Definition

Its a service that provides a logically isolated section of AWS Cloud where you can launch
AWS resources in a virtual network that you define. It is your own private network in AWS
where you can place EC2 instances and ELBs

It can have multiple types of gateways for multiple types of resources all in the same VPC,
but different subnets.

VPC Components

Route tables
Implicit router that routes all traffic in the VPC (default router) = all traffic that is for its
CIDR IP address range to be router locally
“Any traffic that goes to destination should be routed through target.”
A target can be:
Specific instance ID
Elastic network interface ID
Internet Gateway
Virtual private gateway
Classless Inter-Domain Routing (CIDR) notation
Primary CIDR block:
non overlapping IP address ranges
Ranges defined in RFC1918 (This standard exists to prevent potential IP collisions
between resources in your private network, and public resources that might be
available on the internet
IPv4 address only between /16 and /28 (16 –65,536 IP addresses) Optional - IPv6
CIDR fixed prefix length of /56, assigned from the pool of IPv6 addresses from AWS
Add up to 4 secondary CIDR blocks

x.x.x.x is an IP address. An IPv4 IP address is a 32 bit number that is represented as

four numbers, which are separated by periods. Therefore, each x is an 8-bit number (a
byte) that can have a value in the range 0-255. The IP address is logically divided into a
network prefix and a host identifier, which identify the network and the host within the
network, respectively.
/n specifies the length in bits of the network prefix portion of the IP address (starting
from the leftmost bit). For an IPv4 IP address, the value of n can be in the range 0–32.
 In a VPC, the value of n is restricted to 16–28. n larger <=> the smaller the range size,
smaller number of usable IP addresses.

Subnet
Definition
A range of IP addresses, either public or private for grouping resources inside a VPC.

#packet = unit of data sent over the internet or a network

Further segment the VPC address range and to provide logical groupings for resources
(by types, by team, by department)
Exist in one and only one AZ
Subnet CIDR blocks within a VPC must not overlap
Max 200 subnets / VPC
IPv4 min size /28 (16 IP Addresses)
IPv6 fixed size /64, and only one CIDR block/subnet

Primary network interface (elastic network interface)

Definition
An elastic network interface is a virtual network interface (NIC) that connects an instance to
a network. Each instance in a VPC has a default network interface, the primary network
interface,
which cannot be detached from the instance. Each network interface has one primary IP
address, plus additional secondary IP addresses. It also has its own media access control
(MAC) address and security groups

the number of NICs depends on the instance type

attached to one instance, detach form it and attached to another one (the attributes are
preserved) => network traffic is redirected to the new instance
Use cases:

Using network and security appliances in a VPC: Some network and security
appliances such as load balancers, network address translation (NAT) servers, and
proxy servers prefer to be configured with multiple NICs. You can create and attach
secondary NICs to instances in a VPC that run these types of applications. Then,
configure the additional interfaces with their own public and private IP addresses, and
security groups.
Creating a management only network interface: To ensure that bandwidth on a
customer facing interface is not impacted by management activities (uploading new
versions of software, downloading log files, and so on) a separate ENI is used for
administrative work.

Network access control lists (ACLs)

Definition

A network access control list (ACL) is a virtual firewall the control #inbound and
#outbound traffic at the subnet level. Aka passport AWS
Certification/CloudPractitioner/Security officer

Each AWS account includes a default network ACL,

default: allows all #inbound and #outbound traffic; modifiable with rules
custom: denies all #inbound and #outbound traffic, until rules are added that specify
which traffic to allow
all network ACLs have an explicit deny rule: #packet doesn't match any of the other
rules on the list => denied
 #stateless #packet filtering => remember nothing, check #packets that cross the Subnet
each way: #inbound and #outbound .

Security group
Definition
VPC component that check #packet permissions for Amazon EC2 instances. Its a virtual
firewall that controls #inbound and #outbound traffic for #EC2-instances Aka doorman at
your building

default: denies all #inbound traffic and allows all #outbound traffic => the doorman
checks a list at arrival, but not when the #packets leave

#statefull #packet filtering => remember previous decisions made for incoming #packets

Summary
 Security group
Operates at the instance
level
Applies to an instance only if
it is associated with the
instance
Supports allow rules only
Evaluates all rules before
deciding whether to allow
traffic
Stateful: Return traffic is
allowed, regardless of the
rules
Network ACL
Operates at the subnet level
Applies to all instances deployed in the associated
subnet (providing an additional layer of defense if
security group rules are too permissive)
Supports allow rules and deny rules
Evaluates rules in order, starting with the lowest
numbered rule, when deciding whether to allow traffic
Stateless: Return traffic must be explicitly allowed by the
rules

The following diagram illustrates the layers of security provided by Security group groups
and network ACLs. For example, traffic from an internet gateway is routed to the appropriate
subnet using the routes in the routing table. The rules of the network ACL that is associated
with the subnet control which traffic is allowed to the subnet. The rules of the Security group
that is associated with an instance control which traffic is allowed to the instance.

Internet gateway (IG)

Definition
Aka public doorway. Its connected to the internet.
Virtual private gateway
Definition
A virtual private gateway is the component that is defined on the AWS side of a virtual
private network connection.

Only allows connection from an approved network (eg. on-premises data center or internal
corporate network). It allows you to create a virtual private network (VPN) connection.
The VPN encrypts the internet traffic from all the other requests around it. They still use
regular internet connection that has a bandwidth that is being shared by many people using
the internet.
VPC Connectivity options
Network-to-Amazon VPC connectivity options

Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud

Connectivity Options

Network Address Translation (NAT)

NAT Gateway

Definition
You can use a NAT gateway so that instances in a private subnet can connect to services
outside your VPC but external services cannot initiate a connection with those instances.

When you create a NAT gateway, you specify one of the following connectivity types:

Public – (Default) Instances in private subnets can connect to the internet through a
public NAT gateway, but cannot receive unsolicited inbound connections from the
internet. You create a public NAT gateway in a public subnet and must associate an
elastic IP address with the NAT gateway at creation. You route traffic from the NAT
gateway to the internet gateway for the VPC. Alternatively, you can use a public NAT
gateway to connect to other VPCs or your on-premises network. In this case, you route
traffic from the NAT gateway through a transit gateway or a virtual private gateway.
Private – Instances in private subnets can connect to other VPCs or your on-premises
network through a private NAT gateway. You can route traffic from the NAT gateway
through a transit gateway or a virtual private gateway. You cannot associate an elastic
IP address with a private NAT gateway. You can attach an internet gateway to a VPC
with a private NAT gateway, but if you route traffic from the private NAT gateway to the
internet gateway, the internet gateway drops the traffic.

NAT Instance

Definition

Its an EC2 instance with a NAT AMI that is configured to allow resources in a private subnet
to communicate with destinations outside the VPC, such as the internet or an on-premises
network. The resources in the private subnet can initiate outbound IPv4 traffic to the internet,
but they can't receive inbound traffic initiated on the internet.

Resources

NAT gateways - Amazon Virtual Private Cloud

NAT instances - Amazon Virtual Private Cloud
Compare NAT gateways and NAT instances - Amazon Virtual Private Cloud

Connect a VPC to another VPC - VPC peering

A VPC peering connection is a networking connection between two VPCs that enables
routing using each VPC’s private IP addresses as if they were in the same network. VPC
peering connections can be created between your own VPCs or with a VPC in another AWS
account. VPC peering also supports inter-region peering.
Limitations:

No overlapping IP address ranges.

No transitive peering, edge-to-edge routing, or internet gateway access.
 No NAT routing between VPCs.
No Domain Name System (DNS) lookup resolution of private IP addresses.
No cross referencing of peer security groups across Regions.

Resources

VPC peering basics - Amazon Virtual Private Cloud

VPC peering scenarios - Amazon Virtual Private Cloud
VPC peering configurations with routes to an entire VPC - Amazon Virtual Private
Cloud

Connect a VPC to an external network

AWS Site-to-Site VPN

Resources:

AWS Site-to-Site VPN - Amazon Virtual Private Cloud Connectivity Options

How AWS Site-to-Site VPN works

Customer gateway

Definition

A customer gateway is a physical device or software application that is defined on the client
side
of a VPN connection. And a AWS resource

Resources

Your customer gateway device - AWS Site-to-Site VPN

AWS Direct Connect + VPN

AWS Direct Connect is a networking service that provides an alternative to using the internet
to connect to AWS. Using AWS Direct Connect, data that would have previously been
transported over the internet is delivered through a private network connection between your
facilities and AWS

Resources:

AWS Direct Connect + AWS Site-to-Site VPN - Amazon Virtual Private Cloud
Connectivity Options

Connect a VPC to AWS services

VPC endpoints

A VPC endpoint enables customers to privately connect to supported AWS services and
VPC endpoint services powered by AWS PrivateLink. Amazon VPC instances do not require
public IP addresses to communicate with resources of the service. Traffic between an
Amazon VPC and a service does not leave the Amazon network.

VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly
available Amazon VPC components that allow communication between instances in an
Amazon VPC and services without imposing availability risks or bandwidth constraints on
network traffic. There are two types of VPC endpoints:

interface endpoints (use AWS PrivateLink)

gateway endpoints (link to S3 and Amazon DynamoDB)

AWS PrivateLink

AWS PrivateLink enables customers to access services hosted on AWS in a highly available
and scalable manner, while keeping all the network traffic within the AWS network. Service
users can privately access services powered by PrivateLink from their Amazon Virtual
Private Cloud (VPC) or their on-premises, without using public IPs, and without requiring
traffic to traverse across the Internet. Service owners can register their Network Load
Balancers to PrivateLink services in order to provide their services to other AWS customers.

Resources:

What are VPC endpoints? - Securely Access Services Over AWS PrivateLink
Use-case examples - Securely Access Services Over AWS PrivateLink
AWS PrivateLink FAQs – Amazon Web Services

Connect a VPC to multiple VPCs and external networks

AWS Transit Gateway
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-
premises networks through a central hub. This connection simplifies your network and puts
an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud
router—each new connection is made only once.