[Lesson overview: Amazon VPC and its components: Internet Gateway, Route Tables, NAT Gateway, Security Groups, Network ACLs, VPC subnets and Elastic IPs]
Amazon VPC Definition
[Diagram: Default VPC 172.31.0.0/16 in a Region, with an Internet Gateway attached. Default Subnet 1 (172.31.0.0/20, Availability Zone A) holds an EC2 instance with private IP 172.31.0.5 and public IP 203.0.113.17; Default Subnet 2 (172.31.16.0/20, Availability Zone B) holds an EC2 instance with private IP 172.31.16.5 and public IP 203.0.113.23. Both subnets reach the VPC router and use the Main Route Table.]
Main Route Table
Destination     Target
172.31.0.0/16   local
0.0.0.0/0       igw-id
Amazon VPC is a component of which AWS service?
a. Compute
b. Analytics
c. Networking
d. Databases
Answer: c. Networking
Amazon Virtual Private Cloud (Amazon VPC) allows you to launch Amazon Web Services (AWS)
resources into a virtual network that you've defined.
Amazon VPC
Using Virtual Private Clouds in AWS
Default Amazon VPC
[Diagram: a preconfigured default VPC in a Region, spanning Availability Zone 1 and Availability Zone 2]
Default Amazon VPC (contd.)
The CIDR (Classless Inter-Domain Routing) block for a default VPC is always a /16 netmask, for example,
172.31.0.0/16.
[Diagram: Default VPC 172.31.0.0/16 (65,536 private IP addresses) in a Region; Default Subnet 2 (172.31.16.0/20, Availability Zone B) holds an EC2 instance with both a private and a public IP address]
Custom VPC
The default VPC is great for launching
[Diagram: a custom VPC with an Internet Gateway and a VPN-only subnet containing database servers 10.0.0.5, 10.0.0.6 and 10.0.0.7, routed through the Main Route Table and the VPC router; VPN Connections terminate at Customer Gateways on the Customer Networks in Los Angeles and Miami]
VPC Peering
VPC Peering - A peering connection allows you to route traffic between two VPCs using private IP addresses, so EC2 instances in either network can communicate directly with each other. The two VPCs must have non-overlapping CIDR blocks, each side needs a route to the other VPC's CIDR that targets the peering connection, and peering is not transitive: VPC A peered with both B and C does not let B and C talk to each other. Security groups and network ACLs still apply to peered traffic.
[Diagram: VPC A (192.16.0.0/16) peered with VPC B (10.0.0.0/16) and with VPC C (192.168.0.0/16)]
Default VPC Deletion
If you delete the default VPC, AWS does not recreate it automatically; you have to create a new default VPC yourself (the "Create default VPC" action in the VPC console, or the CreateDefaultVpc API: aws ec2 create-default-vpc) or contact AWS Support to have it restored.
Demo 1: Creating a custom VPC
Demonstrate how to create a custom VPC.
What is attached to the default VPC?
Options shown: Availability Zone, Internet Gateway
Answer: Internet Gateway
The default VPC has an Internet Gateway (IGW) attached and its main route table sends 0.0.0.0/0 to that IGW, so every default subnet is public, that is, it has Internet access. The default subnets also auto-assign public IPv4 addresses, so any EC2 instance launched into the default VPC gets both a private and a public IP address unless you disable that setting.
Why would you create a custom VPC?
Options shown: To save money, To make allowances for cases where you delete the default VPC
Answer: neither of the distractors above; you create a custom VPC to customize your virtual network.
Creating a custom VPC lets you customize your virtual network by defining your own IP address range, creating both private and public subnets, and tightening your security settings (for example, keeping database servers in subnets that have no route to the Internet).
IP Addresses
Using IP Addresses in Amazon VPC
Private IP Addresses
A private IP address is not reachable over the Internet. It is used for communication between instances in the same network. When you launch a new instance, it is given a private IP address from its subnet's range and an internal DNS host name that resolves to that private IP address.
[Diagram: two instances with private IP addresses 10.0.0.1 and 10.0.0.2]
Public IP Addresses
A public IP address is reachable from the Internet. You can use public IP addresses for communication between
your instances and the Internet.
Elastic IP Addresses
An Elastic IP address is a static public IPv4 address allocated to your account. It persists until you release it and can be associated with and disassociated from your instances as required, so a replacement instance can keep the same public address. Once released, the address may be allocated to another AWS account, so remove any DNS records that point at it first: a stale record pointing at an address you no longer hold lets someone else answer for your hostname.
Demo 2: Creating an Elastic IP Address
Demonstrate how to create an Elastic IP Address.
When is an Elastic IP address released from your account?
Answer: c. It remains in your account until you choose to release it; until then it can be associated with and disassociated from your instances as required.
Subnets
Using subnets in Amazon VPC
Subnet Definition
Subnets
[Diagram: two subnets, 172.31.0.0/20 and 172.31.16.0/20]
Subnet Diagram
A VPC can span multiple Availability Zones, but a subnet is always mapped to a single Availability Zone.
[Diagram: Amazon Route 53 and a Load Balancer in front of a VPC; a public subnet and a private subnet, each in its own Availability Zone; the Internet reaches only the public subnet]
Answer: d. A subnet can only be mapped to one Availability Zone, and a default subnet is always a /20, which provides 4,096 addresses per subnet. AWS reserves five of them in every subnet (the first address as the network address, the next for the VPC router, the next for the Amazon DNS server, one more for future use, and the last address as the broadcast address), leaving 4,091 for your instances.
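The address arithmetic behind these subnet and peering statements, as an added Python example that is not part of the original lesson. It uses only the standard-library ipaddress module; the 172.31.0.0/16 VPC carved into /20s is the slide's own default VPC, while the 10.x and 192.168.x blocks are constructed inputs. It enforces the /16 to /28 size limit, subtracts the five reserved addresses and names them, carves a VPC into equal subnets, flags subnets that fall outside the VPC or overlap each other, and applies the non-overlap rule that VPC peering requires.

```python
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses and the last address of every subnet.
RESERVED_PER_SUBNET = 5
# Allowed block size for a VPC or a subnet: /16 (largest) down to /28 (smallest).
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28


def validate_block(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR and reject sizes AWS will not accept for a VPC or subnet."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /{LARGEST_PREFIX} and /{SMALLEST_PREFIX}")
    return net


def is_valid_block(cidr: str) -> bool:
    """True if validate_block accepts the CIDR."""
    try:
        validate_block(cidr)
        return True
    except ValueError:
        return False


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for instances after AWS takes its five per subnet."""
    return validate_block(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """The five addresses you cannot assign in a subnet, by role."""
    net = validate_block(subnet_cidr)
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns": str(base + 2),
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[str]:
    """Split a VPC block into equal subnets, as the default VPC splits 172.31.0.0/16 into /20s."""
    vpc = validate_block(vpc_cidr)
    if not vpc.prefixlen <= new_prefix <= SMALLEST_PREFIX:
        raise ValueError(f"/{new_prefix} subnets do not fit {vpc_cidr} or are smaller than /{SMALLEST_PREFIX}")
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def check_layout(vpc_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return layout problems: subnets outside the VPC, then pairs of subnets that overlap."""
    vpc = validate_block(vpc_cidr)
    subnets = [validate_block(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """VPC peering requires the two VPCs' CIDR blocks not to overlap."""
    return not validate_block(vpc_a).overlaps(validate_block(vpc_b))
```

The strict parse matters in practice: "172.31.0.1/20" is rejected because it names a host, not a block, which is the same complaint the VPC console gives when a subnet CIDR is mistyped.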
Internet Gateways
Using Internet Gateways in Amazon VPC
Internet Gateway Definition
Internet Gateway Diagram
To allow your VPC the ability to connect to the Internet, you need to attach an Internet Gateway.
[Diagram: a Region containing a VPC with a public subnet and a private subnet in separate Availability Zones; an Internet gateway connects the public subnet to the Internet]
Internet Gateway Requirements
Answer: b. An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. Attaching one to your VPC is not enough on its own: Internet access also requires that the subnet's route table has a route for 0.0.0.0/0 whose target is the IGW, that the instance has a public IPv4 or Elastic IP address, and that its security group and the subnet's network ACL allow the traffic.
Route Tables
Using Route Tables in Amazon VPC
Route Table Overview
[Diagram: a VPC subnet in an Availability Zone with its associated route table]
A route table contains a set of rules, called routes, which are used to determine where network traffic is directed. When several routes match a destination, the most specific one (the longest prefix) wins.
Answer: c. Every VPC has a main route table, and any subnet you do not explicitly associate with a route table uses it. It is good practice to leave the main route table in its original state and create custom route tables for subnets that need different routes, for example a public subnet with a 0.0.0.0/0 route to the Internet Gateway.
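A longest-prefix route lookup and the public/private/NAT classification that follows from it, as an added Python example that is not code from the lesson. The main route table is the one drawn in the default VPC diagram; the private-subnet table and its target ids (pcx-id, nat-id) are assumptions for illustration. The reachability helper folds in the Internet Gateway requirements from the previous section: an IGW route helps only when the instance also has a public IP, and a NAT route gives outbound-only access. Security groups and network ACLs are checked separately and are not modelled here.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # one row of a route table: (destination CIDR, target)

# Main route table of the default VPC, exactly as drawn in the earlier diagram.
MAIN_ROUTE_TABLE: List[Route] = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "igw-id"),
]

# Assumed table for a private subnet (placeholder ids, not real resources): one peered VPC is
# reached over a peering connection and everything else Internet-bound goes to a NAT gateway.
PRIVATE_ROUTE_TABLE: List[Route] = [
    ("172.31.0.0/16", "local"),
    ("10.0.0.0/16", "pcx-id"),
    ("0.0.0.0/0", "nat-id"),
]

# A table with only the local route: instances can talk inside the VPC and nowhere else.
ISOLATED_ROUTE_TABLE: List[Route] = [("172.31.0.0/16", "local")]


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Choose a target the way the VPC router does: the most specific matching prefix wins.

    Returns None when nothing matches, which in a VPC means the packet is dropped.
    """
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table: List[Route]) -> bool:
    """AWS calls a subnet public when its route table sends 0.0.0.0/0 to an Internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-") for cidr, target in route_table)


def internet_reachability(route_table: List[Route], has_public_ip: bool) -> str:
    """Summarise Internet access for an instance in a subnet that uses this table.

    'inbound+outbound': IGW route plus a public/Elastic IP, so the instance is reachable from outside.
    'outbound-only'   : default route to a NAT gateway; the instance can initiate but not accept.
    'none'            : no usable default route, or an IGW route without a public IP (the IGW has
                        no public address to translate to, so replies never come back).
    Security groups and network ACLs must still allow the traffic; they are not modelled here.
    """
    target = lookup(route_table, "198.51.100.1")   # any Internet destination will do (TEST-NET-2)
    if target is None or target == "local":
        return "none"
    if target.startswith("igw-"):
        return "inbound+outbound" if has_public_ip else "none"
    if target.startswith("nat-"):
        return "outbound-only"
    return "none"   # peering, VPN or other targets do not lead to the Internet
```

The 10.0.0.0/16 row in the private table shows the longest-prefix rule at work: a packet for 10.0.0.7 matches both it and 0.0.0.0/0, and the /16 wins, so it goes over the peering connection rather than out through NAT.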
NAT Devices
Using NAT devices in Amazon VPC
NAT Devices Overview
You can use a Network Address Translation (NAT) device to let instances in a private subnet connect to the Internet or to other AWS services, while preventing the Internet from initiating connections to those instances.
[Diagram: traffic from the private subnet flows out through the NAT device to the Internet; connections from the Internet cannot reach in]
NAT Devices Overview (contd.)
You can connect a database in a private subnet to other AWS resources (for example, to fetch patches or call AWS APIs) by sending its subnet's 0.0.0.0/0 traffic to a NAT device that sits in a public subnet. NAT only masquerades outbound connections; for AWS services themselves, a VPC endpoint keeps that traffic off the Internet entirely.
[Diagram: a VPC in a Region with two private subnets in different Availability Zones; the private subnets use a custom route table whose default route points to the NAT device, while the main route table serves the rest of the VPC]
NAT Gateway versus NAT Instance
AWS provides two kinds of NAT devices: a NAT gateway (managed by AWS) or a NAT instance (an EC2 instance that you run and patch yourself, with source/destination checking disabled so it can forward packets).
[Diagram: NAT Gateway and NAT instance in the AWS cloud]
NAT Gateway
A NAT Gateway must be launched into a public subnet.
[Diagram: NAT Gateway]
Answer: d. AWS recommends a NAT Gateway as it is a managed service that provides better availability and bandwidth than NAT instances. Each NAT gateway is created in a specific Availability Zone and implemented with redundancy within that zone only, so for zone-independent architectures create a NAT gateway in each Availability Zone and route each private subnet to the gateway in its own zone. A NAT gateway has no security group of its own; control its traffic with the instances' security groups and the subnet's network ACL.
What does a NAT Gateway require to function properly?
Answer: b. A NAT Gateway must be launched into a public subnet (one whose route table sends 0.0.0.0/0 to the Internet Gateway) and have an Elastic IP address, because it needs Internet connectivity. The private subnets then need a route for 0.0.0.0/0 whose target is the NAT gateway.
Security Groups
Using Security Groups in Amazon VPC
Security Groups Overview
“A security group acts as a virtual firewall that controls the traffic for one or more instances. You
add rules to each security group that allow traffic to or from its associated instances.”
Security Group Diagram
Security Groups control what traffic can reach the instances that reside in the VPC, and what traffic may leave them. They are attached to the instance's network interface, not to the subnet.
[Diagram: a VPC in a Region with private subnets in two Availability Zones, a NAT device, a custom route table and the main route table; security groups wrap the individual instances]
Security Groups for Webservers
Let's take a look at some examples:
The webserver needs to receive traffic from the Internet on the HTTP and HTTPS ports.
Web server security group, inbound rules:
Type   Protocol  Port  Source      Effect
HTTP   TCP       80    0.0.0.0/0   allow
HTTPS  TCP       443   0.0.0.0/0   allow
All other inbound traffic is implicitly denied: a security group has no deny rules, and anything not explicitly allowed is dropped.
Security Groups for Database Servers
Let's take a look at a database server security group.
Database server security group, inbound rules:
Type        Protocol  Port  Source                            Effect
SQL Server  TCP       1433  the web servers' security group   allow
RDP         TCP       3389  the administrators' address range allow
All other inbound traffic is implicitly denied.
The database rules should never use 0.0.0.0/0 as the source. Referencing the web tier's security group instead of an address range means only the web servers can open database connections, and RDP should be reachable only from an administrative address range or a bastion host.
Security Groups Rules
Demo 7: Creating a Security Group
Demonstrate how to create a Security Group.
Which of the following statements about Security Groups is NOT true?
Answer: b. Security groups are stateful: for any request that comes from your instance, the response traffic for that request is automatically allowed to flow in regardless of what inbound security group rules have been configured, and likewise replies to allowed inbound requests are allowed out. They are also allow-only, so there are no deny rules, and a rule's source can be another security group instead of a CIDR range.
Network ACL
Using Network ACLs in Amazon VPC
Network ACL Overview
You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Network ACL Overview (contd.)
A Network ACL is placed between the route table and the subnet: it filters traffic as it enters and leaves the subnet, before any security group sees it.
[Diagram: VPC 10.0.0.0/16 with a public subnet in an Availability Zone, a NAT device, a custom route table, security groups on the instances, the VPC router, a Virtual Private Gateway and an Internet Gateway. The default network ACL, which allows everything, has the same inbound and outbound rules:]
Rule #  Type         Protocol  Port Range  Source/Destination  Allow/Deny
100     All traffic  All       All         0.0.0.0/0           ALLOW
*       All traffic  All       All         0.0.0.0/0           DENY
Network ACL Rules
A subnet can only be associated with one ACL. However, an ACL can be associated with multiple subnets.
An ACL contains a list of numbered rules which are evaluated in order, starting with the lowest. The first rule that matches decides, and the final "*" rule denies anything not explicitly allowed.
ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic, and vice versa. In practice this means an outbound rule for the ephemeral port range (1024-65535) is needed for replies to reach clients; without it the connection hangs even though the inbound rule allowed the request.
Demo 8: Network ACL Overview
Demonstrate where to look for Network ACL settings.
Which of the following statements about Network ACLs is NOT true?
Options shown:
A subnet can only be associated with one ACL; however, an ACL can be associated with multiple subnets.
An ACL contains a list of numbered rules which are evaluated in order, starting with the highest.
Answer: c. The second statement is the false one: an ACL contains a list of numbered rules which are evaluated in order, starting with the lowest.
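A small simulator of the two filters, as an added Python example that is not part of the lesson, covering the security group answer earlier (stateful, allow-only) and the network ACL rules just above (stateless, numbered, lowest first). The web server address 172.31.0.5 and the HTTPS rule are from the slides; the client address 198.51.100.10, the ports and the SSH rules are constructed test data. The same HTTPS request and its reply are pushed through a security group that has no outbound rule, through a network ACL that copies the security group's rules verbatim (the reply is dropped), and through a fixed ACL with an ephemeral-port outbound rule; two ACLs with identical SSH rules but different numbers show why a DENY must be numbered below the ALLOW it is meant to override.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample traffic: an Internet client (TEST-NET-2 address) talking to the slides' web server.
CLIENT, CLIENT_PORT = "198.51.100.10", 51515
WEB, HTTPS = "172.31.0.5", 443


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    direction: str = "in"   # "in" = towards the instance/subnet, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str             # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str              # remote range: source for "in" rules, destination for "out" rules
    action: str = "ALLOW"  # NACLs may DENY; security groups can only ALLOW
    number: int = 0        # NACL evaluation order, lowest first; unused by security groups


def _matches(rule: Rule, pkt: Packet) -> bool:
    """Direction, protocol, the packet's destination port and the remote address must all match."""
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule.direction == pkt.direction
            and rule.proto in ("all", pkt.proto)
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Instance level, allow-only, stateful: a reply to a tracked flow is accepted without any rule."""

    def __init__(self, rules: List[Rule]):
        if any(r.action != "ALLOW" for r in rules):
            raise ValueError("security groups have no deny rules")
        self.rules = rules
        self.flows: Set[Tuple] = set()   # stands in for the connection-tracking table

    def evaluate(self, pkt: Packet) -> bool:
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:        # return traffic for a flow we already allowed
            return True
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add(forward)
            return True
        return False                     # implicit deny


class NetworkAcl:
    """Subnet level, stateless: numbered rules, lowest first, first match wins, then the '*' DENY."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> bool:
        for r in self.rules:
            if _matches(r, pkt):
                return r.action == "ALLOW"
        return False


def https_roundtrip(filt) -> Tuple[bool, bool]:
    """Push one HTTPS request and its reply through a filter; return (request_allowed, reply_allowed)."""
    request = Packet(CLIENT, CLIENT_PORT, WEB, HTTPS, direction="in")
    reply = Packet(WEB, HTTPS, CLIENT, CLIENT_PORT, direction="out")
    return filt.evaluate(request), filt.evaluate(reply)


def ssh_from(src_ip: str, nacl: NetworkAcl) -> bool:
    """Inbound SSH from src_ip through a NACL, to show that rule numbers decide precedence."""
    return nacl.evaluate(Packet(src_ip, 40000, WEB, 22, direction="in"))


# Web server security group from the slides: HTTPS in from the Internet; deliberately no outbound rule.
WEB_SG = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])

# A NACL that copies those rules verbatim drops the reply (its destination port 51515 is not 443).
NACL_BROKEN = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
                          Rule("out", "tcp", 443, 443, "0.0.0.0/0", number=100)])

# Fixed: replies leave towards ephemeral destination ports, so outbound 1024-65535 must be allowed.
NACL_FIXED = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
                         Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])

# Same two SSH rules, different numbers: the DENY only works when it is evaluated before the ALLOW.
NACL_DENY_FIRST = NetworkAcl([Rule("in", "tcp", 22, 22, "203.0.113.0/24", action="DENY", number=90),
                              Rule("in", "tcp", 22, 22, "0.0.0.0/0", number=100)])
NACL_DENY_TOO_LATE = NetworkAcl([Rule("in", "tcp", 22, 22, "0.0.0.0/0", number=100),
                                 Rule("in", "tcp", 22, 22, "203.0.113.0/24", action="DENY", number=110)])
```

https_roundtrip(WEB_SG) returns (True, True) with no outbound rule at all, while https_roundtrip(NACL_BROKEN) returns (True, False): the request is admitted and the reply is silently dropped, which is exactly the "connection hangs" symptom a stateless ACL produces when only the inbound side was copied from a security group.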
Amazon VPC Best Practices
Overview of Amazon VPC recommended best practices
VPC Best Practices
1. Choose CIDR blocks carefully: a VPC's primary range cannot be changed after creation and must not overlap with networks you will connect to by VPN or peering.
2. Use private subnets for resources that should not be reachable from the Internet, such as database servers.
3. Tier security groups: tiering security groups (for example web, application and database tiers) inside the VPC improves operations and management for large-scale deployments.
4. Standardize security group naming conventions: it avoids manual errors and leaks, and saves cost and time.
Amazon VPC Costs
If you create a hardware VPN Connection to your VPC using a Virtual Private Gateway, you are charged for each "VPN Connection-hour" that your VPN connection is provisioned and available.
[Diagram: VPN Connections from Customer Gateways on the Customer Networks in Los Angeles, Chicago and Miami]
Amazon VPC Costs (contd.)
If you create a NAT gateway in your VPC, you are charged for each "NAT Gateway-hour" that your NAT gateway is provisioned and available, plus a per-gigabyte charge for the data it processes.
Using the concepts learned in this lesson, recreate the custom VPC as shown in the demonstrations.
Key Takeaways
• Amazon's definition of a VPC: "Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS."
• A private IP address is not reachable over the Internet; it is used for communication between instances in the same network.
• A public IP address is reachable from the Internet. You can use public IP addresses for communication between your instances and the Internet.
• An Elastic IP address is a static public IP address allocated to your account. Unlike an auto-assigned public IP, it persists when an instance is stopped and started, and it stays yours until you release it.
Key Takeaways (contd.)
• AWS defines a subnet as a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. A subnet is always mapped to a single Availability Zone. You can use a public subnet for resources that must be connected to the Internet and a private subnet for resources that won't be connected to the Internet.
• To allow your VPC the ability to connect to the Internet, you need to attach an Internet Gateway. You can only attach one IGW per VPC.
• A route table determines where network traffic is directed. It does this by defining a set of rules.
• Every subnet has to be associated with a route table and a subnet can only be associated with one route table; however, multiple subnets can be associated with the same route table.
• You can use a NAT device to enable instances in a private subnet to connect to the Internet or other AWS services. However, it will prevent the Internet from initiating connections with the instances.
Key Takeaways (contd.)
• A security group acts as a virtual firewall that controls the traffic for one or more instances.
• You add rules to each security group that allows traffic to or from its associated instances.
• A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for
controlling traffic in and out of one or more subnets.
1. What is the minimum subnet size you can have?
a. /16
b. /10
c. /28
d. /24
Answer: c. /28
Explanation: The allowed block size for a VPC or a subnet is between a /28 netmask and a /16 netmask. In other words, a block can contain from 16 to 65,536 IP addresses (five of which AWS reserves in every subnet).
2. In a custom VPC, you created three subnets. Can they communicate with each other by default?
a. Yes
b. No
Answer: a. Yes
Explanation: By default all subnets in a VPC can communicate with each other, because every route table carries a local route for the VPC's CIDR block that cannot be removed. Security groups and network ACLs can still block that traffic.
3. What aspect of a VPC is stateful?
a. Security Groups
b. Network ACLs
c. Elastic IP Addresses
d. NAT Gateways
Answer: a. Security Groups
Explanation: Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Network ACLs are stateless and need explicit rules in both directions.
4. Which of the following routes do you need to add to allow your subnet Internet access?
Answer: a route with destination 0.0.0.0/0 and the Internet Gateway (igw-id) as its target.
Explanation: You need a route that sends all traffic not destined for the VPC itself (0.0.0.0/0) to the Internet Gateway.
5. What is the default limit for VPCs in an AWS Region?
Options shown: 10, Unlimited
Answer: 5 VPCs per Region
Explanation: By default you can have five VPCs per Region. If you need more, request a quota increase through Service Quotas or AWS Support.
This concludes the lesson “Amazon VPC.”