AWS Physical Networking
Virtual Private Cloud (VPC)
- VPC is an isolated virtual network inside the AWS cloud that resembles a traditional data center.
- You define a VPC’s IP address space from the ranges you select.
- VPC belongs to a region and spans all Availability Zones (AZs).
- Foundation of high-availability and fault-tolerance architecture.
- Subnet: A subnet is a segment of a VPC’s IP address range. It lives in a single AZ and does not span multiple AZs.
- Internet Gateway: VPC’s connection to the Internet.
- NAT Gateway: A managed Network Address Translation (NAT) service for resources in a private subnet to access the Internet.
- Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.
- Peering Connection: Traffic can be routed via private IP addresses between two peered VPCs.
- Virtual Private Gateway: The VPC-side endpoint of a VPN connection.
- VPC Endpoints: Endpoints allow private connection to AWS services from within a VPC without using an Internet Gateway, VPN, NAT devices, or firewall proxies.
- EC2 instances are launched in a subnet.
- A custom CIDR (Classless Inter-Domain Routing) block can be assigned to each subnet.
- Routes can be configured between subnets via route tables.
- An internet gateway is used to provide a route to the internet for resources launched inside the VPC.
- VPN (Virtual Private Network) and VPG (Virtual Private Gateway) are used to extend on-premises networks into AWS VPCs.
- VPC provides layered security.
Private (Internal) IP Addresses
- An Internal IPv4 address range is required for VPC and Subnets.
- Allowed CIDR Blocks:
  - Max: /16 (65,536 IPs)
  - Min: /28 (16 IPs)
- IPv6 does not have a private IP. The VPC has a fixed size of /56, and the subnet has a fixed size of /64.
- For each subnet block, AWS reserves 5 IPs (first 4 + last).
- Subnet IP ranges must not overlap.
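As an added worked example (not part of the original notes), a small Python planner that applies the sizing rules above: VPC and subnet prefixes between /16 and /28, subnets inside the VPC and non-overlapping, and the five addresses AWS reserves in every subnet (the first four plus the last). The sample plan in the `__main__` block is the 172.31.0.0/16 range with /20 subnets that a default VPC uses.

```python
import ipaddress

# AWS VPC IPv4 limits from the notes: /16 is the largest block, /28 the smallest.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5  # AWS reserves the first 4 addresses and the last one


def reserved_addresses(subnet):
    """Return the five addresses AWS reserves in a subnet: first four + last."""
    net = ipaddress.IPv4Network(subnet)
    first = int(net.network_address)
    firsts = [str(ipaddress.IPv4Address(first + i)) for i in range(4)]
    return firsts + [str(net.broadcast_address)]


def usable_hosts(subnet):
    """Addresses left for instances after AWS's reservation."""
    return ipaddress.IPv4Network(subnet).num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnets):
    """Check a VPC/subnet plan against the rules in the notes.

    Returns a list of human-readable problems; an empty list means the plan is valid.
    """
    problems = []
    try:
        vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)  # strict: no host bits set
    except ValueError as e:
        return [f"VPC {vpc_cidr}: {e}"]
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    nets = []
    for s in subnets:
        try:
            net = ipaddress.IPv4Network(s, strict=True)
        except ValueError as e:
            problems.append(f"subnet {s}: {e}")
            continue
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"subnet {net} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is outside VPC {vpc}")
        nets.append(net)
    # Subnet ranges inside one VPC must not overlap each other.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample: the default-VPC style layout, one /20 per AZ.
    print(validate_plan("172.31.0.0/16", ["172.31.0.0/20", "172.31.16.0/20"]))
    print(usable_hosts("172.31.0.0/20"), reserved_addresses("172.31.0.0/20"))
```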
Public (External) IP Addresses
- A public IP should be specified when an instance is created.
- Assigned by AWS from its public IP pool – the IP changes when the instance stops and restarts.
- Elastic IP: can be pre-allocated and stays assigned – for a long-running instance or when scripts require a static IP.
A default VPC is an easy way to get a complete network environment, but it is less secure.
- A default VPC is attached to the Internet, and all instances automatically receive public IP addresses.
- You can have only one default VPC per region, and you can delete the default VPC.
A default VPC is preconfigured with all required networking/security in a specified region.
- Configured with a /16 CIDR block (172.31.0.0/16)
- One /20 public subnet (4,096 IPs) in each AZ, with public IP assignment enabled
- All subnets are attached to an Internet Gateway (IGW).
- Main route table sends all IPv4 traffic (0.0.0.0/0) to the Internet Gateway.
- Default Security Group has the following rules:
  - Inbound: allow traffic from itself (the same security group)
  - Outbound: allow all traffic to outside
- Default NACL allows all inbound and outbound traffic.
- A DHCP option set is automatically added.
- You need to create subnets, allocate IP ranges, provide an Internet Gateway, and set up security yourself.
- The best practice is not to use the default VPC. Create a custom VPC.
- When a custom VPC is created, the following components are also created:
  - route table: local route only
  - default network access control list (NACL): allows all inbound and outbound traffic
  - default security group: allows inbound traffic from itself (the same security group), allows all outbound traffic
  - An Internet Gateway or NAT Gateway is NOT created.
- Up to 5 VPCs are allowed in each AWS region.
- Log in to AWS, go to the “EC2” service, and check the Limits for your region.