This is part of a blog series giving a high level overview of the different services examined on the AWS Solution Architect Associate exam, to view the whole series click here.
- A VPC is a logically separated section of AWS for you to launch resources in a network you define.
- VPC’s consist of an internet gateway or virtual private gateway, subnets, route tables, network access control lists and security groups.
- A subnet is a range of IP addresses within your VPC. A subnet can not span multiple availability zones.
- When we create a VPC, the following are created by default: a route table, network access control list and security group.
- Subnets or internet gateway are not created by default.
- Auto assigning a public IP Address is turned off by default, this will need to be updated if you want a public subnet.
- You can only have one internet gateway in your VPC
- You are not charged for using a VPC, however you are charged for the components used within it e.g. gateway, traffic monitoring etc.
- One way to save costs when it comes to networking is to use private IP addresses instead of public IP addresses as they utilise the AWS Backbone network.
- If you want to cut all network costs, group all EC2 instances in same AZ and use private IP addresses.
- You can have 5 VPCs per AWS region.
Connecting to a VPC
There are two ways to connect into a VPC:
- Virtual Private Gateway
- Internet Gateway
What you can do with VPC
- Launch instances
- Assign custom IP address ranges
- Configure route tables between subnets
VPC IP Ranges
- Amazon don’t allow /8 prefix as it is too large — the largest they allow is /16
- AWS will always reserve 5 IP Addresses within a CIDR block for:
- Network Address
- Router Address
- DNS Server Address
- Broadcast address
- 1 more for future use
- These are the first four IP addresses and the last IP address
- This is a connection between VPCs, that allows you to route traffic between them using private IP addresses.
- The peering connections allow instances to operate as if they were in the same network.
- It is possible to peer with another AWS account or region.
- Peering connections have to be one-to-one relationships. There is no transitive peering, so you can’t transit between one VPC to connect to another — each VPC has to be directly connected to another.
Types of tenancy
On set up of your VPC you will be asked to choose either:
- Dedicated → Everything on dedicated hardware (Very expensive)
- Default → multi-tenant share underlying hardware with other AWS customers
Network Access Control Lists (NACL)
- Extra layer of security for your VPC as it can be used to control the traffic in and out of subnets.
- Similar to security groups, as they contain rules, but you can you can block IP addresses with a NACL, unlike with security groups.
- A NACL can be associated with many Subnets, but a subnet can only have one NACL
- NACL are stateless, meaning they can have separate inbound and outbound rules, again unlike with security groups.
- A route table is created by default with your VPC.
- Allows subnets to talk to each other. It is a set of rules that determines where the network traffic is directed.
- Every subnet within your VPC must be associated with a route table.
- By default your subnets are associated with the main route table, but this can be a security risk e.g. if you were to put a route out to the public internet in the route table all subnets would automatically be made public.
- To resolve this — keep main route table as private and then have separate route tables that use the main one, but have additional routes.
- Allows your VPC to communicate with the internet.
- For internet communication, you must set up a route in your route table that directs traffic to the Internet Gateway.
- Performs network address translation for instances.
Network Address Translation (NAT) Gateways/ Instances
- NAT gateways/instances provides private subnets access to internet traffic, but ensures internet traffic does not initiate a connection with the instances.
- For example this can enable our EC2 Instances in a private subnet to go out and download software by communicating with our Internet Gateway.
- The NAT gateway or instance must live in a public subnet and then for a private subnet to connect to it, the private subnet must have a route in its route table that directs traffic to it.
- Since NAT Instances send and receive traffic from different sources/destinations, it can cause some issues as EC2 does source/destination checks automatically — so when using a NAT Instance you need to disable source/destination checks on the EC2 instance when creating it.
- NAT instances are managed by you.
- You can associate them with security groups to control inbound and outbound traffic.
- NAT Gateways are preferred by enterprise as they are highly available, can scale and are managed by AWS.
- Can not be associated with security groups, but you can associate the resources behind the NAT Gateway with security groups.
- Automatically assigned public IP Address
- For NAT Gateways you don’t need to worry about disabling source & destination checks on the instance.
- You can create an AZ independent architecture with Network Gateways to reduce the risks of failures. This can be done by creating a NAT Gateway in each AZ and then configuring the routing to ensure resources in the same NAT Gateway are in the same AZ.
VPC Flow Logs
- Capture information about IP traffic entering and leaving interfaces in your VPC.
- You can publish these flow logs with CloudWatch or S3.
- They allow you to monitor the traffic reaching your instances and can help you see if your security groups are restrictive enough.
- Flow logs do not impact latency or network throughput as they are collected outside the path of your network traffic.
- You can have flow logs for peered VPCs, but only if they are in same account.
- Can be created at 3 levels: VPC, Subnet, Network Interface level.
- Directly connects your on-premise datacenter to an AWS VPC using a dedicated network connection over a standard ethernet fiber-optic cable.
- Benefits of using Direct Connect includes: reduced network costs and increase in bandwidth throughput.
- Allows you to improve availability and performance of your applications for global users.
- Can improve performance by up to 60% as it directs traffic to optimal endpoints to avoid congestion.
- You are assigned two static IP address — alternately you can bring your own.
- Can automatically mitigate endpoint failure by re-routing traffic to nearest healthy endpoint.
Allows you to privately connect a VPC to other AWS resources and it is powered by Private Link, so traffic never leaves the AWS Network.
- Interface endpoint →Attach an elastic network interface with a private IP address onto your EC2 instance for it to communicate to services using AWS network.
- Gateway Load Balancer endpoints → Is an entry point that intercepts traffic and routes it to services configured using Gateway Load Balancers.
- Gateway endpoints →Create it as a route table target for traffic to services, like NAT gateways — its supported for only S3 & Dynamo.
VPC Private Link
- Provides private connections between VPC’s, AWS services and on-premise networks.
- Best way to expose your VPC to hundreds or thousands of other VPC’s.
- Can secure your traffic and simplify network management.
- Doesn’t require VPC peering, route tables or NAT gateways
- Requires Network Load Balancer on the service VPC and an elastic network interface on the customer VPC.
- Allows transitive peering between VPCs and on-premises data centres through a central hub.
- Works on regional bases but can span multiple regions.
- Supports IP Multicast, so can distribute the same content to multiple specific destinations (NOT supported by any other service)
- Overall used to simplify network typology.
- With multiple sites all on different VPN connections, you can use VPN CloudHub to securely connect them.
- Low cost easy to manage.
- Operates over public internet, but all traffic is encrypted.