Amazon VPC: Deep dive

Depending on your current network design and requirements, Amazon VPC offers a variety of network connectivity options. These options include using the internet or an AWS Direct Connect connection as the underlying network, and terminating the connection at either AWS-managed or user-managed network endpoints. Furthermore, with AWS you can choose how network routing is distributed between Amazon VPC and your networks, using either AWS-managed or user-managed network equipment and routes.

Amazon VPC (Virtual Private Cloud) lets you launch AWS resources within a virtual network that you define. Each VPC you create is fully customizable and logically isolated from other virtual networks in the AWS cloud. You can configure the IP address range, create subnets, configure route tables, customize network gateways, and define security settings with security groups and network access control lists. Other AWS resources, such as Amazon EC2 instances, can be launched into a VPC. This virtual network resembles a traditional network that you might operate in your own data center, but lets you take advantage of the scalable infrastructure of AWS. You can also connect your on-premises resources to your AWS infrastructure using Amazon VPC.

Default Amazon VPC #

Every AWS account comes with a default VPC that is pre-configured and ready to use right away. A VPC can span multiple Availability Zones within a region. When you are evaluating AWS, the default VPC is fine for launching new instances, but building a custom VPC allows you to:

  • Improve security
  • Personalize your virtual network by defining your own IP address range
  • Create private and public subnets
  • Harden security settings

Hardware VPN Access #

Instances launched into an Amazon VPC cannot communicate with your on-premises network by default. You can use hardware VPN access to link your VPCs to your existing data center, effectively extending your data center into the cloud and creating a hybrid environment. To do this you must set up a virtual private gateway, which is the VPN concentrator on the Amazon side of the VPN connection. On your side you need a customer gateway: either a physical device or a software application that sits at the customer end of the VPN connection. Once the VPN connection is established, the VPN tunnel comes up when traffic is generated from the customer side of the connection.
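The sequence above (customer gateway, virtual private gateway attached to the VPC, VPN connection, and a route so the VPC knows to send on-premises traffic into the tunnel) expressed as EC2 API calls. This is an added example, not code from the article or from AWS. It assumes a boto3-style EC2 client (`create_customer_gateway`, `create_vpn_gateway`, `attach_vpn_gateway`, `create_vpn_connection`, `create_vpn_connection_route`, `enable_vgw_route_propagation`); the `FakeEC2` stand-in lets it run offline, and every ID, address and ASN below is a constructed placeholder.

```python
"""Build the Site-to-Site VPN components through the EC2 API.

`ec2` is any object exposing the boto3 EC2 client methods used here; a real
`boto3.client("ec2")` works, and `FakeEC2` records the calls offline.
All IDs, IPs and ASNs in this file are constructed placeholders.
"""
from typing import Any


def build_site_to_site_vpn(ec2: Any, vpc_id: str, route_table_id: str,
                           customer_public_ip: str, customer_asn: int,
                           on_prem_cidr: str) -> dict:
    # 1. Customer gateway: describes the VPN device on the data-center side.
    cgw = ec2.create_customer_gateway(
        Type="ipsec.1", PublicIp=customer_public_ip, BgpAsn=customer_asn
    )["CustomerGateway"]["CustomerGatewayId"]

    # 2. Virtual private gateway: the VPN concentrator on the AWS side,
    #    attached to the VPC that should be reachable from on-premises.
    vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw, VpcId=vpc_id)

    # 3. The VPN connection between the two gateways. Static routing keeps
    #    the example simple; BGP would let the on-premises side advertise routes.
    vpn = ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw,
        Options={"StaticRoutesOnly": True},
    )["VpnConnection"]["VpnConnectionId"]
    ec2.create_vpn_connection_route(VpnConnectionId=vpn,
                                    DestinationCidrBlock=on_prem_cidr)

    # 4. Propagate the on-premises prefix into the VPC route table via the VGW,
    #    so instances send that traffic into the tunnel instead of dropping it.
    ec2.enable_vgw_route_propagation(RouteTableId=route_table_id, GatewayId=vgw)
    return {"customer_gateway": cgw, "vpn_gateway": vgw, "vpn_connection": vpn}


class FakeEC2:
    """Minimal offline stand-in for the boto3 EC2 client; records each call."""

    def __init__(self):
        self.calls = []

    def _record(self, name, **kw):
        self.calls.append((name, kw))

    def create_customer_gateway(self, **kw):
        self._record("create_customer_gateway", **kw)
        return {"CustomerGateway": {"CustomerGatewayId": "cgw-0placeholder0001"}}

    def create_vpn_gateway(self, **kw):
        self._record("create_vpn_gateway", **kw)
        return {"VpnGateway": {"VpnGatewayId": "vgw-0placeholder0002"}}

    def attach_vpn_gateway(self, **kw):
        self._record("attach_vpn_gateway", **kw)
        return {}

    def create_vpn_connection(self, **kw):
        self._record("create_vpn_connection", **kw)
        return {"VpnConnection": {"VpnConnectionId": "vpn-0placeholder0003"}}

    def create_vpn_connection_route(self, **kw):
        self._record("create_vpn_connection_route", **kw)
        return {}

    def enable_vgw_route_propagation(self, **kw):
        self._record("enable_vgw_route_propagation", **kw)
        return {}


if __name__ == "__main__":
    fake = FakeEC2()
    ids = build_site_to_site_vpn(fake, "vpc-0placeholder", "rtb-0placeholder",
                                 "203.0.113.12", 65000, "192.168.0.0/16")
    for name, kw in fake.calls:
        print(name, kw)
    print(ids)
```

Replace `FakeEC2()` with `boto3.client("ec2")` and the placeholders with your own VPC, route table, customer gateway IP and on-premises CIDR to run it for real; the call order is the dependency order, since the VPN connection needs both gateway IDs.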

VPC Peering #

Peering connections can be established between your own VPCs or with VPCs in another AWS account, as long as they are in the same region. Instances in VPC A cannot communicate with instances in VPC B or C until a peering connection is established. Peering is a one-to-one relationship: a VPC may have several peering connections to other VPCs, but transitive peering is not supported. In other words, in the illustration below VPC A can communicate with VPCs B and C, but C cannot communicate with B until the two are peered directly.

VPC B <----- peering -----> VPC A <----- peering -----> VPC C
           (no peering, and no traffic, between VPC B and VPC C)

Furthermore, VPCs with overlapping Classless Inter-Domain Routing (CIDR) blocks cannot be peered. VPCs with distinct IP ranges can be peered, but if their address ranges overlap they cannot. AWS VPC peering offers a reliable, secure connection between VPCs, allowing better control and resource sharing. Depending on how your VPCs are set up, you may want to integrate such an architecture into your environment. AWS provides several peering scenarios that are well worth studying.
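The three peering constraints from this section (same region, non-overlapping CIDR blocks, no transitive reachability) as a small model you can run against a proposed topology. This is an added example, not the article's or AWS's own code; the VPC names, regions and CIDR blocks are constructed, and the same-region rule is encoded exactly as the text states it.

```python
"""Model of VPC peering constraints: point-to-point, same region, no
overlapping CIDRs, and never transitive. VPC names/regions/CIDRs are constructed."""
import ipaddress
from collections import defaultdict


class PeeringModel:
    def __init__(self):
        self.vpcs = {}                   # name -> (region, IPv4Network)
        self.peers = defaultdict(set)    # name -> set of directly peered names

    def add_vpc(self, name, region, cidr):
        self.vpcs[name] = (region, ipaddress.ip_network(cidr, strict=True))

    def can_peer(self, a, b):
        """Return (allowed, reason) for a prospective peering a <-> b."""
        if a == b:
            return False, "a VPC cannot peer with itself"
        region_a, net_a = self.vpcs[a]
        region_b, net_b = self.vpcs[b]
        if region_a != region_b:
            return False, f"{a} is in {region_a} but {b} is in {region_b}"
        if net_a.overlaps(net_b):
            # Overlap is rejected because route tables could not tell the two apart.
            return False, f"CIDR blocks {net_a} and {net_b} overlap"
        return True, "ok"

    def peer(self, a, b):
        allowed, reason = self.can_peer(a, b)
        if not allowed:
            raise ValueError(f"cannot peer {a} with {b}: {reason}")
        self.peers[a].add(b)
        self.peers[b].add(a)

    def can_reach(self, src, dst):
        """Traffic flows only across a direct peering; a shared peer does
        not forward between its other peers (no transitive path)."""
        return dst in self.peers[src]

    def transitive_gaps(self):
        """Pairs that share a peer but are not peered themselves: the
        B/C situation in the diagram above. Useful as a review check."""
        gaps = set()
        for spokes in self.peers.values():
            for x in spokes:
                for y in spokes:
                    if x < y and not self.can_reach(x, y):
                        gaps.add((x, y))
        return sorted(gaps)


def build_example():
    m = PeeringModel()
    m.add_vpc("A", "us-east-1", "10.0.0.0/16")
    m.add_vpc("B", "us-east-1", "10.1.0.0/16")
    m.add_vpc("C", "us-east-1", "10.2.0.0/16")
    m.add_vpc("D", "us-east-1", "10.0.128.0/17")   # overlaps A: cannot peer
    m.add_vpc("E", "eu-west-1", "10.3.0.0/16")     # other region: cannot peer
    m.peer("A", "B")
    m.peer("A", "C")
    return m


if __name__ == "__main__":
    model = build_example()
    print("A -> B:", model.can_reach("A", "B"))
    print("C -> B:", model.can_reach("C", "B"))
    print("A <-> D:", model.can_peer("A", "D"))
    print("A <-> E:", model.can_peer("A", "E"))
    print("pairs with no direct peering:", model.transitive_gaps())
```

`transitive_gaps()` is the check worth keeping: when a hub VPC accumulates peerings, it lists the spoke pairs that people often assume can talk to each other but cannot.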

Terminology of Amazon VPC #

A VPC can also be thought of as the Amazon EC2 networking layer that is dedicated to your AWS account. Terms associated with Amazon VPC include:

  • Subnet: A range of IP addresses within the VPC. AWS resources can be launched into different subnets. Public subnets are used for resources that must be reachable from the Internet, whereas private subnets are used for resources that will not be connected to the Internet. Several layers of security are available to protect the AWS resources in each subnet; security groups and network access control lists (NACLs) are examples.
  • Route table: A set of rules, known as routes, that determine where network traffic is directed.
  • Internet gateway: A horizontally scaled, redundant, and highly available VPC component that enables communication between instances in the VPC and the internet.
  • VPC endpoint: Lets you privately connect the VPC to supported AWS services and to VPC endpoint services powered by PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in the VPC do not need a public IP address to communicate with the service's resources, and traffic between the VPC and the other service stays within the Amazon network.
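How the components just listed fit together at lookup time: a route table matches a destination address against its routes and the most specific one wins, which is what makes a subnet "public" (it has a default route to an internet gateway) or "private" (it does not). This is an added example, not code from the article or from AWS; the gateway and endpoint IDs are placeholders and the endpoint prefix list is constructed.

```python
"""Route-table lookup for a VPC. IDs are placeholders; the prefix list is constructed."""
import ipaddress


class RouteTable:
    """Each route maps a destination (a CIDR, or a prefix list of CIDRs as a
    gateway endpoint installs) to a target; the longest matching prefix wins.
    The VPC's own CIDR always maps to the implicit 'local' target."""

    def __init__(self, vpc_cidr, routes=()):
        self._entries = [(ipaddress.ip_network(vpc_cidr), "local")]
        for destination, target in routes:
            self.add_route(destination, target)

    def add_route(self, destination, target):
        cidrs = destination if isinstance(destination, (list, tuple)) else [destination]
        for cidr in cidrs:
            self._entries.append((ipaddress.ip_network(cidr), target))

    def lookup(self, dst_ip):
        """Return the target for dst_ip, or None when nothing matches: the
        packet is dropped, since there is no implicit default route."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, target) for net, target in self._entries if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


VPC_CIDR = "10.0.0.0/16"
# Constructed stand-in for the prefix list a gateway endpoint would install.
SERVICE_PREFIX_LIST = ["198.51.100.0/24", "203.0.113.0/24"]

# Public subnet: default route to the internet gateway.
PUBLIC_RT = RouteTable(VPC_CIDR, [("0.0.0.0/0", "igw-PLACEHOLDER")])

# Private subnet: on-premises prefix via the virtual private gateway and an
# endpoint for one AWS service, but no route to the internet at all.
PRIVATE_RT = RouteTable(VPC_CIDR, [
    ("192.168.0.0/16", "vgw-PLACEHOLDER"),
    (SERVICE_PREFIX_LIST, "vpce-PLACEHOLDER"),
])


def describe(rt, dst_ip):
    target = rt.lookup(dst_ip)
    return f"{dst_ip} -> {target or 'no route (dropped)'}"


if __name__ == "__main__":
    for ip in ("10.0.1.10", "192.168.5.5", "198.51.100.7", "192.0.2.1"):
        print("public :", describe(PUBLIC_RT, ip))
        print("private:", describe(PRIVATE_RT, ip))
```

The private table is the interesting one from a security standpoint: the service traffic reaches the endpoint target without ever needing an internet gateway, and any other external destination simply has no route.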

Features of Amazon VPC #

  • Static IPv4 addresses can be assigned to your instances and persist across a stop and start.
  • An IPv6 CIDR block can additionally be associated with your VPC.
  • Your instances can be assigned IPv6 addresses.
  • An instance can have multiple IP addresses assigned to it.
  • Network interfaces can be defined, and one or more of them can be attached to an instance.
  • The security group membership of an instance can be changed while it is running.
  • In addition to controlling inbound traffic to instances (which is already supported), egress filtering can be used to control outbound traffic from your instances.
  • Your instances can be configured to run on single-tenant hardware.
  • NACLs (network access control lists) can be used to add an additional layer of access control to the instances.
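The last three bullets (egress filtering, security groups, NACLs as an additional layer) differ in a way that matters in practice: a security group is stateful and allow-only, while a NACL is stateless, ordered by rule number, and can deny. The model below evaluates one TCP session against both, including the common failure where a NACL lacks the outbound rule for the client's ephemeral port. This is an added example, not code from the article or from AWS; the rules and addresses are constructed.

```python
"""Security groups vs. network ACLs, modelled the way the VPC data plane
evaluates them. Sample rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound"
    protocol: str           # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may "deny"; security groups are allow-only
    number: int = 0         # NACL evaluation order; ignored by security groups

    def matches(self, direction, protocol, port, ip):
        return (self.direction == direction
                and self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful and allow-only: if any rule permits a flow, the return
    traffic for that flow is permitted automatically."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, direction, protocol, port, ip):
        return any(r.matches(direction, protocol, port, ip) for r in self.rules)


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the
    rules in ascending rule-number order; the first match decides, and a
    packet matching no rule is denied (the implicit '*' rule)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, direction, protocol, port, ip):
        for r in self.rules:
            if r.matches(direction, protocol, port, ip):
                return r.action == "allow"
        return False


def tcp_session_allowed(sg, nacl, client_ip, client_port, server_port):
    """Can client_ip:client_port complete a TCP session to server_port on an
    instance protected by both sg and nacl?"""
    request_ok = (nacl.permits("inbound", "tcp", server_port, client_ip)
                  and sg.permits("inbound", "tcp", server_port, client_ip))
    # Security group: the reply is implied by the allowed request.
    # NACL: the reply to the client's ephemeral port needs its own outbound rule.
    reply_ok = nacl.permits("outbound", "tcp", client_port, client_ip)
    return request_ok and reply_ok


# Constructed policy: HTTPS from anywhere, one abusive /24 blocked at the NACL
# (a security group cannot express a deny, so the NACL is the place for it).
WEB_SG = SecurityGroup([Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")])
GOOD_NACL = NetworkAcl([
    Rule("inbound", "tcp", 443, 443, "198.51.100.0/24", "deny", number=90),
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", "allow", number=100),
    Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow", number=100),
])
# Same NACL without the outbound ephemeral-port rule: a frequent misconfiguration.
BROKEN_NACL = NetworkAcl(GOOD_NACL.rules[:2])


if __name__ == "__main__":
    print("normal client :", tcp_session_allowed(WEB_SG, GOOD_NACL, "203.0.113.5", 51234, 443))
    print("blocked /24   :", tcp_session_allowed(WEB_SG, GOOD_NACL, "198.51.100.9", 51234, 443))
    print("missing egress:", tcp_session_allowed(WEB_SG, BROKEN_NACL, "203.0.113.5", 51234, 443))
```

The broken case is the one to remember when troubleshooting: the SYN is accepted by both layers, yet the session never completes because the stateless NACL drops the SYN-ACK leaving the instance.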

Accessing Amazon VPC #

Amazon VPC can be created, accessed, and managed through any of the following interfaces:

  • AWS Management Console: A web interface for working with VPCs.
  • AWS Command Line Interface (AWS CLI): Provides commands for a broad set of AWS services, including Amazon VPC. It is supported on Windows, macOS, and Linux.
  • AWS SDKs: Provide language-specific APIs that take care of low-level connection details such as (but not limited to) calculating signatures, handling request retries, and error handling.
  • Query API: Provides low-level API actions that you invoke using HTTPS requests. The Query API gives full access to Amazon VPC, but it requires your application to handle low-level details such as generating the hash used to sign the request, and error handling.
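What "generating the hash used to sign the request" involves when you call the Query API directly, which the SDKs and CLI otherwise hide: AWS Signature Version 4 canonicalises the request, hashes it with SHA-256, and signs that hash with an HMAC key derived from the secret key, date, region and service. This is an added example written from the public SigV4 description, not code from the article or from AWS; the access key and secret are non-functional placeholders and the timestamp is fixed so the output is reproducible.

```python
"""Signature Version 4 signing for a Query API GET, e.g. DescribeVpcs.
Credentials are non-functional placeholders; the timestamp is fixed."""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The derived key is scoped to one day, region and service, so a leaked
    signing key is far less valuable than the long-term secret."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query_string(params: dict) -> str:
    # Parameters sorted by name, names and values URI-encoded (RFC 3986 unreserved set kept).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def sign_query_request(access_key, secret_key, region, service, host, params,
                       amz_date, payload=b""):
    """Return the signed GET request: URL, headers, and the signature."""
    date_stamp = amz_date[:8]                               # YYYYMMDD
    headers = {"host": host, "x-amz-date": amz_date}
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    # Canonical request: method, path, query, headers, signed header list, payload hash.
    canonical_request = "\n".join([
        "GET", "/", canonical_query_string(params),
        canonical_headers, signed_headers, _sha256_hex(payload),
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{host}/?{canonical_query_string(params)}",
            "headers": headers, "signature": signature}


# Placeholder (non-functional) credentials; a real client reads them from its
# credential provider and uses the current UTC time for x-amz-date.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AMZ_DATE = "20240101T000000Z"


def describe_vpcs_request(region="us-east-1"):
    """Signed DescribeVpcs call against the EC2 Query API endpoint for `region`."""
    return sign_query_request(ACCESS_KEY, SECRET_KEY, region, "ec2",
                              f"ec2.{region}.amazonaws.com",
                              {"Action": "DescribeVpcs", "Version": "2016-11-15"},
                              AMZ_DATE)


if __name__ == "__main__":
    req = describe_vpcs_request()
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

Because the date, region and service are folded into both the signing key and the credential scope, a captured signed request cannot be replayed against another region or service, and the `x-amz-date` header lets the service reject stale requests.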

Conclusion #

Amazon VPC provides a variety of tools that give you greater control over your AWS infrastructure. You can define your own network topology inside a VPC by specifying subnets and route tables, and you can limit access at the subnet and resource levels using network ACLs and VPC security groups. You can use a VPN to isolate your resources from the Internet and link them to your own data center. You can assign Elastic IP addresses to some instances and connect them to the public Internet through an Internet gateway, while keeping the rest of your infrastructure in private subnets. VPC makes it easier to protect your AWS resources while retaining the benefits of AWS with regard to flexibility, scalability, elasticity, performance, availability, and the pay-as-you-use pricing model.