DEV Community

KrushiVasani

Things you must know about VPC

Amazon VPC

  • Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
  • Provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways.
  • A VPC is logically isolated from other VPCs on AWS.
  • Possible to connect the corporate data center to a VPC using a hardware VPN (site-to-site).
  • VPCs are region wide.
  • A default VPC is created in each region with a subnet in each AZ.
  • By default, you can create up to 5 VPCs per region.
  • You can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch).
  • A default VPC is automatically created for each AWS account the first time Amazon EC2 resources are provisioned.
  • The default VPC has all-public subnets. Public subnets are subnets that have:
    1. “Auto-assign public IPv4 address” set to “Yes”.
    2. A subnet route table with a route to an attached Internet Gateway.
  • Instances in the default VPC always have both a public and private IP address.
  • AZ names are mapped to different physical zones for different accounts (i.e. the AZ “ap-southeast-2a” may map to a different physical zone for a different user).

Components of a VPC:

  • A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.
  • Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources (maps to an AZ, 1:1).
  • Internet Gateway: The Amazon VPC side of a connection to the public Internet.
  • NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
  • Hardware VPN Connection: A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.
  • Virtual Private Gateway: The Amazon VPC side of a VPN connection.
  • Customer Gateway: Your side of a VPN connection.
  • Router: Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
  • Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
  • VPC Endpoints: Enable private connectivity to services hosted in AWS from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
  • Egress-only Internet Gateway: A stateful gateway that provides egress-only access for IPv6 traffic from the VPC to the Internet.

Options for connecting to a VPC are:

  1. Hardware based VPN
  2. Direct Connect
  3. VPN CloudHub
  4. Software VPN

Routing

  • The VPC router performs routing between AZs within a region.
  • The VPC router connects different AZs together and connects the VPC to the Internet Gateway.
  • Each subnet has a route table the router uses to forward traffic within the VPC.
  • Route tables also have entries to external destinations.
  • Up to 200 route tables per VPC.
  • Up to 50 route entries per route table.
  • Each subnet can only be associated with one route table.
  • Can assign one route table to multiple subnets.
  • If no route table is specified a subnet will be assigned to the main route table at creation time.
  • Cannot delete the main route table.
  • You can manually set another route table to become the main route table.
  • There is a default rule that allows all VPC subnets to communicate with one another – this cannot be deleted or modified.
  • Routing between subnets is always possible because of this rule – any problem communicating between subnets is more likely to be caused by security groups or NACLs.

Internet Gateways

  • An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
  • An Internet Gateway serves two purposes:
    1. To provide a target in your VPC route tables for internet-routable traffic.
    2. To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
  • Internet Gateways (IGW) must be created and then attached to a VPC, added to a route table, and then associated with the relevant subnet(s).
  • No availability risk or bandwidth constraints.
  • If your subnet is associated with a route to the Internet, then it is a public subnet.
  • You cannot have multiple Internet Gateways in a VPC.
  • IGW is horizontally scaled, redundant and HA.
  • IGW performs NAT between private and public IPv4 addresses.
  • IGW supports IPv4 and IPv6.
  • IGWs must be detached before they can be deleted.
  • Can only attach 1 IGW to a VPC at a time.

Gateway terminology:

  1. Internet gateway (IGW) – AWS VPC side of the connection to the public Internet.
  2. Virtual private gateway (VPG) – VPC endpoint on the AWS side.
  3. Customer gateway (CGW) – representation of the customer end of the connection.

To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

  1. Attach an Internet Gateway to your VPC.
  2. Ensure that your subnet’s route table points to the Internet Gateway (see below).
  3. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
  4. Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

Must update subnet route table to point to IGW, either:

  1. To all destinations, e.g. 0.0.0.0/0 for IPv4 or ::/0 for IPv6.
  2. To specific public IPv4 addresses, e.g. your company’s public endpoints outside of AWS.
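The two public-subnet criteria above (a default route to an IGW, plus auto-assign public IPv4) and the main-route-table fallback from the Routing section can be turned into an audit check. This is an added example, not code from the original post; the input dictionaries imitate the shape of `describe-subnets` / `describe-route-tables` output, and every ID and CIDR in the sample data is constructed.

```python
# Added audit helper (not from the original post): classify subnets as public or
# private from data shaped like describe-subnets / describe-route-tables output.
DEFAULT_DESTS = {"0.0.0.0/0", "::/0"}

def has_igw_default_route(route_table):
    """A route table reaches the Internet if a default route (IPv4 or IPv6) targets an IGW."""
    for r in route_table.get("Routes", []):
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest in DEFAULT_DESTS and r.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def effective_route_table(subnet_id, route_tables):
    """Explicit association wins; otherwise the subnet falls back to the VPC main table."""
    main = None
    for rt in route_tables:
        for a in rt.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return rt
            if a.get("Main"):
                main = rt
    return main

def classify_subnets(subnets, route_tables):
    """Map subnet id -> 'public', 'igw-routed-no-auto-ip' or 'private'."""
    out = {}
    for s in subnets:
        rt = effective_route_table(s["SubnetId"], route_tables)
        if rt is None or not has_igw_default_route(rt):
            out[s["SubnetId"]] = "private"
        elif s.get("MapPublicIpOnLaunch"):
            out[s["SubnetId"]] = "public"
        else:
            out[s["SubnetId"]] = "igw-routed-no-auto-ip"  # reachable only via EIP / explicit public IP
    return out

# Constructed sample: the main table is local-only; the custom table has 0.0.0.0/0 -> IGW.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a", "MapPublicIpOnLaunch": True},   # IGW route + auto-assign -> public
    {"SubnetId": "subnet-b", "MapPublicIpOnLaunch": True},   # no association -> main table -> private
    {"SubnetId": "subnet-c", "MapPublicIpOnLaunch": False},  # IGW route but no auto-assign
]
```

Run `classify_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES)` to see that auto-assign alone does not make subnet-b public, while subnet-c is Internet-routable even though its instances get no public IP by default.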

Egress-only Internet Gateway:

  1. Provides outbound Internet access for IPv6 addressed instances.
  2. Prevents inbound access to those IPv6 instances.
  3. IPv6 addresses are globally unique and are therefore public by default.
  4. Stateful – forwards traffic from instance to Internet and then sends back the response.
  5. Must create a custom route for ::/0 to the Egress-Only Internet Gateway.

NAT Gateway vs NAT Instance: (comparison image from the original post, not reproduced here)

VPC Wizard

VPC with a Single Public Subnet:

  • Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet.
  • Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.
  • Creates a /16 network with a /24 subnet. Public subnet instances use Elastic IPs or Public IPs to access the Internet.

VPC with Public and Private Subnets:

  • In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet.
  • Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).
  • Creates a /16 network with two /24 subnets.
  • Public subnet instances use Elastic IPs to access the Internet.
  • Private subnet instances access the Internet via Network Address Translation (NAT).

Security Groups

  • Security groups act like a firewall at the instance level.
  • Specifically, security groups operate at the network interface level.
  • Can only assign permit rules in a security group, cannot assign deny rules.
  • There is an implicit deny rule at the end of the security group.
  • All rules are evaluated until a permit is encountered; if no rule permits the traffic, the implicit deny applies.
  • Can control ingress and egress traffic.
  • Security groups are stateful.
  • By default, custom security groups do not have inbound allow rules (all inbound traffic is denied by default).
  • By default, default security groups do have inbound allow rules (allowing traffic from within the group).
  • All outbound traffic is allowed by default in custom and default security groups.
  • You cannot delete the security group that’s created by default within a VPC.
  • You can use security group names as the source or destination in other security groups.
  • You can use the security group name as a source in its own inbound rules.
  • Security group members can be within any AZ or subnet within the VPC.
  • Security group membership can be changed whilst instances are running.
  • Any changes made will take effect immediately.
  • Up to 5 security groups can be added per EC2 instance interface.
  • There is no limit on the number of EC2 instances within a security group.
  • You cannot block specific IP addresses using security groups, use NACLs instead.
  • You can associate a network ACL with multiple subnets; however, a subnet can only be associated with one network ACL at a time.
  • Network ACLs do not filter traffic between instances in the same subnet.
  • NACLs are the preferred option for blocking specific IPs or ranges.
  • Security groups cannot be used to block specific ranges of IPs.
  • NACL is the first line of defense, the security group is the second line.

Network ACLs

  • Network ACLs function at the subnet level.
  • The VPC router hosts the network ACL function.
  • With NACLs you can have permit and deny rules.
  • Network ACLs contain a numbered list of rules that are evaluated in order from the lowest number until the explicit deny.
  • Recommended to leave spacing between network ACL numbers.
  • Network ACLs have separate inbound and outbound rules and each rule can allow or deny traffic.
  • Network ACLs are stateless, so responses are subject to the rules for the direction of traffic.
  • NACLs only apply to traffic that is ingress or egress to the subnet not to traffic within the subnet.
  • A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic.
  • A custom NACL denies all traffic both inbound and outbound by default.
  • All subnets must be associated with a network ACL.
  • You can create custom network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
  • Each subnet in your VPC must be associated with a network ACL. If you don’t do this manually it will be associated with the default network ACL.
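The stateful-versus-stateless distinction in the Security Groups and Network ACLs sections is where most subnet connectivity mistakes come from, so here is a small model of both evaluations applied to one inbound TCP connection. This is an added example, not code from the original post; the rule sets, ports and the ephemeral port are constructed sample values.

```python
# Added example (not from the original post): how a stateless network ACL and a
# stateful security group evaluate the same inbound TCP exchange.
# Rules, ports and addresses below are constructed sample values.

def nacl_allows(rules, port):
    """NACL: rules are evaluated lowest number first and the first match wins;
    the trailing '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        lo, hi = rule["ports"]
        if lo <= port <= hi:
            return rule["action"] == "allow"
    return False  # the '*' rule at the end of every NACL

def sg_allows(rules, port):
    """Security group: allow rules only; any matching allow permits, else implicit deny."""
    return any(lo <= port <= hi for lo, hi in rules)

def evaluate_inbound_connection(nacl_in, nacl_out, sg_in, dst_port, ephemeral_port):
    """An Internet client connects to dst_port; the reply leaves from dst_port toward
    the client's ephemeral port. Returns (request_ok, reply_ok, reasons)."""
    reasons = []
    request_ok = True
    if not nacl_allows(nacl_in, dst_port):
        request_ok = False
        reasons.append(f"NACL inbound has no allow for port {dst_port}")
    if not sg_allows(sg_in, dst_port):
        request_ok = False
        reasons.append(f"security group inbound has no allow for port {dst_port}")
    # Reply: the NACL is stateless, so the outbound rules are re-checked against the
    # client's ephemeral port; the security group is stateful and passes the reply
    # automatically, so no outbound SG rule is consulted here.
    reply_ok = request_ok and nacl_allows(nacl_out, ephemeral_port)
    if request_ok and not reply_ok:
        reasons.append(f"NACL outbound has no allow for ephemeral port {ephemeral_port}")
    return request_ok, reply_ok, reasons

# Constructed rule sets: NACL allows HTTPS in and explicitly denies SSH, but the
# "broken" outbound list forgot the ephemeral return range 1024-65535.
NACL_IN = [{"number": 100, "action": "allow", "ports": (443, 443)},
           {"number": 110, "action": "deny", "ports": (22, 22)}]
NACL_OUT_BROKEN = [{"number": 100, "action": "allow", "ports": (443, 443)}]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [{"number": 110, "action": "allow", "ports": (1024, 65535)}]
SG_IN = [(443, 443)]  # no outbound SG rule is needed for the reply: the SG is stateful

if __name__ == "__main__":
    print(evaluate_inbound_connection(NACL_IN, NACL_OUT_BROKEN, SG_IN, 443, 51000))
    print(evaluate_inbound_connection(NACL_IN, NACL_OUT_FIXED, SG_IN, 443, 51000))
    print(evaluate_inbound_connection(NACL_IN, NACL_OUT_FIXED, SG_IN, 22, 51000))
```

The first call shows the classic symptom of a stateless NACL: the request is admitted but the reply is dropped until the outbound ephemeral range is added.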
