Virtual Private Cloud (Amazon VPC) : Naresh I Technologies Amazon Web Services Avinash Reddy T
An Amazon VPC consists of the following components:
• Subnets
• Route tables
• Dynamic Host Configuration Protocol (DHCP) option sets
• Security groups
• Network Access Control Lists (ACLs)
An Amazon VPC has the following optional components:
• Internet Gateways (IGWs)
• Elastic IP (EIP) addresses
• Elastic Network Interfaces (ENIs)
• Endpoints
• Peering
• Network Address Translation (NATs) instances and NAT gateways
• Virtual Private Gateway (VPG), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
By default, AWS creates a VPC for you in each region the first time you sign up for the service. This is called the default VPC. The default VPC comes preconfigured as follows:
• The default VPC is always created with a /16 CIDR block, which means it supports 65,536 IP addresses.
• A default subnet is created in each AZ of your selected region. Instances launched in these default subnets get both a public and a private IP address by default.
• An Internet Gateway is attached to the default VPC so that instances have Internet connectivity.
• The necessary route tables, security groups, and ACLs are also created by default so that instance traffic can pass through to the Internet. Refer to the following figure:
Classless Inter-Domain Routing (CIDR): When you create an Amazon VPC, you must specify its IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses), and it should not overlap any other network to which the VPC will be connected.
Subnets: A subnet is a segment of an Amazon VPC's IP address range in which you can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources.
After creating an Amazon VPC, you can add one or more subnets in each Availability Zone. A subnet resides within a single Availability Zone and cannot span zones.
Remember that each subnet belongs to exactly one Availability Zone. You can, however, have multiple subnets in one Availability Zone.
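The following is an added example (it is not part of these notes) that applies the CIDR and subnet rules above: the VPC block must be between /16 and /28, every subnet must fit inside the VPC block, subnets must not overlap one another, and each subnet is tied to exactly one Availability Zone. The VPC CIDR 192.168.0.0/16, the public subnet 192.168.1.0/24 and the AZ ap-south-1a are assumptions chosen for the sample plan; the private subnet 192.168.2.0/24 in ap-south-1b is the one used later in the notes.

```python
"""VPC address planning with the rules from the notes (added example).

- VPC CIDR is fixed at creation and must be between /16 and /28.
- Subnets are carved from the VPC block, must not overlap, and each one
  belongs to exactly one Availability Zone.
"""
import ipaddress
from collections import defaultdict

VPC_LARGEST_PREFIX = 16    # /16 -> 65,536 addresses
VPC_SMALLEST_PREFIX = 28   # /28 -> 16 addresses


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if cidr is an acceptable VPC block, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict=True rejects host bits (10.0.0.5/16)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("the VPC primary CIDR block must be IPv4")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: a VPC CIDR block must be between /16 and /28")
    return net


def plan_subnets(vpc_cidr: str, subnets: dict) -> dict:
    """subnets maps a subnet name to (cidr, availability_zone).

    Checks that every subnet fits inside the VPC block and that no two subnets
    overlap. Returns {name: {"network": IPv4Network, "az": str, "addresses": int}}.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    plan = {}
    for name, (cidr, az) in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} ({cidr}) is outside the VPC block {vpc_cidr}")
        for other, info in plan.items():
            if net.overlaps(info["network"]):
                raise ValueError(f"{name} ({cidr}) overlaps {other} ({info['network']})")
        plan[name] = {"network": net, "az": az, "addresses": net.num_addresses}
    return plan


def subnets_per_az(plan: dict) -> dict:
    """Group subnet names by Availability Zone (several subnets per AZ are fine)."""
    grouped = defaultdict(list)
    for name, info in plan.items():
        grouped[info["az"]].append(name)
    return dict(grouped)


# Constructed sample plan; the VPC block and the public subnet are assumptions.
SAMPLE_VPC = "192.168.0.0/16"
SAMPLE_SUBNETS = {
    "Public Subnet": ("192.168.1.0/24", "ap-south-1a"),
    "Private Subnet": ("192.168.2.0/24", "ap-south-1b"),
}

if __name__ == "__main__":
    for name, info in plan_subnets(SAMPLE_VPC, SAMPLE_SUBNETS).items():
        print(f"{name}: {info['network']} in {info['az']} ({info['addresses']} addresses)")
```

Running the script prints one line per subnet; changing the private subnet to 192.168.1.128/25 makes `plan_subnets` raise because it overlaps the public subnet, and passing a /8 VPC block is rejected before any subnet is examined.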
Subnets can be classified as public, private, or VPN-only:
• A public subnet is one whose associated route table directs the subnet's traffic to the Amazon VPC's IGW.
• A private subnet is one whose associated route table does not direct the subnet's traffic to the Amazon VPC's IGW.
• A VPN-only subnet is one whose associated route table directs the subnet's traffic to the Amazon VPC's VPG and has no route to the IGW.
Route Tables:
A route table is a logical construct within an Amazon VPC that contains a set of
rules (called routes) that are applied to the subnet and used to determine where
network traffic is directed.
• You can modify route tables and add your own custom routes.
• You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW).
• Each route table contains a default route called the local route, which enables communication within the Amazon VPC; this route cannot be modified or removed.
• Additional routes can be added to direct traffic to exit the Amazon VPC via the IGW, the VPG, or the NAT instance.
• You can create additional custom route tables for your VPC.
• Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
• You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
Internet Gateways:
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly
available Amazon VPC component that allows communication between instances
in your Amazon VPC and the Internet.
Amazon EC2 instances within an Amazon VPC are only aware of their private IP
addresses. When traffic is sent from the instance to the Internet, the IGW
translates the reply address to the instance’s public IP address (or EIP address,
covered later) and maintains the one-to-one map of the instance private IP
address and public IP address.
When an instance receives traffic from the Internet, the IGW translates the
destination address (public IP address) to the instance’s private IP address and
forwards the traffic to the Amazon VPC.
You must do the following to create a public subnet with Internet access:
1. Attach an IGW to your Amazon VPC.
2. Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
3. Configure your network ACLs and security group rules to allow the relevant traffic to flow to and from your instance.
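The following is an added example (not code from these notes or from AWS) that models the route-table behaviour described above: every table carries an unremovable local route for the VPC block, a lookup picks the most specific matching route (longest-prefix match), and a subnet is public, VPN-only, or private depending on whether its table sends traffic to an IGW, a VPG, or neither. The VPC block 192.168.0.0/16, the target ids igw-example, nat-example and vgw-example, and the on-premises range 10.20.0.0/16 are constructed placeholders.

```python
"""Route-table evaluation and subnet classification (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RouteTable:
    vpc_cidr: str
    routes: Dict[str, str] = field(default_factory=dict)   # destination CIDR -> target id

    def __post_init__(self) -> None:
        ipaddress.ip_network(self.vpc_cidr, strict=True)
        # The local route is always present and cannot be changed or removed.
        self.routes[self.vpc_cidr] = "local"

    def add_route(self, destination: str, target: str) -> None:
        """Add a custom route; the local route is protected."""
        if destination == self.vpc_cidr:
            raise ValueError("the local route cannot be modified or removed")
        ipaddress.ip_network(destination, strict=True)   # validate the CIDR
        self.routes[destination] = target

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Return the target for dst_ip, preferring the most specific matching prefix."""
        ip = ipaddress.ip_address(dst_ip)
        best_len, best_target = -1, None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best_len, best_target = net.prefixlen, target
        return best_target


def classify_subnet(table: RouteTable) -> str:
    """public: routes to an IGW; vpn-only: routes to a VPG and not to an IGW; else private."""
    targets = set(table.routes.values())
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def build_sample_tables() -> Dict[str, RouteTable]:
    """Constructed tables for the three subnet kinds the notes describe."""
    vpc = "192.168.0.0/16"                       # assumed custom VPC block
    public = RouteTable(vpc)
    public.add_route("0.0.0.0/0", "igw-example")  # all non-local traffic to the IGW
    private = RouteTable(vpc)
    private.add_route("0.0.0.0/0", "nat-example") # outbound-only Internet via NAT
    vpn_only = RouteTable(vpc)
    vpn_only.add_route("10.20.0.0/16", "vgw-example")   # assumed on-premises range
    return {"public": public, "private": private, "vpn-only": vpn_only}


if __name__ == "__main__":
    for name, table in build_sample_tables().items():
        print(name, classify_subnet(table),
              "192.168.2.10 ->", table.lookup("192.168.2.10"),
              "198.51.100.9 ->", table.lookup("198.51.100.9"))
```

A private subnet with only the local route returns `None` for an Internet address, which is exactly why the NAT route added later in the notes is needed before private-subnet instances can reach the Internet.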
Elastic IP Addresses (EIP): An Elastic IP address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool).
• AWS maintains a pool of public IP addresses in each region and makes them available for you to associate with resources within your Amazon VPCs.
• EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).
• There is a one-to-one relationship between network interfaces and EIPs.
• You can move EIPs from one instance to another, either in the same Amazon VPC or in a different Amazon VPC within the same region.
• EIPs remain associated with your AWS account until you explicitly release them.
• There are charges for EIPs allocated to your account, even when they are not associated with a resource.
Peering:
An Amazon VPC peering connection is a networking connection between two
Amazon VPCs that enables instances in either Amazon VPC to communicate with
each other as if they are within the same network. You can create an Amazon
VPC peering connection between your own Amazon VPCs or with an Amazon
VPC in another AWS account within a single region.
An Amazon VPC may have multiple peering connections, and peering is a one-to-one relationship between Amazon VPCs, meaning two Amazon VPCs cannot have two peering agreements between them.
Peering connections are created through a request/accept protocol. The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC. If the peer Amazon VPC is within the same account, it is identified by its VPC ID. If the peer VPC is within a different account, it is identified by Account ID and VPC ID. The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.
• You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
• You cannot create a peering connection between Amazon VPCs in different regions.
• Amazon VPC peering connections do not support transitive routing.
• You cannot have more than one peering connection between the same two Amazon VPCs at the same time.
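The following added example (not code from these notes or from AWS) enforces the peering constraints just listed, and also the star/non-transitive point made in the VPC Peering summary later in the notes: overlapping CIDR blocks are refused, VPCs must be in the same region, only one connection may exist per VPC pair, a request expires if not accepted within one week, a cross-account peer is identified by Account ID plus VPC ID, and reachability never passes through a middle VPC. The VPC ids vpc-a through vpc-e, the account ids 111111111111 and 222222222222, the region names and the dates are all constructed.

```python
"""VPC peering constraints from the notes, as a small in-memory model (added example)."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Set, Tuple

ACCEPT_WINDOW = timedelta(weeks=1)   # the peer owner has one week to accept


class PeeringManager:
    def __init__(self) -> None:
        self.vpcs: Dict[str, Tuple[str, str, ipaddress.IPv4Network]] = {}  # id -> (account, region, cidr)
        self.pending: Dict[FrozenSet[str], datetime] = {}                  # pair -> time requested
        self.active: Set[FrozenSet[str]] = set()

    def add_vpc(self, vpc_id: str, account_id: str, region: str, cidr: str) -> None:
        self.vpcs[vpc_id] = (account_id, region, ipaddress.ip_network(cidr, strict=True))

    def peer_identifier(self, requester: str, peer: str) -> str:
        """Same account: VPC ID only; different account: Account ID and VPC ID."""
        req_account, peer_account = self.vpcs[requester][0], self.vpcs[peer][0]
        return peer if req_account == peer_account else f"{peer_account}/{peer}"

    def request(self, requester: str, peer: str, when: datetime) -> str:
        if requester == peer:
            raise ValueError("a VPC cannot peer with itself")
        pair = frozenset((requester, peer))
        if pair in self.active or pair in self.pending:
            raise ValueError("only one peering connection is allowed between the same two VPCs")
        _, req_region, req_cidr = self.vpcs[requester]
        _, peer_region, peer_cidr = self.vpcs[peer]
        if req_region != peer_region:
            raise ValueError("peering across regions is not allowed")
        if req_cidr.overlaps(peer_cidr):
            raise ValueError("matching or overlapping CIDR blocks cannot be peered")
        self.pending[pair] = when
        return self.peer_identifier(requester, peer)

    def accept(self, vpc_a: str, vpc_b: str, when: datetime) -> None:
        pair = frozenset((vpc_a, vpc_b))
        requested = self.pending.pop(pair)          # KeyError if there is no such request
        if when - requested > ACCEPT_WINDOW:
            raise ValueError("peering request expired: not accepted within one week")
        self.active.add(pair)

    def can_reach(self, src: str, dst: str) -> bool:
        """Only a direct peering gives connectivity; routing is not transitive."""
        return frozenset((src, dst)) in self.active


def build_sample() -> PeeringManager:
    """Constructed star topology: vpc-a in the centre, peered with vpc-b and vpc-c."""
    m = PeeringManager()
    m.add_vpc("vpc-a", "111111111111", "ap-south-1", "10.0.0.0/16")
    m.add_vpc("vpc-b", "111111111111", "ap-south-1", "10.1.0.0/16")
    m.add_vpc("vpc-c", "222222222222", "ap-south-1", "10.2.0.0/16")
    m.add_vpc("vpc-d", "111111111111", "ap-south-1", "10.0.0.0/16")   # overlaps vpc-a
    m.add_vpc("vpc-e", "111111111111", "us-east-1", "10.3.0.0/16")    # other region
    day0 = datetime(2024, 1, 1)
    m.request("vpc-a", "vpc-b", day0)
    m.accept("vpc-a", "vpc-b", day0 + timedelta(days=2))
    m.request("vpc-a", "vpc-c", day0)
    m.accept("vpc-a", "vpc-c", day0 + timedelta(days=6))
    return m


if __name__ == "__main__":
    m = build_sample()
    print("a->b", m.can_reach("vpc-a", "vpc-b"), "a->c", m.can_reach("vpc-a", "vpc-c"),
          "b->c (via a)", m.can_reach("vpc-b", "vpc-c"))
```

`can_reach("vpc-b", "vpc-c")` is `False` even though both are peered with vpc-a; traffic between them needs its own peering connection (or another hub design), which is the practical meaning of "no transitive peering".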
Network Access Control Lists (ACLs):
A network access control list (ACL) is another layer of security that acts as a stateless firewall at the subnet level.
A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Here is a small example of what an ACL looks like:
When you create a custom network ACL, its initial configuration will deny all
inbound and outbound traffic until you create rules that allow otherwise.
Security Group vs. Network ACL:
Security Group: Operates at the instance level (first layer of defense).
Network ACL: Operates at the subnet level (second layer of defense).

Security Group: Supports allow rules only.
Network ACL: Supports allow rules and deny rules.

Security Group: Stateful: return traffic is automatically allowed, regardless of any rules.
Network ACL: Stateless: return traffic must be explicitly allowed by rules.

Security Group: AWS evaluates all rules before deciding whether to allow traffic.
Network ACL: AWS processes rules in number order when deciding whether to allow traffic.

Security Group: Applied selectively to individual instances.
Network ACL: Automatically applied to all instances in the associated subnets; this is a backup layer of defense, so you don't have to rely on someone specifying the security group.
You can connect an existing data center to an Amazon VPC using either hardware or software VPN connections, which makes the Amazon VPC an extension of the data center. Amazon VPC uses two components to connect a corporate network to a VPC: the VPG and the CGW.
A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks.
A customer gateway (CGW) represents a physical device or a software application on the customer's side of the VPN connection.
2. You can select the Start VPC Wizard option to see all of the VPC deployment methods.
VPC with a single public subnet: This is by far the simplest of the four deployment scenarios. With this scenario, the wizard provisions a VPC with a single public subnet and a default Internet Gateway attached to it. The subnet also gets a few simple and basic route tables, security groups, and network ACLs. This type of deployment is ideal for small-scale web applications or simple websites that don't require separate application or subnet tiers.
VPC with public and private subnets (NAT): This is the most commonly used deployment scenario. This option provides you with both a public subnet and a private subnet. The public subnet is connected to an Internet Gateway and allows instances launched within it to have Internet connectivity, whereas the private subnet has no access to the outside world. This scenario also provisions a single NAT instance inside the public subnet, through which your private subnet instances can connect to the outside world but not vice versa. Besides this, the wizard will also create and assign a route table to both the public and private
VPC with public and private subnets and hardware VPN access: This deployment scenario is very similar to the VPC with public and private subnets, with one additional component: the Virtual Private Gateway. The Virtual Private Gateway connects to your on-premises network's gateway using a standard VPN connection. This type of deployment is well suited for organizations that wish to extend their on-premises data centers and networks into the public cloud while still allowing their instances to communicate with the Internet.
VPC with a private subnet only and hardware VPN access: Unlike the previous deployment scenario, this scenario only provides you with a private subnet that can connect to your on-premises data centers using standard VPN connections. No Internet Gateway is provided, so your instances remain isolated from the Internet. This deployment scenario is ideal for cases where you wish to extend your on-premises data centers into the public cloud but do not want your instances to have any communication with the outside world.
STEP 2: Creating subnets under the custom VPC (one public and one private subnet)
Now we create another subnet, name it "Private Subnet", and use it for instances that do not need to be Internet-facing.
Create this subnet under the Custom VPC, name it "Private Subnet", enter the CIDR 192.168.2.0/24, select the Availability Zone ap-south-1b, and click the Create option.
Then select the "Attach to VPC" option, select the Custom VPC, and click the "Yes, Attach" option.
This is how the IGW dashboard looks after attaching it to the custom VPC. Remember: one Internet Gateway can be attached to only one VPC.
The newly created route table has no public route through the IGW yet. Select the newly created route table and choose the Routes option to verify this.
Now we have to add a route: select the Edit option, select "Add another Route", and enter 0.0.0.0/0. When you click on Target, the Internet Gateway is populated automatically; choose the populated IGW and click Save.
That's it, our custom VPC is ready to deploy resources. But we have one additional option.
STEP 5: Enabling Auto-assign IP Settings for the Public Subnet (Optional Step).
You can enable the auto-assign public IP address option for Public Subnet instances by editing the subnet settings. Navigate to the Subnets dashboard, select the "Public Subnet", choose "Subnet Actions", choose "Modify auto-assign IP settings", select the checkbox, and click Save.
Now every instance launched in the public subnet gets a public IP address, and we no longer need to select that option in the instance launch wizard.
3. Now try to connect to the instance over the Internet and verify its status. Because it is launched in the Public Subnet, you can connect without any issues and you can also browse the Internet from the instance.
5. Then try to connect to the instance launched in the Private Subnet. When you look up the username and password for instance connectivity, you get only a private IP address, and we cannot use it to connect to the launched instance.
a. But we can connect to that instance from the instance launched in the Public Subnet.
b. Remember that because this is a private subnet instance, the Private Subnet instances have no Internet access.
Select one of the instances from the listed instances, choose the NAT instance with t2.micro, and follow the instance launch wizard the same way as for a regular instance.
Note: The amount of traffic that a NAT instance supports depends on the instance size. If it becomes a bottleneck, increase the instance size.
Note: Make sure your NAT instance's security group allows HTTP and HTTPS.
Note: The NAT instance must be launched in the Custom VPC's Public Subnet.
Now we have to edit the "Custom VPC's Main Route table" and add a route through the NAT instance; then the private subnet instances will get Internet connectivity.
Select the Edit option, enter the Destination 0.0.0.0/0, and select the NAT instance as the target.
Now our Private subnet instances get Internet access through the NAT instance. Here is the output.
NAT GATEWAYS: Instead of NAT instances, we can use NAT Gateways. NAT Gateways have a lot of advantages compared to NAT instances. Make sure you terminate the NAT instance before setting up the NAT Gateway; we do not need two resources providing Internet access to the Private subnet.
Here are some of the advantages:
• Preferred for the enterprise/production level
• Scale automatically up to 10 Gbps
• Not associated with security groups
• Automatically assigned a public IP address (EIP)
• You have to update route tables for the change to take effect
• No OS, so no need to patch
• No instance, so no need to disable Source/Destination Checks
• Select the NAT Gateways option from the VPC navigation pane and click the "Create NAT Gateway" option.
• As with the NAT instance, the NAT Gateway must also be created in the Public Subnet of the Custom VPC.
• If you have an Elastic IP that is not associated with any resource, you can use it here; if you don't, select the Create New EIP option and click Create a NAT Gateway.
• Then edit the route table the same way as in the NAT instance process: select the Custom VPC's Main Route table and add the Destination 0.0.0.0/0 with the NAT Gateway as the target.
• Now go to the private subnet instance and verify Internet connectivity. You will be able to browse the Internet, and if you look up the public IP information from the private subnet instance you get the NAT Gateway's IP address. That means the Private subnet instance is reaching the Internet through the NAT Gateway.
Give the new Network ACL a name and create it under the Custom VPC.
A newly created NACL has no subnets associated with it.
By default, all inbound and outbound traffic is set to Deny.
Here we have to edit the rules and add the required Protocol, Port Range, and Source, just as with security groups.
The following are the parts of a network ACL rule:
• Rule number: Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches traffic, it is applied regardless of any higher-numbered rule that may contradict it.
• Protocol: You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.
• [Inbound rules only] The source of the traffic (CIDR range) and the destination (listening) port or port range.
• [Outbound rules only] The destination for the traffic (CIDR range) and the destination port or port range.
• Choice of ALLOW or DENY for the specified traffic.
Perform the same for the Outbound Rules as well, because Network ACLs are stateless.
Network ACLs also give us a Deny option. We can create another rule for the same protocol and set it to Allow or Deny based on our requirement. The lowest-numbered rule takes the highest priority.
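The following added example (not code from these notes or from AWS) models the two evaluation behaviours compared in the Security Group vs. Network ACL table and in the rule description above: a network ACL is stateless and walks its numbered rules from the lowest number, the first match decides, and anything unmatched is denied; a security group is stateful and allow-only, so any matching allow rule admits the traffic and the reply is admitted automatically. The web server 192.168.1.10, the clients 203.0.113.5 and 198.51.100.7, the rule numbers and the ports are all constructed sample values.

```python
"""Stateless ordered NACL evaluation vs. stateful security group evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int

    def reply(self) -> "Packet":
        """The return packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst, self.src, self.protocol, self.dst_port, self.src_port)


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str          # "ALLOW" or "DENY"


def _matches(protocol: str, cidr: str, port_from: int, port_to: int,
             direction: str, packet: Packet) -> bool:
    peer = packet.src if direction == "inbound" else packet.dst
    return (protocol in ("all", packet.protocol)
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
            and port_from <= packet.dst_port <= port_to)


class NetworkAcl:
    """Subnet-level, stateless, allow and deny rules, evaluated in number order."""

    def __init__(self) -> None:
        self.inbound: List[NaclRule] = []
        self.outbound: List[NaclRule] = []

    def add(self, direction: str, rule: NaclRule) -> None:
        getattr(self, direction).append(rule)

    def evaluate(self, direction: str, packet: Packet) -> str:
        # Lowest rule number first; the first matching rule is final.
        for rule in sorted(getattr(self, direction), key=lambda r: r.number):
            if _matches(rule.protocol, rule.cidr, rule.port_from, rule.port_to, direction, packet):
                return rule.action
        return "DENY"    # a custom NACL denies everything no rule allows


class SecurityGroup:
    """Instance-level, stateful, allow rules only; all rules are considered."""

    def __init__(self) -> None:
        self.inbound: List[Tuple[str, str, int, int]] = []
        self.outbound: List[Tuple[str, str, int, int]] = []
        self._established: Set[Tuple[str, str, str, int, int]] = set()

    def allow(self, direction: str, protocol: str, cidr: str, port_from: int, port_to: int) -> None:
        getattr(self, direction).append((protocol, cidr, port_from, port_to))

    def evaluate(self, direction: str, packet: Packet) -> str:
        flow = (packet.protocol, packet.src, packet.dst, packet.src_port, packet.dst_port)
        reverse = (packet.protocol, packet.dst, packet.src, packet.dst_port, packet.src_port)
        if reverse in self._established:
            return "ALLOW"   # stateful: return traffic of an allowed flow, regardless of rules
        for protocol, cidr, port_from, port_to in getattr(self, direction):
            if _matches(protocol, cidr, port_from, port_to, direction, packet):
                self._established.add(flow)
                return "ALLOW"
        return "DENY"        # no matching allow rule (there are no deny rules)


# Constructed sample flow: an Internet client connecting to a web server in the subnet.
REQUEST = Packet("203.0.113.5", "192.168.1.10", "tcp", 40000, 80)

if __name__ == "__main__":
    nacl = NetworkAcl()
    nacl.add("inbound", NaclRule(100, "tcp", "0.0.0.0/0", 80, 80, "ALLOW"))
    print("NACL inbound:", nacl.evaluate("inbound", REQUEST))
    print("NACL reply without ephemeral outbound rule:", nacl.evaluate("outbound", REQUEST.reply()))
    sg = SecurityGroup()
    sg.allow("inbound", "tcp", "0.0.0.0/0", 80, 80)
    print("SG inbound:", sg.evaluate("inbound", REQUEST), "SG reply:", sg.evaluate("outbound", REQUEST.reply()))
```

The script shows the practical consequence of statelessness: with only the inbound port 80 rule, the NACL drops the server's reply until an outbound rule covering the client's ephemeral port range (1024-65535 here) is added, while the security group admits the same reply because it tracks the flow it allowed in.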
VPC Peering
• Allows you to connect one VPC with another via a direct network route using private IP addresses.
• Instances behave as if they were on the same private network.
• You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
• Peering is in a star configuration, i.e. one central VPC peers with four others. NO TRANSITIVE PEERING!
VPC Cleanup:
When you delete the VPC, all the resources attached to the VPC are deleted automatically. As shown in the image below, the subnets, security groups, network ACLs, Internet Gateways, route tables, etc. are deleted along with the VPC.