VPC
VPC - Virtual Private Cloud #
Amazon Virtual Private Cloud (VPC) enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
- VPC, Subnets, Internet Gateways, NAT Gateways
- Security Groups, Network ACLs (NACL), VPC Flow Logs
- VPC Peering, VPC Endpoints
- Site to Site VPN and Direct Connect
- Transit Gateway
IP Addresses in AWS #
IPv4 (4.3 Billion Addresses)
- Public IPv4 - can be used on the Internet
- An EC2 instance with an auto-assigned public IPv4 gets a new address every time it is stopped and started
- Private IPv4 - can be used on private networks (LAN) such as internal AWS networking
- Private IPv4 is fixed for EC2 instances even after stopping / starting
Elastic IP - allows you to attach a fixed public IPv4 address to an EC2 instance (it survives stop / start)
Note: Every public IPv4 address on AWS will be charged $0.005 per hour (including Elastic IP)
IPv6 - Number of addresses: 3.4 x 10^38
- Amazon-provided IPv6 addresses are globally unique, i.e. public (there is no private range equivalent to RFC 1918); whether an instance is actually reachable still depends on its route table, an Internet Gateway (or egress-only Internet Gateway) and its security groups
- Free (no hourly charge, unlike public IPv4)
VPC and Subnets Primer #
VPC - Virtual Private Cloud - private network to deploy resources (regional resource)
- Subnets allow you to partition the network inside of a VPC (Availability Zone resource)
- A public subnet is a subnet whose route table has a route to an Internet Gateway, so resources in it can be reached from the internet
- A private subnet has no route to an Internet Gateway, so it is not reachable from the internet
- To define access to the internet and between subnets, we use Route Tables
Internet Gateway & NAT Gateways #
Internet Gateways let instances in our VPC connect to the internet (and be reached from it)
- Public Subnets will have a route to the internet gateway
NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow instances in private subnets to reach the internet (outbound only) while remaining unreachable from it
VPC > Subnets
An EC2 instance launched in a public subnet gets a public IPv4 address if the subnet's auto-assign public IPv4 setting is enabled (or you request one at launch). The Internet Gateway (IGW) is attached to the VPC, not to the subnet; what makes a subnet public is a route for 0.0.0.0/0 pointing at that IGW in the subnet's route table.
VPC > Virtual Private Cloud > Subnets > subnet-ID > Route table
Creating Private Subnet #
A private subnet's route table has no route to the Internet Gateway. Outbound traffic goes via a NAT Gateway, which itself sits in a public subnet; nothing on the internet can initiate a connection in.
VPC > Virtual Private Cloud > Subnets > Create subnet
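As an added example (not from the page or the course), the following Python uses the standard `ipaddress` module to carve a VPC CIDR into subnets and to show what actually makes a subnet public, private or isolated: the longest-prefix lookup in its route table. The VPC CIDR, route tables and gateway IDs are constructed placeholders, and the reserved-address count (the first four and the last address of every subnet) is AWS's documented rule.

```python
import ipaddress

# Constructed example layout (assumption, not from the page): a 10.0.0.0/16 VPC carved
# into /24 subnets, plus three route tables. Gateway IDs are illustrative placeholders.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")]
ISOLATED_RT = [("10.0.0.0/16", "local")]


def carve_subnets(vpc_cidr, new_prefix, count):
    """Split the VPC CIDR into `count` subnets of size /new_prefix (for example one per AZ).
    AWS reserves the first four and the last address of every subnet, so the number of
    usable host addresses is returned alongside each CIDR."""
    nets = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if count > len(nets):
        raise ValueError("VPC CIDR too small for the requested number of subnets")
    return [(str(n), n.num_addresses - 5) for n in nets[:count]]


def lookup_route(route_table, dst_ip):
    """Longest-prefix match: the most specific destination wins, which is why the
    'local' VPC route always beats the 0.0.0.0/0 default route for VPC-internal traffic."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """What makes a subnet 'public' is its route table, not a flag on the subnet:
    a default route to an internet gateway -> public; to a NAT gateway -> private;
    no default route at all -> isolated (no internet path in either direction)."""
    default = lookup_route(route_table, "198.51.100.1")  # any address outside the VPC
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    for cidr, hosts in carve_subnets(VPC_CIDR, 24, 3):
        print(f"{cidr}: {hosts} usable addresses")
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, "->", classify_subnet(rt), "| 10.0.3.9 via", lookup_route(rt, "10.0.3.9"))
```

The practical check this encodes: when auditing a VPC, do not trust the subnet's name or the "public" tag; read its associated route table and look for a 0.0.0.0/0 (or ::/0) entry targeting an igw-. A subnet with a default route to a NAT gateway can reach out but cannot be reached; one with no default route at all cannot do either.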
Security Groups & Network ACL #
- Security Groups
- A firewall that controls traffic to and from an EC2 Instance
- Can only have allow rules
- Rules include IP addresses and other security groups
- NACL (Network ACL)
- A firewall that controls traffic to and from a SUBNET
- Can have allow and deny rules
- Are attached at the Subnet level
- Rules only include IP addresses
VPC > Security > Security Groups
VPC > Security > Network ACLs
| Security Group | Network ACL |
|---|---|
| Operates at the instance (ENI) level | Operates at the subnet level |
| Supports ALLOW rules only | Supports ALLOW and DENY rules |
| Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow the traffic | Rules are processed in number order, lowest first; the first matching rule decides |
| Applies to an instance only if the Security Group is specified at launch or associated with the instance later on | Automatically applies to all instances in the subnets the Network ACL is associated with |

More info: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html
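To make the stateful/stateless and ordered/unordered distinctions in the table concrete, here is an added Python model of the two evaluation algorithms (illustrative code written for this page, not AWS's implementation; the rule sets, ports and the ephemeral port 50123 are constructed). It reproduces the classic NACL failure where inbound 443 is allowed but the replies to the client's ephemeral port are dropped, and shows how rule numbering alone flips the outcome for SSH.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the instance / subnet being protected
    proto: str       # "tcp" in the samples below
    port: int        # destination port of this particular packet
    is_reply: bool   # True when this packet is the return half of an already-allowed flow


# Security group rules: unordered, allow-only, (direction, proto, port_lo, port_hi).
# Constructed example: only inbound HTTPS is opened.
SG_RULES = [("in", "tcp", 443, 443)]

# Network ACL rules: (rule number, direction, proto, port_lo, port_hi, action).
# Constructed example with a classic mistake: inbound 443 is allowed, but no outbound
# rule covers the ephemeral ports (1024-65535) that replies are sent back to.
NACL_BROKEN = [
    (100, "in", "tcp", 443, 443, "allow"),
    (100, "out", "tcp", 443, 443, "allow"),
]
NACL_FIXED = NACL_BROKEN + [(110, "out", "tcp", 1024, 65535, "allow")]

# Ordering matters on a NACL: the lowest matching rule number decides, so these two
# lists contain the same rules but give opposite answers for inbound SSH.
NACL_ALLOW_THEN_DENY = [(100, "in", "tcp", 22, 22, "allow"), (110, "in", "tcp", 22, 22, "deny")]
NACL_DENY_THEN_ALLOW = [(100, "in", "tcp", 22, 22, "deny"), (110, "in", "tcp", 22, 22, "allow")]


def sg_allows(rules, pkt):
    """Stateful: a reply to an allowed flow is accepted without any rule; otherwise
    every rule is considered and any single match allows (there are no deny rules)."""
    if pkt.is_reply:
        return True
    return any(d == pkt.direction and p == pkt.proto and lo <= pkt.port <= hi
               for d, p, lo, hi in rules)


def nacl_allows(rules, pkt):
    """Stateless: replies get no special treatment. Rules for the packet's direction are
    walked in ascending number order and the first match decides; no match hits the
    implicit '*' deny rule at the end of every NACL."""
    candidates = sorted((r for r in rules if r[1] == pkt.direction), key=lambda r: r[0])
    for _num, _dir, proto, lo, hi, action in candidates:
        if proto == pkt.proto and lo <= pkt.port <= hi:
            return action == "allow"
    return False


def https_session_works(sg_rules, nacl_rules):
    """Both halves of an inbound HTTPS connection must pass both layers:
    the request arriving on 443 and the reply leaving for the client's ephemeral port."""
    request = Packet("in", "tcp", 443, is_reply=False)
    reply = Packet("out", "tcp", 50123, is_reply=True)
    return all(sg_allows(sg_rules, p) and nacl_allows(nacl_rules, p) for p in (request, reply))


if __name__ == "__main__":
    print("broken NACL:", https_session_works(SG_RULES, NACL_BROKEN))   # False
    print("fixed NACL:", https_session_works(SG_RULES, NACL_FIXED))     # True
    ssh = Packet("in", "tcp", 22, is_reply=False)
    print("allow before deny:", nacl_allows(NACL_ALLOW_THEN_DENY, ssh))  # True
    print("deny before allow:", nacl_allows(NACL_DENY_THEN_ALLOW, ssh))  # False
```

The design point: because a NACL is stateless, every custom NACL needs outbound (and, for outbound-initiated flows, inbound) rules for the ephemeral port range, and a deny rule only bites if its number is lower than any allow that would otherwise match. Security groups cannot express a deny at all, which is why blocking a known-bad source range is a NACL job.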
VPC Flow Logs #
Capture information about IP traffic going to and from your network interfaces. Flow logs can be created at three levels:
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface (ENI) Flow Logs
Helps to monitor and troubleshoot connectivity issues:
- Subnets to internet
- Subnets to subnets
- Internet to subnets
Captures network information from AWS managed interfaces too:
- Elastic Load Balancers
- ElastiCache
- RDS
- Aurora
- etc…
VPC Flow Logs must first be created for each VPC #
VPC > Virtual Private Cloud > Your VPCs > Flow Logs > Create flow log
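Added example, not from the page or the course: a parser for default-format (version 2) flow log records, whose field order is `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`, plus two small analyses run over constructed sample lines. The account ID, ENI ID and addresses are made up (documentation IP ranges); the threshold of five distinct rejected ports is an arbitrary choice for the demo.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample records (not real logs): one source probing several ports on an
# instance and getting REJECT from the security group / NACL, one legitimate HTTPS flow,
# and one NODATA record of the kind AWS emits when an interface saw no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 54321 21 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 54322 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 54323 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 54324 25 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 54325 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 54326 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.20 40000 443 6 20 5120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Turn one default-format record into a dict; return None for NODATA / SKIPDATA
    records, which carry '-' instead of addresses and counters."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def rejected_ports_by_source(records, min_ports=5):
    """Flag sources whose traffic was REJECTed on at least `min_ports` distinct destination
    ports: a cheap port-scan indicator. Returns {srcaddr: sorted list of ports}."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_bytes_by_pair(records):
    """Sum ACCEPTed bytes per (srcaddr, dstaddr): a quick top-talkers view."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records")
    print("possible scanners:", rejected_ports_by_source(recs))
    print("accepted bytes:", accepted_bytes_by_pair(recs))
```

Two caveats when reading flow logs for security work: a REJECT only tells you a security group or NACL dropped the flow, not which one, and there is no payload, only the 5-tuple and counters. Some traffic is never logged at all, notably requests to the instance metadata service (169.254.169.254) and DNS queries to the Amazon-provided resolver, so flow logs alone will not show metadata-service abuse or DNS exfiltration.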
VPC Peering #
Connect two VPCs privately using the AWS network and make them behave as if they were in the same network.
- Must NOT have overlapping CIDR (IP address range)
- VPC Peering connection is NOT transitive (must be established for each VPC that needs to communicate with one another)
VPC > Virtual Private Cloud > Your VPCs > Peering Connections > Create peering connection
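The two peering constraints above, as an added Python example (not from the page or the course): an overlap check on VPC CIDRs with the standard `ipaddress` module, a reachability check that deliberately ignores multi-hop paths because peering is not transitive, the route each side must add for a peering to carry traffic, and the number of peerings a full mesh needs. VPC IDs, CIDRs and the pcx- ID are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (assumption: IDs and CIDRs are illustrative, not from the page).
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.0.128.0/17",   # sits inside vpc-a's range, so the two can never peer
    "vpc-d": "172.16.0.0/16",
}

# Peering connections that exist, as unordered pairs (a peering is strictly one-to-one).
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-d")]


def can_peer(cidr_a, cidr_b):
    """AWS refuses a peering whose VPC CIDRs overlap: routing could not tell the two apart."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def overlapping_pairs(vpcs):
    """Pairs in the inventory that can never be peered as they stand."""
    return [(a, b) for a, b in combinations(sorted(vpcs), 2) if not can_peer(vpcs[a], vpcs[b])]


def reachable_via_peering(peerings, src, dst):
    """Peering is not transitive: traffic from src reaches dst only over a peering between
    exactly those two VPCs. vpc-a <-> vpc-b <-> vpc-d does not let vpc-a talk to vpc-d."""
    return frozenset((src, dst)) in {frozenset(p) for p in peerings}


def peering_routes(vpcs, a, b, pcx_id):
    """A peering alone moves no packets: each side's route table needs a route for the
    other VPC's CIDR pointing at the peering connection (pcx_id is a placeholder here)."""
    return {a: (vpcs[b], pcx_id), b: (vpcs[a], pcx_id)}


def full_mesh_size(n):
    """Number of peerings needed so that n VPCs can all talk directly: n(n-1)/2.
    This is the management overhead that PrivateLink and Transit Gateway avoid."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    print("cannot peer:", overlapping_pairs(VPCS))
    print("a -> b:", reachable_via_peering(PEERINGS, "vpc-a", "vpc-b"))
    print("a -> d:", reachable_via_peering(PEERINGS, "vpc-a", "vpc-d"))
    print(peering_routes(VPCS, "vpc-a", "vpc-b", "pcx-0example"))
    print("peerings for 50 VPCs:", full_mesh_size(50))
```

Non-transitivity is a security property as much as a limitation: a partner VPC you peer with cannot use that peering to reach the other VPCs you are peered with, and the routes you add decide which CIDRs are exposed across the link at all. Scope them to the subnets that need to talk rather than the whole VPC CIDR.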
VPC Endpoints #
Endpoints allow connecting to AWS services over the AWS private network instead of the public internet, so instances in private subnets need neither an Internet Gateway nor a NAT Gateway to reach them.
This gives enhanced security and lower latency to access AWS services.
- VPC Endpoint Gateway - for Amazon S3 and DynamoDB only; a route table entry, no hourly charge
- VPC Endpoint Interface - most services (including S3 and DynamoDB); an ENI with a private IP in your subnet, powered by PrivateLink, charged per hour
PrivateLink #
Most secure and scalable way to expose a service to thousands of VPCs. Using VPC Peering (see above) is not practical at that scale because of the management overhead (one connection per VPC pair, no overlapping CIDRs).
- Does not require VPC peering, an internet gateway, NAT, or route table changes
- Requires a Network Load Balancer (NLB) in the service provider's VPC and an Elastic Network Interface (ENI) in each consumer VPC; connections are initiated from the consumer side only
Site to Site VPN & Direct Connect #
Site to Site VPN #
- Connect an on-premises network (Customer Gateway) to AWS (Virtual Private Gateway)
- The connection is encrypted (IPsec tunnels)
- Goes over the public internet (cheaper and slower than Direct Connect)
Direct Connect (DX) #
- Establish a physical connection between on-premises and AWS
- The connection is private, secure and fast
- Goes over a private network (more expensive but faster than Site to Site VPN)
- Takes at least a month to establish
AWS Client VPN #
Connect from your computer using OpenVPN to your private network in AWS and on-premises.
Allows connecting to your EC2 instances over a private IP (just as you were in the private VPC network).
Goes over the public Internet.
Transit Gateway #
Transit Gateway provides transitive connectivity between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology. #
Works with Direct Connect Gateway, VPN connections.
Summary #
- VPC: Virtual Private Cloud
- Subnets: Tied to an AZ, network partition of the VPC
- Internet Gateway: at the VPC level, provide Internet Access
- NAT Gateway / Instances: give internet access to private subnets
- Security Groups: Stateful, allow rules only, operate at the instance (ENI) level
- NACL: Stateless, subnet-level inbound and outbound rules, allow and deny, evaluated in number order
- VPC Peering: Connect two VPCs with non-overlapping IP ranges, non-transitive (must be established for each pair of VPCs that needs to communicate)
- Elastic IP: Fixed public IPv4
- VPC Endpoints: Provide private access to AWS Services within VPC
- PrivateLink: Privately connect to a service in a 3rd party VPC
- VPC Flow Logs: Network traffic logs
- Site to Site VPN: VPN over public internet between on-premises DC and AWS
- Client VPN: OpenVPN connection from your computer into your VPC
- Direct Connect: Direct private connection to AWS
- Transit Gateway: Connect thousands of VPC and on-premises networks together
» Sources « #
- Amazon VPC Documentation: https://docs.aws.amazon.com/vpc/
- Internetwork traffic privacy in VPC: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html
» Disclaimer « #
Disclaimer: Content for educational purposes only, no rights reserved.
Most of the content in this series comes from Stephane Maarek's Ultimate AWS Certified Cloud Practitioner CLF-C02 2025 course on Udemy.
I highly encourage you to take Stephane's courses as they are awesome and really help in understanding the subject.
More about Stephane Maarek:
This article is just a summary and has been published to help me learn and pass the practitioner exam.