Understanding Amazon VPC - Overview and Fundamentals
Amazon VPC (Virtual Private Cloud) is the networking foundation for your AWS resources. This article provides an overview of VPC concepts and components that we'll implement in this series.
What is Amazon VPC?
Amazon VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. Think of it as your own private data center in the cloud, but with the flexibility and scalability of AWS.
Key Characteristics
- Isolated Network Environment: Your VPC is logically isolated from other VPCs and the public internet
- Full Control: You control IP address ranges, subnets, route tables, and network gateways
- Security: Security groups and network ACLs provide layered security
- Connectivity Options: Connect to the internet, other VPCs, or your on-premises network
VPC Fundamentals
CIDR Blocks and IP Addressing
A VPC is defined by a CIDR (Classless Inter-Domain Routing) block, which determines the IP address range for your network.
Example CIDR blocks:
- 10.0.0.0/16 - Provides 65,536 IP addresses (10.0.0.0 to 10.0.255.255)
- 172.16.0.0/16 - Provides 65,536 IP addresses (172.16.0.0 to 172.16.255.255)
- 192.168.0.0/16 - Provides 65,536 IP addresses (192.168.0.0 to 192.168.255.255)
The /16 notation means the first 16 bits are the network portion, leaving 16 bits for host addresses.
Important considerations:
- Choose a CIDR block that doesn't overlap with other networks (only relevant if connecting to other VPCs or on-premises networks via VPN, Direct Connect, or VPC peering)
- Plan for future growth when selecting the block size
- AWS reserves some IP addresses in each subnet (first 4 and last 1)
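As an added example (not code from the original article), the CIDR arithmetic above carried out with Python's standard ipaddress module: the address range of a block, the usable host count after AWS's five reserved addresses, the overlap check that peering, VPN and Direct Connect require, and carving a /16 into /24 subnets. The /16 to /28 bounds are AWS's accepted prefix lengths for VPC and subnet blocks; the sample blocks are the ones listed above.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the first four (network address,
# VPC router, DNS resolver, reserved for future use) and the last (broadcast).
AWS_RESERVED_PER_SUBNET = 5
# AWS accepts VPC and subnet CIDR blocks with prefix lengths from /16 to /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR block and reject anything AWS would not accept for a VPC."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def vpc_range(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, total addresses) for a block."""
    net = validate_cidr(cidr)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses actually assignable to ENIs after AWS takes its reserved five."""
    return validate_cidr(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def find_overlaps(cidrs: list[str]) -> list[tuple[str, str]]:
    """Every pair of blocks that overlap; such pairs cannot be peered or routed
    to each other over VPN/Direct Connect without address translation."""
    nets = [validate_cidr(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def carve_subnets(vpc_cidr: str, new_prefix: int) -> list[str]:
    """Split a VPC block into equal-sized subnets of the given prefix length."""
    return [str(s) for s in validate_cidr(vpc_cidr).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(vpc_range("10.0.0.0/16"))               # ('10.0.0.0', '10.0.255.255', 65536)
    print(usable_hosts("10.0.1.0/24"))            # 251
    print(find_overlaps(["10.0.0.0/16", "10.0.128.0/17", "172.16.0.0/16"]))
    print(carve_subnets("10.0.0.0/16", 24)[:2])  # ['10.0.0.0/24', '10.0.1.0/24']
```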
Isolated Network Environment
Each VPC is completely isolated from other VPCs by default. Resources in one VPC cannot communicate with resources in another VPC unless you explicitly configure:
- VPC Peering: Direct network connection between two VPCs
- Transit Gateway: Central hub for connecting multiple VPCs
- VPN or Direct Connect: Connect VPCs to on-premises networks
Visual: VPC Isolation and Connectivity Options
Video Slideshow:
https://www.youtube.com/watch?v=N_P-SiX8wp4
NAT Gateways
NAT (Network Address Translation) Gateways enable resources in private subnets to access the internet while remaining private.
How NAT Gateways Work
Video Slideshow:
https://www.youtube.com/watch?v=DXGOl3m9ibU
Key Points
- One-way communication: Private resources can initiate connections, but external resources cannot initiate connections to private resources
- High availability: A NAT Gateway is deployed in a specific Availability Zone and is built with redundancy within that zone
- Cost: NAT Gateways incur hourly charges and data processing fees
- Scaling: Each NAT Gateway can handle up to 55,000 concurrent connections
Placement
- NAT Gateways are placed in public subnets (they need internet access)
- One NAT Gateway per Availability Zone is recommended for high availability
- A single NAT Gateway can serve multiple private subnets in the same AZ
VPC Flow Logs
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC.
What Flow Logs Capture
- Source and destination IP addresses
- Ports and protocols
- Packet and byte counts
- Action taken (ACCEPT or REJECT)
- Timestamp
Use Cases
- Security Monitoring: Identify suspicious traffic patterns
- Troubleshooting: Diagnose connectivity issues
- Compliance: Meet regulatory requirements for network monitoring
- Cost Analysis: Understand data transfer patterns
Log Destinations
- CloudWatch Logs: Real-time monitoring and alerting
Important Notes
- Flow Logs don't capture all traffic (e.g., DNS traffic to Route 53, traffic to Amazon Time Sync Service)
- Enabling Flow Logs doesn't impact network performance
- Logs are created after traffic is observed (not real-time)
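As an added example that is not part of the article, a small parser for the default flow log record format (the fields listed under "What Flow Logs Capture") with two analyses run over constructed sample records: the check behind the Security Monitoring use case (one source whose REJECTed flows hit many distinct destination ports) and per-source byte totals for the Cost Analysis use case. The account id, ENI ids and addresses are constructed placeholders, and the NODATA row shows how records without traffic must be filtered out.

```python
from collections import defaultdict

# Field order of the default flow log record format (version 2 fields).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
# Constructed sample rows (placeholder account/ENI ids); the last is a NODATA row with '-' fields.
SAMPLE_LOG = """\
2 111122223333 eni-0aa11bb22cc33dd44 198.51.100.7 10.0.1.25 40123 22 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aa11bb22cc33dd44 198.51.100.7 10.0.1.25 40124 23 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aa11bb22cc33dd44 198.51.100.7 10.0.1.25 40125 3389 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aa11bb22cc33dd44 10.0.2.14 10.0.1.25 51000 443 6 12 3100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aa11bb22cc33dd44 10.0.2.14 10.0.1.25 51001 80 6 2 120 1700000000 1700000060 REJECT OK
2 111122223333 eni-0ee55ff66aa77bb88 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line: str) -> dict:
    """Parse one space-separated record; '-' (unavailable) fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return {name: None if v == "-" else (int(v) if name in INT_FIELDS else v)
            for name, v in zip(FIELDS, parts)}

def parse_log(text: str) -> list[dict]:
    """Keep only log-status OK records; NODATA/SKIPDATA rows carry no traffic fields."""
    recs = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r["log_status"] == "OK"]

def reject_sweep_sources(records: list[dict], min_ports: int = 3) -> dict:
    """Sources whose REJECTed flows hit >= min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def accepted_bytes_by_source(records: list[dict]) -> dict:
    """Bytes moved per source over ACCEPTed flows (the data-transfer view)."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[r["srcaddr"]] += r["bytes"]
    return dict(totals)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(reject_sweep_sources(recs))      # {'198.51.100.7': [22, 23, 3389]}
    print(accepted_bytes_by_source(recs))  # {'10.0.2.14': 3100}
```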
VPC Components Summary
| Component | Purpose | Placement |
|---|---|---|
| VPC | Isolated network environment | Regional |
| Subnet | Subdivision of VPC IP range | Availability Zone specific |
| Internet Gateway | Internet access for public subnets | VPC level |
| NAT Gateway | Outbound internet for private subnets | Public subnet |
| Route Table | Traffic routing rules | Subnet association |
| Security Group | Instance-level firewall | ENI/Instance level |
| Network ACL | Subnet-level firewall | Subnet level |
| VPC Flow Logs | Network traffic logging | VPC/Subnet/ENI level |
What's Next?
In the upcoming articles, we'll dive deeper into:
- VPC Design & CIDR Planning - VPC creation, CIDR block selection, and IP address allocation strategy
- Subnet Architecture - Subnet configuration, route tables, and network ACLs implementation
- NAT Gateways & Internet Gateways - Internet Gateway and NAT Gateway setup, placement strategies, and cost optimization
- VPC Flow Logs & Network Monitoring - Flow log configuration, log analysis, and network troubleshooting
Repositories:
- terraform-aws-content-delivery-stack - Infrastructure code
- geomag-web-image - Web dashboard container image
- geomag-api-image - API service container image