Overview of the VPC
What is Virtual Private Cloud?
Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. You have complete control over this virtual network environment, including choosing the IP address range, creating subnets, and configuring route tables and gateways. You can use both IPv4 and IPv6 for most resources in a VPC, giving you strict security together with easy access to resources and applications.
As one of the AWS platform services, Amazon VPC makes it easy to customize your network configuration. You can create a public subnet for web servers that need internet access, and place backend systems, such as application servers or databases, in private subnets that have no internet access. Amazon VPC also lets you apply multiple layers of security, including security groups and network access control lists, to control access to the Amazon EC2 instances in each subnet.
Components of the VPC
IPv4 and IPv6 address blocks
VPC IP address ranges are defined with Classless Inter-Domain Routing (CIDR) blocks. A VPC has a primary CIDR block, and you can add secondary CIDR blocks to it, provided each secondary block comes from the same address range as the primary block.
AWS recommends using CIDR blocks from private address ranges defined in RFC 1918:
Subnets
A subnet is a sub-network (a virtual subnet) within the VPC. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify a CIDR block for it. Each subnet must lie entirely within one Availability Zone and cannot span zones. Availability Zones are separate locations engineered to be isolated from failures in other zones.
There are 2 types of subnets:
- Public subnet: a subnet whose route table has a route to an internet gateway. An instance in a public subnet can communicate with the internet through its public IPv4 address or Elastic IP address.
- Private subnet: the opposite of a public subnet; its route table has no route to an internet gateway. Instances in a private subnet cannot be reached from the internet.
Route tables and gateways
A route table is a set of rules (called routes) that determine where network traffic from a subnet or gateway is directed.
- Internet Gateway: a component that allows communication between the VPC and the Internet. Put simply, if a server in the VPC wants to talk to the Internet, it needs an Internet Gateway.
- NAT Gateway: a component that allows an instance in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating connections to that instance.
- NAT Instance: an EC2 instance that you create and manage yourself and that performs the same function as a NAT Gateway. The differences between a NAT Gateway and a NAT Instance are described in detail here
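The CIDR rules above (RFC 1918 ranges, the primary/secondary block relationship, subnets that must fit inside the VPC block and inside one Availability Zone) are easy to get wrong when planning an address layout. The following Python checker is an added example, not code from the original page or from AWS; it uses only the standard `ipaddress` module. The /16 to /28 size limit for VPC blocks, the no-overlap requirement for secondary blocks and the five addresses AWS reserves in every subnet are AWS facts, not taken from the page; the subnet names and CIDRs in the usage are constructed.

```python
import ipaddress

# The RFC 1918 private ranges AWS recommends for VPC CIDR blocks.
RFC1918_RANGES = [
    ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# AWS reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def rfc1918_range(cidr):
    """Return the RFC 1918 range containing `cidr`, or None if it is not private."""
    net = ipaddress.ip_network(cidr, strict=True)
    for rng in RFC1918_RANGES:
        if net.subnet_of(rng):
            return rng
    return None


def check_vpc_cidr(cidr):
    """Problems with a VPC CIDR block; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{cidr}: VPC blocks must be between /16 and /28")
    if rfc1918_range(cidr) is None:
        problems.append(f"{cidr}: not an RFC 1918 private range (allowed, but not recommended)")
    return problems


def check_secondary_cidr(primary, secondary):
    """Checks for adding a secondary CIDR block to a VPC.

    The secondary block must come from the same RFC 1918 range as the primary
    (e.g. both from 10.0.0.0/8) and must not overlap the primary block.
    """
    p = ipaddress.ip_network(primary, strict=True)
    s = ipaddress.ip_network(secondary, strict=True)
    problems = check_vpc_cidr(secondary)
    if rfc1918_range(secondary) != rfc1918_range(primary):
        problems.append(f"{secondary}: not in the same address range as primary {primary}")
    if p.overlaps(s):
        problems.append(f"{secondary}: overlaps the primary block {primary}")
    return problems


def check_subnets(vpc_cidr, subnets):
    """Validate a subnet layout inside a VPC.

    `subnets` maps a subnet name to (cidr, availability_zone). Each subnet must
    lie entirely inside the VPC block and must not overlap any other subnet.
    Returns (problems, usable_hosts), where usable_hosts maps name -> number of
    addresses left after AWS's five reserved addresses.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, usable, seen = [], {}, []
    for name, (cidr, az) in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({cidr}, {az}) is not inside VPC {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name} ({cidr}) overlaps {other_name} ({other})")
        seen.append((name, net))
        usable[name] = net.num_addresses - RESERVED_PER_SUBNET
    return problems, usable


if __name__ == "__main__":
    # Constructed layout: one VPC, one subnet per Availability Zone.
    layout = {"public-a": ("10.0.1.0/24", "us-east-1a"),
              "public-b": ("10.0.2.0/24", "us-east-1b")}
    print(check_vpc_cidr("10.0.0.0/16"))
    print(check_secondary_cidr("10.0.0.0/16", "172.16.0.0/16"))
    print(check_subnets("10.0.0.0/16", layout))
```

`strict=True` rejects blocks with host bits set (for example `10.0.1.5/24`), which the AWS console would also refuse; the 251 usable hosts reported for a /24 are what you actually get after the reserved addresses.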
Elastic IP addresses
A public IPv4 address reachable from the Internet that can be associated with:
- an EC2 instance
- an AWS elastic network interface (ENI)
- other services that need a public IP address
Network / subnet security
AWS provides two features for enhancing security inside your VPC: security groups and network ACLs.
- Security groups control inbound and outbound traffic at the instance level.
- Network ACLs control inbound and outbound traffic at the subnet level.
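The two features evaluate rules differently, and the difference matters when a connection mysteriously fails: security groups are stateful and allow-only (any matching rule permits the traffic and the reply is allowed automatically), while network ACLs are stateless and ordered (rules are checked in ascending rule number, the first match decides, and the reply packet must itself be allowed by a rule in the opposite direction). The Python model below is an added example, not code from the page or from AWS; it reproduces those evaluation semantics over constructed rule sets for a public web subnet and shows the classic mistake of forgetting the outbound ephemeral-port rule. The `Rule` class and the 1024-65535 ephemeral range are this example's own simplification.

```python
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # source-port range clients use; replies go back to these ports


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for network ACLs; ignored for security groups
    action: str      # "allow" or "deny" (security groups only have "allow")
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # peer address range


def _matches(rule, protocol, port, peer_ip):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr))


def nacl_allows(rules, protocol, port, peer_ip):
    """Network ACL semantics: ascending rule number, first match decides,
    anything unmatched hits the implicit deny (*) rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, peer_ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, protocol, port, peer_ip):
    """Security group semantics: any matching rule permits; no deny rules, so
    order is irrelevant."""
    return any(_matches(rule, protocol, port, peer_ip) for rule in rules)


def inbound_connection_works(sg_inbound, nacl_inbound, nacl_outbound,
                             client_ip, dst_port, client_port=50000, protocol="tcp"):
    """Does a client at `client_ip` get a working session to `dst_port` on an
    instance in the subnet? Returns (ok, reason).

    The security group is stateful: its inbound rule alone covers the reply.
    The network ACL is stateless: the reply leaving the subnet is addressed to
    the client's ephemeral source port and needs an OUTBOUND rule of its own.
    """
    if not sg_allows(sg_inbound, protocol, dst_port, client_ip):
        return False, "security group has no inbound rule for this port"
    if not nacl_allows(nacl_inbound, protocol, dst_port, client_ip):
        return False, "network ACL denies the inbound request"
    if not nacl_allows(nacl_outbound, protocol, client_port, client_ip):
        return False, "network ACL denies the reply to the client's ephemeral port"
    return True, "ok"


# Constructed rule sets for a public web subnet.
SG_WEB_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(110, "allow", "tcp", *EPHEMERAL, "0.0.0.0/0"),  # replies to the instances' own calls
]
# Common mistake: only mirroring the service port in the outbound direction.
NACL_OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", *EPHEMERAL, "0.0.0.0/0")]

if __name__ == "__main__":
    for label, outbound in (("broken", NACL_OUTBOUND_BROKEN), ("fixed", NACL_OUTBOUND_FIXED)):
        print(label, inbound_connection_works(SG_WEB_INBOUND, NACL_INBOUND, outbound,
                                              "203.0.113.5", 443))
```

The ordering rule cuts both ways: a `deny` entry for a specific range only takes effect if its number is lower than the broad `allow` that would otherwise match first, so a blocklist entry appended with a high rule number silently does nothing.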
Other networking services
- Virtual Private Networks (VPNs)
- Direct connectivity between VPCs (VPC peering)
- Traffic mirroring sessions
Commonly used VPC scenarios
Scenario 1 – VPC with a single public subnet
Scenario 2 – VPC with public and private subnets (NAT)
Scenario 3 – VPC with public and private subnets and AWS Site-to-Site VPN access
Scenario 4 – VPC with a private subnet only and AWS Site-to-Site VPN access
Practice lab exercise with scenario 1
Create 2 public subnets in 2 different Availability Zones
Create subnet lab-architect-public-a in us-east-1a:
Create subnet lab-architect-public-b in us-east-1b:
Create a custom route table
Associate the subnets with the route table just created:
Create an Internet Gateway
Attach it to the VPC:
Add a route to the Internet Gateway in the route table:
Create a Network ACL for the public subnets
Associate the ACL with the 2 subnets:
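The same lab, carried out end to end with the AWS SDK instead of the console, as an added example that is not part of the original page. The subnet names and Availability Zones are the lab's; the VPC CIDR (`10.0.0.0/16`), the subnet CIDRs and the network ACL rules are assumptions, because the page shows those values only in screenshots. `build()` needs AWS credentials with EC2 permissions and creates billable resources; the planning helpers (`public_nacl_entries`, `public_route`) are pure functions so the rule set can be reviewed before anything is created.

```python
"""Scenario 1 lab (two public subnets, custom route table, internet gateway,
custom network ACL) driven by boto3. Names and AZs come from the lab; CIDRs
and ACL rules are assumptions."""

VPC_CIDR = "10.0.0.0/16"                      # assumption: not shown on the page
SUBNETS = {                                   # name -> (cidr, az); CIDRs are assumptions
    "lab-architect-public-a": ("10.0.1.0/24", "us-east-1a"),
    "lab-architect-public-b": ("10.0.2.0/24", "us-east-1b"),
}
ANYWHERE = "0.0.0.0/0"
TCP = "6"                                     # IANA protocol number, as the EC2 API expects


def public_nacl_entries():
    """Assumed rule set for a public web subnet. Network ACLs are stateless, so
    replies need explicit rules: inbound ephemeral ports for replies to the
    instances' own outbound calls, outbound ephemeral ports for replies to clients."""
    port_rules = [(100, 80, 80), (110, 443, 443), (120, 1024, 65535)]
    entries = []
    for egress in (False, True):
        for number, lo, hi in port_rules:
            entries.append(dict(RuleNumber=number, Protocol=TCP, RuleAction="allow",
                                Egress=egress, CidrBlock=ANYWHERE,
                                PortRange={"From": lo, "To": hi}))
    return entries


def public_route(igw_id):
    """The one route that makes a subnet public: default route to the IGW."""
    return {"DestinationCidrBlock": ANYWHERE, "GatewayId": igw_id}


def build(region="us-east-1"):
    import boto3  # imported here so the planning helpers work without the SDK installed
    ec2 = boto3.client("ec2", region_name=region)
    vpc_id = ec2.create_vpc(CidrBlock=VPC_CIDR)["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])

    # Step 1: two public subnets in two Availability Zones
    subnet_ids = {}
    for name, (cidr, az) in SUBNETS.items():
        resp = ec2.create_subnet(
            VpcId=vpc_id, CidrBlock=cidr, AvailabilityZone=az,
            TagSpecifications=[{"ResourceType": "subnet",
                                "Tags": [{"Key": "Name", "Value": name}]}])
        subnet_ids[name] = resp["Subnet"]["SubnetId"]

    # Step 2: custom route table, associated with both subnets
    rt_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    for subnet_id in subnet_ids.values():
        ec2.associate_route_table(RouteTableId=rt_id, SubnetId=subnet_id)

    # Step 3: internet gateway, attached to the VPC and added as the default route
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    ec2.create_route(RouteTableId=rt_id, **public_route(igw_id))

    # Step 4: custom network ACL, associated with both subnets
    nacl_id = ec2.create_network_acl(VpcId=vpc_id)["NetworkAcl"]["NetworkAclId"]
    for entry in public_nacl_entries():
        ec2.create_network_acl_entry(NetworkAclId=nacl_id, **entry)
    for subnet_id in subnet_ids.values():
        # Every subnet starts out associated with the VPC's default ACL; the
        # association is replaced rather than created.
        acls = ec2.describe_network_acls(
            Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
        assoc_id = next(a["NetworkAclAssociationId"]
                        for acl in acls["NetworkAcls"]
                        for a in acl["Associations"] if a["SubnetId"] == subnet_id)
        ec2.replace_network_acl_association(AssociationId=assoc_id, NetworkAclId=nacl_id)
    return {"vpc": vpc_id, "subnets": subnet_ids, "route_table": rt_id,
            "igw": igw_id, "nacl": nacl_id}


if __name__ == "__main__":
    print(build())
```

Note that the route to the Internet Gateway only makes the subnets public in the routing sense; an instance launched into them still needs a public IPv4 or Elastic IP address, as described under public subnets above, and its security group still decides which ports are reachable.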