AWS Physical Networking
Virtual Private Cloud (VPC)
- A VPC is an isolated virtual network inside the AWS cloud that resembles a traditional data center.
- A VPC belongs to a region and spans all Availability Zones (AZs) in that region.
- It is the foundation of high-availability and fault-tolerant architectures.
- A VPC consists of subnets.
  - A subnet lives in a single AZ and does not span multiple AZs.
  - EC2 instances are launched into a subnet.
  - A custom CIDR (Classless Inter-Domain Routing) block is assigned to each subnet.
- Routes between subnets are configured via route tables.
- An internet gateway provides a route to the internet for resources launched inside the VPC.
- A VPN (Virtual Private Network) connection and a VPG (Virtual Private Gateway) are used to extend on-premises networks into AWS VPCs.
- A VPC provides layered security:
  - Security Group: instance-level
  - Network ACL (Access Control List): subnet-level
Private (Internal) IP Addresses
- An internal IPv4 address range is required for the VPC and for each subnet.
- Allowed CIDR block sizes:
  - Max: /16 (65,536 IPs)
  - Min: /28 (16 IPs)
- In each subnet block, AWS reserves 5 IPs (the first 4 and the last).
- Subnet IP ranges cannot overlap.
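The sizing and overlap rules above are easy to get wrong by hand, so here is an added example (not part of the original notes) that checks a proposed VPC/subnet plan against them using only the standard library: block size between /16 and /28, every subnet inside the VPC block, no two subnets overlapping, and the five reserved addresses per subnet. The sample CIDRs are constructed for illustration.

```python
import ipaddress
from typing import List

# Constraints stated in the notes: VPC and subnet blocks must be between /16 and /28,
# and AWS reserves 5 addresses in every subnet (the first four and the last).
LARGEST_PREFIX = 16
SMALLEST_PREFIX = 28
AWS_RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr: str) -> List[str]:
    """The five addresses AWS keeps back in a subnet: network address, VPC router,
    DNS resolver, one held for future use, and the broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net[0]), str(net[1]), str(net[2]), str(net[3]), str(net[-1])]


def usable_hosts(cidr: str) -> int:
    """Addresses actually available to instances after AWS's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return a list of problems with an IPv4 plan (empty when the plan is valid)."""
    errors = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not LARGEST_PREFIX <= vpc.prefixlen <= SMALLEST_PREFIX:
        errors.append(f"VPC {vpc}: prefix must be between /16 and /28")

    subnets = []
    for cidr in subnet_cidrs:
        try:
            # strict=True rejects blocks with host bits set, e.g. 10.0.3.1/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{cidr}: not a valid CIDR block ({exc})")
            continue
        if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
            errors.append(f"{net}: prefix must be between /16 and /28")
        if not net.subnet_of(vpc):
            errors.append(f"{net}: not inside VPC block {vpc}")
        subnets.append(net)

    # Pairwise overlap check; AWS rejects overlapping subnets in one VPC.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return errors


if __name__ == "__main__":
    # Constructed sample plan: one bad subnet of each kind.
    plan = ["10.0.0.0/24", "10.0.0.128/25", "10.0.2.0/29", "192.168.0.0/24", "10.0.3.1/24"]
    for problem in validate_plan("10.0.0.0/16", plan):
        print("problem:", problem)
    print("usable hosts in a /20:", usable_hosts("10.0.16.0/20"))
```

`usable_hosts` explains the numbers in the notes: a /20 subnet has 4,096 addresses but only 4,091 can be assigned, and a /28 leaves just 11.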
Public (External) IP Addresses
- Whether an instance gets a public IP is specified when the instance is created.
  - Assigned by AWS from one of its IP pools: the IP changes when the instance stops and restarts.
  - Elastic IP: can be pre-allocated and stays assigned; use it for a long-running instance or when scripts require a static IP.
- The default VPC is an easy way to get a complete network environment, but it lacks security hardening.
  - Preconfigured with all required networking and security in a given region.
  - Configured with a /16 CIDR block (172.31.0.0/16).
  - One /20 public subnet (4,096 IPs) in each AZ; instances launched there receive a public IP.
  - All subnets are attached to an Internet Gateway (IGW).
  - The main route table sends all IPv4 traffic (0.0.0.0/0) to the Internet Gateway.
  - The default Security Group has the following rules:
    - Inbound: allow traffic from itself (members of the same security group)
    - Outbound: allow all traffic
  - The default NACL allows all inbound and outbound traffic.
  - A DHCP options set is added automatically.
- In a custom VPC you need to create subnets, allocate IP ranges, attach an Internet Gateway, and set up security groups and NACLs yourself.
- The best practice is not to use the default VPC; create a custom VPC instead.
- When a custom VPC is created, the following components are created with it:
  - main route table: local route only
  - default network access control list (NACL): allows all inbound and outbound traffic
  - default security group: allows inbound traffic from itself (the same security group) and all outbound traffic
  - an Internet Gateway is NOT created
- Up to 5 VPCs are allowed in each AWS region.
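To make the layered model concrete (route table, NACL and security group all have to agree before an internet host can reach an instance), here is an added example, not part of the original notes, that models the default VPC and a freshly created custom VPC from the bullets above and asks whether a given port is reachable from the internet. The gateway id `igw-default`, the group id `sg-self` and the probe address 203.0.113.10 are constructed values, and the model is a simplification: it checks only the 0.0.0.0/0 route, inbound rules, and a single port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed probe: "some host on the internet" (documentation range, not a real peer).
PROBE_SRC = ipaddress.ip_address("203.0.113.10")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Route:
    destination: str          # CIDR such as "0.0.0.0/0"
    target: str               # "local" or a gateway id such as "igw-default"


@dataclass
class NaclRule:
    number: int
    action: str               # "allow" or "deny"
    source: str               # CIDR
    port: Optional[int] = None  # None = all ports


@dataclass
class SgRule:
    source: str               # CIDR or a security-group id (self-reference)
    port: Optional[int] = None  # None = all ports


@dataclass
class Subnet:
    cidr: str
    route_table: List[Route]
    nacl: List[NaclRule]


@dataclass
class Vpc:
    cidr: str
    igw: Optional[str]        # None when no Internet Gateway is attached
    subnets: Dict[str, Subnet]


def has_internet_route(vpc: Vpc, subnet: Subnet) -> bool:
    """Public subnet: 0.0.0.0/0 is routed to an IGW that is attached to this VPC."""
    return any(ipaddress.ip_network(r.destination) == ANY
               and vpc.igw is not None and r.target == vpc.igw
               for r in subnet.route_table)


def nacl_allows(rules: List[NaclRule], src, port: int) -> bool:
    """NACLs are stateless, evaluated by rule number, first match wins, implicit deny."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if src in ipaddress.ip_network(r.source) and r.port in (None, port):
            return r.action == "allow"
    return False


def sg_allows(rules: List[SgRule], src, port: int) -> bool:
    """Security groups are allow-only. A rule whose source is a group id only admits
    members of that group, so it never matches an arbitrary internet address."""
    for r in rules:
        if r.port not in (None, port) or r.source.startswith("sg-"):
            continue
        if src in ipaddress.ip_network(r.source):
            return True
    return False


def exposed_to_internet(vpc: Vpc, subnet_name: str, sg_rules: List[SgRule], port: int) -> bool:
    """All three layers must permit the probe for the port to be reachable."""
    subnet = vpc.subnets[subnet_name]
    return (has_internet_route(vpc, subnet)
            and nacl_allows(subnet.nacl, PROBE_SRC, port)
            and sg_allows(sg_rules, PROBE_SRC, port))


# Defaults described in the notes.
DEFAULT_NACL = [NaclRule(100, "allow", "0.0.0.0/0")]
DEFAULT_SG = [SgRule("sg-self")]                  # inbound only from the group itself
SSH_FROM_ANYWHERE = [SgRule("0.0.0.0/0", 22)]     # a common, risky operator change
DENY_PROBE_NACL = [NaclRule(90, "deny", "203.0.113.0/24"), NaclRule(100, "allow", "0.0.0.0/0")]


def default_vpc(nacl: List[NaclRule] = DEFAULT_NACL) -> Vpc:
    """Default VPC: 172.31.0.0/16, /20 public subnet, IGW attached, 0.0.0.0/0 -> IGW."""
    return Vpc("172.31.0.0/16", igw="igw-default", subnets={
        "public-a": Subnet("172.31.0.0/20",
                           [Route("172.31.0.0/16", "local"), Route("0.0.0.0/0", "igw-default")],
                           nacl)})


def custom_vpc() -> Vpc:
    """Freshly created custom VPC: main route table has the local route only, no IGW."""
    return Vpc("10.0.0.0/16", igw=None, subnets={
        "app-a": Subnet("10.0.0.0/24", [Route("10.0.0.0/16", "local")], DEFAULT_NACL)})


if __name__ == "__main__":
    print("default VPC, default SG, port 22:", exposed_to_internet(default_vpc(), "public-a", DEFAULT_SG, 22))
    print("default VPC, SSH open, port 22:  ", exposed_to_internet(default_vpc(), "public-a", SSH_FROM_ANYWHERE, 22))
    print("custom VPC, SSH open, port 22:   ", exposed_to_internet(custom_vpc(), "app-a", SSH_FROM_ANYWHERE, 22))
```

The three scenarios show why the notes rank the layers the way they do: the default security group alone keeps a default-VPC instance closed even though its subnet is public, a single 0.0.0.0/0 rule opens it, and in a custom VPC with no Internet Gateway the same permissive group exposes nothing because there is no route for the traffic to arrive on.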
- Log in to AWS and go to the "EC2" service.
- Check the limits for your region.