Amazon Virtual Private Cloud is a commercial cloud computing service that provides users with a virtual private cloud by provisioning an isolated section of Amazon Web Services Cloud. Enterprise customers can access the Amazon Elastic Compute Cloud over an IPsec-based virtual private network. Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you have defined. This virtual network resembles a traditional network that you operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
- AWS VPC Concepts
- AWS VPC Subnets
- AWS Internet Gateway
- AWS NAT Gateways
- AWS Security Groups
- AWS Network Access Control List
- AWS VPC Flow Logs
- AWS VPC Peering
- AWS VPC Endpoints
- AWS PrivateLink
- AWS Direct Connect
- AWS Site-to-Site VPN
- AWS Client VPN
- AWS Transit Gateway
AWS VPC Concepts
Many components will be created by a user or by AWS as part of a default VPC. Some of these components include:
- VPC CIDR Block
- Route Table
- Network Access Control Lists (ACLs)
- Security Group
Security groups act as a firewall for Amazon EC2 instances. A company that has just deployed an Amazon RDS instance in its VPC can use security groups to implement a stateful firewall that limits traffic to the private corporate network and limits the network traffic that reaches the RDS instance directly. Security groups act as an instance-level firewall to control inbound and outbound access.
AWS VPC Subnets
A subnet is a range of IP addresses in your VPC. You can attach AWS resources, such as EC2 instances and RDS DB instances, to subnets. Currently, you can make 200 subnets per VPC. (The terminology differs in Google Cloud, where VPC networks are global resources, each consisting of one or more IP address ranges called subnets; there, subnets are regional resources with IP address ranges associated with them, and the terms subnet and subnetwork are synonymous.)
• VPC - Virtual Private Cloud: private network to deploy your resources (regional resource)
• Subnets allow you to partition your network inside your VPC (Availability Zone resource)
• A public subnet is a subnet that is accessible from the Internet
• A private subnet is a subnet that is not accessible from the Internet
• To define access to the Internet and between subnets, we use Route Tables.
A company can create separate VPCs to host the resources when an isolated environment within AWS is required for security purposes.
AWS Internet Gateway
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the Internet. It supports IPv4 and IPv6 traffic. For instances to use it, three things must be in place: the internet gateway must be attached to the VPC; the route tables associated with your public subnets (including custom route tables) must have a route to the internet gateway; and the security groups and network access control lists (ACLs) associated with the VPC must allow traffic to flow to and from the Internet.
• Internet Gateways help our VPC instances connect with the Internet
• Public Subnets have a route to the internet gateway.
AWS Transit Gateway can help a large enterprise with multiple VPCs in several AWS Regions around the world to connect and centrally manage network connectivity between its VPCs. AWS Transit Gateway can be used to help simplify management and reduce operational costs for a pharmaceutical company that operates its infrastructure in a single AWS Region with thousands of VPCs in various AWS accounts that it wants to interconnect.
AWS NAT Gateways
NAT Gateway is a highly available AWS-managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet. A NAT device forwards traffic from the instances in the private subnet to the Internet or other AWS services and then sends the responses back to the instances. By contrast, an internet gateway allows resources in your VPC to access the Internet directly.
• NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the Internet while remaining private
AWS Security Groups
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules govern the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. AWS Security Groups help you secure your cloud environment by controlling how traffic will be allowed into your EC2 machines. With Security Groups, you can ensure that all the traffic that flows at the instance level is only through your established ports and protocols. By contrast, a network ACL acts as a VPC firewall at the subnet level.
• A firewall that controls traffic to and from an ENI / an EC2 Instance
• Can have only ALLOW rules
• Rules include IP addresses and other security groups
AWS Network Access Control List
A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. A network ACL (NACL) is a layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You can set up network ACLs with rules similar to your security groups to add a layer of security to your VPC.
• A firewall that controls traffic to and from a subnet
• Can have ALLOW and DENY rules
• Are attached at the Subnet level
• Rules only include IP addresses
Network ACLs are stateless, so return traffic is not allowed automatically and must match a rule of its own. Rules are processed in order, starting with the lowest numbered rule, and the first matching rule decides whether the traffic is allowed or denied.
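The difference between the two firewalls is easiest to see by evaluating the same packets against both. The following is an added illustration, not AWS code: a toy network ACL that walks numbered ALLOW/DENY rules lowest-number-first and treats every packet on its own, beside a toy security group that holds ALLOW rules only and remembers admitted flows so their replies pass. All rules, addresses and ports are constructed.

```python
"""Toy model of the two firewalls described above: a network ACL (stateless,
numbered ALLOW/DENY rules, lowest number first, first match wins) and a
security group (stateful, ALLOW rules only, order irrelevant). Added
illustration with constructed rules and addresses, not AWS code."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


def _matches(rule_proto, cidr, lo, hi, pkt):
    return (rule_proto in ("all", pkt.proto)
            and ip_address(pkt.src) in ip_network(cidr)
            and lo <= pkt.dst_port <= hi)


def nacl_decides(rules, pkt):
    """rules: (number, proto, cidr, port_lo, port_hi, 'allow'|'deny'). Lowest
    number first, first match decides, no match is the implicit '*' deny.
    Stateless: a reply is judged alone, so outbound needs an ephemeral-port rule."""
    for _, proto, cidr, lo, hi, action in sorted(rules):
        if _matches(proto, cidr, lo, hi, pkt):
            return action == "allow"
    return False


class SecurityGroup:
    """inbound: allow rules (proto, cidr, port_lo, port_hi). Stateful: replies to
    a flow admitted inbound are let out whatever the outbound rules say."""
    def __init__(self, inbound):
        self.inbound, self.tracked = inbound, set()   # tracked = connection table

    def allows_inbound(self, pkt):
        if any(_matches(*rule, pkt) for rule in self.inbound):
            self.tracked.add((pkt.src, pkt.dst))
            return True
        return False

    def allows_reply(self, reply):  # reply.src is the instance, reply.dst the client
        return (reply.dst, reply.src) in self.tracked


# Constructed scenario: HTTPS only; 198.51.100.0/24 is denied ahead of rule 100.
NACL_IN = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
           (50, "tcp", "198.51.100.0/24", 0, 65535, "deny")]
NACL_OUT = [(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]  # ephemeral ports
SG = SecurityGroup([("tcp", "0.0.0.0/0", 443, 443)])
REQUEST = Packet("203.0.113.5", "10.0.1.10", 443)
REPLY = Packet("10.0.1.10", "203.0.113.5", 50000)
```

With this data, nacl_decides(NACL_IN, REQUEST) is True but nacl_decides([], REPLY) is False until NACL_OUT supplies the ephemeral-port rule, whereas SG.allows_inbound(REQUEST) followed by SG.allows_reply(REPLY) is True with no outbound rule at all.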
AWS VPC Flow Logs
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you create a flow log, you can retrieve and view its data in the chosen destination. New Flow Logs will appear in the Flow Logs tab of the VPC dashboard. The log group will be created approximately 15 minutes after you create a new Flow Log. You can access them via the CloudWatch Logs dashboard.
• Capture information about the IP traffic going into your interfaces:
  • VPC Flow Logs
  • Subnet Flow Logs
  • Elastic Network Interface Flow Logs
• Helps to monitor & troubleshoot connectivity issues. Example:
  • Subnets to the Internet
  • Subnets to subnets
  • Internet to subnets
• Captures network information from AWS-managed interfaces: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc.
• VPC Flow Logs data can go to S3 / CloudWatch Logs
VPC Flow Logs can be used to capture information about inbound and outbound traffic in an Amazon VPC.
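Once flow logs are in CloudWatch Logs or S3, the records are plain space-separated text in a documented field order. The following added example (not AWS code) parses default-format records, skips NODATA lines, and runs two defender checks over them: REJECT counts per source and destination port, and accepted SSH/RDP flows whose source lies outside the VPC. The sample records, account id, ENI id and VPC CIDR are constructed.

```python
"""Parse VPC Flow Log records in the default format and pull out what a
responder looks at first: rejected connection attempts per source, and
accepted admin-port flows from outside the VPC's own CIDR. Added
illustration; the records, account id, ENI id and CIDR are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of a default (version 2) VPC Flow Log record.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
VPC_CIDR = ip_network("10.0.0.0/16")   # constructed VPC range
ADMIN_PORTS = {22, 3389}               # SSH and RDP

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 49152 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 49153 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.10 51000 22 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.2.25 10.0.1.10 40000 22 6 15 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 49154 443 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_flow_log(text):
    """One dict per usable record. NODATA/SKIPDATA lines carry no flow and
    lines with the wrong field count (custom format, truncation) are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """REJECTs keyed by (srcaddr, dstport): the trail a NACL or security group
    leaves when it denies traffic; repeated hits on one host are worth a look."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def external_admin_accepts(records):
    """ACCEPTed TCP (protocol 6) flows to SSH/RDP whose source lies outside
    the VPC CIDR, i.e. admin ports that are reachable from the Internet."""
    return sorted((r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                  if r["action"] == "ACCEPT" and r["protocol"] == 6
                  and r["dstport"] in ADMIN_PORTS
                  and ip_address(r["srcaddr"]) not in VPC_CIDR)
```

On the sample, parse_flow_log(SAMPLE_LOG) yields five usable records; rejects_by_source reports the two REJECTs from 203.0.113.12 (ports 22 and 3389) and external_admin_accepts returns only the accepted SSH flow from 198.51.100.7, since 10.0.2.25 is inside the VPC.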
AWS VPC Peering
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. A VPC peering connection is a networking connection between two VPCs that allows you to route traffic between them using private IPv4 addresses or IPv6 addresses. To peer over IPv6, you must associate an IPv6 CIDR block with each VPC, enable the instances in the VPCs for IPv6 communication, and add routes to your route tables that send IPv6 traffic destined for the peer VPC to the VPC peering connection.
• Connect two VPCs, privately using AWS’ network
• Make them behave as if they were in the same network
• Must not have overlapping CIDR (IP address range)
• VPC Peering connection is not transitive (must be established for each VPC that needs to communicate with one another)
VPC peering is designed for the case where a company needs to establish a connection between two VPCs. It lets the company reuse the existing infrastructure of the VPCs for this connection, even if the VPCs are located in two different AWS Regions.
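The route table rules from the subnets section (a public subnet has a route to an internet gateway) and the peering rules above (non-overlapping CIDRs, no transitivity) are both mechanical enough to check in code. This added example (not AWS code) classifies subnets from their route tables and plans pairwise peering for a set of VPCs; the VPC names, CIDRs and the igw-/nat- ids are constructed placeholders.

```python
"""Two design checks from the subnet/route table and VPC peering notes above:
classify a subnet by its route table, and plan pairwise peering between VPCs
whose CIDR blocks must not overlap. Added illustration with constructed
VPC, subnet and route data (igw-/nat- ids are placeholders), not AWS code."""
from ipaddress import ip_network
from itertools import combinations


def subnet_kind(route_table):
    """route_table: list of (destination CIDR, target) entries as in an AWS
    route table. A subnet is public only if its default route points at an
    internet gateway; a NAT gateway default route keeps it private but lets
    it reach the Internet; no default route at all means it is isolated."""
    for destination, target in route_table:
        if destination == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private-nat"
    return "isolated"


def can_peer(cidr_a, cidr_b):
    """VPC peering requires the two VPCs' IPv4 CIDR blocks not to overlap."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


def peering_plan(vpcs):
    """vpcs: {name: cidr}. Peering is not transitive, so full connectivity
    among N VPCs needs one connection per pair (N*(N-1)/2 in total).
    Returns (pairs that can be peered, pairs blocked by overlapping CIDRs)."""
    allowed, blocked = [], []
    for (a, cidr_a), (b, cidr_b) in combinations(sorted(vpcs.items()), 2):
        (allowed if can_peer(cidr_a, cidr_b) else blocked).append((a, b))
    return allowed, blocked


# Constructed sample data for a VPC with CIDR 10.0.0.0/16.
ROUTE_TABLES = {
    "web-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "app-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
    "db-subnet": [("10.0.0.0/16", "local")],
}
VPCS = {"prod": "10.0.0.0/16", "dev": "10.1.0.0/16", "legacy": "10.0.128.0/17"}

if __name__ == "__main__":
    for name, table in ROUTE_TABLES.items():
        print(f"{name}: {subnet_kind(table)}")
    ok, bad = peering_plan(VPCS)
    print("peerable:", ok)              # dev<->legacy and dev<->prod
    print("blocked by overlap:", bad)   # legacy lies inside prod's 10.0.0.0/16
```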
AWS VPC Endpoints
A VPC endpoint lets you privately connect your VPC to supported AWS services. It doesn’t require deploying an internet gateway, network address translation (NAT) device, Virtual Private Network (VPN) connection, or AWS Direct Connect connection. Amazon VPC offers two types of endpoints: gateway endpoints and interface endpoints. AWS Direct Connect, by contrast, is used to create a private connection between an on-premises workload and an AWS Cloud workload.
• Endpoints allow you to connect to AWS services over a private network instead of the public Internet
• This gives you enhanced security and lower latency to access AWS services
• VPC Endpoint Gateway: S3 & DynamoDB
• VPC Endpoint Interface: the rest
If a company that generates large sets of critical data in its on-premises data center needs to securely transfer that data to AWS for processing, it can use AWS Direct Connect so that the transfers occur daily over a dedicated connection.
AWS PrivateLink
AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public Internet. It makes it easy to connect services across different accounts and VPCs, which significantly simplifies your network architecture. PrivateLink allows connectivity to services in other accounts and Amazon VPCs without requiring route table modifications, so there is no longer a need to configure an internet gateway, VPC peering connection, or Transit VPC to enable connectivity.
• Most secure & scalable way to expose a service to 1000s of VPCs
• Does not require VPC peering, internet gateway, NAT, route tables…
• Requires a network load balancer (Service VPC) and ENI (Customer VPC)
AWS Direct Connect
AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services. AWS Direct Connect enables customers to have low latency, secure and private connections to AWS for workloads that need higher speed or lower latency than the Internet. Direct Connect provides Amazon Web Services (AWS) customers with a way to transfer data that does not involve using the public Internet. According to Amazon, private network connections provide a safer, more consistent network experience than Internet-based connections.
• Direct Connect (DX)
• Establish a physical connection between on-premises and AWS
• The connection is private, secure, and fast
• Goes over a private network
• Takes at least a month to establish
A company migrating its applications from its on-premises data center to a VPC in the AWS Cloud, where those applications will still need to access on-premises resources, would need to create a VPN connection between an on-premises device and a virtual private gateway in the VPC and set up an AWS Direct Connect connection between the on-premises data center and AWS.
AWS Site-to-Site VPN
AWS Site-to-Site VPN is a fully-managed service that creates a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels.
Site-to-Site VPN Components
• Virtual Private Gateway
• Customer gateway device
• Site to Site VPN
• Connect an on-premises VPN to AWS
• The connection is automatically encrypted
• Goes over the public Internet
• On-premises: must use a Customer Gateway (CGW)
• AWS: must use a Virtual Private Gateway (VGW)
Virtual private gateway and Customer gateway are two components of an AWS Site-to-Site VPN connection.
AWS Client VPN
AWS Client VPN is a fully-managed remote access VPN solution used by your remote workforce to access resources within both AWS and your on-premises network securely. Fully elastic, it automatically scales up or down based on demand. AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN lets you securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN lets you securely connect users to AWS or on-premises networks.
• Connect from your computer using OpenVPN to your private network in AWS and on-premises
• Allow you to connect to your EC2 instances over a private IP (just as if you were in the private VPC network)
A company that is moving its office and must establish an encrypted connection to AWS can use AWS VPN to meet this requirement.
AWS Transit Gateway
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is created only once, to the hub.
• Provides transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology
• One single Gateway to provide this functionality
• Works with Direct Connect Gateway, VPN connections
• VPC: Virtual Private Cloud
• Subnets: tied to an AZ; a network partition of the VPC
• Internet Gateway: at the VPC level, provides Internet access
• NAT Gateway / Instances: give internet access to private subnets
• NACL: Stateless, subnet rules for inbound and outbound
• Security Groups: Stateful, operate at the EC2 instance level or ENI. Because their rules can reference other security groups, traffic between the various applications and tiers can be restricted to exactly what each needs, following the security principle of least privilege. This suits a company that runs multiple applications and is now building a new multi-tier application hosted on Amazon EC2 instances.
• VPC Peering: Connect two VPCs with non-overlapping IP ranges, nontransitive
• VPC Endpoints: Provide private access to AWS Services within VPC
• PrivateLink: Privately connect to a service in a 3rd party VPC
• VPC Flow Logs: network traffic logs
• Site to Site VPN: VPN over the public Internet between on-premises DC and AWS
• Client VPN: OpenVPN connection from your computer into your VPC
• Direct Connect: direct private connection to AWS
• Transit Gateway: Connect thousands of VPCs and on-premises networks together
A VPC can span all Availability Zones within an AWS Region.