[AWS] VPC Basics

A VPC (Virtual Private Cloud) is a logically isolated portion of the AWS cloud within a single region of your choice. In a VPC, you define your own network: its IP address range, subnets, route tables, and security settings.

[Figure: AWS Physical Networking]

Virtual Private Cloud (VPC)

  • A VPC is an isolated virtual network inside the AWS cloud that resembles a traditional data center.
  • You define a VPC’s IP address space from the ranges you select.
  • A VPC belongs to a region and spans all Availability Zones (AZs) within that region.
    • This is the foundation of high-availability and fault-tolerant architectures.
  • A subnet is created within an AZ.
    • A virtual server (an EC2 instance) can be launched within a subnet.

VPC Components

  • Subnet: A subnet is a segment of a VPC’s IP address range. It lives in a single AZ and does not span multiple AZs.
  • Internet Gateway: VPC’s connection to the Internet.
  • NAT Gateway: A managed Network Address Translation (NAT) service for resources in a private subnet to access the Internet.
  • Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.
  • Peering Connection: Traffic can be routed via private IP addresses between two peered VPCs.
  • Virtual Private Gateway: The VPN endpoint on the VPC side of a VPN connection.
  • VPC Endpoints: Endpoints allow private connection to AWS services from within a VPC without using an Internet Gateway, VPN, NAT devices, or firewall proxies.

VPC Features

  • A custom CIDR (Classless Inter-Domain Routing) block can be assigned to each subnet.
  • Routes between subnets are configured via route tables.
  • An internet gateway provides a route to the internet for resources launched inside the VPC.
  • A VPN (Virtual Private Network) and a VPG (Virtual Private Gateway) are used to extend on-premises networks into AWS VPCs.
  • A VPC provides layered security.

VPC can be used:

  • to create a layered network – through subnets – of resources
  • to launch an instance into a (public or private) subnet

CIDR Blocks – Rules

Make sure the CIDR (Classless Inter-Domain Routing) block of your VPC satisfies these rules:

  • CIDR Block size can be from /16 to /28
  • Only Private IP CIDR ranges are allowed
  • CIDR Blocks must not overlap with those of any existing VPCs
  • You cannot modify existing CIDR blocks of your VPCs.

Private (Internal) IP Addresses

  • An internal IPv4 address range is required for the VPC and each of its subnets.
  • Allowed CIDR Blocks:
    • Max: /16 (65,536 IPs)
    • Min: /28 (16 IPs)
  • IPv6 has no private address range in a VPC. The VPC block has a fixed size of /56, and each subnet block a fixed size of /64.
  • In each subnet block, AWS reserves 5 IP addresses (the first four and the last one).
  • The IP ranges of subnets within a VPC cannot overlap.
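
As an added example (not code from the original page), the following Python script checks a planned VPC and its subnets against the CIDR rules listed above: block size between /16 and /28, private (RFC 1918) ranges only, no overlap with existing VPCs, every subnet inside the VPC, no overlapping subnets, and the five addresses AWS reserves per subnet. The sample plan at the bottom is constructed for illustration; the 172.31.0.0/16 block is the default VPC range mentioned later on this page.

```python
import ipaddress

# Limits stated on the page for IPv4 VPC and subnet blocks.
LARGEST_PREFIX = 16          # /16 = 65,536 addresses
SMALLEST_PREFIX = 28         # /28 = 16 addresses
RESERVED_PER_SUBNET = 5      # first four addresses plus the last one

# RFC 1918 private ranges; the page says only private ranges are allowed.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(net):
    """True if the whole block lies inside one RFC 1918 range."""
    return any(net.subnet_of(p) for p in PRIVATE_RANGES)


def check_block(cidr):
    """Return a list of rule violations for a VPC or subnet CIDR (empty = OK)."""
    # strict=True rejects blocks whose host bits are set, e.g. 10.0.0.1/24
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        problems.append(f"{cidr}: block size must be between /16 and /28")
    if not is_private(net):
        problems.append(f"{cidr}: not a private (RFC 1918) range")
    return problems


def reserved_addresses(cidr):
    """The five addresses AWS reserves in a subnet: the first four and the last."""
    net = ipaddress.ip_network(cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_hosts(cidr):
    """Addresses an EC2 instance can actually take in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def plan_vpc(vpc_cidr, subnet_cidrs, existing_vpc_cidrs=()):
    """Validate a VPC block plus its subnets against the page's rules.

    Checks: block sizes, private ranges, no overlap with existing VPCs,
    every subnet inside the VPC, and no overlap between subnets.
    """
    problems = check_block(vpc_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    for other in existing_vpc_cidrs:
        if vpc.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{vpc_cidr}: overlaps existing VPC {other}")
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    for i, sub in enumerate(subnets):
        problems += check_block(str(sub))
        if not sub.subnet_of(vpc):
            problems.append(f"{sub}: not inside VPC {vpc_cidr}")
        for later in subnets[i + 1:]:
            if sub.overlaps(later):
                problems.append(f"{sub}: overlaps subnet {later}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan (not from the page): a /16 VPC with two /24 subnets,
    # checked against an already existing default VPC block.
    for line in plan_vpc("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"],
                         existing_vpc_cidrs=["172.31.0.0/16"]):
        print(line)
    print(usable_hosts("172.31.0.0/20"), "usable addresses in a default /20 subnet")
```

Running the script prints no violations for the sample plan and 4091 usable addresses for a /20 subnet (4,096 minus the 5 reserved). Feed it a subnet such as 10.0.1.128/25 next to 10.0.1.0/24 and it reports the overlap before you try to create it in the console.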

Public (External) IP Addresses

  • Whether an instance gets a public IP is specified when the instance is created.
  • Assigned by AWS from its public IP pools: the IP changes when the instance is stopped and started again.
  • Elastic IP: can be pre-allocated and stays assigned; use it for a long-running instance or when scripts require a static IP.

Default VPC

The default VPC is an easy way to get all the necessary network components, but it lacks security.

  • A default VPC gives users easy access to a VPC without configuring one from scratch.
  • All subnets are attached to an Internet Gateway (IGW).
    • A default VPC is therefore attached to the Internet.
    • Each instance launched in the default VPC has both a private and a public IP address.
  • You can have only 1 default VPC per region, and you can delete the default VPC.

A default VPC is pre-configured with all required networking/security in a specified region.

  • Configured with a /16 CIDR block (172.31.0.0/16)
  • One /20 public subnet (4,096 IPs) in each AZ, with auto-assign public IP enabled
  • Main route table:
    • Allows traffic inside the VPC (local route)
    • Sends all other IPv4 traffic (0.0.0.0/0) to the Internet Gateway
  • Default NACL (Network Access Control List):
    • Inbound: allows all traffic
    • Outbound: allows all traffic
  • Default Security Group:
    • Inbound: allows traffic from itself (the same security group)
    • Outbound: allows all traffic to outside
  • A DHCP option set is automatically added.
[Figures: Default VPC Subnets; Default VPC Route Tables; Default VPC NACL Inbound Rules; Default VPC NACL Outbound Rules; Default VPC SG Inbound Rules; Default VPC SG Outbound Rules]
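
The default NACL and default security group above behave differently: the NACL is stateless and evaluates numbered rules in order with an implicit final deny, while the security group is stateful and allow-only (any matching rule permits, no match denies). The following Python model, added here as an example and not code from the original page or from AWS, encodes both defaults and evaluates an inbound connection against them. The `NaclRule`/`SgRule` classes, the `sg-default` group id, the 203.0.113.5 and 172.31.5.7 addresses and the hardened NACL variant are all constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two rule types (assumption: not AWS's own data structures).

@dataclass(frozen=True)
class NaclRule:
    number: int        # rules are evaluated from the lowest number upwards
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)


@dataclass(frozen=True)
class SgRule:
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source: str        # a CIDR, or a security-group id such as "sg-default"


def _proto_port_match(rule_proto, rule_from, rule_to, proto, port):
    if rule_proto == "all":
        return True                      # "all traffic" rules ignore the port
    return rule_proto == proto and rule_from <= port <= rule_to


def nacl_decision(rules, proto, port, address):
    """Stateless NACL: the first matching rule (lowest number) wins; the
    implicit final '*' rule denies anything that matched nothing."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if not _proto_port_match(rule.protocol, rule.port_from, rule.port_to, proto, port):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False


def sg_decision(rules, proto, port, address, source_sg=None):
    """Security groups are allow-only: any matching rule permits the traffic,
    no match means denied. Return traffic is covered by connection state and
    is never evaluated against these rules."""
    ip = ipaddress.ip_address(address)
    for rule in rules:
        if not _proto_port_match(rule.protocol, rule.port_from, rule.port_to, proto, port):
            continue
        if rule.source.startswith("sg-"):
            if source_sg == rule.source:      # sender belongs to the referenced group
                return True
        elif ip in ipaddress.ip_network(rule.source):
            return True
    return False


def inbound_allowed(nacl_rules, sg_rules, proto, port, address, source_sg=None):
    """A new inbound connection must pass the subnet NACL and then the
    instance's security group."""
    return (nacl_decision(nacl_rules, proto, port, address)
            and sg_decision(sg_rules, proto, port, address, source_sg))


# Defaults as described on the page.
DEFAULT_NACL_INBOUND = [NaclRule(100, "allow", "all", 0, 65535, "0.0.0.0/0")]
DEFAULT_SG_INBOUND = [SgRule("all", 0, 65535, "sg-default")]   # only from itself

# Constructed hardened NACL (assumption, not from the page): a deny rule for
# SSH placed before the allow-all rule. Rule 90 is evaluated before rule 100.
HARDENED_NACL_INBOUND = [
    NaclRule(90, "deny", "tcp", 22, 22, "0.0.0.0/0"),
    NaclRule(100, "allow", "all", 0, 65535, "0.0.0.0/0"),
]

if __name__ == "__main__":
    # SSH from an Internet address to an instance in the default VPC:
    # the NACL lets it through, but the default SG has no matching rule.
    print(inbound_allowed(DEFAULT_NACL_INBOUND, DEFAULT_SG_INBOUND, "tcp", 22, "203.0.113.5"))
    # The same request from another instance in the same security group is allowed.
    print(inbound_allowed(DEFAULT_NACL_INBOUND, DEFAULT_SG_INBOUND, "tcp", 22,
                          "172.31.5.7", source_sg="sg-default"))
```

The two printed results (False, then True) show why the default VPC is reachable from the Internet at the network layer yet an instance in it is only reachable once someone adds a security-group rule: the NACL is wide open, and the security group is the single remaining control. The hardened NACL shows the ordering rule that matters when you tighten it, since a deny placed after an allow-all would never be reached.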

Custom VPC

  • You need to create subnets, allocate IP ranges, provide an Internet Gateway, and set up the security settings.
  • The best practice is not to use the default VPC. Create a custom VPC.
  • When a custom VPC is created, the following components are also created:
    • Route Table: local route only
    • NACL: allows all inbound and outbound traffic (default)
    • Security Group: allows inbound traffic from itself (the same security group) and allows all outbound traffic (default)
    • Internet Gateway or NAT Gateway is NOT created.
