Amazon Virtual Private Cloud (Amazon VPC) is an AWS service that lets customers create their own virtual network inside the AWS cloud and launch AWS resources into it. A VPC logically isolates a section of the AWS cloud; customers can think of it as their own network of machines and databases that lives entirely inside Amazon's infrastructure but is managed much as a network in their own data center would be. Combined with a virtual private network (VPN) connection or AWS Direct Connect, a VPC becomes an extension of the customer's data center in the cloud, with complete control over how the networking is configured.
- A virtual private cloud (VPC) is a virtual network dedicated to customers’ AWS accounts.
- This virtual network closely resembles a traditional network that would operate in customers’ own data center, with the benefits of using the scalable infrastructure of AWS.
- It is logically isolated from other virtual networks in the AWS Cloud.
- Customers can launch their AWS resources, such as Amazon EC2 instances, into their VPC.
- Customers can also specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.
- Customers must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block when creating the VPC. The primary CIDR block cannot be changed after the VPC is created (secondary CIDR blocks can be associated later, but the primary range should still be sized for growth and chosen so it does not overlap any network the VPC will later peer or VPN with).
- Amazon gives customers complete freedom to host their applications in the cloud and at the same time lets them interact with the applications running in their data center.
- Customers control and customize their virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables, network gateways, and security settings.
- Customers can add a further layer of control with security groups and network access control lists, and can store data in Amazon S3 and restrict access so that it is reachable only from instances inside their VPC.
TYPES OF Amazon Virtual Private Cloud
The Amazon VPC service has two different networking platforms within AWS:
- EC2-Classic:– Amazon EC2 originally launched with a single, flat network shared with other customers. AWS accounts created before the arrival of the Amazon VPC service could launch instances into either the EC2-Classic network or EC2-VPC. (EC2-Classic has since been retired, so it is relevant today mainly as background.)
- An EC2-Classic instance receives a public IPv4 address from the EC2-Classic public IPv4 address pool.
- Non-default VPC:– A non-default VPC (also called a customer VPC) is not created automatically when EC2 resources are provisioned; the customer creates it, configures it (CIDR block, subnets, route tables, gateways, security groups) and then provisions resources into it.
- An instance launched into a non-default VPC does not receive a public IPv4 address unless the customer specifies otherwise during launch or modifies the subnet's public IPv4 address attribute; it always receives a private IPv4 address from the subnet's range.
EC2-VPC:– AWS accounts that support EC2-VPC have a default VPC created in each Region, with a default subnet created in each Availability Zone. The CIDR block of the default VPC is 172.31.0.0/16 and each default subnet is a /20 carved from it.
A default VPC is a virtual network that AWS creates automatically for the customer's account, so EC2 resources can be provisioned without any networking set-up.
- The default VPC is created by AWS, not by the customer; it can be modified or deleted like any other VPC, and re-created if it was deleted.
- The default VPC (and one of its default subnets) is used when an instance is launched without specifying a subnet.
- Internet access is available by default: the default VPC has an internet gateway, public subnets, and a main route table with a route to that gateway.
- Customers can immediately start launching Amazon EC2 instances into their default VPC.
- An instance launched in a default subnet receives a public IPv4 address by default unless customers specify otherwise during launch or modify the subnet's public IPv4 address attribute.
- Customers can also use services such as Elastic Load Balancing, Amazon RDS, and Amazon EMR in their default VPC.
- A default VPC is suitable for getting started quickly and for launching public instances such as a blog or simple website. Because every default subnet is public and auto-assigns public IPv4 addresses, workloads that should not be reachable from the internet belong in a purpose-built VPC with private subnets.
- Some of the features available in a VPC (including the default VPC) that EC2-Classic lacked are:
- Option to change security group membership almost instantly
- Security group egress filtering
- Multiple IP addresses per instance
- Multiple network interfaces, without having to explicitly create a VPC first
Create multiple virtual networks (VPCs) inside the AWS cloud.
- Connect a VPC with other VPCs and access resources in them via private IP addresses using VPC peering.
- Enable both IPv4 and IPv6 in a VPC.
Create multiple subnets within each VPC. Each subnet can be in only one Availability Zone. A subnet can be private (not reachable from the internet) or public (reachable from the internet).
- Instances in a private subnet generally do not have public IP addresses.
- Customers attach an internet gateway to the VPC and route a subnet's internet-bound traffic to it to make that subnet publicly accessible.
- Add a NAT gateway to allow a private subnet to reach the internet for outbound connections without accepting inbound ones.
- Connect privately to supported AWS services through a VPC endpoint, without an internet gateway, NAT device, or firewall proxy.
Allow a secure private connection between a VPC and the customer's own data center using a Site-to-Site VPN connection. The connection has three parts:
- A virtual private gateway attached to the VPC
- The VPN connection itself (two IPsec tunnels, for redundancy)
- A customer gateway in the customer's data center.
Enable EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses (ClassicLink, retired together with EC2-Classic).
- Associate VPC security groups with instances on EC2-Classic.
- Store data in Amazon S3 and set permissions such that the data can only be accessed from within the VPC.
Create Elastic IP addresses and attach them to NAT gateways or to instances. Customers can assign multiple IP addresses and attach multiple elastic network interfaces to instances in their VPC.
- Attach one or more Elastic IP addresses to any instance in the VPC so that it can be reached directly from the internet.
- Divide the VPC's private IP address range into one or more public or private subnets to facilitate running applications and services in the VPC.
Manage inbound and outbound traffic for a subnet: route tables decide where traffic is sent, network ACLs decide whether it is permitted.
- Use Amazon VPC Traffic Mirroring to capture and mirror network traffic from the elastic network interfaces of Amazon EC2 instances.
- Intercept and analyze ingress and egress traffic using a network and security appliance, including third-party offerings.
A subnet is a segment of a VPC’s IP address range where customers can place groups of isolated resources.
- Each subnet must reside entirely within one Availability Zone and cannot span zones.
- When customers create a subnet, they specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.
- Each subnet must be associated with a route table, which specifies the routes for traffic leaving the subnet. Every subnet the customer creates is implicitly associated with the VPC's main route table until it is explicitly associated with another.
- Customers use a public subnet for resources that must be reachable from the internet.
- A public subnet is a subnet whose route table has a route to an internet gateway. It is usually set up so that:
- "Auto-assign public IPv4 address" is set to "Yes" (otherwise each instance needs an Elastic IP address to be reachable).
- The subnet's route table has a route (normally 0.0.0.0/0) whose target is the VPC's internet gateway.
- That route table is a custom one rather than the main route table, so that subnets left on the main table do not become public by accident.
- This enables instances in the subnet to communicate directly with the internet over IPv4.
- A private subnet is a subnet that doesn't have a route to the internet gateway.
- Instances with private IPv4 addresses in the subnet range can communicate with each other and with other instances in the VPC.
- Instances in a private subnet are typically back-end servers: they don't need to accept incoming traffic from the internet and therefore have no public IP addresses, but they can still send requests to the internet through a NAT gateway.
- The subnet's route table (often the main route table) carries a 0.0.0.0/0 route whose target is the NAT gateway rather than the internet gateway.
- This enables instances in the subnet to reach the internet through the NAT gateway over IPv4 while remaining unreachable from it.
- If a subnet doesn't have a route to the internet gateway but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.
- AWS provides two features that customers can use to increase security in their VPC: security groups and network ACLs.
- Security groups control inbound and outbound traffic at the instance (network interface) level and are stateful: the reply to permitted traffic is allowed automatically.
- Network ACLs control inbound and outbound traffic at the subnet level and are stateless: replies must be permitted by explicit rules in the opposite direction.
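The subnet rules above (a subnet CIDR must be a subset of the VPC CIDR, subnets must not overlap, and AWS keeps five addresses of every subnet for itself) are easy to get wrong by hand. The following is an added example, not code from the original page or from AWS: it carves a VPC CIDR into one public and one private subnet per Availability Zone with Python's standard `ipaddress` module and enforces those rules. The /16 to /28 size limits and the five reserved addresses (network, VPC router, Route 53 Resolver, reserved, broadcast) are documented VPC behaviour; the two-tier layout in `plan_two_tier` is an assumption made for the example.

```python
"""Subnet planning for a VPC CIDR block.

Added illustration, not AWS code. It applies the documented VPC rules: VPC and
subnet CIDR blocks must be between /16 and /28, every subnet must lie inside
the VPC block, subnets must not overlap, and AWS reserves the first four and
the last address of every subnet (network address, VPC router, Route 53
Resolver, reserved for future use, network broadcast). The two-tier layout in
plan_two_tier is an assumption made for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

RESERVED_PER_SUBNET = 5


@dataclass
class Vpc:
    cidr: ipaddress.IPv4Network
    subnets: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)

    def __post_init__(self):
        self.cidr = ipaddress.ip_network(self.cidr, strict=True)
        if not 16 <= self.cidr.prefixlen <= 28:
            raise ValueError(f"VPC CIDR {self.cidr} must be between /16 and /28")

    @property
    def dns_resolver(self) -> ipaddress.IPv4Address:
        # AmazonProvidedDNS answers at the VPC base address plus two (10.0.0.2 for 10.0.0.0/16)
        return self.cidr.network_address + 2

    def add_subnet(self, name: str, cidr: str) -> ipaddress.IPv4Network:
        net = ipaddress.ip_network(cidr, strict=True)
        if not 16 <= net.prefixlen <= 28:
            raise ValueError(f"subnet {net} must be between /16 and /28")
        if not net.subnet_of(self.cidr):
            raise ValueError(f"subnet {net} is not inside VPC CIDR {self.cidr}")
        for other_name, other in self.subnets.items():
            if net.overlaps(other):
                raise ValueError(f"subnet {net} overlaps {other_name} ({other})")
        self.subnets[name] = net
        return net

    def usable_hosts(self, name: str) -> int:
        return self.subnets[name].num_addresses - RESERVED_PER_SUBNET

    def reserved_addresses(self, name: str) -> List[ipaddress.IPv4Address]:
        net = self.subnets[name]
        base = net.network_address
        return [base, base + 1, base + 2, base + 3, net.broadcast_address]


def plan_two_tier(vpc_cidr: str, az_count: int,
                  public_prefix: int = 24, private_prefix: int = 22) -> Vpc:
    """One public subnet and one (larger) private subnet per Availability Zone.
    Public blocks are taken from the start of the VPC range, private blocks from
    the first private-sized boundary after them, so nothing overlaps."""
    vpc = Vpc(vpc_cidr)
    publics = list(vpc.cidr.subnets(new_prefix=public_prefix))
    for i in range(az_count):
        vpc.add_subnet(f"public-{i}", str(publics[i]))
    first_free = publics[az_count - 1].broadcast_address + 1
    privates = [n for n in vpc.cidr.subnets(new_prefix=private_prefix)
                if n.network_address >= first_free]
    for i in range(az_count):
        vpc.add_subnet(f"private-{i}", str(privates[i]))
    return vpc


if __name__ == "__main__":
    v = plan_two_tier("10.0.0.0/16", az_count=3)
    for name, net in v.subnets.items():
        print(f"{name:10} {str(net):16} usable hosts: {v.usable_hosts(name)}")
    print("VPC DNS resolver:", v.dns_resolver)
```

Running the script plans three public /24s and three private /22s inside 10.0.0.0/16; each /24 offers 251 usable addresses rather than 254 because of the five reserved ones, and the resolver address 10.0.0.2 is the one to allow in egress rules when instances must reach AmazonProvidedDNS.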
A route table contains a set of rules, called routes, that determine where network traffic from a subnet or gateway is directed. Every VPC has an implicit router, and route tables control where that router sends traffic.
Each subnet in the VPC must be associated with a route table, which controls the routing for the subnet (the subnet route table).
Customers can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.
A subnet can be associated with only one route table at a time, but one route table can be associated with many subnets.
When customers create a VPC, it automatically has a main route table. The main route table controls the routing for all subnets that are not explicitly associated with any other route table.
By default, when customers create a non-default VPC, the main route table contains only a local route, which covers the VPC's CIDR block and lets instances in different subnets talk to each other.
Customers can add, remove, and modify routes in the main route table, but the local route cannot be modified or removed. Historically no route could be more specific than the local route; AWS now allows a more specific route inside the VPC CIDR only when its target is a network interface or Gateway Load Balancer endpoint, so that traffic between subnets can be steered through an inspection appliance. The main route table cannot be deleted, but another route table can be set as the main one. When several routes match, the most specific one is used.
Customers can also associate a route table with an internet gateway or a virtual private gateway (an edge association). When a route table is associated with a gateway, it is referred to as a gateway route table; it controls where inbound traffic arriving through that gateway is sent.
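To make the route selection rules concrete, here is an added example (not AWS code, and not from the original page) that models a subnet route table: the local route is created with the table and cannot be replaced, lookups use longest-prefix match, a more specific route inside the VPC CIDR is accepted only for an appliance target, and `classify_subnet` applies the public / private / VPN-only definitions from the subnet section. The target identifiers (`igw-...`, `nat-...`, `pcx-...`, `vgw-...`, `eni-...`) are made up, and treating only `eni-` and `vpce-` targets as appliance targets is a simplification.

```python
"""Route resolution by the VPC implicit router.

Added illustration, not AWS code. The local route is created with the table and
cannot be removed or overridden; the most specific matching route wins; a route
more specific than the local route is accepted only when it points at an
appliance target (network interface or Gateway Load Balancer endpoint), which
is the inspection use case AWS allows it for. Target identifiers such as
igw-..., nat-..., pcx-..., vgw-..., eni-... are made up.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional

LOCAL = "local"
APPLIANCE_PREFIXES = ("eni-", "vpce-")  # targets allowed to override intra-VPC routing


@dataclass
class RouteTable:
    name: str
    vpc_cidr: str
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)

    def __post_init__(self):
        self.vpc_cidr = ipaddress.ip_network(self.vpc_cidr)
        self.routes[self.vpc_cidr] = LOCAL  # present in every table, cannot be deleted

    def add_route(self, destination: str, target: str) -> None:
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc_cidr:
            raise ValueError("the local route cannot be replaced")
        if dest.subnet_of(self.vpc_cidr) and not target.startswith(APPLIANCE_PREFIXES):
            raise ValueError(f"{dest} is more specific than the local route {self.vpc_cidr}; "
                             "only an appliance target may claim part of the VPC range")
        self.routes[dest] = target

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match; None means no route and the packet is dropped."""
        ip = ipaddress.ip_address(address)
        matches = [(net.prefixlen, target) for net, target in self.routes.items() if ip in net]
        return max(matches)[1] if matches else None


def classify_subnet(rt: RouteTable) -> str:
    """Public, private or VPN-only, following the definitions in the text."""
    targets = list(rt.routes.values())
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets) and not any(t.startswith("nat-") for t in targets):
        return "vpn-only"
    return "private"


if __name__ == "__main__":
    public = RouteTable("public-rt", "10.0.0.0/16")
    public.add_route("0.0.0.0/0", "igw-0a1b2c3d")
    public.add_route("10.1.0.0/16", "pcx-peer")         # peered VPC with a non-overlapping CIDR
    public.add_route("10.0.20.0/24", "eni-firewall")    # intra-VPC inspection route
    for dst in ("10.0.5.4", "10.0.20.9", "10.1.2.3", "8.8.8.8"):
        print(f"{dst:12} -> {public.lookup(dst)}")
    print("public-rt is", classify_subnet(public))
```

The example also shows why a peering route must not overlap the VPC CIDR: 10.1.0.0/16 resolves to the peering connection only because it lies outside 10.0.0.0/16, while 10.0.20.9 is pulled away from the local route by the more specific appliance route.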
- An internet gateway serves two purposes:
- To provide a target in the VPC's route tables for internet-routable traffic, and
- To perform one-to-one network address translation (NAT) for instances that have been assigned public IPv4 addresses.
- When an instance receives traffic from the internet, the internet gateway translates the destination address (the public IPv4 address) to the instance's private IPv4 address and forwards the traffic into the VPC; for traffic leaving the instance it translates the private source address back to the public one. The instance itself only ever sees its private address.
- An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in the VPC to the internet, and prevents the internet from initiating an IPv6 connection with those instances. It is the IPv6 counterpart of a NAT gateway, needed because IPv6 addresses in a VPC are globally unique and publicly routable, so there is no private address to hide behind.
- An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the internet or other AWS services, and then sends the responses back to the instances.
- An egress-only internet gateway has the following characteristics:
- Customers cannot associate a security group with an egress-only internet gateway.
- Customers can use security groups for the instances in the private subnet to control the traffic to and from those instances.
- Customers can use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic.
- To use an internet gateway, the subnet's route table must contain a route that directs internet-bound traffic to the internet gateway.
- To enable communication over the internet for IPv4, the instance must have a public IPv4 address or an Elastic IP address that is associated with a private IPv4 address on the instance.
- To enable communication over the internet for IPv6, the VPC and subnet must have an associated IPv6 CIDR block, the instance must be assigned an IPv6 address from the subnet's range, and the route table needs an IPv6 route (::/0) to the internet gateway or the egress-only internet gateway.
A VPC endpoint is a network component that connects resources in a VPC to supported AWS services without requiring public IP addresses. With a VPC endpoint, instances don't need a NAT device, VPN connection, internet gateway, or AWS Direct Connect to reach a supported service; the traffic stays on the AWS network. There are two types of VPC endpoints:
- Interface endpoints:– An interface endpoint is an elastic network interface with a private IP address from the subnet's range that serves as the entry point for traffic to a service, such as CloudFormation, Elastic Load Balancing, SNS, and many others.
- An interface VPC endpoint enables customers to connect to services powered by AWS PrivateLink. These include many AWS services, services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
- Traffic from VPC resources to the endpoint network interface is controlled by the security group rules attached to the endpoint. AWS PrivateLink then carries the traffic to the service without going over the internet.
- AWS charges an hourly rate per endpoint network interface plus a data processing rate for interface endpoints.
- Gateway endpoints:– A gateway endpoint is a target for a route in a route table that connects VPC resources to Amazon S3 or DynamoDB. Traffic to those services from instances in an associated subnet is routed to the endpoint instead of to the internet gateway or NAT gateway.
- A VPC may have multiple gateway endpoints to different services in one route table, or multiple gateway endpoints to the same service in different route tables.
- Gateway endpoints do not use PrivateLink.
- AWS doesn't charge extra for using gateway endpoints, unlike interface endpoints.
- Both endpoint types accept an endpoint policy (an IAM resource policy attached to the endpoint) that restricts which principals, actions and resources can be reached through it. The default policy allows full access, so a practitioner hardening a VPC should tighten it and, for S3, pair it with a bucket policy that denies requests not arriving through the endpoint.
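The page mentions twice that S3 data can be restricted so it is reachable only from inside the VPC. The standard way to do that is a bucket policy whose Deny statement uses the `aws:SourceVpce` condition key, and the following added example (not AWS code, and not from the original page) builds that policy and checks sample requests against it. The bucket name and endpoint ID are made up; `is_allowed` implements only the slice of IAM evaluation the policy depends on (an explicit Deny overrides any Allow, and a negated string condition is true when the key is absent from the request), with unsupported condition operators treated as satisfied.

```python
"""Lock an S3 bucket to a VPC endpoint and check requests against the policy.

Added illustration, not AWS code. vpc_only_bucket_policy emits the standard
aws:SourceVpce pattern; is_allowed implements only the slice of IAM evaluation
this policy depends on (an explicit Deny overrides any Allow, and a negated
string condition is true when the key is absent from the request). The bucket
name and endpoint ID are made up.
"""
import json
from typing import Any, Dict, List


def vpc_only_bucket_policy(bucket: str, vpce_id: str) -> Dict[str, Any]:
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            # a Deny with StringNotEquals fires for any request whose aws:SourceVpce
            # differs from ours, including internet requests that carry no such key
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern: str, arn: str) -> bool:
    return arn == pattern or (pattern.endswith("/*") and arn.startswith(pattern[:-1]))


def _action_matches(pattern: str, action: str) -> bool:
    return pattern in ("*", action) or (pattern.endswith(":*") and action.startswith(pattern[:-1]))


def _conditions_hold(conditions: Dict[str, Dict[str, str]], context: Dict[str, str]) -> bool:
    # Only StringEquals / StringNotEquals are modelled; other operators are treated as satisfied.
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the request carries no such key
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _statement_matches(statement: Dict[str, Any], request: Dict[str, Any]) -> bool:
    return (any(_resource_matches(r, request["resource"]) for r in _as_list(statement["Resource"]))
            and any(_action_matches(a, request["action"]) for a in _as_list(statement["Action"]))
            and _conditions_hold(statement.get("Condition", {}), request.get("context", {})))


def is_allowed(policy: Dict[str, Any], request: Dict[str, Any], allowed_by_identity: bool = True) -> bool:
    """allowed_by_identity models an IAM policy on the caller that grants the action;
    an explicit Deny in the bucket policy still wins over it."""
    statements = policy["Statement"]
    if any(s["Effect"] == "Deny" and _statement_matches(s, request) for s in statements):
        return False
    return allowed_by_identity or any(s["Effect"] == "Allow" and _statement_matches(s, request)
                                      for s in statements)


if __name__ == "__main__":
    policy = vpc_only_bucket_policy("example-private-data", "vpce-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    get_object = {"action": "s3:GetObject", "resource": "arn:aws:s3:::example-private-data/report.csv"}
    print("from the endpoint:", is_allowed(policy, {**get_object, "context": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}))
    print("from the internet:", is_allowed(policy, get_object))
```

Because the Deny applies to every principal, it also locks out administrators working from the console or a laptop; in practice the condition is extended with an exception for a break-glass role before the policy is applied, and the policy is tested against a non-production bucket first.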
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the customer's VPC and the internet.
Dynamic Host Configuration Protocol(DHCP)
Dynamic Host Configuration Protocol (DHCP) is an application-layer protocol used to supply hosts with network configuration such as the subnet mask, router (default gateway) address, DNS server addresses, and a vendor class identifier.
- The key word in DHCP is "dynamic": instead of having one fixed IP address, most computers are assigned an available address from a subnet or "pool" allocated to the network.
- The application layer is at the top of the OSI model. It is the layer through which users interact, and it provides services to applications.
- The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a computing system without regard to its underlying internal structure and technology.
- DHCP provides a standard for passing configuration information to hosts on a TCP/IP network.
- DHCP is based on a client-server model and on a discover, offer, request, acknowledge exchange.
- A DHCP server is a computer on the network that has a number of IP addresses at its disposal to assign to the hosts on that network.
- AWS automatically creates and associates a DHCP option set with a VPC upon creation. In a VPC the IP address an instance receives is determined by its network interface, not by the option set; the option set controls the DNS servers, domain name, NTP and NetBIOS settings handed to instances.
- DHCP leases expire after a set time. When DHCP assigns an IP address it leases it to the host for a specific period, after which the host must renew it; the lease length is a server setting, and a few days is a common default.
- AmazonProvidedDNS is an Amazon DNS server (the Route 53 Resolver, reachable at the VPC's base address plus two, for example 10.0.0.2 in 10.0.0.0/16), and this option enables DNS for instances that need to communicate over the VPC's internet gateway.
- The options field of a DHCP message contains the configuration parameters. Those supported in a VPC option set include:
- domain-name:– The domain name to use (defaults to the Region's domain: ec2.internal in us-east-1 and region.compute.internal elsewhere).
- domain-name-servers:– The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
- ntp-servers:– The IP addresses of up to four Network Time Protocol servers.
- netbios-name-servers:– The IP addresses of up to four NetBIOS name servers, separated by commas.
- netbios-node-type:– The NetBIOS node type; AWS recommends 2 (point-to-point), since broadcast and multicast are not supported in a VPC.
Domain Name System (DNS)
The Domain Name System (DNS) is a distributed directory that resolves human-readable hostnames, such as www.example.com, into machine-readable IP addresses such as 10.6.57.203.
- A DNS hostname is the unique, absolute name of a computer, composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
- DNS is also a directory of crucial information about domain names, such as email servers (MX records), sender verification (DKIM, SPF, DMARC), TXT records used to prove domain ownership, and even SSH host-key fingerprints (SSHFP).
- When customers launch an instance into a default VPC, AWS provides the instance with public and private DNS hostnames that correspond to its public IPv4 and private IPv4 addresses. When they launch an instance into a non-default VPC, AWS provides a private DNS hostname, and a public one only if the VPC's DNS hostnames attribute is enabled and the instance has a public IPv4 address.
- The Amazon-provided private (internal) DNS hostname resolves to the private IPv4 address of the instance. The public hostname resolves to the public IPv4 address from outside the VPC but to the private IPv4 address from inside it, so traffic between instances stays on the private network.
DHCP is at the heart of assigning every host its IP address. The key word here is protocol: a defined set of rules and steps that works the same way for every computer, everywhere. Without an IP address a host could not receive the data it requested; the address is what tells the network where to deliver a web page, an email, or any other response.
Public IP address:- A public IP address is an address assigned to a computing device to allow direct access over the internet. A web server, email server, or any server device that must be directly reachable from the internet is a candidate for a public IP address. A public IP address is globally unique and can be assigned to only one device at a time.
Private IP address:- A private IP address comes from the address space reserved by RFC 1918 so that organizations can build their own private networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These addresses are not routed on the public internet. The computers, tablets, and smartphones in a home network, and the personal computers within an organization, are usually assigned private IP addresses, and a VPC's CIDR block is normally chosen from these ranges too.
Elastic Network Interfaces
An elastic network interface (ENI) is a virtual network interface that can be attached to an instance in a VPC. It is a logical networking component in a VPC that represents a virtual network card.
- An ENI behaves much like the network card of a server in a traditional data center network, with the benefits of AWS's scalable infrastructure.
- ENIs exist only within an Amazon VPC and are associated with a subnet upon creation. An ENI can have one primary and several secondary private IPv4 addresses, one public IPv4 address, and one Elastic IP address per private IPv4 address.
- An ENI has many attributes, such as a primary private IPv4 address, a MAC address, one or more security groups, one or more IPv6 addresses, a source/destination check flag, and more.
- These attributes follow the ENI: they stay with it when it is detached from one instance and attached to another.
- Every instance in a VPC has a primary network interface (eth0), which is assigned a private IPv4 address from the VPC's IPv4 address range.
- This primary ENI cannot be detached from an instance. Customers can, however, create and attach additional ENIs to instances in a VPC (how many depends on the instance type).
- An ENI created independently of a particular instance persists regardless of the lifetime of any instance to which it is attached; if the underlying instance fails, its IP addresses can be preserved by attaching the ENI to a replacement instance.
- ENIs allow customers to create a management network, use network and security appliances in their VPC, create dual-homed instances with workloads on distinct subnets, or build a low-budget, high-availability solution.
A VPC peering connection is a networking connection between two VPCs that enables customers to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network.
- AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and it does not rely on a separate piece of physical hardware.
- There is no single point of failure for communication and no bandwidth bottleneck.
- A VPC peering connection helps customers transfer data between VPCs, and can be used to give other VPCs access to resources that customers keep in one of their VPCs.
- The two VPCs must not have overlapping CIDR blocks, each side must add a route for the other's CIDR pointing at the peering connection, and peering is not transitive: if A is peered with B and B with C, A cannot reach C through B.
- Customers can establish peering relationships between VPCs across different AWS Regions (also called inter-Region VPC peering).
- Inter-Region VPC peering allows VPC resources including EC2 instances, Amazon RDS databases and Lambda functions that run in different AWS Regions to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances.
- It also provides a simple and cost-effective way to share resources between Regions or replicate data for geographic redundancy.
Elastic IP address
An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing: because it belongs to the account rather than to an instance, it can be remapped quickly from a failed instance to a replacement. Customers can associate an Elastic IP address with any instance or network interface in any VPC in their account.
An Elastic IP address is a public IP address that is also static. It lets clients keep a fixed, internet-facing address for their AWS instances even as the instances behind it change.
- A dynamic IP address is the most common for average customers. It changes from time to time, which saves customers and ISPs address space and cost.
- Static IP addresses do not change. They are common for business and cloud computing, which is why AWS offers them through Elastic IP addresses.
- By default an account is limited to five Elastic IP addresses per Region (a soft limit that can be raised on request), because public IPv4 addresses are scarce.
- An Elastic IP address is reached through the internet gateway of the VPC.
- An Elastic IP address is a property of network interfaces. Customers associate an Elastic IP address with an instance by associating it with a private IPv4 address on the network interface attached to the instance.
- There are differences between an Elastic IP address used in a VPC and one used in EC2-Classic:
- In EC2-Classic, an Elastic IP address is disassociated from the instance when the instance is stopped.
- In a VPC, an Elastic IP address remains associated with the instance when it is stopped.
Network Access Control Lists (ACLs)
A network access control list (network ACL) is an optional layer of security for a VPC that acts as a firewall for controlling traffic in and out of one or more subnets. In other words, network ACLs are traffic filters that control incoming and outgoing traffic at the subnet boundary.
- Every VPC automatically comes with a modifiable default network ACL, which allows all inbound and outbound traffic.
- Customers can create a custom network ACL and associate it with a subnet; a newly created custom network ACL denies all inbound and outbound traffic until rules are added. Each subnet in the VPC must be associated with a network ACL; a subnet that is not explicitly associated with one is automatically associated with the default network ACL.
- A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The first rule that matches is applied, and traffic that matches no rule hits the final "*" rule, which denies it.
- A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
- Each rule specifies a protocol, a destination port range, a source (inbound) or destination (outbound) CIDR block, and an allow or deny action.
- A network ACL is stateless: it only inspects the packet in front of it, so the reply half of a connection must be explicitly allowed in the opposite direction (typically by permitting the ephemeral port range 1024-65535), and it does not filter traffic between instances in the same subnet.
- The main idea behind using a network ACL is to add a coarse, subnet-wide guard in front of the security groups: it is the only place in a VPC where a specific source range can be denied for a whole subnet, since security groups can only allow.
- Network ACL rules are enforced in the VPC's forwarding plane rather than on the instances, so they add no load to the instances themselves.
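The evaluation order and the stateless behaviour described above are where network ACLs usually go wrong, so the following is an added example (not AWS code, and not from the original page) that evaluates constructed rule sets the way the VPC does: ascending rule number, first match wins, implicit "*" deny. It checks both halves of a TCP exchange against separate inbound and outbound rules, which exposes the classic mistake of allowing inbound 443 without an outbound rule for the client's ephemeral port, and shows a deny rule being shadowed by a lower-numbered allow. The addresses, ports and rule numbers are made up.

```python
"""Stateless network ACL evaluation.

Added illustration, not AWS code. Rules are evaluated in ascending rule-number
order, the first match decides, and anything unmatched hits the implicit '*'
deny. Because the ACL is stateless, the reply half of every connection must be
allowed by its own rule in the other direction; the sample rule sets below are
constructed to show the usual mistake (forgetting the ephemeral port range) and
a deny rule shadowed by a lower-numbered allow.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)  # port range the VPC documentation suggests for return traffic


@dataclass(frozen=True)
class Rule:
    number: int             # 1..32766; lower numbers are evaluated first
    protocol: str           # "tcp", "udp", "icmp" or "-1" for all traffic
    ports: Tuple[int, int]  # destination port range (ignored for "-1")
    cidr: str               # remote source (inbound) or destination (outbound)
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol == "-1":
        return True
    if rule.protocol != pkt.protocol:
        return False
    low, high = rule.ports
    return low <= pkt.dst_port <= high


def evaluate(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[str, str]:
    """Return (action, rule number) of the first matching rule, or ('deny', '*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action, str(rule.number)
    return "deny", "*"


def tcp_exchange_permitted(inbound: List[Rule], outbound: List[Rule],
                           client_ip: str, client_port: int,
                           server_ip: str, server_port: int) -> bool:
    """A client outside the subnet connects to a server inside it: the request must
    pass the inbound rules and the reply (ports swapped) must pass the outbound rules."""
    request = Packet("tcp", client_ip, client_port, server_ip, server_port)
    reply = Packet("tcp", server_ip, server_port, client_ip, client_port)
    return (evaluate(inbound, request, "inbound")[0] == "allow"
            and evaluate(outbound, reply, "outbound")[0] == "allow")


# Constructed rule sets for a subnet hosting an HTTPS server at 10.0.1.10.
INBOUND_HTTPS = [Rule(100, "tcp", (443, 443), ANY, "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", (443, 443), ANY, "allow")]  # only allows outbound calls *to* 443
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", EPHEMERAL, ANY, "allow")]  # replies go to client ephemeral ports

# SSH: block one hostile range, allow everyone else. Rule order decides the outcome.
SSH_DENY_FIRST = [Rule(90, "tcp", (22, 22), "203.0.113.0/24", "deny"),
                  Rule(100, "tcp", (22, 22), ANY, "allow")]
SSH_SHADOWED = [Rule(100, "tcp", (22, 22), ANY, "allow"),
                Rule(110, "tcp", (22, 22), "203.0.113.0/24", "deny")]  # never reached


if __name__ == "__main__":
    print("replies blocked by broken ACL:",
          not tcp_exchange_permitted(INBOUND_HTTPS, OUTBOUND_BROKEN, "198.51.100.7", 51234, "10.0.1.10", 443))
    print("replies allowed by fixed ACL: ",
          tcp_exchange_permitted(INBOUND_HTTPS, OUTBOUND_FIXED, "198.51.100.7", 51234, "10.0.1.10", 443))
    hostile = Packet("tcp", "203.0.113.5", 40000, "10.0.1.10", 22)
    print("deny first:", evaluate(SSH_DENY_FIRST, hostile, "inbound"))
    print("shadowed:  ", evaluate(SSH_SHADOWED, hostile, "inbound"))
```

A security group would have passed the HTTPS reply automatically because it tracks connection state; the ACL does not, which is why the same rule set that looks complete at the instance level silently breaks connections at the subnet level. The shadowing case is the reason deny rules for known-bad ranges are numbered below the broad allows.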