Here, we will learn the concepts of Amazon Virtual Private Cloud (Amazon VPC).

  • Amazon VPC is the networking layer for Amazon EC2.
  • It lets you build your own virtual network within AWS.
  • You control the various aspects of the Amazon VPC, including:
    • Selecting your own IP address range
    • Creating your own subnets
    • Configuring your own route tables, network gateways, and security settings.
  • Within a region, you can create multiple Amazon VPCs.
  • Each VPC is logically isolated from the others, even if they share IP address space.
  • You specify the IPv4 address range when the VPC is created.
  • The address range of a VPC cannot be changed after the VPC is created.
  • A VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses).
  • Lastly, the VPC address range should not overlap any other network with which it is to be connected.

VPC Components

Subnets

  • A segment of a VPC’s IP address range into which you launch EC2 instances, Amazon RDS databases, and other AWS resources.
  • The smallest subnet is a /28 (16 IP addresses).
  • AWS reserves the first four IP addresses and the last IP address of every subnet for internal networking purposes.
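The two sizing rules above (a VPC block between /16 and /28 that must not overlap networks it will connect to, and five addresses reserved out of every subnet) are easy to get wrong when planning an address space. The following Python is an added example, not code from the page or from AWS; it uses only the standard library `ipaddress` module, and the roles it assigns to the four leading reserved addresses follow the AWS VPC documentation. The VPC and subnet ranges at the bottom are constructed sample input.

```python
import ipaddress

VPC_LARGEST_PREFIX = 16   # /16 = 65,536 addresses, the largest VPC block AWS allows
VPC_SMALLEST_PREFIX = 28  # /28 = 16 addresses, the smallest VPC block and smallest subnet
RESERVED_PER_SUBNET = 5   # first four addresses plus the last one


def validate_vpc_cidr(cidr, peers=()):
    """Return the VPC network if the block is a legal size and does not overlap `peers`.

    The range is fixed for the life of the VPC, so any network it will later be
    connected to (a peered VPC, an on-premises range) must be checked now.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: a VPC primary range must be IPv4")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC block must be between /16 and /28")
    for peer in peers:
        if net.overlaps(ipaddress.ip_network(peer)):
            raise ValueError(f"{cidr} overlaps {peer}; traffic between them could not be routed")
    return net


def reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in a subnet, keyed by their documented role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.prefixlen > VPC_SMALLEST_PREFIX:
        raise ValueError(f"{subnet_cidr}: a subnet must be /28 or larger")
    return {
        "network": str(net[0]),      # network address
        "vpc_router": str(net[1]),   # implicit VPC router, the subnet's default gateway
        "dns": str(net[2]),          # Amazon-provided DNS (network address + 2)
        "future_use": str(net[3]),   # reserved by AWS for future use
        "broadcast": str(net[-1]),   # broadcast address; a VPC does not support broadcast
    }


def usable_addresses(subnet_cidr):
    """Number of addresses you can actually assign to resources in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check every subnet sits inside the VPC and none overlap; return usable counts per subnet."""
    vpc = validate_vpc_cidr(vpc_cidr)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for i, a in enumerate(nets):
        if not a.subnet_of(vpc):
            raise ValueError(f"{a} is not inside VPC {vpc}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return {str(n): usable_addresses(str(n)) for n in nets}


if __name__ == "__main__":
    # Constructed sample: a /16 VPC carved into two /24 subnets and one /28
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/28"]))
    print(reserved_addresses("10.0.1.0/24"))
```

Running it shows why a /28 subnet is rarely worth the trouble: of its 16 addresses only 11 are assignable, and a /24 yields 251 rather than 254.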

Route tables

  • A logical construct within a VPC containing a set of rules (routes) that is applied to a subnet and determines where network traffic is directed.
  • Route tables are what allow EC2 instances in different subnets of a VPC to communicate with each other.
  • Every route table has a default route called the local route, which enables communication within the Amazon VPC; this route cannot be modified or removed.
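To make the route-table behaviour concrete, here is an added Python model (not code from the page or from AWS) of a VPC route table: the local route is created with the table and refuses modification or deletion, and a lookup picks the most specific matching destination, as AWS does. The gateway, NAT and peering-connection identifiers (`igw-EXAMPLE`, `nat-EXAMPLE`, `pcx-EXAMPLE`) are placeholders, and the two sample tables at the bottom are constructed input.

```python
import ipaddress


class RouteTable:
    """A VPC route table. The local route for the VPC's own range is created with
    the table and can be neither modified nor removed; other routes are optional."""

    def __init__(self, vpc_cidr):
        self.vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        self.routes = {self.vpc: "local"}

    def add_route(self, destination, target):
        dest = ipaddress.ip_network(destination, strict=True)
        if dest == self.vpc:
            raise ValueError("the local route cannot be modified")
        self.routes[dest] = target

    def delete_route(self, destination):
        dest = ipaddress.ip_network(destination, strict=True)
        if dest == self.vpc:
            raise ValueError("the local route cannot be removed")
        del self.routes[dest]

    def lookup(self, ip):
        """Return the target for `ip`: the most specific (longest-prefix) matching
        route wins, so the /16 local route beats a 0.0.0.0/0 default route.
        Returns None when no route matches, meaning the packet is dropped."""
        addr = ipaddress.ip_address(ip)
        best = None
        for dest, target in self.routes.items():
            if addr in dest and (best is None or dest.prefixlen > best[0].prefixlen):
                best = (dest, target)
        return best[1] if best else None


def build_sample_tables(vpc_cidr="10.0.0.0/16", peer_cidr="10.1.0.0/16"):
    """Constructed sample: a public and a private subnet's route table for the same VPC.
    Both carry the same local route; only the default route's target differs."""
    public = RouteTable(vpc_cidr)
    public.add_route("0.0.0.0/0", "igw-EXAMPLE")   # Internet-routable traffic goes to the IGW
    public.add_route(peer_cidr, "pcx-EXAMPLE")     # the peered VPC is reached via the peering connection

    private = RouteTable(vpc_cidr)
    private.add_route("0.0.0.0/0", "nat-EXAMPLE")  # private subnets egress only through NAT
    private.add_route(peer_cidr, "pcx-EXAMPLE")
    return public, private


if __name__ == "__main__":
    public, private = build_sample_tables()
    for ip in ("10.0.2.5", "10.1.4.7", "93.184.216.34"):
        print(f"{ip}: public -> {public.lookup(ip)}, private -> {private.lookup(ip)}")
```

Note that a subnet without a 0.0.0.0/0 route has no path to the Internet at all: `lookup` returns None for an external address, which is the "dropped" case in the model.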

Dynamic Host Configuration Protocol (DHCP) option sets

  • DHCP passes configuration information to hosts on a TCP/IP network, such as the domain name, domain name servers, and the netbios-node-type.
  • AWS automatically creates a DHCP option set and associates it with the Amazon VPC upon creation, setting two options:
    • domain-name-servers (defaults to AmazonProvidedDNS)
    • domain-name (defaults to the domain name for your region).
  • AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC’s IGW.

Security groups

  • A virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and EC2 instances.
  • Every Amazon EC2 instance must be launched into a security group.
  • If none is specified at launch, the instance is placed in the default security group for the VPC, which allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.

Network Access Control Lists (ACLs)

  • Acts as a stateless firewall at the subnet level.
  • A numbered list of rules that AWS evaluates in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
  • Every Amazon VPC has a modifiable default network ACL, associated with every subnet, that allows all inbound and outbound traffic.
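The practical difference between the stateful security group and the stateless network ACL shows up the moment a reply packet has to leave the subnet. The following Python is an added example, not code from the page or from AWS: it models both firewalls, evaluates network ACL rules lowest number first with first match winning and a catch-all deny (the behaviour of a custom ACL; the default ACL described above allows everything), and runs one HTTPS request/reply pair through each. The client address 203.0.113.10, server address 10.0.1.20 and ephemeral port 51515 are constructed values; the `AclRule`, `NetworkAcl` and `SecurityGroup` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AclRule:
    number: int      # evaluation order: lowest first, first match wins
    port_from: int
    port_to: int
    cidr: str        # remote range (source for inbound rules, destination for outbound)
    action: str      # "allow" or "deny"


def _first_match(rules, remote_ip, port):
    """Network ACL semantics: walk rules by ascending number and stop at the first match.
    If nothing matches, the catch-all '*' rule denies."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


class NetworkAcl:
    """Stateless subnet firewall: each packet is judged on its own, in its own direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    def allows_inbound(self, pkt):
        return _first_match(self.inbound, pkt.src, pkt.dport)

    def allows_outbound(self, pkt):
        return _first_match(self.outbound, pkt.dst, pkt.dport)


class SecurityGroup:
    """Stateful instance firewall: rules are allow-only, and a packet that opens an
    allowed flow is remembered so replies on that flow pass without their own rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)  # (port_from, port_to, cidr)
        self._flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    @staticmethod
    def _matches(rules, remote_ip, port):
        addr = ipaddress.ip_address(remote_ip)
        return any(lo <= port <= hi and addr in ipaddress.ip_network(cidr) for lo, hi, cidr in rules)

    def allows_inbound(self, pkt):
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self._flows or self._matches(self.inbound, pkt.src, pkt.dport):
            self._flows.add(flow)
            return True
        return False

    def allows_outbound(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self._flows or self._matches(self.outbound, pkt.dst, pkt.dport):
            self._flows.add(flow)
            return True
        return False


def https_connection_passes(firewall, client="203.0.113.10", server="10.0.1.20", client_port=51515):
    """Does one HTTPS request and its reply both get through `firewall`? Constructed addresses."""
    request = Packet(src=client, dst=server, sport=client_port, dport=443)
    reply = Packet(src=server, dst=client, sport=443, dport=client_port)
    return firewall.allows_inbound(request) and firewall.allows_outbound(reply)


ANY = "0.0.0.0/0"

# Security group with an inbound HTTPS rule and deliberately no outbound rules:
# statefulness alone lets the reply out.
web_sg = SecurityGroup(inbound=[(443, 443, ANY)], outbound=[])

# Common mistake in a custom network ACL: the outbound rule mirrors port 443 instead of
# the client's ephemeral port range, so every reply is dropped.
broken_acl = NetworkAcl(
    inbound=[AclRule(100, 443, 443, ANY, "allow")],
    outbound=[AclRule(100, 443, 443, ANY, "allow")],
)

# Corrected: outbound allows the ephemeral range the reply is addressed to.
fixed_acl = NetworkAcl(
    inbound=[AclRule(100, 443, 443, ANY, "allow")],
    outbound=[AclRule(100, 1024, 65535, ANY, "allow")],
)

# Rule numbers decide: a deny for the client's /24 numbered below the broad allow wins.
deny_first_acl = NetworkAcl(
    inbound=[AclRule(100, 443, 443, "203.0.113.0/24", "deny"), AclRule(200, 443, 443, ANY, "allow")],
    outbound=[AclRule(100, 1024, 65535, ANY, "allow")],
)

if __name__ == "__main__":
    for name, fw in [("security group", web_sg), ("broken ACL", broken_acl),
                     ("fixed ACL", fixed_acl), ("deny-first ACL", deny_first_acl)]:
        print(f"{name}: {'passes' if https_connection_passes(fw) else 'blocked'}")
```

The `broken_acl` case is the one that bites in practice: the inbound rule looks correct, the instance receives the request, and the connection still hangs because the stateless outbound evaluation never sees a rule for the client's ephemeral port. Had the deny rule in `deny_first_acl` been numbered 300 instead of 100, the broad allow at 200 would match first and the deny would never be consulted.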

Optional Components of Amazon VPC

Internet Gateways (IGWs)

  • A horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in the VPC and the Internet.
  • It provides a target in VPC route tables for Internet-routable traffic.
  • It performs network address translation for instances that have public IP addresses.
  • Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses.
  • For traffic from the instance to the Internet, the IGW translates the reply address to the instance’s public IP address (or EIP address) and maintains a one-to-one mapping between the instance’s private IP address and its public IP address.

Elastic IP (EIP) addresses

  • AWS manages a pool of public IP addresses in each region.
  • AWS provides them for association with resources within VPCs.
  • An EIP is a static, public IP address drawn from the pool for the region.
  • You can allocate one to your account (pull it from the pool).
  • You can release it (return it to the pool).
  • EIPs are IP addresses that remain fixed while the underlying infrastructure may change over time.

Elastic Network Interfaces (ENIs)

  • A virtual network interface that can be attached to an instance in an Amazon VPC.
  • ENIs are only available within a VPC.
  • They are associated with a subnet upon creation.

Endpoints

  • An endpoint lets you create a private connection between your VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect.
  • You can create multiple endpoints for a single service.

Peering

  • A VPC peering connection is a networking connection between two VPCs.
  • It enables instances in either Amazon VPC to communicate with each other as if they were within the same network.
  • It is neither a gateway nor a VPN connection.
  • It does not introduce a single point of failure for communication.
  • Peering connections are created through a request/accept protocol.
  • The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC.
  • If the peer Amazon VPC is within the same account, it is identified by its VPC ID.
  • If the peer VPC is within a different account, it is identified by the Account ID and VPC ID.
  • The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.
