Profile Applicability:

  • Level 1

Description:

Amazon VPC (Virtual Private Cloud) provides network isolation for resources in the AWS cloud. A VPC spans every Availability Zone (AZ) in its region, but each subnet is bound to exactly one AZ when it is created and cannot be moved afterwards. AZs are physically separate locations within a region, designed to be independent of one another for fault tolerance. This SOP ensures that each VPC has subnets in more than one AZ, so that if one AZ becomes unavailable, resources placed in subnets of the other AZs remain operational.

Rationale:

By placing subnets in more than one Availability Zone (AZ), you make it possible to run applications and resources with high availability and fault tolerance. This setup prevents a single AZ failure from taking down every resource in the VPC and underpins the resiliency of load balancing, Auto Scaling and managed Multi-AZ services, which require subnets in at least two AZs to spread their capacity. Multi-AZ subnets are the prerequisite, not the guarantee: workloads must actually be deployed into subnets from more than one AZ (for example an Auto Scaling group or load balancer configured with a subnet in each AZ). It is considered a best practice for building robust, fault-tolerant architectures in the cloud.

Impact:

Pros:

  • Improved Availability: If one AZ goes down, resources in other AZs will remain operational.

  • Fault Tolerance: Better protection against localized failures in the AWS region.

  • Scalability: Spreads resources across AZs, facilitating load balancing and scaling.

Cons:

  • Cost: Running a copy of the supporting infrastructure in each AZ (for example a NAT gateway per AZ) adds charges, and traffic that crosses AZs incurs cross-AZ data transfer fees.

  • Complexity: Requires careful management of route tables, NAT gateway placement and subnet-to-AZ assignments so that a private subnet in one AZ does not depend on a gateway in another. Security groups are not tied to an AZ and need no per-AZ configuration.

Default Value:

A VPC created with create-vpc (or the console's "VPC only" option) has no subnets at all; every subnet is created explicitly and is pinned to the single AZ chosen at creation time. Only the account's default VPC comes with one default subnet per AZ. For any VPC you create yourself, subnets in at least two AZs must be added deliberately.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeVpcs

    • ec2:DescribeSubnets

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeRouteTables

    • ec2:CreateSubnet

    • ec2:DeleteSubnet (backout)

    • ec2:DisassociateRouteTable (backout)

  • AWS CLI installed and configured.

  • Basic knowledge of VPC, subnetting, and AWS Availability Zones.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC under Services.

  3. In the VPC Dashboard, select Your VPCs.

  4. Select Subnets and filter by VPC ID. For each VPC, confirm that the Availability Zone column shows at least two different AZs:

    • A VPC whose subnets all sit in a single AZ, or a VPC with no subnets at all, fails this check.

  5. Verify Route Tables:

    • Traffic between subnets of the same VPC, in any AZ, is covered by the implicit local route, so no extra route is needed for cross-AZ communication. Check instead that each subnet is associated with the intended route table and that private subnets send 0.0.0.0/0 to a NAT gateway in their own AZ; otherwise an outage of the gateway's AZ also breaks egress from the surviving AZs.

Using AWS CLI:

To list all VPCs and their associated subnets, run:

aws ec2 describe-vpcs --query 'Vpcs[*].VpcId'
aws ec2 describe-subnets --query 'Subnets[*].{SubnetId:SubnetId,VpcId:VpcId,AvailabilityZone:AvailabilityZone,AvailabilityZoneId:AvailabilityZoneId}' --output table

Review the AvailabilityZone attribute:

  • A VPC passes only when its subnets show at least two different AvailabilityZone values. A VPC returned by describe-vpcs that has no subnets at all also fails. AZ names such as us-east-1a are mapped independently per account, so when comparing across accounts use AvailabilityZoneId instead.
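The CLI check above is easy to do by eye for a handful of VPCs but not at account scale. The following script is an added example, not part of the original SOP: it reads the JSON printed by `aws ec2 describe-subnets --output json` (and optionally `aws ec2 describe-vpcs --output json`, so VPCs with no subnets are caught too) and reports every VPC whose subnets occupy fewer than two distinct Availability Zones. The sample documents embedded in it are constructed, the AZ-name-to-AZ-ID pairs in them are illustrative, and the threshold MIN_AZS and the file name audit_vpc_azs.py are assumptions, so it runs offline as-is.

```python
"""Flag VPCs whose subnets do not span at least MIN_AZS Availability Zones.

Added example, not part of the original SOP. Usage with live data:

    aws ec2 describe-subnets --output json > subnets.json
    aws ec2 describe-vpcs    --output json > vpcs.json
    python3 audit_vpc_azs.py subnets.json vpcs.json

With no arguments it evaluates the constructed sample below.
"""
from __future__ import annotations

import json
import sys
from collections import defaultdict
from pathlib import Path

MIN_AZS = 2  # assumption: at least two AZs per VPC is the pass condition

# Constructed sample in the shape of `describe-subnets` / `describe-vpcs`
# output. The AZ-name -> AZ-ID pairs are illustrative only.
SAMPLE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-0a1", "VpcId": "vpc-0111", "CidrBlock": "10.0.0.0/24",
     "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az1"},
    {"SubnetId": "subnet-0a2", "VpcId": "vpc-0111", "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az2"},
    {"SubnetId": "subnet-0b1", "VpcId": "vpc-0222", "CidrBlock": "10.1.0.0/24",
     "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az1"},
    {"SubnetId": "subnet-0b2", "VpcId": "vpc-0222", "CidrBlock": "10.1.1.0/24",
     "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az1"},
]})
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0111"}, {"VpcId": "vpc-0222"}, {"VpcId": "vpc-0333"},
]})


def azs_per_vpc(subnets_json: str) -> dict[str, set[str]]:
    """Map each VpcId to the set of AZs its subnets occupy.

    AvailabilityZoneId is preferred over the AZ name because names such as
    us-east-1a are mapped independently per account; the name is used only
    when the ID field is absent.
    """
    azs: dict[str, set[str]] = defaultdict(set)
    for subnet in json.loads(subnets_json).get("Subnets", []):
        az = subnet.get("AvailabilityZoneId") or subnet["AvailabilityZone"]
        azs[subnet["VpcId"]].add(az)
    return dict(azs)


def find_noncompliant_vpcs(subnets_json: str, vpcs_json: str | None = None,
                           min_azs: int = MIN_AZS) -> dict[str, list[str]]:
    """Return {VpcId: sorted AZ list} for every VPC below the threshold.

    A VPC with no subnets never appears in describe-subnets output, so the
    optional describe-vpcs document is used to report it with an empty list.
    """
    azs = azs_per_vpc(subnets_json)
    if vpcs_json is not None:
        for vpc in json.loads(vpcs_json).get("Vpcs", []):
            azs.setdefault(vpc["VpcId"], set())
    return {vpc: sorted(zones) for vpc, zones in azs.items()
            if len(zones) < min_azs}


def main(argv: list[str]) -> int:
    """Print one FAIL line per non-compliant VPC; exit status 1 if any."""
    if len(argv) >= 2:
        subnets = Path(argv[1]).read_text()
        vpcs = Path(argv[2]).read_text() if len(argv) >= 3 else None
    else:
        subnets, vpcs = SAMPLE_SUBNETS, SAMPLE_VPCS
    failing = find_noncompliant_vpcs(subnets, vpcs)
    for vpc_id, zones in sorted(failing.items()):
        print(f"FAIL {vpc_id}: subnets in {len(zones)} AZ(s) {zones}")
    if not failing:
        print(f"PASS: every VPC has subnets in at least {MIN_AZS} AZs")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status makes the script usable as a gate in a pipeline or scheduled compliance job; the describe-vpcs input is worth passing, because a freshly created VPC with no subnets is exactly the case the subnet listing alone cannot see.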

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to VPC.

  3. In the VPC Dashboard, choose Subnets under the Virtual Private Cloud section.

  4. Review each VPC to ensure that subnets are distributed across multiple AZs.

  5. If subnets are only in a single AZ (or there are none):

    • Click Create Subnet, select the VPC, and choose an Availability Zone different from the one already in use. Give the subnet a CIDR block inside the VPC CIDR that does not overlap any existing subnet (AWS allows subnet sizes from /16 to /28).

    • Repeat until the VPC has at least one subnet in each AZ you intend to use, then deploy resources (Auto Scaling groups, load balancers, databases) into subnets from more than one AZ.

  6. Associate each new subnet with the appropriate route table. A new subnet uses the VPC's main route table until you associate it explicitly; for private subnets, route 0.0.0.0/0 to a NAT gateway in the same AZ.

Using AWS CLI:

To create a subnet in a different Availability Zone, run the following command. The CIDR block must lie inside the VPC CIDR, must not overlap an existing subnet, and must be between /16 and /28:

aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <cidr-block> --availability-zone <zone>

Verify that the subnet was created in the desired AZ:

aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id> --query 'Subnets[*].{ID:SubnetId,AZ:AvailabilityZone,CIDR:CidrBlock,VpcId:VpcId}' --output table

Repeat with a different --availability-zone (and a non-overlapping --cidr-block) for every AZ the VPC should cover, then place resources in subnets from more than one AZ.
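Choosing a CIDR for each new subnet is the error-prone part of the CLI step: the block must sit inside the VPC CIDR, must not overlap any subnet that already exists, and each AZ needs its own. The script below is an added example, not part of the original SOP: it carves the next free block of the requested size out of the VPC CIDR for each AZ, skipping CIDRs already in use, refuses to plan fewer than two distinct AZs, and prints the matching `aws ec2 create-subnet` commands. The VPC ID, VPC CIDR, subnet prefix length and AZ names in main() are assumptions; real AZ names come from `aws ec2 describe-availability-zones`, and the in-use CIDRs from the CidrBlock field of `aws ec2 describe-subnets`.

```python
"""Plan one subnet per Availability Zone inside a VPC CIDR and emit the
`aws ec2 create-subnet` commands that create them.

Added example, not part of the original SOP. All inputs in main() are
assumptions; replace them with values from your own account.
"""
from __future__ import annotations

import ipaddress
from collections.abc import Iterable


def plan_subnets(vpc_cidr: str, azs: list[str], prefix_len: int,
                 in_use: Iterable[str] = ()) -> list[tuple[str, str]]:
    """Return [(az, cidr), ...] with one fresh block per AZ.

    Blocks listed in `in_use` (the CidrBlock of existing subnets) are skipped
    so the new subnets do not overlap them. Raises ValueError for fewer than
    two distinct AZs (the point of this control), for a prefix outside the
    /16 to /28 range AWS allows for subnets, or when no free block is left.
    """
    if len(set(azs)) < 2:
        raise ValueError("plan at least two distinct Availability Zones")
    vpc = ipaddress.ip_network(vpc_cidr)
    if prefix_len < max(vpc.prefixlen, 16) or prefix_len > 28:
        raise ValueError(f"/{prefix_len} is not a valid subnet size for {vpc_cidr}")
    used = [ipaddress.ip_network(c) for c in in_use]
    # Lazily walk the VPC's /prefix_len blocks, dropping any that overlap a
    # subnet that already exists.
    free = (block for block in vpc.subnets(new_prefix=prefix_len)
            if not any(block.overlaps(u) for u in used))
    plan: list[tuple[str, str]] = []
    for az in azs:
        block = next(free, None)
        if block is None:
            raise ValueError(f"{vpc_cidr} has no free /{prefix_len} left for {az}")
        plan.append((az, str(block)))
    return plan


def create_subnet_commands(vpc_id: str, plan: list[tuple[str, str]],
                           name_prefix: str = "app") -> list[str]:
    """Render one `aws ec2 create-subnet` command per planned subnet.

    The Name tag embeds the AZ so the subnet's zone is visible at a glance
    in the console; --tag-specifications uses the CLI's shorthand syntax.
    """
    return [
        "aws ec2 create-subnet"
        f" --vpc-id {vpc_id}"
        f" --cidr-block {cidr}"
        f" --availability-zone {az}"
        f" --tag-specifications 'ResourceType=subnet,"
        f"Tags=[{{Key=Name,Value={name_prefix}-{az}}}]'"
        for az, cidr in plan
    ]


def main() -> None:
    # Assumed inputs: a /16 VPC that already has one /20 subnet in us-east-1a.
    vpc_id, vpc_cidr = "vpc-0123456789abcdef0", "10.0.0.0/16"
    existing = ["10.0.0.0/20"]
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
    plan = plan_subnets(vpc_cidr, azs, 20, existing)
    for cmd in create_subnet_commands(vpc_id, plan):
        print(cmd)


if __name__ == "__main__":
    main()
```

Review the printed commands before running them; the planner only guarantees that the CIDRs fit and do not collide, not that they match your addressing scheme, so adjust the prefix length or the list of in-use blocks if you need a different layout.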


Backout Plan:

If creating or modifying subnets results in misconfigurations:

Identify the affected subnet and any route table association made for it.

Delete the misconfigured subnet (the call fails while any network interface, such as a running instance, is still in the subnet; remove those resources first):

aws ec2 delete-subnet --subnet-id <subnet-id>

Deleting the subnet also removes its route table association. If the new subnet was explicitly associated with a route table and you want to undo only that, use disassociate-route-table with the association ID rather than editing the table's routes. Delete a route only if it was added as part of this change, and confirm no other subnet depends on it first, because a route table can be shared by several subnets (removing 0.0.0.0/0 from a shared table would cut internet access for every subnet using it):

aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr>

Verify that the VPC and its remaining subnets are functioning correctly.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |