Introducing Amazon Vpc

Introducing Amazon VPC

AWS Physical Infrastructure

AWS Cloud infrastructure resides in data centers containing thousands of servers built into racks. Each rack has network routers and switches to route traffic.

Data Centers: Grouped together in Availability Zones (AZs)
Availability Zones: Connected with single digit millisecond latency network
- AZs are grouped together in an AWS Region
- Code for an AZ is its Region code followed by a letter identifier (e.g., us-east-1a)
- Made up of one or more data centers with redundant power, networking, and connectivity
AWS Regions: Separate geographic areas located in countries
- Latency between AWS Regions is 10s of milliseconds
- Each Region has at least three isolated and physically separate AZs

AWS Account Resource Isolation

When you request a new AWS account, network resources are dedicated to the account. An AWS account spans across AWS Regions and contains a default virtual, software defined network in each public accessible Region - called an Amazon Virtual Private Cloud (Amazon VPC).

VPC Characteristics:
- Belongs to one Region and can span multiple AZs
- Logically isolated from other virtual networks in the AWS cloud and the internet
- Can’t be accessed unless you add configuration to allow access
AWS Services Integration:
- Services like Amazon EC2 and Amazon RDS operate inside a VPC
- Can connect to AWS serverless services like AWS Lambda and Amazon CloudWatch (operate outside customer VPC)

Amazon Virtual Private Cloud

Amazon VPC is a programmatically defined, logically isolated virtual network similar to a traditional data center network. Key characteristics include:

Region-specific: Belongs to one Region
Customizable: Control traffic flow to and from the VPC
IP Address Sizing: Sized by a range of private IP addresses called a CIDR block

VPC CIDR Block Specifications

Maximum IPv4 VPC size: /16 netmask with 65,536 IP addresses
Minimum IPv4 VPC size: /28 netmask with 16 IP addresses
IP Version Options: IPv4 only or dual stack (both IPv4 and IPv6 CIDR blocks)
IPv6 Benefits: Large address space (128 bits vs 32 bits), better speed performance due to no NAT

Important Effective early 2024, there will be a per hour cost for all public IPv4 addresses, whether attached to a service or not.

VPC Route Tables and Subnets

After creating the VPC, a VPC automatically comes with a router using a VPC main route table containing routing rules called routes.

Main Route Table

Default Route: Destination 10.0.0.0/16 with target “local” (allows VPC internal communication)
Cannot be deleted: This default route is permanent

Subnets

A subnet is a container for routing policies and belongs to one AZ. Each subnet:

Is a segment of the VPC’s IP address range
Should be significantly smaller than the VPC
Cannot have overlapping CIDR blocks

Public Subnets

To isolate resources requiring internet access, create a public subnet with an associated internet gateway.

Internet Gateway

Purpose: Allows communication between VPC resources and the internet
Characteristics: Horizontally scaled, redundant, and highly available
Functions:
- Provides target in VPC route tables for internet-routable traffic
- Performs NAT for instances with public IPv4 addresses

Public Subnet Configuration

Create EC2 instance with public IP address in the public subnet
Create public subnet route table with route destination 0.0.0.0/0 targeting the internet gateway ID
Requirement: EC2 instance must have a public IP address for internet reachability

Elastic IP Addresses

An Elastic IP address is a static and public IPv4 address that can be associated with an EC2 instance.

Transfer Capability: Can be transferred to a new, healthy EC2 instance if original instance health deteriorates
Cost Structure:
- No cost for first Elastic IP address associated with running EC2 instance
- Cost incurred for additional Elastic IP addresses or when instance is stopped
- Hourly cost if detached from instance and not associated with another

Private Subnets

For resources that shouldn’t be accessible from the internet, define a VPC private subnet.

Isolation: All resources aren’t reachable from internet and don’t have direct access to internet
Route Table: Custom route table recommended for every subnet
Default Behavior: When subnet doesn’t have explicit routing table, main VPC route table is used

NAT for Private Subnet Internet Access

When private subnet resources need internet connectivity while remaining private:

NAT Gateway (AWS Managed)

Recommended: AWS managed service with better availability and bandwidth
Cost: Incurs hourly cost
Resilience: Deploy NAT gateway in each AZ for multi-AZ resilience

NAT Instance (Customer Managed)

Alternative: Customer-created NAT device on EC2 instance
Cost: Incurs EC2 costs
Administration: Requires more customer effort

IPv6 Private Subnets

Use egress-only internet gateway to allow outbound IPv6 communication while preventing inbound IPv6 connections.

Subnet Selection Guidelines

Database Instances

Private subnet - No direct internet access needed

Batch Processing

Private subnet - Background processing doesn’t require internet exposure

Web Applications

Public or private subnet - Can be public or private behind load balancer (AWS recommends private with load balancer)

NAT Gateway/Instance

Public subnet - Must have internet gateway access

Amazon VPC provides programmatically defined, logically isolated virtual networking with flexible subnet configurations for public and private resource placement. NAT gateways enable secure internet access for private subnet resources while maintaining isolation from inbound internet traffic.