AWS VPC
AWS Virtual Private Cloud (VPC) Notes
Purpose
Why/When do we need VPC?
- Isolating networks
Characteristics
- Limitted to one
AWS Region
- One default VPC comes with each
AWS Region
. - Span accross all
Avalability Zones
within theRegion
. - Default CIDR 172.31.0.0/16 (Range 172.31.0.0 - 172.31.255.255 - 65,536 IPs in this range)
- Availability zone name (ex: us-east-1) does not represent physical location of the servers. Its a logical name per aws account.
AvailabilityZoneId
(ex: use1-az1) associated with a physical location which is common for all AWS account. This is best to compare if we ever work with two different accounts/partners.
AWS VPC FAQ
- Is there a way to generate diagram from existing infrastructure?
- No out of the box solution from AWS.
- How to look at the AS-IS network map?
- Go to your VPC and explore the
Resource map
.
- Go to your VPC and explore the
- What resources are available within a given VPC?
- Drill through the subnet which is might span across availability zones.
- How do I debug challenging network issue?
- Flow logs is available at VPC and Subnet level.
VPC Diagram
Useful AWS commands
aws ec2 describe-vpcs
aws ec2 describe-internet-gateways
aws ec2 describe-subnets
AWS VPC User Guide
VPC and Features
- Logically isolated virtual network.
- Limitted to one region
- Gateways connects your VPC to another network.
- VPC peering - routes traffic between two VPCs.
- Transit gateways - central hub.
Route tables
- One or more can be defined
- used to direct the network traffic from your VPC
- subnet implicitly associated with main route table
Designing VPC
- IAM permissions
- Define strategy to maintain IaC
- Define policies to get the team informed about change in network.
- Choose the size of your VPC - how many IP addresses you will need across your AWS accounts and VPCs.
- IP Address Manager (IPAM) makes it easier to plan, track and monitor IP addresses of your application.
Internet traffic
- To receive traffic from internet, VPC must have an internet gateway.
- Subnet route table must have an entry to route to internet gateway.
- AWs resournces (instances) have public IP address and associated security group that allow traffic from internet.
Aleternatively, use ELB with with public NAT gateway.
Questions
- How do we plan IP addressing when HA is a major concern?
- 750 hours of Public IPv4 usage is free. How do we monitor its usage?
- For production environment, are you deploying AWS resources evenly in more than one Avalability Zone?
- For a development or test environment, Are you saving by using one Availability Zone?
- How do you maintain network security settings in compliance with best practices and cyber sec team’s requirement all the time?
- What is the Amazon VPC quotas?
Resources
- https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html
- https://mxtoolbox.com/subnetcalculator.aspx
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html
- https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html
- https://docs.aws.amazon.com/vpc/latest/ipam/
- Amazon EC2 User Guide for Linux Instances.