VPC

3. Network ACL

The Network ACL (NACL) is a stateless firewall attached to subnets within a VPC: it filters both inbound and outbound traffic for every subnet it is associated with. Rules are numbered and evaluated in ascending order, the first matching rule wins, and traffic that matches no rule is denied by the implicit final rule. Because it is stateless, return traffic is not recognised automatically and must be allowed explicitly (for example, an outbound rule for the ephemeral port range 1024-65535 so that replies to clients can leave the subnet).

  1. A single NACL can be associated with multiple subnets, allowing you to apply the same set of rules across several subnets.
  2. However, each subnet in a VPC can only be associated with one NACL at a time. If you associate a new NACL with a subnet, the previous NACL is automatically disassociated.
  3. By default, new subnets are automatically associated with the Default NACL, which allows all inbound and outbound traffic until it is manually modified.
  4. You can create and assign a custom NACL to define specific rules for controlling traffic. A newly created custom NACL has no rules and therefore denies all inbound and outbound traffic until you add allow rules, which gives granular control over what is allowed or denied at the subnet level.

This setup makes NACLs useful for subnet-level traffic filtering, separate from instance-level access control, which is handled by Security Groups.

4. Route Table, NACL, Security Group

Handling of Incoming Requests to EC2 instances.

  1. Route Table:
    1. The request is first evaluated against the Route Table associated with the subnet to determine where the traffic should go (e.g., the local route for destinations inside the VPC, or a route toward the internet via an Internet Gateway).
    2. The Route Table handles routing only, not traffic filtering.
  2. Network ACL (NACL):
    1. NACL is associated at the subnet level inside the VPC.
    2. It evaluates inbound and outbound traffic based on its rules to allow or deny traffic for that subnet.
    3. NACL acts as a stateless firewall at the subnet level. It processes each request independently without remembering previous requests.
  3. Security Group:
    1. If the request is for an EC2 instance, it is further filtered by the Security Group attached to the instance.
    2. Security Groups are stateful firewalls applied at the instance (network interface) level; traffic is allowed only when a rule matches it, and the return traffic of an allowed connection is admitted automatically without a matching rule in the other direction.
    3. There are no "deny" rules in a Security Group. Any traffic not explicitly allowed is automatically denied.
  4. Subnets are implicitly associated with the main route table if no other route table is explicitly associated with them.
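The NACL behaviour from section 3 and the route table, NACL and Security Group order from this section, as an added worked example (not code from the original page or from AWS): a small model that pushes one request and its reply through the three stages. The route table does longest-prefix routing only, the NACL checks every packet against numbered rules in order with no memory of the request, and the Security Group is allow-only and stateful. The addresses, rule sets, route targets and the `handle_request` / `demo` helpers are constructed for the example.

```python
"""Toy model of the path an inbound request takes to an EC2 instance: route table
(routing only) -> subnet NACL (stateless, ordered rules) -> security group (stateful,
allow-only). Added illustration for this page, not AWS code; every address, rule set
and target name below is a constructed sample."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")
# NACL rule: number (lower is evaluated first), direction ("in"/"out" relative to the
# subnet), proto ("tcp"/"udp"/"all"), cidr (source for "in", destination for "out"),
# ports = (low, high) matched against the packet's destination port, action ("allow"/"deny").
Rule = namedtuple("Rule", "number direction proto cidr ports action")

def in_cidr(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def reply_of(pkt):
    # Return packet of the same TCP exchange: addresses and ports swapped.
    return Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

def lookup_route(route_table, dst):
    """Longest-prefix match over (cidr, target) pairs; routing only, no filtering."""
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def nacl_allows(rules, pkt, direction):
    """Stateless: every packet, replies included, is checked against the rules for its
    direction, lowest number first; the first match decides. A packet matching no rule
    hits the implicit final '*' rule and is denied."""
    for r in sorted(rules, key=lambda r: r.number):
        remote = pkt.src if direction == "in" else pkt.dst
        if (r.direction == direction and r.proto in ("all", pkt.proto)
                and in_cidr(remote, r.cidr) and r.ports[0] <= pkt.dport <= r.ports[1]):
            return r.action == "allow"
    return False

class SecurityGroup:
    """Stateful and allow-only: unmatched traffic is dropped, there is no deny rule,
    and the reply to an admitted request leaves without needing an outbound rule."""

    def __init__(self, inbound):
        self.inbound = inbound   # list of (proto, (low, high), source_cidr)
        self.tracked = set()     # connections admitted inbound

    def allows_in(self, pkt):
        for proto, (lo, hi), cidr in self.inbound:
            if proto in ("all", pkt.proto) and lo <= pkt.dport <= hi and in_cidr(pkt.src, cidr):
                self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False

    def allows_out(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tracked

def handle_request(route_table, nacl, sg, pkt):
    """Push one request and its reply through the three stages; return the stage that
    dropped it, or 'delivered' once the reply makes it back out of the subnet."""
    if lookup_route(route_table, pkt.dst) != "local":
        return "route-table"
    if not nacl_allows(nacl, pkt, "in"):
        return "nacl-inbound"
    if not sg.allows_in(pkt):
        return "security-group"
    reply = reply_of(pkt)
    if not sg.allows_out(reply):
        return "security-group-reply"
    if not nacl_allows(nacl, reply, "out"):
        return "nacl-outbound"   # stateless pitfall: reply to the client's ephemeral port
    return "delivered"

# Constructed sample: a public subnet hosting an HTTPS server at 10.0.1.20.
ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-sample")]
WEB_SG = [("tcp", (443, 443), "0.0.0.0/0")]
REQUEST = Packet("203.0.113.10", "10.0.1.20", "tcp", 50123, 443)
NACL_NO_EPHEMERAL = [Rule(100, "in", "tcp", "0.0.0.0/0", (0, 65535), "allow")]
NACL_FIXED = NACL_NO_EPHEMERAL + [Rule(100, "out", "tcp", "0.0.0.0/0", (1024, 65535), "allow")]
NACL_DENY_FIRST = [Rule(50, "in", "tcp", "203.0.113.0/24", (0, 65535), "deny")] + NACL_FIXED
NACL_DENY_LAST = NACL_FIXED + [Rule(200, "in", "tcp", "203.0.113.0/24", (0, 65535), "deny")]

def demo():
    """Outcome of the same HTTPS request under each NACL, plus an SSH attempt."""
    ssh = REQUEST._replace(dport=22)
    return {
        "no_ephemeral_rule": handle_request(ROUTES, NACL_NO_EPHEMERAL, SecurityGroup(WEB_SG), REQUEST),
        "fixed": handle_request(ROUTES, NACL_FIXED, SecurityGroup(WEB_SG), REQUEST),
        "deny_numbered_first": handle_request(ROUTES, NACL_DENY_FIRST, SecurityGroup(WEB_SG), REQUEST),
        "deny_numbered_last": handle_request(ROUTES, NACL_DENY_LAST, SecurityGroup(WEB_SG), REQUEST),
        "ssh_not_in_sg": handle_request(ROUTES, NACL_FIXED, SecurityGroup(WEB_SG), ssh),
    }
```

Running `demo()` gives `nacl-outbound` for the NACL without an outbound ephemeral-port rule (the request gets in, the reply is dropped because the NACL does not remember it), `delivered` once that rule is added, `nacl-inbound` when a deny rule is numbered below the allow, `delivered` when the same deny is numbered above it (the allow matches first, so the deny is never reached), and `security-group` for SSH, which the NACL lets through but no Security Group rule permits.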

5. Access AWS VPC Resources from On-Premises/externally

  1. AWS Site-to-Site VPN
    1. Establishes a secure connection between your on-premises network and AWS VPC over the internet.
    2. Useful for low to medium bandwidth requirements and quick setup.
  2. AWS Direct Connect (DX)
    1. A dedicated, private connection between your on-premises data center and AWS.
    2. Offers low latency, high bandwidth, and consistent performance.
    3. Can be used with a Direct Connect Gateway for accessing multiple VPCs across Regions.
  3. AWS Outposts
    1. Extends AWS infrastructure, including subnets of your VPC, to your on-premises environment.
    2. Lets workloads reach VPC resources locally with low latency; the Outpost itself still needs a service link back to its parent AWS Region.
    3. An Outpost is a pool of AWS compute and storage capacity deployed at a customer site.
  4. PrivateLink (VPC Endpoint Services)
    1. Interface endpoints let on-premises resources reach AWS services (such as S3) privately, or let you expose a service hosted in your VPC to consumers without traversing the internet.
    2. On-premises clients reach the interface endpoint's private IP address over Site-to-Site VPN or Direct Connect. Gateway endpoints (the gateway type for S3 and DynamoDB) are only usable from inside their VPC, so on-premises access needs an interface endpoint.
  5. Hybrid Connectivity Tools
    1. AWS Storage Gateway: For hybrid storage scenarios in which on-premises applications use S3-backed file shares, block volumes, or virtual tapes.
    2. AWS DataSync: For data transfer between on-premises storage and AWS storage services.

6. Question based on VPC endpoint

An application running in a private subnet accesses an Amazon DynamoDB table. To meet security requirements, the data must not leave the AWS network. How should this requirement be met?

  1. Configure a Network ACL on DynamoDB to limit traffic to the private subnet.
  2. Enable DynamoDB encryption at rest using an AWS Key Management Service (AWS KMS) key.
  3. Add a NAT gateway and configure the route table on the private subnet.
  4. Configure a VPC endpoint for DynamoDB and configure the endpoint policy. (Correct) A gateway endpoint for DynamoDB adds a route for the DynamoDB prefix list to the private subnet's route table, so requests stay on the AWS network, and the endpoint policy restricts which tables and actions can be reached through it. A NAT gateway (option 3) would send the traffic to DynamoDB's public endpoint over the internet; a NACL (option 1) is attached to subnets, not to DynamoDB; and encryption at rest (option 2) says nothing about the network path.
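The endpoint policy the correct answer refers to, as an added example that is not part of the original page or AWS's own material: a gateway endpoint policy that limits the endpoint to a few actions on one table, a matching identity policy on the application's role that only allows the table when the request arrives through that endpoint (the `aws:sourceVpce` condition key), and a small evaluator so both can be checked offline. The account id, table name and endpoint id are made-up placeholders, and the evaluator implements only the subset of IAM logic these two policies use (explicit Deny wins, any matching Allow grants, otherwise implicit deny, `StringEquals` conditions). The route that the gateway endpoint installs for the DynamoDB prefix list is managed by AWS and is not modelled here.

```python
"""Endpoint policy and role policy for the DynamoDB question above, plus a minimal
IAM-style evaluator. Added illustration written for this page, not AWS code; the
account id, table name and endpoint id are constructed placeholders."""
import fnmatch

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"   # placeholder
ENDPOINT_ID = "vpce-0123456789abcdef0"                               # placeholder

# Policy attached to the gateway endpoint: only these calls to this table may use
# the endpoint. It narrows, never widens, what the caller's own IAM policy allows.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyOrdersTableViaEndpoint",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_ARN,
    }],
}

# Policy on the application's IAM role: access to the table only when the request
# arrives through the endpoint, so a path over the internet is denied even if the
# subnet's routing were changed later.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "dynamodb:*",
        "Resource": TABLE_ARN,
        "Condition": {"StringEquals": {"aws:sourceVpce": ENDPOINT_ID}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards (* and ?) in Action/Resource; action names are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _condition_holds(condition, context):
    # Only StringEquals is modelled, which is all the sample policies use.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def policy_allows(policy, action, resource, context=None):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def request_allowed(action, resource, via_endpoint):
    """Both gates must pass: the endpoint policy (consulted only when the request
    actually traverses the endpoint) and the caller's role policy, which sees the
    aws:sourceVpce key only for requests that came through the endpoint."""
    context = {"aws:sourceVpce": ENDPOINT_ID} if via_endpoint else {}
    if via_endpoint and not policy_allows(ENDPOINT_POLICY, action, resource):
        return False
    return policy_allows(ROLE_POLICY, action, resource, context)

if __name__ == "__main__":
    print(request_allowed("dynamodb:GetItem", TABLE_ARN, via_endpoint=True))
    print(request_allowed("dynamodb:GetItem", TABLE_ARN, via_endpoint=False))
    print(request_allowed("dynamodb:DeleteTable", TABLE_ARN, via_endpoint=True))
```

The two policies complement each other: the endpoint policy stops the endpoint being used as a path to other tables or destructive actions, while the `aws:sourceVpce` condition on the role stops the same credentials being used from any path that does not go through the endpoint, which is what turns "data must not leave the AWS network" into something enforced rather than merely routed.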