Thursday, April 8, 2021

DNS Route 53 and ELB - AWS - Routing Policies

When you create a record, you choose a routing policy, which determines how Amazon Route 53 responds to queries:

  • Simple routing policy – Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the website.

  • Failover routing policy – Use when you want to configure active-passive failover.

  • Geolocation routing policy – Use when you want to route traffic based on the location of your users.

  • Geoproximity routing policy – Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.

  • Latency routing policy – Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.

  • Multivalue answer routing policy – Use when you want Route 53 to respond to DNS queries with up to 8 healthy records selected at random.

  • Weighted routing policy – Use to route traffic to multiple resources in proportions that you specify.

  • ELB is one of many AWS services that have a regional scope and can span across zones in a given region.
  • Other services like Route 53 is global in scope, as shown below, and provides services to multiple Regions.

Amazon VPC Limits - AWS

Wednesday, April 7, 2021

AWS, VPC, Subnet, Internet Gateway, Route Tables, NACL, Security Groups,order%2C%20from%20top%20to%20bottom.

VPC Peering : Connecting 2 VPC 

Data Flow inside AWS


Route Table : Once Data Arrives at Subnet, RT attached to Subnet decides where to route data traffic , It cannot block/unblock, it can just route
Data Traffic may want to come to My Subnet
Data Traffic may want to go from Subnet to Other Subnet or May want to Go to Outside World
Route to Local or Route to IGW or Route to NAT Gateway. : Traffic meant for "NOT VPC Subnet"  -> Route to IGW or NAT
p.q.r.s/16  : "Subnet Traffic " -> Route Locally to Subnet

NACL : Once Data Traffic arrives at Subnet
It has to cross N/W Firewall - Subnet Firewall - known as NACL which may allow it or block it.
It checks Protocol Type, Port, Source/Destination (depending on Incoming/Outgoing Direction) and then allows or blocks, The rules are Numbered, If a Match is found, It can be DENY or ALLOW Rule and no further rules are processed.
Its stateless, You have to configure separate rule for incoming and outgoing and they both are independent of each other

Security Group :
It is stateful 
It has Incoming and Outgoing Rules
But Incoming is related to Outgoing 
It has no DENY/ALLOW rule flag
All Rules are ALLOW by default
Rule says 
->  Allow PROTOCOL on PORT from SOURCE  - Incoming
->  Allow PROTOCOL on PORT from DESTINATION - Outgoing
SSH is TCP Protocol on 22
HTTP is TCP protocol on 80
PING in NCMP Protocol
If Incoming Rule allowed SSH on Port 80 and I did not mention Allow SSH on Port 22 for Outgoing, Even Then SSH will be allowed in Outgoing because its stateful, it remembers.
If Outgoing Rule is allowed, on PORT 80 and We did  not Configure HTTP on Incoming Side
Even then SSH will be allowed on that Machine

Internet  :  Internet GW <-> VPC <-> Route Table   <->  NACL  <-> Security Group <-> EC2 Instance

"Default" or not 
"Default" is a property of NACL
Default NACL has Implicit Mapping of all  Subnets.
stateless - Outbound/Inbount have no memory(no Statefulness)- Need to be Configured Separately
allow/deny property for each rule - Just in case we change our Mind later :-P
Default NACL allows all Traffic for both Inbound/Outbound
A new custom NACL denies all Traffic for both Inbound/Outbound
NACL is applied at Subnet Level (Firewall for Subnet)
NACL rules are numbered , Lower number gets evaluated 1st
                        Rules are created with specific increments, like the difference between 2 rules is either 1,10, 100 
NACL has * DENY Rule at the end , It cannot be deleted/modified
Inbound:    RuleNumber, Type, Protocol, PortRange, Source, Allow/Deny
Outbound: RuleNumber, Type, Protocol, PortRange, Destination, Allow/Deny
Each subnet is required to be associated with one—and only one—NACL
Each VPC has a default NACL - which allows all Traffic
In contrast, AWS processes NACL rules one at a time. 
Each NACL rule has a number, and AWS starts with the lowest numbered rule. 
If traffic matches a rule, the rule is applied and no further rules are evaluated.
If traffic doesn't match a rule, AWS moves on to evaluate the next consecutive rule
This default NACL has one "allow-all" and one "deny-all" rule for both inbound and outbound traffic, for a total of 4 default rules. 
A custom (non-default) NACL, it has one deny-all rule for both inbound and outbound traffic,total of 2 rules.
NACLs work at the subnet level.
NACLs are considered an optional form of defense for instances. A subnet must have a NACL, but by default, a NACL is configured to allow all traffic in and out.
Subnet can have only one NACL
Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.
Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.
VPC can have many NACL, but each Subnet is associated with 1 NACL only
Without Subnet explicilty associated to NACL, its rules have no effect
When you create a VPC, AWS automatically creates a Security Group, NACL[Default]
Default NACL has Implicit Mapping of all  Subnets.
NACL knows who its Subnets are !!

Security Group:
Security Group has no record of Instances connected to it, But Instances know which Security Group They Belong
No "Default", No "Main" attribute here but VPC comes with 1 Security Group where everything is allowed
No Instance can be made without - SG
security groups work at the instance level
Security groups are a required form of defense for instances, because an instance must be associated with at least one security group. You can't launch an instance without one, and you can't remove the only remaining security group from an existing instance.
However, a particular security group only applies to an instance if a user deliberately associates it with the instance, either at launch time or after the instance has been created.
                       Security group -Rules' dont have Allow/Deny - feature. If a Rule is there, its for Allow
                        If Rule is not there- It means its Denied Implicitly
Implicit deny, which means all traffic is denied unless an inbound or outbound rule explicitly allows it.
Security groups are stateful; they automatically allow return traffic, no matter what rules are specified. If your instance sends out a request, the connection is tracked and the response is accepted regardless of explicit inbound rules. If traffic is allowed into an instance, the response is allowed out regardless of explicit outbound rules
Security Groups are not numbered
AWS evaluates all rules for all the security groups associated with an instance before deciding whether to allow traffic in or out. The most permissive rule is applied—so remember that your instance is only as secure as your weakest rule.
Security groups don't need rules to evaluate response traffic. There's only a need to define inbound or outbound rules to evaluate requests, because once a request is permitted, its response is automatically permitted as well.
AWS created default security group has one default inbound rule allowing traffic from other instances associated with the same security group. 
A custom (non-default) security group, it has no inbound rules by default.
Inbound: Type,Protocol,Port range,Source,Description - optional
Outbound: Type,Protocol,Port range,Destination,Description - optional

Instance can have multiple Security groups. When you launch an instance in a VPC, you can assign up to 5 security groups to the instance
Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.
Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.

Internet Gateway :
No "Default", No "Main" attribute here
IGW knows which VPC its connected to - Attribute "VPC ID"
A VPC can have  multiple IGW - Internet Gateways
Internet Gateway is associated/attached with VPC
But Only 1 IGW will be "Attached" , Rest will be in "Detached" mode

Route Table :
VPC has a "MAIN" Route Table, which VPC gets by default
"Main" is a property attribute of RT.
                        You cannot delete the main route table.
                        Route Table knows - Who its associated Subnets are - "Explicit subnet associations" - Attribute of RT
Route Table is associated with Subnet.
                        You cannot set a gateway route table as the main route table.
                        You can replace the main route table with a "Custom" route table.
Destination, Target, Status, Propagated local         igw-0320a023a88aa238e
Subnets have not been explicitly associated with any route tables and are associated with Main route table.
Default"Main" Route Table has 2 Routes - 1st to "Local",2nd to "Internet Gateway"
"Custom" Route Table has Only 1 Local Route within VPC
Every route table contains a local route for communication within the VPC
Each route in a table specifies a destination and a target.
IPv4 and IPv6 traffic are treated separately. i.e. Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other.
Route Priority — if your route table has multiple routes, we use the most specific route that matches the traffic (longest prefix match) to determine how to route the traffic.

Internet  :  Internet Gateway  <-> Route Table   <->  NACL  <-> Security Group <-> EC2 Instance

SAP -1

[Please see our list of available and valid certifications.]

SAP Learning Journeys

150+ different certifications are available in up to 9 languages to meet the needs of learners across your entire organization. All currently available certifications can be found here. Three different certification types are offered: 

Associate certification - Covers fundamental knowledge requirements for the successful acquisition of broad SAP solution knowledge and skills

Specialist certification - Offered in addition to an Associate certification, this certification level focuses on a specific role or integration component 

Professional certification - Advanced certification, requiring proven project experience, business process knowledge, and a more detailed understanding of SAP solutions

SAP ECC - SAP ERP Central Component

Tuesday, April 6, 2021

Allocating an Elastic IP address,and%20can't%20span%20zones.&text=One%20Subnet%20can%20span%20only,by%20default%20inside%20one%20VPC.

An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. You can associate an Elastic IP address with any instance or network interface in any VPC in your account. With an Elastic IP address, you can mask the failure of an instance by rapidly remapping the address to another instance in your VPC.

Starting from the introduction of VPC (Virtual Private Cloud), we have the ability to specify whether an EC2 instance should have a public IP address or not.

In some three-tier architectures, none of EC2 instances have public IP addresses and only public ELBs (Elastic Load Balancers) have them. The ELBs are used to accept traffic from the internet.

AWS has a giant pool of public IP addresses. The IP ranges are published here :

When an IP address is disassociated from an EC2 instance (for example when the instance is terminated), the IP address is returned back to the pool and may not be reused. Because of the nature of cloud computing where instances come and go, the risk for AWS to run out of IP address in the pool is somewhat reduced.

You can also claim a public IP address from Amazon’s pool into your account and associate it with your EC2 instance instead of relying on AWS to randomly assign it every time. It is called Elastic IP Address. It gives you the ability to assign “static” IP address to your instance. The default limit is 5 IP addresses per region (can be increased to some extent by contacting AWS support).

Elastic IP Address in your account that is not associated to any EC2 instance will incur cost. That is to discourage people from hoarding a large number of unused IP addresses in the account.

Bastion Host - An Instance Which Allows Authenticated users to login to Private EC2 instances via Internet, AWS

When we configure Bastion Host, We need to allow INCOMING Acess of SSH from Bastion Host only , In That Case we will mention Security Group Associated with Bastion Host

"SG-BASTION-HOST" - Source for Private EC2 Instances

Security Group :
It is stateful 
It has Incoming and Outgoing Rules
But Incoming is related to Outgoing 
It has no DENY/ALLOW rule flag
All Rules are ALLOW by default

Rule says 
->  Allow PROTOCOL on PORT from SOURCE  - Incoming
->  Allow PROTOCOL on PORT from DESTINATION - Outgoing

SSH is TCP Protocol on 22
HTTP is TCP protocol on 80
PING in NCMP Protocol

If Incoming Rule allowed SSH on Port 80 and I did not mention Allow SSH on Port 22 for Outgoing, Even Then SSH will be allowed in Outgoing because its stateful, it remembers.

If Outgoing Rule is allowed, on PORT 80 and We did  not Configure HTTP on Incoming Side
Even then SSH will be allowed on that Machine

Subnetting, CIDR, Subnet VPC, AWS

5 Hosts are reserved by AWS
1)0 : Network Name
2) 1: Router
3) 2: DNS Name Server
4) Unknown
5)Broadcasting Netcasting – – –
An address is Private if it starts with:
  • 10 or
  • 192.168 or
  • 172.[16-31]

Azure - Pipeline - Add Approver for Stage