AWSNETWORK01


What is VPC

•Virtual private cloud (VPC) — A virtual network dedicated to your AWS account, logically isolated from every
other virtual network in the AWS Cloud.

•Subnet — A range of IP addresses in your VPC, carved out of the VPC's CIDR block and tied to one
Availability Zone.

•Route table — A set of rules, called routes, that are used to determine where network traffic leaving a subnet
or gateway is directed. Every subnet is associated with exactly one route table (the VPC's main route table
unless you associate a custom one).

•Internet gateway — A gateway that you attach to your VPC to enable communication between resources in
your VPC and the internet.

•VPC endpoint — Enables you to privately connect your VPC to supported AWS services and VPC endpoint
services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS
Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with
resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
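The route-table definition above is easiest to understand by seeing how the VPC router picks a route. The following is an added example, not code from the deck: it resolves a destination address against a route table the way the VPC router does (longest prefix match) and classifies a subnet as public, private or isolated from its default route. The route tables, CIDR blocks and gateway IDs are constructed placeholders.

```python
import ipaddress

# Constructed route tables; the gateway ids are placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [
    (VPC_CIDR,      "local"),                  # added automatically for the VPC's own range
    ("10.1.0.0/16", "pcx-0a1b2c3d4e5f67890"),  # a peered VPC
    ("0.0.0.0/0",   "igw-0a1b2c3d4e5f67890"),  # everything else: internet gateway
]
PRIVATE_RT = [
    (VPC_CIDR,      "local"),
    ("10.1.0.0/16", "pcx-0a1b2c3d4e5f67890"),
    ("0.0.0.0/0",   "nat-0a1b2c3d4e5f67890"),  # outbound only, via a NAT gateway
]
ISOLATED_RT = [(VPC_CIDR, "local")]             # no default route at all


def resolve_route(route_table, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip wins.
    Returns the route target, or None when nothing matches (packet is dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version == dst.version and dst in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def subnet_exposure(route_table):
    """Classify a subnet by where its default route points. This is what
    'public subnet' and 'private subnet' actually mean in VPC terms."""
    default = dict(route_table).get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, subnet_exposure(rt), resolve_route(rt, "10.0.3.4"),
              resolve_route(rt, "10.1.9.9"), resolve_route(rt, "8.8.8.8"))
```

The `local` route covers the whole VPC CIDR, so traffic between subnets of the same VPC never touches a gateway; only addresses outside every more specific route fall through to the default route, and a subnet with no default route simply cannot reach the internet in either direction.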
INTERNET GATEWAY
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows
communication between your VPC and the internet.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable
traffic, and to perform one-to-one network address translation (NAT) for instances that have been assigned public IPv4
addresses. Attaching the gateway is not enough by itself: a subnet is "public" only if its route table sends
internet-bound traffic to the gateway, and an instance in it is reachable only if it also has a public IPv4 or
Elastic IP address (or an IPv6 address) and its security group and network ACL permit the traffic.

An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints
on your network traffic. There's no additional charge for having an internet gateway in your account.
Egress-Only Internet Gateway

 An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC
component that allows outbound communication over IPv6 from instances in your VPC to the
internet, and prevents the internet from initiating an IPv6 connection with your instances. It is the
IPv6 counterpart of a NAT gateway: VPC IPv6 addresses are globally unique and publicly routable, so a
route to a regular internet gateway would make the instance reachable from the internet.
VPC PEERING

 A VPC peering connection is a networking connection between two VPCs that
enables you to route traffic between them privately. Instances in either VPC
can communicate with each other as if they are within the same network.
You can create a VPC peering connection between your own VPCs, with a VPC
in another AWS account, or with a VPC in a different AWS Region.
VPC peering limitations

To create a VPC peering connection with another VPC, be aware of the following
limitations and rules:

•You cannot create a VPC peering connection between VPCs that have matching or
overlapping IPv4 or IPv6 CIDR blocks. Amazon always assigns your VPC a unique
IPv6 CIDR block. If your IPv6 CIDR blocks are unique but your IPv4 blocks are not,
you cannot create the peering connection.

•You have a quota on the number of active and pending VPC peering connections that
you can have per VPC.

•VPC peering does not support transitive peering relationships. In a VPC peering
connection, your VPC does not have access to any other VPCs with which the peer
VPC may be peered, even when all of the peering connections are established
entirely within your own AWS account. To reach a VPC two hops away you need a
direct peering connection with it.

•You cannot have more than one VPC peering connection between the same two
VPCs at the same time.
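The peering rules above are exactly the kind of thing worth checking before calling the API. The following is an added example, not code from the deck: it validates a proposed peering against the overlap, duplicate and self-peering rules, and contrasts graph reachability (what people expect) with direct peering (what actually carries traffic). The VPC IDs, CIDR blocks and existing peerings are constructed.

```python
import ipaddress
from collections import deque

# Constructed inventory: VPC id -> its CIDR blocks (IPv4 and/or IPv6). Ids are made up.
VPCS = {
    "vpc-a": ["10.0.0.0/16", "2001:db8:1::/56"],
    "vpc-b": ["10.1.0.0/16", "2001:db8:2::/56"],
    "vpc-c": ["10.0.128.0/17"],            # overlaps vpc-a's IPv4 range
    "vpc-d": ["10.2.0.0/16"],
}
# Existing peering connections (constructed), as unordered pairs.
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-d")]


def overlapping_blocks(cidrs_a, cidrs_b):
    """Every (a, b) pair of blocks of the same IP version that overlap.
    Blocks of different versions never conflict with each other."""
    hits = []
    for a in map(ipaddress.ip_network, cidrs_a):
        for b in map(ipaddress.ip_network, cidrs_b):
            if a.version == b.version and a.overlaps(b):
                hits.append((str(a), str(b)))
    return hits


def validate_peering(requester, accepter, vpcs=VPCS, peerings=PEERINGS):
    """Apply the documented rules before attempting to create the connection."""
    if requester == accepter:
        return False, "a VPC cannot peer with itself"
    if {requester, accepter} in [set(p) for p in peerings]:
        return False, "only one peering connection is allowed between the same two VPCs"
    clash = overlapping_blocks(vpcs[requester], vpcs[accepter])
    if clash:
        return False, f"overlapping CIDR blocks: {clash}"
    return True, "ok"


def directly_peered(src, dst, peerings=PEERINGS):
    """Peering is not transitive: only a direct connection carries traffic."""
    return {src, dst} in [set(p) for p in peerings]


def path_exists(src, dst, peerings=PEERINGS):
    """Plain graph reachability, which is what peering does NOT give you."""
    adj = {}
    for a, b in peerings:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


if __name__ == "__main__":
    for pair in (("vpc-a", "vpc-c"), ("vpc-a", "vpc-b"), ("vpc-a", "vpc-d")):
        print(pair, validate_peering(*pair))
    print("a->d path exists:", path_exists("vpc-a", "vpc-d"),
          "| a->d routable:", directly_peered("vpc-a", "vpc-d"))
```

`path_exists` finds vpc-a to vpc-d through vpc-b, but `directly_peered` is what matters: without a vpc-a to vpc-d connection (and matching routes in both route tables) no packet makes that trip.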
What is NAT GATEWAY

You can use a network address translation (NAT) gateway to enable instances in a
private subnet to connect to the internet or other AWS services, but prevent the
internet from initiating a connection with those instances. The NAT gateway itself
sits in a public subnet (one whose route table sends 0.0.0.0/0 to an internet gateway)
and is given an Elastic IP address; the private subnet's route table sends 0.0.0.0/0 to
the NAT gateway instead.
NAT gateway rules and limitations
A NAT gateway has the following characteristics and limitations:

•A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps.
If you require more, you can distribute the workload by splitting your resources into
multiple subnets, and creating a NAT gateway in each subnet.

•You can associate exactly one Elastic IP address with a NAT gateway. You cannot
disassociate an Elastic IP address from a NAT gateway after it's created. To use a
different Elastic IP address for your NAT gateway, you must create a new NAT gateway
with the required address, update your route tables, and then delete the existing NAT
gateway if it's no longer required.

•A NAT gateway supports the following protocols: TCP, UDP, and ICMP.

•You cannot associate a security group with a NAT gateway. You can use security
groups for your instances in the private subnets to control the traffic to and from those
instances.

•You can use a network ACL to control the traffic to and from the subnet in which the
NAT gateway is located. The network ACL applies to the NAT gateway's traffic. A NAT
gateway uses ports 1024–65535 as the source ports of its translated connections, so the
subnet's network ACL must allow inbound traffic to that port range or the replies from
the internet will be dropped.
•When a NAT gateway is created, it receives a network interface that's automatically assigned a private IP
address from the IP address range of your subnet. You can view the NAT gateway's network interface in
the Amazon EC2 console. You cannot modify the attributes of this network interface.

•A NAT gateway cannot be accessed by a ClassicLink connection that is associated with your VPC.
•You cannot route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN
connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of
these connections.

•A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This
limit also applies if you create approximately 900 connections per second to a single destination (about
55,000 connections per minute). If the destination IP address, the destination port, or the protocol
(TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000
connections, there is an increased chance of connection errors due to port allocation errors.
NAT INSTANCE
VPC FLOW LOG
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going
to and from network interfaces in your VPC. Flow log data can be published to Amazon
CloudWatch Logs or Amazon S3. After you've created a flow log, you can retrieve and view
its data in the chosen destination.

Flow logs can help you with a number of tasks, such as:

•Diagnosing overly restrictive security group rules

•Monitoring the traffic that is reaching your instance

•Determining the direction of the traffic to and from the network interfaces
Flow log data is collected outside of the path of your network traffic, and therefore does not
affect network throughput or latency. You can create or delete flow logs without any risk of
impact to network performance. Each record summarises a flow over an aggregation interval rather
than describing individual packets.
Security Groups

 A security group acts as a virtual firewall for your instance to control inbound
and outbound traffic. When you launch an instance in a VPC, you can assign
up to five security groups to the instance. Security groups act at the instance
level, not the subnet level. Therefore, each instance in a subnet in your VPC
can be assigned to a different set of security groups.
Security Group Rules

 The following are the basic characteristics of security groups for your VPC:
 You can specify allow rules, but not deny rules; anything not explicitly allowed is
denied, so a security group with no inbound rules admits no unsolicited inbound traffic.
To block specific traffic you need a network ACL.
 You can specify separate rules for inbound and outbound traffic.
 Security group rules enable you to filter traffic based on protocols and port
numbers.
 Security groups are stateful — if you send a request from your instance, the
response traffic for that request is allowed to flow in regardless of inbound
security group rules. Responses to allowed inbound traffic are allowed to flow
out, regardless of outbound rules.
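The statefulness described above, and the contrast with the stateless network ACL in front of a NAT gateway (the 1024–65535 port range from the NAT gateway section), are easiest to see by evaluating packets against both kinds of rule set. The following is an added example, not code from the deck: a small model of a security group (allow-only, stateful via a flow table) next to a network ACL (numbered, first match wins, stateless), run through an outbound HTTPS request with its reply and through the NAT gateway's return traffic. Addresses, rule sets and the NAT gateway's IP are constructed; the model ignores details such as ICMP type/code and rule limits.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The packet the other side sends back: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    proto: str                # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"     # security groups only ever hold allow rules
    number: int = 0           # network ACL rule number; unused by security groups


def _matches(rule: Rule, remote_ip: str, proto: str, port: int) -> bool:
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "icmp" and not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful and allow-only: a reply to an already-permitted flow passes without
    consulting the rules for the opposite direction."""
    def __init__(self, inbound, outbound):
        assert all(r.action == "allow" for r in inbound + outbound), "SGs have no deny rules"
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()      # flows this instance initiated or accepted

    def permits(self, pkt: Packet, direction: str) -> bool:
        if pkt.reply() in self.tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        if any(_matches(r, remote, pkt.proto, pkt.dport) for r in rules):
            self.tracked.add(pkt)
            return True
        return False


class NetworkAcl:
    """Stateless: rules are tried in ascending number, the first match decides, and a
    packet matching nothing hits the implicit deny. Replies get no special treatment."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if _matches(r, remote, pkt.proto, pkt.dport):
                return r.action == "allow"
        return False


ANY = "0.0.0.0/0"
# Constructed: security group of a private-subnet instance that only needs outbound HTTPS.
APP_SG = SecurityGroup(inbound=[], outbound=[Rule("tcp", 443, 443, ANY)])

# Constructed network ACLs for the public subnet hosting the NAT gateway (10.0.1.5).
# TIGHT opens only the service ports; FIXED also admits the NAT gateway's return traffic
# and shows an explicit deny ordered ahead of a broader allow.
OUT_ALL = [Rule("-1", 0, 65535, ANY, "allow", 100)]
TIGHT_PUBLIC_NACL = NetworkAcl(
    inbound=[Rule("tcp", 80, 80, ANY, "allow", 100), Rule("tcp", 443, 443, ANY, "allow", 110)],
    outbound=OUT_ALL)
FIXED_PUBLIC_NACL = NetworkAcl(
    inbound=[Rule("tcp", 22, 22, "203.0.113.0/24", "deny", 50),
             Rule("tcp", 80, 80, ANY, "allow", 100), Rule("tcp", 443, 443, ANY, "allow", 110),
             Rule("tcp", 1024, 65535, ANY, "allow", 120),   # replies to the NAT gateway
             Rule("tcp", 22, 22, ANY, "allow", 130)],
    outbound=OUT_ALL)


def private_instance_https(sg: SecurityGroup):
    """Outbound request from the private instance, then the server's reply."""
    req = Packet("10.0.2.10", "93.184.216.34", "tcp", 40000, 443)
    return sg.permits(req, "out"), sg.permits(req.reply(), "in")


def nat_return_traffic_allowed(nacl: NetworkAcl) -> bool:
    """The NAT gateway rewrote the request's source port to an ephemeral port in
    1024-65535, so the reply arrives with that port as its destination."""
    reply = Packet("93.184.216.34", "10.0.1.5", "tcp", 443, 51234)
    return nacl.permits(reply, "in")
```

The security group lets the HTTPS reply in with no inbound rule at all, because it remembers the outbound flow; the network ACL has no memory, so the NAT gateway's replies are dropped until the ephemeral range is opened. That opening is necessarily broad, which is why network ACLs are used as a coarse subnet-level backstop while security groups do the precise per-instance filtering.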
