VPC

VPC - Virtual Private Cloud #

Amazon Virtual Private Cloud (VPC) enables you to provision logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you defined.

• VPC, Subnets, Internet Gateways, NAT Gateways
• Security Groups, Network ACL (NACL), VPC Flow Logs
• VPC Peering, VPC Endpoints
• Site to Site VPN and Direct Connect
• Transit Gateway

VPC components #

VPC Rules and Guidance #

• CIDR block size can be between /16 and /28
• The CIDR block must not overlap with any existing CIDR block that’s associated with the VPC
• You cannot increase or decrease the size of an existing CIDR block
• The first four and last IP address are not available for use
• AWS recommend you use CIDR blocks from the RFC 1918 ranges:

Purpose and Benefits #

• Network Address Translation (NAT): Private IP addresses allow multiple devices on a local network to share a single public IP address through NAT.
• Security: Using private addresses enhances security by making it difficult for external hosts to initiate connections to internal systems.
• No Registration Required: Organizations can use these addresses without needing approval from Internet registries, simplifying network setup.

IP Addresses in AWS #

• IPv4 (4.3 Billion Addresses)

  • Public IPv4 - can be used on the Internet
    • EC2 instance gets a new public IP address every time it’s started
  • Private IPv4 - can be used on private networks (LAN) such as internal AWS networking
    • Private IPv4 is fixed for EC2 instances even after stopping / starting

• Elastic IP - allows to attach a fixed public IPv4 address to an EC2 instance

• Note: Every public IPv4 address on AWS will be charged $0.005 per hour (including Elastic IP)

• IPv6 - Number of addresses: 3.4 x 10^38

  • Every IP address is public in AWS (no private range) (??)
  • Free

VPC and Subnets Primer #

VPC - Virtual Private Cloud - private network to deploy resources (regional resource)

• Subnets allow to partition the network inside of VPC (Availability Zone Resource)
• A public subnet is a subnet that is accessible from the internet
• A private subnet is a subnet that is not accessible from the internet
• To define access to the internet and between subnets, we use Route Tables

Internet Gateway & NAT Gateways #

• Internet Gateways help our VPC instances connecting with the internet

  • Public Subnets will have a route to the internet gateway

• NAT Gateways (AWS Managed) & NAT Instances (self managed) allow instances in Private Subnets to access the internet while remaining private

VPC > Subnets

EC2 Instance created in a Public Subnet will have Public IPv4 address associated. All Public Subnets have Internet Gateway (IGW) associated with them.

VPC > Virtual Private Cloud > Subnets > subnet-ID > Route table

Creating Private Subnet #

# For Private Subnet we don't associate it with any Internet Gateway. Traffic OUT goes via the NAT Gateway.

VPC > Virtual Private Cloud > Subnets > Create subnet

Security Groups & Network ACL #

Security Groups #

• A firewall that controls traffic to and from an EC2 Instance
• Can only have allow rules
• Rules include IP addresses and other security groups

NACL (Network ACL) #

• A firewall that controls traffic to and from a SUBNET
• Can have allow and deny rules
• Are attached at the Subnet level
• Rules only include IP addresses

More: AWS Network Firewall that protects entire VPC.

VPC > Security > Security Groups

VPC > Security > Network ACLs

VPC Flow Logs #

Helps to monitor and troubleshoot connectivity issues #

• Capture information about IP traffic going into your interfaces

  • VPC Flow Logs
  • Subnet Flow Logs
  • Elastic Network Interface Flow Logs

• Helps to monitor and troubleshoot connectivity issues

  • Subnets to internet
  • Subnets to subnets
  • Internet to subnets

• Captures network information from AWS managed interfaces too:

  • Elastic Load Balancers
  • ElastiCache
  • RDS
  • Aurora
  • etc…

VPC Flow Logs must first be created for each VPC #

VPC > Virtual Private Cloud > Your VPCs > Flow Logs > Create flow log

VPC Peering #

Connect to VPC privately using AWS Network and make them behave as if they were in the same network.

• Must NOT have overlapping CIDR (IP address range)
• VPC Peering connection is NOT transitive (must be established for each VPC that needs to communicate with one another)

VPC > Virtual Private Cloud > Your VPCs > Peering Connections > Create peering connection

VPC Endpoints #

Endpoints allow connecting to AWS Services using a private network instead of the public www network.

This gives enhanced security and lower latency to access AWS services.

• VPC Endpoint Gateway - for Amazon S3 and DynamoDB only
• VPC Endpoint Interface - most services (including S3 and DynamoDB)

Private Link #

Most secure and scalable way to expose a service to 1000s of VPCs. Using VPC Peering (see above) is not practical because of the management overhead.

• Does not require VPC peering, internet gateway, NAT, route tables…
• Requires a Network Load Balancer (NLB) - Service VPC and Elastic Network Interface (ENI) - Customer VPC

Site to Site VPN & Direct Connect #

Site to Site VPN #

• Connect to an on-premises VPN to AWS
• The connection is automatically encrypted
• Goes over the public internet (cheaper and slower than Direct Connect)

Site-to-Site VPN CloudHub #

Site-to-Site VPN CloudHub uses an Amazon VPC virtual private gateway with multiple customer gateways, each using unique BGP autonomous system numbers (ASNs).

The remote sites must not have overlapping IP ranges. Your gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.

These routing advertisements are received and re-advertised to each BGP peer so that each site can send data to and receive data from the other sites.

Direct Connect (DX) #

• Establish a physical connection between on-premises and AWS
• The connection is private, secure and fast
• Goes over a private network (more expensive but faster than Site to Site VPN)
• Takes at least a month to establish

AWS Client VPN #

Connect from your computer using OpenVPN to your private network in AWS and on-premises.

Allows connecting to your EC2 instances over a private IP (just as you were in the private VPC network).

Goes over the public Internet.

Transit Gateway #

Transit Gateway is used for having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection. #

Works with Direct Connect Gateway, VPN connections.

Summary #

• VPC: Virtual Private Cloud
• Subnets: Tied to and AZ, network partition of the VPC
• Internet Gateway: at the VPC level, provide Internet Access
• NAT Gateway / Instances: give internet access to private subnets
• Security Groups: Stateful, operate at the EC2 instance level for ENI
• NACL: Stateless, subnet rules for inbound and outbound
• VPC Peering: Connect two VPC with non overlapping IP ranges, non-transitive (must be established for each VPC that needs to communicate with one another)
• Elastic IP: Fixed public IPv4
• VPC Endpoints: Provide private access to AWS Services within VPC
• Private Link: Privately connect to a service in a 3rd party VPC
• VPC Flow Logs: Network traffic logs
• Site to Site VPN: VPN over public internet between on-premises DC and AWS
• Site-to-Site VPN CloudHub
• Client VPN: OpenVPN connection from your computer into your VPC
• Direct Connect: Direct private connection to AWS
• Transit Gateway: Connect thousands of VPC and on-premises networks together

» Sources « #

• Amazon VPC Documentation: https://docs.aws.amazon.com/vpc/
• Internetwork traffic privacy in VPC: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html

» References « #

• Elastic Load Balancing
• S3

» Disclaimer « #