AWS VPC Networking

Amazon Virtual Private Cloud is a commercial cloud computing service that provides users with a virtual private cloud by provisioning an isolated section of Amazon Web Services Cloud. Enterprise customers can access the Amazon Elastic Compute Cloud over an IPsec-based virtual private network. Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you have defined. This virtual network resembles a traditional network that you operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

AWS VPC Concepts

Many components will be created by a user or by AWS as part of a default VPC. Some of these components include:

  • VPC CIDR Block
  • Subnet
  • Gateways
  • Route Table
  • Network Access Control Lists (ACLs)
  • Security Group

Security groups act as a firewall for Amazon EC2 instances. A company that has recently deployed an Amazon RDS instance in its VPC can use security groups to implement a stateful firewall that limits traffic to the private corporate network and limits network traffic directly to the RDS instance. Security groups act as an instance-level firewall to control inbound and outbound access.

AWS VPC Subnets

A subnet is a range of IP addresses in your VPC. You can attach AWS resources such as EC2 instances and RDS DB instances to subnets. Currently, you can make 200 subnets per VPC. By contrast, in Google Cloud, Virtual Private Cloud (VPC) networks are global resources; each VPC network consists of one or more IP address ranges called subnets, and those subnets are regional resources with IP address ranges associated with them. In Google Cloud, the terms subnet and subnetwork are synonymous.

• VPC - Virtual Private Cloud: private network to deploy your resources (regional resource)
• Subnets allow you to partition your network inside your VPC (Availability Zone resource)
• A public subnet is a subnet that is accessible from the Internet
• A private subnet is a subnet that is not accessible from the Internet
• To define access to the Internet and between subnets, we use Route Tables.

A company can create separate VPCs to host the resources when an isolated environment within AWS is required for security purposes.

AWS Internet Gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the Internet. The internet gateway supports IPv4 and IPv6 traffic. An internet gateway must be attached to the VPC. The route tables associated with your public subnet (including custom route tables) must have a route to the internet gateway. The security groups and network access control lists (ACLs) associated with the VPC must allow traffic to flow to and from the Internet. The purpose of having an internet gateway within a VPC is to allow communication between the VPC and the internet.

• Internet Gateways help our VPC instances connect with the Internet
• Public Subnets have a route to the internet gateway.

AWS Transit Gateway can help a large enterprise with multiple VPCs in several AWS Regions around the world to connect and centrally manage network connectivity between its VPCs. AWS Transit Gateway can be used to help simplify management and reduce operational costs for a pharmaceutical company that operates its infrastructure in a single AWS Region with thousands of VPCs in various AWS accounts that it wants to interconnect.

AWS NAT Gateways

NAT Gateway is a highly available AWS-managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet. A NAT device forwards traffic from the instances in the private subnet to the Internet or other AWS services and then sends the response back to the instances. In contrast, Internet Gateway allows resources in your VPC to access the Internet.

• NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the Internet while remaining private

AWS Security Groups

A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules govern the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. AWS Security Groups help you secure your cloud environment by controlling how traffic will be allowed into your EC2 machines. With Security Groups, you can ensure that all the traffic that flows at the instance level is only through your established ports and protocols. Network ACL acts as a VPC firewall at the subnet level.

• A firewall that controls traffic to and from an ENI / an EC2 Instance
• Can have only ALLOW rules
• Rules include IP addresses and other security groups

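Because security group rules can only allow, the practical audit question is which rules allow too much. The check below is an added example, not AWS code: it walks constructed security groups laid out in the shape the EC2 DescribeSecurityGroups API returns (IpPermissions, IpRanges, UserIdGroupPairs) and flags inbound rules open to the world on admin ports or for all traffic, while rules that reference another security group (the tier-to-tier, least-privilege pattern) pass. Group IDs and ports are made up.

```python
# Constructed security groups in the DescribeSecurityGroups shape; IDs are made up.
# "IpProtocol": "-1" is the API's value for "all traffic".
SECURITY_GROUPS = [
    {"GroupId": "sg-0web00000000001", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0app00000000002", "GroupName": "app-tier",
     "IpPermissions": [
         # Only the web tier's security group may reach 8080: no IP ranges at all.
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0web00000000001"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
]

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}   # SSH and RDP


def _port_span(perm):
    """Port range a rule covers; an all-traffic rule has no From/ToPort keys."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return (group_id, finding) for inbound rules that are open to the world
    on an admin port or for all traffic. SG-to-SG references are never flagged."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not ANY_SOURCE.intersection(cidrs):
                continue                      # scoped CIDR or SG reference only
            lo, hi = _port_span(perm)
            if perm["IpProtocol"] == "-1":
                findings.append((sg["GroupId"], "all traffic from anywhere"))
            elif any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append((sg["GroupId"], f"admin port open to anywhere ({lo}-{hi})"))
    return findings
```

Port 443 open to the world on the web tier is deliberately not flagged; the audit targets administrative exposure, not public services.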
AWS Network Access Control List

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. A network access control list (NACL) is a layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You can set up network ACLs with rules similar to your security groups to add a layer of security to your VPC.

• A firewall that controls traffic from and to subnet
• Can have ALLOW and DENY rules
• Are attached at the Subnet level
• Rules only include IP addresses

Network ACLs are stateless and evaluate their rules in order, starting with the lowest-numbered rule, when deciding whether to allow traffic.
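To make the stateless, lowest-number-first evaluation concrete, here is an added example (not AWS code) that models a network ACL for a public subnet and checks a TCP session leg by leg: the request and the reply are each matched against their own direction, so a reply is dropped unless an ephemeral-port rule exists for it. A security group, being stateful, would not need that rule. The rule set, addresses and port numbers are constructed for the example.

```python
import ipaddress

# Constructed NACL. Each rule is (rule_number, action, protocol, cidr, from_port, to_port).
# AWS evaluates from the lowest number up and stops at the first match; an implicit '*'
# deny ends every NACL. Inbound rules match on source CIDR and local destination port;
# outbound rules match on destination CIDR and remote destination port.
NACL = {
    "inbound": [
        (100, "allow", "tcp", "0.0.0.0/0",  443,  443),
        (110, "allow", "tcp", "10.0.0.0/8", 22,   22),      # SSH only from the corporate range
        (120, "deny",  "tcp", "0.0.0.0/0",  22,   22),
        (130, "allow", "tcp", "0.0.0.0/0",  1024, 65535),   # ephemeral: replies to our egress
    ],
    "outbound": [
        (100, "allow", "tcp", "0.0.0.0/0",  443,  443),
        (110, "allow", "tcp", "0.0.0.0/0",  1024, 65535),   # ephemeral: replies to inbound 443/22
    ],
}


def nacl_decision(direction, proto, remote_ip, dst_port, nacl=NACL):
    """Return (action, rule_number) of the first matching rule, or the '*' deny."""
    ip = ipaddress.ip_address(remote_ip)
    for number, action, rproto, cidr, lo, hi in sorted(nacl[direction]):
        if rproto == proto and lo <= dst_port <= hi and ip in ipaddress.ip_network(cidr):
            return action, number
    return "deny", "*"


def inbound_session(client_ip, client_port, server_port, proto="tcp", nacl=NACL):
    """Client -> instance. The request (inbound) and the reply (outbound, to the
    client's ephemeral port) are checked independently because the NACL keeps no state."""
    req = nacl_decision("inbound", proto, client_ip, server_port, nacl)
    rep = nacl_decision("outbound", proto, client_ip, client_port, nacl)
    return req[0] == "allow" and rep[0] == "allow", req, rep


def outbound_session(remote_ip, remote_port, local_port, proto="tcp", nacl=NACL):
    """Instance -> remote service; the reply arrives inbound on local_port."""
    req = nacl_decision("outbound", proto, remote_ip, remote_port, nacl)
    rep = nacl_decision("inbound", proto, remote_ip, local_port, nacl)
    return req[0] == "allow" and rep[0] == "allow", req, rep
```

Dropping inbound rule 130 leaves every outbound HTTPS request allowed but every reply denied, which is the classic symptom of treating a NACL as if it were stateful.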

AWS VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you create a flow log, you can retrieve and view its data in the chosen destination. New Flow Logs will appear in the Flow Logs tab of the VPC dashboard. The log group will be created approximately 15 minutes after you create a new Flow Log. You can access them via the CloudWatch Logs dashboard.

• Capture information about the IP traffic going into your interfaces:
  • VPC Flow Logs
  • Subnet Flow Logs
  • Elastic Network Interface Flow Logs
• Helps to monitor & troubleshoot connectivity issues. Examples:
  • Subnets to the Internet
  • Subnets to subnets
  • Internet to subnets
• Captures network information from AWS-managed interfaces: Elastic Load Balancers, ElastiCache, RDS, Aurora, etc.
• VPC Flow Logs data can go to S3 / CloudWatch Logs

VPC Flow Logs can be used to capture information about inbound and outbound traffic in an Amazon VPC.
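Flow log records are whitespace-separated lines; in the default format the fields are version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action and log-status. The parser below is an added example (not AWS code) that reads constructed sample records, keeps NODATA records visible so coverage gaps show up, and answers two defender questions: which sources are being rejected across several ports, and which sources actually reached SSH. The account ID, ENI ID and addresses are made up.

```python
from collections import defaultdict

# Constructed sample records in the default VPC Flow Logs format. Protocol 6 = TCP.
# The last line is a NODATA record: the ENI saw no traffic in that window, so the
# traffic fields are '-'.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.25 51234 22 6 3 180 1620000000 1620000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.25 51235 3389 6 2 120 1620000000 1620000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.25 51236 445 6 2 120 1620000001 1620000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.25 40211 443 6 20 9000 1620000002 1620000062 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f 10.0.1.25 198.51.100.7 443 40211 6 18 15000 1620000002 1620000062 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f 10.0.2.8 10.0.1.25 55000 22 6 6 620 1620000010 1620000070 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f - - - - - - - 1620000100 1620000160 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """One dict per record. '-' fields (NODATA/SKIPDATA) become None for numeric
    columns and are kept so the caller can see where logging had no data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        for key in NUMERIC:
            rec[key] = None if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def rejected_by_source(records, min_ports=3):
    """Sources whose rejected TCP flows hit at least min_ports distinct destination
    ports on this interface: a NACL or security-group deny pattern worth alerting on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_ssh_sources(records):
    """Sources that successfully reached port 22; compare against the bastion list."""
    return sorted({r["srcaddr"] for r in records
                   if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22})
```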

AWS VPC Peering

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. A VPC peering connection is a networking connection between two VPCs that allows you to route traffic between them using private IPv4 addresses or IPv6 addresses. You must associate an IPv6 CIDR block with each VPC, enable the instances in the VPCs for IPv6 communication, and add routes to your route tables that route IPv6 traffic intended for the peer VPC to the VPC peering connection.

• Connect two VPCs, privately using AWS’ network
• Make them behave as if they were in the same network
• Must not have overlapping CIDR (IP address range)
• VPC Peering connection is not transitive (must be established for each VPC that needs to communicate with one another)

VPC peering is designed for when a company needs to establish a connection between two VPCs. This lets the company use the existing infrastructure of the VPCs for this connection even if the VPCs are located in two different AWS Regions.

AWS VPC Endpoints

A VPC endpoint lets you privately connect your VPC to supported AWS services. It doesn’t require deploying an internet gateway, network address translation (NAT) device, Virtual Private Network (VPN) connection, or AWS Direct Connect connection. Amazon VPC offers two types of endpoints: gateway endpoints and interface endpoints. AWS Direct Connect can be used to create a private connection between an on-premises workload and an AWS Cloud workload.

• Endpoints allow you to connect to AWS Services using a private network instead of the public www network
• This gives you enhanced security and lower latency to access AWS services
• VPC Endpoint Gateway: S3 & DynamoDB
• VPC Endpoint Interface: the rest

If a company that is generating large sets of critical data in its on-premises data center needs to securely transfer the data to AWS for processing, it can use AWS Direct Connect so that transfers occur daily over a dedicated connection.

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public Internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to simplify your network architecture significantly. AWS PrivateLink allows connectivity to services across other accounts and Amazon VPCs without requiring route table modifications. There is no longer a need to configure an internet gateway, VPC peering connection, or Transit VPC to enable connectivity.

• Most secure & scalable way to expose a service to 1000s of VPCs
• Does not require VPC peering, internet gateway, NAT, route tables…
• Requires a network load balancer (Service VPC) and ENI (Customer VPC)

AWS Direct Connect

AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services. AWS Direct Connect enables customers to have low latency, secure and private connections to AWS for workloads that need higher speed or lower latency than the Internet. Direct Connect provides Amazon Web Services (AWS) customers with a way to transfer data that does not involve using the public Internet. According to Amazon, private network connections provide a safer, more consistent network experience than Internet-based connections.

• Direct Connect (DX)
• Establish a physical connection between on-premises and AWS
• The connection is private, secure, and fast
• Goes over a private network
• Takes at least a month to establish

To migrate its applications from an on-premises data center to a VPC in the AWS Cloud when those applications will still need to access on-premises resources, a company would create a VPN connection between an on-premises device and a virtual private gateway in the VPC, and set up an AWS Direct Connect connection between the on-premises data center and AWS.

AWS Site-to-Site VPN

AWS Site-to-Site VPN is a fully managed service that creates a secure connection between your data center or branch office and your AWS resources using IP Security (IPsec) tunnels.

Site-to-Site VPN Components

• Virtual private gateway
• Transit gateway
• Customer gateway device
• Customer gateway

• Site to Site VPN
• Connect an on-premises VPN to AWS
• The connection is automatically encrypted
• Goes over the public Internet

• On-premises: must use a Customer Gateway (CGW)
• AWS: must use a Virtual Private Gateway (VGW)

Virtual private gateway and Customer gateway are two components of an AWS Site-to-Site VPN connection.

AWS Client VPN

AWS Client VPN is a fully managed remote access VPN solution used by your remote workforce to access resources within both AWS and your on-premises network securely. Fully elastic, it automatically scales up or down based on demand. AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN lets you securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN lets you securely connect users to AWS or on-premises networks.

• Connect from your computer using OpenVPN to your private network in AWS and on-premises
• Allows you to connect to your EC2 instances over a private IP (just as if you were in the private VPC network)

A company that is moving its office and must establish an encrypted connection to AWS can use AWS VPN to meet its requirement.

AWS Transit Gateway

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router, with each new connection being created once.

• For having transitive peering between thousands of VPCs and on-premises networks, in a hub-and-spoke (star) connection
• One single Gateway to provide this functionality
• Works with Direct Connect Gateway, VPN connections

In Summary

• VPC: Virtual Private Cloud
• Subnets: Tied to an AZ; a network partition of the VPC
• Internet Gateway: at the VPC level, provides Internet access
• NAT Gateway / Instances: give internet access to private subnets
• NACL: Stateless, subnet rules for inbound and outbound
• Security Groups: Stateful, operate at the EC2 instance level or ENI. Security groups make network routing and traffic between the various applications follow the security principle of least privilege. This is perfect for a company that has multiple applications and is now building a new multi-tier application hosted on Amazon EC2 instances.
• VPC Peering: Connect two VPCs with non-overlapping IP ranges, nontransitive

• VPC Endpoints: Provide private access to AWS Services within VPC
• PrivateLink: Privately connect to a service in a 3rd party VPC
• VPC Flow Logs: network traffic logs
• Site to Site VPN: VPN over the public Internet between on-premises DC and AWS
• Client VPN: OpenVPN connection from your computer into your VPC
• Direct Connect: direct private connection to AWS
• Transit Gateway: Connect thousands of VPCs and on-premises networks together

A VPC can span all Availability Zones within an AWS Region.