Please enable JavaScript to view the comments powered by Disqus. Everything you need to know about Amazon VPC

 

 

 

Everything you need to know about Amazon VPC

NovelVista

NovelVista

Last updated 21/07/2021


Everything you need to know about Amazon VPC

Amazon Virtual Private Cloud (VPC) is the heart of AWS cloud hosting, yet a very complex concept to understand, especially for developers who have limited infrastructure operations experience. Developers are the most involved team members with cloud projects, yet have limited knowledge about infrastructure operations (in the majority of cases).

vpc

Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your virtual private cloud, helping to ensure secure and easy access to resources and applications.

As one of AWS's foundational services, Amazon VPC makes it easy to customize your VPC's network configuration. You can create a public-facing subnet for your web servers that have access to the internet. It also lets you place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. Amazon VPC lets you to use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Comparison to private clouds

Amazon Virtual Private Cloud aims to provide a service similar to private clouds using technology such as OpenStack or HPE Helion Eucalyptus. However, private clouds typically also use technology such as OpenShift application hosting and various database systems. Cloud security experts warned there can be compliance risks, such as a loss of control or service cancellation in using public resources which do not exist with in-house systems. If transaction records are requested from Amazon about a VPC using a National security letter they may not even be legally allowed to inform the customer of the breach of the security of their system. This would be true even if the actual VPC resources were in another country. The API used by AWS is only partly compatible with that of HPE Helion Eucalyptus and is not compatible with other private cloud systems so migration from AWS may be difficult. This has led to warnings of the possibility of lock-in to a specific technology.

Benefits of Using Amazon Virtual Private Cloud (Amazon VPC)

Secure and monitored network connections

Amazon VPC provides advanced security features that allow you to perform inbound and outbound filtering at the instance and subnet level. Additionally, you can store data in Amazon S3 and restrict access so that it’s only accessible from instances inside your VPC. Amazon VPC also has monitoring features that let you perform functions like out-of-band monitoring and inline traffic inspection, which help you screen and secure traffic.

Simple set-up and use

With Amazon VPC's simple set-up, you spend less time setting up, managing, and validating, so you can concentrate on building the applications that run in your VPCs. You can create a VPC easily using the AWS Management Console or Command Line Interface (CLI). Once you select from common network setups and find the best match for your needs, VPC automatically creates the subnets, IP ranges, route tables, and security groups you need. After configuring your network, you can easily validate it with Reachability Analyzer.

Customizable virtual network

Amazon VPC helps you control your virtual networking environment by letting you choose your own IP Address range, create your own subnets, and configure route tables to any available gateways. You can customize the network configuration by creating a public-facing subnet for your web servers that has access to the internet. Place your backend systems, such as databases or application servers, in a private-facing subnet. With Amazon VPC, you can ensure that your virtual private cloud is configured to fit your specific business needs.

Features of VPC

  • Many connectivity options− There are various connectivity options that exist in Amazon VPC.
    • Connect VPC directly to the Internet via public subnets.
    • Connect to the Internet using Network Address Translation via private subnets.
    • Connect securely to your corporate datacenter via encrypted IPsec hardware VPN connection.
    • Connect privately to other VPCs in which we can share resources across multiple virtual networks through AWS account.
    • Connect to Amazon S3 without using an internet gateway and have good control over S3 buckets, its user requests, groups, etc.
    • Combine connection of VPC and datacenter is possible by configuring Amazon VPC route tables to direct all traffic to its destination.
  • Easy to use− Ease of creating a VPC in very simple steps by selecting network set-ups as per requirement. Click "Start VPC Wizard", then Subnets, IP ranges, route tables, and security groups will be automatically created.
  • Easy to backup data− Periodically backup data from the datacenter into Amazon EC2 instances by using Amazon EBS volumes.
  • Easy to extend network using Cloud− Move applications, launch additional web servers and increase storage capacity by connecting it to a VPC.

Use cases

Host a simple, public-facing website

Host a basic web application, such as a blog or simple website, in a VPC and gain the additional layers of privacy and security afforded by Amazon VPC. You can help secure the website by creating security group rules which allow the web server to respond to inbound HTTP and SSL requests from the internet while simultaneously prohibiting the web server from initiating outbound connections to the internet. Create a VPC that supports this use case by selecting "VPC with a Single Public Subnet Only" from the Amazon VPC console wizard.

Host multi-tier web applications

Host multi-tier web applications and strictly enforce access and security restrictions between your web servers, application servers, and databases. Launch web servers in a publicly accessible subnet while running your application servers and databases in private subnets. This will ensure that application servers and databases cannot be directly accessed from the internet. You control access between the servers and subnets using inbound and outbound packet filtering provided by network access control lists and security groups. To create a VPC that supports this use case, you can select "VPC with Public and Private Subnets" in the Amazon VPC console wizard.

Back up and recover your data after a disaster

By using Amazon VPC for disaster recovery, you receive all the benefits of a disaster recovery site at a fraction of the cost. You can periodically back up critical data from your data center to a small number of Amazon EC2 instances with Amazon Elastic Block Store (EBS) volumes, or import your virtual machine images to Amazon EC2. To ensure business continuity, Amazon VPC allows you to quickly launch replacement compute capacity in AWS. When the disaster is over, you can send your mission critical data back to your data center and terminate the Amazon EC2 instances that you no longer need.

Extend your corporate network into the cloud

Move corporate applications to the cloud, launch additional web servers, or add more compute capacity to your network by connecting your VPC to your corporate network. Because your VPC can be hosted behind your corporate firewall, you can seamlessly move your IT resources into the cloud without changing how your users access these applications. Furthermore, you can host your VPC subnets in AWS Outposts, a service that brings native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility. Select "VPC with a Private Subnet Only and Hardware VPN Access" from the Amazon VPC console wizard to create a VPC that supports this use case.

Securely connect cloud applications to your datacenter

An IPsec VPN connection between your Amazon VPC and your corporate network encrypts all communication between the application servers in the cloud and databases in your data center. Web servers and application servers in your VPC can leverage Amazon EC2 elasticity and Auto Scaling features to grow and shrink as needed. Create a VPC to support this use case by selecting "VPC with Public and Private Subnets and Hardware VPN Access" in the Amazon VPC console wizard.

Get started with Amazon VPC

You can automatically provision AWS resources in a ready-to-use default VPC. Configure this VPC by adding or removing subnets, attaching network gateways, changing the default route table, and modifying the network ACLs.

Create additional VPCs from the Amazon VPC page on the AWS Management Console by selecting the "Start VPC Wizard" button. You will be presented with four basic network topologies. Select the one that most closely resembles the network topology that you’d like to create and click the "Create VPC" button. You can then customize the topology further to fit your needs more closely. Shortly after, you can start launching Amazon EC2 instances inside your VPC.

Security

AWS VPC's security is two-fold: firstly, AWS VPC uses security groups as a firewall to control traffic at the instance level, while it also uses network access control lists as a firewall to control traffic at the subnet level. As another measure of privacy, AWS VPC provides users with ability to create "dedicated instances" on hardware, physically isolating the dedicated instances from non-dedicated instances and instances owned by other accounts.

AWS VPC is free, with users only paying for the consumption of EC2 resources. However, if choosing to access VPC via a Virtual Private Network (VPN), there is a charge.

Other associated terminologies

There are few more terms you need to understand while learning AWS VPC and launching EC2 instances.

Security groups:

Image result for Public VPC with Restricted security groups:

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances.

We can think of office access cards, as equivalent to “security groups”. Depending on how granular you want the security, you can apply security groups at different levels in AWS. Same applicable for office building too. You can put access cards at the building level (or) floor level (or) some other measures.

Public VPC with OPEN security groups:

Public VPC with OPEN security groups

This is the case where you launch instances into a VPC and the security groups associated with VPC/instance open up ALL ports; this is a VERY BAD practice. The equivalent in our office building analogy would be a building without any access cards. EVERYONE can come and go to any floor or suite.

Public VPC with Restricted security groups:

This is the case where you launch instances into a VPC and the security groups associated with a VPC/instance restricts open ports; this is a GOOD practice. The equivalent in our office building analogy would be a building with access cards. Only people who have access cards can enter into the building and get around inside.

Private VPC:

Image result for Private VPC

Private VPC is a VPC with ONLY private subnets. These resources within a private VPC aren’t accessible to the outside world without either special tools (or) VPC peering.

Though this is not a perfect analogy, we can think of “washrooms” in your office building as private VPC (in other words VPC with private subnets). People who don’t have access to building can’t access the washrooms.

In summary, the combination of VPC + Availability Zone + Subnet + private/public ip addresses +security groups are the AWS resources which form the required infrastructure to support EC2 instances running in a secured and scalable environment. Understanding working principles of these resources will help users in properly configuring and utilizing these resources.

Default VPC Deletion

In the event that the default VPC gets deleted, it is advised to reach out to AWS support for restoration. Therefore, you’ll only want to delete the default VPC only if you have a good reason.

Topic Related Post

Azure Security Best Practices for AZ-104 Certified Professionals
Cloud Cost Optimization Advanced Strategies in FinOps
How to Use FinOps to Optimize Your AWS Cloud Costs?

About Author

NovelVista Learning Solutions is a professionally managed training organization with specialization in certification courses. The core management team consists of highly qualified professionals with vast industry experience. NovelVista is an Accredited Training Organization (ATO) to conduct all levels of ITIL Courses. We also conduct training on DevOps, AWS Solution Architect associate, Prince2, MSP, CSM, Cloud Computing, Apache Hadoop, Six Sigma, ISO 20000/27000 & Agile Methodologies.

Tags

 
 

SUBMIT ENQUIRY

* Your personal details are for internal use only and will remain confidential.

 
 
 
 
 
 

Upcoming Events

ITIL-Logo-BL
ITIL

Every Weekend

AWS-Logo-BL
AWS

Every Weekend

Dev-Ops-Logo-BL
DevOps

Every Weekend

Prince2-Logo-BL
PRINCE2

Every Weekend

Topic Related

Take Simple Quiz and Get Discount Upto 50%

Popular Certifications

AWS Solution Architect Associates
SIAM Professional Training & Certification
ITILŽ 4 Foundation Certification
DevOps Foundation By DOI
Certified DevOps Developer
PRINCE2Ž Foundation & Practitioner
ITILŽ 4 Managing Professional Course
Certified DevOps Engineer
DevOps Practitioner + Agile Scrum Master
ISO Lead Auditor Combo Certification
Microsoft Azure Administrator AZ-104
Digital Transformation Officer
Certified Full Stack Data Scientist
Microsoft Azure DevOps Engineer
OCM Foundation
SRE Practitioner
Professional Scrum Product Owner II (PSPO II) Certification
Certified Associate in Project Management (CAPM)
Practitioner Certified In Business Analysis
Certified Blockchain Professional Program
Certified Cyber Security Foundation
Post Graduate Program in Project Management
Certified Data Science Professional
Certified PMO Professional
AWS Certified Cloud Practitioner (CLF-C01)
Certified Scrum Product Owners
Professional Scrum Product Owner-II
Professional Scrum Product Owner (PSPO) Training-I
GSDC Agile Scrum Master
ITILŽ 4 Certification Scheme
Agile Project Management
FinOps Certified Practitioner certification
ITSM Foundation: ISO/IEC 20000:2011
Certified Design Thinking Professional
Certified Data Science Professional Certification
Generative AI Certification
Generative AI in Software Development
Generative AI in Business
Generative AI in Cybersecurity
Generative AI for HR and L&D
Generative AI in Finance and Banking
Generative AI in Marketing
Generative AI in Retail
Generative AI in Risk & Compliance
ISO 27001 Certification & Training in the Philippines
Generative AI in Project Management
Prompt Engineering Certification
SRE Certification Course
Devsecops Practitioner Certification
AIOPS Foundation Certification
ISO 9001:2015 Lead Auditor Training and Certification
ITIL4 Specialist Monitor Support and Fulfil Certification
SRE Foundation and Practitioner Combo
Generative AI webinar
Leadership Excellence Webinar
Certificate Of Global Leadership Excellence
SRE Webinar