
Virtual Private Cloud (VPC)

Launch Configuration (Tenancy vs VPC Tenancy)

In AWS, launching instances involves configuring tenancy options, which determine the placement of instances on physical hardware within the infrastructure. The tenancy attribute of the VPC controls the instance tenancy.

| Launch Configuration Tenancy | VPC Tenancy = Default | VPC Tenancy = Dedicated |
|---|---|---|
| Null | Shared | Dedicated |
| Default | Shared | Dedicated |
| Dedicated | Dedicated | Dedicated |

Amazon VPC Console Wizard Configurations

The Amazon VPC console provides several wizard configurations for setting up VPCs tailored to specific needs:

  • VPC with public/private subnets
  • VPC with public/private subnets and AWS Site-to-Site VPN access
  • VPC with a single public subnet
  • VPC with a private subnet only and AWS Site-to-Site VPN access

VPC Traffic Mirroring

VPC Traffic Mirroring allows the capture and inspection of network traffic within a VPC. Key features include:

  • Capturing and routing traffic to managed security appliances.
  • Specifying source and target Elastic Network Interfaces (ENIs) or Network Load Balancers (NLBs).
  • Configuring the capture of all packets or specific packets of interest.
  • Supporting source and target configurations within the same or different VPCs through VPC peering.

Direct Connect Gateways

Direct Connect Gateways enable connections to multiple VPCs across different AWS regions.

Virtual Private Gateway

  • Serves as the VPN connector on the AWS side of a VPN connection.
  • Attached to the VPC to establish site-to-site VPN connections.
  • Essential for setting up AWS Direct Connect.

AWS VPN (AWS Site-to-Site VPN)

  • Establishes an ongoing VPN connection between on-premises data centers (customer gateway) and Amazon VPC (Virtual Private Gateway - VGW).
  • Uses IPsec to create encrypted tunnels, ensuring secure network connectivity.
  • Quick to configure; suitable for immediate needs with low to modest bandwidth requirements.
  • Requires configuring the VGW and the Customer Gateway and enabling Route Propagation in the associated route tables.

Transit VPC

Transit VPC leverages customer-managed EC2 VPN instances in a dedicated transit VPC with an Internet Gateway (IGW). Considerations include:

  • Data transfer costs for traffic traversing the VPC and for traffic from the transit VPC to on-premises or to other AWS regions.
  • AWS Transit Gateway is a cost-effective, lower-maintenance alternative.

VPC Peering

VPC Peering establishes a private connection between two VPCs over AWS's network, so that they behave as if they were on the same network. Key points include:

  • Peered VPCs must not have overlapping CIDRs.
  • Connectivity is not transitive: each pair of VPCs that needs to communicate requires its own peering connection.
  • Update the route tables of each VPC's subnets so that EC2 instances on both sides can communicate.
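
The two constraints above (no overlapping CIDRs, non-transitive connectivity) and the route-table update they require can be checked before touching the console. The following Python is an added example, not code from the original notes or from AWS: it uses a constructed VPC inventory (the `vpc-`/`pcx-` ids and CIDR ranges are made-up sample values) and the standard-library `ipaddress` module. The route dictionaries it emits use the `DestinationCidrBlock` and `VpcPeeringConnectionId` parameter names of the EC2 CreateRoute API; everything else is the example's own naming.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: VPC id -> its CIDR blocks (primary plus any secondary).
# The ids and ranges are made-up sample values for this example.
VPCS = {
    "vpc-aaaa1111": ["10.0.0.0/16"],
    "vpc-bbbb2222": ["10.1.0.0/16", "100.64.0.0/20"],
    "vpc-cccc3333": ["10.0.128.0/17"],  # overlaps vpc-aaaa1111, so it cannot peer with it
}


def overlapping_cidrs(vpcs, vpc_a, vpc_b):
    """Return every (cidr_a, cidr_b) pair that overlaps between the two VPCs."""
    clashes = []
    for a in vpcs[vpc_a]:
        for b in vpcs[vpc_b]:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                clashes.append((a, b))
    return clashes


def plan_peering(vpcs, vpc_a, vpc_b, pcx_id):
    """Routes each side must add so that its subnets reach the peer via the peering.

    Dict keys match the CreateRoute API parameters. Raises ValueError on overlap,
    because AWS refuses a peering between VPCs whose CIDRs overlap.
    """
    clashes = overlapping_cidrs(vpcs, vpc_a, vpc_b)
    if clashes:
        raise ValueError(f"{vpc_a} and {vpc_b} have overlapping CIDRs: {clashes}")
    return {
        vpc_a: [{"DestinationCidrBlock": c, "VpcPeeringConnectionId": pcx_id}
                for c in vpcs[vpc_b]],
        vpc_b: [{"DestinationCidrBlock": c, "VpcPeeringConnectionId": pcx_id}
                for c in vpcs[vpc_a]],
    }


def full_mesh_peerings(vpcs):
    """Peering is not transitive: any-to-any reach between n VPCs needs one
    connection per pair (n*(n-1)/2 in total). Returns the pairs that can be
    peered and the pairs that are blocked by overlapping CIDRs."""
    ok, blocked = [], []
    for a, b in combinations(sorted(vpcs), 2):
        (blocked if overlapping_cidrs(vpcs, a, b) else ok).append((a, b))
    return ok, blocked


if __name__ == "__main__":
    print(plan_peering(VPCS, "vpc-aaaa1111", "vpc-bbbb2222", "pcx-0123"))
    print(full_mesh_peerings(VPCS))
```

`full_mesh_peerings` makes the non-transitivity cost visible: three VPCs already need three peering connections, and the pair that overlaps cannot be peered at all, which is the point at which a Transit Gateway (next section but one) becomes the simpler design.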

AWS Transit Gateway (Shared Services VPC)

AWS Transit Gateway enables transitive peering among thousands of VPCs and on-premises data centers, working on a hub-and-spoke model. Additional features include:

  • A regional resource that can be connected across multiple regions.
  • Compatible with Direct Connect and VPN connections.
  • Supports IP multicast, a unique feature not found in other AWS services.
  • Site-to-site VPN ECMP for increased bandwidth.

AWS VPN CloudHub

AWS VPN CloudHub connects multiple sites with individual VPN connections over the public internet. Key considerations:

  • Suitable for a hub-and-spoke model providing primary and secondary network connectivity between different locations.
  • Requires VPN connections to a Virtual Private Gateway (VGW).
  • Traffic between the customer gateways and AWS VPN CloudHub is encrypted.

```mermaid
flowchart TD
    A{VPC-VGW}
    A --> B[Customer N via Customer Gateway]
    A --> C[Customer N + 1 via Customer Gateway]
    A --> D[Customer N + 2 via Customer Gateway]
    B --> A
    C --> A
    D --> A
```

Internet Gateway (IGW)

An Internet Gateway (IGW) enables resources within a VPC to connect to the internet via a route table. Key features include:

  • Horizontally scalable and redundant.
  • Each IGW is attached to a single VPC; the VPC's route tables must be edited to allow internet access.
  • Instances in a private subnet cannot use it directly; they need a NAT instance or NAT gateway in a public subnet.
  • Acts as a NAT for instances assigned public IPv4 addresses.

NAT Gateway

NAT Gateway, used in a public subnet, enables instances in a private subnet to initiate outbound IPv4 traffic to the internet or other AWS services. Key characteristics include:

  • Fully managed by AWS; tied to a specific AZ/subnet.
  • Uses Elastic IP; requires an Internet Gateway (IGW).
  • No Security Group association; cannot be used by EC2 instances in the same subnet.

NAT Instance

NAT Instance, also used in a public subnet, facilitates outbound IPv4 traffic from private subnet instances. Notable features include:

  • Managed by the user, involving software, patches, etc.
  • Tied to a specific AZ/subnet; requires disabling source/destination check on EC2.
  • Uses Elastic IP; route tables must be configured for traffic from private subnets.
  • Requires Security Group management.
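
The route-table rules from the three sections above (an IGW as the default route makes a subnet public; a NAT gateway or NAT instance as the default route makes it private; a NAT gateway must itself sit in a public subnet and cannot serve instances in its own subnet) can be audited mechanically. The following Python is an added example, not code from the original notes or from AWS. It walks constructed data shaped like the EC2 DescribeRouteTables response (the `RouteTableId`, `Associations`, `Routes`, `DestinationCidrBlock`, `GatewayId`, `NatGatewayId` and `InstanceId` keys are the real response fields; the ids themselves are made up) plus a made-up NAT-gateway-to-subnet map of the kind DescribeNatGateways would give, and reports the misplacements.

```python
# Constructed sample in the shape of a trimmed EC2 DescribeRouteTables response.
# All resource ids are made-up values for this example.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    # Misconfigured: the NAT gateway this subnet routes through lives in the subnet itself.
    {"RouteTableId": "rtb-broken", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bad"}]},
]

# Constructed: NAT gateway id -> subnet it was created in (what DescribeNatGateways reports).
NAT_GATEWAYS = {"nat-0def": "subnet-pub-a", "nat-0bad": "subnet-priv-b"}


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to (kind, default-route target).

    kind is 'public' (IGW), 'private-natgw', 'private-natinstance', 'isolated'
    (no 0.0.0.0/0 route) or 'other' (some target this example does not model).
    """
    result = {}
    for rtb in route_tables:
        default = next((r for r in rtb["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            kind, target = "isolated", None
        elif str(default.get("GatewayId", "")).startswith("igw-"):
            kind, target = "public", default["GatewayId"]
        elif "NatGatewayId" in default:
            kind, target = "private-natgw", default["NatGatewayId"]
        elif "InstanceId" in default:
            kind, target = "private-natinstance", default["InstanceId"]
        else:
            kind, target = "other", default
        for assoc in rtb["Associations"]:
            if "SubnetId" in assoc:  # the main-table association carries no SubnetId
                result[assoc["SubnetId"]] = (kind, target)
    return result


def audit_nat_placement(route_tables, nat_gateways):
    """Findings for NAT gateways that are not in a public subnet, and for subnets
    whose default route points at a NAT gateway located in that same subnet."""
    findings = []
    subnets = classify_subnets(route_tables)
    for nat_id, nat_subnet in nat_gateways.items():
        kind, _ = subnets.get(nat_subnet, ("unassociated", None))
        if kind != "public":
            findings.append(f"{nat_id} sits in {nat_subnet}, which is not a public subnet ({kind})")
    for subnet, (kind, target) in subnets.items():
        if kind == "private-natgw" and nat_gateways.get(target) == subnet:
            findings.append(f"{subnet} routes 0.0.0.0/0 to {target}, which is located in the same subnet")
    return findings


if __name__ == "__main__":
    for subnet, (kind, target) in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet}: {kind} via {target}")
    for line in audit_nat_placement(ROUTE_TABLES, NAT_GATEWAYS):
        print("FINDING:", line)
```

The same classifier also exposes the IGW point above: a subnet whose default route is an IGW is public whether or not that was intended, so any subnet the page would call "private" should come back as `private-natgw`, `private-natinstance` or `isolated`, never `public`.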

NAT Gateway vs NAT Instance

| | NAT Gateway | NAT Instance |
|---|---|---|
| Availability | Highly available within AZ | Managed by user, script for failover |
| Bandwidth | Up to 45 Gbps | Depends on EC2 instance type |
| Maintenance | Managed by AWS | Managed by user, including updates |
| Cost | Per hour usage and data transferred | Per hour usage, EC2 instance type/size, network costs |
| Public IPv4 | Yes | Yes |
| Private IPv4 | Yes | Yes |
| Elastic IP | Yes | Yes |
| Security Groups | No | Yes |
| Bastion Host | No | Yes |
| Port Forwarding | No | Yes |

VPC Endpoint

VPC Endpoints, built on AWS PrivateLink, allow connections to AWS services over a private network rather than the public internet. Key features include:

  • Redundant and scalable architecture.
  • Eliminates the need for an Internet Gateway (IGW) and NAT Gateway (NATGW).
  • Two types: Interface Endpoints (ENI-based, supports most AWS services) and Gateway Endpoints (provisions a gateway for S3 and DynamoDB).
  • Gateway Endpoints are preferred for cost efficiency.

VPC Flow Logs

VPC Flow Logs capture information about the IP traffic reaching network interfaces, aiding in monitoring and troubleshooting connectivity issues. Important points include:

  • Flow Logs can be delivered to S3 or CloudWatch Logs.
  • Capture network information from AWS-managed interfaces, such as ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, and Transit Gateway.
  • Querying with Athena (on S3) or CloudWatch Logs Insights is effective for troubleshooting Security Group (SG) and Network Access Control List (NACL) issues.
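
The SG-versus-NACL troubleshooting mentioned in the last bullet rests on one fact: Security Groups are stateful, so the reply to a flow an SG accepted can never be rejected by that SG; NACLs are stateless, so they can. Applied to flow-log records, a REJECT whose reverse flow was ACCEPTed on the same interface points at a NACL, while an inbound REJECT with no accepted counterpart could be either. The following Python is an added example, not code from the original notes or from AWS: it parses records in the default flow-log format (version 2, the 14 space-separated fields in the order shown in `FIELDS`) and applies that heuristic to a few constructed log lines (made-up account, interface id and addresses from documentation ranges).

```python
# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (made-up account/ENI ids, RFC 5737 documentation addresses).
# Line 1: SSH from the internet into 10.0.1.20 is accepted.
# Line 2: the reply from 10.0.1.20 back to the client is rejected.
# Line 3: an RDP attempt is rejected with no accepted counterpart.
# Line 4: a NODATA record, which carries no flow at all.
SAMPLE_LOG = """
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 45123 22 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.10 22 45123 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 52000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; drop malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom formats or truncated lines are not handled here
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows have no addresses or action
        records.append(rec)
    return records


def flow_key(rec):
    """5-tuple identifying the flow in the direction the record describes."""
    return (rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"], rec["protocol"])


def reverse_key(rec):
    """5-tuple of the opposite direction, i.e. the reply traffic."""
    return (rec["dstaddr"], rec["dstport"], rec["srcaddr"], rec["srcport"], rec["protocol"])


def diagnose(records):
    """For every REJECT, say whether it must be a NACL or could be either control.

    A rejected flow whose reverse direction was accepted cannot have been blocked
    by a stateful SG, so only a NACL explains it. Any other REJECT is ambiguous.
    """
    accepted = {flow_key(r) for r in records if r["action"] == "ACCEPT"}
    findings = []
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        verdict = "NACL" if reverse_key(rec) in accepted else "SG or NACL"
        findings.append((flow_key(rec), verdict))
    return findings


if __name__ == "__main__":
    for key, verdict in diagnose(parse_flow_log(SAMPLE_LOG)):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} proto {key[4]}: REJECT, likely {verdict}")
```

The heuristic is one-directional on purpose: it only ever upgrades a verdict to "NACL" when the evidence is conclusive. The query a practitioner would run in Athena or Logs Insights is the same join of `action = 'REJECT'` rows against the reversed 5-tuple of `action = 'ACCEPT'` rows on the same interface.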

Bastion Host/Server

A Bastion Host is an EC2 instance that serves as a gateway for SSH access to private EC2 instances. Key considerations:

  • Placed in a public subnet that is connected to the private subnets.
  • Its Security Group must be tightly configured, allowing only port 22 (SSH) access.
  • Can be implemented on a NAT instance for additional functionality.
  • The SG of the private instances must allow access from the Bastion Host's SG or its private IP.
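
The two Security Group rules above (the bastion's own SG admits only port 22; the private instances' SGs admit SSH only from the bastion's SG or its private IP) are easy to drift from over time, so they are worth auditing. The following Python is an added example, not code from the original notes or from AWS. It checks constructed group definitions shaped like the EC2 DescribeSecurityGroups response (`GroupId`, `IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`/`CidrIp` and `UserIdGroupPairs`/`GroupId` are the real field names; the ids, CIDRs and the bastion's private IP are made up). As an extra check beyond the page's bullets it also flags a bastion rule that admits port 22 from 0.0.0.0/0.

```python
# Constructed values for the example: the bastion's SG id and private IP.
BASTION_SG = "sg-bastion"
BASTION_PRIVATE_IP = "10.0.0.5"

# Constructed sample in the shape of a trimmed EC2 DescribeSecurityGroups response.
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    # Misconfigured: SSH reachable from anywhere, bypassing the bastion.
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def _covers_ssh(perm):
    """True if an inbound permission admits TCP port 22 (explicitly or via 'all traffic')."""
    if perm["IpProtocol"] == "-1":
        return True  # all protocols and ports, FromPort/ToPort are absent in this case
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]


def audit_bastion_sg(sg):
    """The bastion's SG may contain nothing but tcp/22, and not from 0.0.0.0/0."""
    findings = []
    for perm in sg["IpPermissions"]:
        is_ssh_only = (perm["IpProtocol"] == "tcp"
                       and perm.get("FromPort") == 22 and perm.get("ToPort") == 22)
        if not is_ssh_only:
            findings.append(f"{sg['GroupId']}: inbound rule other than tcp/22: "
                            f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}")
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] == "0.0.0.0/0":
                findings.append(f"{sg['GroupId']}: inbound open to 0.0.0.0/0")
    return findings


def audit_private_sg(sg, bastion_sg, bastion_ip):
    """Every source that can reach port 22 must be the bastion's SG or its private IP /32."""
    findings = []
    for perm in sg["IpPermissions"]:
        if not _covers_ssh(perm):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_sg:
                findings.append(f"{sg['GroupId']}: SSH allowed from group {pair['GroupId']}")
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] != f"{bastion_ip}/32":
                findings.append(f"{sg['GroupId']}: SSH allowed from {rng['CidrIp']}")
    return findings


def audit_all(groups, bastion_sg, bastion_ip):
    """Run the right audit for each group; returns {GroupId: [findings]}."""
    report = {}
    for sg in groups:
        if sg["GroupId"] == bastion_sg:
            report[sg["GroupId"]] = audit_bastion_sg(sg)
        else:
            report[sg["GroupId"]] = audit_private_sg(sg, bastion_sg, bastion_ip)
    return report


if __name__ == "__main__":
    for group, findings in audit_all(SECURITY_GROUPS, BASTION_SG, BASTION_PRIVATE_IP).items():
        print(group, "OK" if not findings else findings)
```

Referencing the bastion's SG rather than its private IP is the more robust of the two options the page lists: the rule survives the bastion being replaced with a new instance, whereas a /32 rule has to be rewritten whenever the private IP changes.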

Egress-only Internet Gateway

Similar to a NAT Gateway but for IPv6, the Egress-only Internet Gateway allows outbound IPv6 connections while preventing inbound connections from the internet. Setting it up requires updating the route tables.

AWS CloudHSM

AWS CloudHSM provides dedicated HSM services for secure key generation, storage, and management, meeting various compliance requirements. Notable features include:

  • Dedicated to a VPC, used for decryption/encryption in databases and data warehouses.
  • Accessible only within a VPC.