Best Practices-references

USE of NACL

Additional layer of security. AWS recommends using network ACLs as firewalls to control inbound and outbound traffic at the subnet level. This Quick Start provides an option to create a network ACL protected subnet in each Availability Zone. These network ACLs provide individual controls that you can customize as a second layer of defense.

We recommend that you use network ACLs sparingly for the following reasons: they can be complex to manage, they are stateless, every IP address must be explicitly opened in each (inbound/outbound) direction, and they affect a complete subnet. We recommend that you use security groups more often than network ACLs, and create and apply these based on a schema that works for your organization. Some examples are server roles and application roles. For more information about security groups and network ACLs

Ref: https://docs.aws.amazon.com/quickstart/latest/vpc/architecture.html

Routing Tables

Independent routing tables configured for every private subnet to control the flow of traffic within and outside the Amazon VPC. The public subnets share a single routing table, because they all use the same Internet gateway as the sole route to communicate with the Internet.

Use NAT gateways

Highly available NAT gateways, where supported, instead of NAT instances. NAT gateways offer major advantages in terms of deployment, availability, and maintenance. For more information see the comparison provided in the Amazon VPC documentation.

Plan CIDER for VPC Sizing

Spare capacity for additional subnets, to support your environment as it grows or changes over time.

I have seen constrains caused by assigning tight spacing for vpc , this may be for valid reasons as orgs have some limitations around ip address space availability but this will quickly bounce back and have a serious impact on future production releases

Page updated

Google Sites

Report abuse