AWS Virtual Private Cloud (VPC)

DEVESH NEMADE
8 min read

Learn about the key components, types, and configuration steps of AWS VPC, and how it enables secure, scalable networking in the cloud.


Virtual Private Cloud (VPC)

Introduction to VPC

A VPC is a virtual network that closely resembles a traditional network operated in our own data centre, with the added benefit of running on the scalable infrastructure of AWS.
Put simply, a VPC is a virtual network, or data centre, inside AWS for one customer.
It is logically isolated from other virtual networks in the AWS Cloud.
A maximum of 5 VPCs can be created in one region, and 200 subnets in one VPC.
We can allocate a maximum of 5 Elastic IPs.
Once we create a VPC, a DHCP options set, a NACL, and a Security Group are created automatically.
A VPC is confined to an AWS region and does not extend between regions. Once the VPC is created, we cannot change its CIDR block range.
If you need a different CIDR size, create a new VPC.
The different subnets within a VPC cannot overlap.
We can, however, expand our VPC CIDR by adding new/extra IP address ranges (except in AWS GovCloud (US) and AWS China).

Components of VPC

  • CIDR & IP

  • Implied Router

  • Internet Gateway

  • Security Groups

  • Address Space

  • Network ACL

  • Subnets

  • Routing Table

  • Virtual Private Gateway

  • Peering Connections

  • Elastic IP

Types of VPC

Default VPC

  • Created in each AWS Region when an AWS Account is created.

  • Has an Internet Gateway by Default.

  • Has its own Default Security group, NACL, and Route Table.

Custom VPC

  • Is created by an AWS Account Admin.

  • The AWS user creating a custom VPC can decide the CIDR.

  • Does not have an Internet Gateway by default; one needs to be created when needed.

  • Has Default CIDR, Security Group, NACL, and Route Table Settings.

Steps to Create VPC

  1. Create VPC

  2. Subnet

  3. Internet Gateway

  4. Route Table

Public and Private Subnets

Public Subnet

If a subnet's traffic is routed to an Internet Gateway, the subnet is known as a public subnet.
If we want an instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address or an Elastic IP address.

Private Subnet

If a subnet does not have a route to the Internet Gateway, the subnet is known as a private subnet.

Note: When we create a VPC, we must specify an IPv4 CIDR block for the VPC.
The allowed block size is between /16 and /28, and the first four and the last IP address of each subnet cannot be assigned.

Example: in the 10.0.0.0/24 subnet, the following addresses are reserved:

  • 10.0.0.0 ---> Network Address

  • 10.0.0.1 ---> Reserved by AWS for the VPC Router.

  • 10.0.0.2 ---> Reserved by AWS; the IP address of the DNS server.

  • 10.0.0.3 ---> Reserved for future use.

  • 10.0.0.255 ---> Broadcast Address.

AWS does not support broadcast in a VPC, but reserves the address.
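The reserved-address rule and the CIDR limits above can be checked mechanically before a VPC is built. The following is an added example (not code from the original article) that derives the five reserved addresses of any IPv4 subnet and validates a proposed VPC/subnet plan against the page's rules; the /28 minimum for a subnet is assumed to match the VPC limit.

```python
import ipaddress

# Rules stated on the page: the VPC CIDR must be between /16 and /28, subnets
# must not overlap, the first four and the last address of every subnet are
# reserved, and a VPC may hold at most 200 subnets.
MIN_PREFIX, MAX_PREFIX = 16, 28
MAX_SUBNETS_PER_VPC = 200
RESERVED_PER_SUBNET = 5

def reserved_addresses(subnet_cidr):
    """Map each address AWS reserves in an IPv4 subnet to its role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    roles = ("network address", "VPC router", "DNS server", "future use")
    reserved = {str(ipaddress.ip_address(base + i)): role for i, role in enumerate(roles)}
    reserved[str(net.broadcast_address)] = "broadcast (unsupported, but reserved)"
    return reserved

def usable_hosts(subnet_cidr):
    """Addresses that can actually be assigned to ENIs in the subnet."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET

def validate_plan(vpc_cidr, subnet_cidrs):
    """Return a list of rule violations for a proposed VPC CIDR and its subnets (empty = OK)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc} is /{vpc.prefixlen}; allowed range is /{MIN_PREFIX} to /{MAX_PREFIX}")
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    if len(subnets) > MAX_SUBNETS_PER_VPC:
        problems.append(f"{len(subnets)} subnets exceeds the limit of {MAX_SUBNETS_PER_VPC} per VPC")
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} lies outside VPC {vpc}")
        elif s.prefixlen > MAX_PREFIX:
            # Assumed: a subnet cannot be smaller than /28 either.
            problems.append(f"subnet {s} is smaller than the /{MAX_PREFIX} minimum")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems
```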

Implied Router & Route Table

It is the central routing function of the VPC.
It connects the different AZs together and connects the VPC to the Internet Gateway.
We can have up to 200 route tables per VPC.
We can have up to 50 route entries per route table.
Each subnet must be associated with exactly one route table at any given time.
If we do not specify a subnet-to-route-table association, the subnet is implicitly associated with the VPC's main route table.
We can edit the main route table if we need to, but we cannot delete it.
However, we can create a custom route table manually, make it the main route table, and then delete the former main route table, as it is no longer the main route table.
We can associate multiple subnets with the same route table.

**Note:** If you add a route to an IGW in the main route table, the private subnets (which fall back to the main route table) would also be able to reach the IGW, which is not ideal. Therefore, it is better to create a separate route table for private subnets and associate it accordingly.

Internet Gateway (IGW)

An IGW is a virtual router that connects a VPC to the Internet.
The default VPC already has an IGW attached.
If we create a new VPC, we must attach an IGW in order to access the Internet.
Ensure that our subnet's route table points to the Internet Gateway.
It performs NAT between our private and public IPv4 addresses.
It supports both IPv4 and IPv6.

NAT Gateway

A NAT Gateway also does PAT (Port Address Translation).
We can use a Network Address Translation Gateway to enable instances in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating a connection to those instances.
We are charged for creating and using a NAT Gateway in our account. NAT Gateway hourly usage and data processing rates apply. Amazon EC2 charges for data transfer also apply.
To create a NAT Gateway, we must specify the public subnet in which the NAT Gateway resides.
We must also specify an Elastic IP address to associate with the NAT Gateway when we create it.
There is no need to assign public IPs to our private instances.
After we have created a NAT Gateway, we must update the route table associated with one or more of our private subnets to point Internet-bound traffic to the NAT Gateway.
Deleting a NAT Gateway disassociates its Elastic IP address but does not release the address from your account.
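The public/private distinction, the main-route-table fallback warned about above, and the NAT Gateway route can all be audited from route-table data alone. The following added example (not code from the original article; all resource IDs are constructed placeholders) models the implied router's longest-prefix lookup and flags subnets that became public only because they were never given an explicit route-table association.

```python
import ipaddress

# Constructed sample (hypothetical IDs, not from any real account): two route
# tables and the subnet associations of a small VPC. The main table carries a
# route to an IGW, which is exactly the situation the note above warns about.
ROUTE_TABLES = {
    "rtb-main": {"main": True, "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"}},
    "rtb-private": {"main": False, "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0example"}},
}
ASSOCIATIONS = {"subnet-web": "rtb-main", "subnet-db": "rtb-private"}
SUBNETS = ["subnet-web", "subnet-db", "subnet-forgotten"]

def effective_route_table(subnet_id, route_tables, associations):
    """An explicit association wins; otherwise the subnet implicitly uses the main route table."""
    if subnet_id in associations:
        return associations[subnet_id]
    return next(rid for rid, rt in route_tables.items() if rt["main"])

def route_target(route_table, dest_ip):
    """Longest-prefix match over the table's routes, as the implied router does."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in route_table["routes"].items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify_subnet(subnet_id, route_tables, associations, probe_ip="198.51.100.7"):
    """'public' if Internet-bound traffic leaves via an IGW, 'nat' via a NAT Gateway, else 'isolated'."""
    rt = route_tables[effective_route_table(subnet_id, route_tables, associations)]
    target = route_target(rt, probe_ip)
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "nat"
    return "other"

def audit(subnets, route_tables, associations):
    """Flag subnets that are public only through the main-route-table fallback."""
    findings = []
    for s in subnets:
        if s not in associations and classify_subnet(s, route_tables, associations) == "public":
            findings.append(f"{s}: public via main route table (no explicit association)")
    return findings
```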

Security Groups

It is a virtual firewall that works at the ENI (Elastic Network Interface) level.
Up to 5 security groups can be applied per EC2 instance interface.
It can only have permit (allow) rules; it cannot have deny rules.
Stateful: if inbound traffic is allowed, the return traffic is automatically allowed out, and vice versa, even if there is no rule that explicitly allows it.

Network ACL

It is a function performed on the implied router.
NACL is an optional layer of security for our VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Our VPC automatically comes with a modifiable default NACL. By default, it allows all inbound and outbound IPv4 traffic and if applicable, IPv6 traffic.
We can create a custom NACL and associate it with a subnet.
By default, each custom NACL denies all inbound and outbound traffic until we add rules.
Each subnet in your VPC must be associated with a NACL. If we don't explicitly associate a subnet with a NACL, the subnet is automatically associated with the default NACL.
We can associate NACL with multiple subnets; however, a subnet can be associated with only one NACL at a time. When we associate a NACL with a subnet, the previous association is removed.
A NACL contains a numbered list of rules that are evaluated in order, starting with the lowest-numbered rule; the first matching rule decides.
The highest number that we can use for a rule is 32766. It is recommended to start by creating rules with rule numbers that are multiples of 100, so that we can insert new rules where needed later.
It functions at the subnet level.
NACLs are stateless: outbound traffic for allowed inbound traffic must be explicitly allowed too.
We can have permit and deny rules in a NACL.

Difference Between Security Groups & NACL

| Security Group | Network ACL |
| --- | --- |
| Operates at the instance level | Operates at the subnet level |
| Supports allow rules only | Supports both allow and deny rules |
| Stateful (return traffic automatically allowed) | Stateless (return traffic must be explicitly allowed) |
| Applies to an instance only | Applies to all instances in the subnet |
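The practical consequence of "stateless" versus "stateful" and of lowest-number-first evaluation is easiest to see by simulating one HTTPS session through both filters. The following is an added example (not code from the original article; the rules are constructed samples) showing that an inbound-only NACL allow for port 443 is not enough until the reply to the client's ephemeral port is explicitly allowed outbound, and that a lower-numbered deny rule wins over a later allow.

```python
import ipaddress

# Constructed sample rules (not from any real account). NACL rules are
# (rule_number, protocol, (port_from, port_to), cidr, action); they are evaluated
# lowest number first, and the trailing catch-all (32767 here) denies the rest.
NACL_IN = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
           (32767, "all", (0, 65535), "0.0.0.0/0", "deny")]
NACL_OUT_BROKEN = [(32767, "all", (0, 65535), "0.0.0.0/0", "deny")]
NACL_OUT_FIXED = [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")] + NACL_OUT_BROKEN
# Security group rules are permit-only: (protocol, (port_from, port_to), cidr).
SG_IN = [("tcp", (443, 443), "0.0.0.0/0")]

def _matches(proto, ports, cidr, pkt):
    """pkt is (protocol, destination_port, peer_ip)."""
    p, port, ip = pkt
    return (proto in ("all", p) and ports[0] <= port <= ports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))

def nacl_decision(rules, pkt):
    """First matching rule in ascending rule-number order decides; later rules are not consulted."""
    for _, proto, ports, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, ports, cidr, pkt):
            return action
    return "deny"

def sg_allows(rules, pkt):
    """Any matching permit rule allows the packet; there is nothing to deny with."""
    return any(_matches(proto, ports, cidr, pkt) for proto, ports, cidr in rules)

def session_allowed_by_sg(sg_in, client_ip, client_port, server_port):
    """Stateful: only the initiating packet is checked; the reply is tracked and allowed automatically."""
    return sg_allows(sg_in, ("tcp", server_port, client_ip))

def session_allowed_by_nacl(nacl_in, nacl_out, client_ip, client_port, server_port):
    """Stateless: the request and the reply to the client's ephemeral port are judged independently."""
    request_ok = nacl_decision(nacl_in, ("tcp", server_port, client_ip)) == "allow"
    reply_ok = nacl_decision(nacl_out, ("tcp", client_port, client_ip)) == "allow"
    return request_ok and reply_ok
```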

VPC Peering

A VPC Peering connection is a networking connection between two VPCs that enables us to route traffic between them using private IPv4 Addresses or IPv6 Addresses.
Instances in either VPC can communicate with each other as if they are within the same network.
We can create a VPC Peering connection between our own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions.
Transitive peering is not possible: i.e., if VPC-A peers with VPC-B and VPC-B peers with VPC-C, by default, VPC-A is not peered with VPC-C.

VPC Endpoint

A VPC Endpoint enables us to privately connect our VPC to supported AWS services. Instances in our VPC do not require a public IP address to communicate with resources in those services.
An endpoint is a virtual device.

Virtual Private Gateway, Customer Gateway & Site-to-Site VPN Connection

By default, instances that we launch into an Amazon VPC can't communicate with our own (corporate or home network) network. To enable the communication, we have to establish a Site-to-Site VPN connection.
VPN Connection: A secure connection between our on-premises equipment and our VPCs.
VPN Tunnel: An encrypted link where data can pass from the customer network to or from AWS. Each VPN connection includes two VPN tunnels, which we can simultaneously use for high availability.
Customer Gateway: An AWS resource that provides information to AWS about our customer gateway device.
Customer Gateway Device: A physical or software application on the customer's side.

Configuring NAT Instance

Configuring a NAT instance for private subnets and Internet access:

We can use a NAT instance in a public subnet in our VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, while preventing those instances from receiving inbound traffic initiated by someone on the Internet.
Note: NAT is not supported for IPv6 traffic. Use an egress-only Internet Gateway instead.
