22. Networking and Content Delivery - AWS VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

You can easily customize the network configuration for your VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems, such as databases or application servers, in a private-facing subnet with no Internet access. You can leverage multiple layers of security (including security groups and network access control lists) to help control access to EC2 instances in each subnet.

Additionally, you can create a hardware virtual private network (VPN) connection between your corporate data center and your VPC and leverage the AWS Cloud as an extension of your corporate data center.

VPC Components

• Subnets
• segment of an VPC’s IP address range to launch EC2 instances, Amazon RDS databases, and other AWS resources.
• smallest subnet is a /28 (or 16 IP addresses).
• AWS reserves first four IP addresses and the last IP address of every subnet for internal networking purposes.
• Route tables
• A logical construct within VPC having set of rules (or routes) applied to subnet and used to determine where network traffic is directed.
• With route table EC2 instances in different subnets in a VPC to communicate with each other.
• Route table has default route called local route, to communication within Amazon VPC, and this route cannot be modified or removed.
• Dynamic Host Configuration Protocol (DHCP) option sets –
• DHCP passes configuration information to hosts on a TCP/IP network like domain name, domain name server, and the netbios-node-type.
• AWS automatically creates and associates a DHCP option set for the Amazon VPC upon creation and sets two options:
• domain-name-servers (defaulted to AmazonProvidedDNS)
• domain-name (defaulted to the domain name for your region).
• AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC’s IGW.
• Security groups
• A virtual statefull firewall controlling inbound and outbound network traffic to AWS resources and EC2 instances.
• All Amazon EC2 instances must be launched into a security group.
• If not specified at launch, then instance will be in default security group for VPC, which allows communication between all resources within security group, allows all outbound traffic, and denies all other traffic.
• Network Access Control Lists (ACLs)
• Acts as stateless firewall on a subnet level.
• A numbered list of rules that AWS evaluates in order, starting with lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
• Amazon VPCs have modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic.