Skip to main content

VPC: Virtual Private Cloud

VPC: Virtual Private Cloud

Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your IP address range, creation of subnets, and configuration of route tables and network gateways.

What is VPC?

A VPC is your own virtual network in the AWS cloud. It's logically isolated from other virtual networks in AWS and provides you with complete control over your virtual networking environment. You can configure your VPC's IP address range, create subnets, route tables, network gateways, and security settings.

VPC Fundamentals

IP Addressing

  • CIDR Blocks: Define IP address ranges using CIDR notation (e.g., 10.0.0.0/16)
  • Private IP Ranges: Use private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Public IP Ranges: Public IP addresses are automatically assigned from AWS pool
  • Multiple CIDR Blocks: You can add multiple IPv4 CIDR blocks and IPv6 CIDR blocks

Default VPC

  • Automatic Creation: AWS automatically creates a default VPC in each region
  • Internet Gateway: Default VPC includes an internet gateway
  • Public Subnets: Default subnets are public with internet access
  • Quick Start: Useful for quick testing but not recommended for production

Custom VPC

  • Full Control: Complete control over network configuration
  • Isolation: Logical isolation from other VPCs
  • Security: Implement security best practices
  • Best Practice: Use custom VPCs for production workloads

VPC Components

Subnets

Subnets are logical subdivisions of your VPC's IP address range where you can place groups of resources.

Public Subnets
  • Internet Gateway: Route traffic through an internet gateway
  • Public IP: Instances can have public IP addresses
  • Internet Access: Direct access to the internet
  • Use Cases: Load balancers, NAT gateways, bastion hosts
Private Subnets
  • No Internet Gateway: No direct route to internet gateway
  • NAT Gateway: Access internet through NAT gateway or NAT instance
  • Better Security: Instances are not directly accessible from internet
  • Use Cases: Application servers, databases, internal services

Route Tables

Route tables control where network traffic from your subnets is directed.

Main Route Table
  • Default Route Table: Automatically created with VPC
  • Local Route: Route for VPC CIDR block (allows VPC communication)
  • Subnet Association: Subnets use main route table by default
Custom Route Tables
  • Create Separate Routes: Different routing for different subnets
  • Subnet Association: Associate subnets with specific route tables
  • Multiple Subnets: One route table can be associated with multiple subnets
Common Routes
  • Local: Traffic within VPC (0.0.0.0/0 → local)
  • Internet Gateway: Route to internet (0.0.0.0/0 → igw-xxxxx)
  • NAT Gateway: Route through NAT (0.0.0.0/0 → nat-xxxxx)
  • VPC Peering: Route to peered VPC (10.1.0.0/16 → pcx-xxxxx)
  • VPN Gateway: Route to on-premises (10.0.0.0/16 → vgw-xxxxx)

Internet Gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

Features
  • Two-Way Communication: Allows outbound and inbound internet traffic
  • NAT Not Required: Instances in public subnets don't need NAT
  • One Per VPC: One internet gateway per VPC
  • Availability: Highly available and redundant

NAT Gateway

A NAT gateway allows instances in private subnets to connect to the internet or other AWS services while preventing the internet from initiating connections with those instances.

Features
  • Outbound Only: Allows outbound internet access only
  • High Availability: Deploy in multiple Availability Zones
  • Managed Service: Fully managed by AWS
  • Bandwidth: Up to 45 Gbps
NAT Instance vs NAT Gateway
  • NAT Gateway: Managed service, highly available, better performance
  • NAT Instance: Self-managed EC2 instance, more control, requires maintenance

VPC Endpoints

VPC endpoints allow you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Gateway Endpoints
  • S3 and DynamoDB: Only support S3 and DynamoDB
  • Free: No additional charges
  • Route Table: Add routes to route tables
  • No Network Interface: No ENI required
Interface Endpoints
  • All Services: Support for most AWS services
  • PrivateLink: Powered by AWS PrivateLink
  • ENI Required: Network interface in your subnet
  • Charges: Hourly charges and data processing charges

VPC Security

Security Groups

Security groups act as virtual firewalls for your EC2 instances and other resources.

Characteristics
  • Stateful: Return traffic is automatically allowed
  • Allow Rules Only: Can only create allow rules, not deny rules
  • Instance Level: Applied at the instance or ENI level
  • Multiple Groups: Resources can belong to multiple security groups

Network ACLs (NACLs)

Network ACLs are an optional layer of security that act as a stateless firewall for controlling traffic in and out of subnets.

Characteristics
  • Stateless: Must configure both inbound and outbound rules
  • Allow and Deny: Can create both allow and deny rules
  • Subnet Level: Applied at the subnet level
  • Rule Numbers: Rules are evaluated in order by rule number
Security Groups vs NACLs
  • Security Groups: Instance-level, stateful, allow only
  • NACLs: Subnet-level, stateless, allow and deny
  • Use Together: Use both for defense in depth

VPC Connectivity

VPC Peering

VPC peering allows you to connect two VPCs and route traffic between them using private IP addresses.

Features
  • Private Connectivity: Traffic stays on AWS network
  • One-to-One: Peer connection between two VPCs
  • Cross-Region: Support for same-region and cross-region peering
  • CIDR Overlap: VPCs cannot have overlapping CIDR blocks

Transit Gateway

AWS Transit Gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks.

Features
  • Hub-and-Spoke: Central hub for network connectivity
  • Simplify Routing: Simplify network management
  • Route Tables: Support for multiple route tables
  • VPN and Direct Connect: Connect to on-premises networks

VPN Connections

Site-to-Site VPN connects your on-premises network to your VPC over an IPsec VPN connection.

Features
  • IPsec VPN: Standard IPsec VPN tunnel
  • Static or Dynamic: Support for static and dynamic routing
  • Two Tunnels: Two VPN tunnels for redundancy
  • Customer Gateway: Your on-premises VPN device

AWS Direct Connect

AWS Direct Connect establishes a dedicated network connection from your premises to AWS.

Features
  • Dedicated Connection: Private connection to AWS
  • Lower Latency: Reduce network latency
  • Consistent Performance: Predictable network performance
  • Cost Savings: Reduce data transfer costs

VPC Best Practices

Design

  • Separate VPCs: Use separate VPCs for different environments (dev, test, prod)
  • CIDR Planning: Plan CIDR blocks carefully to avoid conflicts
  • Multiple Availability Zones: Use subnets in multiple AZs for high availability
  • Public and Private Subnets: Separate public and private subnets

Security

  • Security Groups: Use security groups with least privilege
  • NACLs: Use NACLs for additional subnet-level protection
  • Flow Logs: Enable VPC Flow Logs for monitoring
  • Default Security Group: Don't use default security group

Networking

  • Internet Gateway: Use internet gateway for public subnets
  • NAT Gateway: Use NAT gateway (not NAT instance) for private subnets
  • VPC Endpoints: Use VPC endpoints for AWS service access
  • Route Tables: Keep route tables simple and well-documented

Monitoring

  • VPC Flow Logs: Enable flow logs for network monitoring
  • CloudWatch: Monitor VPC metrics in CloudWatch
  • Security Monitoring: Use GuardDuty for threat detection

By understanding VPC's capabilities and following best practices, you can build secure, scalable, and highly available network architectures in AWS. Always refer to AWS documentation for the latest features and network limits.