Chloe McAree (McAteer)
Published on

AWS Virtual Private Cloud (VPC)


This is part of a blog series giving a high level overview of the different services examined on the AWS Solution Architect Associate exam, to view the whole series click here.

VPC Summary

VPC Logo

  • A VPC is a logically separated section of AWS for you to launch resources in a network you define.

  • VPC’s consist of an internet gateway or virtual private gateway, subnets, route tables, network access control lists and security groups.

  • A subnet is a range of IP addresses within your VPC. A subnet can not span multiple availability zones.

  • When we create a VPC, the following are created by default: a route table, network access control list and security group.

  • Subnets or internet gateway are not created by default.

  • Auto assigning a public IP Address is turned off by default, this will need to be updated if you want a public subnet.

  • You can only have one internet gateway in your VPC

  • You are not charged for using a VPC, however you are charged for the components used within it e.g. gateway, traffic monitoring etc.

  • One way to save costs when it comes to networking is to use private IP addresses instead of public IP addresses as they utilise the AWS Backbone network.

  • If you want to cut all network costs, group all EC2 instances in same AZ and use private IP addresses.

  • You can have 5 VPCs per AWS region.

Connecting to a VPC

There are two ways to connect into a VPC:

  1. Virtual Private Gateway

  2. Internet Gateway

What you can do with VPC

  • Launch instances

  • Assign custom IP address ranges

  • Configure route tables between subnets

VPC IP Ranges

  • Amazon don’t allow /8 prefix as it is too large — the largest they allow is /16

  • AWS will always reserve 5 IP Addresses within a CIDR block for:

  1. Network Address

  2. Router Address

  3. DNS Server Address

  4. Broadcast address

  5. 1 more for future use

  • These are the first four IP addresses and the last IP address

VPC Peering

  • This is a connection between VPCs, that allows you to route traffic between them using private IP addresses.

  • The peering connections allow instances to operate as if they were in the same network.

  • It is possible to peer with another AWS account or region.

  • Peering connections have to be one-to-one relationships. There is no transitive peering, so you can’t transit between one VPC to connect to another — each VPC has to be directly connected to another.

Types of tenancy

On set up of your VPC you will be asked to choose either:

  1. Dedicated → Everything on dedicated hardware (Very expensive)

  2. Default → multi-tenant share underlying hardware with other AWS customers

Network Access Control Lists (NACL)

  • Extra layer of security for your VPC as it can be used to control the traffic in and out of subnets.

  • Similar to security groups, as they contain rules, but you can you can block IP addresses with a NACL, unlike with security groups.

  • A NACL can be associated with many Subnets, but a subnet can only have one NACL

  • NACL are stateless, meaning they can have separate inbound and outbound rules, again unlike with security groups.

Route Table

  • A route table is created by default with your VPC.

  • Allows subnets to talk to each other. It is a set of rules that determines where the network traffic is directed.

  • Every subnet within your VPC must be associated with a route table.

  • By default your subnets are associated with the main route table, but this can be a security risk e.g. if you were to put a route out to the public internet in the route table all subnets would automatically be made public.

  • To resolve this — keep main route table as private and then have separate route tables that use the main one, but have additional routes.

Internet Gateways

  • Allows your VPC to communicate with the internet.

  • For internet communication, you must set up a route in your route table that directs traffic to the Internet Gateway.

  • Performs network address translation for instances.

Network Address Translation (NAT) Gateways/ Instances

  • NAT gateways/instances provides private subnets access to internet traffic, but ensures internet traffic does not initiate a connection with the instances.

  • For example this can enable our EC2 Instances in a private subnet to go out and download software by communicating with our Internet Gateway.

  • The NAT gateway or instance must live in a public subnet and then for a private subnet to connect to it, the private subnet must have a route in its route table that directs traffic to it.

NAT Instances

  • Since NAT Instances send and receive traffic from different sources/destinations, it can cause some issues as EC2 does source/destination checks automatically — so when using a NAT Instance you need to disable source/destination checks on the EC2 instance when creating it.

  • NAT instances are managed by you.

  • You can associate them with security groups to control inbound and outbound traffic.

NAT Gateway

  • NAT Gateways are preferred by enterprise as they are highly available, can scale and are managed by AWS.

  • Can not be associated with security groups, but you can associate the resources behind the NAT Gateway with security groups.

  • Automatically assigned public IP Address

  • For NAT Gateways you don’t need to worry about disabling source & destination checks on the instance.

  • You can create an AZ independent architecture with Network Gateways to reduce the risks of failures. This can be done by creating a NAT Gateway in each AZ and then configuring the routing to ensure resources in the same NAT Gateway are in the same AZ.

VPC Flow Logs

  • Capture information about IP traffic entering and leaving interfaces in your VPC.

  • You can publish these flow logs with CloudWatch or S3.

  • They allow you to monitor the traffic reaching your instances and can help you see if your security groups are restrictive enough.

  • Flow logs do not impact latency or network throughput as they are collected outside the path of your network traffic.

  • You can have flow logs for peered VPCs, but only if they are in same account.

  • Can be created at 3 levels: VPC, Subnet, Network Interface level.

Direct Connect

  • Directly connects your on-premise datacenter to an AWS VPC using a dedicated network connection over a standard ethernet fiber-optic cable.

  • Benefits of using Direct Connect includes: reduced network costs and increase in bandwidth throughput.

Global Accelerator

  • Allows you to improve availability and performance of your applications for global users.

  • Can improve performance by up to 60% as it directs traffic to optimal endpoints to avoid congestion.

  • You are assigned two static IP address — alternately you can bring your own.

  • Can automatically mitigate endpoint failure by re-routing traffic to nearest healthy endpoint.

VPC Endpoint

Allows you to privately connect a VPC to other AWS resources and it is powered by Private Link, so traffic never leaves the AWS Network.

3 types:

  1. Interface endpoint →Attach an elastic network interface with a private IP address onto your EC2 instance for it to communicate to services using AWS network.

  2. Gateway Load Balancer endpoints → Is an entry point that intercepts traffic and routes it to services configured using Gateway Load Balancers.

  3. Gateway endpoints →Create it as a route table target for traffic to services, like NAT gateways — its supported for only S3 & Dynamo.

  • Provides private connections between VPC’s, AWS services and on-premise networks.

  • Best way to expose your VPC to hundreds or thousands of other VPC’s.

  • Can secure your traffic and simplify network management.

  • Doesn’t require VPC peering, route tables or NAT gateways

  • Requires Network Load Balancer on the service VPC and an elastic network interface on the customer VPC.

Transit Gateway

  • Allows transitive peering between VPCs and on-premises data centres through a central hub.

  • Works on regional bases but can span multiple regions.

  • Supports IP Multicast, so can distribute the same content to multiple specific destinations (NOT supported by any other service)

  • Overall used to simplify network typology.

VPN CloudHub

  • With multiple sites all on different VPN connections, you can use VPN CloudHub to securely connect them.

  • Low cost easy to manage.

  • Operates over public internet, but all traffic is encrypted.