AWS – Amazon Virtual Private Cloud (VPC)

Difficulty Level:    

What’s AWS VPC?

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.


Figure 1 – AWS Virtual Private Cloud

AWS VPC provides us availabilities to

  • Divide your private IP address range into one or more public or private subnet
  • Control inbound and outbound access to and from individual instances
  • Assign multiple IP address and attach multiple ENIs and EIPs to EC2 instances
  • Bridge your VPC and your premise IT infrastructure with a VPN connect
  • Specify your own private IP address range from any range you choose

What’s wrong if we don’t have VPC?

Before launch VPC Amazon still had Classic EC2 and other services but they have some disadvantages

  • All instances, nodes and services are internet addressable. For example: a database node should not have any public internet hostname/IP.
  • All instance, nodes and services are on a shared network, and addressable to each other. Having no public and private interface.

VPC Related Components


 Figure 2 – VPC Related Components


Internet gateway

The Amazon VPC side of connection to public internet. By default all instances in VPC cannot communicate with Internet, you must attach an Internet gateway to the VPC and ensuring that your instance have a public IP address to enable the availability to access to EC2 instance via internet connection.


VPC peering

VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses.With VPC peering you cannot

  • Create connection between VPCs that have matching or overlap CIRD blocks.
  • Create connection between VPCs in different regions
  • Reference a security group from the peer VPC as a source or destination for ingress or egress rules in your security group


VPN connection

The VPN Connection helps to create connection that links your data center to VPC. In this scenario we must have

  • A customer gateway is the anchor on the premise network of that connection.
  • A virtual private gateway is the anchor on the VPC of that connection.

The address of external interface for your customer gateway must be a static address. Basically, you can establish multiple VPC connections to a single virtual private gateway from multiple customer gateways.


Customer gateway


Virtual private gateway


AWS Direct Connect

Make easy to establish a dedicated network connection from your premise to AWS. Direct Connect helps to reduce your bandwidth costs, consistent network performance, establish private connection from premise IT infrastructure to VPC.


EC2 Instance

Amazon EC2 presents a true virtual computing environment, allowing you to use web service interfaces to launch instances with a variety of operating systems, load them with your custom application environment, manage your network’s access permissions, and run your image using as many or few systems as you desire.


Elastic IP Address

An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. Your EIP is associated with your AWS account, not a particular instance, and it remains associated with your account until you choose to explicitly release it.


Route table

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.Your VPC have main route table, if a given subnet doesn’t associate with a particular route table, it uses the main route table.


Elastic network interface

An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. You can create a network interface, attach it to an instance, detach it from an instance and attach it to another one (ENIs have a lifetime that is independent of any particular EC2 instance).Another important thing is a single EC2 can now be attached to two ENIs, each one on a distinct subnet.


VPC subnet

Subnet is a segment of a VPC’s IP address range from a range you select. If a subnet’s traffic is routed to an Internet gateway, the subnet is known as a public subnet. Otherwise it’s a private subnet.When work with subnet you need to consider about subnet sizing. With AWS VPC, it allows us to manage the size between a /28 (16 IP addresses) net-mask and /16 (65536 IP addresses) net-mask.


Security group

Security group acts as a virtual firewall for your instance. It helps to control inbound and outbound traffic. For each group we can manage rules that control the inbound traffic to instances, and separate set of rules that control the outbound traffic.Basically, security group operates the rules at instance level and it evaluates the rules before deciding whether to allow traffic or not. One more important thing is security group supports allow rules only.
Network ACL Similar with Security group but ACL operates at the subnet level. It supports both allow and deny rules.Network ACL processes rules in number order when deciding whether to allow traffic or not. And it applies to all instances in a given subnet.


Availability Zone

Availability Zone is isolated, but in a region are connected through low latency link. Within VPC, when use create a given subnet you must determine which Availability Zone it will associate with.By launching EC2 instances, creating subnets in separate Availability Zones (AZ), we can protect our applications from the failure of a single location.


Route 53

You can use Route 53 to manage internal DNS hostname for your resources (application servers, database servers or web servers). Using custom internal DNS names rather than IP addresses or AWS-provided name has benefit of

  • Flip from one database to another just by changing the mapping of a domain name such as to point to a new IP address.
  • Configure public and private hosted zones to return different external and internal IP addresses for the same domain names.


Elastic Load Balancing (ELB)

Be used to monitor and route traffic to your EC2 instances launched within VPC. You must crate and attach an Internet gateway (IGW) to your VPC if want to enable communication between the Internet and the load balancer in your subnet.ELB just supports Internet Protocol version 4 (IPv4), IPv6 is currently not available.

Four main VPC options

AWS provides 4 basic options for network architectures, you can create your infrastructure with few clicks and few minutes.


Figure 3 – Few clicks to create your own IT infrastructure

# Option The obvious choice when
1 VPC with a Single Public Subnet Only
  • Single tier application
  • Public-facing web application
  • Blog or simple website
2 VPC with Public and Private Subnets
  • Multi-tier website
  • Database and application server in private subnet
3 VPC with Public and Private Subnets and Hardware VPN Access
  • Extend existing network into cloud
  • Also need direct access from internet to VPC
  • In-house database
4 VPC with a Private Subnet Only and Hardware VPN Access
  • Extend existing infrastructure
  • No internet access to VPC


Figure 4 – VPC with VNP Connections

The common cases of using VPC

  • Host a PCI-compliant e-commerce website
  • Build a development and test environment
  • Plan for disaster recovery and business continuity
  • Extend your data center into the cloud
  • Create branch office and business unit networks

VPC Pricing

There’s no additional charge for AWS VPC, you just need to pay for VPC’s related components if you use them.

In case you create a Hardware VPN Connection to your VPC using a Virtual private gateway, you are charged for each VPN Connection-hour (about $0.05 per hour). Amazon also charge you data transferred via VPN Connection (about $0.01 per GB).


You also need to consider about VPC limitations before using it, I list here the most important things only and please refer here for more detail information.

Component Limit Comments
VPCs per region 5 This limit can be increased upon request. The limit for Internet gateways per region is directly correlated to this one. Increasing this limit will increase the limit on Internet gateways per region by the same amount.
Internet gateways per region 5 This limit is directly correlated with the limit on VPCs per region. You cannot increase this limit individually; the only way to increase this limit is to increase the limit on VPCs per region. Only one Internet gateway can be attached to a VPC at a time.
Virtual private gateways per region 5 Only one virtual private gateway can be attached to a VPC at a time. This limit can be increased upon request.
Elastic IP addresses per region for each AWS account 5 This is the limit for the number of VPC Elastic IPs you can allocate within a region. This is a separate limit from the EC2 Elastic IP address limit. This limit can be increased upon request.
Expiry time for an unaccepted VPC peering connection request 168 hours This limit can be increased via special request to AWS Support.

Best practices for using VPC

  • Automate the deployment of your infrastructure
  • Use Multi-AZ deployments in VPC for high availability
  • Use security groups and network ACLs
  • Control access with IAM users and policies
  • Use Amazon CloudWatch to monitor the health of your VPC instances and VPN link


Related Links


Son Nguyen

Son Nguyen

Son Nguyen is a Cloud Consultant working for FPT Software’s Cloud Innovation team. With deep knowledge in AWS and MS Azure, Son acts as a cloud consultant in various areas, ranging from assessment to architecture design, supporting customers from Japan, EU to US.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *