Which of the below are components that can be configured in the VPC section of the AWS Management Console?

What is AWS VPC?


Table of Contents

What is VPC

Components of AWS VPC

Features of AWS VPC

Use Cases of AWS VPC

General Best Practices of AWS VPC

Pricing of AWS VPC

Bonus

We all know the benefits of the public cloud and of the private data centre. What if you could get the best of both worlds: some of the freedom of a private cloud (your own IP address range, your own routes, and so on) combined with the power of the public cloud? A Virtual Private Cloud (VPC), as the name suggests, gives you a private environment inside a public cloud. All three big cloud providers offer one: AWS VPC, Azure VPC and GCP VPC.

To understand VPC in practice, this article gives an introduction to AWS VPC and its features. Service names and pricing differ, but the concept of a VPC stays almost the same across cloud providers. Knowledge of CIDR notation, subnets and basic AWS services will help in following this article.

What is VPC?

The Virtual Private Cloud (VPC) service lets you provision a private, isolated section of the Cloud where you can launch cloud services and other resources in a virtual network that you define (like 10.0.0.0/16). You have complete control over your virtual networking environment, including selection of an IP address range, creation of subnets, and configuration of route tables and network gateways.

Now let’s start exploring AWS VPC.

How to set up an AWS VPC

Setting up a VPC is straightforward: open the AWS Management Console and choose the VPC service. The VPC becomes operational after four steps:

(1) Choosing an IP address range

(2) Creating subnets

(3) Creating routes to the internet

(4) Authorizing traffic to and from the VPC

Components of AWS VPC

AWS VPC is made up of several components. Each one adds to the functionality of the VPC; let us see how.

1. Subnet: A subnet is a range of IP addresses in your VPC. You can launch AWS resources, such as EC2 instances, into a specific subnet.

Types of subnets:

  • Public subnet: Reachable from the internet. Uses an internet gateway to reach the internet.
  • Private subnet: Not reachable from the internet. Can use a NAT gateway so that only connections initiated from inside the subnet reach resources outside your VPC; it connects to the internet through a NAT gateway plus an internet gateway.


Image showing the difference between a public and a private subnet

AWS VPC address types:

  • IPv4: Defined by an IPv4 address space
  • IPv6: Defined by an IPv6 address space
  • Dual stack: Uses both IPv4 and IPv6

2. Security Groups: A virtual firewall that filters network traffic to a resource within the VPC (such as an EC2 instance or an RDS database).

3. Network ACL: Associated with a subnet in a VPC to filter the traffic to and from that subnet.

Security groups are stateful: when a request is allowed, the matching response traffic is allowed automatically.

Network ACLs are stateless: you have to separately allow both the request and the response.
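To make the difference concrete, here is a small model in Python, added here and not code from the article, of a stateless NACL and a stateful security group evaluating the same outbound HTTPS connection; the addresses, rule numbers and the ephemeral port are constructed for the example.

```python
"""Stateful security group vs stateless network ACL, modelled in plain Python.
Constructed scenario: instance 10.0.1.10 opens HTTPS to 203.0.113.5 and the
reply comes back to ephemeral port 49152."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    direction: str  # "inbound" or "outbound", relative to the instance
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The packet coming back for this flow: direction and endpoints swapped."""
        rev = "inbound" if self.direction == "outbound" else "outbound"
        return Flow(rev, self.dst, self.dst_port, self.src, self.src_port, self.proto)


def rule_matches(rule, flow):
    """rule = (number, direction, protocol, remote CIDR, (port_from, port_to), action)."""
    _, direction, proto, cidr, (lo, hi), _ = rule
    remote = flow.src if flow.direction == "inbound" else flow.dst
    return (direction == flow.direction and proto in ("all", flow.proto)
            and ip_address(remote) in ip_network(cidr) and lo <= flow.dst_port <= hi)


def nacl_decision(rules, flow):
    """Stateless: lowest rule number first, first match wins, else the implicit deny."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, flow):
            return rule[5]
    return "deny"


def sg_decision(rules, tracked, flow):
    """Stateful: only allow rules; an admitted flow's reply is added to `tracked` and passes."""
    if flow in tracked:
        return "allow"  # reply to a connection this group already admitted
    if any(rule_matches(r, flow) for r in rules):
        tracked.add(flow.reply())
        return "allow"
    return "deny"


# No inbound NACL rule at all: the reply to port 49152 is dropped.
NACL = [(100, "outbound", "tcp", "0.0.0.0/0", (443, 443), "allow")]
# Fixed NACL: an explicit inbound allow for the ephemeral port range.
NACL_FIXED = NACL + [(100, "inbound", "tcp", "0.0.0.0/0", (1024, 65535), "allow")]
SG_RULES = [(1, "outbound", "tcp", "0.0.0.0/0", (443, 443), "allow")]
REQUEST = Flow("outbound", "10.0.1.10", 49152, "203.0.113.5", 443)
```

Run `nacl_decision(NACL, REQUEST.reply())` against `nacl_decision(NACL_FIXED, REQUEST.reply())` to see why a NACL that only mirrors the outbound rule breaks return traffic while the security group needs no inbound rule at all.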


4. Internet Gateway: A gateway that connects a public subnet to the public internet.

5. NAT Gateway: Provides a one-way connection from a private subnet to external resources (resources not in your VPC). External resources can’t initiate a connection to your resources in the private subnet. It also performs network address translation (NAT).

6. Resources: The resources that reside within subnets (such as EC2 instances and RDS databases).

Features of AWS VPC

An AWS VPC spans multiple Availability Zones. A VPC can have a CIDR address space from /16 to /28. You can expand a VPC by adding 4 secondary address spaces.

Subnets must be at least /28. AWS reserves 5 IP addresses in each subnet for its own use.
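The size limits and the five reserved addresses above, together with the "choose an address range, create subnets" steps of the setup procedure, are easy to check with Python's ipaddress module. This is an added example, not the article's code; the VPC block, AZ names and /24 subnet size are constructed inputs.

```python
"""Address planning with the limits quoted above: a VPC CIDR of /16 to /28,
subnets no smaller than /28, and 5 addresses reserved by AWS in every subnet
(network address, VPC router, DNS resolver, one reserved for future use, and
the broadcast address)."""
from ipaddress import IPv4Network


def validate_vpc_cidr(cidr):
    """Return the network, or raise ValueError if it is not a legal VPC block."""
    net = IPv4Network(cidr)  # raises ValueError if host bits are set
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: a VPC CIDR block must be between /16 and /28")
    return net


def reserved_addresses(subnet):
    """The five addresses AWS keeps for itself in any subnet."""
    first = subnet.network_address
    return [first, first + 1, first + 2, first + 3, subnet.broadcast_address]


def usable_hosts(subnet):
    """Addresses left for your own resources after AWS's reservation."""
    if subnet.prefixlen > 28:
        raise ValueError(f"{subnet}: a subnet must be /28 or larger")
    return subnet.num_addresses - len(reserved_addresses(subnet))


def plan_subnets(vpc_cidr, azs, new_prefix):
    """Carve one public and one private subnet per AZ out of the VPC block.

    Returns {"public-<az>": network, "private-<az>": network, ...}; raises
    ValueError if the block is too small for the requested layout.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    if new_prefix > 28:
        raise ValueError("subnets must be /28 or larger")
    pool = vpc.subnets(new_prefix=new_prefix)  # ValueError if new_prefix < VPC prefix
    plan = {}
    for az in azs:
        for tier in ("public", "private"):
            subnet = next(pool, None)
            if subnet is None:
                raise ValueError(f"{vpc_cidr} cannot hold 2 x /{new_prefix} per AZ for {azs}")
            plan[f"{tier}-{az}"] = subnet
    return plan


# Constructed example: a /16 VPC split into /24 subnets across two AZs.
PLAN = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], 24)
```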

Some FAQs:

Is data transfer within an AWS VPC encrypted? No.

Do the NAT gateway or the internet gateway affect bandwidth? Both are horizontally scalable, highly available virtual devices and do not constrain bandwidth.

The traffic between two instances in the same VPC is private and isolated.

VPC Flow Logs: A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.

VPC Reachability Analyzer: Performs connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). If the destination is reachable, it gives hop-by-hop details; if not, it tells you which security group, network ACL, route table, or load balancer blocks the traffic.

Traffic Mirroring: An Amazon VPC feature that you can use to copy network traffic from an elastic network interface of an Amazon EC2 instance. You can then send the traffic to out-of-band security and monitoring appliances for:

  • Content inspection
  • Threat monitoring
  • Troubleshooting

VPC endpoints: Enable private connections between a virtual private cloud (VPC) and supported services, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Therefore, your VPC is not exposed to the public internet.

VPC Peering: A networking connection between two VPCs (even in different AWS accounts) that enables you to route traffic between them using private IPv4 or IPv6 addresses.

AWS VPC Use Cases

According to Aviatrix, some common use cases for VPCs include:

  • Hosting web applications
  • Hosting a web or e-commerce site
  • Migrating workloads to the AWS cloud
  • Extending a data center to the cloud (hybrid cloud)
  • Backup or disaster recovery

Common networking use cases for VPCs include:

  • VPC to VPC peering
  • VPC to on-premises data center
  • Branch location to VPC connectivity
  • Remote user to VPC-based application
  • Multicloud peering (AWS VPC to Azure VNET or Google Cloud VPC)
  • VPC to an internet resource (VPC egress traffic)

General VPC Best Practices:

The following are general best practices:

  • Plan for your IP address needs (with future growth in mind), then choose the CIDR range for the VPC.
  • Use multiple Availability Zone deployments so you have high availability.
  • Least privilege for users and services means better security, so configure security groups and network ACLs accordingly.
  • Keep network ACLs simple, as each additional rule increases complexity.
  • Use IAM policies to control access.
  • Use Amazon CloudWatch to monitor your VPC components and VPN connections.
  • Use flow logs to capture information about IP traffic going to and from network interfaces in your VPC.

AWS VPC Pricing

There is no additional charge for AWS VPC itself, but:

A NAT Gateway is charged on an hourly basis. Data processing charges apply for each gigabyte processed through the NAT gateway, regardless of the traffic’s source.


Image showing pricing of the NAT Gateway

💡 To avoid the NAT Gateway data processing charge in this example, you could set up a gateway-type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of through the NAT Gateway. There are no data processing or hourly charges for using a gateway-type VPC endpoint.

There is also a charge for transferring data between different Availability Zones within a VPC.


AWS Pricing Calculator image showing prices for outbound data transfer

Amazon VPC Reachability Analyzer charges you each time you analyze connectivity between a given source and destination.

There is no change in pricing for a resource provisioned within a VPC: the normal resource rate plus data transfer rates apply.

For details please check here.

BONUS

As per my experience so far, nothing can match the level of confidence you gain from hands-on work with cloud services. So, I have created a GitHub repo with an AWS VPC. This will certainly help you put the concepts you learned here into action by creating a simple web address book.

Architecture


Here the RDS instance is not accessible via the internet.

Hope you like it!


Which components can be configured in the VPC section of the AWS Management Console?

The AWS Management Console now supports the Amazon Virtual Private Cloud (VPC). You can now create and manage a VPC and all of the associated resources including subnets, DHCP Options Sets, Customer Gateways, VPN Gateways and the all-important VPN Connection from the comfort of your browser.

What are the components of VPC in AWS?

These components are:

  • VPC CIDR block
  • Subnet
  • Gateways
  • Route table
  • Network Access Control Lists (ACLs)
  • Security group

What type of services are associated with an AWS VPC?

Amazon Virtual Private Cloud (VPC) includes:

  • Subnets
  • Elastic IPs
  • Internet gateways
  • Network ACLs
  • Route tables
  • Security groups

Which component is used to connect a VPC to the Internet?

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.