7. CLASSLESS INTER-DOMAIN ROUTING (CIDR)
• Dot-decimal notation
• Subnet mask corresponds to block size
• When you combine the IP address and subnet mask, you can determine the network address and broadcast address
A VPC is a regional construct
VPC CIDR Ranges
A VPC CIDR block can be between /16 and /28.
/16 is a recommended VPC size
The CIDR cannot be modified once it is created, but you are able to add an additional range after creation
Make sure not to use overlapping CIDR ranges between VPCs or with on-premises networks
Private Addressing Space
Class A 10.0.0.0/8
Class B 172.16.0.0/12 (172.16.0.0–172.31.255.255)
Class C 192.168.0.0/16
Default VPC
Companies hardly ever use them
They come standard with public subnets and route tables already working
Reserved IP Addresses in each Subnet CIDR block
Subnetting can be hard; don’t be afraid to use an online tool like http://www.subnet-calculator.com/cidr.php
The first four IPs and the last IP in each subnet are reserved, totaling five per subnet.
For example, in a subnet of 10.0.0.0/24:
10.0.0.0 – network address
10.0.0.1 – VPC router
10.0.0.2 – DNS server
10.0.0.3 – reserved for future expansion
10.0.0.255 – network broadcast address
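As an added worked example (not part of the original notes), the following Python uses the standard-library ipaddress module to apply the rules above: derive the network and broadcast address from an IP and mask, list the five addresses AWS reserves in a subnet, check that a VPC CIDR falls between /16 and /28, and flag overlapping ranges between VPCs or on-premises networks. The function names and the role labels are my own.

```python
import ipaddress
from itertools import combinations

# Roles of the five addresses AWS reserves in every subnet, in address order:
# the first four addresses of the block, then the last one (labels are mine).
AWS_RESERVED_ROLES = ("network address", "VPC router", "DNS server",
                      "reserved for future expansion", "network broadcast address")

def network_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Combine a host IP with a dotted-decimal mask (or prefix length) to get its network."""
    return ipaddress.IPv4Network((ip, mask), strict=False)

def subnet_summary(cidr: str) -> dict:
    """Network/broadcast addresses, the five AWS-reserved IPs and the usable host count."""
    net = ipaddress.IPv4Network(cidr, strict=False)  # tolerate a host address in the CIDR
    first = int(net.network_address)
    reserved = [str(ipaddress.IPv4Address(first + i)) for i in range(4)]
    reserved.append(str(net.broadcast_address))
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "reserved": dict(zip(AWS_RESERVED_ROLES, reserved)),
        "usable_hosts": net.num_addresses - len(reserved),
    }

def vpc_cidr_is_valid(cidr: str) -> bool:
    """A VPC CIDR block must be between /16 and /28 (prefix length 16..28)."""
    return 16 <= ipaddress.IPv4Network(cidr, strict=False).prefixlen <= 28

def find_overlaps(cidrs: list) -> list:
    """Pairs of ranges (VPC or on-premises) that overlap and so would collide when routed."""
    nets = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

if __name__ == "__main__":
    for role, ip in subnet_summary("10.0.0.0/24")["reserved"].items():
        print(f"{ip:<12} {role}")
    # constructed sample: a VPC, a subnet carved from it, and an on-premises range
    print(find_overlaps(["10.0.0.0/16", "10.0.1.0/24", "172.16.0.0/12"]))
```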
Subnets are a Zonal Construct
Public vs Private
Inbound vs Outbound Rules
Outbound rules are created by default
SGs are Stateful
SGs support only allow rules
NACLs are stateless, meaning return traffic needs an explicit outbound rule allowing it out
You’ll want to make sure you allow outbound ephemeral ports 1024–65535 on the NACL so that return traffic is permitted
ELB Logs
Nslookup public RDS vs Private
Nc public vs private
You’ll notice the reject logs that are all one way
Whereas the successful logs are two way and accepted