AWS CSA
  • Introduction
  • 1. AWS Overview
    • 1.1 AWS global Infrastructure
    • 1.2 Networking and Content Delivery
    • 1.3 Computing
    • 1.4 Storage
    • 1.5 Databases
    • 1.6 Migration Services
    • 1.7 Analytics
    • 1.8 Security and Identity
    • 1.9 Management Tools
    • 1.10 Application Services
    • 1.11 Developer Tools
    • 1.12 Mobile Services
    • 1.13 Desktop and App Streaming
    • 1.14 Artificial Intelligence
    • 1.15 Messaging
  • 2. IAM - Identity Access Management
    • 2.1 IAM Introduction
    • 2.2 IAM Labs
    • 2.3 Create a billing alart
    • 2.4 IAM Conclusion
  • 3. S3 - Simple Storage Service
    • 3.1 S3 Introduction
    • 3.2 S3 Labs
    • 3.3 Version Control Labs
    • 3.4 Cross Region Replication
    • 3.5 Life Cycle Management
    • 3.6 CloudFront
    • 3.7 CloudFront Labs
    • 3.8 S3 Security and Encryption
    • 3.9 Storage Gateway
    • 3.10 Snowball
    • 3.11 Snowball Labs
    • 3.12 S3 Transfer Acceleration
    • 3.13 Create a static web page using S3
    • 3.14 Storage Summary
  • 4. EC2 - Elastic Compute Cloud
    • 4.1 EC2 Introduction I
    • 4.2 EC2 Introduction II
    • 4.3 EC2 Lab 1
    • 4.4 EC2 Lab 2
    • 4.5 Security Groups Lab
    • 4.6 Upgrade EBS Volume Types - Lab1
    • 4.7 Upgrade EBS Volume Types - Lab2
    • 4.8 RAID, Volumes & Snapshots
    • 4.9 Create An AMI - Lab
    • 4.10 AMI's EBS Root Volumes vs. Instance Store
    • 4.11 Elastic Load Balancer & Health Check - Lab
    • 4.12 CloudWatch EC2 - Lab
    • 4.13 The AWS Command Line & EC2
    • 4.14 Using IAM Roles with EC2
    • 4.15 S3 CLI & Regions
    • 4.16 Using Bootstrap Scripts
    • 4.17 EC2 Instance Metadata
    • 4.18 Launch Configurations & Auto Scaling Groups
    • 4.19 EC2 Placement Groups - Exam Must Know
    • 4.20 Elastic File System (EFS) Lab
    • 4.21 Lambda Concepts
    • 4.22 Build A Serverless Webpage Using API Gateway & Lambda
    • 4.23 Use Polly to Pass Your Exam - Lab of a Serverless Application
    • 4.24 Use Polly to Pass Your Exam - Lab of a Serverless Application
    • 4.25 EC2 - Summary & Exam Tips
  • 5. Route53
    • 5.1 DNS 101
    • 5.2 Route53 - Register A Domain Name - Lab
    • 5.3 Setup Our EC2 Instances - Lab
    • 5.4 Routing Policies - Lab
  • 6. Databases on AWS
    • 6.1 Databases 101
    • 6.2 Launching an RDS Instance - Lab
    • 6.3 RDS - Backups, Multi-AZ & Read Replicas
    • 6.4 DynamoDB
    • 6.5 Redshift
    • 6.6 ElastiCache
    • 6.7 Aurora
    • 6.8 Database Summary
  • 7. VPC
    • 7.1 VPC Overview
    • 7.2 VPC Lab - Part 1
    • 7.3 VPC Lab - Part 2
    • 7.4 NAT Instances & NAT Gateways
    • 7.5 Network Access Control Lists vs. Security Groups
    • 7.6 Load Balancers & Custom VPCs
    • 7.7 VPC Flow Logs
    • 7.8 NATs vs. Bastions
    • 7.9 VPC End Points
    • 7.10 VPC Clean Up
    • 7.11 VPC Summary
  • 8. Application Services
    • 8.1 SQS - Simple Queue Service
    • 8.2 SWF - Simple Workflow Service
    • 8.3 SNS - Simple Notification Service
    • 8.4 Elastic Transcoder
    • 8.5 API Gateway
    • 8.6 Kinesis 101
    • 8.7 Kinesis Streams Lab
    • 8.8 Application Services Summary
  • 9. White Paper Reviews
    • 9.1 Overview of AWS
    • 9.2 Overview of Security Processes - Part 1
    • 9.3 Overview of Security Processes - Part 2
    • 9.4 Risk & Compliance Whitepaper
    • 9.5 Storage Options in the Cloud Whitepaper
    • 9.6 Architecting For The Cloud Best Practices Whitepaper
  • 10. Well Architected Framework
    • 10.1 Introduction of Well Architected Framework
    • 10.2 Pillar One - Security
    • 10.3 Pillar Two - Reliability
    • 10.4 Pillar Three - Performance
    • 10.5 Pillar Four - Cost Optimization
    • 10.6 Pillar Five - Operational Excellence
    • 10.7 Well Architected Framework - Summary
  • 11. Additional Exam Tips
    • 11.1 Exam Tips Based On Student Feedback
    • 11.2 Consolidated Billing
    • 11.3 AWS Organizations - Lab
    • 11.4 Cross Accounts Access
    • 11.5 Resource Groups & Tagging
    • 11.6 VPC Peering & ClassicLink
    • 11.7 Direct Connect
    • 11.8 Security Token Service
    • 11.9 Active Directory Integration
    • 11.10 Workspaces
    • 11.11 ECS - Part 1 - What is Docker
    • 11.12 ECS - Part 2 - What is ECS
    • 11.13 CloudFormation - A Brief Introduction
    • 11.14 Step Functions - A Brief Introduction
  • 12. Practice Tests Questions Summary
    • 12.1 Whizlabs - Free Test
    • 12.2 Whizlabs - Diagnosis Test
    • 12.3 Whizlabs - Practice Test I
    • 12.4 Whizlabs - Practice Test II
    • 12.5 Whizlabs - Practice Test III
    • 12.6 Whizlabs - Practice Test IV
    • 12.7 Whizlabs - Practice Test V
    • 12.8 Whizlabs - Practice Test VI
    • 12.9 Whizlabs - Practice Test VII
    • 12.10 Whizlabs - Section Tests - Part 1
    • 12.11 Whizlabs - Section Tests - Part 2
    • 12.12 Udemy - Final Quiz
  • 13. The Real World - Creating a fault tolerant Word Press Site
    • 13.1 Getting Setup
Powered by GitBook
On this page
  • What is VPC?
  • VPC Diagram
  • What can you do with a VPC?
  • Default VPC vs. Custom VPC
  • VPC Peering
  • Exam Tips - VPC:

Was this helpful?

  1. 7. VPC

7.1 VPC Overview

Previous7. VPCNext7.2 VPC Lab - Part 1

Last updated 5 years ago

Was this helpful?

What is VPC?

Think of a VPC as a virtual data center in the cloud. Whenever we have been deploying the EC2 instances, we have been doing that into our default VPCs, so every Region in the world has a default VPC, and you get that set up when you first set up your AWS account, Amazon provide it for you automatically.

Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Additionally, you can create a hardware virtual private network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

VPC Diagram

Here is a diagram of VPC to show its structure:

Internet Gateway is for the connection from the whole Internet. The virtual private gateway is for the connection from a VPN.

Network ACL stands for network access control list.

SN stands for subnet. Public SN means it has Internet access. Private SN means it is only accessible via VPN or some other mechanism. You could go in through the Internet and then SSH from your public into your private.

Obviously, one Subnet always equals one Availability Zone.

Amazon basically allow you to use a bunch of different internal IP address ranges. There is a website called "CIDR.xyz", which can help you to visualize the IP address and CIDR range. You can use:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)

  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

At most you can go up to with Amazon is /28. That is the smallest IP address range that you can have with Amazon, and that will give you a count of 16 IP addresses.

You can have multiple VPCs inside a Region. The soft limit is 5 VPCs in one Region, but you can email AWS to increase it.

What can you do with a VPC?

We learnt that VPC is basically a virtual data center in the cloud, and we can create subnets and each subnet can go into different AZs and then our subnets can have different network address (for example, 10.0.1.0/24 and 10.0.2.0/24, etc).

What we can do with VPC:

  • Launch instances into a subnet of your choosing

  • Assign custom IP address ranges in each subnet

  • Configure route tables between subnets

  • Create Internet Gateway and attach it to our VPC. Be aware that you can only have one Internet Gateway per VPC. Internet Gateways by default is highly available, so they are spread across all availability zones.

  • Much better security control over your AWS resources. This is because you can use things like (private) subnets to block traffics, or you can use things like network ACL to block specific IP addresses.

  • Instance security groups. We can deploy inside our VPC. Remember a security group can span availability zones. You can have a security group across multiple availability zones and therefore by the definition you can have security groups spanning multiple subnets as well.

  • Subnet network access control lists (ACLS). Using these ways that you can go in and block IP addresses.

Default VPC vs. Custom VPC

  • Default VPC is user friendly, allowing you to immediately deploy instances. Amazon provision that for us in every single Region when we first set up our account. At the beginning, a default VPC components including:

    • VPC with a size /16 IPv4 CIDR block (172.31.0.0/16), this provides up to 65536 private IPv4 addresses.

    • Default subnet in each AZ with size /20. This provides 4096 addresses per subnet (but 5 reserved for each subnet).

    • Internet Gateway.

    • Main Route Table with a rule dest: 0.0.0.0/0, target: IGW-ID.

    • Security Group associated with default VPC.

    • NACL associated with default VPC.

    • Associate the default DHCP options set for your AWS account with your default VPC.

  • At the beginning, a custom VPC components including:

    • VPC with a size you defined.

    • Main Route Table has a rule dest: 10.0.0.0/16, target: local which allows the traffic within the VPC only.

    • NACL. This is a private NACL which deny all inbound and outbound traffic.

    • Security Group. It allows all outbound traffic but deny all inbound traffic.

  • All subnets in default VPC have a route out to the Internet (Internet accessible by default).

  • Each EC2 instance has both a public and private IP address when we deploy them into our default VPC. But if we have a custom VPC and if we have a private subnet, we will not get a public IP address. We will only get a private IP address. You need to go to the subnet (usually a public subnet), click Actions -> Modify Auto-assign IP settings. If you didn't set it, you still can assign Elastic IP to the instances in the subnet.

VPC Peering

  • Allows you to connect one VPC with another via a direct network route using private IP addresses. So I can have an instance on one subnet inside a different VPC that could communicate to another instance inside another subnet inside another VPC and that will do that over a private IP address.

  • Instances behave as if they were on the same private network when you peer VPCs.

  • You can peer VPC's with other AWS accounts as well as with other VPCs in the same account. So you can have a completely separate AWS account with a completely separate VPC and you are able to peer directly to that VPC in that other AWS account as well.

  • VPC peering connection allows you to route traffic between two VPCs using private IPv4 addresses or IPv6 addresses.

  • The VPCs can be in different Regions (a.k.a. inter-region VPC peering connection).

  • Peering is in a star configuration: i.e. 1 central VPC peers with 4 others. NO TRANSITIVE PEERING! It means if we have the structure as below:

  • Invalid VPC Peering connection configurations:

    • Overlapping CIDR blocks

    • Transitive Peering

    • Edge to edge routing through a gateway or private connection

Exam Tips - VPC:

  • You must be able to deploy a VPC on your own before you go to the exam.

  • Think of a VPC as a logical datacenter in AWS.

  • Consists of IGWs (Or virtual private gateways), route tables, network access control lists, subnets, and security groups.

  • 1 Subnet = 1 Availability Zone (usually).

  • Few important points about VPC:

    • When you create a VPC, it spans all the AZs in the Region.

    • After creating a VPC, you can add one or more subnets in each AZ.

  • Security groups are stateful; Network access control lists are stateless. So if I was to open port 80 of my security group, automatically I can both send and receive port 80. I don't have to open up port 80 on my inbound rule list as well as my outbound rule list. With network access control lists, I have to open both inbound and outbound ports.

  • NO transitive peering.

The instance in VPC B can communicate with the instance in VPC C only if we directly peer VPC B with VPC C, otherwise they cannot communicate with each other.