VPC - AWS Study Guide (v2.0)

VPC

Priority Tier 2 Domain 1: Design Secure Architectures Domain 3: Design High-Performing Architectures Domain 4: Design Cost-Optimized Architectures

Learning Objectives

Define a Virtual Private Cloud (VPC) and explain its benefits, including logical isolation, security, and control over network resources. (source_page: 1, 2)

Identify and describe the purpose and function of key VPC components, such as subnets, Internet Gateways, Route Tables, Network ACLs, Security Groups, and Elastic Network Interfaces (ENIs). (source_page: 1, 2)

Understand how to configure a VPC, including specifying CIDR blocks, creating public and private subnets, and setting up routing rules for network traffic. (source_page: 1, 2)

Explain various VPC connectivity options, including NAT Gateways/Instances, VPC Peering, VPC Endpoints, AWS Direct Connect, Site-to-Site VPN, and Transit Gateway, and their suitable use cases. (source_page: 1, 2, 3)

Differentiate between Security Groups and Network ACLs, understanding their operational layers (instance vs. subnet), statefulness, rule processing, and default behaviors. (source_page: 1, 2, 4)

Learn best practices for securing a VPC using a layered approach and understand systematic troubleshooting steps for common VPC network issues, including the use of VPC Flow Logs. (source_page: 1, 2)

Be able to provision and configure a custom VPC with public and private subnets, an Internet Gateway, a NAT Gateway, and a Bastion Host. (source_page: 1, 2)

VPC Fundamentals

This section introduces the core concept of Amazon Virtual Private Cloud (VPC), its foundational role within AWS, and essential attributes.

A Virtual Private Cloud (VPC) is a logically isolated section of the AWS Cloud that allows you to launch AWS resources into a virtual network that you define. It provides you with more control over your network environment compared to using AWS resources without a VPC. This isolation enhances security and control over your network resources. VPCs are virtual data centers in the cloud that allow you to define your own network with complete control over virtual networks, IP address ranges, subnets, route tables, and network gateways. (source_page: 1, 2)

Amazon VPC is a virtual network within the AWS cloud that provides a logically isolated section for deploying and managing AWS resources. It allows you to create a customizable virtual network, offering greater control and security than the default VPC. This isolation ensures better security and resource management. (source_page: 1)

VPCs are regional resources, meaning a VPC spans all the Availability Zones in a region. (source_page: 2, 3)

By using VPC, you can have more control over your network architecture, including IP address range, subnets, and routing tables. VPCs can leverage multiple layers of security including security groups and network access control lists to control access to EC2 instances in each subnet. You can create hardware virtual private network connections between your corporate data center and your VPC to leverage the AWS cloud as an extension of your corporate data center. You can launch instances into a subnet of your choosing, create custom IP address ranges for each subnet, configure route tables between subnets, and attach an Internet gateway to your VPC. (source_page: 2, 4)

AWS creates a default VPC (172.31.0.0/16) when you create an account. This includes an internet gateway, a default route table, and public subnets in each Availability Zone with auto-assign public IP enabled. The default VPC is user-friendly and has all subnets with a route out to the Internet. (source_page: 1, 2, 4)

Custom VPCs are fully customizable but take more time to set up. Creating additional VPCs provides good advantages from a security perspective. (source_page: 2, 4)

IP Addressing and CIDR

This section covers the fundamentals of IP addressing within a VPC, including CIDR notation, private and public IP ranges, and AWS-reserved IP addresses.

When creating a VPC, you must specify a primary CIDR block (a range of IP addresses) and a region. It is critical to use non-overlapping IP address ranges within your VPCs and between VPCs. Adhere to RFC 1918 standards for private IP addresses to avoid conflicts with public IP addresses. You can add up to four secondary CIDR blocks to a VPC. (source_page: 1, 2, 4)

Technical Specs: Valid RFC 1918 private IP ranges: 10.0.0.0/8 (Class A), 172.16.0.0/12 (Class B), and 192.168.0.0/16 (Class C). Primary CIDR block size: /16 to /28 for IPv4 VPCs. (source_page: 1, 3, 4) Maximum IP address ranges per VPC: 5 (1 primary, 4 secondary). (source_page: 2)

CIDR notation (x.x.x.x/n) specifies an IP address range. The 'x.x.x.x' represents the IP address, and '/n' denotes the number of bits in the network prefix. For IPv4, 'n' ranges from 0-32. The larger the 'n' value, the smaller the address range, as fewer bits are available for defining host addresses. Conversely, the smaller the '/xx' number, the larger the IP address range, as more bits are available for defining the IP address range. (source_page: 1, 4)

Technical Specs: IPv4 network prefix bits: 0-32. (source_page: 1)

AWS reserves the first four IP addresses and the last IP address in each subnet CIDR block for network, router, DNS server, future use, and broadcast addresses. This means five IP addresses are lost from a traditional network block. (source_page: 2, 4)

Private IP addresses are used within private networks, such as Amazon Virtual Private Clouds (VPCs) or local area networks (LANs). They are not publicly routable from the internet. Every EC2 instance receives at least one private IP address upon launch, which is static and persists even after restarts, facilitating internal communication within the VPC. Each instance must have a primary private IP address from the range specified by the subnet CIDR. You can't change or remove this address, but you can assign secondary private IP addresses to the primary ENI from the same subnet. (source_page: 1, 2, 7, 10)

Public IP addresses are used for resources that need to be accessible from the internet and are routable globally. While an EC2 instance can be assigned a public IP for external access (requiring it to be in a public subnet or have auto-assign public IP enabled), these addresses are dynamic and change if the instance is stopped and started. (source_page: 5, 7, 10)

Elastic IP Addresses (EIPs) are static, public IPv4 addresses allocated to your AWS account. An EIP can be associated with an EC2 instance and reattached to another if needed, providing a consistent public IP that doesn’t change upon instance restart. When an EIP is associated, it replaces any existing public IP on the instance. While useful for legacy applications, for modern, stable applications, alternatives like DNS names or Load Balancers are generally preferred over EIPs for achieving a stable public presence. (source_page: 1, 5, 7, 10)

Technical Specs: IPv6 support: Not supported for EIPs (IPv4 only). (source_page: 4, 7, 10) Quota: AWS accounts typically have a soft limit of 5 EIPs per region, which can be increased. (source_page: 2, 7, 10) Cost: EIPs are charged by AWS regardless of whether they are associated with a resource or remain idle. (source_page: 7, 10)

AWS VPC also supports IPv6 addressing. All IPv6 addresses are public, there are no private address ranges available on IPv6 for you to use with AWS. AWS chooses the IPv6 CIDR block for your VPC, you cannot choose that yourself. (source_page: 1, 4)

Technical Specs: IPv6 format: 128-bit (8 groups of 4 hexadecimal digits). (source_page: 4) VPC CIDR block size fixed at /56. (source_page: 1, 4) Subnet CIDR block size fixed at /64. (source_page: 1, 4) Elastic IPv6 addresses: Not supported. (source_page: 4)

To change the IP range of an existing VPC or subnet (e.g., /24 to /20), you must terminate that existing VPC and create a new one. You can expand an existing VPC by adding up to four secondary IPv4 address ranges to that VPC. You can shrink your VPC by deleting those secondary CIDR blocks at any time. You cannot change the size of an IPv6 address range on your VPC. (source_page: 4)

VPC Core Components

AWS VPCs are built from several interconnected components, each serving a specific networking function. Understanding these components is key to designing and managing your virtual network.

VPC Configuration Procedures

procedure

Configuring a VPC involves a series of steps to define its network space, segment it into subnets, and establish routing rules. The following outlines general and specific procedures mentioned in the source material.

VPC Connectivity Options

AWS provides a rich set of services to connect your VPC to the internet, other VPCs, on-premises networks, and AWS services, addressing various architectural needs from basic internet access to complex hybrid cloud environments.

VPC Security

Security within a VPC is implemented through a layered defense approach, utilizing firewalls at both the subnet and instance levels, along with dedicated secure access points.

VPC Quotas and Limits

Understanding the default quotas and limits for VPC resources is essential for planning and scaling your network architecture within AWS.

AWS imposes default soft limits on various VPC resources, which can often be increased upon request.

Technical Specs: VPCs per Region: 5 (source_page: 2) Subnets per VPC: 200 (source_page: 1, 2) IPv4 & IPv6 CIDR blocks per VPC: 5 (source_page: 2) NACLs per VPC: 200 (source_page: 2) Rules per NACL: 20 (source_page: 2) VPC Security Groups per region: 2,500 (source_page: 2) Inbound and Outbound Rules per Security Group: 60 (source_page: 2) Elastic IPs per region: 5 (source_page: 2) Elastic IPs per public NAT Gateway: 2 (source_page: 2) Egress-only Internet Gateways per Region: 5 (source_page: 2) Internet Gateways per Region: 5 (source_page: 2) NAT Gateways per AZ: 5 (source_page: 2) Minimum subnet size for IPv4: /28 (allows 11 available IP addresses). (source_page: 1, 4) Maximum IP address ranges per VPC: 5 (1 primary, 4 secondary). (source_page: 2) Maximum IP addresses per subnet: 2048. (source_page: 2) Maximum route tables per VPC: 200. (source_page: 2) Maximum rules per security group: 500. (source_page: 2) Maximum security groups per VPC: 500. (source_page: 2)

Troubleshooting VPC Network Issues

Effective troubleshooting of VPC connectivity issues requires a systematic approach, involving the review of network configurations and the use of diagnostic tools.

Hybrid DNS with Route 53 Resolvers

Amazon Route 53 Resolvers facilitate hybrid DNS architectures, enabling seamless resolution of DNS queries between on-premises data centers and AWS VPCs.

Exam Tips

A VPC is a logical data center in AWS. Remember its core components: Internet Gateways, Virtual Private Gateways, route tables, Network Access Control Lists, subnets, and security groups. (source_page: 2)

One subnet is always in one Availability Zone, and a subnet cannot span multiple Availability Zones. (source_page: 2, 7)

NAT Gateways are redundant inside the Availability Zone and do not need patching. They are not associated with security groups and are automatically assigned a public IP address when created. For an Availability Zone-independent architecture, create NAT Gateways in each Availability Zone. (source_page: 2, 7)

Security Groups are stateful (responses to allowed inbound traffic are automatically allowed outbound), while Network ACLs are stateless (responses require explicit rules). (source_page: 1, 2, 7)

Network ACLs contain a numbered list of rules that are evaluated in order, with the first matching rule applied. A subnet must be associated with a Network ACL. (source_page: 2, 7)

Use Network ACLs, not security groups, to block specific IP addresses. (source_page: 2)

VPC Peering connects two VPCs via a direct network route. It is done in a star configuration and cannot be transitive (no indirect peering). Overlapping CIDR address ranges cannot exist between peered VPCs. (source_page: 1, 2, 7)

AWS PrivateLink allows peering VPCs to tens, hundreds, or thousands of customer VPCs without requiring VPC peering or complex network configurations. It requires a Network Load Balancer (NLB) on the service VPC and an Elastic Network Interface (ENI) on the customer VPC. (source_page: 2, 7)

AWS Transit Gateway simplifies network topology by acting as a central hub for connecting multiple VPCs and on-premises networks. Consider it for complex network environments. (source_page: 1, 2, 7)

AWS Wavelength is used for mobile edge computing and 5G to increase application speed at the edge. Think of it in scenarios about ultra-low latency and 5G networks. (source_page: 2, 7)

Troubleshooting internet connectivity issues should start with checking route tables, then Network ACLs, and finally Security Groups. (source_page: 2)

When encountering scenario questions about private, dedicated connections bypassing the Internet with high throughput (e.g., 10 Gbps), AWS Direct Connect is the typical answer. (source_page: 2)

To achieve private API calls to API Gateway from on-premises via Direct Connect, use a private virtual interface and create an Interface VPC Endpoint for Amazon API Gateway. (source_page: 9)

To allow private instances outbound internet access without inbound connections, use a NAT Gateway in a public subnet and an Internet Gateway attached to the VPC. (source_page: 9)

New custom security groups deny all inbound traffic by default and allow all outbound traffic by default (0.0.0.0/0). (source_page: 9)

Network Load Balancer (NLB) and Application Load Balancer (ALB) can distribute traffic to EC2 instances in peered VPCs if IP address-based target registration is used. Classic Load Balancer (CLB) cannot. (source_page: 9)

For PCI compliance requiring private traffic between EC2 instances and Amazon S3, create a VPC Gateway Endpoint for S3. There are no additional charges for gateway endpoints. (source_page: 9)

For secure SSH access to private web servers from a corporate network, use a Bastion Host in a public subnet with security group rules allowing traffic from the corporate network, and configure the private web servers' security group to allow SSH only from the Bastion Host. (source_page: 9)

Enable VPC Flow Logs to capture IP traffic metadata for network interfaces within your VPC, including VPN traffic, for logging and analysis. (source_page: 9)

Glossary

Virtual Private Cloud (VPC)

A logically isolated section of the AWS Cloud that allows you to launch AWS resources into a virtual network that you define. (source_page: 1)

Subnet

A range of IP addresses within your VPC, residing in a single Availability Zone. Can be public or private. (source_page: 1)

Internet Gateway (IGW)

Enables communication between your VPC and the internet. (source_page: 1)

Virtual Private Gateway (VGW)

Enables connection to your on-premises network via a VPN connection; it's the AWS side of the VPN connection. (source_page: 1)

Customer Gateway

The on-premises device or software used for a VPN connection. (source_page: 1)

Route Table

Defines the routing rules for network traffic within your VPC. (source_page: 1)

Network Access Control List (NACL)

Acts as a firewall, controlling inbound and outbound traffic at the subnet level. (source_page: 1)

Security Group

Acts as a firewall, controlling inbound and outbound traffic at the instance level. (source_page: 1)

Elastic Network Interface (ENI)

A virtual network interface card (NIC) connecting an instance to the network. (source_page: 1)

Classless Inter-Domain Routing (CIDR)

A notation (e.g., 10.0.0.0/16) defining IP address ranges. (source_page: 1)

NAT Gateway

An AWS managed service that enables instances in a private subnet to connect to the internet while preventing the internet from initiating a connection with those instances. (source_page: 1)

VPC Peering

Allows connecting two VPCs for private traffic routing using private IP addresses. (source_page: 1)

VPC Endpoint

Provides private connectivity to supported AWS services without traversing the public internet. (source_page: 1)

AWS PrivateLink

Enables private connections between a VPC and supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct connection, using interface endpoints. (source_page: 2)

AWS Transit Gateway

Acts as a central hub, enabling efficient interconnection of multiple VPCs and on-premises networks without using the public internet. (source_page: 1)

AWS Direct Connect

A cloud service solution that establishes a dedicated network connection from a customer's data center to AWS. (source_page: 2)

Bastion Host

An EC2 instance in a public subnet that acts as a secure jump point for accessing resources in a private subnet. (source_page: 1)

VPC Flow Logs

Logs that capture information about the IP traffic flowing through network interfaces within your VPC. (source_page: 1)

Ephemeral Ports

A range of temporary port numbers used by client applications to initiate connections. NAT gateways use ports 1024-65535. (source_page: 2)

Egress-Only Internet Gateway

Used to prevent the internet from initiating an IPv6 connection with your instances by only allowing outbound communication over IPv6 from instances in your VPCs to the Internet. (source_page: 2)

AWS Wavelength

A service that embeds AWS compute and storage services within 5G networks, providing a mobile edge computing infrastructure for ultra-low-latency applications. (source_page: 2)

Key Takeaways

A VPC provides a logically isolated section of the AWS Cloud for launching and managing resources, offering significant control over your network environment. (source_page: 1)

Key VPC components like subnets, route tables, security groups, and Internet Gateways are fundamental for network design and traffic flow. (source_page: 1)

Proper configuration and a layered security approach (using Security Groups and NACLs) are crucial for protecting your VPC resources. (source_page: 1)

VPC connectivity options, such as NAT Gateways, VPC Peering, VPC Endpoints, and Transit Gateway, enable diverse network topologies and hybrid cloud solutions. (source_page: 1)

Troubleshooting involves systematically investigating issues using AWS tools like VPC Flow Logs to diagnose and resolve connectivity problems. (source_page: 1)