- Published on
AWS Virtual Private Cloud (VPC)
- Authors
- Name
- Chloe McAree (McAteer)
- @ChloeMcAteer3
This is part of a blog series giving a high level overview of the different services examined on the AWS Solution Architect Associate exam, to view the whole series click here.
VPC Summary
A VPC is a logically isolated section of AWS in which you launch resources into a network you define.
A VPC consists of an internet gateway or virtual private gateway, subnets, route tables, network access control lists and security groups.
A subnet is a range of IP addresses within your VPC. A subnet cannot span multiple availability zones.
When you create a VPC, the following are created by default: a main route table, a default network access control list and a default security group.
Subnets and an internet gateway are not created by default for a custom VPC (the default VPC that AWS provides in each region is the exception: it already has public subnets and an internet gateway attached).
Auto-assigning a public IP address is turned off by default on new subnets. Turning it on is only part of making a subnet public: the subnet's route table must also have a route to an internet gateway, otherwise the public address is unreachable.
You can only have one internet gateway attached to a VPC.
You are not charged for a VPC itself, but you are charged for the components used within it, e.g. NAT gateways, VPN connections and traffic monitoring.
One way to save on networking costs is to use private IP addresses instead of public IP addresses, as that traffic utilises the AWS backbone network.
If you want to cut data transfer costs completely, group your EC2 instances in the same AZ and use private IP addresses for traffic between them.
By default you can have 5 VPCs per AWS region; this is a service quota that can be raised on request.
Connecting to a VPC
There are two gateway types through which traffic enters a VPC:
Virtual Private Gateway (terminates site-to-site VPN and Direct Connect connections from your own network)
Internet Gateway (connects the VPC to the public internet)
What you can do with VPC
Launch instances
Assign custom IP address ranges
Configure route tables between subnets
VPC IP Ranges
AWS does not allow a /8 prefix as it is too large. The largest block allowed for a VPC is /16 (65,536 addresses) and the smallest is /28 (16 addresses).
AWS always reserves 5 IP addresses within every subnet's CIDR block for:
Network address
VPC router address
DNS server address
Future use
Broadcast address (broadcast is not supported inside a VPC, but the address is still reserved)
- These are the first four IP addresses and the last IP address of the subnet, so a /28 subnet has 11 usable addresses, not 16.
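The sizing rules above are easy to get wrong when planning subnets, so here is an added example (not code from the original post) that checks a candidate VPC CIDR against the /16 to /28 limits and lists the five reserved addresses of a subnet with Python's standard ipaddress module. The CIDRs used are invented.

```python
import ipaddress

# Constructed example, not code from the original post: the VPC sizing limits
# and the five per-subnet reserved addresses described above, checked with the
# standard library's ipaddress module.
VPC_LARGEST_PREFIX = 16    # /16 is the largest block AWS allows (65,536 addresses)
VPC_SMALLEST_PREFIX = 28   # /28 is the smallest block AWS allows (16 addresses)
RESERVED_PER_SUBNET = 5


def valid_vpc_cidr(cidr: str) -> bool:
    """True if cidr is an IPv4 block in the /16 to /28 range AWS accepts for a VPC."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError:
        return False
    return net.version == 4 and VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses AWS reserves in every IPv4 subnet, keyed by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = net.network_address
    return {
        "network": str(base),                        # first address: network address
        "vpc_router": str(base + 1),                 # second: the VPC router
        "dns": str(base + 2),                        # third: Amazon-provided DNS
        "future_use": str(base + 3),                 # fourth: reserved for future use
        "broadcast": str(net.broadcast_address),     # last: broadcast (unsupported, still reserved)
    }


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses actually available for resources once the reserved five are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def assignable_hosts(subnet_cidr: str) -> list:
    """The assignable addresses in order (useful when planning static private IPs)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    reserved = set(reserved_addresses(subnet_cidr).values())
    return [str(a) for a in net if str(a) not in reserved]


if __name__ == "__main__":
    print(valid_vpc_cidr("10.0.0.0/8"), valid_vpc_cidr("10.0.0.0/16"))   # False True
    print(reserved_addresses("10.0.1.0/28"))
    print(usable_addresses("10.0.1.0/28"))   # 11
```

Note that the first assignable address in a /28 is the fifth one (.4), which matters if you hard-code private IPs for appliances.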
VPC Peering
This is a connection between two VPCs that allows you to route traffic between them using private IP addresses.
A peering connection allows instances in either VPC to communicate as if they were in the same network. The CIDR blocks of the two VPCs must not overlap.
It is possible to peer with a VPC in another AWS account or another region.
Peering connections are one-to-one relationships. There is no transitive peering: if VPC A is peered with B and B with C, A cannot reach C through B. Each pair of VPCs that needs to communicate must be peered directly, and each side needs a route to the other's CIDR via the peering connection.
Types of tenancy
On set up of your VPC you will be asked to choose either:
Dedicated → Everything on dedicated hardware (Very expensive)
Default → multi-tenant share underlying hardware with other AWS customers
Network Access Control Lists (NACL)
An extra layer of security for your VPC, used to control the traffic in and out of subnets.
Similar to security groups in that they contain rules, but a NACL supports explicit deny rules, so you can block specific IP addresses with a NACL, which you cannot do with a security group.
A NACL can be associated with many subnets, but a subnet can only have one NACL.
NACLs are stateless, unlike security groups: return traffic is not automatically allowed, so an inbound rule allowing port 443 needs a matching outbound rule for the client's ephemeral ports (1024 to 65535) or the replies are dropped. Rules are evaluated in ascending rule-number order and the first match wins; the implicit final rule denies everything.
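The two points that trip people up in practice are rule ordering and statelessness. The following is an added example (not code from the original post) that models NACL evaluation in Python: rules are tried lowest number first, the first match wins, and a connection is only usable when both the inbound request and the outbound reply hit an explicit allow. The rule numbers, CIDRs and ports are invented.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed example, not code from the original post: a small model of how a
# NACL evaluates its rules. Rule numbers, CIDRs and ports below are invented.


@dataclass(frozen=True)
class Rule:
    number: int        # evaluated lowest number first; the console shows '*' for the implicit final deny
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source (inbound) or destination (outbound) range
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


def evaluate(rules: List[Rule], protocol: str, addr: str, port: int) -> str:
    """Return the action of the first matching rule, or 'deny' from the implicit '*' rule."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def connection_allowed(inbound: List[Rule], outbound: List[Rule],
                       client_ip: str, dst_port: int, client_port: int) -> bool:
    """A NACL is stateless: the client's request and the instance's reply are
    evaluated independently, so both must hit an explicit allow."""
    request = evaluate(inbound, "tcp", client_ip, dst_port)
    reply = evaluate(outbound, "tcp", client_ip, client_port)   # reply goes to the client's ephemeral port
    return request == "allow" and reply == "allow"


# Inbound: a deny for one abusive address numbered below the general HTTPS allow.
INBOUND = [
    Rule(90, "tcp", "203.0.113.7/32", 443, 443, "deny"),
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Outbound as often written by mistake: lets the instance open HTTPS connections
# itself but says nothing about replies to inbound clients.
OUTBOUND_MISSING_EPHEMERAL = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Corrected: also allow replies to the client's ephemeral ports.
OUTBOUND_FIXED = OUTBOUND_MISSING_EPHEMERAL + [
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

if __name__ == "__main__":
    print(connection_allowed(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.5", 443, 51234))  # False
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.5", 443, 51234))             # True
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.7", 443, 51234))              # False
```

If the deny rule were numbered 200 instead of 90 it would sit behind the broad allow and never match, which is the most common way a NACL block silently fails to take effect.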
Route Table
A route table is created by default with your VPC.
A route table is a set of rules (routes) that determines where network traffic from a subnet is directed. Every VPC route table contains a local route for the VPC's CIDR block, which is what lets subnets talk to each other.
Every subnet in your VPC must be associated with a route table.
Any subnet without an explicit association uses the main route table. This can be a security risk: if you were to add a route to the internet gateway to the main route table, every subnet that relies on the main table would become public at once.
To avoid this, keep the main route table private (local route only) and create separate custom route tables for public subnets that add the 0.0.0.0/0 route to the internet gateway, associating them explicitly with only the subnets that should be public.
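To make the "main table leak" concrete, here is an added example (not code from the original post) that models longest-prefix route lookup and subnet association in Python and shows a database subnet turning public the moment a default route to the internet gateway is added to the main table. Subnet, route table and gateway IDs are invented.

```python
import ipaddress
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

# Constructed example, not code from the original post: a model of route table
# lookup and subnet association. Subnet, route table and gateway IDs are invented.
Route = Tuple[str, str]           # (destination CIDR, target)
RouteTable = List[Route]

ROUTE_TABLES: Dict[str, RouteTable] = {
    # The main route table as AWS creates it: only the local route.
    "main": [("10.0.0.0/16", "local")],
    # A custom table for public subnets: local route plus a default route to the IGW.
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123abcd")],
}
# Only the web subnet is explicitly associated; the database subnet is not,
# so it falls back to the main route table.
ASSOCIATIONS: Dict[str, str] = {"subnet-web": "rtb-public"}


def lookup(table: RouteTable, destination: str) -> Optional[str]:
    """Longest-prefix match, as a VPC route table does; None means the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def effective_table(subnet_id: str, associations: Dict[str, str],
                    tables: Dict[str, RouteTable]) -> RouteTable:
    """Subnets without an explicit association use the main route table."""
    return tables[associations.get(subnet_id, "main")]


def is_public(subnet_id: str, associations: Dict[str, str],
              tables: Dict[str, RouteTable]) -> bool:
    """A subnet is public when its default route points at an internet gateway."""
    target = lookup(effective_table(subnet_id, associations, tables), "198.51.100.1")
    return target is not None and target.startswith("igw-")


def with_route(tables: Dict[str, RouteTable], name: str, cidr: str,
               target: str) -> Dict[str, RouteTable]:
    """Return a copy of the route tables with one route added (the original is untouched)."""
    copied = deepcopy(tables)
    copied[name].append((cidr, target))
    return copied


if __name__ == "__main__":
    print(is_public("subnet-web", ASSOCIATIONS, ROUTE_TABLES))   # True
    print(is_public("subnet-db", ASSOCIATIONS, ROUTE_TABLES))    # False
    # The mistake the text warns about: adding the IGW route to the main table.
    leaky = with_route(ROUTE_TABLES, "main", "0.0.0.0/0", "igw-0123abcd")
    print(is_public("subnet-db", ASSOCIATIONS, leaky))           # True: the database subnet is now public
```

The same check, run against real route tables pulled from the API, is a cheap way to audit which subnets are actually internet-facing rather than trusting their names.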
Internet Gateways
Allows your VPC to communicate with the internet.
For internet communication, you must set up a route in your route table that directs traffic to the Internet Gateway.
Performs one-to-one network address translation for instances that have a public IPv4 or Elastic IP address (the instance itself only ever sees its private address).
Network Address Translation (NAT) Gateways/ Instances
NAT gateways and NAT instances give instances in private subnets outbound access to the internet while ensuring that hosts on the internet cannot initiate a connection to those instances.
For example, this lets EC2 instances in a private subnet download software updates by going out through the NAT device and then the internet gateway.
The NAT gateway or instance must live in a public subnet and then for a private subnet to connect to it, the private subnet must have a route in its route table that directs traffic to it.
NAT Instances
Since a NAT instance forwards traffic whose source or destination is not its own address, it conflicts with the source/destination check that EC2 performs by default, so you need to disable source/destination checks on the instance (an instance attribute you can change at launch or afterwards).
NAT instances are managed by you.
You can associate them with security groups to control inbound and outbound traffic.
NAT Gateway
NAT gateways are preferred by enterprises as they are highly available within their AZ, scale automatically and are managed by AWS.
Cannot be associated with security groups, but you can associate the resources behind the NAT gateway with security groups, and the NACL of the NAT gateway's subnet still applies to its traffic.
Requires an Elastic IP address, which you assign when creating a public NAT gateway.
For NAT gateways you do not need to worry about disabling source/destination checks.
You can create an AZ-independent architecture with NAT gateways to reduce the impact of an AZ failure: create a NAT gateway in each AZ and configure each private subnet's route table to use the NAT gateway in its own AZ, so no subnet depends on a NAT gateway in another AZ.
VPC Flow Logs
Capture information about the IP traffic entering and leaving network interfaces in your VPC.
You can publish flow logs to CloudWatch Logs or to S3.
They allow you to monitor the traffic reaching your instances and can help you see whether your security groups and NACLs are restrictive enough, e.g. by looking for ACCEPT records on ports you did not intend to expose.
Flow logs do not impact latency or network throughput as they are collected outside the path of your network traffic. They are not real-time, and some traffic is never logged, e.g. queries to the Amazon DNS server, instance metadata requests and DHCP traffic, so they are not a substitute for packet capture.
You can have flow logs for peered VPCs, but only if the peer VPC is in the same account.
Can be created at 3 levels: VPC, subnet and network interface.
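The "are my security groups restrictive enough" question is answered by reading the records, so here is an added example (not code from the original post) that parses default-format (version 2) flow log records in Python, skips the NODATA/SKIPDATA records that carry no traffic fields, counts rejected probes per port, and flags accepted inbound TCP flows on ports outside an allowlist. The sample records, account ID, ENI ID and addresses are constructed.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed example, not code from the original post: parsing default-format
# (version 2) VPC flow log records and running two simple checks over them.
# The records below are made up; the account ID, ENI and addresses are invented.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49812 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49813 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51000 443 6 20 8800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51001 3389 6 10 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.9 443 51000 6 18 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text: str) -> List[Dict]:
    """Parse space-separated records; NODATA/SKIPDATA records carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                        # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_by_port(records: List[Dict], eni_ip: str) -> Counter:
    """Count REJECTed flows towards the interface per destination port (blocked probes)."""
    return Counter(r["dstport"] for r in records
                   if r["action"] == "REJECT" and r["dstaddr"] == eni_ip)


def unexpected_accepts(records: List[Dict], eni_ip: str,
                       allowed_ports: Set[int]) -> List[Tuple[str, int]]:
    """ACCEPTed TCP flows to the interface on ports outside the allowlist: a sign the
    security group is wider than intended. The instance's own replies are excluded by
    only looking at records whose destination is the interface's address."""
    return sorted({(r["srcaddr"], r["dstport"]) for r in records
                   if r["action"] == "ACCEPT" and r["protocol"] == 6
                   and r["dstaddr"] == eni_ip and r["dstport"] not in allowed_ports})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(rejected_by_port(recs, "10.0.1.20"))                  # Counter({22: 2})
    print(unexpected_accepts(recs, "10.0.1.20", {443}))         # [('203.0.113.9', 3389)]
```

Version 2 records do not carry a flow direction field, which is why the inbound/outbound split here relies on comparing dstaddr with the interface's own address; if you use a custom log format you can request the flow-direction field instead.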
Direct Connect
Directly connects your on-premises data centre to an AWS VPC using a dedicated network connection over standard Ethernet fibre-optic cable, rather than the public internet.
Benefits of using Direct Connect include reduced network costs, more consistent latency and an increase in bandwidth throughput. Note that Direct Connect traffic is not encrypted by default; if you need encryption in transit, run a site-to-site VPN over the connection.
Global Accelerator
Allows you to improve availability and performance of your applications for global users.
Can improve performance by up to 60% as it directs traffic to optimal endpoints to avoid congestion.
You are assigned two static anycast IP addresses; alternatively you can bring your own.
Can automatically mitigate endpoint failure by re-routing traffic to the nearest healthy endpoint.
VPC Endpoint
Allows you to privately connect a VPC to supported AWS services and endpoint services without an internet gateway, NAT device or VPN. Interface endpoints are powered by PrivateLink, so traffic never leaves the AWS network.
3 types:
Interface endpoint → An elastic network interface with a private IP address from your subnet that serves as the entry point for traffic to the service; your instances reach the service over the AWS network via that private IP (the ENI belongs to the endpoint, not to your EC2 instance).
Gateway Load Balancer endpoint → An entry point that intercepts traffic and routes it to appliances (e.g. third-party firewalls) deployed behind a Gateway Load Balancer.
Gateway endpoint → Created as a target in a route table for traffic to the service, similar to how a NAT gateway is a route target; supported only for S3 and DynamoDB, and free of charge.
VPC Private Link
Provides private connections between VPCs, AWS services and on-premises networks.
The best way to expose a service in your VPC to hundreds or thousands of other VPCs.
Keeps your traffic off the public internet and simplifies network management.
Does not require VPC peering, route table changes or NAT gateways, and the consumer VPC's CIDR block may even overlap with yours.
Requires a Network Load Balancer in the service (provider) VPC and creates an elastic network interface, the interface endpoint, in the consumer VPC.
Transit Gateway
Allows transitive routing between VPCs and on-premises data centres through a central hub, so each VPC attaches once instead of being peered with every other VPC.
Works on a regional basis, but transit gateways in different regions can be peered to span multiple regions.
Supports IP multicast, so it can distribute the same content to multiple specific destinations (not supported by any other AWS networking service).
Overall used to simplify network topology.
VPN CloudHub
With multiple sites each on their own VPN connection to the same virtual private gateway, you can use VPN CloudHub to securely connect them to each other as well as to the VPC.
Low cost and easy to manage.
Operates over the public internet, but all traffic is encrypted with IPsec.