VPC Dark


AMAZON VPC & NETWORKING

YOUR LOGICALLY ISOLATED NETWORK IN THE CLOUD

INTRODUCTION

Amazon Virtual Private Cloud (VPC) enables you to define and launch AWS resources in a logically isolated virtual network. It can imitate your local data center, but with all the benefits of the cloud's scalable infrastructure.

VIRTUAL PRIVATE CLOUDS

Each VPC is created for a region and always spans across all availability zones. Each of the availability zones can contain subnets, which are a further breakdown of your VPC.

Example layout (from the diagram): one AWS Region with three Availability Zones, one VPC 10.0.0.0/16, and a mix of public and private subnets in each availability zone.

SUBNETS

We separate between public and private subnets:
public: for publicly available resources
private: for resources that only need to be accessed internally and therefore do not need a public IP address

Resources in each subnet can be protected with multiple layers of security, e.g. with Security Groups (SGs) or Network Access Control Lists (ACLs). There are a lot of services that can only be launched into a VPC, like EC2 instances; some even require a private subnet, like an ElastiCache cluster.

INTERNET GATEWAYS

An Internet Gateway (IGW) is an AWS-managed, highly available VPC component that allows resources that reside in public subnets to communicate with the internet. Private subnets do not have a routing connection to the IGW.

ROUTE TABLES

Traffic inside your VPC needs directions. That's why you can create route tables, which are sets of rules that you can associate with a subnet (custom route tables). Each route table entry needs a destination and a target, which together define how traffic is routed:
destination: a range of IP addresses where traffic should go to, defined as a CIDR block, e.g. an external corporate network defined as 172.16.0.0/12
target: the gateway, network interface, or connection through which to send the destination traffic, e.g. an internet gateway

Each of your VPCs comes with a default route table (= main route table) that controls traffic for subnets which do not have a custom route table attached.

CIDR

Your VPC needs a range of IPv4 addresses that can be used by attached network interfaces. They are defined as Classless Inter-Domain Routing (CIDR) blocks. They are made up of two number sets:
prefix: the binary representation of the address
suffix: the number of leading bits of the address that are fixed as the network part

Example: 172.16.0.0 in binary is 10101100.00010000.00000000.00000000. Blocks containing this address, from largest to smallest: 172.0.0.0/8, 172.16.0.0/12, 172.16.0.0/16, 172.16.0.0/20, 172.16.0.0/24.

The allowed block size for a VPC is between 65,536 IP addresses (netmask /16) and 16 IP addresses (netmask /28).
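The prefix/suffix split, the address ladder from the diagram, the VPC block-size limit and the non-overlap requirement for peering can all be checked with the standard library. The code below is an added example, not part of the cheat sheet; the function names are mine and the sample blocks are the ones the cheat sheet uses.

```python
import ipaddress

# Added example (not from the cheat sheet): inspect a CIDR block the way the CIDR
# section describes it, as a binary prefix plus a suffix (the prefix length).


def cidr_info(block: str) -> dict:
    """Return the prefix (binary, dotted per octet), the suffix and the address count."""
    net = ipaddress.ip_network(block, strict=True)  # rejects host bits set in the prefix
    octets = str(net.network_address).split(".")
    binary = ".".join(format(int(o), "08b") for o in octets)
    return {
        "network": str(net.network_address),
        "prefix_binary": binary,
        "suffix": net.prefixlen,          # bits fixed as the network part
        "addresses": net.num_addresses,   # 2 ** (32 - suffix)
    }


# AWS limit for a VPC block: /16 (65,536 addresses) down to /28 (16 addresses).
VPC_MIN_PREFIXLEN = 16
VPC_MAX_PREFIXLEN = 28


def vpc_block_allowed(block: str) -> bool:
    """True if the block size is one AWS accepts for a VPC."""
    net = ipaddress.ip_network(block, strict=True)
    return VPC_MIN_PREFIXLEN <= net.prefixlen <= VPC_MAX_PREFIXLEN


def blocks_overlap(a: str, b: str) -> bool:
    """Peering two VPCs requires that their CIDR blocks do not overlap."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def nested_blocks(address: str, lengths=(8, 12, 16, 20, 24)) -> list:
    """The blocks of the given lengths that contain `address`, largest first
    (reproduces the 172.0.0.0/8 ... 172.16.0.0/24 ladder from the diagram)."""
    return [str(ipaddress.ip_network(f"{address}/{n}", strict=False)) for n in lengths]


if __name__ == "__main__":
    for name, value in cidr_info("172.16.0.0/20").items():
        print(f"{name:>14}: {value}")
    print(nested_blocks("172.16.0.0"))
    print("10.0.0.0/16 allowed as VPC block:", vpc_block_allowed("10.0.0.0/16"))
    print("10.0.0.0/8 allowed as VPC block:", vpc_block_allowed("10.0.0.0/8"))
    print("10.0.0.0/16 overlaps 10.0.1.0/24:", blocks_overlap("10.0.0.0/16", "10.0.1.0/24"))
```

`strict=True` is deliberate for VPC blocks: a value such as 10.0.1.0/16 has host bits set and would silently be widened to 10.0.0.0/16 by a lenient parser, which is exactly the kind of mistake that later produces an unexpected overlap with a peered VPC.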
NAT DEVICES

If you need resources in your private subnets to access the internet, you need a Network Address Translation (NAT) device that maps multiple of your private IPv4 addresses to a single public IPv4 address. There are two different types of NAT devices at AWS:
NAT Gateway: an AWS-managed gateway
NAT Instance: your own NAT device, running on EC2

The AWS-managed version can result in huge costs, as you're billed for each running hour and for each GB of traffic that is processed.

DEFAULT VPC

Each AWS account created after the end of 2013 comes with a default VPC per region. Each of those default VPCs also has a public subnet in each availability zone, an internet gateway and settings to enable DNS resolution.

VPC SHARING

Share a VPC with other accounts that are part of the same AWS Organization, so that multiple accounts can launch resources into the centrally-managed subnets but still be in full control of their resources. Participating accounts can't modify resources in shared subnets that they do not own.

(Diagram: an Organization Root with Account A and Account B, both launching resources into the shared subnets.)

This allows for a fine-grained separation of accounts for billing and access control, while still having components with high interconnectivity.

VPC PEERING

Peering connections allow you to route traffic between two VPCs as if they were in the same VPC. They also allow you to connect not only to VPCs in other regions but also to VPCs in other AWS accounts. CIDR blocks for your VPCs can't overlap.

PREFIX LISTS

You're able to bind one or several CIDR blocks into a prefix list that can later be used within your security groups or route tables. This reduces the effort of referencing each of the CIDR blocks individually.

IAM INTEGRATION

Amazon VPC is fully integrated with IAM and there are no additional costs. Create roles and policies to define which principal can perform actions on what resources, and under what conditions. VPC shares its API namespace with Amazon EC2.

DHCP OPTION SETS

Each device in a VPC requires an IP address to communicate over the network. You don't need to manually assign them but can rely on DHCP servers that use the Dynamic Host Configuration Protocol. Amazon VPC allows you to further control the information returned by the AWS-managed DHCP servers via DHCP option sets. This for example allows you to use your own domain name server for domain name resolution in your network.

SECURITY GROUPS

Security Groups (SGs) define allow rules for your traffic, inbound or outbound. They enable traffic filtering based on protocols and port numbers. SGs operate on instance level and are stateful.

Example rules:

Inbound Rules
Source      Protocol  Port Range
0.0.0.0/0   TCP       80
::/0        TCP       80
0.0.0.0/0   TCP       22

Outbound Rules
Destination  Protocol  Port Range
0.0.0.0/0    TCP       1433
::/0         TCP       1433
0.0.0.0/0    TCP       3306

NETWORK ACLS

Network Access Control Lists (NACLs) act as a firewall on network level. They can hold one or multiple allow and/or deny rules which are ordered via priority numbers. Evaluation starts with the lowest rule number and the first match will be executed. Each subnet must be assigned to a network ACL, and return traffic must be explicitly allowed (NACLs are stateless).

Example rules:

Inbound Rules
Rule  Type         Protocol  Port Range  Source        Allow/Deny
100   HTTPS        TCP       443         0.0.0.0/0     ALLOW
110   SSH          TCP       22          192.0.2.0/24  ALLOW
*     All traffic  All       All         192.0.2.0/24  DENY

Outbound Rules
Rule  Type         Protocol  Port Range  Destination   Allow/Deny
100   HTTPS        TCP       443         0.0.0.0/0     ALLOW
110   SSH          TCP       1024-65535  192.0.2.0/24  ALLOW
*     All traffic  All       All         192.0.2.0/24  DENY

VPC FLOW LOGS

Some requests are not reaching your instance? Do you want to get insights into how traffic is flowing within your VPC? You can monitor your VPC via Flow Logs. Those logs capture details about how IP traffic is going to and from network interfaces in your VPC. The logs can be shipped to either CloudWatch, S3, or Kinesis Data Firehose.

Example flow log records (abbreviated):
[...] eni-5123b7ac012345678 219.42.22.48 172.16.0.101 [...] ACCEPT OK
[...] eni-5123b7ac012345678 172.31.16.139 219.42.22.48 [...] REJECT OK

Looking at the example flow logs above, an incoming request was accepted, but the response was rejected. This could happen even if you've defined allow rules for inbound traffic in your security group and network ACLs. As security groups are stateful, responses are allowed. ACLs are not stateful, so a missing outbound allow rule does result in a rejection.
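The difference between a stateful security group and a stateless network ACL, and the accepted-request/rejected-reply pattern shown in the flow log records above, can be reproduced with a small model. The code below is an added example, not code from the cheat sheet or from AWS. It takes the rule numbers, ports and CIDRs from the NACL tables above, models the `*` catch-all as matching every address (which is how AWS evaluates it), and constructs the request packets itself; the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example, not code from the cheat sheet or from AWS: a small model of how a
# stateless network ACL and a stateful security group treat a request and its reply.
# Rule numbers, CIDRs and ports come from the cheat sheet's example tables; the
# packets (addresses, ephemeral ports) are constructed for the demonstration.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", ...
    src_port: int
    dst_port: int

    def reply(self) -> "Packet":
        return Packet(self.dst, self.src, self.proto, self.dst_port, self.src_port)


@dataclass(frozen=True)
class NaclRule:
    number: int                        # evaluation order; the '*' catch-all sorts last
    proto: str                         # "tcp" or "all"
    ports: Optional[Tuple[int, int]]   # inclusive range on the destination port, None = all
    cidr: str                          # source CIDR (inbound) or destination CIDR (outbound)
    action: str                        # "ALLOW" or "DENY"


CATCH_ALL = 32767  # AWS evaluates the '*' rule after every numbered rule


def nacl_evaluate(rules: List[NaclRule], pkt: Packet, direction: str) -> str:
    """Stateless: lowest rule number first, first match wins, no memory of earlier packets."""
    addr = ipaddress.ip_address(pkt.src if direction == "inbound" else pkt.dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto != "all" and rule.proto != pkt.proto:
            continue
        if rule.ports is not None and not rule.ports[0] <= pkt.dst_port <= rule.ports[1]:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "DENY"  # nothing matched; the '*' rule normally makes this explicit


@dataclass(frozen=True)
class SgRule:
    proto: str
    ports: Tuple[int, int]
    cidr: str   # source CIDR (inbound) or destination CIDR (outbound)


class SecurityGroup:
    """Stateful: only allow rules exist, and the reply to an admitted packet is admitted."""

    def __init__(self, inbound: List[SgRule], outbound: List[SgRule]):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows: Set[Packet] = set()  # connection table of admitted packets

    def evaluate(self, pkt: Packet, direction: str) -> str:
        if pkt.reply() in self.flows:    # return traffic of an admitted flow
            return "ALLOW"
        addr = ipaddress.ip_address(pkt.src if direction == "inbound" else pkt.dst)
        for rule in self.rules[direction]:
            if (rule.proto == pkt.proto and rule.ports[0] <= pkt.dst_port <= rule.ports[1]
                    and addr in ipaddress.ip_network(rule.cidr)):
                self.flows.add(pkt)
                return "ALLOW"
        return "DENY"


# The cheat sheet's NACL tables; the '*' rule is modelled as matching every address.
NACL_INBOUND = [
    NaclRule(100, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    NaclRule(110, "tcp", (22, 22), "192.0.2.0/24", "ALLOW"),
    NaclRule(CATCH_ALL, "all", None, "0.0.0.0/0", "DENY"),
]
NACL_OUTBOUND = [
    NaclRule(100, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    NaclRule(110, "tcp", (1024, 65535), "192.0.2.0/24", "ALLOW"),
    NaclRule(CATCH_ALL, "all", None, "0.0.0.0/0", "DENY"),
]


def subnet_verdict(nacl_in, nacl_out, sg: SecurityGroup, request: Packet) -> dict:
    """Walk a request into the instance and its reply back out; every layer must allow."""
    if nacl_evaluate(nacl_in, request, "inbound") != "ALLOW":
        return {"request": "REJECT", "reply": "not sent"}
    if sg.evaluate(request, "inbound") != "ALLOW":
        return {"request": "REJECT", "reply": "not sent"}
    reply = request.reply()
    reply_sg = sg.evaluate(reply, "outbound")
    reply_nacl = nacl_evaluate(nacl_out, reply, "outbound") if reply_sg == "ALLOW" else "not reached"
    accepted = reply_sg == "ALLOW" and reply_nacl == "ALLOW"
    return {"request": "ACCEPT", "reply": "ACCEPT" if accepted else "REJECT",
            "reply_sg": reply_sg, "reply_nacl": reply_nacl}


def scenario(nacl_out=NACL_OUTBOUND) -> dict:
    sg = SecurityGroup(inbound=[SgRule("tcp", (443, 443), "0.0.0.0/0"),
                                SgRule("tcp", (22, 22), "192.0.2.0/24")],
                       outbound=[])  # replies need no outbound SG rule: the SG is stateful
    https_from_internet = Packet("219.42.22.48", "172.16.0.101", "tcp", 51515, 443)  # constructed
    ssh_from_office = Packet("192.0.2.10", "172.16.0.101", "tcp", 40000, 22)         # constructed
    return {"https_from_internet": subnet_verdict(NACL_INBOUND, nacl_out, sg, https_from_internet),
            "ssh_from_office": subnet_verdict(NACL_INBOUND, nacl_out, sg, ssh_from_office)}


# Mitigation: an outbound rule that admits ephemeral-port replies to any destination.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND + [NaclRule(120, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")]

if __name__ == "__main__":
    print("as on the cheat sheet:", scenario())
    print("with rule 120 added:  ", scenario(NACL_OUTBOUND_FIXED))
```

With the tables as given, the HTTPS request from the internet passes both layers, the security group admits the reply because it remembers the flow, but the outbound NACL only admits ephemeral-port traffic towards 192.0.2.0/24, so the reply to 219.42.22.48 hits the catch-all and is rejected. The SSH session from 192.0.2.0/24 completes because rule 110 covers its reply. Adding rule 120 (TCP 1024-65535 to 0.0.0.0/0) is the usual correction for a stateless ACL in front of a public service.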
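Spotting the same symptom in real flow logs means pairing each REJECT with an ACCEPT of the reversed 5-tuple on the same interface; a REJECT without such a counterpart is ordinary blocked inbound traffic and not a misconfiguration. The code below is an added example, not code from the cheat sheet or from AWS. It parses records in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status); the log lines and the account id 123456789012 are constructed, reusing the interface id and addresses from the cheat sheet's sample, and the function names are mine.

```python
# Added example, not code from the cheat sheet or from AWS: parse flow log records in
# the default format and flag replies that were rejected although the request they
# answer was accepted, the stateless-NACL symptom the VPC FLOW LOGS section describes.
# The log lines below are constructed (account id 123456789012 is a placeholder).

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_LOG = """\
2 123456789012 eni-5123b7ac012345678 219.42.22.48 172.16.0.101 51515 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-5123b7ac012345678 172.16.0.101 219.42.22.48 443 51515 6 4 320 1700000000 1700000060 REJECT OK
2 123456789012 eni-5123b7ac012345678 192.0.2.10 172.16.0.101 40000 22 6 20 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-5123b7ac012345678 172.16.0.101 192.0.2.10 22 40000 6 18 2200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-5123b7ac012345678 198.51.100.7 172.16.0.101 33333 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-5123b7ac012345678 - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one default-format record into typed fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        # NODATA / SKIPDATA records carry '-' instead of values
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _flow_key(rec: dict, reverse: bool = False) -> tuple:
    """(interface, protocol, src, sport, dst, dport), optionally with the endpoints swapped."""
    a = (rec["srcaddr"], rec["srcport"])
    b = (rec["dstaddr"], rec["dstport"])
    return (rec["interface_id"], rec["protocol"]) + ((b + a) if reverse else (a + b))


def rejected_replies(records: list) -> list:
    """REJECT records whose reversed 5-tuple was ACCEPTed on the same interface."""
    accepted = {_flow_key(r) for r in records if r["action"] == "ACCEPT"}
    return [r for r in records
            if r["action"] == "REJECT" and _flow_key(r, reverse=True) in accepted]


def unsolicited_rejects(records: list) -> list:
    """REJECT records with no accepted counterpart: ordinary blocked inbound traffic."""
    flagged = {id(r) for r in rejected_replies(records)}
    return [r for r in records if r["action"] == "REJECT" and id(r) not in flagged]


def summarize(text: str) -> dict:
    records = parse_log(text)
    return {
        "records": len(records),
        "rejected_replies": [(r["srcaddr"], r["dstaddr"], r["dstport"])
                             for r in rejected_replies(records)],
        "unsolicited_rejects": [(r["srcaddr"], r["dstport"])
                                for r in unsolicited_rejects(records)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the reply from 172.16.0.101 to 219.42.22.48 on the client's ephemeral port 51515 is the only flagged record; the rejected connection attempt to port 3389 has no accepted counterpart and is reported separately. Flow logs are aggregated per capture window, so in production the pairing should also tolerate the request and reply landing in adjacent windows.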
