An Introduction to AWS VPCs And Its Components
What is a VPC?
An Amazon VPC is a logically isolated and secure virtual network defined within your own network space in the Amazon cloud. A VPC can span multiple availability zones within one region.
When you create a VPC, you define a CIDR block, that is, an IPv4 address range, for the VPC. For example, if you define 10.0.0.0/16, you have 65,536 IP addresses for your VPC. You can launch AWS resources within the VPC, set rules and access controls, and connect the VPC to an existing on-premises data center.
Subnets
After creating a VPC, you can define one or more ‘subnets’ inside it. Then you can launch resources like EC2 instances and databases inside a subnet. Subnets are like separate smaller networks where you can apply a set of rules for the resources in them.
In simple terms, when you create subnets, you divide the VPC network into smaller networks with subsets of the range of IP addresses you defined for your VPC. A subnet can span only one availability zone.
- Public Subnet
If a subnet is exposed to the internet, it is known as a public subnet. If you want the resources within your subnet to be reachable from the internet, attach an internet gateway to the VPC and add a route to it in the subnet's route table. The resources in that subnet also need a public IPv4 address, a public IPv6 address, or an Elastic IP address for the subnet to function as a public subnet.
- Private Subnet
A private subnet is not reachable from the internet. Simply put, if the VPC has no internet gateway, or the subnet's route table has no route to the internet gateway, then it is a private subnet.
Elastic IP Address
An Elastic IP address is a public IPv4 address allocated to your account, which you can associate with an instance in a subnet so that the instance is reachable from the internet. Unlike a regular public IPv4 address, an Elastic IP address is static: it does not change if you terminate the instance it was attached to and later launch a replacement.
You own it until you release it. Once you disassociate it from an instance, you can associate it with another one.
Make sure to release an Elastic IP address that is not associated with any instance; otherwise, Amazon charges you for it.
IPv4 and IPv6 CIDR Blocks
A Classless Inter-Domain Routing (CIDR) block is a range of IPv4 or IPv6 addresses written in the following format.
a.b.c.d/e
a, b, c and d are 8-bit numbers, so each can take a value from 0 to 255, and e indicates how many bits are allocated to the network block. So 10.0.0.0 is represented like this in binary:
0000 1010 . 0000 0000 . 0000 0000 . 0000 0000
The CIDR 10.0.0.0/16 indicates that the first 16 bits are the network block:
0000 1010 . 0000 0000 | 0000 0000 . 0000 0000
Therefore, only the last two bytes vary within the block; the first two identify the network.
Amazon currently allows VPC CIDR blocks from 10.0.0.0/16 down to 10.0.0.0/28, which have 65,536 and 16 IP addresses, respectively. However, in each subnet you cannot use the first four IP addresses and the last IP address, which Amazon reserves. For example, a 10.0.0.0/24 subnet in a 10.0.0.0/16 VPC reserves:
10.0.0.0: Network address.
10.0.0.1: Reserved for the VPC router.
10.0.0.2: Reserved by AWS.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address.
You can allocate more than one IPv4 CIDR block to your VPC.
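As an added example (not from the original article), the following Python works through the CIDR arithmetic above: it splits an IPv4 CIDR block into its network and host bits and lists the addresses AWS reserves in a subnet, enforcing the /16 to /28 limit described in the text.

```python
"""Work through the CIDR arithmetic above: show which bits of an IPv4 CIDR block
form the network part, and list the addresses AWS reserves in a subnet.
Added example, not AWS code; the /16 to /28 limit and the reserved addresses follow the text."""
from ipaddress import ip_network

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # largest (/16) and smallest (/28) VPC CIDR sizes allowed
RESERVED_PER_SUBNET = 5                   # first four addresses plus the last one


def network_host_bits(cidr):
    """Split the 32 address bits into (network bits, host bits), grouped in fours as in the text."""
    net = ip_network(cidr, strict=True)
    bits = format(int(net.network_address), "032b")
    group = lambda s: " ".join(s[i:i + 4] for i in range(0, len(s), 4))
    return group(bits[:net.prefixlen]), group(bits[net.prefixlen:])


def reserved_addresses(cidr):
    """Return the addresses AWS reserves in a subnet, keyed by the purpose given in the text."""
    net = ip_network(cidr, strict=True)
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix length must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return {
        "network address": str(net[0]),
        "VPC router": str(net[1]),
        "reserved by AWS": str(net[2]),
        "reserved for future use": str(net[3]),
        "broadcast address": str(net[-1]),
    }


def usable_addresses(cidr):
    """Addresses you can actually assign to resources in a subnet of this size."""
    return ip_network(cidr, strict=True).num_addresses - RESERVED_PER_SUBNET
```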
Route Table
A route table is a collection of routes that define where network traffic from your subnets or gateways is directed. When you create a VPC, it automatically gets a route table called the ‘main route table.’ You can create your own ‘custom route table’ and associate one or more subnets with it. Every subnet must be associated with a route table; a subnet you do not explicitly associate with a custom route table uses the main route table. One subnet can be associated with only one route table, but a route table can be associated with more than one subnet.
Each route in a route table is a destination and target pair.
Destination — The range of IP addresses.
Target — The gateway, network interface, or connection to send the destination traffic; for example, an internet gateway.
You can associate a Route Table with an internet gateway or a virtual private gateway.
Local Route
By default, every route table contains a local route for communication within the VPC. If your VPC has more than one IPv4 CIDR block or IPv6 CIDR block, it contains a local route for each of them.
This entry enables the instances in the VPC to communicate with each other.
How do you enable instances in a subnet to reach the internet over IPv4?
Add a route with destination 0.0.0.0/0, representing all IPv4 addresses, and with the target set to the ID of the internet gateway you attached to the VPC for the public subnet.
Destination: 0.0.0.0/0
Target: igw-12345678901234567
How do you enable instances in a subnet to reach the internet over IPv6?
Add a route with destination ::/0, representing all IPv6 addresses, and the same internet gateway as the target.
Destination : ::/0
Target: igw-12345678901234567
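The following Python is an added illustration, not AWS code, of how a route table picks a target: the most specific matching destination (longest prefix) wins, so the local route for the VPC CIDR takes precedence over the 0.0.0.0/0 route to the internet gateway. The gateway ID reuses the placeholder from the routes above.

```python
"""Model how a VPC route table selects a target: the longest matching prefix wins,
so the local route for the VPC CIDR takes precedence over 0.0.0.0/0 to the
internet gateway. Added example, not AWS code; the gateway id is a placeholder."""
from ipaddress import ip_address, ip_network

# A public subnet's route table: local route (added automatically) plus internet routes
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),                 # communication within the VPC
    ("0.0.0.0/0", "igw-12345678901234567"),   # all other IPv4 traffic to the internet gateway
    ("::/0", "igw-12345678901234567"),        # all IPv6 traffic to the internet gateway
]


def lookup(route_table, destination):
    """Return the target for a destination address, or None when no route matches."""
    dst = ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue
        # keep the most specific match (largest prefix length)
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None


def private_subnet_table():
    """A private subnet's table keeps only the local route: no path to the internet gateway."""
    return [route for route in ROUTE_TABLE if route[1] == "local"]
```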
Internet Gateway
An internet gateway acts as a virtual router that enables communication between your VPC and the internet. To create a public subnet, create an internet gateway, attach it to the VPC, and add the route to the subnet's route table. Resources in the subnet need a public IPv4 address, a public IPv6 address, or an Elastic IP address to connect to the internet through the internet gateway. After that, create a security group with inbound rules for the traffic the public subnet should accept and attach the security group to the instance.
NAT Gateway
If you want resources in a private subnet to reach the internet but prevent resources on the internet from initiating connections to them, use a NAT gateway. A Network Address Translation (NAT) gateway must be created in a public subnet and is given a public IPv4 or Elastic IP address in the subnet where it resides. When traffic from a device in your private subnet goes to the internet, the NAT gateway replaces the device's private IPv4 address with its own address. Similarly, it translates the address back to the original private IPv4 address when it receives the response. NAT devices only support IPv4 traffic.
Egress-Only Internet Gateway
If your instances use IPv6 and you do not want resources on the internet to initiate connections to your VPC resources, an egress-only internet gateway does that. Create an egress-only internet gateway, attach it to your VPC, and add a route for all IPv6 traffic (::/0) to it in the subnet's route table. These gateways are only for IPv6 traffic, since IPv6 addresses are globally unique and internet routable, so no address translation is involved.
VPC Security
Network Access Control Lists (NACLs)
Network Access Control Lists (NACLs) are an optional additional security layer for your VPC. A NACL acts as a firewall that controls traffic in and out of a subnet. When you create a subnet in your VPC, it is automatically associated with the VPC's default NACL, which allows all inbound and outbound IPv4 and IPv6 traffic. You can define a custom NACL, which denies all inbound and outbound traffic until you add rules.
One subnet can have only one NACL, but you can associate a NACL with multiple subnets. NACLs are stateless, meaning that allowing a request does not automatically allow its response traffic; you have to allow the return traffic explicitly, typically on the ephemeral port range. For example, the following inbound rules 1 and 2 allow all inbound IPv4 traffic to the subnet.
The following outbound rules 1 and 2 allow all outbound IPv4 traffic from the subnet.
The last rule is numbered with an asterisk (*) and cannot be changed: a packet that matches none of the rules you defined is denied by it.
Security Groups
Security groups control inbound and outbound traffic for instances in the VPC. They are stateful, meaning that if you allow an instance to send a request, you do not need to define allow rules for the response traffic. One instance can have multiple security groups, up to a maximum of 5.
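To make the stateless/stateful distinction in the two sections above concrete, here is an added Python model (not AWS code) of both evaluations: a NACL evaluated in rule-number order that falls through to the '*' deny rule, beside a stateful security group check. The rule numbers, addresses and ports are constructed for the example.

```python
"""Model a stateless network ACL (numbered rules, first match wins, '*' denies the rest)
next to a stateful security group. Added illustration, not AWS code; rule numbers,
addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    number: int      # lower numbers are evaluated first; the first match decides
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def matches(rule, proto, addr, port):
    return (rule.protocol in ("all", proto)
            and ip_address(addr) in ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)


def nacl_decision(rules, proto, addr, port):
    """Evaluate a NACL: lowest rule number first; fall through to the unchangeable '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, addr, port):
            return rule.action
    return "deny"


def security_group_allows(rules, proto, addr, port, reply_to_allowed_flow=False):
    """Security groups are stateful: the reply of an allowed flow needs no rule of its own."""
    return reply_to_allowed_flow or any(matches(r, proto, addr, port) for r in rules)


# Constructed scenario: HTTPS server in the subnet; client 203.0.113.10 uses source port 51000
INBOUND = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]  # return traffic to client ports


def nacl_https_exchange(outbound_rules):
    """Return (request allowed, reply allowed) for a NACL with the given outbound rules."""
    request = nacl_decision(INBOUND, "tcp", "203.0.113.10", 443)
    reply = nacl_decision(outbound_rules, "tcp", "203.0.113.10", 51000)
    return request == "allow", reply == "allow"


def security_group_https_exchange():
    """Same exchange through a security group: the reply is allowed by connection state."""
    request = security_group_allows(INBOUND, "tcp", "203.0.113.10", 443)
    reply = security_group_allows([], "tcp", "203.0.113.10", 51000, reply_to_allowed_flow=True)
    return request, reply
```

With only port 443 allowed outbound, the NACL drops the server's reply to the client's ephemeral port; the security group does not need the extra rule.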
VPC Private Link
AWS PrivateLink provides the technology that enables private connectivity between your VPCs, AWS services, and on-premises networks without exposing your traffic to the internet. PrivateLink powers VPC interface endpoints and Network Load Balancer-based endpoint services.
VPC Endpoints
A VPC endpoint is the entry point that allows a VPC to connect privately and securely to an AWS service powered by AWS PrivateLink. Endpoints use a private IP address within the IP address range defined for your subnet.
With a VPC endpoint, you do not need any other method, such as an internet gateway, NAT device, or AWS Direct Connect, to establish this connection. Traffic between the VPC and the service never leaves the Amazon network. There are three types of VPC endpoints.
Gateway Endpoints
A gateway endpoint provides access only to the following services:
- Amazon S3
- DynamoDB
Interface Endpoints
An interface endpoint uses an Elastic Network Interface (ENI) with a private IP address as the entry point to another AWS service. AWS PrivateLink powers it.
Gateway Load Balancer Endpoints
A Gateway Load Balancer endpoint, also powered by AWS PrivateLink, uses an Elastic Network Interface (ENI) with a private IP address to connect to a service configured behind a Gateway Load Balancer.
How to connect to a VPC endpoint?
1. Create an endpoint. You will get a list of the services available to connect to; it shows which endpoint type each service belongs to.
2. Choose the VPC to which it should be attached. For this example, we select the gateway endpoint for Amazon DynamoDB. A route associating the endpoint with the selected service is then added to the route table automatically. If you select an interface endpoint, choose the subnets instead.
(The destination is the prefix list of the chosen service, and the target is the endpoint.)
Destination : pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb)
Target : vpce-12345678
3. If you select an interface endpoint, enable DNS names for the endpoint.
4. Define security groups.
5. Define the access policy for the endpoint. You can use the default access policy or your own custom policy.
6. Add a tag to the endpoint.
VPC Flow Logs
VPC Flow Logs capture the traffic flowing in and out of the network interfaces in your VPC and publish it to either Amazon CloudWatch Logs or Amazon S3. You can capture accepted, rejected, or all traffic. Take a look at the following example.
VPC flow log 1 — captures traffic for the network interface of an EC2 instance and publishes it to an Amazon S3 bucket.
VPC flow log 2 — captures all the traffic in a subnet and publishes it to Amazon CloudWatch Logs.
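As an added example rather than part of the original article, the following Python parses flow log records in the default format and summarises rejected flows per interface and source address, the kind of check a defender runs over these logs. The log lines are constructed samples; the field order is the documented default flow log format.

```python
"""Parse VPC flow log records (default format) and summarise REJECT records per
network interface and source. Added example; the log lines are constructed samples."""
from collections import Counter, defaultdict

# Field order of the default flow log format (version 2), as documented by AWS
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample: one interface accepting SSH from an admin address and rejecting
# probes from another address, a second interface with database traffic and a NODATA record
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40001 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40002 445 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0f9e8d7c 10.0.1.25 10.0.2.40 51000 5432 6 10 800 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per record that describes actual traffic (log-status OK)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # skip malformed lines
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue                      # NODATA / SKIPDATA carry no flow fields
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def rejected_by_source(records):
    """Count REJECT records per (interface, source) and list the distinct ports each hit."""
    counts = Counter()
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            key = (rec["interface-id"], rec["srcaddr"])
            counts[key] += 1
            ports[key].add(rec["dstport"])
    return {key: (counts[key], sorted(ports[key])) for key in counts}
```

A source that accumulates rejects across several distinct ports on one interface is the pattern worth alerting on; accepted flows from unexpected sources deserve the same review.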
Bastions
If you want to avoid exposing your VPC's Linux EC2 instances to the internet but still access them securely, you can use a bastion host. A bastion host provides Secure Shell (SSH) access to Linux instances deployed in your private and public subnets. It is deployed in a public subnet and acts as a jump server or proxy that forwards inbound and outbound SSH traffic to the private EC2 instances.
When creating a bastion host, you need to attach a security group that defines the inbound and outbound rules for SSH traffic from the internet; restrict the inbound source to the address ranges you administer from rather than allowing 0.0.0.0/0.
Carrier Gateway
If you want to connect your VPC to a telecommunication carrier network, you must opt in to the Wavelength Zone for the region and extend the VPC to that zone. Wavelength Zones are AWS infrastructure deployments that place AWS compute and storage services within communications service providers' (CSP) data centers at the edge of the 5G network.
Then create subnets in that Wavelength Zone. Carrier gateways are only for VPCs with subnets in a Wavelength Zone and are similar to internet gateways.
A carrier gateway establishes connectivity between the Wavelength Zone and the telecommunication carrier network. It performs network address translation between the instances in the Wavelength Zone and IP addresses in the carrier network.
DHCP Option Sets
The Dynamic Host Configuration Protocol (DHCP) is a standard way of passing configuration information to hosts on a TCP/IP network. When you create a VPC, AWS automatically creates and associates a DHCP options set with it. You can also create your own DHCP options set for your VPC.
A DHCP message contains an ‘options’ field that carries the configuration parameters. The configuration parameters include:
- domain-name
- domain-name-servers
- ntp-servers
- netbios-name-servers
- netbios-node-type
Managed Prefix Lists
A managed prefix list is a set of CIDR blocks for the IPv4 or IPv6 address ranges you use frequently. With prefix lists, it is easier to configure and maintain security groups and route tables. AWS provides AWS-managed prefix lists, which you cannot change. You can also define your own customer-managed prefix lists and share them with other AWS accounts so they can reference them in their resources.
Transit Gateway (TGW)
Before the transit gateway was introduced, connecting multiple VPCs and an on-premises network required many VPC peering connections, which increased complexity as the network scaled. Amazon introduced the transit gateway as a solution to this. A transit gateway acts as a central hub that connects multiple VPCs and the on-premises network, eliminating the need for a mesh of VPC peering connections and simplifying the network.