9
Jan
Amazon VPC: Deep dive
Depending on your current network designs and requisites, Amazon VPC offers a variety of network connectivity alternatives. These connectivity alternatives encompass using the internet or an AWS Direct Connect connection as the core network and removing the connection in either AWS or user-managed network endpoints. Furthermore, with AWS, you can choose how network routing is distributed between Amazon VPC and your networks, utilizing either AWS or user-managed network equipment and routes.
Amazon VPC (Virtual Private Cloud) enables users to initiate AWS resources within the user-defined virtual network. Each VPC you create is fully customizable and logically isolated from other virtual networks in the AWS cloud. You can configure the IP address range, create subnets, configure root tables, customize network gateways, and define security settings with security groups and network access control lists. Other AWS resources, such as Amazon EC2 instances, can be launched using VPC. This virtual network resembles a traditional network that a user might have in their own data center but enables you to leverage the scalable infrastructure in AWS. You can connect your on-premises resources to AWS infrastructure using Amazon VPC.
Default Amazon VPC #
Also every Amazon account comes with a default VPC that is pre-configured and ready for use right away. A VPC can cover various availability zones in a region. When you’re testing AWS, the default VPC is perfect for launching new instances, but developing a custom VPC allows you to:
- Make things safer
- Personalize your virtual network by defining your own IP address range
- Develop private and public subnets
- Toughen security settings
Hardware VPN Access #
Instances launched into an Amazon VPC cannot interact with your network by default. You can use hardware VPN access to link your VPCs to your current data center. You can efficiently broaden your data center into the cloud and develop a modified environment in this manner. You’ll have to establish up a virtual private gateway to accomplish this. On the Amazon end of the VPN connection, there is a VPN concentrator. A customer gateway, that is either a physical device or a software application that resides on the customer end of the VPN connection, is required for your data center. When you establish a VPN connection, a VPN tunnel is created when traffic is generated on the customer’s side of the connection.
VPC Peering #
Peering connections can be established between your own VPCs or with VPCs in another AWS account, as long as they are in the same region. If you have instances in VPC A, they will be unable to interact with instances in VPC B or C until a peering connection is established. Peering is a one-to-one connection; a VPC may have various peering connections to other VPCs, but syntactic peering is not allowed. In other words, VPC A can interact to VPCs B and C in the illustration below, but C cannot interact with B until they are directly paired.
VPC A — — — — — — — — — — — — — -> VPC B — — — — — — — — — — — — — -> VPC C
Furthermore, VPCs with intersecting Classless interdomain routing (CIDRs) cannot be paired. All VPCs with varying IP ranges can be paired, but if they have the identical IP address, they cannot. AWS VPC peering offers a reliable safe, and dependable connection between VPCs, allowing for better control and resource sharing. Contingent on how your VPCs are set up, you may want to integrate such an architecture into your environment. AWS provides some peering simulations that are certainly worth discovering.
Terminologies of Amazon VPC #
VPC can also be considered of as an Amazon EC2 networking layer that is geared to the user’s AWS account. Terms associated with Amazon VPC include:
- Subnet: A range of IP addresses intended for use by VPC. AWS resources can be initiated in different subnets. Public subnets are used for resources that must stay linked to the Internet whereas private subnets are utilized for resources that will not be connected to the Internet Various levels of security are made available to guarantee the safety of the AWS resources existing in each subnet. Security groups and network access control lists (NACL) are examples.
- Route table: It encompasses a series of guidelines or rules known as routes that are used to ascertain where network traffic is focused.
- Internet gateway: It is a laterally scaled, redundant, and easily deployable element of the VPC that aids in interaction among VPC instances and the internet.
- VPC endpoint: It allows the user to link the VPC confidentially to AWS resources that permit it — and to VPC endpoint services, which are propelled by PrivateLink and allow this interaction to happen without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connection. The VPC instances do not require a public IP address to interact with the service’s resources. The traffic flowing between the VPC and the other services would remain within the Amazon network.
Features of Amazon VPC #
- Static IPV4 addresses can be allocated to user instances that exist between a start and a stop.
- An IPV6 CIDR block can alternatively be linked with the user’s VPC.
- The user’s instance can be assigned an IPV6 address.
- A user’s instance can have numerous IP addresses assigned to it.
- Network interfaces can be classified, and these (single or multiple interfaces) can be connected to the user’s instance.
- When the user’s instance is operating, the security group membership can be altered.
- In particular with respect to regulating inbound traffic to the instances (which is already controlled), egress filtration can be used to regulate outgoing traffic from the user’s instance.
- Users’ instances can be configured to operate on single-tenant hardware.
- NACLs (network access control lists) can be employed to incorporate an additional layer of access control to the instances.
Accessing Amazon VPC #
Amazon VPC can be created, accessed, and controlled using any of the following interfaces:
- AWS Management Console: It offers a web interface for accessing VPCs.
- AWS Command Line Interface (AWS CLI): It aids in the utilization of commands for numerous AWS services, including AWS VPC. It is compatible with Windows, MacOS, and Linux.
- AWS SDK: It also offers language-specific APIs, which take care of granular linkage details such as (but not restricted to) evaluating signatures, demand retries handling, and error handling
- Query API: It offers low API actions that can be invoked by the user with the assistance of HTTPS requests The Query API provides full access to Amazon VPC, but it demands the application to manage low-level specifics such as hash generation, which is required to sign the request, and error handling.
Conclusion #
Amazon VPC provides a variety of tools that offer you greater influence over your AWS infrastructure. You can classify your own network topology inside a VPC by specifying subnets and routing tables, and you can limit access at the subnet and resource levels using network ACLs and VPC security groups. You can use a VPN to dissociate your resources from the Internet and link them to your own data center. You can assign elastic IP addresses to some instances and connect them to the public Internet through an Internet gateway, while keeping the rest of your infrastructure in private subnets. VPC makes it easier to protect your AWS resources while you keep the benefits of AWS with regards to flexibility, scalability, elasticity, performance, availability, and the pay-as-you-use pricing model.
