Amazon Virtual Private Cloud (Amazon VPC)

Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.

Gives control to launch your AWS resources such as EC2 instance, specify IP address range, add subnets, associate security groups and configure route tables.

VPCs are region wide. A default VPC is created in each region with a subnet in each AZ .

Default VPC-has internet gateway associated with it and each default subnet is a public subnet. Each instance that you launch into a default subnet has a private IPv4 address and Public IPv4 address.These instances can communicate to internet through Internet Gateway.

By Default each instance that you launch into a non default subnet, has a private IP address, but no Public IP address unless you specifically assign one at launch or unless you modify the subnets Public IP address attribute. These instances can communicate with each other but can’t access internet.

You can enable internet access for an instance launched into a non default subnet by attaching an internet Gateway to its VPC (If its VPC is not default VPC) and associating elastic IP address with the instance.

The VPC router performs routing between AZs within a region and and connects the VPC to the Internet Gateway. Each subnet has a route table the router uses to forward traffic within the VPC.

Each subnet can only be associated with one route table. Can assign one route table to multiple subnets.

If no route table is specified a subnet will be assigned to the main route table at creation time.

The first 4 and last 1 IP addresses in a subnet are reserved.

Each subnet must reside entirely within one Availability Zone and cannot span zones.

Below are key points to remember regarding VPC:

• 1 Region can have maximum of 5 VPCs.
• 1 VPC can have 200 subnets.
• 1 VPC can have 200 routing tables.
• 1 account can have 5 elastic IPs.

IPv4 CIDR blocks per VPC–5. This primary CIDR block and all secondary CIDR blocks count toward this quota. This quota can be increased up to a maximum of 50.
IPv6 CIDR blocks per VPC-1.This quota cannot be increased.

VPCs are created in a region and not in Availability Zone.

Same CIDR can not be used on different VPC in a region.

When a new VPC are created-3 things are created by Default-

A route table, NACL and Security Group.

Route Table:

There are two route tables: Main route table , Customized Route Table.

The main route table is associated with a private subnet.The first entry is the default entry for local routing in the VPC-This entry enables the instances to communicate with each other.The Second entry sends all other subnet traffic to the NAT gateway. The main route table has a route to the virtual private gateway.

The custom route table is associated with public subnet.

 A custom route table is explicitly associated with the public subnet. The custom route table has a route to the internet ( 0.0.0.0/0) through the internet gateway.

Security Groups and NACL

Subnets:

Subnets resides in Availability Zone.

Types of subnet: Can create private, public or VPN subnets.

• If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.
• If a subnet doesn’t have a route to the internet gateway, the subnet is known as a private subnet.
• If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.

• NAT Gateway-Gives access to Internet to Private subnet and resides in Public Subnet.
• Private Subnets may need access to Internet for Patch upgrades etc.
• One NAT Gateway in one Availability Zone.
• Pvt Subnet–NAT Gateway–Internet Access
• Traffic can transverse from Private Subnet to NAT Gateway to Internet, but no traffic can transverse from Internet to Private Subnet.
• To create NAT gateway, you must specify which Public Subnet NAT gateway is to be associated.
• You must specify Elastic IP address when you create NAT gateway.
• Please note, no need to assign Public IPs to Private subnet when NAT gateway is added.
• Once NAT gateway is installed, Private Subnet Routing table must be updated with routes to NAT gateway.
• When you delete a NAT gateway-elastic IP is not released and is still being charged unless disassociated.
• NAT gateways can not be associated with security group.
• Bastion Host is not supported.

VPC Peering:

• VPC peering is done to communicate between two different VPCs without going through internet using private IPv4 or v6.
• VPC peering can be done within own account or with another VPC account.
• The VPCs can be in different regions.
• Instances in either VPC can communicate with each other as if they are within the same network.
• No separate physical hardware required for VPC peering.It is neither a gateway nor a VPN connection. There is no single point of failure for communication or a bandwidth bottleneck.
• Active VPC peering connections per VPC -50 default/ Maximum-125.
• Expiry time for an unaccepted VPC-1 week.
• You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.
• Inter-Region VPC Peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.
• Flow for VPC Peering:
  • The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection.
  • The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.
  • Owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC)
  • If required, update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted
• Pricing for a VPC peering connection– If the VPCs in the VPC peering connection are within the same region, the charges for transferring data within the VPC peering connection are the same as the charges for transferring data across Availability Zones. If the VPCs are in different regions, inter-region data transfer costs apply.

VPC endpoints:

A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices.

Traffic between your VPC and the other service does not leave the Amazon network.

Different types of VPC endpoints : Interface endpoints & Gateway endpoints.

• Why to go for VPC endpoints–VPC endpoints can replace NAT Gateways as they are very cost effective.
• To access AWS Services without using internet, use VPC endpoints.
• VPC endpoint is a virtual device.
• VPC endpoints resides in Private subnets.
• Gateway VPC endpoints per Region-Default 20. You cannot have more than 255 gateway endpoints per VPC.

VPC Flowlogs:

• Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC Flow log data is stored using Amazon CloudWatch Logs .
• Not all traffic is monitored, e.g. the following traffic is excluded:
• Traffic that goes to Route53.
• Traffic generated for Windows license activation.
• Traffic to and from 169.254.169.254 (instance metadata).
• Traffic to and from 169.254.169.123 for the Amazon Time Sync Service
• DHCP traffic.
• Traffic to the reserved IP address for the default VPC router.