kb.erickguedes.com
AWS: Cloud Computing in Practice

VPC — Networking on AWS

Lesson 4 of 8

Amazon VPC

A VPC (Virtual Private Cloud) is your logically isolated network inside AWS: you choose the address range, the subnets, the route tables and the gateways, and nothing outside reaches it unless you attach a gateway and add a route to it.

VPC (10.0.0.0/16)
├── Public Subnet (10.0.1.0/24) → Internet Gateway
│   └── EC2 (NAT, Bastion)
└── Private Subnet (10.0.2.0/24) → NAT Gateway
    └── RDS, ElastiCache, EC2 (app)

Lab: Complete VPC via the CLI

# 1. Create the VPC and tag it
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 \
  --query 'Vpc.VpcId' --output text)
aws ec2 create-tags --resources $VPC_ID \
  --tags Key=Name,Value=minha-vpc

# 2. Enable DNS resolution and DNS hostnames (needed for public DNS names
#    and for interface endpoints with private DNS)
aws ec2 modify-vpc-attribute \
  --vpc-id $VPC_ID --enable-dns-support
aws ec2 modify-vpc-attribute \
  --vpc-id $VPC_ID --enable-dns-hostnames

# 3. Subnets (one public and one private, same AZ for this lab)
PUB_SN=$(aws ec2 create-subnet \
  --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --query 'Subnet.SubnetId' --output text)
aws ec2 create-tags --resources $PUB_SN \
  --tags Key=Name,Value=public-subnet
# instances launched in the public subnet get a public IPv4 automatically
aws ec2 modify-subnet-attribute \
  --subnet-id $PUB_SN --map-public-ip-on-launch

PRIV_SN=$(aws ec2 create-subnet \
  --vpc-id $VPC_ID --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1a \
  --query 'Subnet.SubnetId' --output text)
aws ec2 create-tags --resources $PRIV_SN \
  --tags Key=Name,Value=private-subnet

# 4. Internet Gateway
IGW_ID=$(aws ec2 create-internet-gateway \
  --query 'InternetGateway.InternetGatewayId' --output text)
aws ec2 attach-internet-gateway \
  --vpc-id $VPC_ID --internet-gateway-id $IGW_ID

# 5. Public route table: default route to the IGW.
#    A subnet is "public" only because its route table sends 0.0.0.0/0 to an IGW.
PUB_RT=$(aws ec2 create-route-table --vpc-id $VPC_ID \
  --query 'RouteTable.RouteTableId' --output text)
aws ec2 create-route --route-table-id $PUB_RT \
  --destination-cidr-block 0.0.0.0/0 --gateway-id $IGW_ID
aws ec2 associate-route-table \
  --subnet-id $PUB_SN --route-table-id $PUB_RT

# 6. NAT Gateway (lives in the public subnet, serves the private subnets)
EIP=$(aws ec2 allocate-address --domain vpc \
  --query 'AllocationId' --output text)
NAT_ID=$(aws ec2 create-nat-gateway \
  --subnet-id $PUB_SN --allocation-id $EIP \
  --query 'NatGateway.NatGatewayId' --output text)
aws ec2 wait nat-gateway-available --nat-gateway-ids $NAT_ID

# 7. Private route table: default route through the NAT Gateway. Without this
#    step the private subnet stays on the VPC's main route table and has no
#    outbound internet access at all.
PRIV_RT=$(aws ec2 create-route-table --vpc-id $VPC_ID \
  --query 'RouteTable.RouteTableId' --output text)
aws ec2 create-route --route-table-id $PRIV_RT \
  --destination-cidr-block 0.0.0.0/0 --nat-gateway-id $NAT_ID
aws ec2 associate-route-table \
  --subnet-id $PRIV_SN --route-table-id $PRIV_RT

VPC Flow Logs — Monitoring

# Flow Logs for every network interface in the VPC
# (the role in --deliver-logs-permission-arn must trust vpc-flow-logs.amazonaws.com
#  and be allowed to write to the log group)
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids $VPC_ID \
  --traffic-type ALL \
  --log-group-name "vpc-flow-logs" \
  --deliver-logs-permission-arn "arn:aws:iam::xxx:role/FlowLogsRole"

Each record summarises one aggregation window for one ENI and 5-tuple and carries the action taken (ACCEPT or REJECT) after security groups and NACLs were applied; it is metadata only, never payload. Traffic to the Amazon DNS resolver, to the instance metadata service and DHCP traffic are not logged, so flow logs do not replace DNS query logging or host-level telemetry.
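The following is an added example, not code from the course, that parses records in the default flow-log format (version 2, space separated) and flags source addresses whose REJECTed flows hit many distinct destination ports, a crude port-scan heuristic of the kind a detection rule over CloudWatch Logs would implement. The records are constructed for the example; the account and ENI identifiers and the five-port threshold are assumptions.

```python
"""Parse VPC Flow Log records (default v2 format) and flag likely port scans.
Added example for this lesson; the records below are constructed, not real."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order of the default flow-log format (version 2)
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: one host probing several ports (all REJECTed),
# a single rejected SSH attempt, an accepted PostgreSQL flow, and a NODATA window.
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.2.15 51234 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.2.15 51235 23 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.2.15 51236 80 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.2.15 51237 443 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.2.15 51238 3306 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.2.15 51239 8080 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.4 10.0.2.15 40000 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.15 50022 5432 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000060 - NODATA",
]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA number: 6 = TCP, 17 = UDP
    action: str     # ACCEPT or REJECT (combined decision of SG + NACL)


def parse_record(line):
    """Parse one default-format line; return None for NODATA/SKIPDATA
    windows, whose traffic fields are '-' and carry no flow information."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]),
                      int(rec["protocol"]), rec["action"])


def count_actions(lines):
    """Number of ACCEPT and REJECT records, ignoring NODATA/SKIPDATA."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            counts[rec.action] += 1
    return dict(counts)


def find_scanners(lines, min_ports=5):
    """Sources whose REJECTed flows reached at least min_ports distinct
    destination ports. Returns {srcaddr: sorted list of ports}."""
    rejected_ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        rejected_ports[rec.srcaddr].add(rec.dstport)
    return {src: sorted(ports) for src, ports in rejected_ports.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    print(count_actions(SAMPLE_RECORDS))
    for src, ports in find_scanners(SAMPLE_RECORDS).items():
        print(f"possible scan from {src}: rejected on ports {ports}")
```

A single rejected connection (198.51.100.4 above) stays below the threshold, which is the point of counting distinct ports rather than raw REJECTs. If you change the log format with --log-format, adjust FIELDS to match, since the parser relies on positional fields.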

VPC Peering

# Connect two VPCs (same or different account). The CIDRs must not overlap,
# and peering is not transitive: A<->B plus B<->C does not give A<->C.
# For a VPC in another region, add --peer-region.
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-aaa --peer-vpc-id vpc-bbb \
  --peer-owner-id 123456789012

# Accept (side B, the account that owns vpc-bbb)
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-xxx

# Add routes in BOTH VPCs (each side routes the other's CIDR to the pcx),
# then open the security groups: a route alone does not permit traffic
aws ec2 create-route --route-table-id rtb-pub-a \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-xxx

Security Groups and NACLs

# SG: stateful, attached to the instance's ENI; allow rules only, and
# return traffic is permitted automatically by connection tracking
aws ec2 describe-security-groups --group-ids sg-xxx

# NACL: stateless, attached to the subnet; ordered allow/deny rules, and the
# reply path (ephemeral ports 1024-65535) must be allowed explicitly
aws ec2 describe-network-acls --filters "Name=vpc-id,Values=$VPC_ID"

# NACL example: deny a specific IP range (e.g. a country's address blocks).
# Rules are evaluated in ascending rule number and the first match wins, so the
# deny must be numbered below the allow it overrides. On the default NACL rule
# 100 already exists (allow all) and this call fails; use a free lower number.
# A NACL holds 20 rules per direction by default, so for real geo-blocking
# use AWS WAF geographic match instead.
aws ec2 create-network-acl-entry \
  --network-acl-id acl-xxx \
  --ingress --rule-number 100 \
  --protocol tcp --port-range From=0,To=65535 \
  --cidr-block "203.0.113.0/24" --rule-action deny
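The difference between the two filters is easiest to see by evaluating rules by hand. The block below is an added example, not part of the course: a small evaluator that applies NACL semantics (ascending rule number, first match wins, implicit deny at the end, no connection state) and security-group semantics (unordered allow-only rules, replies tracked) to a TCP session. The rule sets, addresses and ephemeral port are constructed; the deny rule mirrors the lesson's 203.0.113.0/24 entry.

```python
"""Evaluate NACL (stateless, ordered, default deny) and security-group
(stateful, allow-only) rules for a TCP session. Added example for this lesson;
the rule sets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # NACL: evaluated in ascending order, first match wins
    protocol: str     # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str       # "allow" or "deny" (security groups are allow-only)


def nacl_decision(rules, addr, port, protocol="tcp"):
    """Decision of one NACL direction for a packet to/from addr:port.
    No rule matching falls through to the implicit '*' deny."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if not rule.from_port <= port <= rule.to_port:
            continue
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"


def nacl_allows_session(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request (client -> server_port) must pass the inbound
    rules AND the reply (server -> client_port, an ephemeral port) must pass
    the outbound rules; nothing remembers the first packet."""
    request_ok = nacl_decision(inbound, client_ip, server_port) == "allow"
    reply_ok = nacl_decision(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


def sg_allows_session(inbound, client_ip, server_port):
    """Stateful: rules are unordered and allow-only; if any inbound rule
    matches the request, the reply is permitted by connection tracking."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        r.protocol in ("-1", "tcp")
        and r.from_port <= server_port <= r.to_port
        and ip in ipaddress.ip_network(r.cidr)
        for r in inbound
    )


# Constructed rule sets
INBOUND = [
    Rule(100, "tcp", 0, 65535, "203.0.113.0/24", "deny"),   # the lesson's deny, numbered lowest
    Rule(200, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
INBOUND_SHADOWED = [                                       # same deny, numbered AFTER the allow
    Rule(200, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(300, "tcp", 0, 65535, "203.0.113.0/24", "deny"),
]
OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]     # no ephemeral range
OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]   # replies to client ports
SG_INBOUND = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print(nacl_decision(INBOUND, "203.0.113.9", 443))           # deny
    print(nacl_decision(INBOUND_SHADOWED, "203.0.113.9", 443))  # allow: the deny is shadowed
    print(nacl_allows_session(INBOUND, OUTBOUND_BROKEN, "198.51.100.7", 51000, 443))  # False
    print(nacl_allows_session(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51000, 443))   # True
    print(sg_allows_session(SG_INBOUND, "198.51.100.7", 443))   # True
```

Two failure modes the evaluator makes visible: a deny numbered above the allow it is meant to override never fires, and an outbound NACL that only allows port 443 silently drops every reply because the client's side of the connection uses an ephemeral port.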

Subnet Design Patterns

Production:
├── us-east-1a public  (10.0.1.0/24)
├── us-east-1a private (10.0.2.0/24)
├── us-east-1b public  (10.0.3.0/24)
├── us-east-1b private (10.0.4.0/24)
├── us-east-1c public  (10.0.5.0/24)
└── us-east-1c private (10.0.6.0/24)

Size CIDR blocks with room to grow (a /16 VPC), keeping in mind that AWS reserves five addresses in every subnet. Always put databases in private subnets. A NAT Gateway is billed per hour plus per GB processed, but private instances need it to reach the internet for package updates; it is also zonal, so give each AZ its own NAT Gateway rather than routing every private subnet through one AZ. For traffic to AWS services such as S3 or ECR, a VPC endpoint keeps the traffic off the public internet and avoids NAT data-processing charges.
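To turn the design rules above and the peering section's no-overlap requirement into something checkable, here is an added example (not course code) that carves a VPC CIDR into the per-AZ public/private layout shown in the table, validates a hand-written plan for blocks outside the VPC or overlapping each other, and checks a peer VPC's CIDR for overlap before a peering request. The CIDRs and AZ names are the lesson's; the skip of the first /24 reproduces the table's numbering and is an assumption about the author's intent.

```python
"""Carve a VPC CIDR into per-AZ public/private subnets, validate a hand-written
plan, and check a peer VPC for CIDR overlap before requesting peering.
Added example for this lesson; CIDRs and AZ names follow the lesson's table."""
import ipaddress

# AWS reserves the first four and the last address of every subnet
RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, subnet_prefix=24, skip=1):
    """One public and one private subnet per AZ, in the lesson's order.
    skip=1 leaves the first block (10.0.0.0/24 here) unused, as the table does."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=subnet_prefix)
    for _ in range(skip):
        next(blocks)
    return [(az, tier, str(next(blocks))) for az in azs for tier in ("public", "private")]


def usable_hosts(subnet_cidr):
    """Addresses actually assignable to ENIs in the subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnet_cidrs):
    """Problems with a subnet plan: blocks outside the VPC or overlapping
    each other (create-subnet rejects both)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = [f"{n} is outside {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def peering_conflicts(local_cidr, peer_cidrs):
    """Peer CIDRs overlapping the local VPC. AWS refuses a peering connection
    between overlapping VPCs, and even a partial overlap leaves routes ambiguous."""
    local = ipaddress.ip_network(local_cidr)
    return [c for c in peer_cidrs if ipaddress.ip_network(c).overlaps(local)]


if __name__ == "__main__":
    AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
    plan = plan_subnets("10.0.0.0/16", AZS)
    for az, tier, cidr in plan:
        print(f"{az} {tier:<8} {cidr}  ({usable_hosts(cidr)} usable hosts)")
    print(validate_plan("10.0.0.0/16", [cidr for _, _, cidr in plan]))            # []
    print(peering_conflicts("10.0.0.0/16", ["10.1.0.0/16", "10.0.128.0/17"]))    # ['10.0.128.0/17']
```

Run peering_conflicts against every VPC you might peer with (and against on-premises ranges reachable over VPN or Direct Connect) before choosing the /16; renumbering a VPC later means recreating it.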