This repository has been archived by the owner on Jun 15, 2023. It is now read-only.

Documentation updates
julieso committed Sep 13, 2021
1 parent fa74a83 commit ef4a904
Showing 3 changed files with 33 additions and 59 deletions.
8 changes: 4 additions & 4 deletions doc_source/amazon-vpc-limits.md
@@ -42,7 +42,7 @@ Each EC2 instance limits the number of packets that can be sent to the Amazon Ro
| --- | --- | --- |
| Prefix lists per Region | 100 | |
| Versions per prefix list | 1,000 | If a prefix list has 1,000 stored versions and you add a new version, the oldest version is removed so that the new version can be added\. |
| Maximum number of entries per prefix list | 1,000 | |
| Maximum number of entries per prefix list | 1,000 | When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts against the quota for the number of entries for the resource\. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules\. |
| References to a prefix list per resource type | 5,000 | This quota applies per resource type that can reference a prefix list\. For example, you can have 5,000 references to a prefix list across all of your security groups plus 5,000 references to a prefix list across all of your subnet route tables\. If you share a prefix list with other AWS accounts, the other accounts' references to your prefix list count toward this quota\. |

## Network ACLs<a name="vpc-limits-nacls"></a>
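Review bot: in the new Comments cell for "Maximum number of entries per prefix list", "the maximum number of entries for the prefix lists counts against the quota" should read "for the prefix list" (singular, one list is being referenced), and the sentence should say outright that it is the list's configured maximum, not its current entry count, that is charged; the 20-entry example implies this but the sentence before it does not. Since this cell becomes the only place stating the accounting rule (the equivalent sentence is being removed from the route table and security group rows in this same commit), consider adding a one-line pointer to it from those rows, and a caveat that a prefix list created with a generously sized maximum consumes that many rules of a security group's quota on every rule that references it.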
@@ -67,7 +67,7 @@ Each EC2 instance limits the number of packets that can be sent to the Amazon Ro
| Name | Default | Adjustable | Comments |
| --- | --- | --- | --- |
| Route tables per VPC | 200 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-589F43AA) | The main route table counts toward this quota\. |
| Routes per route table \(non\-propagated routes\) | 50 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-93826ACB) | You can increase this quota up to a maximum of 1,000; however, network performance might be impacted\. This quota is enforced separately for IPv4 routes and IPv6 routes\. If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance\. If you reference a customer\-managed prefix list in a route, the maximum number of entries for the prefix lists equals the same number of routes\. |
| Routes per route table \(non\-propagated routes\) | 50 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-93826ACB) | You can increase this quota up to a maximum of 1,000; however, network performance might be impacted\. This quota is enforced separately for IPv4 routes and IPv6 routes\. If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance\. |
| BGP advertised routes per route table \(propagated routes\) | 100 | No | If you require additional prefixes, advertise a default route\. |

## Security groups<a name="vpc-limits-security-groups"></a>
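Review bot: the sentence dropped from the Routes row ("If you reference a customer-managed prefix list in a route, the maximum number of entries for the prefix lists equals the same number of routes") was the only text in this table telling the reader that a prefix-list route is charged at the list's maximum entry count; with it gone, nothing in the Route tables section warns that a single route referencing a 1,000-entry prefix list can consume the entire 1,000-route ceiling mentioned in the same cell. Suggest keeping a short cross-reference, e.g. "A route that references a customer-managed prefix list counts as that list's maximum number of entries; see the prefix list quotas above."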
@@ -76,7 +76,7 @@ Each EC2 instance limits the number of packets that can be sent to the Amazon Ro
| Name | Default | Adjustable | Comments |
| --- | --- | --- | --- |
| VPC security groups per Region | 2,500 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-E79EC296) | This quota applies to individual AWS account VPCs and shared VPCs\. If you increase this quota to more than 5,000 security groups in a Region, we recommend that you paginate calls to describe your security groups for better performance\. |
| Inbound or outbound rules per security group | 60 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-0EA8095F) | You can have 60 inbound and 60 outbound rules per security group \(making a total of 120 rules\)\. This quota is enforced separately for IPv4 rules and IPv6 rules; for example, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic\. A rule that references a security group or AWS\-managed prefix list ID counts as one rule for IPv4 and one rule for IPv6\. A quota change applies to both inbound and outbound rules\. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000\. For example, if you increase this quota to 100, we decrease the quota for your number of security groups per network interface to 10\. If you reference a customer\-managed prefix list in a security group rule, the maximum number of entries for the prefix lists equals the same number of security group rules\. |
| Inbound or outbound rules per security group | 60 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-0EA8095F) | You can have 60 inbound and 60 outbound rules per security group \(making a total of 120 rules\)\. This quota is enforced separately for IPv4 rules and IPv6 rules; for example, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic\. A rule that references a security group or AWS\-managed prefix list ID counts as one rule for IPv4 and one rule for IPv6\. A quota change applies to both inbound and outbound rules\. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000\. For example, if you increase this quota to 100, we decrease the quota for your number of security groups per network interface to 10\. |
| Security groups per network interface | 5 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-2AFB9258) \(up to 16\) | This quota is enforced separately for IPv4 rules and IPv6 rules\. The quota for security groups per network interface multiplied by the quota for rules per security group cannot exceed 1,000\. For example, if you increase this quota to 10, we decrease the quota for your number of rules per security group to 100\. |

## VPC peering connections<a name="vpc-limits-peering"></a>
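Review bot: same concern as the Routes row: removing "If you reference a customer-managed prefix list in a security group rule, the maximum number of entries for the prefix lists equals the same number of security group rules" leaves the cell's remaining statement, "A rule that references a security group or AWS-managed prefix list ID counts as one rule for IPv4 and one rule for IPv6", reading as though every prefix-list reference costs one rule, which is true only for AWS-managed lists. Since the same cell also says rules multiplied by security groups per network interface cannot exceed 1,000, a single rule referencing a customer-managed prefix list with a large maximum can push a group past the 60-rule quota; suggest a one-line pointer back to the prefix list table here rather than relying on the reader to find it.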
@@ -122,7 +122,7 @@ For information about Amazon EC2 throttling, see [API Request Throttling](https:
## Additional quota resources<a name="additional-quotas"></a>

For more information, see the following:
+ [Transit gateway quotas](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html) in *Amazon VPC Transit Gateways*\.
+ [Transit gateway quotas](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html) in *Amazon VPC Transit Gateways*
+ [AWS Client VPN quotas](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/limits.html) in the *AWS Client VPN Administrator Guide*
+ [Site\-to\-Site VPN quotas](https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html) in the *AWS Site\-to\-Site VPN User Guide*
+ [AWS Direct Connect quotas](https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html) in the *AWS Direct Connect User Guide*
2 changes: 1 addition & 1 deletion doc_source/flow-logs.md
@@ -119,7 +119,7 @@ If a field is not applicable or could not be computed for a specific record, the
| az\-id | The ID of the Availability Zone that contains the network interface for which traffic is recorded\. If the traffic is from a sublocation, the record displays a '\-' symbol for this field\. | 4 |
| sublocation\-type | The type of sublocation that's returned in the sublocation\-id field\. The possible values are: [wavelength](https://aws.amazon.com/wavelength/) \| [outpost](https://docs.aws.amazon.com/outposts/latest/userguide/) \| [localzone](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-local-zones)\. If the traffic is not from a sublocation, the record displays a '\-' symbol for this field\. | 4 |
| sublocation\-id | The ID of the sublocation that contains the network interface for which traffic is recorded\. If the traffic is not from a sublocation, the record displays a '\-' symbol for this field\. | 4 |
| pkt\-src\-aws\-service | The name of the subset of [IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) for the pkt\-srcaddr field, if the source IP address is for an AWS service\. The possible values are: AMAZON \| AMAZON\_APPFLOW \| AMAZON\_CONNECT \| API\_GATEWAY \| CHIME\_MEETINGS \| CHIME\_VOICECONNECTOR \| CLOUD9 \| CLOUDFRONT \| CODEBUILD \| DYNAMODB \| EC2 \| EC2\_INSTANCE\_CONNECT \| GLOBALACCELERATOR \| KINESIS\_VIDEO\_STREAMS \| ROUTE53 \| ROUTE53\_HEALTHCHECKS \| S3 \| WORKSPACES\_GATEWAYS\. | 5 |
| pkt\-src\-aws\-service | The name of the subset of [IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) for the pkt\-srcaddr field, if the source IP address is for an AWS service\. The possible values are: AMAZON \| AMAZON\_APPFLOW \| AMAZON\_CONNECT \| API\_GATEWAY \| CHIME\_MEETINGS \| CHIME\_VOICECONNECTOR \| CLOUD9 \| CLOUDFRONT \| CODEBUILD \| DYNAMODB \| EBS \| EC2 \| EC2\_INSTANCE\_CONNECT \| GLOBALACCELERATOR \| KINESIS\_VIDEO\_STREAMS \| ROUTE53 \| ROUTE53\_HEALTHCHECKS \| ROUTE53\_HEALTHCHECKS\_PUBLISHING \| ROUTE53\_RESOLVER \| S3 \| WORKSPACES\_GATEWAYS\. | 5 |
| pkt\-dst\-aws\-service | The name of the subset of IP address ranges for the pkt\-dstaddr field, if the destination IP address is for an AWS service\. For a list of possible values, see the pkt\-src\-aws\-service field\. | 5 |
| flow\-direction | The direction of the flow with respect to the interface where traffic is captured\. The possible values are: ingress \| egress\. | 5 |
| traffic\-path | The path that egress traffic takes to the destination\. To determine whether the traffic is egress traffic, check the flow\-direction field\. The possible values are as follows\. If none of the values apply, the field is set to \-\. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) | 5 |
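Review bot: the pkt-src-aws-service value list gains EBS, ROUTE53_HEALTHCHECKS_PUBLISHING and ROUTE53_RESOLVER, yet the cell still says "The possible values are:" as if the set were closed; this commit itself shows the list grows over time, so flow log parsers or detection rules that validate this field against the documented enumeration will silently break on the next addition. Suggest "The possible values include:" (the pkt-dst-aws-service row defers to this cell, so it is covered by the same change), plus a sentence naming the linked IP address ranges page as the authoritative source of service names.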
82 changes: 28 additions & 54 deletions doc_source/vpc-subnets-commands-example.md
@@ -21,24 +21,19 @@ The first step is to create a VPC and two subnets\. This example uses the CIDR b

**To create a VPC and subnets using the AWS CLI**

1. Create a VPC with a `10.0.0.0/16` CIDR block\.
1. Create a VPC with a `10.0.0.0/16` CIDR block using the following [create\-vpc](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html) command\.

```
aws ec2 create-vpc --cidr-block 10.0.0.0/16
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text
```

In the output that's returned, take note of the VPC ID\.
The command returns the ID of the new VPC\. The following is an example\.

```
{
"Vpc": {
"VpcId": "vpc-2f09a348",
...
}
}
vpc-2f09a348
```

1. Using the VPC ID from the previous step, create a subnet with a `10.0.1.0/24` CIDR block\.
1. Using the VPC ID from the previous step, create a subnet with a `10.0.1.0/24` CIDR block using the following [create\-subnet](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-subnet.html) command\.

```
aws ec2 create-subnet --vpc-id vpc-2f09a348 --cidr-block 10.0.1.0/24
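Review bot: the create-vpc invocation now prints a bare ID via --query Vpc.VpcId --output text, but the next step (and every later step in the file) still hard-codes vpc-2f09a348; since the output is now shell-friendly, consider capturing it, e.g. vpc_id=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text) and using $vpc_id in create-subnet, so a reader cannot paste the example ID into their own account by mistake. The rewrite also dropped "take note of the VPC ID" from the prose; keep an explicit instruction to record the value, because the attach-internet-gateway and create-route-table steps depend on it.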
@@ -56,55 +51,43 @@ After you've created the VPC and subnets, you can make one of the subnets a publ

**To make your subnet a public subnet**

1. Create an internet gateway\.
1. Create an internet gateway using the following [create\-internet\-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html) command\.

```
aws ec2 create-internet-gateway
aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text
```

In the output that's returned, take note of the internet gateway ID\.
The command returns the ID of the new internet gateway\. The following is an example\.

```
{
"InternetGateway": {
...
"InternetGatewayId": "igw-1ff7a07b",
...
}
}
igw-1ff7a07b
```

1. Using the ID from the previous step, attach the internet gateway to your VPC\.
1. Using the ID from the previous step, attach the internet gateway to your VPC using the following [attach\-internet\-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html) command\.

```
aws ec2 attach-internet-gateway --vpc-id vpc-2f09a348 --internet-gateway-id igw-1ff7a07b
```

1. Create a custom route table for your VPC\.
1. Create a custom route table for your VPC using the following [create\-route\-table](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html) command\.

```
aws ec2 create-route-table --vpc-id vpc-2f09a348
aws ec2 create-route-table --vpc-id vpc-2f09a348 --query RouteTable.RouteTableId --output text
```

In the output that's returned, take note of the route table ID\.
The command returns the ID of the new route table\. The following is an example\.

```
{
"RouteTable": {
...
"RouteTableId": "rtb-c1c8faa6",
...
}
}
rtb-c1c8faa6
```

1. Create a route in the route table that points all traffic \(`0.0.0.0/0`\) to the Internet gateway\.
1. Create a route in the route table that points all traffic \(`0.0.0.0/0`\) to the internet gateway using the following [create\-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html) command\.

```
aws ec2 create-route --route-table-id rtb-c1c8faa6 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-1ff7a07b
```

1. To confirm that your route has been created and is active, you can describe the route table and view the results\.
1. \(Optional\) To confirm that your route has been created and is active, you can describe the route table using the following [describe\-route\-tables](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-route-tables.html) command\.

```
aws ec2 describe-route-tables --route-table-id rtb-c1c8faa6
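Review bot: the create-route step is the point at which any subnet associated with this table becomes internet-reachable, and the describe-route-tables step that follows is now labelled "(Optional)" while still promising to confirm the route "is active" without naming which field in the output the reader should check; either name that field or apply the same --query/--output text treatment given to create-internet-gateway and create-route-table in this hunk so the confirmation shows only the 0.0.0.0/0 route and its state. Given that the next steps associate a subnet with this table, a short sentence here saying that the 0.0.0.0/0 route to the internet gateway is exactly what makes a subnet "public" would make the security consequence of the step explicit.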
@@ -138,7 +121,7 @@ After you've created the VPC and subnets, you can make one of the subnets a publ
}
```

1. The route table is currently not associated with any subnet\. You need to associate it with a subnet in your VPC so that traffic from that subnet is routed to the internet gateway\. First, use the `describe-subnets` command to get your subnet IDs\. You can use the `--filter` option to return the subnets for your new VPC only, and the `--query` option to return only the subnet IDs and their CIDR blocks\.
1. The route table is currently not associated with any subnet\. You need to associate it with a subnet in your VPC so that traffic from that subnet is routed to the internet gateway\. Use the following [describe\-subnets](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-subnets.html) command to get the subnet IDs\. The `--filter` option restricts the subnets to your new VPC only, and the `--query` option returns only the subnet IDs and their CIDR blocks\.

```
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-2f09a348" --query "Subnets[*].{ID:SubnetId,CIDR:CidrBlock}"
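Review bot: the rewritten sentence still refers to "the `--filter` option" while the command on the next line uses `--filters`; the prose should name the flag as actually typed. Minor wording: "restricts the subnets to your new VPC only" reads better as "restricts the results to subnets in your new VPC".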
@@ -157,13 +140,13 @@ After you've created the VPC and subnets, you can make one of the subnets a publ
]
```

1. You can choose which subnet to associate with the custom route table, for example, `subnet-b46032ec`\. This subnet will be your public subnet\.
1. You can choose which subnet to associate with the custom route table, for example, `subnet-b46032ec`, and associate it using the [associate\-route\-table](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html) command\. This subnet is your public subnet\.

```
aws ec2 associate-route-table --subnet-id subnet-b46032ec --route-table-id rtb-c1c8faa6
```

1. You can optionally modify the public IP addressing behavior of your subnet so that an instance launched into the subnet automatically receives a public IP address\. Otherwise, you should associate an Elastic IP address with your instance after launch so that it's reachable from the internet\.
1. \(Optional\) You can modify the public IP addressing behavior of your subnet so that an instance launched into the subnet automatically receives a public IP address using the following [modify\-subnet\-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-subnet-attribute.html) command\. Otherwise, associate an Elastic IP address with your instance after launch so that the instance is reachable from the internet\.

```
aws ec2 modify-subnet-attribute --subnet-id subnet-b46032ec --map-public-ip-on-launch
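Review bot: the "(Optional)" modify-subnet-attribute step says the instance is "reachable from the internet" once it has a public or Elastic IP, but an address alone is not enough: the security group applied at launch must also allow the inbound traffic, which this file covers further down ("If you use `0.0.0.0/0`, you enable all IPv4 addresses to access your instance"). Suggest a half-sentence saying so here, plus a caveat that --map-public-ip-on-launch applies to every instance launched into the subnet from then on, not only the one in this walkthrough, which is a wider exposure than attaching an Elastic IP to a single instance.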
@@ -215,32 +198,23 @@ If you use `0.0.0.0/0`, you enable all IPv4 addresses to access your instance us
**Note**
In this example, the AMI is an Amazon Linux AMI in the US East \(N\. Virginia\) Region\. If you're in a different Region, you'll need the AMI ID for a suitable AMI in your Region\. For more information, see [Finding a Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) in the *Amazon EC2 User Guide for Linux Instances*\.

1. Your instance must be in the `running` state in order to connect to it\. Describe your instance and confirm its state, and take note of its public IP address\.
1. Your instance must be in the `running` state in order to connect to it\. Use the following command to describe the state and IP address of your instance\.

```
aws ec2 describe-instances --instance-id i-0146854b7443af453
aws ec2 describe-instances --instance-id i-0146854b7443af453 --query "Reservations[*].Instances[*].{State:State.Name,Address:PublicIpAddress}"
```

The following is example output\.

```
{
"Reservations": [
[
[
{
...
"Instances": [
{
...
"State": {
"Code": 16,
"Name": "running"
},
...
"PublicIpAddress": "52.87.168.235",
...
}
]
"State": "running",
"Address": "52.87.168.235"
}
]
}
]
```

1. When your instance is in the running state, you can connect to it using an SSH client on a Linux or Mac OS X computer by using the following command:
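Review bot: the new describe-instances --query returns a nested list ([[{...}]]) because of Reservations[*].Instances[*], as the sample output shows, which is inconsistent with the --output text style adopted for the create-* commands earlier in this file; adding --output text, or flattening with Reservations[].Instances[], would give a flat result that is easier to paste. The rewrite also dropped "take note of its public IP address" from the step text even though the SSH step immediately after needs that address; keep that instruction. Nothing says what to do if State is not yet running, so a note to re-run the command until it is would round off the step.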
