VPCs

VPC Components

  • Virtual Private Cloud
  • Subnet
  • Internet Gateway
  • NAT Gateway
  • Virtual Private Gateway
  • Peering Connection
  • VPC Endpoints
  • Egress-only Internet Gateway

VPC (Virtual Private Cloud)

  • VPC (Virtual Private Cloud) is a virtual private network dedicated to your AWS account.
  • Logically isolated from other virtual networks in AWS Cloud
  • VPC is defined on Region level
  • VPC Tenancy
    • Default
    • Dedicated
  • By default, VPC is created with Route Table, Network ACL and Security Group
  • Availability Zones a, b and c are randomized per account
  • Default VPC
    • All Subnets in default VPC have a route out to the internet
    • Each EC2 instance has both a public and private IP address

Subnet

  • Subnet is defined on AZ level
  • IP Ranges which can be assigned to Subnets
    • 10.0.0.0-10.255.255.255 (/8 prefix) - largest network
    • 172.16.0.0-172.31.255.255 (/12 prefix)
    • 192.168.0.0-192.168.255.255 (/16 prefix)
  • 5 IP addresses are reserved
    (first four and the last one)
    • Network address (10.0.0.0)
    • Reserved by AWS for VPC router (10.0.0.1)
    • DNS server IP (10.0.0.2)
    • For future use (10.0.0.3)
    • Network broadcast address - is not supported in VPC, so reserved (10.0.0.255)
  • Allowed block size is between /16 and /28 netmask
  • AWS Resources can be launched into Subnets
  • Public IPs can be auto-assigned to resources in Subnet

IGW (Internet Gateway)

  • IGW is a virtual router providing VPC connectivity to the Internet
  • IGW can be attached to VPC
  • You can have only one IGW per VPC

RTB (Route Table)

  • Route Tables belong to a VPC
  • Route Tables can be associated with Subnets
  • Subnets which are not associated with any Route Table will be associated with the main Route Table
  • It’s a better practice to keep the main Route Table as private and create the public Route Tables on demand
  • Route’s status “blackhole” is a route that goes nowhere

VPC Peering

  • Allows you to connect one VPC with another via a direct network route using private IP addresses
  • Instances behave as if they were on the same private network
  • You can peer VPC’s with other AWS accounts as well as with other VPCs in the same account
  • No Transitive Peering - VPC Peering should be defined between each of VPCs that should be connected

NAT Instances, NAT Gateways

  • NAT = Network Address Translations
  • NAT Instances, NAT Gateways - can provide connectivity to the Internet for private resources, without the need of being public, i.e. having a public IP
  • NAT Instance:
    • NAT Instance is a single point of failure
    • NAT instance should be in a public subnet
    • The amount of traffic that NAT instances can support depends on the instance size
    • Launching NAT instance
      • Use EC2 instance with community AMI
      • Disable Source / Destination check
        Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT Instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable these checks on the NAT Instance.
      • Add a route in Route Table to provide the Internet connectivity:
        0.0.0.0/0 -> ENI of the NAT Instance (Elastic Network Interface)
  • NAT Gateway
    • Created within the Subnet
    • Redundant within the Availability Zone
    • Elastic IP is assigned to the NAT Gateway
    • The Route should be added to Route Table.
      0.0.0.0/0 -> NAT Gateway
    • Starts with a throughput of 5Gbps and scales up to 45Gbps
    • Not associated with Security Groups
    • For Availability Zone-independent architecture, create a NAT gateway in each AZ and configure routing to ensure that resources use the NAT gateway in the same AZ

Network ACLs (Network Access Control Lists)

  • Network ACLs are created in VPCs
  • Default NACL, created with VPC allows all inbound and outbound traffic
  • By default each custom NACL denies all inbound and outbound traffiic, until you add rules
  • Network ACLs are associated with several Subnets. When associating a network ACL with a Subnet, the previous Subnet’s association is removed.
  • Subnet without NACL association will be automatically associated with the default NACL in VPC
  • Recommended adding rules numbers as increments of 100
  • NACL Rules are applied starting from the lower numbered rule
  • Each Subnet can be associated with only one NACL
  • Inbound and Outbound Rules
  • Ephemeral Ports are allocated automatically and typically used by TCP, UDP as port assignment for the client end of a client-server communication to a well-known port on a server
  • Ephemeral ports should be Allowed in NACL’s Outbound Rules for NAT Gateway to work
    • NAT Gateway uses Ephemeral ports 1024-65535
  • Network Access Control Lists (ACLs) and Security Groups provide security on different levels
  • Security Groups are stateful
    (Return traffic is automatically allowed, regardless of any rules)
  • Network Access Control Lists are Stateless
    (Return traffic must be explicitly allowed by rules)
  • You can block IP address in NACL - this cannot be done in SGs (Security Groups)

VPC Flow Logs

  • Enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
  • Flow log data is stored using Amaazon CloudWatch Logs.
  • Flow log is created from VPC list by selecting the VPC and choosing “Create flow log” from the actions
  • You can filter traffic type in Flow Log: Accepted, Rejected or All Traffic
  • Flow Log can send traffic to S3 bucket or CloudWatch Log
    • Destination Log Group has to be created from CloudWatch / Logs
  • You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
  • You cannot tag a flow log
  • After creating a flow log you cannot change its configuration
  • Not all IP Traffic is monitored
    • Traffic to Amazon DNS server is not logged
    • Traffic generated by a Windows Instance for Amazon Windows license activation
    • Traffic to and from 169.254.169.254 for instance metadata
    • DHCP traffic
    • Traffic to the reserved IP addresses for the default VPC router

Bastion Host

Special purpose computer on a network specifically designed and configured to withstand attacks.

  • Community AMIs are available for Bastion Hosts
  • A Bastion is used to securely administer EC2 instances (Using SSH or RDP). Bastions are sometimes called Jump Boxes.

Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

It’s a direct connection through dedicated lines from the Customer location to Direct Connect Location in AWS Data Centers.

  • Direct Connect directly connects your data center to AWS
  • Useful for high throughput workload
  • Or if you need a stable and reliable secure connection

VPC Endpoints

  • VPC Endpoint enables you to privately connect your VPC supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT devices, VPN connection or AWS Direct Connect Connection. Traffic between your VPC and the other service does not leave the Amazon network.
  • Two types of VPC Endpoints
    • Interface Endpoints
    • Gateway Endpoints
      • S3
      • DynamoDB
  • VPN Endpoint can be added from VPC/Endpoints in the management console
  • Endpoints are added in the VPC, with routes being added to the Route Tables.

FAQs

  • There are no additional charges for creating and using the VPC itself
  • If you connect your VPC to your corporate data center using the optional hardware VPN connection, pricing is per VPN connection-hour
  • Data transfer charges are not incurred when accessing AWS services like Amazon S3 via your VPC’s Internet gateway
  • An Internet gateway is horizontally-scaled, redundant and highly available. It imposes no bandwidth constraints.
  • Traffic between two EC2 instances communicating using public IP addresses in the same AWS Region stays within the AWS network.
  • Traffic between two EC2 instances located in 2 different regions with VPC peering stays with the AWS network. Without VPC Peering connection between VPCs traffic is not guaranteed to stay within the AWS network.
  • Site-to-Site VPN connection connects your VPC to your data center. This can be done using IPSec VPN connection. Internet Gateway is not required to establish a Site-to-Site VPN connection.
  • Amazon VPCs support 5 IP ranges: one primary and four secondary IPv4. Each of these ranges can be between /28 and /16 size (in CIDR notation). For IPv6, the VPC is a fixed size of /56 (in CIDR notation). A VPC can have both IPv4 and IPv6 blocks attached to it.
  • Size of the VPC can be changed by expanding your existing VPC and adding the secondary IPv4 ranges.
  • You can create 200 subnets per VPC - the limit can be adjusted through a request.
  • The minimum size of the subnet is /28 (14 IPs v4). For IPv6 the subnet size is fixed to be /64.
  • You can assign one or more secondary private IP address to an Elastic Network Interface (ENI) or an EC2 instance in Amazon VPC.
  • Multiple Elastic IPs (EIP) addresses can be assigned to VPC-based Amazon EC2 instance. Each EIP address will be associated with a unique private IP address on the instance. This is applicable only for IPv4.
  • EIPs for IPv6 are not supported at this time.
  • Multicast and broadcast are not supported by Amazon VPC.
  • If the instances reside in subnets in different Availability Zones, you will be charged $0.01 per GB for data transfer.
  • Elastic Network Interfaces (ENIs) can be attached or detached from an EC2 instance while it’s running.
  • Total number of ENIs attached depends on the instance type. ENIs and instances should be in the same AZ and VPC.
  • VPC peers can be done between VPCs in different regions as well as VPCs belonging to different AWS accounts.
  • AWS Direct Connect cannot be used to access VPCs peered with.
  • VPC peering traffic within the region is not encrypted - traffic remains private and isolated. Inter-Region VPC peering traffic is encrypted.
  • Transitive peering relationships are not supported: A-B and B-C peering does not imply A-C peering.
  • Network Load Balancers, AWS PrivateLink, and Elastic File System cannot be used over Inter-Region VPC Peering.
  • AWS PrivateLink and VPC Endpoints is the same thing
  • Bring Your Own IP (BYOIP) enables customers to move all or part of their existing publicly routable IPv4 address space to AWS. They will be able to create EIPs from IP space and associate them with AWS resources. Sometimes it’s done for IP reputation, regulation and compliance reasons.
  • Limits
    • 5 VPCs per AWS account per region
    • 200 subnets
    • 5 VPC EIP addresses per AWS account per region
    • 1 Internet Gateway per VPC