Virtual Private Cloud (VPC)

Rocky Warren
Rocky Warren
May 25, 20202 min read
  • Logical datacenter within AWS
  • Consist of Subnets, Route Tables, Internet Gateway (IGW, limit one per VPC), NAT Gateway, VPC Endpoints, Network Access Control Lists (NACLs), and Security Groups (cannot span VPCs)
  • By default, creating VPCs in console creates Route Table, NACL, and Security Group
  • Cannot transitively peer VPCs
  • AZs are randomly assigned letters, us-west-2a in one account isn't necessarily the same as us-west-2a in another
  • Subnets
    • AWS reserves first four and last IP addresses in each subnet CIDR block
    • Each must be associated with only one NACL, defaults to default NACL
  • NACLs
    • Stateless, responses to allowed inbound traffic are subject to outbound rules and vice versa
    • List of inbound and outbound allow and deny rules evaluated in order starting with lowest number, put deny rules first
    • Default created with VPC allows all in and outbound traffic
    • Newly created disallow all in and outbound traffic
    • Can block specific IPs, unlike Security Groups
  • NATs
    • Provide internet traffic to instances in private subnets
    • Prefer Gateways to Instances for management and scaling benefits
    • Create in multiple AZs for high availability
    • Must be in public subnet with private subnet route to cooresponding NAT
    • Must disable source/destination checks on Instances and increase instance size for performance
  • Bastion Host/Jump Box
    • Provide SSH and RDP connections to instances in private subnet
    • Must be in public subnet
  • VPC Endpoints
    • Provide private subnet connections to AWS services and PrivateLink services without leaving AWS network
    • Horizontally scaled, highly-available virtual devices
    • Interface and Gateway Endpoints (S3 and DynamoDB)
  • Flow Logs
    • Cannot enable across accounts
    • Cannot change configuration after creation
    • Traffic to reserved IPs, 169.354.169.254, Amazon DNS, Amazon Windows license activation, and DHCP is not monitored
  • Direct Connect
    • Connects your datacenter to AWS for high-throughput and/or reliable connections