VPC Intro

Introduction to Virtual Private Cloud (VPC)

In this lecture we will see how cloud infrastructure can be grouped logically into smaller virtual data centers called Virtual Private Clouds. Amazon VPC is the networking layer for Amazon EC2.

Regions, Zones and Edge Locations

Region: A region is a geographic area in the world where AWS operates cloud services (for example, Amazon Elastic Compute Cloud, also known as Amazon EC2). AWS Regions are designed to be completely independent from other regions. This approach provides fault isolation, fault tolerance, and stability. Most AWS Cloud services operate within a region. Since these regions are separated, you only see the resources tied to the region that you have specified. This design also means that customer content that you put into a region stays in that region unless you take an explicit action to move it.

Availability Zones: Each region is composed of two or more Availability Zones. Each Availability Zone contains one or more data centers. The zones are engineered such that they have different risk profiles. That is, AWS considers factors like power distribution, floodplains, and tectonics when placing Availability Zones within a region. The zones are connected to one another by low-latency, high-bandwidth fiber optics. Availability Zones are typically less than 2 milliseconds apart.

Edge Locations: To deliver content to end users with low latency, AWS provides a global network of edge locations. This content distribution network is called Amazon CloudFront. As end users make requests, the AWS Domain Name System (DNS), Amazon Route 53, routes requests to the Amazon CloudFront edge location that can best serve the user’s request, typically the nearest edge location in terms of latency.

[Figure: AWS Regions, Zones and Locations]

Introduction to VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically-isolated section of the AWS Region. You can launch AWS resources like Amazon EC2 instances in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your Amazon VPC for secure and easy access to resources and applications.

VPC Subnets

The figure below illustrates some of the relationships between subnets in a VPC. To simplify the initial user experience with Amazon VPC, AWS accounts have a default VPC created in each region with a default subnet created in each Availability Zone. By default, a default subnet is a public subnet, because the main route table sends the subnet’s traffic that is destined for the internet to the internet gateway. Instances that you launch into a default subnet receive both a public IPv4 address and a private IPv4 address, and both public and private DNS hostnames. The figure illustrates a VPC with an address space of 10.0.0.0/16, two subnets with different address ranges (10.0.0.0/24 and 10.0.1.0/24) placed in different Availability Zones, and a route table with the local route specified.

[Figure: VPC example]

A subnet is a segment of a VPC that resides entirely within a single Availability Zone. While a VPC spans all Availability Zones in a region, a subnet cannot span more than one Availability Zone. You may create zero, one, or more subnets in each Availability Zone. When creating a subnet, you specify the target Availability Zone and allocate a contiguous block of IPv4 addresses from the VPC CIDR block.

The maximum size of a subnet is determined by the size of the VPC IPv4 CIDR range. The smallest subnet that you can create is a /28 (16 IPv4 addresses). For example, if you created a VPC with IPv4 CIDR 10.0.0.0/16, you could create multiple subnets of /28. You could also create a single subnet in a single Availability Zone of size /16. AWS reserves the first four IPv4 addresses and the last IPv4 address of every subnet for internal networking purposes. For example, a subnet defined as a /28 has 16 available IPv4 addresses; subtract the 5 IPs needed by AWS to yield 11 IPv4 addresses for your use within the subnet.
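The subnet arithmetic above, as an added example that is not part of the original lecture: it validates a subnet against the VPC CIDR and the /28 minimum, lists the five addresses AWS reserves, and flags overlapping subnets, which AWS rejects. The sample CIDRs are constructed around the 10.0.0.0/16 VPC from the figure.

```python
import ipaddress

MIN_PREFIX = 28   # a /28 (16 addresses) is the smallest subnet AWS allows
AWS_RESERVED = 5  # first four addresses and the last address of every subnet


def subnet_plan(vpc_cidr: str, subnet_cidr: str) -> dict:
    """Validate an IPv4 subnet against its VPC CIDR and report what AWS leaves usable."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if vpc.version != 4 or subnet.version != 4:
        raise ValueError("this helper models IPv4 subnets only")
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} is not inside VPC CIDR {vpc}")
    if subnet.prefixlen > MIN_PREFIX:
        raise ValueError(f"{subnet} is smaller than the /{MIN_PREFIX} minimum")
    addrs = list(subnet)  # every address in the block, network and broadcast included
    reserved = addrs[:4] + addrs[-1:]  # network, VPC router, DNS, future use, broadcast
    return {
        "size": subnet.num_addresses,
        "usable": subnet.num_addresses - AWS_RESERVED,
        "reserved": [str(a) for a in reserved],
        "first_usable": str(addrs[4]),
        "last_usable": str(addrs[-2]),
    }


def overlapping(subnet_cidrs):
    """Return pairs of subnets whose ranges overlap; such a layout cannot be created in a VPC."""
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed layout: the 10.0.0.0/16 VPC from the figure, its two /24 subnets and a /28
    for cidr in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/28"):
        print(cidr, subnet_plan("10.0.0.0/16", cidr))
    print(overlapping(["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25"]))
```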

Subnets can be classified as public, private, or VPN-only as shown below.

Public subnet
  IPv4: Associated route table (discussed later in this chapter) contains a route entry targeting an Internet gateway.
  IPv6: Associated route table contains a route entry targeting an Internet gateway.

Private subnet
  IPv4: Associated route table does not contain a route to an Internet gateway. May contain a route to a NAT instance or a NAT gateway (discussed later in this chapter).
  IPv6: Associated route table does not contain a route to an Internet gateway. May contain a route to an Egress-Only Internet gateway (discussed later in this chapter).

VPN-only subnet
  IPv4: Associated route tables direct traffic to the VPC’s VGW (discussed later in this chapter) or an Amazon EC2 instance running a software VPN.
  IPv6: Associated route tables direct traffic to an Amazon EC2 instance running a software VPN.

VPC Route Tables

A route table contains a set of rules, called routes, that are used to determine where network traffic from your VPC is directed. You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.

Each route table has one or more local route entries associated with the IPv4 and IPv6 CIDR blocks configured for your VPC. Every route table has an entry for the defined CIDR ranges with a target of “Local,” and these entries cannot be removed. You cannot add a more specific route to your route table than the local route. The local route table entries ensure that all resources in your VPC have a route to one another.

Route priority, highest first:
1. Local route, even if a more specific route exists for the CIDR
2. Most specific route (longest-prefix match)
3. Static routes are preferred over dynamic routes for equivalent prefixes
4. Dynamic routes propagated from AWS Direct Connect
5. Static routes configured on a VGW VPN connection
6. Dynamic routes propagated from a VPN
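The route priority order and the public/private/VPN-only subnet classification, as one added example that is not from the lecture: a small resolver applies the order above to a constructed route table, and a classifier reads the subnet type off the route targets. The origin labels (static, direct-connect, vpn-static, vpn-propagated), the placeholder gateway ids, and classifying by id prefix are assumptions of this example, not AWS API behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order for equally specific non-local routes, encoding priorities 3-6 above (lower wins).
ORIGIN_RANK = {"static": 0, "direct-connect": 1, "vpn-static": 2, "vpn-propagated": 3}


@dataclass(frozen=True)
class Route:
    destination: str        # CIDR block
    target: str             # "local" or a gateway/interface id
    origin: str = "static"  # key of ORIGIN_RANK


def resolve(routes, dest_ip):
    """Pick the route the VPC router would use for dest_ip, or None when nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.destination)]
    if not matches:
        return None
    local = [r for r in matches if r.target == "local"]
    if local:  # priority 1: the local route wins even over a more specific route
        return local[0]
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.destination).prefixlen,  # priority 2
                                       ORIGIN_RANK[r.origin]))                          # priorities 3-6


def subnet_kind(routes):
    """Classify a subnet from its route table using the public/private/VPN-only definitions above."""
    kinds = {r.target.split("-")[0] for r in routes}  # assumes ids like igw-..., vgw-..., nat-...
    if "igw" in kinds:
        return "public"
    if "vgw" in kinds:
        return "vpn"
    return "private"  # may still reach the internet through a NAT target


# Constructed route table; gateway ids are placeholders, not real AWS ids.
EXAMPLE_ROUTES = [
    Route("10.0.0.0/16", "local"),
    Route("10.0.0.0/24", "eni-PLACEHOLDER"),                      # more specific, still loses to local
    Route("0.0.0.0/0", "igw-PLACEHOLDER"),                        # makes the subnet public
    Route("172.16.0.0/16", "vgw-PLACEHOLDER", "vpn-propagated"),
    Route("172.16.0.0/16", "vgw-PLACEHOLDER", "direct-connect"),  # same prefix: Direct Connect beats VPN
    Route("172.16.1.0/24", "pcx-PLACEHOLDER"),                    # longer prefix wins inside 172.16/16
]
```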

[Figure: Public, Private and VPN VPC subnets]

Security Groups

A security group is a stateful virtual firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances are launched with a security group. If a security group is not specified at launch, then the instance will be launched with the default security group for the VPC in which it is launched. An unmodified, default security group allows communication between all resources within the security group, and it allows all outbound traffic; all other traffic is denied implicitly. You may change the rules for the default security group, but you may not delete the default security group.

Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

[Figure: Default SG rules]

[Figure: Example SG rules, suitable for HTTP(S) and SQL database apps]

Network ACL

A network ACL is another layer of security that acts as a stateless firewall at the subnet level. A network ACL is an ordered list of rules that AWS evaluates, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Each network ACL has a final deny-all rule that you cannot change.

VPCs are created with a modifiable default network ACL associated with every subnet. The default network ACL allows all inbound and outbound traffic for IPv4. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise. You may set up network ACLs with rules similar to your security groups in order to add another layer of security to your VPC, or you may choose to use the default network ACL that does not filter traffic traversing the subnet boundary. Every subnet must be associated with a network ACL. If you associate an IPv6 CIDR block with your VPC, Amazon automatically adds rules that allow all inbound and outbound IPv6 traffic.

[Figure: Comparison between NACL and SG]

[Figure: Default NACL rules]

The following table shows an example of a custom network ACL for a VPC that supports IPv4 only. It includes rules that allow HTTP and HTTPS traffic in (inbound rules 100 and 110). There’s a corresponding outbound rule that enables responses to that inbound traffic (outbound rule 120, which covers ephemeral ports 32768-65535).

The network ACL also includes inbound rules that allow SSH and RDP traffic into the subnet. The outbound rule 120 enables responses to leave the subnet.

[Figure: Example inbound custom NACL rules]

The network ACL has outbound rules (100 and 110) that allow outbound HTTP and HTTPS traffic out of the subnet. There’s a corresponding inbound rule that enables responses to that outbound traffic (inbound rule 140, which covers ephemeral ports 32768-65535).

[Figure: Example outbound custom NACL rules]
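The stateless behaviour is easiest to see by evaluating both legs of one connection. This is an added example, not code from the lecture: it walks rules lowest number first, applies the unchangeable final deny, and shows that the inbound HTTP request passes inbound rule 100 while its reply only leaves the subnet because of outbound rule 120. The rule numbers for SSH and RDP, the admin range 203.0.113.0/24, and the blocked host are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str  # "tcp", "udp", "icmp" or "all"
    ports: tuple   # inclusive (low, high) destination port range; ignored when protocol is "all"
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str    # "allow" or "deny"


def evaluate(rules, protocol, port, peer_ip):
    """Stateless NACL check: the lowest-numbered matching rule decides; no match hits the final deny."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if peer not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and (rule.protocol != protocol or not rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action == "allow", rule.number
    return False, None  # the "*" deny-all rule that cannot be removed


# Constructed rule set in the shape of the example above. SSH/RDP rule numbers, the admin
# range 203.0.113.0/24 and the blocked host 203.0.113.66 are made up for this example.
INBOUND = [
    Rule(90, "tcp", (22, 22), "203.0.113.66/32", "deny"),    # lower number, so checked before rule 120
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
    Rule(110, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    Rule(120, "tcp", (22, 22), "203.0.113.0/24", "allow"),
    Rule(130, "tcp", (3389, 3389), "203.0.113.0/24", "allow"),
    Rule(140, "tcp", (32768, 65535), "0.0.0.0/0", "allow"),  # replies to outbound HTTP(S)
]
OUTBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
    Rule(110, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    Rule(120, "tcp", (32768, 65535), "0.0.0.0/0", "allow"),  # replies to inbound HTTP(S)
]


def inbound_http_works(inbound, outbound, client_ip="198.51.100.7", client_port=50000):
    """Both legs of a client-to-server HTTP connection must pass separately; the NACL keeps no state."""
    request_ok, _ = evaluate(inbound, "tcp", 80, client_ip)          # client -> server:80
    reply_ok, _ = evaluate(outbound, "tcp", client_port, client_ip)  # server:80 -> client:ephemeral
    return request_ok and reply_ok
```

Removing outbound rule 120 makes inbound_http_works return False even though the request itself is still allowed, which is exactly the case a stateful security group would have handled on its own.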