Amazon VPC is the networking layer of AWS: it lets you build your own virtual network and launch AWS resources that you define into it. Within a VPC you select the IP address range, create subnets, and configure route tables, network gateways, and security settings. Within a region you can create multiple VPCs, and each VPC is logically isolated from the others even when their IP address ranges overlap.
When you create a VPC, you must specify its IPv4 address range as a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The primary CIDR block cannot be changed after the VPC is created (secondary IPv4 CIDR blocks can be added later, but they must satisfy the same rules). A VPC address range may be as large as /16 (65,536 addresses) or as small as /28 (16 addresses) and should not overlap any network the VPC will be connected to, such as a peered VPC or a corporate network reached over VPN.
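The sizing and no-overlap rules above are easy to check before anything is created. The following script is an added example, not part of the original notes: it validates a candidate VPC CIDR against the /16../28 rule and against the networks it will be connected to (the same overlap rule that VPC peering enforces later on this page), then carves one subnet per Availability Zone. The CIDRs, the corporate range and the zone names in the sample run are constructed; the five reserved addresses per subnet are an AWS rule, not something taken from this page.

```python
"""Check a proposed VPC CIDR against the size and overlap rules above, then carve
one subnet per Availability Zone. Added example; not from the original notes.
CIDRs and zone names in the sample run are constructed."""
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses of every subnet (network address, VPC
# router, DNS, future use) and the last one (broadcast), so usable = size - 5.
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(cidr: str, connected_networks: List[str]) -> List[str]:
    """Return the rule violations for a candidate VPC CIDR (empty means OK).

    Rules: valid IPv4 network with no host bits set; prefix between /16 and /28
    inclusive; no overlap with any network the VPC will be connected to
    (peered VPCs, corporate ranges reachable over VPN or Direct Connect).
    """
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    if net.version != 4:
        return [f"{cidr}: this check covers IPv4 primary CIDR blocks only"]
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{cidr}: prefix /{net.prefixlen} is outside /16../28")
    for other in connected_networks:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{cidr}: overlaps connected network {other}")
    return problems


def carve_subnets(cidr: str, zones: List[str], new_prefix: int) -> Dict[str, dict]:
    """Split the VPC CIDR into equal subnets and assign one to each zone.

    Returns {zone: {"cidr": ..., "usable": ...}}; raises if the subnets would be
    smaller than /28 or the VPC cannot hold one per zone.
    """
    vpc = ipaddress.ip_network(cidr)
    if new_prefix > 28:
        raise ValueError("subnets smaller than /28 are not allowed")
    pieces = list(vpc.subnets(new_prefix=new_prefix))
    if len(pieces) < len(zones):
        raise ValueError(f"{cidr} yields only {len(pieces)} /{new_prefix} subnets")
    return {
        zone: {"cidr": str(subnet),
               "usable": subnet.num_addresses - RESERVED_PER_SUBNET}
        for zone, subnet in zip(zones, pieces)
    }


if __name__ == "__main__":
    corporate = ["10.0.0.0/8"]  # constructed: on-prem range reached over VPN
    for candidate in ["10.1.0.0/16", "172.31.0.0/16", "192.168.0.0/30"]:
        print(candidate, check_vpc_cidr(candidate, corporate) or "ok")
    print(carve_subnets("172.31.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"], 20))
```

Run it against the ranges you actually intend to peer or connect; the overlap check is the one that is painful to discover late, because the primary CIDR cannot be changed once the VPC exists.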
VPC default limits
Most of these are soft limits (adjustable through Service Quotas), and AWS has raised several of them since these notes were written.
- 5 VPCs per region by default.
- Each VPC can have at most 1 Internet gateway and 1 virtual private gateway.
- 200 subnets per VPC by default (raise by requesting a quota increase from AWS).
- 200 network ACLs per VPC by default.
- 200 route tables per VPC by default.
- 500 security groups per VPC by default (this older default has since been raised to 2,500).
- 50 active VPC peering connections per VPC by default (maximum 125).
- 10 VPN connections per virtual private gateway (and therefore per VPC) by default.
Amazon VPC components
Subnets
A subnet is a segment of a VPC's IP address range in which you launch AWS resources such as Amazon EC2 instances and Amazon RDS databases. After creating a VPC, you can add one or more subnets in each Availability Zone. A subnet resides entirely within one Availability Zone and cannot span zones; you can, however, have several subnets in the same Availability Zone. Default VPCs contain one public subnet in every Availability Zone of the region. Subnets are classified by their route tables as follows.
Public subnet: A public subnet is one in which the associated route table directs the subnet's traffic to the VPC's IGW.
Private subnet: A private subnet is one in which the associated route table does not direct the subnet's traffic to the VPC's IGW.
VPN-only subnet: A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the VPC's virtual private gateway (VPG) and has no route to the IGW.
Route tables
A route table contains a set of rules (called routes) that are applied to a subnet and determine where its network traffic is directed. Every route table carries a local route for the VPC's CIDR block; that route is what lets EC2 instances in different subnets of the same VPC communicate with each other. You can modify route tables and add your own custom routes, and you use route tables to decide which subnets are public and which are private.
You should remember the following points about route tables:
- Your VPC has an implicit router.
- Your VPC automatically comes with a main route table that you can modify.
- You can create additional custom route tables for your VPC.
- Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
- A subnet can be associated with only one route table at a time, while a route table can have multiple subnets associated with it.
- You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
- Each route in a table specifies a destination CIDR and a target; when several routes match a destination, the most specific (longest prefix) wins.
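The subnet classification above (public, private, VPN-only) and the association rules just listed (explicit association wins, otherwise the main table) are exactly what you need to audit which subnets of a VPC are exposed. The script below is an added example, not code from the notes: it takes route tables in the shape returned by `aws ec2 describe-route-tables` (trimmed to the fields used here; the table, subnet and gateway IDs are constructed) and classifies each subnet from the targets in the table it actually uses.

```python
"""Classify every subnet in a VPC as public, private or VPN-only from its route
table, using the definitions above. Added example, not from the notes. The route
tables are constructed in the shape of `aws ec2 describe-route-tables` output."""
from typing import Dict, List

# Constructed sample: a main table with NAT egress, a public table with an IGW
# route, and a VPN-only table pointing the corporate range at a VPG (vgw-).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-web-a"},
                         {"Main": False, "SubnetId": "subnet-web-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"},
        ],
    },
    {
        "RouteTableId": "rtb-vpn",
        "Associations": [{"Main": False, "SubnetId": "subnet-db-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-1"},
        ],
    },
]
# subnet-app-a has no explicit association, so it falls back to the main table.
SUBNETS = ["subnet-web-a", "subnet-web-b", "subnet-db-a", "subnet-app-a"]


def table_for_subnet(subnet_id: str, tables: List[dict]) -> dict:
    """Explicit association wins; otherwise the subnet uses the main table."""
    main = None
    for table in tables:
        for assoc in table["Associations"]:
            if assoc.get("Main"):
                main = table
            elif assoc.get("SubnetId") == subnet_id:
                return table
    if main is None:
        raise ValueError("VPC has no main route table")
    return main


def route_target(route: dict) -> str:
    """Return whichever target field the route carries (igw-, vgw-, nat-, ...)."""
    for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                "VpcPeeringConnectionId", "TransitGatewayId"):
        if key in route:
            return route[key]
    return "unknown"


def classify_subnet(subnet_id: str, tables: List[dict]) -> str:
    """Any IGW route makes the subnet public; a VPG route without an IGW route
    makes it VPN-only; everything else (local only, NAT, peering) is private."""
    targets = {route_target(r) for r in table_for_subnet(subnet_id, tables)["Routes"]}
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def audit(subnets: List[str], tables: List[dict]) -> Dict[str, str]:
    return {subnet: classify_subnet(subnet, tables) for subnet in subnets}


if __name__ == "__main__":
    for subnet, kind in audit(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet:14} {kind}")
```

A route to the IGW is necessary but not sufficient for an instance to be reachable from the Internet: it also needs a public or Elastic IP address and permissive security group and network ACL rules, so treat "public" here as "exposed if the instance has a public address".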
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message carries the configuration parameters. AWS automatically creates and associates a DHCP option set with your VPC upon creation and sets two options: domain-name-servers (defaulting to AmazonProvidedDNS) and domain-name (defaulting to the domain name for your region).
The DHCP option set lets you direct EC2 host name and name-server assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and associate it with your VPC. A VPC can have only one option set associated at a time, and instances pick up a change when they renew their DHCP lease. The options are:
- domain-name: the desired domain name (for example, mycompany.com).
- domain-name-servers: the IP addresses of up to four DNS servers, separated by commas, or AmazonProvidedDNS.
- ntp-servers: the IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
- netbios-name-servers: the IP addresses of up to four NetBIOS name servers, separated by commas.
- netbios-node-type: set this value to 2 (point-to-point).
Security Groups
A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and EC2 instances. Every EC2 instance must be launched into at least one security group; if none is specified at launch, the instance is placed in the VPC's default security group. The default security group allows communication between all resources that are members of it, allows all outbound traffic, and denies all other traffic. You may change the rules of the default security group, but you cannot delete it.
- You can create up to 500 security groups per VPC by default (this older default has since been raised to 2,500).
- You can add up to 50 inbound and 50 outbound rules to each security group by default (now 60 per direction).
- You can specify allow rules, but not deny rules. By default, no inbound traffic is allowed until you add inbound rules to the security group.
- By default, new security groups have an outbound rule that allows all outbound traffic.
- Security groups are stateful: the reply to an allowed request is permitted regardless of the rules in the other direction.
- A rule can reference another security group by ID instead of a CIDR, which is the usual way to express "only the web tier may reach the database tier".
Network Access Control Lists (ACLs)
A network access control list (ACL) is another layer of security that acts as a stateless firewall at the subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL; the first matching rule decides, and the final catch-all rule (*) denies anything that no other rule matched.
- The default network ACL, associated with every subnet that has no custom ACL, allows all inbound and outbound traffic.
- A custom network ACL's initial configuration denies all inbound and outbound traffic.
- A network ACL can be associated with multiple subnets, but a subnet can be associated with only one network ACL at a time.
- Because network ACLs are stateless, return traffic must be allowed explicitly: an inbound rule permitting port 443 is useless unless outbound traffic to the client's ephemeral ports (1024-65535) is also allowed.
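The difference between the two layers is easiest to see by pushing the same HTTPS request and its reply through both. The script below is an added example, not code from the notes: the security group and network ACL rule sets, the client and server addresses, and the port numbers are all constructed. The security group deliberately has no outbound rules, to show that the reply still passes because the group is stateful; the first outbound ACL shows the common mistake of allowing port 443 out but forgetting the ephemeral-port rule that the reply actually needs, and the inbound ACL shows a low-numbered deny beating a later allow.

```python
"""Constructed security-group and network-ACL rule sets, evaluated against an
HTTPS request and its reply. Added example; not from the original notes."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class SgRule:          # security groups only have allow rules
    proto: str         # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class AclRule:         # network ACL rules are numbered and carry an action
    number: int
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str        # "allow" or "deny"


def _matches(proto, from_port, to_port, cidr, pkt: Packet, peer: str) -> bool:
    return (proto in ("all", pkt.proto)
            and from_port <= pkt.dport <= to_port
            and ip_address(peer) in ip_network(cidr))


def sg_allows(inbound: List[SgRule], outbound: List[SgRule], pkt: Packet,
              direction: str, tracked: Set[tuple]) -> bool:
    """Stateful: a packet belonging to a flow already allowed in the opposite
    direction passes without consulting the rules. Otherwise only an explicit
    allow rule passes it; there are no deny rules and no match means deny."""
    flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if reverse in tracked:
        return True
    rules, peer = (inbound, pkt.src) if direction == "in" else (outbound, pkt.dst)
    for r in rules:
        if _matches(r.proto, r.from_port, r.to_port, r.cidr, pkt, peer):
            tracked.add(flow)
            return True
    return False


def nacl_allows(rules: List[AclRule], pkt: Packet, direction: str) -> Tuple[bool, Optional[int]]:
    """Stateless: each direction is judged on its own, lowest rule number first,
    first match wins. Returns (allowed, number of the deciding rule); None stands
    for the implicit final '*' rule, which denies."""
    peer = pkt.src if direction == "in" else pkt.dst
    for r in sorted(rules, key=lambda rule: rule.number):
        if _matches(r.proto, r.from_port, r.to_port, r.cidr, pkt, peer):
            return r.action == "allow", r.number
    return False, None


# Constructed rule sets. The security group allows HTTPS in and nothing out,
# to show that the reply still passes because the group is stateful.
SG_IN = [SgRule("tcp", 443, 443, "0.0.0.0/0")]
SG_OUT: List[SgRule] = []
# Inbound ACL: a low-numbered deny for one noisy /24 beats the general allow.
NACL_IN = [AclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
           AclRule(90, "tcp", 443, 443, "203.0.113.0/24", "deny")]
# Outbound ACL as often written by mistake: port 443 is allowed out, but the
# server's reply goes to the client's ephemeral port, so it is dropped.
NACL_OUT_BROKEN = [AclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected outbound ACL: add the ephemeral-port rule a stateless ACL needs.
NACL_OUT_FIXED = NACL_OUT_BROKEN + [AclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


def https_session(sg_in, sg_out, nacl_in, nacl_out,
                  client="198.51.100.7", server="10.0.1.10") -> dict:
    """Push the client's SYN inbound and the server's SYN-ACK outbound through both layers."""
    request = Packet(client, server, "tcp", 50000, 443)
    reply = Packet(server, client, "tcp", 443, 50000)
    tracked: Set[tuple] = set()
    return {
        "sg_request": sg_allows(sg_in, sg_out, request, "in", tracked),
        "sg_reply": sg_allows(sg_in, sg_out, reply, "out", tracked),
        "nacl_request": nacl_allows(nacl_in, request, "in"),
        "nacl_reply": nacl_allows(nacl_out, reply, "out"),
    }


if __name__ == "__main__":
    print("broken ACL: ", https_session(SG_IN, SG_OUT, NACL_IN, NACL_OUT_BROKEN))
    print("fixed ACL:  ", https_session(SG_IN, SG_OUT, NACL_IN, NACL_OUT_FIXED))
    print("blocked /24:", https_session(SG_IN, SG_OUT, NACL_IN, NACL_OUT_FIXED, client="203.0.113.5"))
```

The model is simplified (one protocol, no ICMP, no rule-count limits), but the two behaviours it isolates are the ones that cause real outages: a network ACL that was "opened for HTTPS" but silently drops every reply, and a deny rule that does nothing because a lower-numbered allow is evaluated first.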
Amazon VPC optional components
Internet Gateways (IGWs)
An Internet Gateway (IGW) is a VPC component that allows communication between instances in your VPC and the Internet. An IGW provides a target in your VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
EC2 instances within a VPC are only aware of their private IP addresses. When traffic is sent from an instance to the Internet, the IGW translates the source address to the instance's public IP address (or Elastic IP address, covered later) and maintains the one-to-one mapping between the instance's private IP address and its public IP address. When an instance receives traffic from the Internet, the IGW translates the destination address (the public IP address) to the instance's private IP address and forwards the traffic into the VPC.
To create a public subnet with Internet access you must do the following:
- Attach an IGW to your VPC.
- Create a route in the subnet's route table that sends all non-local traffic (0.0.0.0/0) to the IGW.
- Give each instance that needs to be reachable a public IP address or an Elastic IP address.
- Configure your network ACLs and security group rules to allow the relevant traffic to flow to and from your instance.
Elastic IP (EIP) addresses
An Elastic IP address (EIP) is a static, public IP address from the region's pool that you can allocate to your account (pull from the pool) and release (return to the pool). AWS maintains a pool of public IP addresses in each region and makes them available for you to associate with resources within your VPCs.
You must first allocate an EIP for use within a VPC and then associate it with an instance or network interface. EIPs are specific to a region; an EIP in one region cannot be assigned to an instance in a VPC in a different region.
- There is a one-to-one relationship between network interfaces and EIPs.
- You can move an EIP from one instance to another, either in the same VPC or in a different VPC within the same region.
- EIPs remain allocated to your AWS account until you explicitly release them. AWS charges for EIPs allocated to your account; historically only unassociated EIPs were billed, but since February 2024 every public IPv4 address is billed whether or not it is in use.
Elastic Network Interfaces (ENIs)
An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. ENIs are only available within a VPC, and each is associated with a subnet upon creation. An ENI can have one public IP address and multiple private IP addresses; if there are multiple private IP addresses, one of them is primary. Attaching a second ENI to an instance makes it dual-homed. Security groups are attached to ENIs rather than to instances, so a dual-homed instance can have different security groups on each interface.
- An ENI can be attached to an instance and later detached from it.
- The primary ENI (eth0) is created automatically when an EC2 instance is launched and deleted when the instance is terminated.
- An instance in a VPC always has a primary ENI (eth0) attached, with a private IP address assigned from the subnet's range, and that ENI cannot be detached.
- An ENI can be attached to an instance while it is running (hot attach), while it is stopped (warm attach), or while the instance is being launched (cold attach).
- An ENI in one subnet can be attached to an instance in another subnet, as long as both are in the same Availability Zone and the same VPC.
- Secondary ENIs (ethN) can be detached while the instance is running or stopped.
Network Address Translation (NAT) instances and NAT gateways
By default, an instance launched into a private subnet of a VPC cannot communicate with the Internet through the IGW. This is a problem when instances in private subnets need outbound access to the Internet to apply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to give instances in private subnets outbound Internet access.
NAT Instance
A network address translation (NAT) instance is an EC2 instance built from an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW.
- A NAT instance allows instances in a private subnet to initiate outbound Internet communication but prevents them from receiving inbound connections initiated from the Internet.
- When creating a NAT instance, disable the source/destination check on the instance; otherwise EC2 drops packets whose source or destination is not the instance itself.
- The NAT instance must be in a public subnet and have a public or Elastic IP address.
- The private subnet's route table must have a route (typically 0.0.0.0/0) whose target is the NAT instance.
- The amount of traffic a NAT instance can support depends on the instance size, and the instance itself is a single point of failure that you must patch and monitor.
NAT Gateway
A NAT gateway is an Amazon-managed resource that operates like a NAT instance but is simpler to manage and highly available within an Availability Zone. Because it lives in one Availability Zone, create a NAT gateway in each Availability Zone you use and route each private subnet to the gateway in its own zone; otherwise an outage of that zone takes the other zones' Internet access down with it.
- Less administrative effort than NAT instances.
- Scales automatically with traffic (the 10 Gbps ceiling given in older documentation has since been raised) and is not associated with a security group.
- A public NAT gateway uses an Elastic IP address that you allocate and specify when you create it.
- No need to disable the source/destination check.
- Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway.
Virtual Private Gateways (VPGs) and Customer Gateways (CGWs)
A VPN connection between a corporate network and a VPC has two components:
- Virtual Private Gateway (VPG, written VGW in AWS documentation): the VPN concentrator on the AWS side of the VPN connection between the two networks.
- Customer Gateway (CGW): represents the physical device or software application on the customer side of the VPN connection.
Peering
An Amazon VPC peering connection is a networking connection between two VPCs that enables instances in either VPC to communicate with each other as if they were within the same network. You can create a peering connection between your own VPCs or with a VPC in another AWS account.
A peering connection is neither a gateway nor a VPN connection and does not introduce a single point of failure for communication. Peering is not transitive: if VPC A is peered with B and B with C, A cannot reach C through B.
- You cannot create a peering connection between VPCs that have matching or overlapping CIDR blocks.
- Peering connections can be created between VPCs in different regions (inter-region VPC peering); the older restriction to a single region no longer applies.
- You cannot have more than one peering connection between the same two VPCs at the same time.
- Each VPC still needs a route pointing the peer's CIDR at the peering connection, and security groups in the peer VPC must allow the traffic.
Endpoints
An Amazon VPC endpoint creates a private connection between your VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect.
- Instances in the VPC do not need public IP addresses to communicate with the service.
- Create the endpoint in the same region as your bucket; endpoints do not support cross-region requests.
- Gateway endpoints, the type described in these notes, are supported for Amazon S3 and DynamoDB; interface endpoints (AWS PrivateLink) cover most other services and appear as an ENI with a private IP address in your subnet.
- Multiple endpoint routes to different services can be specified in a route table.
- Multiple endpoint routes to the same service can be specified in different route tables.
- You cannot have multiple endpoints to the same service in a single route table.
- Security groups need to allow outbound traffic from the instances to the service specified in the endpoint (for S3 the destination is the service's prefix list, not a fixed CIDR).
- A route to the service's prefix list, targeting the endpoint, is automatically added to the route tables you select when creating the endpoint.
- An endpoint policy can restrict which buckets or tables are reachable through the endpoint, and a bucket policy can require that requests arrive through the endpoint.