Virtual Private Clouds (VPC)

  1. Every region has one default VPC for your account.
  2. A VPC contains a default route table and a default network ACL, which are associated with every new subnet by default
  3. Subnets are logical groups of private IP addresses, represented by a CIDR that is a subset of the VPC CIDR
    1. You can assign a custom route table for your newly created subnets
    2. EC2 instances are launched into a subnet
    3. A VPC can have up to 200 subnets; you can request AWS support to increase this limit
  4. Three types of subnets are possible
    1. If the assigned route table points to an internet gateway (one IGW per VPC), the subnet is a public subnet
    2. If the route table (RT) points to a NAT, it is a private subnet
    3. If the RT points to a VPG, it is a VPN-only subnet
  5. DHCP option sets
    1. A VPC points to a default DHCP option set
    2. Using this you can assign names to private IPs
    3. Only one DHCP option set can be active for a VPC at any given point
    4. DHCP option sets can't be edited after creation
  6. VPC flow logs
    1. Log the traffic flowing through an ENI (elastic network interface) in the VPC and save the logs in CloudWatch.
    2. They can be created at three levels: VPC, subnet or ENI
    3. Traffic to the following can't be monitored
      1. Reserved IPs used by AWS (router, broadcast etc.)
      2. DNS/DHCP/Microsoft (Windows) license activation/instance metadata requests
  7. VPC endpoints
    1. Used to connect EC2 instances in your VPC to AWS services such as S3 (only S3 is supported as of now) without going through the internet via NAT gateways
    2. Your private IP address is used in the communication through the endpoint. Public IP addresses are not used.
    3. Two types of VPC endpoints
      1. ENI (interface) endpoint
        1. Works at the EC2 instance level
      2. Gateway endpoint
        1. Works at the route table level for the entire subnet
    4. You can specify a policy at the endpoint to allow/deny traffic
  8. When you launch an EC2 instance in a VPC
    1. In a private subnet: you get a private IP and no public IP; private IPs persist through start/stop and reboots
    2. In a public subnet: you get a private IP and a public IP. Private IPs persist through start/stop and reboots; public IPs do not persist.
    3. However, you can assign a public Elastic IP, which will persist
  9. VPC peering
    1. Lets you connect VPCs in the same region, across multiple accounts, using private IPs
    2. The VPCs must have non-conflicting CIDRs
    3. No gateway/VPN/hardware required
    4. Not transitive: A<->B and B<->C does not mean A is peered with C
  10. Direct Connect
    1. Dedicated connection from your local data center to an AWS VPC over private IPs and a private network (NOT using the internet)
    2. Connections go to a DX facility and then to AWS
    3. The dedicated line is provided by your ISP
  11. VPN
    1. Connection from your local data center to an AWS VPC using private IPs over a public network (the internet)
    2. Hardware- or software-based VPNs are possible
    3. The Virtual Private Gateway (VPG) is the VPN concentrator on the AWS side
    4. The Customer Gateway (CGW) is a hardware or software solution that resides in the client data center and communicates with the VPG
    5. VPNs use two IPsec tunnels between the CGW and the VPG for high availability
  12. Expanding a VPC
    1. You can expand your existing VPC by adding four (4) secondary IPv4 address ranges (CIDRs) to it.
    2. You can shrink your VPC by deleting the secondary CIDR blocks you have added.
    3. You cannot, however, change the size of the IPv6 address range of your VPC.
  13. Can I use Elastic Network Interfaces as a way to host multiple websites requiring separate IP addresses on a single instance? Yes; however, this is not a use case best suited to multiple interfaces. Instead, assign additional private IP addresses to the instance and then associate EIPs with the private IPs as needed.
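As an added example (not part of these notes), the script below applies items 2 and 4 to route table data: each subnet is classified by the route table it is actually associated with, falling back to the VPC's main route table when no explicit association exists, which is how a subnet meant to be private can quietly end up public if the main table carries an internet gateway route. The sample data is constructed to resemble `describe-route-tables` output and all IDs are made up.

```python
"""Classify VPC subnets as public, private or VPN-only from route table data."""
from typing import Dict, List

# Constructed sample shaped loosely like `aws ec2 describe-route-tables` output:
# one main table (implicitly used by any subnet without an explicit association)
# plus two custom tables. All IDs are made up.
ROUTE_TABLES: List[dict] = [
    {"RouteTableId": "rtb-main", "Main": True, "Subnets": [],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c"}]},
    {"RouteTableId": "rtb-public", "Main": False, "Subnets": ["subnet-web"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f9e8d"}]},
    {"RouteTableId": "rtb-vpn", "Main": False, "Subnets": ["subnet-corp"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0c7d6e"}]},
]
SUBNETS = ["subnet-web", "subnet-app", "subnet-corp"]  # subnet-app: no explicit table


def classify_route_table(rt: dict) -> str:
    """Apply the rule from the notes: IGW => public, NAT => private, VGW => VPN-only."""
    has_igw = has_nat = has_vgw = False
    for route in rt["Routes"]:
        gw = route.get("GatewayId", "")
        if gw == "local":
            continue  # intra-VPC route, says nothing about the subnet type
        has_igw |= gw.startswith("igw-")
        has_vgw |= gw.startswith("vgw-")
        has_nat |= "NatGatewayId" in route
    if has_igw:
        return "public"  # reachable from the internet in both directions
    if has_nat:
        return "private"  # outbound-only internet access via NAT
    if has_vgw:
        return "vpn-only"
    return "isolated"  # only the local route: no path out of the VPC at all


def classify_subnets(route_tables: List[dict], subnets: List[str]) -> Dict[str, str]:
    """Resolve each subnet's effective table (explicit, else main) and classify it."""
    main = next(rt for rt in route_tables if rt["Main"])
    explicit = {s: rt for rt in route_tables for s in rt["Subnets"]}
    return {s: classify_route_table(explicit.get(s, main)) for s in subnets}


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet}: {kind}")
```

Running it reports subnet-web as public, subnet-app as private (it inherits the main table's NAT route) and subnet-corp as VPN-only; swapping the main table's NAT route for an IGW route would silently make every unassociated subnet public.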
Copyright 2005-2016 KnowledgeHills.