In this post, I will give you a walkthrough of Amazon Virtual Private Cloud (AWS VPC) that can help you understand how to implement AWS VPC and how to do that in relation to your infrastructure. AWS VPC is one of the most popular and widely used services of Amazon Web Services. This is generally because Amazon VPC is mostly related to the security concepts in the cloud and access to the data inside a third-party data center. AWS VPC is a private subsection of AWS in which you can
place AWS resources such as EC2 instances and databases. You have full control over who has access to the resources that you place inside the AWS Virtual Private Cloud. Overview
- Virtual Private Cloud (VPC) is a logically isolated network from another virtual network in the AWS cloud where you can launch the AWS resources.
- It gives all the benefits of the traditional network
that you have for your own data center.
- Resources and applications are accessed through IPv4 or IPv6 in your AWS VPC.
- It gives the benefit of scalable infrastructure in the AWS environment.
- It gives you complete control over your virtual network.
- EC2 Instance security group membership can be changed while it is running.
- Static IPv4 assigned to Instances that persist across the start and stop.
- Create a layered network of resources.
- A single-tenant hardware option is available to run
EC2 Instances.
- Access Control List (ACL) is an additional security layer to protect Instances.
- Multiple IPv4 can be assigned to your Instances.
- Control both inbound and outbound traffic of Instances.
- Multiple network interfaces can be attached to EC2 Instances.
Components of AWS Virtual Private Cloud- Route Table: In AWS Virtual Private Cloud, route Tables are the set of rules, that are used to determine where the network traffic has to be directed. Route table specifies the destination (IP address)
and target (where do want to send the traffic of that destination). The target can be Internet gateway, NAT gateway, Virtual private gateway, VPC peering connection, etc
- Subnet: It is a portion of the network that shares a common address component. All devices whose addresses have the same prefix are in the same subnet. For example, all those devices whose IP address would start with 172.31.1 would be part of the same subnet. There are two types of subnets. Private
Subnet where resources are not exposed to the outside world and Public Subnet where resources are exposed to the internet through Internet Gateway.
- Security Groups: Security groups are a set of firewall rules that controls the traffic for your instance. In Amazon Firewall the only action that can be carried out is allowed. You cannot create a rule to deny. The destination is always the instance on which the service security group is
running. You can have a single security group associated with multiple instances.
- NAT Gateway: Network Address Translation (NAT) Gateway is used when higher bandwidth, availability with lesser administrative effort is required. NAT gateway always resides inside the public subnet of an Availability Zone. It updates the route table of the private subnet such that it sends the traffic to the NAT gateway. Elastic IP must be attached to the NAT gateway while creating. It
supports only TCP, UDP, and ICMP protocols.
- VPC Peering: A VPC peering connection allows you to route traffic between two Virtual Private Cloud’s using IPv4 or IPv6 private addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. A VPC peering connection helps you to facilitate the transfer of data
- Network
Access Control Lists (NACL): an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. The default network ACL is configured to allow all traffic to flow in and out of the subnets to which it is associated.
- Virtual Private Gateway: A virtual private gateway is
the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.
- Customer Gateway: An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC (virtual private cloud). A customer gateway is an anchor on your side of that connection. It can be a physical or software appliance.
- Elastic IP: It is a static IP
address that never changes and is a reserved public IP address that can be assigned to any Instance in a particular region. An elastic IP is reserved for your AWS account and is yours until you release it.
- Network Interface: Network Interface is a point of connection between a public and a private network. Every instance has a default network interface, called the primary network interface. Network traffic is automatically shifted to the new instance if you move it
from one instance to the other.
- VPC Endpoints: VPC endpoints allow private connection between your AWS VPC and other AWS services without using the internet. VPC endpoint devices are scaled, redundant, and highly available VPC components. There are two types of AWS Virtual Private Cloud endpoints Interface endpoints and Gateway Endpoints.
Best Practices For Securing Your AWS
VPC ImplementationRunning a machine with mission-critical workloads requires multiple layers of security. Amazon Virtual Private Cloud can be secured like your on-premises data center by following some of these useful tips: - Amazon Web Services marketplace offers you a web application firewall, a firewall virtual appliance, and a few other tools which you can use to secure your Amazon VPC.
- To secure your protocols from unauthorized access you can configure
intrusion detection systems and intrusion prevention virtual appliances.
- With the help of Configure Privileged Identity access management, you can audit and monitor Administrator access to your VPC.
- For transferring information securely between Amazon VPC among diverse regions or Amazon VPC to an on-premises data center, you can easily configure a Site-to-Site VPN.
- Another option to transfer information securely is to use AWS Transfer for Secure File Transfer
Protocol (AWS SFTP). With AWS SFTP, you use VPC endpoints and avoid using public IP addresses or going through the internet. In addition, VPC endpoints for AWS SFTP leverage security functionality via AWS private link, which provides private connections between your VPCs and AWS services.
Read: AWS RAM – Resource Access Manager AWS VPC PricingAmazon VPC
Traffic Mirroring Pricing If you choose to enable traffic mirroring on Elastic Network Interface (ENI) of Amazon EC2 instances, you will be charged hourly for each ENI that is enabled with traffic mirroring. If you no longer wish to be charged for traffic mirroring, simply disable traffic mirroring on EC2 instance ENIs using the AWS Management Console, command-line interface, or API. The hourly price per ENI is :
$0.015 NAT Gateway Pricing - NAT Gateway Hourly Charge: NAT Gateway is charged on an hourly basis. For this region, the rate is $0.045 per hour.
- NAT Gateway Data Processing Charge: 1 GB of data went through NAT gateway. The NAT Gateway Data Processing charge is applied and will result in a charge of
$0.045.
- Data Transfer Charge: This is the standard EC2 Data Transfer charge. 1 GB of data was transferred from the EC2 instance to S3 via the NAT gateway. There was no charge for the data transfer from the EC2 instance to S3 as it is Data Transfer Out to Amazon EC2 to S3 in the same region.
AWS VPN pricing If you create an AWS Site-to-Site VPN connection to your Amazon VPC, you are charged for each VPN connection-hour i.e.
$0.05 per Site-to-Site VPN connection per hour AWS provides a number of efficient, secure connectivity options to help you get the most out of AWS when integrating your remote networks with Amazon VPC. AWS Virtual Private Cloud enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional
network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS. - Overview of Amazon Web Services & Concept
- AWS Management Console Walkthrough
Next Task For YouIn our AWS Solution Architect Associate training program, we will cover how to Create a Custom VPC in detail and 30 other
Hands-On Labs. If you want to begin your journey towards becoming an AWS Certified Solution Architect Associate by checking our
FREE CLASS
Which VPC controls inbound and outbound traffic?
AWS Security group is like a virtual firewall within a VPC that acts at the instance level and not at a subnet level. Security groups have a set of rules to allow/disallow incoming/outgoing traffic to an instance.
What should you use to control traffic in and out of EC2 instances?
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups.
What is inbound and outbound in VPC?
Inbound means incoming traffic coming to your EC2 instances.
Outbound means outgoing traffic from your EC2 instances.
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose.
| 
