Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

The following are the key concepts for VPCs:

  • A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.
  • A subnet is a range of IP addresses in your VPC.
  • A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
  • An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
  • A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html

Amazon VPC design - IPv6 on AWS

Route Tables

  • Main route table The route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.
  • Custom route table A route table that you create for your VPC.
  • Edge association A route table that you use to route inbound VPC traffic to an appliance. You associate a route table with the internet gateway or virtual private gateway, and specify the network interface of your appliance as the target for VPC traffic.
  • Route table association The association between a route table and a subnet, internet gateway, or virtual private gateway.
  • Subnet route table A route table that's associated with a subnet.
  • Gateway route table A route table that's associated with an internet gateway or virtual private gateway.
  • Local gateway route table A route table that's associated with an Outposts local gateway. For information about local gateways, see Local Gateways in the AWS Outposts User Guide.
  • Destination The destination CIDR where you want traffic to go. For example, an external corporate network with a 172.16.0.0/12 CIDR.
  • Propagation Route propagation allows a virtual private gateway to automatically propagate routes to the route tables. This means that you don't need to manually enter VPN routes to your route tables. For more information about VPN routing options, see Site-to-Site VPN Routing Options in the Site-to-Site VPN User Guide.
  • Target The target through which to send the destination traffic; for example, an internet gateway.
  • Local route A default route for communication within the VPC.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
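To make the route-selection rules concrete, here is an added Python example (not code from the AWS documentation this page links to): it resolves a destination against the route tables of a public, a private and an isolated subnet using longest-prefix match, with the S3 gateway endpoint expressed as a prefix-list route the way the console shows it. The route-table contents, the IDs (igw-0aaa, nat-0bbb, eigw-0ccc, vpce-0s3gw, pl-0123abcd) and the address ranges are constructed for the example.

```python
"""Route-table lookup the way a VPC resolves it: the most specific (longest
prefix) matching route wins, the 'local' route always covers the VPC CIDR,
and a destination with no matching route is dropped. Constructed example
(not AWS code); all IDs and address ranges are hypothetical."""
import ipaddress

# Stand-in for a managed prefix list such as the one for S3 (hypothetical ID and ranges).
PREFIX_LISTS = {"pl-0123abcd": ["52.95.0.0/16", "3.5.0.0/16"]}

VPC_V4, VPC_V6 = "10.0.0.0/16", "2001:db8:1234::/56"   # RFC 3849 documentation prefix

# Public subnet: default routes to the internet gateway for both address families.
PUBLIC_RT = [(VPC_V4, "local"), (VPC_V6, "local"),
             ("0.0.0.0/0", "igw-0aaa"), ("::/0", "igw-0aaa"),
             ("pl-0123abcd", "vpce-0s3gw")]           # S3 gateway endpoint

# Private subnet: IPv4 egress via a NAT gateway, IPv6 egress via an egress-only
# internet gateway, so nothing on the internet can initiate a connection inward.
PRIVATE_RT = [(VPC_V4, "local"), (VPC_V6, "local"),
              ("0.0.0.0/0", "nat-0bbb"), ("::/0", "eigw-0ccc"),
              ("pl-0123abcd", "vpce-0s3gw")]

# Isolated subnet: only the local routes, no path to the internet at all.
ISOLATED_RT = [(VPC_V4, "local"), (VPC_V6, "local")]

def expand(routes):
    """Replace prefix-list destinations with their member CIDRs."""
    expanded = []
    for dest, target in routes:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        expanded.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return expanded

def lookup(routes, dst):
    """Return the target chosen for dst by longest-prefix match, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, target in expand(routes):
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return best[1] if best else None

if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        for dst in ["10.0.3.4", "52.95.1.10", "8.8.8.8", "2001:db8:1234:1::10", "2001:4860:4860::8888"]:
            print(f"{name:8} {dst:24} -> {lookup(rt, dst)}")
```

Two things worth noticing: the /16 prefix-list route to the gateway endpoint beats the 0.0.0.0/0 default even in the private subnet, so S3 traffic never goes through the NAT gateway (no NAT charges, and it stays on the Amazon network), and the isolated table returns None for anything outside the VPC, which is exactly the "dropped" outcome you want for a subnet that should have no internet path.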

Internet Gateways (IGW)

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

Security Groups

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to it by default (the quota applies per network interface and can be raised). Security groups act at the instance level, not the subnet level, so each instance in a subnet can be assigned a different set of security groups.

If you launch an instance using the Amazon EC2 API or a command line tool and you don't specify a security group, the instance is automatically assigned to the default security group for the VPC. If you launch an instance using the Amazon EC2 console, you have an option to create a new security group for the instance.

For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

Security > Data Protection > Internetwork Traffic Privacy in Amazon VPC

Amazon Virtual Private Cloud provides features that you can use to increase and monitor the security for your virtual private cloud (VPC):

  • Security groups: Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. When you launch an instance, you can associate it with one or more security groups that you've created. Each instance in your VPC could belong to a different set of security groups. If you don't specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC. For more information, see Security Groups for Your VPC.
  • Network access control lists (NACLs): Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. For more information, see Network ACLs.
  • Flow logs: Flow logs capture information about the IP traffic going to and from network interfaces in your VPC. You can create a flow log for a VPC, subnet, or individual network interface. Flow log data is published to CloudWatch Logs or Amazon S3, and it can help you diagnose overly restrictive or overly permissive security group and network ACL rules. For more information, see VPC Flow Logs.
  • Traffic mirroring: You can copy network traffic from an elastic network interface of an Amazon EC2 instance. You can then send the traffic to out-of-band security and monitoring appliances. For more information, see the Traffic Mirroring Guide.
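Flow log records are plain space-separated text, so the rule problems they reveal can be checked with a few lines of code. The following Python is an added example (not the AWS documentation's or any AWS tool's code): it parses default-format records, skips NODATA entries, lists ACCEPTed administrative-port connections from outside the RFC 1918 ranges (evidence of an over-permissive security group or NACL) and flags sources whose REJECTed flows hit several ports (a likely port scan). The log lines, account ID and interface ID are constructed; the addresses are RFC 5737 documentation space.

```python
"""Parser and two checks over VPC flow log records in the default format
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status). Added example, not AWS code; the
log lines below are constructed, using RFC 5737 documentation addresses."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INTEGER_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 3306, 5432}

# Constructed records: one SSH session from the internet, its reply, three
# rejected probes from one source, one internal MySQL flow and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.12 22 49152 6 18 3200 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40123 3389 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40124 445 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40125 23 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.20 51000 3306 6 30 9000 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
"""

def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA records carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line or a custom-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in INTEGER_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def exposed_admin_ports(records):
    """ACCEPTed flows from outside the private ranges to administrative ports:
    a sign that a security group or network ACL is wider than intended."""
    hits = {(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS
            and not is_internal(r["srcaddr"])}
    return sorted(hits)

def probable_scanners(records, min_ports=3):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("exposed admin access:", exposed_admin_ports(recs))
    print("probable scanners:", probable_scanners(recs))
```

The same two functions work unchanged on records pulled from CloudWatch Logs or S3, because they only depend on the default field order. A record with a custom format needs FIELDS adjusted to match the format string you chose when creating the flow log.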
Security group | Network ACL (NACL)
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order; the first matching rule decides
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets that it's associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive)

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
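The rows above describe behaviour; the following Python is an added toy model (not AWS code) that reproduces that behaviour so the differences can be exercised: a stateful security group with only an inbound HTTPS rule still lets the reply out, a network ACL with the same inbound rule drops the reply until an outbound allow for the ephemeral port range (1024-65535) exists, and a NACL deny rule numbered after a broader allow is never reached. Rules, addresses and ports are constructed, and only TCP destination ports are modelled.

```python
"""Toy evaluator for the two firewall layers compared in the table above:
a security group (stateful, allow-only, every rule considered) and a network
ACL (stateless, numbered allow/deny rules, first match wins, implicit deny).
Added example, not AWS code; rules and addresses are constructed."""
import ipaddress

def rule_matches(cidr, lo, hi, addr, port):
    return lo <= port <= hi and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

class SecurityGroup:
    """Rules are (cidr, from_port, to_port). Any matching rule allows, and a
    flow admitted in one direction has its return traffic admitted without
    consulting the rules for the other direction (connection tracking)."""
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()   # (remote_ip, remote_port, local_port) of admitted flows

    def inbound_allowed(self, src, sport, dport):
        if (src, sport, dport) in self.tracked:      # reply to an outbound flow
            return True
        if any(rule_matches(*r, src, dport) for r in self.inbound):
            self.tracked.add((src, sport, dport))
            return True
        return False

    def outbound_allowed(self, dst, sport, dport):
        if (dst, dport, sport) in self.tracked:      # reply to an inbound flow
            return True
        if any(rule_matches(*r, dst, dport) for r in self.outbound):
            self.tracked.add((dst, dport, sport))
            return True
        return False

class NetworkACL:
    """Rules are (number, cidr, from_port, to_port, action). Each direction is
    evaluated on its own, lowest number first; the first match decides and a
    packet matching nothing hits the implicit '*' deny rule."""
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    @staticmethod
    def _evaluate(rules, addr, port):
        for _num, cidr, lo, hi, action in rules:
            if rule_matches(cidr, lo, hi, addr, port):
                return action == "allow"
        return False

    def inbound_allowed(self, src, sport, dport):
        return self._evaluate(self.inbound, src, dport)

    def outbound_allowed(self, dst, sport, dport):
        return self._evaluate(self.outbound, dst, dport)

def demo():
    """HTTPS from an internet client to a web server, through each layer."""
    client, ephemeral = "203.0.113.5", 51000
    https = ("0.0.0.0/0", 443, 443)
    sg = SecurityGroup(inbound=[https])                 # no outbound rules at all
    strict = NetworkACL(inbound=[(100, *https, "allow")])
    fixed = NetworkACL(inbound=[(100, *https, "allow")],
                       outbound=[(100, "0.0.0.0/0", 1024, 65535, "allow")])
    late_deny = NetworkACL(inbound=[(100, *https, "allow"),
                                    (200, "203.0.113.0/24", 443, 443, "deny")])
    early_deny = NetworkACL(inbound=[(50, "203.0.113.0/24", 443, 443, "deny"),
                                     (100, *https, "allow")])
    return {
        "sg_request": sg.inbound_allowed(client, ephemeral, 443),
        "sg_reply": sg.outbound_allowed(client, 443, ephemeral),          # stateful: allowed
        "sg_new_outbound": sg.outbound_allowed("198.51.100.9", 40000, 53),  # no rule: denied
        "nacl_reply_without_ephemeral_rule": strict.outbound_allowed(client, 443, ephemeral),
        "nacl_reply_with_ephemeral_rule": fixed.outbound_allowed(client, 443, ephemeral),
        "nacl_deny_numbered_after_allow": late_deny.inbound_allowed(client, ephemeral, 443),
        "nacl_deny_numbered_before_allow": early_deny.inbound_allowed(client, ephemeral, 443),
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:36} {'ALLOW' if allowed else 'DENY'}")
```

The two NACL ordering cases are the practical lesson: a deny you add "to block that /24" does nothing if its number is higher than the allow it is meant to override, and AWS gives you no warning. Keep deny rules at low numbers and leave gaps between numbers so later rules can be slotted in.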

VPC Endpoints

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.

VPC Endpoint vs VPC Peering

VPC Endpoint

  • Purpose: VPC endpoints allow you to privately connect your VPC to supported AWS services without traversing the public internet. This enhances security and can improve data transfer performance.
  • Use Case: Commonly used for accessing AWS services like Amazon S3, DynamoDB, and other AWS services that support VPC endpoints.
  • Traffic Path: Traffic between your VPC and the AWS service does not leave the Amazon network. It stays within the AWS network.

VPC Peering

  • Purpose: VPC peering allows you to connect two VPCs privately, enabling communication between instances in different VPCs as if they were on the same network.
  • Use Case: Useful for scenarios where you have resources in separate VPCs that need to communicate with each other, such as connecting resources in a production VPC with those in a development VPC.
  • Traffic Path: Traffic between instances in different VPCs travels across the AWS network, and there is no need to go over the public internet.

In summary, VPC endpoints are primarily used for connecting your VPC to AWS services, ensuring a private and direct connection. On the other hand, VPC peering is used to establish private connections between instances in different VPCs, allowing them to communicate with each other over the AWS network.

Establish connectivity between VPCs and AWS services without exposing data to the internet

  • Secure your traffic by using private IP addresses when exchanging data with your software as a service (SaaS) applications.
  • Connect with simplified network and firewall management rules and reduced data egress and NAT gateway costs.
  • Accelerate cloud migrations by combining PrivateLink with AWS Direct Connect or a VPN.

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Interface VPC endpoints, powered by PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.

Scope

  • A VPC endpoint is the resource you create inside your VPC. There are two kinds: interface endpoints and gateway endpoints.
  • AWS PrivateLink is the technology behind interface endpoints. It also lets you publish your own service (an endpoint service fronted by a Network Load Balancer) that other accounts reach through an interface endpoint in their own VPC.

Traffic Isolation

  • Neither endpoint type sends traffic over the public internet. A gateway endpoint is a route-table target for the service's prefix list, and the traffic stays on the Amazon network.
  • An interface endpoint hands traffic to a network interface with a private IP address in your subnet, so the service is reached over private addressing only, including from on-premises over Direct Connect or VPN.

Service Types

  • Gateway endpoints: Amazon S3 and Amazon DynamoDB only.
  • Interface endpoints (PrivateLink): most other AWS services, endpoint services hosted by other AWS accounts, and partner services from AWS Marketplace.

In summary, "VPC endpoint" and "PrivateLink" are not competing options. The choice you actually make is gateway endpoint versus interface endpoint, and an interface endpoint is PrivateLink.

Interface Endpoint

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.

Gateway Endpoints

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The supported services are Amazon S3 and Amazon DynamoDB.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html

NACL - Network Access Control List - Control traffic to subnets using network ACLs - Amazon Virtual Private Cloud

SG - Security Groups

VPC NAT Gateway Costs

Using a single NAT gateway that exists only in the ap-south-1a Availability Zone of the Mumbai region means the workloads in the region's other two AZs send all their internet-bound traffic through ap-south-1a. This incurs cross-AZ (regional) data transfer charges on every byte and makes one AZ a single point of failure for egress. Create one NAT gateway per AZ and point each private subnet's route table at the NAT gateway in its own AZ.

Interface Endpoint vs Gateway Endpoint

Interface endpoint | Gateway endpoint
Supports many AWS services, endpoint services hosted by other AWS customers and partners, and supported AWS Marketplace partner services | Supports only Amazon S3 and Amazon DynamoDB
Acts as an entry point for traffic to reach the service through AWS PrivateLink | Acts as a target for a route in your route table (the service's prefix list)
Is an elastic network interface with a private IP address from your subnet | Does not use an elastic network interface
Reachable from on-premises (Direct Connect, VPN), from peered VPCs and through Transit Gateway, including cross-Region | Requests must originate from within the VPC; no on-premises or cross-Region access
Charged per hour per AZ plus per GB processed | No additional charge
Created in a subnet (one network interface per AZ you choose) | Associated with route tables at the VPC level
Traffic flows to the service through the endpoint's network interface | Traffic is routed through the gateway endpoint to the service

VPC Interface Endpoint vs. Gateway Endpoint in AWS - Tutorials Dojo

Elastic IP Addresses

  • Limited to five Elastic IP addresses per Region per account by default (a quota that can be raised on request)

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html

AWS supports dynamically removing and adding the auto-assigned public IPv4 address of a running instance.

Changes (Migrate from ipv4 to ipv6)

Effective February 1, 2024 there is a charge of $0.005 per IP per hour for all public IPv4 addresses, whether attached to a service or not (previously only Elastic IP addresses allocated in your account but not attached to a running EC2 instance were charged).

That is about $3.60 per IP for a 30-day month (roughly $44 per IP per year), which adds up across NAT gateways, load balancers and every instance with an auto-assigned public address.

New - AWS Public IPv4 Address Charge + Public IP Insights | AWS News Blog

Identify and optimize public IPv4 address usage on AWS | Networking & Content Delivery

Amazon IPv6

Migrate your VPC from IPv4 to IPv6 - Amazon Virtual Private Cloud

Step | Notes
Step 1: Associate an IPv6 CIDR block with your VPC and subnets | Associate an Amazon-provided or BYOIP IPv6 CIDR block with your VPC and with your subnets.
Step 2: Update your route tables | Update your route tables to route your IPv6 traffic. For a public subnet, create a route that routes all IPv6 traffic from the subnet to the internet gateway. For a private subnet, create a route that routes all internet-bound IPv6 traffic from the subnet to an egress-only internet gateway.
Step 3: Update your security group rules | Update your security group rules to include rules for IPv6 addresses. This enables IPv6 traffic to flow to and from your instances. If you've created custom network ACL rules to control the flow of traffic to and from your subnet, you must include rules for IPv6 traffic.
Step 4: Assign IPv6 addresses to your instances | Assign IPv6 addresses to your instances from the IPv6 address range of your subnet.
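The four steps above map onto fields that the `aws ec2 describe-*` commands return, so completion can be audited rather than assumed. The following Python is an added example (not from the AWS guide): it takes inventory data shaped like the describe-vpcs, describe-subnets, describe-route-tables, describe-security-groups and describe-instances responses and reports which step is incomplete for each subnet and instance, including the case that matters most for exposure, a private subnet whose ::/0 route points at the internet gateway instead of an egress-only internet gateway. The inventory is constructed with hypothetical IDs and the RFC 3849 2001:db8::/32 documentation prefix.

```python
"""Audit of the four IPv6 migration steps against describe-*-shaped data.
Added example, not AWS code: the dictionaries mirror the field names of
'aws ec2 describe-vpcs / describe-subnets / describe-route-tables /
describe-security-groups / describe-instances' but are constructed here,
with hypothetical IDs and the RFC 3849 documentation prefix."""

def has_v6(obj):
    """Step 1: an associated IPv6 CIDR on a VPC or subnet record."""
    return any(a["Ipv6CidrBlockState"]["State"] == "associated"
               for a in obj.get("Ipv6CidrBlockAssociationSet", []))

def subnet_kind(rt):
    """'public' when the IPv4 default route targets an internet gateway."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-"):
            return "public"
    return "private"

def v6_default_target(rt):
    for r in rt["Routes"]:
        if r.get("DestinationIpv6CidrBlock") == "::/0":
            return r.get("GatewayId") or r.get("EgressOnlyInternetGatewayId")
    return None

def check_ipv6_migration(vpc, subnets, route_tables, security_groups, instances):
    findings = []
    if not has_v6(vpc):
        findings.append("step1: VPC has no associated IPv6 CIDR")
    main_rt = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    rt_by_subnet = {a["SubnetId"]: rt for rt in route_tables
                    for a in rt["Associations"] if "SubnetId" in a}
    for s in subnets:
        sid = s["SubnetId"]
        if not has_v6(s):
            findings.append(f"step1: {sid} has no IPv6 CIDR")
        rt = rt_by_subnet.get(sid, main_rt)          # no explicit association = main table
        kind, target = subnet_kind(rt), v6_default_target(rt)
        if kind == "public" and not (target or "").startswith("igw-"):
            findings.append(f"step2: public {sid}: ::/0 should target the internet gateway (found {target})")
        elif kind == "private" and (target or "").startswith("igw-"):
            # IPv6 addresses are globally routable: an IGW route makes the subnet reachable inbound
            findings.append(f"step2: private {sid}: ::/0 -> {target} exposes it to inbound IPv6; use an egress-only internet gateway")
        elif kind == "private" and not (target or "").startswith("eigw-"):
            findings.append(f"step2: private {sid}: no ::/0 route to an egress-only internet gateway (found {target})")
    sgs = {g["GroupId"]: g for g in security_groups}
    for i in instances:
        iid = i["InstanceId"]
        for g in i["SecurityGroups"]:
            if not any(p.get("Ipv6Ranges") for p in sgs[g["GroupId"]]["IpPermissions"]):
                findings.append(f"step3: {g['GroupId']} on {iid} has no IPv6 inbound rule")
        if not any(ni.get("Ipv6Addresses") for ni in i["NetworkInterfaces"]):
            findings.append(f"step4: {iid} has no IPv6 address")
    return findings

def assoc(cidr):
    return {"Ipv6CidrBlock": cidr, "Ipv6CidrBlockState": {"State": "associated"}}

# Constructed inventory: one public, one private and one not-yet-migrated DB subnet.
VPC = {"VpcId": "vpc-0abc", "Ipv6CidrBlockAssociationSet": [assoc("2001:db8:1234::/56")]}
SUBNETS = [
    {"SubnetId": "subnet-pub", "Ipv6CidrBlockAssociationSet": [assoc("2001:db8:1234:1::/64")]},
    {"SubnetId": "subnet-priv", "Ipv6CidrBlockAssociationSet": [assoc("2001:db8:1234:2::/64")]},
    {"SubnetId": "subnet-db"},                     # no IPv6 block, no explicit route table
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0aaa"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0aaa"}]},   # mistake: should be an eigw
    {"Associations": [{"Main": True}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "SecurityGroups": [{"GroupId": "sg-web"}],
     "NetworkInterfaces": [{"Ipv6Addresses": [{"Ipv6Address": "2001:db8:1234:1::10"}]}]},
    {"InstanceId": "i-app", "SecurityGroups": [{"GroupId": "sg-app"}],
     "NetworkInterfaces": [{"Ipv6Addresses": []}]},
]

if __name__ == "__main__":
    for finding in check_ipv6_migration(VPC, SUBNETS, ROUTE_TABLES, SECURITY_GROUPS, INSTANCES):
        print(finding)
```

Subnets without an explicit route-table association fall back to the main route table, as subnet-db does here; forgetting that is a common way for a "private" subnet to pick up whatever ::/0 route someone later adds to the main table. The check on step 2 is the one to treat as a security finding rather than a migration to-do: a private subnet with ::/0 pointing at an internet gateway has just made every IPv6-addressed host in it reachable from the internet, subject only to its security groups and NACLs.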

Is the Public Cloud Ready for IPv6? | by Eyal Estrin ☁️ | AWS in Plain English

Brace yourself, IPv6 is coming

Amazon EC2 instance IP addressing - Amazon Elastic Compute Cloud

Others

What is AWS Direct Connect? - AWS Direct Connect

AWS Transit Gateway

What is VPC peering? - Amazon Virtual Private Cloud

Overview of Data Transfer Costs for Common Architectures | AWS Architecture Blog