Kalpana Kanade
Published in Petabytz
8 min read · Sep 14, 2019

AWS Virtual Private Cloud — VPC

VPC Overview & Components

  • A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from every other virtual network in the AWS cloud.
  • A VPC lets you select the IP address range, create subnets, and configure route tables, network gateways, and security settings.
  • VPC Sizing
  • A VPC needs a set of IP addresses in the form of a Classless Inter-Domain Routing (CIDR) block, e.g. 10.0.0.0/16, which provides 2¹⁶ (65,536) IP addresses
  • The allowed CIDR block size is between
  • /28 netmask (smallest, with 2⁴ = 16 IP addresses) and
  • /16 netmask (largest, with 2¹⁶ = 65,536 IP addresses)
  • The CIDR block should be taken from the private (non-publicly routable) ranges defined in RFC 1918:
  • 10.0.0.0–10.255.255.255 (10/8 prefix)
  • 172.16.0.0–172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0–192.168.255.255 (192.168/16 prefix)
  • It is possible to specify a range of publicly routable IP addresses; however, direct access to the Internet from publicly routable CIDR blocks in a VPC is not supported
  • The primary CIDR block cannot be changed once it is assigned to the VPC. A VPC can, however, be resized by associating additional (secondary) CIDR blocks with it.
  • Each VPC is separate from any other VPC created with the same CIDR block, even if it resides in the same AWS account
  • A VPC can be connected to other VPCs in the same or a different AWS account through VPC peering
  • A connection between your VPC and a corporate or home network can be established, but the CIDR blocks must not overlap. For example, a VPC with CIDR 10.0.0.0/16 can communicate with a 10.1.0.0/16 corporate network, but traffic to a 10.0.37.0/24 corporate network would never leave the VPC, because that range lies inside the VPC's own CIDR and the local route takes precedence.
  • A VPC lets you set the tenancy option for the instances launched in it. By default the tenancy is shared; if the dedicated option is selected, every instance in the VPC is launched on dedicated hardware, overriding the individual instance tenancy setting
  • A VPC can be deleted only after terminating all instances in it and deleting all the components within it, e.g. subnets, security groups, network ACLs, route tables, Internet gateways, VPC peering connections, and DHCP option sets.
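As an added example (not code from the original post), the following Python script checks a proposed VPC CIDR against the sizing rules above and tests whether a corporate or peer range overlaps the VPC, which is the condition that breaks peering and VPN connectivity. The function names and the sample ranges are my own; it only uses the standard library `ipaddress` module and runs offline.

```python
import ipaddress

# RFC 1918 ranges, which is where the list above says a VPC CIDR should come from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_vpc_cidr(cidr):
    """Return a list of problems with a proposed IPv4 VPC CIDR (empty list = acceptable).

    strict=True rejects blocks with host bits set, such as 10.0.37.0/16, which
    is not a network at all (it is 10.0.0.0/16 written badly).
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return ["not a valid network: %s" % exc]
    if net.version != 4:
        return ["expected an IPv4 block"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append("/%d is outside the allowed /16 (largest) to /28 (smallest) range" % net.prefixlen)
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("not inside an RFC 1918 range; a publicly routable block gets no direct Internet access")
    return problems


def overlaps(cidr_a, cidr_b):
    """True if two CIDR blocks share any address; such pairs cannot be peered or joined by VPN."""
    return ipaddress.ip_network(cidr_a, strict=False).overlaps(ipaddress.ip_network(cidr_b, strict=False))


def check_remote_networks(vpc_cidr, remote_cidrs):
    """Map each corporate/peer range to whether traffic to it would actually work from this VPC."""
    return {remote: not overlaps(vpc_cidr, remote) for remote in remote_cidrs}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_vpc_cidr("10.0.0.0/16"))        # []
    print(validate_vpc_cidr("10.0.37.0/16"))       # rejected: host bits set
    print(validate_vpc_cidr("198.51.100.0/24"))    # rejected: not RFC 1918
    print(check_remote_networks("10.0.0.0/16", ["10.1.0.0/16", "10.0.37.0/24"]))
```

The overlap check is the one to run before requesting a peering connection or a Site-to-Site VPN: AWS refuses peering between overlapping VPCs, and for a VPN the local route silently wins for any overlapping prefix.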

IP Addresses

Instances launched in a VPC can have private, public and Elastic IP addresses assigned to them; these addresses are properties of the ENI (network interface), not of the instance itself

  • Private IP Addresses
  • Private IP addresses are not reachable over the Internet; they are used for communication between instances within the VPC (and over private connections such as peering or VPN)
  • Every instance is assigned a private IP address from the IP address range of its subnet on the default network interface
  • The primary private IP address stays associated with the network interface for its lifetime, even when the instance is stopped and restarted, and is released only when the instance is terminated
  • Additional private IP addresses, known as secondary private IP addresses, can be assigned to an instance and can be reassigned from one network interface to another
  • Public IP address
  • Public IP addresses are reachable over the Internet and are used for communication between instances and the Internet, or with other AWS services that have public endpoints
  • Whether an instance receives a public IP address depends on whether public IP addressing is enabled for the subnet
  • A public IP address can also be assigned by enabling public IP addressing during instance launch, which overrides the subnet's public IP addressing attribute
  • A public IP address is assigned from the AWS pool of IP addresses and is not associated with the AWS account; it is therefore released when the instance is stopped and restarted or terminated (a reboot keeps it)
  • Elastic IP address
  • Elastic IP addresses are static, persistent public IP addresses which can be associated with and disassociated from an instance as required
  • An Elastic IP address is allocated to the account in a region and remains owned by the account until it is released
  • A network interface can have either a public IP or an Elastic IP. If an Elastic IP is associated with an instance that already has a public IP, the public IP is released
  • Elastic IP addresses can be moved from one instance to another within the same region, in the same or a different VPC of the same account
  • Elastic IPs are charged for non-usage, i.e. when not associated, or associated with a stopped instance or an unattached network interface (since February 2024 AWS also charges for public IPv4 addresses that are in use)

Elastic Network Interface (ENI)

  • Each instance has a default elastic network interface (the primary network interface, eth0) which cannot be detached from the instance
  • An ENI can have the following attributes:
  • A primary private IP address
  • One or more secondary private IP addresses
  • One Elastic IP address per private IP address
  • One public IP address, which can be auto-assigned to the network interface for eth0 when you launch an instance, but only when you create a new network interface for eth0 instead of using an existing ENI
  • One or more security groups
  • A MAC address
  • A source/destination check flag (must be disabled on an instance that forwards traffic it did not originate, e.g. a NAT instance or a routing appliance)
  • A description
  • An ENI's attributes follow it when it is detached from one instance and attached to another. When an ENI is moved to another instance, network traffic is redirected to the new instance.
  • Multiple ENIs can be attached to an instance, which is useful for the following use cases:
  • Creating a management network
  • Using network and security appliances in your VPC
  • Creating dual-homed instances with workloads/roles on distinct subnets
  • Creating a low-budget, high-availability solution

Route Tables

  • A route table defines rules, termed routes, which determine where network traffic from a subnet is directed
  • Each VPC has an implicit router that routes network traffic
  • Each VPC has a main route table and can have multiple custom route tables
  • Each subnet in a VPC must be associated with exactly one route table at a time, while a route table can have multiple subnets associated with it
  • A subnet that is not explicitly associated with a route table is implicitly associated with the main route table
  • Every route table contains a local route that enables communication within the VPC; it cannot be modified or deleted
  • Route priority is decided by longest-prefix match: the most specific route whose destination contains the traffic's destination address wins
  • Route tables need to be updated to define routes for Internet gateways, virtual private gateways, VPC peering connections, VPC endpoints, NAT devices, etc.

Internet Gateways — IGW

  • An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the Internet.
  • An IGW imposes no availability risks or bandwidth constraints on network traffic.
  • An Internet gateway serves two purposes:
  • To provide a target in the VPC route tables for Internet-routable traffic, and
  • To perform one-to-one network address translation (NAT) for instances that have been assigned public IPv4 addresses (the instance only ever sees its private address; the IGW maps it to the public one).
  • Enabling Internet access for an instance requires
  • Attaching an Internet gateway to the VPC
  • A route in the subnet's route table sending Internet-bound traffic (e.g. 0.0.0.0/0) to the Internet gateway
  • A public IP or Elastic IP address assigned to the instance
  • Security groups and network ACLs associated with the instance allowing the relevant traffic
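The two preceding sections describe how the VPC router picks a route and what an instance needs before it can reach the Internet. The Python below is an added example (not from the original post) that puts both into code: a longest-prefix-match lookup over a route table, and a checklist that reports which of the four requirements is missing. The route tables, gateway identifiers and the helper names are constructed for illustration and are not from any real account.

```python
import ipaddress

# Constructed sample route tables. Targets are made-up identifiers in the style
# AWS uses (igw-, nat-, pcx-, vgw-, eigw-).
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),       # implicit VPC-wide route; cannot be edited
    ("10.1.0.0/16", "pcx-peer"),    # peered VPC
    ("10.1.5.0/24", "vgw-corp"),    # more specific than the peering route, so it wins for 10.1.5.x
    ("0.0.0.0/0", "igw-main"),      # IPv4 default route via the Internet gateway
    ("::/0", "igw-main"),           # IPv6 default route
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-peer"),
    ("0.0.0.0/0", "nat-egress"),    # IPv4 egress through a NAT gateway
    ("::/0", "eigw-v6"),            # IPv6 egress-only Internet gateway
]
ISOLATED_RT = [("10.0.0.0/16", "local")]

ANY_PUBLIC_IPV4 = "198.51.100.7"   # documentation address standing in for "the Internet"


def lookup(route_table, destination):
    """Longest-prefix match: among routes containing the destination, the most specific wins."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target
    return best_target


def egress_check(igw_attached, route_table, public_ip, sg_allows, nacl_allows):
    """Apply the four requirements listed above to one instance.

    Returns (reachable, reasons). A NAT route counts as an Internet path even
    without a public IP, because the NAT device supplies the public address.
    """
    reasons = []
    target = lookup(route_table, ANY_PUBLIC_IPV4)
    if target is None:
        reasons.append("subnet route table has no route for Internet-bound traffic")
    elif target.startswith("igw-"):
        if not igw_attached:
            reasons.append("route points at an Internet gateway that is not attached to the VPC")
        if public_ip is None:
            reasons.append("route goes to the IGW but the instance has no public or Elastic IP")
    elif not target.startswith("nat-"):
        reasons.append("Internet-bound traffic is routed to %s, which is not an Internet path" % target)
    if not sg_allows:
        reasons.append("security group does not allow the traffic")
    if not nacl_allows:
        reasons.append("network ACL does not allow the traffic")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(lookup(PUBLIC_RT, "10.1.5.9"), lookup(PUBLIC_RT, "10.1.9.9"))   # vgw-corp pcx-peer
    print(egress_check(True, PUBLIC_RT, None, True, True))
    print(egress_check(True, PRIVATE_RT, None, True, True))
```

The common troubleshooting mistake the checklist catches is the second case: a subnet whose route table points at the IGW (so it is "public") but an instance launched without a public address, which gets no Internet access even though every rule allows it.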

NAT

  • A NAT device (NAT gateway or NAT instance) enables instances in a private subnet to connect to the Internet or other AWS services, but prevents the Internet from initiating connections to those instances.
  • NAT devices do not support IPv6 traffic; use an egress-only Internet gateway instead.

Egress-only Internet gateway

  • An egress-only Internet gateway works like a NAT gateway, but for IPv6 traffic
  • Egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in the VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with the instances.
  • An egress-only Internet gateway is for use with IPv6 traffic only. To enable outbound-only Internet communication over IPv4, use a NAT gateway instead.

VPC & Subnet Sizing

  • A VPC supports IPv4 and IPv6 addressing, with different CIDR block size limits for each
  • An IPv6 CIDR block can optionally be associated with the VPC
  • The VPC's IPv4 CIDR block cannot be modified once created, i.e. you cannot increase or decrease the size of an existing CIDR block.
  • However, secondary CIDR blocks can be associated with the VPC to extend it
  • Limitations
  • The allowed block size is between a /28 netmask and a /16 netmask.
  • The CIDR block must not overlap with any existing CIDR block associated with the VPC.
  • The CIDR block must not be the same as or larger than the destination of any route in any of the VPC's route tables. For example, if a route table already has a route for 10.0.0.0/24 (say to a virtual private gateway), you can only associate smaller blocks such as 10.0.0.0/25, not 10.0.0.0/24 or 10.0.0.0/16.
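The third limitation is the one people trip over, because it depends on route tables rather than on the VPC's own addressing. As an added example (not from the original post), this Python function applies all three rules to a proposed secondary CIDR; the scenario and the function name are constructed. It models only the rules listed above: the real service applies some extra per-range restrictions (for instance around 10.0.0.0/15 and 100.64.0.0/10) that are not reproduced here.

```python
import ipaddress


def secondary_cidr_problems(vpc_cidrs, route_destinations, candidate):
    """Check a proposed secondary IPv4 CIDR against the three rules listed above.

    vpc_cidrs:          blocks already associated with the VPC (primary + secondaries)
    route_destinations: destination CIDRs of every route in every route table of the VPC
    Returns a list of rule violations; an empty list means the association is acceptable.
    """
    cand = ipaddress.ip_network(candidate)
    problems = []
    if not 16 <= cand.prefixlen <= 28:
        problems.append("/%d is outside the allowed /16 to /28 range" % cand.prefixlen)
    for existing in vpc_cidrs:
        if cand.overlaps(ipaddress.ip_network(existing)):
            problems.append("overlaps CIDR %s already associated with the VPC" % existing)
    for dest in route_destinations:
        route_net = ipaddress.ip_network(dest)
        # "same as or larger than a route's range" means the candidate contains that route's
        # destination: the new local route would then equal or shadow the existing route.
        if route_net.version == cand.version and route_net.subnet_of(cand):
            problems.append(
                "is the same as or larger than existing route destination %s; "
                "only blocks smaller than it (e.g. a /%d) can be associated"
                % (dest, route_net.prefixlen + 1))
    return problems


if __name__ == "__main__":
    # Constructed scenario: the VPC is 10.2.0.0/16 and one route table already sends
    # 10.0.0.0/24 to a virtual private gateway, plus the usual local and default routes.
    vpc = ["10.2.0.0/16"]
    routes = ["10.2.0.0/16", "10.0.0.0/24", "0.0.0.0/0"]
    for candidate in ("10.0.0.0/16", "10.0.0.0/24", "10.0.0.0/25", "10.2.1.0/24"):
        print(candidate, secondary_cidr_problems(vpc, routes, candidate) or "OK")
```

The default route 0.0.0.0/0 never triggers the third rule, since no candidate other than 0.0.0.0/0 itself contains it; the local route only triggers it together with the overlap rule.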

Security within a VPC is provided through

  • Security groups — Act as a stateful firewall for associated EC2 instances (strictly, for their network interfaces), controlling both inbound and outbound traffic at the instance level; return traffic for an allowed connection is permitted automatically.
  • Network access control lists (ACLs) — Act as a stateless firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level; rules are evaluated in ascending rule-number order and return traffic must be allowed explicitly.
  • Flow logs — Capture information about the IP traffic going to and from network interfaces in your VPC.
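The stateful/stateless difference is where most NACL misconfigurations come from: a NACL that allows inbound 443 but forgets outbound ephemeral ports drops every reply, while a security group with no outbound rules at all still lets replies through. The Python below is an added simulation (not from the original post) of one HTTPS request and its reply passing through both filters; the rule sets, the client address and the class and function names are constructed for illustration.

```python
import ipaddress

# Constructed rule sets (not from any real account).
# NACL rule: (rule_number, action, protocol, (port_low, port_high), cidr). Rules are evaluated in
# ascending rule-number order; the first match decides, and anything unmatched hits the "*" deny.
NACL_IN = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
]
NACL_OUT_BROKEN = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),      # only lets the instance *open* HTTPS connections
]
NACL_OUT_FIXED = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),   # replies to clients' ephemeral ports
]
# Security-group rule: (protocol, (port_low, port_high), cidr); only "allow" rules exist.
SG_IN = [("tcp", (443, 443), "0.0.0.0/0")]
SG_OUT_EMPTY = []                                        # no outbound rules at all


def _matches(proto, port, remote_ip, rule_proto, port_range, cidr):
    lo, hi = port_range
    return (rule_proto in ("all", proto) and lo <= port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


def nacl_allows(rules, proto, port, remote_ip):
    """Stateless: every packet is judged on its own; the lowest-numbered matching rule wins."""
    for number, action, rule_proto, port_range, cidr in sorted(rules):
        if _matches(proto, port, remote_ip, rule_proto, port_range, cidr):
            return action == "allow"
    return False  # implicit deny


class SecurityGroup:
    """Stateful: a packet belonging to an already-allowed flow passes without needing a rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()   # connection tracking: (proto, remote_ip, remote_port, local_port)

    def allows(self, direction, proto, local_port, remote_ip, remote_port):
        flow = (proto, remote_ip, remote_port, local_port)
        if flow in self.flows:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        # inbound rules match the local (instance) port; outbound rules match the remote port
        port = local_port if direction == "in" else remote_port
        if any(_matches(proto, port, remote_ip, *rule) for rule in rules):
            self.flows.add(flow)
            return True
        return False


def https_session(nacl_in, nacl_out, sg):
    """Client 203.0.113.10:51234 -> instance:443, then the reply. Returns where it stops, or 'ok'."""
    client, eph = "203.0.113.10", 51234
    # request packet: destination port is the instance's 443
    if not nacl_allows(nacl_in, "tcp", 443, client):
        return "request dropped by NACL inbound"
    if not sg.allows("in", "tcp", 443, client, eph):
        return "request dropped by security group inbound"
    # reply packet: destination port is the client's ephemeral port
    if not nacl_allows(nacl_out, "tcp", eph, client):
        return "reply dropped by NACL outbound (stateless: ephemeral ports not allowed)"
    if not sg.allows("out", "tcp", 443, client, eph):
        return "reply dropped by security group outbound"
    return "ok"


if __name__ == "__main__":
    print(https_session(NACL_IN, NACL_OUT_BROKEN, SecurityGroup(SG_IN, SG_OUT_EMPTY)))
    print(https_session(NACL_IN, NACL_OUT_FIXED, SecurityGroup(SG_IN, SG_OUT_EMPTY)))
```

The fixed NACL allows 1024-65535 outbound because different client operating systems pick ephemeral ports from different ranges; a VPC flow log showing REJECT entries for high destination ports from your own instances is the usual symptom of the broken version.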

Subnets

  • A subnet spans a single Availability Zone (AZs are distinct locations engineered to be isolated from failures in other AZs) and cannot span across AZs
  • A subnet can be configured with an Internet gateway to enable communication over the Internet, or with a virtual private gateway (VPN) connection to enable communication with your corporate network
  • A subnet is either public or private depending on whether it has Internet connectivity, i.e. whether its route table sends traffic to the Internet through an IGW
  • Instances in a public subnet must have a public IP or Elastic IP address assigned to be able to communicate with the Internet
  • A subnet that is not connected to the Internet but has traffic routed through a virtual private gateway only is termed a VPN-only subnet
  • A subnet can be configured to assign a public IP address to all instances launched in it by default, which can be overridden when the instance is created
  • Subnet Sizing
  • The CIDR block assigned to a subnet can be the same as the VPC CIDR, in which case you can launch only one subnet in your VPC
  • The CIDR block assigned to a subnet can be a subset of the VPC CIDR, which allows you to launch multiple subnets in the VPC
  • The CIDR blocks assigned to subnets must not overlap
  • The allowed CIDR block size is between
  • /28 netmask (smallest, with 2⁴ = 16 IP addresses, of which 11 are usable) and
  • /16 netmask (largest, with 2¹⁶ = 65,536 IP addresses)
  • AWS reserves 5 IP addresses (the first 4 and the last 1) in each subnet; they are not available for use and cannot be assigned to an instance. For example, for a subnet with the CIDR block 10.0.0.0/24 the following five IPs are reserved:
  • 10.0.0.0: Network address
  • 10.0.0.1: Reserved by AWS for the VPC router
  • 10.0.0.2: Reserved by AWS for mapping to the Amazon-provided DNS
  • 10.0.0.3: Reserved by AWS for future use
  • 10.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC, so the address is reserved.
  • Subnet Routing
  • Each subnet is associated with a route table which controls its traffic.
  • Subnet Security: subnet security can be configured using security groups and network ACLs
  • Security groups work at the instance level and are stateful; NACLs work at the subnet level and are stateless
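Capacity planning for subnets is easy to get wrong because of the five reserved addresses and the requirement that sibling subnets not overlap. As an added example (not from the original post), the Python below lists the reserved addresses of any subnet, computes the usable count, validates a proposed subnet against its VPC and existing subnets, and carves one equal-sized subnet per Availability Zone. The function names and the AZ names are my own choices for illustration.

```python
import ipaddress


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps back in every subnet (first four and the last one)."""
    net = ipaddress.ip_network(subnet_cidr)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),
    }


def usable_addresses(subnet_cidr):
    """Addresses an instance can actually get: the block size minus the five reserved."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def subnet_problems(vpc_cidr, subnet_cidr, existing_subnets=()):
    """Validate a proposed subnet against the VPC block, the size limits and sibling subnets."""
    vpc = ipaddress.ip_network(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr)
    problems = []
    if not sub.subnet_of(vpc):
        problems.append("%s is not within the VPC CIDR %s" % (subnet_cidr, vpc_cidr))
    if not 16 <= sub.prefixlen <= 28:
        problems.append("/%d is outside the allowed /16 to /28 range" % sub.prefixlen)
    for other in existing_subnets:
        if sub.overlaps(ipaddress.ip_network(other)):
            problems.append("overlaps existing subnet %s" % other)
    return problems


def plan_subnets(vpc_cidr, new_prefix, availability_zones):
    """Carve one equal-sized, non-overlapping subnet per AZ out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=new_prefix)   # generator of non-overlapping blocks
    plan = {}
    for az in availability_zones:
        sub = next(candidates, None)
        if sub is None:
            raise ValueError("VPC %s cannot hold %d subnets of /%d"
                             % (vpc_cidr, len(availability_zones), new_prefix))
        plan[az] = str(sub)
    return plan


if __name__ == "__main__":
    # Constructed sample inputs.
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_addresses("10.0.0.0/28"))              # 11
    print(subnet_problems("10.0.0.0/16", "10.0.0.128/25", ["10.0.0.0/24"]))
    print(plan_subnets("10.0.0.0/16", 24, ["us-east-1a", "us-east-1b", "us-east-1c"]))
```

Note that a /28 leaves only 11 usable addresses; services that create their own ENIs (load balancers, Lambda in a VPC, managed databases) exhaust such a subnet quickly, so the smallest allowed size is rarely the right choice.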

Shared VPCs

  • VPC sharing allows multiple AWS accounts to create their application resources, such as EC2 instances, RDS databases, Redshift clusters, and AWS Lambda functions, in shared, centrally managed VPCs.
  • In this model, the account that owns the VPC (the owner) shares one or more subnets with other accounts (participants) that belong to the same organization in AWS Organizations.
  • After a subnet is shared, participants can view, create, modify, and delete their own application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or to the VPC owner.