The Amazon Virtual Private Cloud(Amazon VPC)is a custom-defined virtual network with in the AWS Cloud.You can provision your own logically isolated section of AWS,similar to designing and implementing a separate independent network that would operate in an on premises data center. Amazon VPC is the networking layer for Amazon Elastic Compute Cloud(Amazon EC2),and it allows you to build your own virtual network within AWS.
You will have complete control over your virtual networking environment,including selection of your own IP address range,creation of subnets,and configuration of route tables and network gateways.
You can easily customize the network configuration for your Amazon Virtual Private Cloud.
For example,you can create a public-facing subnet for your web servers that has access to the Internet,and place your backend systems such as databases or application servers in a private- facing subnet with no Internet access.
VPCs also have a few limits set on them by default.For example,you can have a maximum of five
VPCs per region.
Each VPC can have a max of one Internet gateway as well as one virtual private gateway.Also,each VPC has a limit of hosting a maximum of up to 200 subnets per VPC. You can increase these limit by simply requesting AWS to do so.
Dynamic Host Configuration Protocol(DHCP) option sets
Network Access Control Lists(ACLs)
An Amazon Virtual Private Cloud has the following optional components:
Elastic IP (EIP)addresses
Elastic Network Interfaces(ENIs)
Network Address Translation(NATs) instances and NAT gateways.
Virtual Private Gateway (VPG), Customer Gateways (CGWs), and Virtual Private Networks (VPNs).
By default,AWS will create a Virtual Private Cloud for you in your particular region the first time you sign up for the service.This is called as the default VPC. The default Virtual Private Cloud comes pre configured with the following set of configurations
The default Virtual Private Cloud is always created with a CID R block of/16,which means it supports 65,536 IP addresses in it.A default subnet is created in each AZ of your selected region.Instances launched in these default subnets have both a public and a private IP address by default as well.An Internet Gateway is provided to the default VPC for instances to have Internet connectivity.A few necessary route tables,security groups,and ACLs are also created by default that enable the instance traffic to pass through to the Internet.Refer to the following figure:
Classless Inter-Domain Routing(CIDR):
When you create an Amazon Virtual Private Cloud ,you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing(CIDR)block,such as 10.0.0.0/16.The address range of the Amazon VPC can not be changed after the Amazon VPC is created.An Amazon VPC address range may be as large as/16(65,536 available addresses)or as small as/28(16 available addresses) and should not overlap any other network with which they are to be connected.
A subnet is a segment of an Amazon Virtual Private Cloud ’s IP address range where you can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources.
After creating an Amazon Virtual Private Cloud ,you can add one or more subnets in each Availability Zone. Subnets reside with in one Availability Zone and can not span zones.
Remember that one subnet equals one Availability Zone You can,however,have multiple subnets in one Availability Zone.
Subnets can be classified as public, private, or VPN-only.
A public subnet is one in which the associated route table directs the subnet’s traffic to the Amazon VPC’s IGW.
A private subnet is one in which the associated route table does not direct the subnet’s traffic to the Amazon VPC’s IGW.
A VPN-only subnet is one in which the associated route table directs the subnet’s traffic to the Amazon VPC’s VPG and does not have a route to the IGW.
A route table is a logical construct with in an Amazon VPC that contains a set of rules(called routes) that are applied to the subnet and used to determine where network traffic is directed.
You can modify route tables and add your own custom routes.
You can also use route tables to specify which subnets are public(by directing Internet traffic to the IGW) and which subnets are private(by not having a route that directs traffic to the IGW).
Each route table contains a default route called the local route, which enables communication within the Amazon VPC, and this route cannot be modified or removed.
Additional route scan be added to direct traffic to exit the Amazon VPC via the IGW, the VPG,or the NAT instance.
You should remember the following points about route tables:
Your VPC has an implicit router.
Your VPC automatically comes with a main route table that you can modify.
You can create additional custom route tables for your VPC.
Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet uses the main route table.
You can replace the main route table with a custom table that you’ve created so that each new subnet is automatically associated with it.
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet.
Amazon EC2 instances with in an Amazon VPC are only aware of their private IP addresses.When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance’s public IP address(or EIP address,covered later)and maintains the one-to-one map of the instance private IP address and public IP address.
When an instance receives traffic from the Internet,the IGW translates the destination address (public IP address)to the instance’s private IP address and forwards the traffic to the Amazon VPC
You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC
Create a subnet route table rule to send all non-local traffic(0.0.0.0/0)to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.
An Elastic IP Addresses(EIP)is a static,public IP address in the pool for the region that you can allocate to your account(pull from the pool)and release(return to the pool).
AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs.
EIPs are specific to a region(that is,an EIP in one region can not be as signed to an instance with in an Amazon VPC in a different region).
There is a one-to-one relationship between network interfaces and EIPs.
You can move EIPs from one instance to another,either in the same Amazon VPC or a different Amazon VPC with in the same region.
EIPs remain associated with your AWS account until you explicitly release them.
There are charges for EIPs allocated to your account,even when they are not associated with are source.
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are with in the same network.You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account with in a single region.
An Amazon VPC may have multiple peering connections,and peering is a one-to-one relationship between Amazon VPCs,meaning two Amazon VPCs can not have two peering agreements between them.
Peering connections are created through a request/accept protocol. The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC.If the peer Amazon VPC is with in the same account,it is identified by its VPC ID.If the peer VPC is with in a different account, it is identified by Account ID and VPC ID.The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.
You can not create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
You can not create a peering connection between Amazon VPCs in different regions.
Amazon VPC peering connections do not support transitive routing.
You can not have more than one peering connection between the same two Amazon VPCs at the same time.
A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level.
A network ACL is a numbered list of rules that AWS evaluates in order,starting with the lowest numbered rule,to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Here is a small example of how ACL looks like
When you create a custom network ACL,its initial configuration will deny all inbound and out bound traffic until you create rules that allow otherwise.
|Security Group||Network ACL|
|Operates at the instance level (first layer of defense)||Operates at the subnet level(second layer of defense)|
|Supports allow rules only||Supports allow rules and deny rules|
|Stateful:Returntrafficis automaticallyallowed, regardlessofanyrules||Stateless: Return traffic must be explicitly allowed by rules|
|AWS evaluates all rules before deciding whether to allow traffic||AWS processes rules in number order when deciding whether toallow traffic.|
|Applied selectively to individual instances||Automatically applied to all instances in the associated subnets; this is a backup layer of defense,so you don’t have to rely on someone specifying the security group.|
Network Address Translation (NAT) Instances and NAT Gateways
By default,any instance that you launch into a private subnet in an Amazon Virtual Private Cloud is not able to communicate with the Internet through the IGW. AWS provides NAT instances and NAT gate ways to allow instances deployed in private subnets to gain Internet access.
A network address translation(NAT)instance is an Amazon Linux Amazon Machine Image(AMI)that is designed to accept traffic from instances with in a private subnet,translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW.
NAT Instances allows in private subnets to send out bound Internet communication,but it prevents the instances from receiving inbound traffic initiated by someone on the Internet.
Create a security group for the NAT without bound rules that specify the needed Internet resources by port,protocol,and IP address.
Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
Disable the Source/Destination Check attribute of the NAT.
ConfiguretheroutetableassociatedwithaprivatesubnettodirectInternet-boundtraffic totheNATinstance(for example,i-1a2b3c4d).
A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance,but it is simpler to manage and highly available with in an Availability Zone.
Allocate an EIP and associate it with the NAT gateway.
Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway.
You can connect an existing data center to Amazon VPC using either hardware or software VPN connections,which will make Amazon VPC an extension of the data center. Amazon VPC offers two ways to connect a corporate network to a VPC :VPG and CGW.
A virtual private gateway: VPG is the virtual private network(VPN) concentrator on the AWS side of the VPN connection between the two networks.
A customer gateway (CGW) represents a physical device or a software application on the customer’s side of the VPN connection.
VPC with a single public subnet: This is by far the simplest of the four deployment scenarios.Using this scenario,we will get a VPC will provision a single public subnet with a default Internet Gateway attached to it.The subnet will also have a few simple and basic route tables,security groups, and network ACLs created. This type of deployment is ideal for small-scaled web applications or simple websites that don’t require any separate application or subnet tiers.
VPC with public and private subnets and hardware VPN access: This deployment scenario is very much similar to the VPC with public and private subnets,however,with one component added additionally,which is the Virtual Private Gateway.This Virtual Private Gateway connects to your on premise network’s gateway using a standard VPN connection.This type of deployment is well suited for organizations that wish to extend their on premise data centers and networks in to the public clouds while allowing their instances to communicate with the Internet.
VPC with a private subnet only and hardware VPN access:Unlike the previous deployment scenario,this scenario only provides you with a private subnet that can connect to your on premise data centers using standard VPN connections.There is no Internet Gateway provided and thus your instances remain isolated from the Internet.This deployment scenario is ideal for cases where you wish to extend your on premise data centers into the public cloud but do not wish your instances to have any communication with the outside world.
More Information :https://www.fgrade.com/amazon-web-services/