Virtual Private Cloud
About
A VPC manages how your applications are placed inside the AWS network and, more importantly, how inbound and outbound network access to those applications is controlled.
The AWS Cloud is distributed in regions and availability zones (AZ) around the world. With VPC we can get access to this infrastructure, a logically isolated section, to control the virtual networking environment, including resource placement, connectivity, and security.

In the example above, network traffic is shared between two VPCs in a single Region.
VPC Components
The VPC is made from the following services:
- Public Subnets
- Private Subnets
- VPC Peering
- Routing Tables
- Internet Gateway (IGW)
- Security Groups (SG)
- Network Access Control Lists (NACLs)
- NAT Gateway
- VPC Endpoints
A simple schema with core components:
Default VPC
Each Amazon account comes with a default VPC that is pre-configured for you to start using immediately.
This is the diagram of a default VPC:

VPC Peering
Allows you to connect one VPC with another over a direct network route using private IP addresses.
Instances on peered VPCs behave just as if they were on the same network.
Connect VPCs across the same or different AWS accounts and regions:

Route tables
A route table determines where network traffic from a subnet is directed.
Each subnet in your VPC must be associated with a route table.

Internet Gateway
The Internet Gateway allows your VPC access to the internet.
An IGW does two things:
- provides a target in your VPC route tables for internet-routable traffic
- performs network address translation (NAT) for instances that have been assigned public IPv4 addresses

Security Groups
A Security Group acts as a virtual firewall at the instance level.
Security Groups are associated with EC2 instances.
Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.
There are no ‘Deny’ rules: All traffic is blocked by default unless a rule specifically allows it.
Multiple instances across multiple subnets can belong to the same Security Group.

Use Cases
You can specify the source to be an IP range or a specific IP (/32 denotes a single IP address):
You can specify the source to be another security group:
An instance can belong to multiple Security Groups, and rules are permissive (not restrictive): if one security group has no Allow rule and you add an Allow rule to another group attached to the same instance, the traffic will be allowed:
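The three points above (allow-only rules, the union of all groups attached to an instance, and a source given as a /32 or as another security group) can be modelled in a few lines. The following is an added example written for these notes, not AWS code; every group id, address and rule is constructed for the illustration.

```python
"""Security-group evaluation model (added illustration, not AWS code).

Models the notes above: only Allow rules exist, an instance's effective rule
set is the union of all its groups, and a source can be a CIDR (/32 for one
host) or another security group. All ids and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One inbound allow rule: protocol, port range, and a CIDR or SG source."""
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str        # CIDR such as "203.0.113.7/32", or a group id "sg-..."


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)


@dataclass
class Instance:
    private_ip: str
    groups: list       # SecurityGroup objects attached to the instance's ENI


def _source_matches(rule, src_ip, src_groups):
    if rule.source.startswith("sg-"):
        # SG-as-source matches traffic from any ENI that carries that group
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(instance, src_ip, src_groups, protocol, port):
    """True if ANY rule in ANY attached group allows the packet.

    There is no Deny: the default answer is False, and a single matching
    Allow in any one group is enough (rules across groups are unioned).
    """
    for sg in instance.groups:
        for rule in sg.inbound:
            proto_ok = rule.protocol in ("-1", protocol)
            port_ok = rule.protocol == "-1" or rule.from_port <= port <= rule.to_port
            if proto_ok and port_ok and _source_matches(rule, src_ip, src_groups):
                return True
    return False


# Constructed topology: a web tier reachable from one office host (/32) and a
# database tier reachable only from members of the web tier's security group.
SG_EMPTY = SecurityGroup("sg-empty")                          # no rules: allows nothing
SG_WEB = SecurityGroup("sg-web", [Rule("tcp", 443, 443, "203.0.113.7/32")])
SG_DB = SecurityGroup("sg-db", [Rule("tcp", 5432, 5432, "sg-web")])

WEB = Instance("10.0.1.10", [SG_EMPTY, SG_WEB])               # two groups: the union applies
DB = Instance("10.0.2.20", [SG_DB])


def demo():
    """Verdicts for a handful of constructed packets."""
    return {
        "office_to_web_443": inbound_allowed(WEB, "203.0.113.7", set(), "tcp", 443),
        "other_host_to_web_443": inbound_allowed(WEB, "203.0.113.8", set(), "tcp", 443),
        "office_to_web_22": inbound_allowed(WEB, "203.0.113.7", set(), "tcp", 22),
        "web_to_db_5432": inbound_allowed(DB, "10.0.1.10", {"sg-web", "sg-empty"}, "tcp", 5432),
        "office_to_db_5432": inbound_allowed(DB, "203.0.113.7", set(), "tcp", 5432),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DENY (no matching allow rule)'}")
```

Note that `sg-empty` contributes nothing and also blocks nothing: attaching an empty group never tightens access, which is why the only way to restrict an instance is to remove Allow rules, not to add a group.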
NACLs
Network Access Control Lists (NACLs) act as a virtual firewall at the subnet level:
Every VPC automatically gets a default NACL. Subnets are associated with NACLs, and a subnet can belong to only a single NACL.
Each NACL contains a set of rules that can allow or deny traffic into (inbound) and out of (outbound) subnets. You can allow or deny traffic:

The rule number determines the order of evaluation, from lowest to highest; the first matching rule decides, and the trailing ‘*’ rule denies anything that no numbered rule matched.
The highest rule number can be 32766, and it is recommended to work in increments of 10 or 100.
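The ordering rule is easiest to see with a small evaluator. This is an added example for these notes, not AWS code; the rule numbers, ports and address ranges are constructed. It also shows the consequence of NACLs being stateless: the return half of a connection is not tracked, so a web subnet needs an explicit outbound rule for the clients' ephemeral ports.

```python
"""NACL evaluation model (added illustration, not AWS code).

Rules are evaluated from the lowest rule number upward, the first match wins,
and the implicit '*' entry denies anything nothing else matched. NACLs are
stateless, so each direction is evaluated on its own. All numbers and
addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

STAR = 32767  # sentinel for the implicit '*' deny-all; user rules stop at 32766


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str     # "tcp", "udp", "icmp" or "-1" (all)
    from_port: int
    to_port: int
    cidr: str
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, port, remote_ip):
    """Return (action, matching_rule_number) for one packet in one direction.

    Rules are sorted by number and the first match decides, so a deny with a
    lower number beats an allow with a higher number.
    """
    addr = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if not 1 <= r.number <= 32766:
            raise ValueError("NACL rule numbers must be in 1..32766")
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
            continue
        if addr not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        return r.action, r.number
    return "deny", STAR  # nothing matched: the '*' rule applies


# Constructed NACL for a public web subnet, numbered in steps of 100.
INBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to instance-initiated flows
    NaclRule(50, "tcp", 443, 443, "198.51.100.0/24", "deny"),  # lower number: evaluated first
]
OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # responses to inbound 443 (stateless!)
    NaclRule(200, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # instance-initiated HTTPS
]


def demo():
    """Verdicts for constructed packets; each is (action, rule number)."""
    return {
        "client_https": evaluate(INBOUND, "tcp", 443, "203.0.113.9"),
        "blocked_range_https": evaluate(INBOUND, "tcp", 443, "198.51.100.7"),
        "client_ssh": evaluate(INBOUND, "tcp", 22, "203.0.113.9"),
        "response_to_client": evaluate(OUTBOUND, "tcp", 51000, "203.0.113.9"),
        "outbound_smtp": evaluate(OUTBOUND, "tcp", 25, "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, (action, number) in demo().items():
        print(f"{name}: {action} (rule {'*' if number == STAR else number})")
```

If the outbound rule 100 were removed, inbound HTTPS would still be accepted by rule 100 but every response would hit ‘*’ and be dropped, which is the classic symptom of forgetting that NACLs, unlike Security Groups, are stateless.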
Network Address Translation (NAT)
Network Address Translation (NAT) is the method of re-mapping one IP address space into another.
If you have a private network whose hosts need outbound access to the internet, you use a NAT gateway to re-map the private IPs.
If you have two networks with conflicting address ranges, you can use NAT to make the addresses compatible.

VPC endpoints
Think of a secret tunnel where you don’t have to leave the AWS network.
VPC Endpoints allow you to privately connect your VPC to other AWS services, and VPC endpoint services.

There are two types of VPC Endpoints:
- Interface Endpoints
- Gateway Endpoints
VPC Endpoints eliminate the need for an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect connection.
Instances in the VPC do not require a public IP address to communicate with service resources.
Traffic between your VPC and other services does not leave the AWS network.
Endpoints are horizontally scaled, redundant, and highly available VPC components.
They allow secure communication between instances and services, without adding availability risks or bandwidth constraints on your traffic.
Interface endpoint
Interface Endpoints are Elastic Network Interfaces (ENI) with a private IP address.
They serve as an entry point for traffic going to a supported service.

Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network.
Interface Endpoints support the following AWS Services:
- API Gateway
- CloudFormation
- CloudWatch
- Kinesis
- SageMaker
- CodeBuild
- AWS Config
- EC2 API
- ELB API
- AWS KMS
- Secrets Manager
- Security Token Service
- Service Catalog
- SNS
- SQS
- Systems Manager
- Marketplace Partner Services
- Endpoint Services in other AWS accounts
Gateway endpoint
A Gateway Endpoint is a gateway that is a target for a specific route in your route table, used for traffic destined for a supported AWS service.

To create a Gateway Endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection.
Gateway Endpoints currently support only two services:
- Amazon S3
- DynamoDB
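Because a Gateway Endpoint is just a target in a route table, it is best understood together with the Route Tables, Internet Gateway and NAT Gateway sections above: each subnet is tied to one route table, the most specific (longest-prefix) route wins, and the target of that route decides whether a packet leaves through the IGW, the NAT gateway, a peering connection, or stays inside AWS via the endpoint. The following is an added example written for these notes, not AWS code. The VPC CIDRs, the resource ids and the prefix-list range standing in for S3 are all constructed (a real `pl-*` managed prefix list is resolved by AWS, not by you).

```python
"""Route-table lookup model (added illustration, not AWS code).

Longest-prefix match over a subnet's route table, with a gateway endpoint
route expressed as a prefix list. All CIDRs, ids and the stand-in S3 prefix
list are constructed for the example.
"""
import ipaddress

# Constructed stand-in for the S3 gateway endpoint's managed prefix list.
PREFIX_LISTS = {"pl-s3-example": ["52.216.0.0/15"]}


def _expand(dest):
    """Turn a CIDR string or a prefix-list id into ip_network objects."""
    cidrs = PREFIX_LISTS.get(dest, [dest])
    return [ipaddress.ip_network(c) for c in cidrs]


def resolve(route_table, dst_ip):
    """Return the target of the most specific route matching dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (prefix length, target)
    for dest, target in route_table:
        for net in _expand(dest):
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, target)
    if best is None:
        return "blackhole"  # a real VPC table always has at least the 'local' route
    return best[1]


# Two constructed subnets in VPC 10.0.0.0/16, peered with a VPC at 10.1.0.0/16.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-example"),          # VPC peering connection
    ("pl-s3-example", "vpce-s3-example"),    # gateway endpoint route for S3
    ("0.0.0.0/0", "igw-example"),            # default route: Internet Gateway
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-example"),
    ("pl-s3-example", "vpce-s3-example"),
    ("0.0.0.0/0", "nat-example"),            # private subnet: egress only via NAT gateway
]
SUBNET_ROUTE_TABLES = {"subnet-public": PUBLIC_RT, "subnet-private": PRIVATE_RT}


def next_hop(subnet_id, dst_ip):
    """Look up the route table associated with the subnet and resolve dst_ip."""
    return resolve(SUBNET_ROUTE_TABLES[subnet_id], dst_ip)


def demo():
    """Next hop for constructed destinations from each subnet."""
    return {
        "public_to_internet": next_hop("subnet-public", "203.0.113.1"),
        "private_to_internet": next_hop("subnet-private", "203.0.113.1"),
        "private_to_s3": next_hop("subnet-private", "52.216.10.10"),
        "private_to_peer": next_hop("subnet-private", "10.1.4.4"),
        "private_to_same_vpc": next_hop("subnet-private", "10.0.1.10"),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name}: {target}")
```

The S3 destination matches both the /15 prefix-list route and the 0.0.0.0/0 default, and the longer prefix wins, so the private subnet reaches S3 through the endpoint without ever touching the NAT gateway. That is also why an endpoint policy, not the NAT gateway's egress controls, governs that traffic.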
Extra
VPC Flow Logs
Flow Logs allow you to capture information about the IP traffic going to and from network interfaces within your VPC.

You can create flow logs for network interfaces that are created by other AWS services, such as:
- Elastic Load Balancing
- Amazon RDS
- Amazon ElastiCache
- Amazon Redshift
- Amazon WorkSpaces
- NAT gateways
- Transit gateways
All log data is stored in Amazon CloudWatch Logs or an S3 bucket.
After a Flow Log is created, it can be viewed in detail within CloudWatch Logs.
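A quick way to see what a Flow Log gives you is to parse a few records and summarise them. The following is an added example for these notes, not AWS tooling. It reads the default record format (version 2, space separated: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and flags sources with repeated REJECTs on management ports, which is the first thing a defender tends to look for; the log lines themselves are constructed, and the account id, ENI id and addresses are placeholders.

```python
"""VPC Flow Log triage (added illustration, not AWS tooling).

Parses default-format (version 2) flow-log records and summarises them for
a defender: repeated REJECTs on management ports per source, and accepted
bytes per (src, dst) pair. The sample records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
TCP = 6  # IANA protocol number, as written in the log


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    action: str
    log_status: str


def parse_line(line):
    """Return a FlowRecord, or None for NODATA/SKIPDATA rows (their fields are '-')."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      int(rec["packets"]), int(rec["bytes"]), rec["action"], rec["log_status"])


def rejected_scans(lines, watched_ports=(22, 3389), threshold=3):
    """Sources with at least `threshold` REJECTed TCP flows to the watched ports."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.action == "REJECT" and rec.protocol == TCP and rec.dstport in watched_ports:
            hits[rec.srcaddr] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


def bytes_by_pair(lines):
    """Accepted bytes per (src, dst) pair, useful for spotting unexpected egress."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.action == "ACCEPT":
            totals[(rec.srcaddr, rec.dstaddr)] += rec.nbytes
    return dict(totals)


# Constructed sample: repeated rejected SSH/RDP attempts from one host, a normal
# HTTPS exchange with another, and one NODATA row as the logger emits them.
SAMPLE = """\
2 123456789012 eni-0abc 198.51.100.23 10.0.1.10 41000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.23 10.0.1.10 41001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.23 10.0.1.10 41002 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.23 10.0.1.10 41003 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.9 10.0.1.10 52000 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.10 203.0.113.9 443 52000 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


if __name__ == "__main__":
    print("rejected management-port probes:", rejected_scans(SAMPLE))
    print("accepted bytes per pair:", bytes_by_pair(SAMPLE))
```

A REJECT in a flow log means a Security Group or NACL dropped the flow, so a burst of them is evidence the controls above are working; the useful follow-up is checking that the ACCEPT rows only show the pairs and ports you expect.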
Direct Connect
AWS Direct Connect is the AWS solution for establishing dedicated network connections from on-premises locations to AWS.

It helps reduce network costs and increase bandwidth throughput (great for high-traffic networks).
It provides a more consistent network experience than a typical internet-based connection (reliable and secure).
References
- Main AWS page: https://aws.amazon.com/vpc/
- Pricing: https://aws.amazon.com/vpc/pricing/
- Features: https://aws.amazon.com/vpc/features/
- FAQs: https://aws.amazon.com/vpc/faqs/
- AWS Solutions Architect tutorial video: https://www.youtube.com/watch?v=Ia-UEYYR44s/
- AWS VPC tutorial: https://www.simplilearn.com/tutorials/aws-tutorial/aws-vpc/
- Direct Connect: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html
- Flow Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
- Interface Endpoint (Private Link): https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html
- Gateway Endpoints: https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html