An AWS Virtual Private Cloud (VPC) is a virtual network dedicated to your AWS account and logically isolated from other networks.
A VPC can span multiple Availability Zones, but only within a single region.
A VPC comes with a route table, subnets and security controls: network ACLs (NACLs) and security groups. There are also many value-added features such as VPC peering, NAT, IPv6 support and more. Let's talk about each.
A VPC must have a range of IP addresses, specified as a CIDR (Classless Inter-Domain Routing) block.
The allowed block sizes for a VPC are:
- /28 netmask (smallest: 2^4 = 16 IP addresses)
- /16 netmask (largest: 2^16 = 65,536 IP addresses)
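As an added example (not from the original notes), the following Python uses the standard library's `ipaddress` module to enforce the /16 to /28 limit above, compute the address count of a block, and check that a set of subnets fits inside the VPC block without overlapping. The reserved-address count of five per subnet is AWS behaviour that the notes do not mention; the function and constant names are this example's own.

```python
import ipaddress
from itertools import combinations

# AWS limits (from the notes above): a VPC block may be no larger than /16
# and no smaller than /28.
VPC_LARGEST_PREFIX = 16
VPC_SMALLEST_PREFIX = 28

# AWS reserves the first four and the last address of every subnet
# (network, router, DNS, future use, broadcast). This is AWS behaviour,
# not something the notes above state.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Parse a VPC CIDR block and reject sizes AWS would not accept."""
    # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/24
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 VPC blocks are handled here")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(
            f"{cidr}: VPC block must be between /{VPC_LARGEST_PREFIX} "
            f"and /{VPC_SMALLEST_PREFIX}"
        )
    return net


def address_count(cidr):
    """Total addresses in a valid VPC block (2^(32 - prefix length))."""
    return validate_vpc_cidr(cidr).num_addresses


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check that subnets fit inside the VPC block and do not overlap.

    Returns one record per subnet with its total and usable address counts.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is not inside VPC block {vpc}")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            raise ValueError(f"subnets {a} and {b} overlap")
    return [
        {
            "cidr": str(s),
            "total": s.num_addresses,
            "usable": s.num_addresses - AWS_RESERVED_PER_SUBNET,
        }
        for s in subnets
    ]


if __name__ == "__main__":
    print(address_count("10.0.0.0/28"), address_count("10.0.0.0/16"))
    for rec in plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]):
        print(rec)
```

Running the block prints `16 65536` followed by one record per subnet; a /24 subnet reports 256 total and 251 usable addresses.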
Elastic Network Interface (ENI)
- Each instance has a primary (default) elastic network interface, eth0, which cannot be detached from the instance.
- Multiple ENIs can be attached to an instance.
Route Tables
- A route table contains rules (routes) that determine where network traffic is directed.
- Each VPC comes with a main (default) route table, which is customizable; a VPC can also have custom route tables, up to 200 per VPC.
- Each subnet in a VPC must be associated with exactly one route table, while a single route table can be associated with many subnets.
- A subnet is associated with the main route table by default.
- Route priority is decided by the most specific route (longest prefix match) in the route table that matches the traffic.
- When you add an internet gateway, an egress-only internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint to your VPC, you must update the route table.
Network ACLs and Security Groups
- Network access control lists (NACLs) act as a firewall for their associated subnets, controlling both inbound and outbound traffic at the subnet level.
- Security groups act as a firewall for their associated EC2 instances, controlling both inbound and outbound traffic at the instance level.
Internet Gateway (IGW)
- An internet gateway is an AWS-managed service that provides internet access to the VPC.
- When you add an internet gateway to a VPC, you must update the route table so that traffic destined for the internet is routed to it.
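As an added example (not from the original notes), this Python models the two route-table rules above: the most specific matching route wins, and a subnet only reaches the internet when its route table sends `0.0.0.0/0` to an internet gateway, which is the route the IGW section says you must add. The sample tables, the `Route` class and the resource IDs (marked `PLACEHOLDER`) are constructed for this example; `is_public_route_table` is the check an auditor would run to find which subnets are exposed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network  # CIDR block the route matches
    target: str                         # "local", igw-..., nat-..., pcx-...


def build_route_table(entries):
    """Build a route table from (destination CIDR, target) pairs."""
    return [Route(ipaddress.ip_network(dst), target) for dst, target in entries]


def select_route(table, dst_ip):
    """Return the target of the most specific route matching dst_ip, or None.

    AWS picks the route with the longest matching prefix; a packet whose
    destination matches no route at all has nowhere to go and is dropped.
    """
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if ip in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: r.destination.prefixlen).target


def is_public_route_table(table):
    """True if the table sends the default route (0.0.0.0/0) to an internet
    gateway, i.e. the subnets using it are reachable from the internet."""
    return any(
        r.destination.prefixlen == 0 and r.target.startswith("igw-")
        for r in table
    )


# Constructed sample tables; the resource IDs are placeholders, not real ones.
PUBLIC_RT = build_route_table([
    ("10.0.0.0/16", "local"),             # the VPC's own block
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),   # peered VPC
    ("10.1.5.0/24", "nat-PLACEHOLDER"),   # more specific than the peering route
    ("0.0.0.0/0", "igw-PLACEHOLDER"),     # default route to the internet gateway
])

PRIVATE_RT = build_route_table([
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),     # outbound only, via a NAT device
])

ISOLATED_RT = build_route_table([("10.0.0.0/16", "local")])  # no default route


if __name__ == "__main__":
    for dst in ("10.0.3.4", "10.1.5.9", "10.1.9.9", "8.8.8.8"):
        print(dst, "->", select_route(PUBLIC_RT, dst))
    print("public?", is_public_route_table(PUBLIC_RT), is_public_route_table(PRIVATE_RT))
```

In `PUBLIC_RT`, traffic to `10.1.5.9` goes to the NAT target even though the peering route also matches, because /24 is more specific than /16. `ISOLATED_RT` shows the case the IGW section warns about: without a default route, internet-bound traffic has no target.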
NAT Instance
- A NAT instance is just an EC2 instance that provides internet access to a private subnet.
- It is available from the AWS Marketplace and is much cheaper than an IGW.
- It does not support IPv6, and the user has to maintain the server: patch the OS and scale resources up when demand is high.
- NAT (Network Address Translation) hides the IP addresses of AWS resources within a subnet.