AWS – Amazon Virtual Private Cloud (VPC)
What’s AWS VPC?
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Figure 1 – AWS Virtual Private Cloud
AWS VPC lets you:
- Divide your private IP address range into one or more public or private subnets
- Control inbound and outbound access to and from individual instances
- Assign multiple IP addresses and attach multiple ENIs and EIPs to EC2 instances
- Bridge your VPC and your on-premises IT infrastructure with a VPN connection
- Specify your own private IP address range from any range you choose
What’s wrong if we don’t have VPC?
Before VPC was launched, Amazon already offered EC2-Classic and other services, but they had some disadvantages:
- All instances, nodes and services are Internet addressable. For example, a database node should not have a public Internet hostname or IP.
- All instances, nodes and services are on a shared network and addressable to each other, with no separation between public and private interfaces.
VPC Related Components
Figure 2 – VPC Related Components
|Component||Description|
|Internet gateway||The Amazon VPC side of the connection to the public Internet. By default, instances in a VPC cannot communicate with the Internet; you must attach an Internet gateway to the VPC and ensure that your instance has a public IP address before the instance can be reached over the Internet.|
|VPC peering||VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. With VPC peering you cannot
|VPN Connection||The VPN Connection creates a connection that links your data center to your VPC. In this scenario we must have
|Customer gateway||The address of the external interface for your customer gateway must be a static address. You can establish multiple VPN connections to a single virtual private gateway from multiple customer gateways.|
|Virtual private gateway||
|AWS Direct Connect||Makes it easy to establish a dedicated network connection from your premises to AWS. Direct Connect helps reduce your bandwidth costs, provides consistent network performance, and establishes a private connection from your on-premises IT infrastructure to your VPC.|
|Amazon EC2||Amazon EC2 provides a true virtual computing environment, allowing you to use web service interfaces to launch instances with a variety of operating systems, load them with your custom application environment, manage your network's access permissions, and run your image on as many or as few systems as you desire.|
|Elastic IP address||An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. Your EIP is associated with your AWS account, not a particular instance, and it remains associated with your account until you choose to explicitly release it.|
|Route table||Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. Your VPC has a main route table; if a subnet is not explicitly associated with a particular route table, it uses the main route table.|
|Elastic network interface||An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. You can create a network interface, attach it to an instance, detach it, and attach it to another instance (ENIs have a lifetime that is independent of any particular EC2 instance). Another important point: a single EC2 instance can now be attached to two ENIs, each on a distinct subnet.|
|Subnet||A subnet is a segment of a VPC's IP address range, taken from a range you select. If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet; otherwise it is a private subnet. When working with subnets you need to consider subnet sizing: AWS VPC allows subnet sizes between a /28 netmask (16 IP addresses) and a /16 netmask (65536 IP addresses).|
|Security group||A security group acts as a virtual firewall for your instance, controlling inbound and outbound traffic. For each group we can manage one set of rules that controls inbound traffic to instances and a separate set of rules that controls outbound traffic. A security group operates at the instance level and evaluates all of its rules before deciding whether to allow traffic. One more important thing: security groups support allow rules only.|
|Network ACL||Similar to a security group, but a network ACL operates at the subnet level and supports both allow and deny rules. A network ACL processes rules in number order when deciding whether to allow traffic, and it applies to all instances in the subnet.|
|Availability Zone||Availability Zones are isolated from each other, but those within a region are connected through low-latency links. Within a VPC, when you create a subnet you must specify which Availability Zone it is associated with. By launching EC2 instances and creating subnets in separate Availability Zones (AZs), we can protect our applications from the failure of a single location.|
|Route 53||You can use Route 53 to manage internal DNS hostnames for your resources (application servers, database servers or web servers). Using custom internal DNS names rather than IP addresses or AWS-provided names has the benefit of
|Elastic Load Balancing (ELB)||Used to monitor and route traffic to your EC2 instances launched within a VPC. You must create and attach an Internet gateway (IGW) to your VPC if you want to enable communication between the Internet and the load balancer in your subnet. ELB supports only Internet Protocol version 4 (IPv4); IPv6 is currently not available.|
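The difference between the two firewall layers above (allow-only security group rules evaluated as a set, versus numbered network ACL rules with allow and deny evaluated in order until the first match) is easiest to see on a concrete packet. The following is an added example written for this page, not code from the article or from AWS; the rule and packet dictionaries, the sample rules and the `igw`-style ids are my own constructed modelling assumptions, and the model ignores ICMP types and prefix lists that real rules can carry.

```python
"""Model of AWS security group vs. network ACL evaluation for a single inbound packet.
Added example; rule/packet shapes and all sample values are constructed assumptions."""
import ipaddress
from typing import Iterable, Optional, Tuple


def _rule_matches(rule: dict, packet: dict) -> bool:
    """A rule matches when its protocol, port range and source CIDR all cover the packet."""
    if rule["protocol"] not in ("-1", packet["protocol"]):  # "-1" means all protocols
        return False
    low, high = rule["port_range"]
    if not low <= packet["port"] <= high:
        return False
    return ipaddress.ip_address(packet["source"]) in ipaddress.ip_network(rule["cidr"])


def security_group_allows(rules: Iterable[dict], packet: dict) -> bool:
    """Security groups are allow-only: all rules are considered and the packet passes if
    any rule matches. There is no deny rule, so rule order never changes the result."""
    return any(_rule_matches(rule, packet) for rule in rules)


def network_acl_decision(rules: Iterable[dict], packet: dict) -> Tuple[Optional[int], bool]:
    """Network ACLs are evaluated in ascending rule-number order and the first match wins.
    Every ACL ends with the implicit '*' rule that denies whatever nothing else matched.
    Returns (number of the matching rule, or None for the implicit rule; allowed?)."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _rule_matches(rule, packet):
            return rule["number"], rule["action"] == "allow"
    return None, False


def evaluate(sg_rules: Iterable[dict], acl_rules: Iterable[dict], packet: dict) -> bool:
    """Inbound traffic must pass the subnet's network ACL and then the instance's security group."""
    _, acl_ok = network_acl_decision(acl_rules, packet)
    return acl_ok and security_group_allows(sg_rules, packet)


# Constructed sample rules (not copied from any real account).
WEB_SG = [
    {"protocol": "tcp", "port_range": (443, 443), "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "port_range": (22, 22), "cidr": "10.0.0.0/16"},  # SSH only from inside the VPC
]
PUBLIC_SUBNET_ACL = [
    {"number": 100, "protocol": "tcp", "port_range": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"number": 110, "protocol": "tcp", "port_range": (22, 22), "cidr": "203.0.113.0/24", "action": "deny"},
    {"number": 120, "protocol": "tcp", "port_range": (22, 22), "cidr": "0.0.0.0/0", "action": "allow"},
]

if __name__ == "__main__":
    # Constructed packets: (label, packet) pairs exercising each layer.
    samples = [
        ("https from internet", {"protocol": "tcp", "port": 443, "source": "198.51.100.7"}),
        ("ssh from denied range", {"protocol": "tcp", "port": 22, "source": "203.0.113.5"}),
        ("ssh from inside VPC", {"protocol": "tcp", "port": 22, "source": "10.0.1.9"}),
        ("ssh from internet", {"protocol": "tcp", "port": 22, "source": "198.51.100.7"}),
        ("dns from internet", {"protocol": "udp", "port": 53, "source": "198.51.100.7"}),
    ]
    for label, packet in samples:
        rule_no, acl_ok = network_acl_decision(PUBLIC_SUBNET_ACL, packet)
        print(f"{label:24} ACL rule={rule_no} allow={acl_ok} "
              f"SG allow={security_group_allows(WEB_SG, packet)} "
              f"final={evaluate(WEB_SG, PUBLIC_SUBNET_ACL, packet)}")
```

Two things the run makes visible: "ssh from internet" is allowed by the ACL (rule 120) yet dropped by the security group, because a security group with no matching allow rule denies by default even though it has no deny rules; and swapping the numbers of rules 110 and 120 would shadow the deny completely, since the broad allow would then be matched first. Because network ACLs are stateless, a real ACL also needs outbound rules covering the ephemeral ports of return traffic, which this single-direction model does not cover.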
Four main VPC options
AWS provides four basic options for network architectures; you can create your infrastructure with a few clicks in a few minutes.
Figure 3 – Few clicks to create your own IT infrastructure
|#||Option||The obvious choice when|
|1||VPC with a Single Public Subnet Only||
|2||VPC with Public and Private Subnets||
|3||VPC with Public and Private Subnets and Hardware VPN Access||
|4||VPC with a Private Subnet Only and Hardware VPN Access||
Figure 4 – VPC with VPN Connections
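Whichever of the four options you pick, the layout reduces to the rules given in the component table: a subnet is public exactly when its effective route table (its own, or the VPC's main table if it has no explicit association) routes to an Internet gateway, and every subnet must fit inside the VPC range with a prefix between /16 and /28. The following planning check is an added example written for this page, not code from the article or from AWS. The route-table and subnet dictionaries, the `rtb-`/`igw-` placeholder ids and the sample layout are my constructed assumptions; the five reserved addresses per subnet are a real AWS rule (the first four and the last address of each subnet) that the article does not mention.

```python
"""Offline sanity check for a planned VPC subnet layout.
Added example; data shapes, ids and the sample layout are constructed assumptions."""
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28  # /16 (65536 addresses) down to /28 (16 addresses)

Route = Dict[str, str]  # {"destination": cidr, "target": gateway id or "local"}


def is_public_route_table(routes: List[Route]) -> bool:
    """A subnet is public when its route table sends traffic to an Internet gateway.
    Assumption: targets use AWS-style ids, where Internet gateways start with 'igw-'."""
    return any(route["target"].startswith("igw-") for route in routes)


def effective_route_table(subnet_id: str, associations: Dict[str, str],
                          route_tables: Dict[str, List[Route]], main_rt_id: str) -> List[Route]:
    """An explicit association wins; an unassociated subnet falls back to the main route table."""
    return route_tables[associations.get(subnet_id, main_rt_id)]


def check_subnet(vpc_cidr: str, subnet_cidr: str, routes: List[Route]) -> Dict[str, object]:
    """Classify one subnet and flag sizing or containment problems."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    problems = []
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet} is outside the VPC range {vpc}")
    if not MIN_PREFIX <= subnet.prefixlen <= MAX_PREFIX:
        problems.append(f"/{subnet.prefixlen} is outside the allowed /{MIN_PREFIX} to /{MAX_PREFIX} range")
    return {
        "cidr": str(subnet),
        "kind": "public" if is_public_route_table(routes) else "private",
        "total_addresses": subnet.num_addresses,
        "usable_addresses": max(subnet.num_addresses - AWS_RESERVED_PER_SUBNET, 0),
        "problems": problems,
    }


def plan_vpc(vpc_cidr: str, subnets: Dict[str, str], associations: Dict[str, str],
             route_tables: Dict[str, List[Route]], main_rt_id: str) -> Dict[str, Dict[str, object]]:
    """Check every subnet and additionally flag subnets whose ranges overlap each other."""
    report = {}
    for subnet_id, cidr in subnets.items():
        routes = effective_route_table(subnet_id, associations, route_tables, main_rt_id)
        report[subnet_id] = check_subnet(vpc_cidr, cidr, routes)
    networks = {sid: ipaddress.ip_network(cidr) for sid, cidr in subnets.items()}
    for a in networks:
        for b in networks:
            if a < b and networks[a].overlaps(networks[b]):
                report[a]["problems"].append(f"overlaps {b}")
                report[b]["problems"].append(f"overlaps {a}")
    return report


# Constructed sample layout; ids are placeholders, not real AWS resources.
SAMPLE_VPC = "10.0.0.0/16"
SAMPLE_SUBNETS = {
    "web": "10.0.0.0/24",    # public: explicitly associated with the IGW route table
    "db": "10.0.1.0/24",     # private: no association, so it uses the main route table
    "tiny": "10.0.2.0/29",   # too small for AWS
    "stray": "10.1.0.0/24",  # not inside the VPC range
}
SAMPLE_ROUTE_TABLES = {
    "rtb-main": [{"destination": "10.0.0.0/16", "target": "local"}],
    "rtb-public": [{"destination": "10.0.0.0/16", "target": "local"},
                   {"destination": "0.0.0.0/0", "target": "igw-EXAMPLE"}],
}
SAMPLE_ASSOCIATIONS = {"web": "rtb-public"}

if __name__ == "__main__":
    report = plan_vpc(SAMPLE_VPC, SAMPLE_SUBNETS, SAMPLE_ASSOCIATIONS, SAMPLE_ROUTE_TABLES, "rtb-main")
    for subnet_id, entry in report.items():
        print(subnet_id, entry)
```

The check deliberately treats the main route table as the fallback rather than as "private by definition": if someone later adds an Internet gateway route to the main table, every unassociated subnet silently becomes public, which is why production layouts usually keep the main table free of gateway routes and associate public subnets explicitly.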
The common cases of using VPC
- Host a PCI-compliant e-commerce website
- Build a development and test environment
- Plan for disaster recovery and business continuity
- Extend your data center into the cloud
- Create branch office and business unit networks
There's no additional charge for AWS VPC itself; you only pay for the related components you use.
If you create a Hardware VPN Connection to your VPC using a virtual private gateway, you are charged for each VPN Connection-hour (about $0.05 per hour). Amazon also charges for data transferred via the VPN Connection (about $0.01 per GB).
You also need to consider VPC limitations before using it. I list only the most important ones here; please refer to the AWS documentation for full details.
|Limit||Default||Comments|
|VPCs per region||5||This limit can be increased upon request. The limit for Internet gateways per region is directly correlated to this one. Increasing this limit will increase the limit on Internet gateways per region by the same amount.|
|Internet gateways per region||5||This limit is directly correlated with the limit on VPCs per region. You cannot increase this limit individually; the only way to increase this limit is to increase the limit on VPCs per region. Only one Internet gateway can be attached to a VPC at a time.|
|Virtual private gateways per region||5||Only one virtual private gateway can be attached to a VPC at a time. This limit can be increased upon request.|
|Elastic IP addresses per region for each AWS account||5||This is the limit for the number of VPC Elastic IPs you can allocate within a region. This is a separate limit from the EC2 Elastic IP address limit. This limit can be increased upon request.|
|Expiry time for an unaccepted VPC peering connection request||168 hours||This limit can be increased via special request to AWS Support.|
Best practices for using VPC
- Automate the deployment of your infrastructure
- Use Multi-AZ deployments in VPC for high availability
- Use security groups and network ACLs
- Control access with IAM users and policies
- Use Amazon CloudWatch to monitor the health of your VPC instances and VPN link