DEV Community

RK

AWS - Default VPC

A default VPC is created in each region when an AWS account is created. The default VPC comes with a few VPC elements already configured:

  • Subnet in each Availability Zone
  • Main Route table
  • Main Network Access Control List (NACL)
  • Internet Gateway
  • Security Group

[Image: the default VPC]

VPC

  • In this case, the VPC CIDR (Classless Inter-Domain Routing) range is 172.31.0.0/16.
  • /16 means the first 16 bits of this range are fixed. It allows a maximum of 65536 IP addresses, starting with 172.31.0.0 and ending with 172.31.255.255.
  • This is the largest VPC that AWS allows.

Subnets

  • A subnet is simply a sub-network.
  • The address space of the VPC (in this case, the pool of 65536 addresses) can be subdivided into multiple networks.

Subnet 1

  • CIDR is 172.31.0.0/20
  • This gives 4096 IP addresses (the first 20 bits are fixed, which leaves 32 - 20 = 12 bits for hosts in the subnet, and 2^12 = 4096).
  • Out of these, AWS reserves 5 addresses for management.
  • This leaves 4091 usable addresses for the subnet.
  • The first address in the subnet is 172.31.0.0 and the last address is 172.31.15.255.

Subnet 2

  • CIDR is 172.31.16.0/20
  • The subnet has 4091 usable addresses (after the 5 reserved by AWS).
  • The first address is 172.31.16.0, the last address is 172.31.31.255.

Subnet 3

  • CIDR is 172.31.32.0/20
  • The subnet has 4091 usable addresses (after the 5 reserved by AWS).
  • The first address is 172.31.32.0, the last address is 172.31.47.255.
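The subnet arithmetic above, as an added shell example that is not part of the original post: it generalises the hand calculation to any CIDR and also lists the five addresses AWS reserves in every subnet (the first four: network address, VPC router, DNS resolver, reserved for future use; and the last: broadcast), which is where 4096 - 5 = 4091 comes from. The function names are this example's own.

```shell
# Added example, not from the original post: subnet arithmetic for any CIDR,
# plus the five addresses AWS reserves per subnet (first four and the last).

ip_to_int() {            # dotted quad -> 32-bit integer
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int_to_ip() {            # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
cidr_total() {           # 172.31.0.0/20 -> 4096, i.e. 2^(32 - prefix length)
  echo $(( 1 << (32 - ${1#*/}) ))
}
cidr_usable() {          # total minus the 5 addresses AWS reserves
  echo $(( $(cidr_total "$1") - 5 ))
}
cidr_first() {           # network address: host bits cleared
  local n total
  n=$(ip_to_int "${1%/*}"); total=$(cidr_total "$1")
  int_to_ip $(( n & ~(total - 1) ))
}
cidr_last() {            # broadcast address: host bits set
  local n total
  n=$(ip_to_int "$(cidr_first "$1")"); total=$(cidr_total "$1")
  int_to_ip $(( n + total - 1 ))
}
cidr_reserved() {        # the five addresses that cannot be assigned to an instance
  local base off
  base=$(ip_to_int "$(cidr_first "$1")")
  for off in 0 1 2 3; do int_to_ip $(( base + off )); done
  cidr_last "$1"
}

# The three default subnets from the post
for cidr in 172.31.0.0/20 172.31.16.0/20 172.31.32.0/20; do
  echo "$cidr: $(cidr_first "$cidr") - $(cidr_last "$cidr"), $(cidr_usable "$cidr") usable"
done
```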

Default Route

  • Route tables are associated with subnets.
  • Every subnet in a VPC must be associated with a route table.
  • If a subnet has no explicit association with a route table, it is implicitly associated with the main route table.
  • In the default VPC, all subnets are implicitly associated with the route table shown below.
  • A route table directs network traffic within the VPC.

[Image: the main route table of the default VPC]

The way to interpret that table is:

  • Any traffic destined for a VPC address (the 65K addresses in 172.31.0.0/16) remains local to the VPC.

  • Any traffic destined for the internet (0.0.0.0/0) is directed to the Internet Gateway that is already created and attached to the VPC.


Default NACL

  • A NACL is the security layer for a subnet.
  • Any inbound or outbound rule defined in a NACL applies to everything in the subnet with which the NACL is associated.
  • The default NACL inbound rule allows traffic from the internet (0.0.0.0/0) on any protocol/port. Similarly, the default outbound rule allows traffic to leave the subnet on any protocol/port.
  • In other words, the default NACL does nothing to protect the subnet, as it allows all traffic to enter and leave it.
  • This is why the subnets are depicted as public subnets: they are reachable from the internet.

[Image: the default NACL rules]


Default Security Group

  • Security groups act as firewalls for instances in a subnet.
  • Once traffic passes the screening at the subnet level (via NACLs), it is evaluated again by security group rules before reaching the destination (for inbound traffic).
  • Unlike NACLs, there is no DENY configuration for security groups. There must be an explicit rule in the security group for traffic to pass; otherwise, the traffic is not allowed.
  • As per the AWS documentation, the default inbound rule allows traffic from network interfaces that are assigned to the same security group.
  • The default outbound rule allows all traffic to leave the instance.

[Image: the default security group rules]


Finding Default VPC components from CLI

VPC ID

```bash
# Print Default VPC ID (in the region configured when setting up CLI)
aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output table
```

```
------------------
|  DescribeVpcs  |
+----------------+
|  vpc-522b2535  |
+----------------+
```

Store it in a variable for the following commands:

```bash
VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output text)
echo "${VPC_ID}"
```

```
vpc-522b2535
```

Describe Subnets in the VPC

```bash
# Describe Subnets
aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
    --query 'Subnets[].[SubnetId,CidrBlock,AvailabilityZone, Tags[?Key==`Name`]|[0].Value]' \
    --output table
```

```
+-----------------+------------------+-------------------+-------+
|  subnet-f82987a1|  172.31.0.0/20   |  ap-southeast-1c  |  None |
|  subnet-2234d76a|  172.31.32.0/20  |  ap-southeast-1a  |  None |
|  subnet-2c45b64a|  172.31.16.0/20  |  ap-southeast-1b  |  None |
+-----------------+------------------+-------------------+-------+
```

Describe Security Groups

```bash
# Security Groups
aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
    --query 'SecurityGroups[].[GroupId, Description]' \
    --output table
```

```
-----------------------------------------------
|           DescribeSecurityGroups            |
+--------------+------------------------------+
|  sg-4b59a835 |  default VPC security group  |
+--------------+------------------------------+
```

Describe Main Route table

```bash
# Main route table. Both conditions go in one --filters argument: a repeated
# --filters option replaces the earlier one, so the vpc-id filter would be lost.
aws ec2 describe-route-tables \
   --filters "Name=vpc-id,Values=${VPC_ID}" "Name=association.main,Values=true" \
   --query 'RouteTables[].Associations[].{RouteTableId:RouteTableId}' \
   --output table
```
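The two checks that make the default VPC public, as described in the Default Route and Default NACL sections, turned into an added shell example that is not part of the original post: the decision logic reads the text output of the same `aws ec2 describe-*` calls used above, so it can be run offline on constructed lines. `VPC_ID`, the function names and the sample lines (including the `igw-EXAMPLE` placeholder) are this example's own assumptions.

```shell
# Added example, not from the original post: flag a 0.0.0.0/0 route to the
# Internet Gateway in the main route table and an allow-all inbound NACL rule.

# Input lines: "<destination> <target>" (DestinationCidrBlock, GatewayId).
# "local" keeps VPC traffic inside; 0.0.0.0/0 via igw-* makes the subnets public.
route_exposure() {
  local dest target
  while read -r dest target; do
    if [ "$dest" = "0.0.0.0/0" ] && [ "${target#igw-}" != "$target" ]; then
      echo "internet-route"
      return 0
    fi
  done
  echo "no-internet-route"
}

# Input lines: "<rule> <egress> <protocol> <cidr> <action>". NACL rules apply
# lowest number first, so the first inbound rule covering every protocol from
# 0.0.0.0/0 decides; 32767 is the built-in catch-all deny.
nacl_exposure() {
  local rule egress proto cidr action
  while read -r rule egress proto cidr action; do
    [ "$egress" = "False" ] || continue
    [ "$proto" = "-1" ] && [ "$cidr" = "0.0.0.0/0" ] || continue
    if [ "$action" = "allow" ]; then echo "allow-all-inbound"; else echo "filtered"; fi
    return 0
  done <<EOF
$(sort -n)
EOF
  echo "filtered"
}

# Live queries against the account; VPC_ID is assumed to be set as in the post.
fetch_routes() {
  aws ec2 describe-route-tables \
    --filters "Name=vpc-id,Values=$VPC_ID" "Name=association.main,Values=true" \
    --query 'RouteTables[].Routes[].[DestinationCidrBlock,GatewayId]' --output text
}
fetch_nacl() {
  aws ec2 describe-network-acls \
    --filters "Name=vpc-id,Values=$VPC_ID" "Name=default,Values=true" \
    --query 'NetworkAcls[].Entries[].[RuleNumber,Egress,Protocol,CidrBlock,RuleAction]' --output text
}

# Constructed sample shaped like the post's default VPC (igw-EXAMPLE is a placeholder).
demo_offline() {
  printf '172.31.0.0/16\tlocal\n0.0.0.0/0\tigw-EXAMPLE\n' | route_exposure
  printf '100\tFalse\t-1\t0.0.0.0/0\tallow\n32767\tFalse\t-1\t0.0.0.0/0\tdeny\n' | nacl_exposure
}
demo_offline
```

Against a live account, `fetch_routes | route_exposure` and `fetch_nacl | nacl_exposure` give the same verdicts for the real default VPC.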
