AMAZON VPC & NETWORKING

YOUR LOGICALLY ISOLATED NETWORK IN THE CLOUD

INTRODUCTION👋

Amazon Virtual Private Cloud (VPC) enables you to define and launch AWS resources in a logically isolated virtual network. It can mimic your local data center, but with all the benefits of the cloud's scalable infrastructure.

VIRTUAL PRIVATE CLOUDS☁️

Each VPC is created in a region and spans all of that region's availability zones.

Each availability zone can contain subnets, which subdivide your VPC further.

CIDR📝

Your VPC needs a range of IPv4 addresses that can be used by attached network interfaces. They are defined as Classless Inter-Domain Routing (CIDR) blocks.

They are made up of two number sets:

  • prefix: the network address, e.g. 10.0.0.0 (the dotted-decimal form of the binary address)
  • suffix: the prefix length, i.e. the number of leading bits of the address that form the network part, e.g. /16

The allowed block size for a VPC is between /16 (65,536 IP addresses) and /28 (16 IP addresses).
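The following Python example, added here and not part of the original page, takes a CIDR block apart into its prefix and suffix, validates it against the /16 to /28 VPC limits stated above, and carves it into equally sized subnets (one per availability zone). The VPC block 10.0.0.0/16 and the subnet sizes are constructed sample values.

```python
import ipaddress

# Page-stated limits for an IPv4 VPC block: /16 (65,536 addresses) to /28 (16 addresses).
VPC_LARGEST_PREFIXLEN = 16
VPC_SMALLEST_PREFIXLEN = 28


def describe_cidr(cidr: str) -> dict:
    """Split a CIDR block such as 10.0.0.0/16 into its two parts.

    prefix: the network address (dotted decimal; the binary form is shown too)
    suffix: the prefix length, i.e. how many leading bits are fixed
    """
    net = ipaddress.ip_network(cidr, strict=True)
    prefix_binary = format(int(net.network_address), "032b")
    return {
        "prefix": str(net.network_address),
        "suffix": net.prefixlen,
        "netmask": str(net.netmask),
        "prefix_bits": prefix_binary[: net.prefixlen],  # the fixed network bits
        "addresses": net.num_addresses,
    }


def is_valid_vpc_block(cidr: str) -> bool:
    """True if the block is an IPv4 network within the /16 .. /28 VPC range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        # malformed, or host bits set (e.g. 10.0.1.0/16 is not a network address)
        return False
    return net.version == 4 and VPC_LARGEST_PREFIXLEN <= net.prefixlen <= VPC_SMALLEST_PREFIXLEN


def carve_subnets(vpc_cidr: str, subnet_prefixlen: int, count: int) -> list:
    """Carve `count` equally sized subnets (e.g. one per availability zone)
    out of the VPC block, returning them as CIDR strings."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    candidates = list(vpc.subnets(new_prefix=subnet_prefixlen))
    if count > len(candidates):
        raise ValueError(
            f"{vpc_cidr} only holds {len(candidates)} /{subnet_prefixlen} subnets"
        )
    return [str(s) for s in candidates[:count]]


if __name__ == "__main__":
    # Constructed example values, not from the page.
    print(describe_cidr("10.0.0.0/16"))
    print(is_valid_vpc_block("10.0.0.0/16"), is_valid_vpc_block("10.0.0.0/8"))
    print(carve_subnets("10.0.0.0/16", 24, 3))  # one /24 per AZ
```

`strict=True` is deliberate: a block with host bits set (10.0.1.0/16) is rejected rather than silently normalised, which is the same check the VPC API applies.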

SUBNETS🔄

We distinguish between public and private subnets:

  • public: for publicly reachable resources
  • private: for resources that only need to be accessed internally and therefore do not need a public IP address.

Resources in each subnet can be protected with multiple layers of security (e.g. with Security Groups (SGs) or Network Access Control Lists (ACLs)).

â„šī¸ There are a lot of services that can only be launched into a VPC like EC2 instances - some even require a private subnet like an ElastiCache cluster.

ROUTE TABLES📒

Traffic inside your VPC needs directions. That's why you create route tables: sets of rules that you can associate with a subnet (custom route tables).

Each route table entry has a destination and a target, which together define how traffic is routed.

  • destination: the range of IP addresses the traffic is headed for, defined as a CIDR block, e.g. 172.16.0.0/12 for an external network
  • target: the gateway, network interface, or connection through which traffic for that destination is sent, e.g. an internet gateway

Each of your VPCs comes with a default route table (= main route table) that controls traffic for subnets which do not have a custom route table attached.

INTERNET GATEWAYS🌐

An Internet Gateway (IGW) is an AWS-managed, highly available VPC component that allows resources in public subnets to communicate with the internet.

Private subnets do not have a routing connection to the IGW.

NAT DEVICES📡

If you need resources in your private subnets to reach the internet, you need a Network Address Translation (NAT) device that maps multiple private IPv4 addresses to a single public IPv4 address.

There are two different types of NAT devices at AWS:

  • NAT Gateway - AWS-managed service with dedicated gateway
  • NAT Instance - your own NAT device, running on EC2

The AWS-managed version can become expensive, as you're billed for each running hour and for each GB of traffic that is processed.
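To tie the route table, internet gateway and NAT sections together, here is an added Python example (not code from the page) that models a public and a private subnet's route tables and resolves which target a destination IP is sent to. The tables, the VPC block 10.0.0.0/16 and the `igw-`, `nat-` and `pcx-` target ids are constructed placeholders. One assumption not stated on the page: VPC route tables select the most specific matching route (longest prefix match), which is documented AWS behaviour.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Constructed route tables with placeholder target ids (not from the page).
# Every table starts with the "local" route for the VPC's own CIDR block.
PUBLIC_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),      # public subnet: default route via the IGW
]
PRIVATE_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),      # private subnet: default route via a NAT device
]
PEERED_PRIVATE_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("172.16.0.0/12", "pcx-PLACEHOLDER"),  # more specific route to a peered VPC range
    ("0.0.0.0/0", "nat-PLACEHOLDER"),
]


def resolve_target(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target for a destination IP, or None if no route matches.

    The most specific matching route wins (longest prefix match), so the
    order of entries in the table does not matter.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net = None
    best_target = None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination, strict=True)
        if net.version != dst.version or dst not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target
    return best_target


def has_internet_gateway_route(route_table: List[Route]) -> bool:
    """A subnet is effectively public when its table routes to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range address standing in for "the internet"
    for name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(name, resolve_target(table, "10.0.5.7"), resolve_target(table, "203.0.113.10"))
    print("peered", resolve_target(PEERED_PRIVATE_RT, "172.20.1.1"))
```

The private table deliberately has no `igw-` target: its internet-bound traffic is handed to the NAT device, which is exactly the "private subnets do not have a routing connection to the IGW" rule from the section above.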

SECURITY GROUPS🔒

Security Groups (SG) define allow rules for your traffic - inbound or outbound. They enable traffic filtering based on protocols and port numbers.

SGs operate on instance level and are stateful.

NETWORK ACLS🔐

Network Access Control Lists (NACLs) act as a firewall on subnet level. They can hold one or multiple allow and/or deny rules which are ordered via priority numbers.

Evaluation starts with the lowest rule number, and the first matching rule is applied.

Each subnet must be assigned to a network ACL and return traffic must be explicitly allowed (NACLs are stateless).
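The following Python example is added here and is not code from the page; it implements the NACL evaluation rules just described (ascending rule number, first match wins, implicit deny at the end) and then evaluates a client's request and the instance's reply separately, which is what "stateless" means in practice. The rule sets, the client address 203.0.113.10 and the ports are constructed sample values; the `NaclRule` dataclass is a hypothetical representation, not the AWS API's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # port range (ignored for protocol "all")
    port_to: int
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound rules
    action: str      # "allow" or "deny"


def evaluate_nacl(rules: List[NaclRule], protocol: str, remote_ip: str, port: int) -> str:
    """Stateless evaluation of one packet against one direction's rule set.

    Rules are walked in ascending rule number and the first match wins; if no
    rule matches, the implicit final rule denies the packet.
    """
    remote = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if remote not in ipaddress.ip_network(rule.cidr, strict=True):
            continue
        if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"


def simulate_tcp_exchange(inbound: List[NaclRule], outbound: List[NaclRule],
                          client_ip: str, client_port: int, server_port: int) -> Tuple[str, str]:
    """Evaluate the client's request and the instance's response separately,
    because a NACL does not remember the request when it sees the response."""
    request = evaluate_nacl(inbound, "tcp", client_ip, server_port)
    # the response travels back to the client's ephemeral source port
    response = evaluate_nacl(outbound, "tcp", client_ip, client_port)
    return request, response


# Constructed rule sets (not from the page).
INBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Common mistake: outbound rules mirror the inbound port instead of the ephemeral range.
OUTBOUND_MIRRORED = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fix: explicitly allow return traffic to the clients' ephemeral ports.
OUTBOUND_FIXED = OUTBOUND_MIRRORED + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# Ordering matters: a deny numbered below the allow takes effect; numbered above it, it never fires.
INBOUND_DENY_FIRST = [NaclRule(50, "tcp", 443, 443, "203.0.113.0/24", "deny")] + INBOUND
INBOUND_DENY_LAST = INBOUND + [NaclRule(200, "tcp", 443, 443, "203.0.113.0/24", "deny")]

if __name__ == "__main__":
    print(simulate_tcp_exchange(INBOUND, OUTBOUND_MIRRORED, "203.0.113.10", 51234, 443))
    print(simulate_tcp_exchange(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 51234, 443))
    print(evaluate_nacl(INBOUND_DENY_FIRST, "tcp", "203.0.113.10", 443))
    print(evaluate_nacl(INBOUND_DENY_LAST, "tcp", "203.0.113.10", 443))
```

With the mirrored outbound rule the request is allowed but the reply is denied; a security group, being stateful, would have let the reply through on the strength of the accepted request alone.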

VPC SHARING💝

Share a VPC with other accounts that are part of the same organization, so that multiple accounts can launch resources into the centrally-managed subnets but still be in full control of their resources. Participating accounts can't modify resources in shared subnets that they do not own.

This allows for a fine-grained separation of accounts for billing and access control while still keeping highly interconnected components.

VPC PEERING🔄

Peering connections allow you to route traffic between two VPCs. The peered VPCs can be in the same AWS account or in different accounts, and in the same region or in different regions.

⚠️ CIDR blocks of peered VPCs can't overlap.

PREFIX LISTS📋

You can group one or more CIDR blocks into a prefix list that can later be referenced from your security groups or route tables. This saves you from referencing each CIDR block individually.

VPC FLOW LOGS📊

Some requests are not reaching your instance? Do you want to get insights into how traffic is flowing within your VPC?

Start monitoring your VPC via Flow Logs. They capture details about the traffic going to and from the network interfaces in your VPC. The logs can be shipped to CloudWatch, S3, or Kinesis Data Firehose.

With the example flow logs above, an incoming request was accepted, but the response was rejected. This can happen even if you've defined allow rules for inbound traffic in both your security group and your network ACL. Security groups are stateful, so the response to an accepted request is allowed automatically. Network ACLs are stateless, so if your outbound ACL rules do not allow the return traffic, the response is blocked.
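The following Python example is added here and is not code from the page. It parses flow log records in the default format (the documented field order: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and searches them for exactly the pattern described above: an accepted inbound flow whose reply on the same interface was rejected. The sample records, the account id, the interface id and the addresses are constructed, not captured traffic; it also handles NODATA records, whose traffic fields are "-".

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Field order of the default flow log format (version 2), as documented by AWS.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (not real traffic). 203.0.113.10 is a client on the
# internet, 10.0.1.25 the instance behind an interface in a public subnet.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 443 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 443 51234 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one default-format record; returns None for lines of another shape."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    record: Dict[str, object] = {}
    for name, value in zip(FIELDS, parts):
        # fields are "-" when there was no traffic (NODATA) or records were skipped
        record[name] = None if value == "-" else (int(value) if name in INT_FIELDS else value)
    return record


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def rejected_responses(records: List[Dict[str, object]]) -> List[Tuple[str, str, int, str, int]]:
    """Accepted inbound flows whose reverse flow on the same interface was rejected.

    Each hit is (interface, client addr, client port, server addr, server port):
    the request got in, but the reply was dropped, the signature of a stateless
    network ACL without an outbound rule for the return traffic.
    """
    accepted = {
        (r["interface_id"], r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"])
        for r in records if r["action"] == "ACCEPT" and r["log_status"] == "OK"
    }
    hits = []
    for r in records:
        if r["action"] != "REJECT" or r["log_status"] != "OK":
            continue
        # the reply swaps addresses and ports relative to the request
        request_key = (r["interface_id"], r["dstaddr"], r["dstport"], r["srcaddr"], r["srcport"])
        if request_key in accepted:
            hits.append(request_key)
    return hits


def rejects_by_port(records: List[Dict[str, object]]) -> Dict[int, int]:
    """Count rejected flows per destination port: a quick view of what is being blocked."""
    counts: Dict[int, int] = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT" and r["log_status"] == "OK":
            counts[r["dstport"]] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(rejected_responses(records))
    print(rejects_by_port(records))
```

The rejected reply shows up under the client's ephemeral port (51234) rather than under 443, which is why a per-port reject count alone can be misleading; pairing each reject with its accepted reverse flow is what isolates the stateless-ACL case from plain blocked inbound attempts like the SSH probe on port 22.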

DEFAULT VPC🏭

Each AWS account created after the end of 2013 comes with a default VPC per region.

Each of those default VPCs also has a public subnet in each availability zone, an internet gateway and settings to enable DNS resolution.

DHCP OPTION SETS🔧

Each device in a VPC requires an IP address to communicate over the network. You don't need to assign them manually; instead, DHCP servers hand them out via the Dynamic Host Configuration Protocol.

Amazon VPC allows you to further control the information returned by the AWS-managed DHCP servers via DHCP option sets. This lets you, for example, specify your own domain name server to be used for name resolution in your network.

IAM INTEGRATION🔐

Amazon VPC is fully integrated with IAM and there are no additional costs. Create roles and policies to define which principal can perform actions on what resources, and under what conditions.

â„šī¸ VPC shares its API namespace with Amazon EC2.