[AWS Architect] (3) VPC Basics

AWS Physical Networking

Virtual Private Cloud (VPC)

  • VPC is an isolated virtual network inside the AWS cloud that resembles a traditional data center.
  • You define a VPC’s IP address space from the ranges you select.
  • VPC belongs to a region and spans all Availability Zones (AZs).
    • Foundation of high-availability and fault-tolerance architecture.

VPC Components

  • Subnet: A subnet is a segment of a VPC’s IP address range. It lives in a single AZ and does not span multiple AZs.
  • Internet Gateway: VPC’s connection to the Internet.
  • NAT Gateway: A managed Network Address Translation (NAT) service for resources in a private subnet to access the Internet.
  • Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.
  • Peering Connection: Traffic can be routed via private IP addresses between two peered VPCs.
  • Virtual Private Gateway: The VPC-side endpoint of a VPN connection.
  • VPC Endpoints: Endpoints allow private connection to AWS services from within a VPC without using an Internet Gateway, VPN, NAT devices, or firewall proxies.

VPC Features

  • EC2 instances are launched in a subnet.
  • A custom CIDR (Classless Inter-Domain Routing) block can be assigned to each subnet.
  • Routes can be configured between subnets via route tables.
  • An internet gateway is used to provide a route to the internet for resources launched inside the VPC.
  • VPN (Virtual Private Network) connections and a VPG (Virtual Private Gateway) are used to extend on-premises networks into AWS VPCs.
  • VPC provides layered security.

Private (Internal) IP Addresses

  • An Internal IPv4 address range is required for VPC and Subnets.
  • Allowed CIDR Blocks:
    • Max: /16 (65,536 IPs)
    • Min: /28 (16 IPs)
  • IPv6 has no private address range. The VPC block has a fixed size of /56 and each subnet a fixed size of /64.
  • In each subnet block, AWS reserves 5 IPs (the first 4 and the last).
  • The IP ranges of subnets cannot overlap.

Public (External) IP Addresses

  • Whether an instance gets a public IP is specified when the instance is created.
  • Assigned by AWS: taken from an AWS IP pool; the IP changes when the instance is stopped and started again.
  • Elastic IP: can be pre-allocated and stays assigned; use it for a long-running instance or when scripts require a static IP.

Default VPC

The default VPC is an easy way to get a complete, ready-to-use network environment, but it lacks security hardening.

  • A default VPC is attached to the Internet, and all instances automatically receive public IP addresses.
  • You can have only 1 default VPC within a region, and you can delete it.

A default VPC is preconfigured with all required networking/security in a specified region.

  • Configured using /16 CIDR block (172.31.0.0/16)
  • One /20 public subnet (4,096 IPs) in each AZ with public IP enabled
  • All subnets are attached to an Internet Gateway (IGW).
  • Main route table sends all IPv4 traffic (0.0.0.0/0) to the Internet Gateway.
  • Default Security Group has the following rules:
    • Inbound: allow traffic from itself (instances in the same security group)
    • Outbound: allow all traffic to outside
  • Default NACL allows all inbound and outbound traffic.
  • A DHCP options set is automatically added.

Custom VPC

  • You need to create subnets, allocate IP ranges, provide an Internet Gateway, and set up security (security groups and NACLs).
  • The best practice is not to use the default VPC. Create a custom VPC.
  • When a custom VPC is created, the following components are also created:
    • route table: local route only
    • default network access control list (NACL): allows all inbound and outbound traffic
    • default security group: allows inbound traffic from itself (the same security group), allows all outbound traffic
    • Internet Gateway or NAT Gateway is NOT created.
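The subnet-planning rules from the private IP section and the custom VPC list above, as an added example that is not part of the original notes: it validates a VPC block against the /16 to /28 limits, carves one non-overlapping subnet per AZ, and reports usable capacity after the 5 addresses AWS reserves. The AZ names and CIDR blocks used in the demo are constructed sample values.

```python
import ipaddress

# Rules from the notes: VPC and subnet blocks range from /16 (largest) to /28
# (smallest), and AWS reserves five addresses per subnet (first four + last).
MIN_PREFIXLEN, MAX_PREFIXLEN = 16, 28
RESERVED_PER_SUBNET = 5


def validate_block(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR block and reject sizes AWS does not accept for a VPC or subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not MIN_PREFIXLEN <= net.prefixlen <= MAX_PREFIXLEN:
        raise ValueError(f"{cidr}: prefix must be between /16 and /28")
    return net


def reserved_addresses(subnet: ipaddress.IPv4Network) -> list[str]:
    """The five addresses AWS keeps in every subnet: the first four and the last."""
    return [str(subnet[i]) for i in range(4)] + [str(subnet[-1])]


def plan_subnets(vpc_cidr: str, azs: list[str], subnet_prefix: int) -> list[dict]:
    """Carve one subnet per AZ out of the VPC block and report usable capacity."""
    vpc = validate_block(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= MAX_PREFIXLEN:
        raise ValueError(f"subnet prefix must lie between /{vpc.prefixlen} and /{MAX_PREFIXLEN}")
    candidates = vpc.subnets(new_prefix=subnet_prefix)  # sequential, so no overlaps
    plan = []
    for az in azs:
        try:
            net = next(candidates)
        except StopIteration:
            raise ValueError(f"{vpc_cidr} cannot hold {len(azs)} /{subnet_prefix} subnets") from None
        plan.append({
            "az": az,
            "cidr": str(net),
            "usable_ips": net.num_addresses - RESERVED_PER_SUBNET,
            "reserved": reserved_addresses(net),
        })
    # Make the non-overlap rule explicit rather than relying on how subnets() iterates.
    nets = [ipaddress.ip_network(p["cidr"]) for p in plan]
    if any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:]):
        raise RuntimeError("planner produced overlapping subnets")
    return plan


if __name__ == "__main__":
    # Constructed demo reproducing the default-VPC layout from the notes: one /20 per AZ.
    for s in plan_subnets("172.31.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"], 20):
        print(f'{s["az"]}: {s["cidr"]} -> {s["usable_ips"]} usable, reserved {s["reserved"]}')
```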

VPC Limits

  • Up to 5 VPCs are allowed in each AWS region.
  • Log in to AWS and go to the “EC2” service to check the limits for your region.
