Amazon Virtual Private Cloud
AWS accounts that support EC2-VPC have a default VPC in each Region, with a default subnet in each AZ. The default VPC is assigned the CIDR block 172.31.0.0/16.
An Amazon VPC consists of the following components:
- Subnets
- Route tables
- Dynamic Host Configuration Protocol (DHCP) option sets
- Security groups
- Network Access Control Lists (ACLs)
An Amazon VPC has the following optional components:
- Internet Gateways (IGWs)
- Elastic IP Addresses (EIPs)
- Elastic Network Interfaces (ENIs)
- Endpoints
- Peering connections
- Network Address Translation (NAT) instances and NAT gateways
- Virtual Private Gateways (VPGs), Customer Gateways (CGWs) and Virtual Private Networks (VPNs)
Subnets
A subnet is a segment of an Amazon VPC's IP address range where you can launch Amazon EC2, RDS and other AWS resources.
- The smallest subnet you can define is /28 (16 IP addresses). AWS reserves the first four IP addresses and the last IP address of every subnet for internal networking purposes. The default Amazon VPC contains one public subnet in each AZ within the Region, each with a /20 mask.
- A subnet resides in exactly one AZ and cannot span AZs, but one AZ can contain multiple subnets.
- Subnets are classified as public, private or VPN-only:
  - A public subnet is one whose associated route table directs the subnet's traffic to an IGW.
  - A private subnet is one whose associated route table does not direct the subnet's traffic to an IGW.
  - A VPN-only subnet is one whose associated route table directs the subnet's traffic to the VPC's VPG and has no route to an IGW.
Route Tables
- Each route table contains a default route, the local route, which enables communication within the VPC; this route cannot be removed or modified.
- A VPC has an implicit router.
- A VPC automatically comes with a main route table that you can modify.
- Additional route tables can be created for your VPC.
- Each subnet must be associated with a route table. If you do not explicitly associate a subnet with a particular route table, the subnet uses the main route table.
- You can replace the main route table with a custom route table so that each new subnet is associated with it automatically.
- Each route in a table specifies a destination CIDR and a target. AWS uses the most specific route that matches the traffic (longest prefix match) to determine how to route it.
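As an added example (not part of the original notes), the following Python models two things described above: the most-specific-route lookup over a constructed route table whose target IDs (igw-, vgw-, pcx-) are placeholders, and the public / private / VPN-only classification of a subnet from the targets in its route table, plus the reserved-address arithmetic for the /28 minimum.

```python
import ipaddress

# Constructed route table for a VPC with CIDR 172.31.0.0/16 (the default VPC
# block in these notes). Every route table carries the non-removable "local"
# route; the other entries are optional. Target IDs are placeholders.
ROUTE_TABLE = [
    ("172.31.0.0/16", "local"),
    ("10.20.0.0/16", "pcx-PLACEHOLDER"),  # peering connection to another VPC
    ("10.20.5.0/24", "vgw-PLACEHOLDER"),  # more specific: wins over the /16 above
    ("0.0.0.0/0", "igw-PLACEHOLDER"),     # default route to the internet gateway
]


def lookup(route_table, dst_ip):
    """Return the target for dst_ip using the most specific (longest prefix) match.

    Returns None when no route matches, i.e. the packet is dropped.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """Classify a subnet by its route table, following the definitions in the notes."""
    targets = [target for _, target in route_table]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def usable_addresses(cidr):
    """Addresses left for your resources after AWS reserves the first four
    and the last address of the subnet. /28 is the smallest subnet allowed;
    the /16 upper bound is the VPC block limit (not stated in these notes)."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: subnet prefix must be between /16 and /28")
    return net.num_addresses - 5
```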
Internet Gateway (IGW)
An IGW allows communication between instances in a VPC and the internet. It provides a target in a route table for internet-routable traffic and performs network address translation for instances that have been assigned public IP addresses.
To create a public subnet with internet access you must:
- Attach an IGW to the VPC.
- Create a route in the subnet's route table that sends all non-local traffic (0.0.0.0/0) to the IGW.
- Confirm that network ACLs and security group rules allow the relevant traffic to flow to and from your instances.
- Assign a public IP address or EIP to the instances.
Dynamic Host Configuration Protocol (DHCP) Option Sets
AWS automatically creates and associates a DHCP option set with a VPC upon creation and sets two options (domain-name-servers and domain-name). Every Amazon VPC must have exactly one DHCP option set assigned to it. The available options are:
- domain-name-servers: the IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
- domain-name: the desired domain name; defaults to the domain name of the Region.
- ntp-servers: the IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
- netbios-name-servers: the IP addresses of up to four NetBIOS name servers, separated by commas.
- netbios-node-type: set this value to 2.
Elastic IP Addresses (EIPs)
- You must first allocate an EIP for use within a VPC and then assign it to an instance.
- EIPs are specific to a Region.
- There is a one-to-one relationship between network interfaces and EIPs.
- You can move an EIP from one instance to another, either in the same VPC or in a different VPC within the same Region.
- EIPs remain associated with your AWS account until you explicitly release them.
- There are charges for EIPs allocated to your account, even when they are not associated with a resource.
- An EIP does not incur charges as long as all of the following conditions are true:
  - The EIP is associated with an EC2 instance.
  - The instance associated with the EIP is running.
  - The instance has only one EIP attached to it.
Elastic Network Interfaces (ENIs)
- An ENI is associated with a subnet upon creation. It can have only one public IP address but multiple private IP addresses (one of the private IPs is the primary).
- Multiple network interfaces can be attached to the same instance, making the instance dual-homed.
- An ENI created independently of a particular instance persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, the IP address may be preserved by attaching the ENI to a replacement instance.
Endpoints
VPC endpoints enable a private connection between a VPC and supported AWS services, or endpoint services powered by PrivateLink, without requiring an IGW, NAT device, VPN connection or AWS Direct Connect connection. Instances in your VPC do not need public IP addresses.
There are two types of endpoints:
- gateway endpoints
- interface endpoints
Gateway Endpoint
A gateway endpoint is a gateway that you specify as the target for a route in a route table, for traffic destined to a supported AWS service. The following AWS services are supported:
- Amazon S3
- DynamoDB
Steps:
- Specify the VPC in which to create the endpoint and the service to which you are connecting.
- Attach an endpoint policy to the endpoint that allows access to some or all of the service to which you're connecting.
- Specify one or more route tables in which to create routes to the service.
Configuration
- An endpoint requires the VPC and the service to be accessed through the endpoint.
- The endpoint must be associated with a route table. That route table cannot be modified to remove the route entry; the entry can only be removed by deleting the endpoint's association with the route table.
  A route is automatically added to the route table with a destination that specifies the prefix list of the service and a target of the endpoint ID. For example, a route with destination pl-68a54001 (com.amazonaws.us-west-2.s3) and target set to the endpoint's ID (e.g. vpce-12345678) is added to the route tables.
- Access to resources in the service can be controlled by endpoint policies.
- Security groups need to be modified to allow outbound traffic from the VPC to the service specified in the endpoint. Use the service prefix list (e.g. com.amazonaws.us-east-1.s3) as the destination in the outbound rule.
- Multiple endpoints can be created in a single VPC, e.g. to multiple services.
- Multiple endpoints can be created for a single service, with different route tables used to enforce different access policies from different subnets to the same service.
- Multiple endpoints to the same service CANNOT be specified in a single route table.
Limitations
- An endpoint cannot be created between a VPC and an AWS service in a different Region.
- Endpoints support IPv4 traffic only.
- An endpoint cannot be transferred from one VPC to another, or from one service to another.
- Endpoint connections cannot be extended outside a VPC, i.e. resources across a VPN connection, VPC peering connection or AWS Direct Connect connection cannot use the endpoint.
Interface Endpoint
Configurations
- A VPC interface endpoint enables connectivity to services powered by AWS PrivateLink.
- Services include some AWS services (e.g. CloudTrail, CloudWatch), services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
Limitations
- For each interface endpoint, only one subnet per Availability Zone can be selected.
- Each interface endpoint can support a bandwidth of up to 10 Gbps per Availability Zone by default. Additional capacity may be added automatically based on your usage.
- Network ACLs or security groups for the subnet can restrict traffic and need to be configured properly.
- Interface endpoints support TCP traffic only.
- Endpoints are supported within the same region only.
- Endpoints support IPv4 traffic only.
- Endpoints cannot be transferred from one VPC to another, or from one service to another.
Peering
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network.
You can create a VPC peering connection:
- between your own VPCs,
- with a VPC in another AWS account, or
- with a VPC in a different AWS Region.
Limitations
- You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
- Amazon VPC peering connections do not support transitive routing.
- You cannot have more than one peering connection between the same two Amazon VPCs at the same time.
Security Group
- There are quotas on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface.
- You can specify allow rules but not deny rules.
- A newly created security group has no inbound rules.
- By default, a security group includes an outbound rule that allows all outbound traffic.
- Security groups are stateful: return traffic for an allowed request is permitted automatically.
- By default, when you create a network interface, it’s associated with the default security group for the VPC, unless you specify a different security group.
- Instances associated with the same security group can't talk to each other unless you add rules allowing it (with the exception of the default security group).
- You can change the security groups with which an instance is associated after launch, and the changes take effect immediately.
Network ACL (Network Access Control List)
A network access control list (ACL) is another layer of security that acts as a stateless firewall at the subnet level.
- A modifiable default network ACL is created automatically on creation of VPC. It allows all inbound and outbound traffic by default.
- You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- You can associate a network ACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.
- A network ACL contains a numbered list of rules. Rules are evaluated in order, starting with the lowest-numbered rule; the first rule that matches the traffic is applied.
- A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
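An added example (not part of the original notes) that evaluates a constructed network ACL the way the notes describe: numbered rules tried lowest first, first match wins, then the catch-all deny. It also shows the consequence of the ACL being stateless: a connection only works if the outbound rules allow the reply to the client's ephemeral port. All rule numbers, ports and addresses are made up.

```python
import ipaddress

# Constructed custom network ACL for a subnet hosting an HTTPS service with
# SSH restricted to one administrative range (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). Custom ACLs start out denying
# everything; AWS appends a final "*" catch-all deny to every ACL.
# Rule shape: (number, protocol, (from_port, to_port), cidr, action).
INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (22, 22), "203.0.113.0/24", "allow"),  # admin range, tried before 120
    (120, "tcp", (22, 22), "0.0.0.0/0", "deny"),
    ("*", "all", (0, 65535), "0.0.0.0/0", "deny"),
]
OUTBOUND = [
    # Stateless: replies to inbound connections only leave the subnet if the
    # clients' ephemeral source ports are explicitly allowed outbound.
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
    ("*", "all", (0, 65535), "0.0.0.0/0", "deny"),
]


def evaluate(rules, protocol, port, remote_ip):
    """Return (action, rule_number) of the first matching rule.

    Numbered rules are tried lowest first; the '*' rule is tried last.
    """
    ip = ipaddress.ip_address(remote_ip)
    numbered = sorted((r for r in rules if r[0] != "*"), key=lambda r: r[0])
    catch_all = [r for r in rules if r[0] == "*"]
    for number, proto, (lo, hi), cidr, action in numbered + catch_all:
        if (proto in ("all", protocol) and lo <= port <= hi
                and ip in ipaddress.ip_network(cidr)):
            return action, number
    return "deny", "*"  # only reached if the '*' rule were missing


def connection_allowed(client_ip, dst_port, client_port):
    """A TCP connection through a stateless ACL needs both directions allowed:
    the request inbound on dst_port and the reply outbound to client_port."""
    inbound, _ = evaluate(INBOUND, "tcp", dst_port, client_ip)
    outbound, _ = evaluate(OUTBOUND, "tcp", client_port, client_ip)
    return inbound == "allow" and outbound == "allow"
```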
NAT Instances and NAT Gateways
Use NAT devices to enable instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating connections to those instances.
AWS offers two types of NAT devices:
- NAT instance
- NAT gateway
The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than a NAT instance.
NAT Instance
A NAT instance is launched from a NAT AMI (these AMIs have the string amzn-ami-vpc-nat in their names).
It accepts traffic from instances in a private subnet, translates the source IP address to the public IP address of the NAT instance and forwards the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic so that response traffic from the internet is returned to the proper instance in the private subnet.
To create a NAT instance, you must:
- Create a NATSG security group for the NAT instance with outbound rules that specify the needed internet resources by port, protocol and IP address.
- Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
- Disable the Source/Destination Check attribute of the NAT instance.
- Configure the route table associated with the private subnet to direct internet-bound traffic to the NAT instance.
- Allocate an EIP and associate it with the NAT instance IF you did not assign a public IP address to the NAT instance during launch.
NAT Gateways
To allow instances within a private subnet to access internet resources through the IGW via a NAT gateway, you must do the following:
- Specify the public subnet in which the NAT gateway should reside.
- Configure the route table associated with the private subnet to direct internet-bound traffic to the NAT gateway.
- Allocate an EIP and associate it with the NAT gateway.
VPN Connections
| VPN Connection Option | Description |
| --- | --- |
| AWS Site-to-Site VPN | On the AWS side of the Site-to-Site VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the Site-to-Site VPN connection. |
| AWS Client VPN | AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With AWS Client VPN, you configure an endpoint to which your users connect to establish a secure TLS VPN session. This enables clients to access resources in AWS or in an on-premises network from any location using an OpenVPN-based VPN client. |
| AWS VPN CloudHub | If you have more than one remote network (for example, multiple branch offices), you can create multiple AWS Site-to-Site VPN connections via your virtual private gateway to enable communication between these networks. |
| Third-party software VPN appliance | You can create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that runs a third-party software VPN appliance. |