Amazon Virtual Private Cloud
Amazon VPC allows us to create our own virtual private network within AWS in following ways
- Help in selecting own private IP subnet space
- Configuring Routing tables
- Network gateway
- Security policies
In a region, multiple VPC can be created and they are logically isolated even if they share IP address Space. Once any address space is assigned it cannot be changes after VPC is created.
There are two types of Network Platform available within AWS.
- EC2 VPC
EC2-Classic was originally launched with a single, flat network shared between another AWS customers.
Below figure describes Amazon VPC, with address space of 10.0.0.0/16 with two different subnets 10.1.1.0/24 and 10.1.2.0/24 placed in different availability zone.
An amazon VPC consists of the following components
- Route tables
- DHCP options sets
- Security groups
An Amazon VPC has following optional components.
- Internet Gateways
- Elastic IP (EIP) address
- Elastic Network Interfaces
- NAT & NAT Gateway
- Virtual private gateway
Subnets are the IP address ranges which is assigned to EC2 Instances, Amazon RDS databases, and other AWS resources.
Once VPC is created, one or more than one subnets is assigned in each availability zones, subnets present in one availability zones cannot be spanned to another availability zones. Subnets may be public , private and VPN-only.
- Pubic Subnets: Associated to routing table which directs the subnets traffic to VPC IGW.
- Private Subnets: Associated to routing table which does not directs the subnets traffic to VPC IGW.
- VPN-only: Associated to routing table which directs the subnets traffic to VPG and does not have route to IGW.
Route table is collection of destination routes, which is looked up by Network device to route traffic from one destination to another. Route table can be modified and we can add your own custom routes. Route table can also be used to specify which subnets are public, private and VPN-only. Each route table contains a default route which is also called as local routes.
There are some important characteristics of route tables.
- Each VPC has in build implicit router and comes with main route table for your VPC.
- In any VPC route table, custom routes can be added manually
- Each subnets are associated to route table, if any subnets are not associated to route table , subnet uses main route table
- Main route table can be replaced with custom route table.
When there is requirement that your Instance want to communicate with other amazon VPC and internet, Internet gateways is used. AN IGW provides the destination in VPC route table for Internet –routable traffic and also perform NAT for instances that have been assigned public IP address.
When any instance send traffic to the internet , the IGW convert the Private IP address of instance to Public IP address and keep this one to one mapping for reverse traffic in return.
Following steps must be used to create public subnet with Internet access:
- Attach an IGW to your Amazon VPC.
- Create subnets route table rule to send all non-local traffic (0.0.0.0/0) to IGW.
- Configure ACL and security group’s rules to allow traffic flow to and from your instance.
- Assign a public IP address or EIP address for traffic from instance to internet.
An Amazon VPC is configured with address space of 10.0.0.0/16, an instance is configured which has private IP address 10.1.1.5/24 and has one public EIP address 188.8.131.52. This VPC has route table and has one IGW. Route table contains two routes, one local routes that helps in inter-VPC communication and another route which sends all internet based traffic to IGW. The EC2 instance has public IP address (184.108.40.206) which can be accessed from internet.
DHCP Option Sets
DHCP provide network related information to Host like IP address, Subnet mask, Gateway and the DHCP option field contains configuration parameters like domain name, DNS and the netbios-node-type details.
As soon as the VPC is created, DHCP is automatically created and there are two option sets provided:
- Domain-name –servers : ( default to Amazon provided DNS)
- Domain name : ( default domain name of your region)
There are following values for DHCP option sets:
- Domain-name-servers: IP address of up to four domain name servers separated by commas.
- Domain-name: provides desired domain name.
- NTP servers: four NTP servers separated by commas
- Netbios-name-servers: Four NetBIOS name servers
- Netbios-node-type: this is set to 2.
Elastic IP address (EIPs)
AWS has pool of public IP address in each region which is used to associate to resources within your Amazon VPC. It is static public IP address in pool that you allocate to your account and release after use.
- An EIP for use must be allocated and is assigned to an instance.
- EIPs are specific to region
- There is always one to one relation between interface and EIPs.
- EIP can be moved from one instance to another to another instance either in same amazon VPC or different VPC with in same region
- EIP is allocated to your account till the time it is released.
Elastic Network Interface (ENIs)
It is the virtual network interface that is attached to an instance in VPC. ENIs are associated with a subnet upon creation. Each ENIs can have one public IP address and multiple private address.
Endpoints helps to create a private connection between your VPC and another AWS service without requiring access over internet , VPN connection or AWS direct .
Currently it supports communication with Amazon Simple storage service (Amazon S3) and other services which is expected to be added in future.
Following steps are needed to create VPC endpoints.
- Specify the Amazon VPC.
- Specify the service. A service is identified by a prefix list of the form amazonaws.<region>.<service>.
- Specify the policy. You can allow full access or create a custom policy. This policy can be changed at any time.
- Specify the route tables. A route will be added to each specified route table, which will state the service as the destination and the endpoint as the target.
Peering is a connection between two different instance from two different VPC in a such a way that they are in same network. Peering between two different VPC are done within same single region.
Request/accept protocols are used for Peering between different VPC. Initiator VPC send request to peer VPC , and if Peer VPC is on same account , generally identified by VPC ID , and if VPC peer is in different account is identified by Account ID , . There is one week time to accept the request or reject the request for peering. Peering is one to one relation between different VPC and they don’t support transit routing.
Following are some important points to remember on peering:
- You cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
- You cannot create a peering connection between Amazon VPCs in different regions.
- Amazon VPC peering connections do not support transitive routing.
- You cannot have more than one peering connection between the same two Amazon VPCs at the same time.
It is a virtual statefull firewall that controls inbound and outbound traffic. All Amazon EC2 instance must be launched in to a security groups, if an instance is not launched with specific security groups than a default security group is applied on to it. Default security group allows communication between all resources within security groups, allow all outbound traffic and denies all other traffic .
Security groups example:
Following are important points must be known for security groups :
- You can create up to 500 security groups for each Amazon VPC.
- You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to five security groups with each network interface.
- You can specify allow rules, but not deny rules. This is an important difference between security groups and ACLs.
- You can specify separate rules for inbound and outbound traffic.
- By default, no inbound traffic is allowed until you add inbound rules to the security group.
- By default, new security groups have an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
- Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa. This is an important difference between security groups and network ACLs.
- Instances associated with the same security group can’t talk to each other unless you add rules allowing it (with the exception being the default security group).
- You can change the security groups with which an instance is associated after launch, and the changes will take effect immediately.
Network Access Control Lists:
A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level.
Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise.
NAT Instances and NAT Gateways:
Any instance that is in private network in VPC cannot be able to communicate to internet through IGW. For this to happen, AWS provides NAT instance and NAT gateways to allow instance deployed in private subnets to gain internet access.
NAT Instance: It is a Linux Amazon machine that is designed to accept traffic from instance with in a private subnet, translate the source address to public IP address of NAT instance and forwards traffic to IGW.
NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet. These instances have the string amzn-ami-vpc-nat in their names, which is searchable in the Amazon EC2 console.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT instance, you must do the following:
- Create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol, and IP address.
- Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
- Disable the Source/Destination Check attribute of the NAT.
- Configure the route table associated with a private subnet to direct Internet-bound traffic to the NAT instance (for example, i-1a2b3c4d).
- Allocate an EIP and associate it with the NAT instance.
NAT Gateways: A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, you must do the following:
- Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway (for example, nat-1a2b3c4d).
- Allocate an EIP and associate it with the NAT gateway.
Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks. A customer gateway (CGW) represents a physical device or a software application on the customer’s side of the VPN connection. After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer’s side of the VPN connection.
Amazon VPC also supports multiple CGWs, each having a VPN connection to a single VPG (many-to-one design). In order to support this topology, the CGW IP addresses must be unique within the region.
Following are the important points to understand about VPGs, CGWs, and VPNs for the exam:
- The VPG is the AWS end of the VPN tunnel.
- The CGW is a hardware or software application on the customer’s side of the VPN tunnel.
- You must initiate the VPN tunnel from the CGW to the VPG.
- VPGs support both dynamic routing with BGP and static routing.
- The VPN connection consists of two tunnels for higher availability to the VPC.