Amazon Virtual Private Cloud (VPC) allows users to create a logically isolated network in the cloud, mimicking a local data center while benefiting from cloud scalability. Key components include subnets, route tables, security groups, and NAT devices, which manage traffic and access between public and private resources. VPCs can be shared across accounts and integrated with IAM for access control, while features like VPC peering enable routing between different VPCs.


AMAZON VPC & NETWORKING

YOUR LOGICALLY ISOLATED NETWORK IN THE CLOUD

INTRODUCTION
Amazon Virtual Private Cloud (VPC) enables you to define and launch AWS resources in a logically isolated virtual network. It can imitate your local data center, but with all the benefits of the cloud's scalable infrastructure.

VIRTUAL PRIVATE CLOUDS
Each VPC is created for a region and always spans across all availability zones. Each of the availability zones can contain subnets, which are a further breakdown of your VPC.
(Diagram in the original: an AWS Region with three Availability Zones, each holding a Public Subnet and a Private Subnet.)
There are a lot of services that can only be launched into a VPC, like EC2 instances. Some even require a private subnet, like an ElastiCache cluster.

CIDR
Your VPC needs a range of IPv4 addresses that can be used by attached network interfaces. They are defined as Classless Inter-Domain Routing (CIDR) blocks, e.g. 10.0.0.0/16. They are made up of two number sets:
prefix: the binary representation of the address, e.g. 172.16.0.0 = 10101100.00010000.00000000.00000000
suffix: the number of bits of the address that make up the prefix, e.g. /16
Smaller blocks nest inside larger ones: 172.0.0.0/8 contains 172.16.0.0/12, which contains 172.16.0.0/16, 172.16.0.0/20 and 172.16.0.0/24.
The allowed block size for a VPC is between 65,536 addresses (netmask /16) and 16 addresses (netmask /24).

SUBNETS
We distinguish between public and private subnets:
public: for publicly available resources
private: for resources that only need to be accessed internally and therefore do not need a public IP address
Resources in each subnet can be protected with multiple layers of security, e.g. with Security Groups (SGs) or Network Access Control Lists (ACLs).

ROUTE TABLES
Traffic inside your VPC needs directions. That's why you can create route tables, which are sets of rules that you can associate with a subnet (custom route tables). Each route table entry needs a destination and a target, which define how traffic is routed:
destination: a range of IP addresses where traffic should go to, defined as a CIDR block, e.g. an external corporate network defined as 172.16.0.0/12
target: the gateway, network interface, or connection through which to send the destination traffic, e.g. an internet gateway
Each of your VPCs comes with a default route table (= main route table) that controls traffic for subnets which do not have a custom route table attached.

INTERNET GATEWAYS
An Internet Gateway (IGW) is an AWS-managed, highly available VPC component that allows resources that reside in public subnets to communicate with the internet. Private subnets do not have a routing connection to the IGW.

NAT DEVICES
If you need resources in your private subnets to access the internet, you need a Network Address Translation (NAT) device that maps multiple of your private IPv4 addresses to a single public IPv4 address. There are two different types of NAT devices at AWS:
NAT Gateway: an AWS-managed gateway
NAT Instance: your own NAT device, running on EC2
The AWS-managed version can result in huge costs, as you're billed for each running hour and each GB of traffic that is processed.

DEFAULT VPC
Each AWS account created after the end of 2013 comes with a default VPC per region. Each of those default VPCs also has a public subnet in each availability zone, an internet gateway and settings to enable DNS resolution.

SECURITY GROUPS
Security Groups (SGs) define allow rules for your traffic, inbound or outbound. They enable traffic filtering based on protocols and port numbers.

Inbound Rules (e.g. HTTP on port 80, SSH on port 22)
Source      Protocol  Port Range
0.0.0.0/0   TCP       80
::/0        TCP       80
0.0.0.0/0   TCP       22

Outbound Rules
Destination  Protocol  Port Range
0.0.0.0/0    TCP       1433
::/0         TCP       1433
0.0.0.0/0    TCP       3306

SGs operate on instance level and are stateful.

NETWORK ACLS
Network Access Control Lists (NACLs) act as a firewall on network level. They can hold one or multiple allow and/or deny rules which are ordered via rule numbers. Evaluation starts with the lowest rule number and the first match will be executed.

Inbound Rules
Rule  Type         Protocol  Port Range  Source        Allow/Deny
100   HTTPS        TCP       443         0.0.0.0/0     ALLOW
110   SSH          TCP       22          192.0.2.0/24  ALLOW
*     All traffic  All       All         192.0.2.0/24  DENY

Outbound Rules
Rule  Type         Protocol  Port Range  Destination   Allow/Deny
100   HTTPS        TCP       443         0.0.0.0/0     ALLOW
110   SSH          TCP       1024-65535  192.0.2.0/24  ALLOW
*     All traffic  All       All         192.0.2.0/24  DENY

Each subnet must be assigned to a network ACL, and return traffic must be explicitly allowed (NACLs are stateless).

VPC FLOW LOGS
Some requests are not reaching your instance? Do you want to get insights into how traffic is flowing within your VPC? You can monitor your VPC via Flow Logs. Those logs capture details about how IP traffic is going to and from network interfaces in your VPC. The logs can be shipped to either CloudWatch, S3, or Kinesis Data Firehose.

[...] eni-5123b7ac012345678 219.42.22.48 172.16.0.101 [...] ACCEPT OK
[...] eni-5123b7ac012345678 172.31.16.139 219.42.22.48 [...] REJECT OK

Looking at the example flow logs above, an incoming request was accepted, but the response was rejected. This could happen even if you've defined allow rules for inbound traffic in your security group and network ACLs. As security groups are stateful, responses are allowed. ACLs are not stateful, so a missing outbound allow rule does result in a rejection.

VPC SHARING
Share a VPC with other accounts that are part of the same AWS Organization, so that multiple accounts can launch resources into the centrally managed subnets but still be in full control of their resources. Participating accounts can't modify resources in shared subnets that they do not own.
(Diagram in the original: an Organization Root with Account A and Account B launching into shared subnets.)
This allows for a fine-grained separation of accounts for billing and access control, while still having components with high interconnectivity.

VPC PEERING
Peering connections allow you to route traffic between two VPCs as if they were in the same VPC. They also allow you to connect not only to VPCs in other regions but also to VPCs in other AWS accounts. CIDR blocks for your VPCs can't overlap.

IAM INTEGRATION
Amazon VPC is fully integrated with IAM and there are no additional costs. Create roles and policies to define which principal can perform actions on what resources, and under what conditions. VPC shares its API namespace with Amazon EC2.

PREFIX LISTS
You're able to bind one or several CIDR blocks into a prefix list that can later be used within your security groups or route tables. This reduces the effort of referencing each of the CIDR blocks individually.

DHCP OPTION SETS
Each device in a VPC requires an IP address to communicate over the network. You don't need to manually assign them but can rely on DHCP servers that use the Dynamic Host Configuration Protocol. Amazon VPC allows you to further control information returned by the AWS-managed DHCP servers via DHCP option sets. This for example allows you to use your own domain name server for name resolution in your network.
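Added example (not part of the original cheat sheet) for the ROUTE TABLES, INTERNET GATEWAYS and NAT DEVICES sections: a small route lookup that resolves a destination the way a route table does, with the most specific matching destination winning, and shows how the same internet address is handled by a public, a private and an isolated subnet. The VPC block 10.0.0.0/16 and the target ids are assumed placeholders.

```python
import ipaddress

# Constructed route tables in the style of the ROUTE TABLES section. Target ids
# are placeholders, not real AWS resource ids; the VPC block is assumed to be 10.0.0.0/16.
PUBLIC_ROUTE_TABLE = {
    "10.0.0.0/16": "local",              # traffic inside the VPC never leaves it
    "172.16.0.0/12": "vgw-PLACEHOLDER",  # external corporate network via a gateway
    "0.0.0.0/0": "igw-PLACEHOLDER",      # everything else: the internet gateway
}
PRIVATE_ROUTE_TABLE = {
    "10.0.0.0/16": "local",
    "172.16.0.0/12": "vgw-PLACEHOLDER",
    "0.0.0.0/0": "nat-PLACEHOLDER",      # private subnets reach the internet via a NAT device
}
ISOLATED_ROUTE_TABLE = {
    "10.0.0.0/16": "local",              # no default route: no path to the internet at all
}

def lookup_target(route_table, dst_ip):
    """Pick the target for dst_ip like a route table does: among all destinations
    that contain the address, the most specific one (longest prefix) wins."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target  # None means there is no route and the packet is dropped

def trace(dst_ip):
    """Where the same destination ends up from each subnet type."""
    return {name: lookup_target(tbl, dst_ip) for name, tbl in
            [("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE),
             ("isolated", ISOLATED_ROUTE_TABLE)]}

if __name__ == "__main__":
    for ip in ("10.0.5.4", "172.20.1.1", "93.184.216.34"):
        print(ip, trace(ip))
```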
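Added example (not the cheat sheet's own code) for the NETWORK ACLS section: a simulator of NACL evaluation using the page's inbound and outbound tables. It shows first-match-by-lowest-rule-number ordering and why, because NACLs are stateless, dropping the outbound 1024-65535 rule turns an accepted SSH request into a rejected reply. The client address 192.0.2.10 and ephemeral port 50321 are constructed; the catch-all '*' rule is modelled as an implicit DENY.

```python
import ipaddress

# NACL rules in the shape of the NETWORK ACLS table on this page:
# (rule number, protocol, first port, last port, CIDR, action). Lower numbers are
# evaluated first; anything no rule matches hits the catch-all '*' DENY.
INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    (110, "tcp", 22, 22, "192.0.2.0/24", "ALLOW"),
]
# A lower-numbered DENY in front of rule 110 wins, because the first match decides.
INBOUND_BLOCKLIST = [(90, "tcp", 22, 22, "192.0.2.0/24", "DENY")] + INBOUND
OUTBOUND_OK = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    (110, "tcp", 1024, 65535, "192.0.2.0/24", "ALLOW"),  # ephemeral ports for replies
]
OUTBOUND_BROKEN = OUTBOUND_OK[:1]  # same table without the ephemeral-port rule

def evaluate(rules, proto, port, peer_ip):
    """First matching rule in ascending rule-number order decides; otherwise '*' denies."""
    addr = ipaddress.ip_address(peer_ip)
    for _num, rproto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", proto) and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action
    return "DENY"

def ssh_session(outbound_rules, client_ip="192.0.2.10", client_port=50321):
    """Verdicts for one SSH request and its reply. NACLs are stateless, so the reply
    is judged on its own: its destination is the client's ephemeral port, not port 22."""
    request = evaluate(INBOUND, "tcp", 22, client_ip)
    reply = evaluate(outbound_rules, "tcp", client_port, client_ip)
    return request, reply

if __name__ == "__main__":
    print("with ephemeral rule:   ", ssh_session(OUTBOUND_OK))
    print("without ephemeral rule:", ssh_session(OUTBOUND_BROKEN))
```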
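Added example (not part of the original page) for the VPC FLOW LOGS section: a parser for records in the default flow log field order that flags flows whose request was ACCEPTed while the reply on the reversed 5-tuple was REJECTed, the symptom the page attributes to a missing outbound NACL rule. The sample records are constructed; the interface id and the addresses 219.42.22.48 and 172.16.0.101 are taken from the page's example, the account id, ports and counters are made up.

```python
# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Ports, counters and account id are made up.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-5123b7ac012345678 219.42.22.48 172.16.0.101 50321 22 6 6 420 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-5123b7ac012345678 172.16.0.101 219.42.22.48 22 50321 6 4 300 1700000000 1700000059 REJECT OK
2 123456789012 eni-5123b7ac012345678 198.51.100.7 172.16.0.101 44010 443 6 10 2100 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-5123b7ac012345678 172.16.0.101 198.51.100.7 443 44010 6 8 5200 1700000000 1700000059 ACCEPT OK
"""

FIELDS = ["version", "account", "eni", "src", "dst", "srcport", "dstport", "proto",
          "packets", "bytes", "start", "end", "action", "status"]

def parse(text):
    """Split default-format records into dicts; skips blank lines and a header line."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("version"):
            continue
        records.append(dict(zip(FIELDS, line.split())))
    return records

def find_rejected_replies(records):
    """Flows whose request was ACCEPTed but whose reverse 5-tuple was REJECTed.
    Security groups are stateful and would pass the reply, so this pattern points
    at a stateless NACL lacking an outbound rule for the client's ephemeral port."""
    accepted = {(r["eni"], r["src"], r["dst"], r["srcport"], r["dstport"], r["proto"])
                for r in records if r["action"] == "ACCEPT"}
    findings = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["eni"], r["dst"], r["src"], r["dstport"], r["srcport"], r["proto"])
        if reverse in accepted:
            findings.append((r["eni"], r["src"], r["srcport"], r["dst"], r["dstport"]))
    return findings

if __name__ == "__main__":
    for eni, src, sport, dst, dport in find_rejected_replies(parse(SAMPLE_LOG)):
        print(f"{eni}: reply {src}:{sport} -> {dst}:{dport} rejected although request was accepted")
```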