VPC (Virtual Private Cloud)
Amazon VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
More Information
Key Conceptsโ
- VPC: a virtual network dedicated to your AWS account, logically isolated from other virtual networks
- Subnet: a range of IP addresses in your VPC
- Route Table: a set of rules (routes) that determine where network traffic is directed
- Internet Gateway: a gateway that enables communication between your VPC and the internet
- NAT Gateway: a gateway that allows instances in a private subnet to connect to the internet while preventing the internet from initiating connections with those instances
Subnetsโ
- A subnet resides in a single Availability Zone
- A subnet can be public (traffic routed to an Internet Gateway) or private (no direct route to the internet)
- Each subnet must be associated with a route table
- AWS reserves the first four and the last IP address in each subnet CIDR block
Internet Gatewayโ
- Horizontally scaled, redundant, and highly available
- Allows communication between instances in a VPC and the internet
- Only one Internet Gateway can be attached to a VPC at a time
- Instances must have a public IP or Elastic IP to communicate through the Internet Gateway
NAT Gatewayโ
- Enables instances in a private subnet to connect to the internet or other AWS services
- Prevents the internet from initiating connections with those instances
- Must be created in a public subnet
- Must be associated with an Elastic IP address
- Not supported for IPv6 traffic (use an egress-only Internet Gateway instead)
Route Tablesโ
- Each VPC has a main route table that is automatically created
- Each subnet must be associated with a route table (uses the main route table by default)
- A route table contains a set of rules (routes) that determine where network traffic is directed
- The most specific route that matches the traffic is used
Security Groupsโ
- Act as a virtual firewall at the instance level
- Control inbound and outbound traffic
- Stateful: if an inbound rule allows traffic in, the response is automatically allowed out
- By default, all inbound traffic is denied and all outbound traffic is allowed
- You can specify allow rules but not deny rules
Network ACLsโ
- Act as a virtual firewall at the subnet level
- Control inbound and outbound traffic for all instances in the associated subnet
- Stateless: return traffic must be explicitly allowed by rules
- Rules are evaluated in order, starting with the lowest numbered rule
- You can specify both allow and deny rules
- Each VPC has a default Network ACL that allows all inbound and outbound traffic
VPC Peeringโ
- A networking connection between two VPCs that enables routing traffic between them using private IP addresses
- Instances in either VPC can communicate as if they are within the same network
- Can be created between VPCs in different accounts and different regions
- CIDR blocks of peered VPCs cannot overlap
- VPC peering is not transitive (VPC A peered with VPC B, and VPC B peered with VPC C, does not mean VPC A can communicate with VPC C)
VPC Flow Logsโ
- Capture information about the IP traffic going to and from network interfaces in a VPC
- Can be created at three levels: VPC, subnet, or network interface
- Flow log data can be published to Amazon CloudWatch Logs or Amazon S3
- Useful for diagnosing security group rules, monitoring traffic, and troubleshooting connectivity issues
More Information