Amazon VPC lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC.
You can customize the network configuration for your VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place backend systems such as databases or application servers in a private subnet with no direct Internet access. You can use multiple layers of security (see below) to control access to the EC2 instances in each subnet.
Amazon VPC provides security features such as security groups and network ACLs, which filter inbound and outbound traffic at the instance (network interface) level and at the subnet level respectively. You can also store data in S3 and restrict a bucket so that it is reachable only from instances in your VPC (a VPC endpoint for S3 together with a bucket policy that checks the endpoint ID). You may also launch Dedicated Instances, which run on hardware dedicated to a single customer, for additional isolation.
You can connect your VPC to the Internet, to your datacenter, or to other VPCs, depending on which AWS resources you want to expose publicly and which you want to keep private. For example, you can create a hardware VPN connection (AWS Site-to-Site VPN) between your corporate datacenter and your VPC and use the AWS cloud as an extension of your corporate datacenter.
You can create a VPC quickly and easily using the AWS Management Console.
Important Terms and Concepts
Route Table
Each route table holds a set of routes that decide where traffic leaving a subnet is sent. A route is chosen by the most specific (longest prefix) match, and every table contains an unremovable local route for the VPC's own CIDR block.
A subnet's route table is what makes it public or private: a subnet is public if its table has a route (normally 0.0.0.0/0) to an internet gateway, and private if it has no such route (a private subnet can still reach the Internet outbound through a NAT gateway).
When a subnet is created it is implicitly associated with the VPC's main route table. You can create your own route tables and explicitly associate subnets with them; keep the main table private so that a newly created subnet is not public by accident.
Default VPC
AWS creates a default VPC in every region when your account is created.
Its subnets are associated with a route table that has a route to an internet gateway, so all of them are public. You can change this.
EC2 instances launched into it get both a public and a private IP address by default. You can change this.
You can delete the default VPC. It can be recreated with the EC2 CreateDefaultVpc action (aws ec2 create-default-vpc); you no longer need to contact AWS Support for this.
VPC Peering
VPC peering connects two VPCs over a direct network route using private IP addresses, without traversing the Internet. The two VPCs must not have overlapping CIDR blocks.
You can also peer VPCs that belong to different AWS accounts, and VPCs in different regions.
Peering is point to point: each pair of VPCs that needs to communicate gets its own peering connection, and both VPCs need a route to the other's CIDR via that connection. Peering is not transitive: if A is peered with B and B with C, A cannot reach C through B.
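The two ideas above (longest-prefix route selection deciding whether a subnet is public, and peering being non-transitive) are easy to get wrong in an exam or a design review, so here is a small model of them in Python. This is an added example written for this page, not code from AWS or from the original post; the VPC IDs, CIDR blocks, gateway and peering connection IDs are made up, and each VPC is given a single route table for brevity (a real VPC associates a route table per subnet).

```python
"""Added example: model VPC route-table lookup and non-transitive peering.
All IDs and CIDRs below are hypothetical."""
import ipaddress

# Hypothetical VPCs, each with one route table. CIDRs do not overlap, as peering requires.
VPCS = {
    "vpc-a": {"cidr": "10.0.0.0/16", "routes": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw-a"),      # default route to an internet gateway: public subnet
        ("10.1.0.0/16", "pcx-ab"),   # peer VPC B
        ("10.2.0.0/16", "pcx-ab"),   # attempt to reach VPC C through B (will not work)
    ]},
    "vpc-b": {"cidr": "10.1.0.0/16", "routes": [
        ("10.1.0.0/16", "local"),
        ("10.0.0.0/16", "pcx-ab"),
        ("10.2.0.0/16", "pcx-bc"),
    ]},
    "vpc-c": {"cidr": "10.2.0.0/16", "routes": [
        ("10.2.0.0/16", "local"),
        ("10.1.0.0/16", "pcx-bc"),   # no route back to VPC A at all
    ]},
}

# Each peering connection joins exactly two VPCs.
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-bc": ("vpc-b", "vpc-c")}


def lookup_route(routes, dst):
    """Return the target of the most specific (longest prefix) route matching dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(routes):
    """A subnet is public when its route table has a route to an internet gateway."""
    return any(target.startswith("igw-") for _, target in routes)


def reachable(src_vpc, dst_ip):
    """Where a packet from src_vpc to dst_ip is delivered: a VPC ID, a gateway ID, or None if dropped."""
    target = lookup_route(VPCS[src_vpc]["routes"], dst_ip)
    if target is None:
        return None                      # no matching route: the packet is dropped
    if target == "local":
        return src_vpc
    if target.startswith("pcx-"):
        a, b = PEERINGS[target]
        peer = b if a == src_vpc else a
        # A peering connection only delivers traffic addressed to the peer VPC's own CIDR.
        # It never forwards through the peer to a third VPC: peering is not transitive.
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPCS[peer]["cidr"]):
            return peer
        return None
    return target                        # igw-/nat-/vgw-: traffic leaves the VPC via that gateway


if __name__ == "__main__":
    print("vpc-a public:", is_public_subnet(VPCS["vpc-a"]["routes"]))   # True
    print("vpc-b public:", is_public_subnet(VPCS["vpc-b"]["routes"]))   # False
    print("A -> B:", reachable("vpc-a", "10.1.2.3"))                    # vpc-b
    print("A -> C via B:", reachable("vpc-a", "10.2.2.3"))              # None (not transitive)
```

Note that the route from VPC A to 10.2.0.0/16 is accepted by the model, just as the console accepts it, and the traffic is still dropped; the same is true in AWS.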
VPC Flow Logs
VPC Flow Logs capture metadata about the IP traffic to and from the network interfaces in your VPC: source and destination address and port, protocol, packet and byte counts, and whether the traffic was accepted or rejected by your security groups and network ACLs. A flow log can be created for a whole VPC, a subnet or a single network interface and delivered to CloudWatch Logs or S3; in the console, select the VPC, open Actions and create the flow log. Flow logs record aggregated flows per capture window, not packet payloads, and some traffic is never logged (for example DNS queries to the Amazon-provided resolver and instance metadata requests), so they complement rather than replace host-level logging.
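To show what you actually get out of a flow log, here is a parser for the default (version 2) record format with a simple detection on top: flag any source whose REJECTed flows touch many distinct destination ports, which is what a port scan against an instance looks like from the VPC's point of view. This is an added example, not part of the original post or of any AWS tooling; the log lines, account ID and ENI ID are constructed for illustration.

```python
"""Added example: parse default-format VPC Flow Log records and flag port probing.
Sample records are constructed; the account and interface IDs are fake."""
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()

# Constructed sample: one external host probing TCP ports 20-35 on an instance (all
# rejected), one legitimate HTTPS flow in both directions, and a NODATA record.
_probe = [f"2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 {49152 + i} {20 + i} 6 1 44 "
          f"1700000000 1700000060 REJECT OK" for i in range(16)]
SAMPLE_LOG = "\n".join(_probe + [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51000 443 6 20 4300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 443 51000 6 18 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
])


def parse_record(line):
    """Split one record into a dict, converting numeric fields to int.
    Returns None for NODATA/SKIPDATA records, which carry '-' instead of addresses."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def find_scanners(log_text, min_ports=10):
    """Return {srcaddr: sorted dst ports} for sources whose REJECTed flows
    hit at least min_ports distinct destination ports."""
    rejected_ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in rejected_ports.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} ports: {ports[0]}-{ports[-1]}")
```

Because a network ACL or security group REJECT shows up as its own record, counting rejected destination ports per source is cheap and works on the default format without any custom fields. A realistic deployment would run this against records from CloudWatch Logs or S3 and raise the threshold to suit the traffic.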
VPCs and ELB
You can create ELBs with custom VPCs.
When configuring an ELB, you select one subnet in each Availability Zone to which the load balancer should route traffic.
Even if your instances are in a single AZ, AWS recommends selecting at least two subnets in two AZs so that the load balancer itself is highly available.
Additional Points (Exam Tips)
- VPCs cannot span regions, but can span AZs.
- Each subnet is mapped to one AZ and cannot span AZs.
- Route tables, security groups and network ACLs are VPC-wide: a route table or network ACL can be associated with several subnets in different AZs, and a security group can be attached to instances in any subnet of the VPC.
- You can assign a custom IP address range (a CIDR block carved from the VPC's range) to each subnet.
- You can launch instances into a subnet of your choice.
- You can create an internet gateway and attach it to the VPC.
- A VPC can have only one internet gateway attached.
- You can have 5 VPCs per region by default (a soft limit that can be raised).
- Security groups are stateful (the reply to allowed traffic is allowed automatically), while network ACLs are stateless (return traffic must be explicitly allowed, typically by an outbound rule for the ephemeral port range); see security notes.
- Enabling auto-assign public IP (Subnets > Subnet Actions) automatically requests a public IP address for instances launched into that subnet. The setting can be overridden when launching an instance.
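The stateful/stateless distinction in the list above is the one that bites in practice, so here is a small evaluator for network ACL rules that shows it. Rules are checked in rule-number order and the first match decides; because the ACL keeps no connection state, the reply to an allowed inbound request has to be allowed by an outbound rule on the client's ephemeral port, or it is dropped. This is an added example, not code from the original post or from AWS; the rule sets and addresses are hypothetical.

```python
"""Added example: first-match network ACL evaluation and the ephemeral-port pitfall.
Rule sets and addresses are made up for illustration."""
import ipaddress

# Linux clients typically use 32768-60999; AWS recommends allowing 1024-65535 on the
# NACL so that all client operating systems and NAT gateways are covered.
EPHEMERAL = (1024, 65535)


def nacl_decision(rules, cidr_key, ip, port, proto="tcp"):
    """Evaluate rules in ascending rule-number order; the first match wins.
    If nothing matches, the implicit final rule (*) denies the traffic."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = rule["ports"]
        if (rule["proto"] in (proto, "all") and lo <= port <= hi
                and ipaddress.ip_address(ip) in ipaddress.ip_network(rule[cidr_key])):
            return rule["action"]
    return "deny"


def inbound_request_and_reply(inbound, outbound, client_ip, client_port, server_port):
    """A NACL sees the request and its reply as two unrelated packets.
    Returns (decision for the inbound request, decision for the outbound reply)."""
    request = nacl_decision(inbound, "src", client_ip, server_port)
    reply = nacl_decision(outbound, "dst", client_ip, client_port)
    return request, reply


# Common mistake: allow HTTPS in and only HTTPS out. The reply to the client goes
# to the client's ephemeral port (e.g. 51000), matches no outbound rule, and is dropped.
BROKEN_INBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "src": "0.0.0.0/0", "action": "allow"},
]
BROKEN_OUTBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "dst": "0.0.0.0/0", "action": "allow"},
]

# Fix: add an outbound rule for the ephemeral range. Rule numbers are spaced out so
# that a more specific rule can be inserted in front later.
FIXED_OUTBOUND = BROKEN_OUTBOUND + [
    {"rule": 110, "proto": "tcp", "ports": EPHEMERAL, "dst": "0.0.0.0/0", "action": "allow"},
]

# NACLs, unlike security groups, can deny: a low-numbered deny for a noisy source
# is evaluated before the broad allow on rule 100.
BLOCKLISTED_INBOUND = [
    {"rule": 90, "proto": "all", "ports": (0, 65535), "src": "203.0.113.0/24", "action": "deny"},
] + BROKEN_INBOUND


if __name__ == "__main__":
    print("broken:", inbound_request_and_reply(BROKEN_INBOUND, BROKEN_OUTBOUND,
                                               "198.51.100.7", 51000, 443))   # ('allow', 'deny')
    print("fixed: ", inbound_request_and_reply(BROKEN_INBOUND, FIXED_OUTBOUND,
                                               "198.51.100.7", 51000, 443))   # ('allow', 'allow')
    print("blocked:", inbound_request_and_reply(BLOCKLISTED_INBOUND, FIXED_OUTBOUND,
                                                "203.0.113.5", 51000, 443)[0])  # deny
```

A security group needs none of this: it tracks connections, so a reply to traffic its inbound rules allowed is let out regardless of the outbound rules. That is also why the same HTTPS-only outbound rule that breaks a NACL is harmless on a security group.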
Abbreviations:
VPN = Virtual Private Network
VPC = Virtual Private Cloud
ACL = Access Control List
- heartin's blog