AWS-VPC


Amazon Web Services – Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC)

⚫ An Amazon VPC is an isolated portion of the AWS cloud. You use Amazon VPC to create a virtual network topology for your Amazon EC2 resources.
⚫ You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
⚫ You can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet.
Amazon Virtual Private Cloud (VPC)

 Provision a private, isolated virtual network on the AWS cloud.
 Have complete control over your virtual networking environment.
VPCs and subnets

 A subnet defines a range of IP addresses in your VPC.
 You can launch AWS resources into a subnet that you select.
 A private subnet should be used for resources that won't be accessible over the Internet.
 A public subnet should be used for resources that will be accessed over the Internet.
 Each subnet must reside entirely within one Availability Zone and cannot span zones.
VPC example

[Figure: an AWS Cloud region containing a Virtual Private Cloud. An Internet gateway connects the VPC to the Internet and a virtual private gateway connects it to the customer network. The public subnet holds the web server and a NAT gateway, the private subnet holds the app server, and the VPN-only subnet holds the DB server.]
Security in your VPC

• Security groups
• Network access control lists (ACLs)
• Key Pairs

[Figure: VPC 10.0.0.0/16 with a router, a VPN gateway and an Internet gateway. Two subnets, 10.0.0.0/24 and 10.0.1.0/24, each have their own network ACL and routing table; every instance inside a subnet is attached to a security group.]
VPN connections

VPN connectivity option   Description
AWS Hardware VPN          You can create an IPsec hardware VPN connection between your VPC and your remote network.
AWS Direct Connect        AWS Direct Connect provides a dedicated private connection from a remote network to your VPC. The link itself is not encrypted; run an IPsec VPN over it where encryption is required.
AWS VPN CloudHub          You can create multiple AWS hardware VPN connections via your VPC to enable communications between various remote networks.
Software VPN              You can create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that's running a software VPN appliance.
Using One VPC

There are limited use cases where one VPC could be appropriate:
 High-performance computing
 Identity management
 Small, single applications managed by one person or very small team

For most use cases, there are two primary patterns for organizing your infrastructure:

Multi-VPC and Multi-Account


AWS Infrastructure Patterns

Pattern                 Shared Services        Development            Test                   Production
Multi-VPC pattern       Amazon VPC             Amazon VPC             Amazon VPC             Amazon VPC
Multi-account pattern   AWS Account            AWS Account            AWS Account            AWS Account
Choosing A Pattern

How do you know which pattern to use?

 The primary factors for determining this are the complexity of your organization and your workload isolation requirements:
 Single IT team? Multi-VPC
 Large organization with many IT teams? Multi-account
 High workload isolation required? Multi-account
Other Important Considerations

 The majority of AWS services do not actually sit within a VPC.
 For these services, a VPC cannot provide any isolation beyond controlling connectivity.
 Network traffic between AWS Regions traverses the AWS global network backbone by default.
 Amazon S3 and DynamoDB offer VPC (gateway) endpoints so that instances reach them without traversing the public Internet; many other services are reached privately through interface endpoints (AWS PrivateLink).
VPCs And IP Addresses

 When you create your VPC, you specify its set of IP addresses with CIDR notation.
 Classless Inter-Domain Routing (CIDR) notation is a simplified way to show a specific range of IP addresses.
 Example: 10.0.0.0/16 = all IPs from 10.0.0.0 to 10.0.255.255
 How does that work? What does the 16 define?
IPs and CIDR

Each of the four numbers (octets) in an IPv4 address represents 8 binary digits (8 bits), so the whole address is 32 bits:

10 . 0 . 0 . 0       = 00001010 00000000 00000000 00000000
10 . 0 . 255 . 255   = 00001010 00000000 11111111 11111111

The 16 in the CIDR notation example represents how many of those bits, counting from the left, are "locked down" and cannot change:

10 . 0 . 0 . 0 /16   = 00001010 00000000 | 00000000 00000000
                        16 locked bits      16 unlocked bits

The unlocked bits can change between 1 and 0, allowing the full range of possible values.

CIDR Example: 10.0.0.0/16

Lowest possible IP:   10 . 0 . 0 . 0       = 00001010 00000000 00000000 00000000
Highest possible IP:  10 . 0 . 255 . 255   = 00001010 00000000 11111111 11111111
VPCs and IP Addresses

 AWS VPCs can use CIDR ranges between /16 and /28.
 For every one step a CIDR range increases, the total number of IPs is cut in half:

CIDR   Total IPs
/16    65,536
/17    32,768
/18    16,384
/19    8,192
/20    4,096
/21    2,048
/22    1,024
/23    512
/24    256
/25    128
/26    64
/27    32
/28    16
What Are Subnets?

Subnets are segments or partitions of a network, divided by CIDR range.

Example: A VPC with CIDR /22 includes 1,024 total IPs. Dividing it into four /24 subnets (Subnet 1 to Subnet 4) gives 256 addresses per subnet, of which 251 are usable.

Note: In every subnet, the first four and last one IP addresses are reserved for AWS use.
How to Use Subnets

Recommendation: Use subnets to define Internet accessibility.

Public subnets: Include a routing table entry to an Internet gateway to support inbound/outbound access to the public Internet.

Private subnets: Do not have a routing table entry to an Internet gateway and are not directly accessible from the public Internet. Typically use a "jump box" (NAT/proxy/bastion host) to support restricted, outbound-only public Internet access.
Subnets

Recommendation: Start with one public and one private subnet per Availability Zone.

VPC 10.0.0.0/21 (10.0.0.0 - 10.0.7.255)

Availability Zone A
  Public subnet   10.0.0.0/24  (10.0.0.0 - 10.0.0.255)
  Private subnet  10.0.2.0/23  (10.0.2.0 - 10.0.3.255)

Availability Zone B
  Public subnet   10.0.1.0/24  (10.0.1.0 - 10.0.1.255)
  Private subnet  10.0.4.0/23  (10.0.4.0 - 10.0.5.255)
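The CIDR arithmetic from the preceding slides (range and size of a block, the /16 to /28 VPC limit, the five reserved addresses per subnet, and carving one public /24 and one private /23 per Availability Zone out of a /21) as an added, runnable example. This is not code from the slide deck; it uses only the Python standard library, and the subnet names are illustrative.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the first four (network address,
# VPC router, DNS, reserved for future use) and the last one (broadcast).
AWS_RESERVED_PER_SUBNET = 5
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28          # a VPC CIDR must be between /16 and /28


def cidr_range(cidr):
    """(first address, last address, total addresses) for a block such as 10.0.0.0/16."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


def total_addresses(prefix):
    """Each step the prefix length increases halves the block: 2 ** (32 - prefix)."""
    return 2 ** (32 - prefix)


def usable_hosts(cidr):
    """Addresses you can actually assign to resources in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_vpc_cidr(cidr):
    """Reject block sizes AWS will not accept for a VPC (or a CIDR with host bits set)."""
    net = ipaddress.ip_network(cidr, strict=True)      # strict: host bits must be zero
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def plan_subnets(vpc_cidr, layout):
    """Carve subnets out of a VPC block in the order given.

    layout: list of (name, prefix_length). Returns [(name, cidr, usable_hosts)].
    Raises ValueError if the plan does not fit inside the VPC. Subnets never overlap
    because each one starts at the first aligned address after the previous one.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    plan, cursor = [], int(vpc.network_address)
    for name, prefix in layout:
        size = total_addresses(prefix)
        if cursor % size:                          # align to the subnet's natural boundary
            cursor += size - cursor % size
        subnet = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}", strict=True)
        if not subnet.subnet_of(vpc):
            raise ValueError(f"{name} ({subnet}) does not fit inside {vpc}")
        plan.append((name, str(subnet), usable_hosts(str(subnet))))
        cursor += size
    return plan


def overlapping(cidrs):
    """Pairs of blocks that overlap: check this before peering VPCs or adding a VPN route."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print(cidr_range("10.0.0.0/16"))                # ('10.0.0.0', '10.0.255.255', 65536)
    for prefix in range(16, 29):                    # the CIDR / Total IPs table
        print(f"/{prefix:<3} {total_addresses(prefix):>7,}")
    # the slide's layout: one public (/24) and one private (/23) subnet per AZ
    for row in plan_subnets("10.0.0.0/21", [("public-a", 24), ("public-b", 24),
                                            ("private-a", 23), ("private-b", 23)]):
        print(row)
```

`plan_subnets` reproduces the slide's addresses exactly (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/23, 10.0.4.0/23) and reports 251 and 507 usable hosts rather than 256 and 512, which is the number that matters when you size a subnet for an auto scaling group.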


Subnet Sizes

Recommendation: Consider larger subnets over smaller ones (/24 and larger).

Simplifies workload placement:
Choosing where to place a workload among 10 small subnets is more complicated than with one large subnet.

Less likely to waste or run out of IPs:
If your subnet runs out of available IPs, you can't add more to that subnet.
Example: If you have 251 IPs in a subnet that's using only 25 of them, you can't share the unused 226 IPs with another subnet that's running out.
Subnet Types

Which subnet type (public or private) should you use for these resources?

Resource                     Public   Private
Datastore instances                   ✓
Batch processing instances            ✓
Back-end instances                    ✓
Web application instances    ✓        ✓
How do you control your VPC traffic?

 Route tables
 Security groups
 Network ACLs
 Internet gateways
Route Tables

Directing Traffic Between VPC Resources

 Determine where network traffic is routed.
 Main and custom route tables.
 VPC route table: local route.
 Only one route table per subnet (one route table may be associated with many subnets).

Main route table of VPC 10.0.0.0/16:

Destination   Target
10.0.0.0/16   local

Best practice:
Use custom route tables for each subnet to enable granular routing for destinations.
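Route selection in a VPC route table is longest-prefix match: the most specific route that covers the destination wins, and a destination no route covers is dropped. The following added example (not from the slides) models that lookup and the recommendation that a subnet counts as "public" only when its route table sends traffic to an Internet gateway. The route tables and the igw-/nat-/vgw- target identifiers are constructed for illustration.

```python
import ipaddress

# Constructed route tables for the slide's VPC; the target IDs are illustrative.
MAIN_ROUTE_TABLE = {
    "10.0.0.0/16": "local",
}
PUBLIC_ROUTE_TABLE = {
    "10.0.0.0/16": "local",
    "0.0.0.0/0":   "igw-example",      # Internet gateway makes the subnet public
}
PRIVATE_ROUTE_TABLE = {
    "10.0.0.0/16":   "local",
    "172.16.0.0/12": "vgw-example",    # corporate network over the hardware VPN
    "0.0.0.0/0":     "nat-example",    # outbound-only Internet access via NAT
}


def resolve(route_table, dst_ip):
    """Target for dst_ip by longest-prefix match; None means the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is public only if its route table has a route to an Internet gateway."""
    return any(target.startswith("igw-") for target in route_table.values())


if __name__ == "__main__":
    for table_name, table in (("main", MAIN_ROUTE_TABLE), ("public", PUBLIC_ROUTE_TABLE),
                              ("private", PRIVATE_ROUTE_TABLE)):
        print(table_name, "public" if is_public_subnet(table) else "private",
              resolve(table, "10.0.4.20"), resolve(table, "172.16.5.5"), resolve(table, "8.8.8.8"))
```

Note that the private table still reaches the Internet (through the NAT) but is not public: what decides exposure is the target of the default route, not whether a default route exists.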
Security Groups

Securing VPC Traffic With Security Groups

 Are virtual firewalls that control inbound and outbound traffic for one or more instances.
 Deny all incoming traffic by default and use allow rules only (there are no deny rules) that can filter based on TCP, UDP, and ICMP protocols.
 Are stateful, which means that if your inbound request is allowed, the outbound response is allowed without being checked against the outbound rules, and vice versa.
 Can define a source/target as either a CIDR block or another security group to handle situations like auto scaling.
Security Groups

Use security groups to control traffic into, out of, and between resources.

[Figure: app instances in the private subnets of Availability Zone A and Availability Zone B share one App tier security group; the data instances in the same subnets share one Data tier security group.]
How Security Groups Are Configured

 By default, all newly created security groups allow all outbound traffic to all destinations.
Modifying the default outbound rule on security groups increases complexity and is not recommended unless required for compliance.

 Most organizations create security groups with inbound rules for each functional tier (web/app/data/etc.) within an application.
Security Group Chaining Diagram

Security group rules per application tier (instances spread over Availability Zones A and B):

Web tier ELB security group:   Inbound rule: Allow TCP port 443,  Source: 0.0.0.0/0 (Any)
Web tier security group:       Inbound rule: Allow TCP port 80,   Source: Web tier ELB
App tier ELB security group:   Inbound rule: Allow TCP port 8080, Source: Web tier
App tier security group:       Inbound rule: Allow TCP port 8080, Source: App tier ELB
Data tier security group:      Inbound rule: Allow TCP port 3306, Source: App tier
Network ACLs

 Are optional virtual firewalls that control traffic in and out of a subnet.
 Allow all incoming/outgoing traffic by default (this is the default network ACL; a custom network ACL denies everything until you add rules) and use stateless rules to allow or deny traffic.
"Stateless rules" inspect all inbound and outbound traffic and do not keep track of connections. The return half of every connection must therefore be allowed explicitly: an ACL that permits inbound TCP 443 also needs an outbound rule covering the ephemeral port range (1024-65535) that clients use for replies.
 Rules are evaluated in ascending rule-number order and the first match wins.
 Enforce rules only at the boundary of the subnet, not at the instance level like security groups.
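The difference between the stateful security groups of the chaining diagram and a stateless network ACL is easiest to see by pushing one TCP handshake through both. The added example below (not from the slides) models the chained security groups of the diagram as allow-lists with SG-to-SG sources, and a network ACL on the data subnet once with an outbound rule that only covers port 3306 and once with the ephemeral range. Instance addresses, group names and rule numbers are constructed for illustration.

```python
import ipaddress

# Constructed three-tier topology mirroring the chaining diagram (addresses assumed).
INSTANCES = {                       # name: (private IP, security group)
    "web-elb": ("10.0.0.10", "WebELB-SG"),
    "web1":    ("10.0.0.20", "Web-SG"),
    "app-elb": ("10.0.2.10", "AppELB-SG"),
    "app1":    ("10.0.2.20", "App-SG"),
    "db1":     ("10.0.4.20", "Data-SG"),
}
# Inbound rules only, as on the slide: (protocol, port, source). The source is a
# CIDR block or the name of another security group; there are no deny rules.
SECURITY_GROUPS = {
    "WebELB-SG": [("tcp", 443,  "0.0.0.0/0")],
    "Web-SG":    [("tcp", 80,   "WebELB-SG")],
    "AppELB-SG": [("tcp", 8080, "Web-SG")],
    "App-SG":    [("tcp", 8080, "AppELB-SG")],
    "Data-SG":   [("tcp", 3306, "App-SG")],
}


def sg_of(ip):
    """Security group attached to the instance that owns this IP (None for outsiders)."""
    return next((sg for addr, sg in INSTANCES.values() if addr == ip), None)


def source_matches(source, src_ip):
    if "/" in source:                                     # CIDR source
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)
    return sg_of(src_ip) == source                        # SG-to-SG reference


class SecurityGroupFirewall:
    """Stateful: an accepted inbound flow implies its reply is allowed without a rule."""

    def __init__(self):
        self.connections = set()

    def inbound(self, src, sport, dst, dport, proto="tcp"):
        for rule_proto, port, source in SECURITY_GROUPS.get(sg_of(dst), []):
            if rule_proto == proto and port == dport and source_matches(source, src):
                self.connections.add((src, sport, dst, dport, proto))
                return True
        return False                                      # implicit deny

    def reply(self, src, sport, dst, dport, proto="tcp"):
        # The reverse 5-tuple must be a tracked connection; outbound rules are not consulted.
        return (dst, dport, src, sport, proto) in self.connections


# Network ACL of the data subnet: (rule number, protocol, (port_lo, port_hi), cidr, action).
# Evaluated in ascending number order, first match wins, no match means deny.
DATA_NACL_INBOUND = [
    (100, "tcp", (3306, 3306), "10.0.2.0/23", "allow"),   # MySQL from the app subnet
]
DATA_NACL_OUTBOUND_BROKEN = [
    (100, "tcp", (3306, 3306), "10.0.2.0/23", "allow"),   # replies never go *to* port 3306
]
DATA_NACL_OUTBOUND_FIXED = [
    (100, "tcp", (1024, 65535), "10.0.2.0/23", "allow"),  # ephemeral ports used by clients
]


def nacl_allows(rules, remote_ip, dport, proto="tcp"):
    """Stateless check of one packet (its remote address and destination port)."""
    for _num, rule_proto, (lo, hi), cidr, action in sorted(rules):
        if (rule_proto == proto and lo <= dport <= hi
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr)):
            return action == "allow"
    return False


def mysql_session(outbound_rules, app_ip="10.0.2.20", db_ip="10.0.4.20", ephemeral=40000):
    """Does a TCP handshake from app1 to db1:3306 survive both the NACL and the SG?"""
    fw = SecurityGroupFirewall()
    # SYN entering the data subnet: NACL inbound rule (dport 3306), then the instance's SG.
    if not nacl_allows(DATA_NACL_INBOUND, app_ip, 3306):
        return False
    if not fw.inbound(app_ip, ephemeral, db_ip, 3306):
        return False
    # SYN-ACK leaving the subnet: the SG allows it statefully, but the NACL re-checks it
    # as a fresh packet whose destination port is the client's ephemeral port.
    if not fw.reply(db_ip, 3306, app_ip, ephemeral):
        return False
    return nacl_allows(outbound_rules, app_ip, ephemeral)


if __name__ == "__main__":
    print("broken NACL:", mysql_session(DATA_NACL_OUTBOUND_BROKEN))   # False
    print("fixed NACL: ", mysql_session(DATA_NACL_OUTBOUND_FIXED))    # True
```

The same security-group rules that let app1 reach the database refuse a web instance that tries to skip the app tier and refuse the Internet reaching port 8080 directly, because the source is resolved by membership, not by address. The NACL comparison shows why "it works with the default ACL and breaks with my custom one" is almost always the missing ephemeral-port rule.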
Internet gateways

Directing Traffic To Your VPC

 Allow communication between instances in your VPC and the Internet.
 Are horizontally scaled, redundant, and highly available by default.
 Provide a target in your VPC route tables for Internet-routable traffic.

[Figure: users on the Internet reach Instance A, which has a public IP, through the Internet gateway of VPC 10.0.0.0/16; Instance A sits in the public subnet 10.0.10.0/24.]
Directing Traffic To Your VPC

To enable access to or from the Internet for instances in a VPC subnet, you must:

 Attach an Internet gateway to your VPC
 Ensure that your subnet's route table points to the Internet gateway
 Ensure that instances in your subnet have public IP addresses or Elastic IP addresses
 Ensure that your NACLs and security groups allow the relevant traffic to flow to and from your instance
What About Outbound Traffic From Private Instances?

Network Address Translation services:
 Enable instances in the private subnet to initiate outbound traffic to the Internet or other AWS services.
 Prevent private instances from receiving inbound traffic from the Internet.

Two primary options:
 Amazon EC2 instance set up as a NAT in a public subnet
 VPC NAT Gateway

[Figure: VPC 10.0.0.0/16 with an Internet gateway. The public subnet 10.0.10.0/24 holds the NAT (either a NAT instance with a public IP or a VPC NAT gateway); the private subnet 10.0.20.0/24 holds a private instance with only a private IP.]

Private subnet route table:

Destination   Target
10.0.0.0/16   local
0.0.0.0/0     NAT
VPC NAT Gateways vs. NAT Instances On Amazon EC2

                  VPC NAT gateway               NAT instance
Availability      Highly available by default   Use script to manage failover
Bandwidth         Bursts to 10 Gbps             Based on bandwidth of instance type
Maintenance       Managed by AWS                Managed by you
Security          NACLs                         Security groups and NACLs
Port forwarding   Not supported                 Supported

Note: a NAT instance must have source/destination checking disabled on its network interface, otherwise it drops the packets it is supposed to forward.
Subnets, Gateways, and Routes

[Figure: a Region with VPC 10.0.0.0/20 spanning two Availability Zones and attached to an Internet gateway. Public subnet 10.0.0.0/24 (Availability Zone 1) holds a NAT instance with a public IP. Private subnet 10.0.4.0/23 (Availability Zone 1) and private subnet 10.0.2.0/23 (Availability Zone 2) each hold a private instance with only a private IP, protected by a security group; DynamoDB sits outside the VPC.]

Public subnet route table:
Destination   Target
10.0.0.0/20   local
0.0.0.0/0     IGW

Private subnet route table (both Availability Zones):
Destination   Target
10.0.0.0/20   local
0.0.0.0/0     NAT
Logging VPC Traffic

Amazon VPC Flow Logs

 Capture traffic flow details in your VPC: accepted and rejected traffic.
 Record IP-level metadata for each flow (addresses, ports, protocol, packet and byte counts, action), not packet contents.
 Can be enabled for VPCs, subnets, and ENIs.
 Logs published to CloudWatch Logs (or Amazon S3).

Use cases:
• Troubleshoot connectivity issues.
• Test network access rules.
• Monitor traffic.
• Detect and investigate security incidents.
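Two of the use cases above, testing access rules and detecting incidents, come down to querying the flow records. The added example below (not part of the deck) parses records in the default flow log format and runs two detections over them: a source whose rejected TCP probes hit many distinct ports on one interface in a short window (a port scan against the public web server), and an accepted connection to a sensitive port from outside the VPC (a database in the private subnet that is somehow reachable from the Internet). The sample records, account ID and interface IDs are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Fields of the default VPC Flow Log record (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real logs). eni-aaaa is the web server in the
# public subnet, eni-bbbb the database instance in the private subnet.
SAMPLE_LOG = """\
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51001 23 6 1 44 1700000001 1700000061 REJECT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51002 80 6 1 44 1700000002 1700000062 REJECT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51003 443 6 3 180 1700000003 1700000063 ACCEPT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51004 3389 6 1 44 1700000004 1700000064 REJECT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51005 8080 6 1 44 1700000005 1700000065 REJECT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.0.20 51006 5432 6 1 44 1700000006 1700000066 REJECT OK
2 123456789012 eni-aaaa 198.51.100.3 10.0.0.20 47000 443 6 12 2400 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-bbbb 10.0.2.20 10.0.4.20 40000 3306 6 20 5000 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-bbbb 198.51.100.9 10.0.4.20 39000 3306 6 8 900 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-bbbb - - - - - - - 1700000100 1700000160 - NODATA
"""


def parse_flow_log(text):
    """Parse records into dicts; NODATA/SKIPDATA records carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                                   # malformed line or custom format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def port_scans(records, min_ports=5, window=300):
    """Sources whose REJECTed TCP probes hit >= min_ports distinct ports on one ENI
    within `window` seconds. Returns {(srcaddr, interface_id): sorted ports}."""
    probes = defaultdict(list)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:        # 6 = TCP
            probes[(r["srcaddr"], r["interface_id"])].append((r["start"], r["dstport"]))
    hits = {}
    for key, events in probes.items():
        events.sort()
        ports = {port for _, port in events}
        if len(ports) >= min_ports and events[-1][0] - events[0][0] <= window:
            hits[key] = sorted(ports)
    return hits


def exposed_sensitive_services(records, internal="10.0.0.0/16", ports=(22, 3306, 3389)):
    """ACCEPTed flows to sensitive ports from outside the VPC. A private-subnet database
    answering an Internet address means a route table or security group is wrong."""
    vpc = ipaddress.ip_network(internal)
    return sorted({(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                   if r["action"] == "ACCEPT" and r["dstport"] in ports
                   and ipaddress.ip_address(r["srcaddr"]) not in vpc})


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_LOG)
    print("port scans:", port_scans(records))
    print("exposed services:", exposed_sensitive_services(records))
```

In production the same logic runs as a CloudWatch Logs Insights query or a scheduled job over the S3 export; the thresholds here are deliberately low so the sample triggers, and `port_scans` ignores ACCEPT records so that a scanner that also finds an open port is still counted by its rejected probes.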
AWS VPC (Single Public Subnet)

Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet. Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your
AWS VPC (Single Private Subnet H/W VPN)

Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet. You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN).
AWS VPC

⚫ This is a diagram of a typical scenario you can create; full details can be found in the VPC Scenario 2 user guide page listed under References.

You will need to create the following security


groups

• WebServerSG—For the web servers in the


public subnet
• DBServerSG—For the database servers in the
private subnet
AWS VPC

⚫ From the Your VPCs screen note the details for your VPC – VPC ID, DHCP Options set, Main Route table, Default Network ACL.
⚫ Also note the Subnets, Internet Gateways and Elastic IPs that have been created for your VPC. You should clearly name your VPC resources.
AWS VPC

⚫ You can choose yourself whether you want to work with Windows or Linux machines or a mixture of both.
⚫ Launch a web server in the Public subnet in the VPC. Make sure you enable Auto-Assign Public IP address.
⚫ You should put in some meaningful details in the Instance details tags key – value screen e.g. RFwebserver
⚫ Launch the server in the relevant Security Group e.g. RFWebServerSG
⚫ You will see both the Private and Public IP addresses assigned to this server. You can configure a webserver and connect to the Public IP address from your own desktop.
AWS VPC
⚫ Now you can launch a Linux instance – you can choose a basic AMI. This instance must be launched in the private subnet, and into the DBServerSG.
⚫ You DO NOT want to Auto-Assign a Public IP address to this server.
⚫ If you add an inbound ssh (TCP 22) rule to the DBServerSG with the WebServerSG as its source, you will be able to log in from the server in the Public subnet to the server in the Private subnet.
⚫ Once you ssh from your webserver instance to your dbinstance you can check your public IP address using
wget http://ipinfo.io/ip -qO -
(the request only succeeds because the private subnet's 0.0.0.0/0 route sends it out through the NAT gateway.)
⚫ What is the Public IP address of the server in
AWS VPC

⚫ When you have investigated this VPC Scenario you can terminate your instances in the Public and Private subnets.
⚫ In this exercise you created your own VPC with Public and Private subnets.
⚫ Note you can delete your VPC and all associated resources (NAT gateway, instances, Elastic IPs, etc.). The NAT gateway and any Elastic IP not attached to a running instance keep incurring charges until they are deleted.
References

⚫ http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
⚫ How to securely manage AWS credentials
 https://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs
⚫ How to login securely to Linux AMI in VPC Private subnet using ssh agent forwarding
 https://blogs.aws.amazon.com/security/post/Tx3N8GFK85UN1G6/Securely-connect-to-Linux-instances-running-in-a-private-Amazon-VPC
