Amazon Web Services (VPC)

Virtual Private Cloud is a part of AWS

Uploaded by mjfinanceatoz

AWS UNIT IV Virtual Private Cloud

Amazon VPC
A virtual private cloud (VPC) is a virtual network dedicated to your AWS
account. It is logically isolated from other virtual networks in the AWS Cloud.
You can specify an IP address range for the VPC, add subnets, add gateways,
and associate security groups. A subnet is a range of IP addresses in your VPC.
Amazon VPC enables you to build a virtual network in the AWS cloud - no
VPNs, hardware, or physical datacenters required. You can define your own
network space, and control how your network and the Amazon EC2 resources
inside your network are exposed to the Internet.

VPC is a virtual network that you use to connect your virtual servers, and other
resources.
There are two launch models within EC2. They're known as EC2-Classic and
EC2-VPC. If you have account(s) opened before the end of 2013, you have
access to both EC2-Classic and EC2-VPC. Within Classic, you can launch
instances “naked”, with direct connection to the internet, without a VPC.
While there is no additional charge for creating and using an Amazon Virtual
Private Cloud (VPC) itself, you can pay for optional VPC capabilities with
usage-based charges. AWS provides features and services that give you the ability to
customize control, connectivity, monitoring, and security for your Amazon VPC.

Amazon Virtual Private Cloud (VPC) is the networking layer for Amazon
Elastic Compute Cloud (EC2). It's a virtual network that allows users to launch
AWS resources in a logically isolated environment.

Here are some features of Amazon VPC:

• IP addresses
Users can specify an IP address range for their VPC, and can use both IPv4 and
IPv6 for most resources.
• Subnets
A subnet is a range of IP addresses within a VPC, and can only exist in one
availability zone. Users can add subnets to their VPC, and launch AWS
resources into them.
• Route tables
Users can configure route tables to route traffic to and from their subnets.
• Security
Users can use security groups and network access control lists (ACLs) to control
access to instances in their VPC.
• Connectivity
Users can connect subnets to the internet, other VPCs, and their own data
centers.
Users can customize their VPC's network configuration to meet their needs,
such as creating public-facing subnets for web servers and private-facing
subnets for backend systems.

IP addressing for your VPCs and subnets


IP addresses enable resources in your VPC to communicate with each other,
and with resources over the internet.
Classless Inter-Domain Routing (CIDR) notation is a way to represent an IP
address and its network mask. The format of these addresses is as follows:
• An individual IPv4 address is 32 bits, with 4 groups of up to 3 decimal
digits. For example, 10.0.1.0.
• An IPv4 CIDR block has four groups of up to three decimal digits, 0-255,
separated by periods, followed by a slash and a number from 0 to 32. For
example, 10.0.0.0/16.
• An individual IPv6 address is 128 bits, with 8 groups of 4 hexadecimal
digits. For example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
• An IPv6 CIDR block has four groups of up to four hexadecimal digits,
separated by colons, followed by a double colon, followed by a slash and
a number from 1 to 128. For example, 2001:db8:1234:1a00::/56.

CIDR Notations in VPC


Classless Inter-Domain Routing (CIDR) notation is a method of representing IP
addresses and their network masks in a virtual private cloud (VPC):
• IPv4
An IPv4 address is 32 bits long, with four groups of up to three decimal
digits. For example, 10.0.1.0. An IPv4 CIDR block is made up of the same
format, but with a slash and a number from 0 to 32 after it. For example,
10.0.0.0/16.
• IPv6
An IPv6 address is 128 bits long, with eight groups of four hexadecimal
digits. For example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334. An IPv6 CIDR
block is made up of the same format, but with a double colon after the groups,
and a number from 1 to 128 after the slash. For example,
2001:db8:1234:1a00::/56.

A VPC must have at least one IPv4 CIDR block, but you can also add IPv6 CIDR
blocks. You can create subnets within a VPC by using a subset of the VPC's CIDR
block. The CIDR blocks of subnets cannot overlap.
To add or remove a CIDR block from a VPC, you can:
1. Select the VPC
2. Choose Actions, then Edit CIDRs
3. To add a CIDR, choose Add new IPv4 CIDR or Add new IPv6 CIDR
4. To remove a CIDR, choose Remove next to the CIDR
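As an added example (not from these notes), the following Python checks a proposed subnet plan against the rules above: every subnet must fall inside the VPC's CIDR block and no two subnets may overlap. It also applies two AWS constraints the notes do not state, which are assumptions taken from AWS documentation: an IPv4 VPC block must be between /16 and /28, and AWS reserves five addresses in every subnet.

```python
# Added example, not part of the original notes: validate a VPC subnet plan.
# Assumed AWS facts: an IPv4 VPC CIDR must be between /16 and /28, every
# subnet must lie inside the VPC block, subnets must not overlap, and AWS
# reserves the first four and the last address of each subnet.
import ipaddress

RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def usable_hosts(subnet: str) -> int:
    """Number of addresses AWS actually lets you assign in a subnet."""
    return ipaddress.ip_network(subnet).num_addresses - RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, subnets: list) -> list:
    """Return a list of problems with the plan; an empty list means it is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.version == 4 and not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC block {vpc} must be between /16 and /28")
    accepted = []
    for text in subnets:
        try:
            # strict=True rejects blocks with host bits set, e.g. 10.0.1.0/16
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: not a valid CIDR block ({exc})")
            continue
        if net.version != vpc.version:
            problems.append(f"{net} is not the same IP version as {vpc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside the VPC block {vpc}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        accepted.append(net)
    return problems
```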

Components of VPC
Amazon Virtual Private Cloud (VPC) is a virtual network environment in
the AWS cloud that isolates your AWS account. The components of an
Amazon VPC include:
• Subnets: Segments of a VPC's IP address range where you can place
groups of isolated resources
• Internet Gateway: The Amazon VPC side of a connection to the public
internet
• NAT Gateway: A managed Network Address Translation (NAT) service
that allows instances in private subnets to access the internet
• Security Groups: Act as virtual firewalls for your EC2 instances
• Network Access Control List (NACL): A stateless firewall that's used on
the subnet level
• Route tables: Each subnet has a logical construct called an Implicit
Router, and each router has a route table associated with it
• IP addressing: A set of CIDR blocks in IPv4 or IPv6 format
• VPC peering: Connects two VPCs securely over the AWS network
• Egress-only Internet Gateway: Allows outbound communication to the
internet from instances in private subnets
• VPC endpoints: Enables private connectivity to services hosted in AWS,
from within your VPC

Security in AWS VPC


Amazon VPC lets you use multiple layers of security, including security
groups and network access control lists, to help control access to Amazon
Elastic Compute Cloud (Amazon EC2) instances in each subnet.
A security group controls the traffic that is allowed to reach and leave the
resources that it is associated with. For example, after you associate a security
group with an EC2 instance, it controls the inbound and outbound traffic for
the instance. When you create a VPC, it comes with a default security group.

In AWS, VPC is an acronym for Virtual Private Cloud. A VPC is a virtual space
that you can use to launch AWS resources into virtual networks.
The virtual network is similar to a traditional on-prem data center operated
network, but it comes with all the features & benefits we now closely associate
with AWS hosting.
Because an AWS VPC is essentially moving IP traffic into and around your AWS
Regions, it's also your first line of defence. When configured correctly, a VPC
acts as an extra layer of protection - the result is a scalable, secure, logically
isolated non-public area inside your public cloud.
Amazon doesn't charge to use a VPC, but there are charges for using some elements,
e.g. NAT gateways and traffic mirroring.
Here are the key ways to create, access and manage your VPCs:
AWS Management Console: AWS' own web interface.
AWS CLI (Command Line Interface): A command-based option that supports a wide
range of AWS services on Windows, Mac, and Linux.

AWS SDKs: Language-specific APIs that take care of connection details, including
calculating signatures and error handling.
AWS Query API: Low-level API actions that you call using HTTPS requests. This is the most
direct way to access Amazon VPC, but you'll need to handle low-level details
such as signature hash generation, and error handling.
Cloud Management Tools: Powerful tools, like Hyperglance, utilize AWS' APIs to
deliver you insightful views, security monitoring, cost optimization, and best-in-
class automation options.

Types of VPC
A virtual private cloud (VPC) is a secure, isolated private cloud hosted within a
public cloud. VPC customers can run code, store data, host websites, and do
anything else they could do in an ordinary private cloud, but the private cloud
is hosted remotely by a public cloud provider.
VPC endpoints also provide you with much finer control over how users and
applications access AWS services. There are three types of VPC
endpoints: gateway load balancer endpoints, gateway endpoints, and interface
endpoints. Let's take a look at each type of endpoint and how it is used.
Here are some types of VPC components:
• Subnets
A segment of a VPC that's contained within a single availability zone. Subnets
allow users to divide their VPC into smaller network segments and control
traffic flow between them.
• VPC endpoints
Virtual devices that allow communication between instances in your VPC and
services. You can create the type of VPC endpoint that is required by the
supported service.
• NAT Gateway
A component that provides egress-only internet connectivity for the resources
associated or routed to the NAT Gateway.
• Virtual Private Gateway
A component that allows encrypted traffic to enter the VPC. It's used to access
private resources in the VPC and has extra layers of protection.
• AWS PrivateLink
An AWS service that allows direct, secure connectivity between your AWS VPCs
and other VPCs without traversing the public Internet.
• AWS VPC peering
A networking connection between two VPCs that enables you to route traffic
between them using private IPv4 addresses or IPv6 addresses.
• Elastic IP
A static, public IPv4 address that you can associate with any instance or
network interface in your VPC.
• VPC Flow Logs
A feature that helps you capture information about the IP traffic going to and
from network interfaces in your VPC.
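The flow log records below are constructed sample data in the default (version 2) field order, and the code is an added example rather than anything from the notes; it shows how REJECT records, which mean a security group or NACL blocked the traffic, can be summarised to spot a source being refused on many different ports.

```python
# Added example (not part of the original notes): summarise VPC Flow Log
# records to find connections that a security group or NACL rejected. Field
# order is the default (version 2) flow log format; the records below are
# constructed for this example, not real captures.
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51235 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51236 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40022 443 6 12 6840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 443 40022 6 10 9200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Return one flow record as a dict, or None for malformed or empty records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records describe no traffic, so skip them.
    return rec if rec["log_status"] == "OK" else None


def rejected_ports_by_source(log_text):
    """Map each source address to the set of destination ports it was refused on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            hits[rec["srcaddr"]].add(int(rec["dstport"]))
    return dict(hits)


def suspected_scanners(log_text, min_ports=3):
    """Sources rejected on at least min_ports distinct ports: worth a closer look."""
    return sorted(src for src, ports in rejected_ports_by_source(log_text).items()
                  if len(ports) >= min_ports)
```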

Subnet in VPC
A subnet is a range of IP addresses within a virtual private cloud (VPC):
• Definition
A subnet is a logical network that divides a VPC into multiple logical networks.
• Purpose
Subnets can be used to isolate resources, control access to resources, and
segment a VPC into different environments.
• Types
Subnets can be public or private, with public subnets having access to the
internet and private subnets not having access to the internet.

• Creation
In Google Cloud, you can create VPC networks in auto mode or custom
mode. In auto mode, one subnet from each region is automatically created. In
custom mode, you have complete control over the subnets and IP ranges.
Here are some other things you can do with subnets:
• Launch AWS resources, such as Amazon EC2 instances, into your subnets.
• Connect a subnet to the internet, other VPCs, and your own data
centers.
• Route traffic to and from your subnets using route tables.

What is VPC peering


A virtual private cloud (VPC) is a virtual network dedicated to your AWS
account. It is logically isolated from other virtual networks in the AWS Cloud.
You can launch AWS resources, such as Amazon EC2 instances, into your VPC.
A VPC peering connection is a networking connection between two VPCs that
enables you to route traffic between them using private IPv4 addresses or IPv6
addresses. Instances in either VPC can communicate with each other as if they
are within the same network. You can create a VPC peering connection
between your own VPCs, or with a VPC in another AWS account. The VPCs can
be in different Regions (also known as an inter-Region VPC peering connection).

AWS uses the existing infrastructure of a VPC to create a VPC peering
connection; it is neither a gateway nor a VPN connection, and does not rely on
a separate piece of physical hardware. There is no single point of failure for
communication or a bandwidth bottleneck.
A VPC peering connection helps you to facilitate the transfer of data. For
example, if you have more than one AWS account, you can peer the VPCs
across those accounts to create a file sharing network. You can also use a VPC
peering connection to allow other VPCs to access resources you have in one of
your VPCs.
When you establish peering relationships between VPCs across different AWS
Regions, resources in the VPCs (for example, EC2 instances and Lambda
functions) in different AWS Regions can communicate with each other using
private IP addresses, without using a gateway, VPN connection, or network
appliance. The traffic remains in the private IP address space. All inter-Region
traffic is encrypted with no single point of failure, or bandwidth bottleneck.
Traffic always stays on the global AWS backbone, and never traverses the public
internet, which reduces threats, such as common exploits, and DDoS attacks.
Inter-Region VPC peering provides a simple and cost-effective way to share
resources between Regions or replicate data for geographic redundancy.
Pricing for a VPC peering connection
There is no charge to create a VPC peering connection. All data transfer over a
VPC Peering connection that stays within an Availability Zone (even if it's
between different accounts) is free. Charges apply for data transfer over a VPC
Peering connections that cross Availability Zones and Regions.

VPC endpoints
A VPC endpoint enables customers to privately connect to supported AWS
services and VPC endpoint services powered by AWS PrivateLink. Amazon VPC
instances do not require public IP addresses to communicate with resources of
the service. Traffic between an Amazon VPC and a service does not leave the
Amazon network.
An endpoint is the URL of the entry point for an AWS web service. The AWS
SDKs and the AWS Command Line Interface (AWS CLI) automatically use the
default endpoint for each service in an AWS Region. But you can specify an
alternate endpoint for your API requests.
For example, let's say you have an Amazon S3 bucket that stores sensitive data.
Without a VPC endpoint, you would have to access the S3 bucket over the
internet, which can be a security risk. With a VPC endpoint, you can access the
S3 bucket directly from your VPC without ever leaving the private network.

AWS VPC Design Best Practices


Designing a Virtual Private Cloud (VPC) on Amazon Web Services (AWS) is
fundamental for organizations trying to leverage cloud infrastructure efficiently.
A VPC serves as the foundation of AWS cloud environments, giving a secure
and isolated network space where different AWS resources can be deployed.
Understanding the recommended practices for planning an AWS VPC is crucial to
ensure scalability, reliability, and security for cloud-based applications and
services. By sticking to these best practices, organizations can improve
resource usage, improve network performance, and mitigate potential
security risks.
This guide aims to explore the fundamental parts of AWS VPC
configuration, covering terminology, step-by-step processes, diagrams, and
practical examples. Through careful planning and implementation, organizations can
use the full capability of AWS VPC to create robust, high-performing
cloud architectures that meet the unique requirements of modern
organizations. Whether deploying web applications, databases, or microservices,
a well-planned AWS VPC is the foundation for a robust and agile cloud
infrastructure.

Understanding Of Primary Terminologies


• VPC (Virtual Private Cloud): A Virtual Private Cloud is a logically isolated
segment of the AWS Cloud where you can launch AWS resources in a
virtual network that closely resembles a traditional network setup. It
allows you to define a virtual network environment, including IP
address ranges, subnets, route tables, and network gateways, giving you
full control over your network configuration.
• Subnet: A Subnet is a divided part of an IP network within a VPC. It splits
the VPC’s IP address range into smaller, manageable blocks, allowing you
to organize resources and apply different network designs, for example
access control policies and routing rules, to each subnet.
• Route Table: A Route Table is a set of rules that determine how
network traffic is directed inside a VPC. It specifies the paths (or
routes) for traffic leaving or entering subnets, defining whether
traffic should be routed locally within the VPC, to an internet gateway for
external access, or to other network gateways for specific destinations.
• Internet Gateway: An Internet Gateway is a horizontally scaled, redundant
gateway that permits communication between resources inside a VPC
and the internet. It serves as the entry and exit point for internet-bound
traffic, enabling instances in public subnets to reach the internet and
allowing external users to reach resources hosted in the VPC.
• NAT Gateway: A Network Address Translation (NAT) Gateway is a
managed service that enables instances in private subnets to initiate
outbound internet traffic while maintaining security by preventing
inbound connections from the internet. It allows private instances to obtain
software updates, patches, and other external services
without exposing their private IP addresses.
• Security Group: A Security Group acts as a virtual firewall for
controlling inbound and outbound traffic to AWS resources, for example
EC2 instances, inside a VPC. It consists of inbound and outbound
rules that determine which kinds of traffic are permitted or denied
based on IP addresses, port ranges, and protocols.
• Network Access Control List (NACL): A Network Access Control List is an
optional layer of security that works at the subnet level in a VPC. It
acts as a stateless firewall, permitting you to control traffic
entering and leaving subnets based on user-defined rules. NACLs
give an extra layer of security beyond security groups, permitting you to filter
traffic based on IP addresses and protocols.
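To make the stateful/stateless difference concrete, here is an added example (not from the notes) that models the two layers in Python: security groups hold allow rules only and track connections, while NACLs are evaluated by rule number with first match wins and a final implicit deny, so a reply on an ephemeral port needs its own outbound rule. The packets, rules and the (src, dst) flow-tracking shortcut are constructed for this illustration.

```python
# Added example (not from the original notes): a small model of how the two
# VPC firewall layers evaluate packets. Assumed from the AWS docs: security
# groups hold allow rules only and are stateful (a reply to an admitted flow
# always passes); NACLs are evaluated in rule-number order, first match wins,
# end in an implicit deny, and are stateless, so replies need their own rule.
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "src dst proto port")  # port = destination port
NaclRule = namedtuple("NaclRule", "number proto port_from port_to cidr action")

def _matches(proto, lo, hi, cidr, pkt, direction):
    # Inbound rules match on the source address, outbound rules on the destination.
    remote = pkt.src if direction == "in" else pkt.dst
    return (proto in ("all", pkt.proto) and lo <= pkt.port <= hi
            and ipaddress.ip_address(remote) in ipaddress.ip_network(cidr))

def nacl_allows(rules, pkt, direction):
    """Stateless: lowest rule number first, first match decides, default deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.proto, r.port_from, r.port_to, r.cidr, pkt, direction):
            return r.action == "allow"
    return False

def sg_allows(allow_rules, pkt, direction, flows):
    """Stateful: passes if an allow rule matches or the packet answers a tracked
    flow (tracking by (src, dst) pair is a simplification of AWS's tracking)."""
    if (pkt.dst, pkt.src) in flows:
        return True
    if any(_matches(p, lo, hi, cidr, pkt, direction) for p, lo, hi, cidr in allow_rules):
        flows.add((pkt.src, pkt.dst))
        return True
    return False

# Web subnet: HTTPS allowed in; the "broken" outbound NACL lacks the ephemeral range.
SG_IN = [("tcp", 443, 443, "0.0.0.0/0")]
SG_OUT = []  # deliberately empty: the reply still passes because of state
NACL_IN = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

def demo():
    request = Packet("203.0.113.10", "10.0.1.25", "tcp", 443)  # client -> server
    reply = Packet("10.0.1.25", "203.0.113.10", "tcp", 51234)  # server -> client
    flows = set()
    return {
        "sg_request": sg_allows(SG_IN, request, "in", flows),
        "sg_reply": sg_allows(SG_OUT, reply, "out", flows),
        "nacl_request": nacl_allows(NACL_IN, request, "in"),
        "nacl_reply_broken": nacl_allows(NACL_OUT_BROKEN, reply, "out"),
        "nacl_reply_fixed": nacl_allows(NACL_OUT_FIXED, reply, "out"),
    }
```

The "broken" case is the classic NACL mistake: the inbound HTTPS request is admitted but the server's reply on port 51234 is dropped until rule 110 opens the ephemeral range outbound.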
