
BERNARDGOLDEN

VIRTUAL PRIVATE CLOUD (VPC)


VPC Overview

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
 
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You configure your VPC by choosing its IP address range, creating subnets, and configuring route tables, network gateways, and security settings (security groups and network ACLs).

VPC Overview

You can optionally connect your VPC to your own corporate data
center using an IPsec AWS managed VPN connection, making
the AWS Cloud an extension of your data center.

A VPN connection consists of a virtual private gateway attached to your VPC and a customer gateway located in your data center. A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. A customer gateway is a physical device or software appliance on your side of the VPN connection.

VPC Elements

Required:
•  Subnets
•  Route Table
•  DHCP Option Sets
•  Security Group (stateful, instance level)
•  Network Access Control List (stateless, subnet level)

Optional:
•  Internet Gateway (IGW)
•  Elastic IP (EIP) addresses
•  Elastic Network Interfaces (ENI)
•  Endpoints for AWS services
•  PrivateLink for non-AWS services (account and commercial, within AWS or off-site)
•  Peering
•  Network Address Translation (NAT) instance or gateway
•  Virtual Private Gateway (VPG), Customer Gateway (CGW), and Virtual Private Network (VPN)

VIRTUAL PRIVATE CLOUD (VPC)


Default VPC
Non-Default VPC
VPC Internet Access
VPC Endpoints
VPC VPN

VPC AND CIDR RANGES


VPC IP Addresses and CIDR Ranges

•  CIDR: Classless Inter-Domain Routing
•  A CIDR block is a base IP address plus a prefix length (mask) that defines the range of addresses from that base
•  VPC lets you assign an IP address range to your VPC, and ranges to subnets within the VPC address range
•  Subnet ranges must fall within the VPC range and must not overlap each other
•  Address ranges are normally private, non-Internet-routable (RFC 1918) CIDR ranges
•  The number of available VPC IP addresses depends on the mask
•  The mask is how many bits from the left of the IP address are fixed as the network part
•  Private addresses:
–  10.0.0.0 – 10.255.255.255: 10.0.0.0/8
–  172.16.0.0 – 172.31.255.255: 172.16.0.0/12
–  192.168.0.0 – 192.168.255.255: 192.168.0.0/16
VPC IP Addresses and CIDR Ranges

•  Allowable masks: between /16 (65,536 addresses) and /28 (16 addresses), for the VPC block and for each subnet
•  The first four IP addresses and the last IP address in each subnet CIDR block are
not available for you to use, and cannot be assigned to an instance. For example,
in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are
reserved:
•  10.0.0.0: Network address.
•  10.0.0.1: Reserved by AWS for the VPC router.
•  10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base
of the VPC network range plus two; however, we also reserve the base of each
subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the
DNS server is located in the primary CIDR. For more information, see 
Amazon DNS Server.
•  10.0.0.3: Reserved by AWS for future use.
•  10.0.0.255: Network broadcast address. We do not support broadcast in a VPC,
therefore we reserve this address.
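The CIDR rules on the two slides above (block size /16 to /28, RFC 1918 ranges, subnets inside the VPC block and not overlapping, five reserved addresses per subnet, DNS at VPC base + 2) are easy to get subtly wrong when planning by hand. The following is an added example, not code from the original slides, using only Python's standard `ipaddress` module; the function names are my own and the sample CIDR blocks are constructed.

```python
import ipaddress

# RFC 1918 private ranges. Note the middle block spans 172.16.0.0 - 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpc_cidr_problems(cidr):
    """Reasons `cidr` is not a usable IPv4 VPC block; an empty list means it is fine.
    A VPC block must be /16 to /28 and (by convention) inside an RFC 1918 range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/16
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    if net.version != 4:
        return [f"{cidr}: only IPv4 blocks are checked here"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{cidr}: prefix must be between /16 and /28, got /{net.prefixlen}")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{cidr}: not inside an RFC 1918 private range")
    return problems


def subnet_problems(vpc_cidr, subnet_cidrs):
    """Every subnet must sit inside the VPC block, be /16 to /28, and not overlap a sibling."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    problems = []
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} lies outside VPC block {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{net}: subnet prefix must be between /16 and /28")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses AWS withholds from every subnet, by role."""
    net = ipaddress.ip_network(subnet_cidr)
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns_reserved": str(base + 2),   # reserved in every subnet; the resolver itself is at VPC base + 2
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_addresses(subnet_cidr):
    """Addresses you can actually assign: the block size minus the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def vpc_dns_server(vpc_cidr):
    """The Amazon DNS server answers at the base of the VPC's primary CIDR plus two."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


if __name__ == "__main__":
    # Constructed example: a /16 VPC with two good /24 subnets and one outside the block.
    print(vpc_cidr_problems("10.0.0.0/16"))
    print(subnet_problems("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.1.0.0/24"]))
    print(reserved_addresses("10.0.0.0/24"), usable_addresses("10.0.0.0/24"))
    print(vpc_dns_server("10.0.0.0/16"))
```

Run it before creating subnets: a /28 leaves only 11 assignable addresses, and `172.32.0.0/16` is not private even though it "looks like" the 172.16 range.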

VPC PEERING

VPC Peering

•  VPC Peering allows VPCs from the same or different accounts to be connected
–  Instances in one can communicate with the other using private IP addresses
–  One VPC can be peered with multiple VPCs
–  Not transitive
–  Watch out for IP address clashes
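The two peering pitfalls on this slide, non-transitivity and address clashes, can be checked from an inventory of VPC CIDR blocks and peering connections before any route tables are touched. The following is an added example, not from the original slides: the VPC names, CIDR blocks and peering list are constructed, and the function names are my own.

```python
import ipaddress
from collections import deque
from itertools import combinations

# Constructed inventory, not real account data: VPC CIDR blocks and requested peerings.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.1.0.0/16",   # same block as vpc-b: the classic address clash
}
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c"), ("vpc-a", "vpc-d"), ("vpc-b", "vpc-d")]


def _net(vpcs, name):
    return ipaddress.ip_network(vpcs[name])


def rejected_peerings(vpcs, peerings):
    """Peering requests that cannot be created: the two VPCs' CIDR blocks overlap."""
    return [(a, b) for a, b in peerings if _net(vpcs, a).overlaps(_net(vpcs, b))]


def accepted_peerings(vpcs, peerings):
    rejected = set(rejected_peerings(vpcs, peerings))
    return [p for p in peerings if p not in rejected]


def peers_of(peerings, vpc):
    """Direct peers of `vpc`, in the order the peerings were created."""
    return [b if a == vpc else a for a, b in peerings if vpc in (a, b)]


def directly_reachable(peerings, src, dst):
    """Private-IP reachability over peering exists only between direct peers."""
    return dst in peers_of(peerings, src)


def naive_transitive_reachable(peerings, src, dst):
    """What someone assuming peering were transitive would expect: any path through the
    peering graph. Shown only to contrast with directly_reachable; AWS does not do this."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in peers_of(peerings, cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def peer_routes(vpcs, peerings, vpc):
    """Route-table entries `vpc` needs: (destination CIDR, peer) for each peer.
    A peering connection carries nothing until both sides add such a route (and
    security groups / NACLs permit the traffic)."""
    return [(vpcs[peer], peer) for peer in peers_of(peerings, vpc)]


def route_clashes(vpcs, peerings, vpc):
    """Pairs of peers whose CIDRs overlap each other. A route table cannot send one
    destination prefix to two peering connections, so at least one peer is unreachable."""
    peers = peers_of(peerings, vpc)
    return [(p, q) for p, q in combinations(peers, 2) if _net(vpcs, p).overlaps(_net(vpcs, q))]


if __name__ == "__main__":
    live = accepted_peerings(VPCS, PEERINGS)
    print("rejected:", rejected_peerings(VPCS, PEERINGS))
    print("a -> c direct:", directly_reachable(live, "vpc-a", "vpc-c"),
          "| if peering were transitive:", naive_transitive_reachable(live, "vpc-a", "vpc-c"))
    print("vpc-a routes:", peer_routes(VPCS, live, "vpc-a"))
    print("vpc-a clashes:", route_clashes(VPCS, live, "vpc-a"))
```

In the constructed data vpc-a can reach vpc-b and vpc-b can reach vpc-c, but vpc-a cannot reach vpc-c; and although vpc-a may peer with both vpc-b and vpc-d, its route table cannot point 10.1.0.0/16 at both, so one of them is dead.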
VPC Peering

[Diagram: three peering topologies, labelled OK, NOT OK, NOT OK]

CREATING YOUR VPC

NETWORK ADDRESS TRANSLATION (NAT) AND BASTION INSTANCES

NETWORK ACCESS CONTROL LISTS (NACL)

VPC FLOW LOGS

VPC ENDPOINTS

VPC EXAM TIPS

VPC Exam Tips

•  VPC is a virtual data center within AWS:
–  Computing resources reside in subnets within the VPC
–  A VPC can have one or more subnets
•  Subnets:
–  Restricted to a single AZ; a single AZ can contain multiple subnets
–  Three types: public, private, VPN-only
–  "Public" vs. "private" is decided by the subnet's route table (a route to an Internet Gateway makes it public), not by the instances; an instance in a public subnet still needs a public or Elastic IP to talk to the Internet
•  VPC IP addresses:
–  Assigned a private IP address range via a CIDR mask
–  Subnets are assigned private IP address ranges within the VPC address range
•  Network security:
–  Instance level: Security Groups (stateful, allow rules only)
–  Subnet level: NACLs (stateless, numbered allow/deny rules evaluated in order)
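"Stateful" versus "stateless" is the point candidates most often get wrong in practice: a NACL that allows port 443 in but forgets the client's ephemeral return ports silently drops every reply, while a security group with no outbound rules at all still lets replies out. The following is an added example, not code from the original slides; it is a small simulator of the two evaluation models, with constructed rule sets, packets and class names of my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int            # NACL evaluation order (lowest first); ignored for security groups
    proto: str             # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # NACLs may say "deny"; security groups are allow-only


def _matches(rule, ip, port, proto):
    if rule.proto not in ("all", proto):
        return False
    if rule.proto != "all" and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules, packet, direction):
    """Stateless: every packet, replies included, is checked against the rules in ascending
    rule-number order. The first match decides; no match is the implicit '*' deny."""
    remote = packet.src if direction == "in" else packet.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, remote, packet.dport, packet.proto):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: allow rules only, plus connection tracking. A reply to a connection that
    was admitted is permitted in the other direction whatever the rules there say."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()   # 5-tuples of admitted connections

    def allows(self, packet, direction):
        flow = (packet.src, packet.sport, packet.dst, packet.dport, packet.proto)
        reverse = (packet.dst, packet.dport, packet.src, packet.sport, packet.proto)
        if reverse in self.tracked:
            return True   # return traffic of a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        remote = packet.src if direction == "in" else packet.dst
        if any(_matches(r, remote, packet.dport, packet.proto) for r in rules):
            self.tracked.add(flow)
            return True
        return False


def web_security_group():
    """Constructed web-tier group: HTTPS in from anywhere, no outbound rules at all."""
    return SecurityGroup(inbound=[Rule(0, "tcp", 443, 443, "0.0.0.0/0")], outbound=[])


# Constructed NACLs. The "broken" outbound list forgot that the server's replies go back
# to the client's ephemeral port (1024-65535), not to port 443.
NACL_IN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_FIXED = [Rule(100, "tcp", 443, 443, "0.0.0.0/0"),
                  Rule(110, "tcp", 1024, 65535, "0.0.0.0/0")]


def https_round_trip(nacl_in, nacl_out, sg):
    """Walk a client's SYN into the subnet and the server's reply back out.
    Order: NACL (subnet edge) then SG on the way in; SG then NACL on the way out.
    Returns (request_admitted, reply_admitted)."""
    request = Packet("203.0.113.5", 51515, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51515)
    request_ok = nacl_allows(nacl_in, request, "in") and sg.allows(request, "in")
    reply_ok = request_ok and sg.allows(reply, "out") and nacl_allows(nacl_out, reply, "out")
    return request_ok, reply_ok


if __name__ == "__main__":
    print("forgot ephemeral ports:", https_round_trip(NACL_IN, NACL_OUT_BROKEN, web_security_group()))
    print("with ephemeral ports:  ", https_round_trip(NACL_IN, NACL_OUT_FIXED, web_security_group()))
```

The same simulator shows NACL ordering: a deny rule numbered above a broader allow is never reached, so put specific denies at lower numbers than the allows they are meant to override.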
VPC Exam Tips

•  Route tables are used to route network traffic
–  Include a "local" route for intra-VPC traffic covering all instances across all subnets by default
–  All other routes (e.g., access to the Internet) must be defined explicitly
–  A main route table is created with the VPC; additional tables can be created
–  Every subnet is associated with exactly one route table (the main table unless explicitly associated with another)
•  Flow Logs allow capture and analysis of network interface traffic, both accepted and rejected flows
VPC Exam Tips

•  An Internet Gateway is required in the VPC to allow Internet access
•  Private subnets reach the Internet via NAT instances or a NAT Gateway
•  Private data center access via a Virtual Private Gateway
–  Virtual Private Gateway, Customer Gateway, and an IPsec VPN connection between them
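The route-table tips above and the Internet Gateway / NAT / Virtual Private Gateway slide together define what "public", "private" and "VPN-only" actually mean: it is the routes, resolved by longest-prefix match, that decide where a packet goes. The following is an added example, not code from the original slides, that classifies subnets from constructed route tables and shows why an instance without a public IP gets nowhere through an Internet Gateway. The table, subnet and gateway IDs follow AWS naming but are invented.

```python
import ipaddress

# Constructed route tables and subnet associations (IDs follow AWS naming but are invented).
ROUTE_TABLES = {
    "rtb-main":    [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0a1b2c3d")],
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0e5f6a7b")],
    "rtb-vpnonly": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-0c9d8e7f")],
}
MAIN_ROUTE_TABLE = "rtb-main"
SUBNET_ASSOCIATIONS = {   # subnet -> explicitly associated table; None falls back to the main table
    "subnet-web": "rtb-public",
    "subnet-app": None,
    "subnet-db": "rtb-vpnonly",
}


def route_table_for(subnet):
    return SUBNET_ASSOCIATIONS[subnet] or MAIN_ROUTE_TABLE


def lookup(routes, destination):
    """Longest-prefix match: the most specific route wins, so the VPC's own 'local' route
    always beats a 0.0.0.0/0 default. Returns the target, or None when nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(subnet):
    """public   = a route to an Internet Gateway
    private  = Internet only through NAT (or no Internet route at all)
    vpn-only = the only way out of the VPC is a Virtual Private Gateway"""
    targets = [t for _, t in ROUTE_TABLES[route_table_for(subnet)]]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def internet_path(subnet, has_public_ip):
    """How an instance reaches an Internet address, or None. Uses 198.51.100.1
    (a documentation-range address) as the probe destination."""
    target = lookup(ROUTE_TABLES[route_table_for(subnet)], "198.51.100.1")
    if target is None:
        return None
    if target.startswith("igw-"):
        # The IGW only translates for instances that own a public/Elastic IP;
        # a private-only instance in a public subnet still goes nowhere.
        return f"direct via {target}" if has_public_ip else None
    if target.startswith("nat-"):
        return f"via {target}"   # NAT supplies the public address; the instance needs none
    return None


if __name__ == "__main__":
    for subnet in SUBNET_ASSOCIATIONS:
        print(subnet, route_table_for(subnet), classify(subnet),
              internet_path(subnet, has_public_ip=True), internet_path(subnet, has_public_ip=False))
```

The unassociated subnet-app silently inherits the main table; if someone later adds an IGW route to the main table "for convenience", every such subnet becomes public at once, which is why the main table is best kept free of Internet routes.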
VPC Exam Tips

•  Endpoints for AWS services
•  PrivateLink for non-AWS services (account and commercial, within AWS or off-site)
•  VPC Peering allows VPCs from the same or different accounts to be connected
–  Instances in one can communicate with the other using private IP addresses
–  One VPC can be peered with multiple VPCs
–  Not transitive
–  Watch out for IP address clashes (VPCs with overlapping CIDR blocks cannot be peered)
–  Cross-region (inter-region) peering is supported; it does not go through a Virtual Private Gateway

•  No charge for the VPC itself
