deny on all AWS resources. An explicit allow overrides the implicit deny.
- Cross-account roles can be defined: a user in one account assumes a role that grants access to resources in another account.
- The public key can be viewed in account settings at any time. The private key is visible only at creation time; if it is lost it cannot be retrieved, and a fresh key pair must be created.
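The implicit-deny rule above is easiest to understand as a policy evaluator. The following Python is an added example, not code from the original article or from AWS: it implements the documented precedence (an explicit Deny always wins, otherwise an explicit Allow wins, otherwise the request is implicitly denied), which goes one step beyond the note by including explicit Deny. The three policy documents are constructed to resemble the prebuilt Administrator, Power user and Read only policies listed above; they are not the real AWS managed policy documents, and the evaluator ignores Condition, NotAction and Principal elements.

```python
"""Added example: a simplified IAM policy evaluator (constructed policies)."""
import fnmatch


def _match_any(patterns, value: str, fold_case: bool) -> bool:
    """IAM-style wildcards ('*' and '?'); actions are case-insensitive,
    resource ARNs are compared case-sensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"  # default: nothing is allowed until a statement says so
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _match_any(stmt["Action"], action, fold_case=True):
                continue
            if not _match_any(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # nothing overrides an explicit deny
            decision = "allow"          # explicit allow overrides the implicit deny
    return decision


def is_allowed(policies, action: str, resource: str) -> bool:
    return evaluate(policies, action, resource) == "allow"


# Constructed look-alikes of the prebuilt policies (not the AWS managed documents)
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["*:Get*", "*:List*", "*:Describe*"], "Resource": "*"},
]}
NEW_USER = {"Version": "2012-10-17", "Statement": []}  # no policy attached yet


if __name__ == "__main__":
    for label, pol in [("new user", NEW_USER), ("admin", ADMIN),
                       ("power user", POWER_USER), ("read only", READ_ONLY)]:
        print(label, evaluate([pol], "iam:CreateUser", "*"),
              evaluate([pol], "s3:GetObject", "arn:aws:s3:::bucket/key"))
```

Because `evaluate` takes a list of policies, it also shows what happens when several are attached to the same user: a Deny in any one of them wins over an Allow in another, which is the behaviour to rely on when building guard-rail policies.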