AWS Virtual Private Cloud (VPC) Notes

Purpose

Why/When do we need VPC?

  • Isolating networks

Characteristics

  • Limitted to one AWS Region
  • One default VPC comes with each AWS Region.
  • Span accross all Avalability Zones within the Region.
  • Default CIDR 172.31.0.0/16 (Range 172.31.0.0 - 172.31.255.255 - 65,536 IPs in this range)
  • Availability zone name (ex: us-east-1) does not represent physical location of the servers. Its a logical name per aws account.
  • AvailabilityZoneId (ex: use1-az1) associated with a physical location which is common for all AWS account. This is best to compare if we ever work with two different accounts/partners.

AWS VPC FAQ

  • Is there a way to generate diagram from existing infrastructure?
    • No out of the box solution from AWS.
  • How to look at the AS-IS network map?
    • Go to your VPC and explore the Resource map.
  • What resources are available within a given VPC?
    • Drill through the subnet which is might span across availability zones.
  • How do I debug challenging network issue?
    • Flow logs is available at VPC and Subnet level.

VPC Diagram

Useful AWS commands

aws ec2 describe-vpcs
aws ec2 describe-internet-gateways
aws ec2 describe-subnets

AWS VPC User Guide

VPC and Features

  • Logically isolated virtual network.
  • Limitted to one region
  • Gateways connects your VPC to another network.
  • VPC peering - routes traffic between two VPCs.
  • Transit gateways - central hub.

Route tables

  • One or more can be defined
  • used to direct the network traffic from your VPC
  • subnet implicitly associated with main route table

Designing VPC

  • IAM permissions
  • Define strategy to maintain IaC
  • Define policies to get the team informed about change in network.
  • Choose the size of your VPC - how many IP addresses you will need across your AWS accounts and VPCs.
  • IP Address Manager (IPAM) makes it easier to plan, track and monitor IP addresses of your application.

Internet traffic

  • To receive traffic from internet, VPC must have an internet gateway.
  • Subnet route table must have an entry to route to internet gateway.
  • AWs resournces (instances) have public IP address and associated security group that allow traffic from internet.

Aleternatively, use ELB with with public NAT gateway.

Questions

  • How do we plan IP addressing when HA is a major concern?
  • 750 hours of Public IPv4 usage is free. How do we monitor its usage?
  • For production environment, are you deploying AWS resources evenly in more than one Avalability Zone?
  • For a development or test environment, Are you saving by using one Availability Zone?
  • How do you maintain network security settings in compliance with best practices and cyber sec team’s requirement all the time?
  • What is the Amazon VPC quotas?

Resources

  • https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html
  • https://mxtoolbox.com/subnetcalculator.aspx
  • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html
  • https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html
  • https://docs.aws.amazon.com/vpc/latest/ipam/
  • Amazon EC2 User Guide for Linux Instances.