VPC
Last updated
Was this helpful?
Last updated
Was this helpful?
Introduction
Amazon Virtual Private Cloud (Amazon VPC) is like a virtual data center in the cloud.
When a VPC is created, a Route Table, a Network ACL, a Security Group are created also, but not Subnets, a Internet Gateway.
A VPC is created with a primary CIDR block (16~28) but can expand with utmost 4 secondary CIDR blocks.
VPC Overview
Tips
: ${ip}/${digits_of_prefix}, based on the variable-length Subnet masking to allieviate hosts address exhaustion
5 addessses in each Subnet CIDR block are not available. Ex. Subnet: 20.0.0.0
20.0.0.0: Network address.
20.0.0.1: Reserved by AWS for the VPC router.
20.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two
20.0.0.3: Reserved by AWS for future use.
20.0.0.255: Network broadcast address. AWS do not support broadcast in a VPC, so reserve this address.
Subnet
1 Subnet resides within only 1 AZ, however 1 AZ may have multiple Subnets.
When creating new Subnets, those would be associated with the main Route Table, main Network ACL.
The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC).
1 VPC can have 0 or 1 Internet Gateway (a way in/out)
Enabling Subnets of the VPC to initiate outbound IPv4 traffic to the Internet
NAT Gateway for IPv4 / Egress-Only Gateway for IPv6 (recommended)
Must be in a public Subnet (For HA, 1 NAT Gateway per AZ)
Automatically scale up to 10 Gbps
Automatically assign a public IP (AWS Elastic IP)
Not associated with a security group
Remember to update the main Route Table
NAT instance in a public Subnet in your VPC
Must be in a public Subnet
Can increase instances or adding an ELB for performance
Can use a script for failover handling
Always behind a security group
Remember to update the main Route Table
A VPC comes with a default Network ACL which allows all inbound/outbound traffic.
A manually created custom Network ACL by default denys all inbound/outbound traffic.
1 Subnet is associated with 1 Network ACL, however 1 Network ACL may be associated with multiple Subnets.
When creating a Subnet, a default Network ACL is associated.
The rule list in a network ACL is evaluated in ASC order (If conflicts, lower number wins).
Network ACLs are stateless (inbound/outbound traffic rules are required at the same time).
Security Groups are stateful.
Blocking malicious IPs with Network ACLs not Security Groups
VPC Peering (connect 2 VPCs privately with AWS network)
Can connect to your own or another accounts' VPCs
Not allowed matching or overlapping CIDR blocks
Peering is not transitive.
Doesn't support edge to edge routing for NAT devices
Use Transit Gateway instead of NAT Gateway in the case.
Can refer a Security Group of peered VPC (works cross account)
Must update Route Tables in each VPC's Subnets.
Longest Prefix Match for working with multiple VPCs that overlaps.
NAT vs Bastion (Jump Box)
A NAT is to provide network traffic to EC2 instances in private Subnets.
Create NAT in public subnet
Set in Route Table of private subnet to route to NAT
A Bastion is for securely administer EC2 instances in private Subnets through SSH/RDP.
SSM Session Manager is a more secure way to remote control without SSH.
NAT Gateway cannot be a Bastion, but NAT Instance can.
VPC Flow log
Can be defined at VPC level, Subnet level, ENI level.
Can send to CloudWatch, S3.
Traffic not captured:
Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
Traffic generated by a Windows instance for Amazon Windows license activation.
Traffic to and from 169.254.169.254 for instance metadata.
DHCP (Dynamic Host Configuration Protocol) traffic
Traffic to the reserved IP address for the default VPC router.
Limit:
Cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
Cannot tag a flow log
After you've created a flow log, you cannot change its configuration.
VPC Endpoints
Connect your VPC to an AWS service internally (no need for: IGW, NAT, etc.)
Type:
Gateway (for S3, DynamoDB)
A gateway (per VPC) used for traffic destined to S3 or DanamoDB.
Must update Route Tables (ex. specify Destination with S3 url prefix, then Target with VPC Endpoint)
Must enable DNS resolution in the VPC
Gateway endpoint cannot be extended out of a VPC (VPN, DX, TGW peering)
Interface (for the rest)
Provision an Elastic Network Interface (ENI) with a private endpoint interface hostname.
Leverage Security Groups for security
Private DNS (setting when create the endpoint)
The public hostname of a service will resolve to the private endpoint interface hostname
VPC Setting: enableDnsHostNames, enableDnsSupport.
Interface can be accessed from DX / Site-to-site VPN
VPC Endpoint Policies (similar with S3 bucket policy)
Transit VPC (Non-AWS Software VPN)
Not an AWS offering, newer managed solution is Transit Gateway
Uses the public internet with a software VPN running on an EC2 instance.
Other VPCs and on-premise can connect to the Transit VPC with self-managed VPN. (VPN connections can be transitive)
Transit Gateway
For having transitive peering between thousands of VPC and on-premise, hub-and-spoke (star) connection.
A Regional resource but can work cross-region
Share cross-account with Resource Access Manager (RAM)
Route Tables: limit which VPC can talk with other VPC
Works with Direct Connect / VPN Connections
Supports IP Multicasst (not supported by any other AWS Service)
Instances in a VPC can access a NAT Gateway, NLB, PrivateLink, and EFS in other VPCs attached to the AWS Transit Gateway.
