Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
Gives control to launch your AWS resources such as EC2 instance, specify IP address range, add subnets, associate security groups and configure route tables.
VPCs are region wide. A default VPC is created in each region with a subnet in each AZ .
Default VPC-has internet gateway associated with it and each default subnet is a public subnet. Each instance that you launch into a default subnet has a private IPv4 address and Public IPv4 address.These instances can communicate to internet through Internet Gateway.
By Default each instance that you launch into a non default subnet, has a private IP address, but no Public IP address unless you specifically assign one at launch or unless you modify the subnets Public IP address attribute. These instances can communicate with each other but can’t access internet.
You can enable internet access for an instance launched into a non default subnet by attaching an internet Gateway to its VPC (If its VPC is not default VPC) and associating elastic IP address with the instance.
The VPC router performs routing between AZs within a region and and connects the VPC to the Internet Gateway. Each subnet has a route table the router uses to forward traffic within the VPC.
Each subnet can only be associated with one route table. Can assign one route table to multiple subnets.
If no route table is specified a subnet will be assigned to the main route table at creation time.
The first 4 and last 1 IP addresses in a subnet are reserved.
Each subnet must reside entirely within one Availability Zone and cannot span zones.
Below are key points to remember regarding VPC:
- 1 Region can have maximum of 5 VPCs.
- 1 VPC can have 200 subnets.
- 1 VPC can have 200 routing tables.
- 1 account can have 5 elastic IPs.
IPv4 CIDR blocks per VPC–5. This primary CIDR block and all secondary CIDR blocks count toward this quota. This quota can be increased up to a maximum of 50.
IPv6 CIDR blocks per VPC-1.This quota cannot be increased.
VPCs are created in a region and not in Availability Zone.
Same CIDR can not be used on different VPC in a region.
Some Other key points related to VPC are:
Other region VPC can have same CIDR range.
VPC peering can not be done on same CIDR.
Routing table in public subnet should have the route-0.0.0.0/0 for Internet Gateway.
A subnet can not be in diff Availability Zone in same region.
Once VPC is created , you can not change its CIDR block range but can create secondary CIDR ranges.
NAT gateway resides in Public Subnet but is used to provide internet access to private Subnets.
Each region has a default VPC which can be deleted and can be recreated if required.
There are two types of VPC-
- Default VPC- has internet gateway and main Routing table.
- Custom VPC- You can only attach one Internet gateway to a custom VPC
To launch a custom VPC following steps are to be followed:
- 1.Create a VPC
- 2.Create a subnet.
- 3.Create a Internet Gateway
- 4.Create a Route Table.
EC2 instances must have Public IP or Elastic IP in order to communicate with Internet. Public IPs are dynamic and elastic IPs are static.
Different subnets in a VPC can communicate with each other.
Implied Router–Virtual Router to communicate between different availibility zone and Internet Gateway.
In a 1 Route table maximum of 50 Routes can be added.
Each Subnet must be associated with only one Routing table at a given time.
If after creating VPC, it is not associated with any subnet , by default it would get associated with default route table.
You can edit main Route Table but can not delete it.
1 Route table can have multiple subnets but 1 subnet can have only one Route table.
1 subnet-1 Route table
In order to access Internet, Route table should be updated with entry 0.0.0.0/0
Route Table,NACL and Security Group:
When a new VPC are created-3 things are created by Default-
A route table, NACL and Security Group.
There are two route tables: Main route table , Customized Route Table.
The main route table is associated with a private subnet.The first entry is the default entry for local routing in the VPC-This entry enables the instances to communicate with each other.The Second entry sends all other subnet traffic to the NAT gateway. The main route table has a route to the virtual private gateway.
The custom route table is associated with public subnet.
A custom route table is explicitly associated with the public subnet. The custom route table has a route to the internet ( 0.0.0.0/0) through the internet gateway.
Security Groups and NACL
Security Groups Vs NACL
|Security groups operates at instance level.|
VPC security groups per Region -2500
Inbound or outbound rules per security group -60
You can have 60 inbound and 60 outbound rules per security group (making a total of 120 rules)
|NACL operates at Subnet level.|
Network ACLs per VPC-200
Rules per network ACL-20
|Per EC2 instance, maximum 5 security groups can be applied.||NACL security applied at Implied/logical Router.|
|Can only allow but not deny specific port.|
By default, custom security groups do not have inbound allow rules (all inbound traffic is denied by default).
By default, default security groups do have inbound allow rules (allowing traffic from within the group)
You cannot delete the security group that’s created by default within a VPC.
|Default NACL–By default allows all inbound and Outbound traffic.|
Custom NACL–By default denies all inbound and outbound traffic.
Each Subnet must be associated with a NACL.if a subnet is not associated with a NACL, by default it gets associated with Default NACL.
At a time, one subnet can be associated with one NACL.
|Stateful–Same Rule for inbound and Outbound traffic.||NACL are stateless- So both Inbound and Outboud Rules are different.|
| Security group membership can be changed whilst instances are running.|
There is no limit on the number of EC2 instances within a security group.
|NACL applies rules based on numbering.|
Priority is given to less numbered Rules.
Highest number to Rule is 32776.
Subnets resides in Availability Zone.
Types of subnet: Can create private, public or VPN subnets.
- If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.
- If a subnet doesn’t have a route to the internet gateway, the subnet is known as a private subnet.
- If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.
|Public Subnet||Private Subnet|
|Internet Gateway is Connected||Not connected with Internet Gateway|
|Private Subnet must have a range between /16 to /28.|
- Internet Gateway allows communication between instances in your VPC and the internet.
- Internet Gateways (IGW) must be created and then attached to a VPC, be added to a route table, and then associated with the relevant subnet(s)
- Internet Gateway Supports both IPv4 and IPv6.
- Can only attach 1 IGW to a VPC at a time
- IGW performs NAT between private and public IPv4 addresses .
- Natting and Elastic IP resides in Internet Gateway.
- Egress-only Internet Gateway: to be used for IPv6. Provides outbound Internet access for IPv6 addressed instances
Best practice is to keep Web Server in Public Subnet and Database server in Private Subnet.
A NAT gateway or NAT instance is used to provide internet traffic to EC2 instances in Private Subnet.
- NAT instance is managed by user while NAT gateway is managed by AWS.
- Security groups for NAT instances must allow HTTP/HTTPS inbound from the private subnet and outbound to 0.0.0.0/0 .There needs to be a route from a private subnet to the NAT instance for it to work .
- Using a NAT instance does not provide High Availability.
- HA can be achieved by using :
- Auto Scaling groups, multiple subnets in different AZ’s and a script to automate failover.
- Performance is dependent on instance size. Can scale up instance size or use enhanced networking.
- Can scale out by using multiple NATs in multiple subnets.
- Can use as a bastion (jump) host
You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN) tunnel .
Public subnet instances use Elastic IPs to access the Internet.
- NAT Gateway-Gives access to Internet to Private subnet and resides in Public Subnet.
- Private Subnets may need access to Internet for Patch upgrades etc.
- One NAT Gateway in one Availability Zone.
- Pvt Subnet–NAT Gateway–Internet Access
- Traffic can transverse from Private Subnet to NAT Gateway to Internet, but no traffic can transverse from Internet to Private Subnet.
- To create NAT gateway, you must specify which Public Subnet NAT gateway is to be associated.
- You must specify Elastic IP address when you create NAT gateway.
- Please note, no need to assign Public IPs to Private subnet when NAT gateway is added.
- Once NAT gateway is installed, Private Subnet Routing table must be updated with routes to NAT gateway.
- When you delete a NAT gateway-elastic IP is not released and is still being charged unless disassociated.
- NAT gateways can not be associated with security group.
- Bastion Host is not supported.
VPC Connectivity :-There are several methods of connecting to a VPC. These include:
AWS Managed VPN , AWS Direct Connect, AWS Direct Connect plus a VPN , AWS VPN CloudHub , Software VPN , Transit VPC , VPC Peering , AWS PrivateLink , VPC Endpoints.
To connect non-AWS network to AWS network:
1.VPN-It can be hardware or Software based. VPN connection can be established over an Internet to an Amazon Web Services (AWS)-managed virtual private gateway, which is the VPN device on the AWS side of the VPN connection. You can download the IPSec VPN configuration from the AWS VPC console to configure the firewall or the device in your local network that will establish the VPN. You cannot use a NAT gateway in AWS for clients coming in via a VPN .
2.Software VPN: This option is recommended if you must manage both ends of the VPN connection either for compliance purposes or for leveraging gateway devices that are not currently supported by Amazon VPC’s VPN solution.
3.AWS VPN CloudHub- For multiple VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. This enables your remote sites to communicate with each other, and not just with the VPC .It works on Hub and Spoke Model.
4. AWS PrivateLink :AWS provided connectivity between VPCs or AWS Services using Interface endpoints.It keeps VPCs private by not requiring to access Internet to connect to other AWS services.It creates end points for required services in all required subnets and accessed via the provided DNS hostname.
5.Direct Connect-Dedicated network connection between On-premise network and AWS VPC. It establish a 1-gigabit or 10-gigabit dedicated network connection using Ethernet fiber-optic cable. Direct Connect is priced per port-hour, with additional data transfer rates that vary by region.
- VPC peering is done to communicate between two different VPCs without going through internet using private IPv4 or v6.
- VPC peering can be done within own account or with another VPC account.
- The VPCs can be in different regions.
- Instances in either VPC can communicate with each other as if they are within the same network.
- No separate physical hardware required for VPC peering.It is neither a gateway nor a VPN connection. There is no single point of failure for communication or a bandwidth bottleneck.
- Active VPC peering connections per VPC -50 default/ Maximum-125.
- Expiry time for an unaccepted VPC-1 week.
- You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.
- Inter-Region VPC Peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.
- Flow for VPC Peering:
- The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection.
- The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.
- Owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC)
- If required, update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted
- Pricing for a VPC peering connection– If the VPCs in the VPC peering connection are within the same region, the charges for transferring data within the VPC peering connection are the same as the charges for transferring data across Availability Zones. If the VPCs are in different regions, inter-region data transfer costs apply.
A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices.
Traffic between your VPC and the other service does not leave the Amazon network.
Different types of VPC endpoints : Interface endpoints & Gateway endpoints.
|Interface Endpoints||Gateway Endpoints|
An Interface end point is an elastic network interface with a private IP address from the IP address range of your subnet.
Uses DNS entries to redirect traffic.
It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.
Interface endpoints are powered by AWS PrivateLink.
An interface endpoint supports services such as Amazon CloudWatch, Amazon SNS, etc.
Gateway Endpoint is a gateway which is targeted for a specific route in your route table.
Uses prefix list in the route table to redirect traffic.
Amazon S3 and DynamoDB are the only services which are supported by Gateway Endpoints.
- Why to go for VPC endpoints–VPC endpoints can replace NAT Gateways as they are very cost effective.
- To access AWS Services without using internet, use VPC endpoints.
- VPC endpoint is a virtual device.
- VPC endpoints resides in Private subnets.
- Gateway VPC endpoints per Region-Default 20. You cannot have more than 255 gateway endpoints per VPC.
- Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC Flow log data is stored using Amazon CloudWatch Logs .
- Not all traffic is monitored, e.g. the following traffic is excluded:
- Traffic that goes to Route53.
- Traffic generated for Windows license activation.
- Traffic to and from 169.254.169.254 (instance metadata).
- Traffic to and from 169.254.169.123 for the Amazon Time Sync Service
- DHCP traffic.
- Traffic to the reserved IP address for the default VPC router.