AWS Networking - VPC Summary
VPC stands for Virtual Private Cloud. A VPC lets you build your own private network in the AWS Cloud: by creating a VPC you define an isolated network. That private network is the starting point of a robust, secure, reliable and fast infrastructure.
Isolated Network Blast Radius
Let's say something happens in VPC-A, such as a malware infection or an attack. When your networks are isolated, the other VPCs are not affected by the issue in VPC-A. Isolation decreases your blast radius.
VPC and Subnets
If you have a fresh AWS account, a default VPC is created for you. The properties of the default VPC are as follows:
- 172.31.0.0/16, with a /20 subnet in each AZ and auto-assign public IP enabled.
- An Internet Gateway, a configured main route table and a DHCP option set.
- NACL: allow all inbound and outbound. Security group: allow all traffic from itself (ingress) and allow all egress.
A VPC has some limitations: for IPv4 the largest CIDR block is /16 and the smallest is /28, while for IPv6 the maximum is /56.
A VPC is a software-defined network, but these definitions still affect hardware such as routers, gateways and firewalls. AWS offers two tenancy options for the underlying network devices.
Default: shared network. The underlying devices are shared with other tenants. This setting can be changed after creation.
Dedicated: locks this VPC to dedicated hardware and cannot be changed later.
In addition to the limitations above, when designing a corporate network you must ensure that your IP ranges do not overlap with those of other accounts and partners.
VPC Routes
To deliver packets from one subnet to another, or to the internet, we need routing.
- The Internet Gateway has a public IP and performs static (1:1) NAT: it translates private IP addresses to public IPs.
- The route table configures the VPC router. It supports route propagation over BGP when you have a Direct Connect or VPN connection.
- A route table is associated with subnets. The most specific prefix in the route table takes priority.
VPC Security
AWS offers several services that operate at different network layers.
NACL - Layer 4
- Controls traffic across subnets. It consists of a list of rules.
- Affects only traffic crossing the subnet boundary.
- Rules explicitly allow or deny traffic by protocol, IP range and port, for both source and destination.
- Rules are processed in number order, lowest first. When a match is found, processing stops.
- The * rule is the default. It is processed last and is an implicit deny.
- NACLs are stateless, so you must add matching ingress and egress rules, including the ephemeral port range for return traffic.
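As an added illustration (not code from the original post), the following Python model reproduces the NACL evaluation rules listed above: lowest rule number first, stop at the first match, an implicit deny when nothing matches, and the stateless requirement for an egress rule covering the client's ephemeral port. The rule numbers, CIDRs and ports are constructed sample values, not taken from any real account.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str        # remote CIDR: source for ingress, destination for egress
    port_from: int
    port_to: int


def evaluate(rules, protocol, remote_ip, port):
    """Return (rule_number, action) of the first matching rule.
    Mirrors NACL semantics: ascending rule number, stop at the first match,
    and the catch-all '*' rule (reported as number None) denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.number, r.action
    return None, "deny"


# Constructed example: a subnet hosting a web server reached from the internet.
INGRESS = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),         # HTTPS in
    Rule(110, "deny", "tcp", "203.0.113.0/24", 1, 65535),      # rule 100 wins for port 443
]
EGRESS_BROKEN = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),         # no rule for reply packets
]
EGRESS_FIXED = EGRESS_BROKEN + [
    Rule(120, "allow", "tcp", "0.0.0.0/0", 1024, 65535),      # replies to ephemeral ports
]


def https_session_allowed(egress_rules, client_ip, client_port):
    """A TCP session must pass the stateless NACL in both directions: the
    request (ingress, dst port 443) and the reply (egress, dst = client's
    ephemeral port). Missing either rule breaks the connection."""
    _, inbound = evaluate(INGRESS, "tcp", client_ip, 443)
    _, outbound = evaluate(egress_rules, "tcp", client_ip, client_port)
    return inbound == "allow" and outbound == "allow"
```

Running the same client through EGRESS_BROKEN and EGRESS_FIXED shows why a forgotten ephemeral-port egress rule silently drops established sessions even though the inbound rule looks correct.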
Security Groups - Layer 5
- Think of them as firewall rules. Thanks to their Layer 5 capabilities they keep track of the session, which means you have a stateful firewall.
- Security groups can be associated with AWS resources such as an EC2 instance or an EFS mount target. You can associate one with any resource that has an ENI.
- A security group cannot deny traffic explicitly; you only add allowed sources and protocols. If you need an explicit deny, use a NACL.
NAT Gateway
If instances or resources inside a VPC don't need inbound internet access, don't give them a public IPv4 address; the IPv4 pool is out of space. Use a NAT Gateway instead.
A NAT Gateway is used to reach the public internet from a private network through a static IP address. It handles egress traffic and is suited to resources in your private subnets.
A NAT Gateway runs in a subnet, and a subnet lives in one AZ. You may provision a NAT Gateway for each subnet and create a route table for each subnet that points to its NAT Gateway. By doing so your system becomes resilient and highly available.
Cross VPC Access
VPC offers the ability to access or communicate across your own VPCs or third-party VPCs. I mentioned earlier the requirement to keep VPCs isolated.
If you want to consume a third-party service built in AWS without going over the public internet, the only thing you need is AWS PrivateLink. That will be covered in another post.