Amazon Computer Services
Amazon Virtual Private Cloud (Amazon VPC)
Amazon Virtual Private Cloud is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2), and it allows us to build our own virtual network within AWS. We control various aspects of our Amazon VPC, including selecting our IP address range; creating our subnets; and configuring our route tables, network gateways, and security settings. Within a region, we can create multiple Amazon VPCs, and each Amazon VPC is logically isolated from the others even if they share the same IP address space.
When we create an Amazon VPC, we must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be modified after the Amazon VPC is generated.
An Amazon VPC address range can be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses). It should not overlap any other network to which it is to be connected.
Components of VPC
The components of VPC are as follows:
Subnets
A subnet is a segment of an Amazon VPC's IP address range in which we can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources. Subnets are represented by CIDR blocks (for example, 10.0.1.0/24 and 192.168.0.0/24).
The smallest subnet that we can create is a /28 (16 IP addresses). AWS reserves the first four IP addresses and the last IP address of each subnet for internal networking purposes. For example, a subnet defined as a /28 has 16 addresses; subtracting the 5 reserved by AWS leaves 11 IP addresses for our use within the subnet.
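The addressing rules in the paragraphs above (a VPC block between /16 and /28, five reserved addresses in every subnet, no overlap with any network the VPC will be connected to) are easy to get wrong when planning by hand. The following Python example, which uses only the standard library `ipaddress` module, checks a constructed VPC plan against those rules. It is an added example, not code from AWS or from the original page; the CIDR blocks and the limit constants are sample values taken from the text, not from any real account.

```python
import ipaddress

# Limits quoted in the text above, assumed here as constants for the example
VPC_LARGEST_PREFIX = 16       # /16 -> 65,536 addresses
SMALLEST_PREFIX = 28          # /28 -> 16 addresses; smallest VPC block and smallest subnet
AWS_RESERVED_PER_SUBNET = 5   # first four addresses plus the last one in every subnet


def parse_ipv4_block(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string; strict=True rejects blocks with host bits set (e.g. 10.0.1.5/24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 blocks are handled in this example")
    return net


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """A VPC block must be between /16 and /28 inclusive."""
    net = parse_ipv4_block(cidr)
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC block must be between /16 and /28")
    return net


def reserved_addresses(subnet_cidr: str) -> list[str]:
    """The five addresses AWS keeps out of every subnet: the first four and the last."""
    net = parse_ipv4_block(subnet_cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for our own resources once the AWS reservations are removed."""
    net = parse_ipv4_block(subnet_cidr)
    if net.prefixlen > SMALLEST_PREFIX:
        raise ValueError(f"{subnet_cidr}: subnets smaller than /28 are not allowed")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def overlapping_pairs(cidrs: list[str]) -> list[tuple[str, str]]:
    """Every pair of blocks that share at least one address; an empty list means no overlap."""
    nets = [parse_ipv4_block(c) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def plan_is_valid(vpc_cidr: str, subnet_cidrs: list[str]) -> bool:
    """True when the VPC block is legal, every subnet is at least a /28 and lies
    inside the VPC block, and no two subnets overlap each other."""
    vpc = validate_vpc_cidr(vpc_cidr)
    nets = [parse_ipv4_block(c) for c in subnet_cidrs]
    if any(n.prefixlen > SMALLEST_PREFIX for n in nets):
        return False
    if not all(n.subnet_of(vpc) for n in nets):
        return False
    return not overlapping_pairs(subnet_cidrs)


if __name__ == "__main__":
    # Constructed sample plan, not taken from any real account
    vpc = "10.0.0.0/16"
    subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/28"]
    for s in subnets:
        print(f"{s}: {usable_addresses(s)} usable, reserved {reserved_addresses(s)}")
    print("plan valid:", plan_is_valid(vpc, subnets))
    # A network we might want to connect to, but which overlaps the VPC block
    print("overlap with 10.0.0.0/20:", overlapping_pairs([vpc, "10.0.0.0/20"]))
```

`overlapping_pairs` is the check to run before peering, VPN or Direct Connect work: feed it the VPC block together with every CIDR on the other side and it returns the conflicting pairs, which cannot be fixed later because the VPC range is immutable once created.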
Subnets can be typed as public, private, or VPN-only.
A public subnet is one in which the related route table directs the subnet’s traffic to the Amazon VPC’s IGW.
A private subnet is one in which the related route table does not direct the subnet’s traffic to the Amazon VPC’s IGW.
A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's virtual private gateway (VPG) and does not have a route to the IGW.
Route Tables
A route table is a logical construct within an Amazon VPC that contains a set of rules (known as routes) applied to a subnet to decide where network traffic is directed. A route table's routes are what allow Amazon EC2 instances in different subnets of an Amazon VPC to communicate with each other.
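The three subnet types above are defined purely by the route table that applies to the subnet, so the classification can be derived from the tables themselves. The Python example below does that for a constructed set of route tables and subnet associations; it is an added example, not code from AWS or from the original page. It assumes the target id prefixes `igw-` (Internet gateway) and `vgw-` (virtual private gateway), and that a subnet without an explicit association uses the VPC's main route table; the table, subnet and gateway ids are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR the route matches, e.g. "0.0.0.0/0" or "10.0.0.0/16"
    target: str        # "local", an IGW id ("igw-..."), a VPG id ("vgw-..."), etc.


@dataclass
class RouteTable:
    table_id: str
    routes: list[Route]
    main: bool = False  # assumption: the main table applies to every subnet with no explicit association


def classify_route_table(table: RouteTable) -> str:
    """Map a route table to the subnet type it implies, using the definitions in the text:
    any route to an IGW -> public; a route to a VPG but none to an IGW -> vpn-only; otherwise private."""
    targets = [r.target for r in table.routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def classify_subnets(tables: list[RouteTable], associations: dict[str, str],
                     subnet_ids: list[str]) -> dict[str, str]:
    """associations maps subnet id -> route table id; unassociated subnets fall back to the main table."""
    by_id = {t.table_id: t for t in tables}
    main = next(t for t in tables if t.main)
    result = {}
    for subnet in subnet_ids:
        table = by_id.get(associations.get(subnet, ""), main)
        result[subnet] = classify_route_table(table)
    return result


def internet_exposed_subnets(tables: list[RouteTable], associations: dict[str, str],
                             subnet_ids: list[str]) -> list[str]:
    """Subnets whose effective route table reaches an IGW: the ones to review first in an audit."""
    kinds = classify_subnets(tables, associations, subnet_ids)
    return sorted(s for s, kind in kinds.items() if kind == "public")


# Constructed sample data; ids mimic the AWS formats but belong to no real account
SAMPLE_TABLES = [
    RouteTable("rtb-main0001", [Route("10.0.0.0/16", "local")], main=True),
    RouteTable("rtb-public01", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0example1")]),
    RouteTable("rtb-vpn00001", [Route("10.0.0.0/16", "local"), Route("172.16.0.0/12", "vgw-0example2")]),
]
SAMPLE_ASSOCIATIONS = {"subnet-web": "rtb-public01", "subnet-onprem": "rtb-vpn00001"}
SAMPLE_SUBNETS = ["subnet-web", "subnet-onprem", "subnet-db"]  # subnet-db has no association

if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_TABLES, SAMPLE_ASSOCIATIONS, SAMPLE_SUBNETS).items():
        print(f"{subnet}: {kind}")
    print("exposed:", internet_exposed_subnets(SAMPLE_TABLES, SAMPLE_ASSOCIATIONS, SAMPLE_SUBNETS))
```

The `local` route that every table carries is what the text refers to when it says routes let instances in different subnets of the VPC talk to each other; it is deliberately ignored by the classifier, which only looks at routes leaving the VPC. Note that the main-table fallback matters in practice: a subnet we never explicitly associated inherits whatever the main table says, so a stray IGW route added to the main table makes every unassociated subnet public.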
Internet Gateways (IGWs)
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that enables communication between instances in our Amazon VPC and the Internet. An IGW provides a target in our Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
Dynamic Host Configuration Protocol (DHCP) Option Sets
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration data to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters, such as the domain name, the domain name server, and the NetBIOS node type.
AWS automatically creates and associates a DHCP option set for our Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to Amazon Provided DNS) and domain-name (defaulted to the domain name for our region). Amazon Provided DNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC’s IGW.
Elastic IP Addresses (EIPs)
AWS maintains a pool of public IP addresses in each region and makes them available for us to associate with resources inside our Amazon VPCs. An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that we can allocate to our account (pull from the pool) and release (return to the pool). EIPs allow us to maintain a set of IP addresses that remain fixed while the underlying infrastructure changes over time.
Elastic Network Interfaces (ENIs)
An Elastic Network Interface (ENI) is a virtual network interface that we can attach to an instance in an Amazon VPC. ENIs are only available inside an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is the primary address.
Attaching a second network interface to an instance via an ENI makes it dual-homed (it has a network presence in two different subnets). An ENI created independently of a specific instance persists regardless of the lifetime of any instance to which it is attached; if the underlying instance fails, the IP address can be preserved by attaching the ENI to a replacement instance.
Amazon VPC Endpoints
An Amazon VPC endpoint enables us to create a private connection between our Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect.
We can create multiple endpoints for a single service, and we can use different route tables to enforce different access policies from different subnets to the same service.