Virtual Private Cloud (VPC)

Vu
AWS Training Certification
3 min read · Jun 19, 2020

VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Virtual Private Cloud

What can we do with a VPC?

  • Launch instances into a subnet of your choosing.
  • Assign custom IP address ranges to each subnet.
  • Configure route tables between subnets.
  • Create an Internet Gateway and attach it to your VPC.
  • Secure the network with Security Groups and Network Access Control Lists.

Default VPC vs Custom VPC

1. Default VPC

  • A virtual network that is automatically created for a customer's AWS account the first time EC2 resources are provisioned.
  • Has access to the internet by default.
  • Limit: 1 default VPC per region.

2. Custom VPC

  • Not automatically created.
  • Has no Internet Gateway, so it cannot connect to the internet by default.
  • Limit: 5 VPCs per region.

VPC peering

VPC peering

  • Allows you to connect one VPC with another via a direct network route using private IP addresses.
  • You can peer with a VPC in another AWS account as well as one in the same account.
  • No transitive peering: a peering connection only routes traffic between the two VPCs it joins.

Endpoint

VPC endpoint

  • A VPC endpoint enables you to privately connect your VPC to supported AWS services powered by PrivateLink without requiring an Internet Gateway, NAT device, VPN connection or Direct Connect.
  • Traffic between the VPC and the service does not leave the AWS network.
  • 2 types: interface endpoint & gateway endpoint.

1. Interface endpoint

  • Costs money.
  • Supports many AWS services.
  • Uses an ENI (Elastic Network Interface) with a private IP address in your subnet.

2. Gateway endpoint

  • Free.
  • Only supports DynamoDB & S3.
  • A target for a specific route in the route table.

Security

1. Security Group

  • STATEFUL
  • Controls traffic in and out of an EC2 instance.
  • All inbound traffic is blocked and all outbound traffic is allowed by default.
  • An EC2 instance can belong to multiple security groups, and a security group can contain multiple EC2 instances.
  • Only allow rules (no deny rules).

2. NACL (Network Access Control List)

  • STATELESS
  • Controls traffic in and out of subnets.
  • A newly created NACL denies all traffic by default.
  • Contains both allow and deny rules.
  • Each subnet is associated with exactly one NACL.
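The stateful/stateless distinction above, as an added Python model that is not from the original post and not AWS code: a Security Group evaluates only allow rules but admits reply traffic of a tracked flow, while a NACL evaluates numbered allow/deny rules in order, first match wins, and falls through to the implicit deny. The client address, ports and rule numbers are constructed for the example.

```python
"""Model of Security Group (stateful, allow-only) vs NACL (stateless, numbered
allow/deny) evaluation. Constructed illustration, not AWS's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number (evaluation order); unused for Security Groups
    action: str    # "allow" or "deny" (Security Groups only ever contain "allow")
    cidr: str      # remote CIDR the rule matches
    ports: tuple   # inclusive (low, high) port range checked for this direction

def matches(rule, ip, port):
    return ip_address(ip) in ip_network(rule.cidr) and rule.ports[0] <= port <= rule.ports[1]

def sg_allows(rules, remote_ip, port, tracked_flows):
    """Stateful: a reply belonging to a flow already admitted in the other
    direction is accepted regardless of rules; otherwise an allow rule must match."""
    if (remote_ip, port) in tracked_flows:
        return True
    return any(matches(r, remote_ip, port) for r in rules)

def nacl_allows(rules, remote_ip, port):
    """Stateless: rules are checked in ascending number, the first match decides,
    and a packet matching nothing hits the implicit '*' deny rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, remote_ip, port):
            return r.action == "allow"
    return False

def https_session(nacl_outbound):
    """Constructed client 203.0.113.10 connects to the instance on TCP/443 from
    ephemeral port 50000. Returns whether each control admits the reply packet."""
    client, ephemeral = "203.0.113.10", 50000
    sg_inbound = [Rule(0, "allow", "0.0.0.0/0", (443, 443))]
    nacl_inbound = [Rule(100, "allow", "0.0.0.0/0", (443, 443))]
    tracked = set()
    # Inbound SYN crosses the subnet boundary (NACL) and then reaches the instance (SG).
    if not (nacl_allows(nacl_inbound, client, 443) and sg_allows(sg_inbound, client, 443, tracked)):
        return {"sg_reply": False, "nacl_reply": False}
    tracked.add((client, ephemeral))   # the Security Group remembers the flow
    sg_outbound = []                   # default allow-all outbound rule removed on purpose
    return {"sg_reply": sg_allows(sg_outbound, client, ephemeral, tracked),
            "nacl_reply": nacl_allows(nacl_outbound, client, ephemeral)}

# Outbound NACL that only allows port 443: the reply to port 50000 is silently dropped.
NACL_MISSING_EPHEMERAL = [Rule(100, "allow", "0.0.0.0/0", (443, 443))]
# Corrected NACL adds an explicit rule for the ephemeral return-port range.
NACL_WITH_EPHEMERAL = NACL_MISSING_EPHEMERAL + [Rule(110, "allow", "0.0.0.0/0", (1024, 65535))]
```

This is the classic NACL failure mode: inbound looks fine, but without an outbound ephemeral-port rule the stateless subnet filter drops every response.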

Flow Log

A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs.

Not all IP traffic is monitored; the following is excluded:

  • Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
  • Traffic generated by a Windows instance for Amazon Windows license activation.
  • Traffic to and from 169.254.169.254 for instance metadata.
  • DHCP traffic.
  • Traffic to the reserved IP address for the default VPC router.

Bastion Host

A Bastion is used to securely administer EC2 instances (using SSH or RDP). Bastions are called Jump Boxes in Australia.
