
AMAZON VIRTUAL PRIVATE CLOUD (VPC)

  • Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

  • Inside this virtual network, you can deploy AWS computing resources. These resources include, for example, Amazon Elastic Compute Cloud (Amazon EC2) or Amazon Relational Database Service (Amazon RDS) instances.


Why use an Amazon VPC:

  • You can spin up, within minutes, a logical equivalent of what previously ran in a data center.

  • It is more cost-effective than maintaining equipment in a company data center.

  • You pay for only the resources that you use.

  • It’s secure, scalable, and reliable.

  • You can create multiple Amazon VPCs, for example for testing or for separate customer accounts.


IP addressing in Amazon VPC:

  • When you create a VPC, you must specify the IPv4 address range by choosing a CIDR block, such as 10.0.0.0/16.

  • An Amazon VPC address range could be as large as /16 (65,536 addresses) or as small as /28 (16 addresses).

  • Use private IP ranges as defined in RFC 1918.

  • The VPC's address range must not overlap with the address range of any other network the VPC is connected to.

Private address range:

| RFC 1918 range              | Example Amazon VPC CIDR block |
|-----------------------------|-------------------------------|
| 10.0.0.0–10.255.255.255     | 10.0.0.0/16                   |
| 172.16.0.0–172.31.255.255   | 172.31.0.0/16                 |
| 192.168.0.0–192.168.255.255 | 192.168.0.0/16                |
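A worked check of these addressing rules, and of the five addresses AWS reserves in every subnet (described under Subnet below), added here as an example rather than taken from the page or from AWS tooling; it uses only Python's standard library, and the 10.x sample values are constructed:

```python
"""Check a VPC addressing plan against the rules on this page: /16 to /28,
RFC 1918 private space, no overlap with connected networks, and the five
addresses AWS reserves in every subnet. Added example (not from the page
or AWS); standard library only, no credentials needed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr, connected_networks=()):
    """Return the list of problems with a proposed VPC CIDR (empty means OK).

    connected_networks: CIDRs of peered VPCs, VPN-connected on-premises
    ranges, etc. that this VPC must not overlap."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: prefix must be between /16 and /28, got /{net.prefixlen}")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net}: not inside an RFC 1918 private range")
    for other in map(ipaddress.ip_network, connected_networks):
        if net.overlaps(other):
            problems.append(f"{net}: overlaps connected network {other}")
    return problems


def reserved_addresses(subnet_cidr):
    """Map the five reserved addresses of a subnet to their purpose:
    the first four (network, router, DNS, future use) and the last (broadcast)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    purposes = ("Network address", "VPC router", "DNS server", "Reserved for future use")
    reserved = {str(net.network_address + i): p for i, p in enumerate(purposes)}
    reserved[str(net.broadcast_address)] = "Network broadcast"
    return reserved


def usable_addresses(subnet_cidr):
    """Addresses left for your resources once the five reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


if __name__ == "__main__":
    print(check_vpc_cidr("10.0.0.0/16", ["10.0.0.0/16"]))  # overlaps a peered VPC
    print(check_vpc_cidr("10.1.0.0/16", ["10.0.0.0/16"]))  # [] -> acceptable
    print(check_vpc_cidr("8.0.0.0/8"))                       # too large and not private
    for ip, why in reserved_addresses("10.0.0.0/24").items():
        print(f"{ip:<12}{why}")
    print(usable_addresses("10.0.0.0/24"), usable_addresses("10.0.0.0/28"))  # 251 11
```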


Amazon VPC components:

A VPC can span multiple Availability Zones, and its key component types include:

  • Amazon VPC: A logically isolated environment for your resources within the cloud; you choose the Region when you create it.

  • Internet gateway: An internet gateway is a VPC component that enables communication between instances in a VPC and the internet.

  • Subnet: Subnets are logical network segments within your VPC. They enable you to subdivide your VPC network into smaller networks inside a single Availability Zone.

    • A subnet resides in a single Availability Zone; it cannot span zones.

    • Public Subnet: A public subnet is associated with a route table that has a route to an internet gateway.

    • Private Subnet: A private subnet has no route to an internet gateway in the route table associated with it. A NAT gateway can, however, be a target in that route table.

    • AWS reserves the first four IP addresses and the last IP address of every subnet for internal purposes.

Example:

| IP Address | Purpose                         |
|------------|---------------------------------|
| 10.0.0.0   | Network address                 |
| 10.0.0.1   | VPC router                      |
| 10.0.0.2   | Domain Name System (DNS) server |
| 10.0.0.3   | Reserved for future use         |
| 10.0.0.255 | Network broadcast               |

  • Route Table: A route table holds the route and target information required to route traffic within the Amazon VPC.

    • Each route has a destination and a target: the destination is an IP address range, and the target is the component (for example an internet gateway or NAT gateway) that traffic for that destination is sent to.

    • Every subnet must be associated with a route table.

    • A route table thus ties a subnet and its gateways together.

  • Security group: A security group is a set of firewall rules that secure instances.

    • They control which inbound and outbound traffic may reach or leave an instance.

    • Security groups are stateful.

    • Stateful means that if requests from your instance are sent, the response traffic is allowed to flow back regardless of the inbound rules.

    • A security group blocks all traffic by default; you must allow the protocol, port range, Internet Control Message Protocol (ICMP) type, and source or destination.

    • If you do not specify a particular group at launch time, an instance is automatically assigned to the default security group for the VPC.

    • A security group is associated with an instance.

  • Network Access Control List (NACL): A network ACL acts as a firewall at the subnet level.

    • NACLs are stateless.

    • Stateless means that request traffic and response traffic must each be allowed separately.

    • Network ACLs have separate inbound and outbound rules.

    • Rules are numbered (typically in increments of 10 or 100) and evaluated in ascending order; each rule either allows or denies traffic.

Difference between Security Groups & NACL:

| Security Group                            | NACL                                                             |
|-------------------------------------------|------------------------------------------------------------------|
| Operates at the instance level            | Operates at the subnet level                                     |
| Supports allow rules only                 | Supports allow & deny rules                                      |
| Stateful                                  | Stateless                                                        |
| Evaluates all rules                       | Processes rules in order                                         |
| Applies to an instance only if associated | Automatically applies to all instances in the associated subnets |

  • Primary network interface (elastic network interface): An elastic network interface is a virtual network interface (NIC) that connects an instance to a network.

    • Each instance in a VPC has a default network interface, the primary network interface, which cannot be detached from the instance.

  • Network Address Translation (NAT) Gateway: A NAT gateway permits instances in a private subnet to connect to destinations outside the VPC.

    • The NAT gateway is assigned an Elastic IP address, which is a public IP address and is located in the public subnet.
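To make the stateful/stateless and allow-only/allow-deny distinctions from the Security group and NACL bullets concrete, here is an added example (not from the page) that simulates both controls on one HTTPS exchange; the rule sets, the client address 203.0.113.5 and the blocked range 198.51.100.0/24 are constructed. It shows why a network ACL needs an outbound rule for the ephemeral ports 1024-65535 while a security group does not.

```python
"""Simulate the two controls from this page on one HTTPS exchange: a security
group (stateful, allow-only, every rule considered) and a network ACL (stateless,
allow/deny, lowest rule number first). Added example, not from the page; rules and
addresses are constructed. Rule fields: proto "-1" means all protocols, ports are
destination ports, cidr is the source (inbound) or destination (outbound) range."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto port_lo port_hi cidr action number", defaults=("allow", 100))
ANY = "0.0.0.0/0"

def matches(r, proto, dst_port, peer_ip):
    return (r.proto in ("-1", proto) and r.port_lo <= dst_port <= r.port_hi
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.cidr))

class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.rules, self.tracked = {"in": inbound, "out": outbound}, set()
    def evaluate(self, direction, proto, local_port, peer_ip, peer_port):
        key = (peer_ip, peer_port, local_port, proto)  # identical for a request and its reply
        if key in self.tracked:  # stateful: the reply passes regardless of the rules
            return "allow"
        dst_port = local_port if direction == "in" else peer_port
        if any(matches(r, proto, dst_port, peer_ip) for r in self.rules[direction]):
            self.tracked.add(key)
            return "allow"
        return "deny"  # allow-only: nothing matched, so the packet is dropped

class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
    def evaluate(self, direction, proto, local_port, peer_ip, peer_port):
        dst_port = local_port if direction == "in" else peer_port  # stateless: reply judged alone
        for r in sorted(self.rules[direction], key=lambda r: r.number):
            if matches(r, proto, dst_port, peer_ip):
                return r.action  # first match wins, so a low-numbered deny beats a later allow
        return "deny"  # the implicit final "*" rule

def https_exchange(sg, nacl, client="203.0.113.5"):  # client:50000 -> instance:443 and back
    request, reply = ("in", "tcp", 443, client, 50000), ("out", "tcp", 443, client, 50000)
    return {"sg": (sg.evaluate(*request), sg.evaluate(*reply)),
            "nacl": (nacl.evaluate(*request), nacl.evaluate(*reply))}

SG = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])  # replies need no outbound rule
NACL_NO_EPHEMERAL = NetworkAcl([Rule("tcp", 443, 443, ANY)], [Rule("tcp", 443, 443, ANY)])  # reply dropped
NACL_FIXED = NetworkAcl([Rule("-1", 0, 65535, "198.51.100.0/24", "deny", 90), Rule("tcp", 443, 443, ANY)],
                        [Rule("tcp", 1024, 65535, ANY)])  # ephemeral ports outbound carry the replies

if __name__ == "__main__":
    print(https_exchange(SG, NACL_NO_EPHEMERAL), https_exchange(SG, NACL_FIXED))
```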


Complete Architecture Diagram: (figure not reproduced in this text version)

Features:

  • IP addressing: You can assign IPv4 addresses and IPv6 addresses to your VPCs and subnets. You can also bring your public IPv4 and IPv6 GUA addresses to AWS and allocate them to resources in your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.

    Note: You can only define VPCs with CIDR blocks of /16 through /28 inclusive, which means that a VPC can contain 16 – 65,536 IP addresses.

  • Routing: Use route tables to determine where network traffic from your subnet or gateway is directed.

  • Gateways and endpoints: A gateway connects your VPC to another network. For example, use an internet gateway to connect your VPC to the internet. Use a VPC endpoint to connect to AWS services privately, without the use of an internet gateway or NAT device.

  • Peering connections: Use a VPC peering connection to route traffic between the resources in two VPCs.

  • Traffic Mirroring: Copy network traffic from network interfaces and send it to security and monitoring appliances for deep packet inspection.

  • Transit gateways: Use a transit gateway, which acts as a central hub, to route traffic between your VPCs, VPN connections, and AWS Direct Connect connections.

  • VPC Flow Logs: A flow log captures information about the IP traffic going to and from network interfaces in your VPC.

  • VPN connections: Connect your VPCs to your on-premises networks using AWS Virtual Private Network (AWS VPN).


Amazon VPC Use Cases:

  • Hosting web applications.

  • Hosting a web or e-commerce site.

  • Migrating workloads to the AWS cloud.

  • Extending a data center to the cloud (hybrid cloud).

  • Backup or disaster recovery.

  • Security and access control.


Pricing for Amazon VPC:

  • There's no additional charge for using a VPC.

  • There are, however, charges for some VPC components, such as:

    • NAT gateways

    • IP Address Manager

    • Traffic Mirroring

    • Reachability Analyzer

    • Network Access Analyzer

  • For more information, see the official Amazon VPC Pricing page.

  • Alternatively, use the AWS Pricing Calculator to estimate your costs.


Steps to create a functional Amazon VPC:

To create a functional VPC, we must create these components:

  • VPC

  • Internet Gateway

  • Subnets

  • Route table

  • Security Groups

  • NACL


1. Log in to the AWS Management Console.

2. Select the Region according to your preferences.

3. Search for VPC in the services panel.

4. On the VPC management console, click the Create VPC option.

There will be two options for creating a VPC:

  • VPC only: which will create only VPC.

  • VPC and more: which will create all the components required for the functional VPC at once.

Here I am selecting the VPC only option.

Then name the VPC and enter its CIDR block.

Then add a tag and click Create VPC.

The VPC is created successfully.

5. To create the Internet Gateway, on the left side click Internet gateways, then click Create internet gateway.

Name the Internet Gateway according to your preferences and click Create internet gateway.

Attach the new Internet Gateway to the VPC you created by clicking the Attach to a VPC option.

Select the VPC and click Attach internet gateway.

The Internet Gateway is now attached to the VPC.

6. Next, create a subnet: on the left side click Subnets, and on the subnet page click Create subnet.

First select the VPC that we created.

Then name the subnet and select an Availability Zone according to your preferences.

Then enter a CIDR block that lies within your VPC's CIDR block and click Next.

The subnet has been created successfully.


7. Creating the Route Table:

On the left side of the VPC Management Console, click Route Tables, then click Create route table.

Name the route table, select the VPC, and click Create route table.

Once the route table is created, under Routes click Edit routes.

Add a route with the Internet Gateway as its target to give the subnet public access.

Associate the subnet with the new route table: under Subnet associations, click Edit subnet associations.

Select the subnet and click Save associations.

The subnet has been associated with the route table successfully.

8. Creating the Security Group:

On the left side of the VPC Management Console, under Security, click Security Groups, then click Create security group.

Name the security group and select the VPC.

Then add inbound and outbound rules according to your preferences and click Create security group.

The security group has been created successfully.

9. Creating the NACL (optional):

On the left side of the VPC Management Console, under Security, click Network ACLs, then click Create network ACL.

Name the NACL, select the VPC, and click Create network ACL.

The NACL is created successfully.

Edit the inbound and outbound rules to allow the required traffic: under Inbound rules click Edit inbound rules, add the rule, and click Save changes; then do the same under Outbound rules.

Associate the subnet with the NACL: under Subnet associations, click Edit subnet associations.

Then select the subnet and click Save changes.

The subnet has been associated with the NACL successfully.

A fully functional Amazon VPC has now been created.
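The same nine console steps driven through the EC2 API with boto3, as an added example that is not part of the page: the resource name, the 10.0.1.0/24 subnet in us-east-1a and the HTTPS-only rules are assumptions, and `provision` accepts any object that exposes the boto3 EC2 client methods it calls. Running it for real requires AWS credentials with EC2 permissions.

```python
"""Provision the walkthrough's stack (VPC, internet gateway, public subnet,
route table, security group, network ACL) through the EC2 API with boto3.
Added example, not from the page: the name, 10.0.1.0/24 subnet, us-east-1a
and the HTTPS-only rules are assumptions; ec2 is a boto3 EC2 client."""
try:
    import boto3  # only needed for a live run against AWS
except ImportError:  # provision() also works with any object exposing the same methods
    boto3 = None

ANYWHERE = "0.0.0.0/0"


def provision(ec2, name, vpc_cidr="10.0.0.0/16", subnet_cidr="10.0.1.0/24", az="us-east-1a"):
    """Create the components in the page's step order and return their ids."""
    # Step 4: "VPC only", named with a tag
    vpc = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ec2.create_tags(Resources=[vpc], Tags=[{"Key": "Name", "Value": name}])
    # Step 5: internet gateway attached to the VPC
    igw = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw, VpcId=vpc)
    # Step 6: one subnet, in one Availability Zone, carved from the VPC range
    subnet = ec2.create_subnet(VpcId=vpc, CidrBlock=subnet_cidr, AvailabilityZone=az)["Subnet"]["SubnetId"]
    # Step 7: route table with a default route to the IGW; associating it makes the subnet public
    rtb = ec2.create_route_table(VpcId=vpc)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb, DestinationCidrBlock=ANYWHERE, GatewayId=igw)
    ec2.associate_route_table(RouteTableId=rtb, SubnetId=subnet)
    # Step 8: security group (stateful): allow HTTPS in; replies need no outbound rule
    sg = ec2.create_security_group(GroupName=f"{name}-sg", Description="HTTPS only", VpcId=vpc)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=[{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANYWHERE}]}])
    # Step 9: network ACL (stateless): HTTPS in and ephemeral ports out, or replies are dropped
    nacl = ec2.create_network_acl(VpcId=vpc)["NetworkAcl"]["NetworkAclId"]
    for egress, lo, hi in ((False, 443, 443), (True, 1024, 65535)):
        ec2.create_network_acl_entry(NetworkAclId=nacl, RuleNumber=100, Protocol="6", RuleAction="allow",
                                     Egress=egress, CidrBlock=ANYWHERE, PortRange={"From": lo, "To": hi})
    # every subnet already has an association (with the default ACL); replace it with ours
    acls = ec2.describe_network_acls(Filters=[{"Name": "association.subnet-id", "Values": [subnet]}])
    assoc = next(a["NetworkAclAssociationId"] for acl in acls["NetworkAcls"]
                 for a in acl["Associations"] if a["SubnetId"] == subnet)
    ec2.replace_network_acl_association(AssociationId=assoc, NetworkAclId=nacl)
    return {"vpc": vpc, "igw": igw, "subnet": subnet, "rtb": rtb, "sg": sg, "nacl": nacl}


if __name__ == "__main__":
    print(provision(boto3.client("ec2", region_name="us-east-1"), name="demo-vpc"))
```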
