# VPC

**Introduction**

* Amazon Virtual Private Cloud (Amazon VPC) is like a virtual data center in the cloud.
* When a VPC is created, a main Route Table, a default Network ACL and a default Security Group are created with it, but no Subnets and no Internet Gateway.
* A VPC is created with a primary CIDR block (/16 to /28) and can be expanded with up to 4 secondary CIDR blocks.

  ![](https://3303577320-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4cDbT2F2VmcAohuhSN%2F-M4cDbsP_Q866yrLCgLp%2F-M4cDdCzu3PjX1Njzc-v%2FCreating%20a%20VPC.png?generation=1586591640640145\&alt=media)

**VPC Overview**\
![](https://3303577320-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4cDbT2F2VmcAohuhSN%2F-M4cDbsP_Q866yrLCgLp%2F-M4cDdD0VGdBLhbc2CMf%2FVPC.png?generation=1586591640539034\&alt=media)

**Tips**

* [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing): `${ip}/${prefix_length}`, based on variable-length subnet masking to alleviate host address exhaustion.
* 5 addresses in each Subnet CIDR block are not available. Ex. Subnet: 20.0.0.0
  * 20.0.0.0: Network address.
  * 20.0.0.1: Reserved by AWS for the VPC router.
  * 20.0.0.2: Reserved by AWS. The IP address of the **DNS server** is always the base of the VPC network range plus two.
  * 20.0.0.3: Reserved by AWS for future use.
  * 20.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC, so this address is reserved.
* Subnet
  * 1 Subnet resides within only 1 AZ, however 1 AZ may have multiple Subnets.
  * Newly created Subnets are associated with the main Route Table and the default Network ACL.
  * The CIDR block of a Subnet can be the same as the CIDR block of the VPC (for a single Subnet in the VPC).
* 1 VPC can have 0 or 1 Internet Gateway (a way in/out)
* Enabling Subnets of the VPC to initiate outbound IPv4 traffic to the Internet
  * NAT Gateway for IPv4 / Egress-Only Gateway for IPv6 (recommended)
    * Must be in a public Subnet (**For HA, 1 NAT Gateway per AZ**)
    * Automatically scale up to 10 Gbps
    * Automatically assign a public IP (AWS Elastic IP)
    * Not associated with a security group
    * Remember to update the main Route Table
  * NAT instance in a public Subnet in your VPC
    * [When creating a NAT instance, disable source/destination check](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck)
    * Must be in a public Subnet
    * Can scale by adding instances or putting an ELB in front for performance
    * Can use a script for failover handling
    * Always behind a security group
    * Remember to update the main Route Table
* [Network ACL vs Security Group](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison)
  * A VPC comes with a default Network ACL which allows all inbound/outbound traffic.
  * A manually created custom Network ACL denies all inbound/outbound traffic by default.
  * 1 Subnet is associated with 1 Network ACL, however 1 Network ACL may be associated with multiple Subnets.
  * When creating a Subnet, a default Network ACL is associated.
  * Rules in a Network ACL are evaluated in ascending rule-number order; the first matching rule wins (on conflict, the lower number wins).
  * Network ACLs are stateless (rules for the inbound traffic and for the matching outbound/return traffic are both required).
  * Security Groups are stateful.
  * Block malicious IPs with Network ACLs, not Security Groups (Security Groups only have allow rules).
* VPC Peering (connect 2 VPCs privately with AWS network)
  * Can connect to your own or another accounts' VPCs
  * CIDR blocks of the two VPCs must not match or overlap.
  * Peering is **not transitive**.
  * Doesn't support edge-to-edge routing through NAT devices
    * Use a Transit Gateway instead of a NAT Gateway in that case.
  * Security Group rules can reference a Security Group in the peered VPC (works cross-account)
  * Must update the Route Tables of each VPC's Subnets.
  * Longest Prefix Match decides which route is used when routes to multiple peered VPCs overlap.
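The five reserved addresses above are the same for every Subnet, so they can be derived from the CIDR. The following helper is an added example, not part of the original notes; it also enforces the /16 to /28 prefix limit stated in the introduction.

```python
# Added example: derive the five AWS-reserved addresses of any subnet CIDR
# (network, +1 router, +2 DNS, +3 future use, broadcast) and the usable host count.
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # allowed CIDR sizes for a VPC/subnet


def valid_subnet_prefix(cidr):
    """True when the prefix length is within the /16 to /28 range AWS allows."""
    net = ipaddress.ip_network(cidr, strict=True)
    return VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def reserved_addresses(cidr):
    """Return the 5 reserved addresses of a subnet CIDR, keyed by their role."""
    if not valid_subnet_prefix(cidr):
        raise ValueError(f"{cidr}: prefix length must be between /16 and /28")
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),                 # base + 0
        "vpc_router": str(ipaddress.ip_address(base + 1)),   # base + 1
        "dns_server": str(ipaddress.ip_address(base + 2)),   # base + 2
        "future_use": str(ipaddress.ip_address(base + 3)),   # base + 3
        "broadcast": str(net.broadcast_address),             # last address
    }


def usable_hosts(cidr):
    """Addresses left for instances once the 5 reserved ones are removed."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def is_reserved(cidr, ip):
    """True when `ip` is one of the 5 addresses AWS reserves in `cidr`."""
    return str(ipaddress.ip_address(ip)) in reserved_addresses(cidr).values()
```

A /28, the smallest allowed subnet, therefore leaves only 11 usable addresses.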

![VPC Peering - Longest Prefix Match](https://3303577320-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4cDbT2F2VmcAohuhSN%2F-MF0GdDgn_1jJWsC11M0%2F-MF0IeGfFAvcaCyZbIj6%2FScreen%20Shot%202020-08-18%20at%207.22.02%20PM.png?alt=media\&token=c7f2e68a-0e88-44c0-8fc0-2b28841c568c)
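The route selection pictured above, as an added example that is not part of the original notes. The route table, the peering connection ids (`pcx-b`, `pcx-c`) and the Internet Gateway id are constructed placeholders; VPC B (172.16.0.0/16) and VPC C (172.16.1.0/24) overlap each other but not VPC A, so A can peer with both and Longest Prefix Match decides where 172.16.1.x traffic goes.

```python
# Added example: longest-prefix-match lookup over a VPC route table whose
# peering routes overlap, plus the non-overlap check applied when peering.
import ipaddress

# Constructed route table of VPC A (10.0.0.0/16). Targets are placeholder ids.
ROUTES = {
    "10.0.0.0/16": "local",
    "172.16.0.0/16": "pcx-b",          # peering to VPC B
    "172.16.1.0/24": "pcx-c",          # peering to VPC C, more specific
    "0.0.0.0/0": "igw-placeholder",    # Internet Gateway
}


def lookup(route_table, dst_ip):
    """Return (destination_cidr, target) of the most specific matching route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # A longer prefix length means a more specific route; it wins.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else (None, None)


def can_peer(cidr_a, cidr_b):
    """Peering is refused when the two VPC CIDR blocks match or overlap."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    return not a.overlaps(b)
```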
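To make the Network ACL points concrete (ascending rule-number evaluation, stateless return traffic, and a deny rule for a malicious IP that a Security Group could not express), here is an added evaluator that is not part of the original notes. The rules and the 198.51.100.7 / 203.0.113.5 addresses are constructed (RFC 5737 documentation ranges).

```python
# Added example: a minimal Network ACL evaluator. Rules are checked lowest
# number first, the first match wins, and "*" is the implicit final deny.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # evaluation order, ascending
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # source CIDR (inbound rule) or destination CIDR (outbound rule)
    ports: tuple    # (from_port, to_port); ignored when protocol is "all"
    action: str     # "allow" or "deny"


def evaluate(rules, protocol, ip, port):
    """Return (action, rule_number) for one packet."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(r.cidr, strict=True):
            continue
        if r.protocol != "all" and not r.ports[0] <= port <= r.ports[1]:
            continue
        return r.action, r.number          # first matching rule wins
    return "deny", "*"                     # implicit deny


# Constructed inbound rules for a public HTTPS Subnet. Rule 50 denies one
# malicious source before rule 100's broad allow; order comes from the number,
# not from the position in the list.
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
    Rule(50, "all", "198.51.100.7/32", (0, 0), "deny"),
]
# Stateless: the HTTPS reply leaves on the client's ephemeral port, so an
# outbound allow for 1024-65535 is required. OUTBOUND_BROKEN omits it.
OUTBOUND_BROKEN = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]


def https_session(client_ip, client_port, outbound_rules):
    """Simulate the client's request to :443 and the server's reply to the client's port."""
    request, _ = evaluate(INBOUND, "tcp", client_ip, 443)
    reply, _ = evaluate(outbound_rules, "tcp", client_ip, client_port)
    return request, reply
```

With `OUTBOUND_BROKEN` the request is allowed in but the reply is dropped, which is the classic stateless-ACL mistake.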

* NAT vs Bastion (Jump Box)
  * A NAT provides outbound network access for EC2 instances in private Subnets.
    * Create the NAT in a public Subnet
    * Add a route to the NAT in the Route Table of the private Subnet
  * A Bastion is for securely administering EC2 instances in private Subnets through SSH/RDP.
    * SSM Session Manager is a more secure way to get remote access without opening SSH.
  * A NAT Gateway cannot be a Bastion, but a NAT Instance can.
* VPC Flow log
  * Can be defined at VPC level, Subnet level, ENI level.
  * Can send to CloudWatch, S3.
  * Traffic not captured:
    * Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
    * Traffic generated by a Windows instance for Amazon Windows license activation.
    * Traffic to and from 169.254.169.254 for instance metadata.
    * DHCP (Dynamic Host Configuration Protocol) traffic
    * Traffic to the reserved IP address for the default VPC router.
  * Limit:
    * Cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
    * Cannot tag a flow log
    * After you've created a flow log, you cannot change its configuration.
* VPC Endpoints
  * Connect your VPC to an AWS service internally (no need for: IGW, NAT, etc.)
  * Type:
    * Gateway (for S3, DynamoDB)
      * A gateway (per VPC) used for traffic destined to S3 or DynamoDB.
      * Must update Route Tables (ex. Destination = the S3 prefix list, Target = the VPC Endpoint)
      * Must enable DNS resolution in the VPC
      * **Gateway endpoint cannot be extended out of a VPC (VPN, DX, TGW peering)**
    * Interface (for the rest)
      * Provision an Elastic Network Interface (ENI) with a private endpoint interface hostname.
      * Leverage Security Groups for security
      * Private DNS (a setting chosen when creating the endpoint)
        * The public hostname of a service will resolve to the private endpoint interface hostname
        * VPC settings required: `enableDnsHostnames`, `enableDnsSupport`.
      * Interface can be accessed from DX / Site-to-site VPN
  * VPC Endpoint Policies (similar to an S3 bucket policy)

![VPC Endpoint Policies for S3 Trouble shooting](https://3303577320-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4cDbT2F2VmcAohuhSN%2F-MF0P5CiDNnTZ6qjmQjo%2F-MF0gx3pDfjAWKsTqQAT%2FScreen%20Shot%202020-08-18%20at%209.11.35%20PM.png?alt=media\&token=f55ec1af-cc46-43fa-9f7d-04321ebd6864)

* Transit VPC (non-AWS software VPN)
  * Not an AWS offering; the newer managed solution is Transit Gateway
  * Uses the public internet with a software VPN running on an EC2 instance.
  * Other VPCs and on-premises networks connect to the Transit VPC with self-managed VPN (VPN connections can be transitive).
* Transit Gateway
  * For transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology.
  * A Regional resource, but can work cross-Region
  * Share cross-account with Resource Access Manager (RAM)
  * Route Tables: limit which VPCs can talk to which other VPCs
  * Works with Direct Connect / VPN Connections
  * Supports IP Multicast (not supported by any other AWS service)
  * Instances in a VPC can access a NAT Gateway, NLB, PrivateLink, and EFS in other VPCs attached to the AWS Transit Gateway.

![Transit Gateway for VPCs](https://3303577320-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4cDbT2F2VmcAohuhSN%2F-MF0GdDgn_1jJWsC11M0%2F-MF0Omw2dAKCW2kNLePn%2FScreen%20Shot%202020-08-18%20at%207.48.59%20PM.png?alt=media\&token=98a6a304-febb-421c-9ed2-bb80f90a6b87)
