Learn about AWS part 1: VPC – Virtual Private Cloud

Tram Ho

Overview of the VPC

What is Virtual Private Cloud?

Amazon Virtual Private Cloud (Amazon VPC) is a service that allows you to launch AWS resources in an isolated virtual network according to the logic you define. You have complete control over your virtual network environment, including IP address range selection, subnet creation, and configuration of routing tables and gateway. You can use both IPv4 and IPv6 for most resources in virtual private clouds, providing strict security and easy access to resources and applications.

As one of the AWS platform services, Amazon VPC makes it easy to customize your VPC network configuration. You can create a public subnet for web servers with internet access. This service also allows you to place backend systems, such as application servers or databases, in private subnets that do not have access to the internet. With Amazon VPC, you can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Components of the VPC

IPv4 and IPv6 address blocks

VPC IP address ranges are defined with Classless interdomain routing (CIDR) blocks. You can add primary and secondary CIDR blocks to the VPC, if the secondary CIDR block has the same address range as the primary block.

AWS recommends using CIDR blocks from private address ranges defined in RFC 1918:


Subnet, is understood as a sub network (virtual subnet). After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you need to specify a CIDR block for that subnet. Each subnet must lie completely within an Availability Zone and cannot extend to other zones. Availability Zones are separate locations designed to be isolated to avoid being affected by problems in other zones.

There are 2 types of subnets:

  • Public Subnet: A subnet that is routed to an internet gateway. An instance in a public subnet can communicate with the internet via an IPv4 address (public IPv4 address or Elastic IP address).
  • Private Subnet: Contrary to Public Subnet, Private Subnet is a subnet that is not routed to an internet gateway. You cannot access instances on a Private Subnet from the internet.

Route tables

A routing table, consisting of a set of rules (called routes), is used to determine the path and destination of packets from the subnet or gateway.

Internet connectivity

  • Internet Gateway: is a component that allows communication between VPC and Internet. In a way that is easier to understand, if a server in the VPC wants to communicate with the Internet, it needs an Internet Gateway.
  • NAT Gateway: is a component that allows a virtual server on a private network to connect to the Internet or other AWS services, but prevents the Internet from connecting to that server.
  • NAT Instance: is a virtual server that we create and manage that functions similar to NAT Gateway. You can refer to the difference between NAT Gateway and NAT Instance described in detail here

Elastic IP addresses

An IPv4, connectable public address from the Internet is used for:

  • EC2 instance
  • AWS elastic network interface (ENI)
  • Some other services need a public IP address

Network / subnet security

AWS provides two features that you can use to enhance security in your VPC: Security Group and Network ACLs.

  • Security Group controls the incoming and outgoing traffic for the instances
  • Network ACLs help control the incoming and outgoing traffic to the subnet.

Some other networking services

  • Virtual Private Networks (VPNs)
  • Direct connectivity between VPCs (VPC peering)
  • Gateways
  • Mirror sessions

Several VPC scenarios are commonly used

Scenario 1 – VPC with a single public subnet

Details: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario1.html

Scenario 2 – VPC with public and private subnets (NAT)

Details: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

Scenario 3 – VPC with public and private subnets and AWS Site-to-Site VPN access

Details: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario3.html

Scenario 4 – VPC with a private subnet only and AWS Site-to-Site VPN access

Details: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario4.html

Practice lab exercises with scenario 1

Create VPC

Create 2 public subnets in 2 different availability zones

Create a subnet lab-architect-public-a at us-east-1a:

Create subnet lab-architect-public-b at us-east-1b:

Create custom route table

Assign the subnet to the route table just created:

Create Internet Gateway

Attach to VPC:

Assign the Internet Gateway to the route table:

Create Network ACL for the public subnet

Assign ACLs to 2 subnets:

Create Security Group

Create EC2 instance and attach SG just created

Install nginx and check the results with the public ip of the instance




Share the news now

Source : Viblo