VPC (Virtual Private Cloud) [VPC FAQ ]
- A VPC is like a logical data center. It lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
- A VPC consists of:
-
- Internet Gateways or Virtual Private Gateways (VPC can have only one internet gateway)
- Route Tables
- NACLs (Network Access Control lists, stateless)
- Subnets (1 Subnet = 1 AZ, we can’t have one subnet stretched across multiple AZs but we can have multiple subnets in one AZ)
- Security Groups (stateful)
- All VPC traffic can be logged via [ VPC Flowlogs ]
- In an Amazon VPC, an EC2 instance retains it’s private IP address when the instance is stopped.
- Amazon doesn’t allow /8 block size, the largest we can have is /16.
[ VPC Scenarios and Examples ]
What can we do with a VPC?
- Launch instances into a subnet of your choosing
- Assign custom IP address ranges in each subnet
- Configure route tables between subnets
- Create internet gateway and attach it to our VPC
- Much better security control over your AWS resources
- Instance security groups
- Subnet network access control lists (ACLs)
Default VPC vs Custom VPC
- Default VPC is user friendly, allowing you to immediately deploy instances
- All subnets in default VPC have a route out to the internet
- Each EC2 instance has both a public and private IP address
VPC Peering
- Allows you to connect one VPC with another via a direct network route using private IP addresses.
- Instances behave as if they were on the same private network
- You can peer VPC’s with other AWS accounts as well as with other VPCs in the same account.
- Peering is in a star configuration: ie 1 central VPC peers with 4 others. No transitive peering!! We can’t peer from one VPC to another through other VPC (middle VPC) we need to create a direct connection for the VPCs to communicate.
- You can peer within regions
Creating a VPC
- When we first create a VPC, we will have security groups, ACL and route table, we will not have subnets and gateway. We need to create subnets later.
- After creating a VPC we need to enable auto-assign public IPV4 address inorder to launch EC2 instances in it.
- Then create a gateway and attach it to a VPC. we can only have one gateway per VPC.
- Then create a route table for the public and edit routes to access the internet
NAT gateways and NAT instances
- NAT is used for traffic routing
- It’s best practice to always enable HTTP and HTTPs traffic.
- Must be provisioned into a public subnet, and it must be part of the private subnet’s route table in order for your instances in the private subnet to communicate with the outside internet.
- Instances within a private subnet cannot communicate with the outside internet by default. In order for your instances within the private subnet to communicate with the internet, you’ll need to add 0.0.0.0/0 with the target pointing to your NAT gateway/instance to the route table in the private subnet.
- The amount of traffic that NAT instance can support depends on the instance size.
- For high availability of NAT instances, you can create Autoscaling Groups, multiple subnets in different AZs, and a script to automate failover.
- Always use NAT gateways instead of instances
NAT instance | NAT Gateway |
Custom EC2 instances provisioned via custom community AMIs | Provisioned and managed by AWS |
The amount of traffic handled by a NAT instance depends on its size – bigger instances handle more traffic. | Managed by AWS and scale automatically up to , and are preferred over NAT instances which are custom community AMIs. |
NAT instances are behind a security groups | Not associated with security groups |
Need to disable source/dest checks disabled via the Actions->Networking menu. | No need to disable source/dest check, no security group is needed; it is all AWS managed, rather than a custom EC2 instance which needs to be maintained. |
Must be in the public subnet and must have a public ip address. | . |
Performance depends on the instance size/td> | Scale automatically up to 45GBPS |
Needs patching of the OS | Doesn’t need patching |
NAT Gateways
- Used to give access for a private subnets to connect to the internet
- Spread across multiple AZs, not dependent on a single instance
- We can only have one NAT gateway in one AZ
- Start with 5Gbps and can scale to 45Gbps
- When creating a NAT gateway you must specify the public subnet in which it should reside, and also specify the Elastic IP (EIP) address to associate with it.
- After creating the NAT gateway, you then need to update the route tables associated with one or more private subnets to point internet traffic to the NAT gateway.
- If the NAT gateway gets created with a failed status, the NAT gateway will be visible for a short period of time (usually an hour), then will be automatically deleted.
- You cannot route traffic to a NAT gateway through a VPC peering connection, a VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.
- [ More info on VPC NAT Gateways ]
- Source/dest checks (applies to NAT instances only). Source/dest checks are there to ensure that the EC2 instance by default must be the source or destination of any traffic it sends or receives. We want to route any outgoing traffic through our NAT instance, and route any traffic coming back in through our NAT instance. Because of this, we need to disable source/dest checks.
- Amazon provided NAT instances have the string amzn-ami-vpc in their names, so you can easily search for them in the console.
- [ Full comparison between NAT gateways and NAT instances ]
VPC Flow logs
- It is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
- Flow logs can be created at 3 levels:
- VPC
- Subnet
- Network Interface Level
- To create flow logs: VPC -> Actions -> Create Flow Log
- When creating flow logs you will need to;
- Create log group under CloudWatch
- Create IAM role: click set permissions on create flow log page
- After the flow log has been created its configuration can’t be changed
- Not all IP traffic is monitored: e.g traffic to and from 169.254.169.254 for instance metadeta, DHCP traffic
VPC DNS Names
- If you want instances in a VPC subnet to get DNS hostnames, make sure you set DNS hostnames to “yes” in the VPC configuration:
VPC Internet Gateway
- Creating a VPC also creates a route table, but doesn’t create a subnet or internet gateway by default.
- For a VPC route table to point to an internet gateway, you must first attach the internet gateway to the VPC.
- You can attach only one internet gateway to a VPC at a time; if you’re getting an error when trying to attach an Internet Gateway to a VPC, it could be that an Internet Gateway is already attached to the VPC.
- Before deleting an IGW, you must first detach it from the VPC it’s attached to.
- [ More info on VPC Internet Gateways ]
VPC Virtual Private Gateway
- An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
- [ More info ]
VPC Subnets [VPCs and Subnets]
- Use public facing subnets for public facing web servers
- Use private subnets for backend services, databases, etc.
- Each subnet is always mapped to an AZ (Availability Zone); subnets are strongly bound to an AZ
- It’s not possible to span subnets across multiple AZs. However, security groups, NACLs, and Route Tables CAN span multiple subnets and AZs. Remember: 1 subnet = 1 AZ
- Only one internet gateway can be attached to a subnet.
How to access instances in a private subnet
- A Bastion is used to securely administer EC2 instances (using SSH or RDP).
- You can’t use a NAT gateway as a Bastion host.
- You can use a Bastion (Jump Box) located in the public subnet to access instances in the private subnet by:
- SSH into the Bastion
- and then using it to SSH to instances in the private subnet. i.e. via ssh -i MyEC2KeyPair.pem ec2-user@10.0.0.2.215
Direct Connect
- Cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS direct connect, you can establish connectivity between AWS and your datacenter, office or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections.
- Useful for high throughput workloads
VPC Endpoint
-
- Enables you to privelty connect your VPC to support AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection or AWS Direct connect connection. Instances in your VPC don’t require Public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service doesn’t leave the Amazon network.
- Endpoints are virtual devices. They are horizontally scaled, redundant and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
- There are two types of VPC endpoints:
- Interface Endpoints: is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service. It supports the following services; link
- Gateway Endpoints: is a gateway that is a target for a specific route in your route table, used for traffic destined to a supported AWS service. It supports Amazon S3 and DynamoDB.
Layers of security
- For multiple layers of security, it’s recommended you use a VPC in addition to security groups and NACLs (Network Access Control Lists).
- Security groups (first layer of defense) exist at the instance level.
- NACLs (second layer of defense) exist at the subnet level.
- It’s possible to implement a private cloud (i.e. a corporate data center) using VPCs.
CIDR – Classless Inter-domain Routing
- The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
i.e.
- 10.0.0.0: Network address.
- 10.0.0.1: Reserved by AWS for the VPC router.
- 10.0.0.2: Reserved by AWS for DNS.
- 10.0.0.3: Reserved by AWS for future use.
- 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC
- Network masks:
- /16 – supports up to 65,536 IP addresses. Best for large networks.
- /24 – supports up to 256 IP addresses. Best for smaller networks.
- /27 – supports up to 32 IP addresses
- /28 – supports up to 16 IP addresses
- /32 – an absolute ip address – matches exactly one
- It’s possible to split a CIDR block into two subnets:
- one subnet can use CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 – 10.0.0.127)
- and then the other subnet can use the CIDR block 10.0.0.128/ 25 (for addresses 10.0.0.128 – 10.0.0.255)
- The allowed CIDR block size in a VPC is between a /16 and /28 netmask.
- To enable ping, you need to allow ICMP traffic.
- In order to ensure provisioned EC2 instances have a public IP address, enable “Auto-Assign Public IP” for the subnet.
Subnets and route tables
- In order for instances in your subnet to be able to access the internet, ensure that there is appropriate an entry on the route table such as 0.0.0.0/0 -> Internet Gateway
Subnets and CIDR blocks
- Subnets in a VPC cannot have overlapping CIDR blocks:
Security groups vs NACLs
Security Group | NACL |
Supports only Allow rules | Supports Allow and Deny rules |
Stateful | Stateless |
All rules are evaluated before allowing traffic | Evaluates rules in numerical order. As soon as a rule is found allowing the traffic, the traffic is allowed. |
Rules apply to specific instances | Rules apply to ALL instances in the subnet |
Unable to block IP addresses | Able to block IP addresses |
- A NACL can be applied to multiple subnets. If you attempt to assign a NACL to a subnet which already has a NACL, the new NACL will replace the existing NACL for the subnet.
- A subnet can have only one NACL assigned to it
- Types of NACL:
-
- Default – allows all traffic by default
- Custom – denies all traffic by default
- In order to allow outgoing traffic, enable outgoing and incoming ephemeral ports (1024-65535)
AWS Managed VPN Connections
- Virtual Private Gateway – the VPN concentrator on the Amazon side of the VPN connection. You create a VPG and attach it to the VPC from which you want to create the VPN connection
- Customer Gateway – a physical device or software application on your side of the VPN connection.
- To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device.
- AWS supports Internet Protocol security (IPsec) VPN connections.
aws ec2 describe-vpn-connections –vpn-connection-ids vpn-1a2b3c4d
{
“VpnConnections”: [
{
“VpnConnectionId”: “vpn-1a2b3c4d”,
…
“State”: “available”,
“VpnGatewayId”: “vgw-11aa22bb”,
“CustomerGatewayId”: “cgw-ab12cd34”,
“Type”: “ipsec.1”,
“Category”: “VPN”
}
]
}
[ More info on AWS Managed VPN Connections ]
Stateful vs Stateless
- Security groups are stateful. This means that if you add an incoming HTTP rule, there will automatically be a corresponding outgoing one.
- Subnet ACLs are stateless, which means that if you add an incoming HTTP rule, you’ll need to add an outgoing one too, otherwise HTTP traffic won’t be able to get back out of your subnet.
Default VPC
- AWS provides a default VPC. This is intended to make it user friendly to deploy and test EC2 instances on a new account. All default VPCs have routes out to the internet.
- If you delete the default VPC, you’ll need to raise an Amazon support ticket to get it back.
VPC Peering
- VPC peering can be used when a VPC needs to communicate with another VPC.
- VPC Peering is supported across multiple accounts.
- VPC peering allows direct network connection via a private ip address. Instances behave as if they were on the same private network.
- The following peering configurations are invalid:
- Overlapping CIDR blocks
- Transitive peering
- Edge to edge routing through a gateway or private connection
[ More info on invalid peering configurations ]
- VPC peering is only supported in a star configuration.
Transitive peering / edge-to-edge routing is not supported. i.e. if you have VPC A <-> VPC B <-> VPC C, VPC A can communicate with VPC B, and VPC B with C, but A cannot directly communicate with C unless a direct connection is made between A and C.
- You must update both sides of the route tables for VPC peering to work
- In the screenshot below, myPrimaryVPC and myPeeredVPC are peered, and have route tables which allow traffic to be routed between each other. If ICMP rules are enabled in security groups, they can ping each other.
myPrimaryVPC’s Route Table
myPeeredVPC’s route table
Elastic Network Interface (ENI)
- Also referred to as a “Network Interface”, is a virtual network interface that you can attach to an EC2 instance in a VPC. Network interfaces are available only for instances running in a VPC.
- You can attach a network interface to an instance:
- When it’s running (hot attach)
- When it’s stopped (warm attach)
- When the instance is being launched (cold attach)
- Note that an Elastic Network Interface can only be reassigned within the same AZ, and cannot be assigned to an EC2 instance in a different AZ.
Exam tips
Know how to build out a VPC from memory before going into the exam. Even though you don’t actually build a VPC in the exam, the knowledge of how to build it out from memory will be immensely helpful.
VPC
Question 1: VPC stands for
A. Very Private Cloud
B. Virtual Public Cloud
C. Virtual Private Cloud
D. Very Public Cloud
Question 2: Having just created a new VPC and launching an instance into its Public Subnet, you realise that you have forgotten to assign a Public IP to the instance during creation. What is the simplest way to make your instance reachable from the outside world?
A. Create an Elastic IP and new Network Interface. Associate the Elastic IP to the new Network Interface, and the new Network Interface to your instance.
B. Associate the private IP of your instance to the public IP of the internet Gateway
C. Create an ELastic IP address and associate it with your instance
D. Nothing – it will have public IP by default.
Question 3: True or False: A subnet can span multiple Availability Zones.
A. False
B. True
Question 4: Are you permitted to conduct your own vulnerability scans on your own VPC without alerting AWS first?
A. Yes
B. No
Question 5: Can customers do Penetration Testing in their own VPC ?
A. True
B. False
Question 6: True or False: You can accelerate your application by adding a second Internet Gateway to your VPC.
A. True
B. False
Question 7: When peering VPCs, you may peer your VPC only with another VPC in your same AWS account.
A. False
B. True
Question 8: True or False: An Application Load Balancer must be deployed into at least two subnets.
A. True
B. False
Question 9: Which of the following is a chief advantage of using VPC endpoints to connect your VPC to services such as S3?
A. Traffic between your VPC and the other service does not leave the AMazon network
B. VPC endpoints offer a faster path through the public internet than you can realize with a NAT
C. VPC endpoints require public IP addresses, offering rapid connectivity from the public internet
D. VPC endpoints are dedicated hardware devices that can’t be accessed without the correct IAM credentials.
Question 10: Which of the following allows you to SSH or RDP into an EC2 instance located in a private subnet?
A. Bastion Host
B. NAT Instance
C. NAT Gateway
D. Internet Gateway
Question 11: How many internet gateways can I attach to my custom VPC
A. 1
B. 2
C. 3
D. One per Availability Zone
Question 12: You have five VPCs in a ‘hub and spoke’ configuration, with VPC ‘A’ in the center and individually paired with VPCs ‘B’, ‘C’, ‘D’, and ‘E’, which make up the ‘spokes’. There are no other VPC connections. Which of the following VPCs can VPC ‘B’ communicate with directly?
A. VPC ‘A’
B. VPCs ‘A’ and ‘C’
C. VPCs ‘A’ and ‘E’
D. VPCs ‘C’, ‘D’ and ‘E’
Question 13: Which of the following is true?
A. Security Groups are stateful and NACL are stateless
B. Security Groups are stateless and NACL are stateful
C. Both Security Groups and NACL are stateless
D. Both Security Groups and NACL are stateful
Question 14: Which of the following offers the largest range of internal IP addresses?
A. /16
B. /28
C. /24
D. /20
Question 15: Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level
A. Network ACL
B. DB Security Groups
C. VPC security Groups
D. Route tables
Question 16: In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch. What are they?
A. A private IP address and Public IP address
B. A public IP address and secret IP address
C. An elastic IP address and Public IP address
D. An IPv6 address and Elastic IP address
Question 17: When I create a new security group, all outbound traffic is allowed by default.
A. True
B. False
Question 18: By default, how many VPCs am I allowed in each AWS Region?
A. 1
B. 2
C. 6
D. 5
Question 19: Select the incorrect statement.
A. In Amazon VPC. and instance retains its private IP
B. It is possible to have private subnets in a VPC
C. In Amazon VPC, an instance doesn’t retain its private IP
D. You may have only 1 internet gateway per VPC
Question 20: To save administration headaches, a consultant advises that you leave all security groups in web facing subnets open on port 22 to 0.0.0.0/0 CIDR. That way, you can connect wherever you are in the world. Is this a good security design?
A. Yes
B. No
VPC Answers:
1-C 2-C 3-A 4-A 5-A 6-B 7-A 8-A 9-A 10-A 11-A 12-A 13-A 14-A 15-A 16-A 17-A 18-D 19-C 20-B
Explanations:
Q-2 – Although creating a new NIC & associating an EIP also results in your instance being accessible from the internet, it leaves your instance with 2 NICs & 2 private IPs as well as the Public Address and is therefore not the simplest solution. By default, any user-created VPC subnet WILL NOT automatically assign Public IPv4 Addresses to instances – the only subnet that does this is the “Default” VPC subnets automatically created by AWS in your account.
Q-10 – A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don’t confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.
Q-12– As transitive peering is not allowed, VPC ‘B’ can communicate directly only with VPC ‘A’.
Q-20– 0.0.0.0/0 would allow ANYONE from ANYWHERE to connect to your instances. This is generally a bad plan. The phrase ‘Web facing subnets..’ does not mean just web servers. It would include any instances in that subnet some of which you may not strangers attacking. You would only allow 0.0.0.0/0 on port 80 or 443 to to connect to your public facing Web Servers, or preferably only to an ELB. Good security starts by limiting public access to only what the customer needs. Please see the AWS Security white paper for complete details.