Virtual Private Cloud (VPC)

AWS Virtual Private Cloud (VPC) is an Amazon service that enables clients to build their own virtual network inside the Amazon cloud and use this network to launch Amazon resources. Amazon VPC allows customers to create their own virtual private cloud, which lets them logically isolate a section of the cloud. Clients can think of a VPC as their own network of machines and databases that lives entirely inside Amazon’s infrastructure and can be managed as if it were in the customer’s own data center. Combined with a virtual private network (VPN) or Direct Connect, Amazon VPC becomes an extension of the customer’s data center in the cloud, giving them complete control over how they configure the networking.

  • A virtual private cloud (VPC) is a virtual network dedicated to a customer’s AWS account.
    • This virtual network closely resembles a traditional network that would operate in the customer’s own data center, with the benefits of using the scalable infrastructure of AWS.
  • It is logically isolated from other virtual networks in the AWS Cloud.
    • Customers can launch their AWS resources, such as Amazon EC2 instances, into their VPC.
    • Customers can also specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.
  • Customers must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block when creating an Amazon VPC. The address range of the Amazon VPC cannot be changed after the VPC is created.

VPC benefits

Customers can customize their virtual networking environment as they like, such as selecting their own IP address range; creating their own subnets; and configuring their own route tables, network gateways, and security settings.

Customers can add an additional layer of control by using security groups and network access control lists. They can store data in Amazon S3 and restrict access so that it is only accessible from instances inside their VPC.

Amazon gives customers complete freedom to host their applications in the cloud and at the same time lets them interact with  the applications running in their data center.

Customers control their virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables and network gateways. 

Types of VPC

The Amazon VPC service has two different networking platforms available within AWS:

  1. EC2-Classic:– Amazon EC2 originally launched with a single, flat network shared with other customers. AWS accounts created prior to the arrival of the Amazon VPC service can launch instances into either the EC2-Classic network or EC2-VPC.
    • The instance receives a public IPv4 address from the EC2-Classic public IPv4 address pool.
  2. EC2-VPC:– AWS accounts that support EC2-VPC have a default VPC created in each region, with a default subnet created in each Availability Zone. The assigned CIDR block of the default VPC is 172.31.0.0/16.
    • A non-default VPC (also called a customer VPC) is not automatically created when EC2 resources are provisioned; the customer needs to create it.
      • A non-default VPC needs to be manually configured by each customer, and resources need to be provisioned in it.
      • An instance launched into a non-default VPC doesn’t receive a public IPv4 address by default, unless the customer specifies otherwise during launch or modifies the subnet’s public IPv4 addressing attribute.

A default VPC is a virtual network that is automatically created for a customer’s AWS account the first time EC2 resources are provisioned.

  • The default VPC is automatically created by AWS.
  • The default VPC is used when an instance is launched without specifying a subnet.
  • In a default VPC, access to the Internet is available by default: it has an internet gateway and public subnets with a corresponding route table.
  • Customers can immediately start launching Amazon EC2 instances into their default VPC.
  • An instance launched in a default subnet receives a public IPv4 address by default, unless customers specify otherwise during launch or modify the subnet’s public IPv4 addressing attribute.
  • Customers can also use services such as Elastic Load Balancing, Amazon RDS, and Amazon EMR in their default VPC.
  • A default VPC is suitable for getting started quickly, and for launching public instances such as a blog or simple website.
  • Some of the features available in a default VPC are:
    • Option to change security group membership almost instantly
    • Security group egress filtering
    • Multiple IP addresses
    • Multiple network interfaces without explicitly creating a VPC

These are the list of AWS services that can be used with Amazon VPC:

VPC Features

Create multiple virtual networks (VPCs) inside the Amazon cloud.

  • Connect your VPC with other VPCs and access resources in other VPCs via private IP addresses using VPC Peering.
  • Enable both IPv4 and IPv6 in your VPC.

Create multiple subnets within each VPC. Each subnet, however, can be in only one availability zone. The subnet can be private (not publicly accessible) or public (publicly accessible). 

  • The private subnet generally does not have public IP addresses.
  • Customers can create Internet gateways to allow a subnet to be publicly accessible.
  • Add NAT gateways to allow a private subnet to access the internet.
  • Privately connect to AWS services without using an internet gateway, NAT or firewall proxy through a VPC Endpoint.

Allow a secure private connection between a VPC and your own data center using a secure VPN connection. The secured connection has three parts:

  • A VPN gateway in VPC
  • The actual VPN connection
  • A customer gateway in the customer data center.

Enable EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses.

  • Associate VPC Security Groups with instances on EC2-Classic.
  • Store data in Amazon S3 and set permissions such that the data can only be accessed from within your Amazon VPC.

Create Elastic IP addresses to attach to NAT gateways or other instances. Customers can assign multiple IP addresses and attach multiple elastic network interfaces to instances in their VPC.

  • Attach one or more Amazon Elastic IP addresses to any instance in your VPC so it can be reached directly from the internet.
  • Divide your VPC’s private IP address range into one or more public or private subnets to facilitate running applications and services in your VPC.

Manage inbound and outbound access to a subnet using route tables and network access control lists.

  • Use Amazon VPC traffic mirroring to capture and mirror network traffic for Amazon EC2 instances.
  • Intercept and analyze ingress and egress traffic using a network and security appliance, including third-party offerings.

Subnets 

The above diagram shows a VPC that has been configured with subnets in multiple Availability Zones.


A subnet is a segment of a VPC’s IP address range where customers can place groups of isolated resources.

  • Each subnet must reside entirely within one Availability Zone and cannot span zones. 
  • When customers create a subnet, they specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.
  • Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that customers create is automatically associated with the main route table for the VPC.
  • Customers use a public subnet for resources that must be connected to the internet.
  • A public subnet is a subnet that’s associated with a route table that has a route to an Internet gateway.
  • Public subnets are subnets that have: 
    • “Auto-assign public IPv4 address” set to “Yes”. 
    • The subnet route table has an attached Internet Gateway.
    • A custom route table associated with the public subnet.
      • It enables instances in the subnet to communicate directly with the Internet over IPv4.
  • A private subnet is a subnet that doesn’t have a route to the internet gateway.
    • Instances with private IPv4 addresses in the subnet range can communicate with each other and other instances in the VPC.
    • Instances in the private subnet are back-end servers, and they don’t need to accept incoming traffic from the Internet and therefore do not have public IP addresses; however, they can send requests to the Internet using the NAT gateway.
    • The main route table is associated with the private subnet.
      • It enables instances in the subnet to communicate with the Internet through the NAT gateway over IPv4.
  • If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.
  • AWS provides two features that customers can use to increase security in their VPC: security groups and network ACLs.
    • Security groups control inbound and outbound traffic for customers’ instances.
    • Network ACLs control inbound and outbound traffic for customers’ subnets.

Route Tables

A route table contains a set of rules, called routes, that determine where network traffic from a subnet or gateway is directed. A customer’s VPC has an implicit router, and route tables control where that router sends traffic.

  • Each subnet in the VPC must be associated with a route table, which controls the routing for the subnet (the subnet route table).
  • Customers can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.
  • A subnet can be associated with only one route table at a time, but multiple subnets can be associated with the same route table.
  • When customers create a VPC, it automatically has a main route table. The main route table controls the routing for all subnets that are not explicitly associated with any other route table.
  • By default, when customers create a non-default VPC, the main route table contains only a local route.
  • Customers can add, remove, and modify routes in the main route table. However, they cannot create a route that is more specific than the local route. They cannot delete the main route table, but they can replace it for any subnet with a custom subnet route table.
  • Customers can associate a route table with an internet gateway or a virtual private gateway. When a route table is associated with a gateway, it is referred to as a gateway route table.
  • Each subnet in the customer’s VPC must be associated with a route table. A subnet can be explicitly associated with a custom route table, or implicitly or explicitly associated with the main route table.

Customers can also create multiple endpoints for a single service, and use different route tables to enforce different access policies from different subnets to the same service.

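As an added example (not code from the page or from AWS), the following Python model applies the subnet and route table rules described above: each subnet CIDR must fall inside the VPC CIDR and not overlap another subnet, a subnet with no explicit association uses the main route table, no route may be more specific than the local route, the implicit router picks the longest-prefix match, and a subnet is public, private behind NAT, or VPN-only depending on whether its route table points at an internet gateway, a NAT gateway or a virtual private gateway. All resource IDs (igw-EXAMPLE, nat-EXAMPLE, vgw-EXAMPLE), zone names and CIDRs in build_example() are constructed placeholders.

```python
"""Toy model of VPC subnets, route tables and subnet classification (added example)."""
import ipaddress
from typing import Dict, Optional

IPv4Net = ipaddress.IPv4Network


class RouteTable:
    """Destination CIDR -> target, seeded with the implicit local route for the VPC."""

    def __init__(self, name: str, vpc_cidr: IPv4Net) -> None:
        self.name = name
        self.vpc_cidr = vpc_cidr
        self.routes: Dict[IPv4Net, str] = {vpc_cidr: "local"}

    def add_route(self, destination: str, target: str) -> None:
        dest = ipaddress.ip_network(destination)
        # Rule from the page: no route may be more specific than the local route.
        if dest.subnet_of(self.vpc_cidr):
            raise ValueError(f"{dest} is covered by the local route {self.vpc_cidr}")
        self.routes[dest] = target

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match, which is how the VPC's implicit router chooses a route."""
        addr = ipaddress.ip_address(ip)
        matches = [dest for dest in self.routes if addr in dest]
        if not matches:
            return None  # no route at all: the packet is dropped
        return self.routes[max(matches, key=lambda dest: dest.prefixlen)]

    def classify_subnet(self) -> str:
        """Classify a subnet using this table, following the page's definitions."""
        targets = list(self.routes.values())
        if any(t.startswith("igw-") for t in targets):
            return "public"       # has a route to an internet gateway
        if any(t.startswith("nat-") for t in targets):
            return "private-nat"  # no IGW route, egress through a NAT gateway
        if any(t.startswith("vgw-") for t in targets):
            return "vpn-only"     # no IGW route, traffic sent to a virtual private gateway
        return "isolated"         # local route only


class Vpc:
    """A VPC with its main route table and a set of non-overlapping subnets."""

    def __init__(self, cidr: str) -> None:
        self.cidr = ipaddress.ip_network(cidr)
        self.main = RouteTable("main", self.cidr)
        self.subnets: Dict[str, dict] = {}

    def add_subnet(self, name: str, cidr: str, az: str,
                   table: Optional[RouteTable] = None) -> None:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(self.cidr):
            raise ValueError(f"{net} is not within the VPC CIDR {self.cidr}")
        for other in self.subnets.values():
            if net.overlaps(other["cidr"]):
                raise ValueError(f"{net} overlaps existing subnet {other['cidr']}")
        # A subnet with no explicit association is implicitly on the main route table.
        self.subnets[name] = {"cidr": net, "az": az, "table": table or self.main}

    def classify(self) -> Dict[str, str]:
        return {name: s["table"].classify_subnet() for name, s in self.subnets.items()}


def build_example() -> Vpc:
    """Constructed sample VPC; the igw-/nat-/vgw- IDs are placeholders, not real resources."""
    vpc = Vpc("10.0.0.0/16")
    public_rt = RouteTable("public", vpc.cidr)
    public_rt.add_route("0.0.0.0/0", "igw-EXAMPLE")
    vpc.main.add_route("0.0.0.0/0", "nat-EXAMPLE")       # main table: default route via NAT
    vpn_rt = RouteTable("vpn-only", vpc.cidr)
    vpn_rt.add_route("192.168.0.0/16", "vgw-EXAMPLE")    # constructed on-premises range
    vpc.add_subnet("public-a", "10.0.1.0/24", "az-a", public_rt)
    vpc.add_subnet("app-a", "10.0.2.0/24", "az-a")       # implicit: main route table
    vpc.add_subnet("vpn-a", "10.0.3.0/24", "az-b", vpn_rt)
    return vpc


if __name__ == "__main__":
    example = build_example()
    for subnet, kind in example.classify().items():
        print(f"{subnet}: {kind}")
    print("203.0.113.9 from public-a ->", example.subnets["public-a"]["table"].lookup("203.0.113.9"))
    print("10.0.1.7 from app-a ->", example.main.lookup("10.0.1.7"))
```

The lookup for 10.0.2.5 from the public table returns "local" even though 0.0.0.0/0 also matches, because the /16 local route is the longer prefix; that is the same reason the page says a route cannot be more specific than the local route, since it would otherwise win over it.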

VPC Endpoint

An endpoint is a network component that connects EC2 instances in a VPC to certain AWS services without requiring public IP addresses. With a VPC endpoint, instances don’t need a NAT device, VPN connection, internet gateway, or AWS Direct Connect to communicate with supported services: they communicate solely within the AWS network. There are two types of VPC endpoints:

  1. Interface endpoints:– An interface endpoint is an elastic network interface with a private IP address in a subnet that connects VPC resources to a number of AWS services, such as CloudFormation, Elastic Load Balancers (ELBs), SNS, and more.
    • An interface VPC endpoint (interface endpoint) enables customers to connect to services powered by AWS PrivateLink. These services include some AWS services, services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
    • Traffic from VPC resources to the endpoint network interface is controlled by security group rules. AWS PrivateLink then carries the traffic to the service without going over the internet.
    • AWS charges usage and data processing rates for PrivateLink.
  2. Gateway endpoints:– A gateway endpoint is a target for a route in a route table that connects VPC resources to S3 or DynamoDB. Traffic is then routed from instances in a subnet to one of these two services.
    • A VPC may have multiple gateway endpoints to different services in a route table, or multiple gateway endpoints to the same service in different route tables.
    • Gateway endpoints do not use PrivateLink.
    • AWS doesn’t charge extra for using gateway endpoints, unlike interface endpoints.

Internet Gateway

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a customer’s VPC and the internet.

  • An internet gateway serves two purposes:
    • To provide a target in the VPC route tables for internet-routable traffic, and
    • To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
  • When an instance receives traffic from the Internet, the Internet Gateway translates the destination address (the public IP address) to the instance’s private IP address and forwards the traffic into the Amazon VPC.
  • An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in the VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with those instances.
  • An egress-only Internet gateway is stateful: it forwards traffic from the instances in the subnet to the Internet or other AWS services, and then sends the response back to the instances.
  • An egress-only Internet gateway has the following characteristics:
    • Customers cannot associate a security group with an egress-only Internet gateway.
    • Customers can use security groups for the instances in the private subnet to control the traffic to and from those instances.
    • Customers can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.
  • To use an internet gateway, the subnet’s route table must contain a route that directs internet-bound traffic to the internet gateway.
  • To enable communication over the internet for IPv4, the instance must have a public IPv4 address or an Elastic IP address that is associated with a private IPv4 address on the instance.
  • To enable communication over the internet for IPv6, the VPC and subnet must have an associated IPv6 CIDR block, and the instance must be assigned an IPv6 address from the range of the subnet.

Domain Name System (DNS)

The Domain Name System (DNS) is a distributed directory that resolves human-readable hostnames, such as www.example.com, into machine-readable IP addresses such as 10.6.57.203.

  • A DNS hostname is the unique, absolute name of a computer.
  • A DNS hostname is composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
  • DNS is also a directory of crucial information about domain names, such as email servers (MX records), sender verification (DKIM, SPF, DMARC), TXT-record verification of domain ownership, and even SSH fingerprints (SSHFP).
  • When customers launch an instance into a default VPC, AWS provides the instance with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses of the instance. However, when they launch an instance into a non-default VPC, AWS provides the instance with only a private DNS hostname.
  • The Amazon-provided private (internal) DNS hostname resolves to the private IPv4 address of the instance.

Dynamic Host Configuration Protocol (DHCP)

DHCP is at the heart of assigning every host its IP address. The key word in DHCP is protocol: the guiding rules and process for Internet connections for everyone, everywhere. DHCP is consistent, accurate and works the same for every computer. Remember that without an IP address, users would not be able to receive the information they requested; in other words, the IP address tells the Internet to send the information the user requested (a web page, email, data, and so on) to the computer that requested it.

Dynamic Host Configuration Protocol (DHCP) is an application layer protocol which is used to provide an IP address together with the subnet mask, router address, DNS address, and vendor class identifier.

  • The key word in DHCP is “dynamic”: instead of having one fixed and specific IP address, most computers are assigned one that is available from a subnet or “pool” assigned to the network.
  • The application layer is at the top of the OSI model. It is the layer through which users interact with the network, and it provides services to them.
    • The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a computing system without regard to its underlying internal structure and technology.
  • DHCP provides a standard for passing configuration information to hosts on a TCP/IP network.
  • DHCP is based on a client-server model and on a discover, offer, request exchange.
  • A DHCP server is one computer on the network that has a number of IP addresses at its disposal to assign to the computers/hosts on that network.
  • AWS automatically creates and associates a DHCP option set with customers’ Amazon VPC upon creation.
  • DHCP provides IP addresses that “expire” after a certain time. When DHCP assigns an IP address, it actually leases that address to the user’s computer for a specific amount of time. The default lease is usually five days.
  • AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC’s IGW.
  • The options field of a DHCP message contains the configuration parameters. Some of those parameters, as they appear in a VPC DHCP option set, are:
    • domain-name-servers:– The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
    • domain-name:– The desired domain name (defaults to the domain name for your region).
    • netbios-name-servers:– The IP addresses of up to four NetBIOS name servers, separated by commas.

IP Address

Public IP address:– A public IP address is an address assigned to a computing device to allow direct access over the Internet. A web server, email server and any other server directly accessible from the Internet are candidates for a public IP address. A public IP address is globally unique and can only be assigned to one device.

Private IP address:– A private IP address comes from the address space allocated by InterNIC to let organizations create their own private networks. Three IP address blocks, one each in Class A, Class B and Class C, are reserved for private use. The computers, tablets and smartphones behind a client’s home router, and the personal computers within an organization, are usually assigned private IP addresses.

Elastic Network Interfaces

An Elastic Network Interface (ENI) is a virtual interface that can be attached to an instance in a Virtual Private Cloud (VPC). It is also referred to simply as a network interface: a logical networking component in a VPC that represents a virtual network card.

  • ENI virtual network closely resembles a traditional network that customers would operate in their own data center, with the benefits of using the scalable infrastructure of AWS.
  • ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses.
  • An ENI can have many attributes, such as a primary private IPv4 address, a MAC address, one or more security groups, one or more IPv6 addresses, and more.
    • These attributes will move with ENI when an ENI is attached to an instance; when this ENI is detached from an instance, these attributes will be removed.
  • By default, every instance in a VPC has one network interface attached. This ENI is known as the primary network interface (eth0) and is assigned a private IPv4 address from the IPv4 address range of the VPC.
    • This primary ENI cannot be detached from an instance. Customers can, however, create and attach many additional ENIs to their instances inside a VPC.
  • An ENI can be created independently of a particular instance, and it persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, the IP address can be preserved by attaching the ENI to a replacement instance.
  • ENIs allow customers to create a management network, use network and security appliances in their Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.

VPC Peering

A VPC peering connection is a networking connection between two VPCs that enables customers to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.

  • AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. 
  • There is no single point of failure for communication or a bandwidth bottleneck.
  • A VPC peering connection helps customers to facilitate the transfer of data.
  • It can also be used to allow other VPCs to access resources that customers have in one of their VPCs.
  • Customers can establish peering relationships between VPCs across different AWS Regions (also called Inter-Region VPC Peering). 
    • Inter-Region VPC Peering allows VPC resources including EC2 instances, Amazon RDS databases and Lambda functions that run in different AWS Regions to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances.
    • It also provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.

Elastic IP address

An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. AWS uses Elastic IP addresses to manage its dynamic cloud computing services. Within the AWS infrastructure, customers create virtual private clouds (EC2-VPCs), and inside those VPCs they run instances. Customers can associate an Elastic IP address with any instance or network interface in any VPC in their account.

An Elastic IP address combines the properties of a public IP address and a static IP address. It allows clients to keep reaching their AWS instances at the same address within their AWS network infrastructure.

  • A dynamic IP address is the most common kind for average customers. It changes frequently, which provides customers and ISPs cost savings.
  • Static IP addresses are IPs which do not change. They are common for business and cloud computing, which is why AWS includes them in the Elastic IP framework.
  • Customers are limited to five Elastic IP addresses.
  • An Elastic IP address is reached through the Internet gateway of a VPC.
  • An Elastic IP address is a property of network interfaces. Thus, customers associate an Elastic IP address with an instance by updating the network interface attached to the instance.
  • There are differences between an Elastic IP address that customers use in a VPC and one that they use in EC2-Classic:
    • In EC2-Classic, an Elastic IP is disassociated from the instance when customers stop it.
    • In a VPC, an Elastic IP remains associated with the instance when customers stop it.

Network Access Control Lists (ACLs)

A network access control list (ACL) is an optional layer of security for a customer’s VPC that acts as a firewall for controlling traffic in and out of one or more subnets. In other words, access control lists (ACLs) are network traffic filters that control incoming and outgoing traffic.

  • A client’s VPC automatically comes with a modifiable default network ACL, which allows all inbound and outbound traffic.
  • To control inbound and outbound traffic with their own rules, clients create a custom network ACL and associate it with a subnet. Each subnet in the VPC must be explicitly associated with a network ACL; otherwise, the subnet is automatically associated with the default network ACL.
  • A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • ACLs work on a set of rules that define how to forward or block a packet at the router’s interface.
  • A network ACL behaves like a stateless firewall: it only restricts, blocks, or allows the individual packets flowing from source to destination, without tracking connections, so return traffic must be permitted by its own rule.
  • The main idea behind using an ACL is to provide security to the customer’s network. Without it, any traffic is allowed to enter or exit, making the network more vulnerable to unwanted and dangerous traffic.
  • ACLs are configured directly in a device’s forwarding hardware, so they do not compromise end performance.
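To make the three properties above concrete (numbered rules evaluated lowest first, first match wins with an implicit final deny, and stateless filtering), here is an added Python evaluator; it is not code from the page or from AWS, and the rule sets, packets and addresses in demo() are constructed, using the documentation ranges 198.51.100.0/24 and 203.0.113.0/24. It shows why an inbound allow on port 443 alone is not enough: the server’s replies leave the subnet toward the client’s ephemeral port, so a matching outbound rule is needed, and why a deny rule numbered after a broader allow never fires.

```python
"""Toy evaluator for network ACL semantics: numbered rules, first match, stateless (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int        # rules are evaluated from the lowest number upward
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int     # destination port range the rule covers
    port_to: int
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str     # source IP of an inbound packet, destination IP of an outbound one
    dst_port: int      # destination port of the packet


Verdict = Tuple[str, Union[int, str]]   # (action, matching rule number, or "*" for the implicit deny)


class NetworkAcl:
    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        if rule.protocol not in ("all", pkt.protocol):
            return False
        if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr):
            return False
        return rule.port_from <= pkt.dst_port <= rule.port_to

    def evaluate(self, direction: str, pkt: Packet) -> Verdict:
        """Walk the rules in numeric order; the first match decides, else the final '*' deny."""
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in rules:
            if self._matches(rule, pkt):
                return rule.action, rule.number
        return "deny", "*"


def demo() -> Dict[str, Verdict]:
    """Constructed scenario for a web subnet (documentation IP ranges, not real hosts)."""
    deny_range = Rule(100, "tcp", "198.51.100.0/24", 443, 443, "deny")
    allow_https = Rule(200, "tcp", "0.0.0.0/0", 443, 443, "allow")
    # Outbound: allowing only port 443 is not enough, because the ACL is stateless and the
    # server's replies go back to the client's ephemeral port, not to port 443.
    outbound_https_only = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    outbound_with_ephemeral = outbound_https_only + [Rule(200, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

    acl = NetworkAcl([deny_range, allow_https], outbound_https_only)
    fixed = NetworkAcl([deny_range, allow_https], outbound_with_ephemeral)
    # Same deny, but numbered after the broad allow: the allow matches first, so the deny never fires.
    misordered = NetworkAcl([Rule(300, "tcp", "198.51.100.0/24", 443, 443, "deny"), allow_https],
                            outbound_with_ephemeral)

    client_syn = Packet("tcp", "203.0.113.7", 443)      # client opening HTTPS to the subnet
    blocked_syn = Packet("tcp", "198.51.100.9", 443)    # client from the denied range
    reply = Packet("tcp", "203.0.113.7", 51515)         # server reply to the client's ephemeral port
    return {
        "client_syn": acl.evaluate("inbound", client_syn),
        "blocked_syn": acl.evaluate("inbound", blocked_syn),
        "blocked_syn_misordered": misordered.evaluate("inbound", blocked_syn),
        "reply_https_only": acl.evaluate("outbound", reply),
        "reply_with_ephemeral": fixed.evaluate("outbound", reply),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A security group would have let the reply through automatically because it tracks connection state; with a network ACL the ephemeral-port rule must be written explicitly, which is the practical consequence of the "stateless" bullet above.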

Network Address Translation (NAT)

Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts.

  • NAT allows multiple devices to access the Internet through a single public address.
  • The main use of NAT is to limit the number of public IP addresses that an organization or company must use, for both economic and security purposes.
  • A NAT device enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with the instances. A NAT device forwards traffic from the instances in the private subnet to the internet and sends the responses back to the instances.
    • NAT devices are not supported for IPv6 traffic; use an egress-only Internet gateway instead.
    • AWS offers two kinds of NAT devices: a NAT gateway or a NAT instance.

Network Address Translation (NAT) Instances

A Network Address Translation (NAT) instance is an EC2 instance that lives inside a client’s public subnet. It gives private instances outgoing connectivity to the internet while blocking inbound traffic initiated from the internet.

NAT instances are managed by customers. They are used to enable private subnet instances to access the Internet. When creating a NAT instance, always disable the source/destination check on the instance.

  • It must be in a single public subnet.
  • It needs to be associated with security groups.
  • Use a script to manage failover between instances.
  • Installing software updates and operating system patches on the instance, and any other necessary maintenance, must be managed by customers.
  • Associate a security group with the NAT instance and with the resources behind it to control inbound and outbound traffic.
  • Use a network ACL to control the traffic to and from the subnet in which the NAT instance resides.
  • Assign a specific private IP address from the subnet’s IP address range when launching the instance.
  • Use an Elastic IP address or a public IP address with a NAT instance. Users can change the public IP address at any time by associating a new Elastic IP address with the instance.

Network Address Translation (NAT) Gateway

Network Address Translation (NAT) Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an AWS Virtual Private Cloud (VPC). 

  • Customers can use a NAT gateway to enable instances in a private subnet to connect to the internet or other AWS services.
  • NAT gateways are not supported for IPv6 traffic; use an egress-only internet gateway instead.
  • Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
  • A NAT gateway supports the TCP, UDP and ICMP protocols, and 5 Gbps of bandwidth, which automatically scales up to 45 Gbps.
  • A security group can’t be associated with a NAT gateway. However, clients can associate security groups with their resources behind the NAT gateway to control inbound and outbound traffic.
  • Customers can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located.
  • When a NAT gateway is created, it receives a network interface that is automatically assigned a private IP address from the IP address range of the customer’s subnet.
  • A NAT gateway can support up to 55,000 simultaneous connections to each unique destination.
  • To avoid data processing charges for NAT gateways when accessing Amazon S3 and DynamoDB that are in the same Region, set up a gateway endpoint and route the traffic through the gateway endpoint instead of the NAT gateway.
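The behaviour described in the NAT sections above (outbound flows from private instances are rewritten to the public address, replies are mapped back to the originating instance, unsolicited inbound connections are dropped, IPv6 is not handled, and there is a per-destination connection limit) can be modelled with a small stateful translation table. The following Python is an added example, not code from the page or from AWS; the NAT port allocation scheme is a simplification, and the addresses in demo() are constructed from documentation ranges (203.0.113.10 plays the Elastic IP, 198.51.100.20 a remote web server).

```python
"""Toy stateful NAT translation table, modelling a NAT gateway for a private subnet (added example)."""
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)
Flow = Tuple[Endpoint, Endpoint]   # (source endpoint, destination endpoint)


class NatGateway:
    def __init__(self, public_ip: str, max_connections_per_dest: int = 55000) -> None:
        # NAT devices are IPv4 only; IPv6 egress uses an egress-only internet gateway instead.
        if ipaddress.ip_address(public_ip).version != 4:
            raise ValueError("NAT is not supported for IPv6")
        self.public_ip = public_ip
        self.max_per_dest = max_connections_per_dest   # page: up to 55,000 per unique destination
        self.next_port = 1024                          # simplified: NAT-side ports handed out in order
        self.table: Dict[Tuple[int, Endpoint], Endpoint] = {}   # (nat port, remote) -> private source
        self.per_dest: Dict[Endpoint, int] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Flow]:
        """Instance -> internet: rewrite the private source to the public IP and a NAT port."""
        if ipaddress.ip_address(src[0]).version != 4 or ipaddress.ip_address(dst[0]).version != 4:
            raise ValueError("NAT is not supported for IPv6")
        if self.per_dest.get(dst, 0) >= self.max_per_dest:
            return None  # connection limit to this destination reached: packet dropped
        port = self.next_port
        self.next_port += 1
        self.table[(port, dst)] = src
        self.per_dest[dst] = self.per_dest.get(dst, 0) + 1
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Flow]:
        """Internet -> NAT: only a reply to a tracked outbound flow is forwarded to the instance."""
        if dst[0] != self.public_ip:
            return None
        private = self.table.get((dst[1], src))
        if private is None:
            return None  # unsolicited inbound connection attempt: dropped
        return src, private


def demo() -> Dict[str, Optional[Flow]]:
    """Constructed flows through a NAT gateway whose public address is 203.0.113.10."""
    nat = NatGateway("203.0.113.10")
    server = ("198.51.100.20", 443)
    translated = nat.outbound(("10.0.2.15", 40000), server)   # private instance opens HTTPS
    reply = nat.inbound(server, translated[0])                 # server answers the NAT port
    unsolicited = nat.inbound(("198.51.100.99", 12345), ("203.0.113.10", 22))  # nobody asked
    return {"translated": translated, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name}: {flow}")
```

The same table explains the NAT instance guidance above: a NAT instance keeps this state in its own kernel, which is why it must be sized, patched and failed over by the customer, whereas the NAT gateway keeps it inside a managed, zone-redundant service.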

Virtual Private Network (VPN)

A virtual private network (VPN) is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. A VPN prevents unauthorized people from eavesdropping on the traffic and allows the user to work remotely. VPN technology is widely used in corporate environments.

  • A VPN connection can be configured between a customer’s Amazon VPC and their data center, effectively extending the data center to the cloud while also providing direct access to the Internet for public subnet instances in the Amazon VPC.
  • Traffic on the virtual network is sent through an established, encrypted connection across the Internet known as a tunnel. VPN traffic from a device such as a computer, tablet, or smartphone is encrypted as it travels through this tunnel.
  • Clients can create an IPsec VPN connection between their VPC and their remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover.
    • Site-to-site VPNs are used when distance makes it impractical to have direct network connections.
    • A virtual private gateway (VPG) is the VPN concentrator on the AWS side of the VPN connection between the two networks.
    • A customer gateway (CGW) represents a physical device or a software application on the customer’s side of the VPN connection.
  • AWS Client VPN is a managed client-based VPN service that enables clients to securely access their AWS resources and resources in their on-premises network. Clients can access resources in AWS or on-premises from any location using an OpenVPN-based VPN client.
  • Clients can create a VPN connection to their remote network by using an Amazon EC2 instance in their VPC that is running a third-party software VPN appliance.

VPC peering

A VPC peering connection is a networking connection between two VPCs that enables customers to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network, subject to the route tables, security groups and network ACLs of both VPCs.

  • AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. 
  • There is no single point of failure for communication or a bandwidth bottleneck.
  • A VPC peering connection lets customers transfer data between VPCs and, for example, allow several VPCs to reach shared resources that live in one central VPC.
  • Peering is not transitive: if VPC A is peered with VPC B and VPC B with VPC C, A still cannot reach C through B; a direct peering between A and C (or a transit gateway) is required. Peered VPCs may not have overlapping CIDR blocks, and each side must add a route for the other VPC's CIDR that targets the peering connection before any traffic flows.
  • Customers can establish peering relationships between VPCs across different AWS Regions (also called inter-Region VPC peering); AWS encrypts that inter-Region traffic.
    • Inter-Region VPC peering allows VPC resources, including EC2 instances, Amazon RDS databases and Lambda functions that run in different AWS Regions, to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances.
    • It also provides a simple and cost-effective way to share resources between Regions or replicate data for geographic redundancy.

AWS Direct Connect

AWS Direct Connect is a network service that provides an alternative to the Internet for connecting a customer's on-premises sites to AWS. Data is transmitted over a dedicated private network connection between a Direct Connect location and the customer's data center or corporate network. Each Direct Connect connection can be configured with one or more virtual interfaces (VIFs): public VIFs reach the public endpoints of services such as S3, EC2, and DynamoDB, while private VIFs connect to a VPC through a virtual private gateway. A Direct Connect link is private but not encrypted by default; where encryption in transit is required, run an IPsec VPN over the connection or use MACsec on connections and locations that support it. Direct Connect also offers the following:

  • Using AWS Direct Connect, customers can establish private connectivity between AWS and their data center, office, or colocation environment, which in many cases reduces network costs, increases bandwidth and reliability, and decreases latency.
  • AWS Direct Connect lets customers establish a dedicated network connection between their network and one of the AWS Direct Connect locations.
  • AWS Direct Connect makes it easy to scale the connection to meet the customer's needs.
  • With AWS Direct Connect, customers can transfer business-critical data between their data center, office, or colocation environment and AWS while bypassing their Internet service provider and avoiding congestion on the public Internet.
  • With AWS Direct Connect, customers control how their data is routed, which can provide a more consistent network experience than Internet-based connections.
  • AWS Direct Connect can help customers build hybrid environments that satisfy regulatory requirements that call for private connectivity.

AWS PrivateLink

AWS PrivateLink simplifies the security of data shared with cloud-based applications by keeping that data off the public Internet. It provides private connectivity between VPCs, AWS services, and on-premises applications over the Amazon network, and makes it easy to connect services across different accounts and VPCs, which significantly simplifies the network architecture.

  • Connect customer VPCs to services in AWS in a secure and scalable manner with AWS PrivateLink. PrivateLink traffic does not traverse the Internet, which removes the exposure to threat vectors such as brute force and distributed denial-of-service attacks from the Internet.
  • Connect services across different accounts and VPCs within the customer's organization without peering, path definitions or route table changes. Access is still controlled on the consumer side by the security group attached to the interface endpoint and, for AWS services, by an optional endpoint policy, so both should be restricted rather than left at their defaults.
  • Easily migrate traditional on-premises applications to SaaS offerings hosted in the cloud with AWS PrivateLink.
  • Keeping personally identifiable information (PII) off the Internet helps maintain compliance with regulations such as HIPAA or PCI DSS.
  • Customers can create their own AWS PrivateLink-powered service (endpoint service) and enable other AWS customers to access their service. 
  • AWS PrivateLink is integrated with AWS Marketplace through an easy lookup of the services that are available over AWS PrivateLink.

Creating VPC

In this step, you'll use the Amazon VPC wizard in the Amazon VPC console to create a VPC with a single public subnet. The wizard performs the following steps for you:

  • Creates a VPC with a /16 IPv4 CIDR block (a network with 65,536 private IP addresses).
  • Attaches an internet gateway to the VPC.
  • Creates a /24 IPv4 subnet (a range of 256 private IP addresses, of which AWS reserves the first four and the last, leaving 251 usable) in the VPC.
  • Creates a custom route table with a route for 0.0.0.0/0 that targets the internet gateway, and associates it with the subnet, so that instances in the subnet (provided they have a public IPv4 address) can reach the Internet.
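The following is an added example, not code from the page or from AWS, that models VPC route-table lookup for two passages above: the wizard's custom route table with its default route to the internet gateway, and the VPC peering section, where peering only carries traffic once both route tables point at the connection and is never transitive. The VPC names, CIDR blocks and the igw-/pcx- identifiers are constructed for illustration; the reserved-address count per subnet is the documented AWS behaviour.

```python
"""Route-table model for a VPC: the wizard's public-subnet route table and a
VPC peering topology. Added example, not AWS code; the VPC CIDRs and the
igw-/pcx- identifiers below are constructed for illustration."""
import ipaddress

# Constructed VPCs and their CIDR blocks (a /16 each, as the wizard creates).
VPCS = {
    "vpc-a": ipaddress.ip_network("10.0.0.0/16"),
    "vpc-b": ipaddress.ip_network("10.1.0.0/16"),
    "vpc-c": ipaddress.ip_network("10.2.0.0/16"),
    "vpc-d": ipaddress.ip_network("10.0.128.0/17"),   # overlaps vpc-a on purpose
}

# AWS reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def usable_addresses(subnet_cidr, vpc):
    """Usable host addresses in a subnet, after checking it lies inside the VPC CIDR."""
    subnet = ipaddress.ip_network(subnet_cidr)
    if not subnet.subnet_of(VPCS[vpc]):
        raise ValueError(f"{subnet} is not inside {VPCS[vpc]}")
    return subnet.num_addresses - RESERVED_PER_SUBNET


def build_route_table(vpc, extra_routes=()):
    """Every VPC route table carries the local route for the VPC's own CIDR;
    extra_routes are (destination CIDR, target) pairs such as ("0.0.0.0/0", "igw-...")."""
    routes = [(VPCS[vpc], "local")]
    for dest, target in extra_routes:
        routes.append((ipaddress.ip_network(dest), target))
    return routes


def lookup(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does. None means no route:
    the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in route_table:
        if ip in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, target)
    return None if best is None else best[1]


def peering_allowed(vpc1, vpc2):
    """AWS refuses a peering connection between VPCs with overlapping CIDRs."""
    return not VPCS[vpc1].overlaps(VPCS[vpc2])


def peer(vpc1, vpc2, pcx):
    """Routes each side must add for the peering connection pcx to carry traffic.
    The connection alone does nothing until both route tables point at it."""
    if not peering_allowed(vpc1, vpc2):
        raise ValueError(f"{vpc1} and {vpc2} have overlapping CIDRs")
    return {vpc1: (str(VPCS[vpc2]), pcx), vpc2: (str(VPCS[vpc1]), pcx)}


def wizard_public_route_table():
    """Wizard step 4: a custom route table whose default route targets the internet gateway."""
    return build_route_table("vpc-a", [("0.0.0.0/0", "igw-0123456789abcdef0")])


def peered_topology():
    """vpc-a peered with vpc-b, and vpc-b with vpc-c; returns the three route tables."""
    ab = peer("vpc-a", "vpc-b", "pcx-ab")
    bc = peer("vpc-b", "vpc-c", "pcx-bc")
    return {
        "vpc-a": build_route_table("vpc-a", [ab["vpc-a"]]),
        "vpc-b": build_route_table("vpc-b", [ab["vpc-b"], bc["vpc-b"]]),
        "vpc-c": build_route_table("vpc-c", [bc["vpc-c"]]),
    }


if __name__ == "__main__":
    print("usable hosts in 10.0.0.0/24:", usable_addresses("10.0.0.0/24", "vpc-a"))
    public = wizard_public_route_table()
    print("10.0.1.10 via", lookup(public, "10.0.1.10"))
    print("93.184.216.34 via", lookup(public, "93.184.216.34"))
    tables = peered_topology()
    print("vpc-a to vpc-b via", lookup(tables["vpc-a"], "10.1.0.5"))
    print("vpc-a to vpc-c via", lookup(tables["vpc-a"], "10.2.0.5"))   # None: peering is not transitive
    print("vpc-a/vpc-d peering allowed:", peering_allowed("vpc-a", "vpc-d"))
```

The lookup for a vpc-c host from vpc-a returns no route even though vpc-b can reach both, which is the non-transitive behaviour to remember when a hub VPC is expected to relay traffic; the overlap check is the reason planners keep VPC CIDRs disjoint from the start.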

Create a VPC Security Group

A security group acts as a virtual firewall that controls the traffic for its associated instances. To use a security group, add inbound rules to control incoming traffic to the instance and outbound rules to control outgoing traffic from it. Security group rules are allow rules only: every rule is evaluated, any matching rule admits the traffic, and anything no rule allows is dropped. Security groups are also stateful, so the response to an allowed request is permitted regardless of the rules in the opposite direction (unlike network ACLs, which are stateless). To associate a security group with an instance, specify the security group when you launch the instance.

Your VPC comes with a default security group. Any instance not associated with another security group during launch is associated with the default security group. In this exercise, you create a new security group, WebServerSG, and specify this security group when you launch an instance into your VPC. Limit administrative ports such as SSH (22) to known source ranges rather than 0.0.0.0/0; only the web ports need to be open to the Internet.
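The following is an added example, not code from the page or from AWS, that models how a security group like WebServerSG evaluates inbound traffic: allow rules only, implicit deny, no rule ordering, and stateful handling of return traffic. The WebServerSG rules, the admin source range 203.0.113.0/24 and the sample addresses and ports are constructed for illustration; the check at the end flags the common mistake of exposing SSH or RDP to the whole Internet.

```python
"""Toy evaluator for VPC security-group rules, showing allow-only, stateful
behaviour. Added example, not AWS code; the WebServerSG rules, the admin
CIDR 203.0.113.0/24 and the sample connections are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # start of the port range (ignored when protocol is "-1")
    to_port: int     # end of the port range
    source: str      # CIDR block the rule admits

    def matches(self, protocol, port, src_ip):
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


# WebServerSG as this exercise would build it: HTTP/HTTPS from anywhere,
# SSH only from the constructed admin range. Security groups hold allow rules only.
WEB_SERVER_SG = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.0/24"),
]


def inbound_allowed(rules, protocol, port, src_ip):
    """All rules are evaluated; any match admits the packet, no match is an
    implicit deny. Rule order never matters and there are no deny rules."""
    return any(r.matches(protocol, port, src_ip) for r in rules)


class StatefulSG:
    """Connection tracking: security groups are stateful, so the reply to a
    connection the instance opened is admitted although no inbound rule allows it."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.outbound_flows = set()   # (remote_ip, remote_port, local_port)

    def connect_out(self, dst_ip, dst_port, local_port):
        # The default outbound rule allows all traffic; the tracker remembers the flow.
        self.outbound_flows.add((dst_ip, dst_port, local_port))

    def inbound(self, protocol, port, src_ip, src_port):
        if (src_ip, src_port, port) in self.outbound_flows:
            return True
        return inbound_allowed(self.inbound_rules, protocol, port, src_ip)


def return_traffic_demo():
    """The instance fetches https://198.51.100.7 from ephemeral port 51515; returns
    (reply admitted, unsolicited packet to the same local port admitted)."""
    sg = StatefulSG(WEB_SERVER_SG)
    sg.connect_out("198.51.100.7", 443, 51515)
    reply = sg.inbound("tcp", 51515, "198.51.100.7", 443)
    unsolicited = sg.inbound("tcp", 51515, "198.51.100.7", 80)
    return reply, unsolicited


def overly_permissive(rules, sensitive_ports=(22, 3389)):
    """Check to run before attaching a group: admin ports (SSH, RDP) reachable
    from the whole Internet. Returns a list of (port, source) findings."""
    findings = []
    for r in rules:
        if r.source not in ("0.0.0.0/0", "::/0"):
            continue
        for p in sensitive_ports:
            if r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= p <= r.to_port):
                findings.append((p, r.source))
    return findings


if __name__ == "__main__":
    print("HTTP from Internet:", inbound_allowed(WEB_SERVER_SG, "tcp", 80, "198.51.100.7"))
    print("SSH from Internet:", inbound_allowed(WEB_SERVER_SG, "tcp", 22, "198.51.100.7"))
    print("SSH from admin range:", inbound_allowed(WEB_SERVER_SG, "tcp", 22, "203.0.113.42"))
    print("reply admitted, unsolicited admitted:", return_traffic_demo())
    print("findings:", overly_permissive(WEB_SERVER_SG + [Rule("tcp", 22, 22, "0.0.0.0/0")]))
```

The same SSH packet is admitted from the admin range and dropped from any other source, and the reply to an outbound fetch is admitted without an inbound rule for the ephemeral port; that last behaviour is what distinguishes a security group from a stateless network ACL.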