Virtual Private Cloud (VPC)

Icon

Basics

Terminology

VPC : A regional resource which is a logically isolated (private) virtual network that you've defined where resources are deployed in AWS.
- Default VPC is the only VPC created by AWS for us per region.
Subnet : A subnet is a range of IP addresses in your VPC. They help us to partition a network. A subnet must reside in a single Availability Zone.
- There are public subnets (accessible from public internet) and private subnets (NOT accessible from public internet) .
- By default there is only one public subnet per AZ and no private subnet.
- Route tables helps us define access to Public Internet and subnet to subnet communication in VPC.
Gateway : A gateway connects your VPC to another network.
- Internet Gateway : This gateway is what makes a subnet public and hence can connect to public internet. This is done by having entry on Route table to connect the subnet to Internet Gateway.
- NAT Gateway : This AWS managed gateway connects a private subnet to services outside your VPC but external services cannot initiate a connection with those instances.
- NAT Instance : These are self managed, unlike Nat Gateway.
  - The route table associated with the private subnet sends internet traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance then sends the traffic to the internet gateway. The traffic is attributed to the public IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.
NACL : Network Access Control List (NACL) is a firewall that controls the traffic from and to a subnet.
- Can have ALLOW and DENY rules.
- Attached at subnets levels, consist of IP addresses with relevant rules.
- By default a NACL allows all inbound and outbound traffic.
- A NACL is the first layer of defense at subnet level and comes before Security Group.
Security Group : A firewall that controls flow of traffic from and to an ENI/EC2 instance.
- Can only have ALLOW rules.
- Can have IP addresses or other security groups.
- By default allows outbound and blocks all inbound traffic.
- Traffic first comes to NACL and then flows to AWS resource through Security Group as shown below,
- Difference between NACL and SG

Example

Below diagram shows a VPC has one subnet in each of the Availability Zones in the Region, EC2 instances in each subnet, and an internet gateway to allow communication between the resources in your VPC and the internet.

Flow logs

VPC Flow Log

VPC flow log captures all traffic in a VPC.
Subnet flow logs are also present in it.
Elastic Network Interface flow logs are also present in it.
Captures logs from all managed services as well.
These flow logs allow monitor & troubleshoot all connectivity issues.
They capture network information from AWS managed interfaces too.
These logs can be transported to other locations like S3, CloudWatch, Kinesis Data Firehose or tools as well.

VPC Peering

Connect two VPC in different or same AWS account privately using AWS' network.
Connecting them as if they are on same network.
Must not have overlapping CIDR IP blocks.
VPC peering is not transitive in nature, and connection must be explicitly established.

VPC Endpoints

These endpoints helps to connect to AWS services using private network instead of public network.
All AWS services are public, so this gives enhanced security and lower network latency to access AWS services.
VPC Endpoint Gateway** allows private subnets to access public AWS services without going through public network.
- They are only available for S3 and Dynamo DB AWS services.
VPC Endpoint Interface (ENI) is a requester-managed network interface that serves as an entry point for traffic destined to an endpoint service and is available for AWS services other than S3 and DynamoDB.