Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you have defined. This virtual network closely resembles a traditional network that you would operate in your own data centre, with the benefit of using the scalable infrastructure of AWS.
A VPC is a regional resource: we can create a VPC only within a region, not at a global level. A VPC spans all of the Availability Zones in the region. AWS creates one default VPC per region.
Subnets
Subnets are Availability Zone resources: each subnet must reside entirely within one Availability Zone and cannot span zones. We can add one or more subnets in each Availability Zone (AZ).
A subnet is a range of IP addresses in your VPC. You can launch AWS resources, such as EC2 instances, into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. VPC and its key concepts, such as the CIDR block, are documented well in the AWS documentation.
CIDR block: Classless Inter-Domain Routing. An internet protocol address allocation and route aggregation methodology.
Public subnet: The subnet's IPv4 or IPv6 traffic is routed to an internet gateway or an egress-only internet gateway and can reach the public internet.
Private subnet: The subnet’s IPv4 or IPv6 traffic is not routed to an internet gateway or egress-only internet gateway and cannot reach the public internet.
VPN-only subnet: The subnet doesn't have a route to the internet gateway, but its traffic is routed to a virtual private gateway for a Site-to-Site VPN connection. Currently, AWS does not support IPv6 traffic over a Site-to-Site VPN connection.
Route Table: A set of rules, called routes, that are used to determine where network traffic is directed. We can use Route Tables to define access to the internet and between subnets.
Internet Gateway: A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet. Public subnets have a route to the internet gateway.
NAT gateway: A managed AWS service that allows EC2 instances in private subnets to connect to the internet, other VPCs, or on-premises networks.
NAT instance: A self-managed service. An EC2 instance in a public subnet that allows instances in private subnets to connect to the internet, other VPCs, or on-premises networks.
Both NAT gateways and NAT instances allow instances in our private subnets to access the internet while remaining private. Sometimes we need to reach the internet to fetch software updates. We have to deploy a NAT gateway or NAT instance in the public subnet and create a route from the private subnet to the NAT gateway or instance; the NAT device itself has a route to the internet gateway.
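The subnet definitions above (public, private, VPN-only) and the rule that a subnet CIDR must sit inside the VPC CIDR can be checked mechanically. The following is an added example, not code from the page or from AWS; the VPC layout, subnet CIDRs and gateway ids are constructed placeholders, and the route-table targets are represented as strings using the standard igw-, nat- and vgw- id prefixes.

```python
import ipaddress

# Constructed sample layout (not from any real account): one VPC and four subnets,
# each with the routes from its route table as {destination: target}. Gateway ids
# are placeholders; target id prefixes (igw-, nat-, vgw-) follow AWS naming.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-a":   {"cidr": "10.0.1.0/24",
                   "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}},
    "private-a":  {"cidr": "10.0.2.0/24",
                   "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"}},
    "vpn-only-a": {"cidr": "10.0.3.0/24",
                   "routes": {"10.0.0.0/16": "local", "192.168.0.0/16": "vgw-EXAMPLE"}},
    "broken":     {"cidr": "10.1.0.0/24",   # outside the VPC block on purpose
                   "routes": {"10.0.0.0/16": "local"}},
}


def classify_subnet(routes):
    """Apply the public / private / VPN-only definitions to a subnet's routes."""
    targets = list(routes.values())
    if any(t.startswith(("igw-", "eigw-")) for t in targets):
        return "public"       # any route to an (egress-only) internet gateway
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"     # no IGW route, but traffic goes to a virtual private gateway
    return "private"          # no IGW route; may still reach out through a NAT device


def validate_subnets(vpc_cidr, subnets):
    """Return findings for subnet CIDRs outside the VPC block or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, seen = [], {}
    for name, spec in subnets.items():
        net = ipaddress.ip_network(spec["cidr"])
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is not inside VPC {vpc}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                findings.append(f"{name}: {net} overlaps {other} ({onet})")
        seen[name] = net
    return findings


def subnet_report(vpc_cidr, subnets):
    """Classification per subnet plus validation findings, as one dict."""
    return {
        "classes": {name: classify_subnet(spec["routes"]) for name, spec in subnets.items()},
        "findings": validate_subnets(vpc_cidr, subnets),
    }


if __name__ == "__main__":
    print(subnet_report(VPC_CIDR, SUBNETS))
```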
Network ACLs
An optional layer of security for our VPC that acts as a firewall controlling traffic in and out of our subnets. It supports both allow and deny rules. Rules are based only on IP addresses: for example, we can define that all traffic coming from this IP address is allowed, or that all traffic coming from these IP addresses is denied.
Security groups
A security group acts as a virtual firewall that controls inbound and outbound traffic for an AWS resource, such as an EC2 instance. Each VPC comes with a default security group, and we can create additional security groups. A security group can be used only in the VPC for which it is created. Security groups can have only ALLOW rules. Rules can reference IP addresses and other security groups.
VPC flow logs
VPC flow logs capture information about the IP traffic going into our network interfaces. Flow logs can be created at three levels:
- VPC flow logs
- Subnet flow logs
- Elastic Network Interface(ENI) flow logs
Flow logs help to monitor and troubleshoot connectivity issues. If we have a network issue that we need to troubleshoot, we look at the flow logs, which record both allowed and denied traffic. They also capture network information from AWS-managed interfaces such as ELB, ElastiCache, Aurora, RDS, etc. VPC flow logs can be sent to S3 or CloudWatch Logs for storage.
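Because flow logs record both accepted and rejected traffic, a small parser over the records is enough to spot sources that are repeatedly rejected across several destination ports, which is a typical first step in troubleshooting or triage. This is an added example, not code from the page or from AWS; the records below are constructed in the default flow log format (version 2), with a placeholder account id, ENI id and documentation-range addresses.

```python
# Constructed sample of VPC flow log records in the default format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Account, ENI and addresses are placeholders.
SAMPLE_LINES = """\
2 123456789012 eni-EXAMPLE 203.0.113.10 10.0.1.25 44312 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.10 10.0.1.25 44313 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.10 10.0.1.25 44314 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 10.0.2.14 10.0.1.25 51000 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_record(line):
    """Split one default-format record into a dict; reject malformed lines early."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def rejected_ports_by_source(lines, min_ports=2):
    """Sources whose traffic was REJECTed on at least `min_ports` distinct destination ports.
    NODATA/SKIPDATA records carry no addresses, so they are skipped, not counted as traffic."""
    ports = {}
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        ports.setdefault(rec["srcaddr"], set()).add(int(rec["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def bytes_by_action(lines):
    """Total bytes per action (ACCEPT/REJECT) over OK records, a quick sanity view."""
    totals = {}
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] == "OK":
            totals[rec["action"]] = totals.get(rec["action"], 0) + int(rec["bytes"])
    return totals


if __name__ == "__main__":
    print(rejected_ports_by_source(SAMPLE_LINES))
    print(bytes_by_action(SAMPLE_LINES))
```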
VPC Peering
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
We can create a VPC peering connection between our own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection). VPC peering makes all the connected VPCs behave as if they were in the same network. We need to make sure that the IP ranges (CIDR blocks) defined for each VPC do not overlap.
A VPC peering connection is not transitive: it must be established between each pair of VPCs that need to communicate with one another.
VPC Endpoints
VPC endpoints enable you to privately connect your VPC to supported AWS services and to VPC endpoint services powered by PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. There are two kinds of VPC endpoint: gateway endpoints and interface endpoints.
VPN and DX
There are two ways to establish connectivity between an on-premises data centre and a VPC network. Neither can access VPC endpoints. The two ways are:
Site-to-Site VPN: The on-premises network connects to the AWS VPC using a VPN connection. The connection between the networks is encrypted, and it goes over the public network.
Direct Connect (DX): Establishes a physical connection between on-premises and AWS. The connection does not go over the public network; it is private, secure and fast.