Virtual Private Clouds (VPC)

  1. A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can configure your VPC by modifying its IP address range, creating subnets, and configuring route tables, network gateways, and security settings.
  2. Can span multiple AZs, but can't span multiple regions.
  3. Every region has one default VPC for your account.
  4. A VPC contains a default route table and a default network ACL, which are associated with every new subnet by default.
  5. A VPC has to be assigned a CIDR block (a range of private IPs). A custom VPC can have a CIDR from a maximum of /16, which is 2^16 = 65536 addressable IPs, down to a minimum of /28, which is 2^4 = 16 addressable IPs.
  6. When you create a custom VPC, AWS creates a default security group, default network ACL and default route table; it doesn't create a default subnet though.
  7. Subnets are logical groups of private IP addresses, represented by a CIDR that is a subset of the VPC CIDR.
    1. You can assign a custom route table to your newly created subnets.
    2. EC2 instances are launched into a subnet.
    3. A VPC can have up to 200 subnets, and you can request AWS Support to increase this limit.
    4. One subnet resides in one AZ, unlike security groups, NACLs, route tables and VPCs, which span multiple AZs within the region.
    5. The smallest subnet CIDR is /28, which is 2^4 - 5 = 11 usable IP addresses. Remember that in every subnet, five IPs (the first four and the last one) are reserved by AWS, leaving the remaining IPs assignable to resources.
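The sizing rules above (VPC CIDR between /16 and /28, subnet no smaller than /28, five addresses reserved per subnet, subnet CIDR inside the VPC CIDR) are easy to get wrong when planning address space. The following is an added example, not code from the original notes or from AWS; it uses only the Python standard library `ipaddress` module, and the VPC and subnet ranges it checks are constructed values.

```python
import ipaddress

# Limits as stated in the notes (assumed here as constants): a VPC CIDR may be
# no larger than /16 and no smaller than /28; a subnet may be no smaller than
# /28. AWS reserves the first four addresses and the last address of a subnet.
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28
SUBNET_MAX_PREFIX = 28
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the VPC network if its prefix length lies within /16../28."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError("VPC CIDR %s must be between /16 and /28" % cidr)
    return net


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in a subnet: the first four and the last."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    addrs = list(subnet)  # every address in the block, network address first
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def usable_addresses(subnet_cidr):
    """Assignable addresses in a subnet: the block size minus the five reserved."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if subnet.prefixlen > SUBNET_MAX_PREFIX:
        raise ValueError("subnet %s is smaller than /28" % subnet_cidr)
    return subnet.num_addresses - RESERVED_PER_SUBNET


def validate_subnet(vpc_cidr, subnet_cidr):
    """Check that the subnet lies inside the VPC CIDR and return its usable count."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not subnet.subnet_of(vpc):
        raise ValueError("subnet %s is not inside VPC %s" % (subnet_cidr, vpc_cidr))
    return usable_addresses(subnet_cidr)


if __name__ == "__main__":
    # Constructed ranges for demonstration.
    print(validate_subnet("10.0.0.0/16", "10.0.1.0/24"))   # 251 usable addresses
    print(reserved_addresses("10.0.1.0/28"))               # .0 .1 .2 .3 and .15
```

The `strict=True` argument makes `ip_network` reject a CIDR whose host bits are set (for example `10.0.1.5/24`), which is the same check the VPC console performs when you type a block.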
  8. Network ACL: A network access control list (ACL) is an optional layer of security for your VPC that acts as a virtual firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
  9. Three types of subnets are possible:
    1. If the assigned route table points 0.0.0.0/0 to an internet gateway (one IGW per VPC), the subnet is a public subnet.
    2. If the route table points 0.0.0.0/0 to a NAT, it is a private subnet.
    3. If the route table points 0.0.0.0/0 to a virtual private gateway (VPG), it is a VPN-only subnet.
  10. DHCP option set
    1. A VPC points to a default DHCP option set.
    2. Using it you can have DNS names assigned to private IPs.
    3. Only one DHCP option set can be active at any given time for a VPC.
    4. DHCP option sets can't be edited after creation.
    5. DHCP option sets are associated with your AWS account, so you can use them across all of your virtual private clouds (VPCs).
  11. Route tables:
    1. A route table has OUTbound records telling where outbound traffic from a subnet is going (remember it easily as rOUTe table). (No mention of inbound traffic; only outbound traffic.)
    2. A route contains D/T records: a Destination (IP range CIDR) and a Target.
    3. A route table has associated subnets:
      1. explicitly associated (newly created non-default route tables of a VPC need to be explicitly associated with a subnet)
      2. non-explicitly associated (all subnets by default point to the VPC's default route table)
    4. A route table tells every network packet originating from the resources in your subnet which way it needs to go to reach its destination. Route tables are like road intersections with multiple signboards telling which direction (target, e.g. igw-XXXXX) to take to reach a destination.
    5. A route table contains a set of rules, called routes, that are used to determine where outbound network traffic is directed.
    6. Route table targets: local to connect to resources hosted within the VPC, internet gateway to connect to the internet, NAT instance/NAT gateway for one-way connections to the internet for downloading patches/packages, VPC peering connection to connect to another VPC, VPC endpoint to connect to S3 over the private network, ClassicLink to connect to EC2-Classic instances, egress-only internet gateway for downloading patches, virtual private gateway to connect to an on-premises data center, etc.
    7. Each subnet in your VPC must be associated with one (and only one) route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
    8. When you create a VPC, a default route table (the Main route table) is created, whose default route is VPC CIDR -> local, so all subnets inside the VPC can talk to each other.
    9. Don't touch the Main route table; instead create another route table for routing out to the internet (0.0.0.0/0 -> IGW).
    10. Lastly, associate this new route table with one of the subnets, which makes it public (you can enable auto-assign public IP for the public subnet).
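Items 9 and 11 together describe how a route table decides where a packet goes and how the target of the 0.0.0.0/0 route defines the subnet type. The following added example (not from the original notes or from AWS) models a route table as a list of (destination CIDR, target) pairs, picks the most specific matching route for a destination address, and names the subnet type from the default route's target. The route tables and the `igw-EXAMPLE`-style target ids are constructed; the "isolated" label for a table with no default route is this example's own term, not one the notes use.

```python
import ipaddress

# Constructed route tables modelled on the notes. Targets use AWS-style id
# prefixes (igw-, nat-, vgw-, pcx-) with made-up suffixes, plus the special
# target "local" that every table gets for the VPC CIDR.
MAIN_RT = [("10.0.0.0/16", "local")]                         # created with the VPC
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE"),
              ("192.168.0.0/16", "pcx-EXAMPLE")]              # route to a peered VPC
VPN_ONLY_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vgw-EXAMPLE")]


def lookup_route(route_table, dst_ip):
    """Target for an outbound packet to dst_ip: the most specific (longest
    prefix) matching route wins; None means no route, so the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """Name the subnet type from where its route table sends 0.0.0.0/0:
    IGW -> public, NAT -> private, VPG -> vpn-only (the three types in the notes)."""
    default_target = dict(route_table).get("0.0.0.0/0")
    if default_target is None:
        return "isolated"      # assumption: no default route, VPC-internal traffic only
    if default_target.startswith("igw-"):
        return "public"
    if default_target.startswith("nat-"):
        return "private"
    if default_target.startswith("vgw-"):
        return "vpn-only"
    return "unknown"


if __name__ == "__main__":
    for name, rt in [("main", MAIN_RT), ("public", PUBLIC_RT),
                     ("private", PRIVATE_RT), ("vpn-only", VPN_ONLY_RT)]:
        print(name, classify_subnet(rt), lookup_route(rt, "93.184.216.34"))
```

Note that a packet for an address inside the VPC CIDR always matches the `local` route even when a 0.0.0.0/0 route exists, because /16 is more specific than /0; that is why the Main route table alone is enough for subnets to reach each other.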
  12. Internet gateways, NAT instances/gateways and bastion hosts enable the resources in your VPC to communicate with the outside internet.
  13. VPC flow logs
    1. Help you capture information about the IP traffic going to and from network interfaces in your VPC.
    2. Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
    3. Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance.
    4. There is no additional charge for using flow logs; however, standard CloudWatch Logs charges apply.
    5. They can be created at three levels: VPC, subnet or ENI.
    6. Traffic to the following can't be monitored:
      1. Reserved IPs used by AWS (router, broadcast, etc.)
      2. DNS/DHCP/Microsoft license activation/169.254.169.254 metadata requests
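The two uses named above, troubleshooting traffic that never reaches an instance and monitoring what does reach it, both start with parsing flow log records. The following is an added example, not code from the original notes or from AWS; it parses records in the default flow log format (version 2: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), drops NODATA/SKIPDATA records, and summarises rejected traffic per source. The log lines, account id, interface id and addresses are constructed sample data.

```python
# Constructed sample records in the default flow log format (version 2).
# The account id, interface id, addresses and timestamps are made up.
SAMPLE_LOG = """\
2 123456789010 eni-EXAMPLE1 203.0.113.12 10.0.1.25 49761 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-EXAMPLE1 198.51.100.7 10.0.1.25 54321 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-EXAMPLE1 198.51.100.7 10.0.1.25 54322 445 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-EXAMPLE1 198.51.100.7 10.0.1.25 54323 23 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-EXAMPLE1 - - - - - - - 1418530010 1418530070 - NODATA
2 123456789010 eni-EXAMPLE1 10.0.1.25 10.0.2.30 41000 443 6 10 2000 1418530010 1418530070 ACCEPT OK
"""

# Field names of the default record format, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]


def parse_flow_log(text):
    """Parse default-format records into dicts. Records whose log-status is not
    OK (NODATA, SKIPDATA) carry no traffic fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank, malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Map each source address to the set of destination ports it was denied on
    (by a security group or NACL); useful for both troubleshooting and monitoring."""
    denied = {}
    for rec in records:
        if rec["action"] == "REJECT":
            denied.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return denied


def noisy_sources(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports in the capture.
    A probe-like pattern worth reviewing, not proof of anything by itself."""
    denied = rejected_ports_by_source(records)
    return sorted(src for src, ports in denied.items() if len(ports) >= min_ports)


def bytes_accepted_to(records, dst_addr):
    """Total bytes of ACCEPTed traffic that reached dst_addr."""
    return sum(r["bytes"] for r in records
               if r["action"] == "ACCEPT" and r["dstaddr"] == dst_addr)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records")
    print(rejected_ports_by_source(recs))
    print(noisy_sources(recs))
```

A REJECT record tells you the packet was dropped by a security group or network ACL, which is exactly the evidence you need when diagnosing an overly restrictive rule; the same records, grouped by source, give the monitoring view the notes mention.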
  14. VPC endpoints
    1. Used to connect EC2 instances in your VPC to AWS services such as S3 (only S3 is supported as of now) without going through the internet via NAT gateways.
    2. Your private IP address is used in the communication through the endpoint. Public IP addresses are not used.
    3. Two types of VPC endpoints:
      1. ENI endpoint
        1. works at the EC2 instance level
      2. Gateway endpoint
        1. works at the route table level for the entire subnet (one or more subnets that are associated with the route table)
    4. You can specify a policy at the endpoint to allow/deny traffic.
  15. When you launch an EC2 instance in a VPC:
    1. In a private subnet: you get a private IP and no public IP; these private IPs persist through start/stop and reboots.
    2. In a public subnet: you get a private IP and a public IP. Private IPs persist through start/stop and reboots; public IPs do not persist.
    3. However, you can assign a public Elastic IP, which will persist.
  16. VPC peering
    1. Lets you connect VPCs in the same region, across multiple accounts, using private IPs.
    2. Must have non-conflicting CIDRs.
    3. No gateway/VPN/hardware required.
    4. Not transitive: A<->B and B<->C does not mean A is peered to C.
    5. No edge-to-edge routing through a gateway or private connection (e.g. if VPC1 has a NAT, VPC2 resources can't use that NAT even though VPC1 and VPC2 are peered).
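Two of the peering rules above, non-conflicting CIDRs and non-transitivity, are the ones that most often surprise people when a connection is planned. The following added example (not from the original notes or from AWS) checks a proposed peering for overlapping CIDRs with the standard library `ipaddress` module and answers reachability over a set of peerings by direct connection only, so that A<->B plus B<->C never yields A->C. The VPC names, CIDRs and peering connections are constructed.

```python
import ipaddress

# Constructed VPC CIDRs; D deliberately overlaps A so the two cannot be peered.
VPC_CIDRS = {
    "A": "10.0.0.0/16",
    "B": "10.1.0.0/16",
    "C": "10.2.0.0/16",
    "D": "10.0.128.0/17",
}

# Constructed peering connections: A<->B and B<->C exist, A<->C does not.
# Each peering is an unordered pair, since the connection is symmetric.
PEERINGS = {frozenset({"A", "B"}), frozenset({"B", "C"})}


def can_peer(cidrs, x, y):
    """Peering requires non-conflicting CIDRs: the two ranges must not overlap
    (a VPC also cannot be peered with itself)."""
    if x == y:
        return False
    nx = ipaddress.ip_network(cidrs[x])
    ny = ipaddress.ip_network(cidrs[y])
    return not nx.overlaps(ny)


def peering_reachable(peerings, src, dst):
    """Peering is not transitive: traffic flows only over a direct connection,
    so reachability is simply membership of the pair in the peering set."""
    return frozenset({src, dst}) in peerings


def direct_peers(peerings, vpc):
    """All VPCs reachable from vpc over peering, i.e. its direct peers only."""
    return sorted(next(iter(pair - {vpc})) for pair in peerings if vpc in pair)


def add_peering(cidrs, peerings, x, y):
    """Create a peering if the CIDRs allow it; returns the updated set."""
    if not can_peer(cidrs, x, y):
        raise ValueError("cannot peer %s and %s: overlapping CIDRs" % (x, y))
    return peerings | {frozenset({x, y})}


if __name__ == "__main__":
    print(can_peer(VPC_CIDRS, "A", "B"), can_peer(VPC_CIDRS, "A", "D"))  # True False
    print(peering_reachable(PEERINGS, "A", "C"))                         # False
    print(direct_peers(PEERINGS, "B"))                                   # ['A', 'C']
```

If A needs to talk to C, the fix is a third peering A<->C (with its own routes in both route tables), not a route through B; the same reasoning is why a NAT or gateway in one VPC cannot serve a peered VPC (the edge-to-edge rule in item 5).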
  17. Direct Connect
    1. Dedicated connection from your local data center to an AWS VPC over private IPs and a private network (NOT using the internet).
    2. Connections go to a DX facility and then to AWS.
    3. The dedicated line is provided by your ISP.
  18. VPN
    1. Connection from your local data center to an AWS VPC using private IPs over a public network (the internet).
    2. Hardware- or software-based VPNs are possible.
    3. The virtual private gateway (VPG) is the VPN concentrator on the AWS side.
    4. The customer gateway (CGW) is a hardware or software solution that resides in the client data center and communicates with the VPG.
    5. VPNs use two IPsec tunnels between the CGW and the VPG for high availability.
  19. Expanding a VPC
    1. You can expand your existing VPC by adding four (4) secondary IPv4 ranges (CIDRs) to your VPC.
    2. You can shrink your VPC by deleting the secondary CIDR blocks you have added to your VPC.
    3. You cannot, however, change the size of the IPv6 address range of your VPC.
  20. Can I use Elastic Network Interfaces as a way to host multiple websites requiring separate IP addresses on a single instance? Yes; however, this is not a use case best suited to multiple interfaces. Instead, assign additional private IP addresses to the instance and then associate EIPs with the private IPs as needed.
  21. Can't delete a VPC if you have active running instances or resources such as ELBs running in it.
  22. Configuring a backup VPN connection for failover with your AWS Direct Connect connection. To configure the hardware VPN as a backup for your Direct Connect connection:
    1. Be sure that you use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC.
    2. If you are configuring a Border Gateway Protocol (BGP) VPN, advertise the same prefix for Direct Connect and the VPN.
    3. If you are configuring a static VPN, add the same static prefixes to the VPN connection that you are announcing with the Direct Connect virtual interface.
    4. If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always preferred, regardless of AS path prepending.
Copyright 2005-2016 KnowledgeHills.