What is a VPC?
A Virtual Private Cloud or VPC is simply a virtual network modeled after a traditional network that allows you to launch resources in the cloud on Amazon’s infrastructure. Your VPC is made up of several features that enable you to define your network. Things like routing, VPC flow logs, subnets, IP addressing, gateways, endpoints and more. AWS users can create and manage a VPC with either the AWS management console, AWS SDKs, Query API or the AWS Command Line Interface (CLI). Every AWS account comes with a default VPC in AWS Region and is ready to launch and connect to your EC2 instances immediately. You also can create custom VPC with the features you desire. Amazon doesn’t charge for using a VPC but charges for certain components provisioned.
Let’s now dive a little deeper into the features that you can use in your VPC.
Subnets are a key component in your VPC. It provides a range of IP addresses for your VPC. When creating a subnet, you first define an IPv4 CIDR block (Classless Inter-Domain Routing block is used for grouping IP addresses). Subnets can’t span multiple Availability Zones and must live in only one. Subnets come in three types. Public, Private and VPN-only subnets. A public subnet is a subnet whose resources can access the internet through a direct route to an internet gateway. The private subnet is one whose resources can’t access the internet with a direct route to an internet gateway but, instead needs a NAT gateway for its resources to access the internet. The final type is a VPN-only subnet that uses a route to a Site-to-Site VPN connection through a virtual private gateway with no route to an internet gateway. Also, it’s important to note that no matter the type of subnet its internal IPv4 address range is always kept private. You can configure your VPC IP addresses in a few ways, IPv4 only, IPv6 only or Dual stack. You can also change the settings that control how a network interface is assigned a public IPv4 and/or an IPv6 address when it's created. The sizing of your subnet is controlled by you. Every subnet has to be associated with a route table. Each subnet you create is automatically associated with the main table of your VPC. Control of subnet association is with the user and can be changed. You can protect your VPC subnet resources with security groups and network ACLs. Security Groups are stateful and control inbound and outbound traffic for associated resources at the instance level. Network ACLs are an added layer of security, stateless and work at the subnet level. Every subnet must be associated with a network ACL and upon creation is automatically associated with the default network ACL.
Route Tables are used to determine where network traffic is directed from your subnet or gateway. Route Tables accomplish this with a set of rules called routes. All VPCs automatically come with a Main route table. But you can also create a custom table, subnet route table and a gateway route table. Two key components are the destination and target, Destination is the range of IP addresses where you need the traffic to flow. The target is the network interface, the gateway of connection through which to send the destination traffic. Another concept of the Route table service is "route table association" which as its name implies is the association between a virtual private gateway, gateway or subnet. Aside from that there is also Edge association. This is a route table that routes inbound VPC traffic to an appliance. There is also the local route, a default route for communication in the VPC. Route propagation is also a vital concept used to allow a virtual private gateway to automatically propagate routes to the route table. Last but not least, are the Transit gateway and Local gateway route tables. A transit gateway table is associated with a transit gateway while a local gateway table is associated with an Outposts local gateway.
This feature of AWS VPC allows you to copy network traffic from an elastic network interface of type interface. The traffic can then be sent to out-of-bound security and monitoring appliances for troubleshooting, content inspection and threat monitoring. Traffic Mirroring is built with source, target, filter and session. The source is the network interface to monitor. The target is the destination for mirrored traffic while the filter is a set of rules that defines the traffic copied in a TM session. The final piece is the session, an entity that describes the Traffic Mirroring from a source to a target using filters. Traffic Mirroring comes with benefits like enhanced security by capturing packets that can’t be disabled or tampered with at the elastic network interface. As well as Increased monitoring options and simplified operations.
VPN and Peering Connections
You can use Peering Connections to connect and route traffic between two VPCs. While VPN connections are used to connect a VPC to on-premises networks. A Peering connection is neither a gateway nor a VPN connection. There’s no single point of failure and doesn’t rely on a separate piece of hardware. It can help you to transfer data or allow other VPCs to access resources. There is no charge to create a VPC peering connection but there is for the data transferred across the Peering connection. VPN connections provide a few options for connectivity. Site-to-Site, Client VPN, VPN Cloud Hub, Third Party Software or AWS Direct connect. These options allow you to connect your VPC with remote networks and users.
Gateways and Endpoints
We mentioned the use of gateways throughout this article but what are they? Gateways are used to connect your VPC to other networks. There are different types of gateways for various connections. Internet Gateway to connect your subnet resources to the internet. NAT gateway for allowing resources in a private subnet to connect to the internet. Transit gateway for a VPN attachment to a data center. Now endpoints are used to allow resources access to an AWS service.
VPC Flow Log
Flow Logs are super important. They’re used to capture info about the IP traffic going through the network interfaces in your VPC. Flow Logs can be published to CloudWatch Logs or Amazon Kinesis Data Firehose. Flow Log records can be viewed or retrieved records in the log group, bucket or delivery stream your team configured. Data is collected outside of the path of your network traffic, so you don’t have to worry about it affecting your latency or network throughput. Flow Logs help with a few things like monitoring traffic to your instances, and diagnosing restrictive security groups. On top of helping to determine the direction of traffic both ways for the network interfaces. Also, the creation or deletion of flow logs can be done with no risk to network performance.
This concludes our brief look into AWS VPC. This is a key component of any cloud environment, and I would advise you to look further into the concepts and service by reading the AWS documentation and white papers. Also, be on the lookout for further articles by me diving deeper into the Cloud and its many services and providers.