Virtual Private Cloud (VPC) : by Bhupinder Rajput
• A VPC is a virtual network that closely resembles a traditional network that we operate in our own Data Centre, with the benefits of using the scalable infrastructure of AWS.
• To say it simply, a VPC is a Virtual Network or Data Center inside AWS for one client.
• It is logically isolated from other virtual networks in the AWS Cloud.
• Max 5 VPCs can be created inside one region and 200 subnets in 1 VPC.
• We can allocate max 5 Elastic IPs.
• Once we create a VPC, a DHCP options set, NACL and Security Group are automatically created.
• A VPC is confined to an AWS region and does not extend between regions.
• Once the VPC is created, we cannot change its CIDR block range.
• If you need a different CIDR size, create a new VPC.
• The different subnets within a VPC can't overlap.
• We can however expand our VPC CIDR by adding new/extra IP address ranges (except AWS GovCloud (US) & AWS China).
Components of VPC
• CIDR & IP Address
• Subnets
• Implied router & routing table
• Internet gateway
• Security groups & Network ACL
• Virtual private gateway
• Peering connections
• Elastic IP
Types of VPC

Default VPC
• Created in each AWS Region when an AWS Account is created.
• Has default CIDR, Security Group, NACL and Route Table settings.

Custom VPC
• Is created by an AWS Account Admin.
• The AWS user creating the custom VPC can decide the CIDR.
• Has its own default Security Group, NACL and Route Table.
Steps to Create VPC
Create VPC ---> Subnet ---> Route Table ---> Internet Gateway
Components of VPC

Public Subnet
• If a subnet's traffic is routed to an Internet Gateway, the subnet is known as a Public Subnet.
• If we want our instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address or an Elastic IP address.

Private Subnet
• If a subnet does not have a route to the Internet Gateway, the subnet is known as a Private Subnet.
• Note: When we create a VPC, we must specify an IPv4 CIDR block for the VPC. The allowed block size is between /16 and /28, and the first four & last IP addresses of a subnet cannot be assigned.
• Eg: in 10.0.0.0/24 the following addresses are reserved:
• 10.0.0.0 ---> Network Address
• 10.0.0.1 ---> Reserved by AWS for the VPC Router.
• 10.0.0.2 ---> Reserved by AWS, the IP address of the DNS server.
• 10.0.0.3 ---> Reserved for future use.
• 10.0.0.255 ---> Broadcast Address. AWS does not support broadcast in a VPC, but reserves the address.
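The address rules above (five reserved addresses per subnet, /16 to /28 block sizes, no overlapping subnets) as an added example, not code from the slides; the function names and the sample CIDRs are my own:

```python
import ipaddress

def vpc_reserved_addresses(subnet_cidr):
    """Return the five addresses AWS reserves in every IPv4 subnet, keyed by their role."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.IPv4Address(base)),       # network address
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),  # VPC router
        "dns": str(ipaddress.IPv4Address(base + 2)),         # Amazon-provided DNS
        "future": str(ipaddress.IPv4Address(base + 3)),      # reserved for future use
        "broadcast": str(net.broadcast_address),             # reserved, broadcast unsupported
    }

def usable_hosts(subnet_cidr):
    """Addresses you can actually assign: block size minus the five reserved ones."""
    return ipaddress.IPv4Network(subnet_cidr, strict=True).num_addresses - 5

def validate_vpc_layout(vpc_cidr, subnet_cidrs):
    """Check block sizes (/16../28), that every subnet lies inside the VPC CIDR,
    and that no two subnets overlap. Returns a list of problems (empty = OK)."""
    problems = []
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} prefix must be between /16 and /28")
    seen = []
    for cidr in subnet_cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"subnet {net} prefix must be between /16 and /28")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is outside VPC {vpc}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"subnet {net} overlaps {other}")
        seen.append(net)
    return problems
```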
Components of VPC

Implied Router & Route Table
• It is the central routing function.
• It connects the different AZs together and connects the VPC to the internet gateway.
• We can have up to 200 route tables per VPC.
• We can have up to 50 route entries per route table.
• Each subnet must be associated with only one route table at any given time.
• If we do not specify a subnet-to-route-table association, the subnet will be associated with the default (main) VPC route table.
• We can also edit the main route table if we need to, but we cannot delete the main route table.
• However, we can make a custom route table manually, make it the main route table, and then delete the former main, as it is no longer the main route table.
• We can associate multiple subnets with the same route table.

Internet Gateway (IGW)
• An IGW is a virtual router that connects a VPC to the internet.
• The default VPC is already attached to an IGW.
• If we create a new VPC then we must attach an IGW in order to access the internet.
• Ensure that our subnet's route table points to the internet gateway.
• It performs NAT between our private and public IPv4 addresses.
• It supports both IPv4 and IPv6.
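The route-table rules above (main-table fallback for unassociated subnets, a route to an IGW making a subnet public, the main table being undeletable until another is promoted) as an added example that is not from the slides; the table and subnet IDs are constructed and the public/private labels are mine, not AWS API values:

```python
# Constructed sample VPC: three route tables (one flagged main) and the explicit subnet associations.
ROUTE_TABLES = {
    "rtb-main":    {"main": True,  "routes": [("10.0.0.0/16", "local")]},
    "rtb-public":  {"main": False, "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa")]},
    "rtb-private": {"main": False, "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb")]},
}
ASSOCIATIONS = {"subnet-web": "rtb-public", "subnet-app": "rtb-private"}  # subnet-db has none
SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]

def main_route_table(tables):
    mains = [name for name, t in tables.items() if t["main"]]
    if len(mains) != 1:
        raise ValueError("a VPC has exactly one main route table")
    return mains[0]

def route_table_for(subnet, tables, associations):
    """A subnet with no explicit association falls back to the main route table."""
    return associations.get(subnet, main_route_table(tables))

def classify_subnet(subnet, tables, associations):
    """'public' if any route targets an IGW; 'private-nat' if the default route
    targets a NAT gateway; otherwise plain 'private'."""
    routes = tables[route_table_for(subnet, tables, associations)]["routes"]
    if any(target.startswith("igw-") for _, target in routes):
        return "public"
    if any(dest == "0.0.0.0/0" and target.startswith("nat-") for dest, target in routes):
        return "private-nat"
    return "private"

def audit(tables, associations, subnets):
    """Map every subnet to its classification; shows which subnets inherit the main table."""
    return {s: classify_subnet(s, tables, associations) for s in subnets}

def delete_route_table(name, tables, associations):
    """The main table cannot be deleted; a custom one can once no subnet is associated with it."""
    if tables[name]["main"]:
        raise ValueError(f"{name} is the main route table and cannot be deleted")
    if name in associations.values():
        raise ValueError(f"{name} still has subnet associations")
    del tables[name]

def set_main(name, tables):
    """Promote a custom table to main; the former main then becomes deletable."""
    for t in tables.values():
        t["main"] = False
    tables[name]["main"] = True
```

Note that promoting a table with an IGW route to main silently makes every unassociated subnet public, which is the kind of change an audit like this should flag.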
Components of VPC

NAT Gateway : Also does PAT (Port Address Translation)
• We can use a network address translation gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
• We are charged for creating and using a NAT gateway in our account. NAT gateway hourly usage and data processing rates apply. Amazon EC2 charges for data transfer also apply.
• To create a NAT Gateway, we must specify the public subnet in which the NAT gateway resides.
• We must also specify an Elastic IP address to associate with the NAT Gateway when we create it.
• No need to assign public IPs to our private instances.
• After we have created a NAT gateway we must update the route table associated with one or more of our private subnets to point internet-bound traffic to the NAT Gateway.
• This enables instances in your private subnets to communicate with the internet.
• Deleting a NAT Gateway disassociates its Elastic IP address, but does not release the address from your account.

Security Groups
• It is a virtual firewall that works at the ENI (Elastic Network Interface) level.
• Up to 5 security groups per EC2 instance interface can be applied.
• Can only have permit rules, cannot have deny rules.
• Stateful (if inbound is allowed then outbound is automatically allowed and vice versa): return traffic is allowed; if a request is allowed out, the returning inbound traffic is also allowed, even if there are no rules to allow it.
Components of VPC

Network ACL
• It is a function performed on the implied router.
• NACL is an optional layer of security for our VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
• Our VPC automatically comes with a modifiable default NACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
• We can create a custom NACL and associate it with a subnet.
• By default each custom NACL denies all inbound and outbound traffic until we add rules.
• Each subnet in your VPC must be associated with a NACL. If we don't explicitly associate a subnet with a NACL, the subnet is automatically associated with the default NACL.
• We can associate a NACL with multiple subnets, however a subnet can be associated with only one NACL at a time. When we associate a NACL with a subnet, the previous association is removed.
• A NACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.
• The highest number that we can use for a rule is 32766. It is recommended that we start by creating rules with rule numbers that are multiples of 100, so that we can insert new rules where we need them later.
• It functions at the subnet level.
• NACLs are stateless: outbound traffic for an allowed inbound traffic must be explicitly allowed too.
• We can have permit and deny rules in a NACL.
Components of VPC

Diff between Security Groups & NACL
• Security Groups operate at the instance level and NACL operates at the subnet level.
• SG supports allow rules only and NACL permits allow as well as deny rules.
• SG is stateful, return traffic is automatically allowed; NACL is stateless, return traffic must be explicitly allowed by rules.
• SG applies to an instance only and NACL applies to all instances in the subnet.
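The NACL and Security Group behaviour described in the last two sections (ordered NACL rules with first match winning and an implicit final deny; allow-only, stateful SG rules) as an added example that is not from the slides. The rule sets, the client address and the ephemeral port are constructed; it walks one SSH session through both filters to show why a stateless NACL needs an explicit outbound rule for the return traffic:

```python
import ipaddress

def _match(rule, proto, port, ip):
    lo, hi = rule["ports"]
    return (rule["proto"] in (proto, "all") and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]))

def nacl_decision(rules, proto, port, ip):
    """Stateless: walk rules by ascending number, first match wins, no match means deny (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _match(rule, proto, port, ip):
            return rule["action"]
    return "deny"

class SecurityGroup:
    """Allow rules only; stateful, so a flow allowed in one direction lets its return traffic through."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # (remote_ip, remote_port, local_port) of flows already allowed

    def decision(self, direction, proto, local_port, remote_ip, remote_port):
        key = (remote_ip, remote_port, local_port)
        if key in self.tracked:
            return "allow"  # return traffic of a tracked flow needs no rule
        rules, port = (self.inbound, local_port) if direction == "in" else (self.outbound, remote_port)
        if any(_match(r, proto, port, remote_ip) for r in rules):
            self.tracked.add(key)
            return "allow"
        return "deny"

# Constructed sample rules: NACL inbound allows SSH, SG inbound allows SSH, SG outbound left empty.
NACL_IN = [{"num": 100, "proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0", "action": "allow"}]
NACL_OUT_MISSING_EPHEMERAL = []
NACL_OUT = [{"num": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"}]
SG_IN = [{"proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0"}]

def ssh_session(nacl_in, nacl_out, sg, client="203.0.113.5", eph=50000):
    """Client -> instance TCP/22, then the instance's reply to the client's ephemeral port."""
    return {
        "request_nacl": nacl_decision(nacl_in, "tcp", 22, client),
        "request_sg": sg.decision("in", "tcp", 22, client, eph),
        "reply_sg": sg.decision("out", "tcp", 22, client, eph),     # tracked flow -> allow
        "reply_nacl": nacl_decision(nacl_out, "tcp", eph, client),  # stateless -> needs its own rule
    }
```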
Components of VPC

VPC Peering
• A VPC Peering connection is a networking connection between two VPCs that enables us to route traffic between them using private IPv4 addresses or IPv6 addresses.
• Instances in either VPC can communicate with each other as if they are within the same network.
• We can create a VPC peering connection between our own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions.
• Transitive peering is not possible, i.e. if VPC-A peers with VPC-B and VPC-B peers with VPC-C, by default VPC-A is not peered with VPC-C.

VPC Endpoint
• A VPC Endpoint enables us to privately connect our VPC to supported AWS services. Instances in our VPC do not require public IP addresses to communicate with resources in the services.
• An Endpoint is a virtual device.
Components of VPC

Virtual Private Gateway, Customer Gateway & Site-to-Site VPN connection
• By default, instances that we launch into an Amazon VPC can't communicate with our own network (our corporate or home network). To enable the communication we have to establish a Site-to-Site VPN connection.
• VPN Connection : A secure connection between our on-premises equipment and our VPCs.
• VPN Tunnel : An encrypted link where data can pass from the customer network to or from AWS. Each VPN connection includes two VPN tunnels which we can use simultaneously for high availability.
• Customer Gateway : An AWS resource which provides information to AWS about our customer gateway device.
• Customer Gateway Device : A physical or software application on the customer side.
Configuring NAT instance

✓ Configuring NAT instance for Private Subnets & Internet Access:-
▪ We can use a NAT instance in a public subnet in our VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
▪ Note : NAT is not supported for IPv6 traffic - use an egress-only internet gateway.
Steps to Make Connection
Create two VPCs - one in Mumbai and another in Singapore (customer end).
Create one Linux machine in each VPC and take RDP of it (Security Group - SSH, TCP, ICMP).
Now go to the Mumbai region ---> Create Virtual Private Gateway.
Now create the Customer Gateway ---> enter the public IP of the Singapore EC2 instance.
Create the Site-to-Site VPN Connection, add the subnet of the customer end.
Now go to Route Tables ---> Route Propagation.

Thanks!
Technical Guftgu
Any questions?