A VPC (Virtual Private Cloud) is a logically isolated portion of the AWS cloud within a single region that you choose. In a VPC, you define your own network: IP address range, subnets, route tables, and security settings.
AWS Physical Networking
Virtual Private Cloud (VPC)
- VPC is an isolated virtual network inside the AWS cloud that resembles a traditional data center.
- You define a VPC’s IP address space from the ranges you select.
- VPC belongs to a region and spans all Availability Zones (AZs) within a region.
- The foundation of high-availability and fault-tolerant architectures.
- A subnet is created within an AZ.
- A virtual server (an EC2 instance) can be launched within a subnet.
VPC Components
- Subnet: A subnet is a segment of a VPC’s IP address range. It resides in a single AZ and does not span multiple AZs.
- Internet Gateway: VPC’s connection to the Internet.
- NAT Gateway: A managed Network Address Translation (NAT) service for resources in a private subnet to access the Internet.
- Egress-only Internet Gateway: A stateful gateway that provides egress-only access for IPv6 traffic from the VPC to the Internet.
- Peering Connection: Traffic can be routed via private IP addresses between two peered VPCs.
- Virtual Private Gateway: The VPN endpoint on the VPC side of a VPN connection.
- VPC Endpoints: Endpoints allow private connection to AWS services from within a VPC without using an Internet Gateway, VPN, NAT devices, or firewall proxies.
VPC Features
- Custom CIDR (Classless Inter-Domain Routing) blocks can be assigned to each subnet.
- Routes can be configured between subnets via route tables.
- An internet gateway is used to provide a route to the internet for resources launched inside the VPC.
- VPN (Virtual Private Network) and VPG (Virtual Private Gateway) are used to extend on-premises networks to AWS VPCs.
- VPC provides layered security:
- Security Group: instance-level
- Network ACL (Access Control List): subnet-level
A VPC can be used:
- to create a layered network of resources through subnets
- to launch an instance into a (public or private) subnet
Private (Internal) IP Addresses
- An internal IPv4 address range is required for the VPC and its subnets.
- Allowed CIDR Blocks:
- Max: /16 (65,536 IPs)
- Min: /28 (16 IPs)
- IPv6 does not have a private IP. The VPC has a fixed size of /56, and the subnet has a fixed size of /64.
- In each subnet block, AWS reserves 5 IPs (the first 4 and the last).
- The IP ranges of subnets cannot overlap.
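As an added example (not part of the original notes), a small Python check of a proposed IPv4 subnet plan against the rules above: block sizes between /16 and /28, subnets inside the VPC range and not overlapping each other, and 5 reserved addresses per subnet. The function names and the sample 172.31.0.0/16 plan are constructed for this example.

```python
import ipaddress

# Limits from the notes: IPv4 CIDR blocks between /16 and /28,
# and 5 addresses reserved by AWS in every subnet (first 4 + last).
LARGEST_BLOCK_PREFIX = 16   # most addresses
SMALLEST_BLOCK_PREFIX = 28  # fewest addresses
RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet):
    """Return the 5 addresses AWS reserves in a subnet as strings.

    First four: network address, VPC router, DNS, reserved for future use.
    Last: the broadcast address of the block.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    addrs = list(net)  # includes network and broadcast addresses
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def usable_hosts(subnet):
    """Addresses actually assignable to instances in the subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems with the plan; an empty list means it is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not (LARGEST_BLOCK_PREFIX <= vpc.prefixlen <= SMALLEST_BLOCK_PREFIX):
        problems.append(f"VPC {vpc} must be between /16 and /28")
    seen = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        if not (LARGEST_BLOCK_PREFIX <= net.prefixlen <= SMALLEST_BLOCK_PREFIX):
            problems.append(f"subnet {net} must be between /16 and /28")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is outside VPC {vpc}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"subnet {net} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    # Constructed sample: a default-VPC-style /16 split into two /20 subnets.
    plan = ["172.31.0.0/20", "172.31.16.0/20"]
    print(validate_plan("172.31.0.0/16", plan))  # []
    print(usable_hosts("172.31.0.0/20"))         # 4091
    print(reserved_addresses("172.31.0.0/20"))
```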
Public (External) IP Addresses
- A public IP should be specified when an instance is created.
- Assigned by AWS: taken from one of the AWS IP pools; the IP changes when the instance stops and restarts.
- Elastic IP: can be pre-allocated and stays assigned; for a long-term instance or when a static IP is required by scripts.
Default VPC
A default VPC is an easy way to get all the necessary network environment created for you, but it lacks security.
- A default VPC allows users easy access to a VPC without configuring it from scratch
- All subnets are attached to an Internet Gateway (IGW).
- A default VPC is attached to the Internet.
- Each instance launched in the default VPC has a private and a public IP address.
- You can have only one default VPC per region, and you can delete the default VPC.
A default VPC is pre-configured with all required networking/security in a specified region.
- Configured using /16 CIDR block (172.31.0.0/16)
- One /20 public subnet (4,096 IPs) in each AZ, with auto-assign public IP enabled
- A main route table sending all IPv4 traffic (0.0.0.0/0) to the Internet Gateway.
- The default Security Group has the following rules:
- Inbound: allow traffic from itself (the same security group)
- Outbound: allow all traffic
- The default NACL allows all inbound and outbound traffic.
- A DHCP options set is automatically created.
Custom VPC
- You need to create subnets, allocate IP ranges, provide an Internet Gateway, and set up security.
- The best practice is not to use the default VPC. Create a custom VPC.
- When a custom VPC is created, the following components are also created:
- route table: contains a local route only
- default network access control list (NACL): allows all inbound and outbound traffic
- default security group: allows inbound traffic from itself (the same security group), allows all outbound traffic
- An Internet Gateway or NAT Gateway is NOT created.
VPC Limits
- Up to 5 VPCs are allowed in each AWS region.
- Log in to AWS, go to the “EC2” service, and check the Limits for your region.