diff --git a/knowledge base/acronyms and abbreviations.md b/knowledge base/acronyms and abbreviations.md
index db29534..755564e 100644
--- a/knowledge base/acronyms and abbreviations.md
+++ b/knowledge base/acronyms and abbreviations.md
@@ -25,6 +25,7 @@
| CD | Continuous Deployment | |
| CDN | Content Delivery Network | |
| CI | Continuous Integration | |
+| CIDR | Classless Inter-Domain Routing | |
| CLI | Command Line Interface | |
| CMS | Content Management System | |
| CN | Canonical Name | In Active Directory, the full path of an object in a canonical format |
diff --git a/knowledge base/cloud computing/aws/README.md b/knowledge base/cloud computing/aws/README.md
index d938683..da6cb68 100644
--- a/knowledge base/cloud computing/aws/README.md
+++ b/knowledge base/cloud computing/aws/README.md
@@ -71,16 +71,30 @@ subsequent requests that API receives.
VPCs define isolated virtual networking environments.
AWS accounts include one default VPC for each AWS Region.
+Every VPC will have at least one CIDR block.
+Every new AWS account will have one default VPC in every region, all with the `172.31.0.0/16` CIDR block assigned.
+
VPCs can be _peered_ to enable direct connectivity between them via private IP addresses.
The peer connection also requires exchanging route table entries between the VPCs.
-Subnets are ranges of IP addresses in VPCs.
+Subnets are virtual networks, each of which carves out smaller range of IP addresses from their VPC's CIDR block.
Each subnet resides in a single Availability Zone.
_Public_ subnets have a direct route to an Internet gateway. Resources in public subnets **can** access the public
Internet.
_Private_ subnets do **not** have a direct route to an Internet gateway. Resources in private subnets **require** a NAT
device to access the public internet.
+_Security groups_ control the traffic in and out of the resources associated with them, like firewalls would do.
+_Security group rules_ are **stateful**, meaning that connections initiated from the security group will allow the
+corresponding answers to come back in (but not new connections).
+The default value for Egress traffic is to allow all connections.
+
+_Network Access Control Lists_ also control the traffic in and out. However, they are associated with subnets, and
+affect all resources within that subnet.
+NACLs are **stateless**, meaning that both the Inbound and Outbound rules must match traffic patterns to allow
+communications in **any** direction.
+_NACL rules_ allow all traffic by default. They also have a priority.
+
Gateways connect VPCs to other networks.
[_Internet gateways_][connect to the internet using an internet gateway] connect VPCs to the Internet.
[_NAT gateways_][nat gateways] allow resources in private subnets to connect to the Internet, other VPCs, or on-premises
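Review bot: the sentence "_NACL rules_ allow all traffic by default" is only true of the VPC's default network ACL; a custom NACL denies all inbound and outbound traffic until rules are added, and every NACL ends with an implicit `*` deny rule. "They also have a priority" should say what that priority is: rules are evaluated in ascending order of rule number and the first matching rule is applied, so a low-numbered allow shadows a higher-numbered deny for the same traffic. Suggest replacing the line with something like "The default NACL allows all traffic; custom NACLs deny everything until rules are added. Rules are evaluated in ascending rule-number order and the first match wins." Two smaller points in the same hunk: "The default value for Egress traffic is to allow all connections" is correct for a new security group but should be paired with the inbound default (no inbound rules, so everything is denied, except that the VPC's default security group allows inbound traffic from members of itself), since the stateful-return behaviour also applies to responses to allowed inbound traffic; and the new line "Every new AWS account will have one default VPC in every region ..." repeats the preceding "AWS accounts include one default VPC for each AWS Region", so merge the two and keep only the `172.31.0.0/16` detail. Also "carves out smaller range" is missing the article: "carves out a smaller range".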
@@ -88,6 +102,10 @@ networks. They can communicate with services outside the VPC, but cannot receive
[_VPC endpoints_][access aws services through aws privatelink] connect VPCs to AWS services privately, without the need
of Internet gateways or NAT devices.
+_Route tables_ control how traffic flows throughout, and in or out, a VPC.
+They are associated with subnets, and affect all resources within those subnets.
+By default, a VPC only comes with a single route table. It is referred to as the `Main` route table.
+
By default, connections to AWS services use the services' **public** endpoint.
Traffic from instances in **public** subnets is routed to the VPC's internet gateway, then forwarded to the requested
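Review bot: "They are associated with subnets, and affect all resources within those subnets" hides the implicit association that matters for exposure: each subnet is associated with exactly one route table, and any subnet without an explicit association uses the `Main` table. Worth adding, because the main table of a default VPC carries a `0.0.0.0/0` route to the internet gateway, whereas the main table of a custom VPC contains only the `local` route, so a subnet that silently falls back to `Main` is public in one case and private in the other. Suggest "Subnets with no explicit association use the `Main` route table; in a custom VPC that table only holds the `local` route, while in the default VPC it routes `0.0.0.0/0` to the internet gateway." Minor wording: "control how traffic flows throughout, and in or out, a VPC" reads awkwardly; "control how traffic is routed within a VPC and to destinations outside it" is clearer.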
@@ -109,7 +127,7 @@ graph LR
end
ei --> ig
ig --> i
- ig --> as
+ i --> as
```
@@ -138,14 +156,39 @@ graph LR
ei --> ng
ng --> ig
ig --> i
- ig --> as
+ i --> as
```
[PrivateLink] leverages VPC endpoints to create a private and direct connection between a VPC and an AWS service.
-[Gateway endpoints] do the same in a more convenient way that does not use Elastic Network Interfaces, but can be used
-only for some services ([S3] and DynamoDB).
+[Gateway endpoints] do the same in a more convenient way that does not use Elastic Network Interfaces, but are only
+supported by specific AWS services ([S3] and DynamoDB).
+
+
+
+```mermaid
+graph LR
+ i(Internet)
+ subgraph Region
+ direction LR
+ subgraph VPC
+ subgraph Public Network
+ ng(NAT Gateway)
+ end
+ subgraph Private Network
+ ei(Instance)
+ end
+ ge(Gateway
Endpoint)
+ ig(Internet
Gateway)
+ end
+ as(AWS Service)
+ end
+ ei --> ge
+ ge --> as
+```
+
+
[Direct Connect] creates a dedicated network connection between on-premises data centers or offices and AWS.
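Review bot: the new gateway-endpoint diagram declares `ng(NAT Gateway)` and `ig(Internet Gateway)` but never connects them, so they render as orphan boxes; either drop them or draw the `ei --> ng --> ig --> i --> as` path alongside `ei --> ge --> as` so the diagram actually shows the difference from the NAT-based path in the diagram above it. It would also help to state, in the sentence before the diagram, that a gateway endpoint is a route-table target rather than an ENI: the subnet's route table gets a route for the service's managed prefix list pointing at the endpoint, which is why no internet gateway or NAT device is involved and why the `ig`/`ng` nodes are not on the path. Style: there are three blank lines between the `[Gateway endpoints]` paragraph and the ```` ```mermaid ```` fence, and two after the closing fence; the rest of the file uses one.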
@@ -772,6 +815,8 @@ machine if not.
- [Tools to Build on AWS]
- [Boto3 documentation]
- [More info about resource deprecation?]
+- [What Is OIDC and Why Do We Need It?]
+- [AWS Fundamentals Blog]
### Sources
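Review bot: the two new list items `[What Is OIDC and Why Do We Need It?]` and `[AWS Fundamentals Blog]` are reference-style links, but no matching `[...]: url` definitions appear anywhere in this diff; unless they already exist further down the file, they will render as literal bracketed text. Please add the definitions next to the other link references (the later hunk in this file shows where they live).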
@@ -803,6 +848,12 @@ machine if not.
- [What is AWS Global Accelerator?]
- [How AWS Global Accelerator works]
- [Using Amazon CloudWatch with AWS Global Accelerator]
+- [Gateway Endpoints vs Internet Routing for S3]
+- Introduction to the AWS Virtual Private Cloud (VPC) -
+ [Part 1][Introduction to the AWS Virtual Private Cloud (VPC) - Part 1],
+ [Part 2][Introduction to the AWS Virtual Private Cloud (VPC) - Part 2],
+ [Part 3][Introduction to the AWS Virtual Private Cloud (VPC) - Part 3]
+- [VPC Endpoints: Secure and Direct Access to AWS Services]
[avoid the 60 minutes timeout when using the aws cli with iam roles]: https://cloudonaut.io/avoid-the-60-minutes-timeout-when-using-the-aws-cli-with-iam-roles/
[aws iam roles - everything you need to know & examples]: https://spacelift.io/blog/aws-iam-roles
+[AWS IAM Users: Understanding Identity Center, Organizations, and Federation]: https://awsfundamentals.com/blog/aws-iam-users
[aws.permissions.cloud]: https://aws.permissions.cloud/
[get to grips with aws iam roles: terms, concepts, and examples]: https://blog.awsfundamentals.com/aws-iam-roles-terms-concepts-and-examples
[introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b
[using aws cli securely with iam roles and mfa]: https://dev.to/albac/using-aws-cli-securely-with-iam-roles-and-mfa-56c3
-[you might be clueless as to why aws assume role isn't working, despite being correctly set up]: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07
[what is exactly "assume" a role in aws?]: https://stackoverflow.com/questions/50082732/what-is-exactly-assume-a-role-in-aws
+[you might be clueless as to why aws assume role isn't working, despite being correctly set up]: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07
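Review bot: the definition for `[Gateway Endpoints vs Internet Routing for S3]` is added only in `s3.md` (see the last hunk of this diff), not in this README, yet the README's Sources list now references it; the same applies to `[Introduction to the AWS Virtual Private Cloud (VPC) - Part 1]`, `- Part 2`, `- Part 3` and `[VPC Endpoints: Secure and Direct Access to AWS Services]`, none of which get a definition here. Reference definitions are per-file, so each needs its own entry in this README. Conversely, `[AWS IAM Users: Understanding Identity Center, Organizations, and Federation]` gains a definition but nothing in the diff references it; if it is meant as a new source, add the list item, otherwise drop the definition. Style: every neighbouring label is lowercase (`[aws iam roles - everything you need to know & examples]`, `[aws.permissions.cloud]`), so the new mixed-case label breaks the file's convention even though markdown matches labels case-insensitively. The move of the `[you might be clueless ...]` line below `[what is exactly "assume" a role in aws?]` restores alphabetical order and is fine.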
diff --git a/knowledge base/cloud computing/aws/s3.md b/knowledge base/cloud computing/aws/s3.md
index 05283c2..0ef0c26 100644
--- a/knowledge base/cloud computing/aws/s3.md
+++ b/knowledge base/cloud computing/aws/s3.md
@@ -224,6 +224,7 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example
- [Understanding and managing Amazon S3 storage classes]
- [Using S3 Intelligent-Tiering]
- [Amazon S3 cost optimization for predictable and dynamic access patterns]
+- [Gateway Endpoints vs Internet Routing for S3]
### Sources
@@ -233,6 +234,7 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example
- [CLI subcommand reference]
- [Find out the size of your Amazon S3 buckets]
- [How S3 Intelligent-Tiering works]
+- [Amazon S3 Intelligent Tiering]
+[Amazon S3 Intelligent Tiering]: https://awsfundamentals.com/blog/amazon-s3-intelligent-tiering
+[Gateway Endpoints vs Internet Routing for S3]: https://awsfundamentals.com/blog/gateway-endpoints-vs-internet-routing-s3
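Review bot: the new source is titled `[Amazon S3 Intelligent Tiering]` while the two adjacent entries (`[Using S3 Intelligent-Tiering]`, `[How S3 Intelligent-Tiering works]`) and the AWS product name use the hyphenated form `Intelligent-Tiering`; keep the hyphen in the label so the list reads consistently and the feature name matches the documentation the other entries link to. The `[Gateway Endpoints vs Internet Routing for S3]` definition is correctly paired with its list item in this file; note that the README referencing the same label needs its own copy of the definition.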