Introduction
1 Overview
VPC Definition
AWS Cloud
⬥ the AWS Cloud is a shared network
⬦ WAN/LAN
⬦ Hardware (Nodes, Storage etc.)
⬥ VPC
⬦ private network inside the shared cloud
[Diagram: two VPCs, Customer A and Customer B, inside the AWS Cloud, next to the shared services S3, SQS and DynamoDB]
[Diagram: AWS Cloud with Region 1 and Region 2, each containing a VPC with a subnet]
Manage resources
● https://us-east-1.console.aws.amazon.com
● https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
● https://aws.amazon.com/tools/?nc1=h_ls
Pricing
In principle, there are no additional costs for the VPC. However, you should check the pricing again for the following services:
⬥ Control / Monitoring
⬥ Connectivity / Data Transmission
⬥ Security
2 Prerequisites
Prepare the AWS Account
Create an IAM User
Assign IAM Permissions
AWS Command Line Interface (CLI)
3 Default VPC
Default VPC
⬥ there is one VPC per region by default
⬥ each VPC has a public subnet in each AZ
⬥ Purpose
⬦ fast launching of public components like e.g. a website
Helicopter View
Default VPC - Overview
[Diagram: default VPC in one Availability Zone with a public subnet 10.0.0.0/24, its NACL and route table, the router, an Internet gateway and an instance]
Overview of automatically created components
Limits of the Default VPC
⬥ little control over networking settings
⬥ CIDR blocks not adjustable / IP range predefined
⬥ no private subnet by default
⬥ no easy replication of environments possible
4 Non-Default VPC
Advantages of the Non-Default VPC
⬥ full control over the networking settings
⬥ VPC size and CIDR block size are adjustable
⬥ creation of a private subnet possible
⬥ easy replication of environments possible, e.g. dev, staging, prod
Classless Inter-Domain Routing (CIDR)
CIDR Blocks
Specify network size
CIDR Block range
CIDR Rules
⬥ multiple CIDR blocks can be assigned to one VPC
⬥ CIDR blocks in a VPC cannot overlap each other
⬥ the size of an existing CIDR block cannot be changed
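The CIDR rules above, applied in code: an added example, not part of the slides, that validates a VPC's CIDR blocks, carves the 10.0.0.0/16 block from later slides into one /24 subnet per Availability Zone, and checks that subnets neither overlap nor leave the VPC block. It assumes two AWS facts not stated on the slides: a VPC CIDR block must be between /16 and /28, and AWS reserves 5 addresses in every subnet.

```python
import ipaddress

# Constructed example (not from the slides): plan a non-default VPC and check the
# CIDR rules. Two AWS facts are assumed here: a VPC CIDR block must be between
# /16 and /28, and AWS reserves 5 addresses per subnet (network address, VPC
# router, DNS, one reserved for future use, broadcast).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
AWS_RESERVED_PER_SUBNET = 5


def vpc_cidr_violations(cidrs):
    """Return a list of rule violations for the VPC's CIDR blocks ([] means OK)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    problems = []
    for n in nets:
        if not VPC_MIN_PREFIX <= n.prefixlen <= VPC_MAX_PREFIX:
            problems.append(f"{n}: VPC CIDR block size must be between /16 and /28")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):  # CIDR blocks in a VPC must not overlap
                problems.append(f"{a} overlaps {b}")
    return problems


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Carve one subnet per AZ out of the VPC block; return {az: (cidr, usable addresses)}."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = {}
    for az in azs:
        subnet = next(blocks)
        plan[az] = (str(subnet), subnet.num_addresses - AWS_RESERVED_PER_SUBNET)
    return plan


def subnets_fit(vpc_cidr, subnet_cidrs):
    """True if every subnet lies inside the VPC block and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    print(vpc_cidr_violations(["10.0.0.0/16"]))
    print(plan_subnets("10.0.0.0/16", ["eu-central-1a", "eu-central-1b"]))
```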
Create a Non-Default VPC
5 Subnets I - Public
Overview
● IPv4-only
● IPv6-only
● Dual-stack (IPv4 and IPv6)
Public IP Addresses
⬥ AWS provides a pool of public IP addresses
⬥ the public IP addresses are not associated with the respective AWS account → e.g. when an EC2 instance is terminated, it is released to the global pool again
⬥ you can set a flag on each subnet whether to assign a public IPv4 address or not
Elastic IP Addresses
⬥ AWS provides a pool of public EIP addresses
⬥ these static IP addresses can be mapped to your VPC
⬥ you can map multiple private IP addresses to one EIP
⬥ if the EIP is no longer needed, it can be returned to the pool
Create Public Subnets
[Diagram: VPC 10.0.0.0/16 in the AWS Cloud with the public subnets 10.0.0.0/24 and 10.0.1.0/24]
EC2 instances in the public subnet
Overview
[Diagram: VPC 10.0.0.0/16 with the instances prod-ec2-1 and prod-ec2-2 in the public subnets 10.0.0.0/24 and 10.0.1.0/24]
Internet Gateway (IGW)
⬥ is a horizontally scalable, redundant and highly available VPC component
⬥ connects to and from the Internet when the requesting resource has a public IP address assigned to it
⬥ does not cause any risks in terms of availability or bandwidth limitations
⬥ no additional costs
⬥ Purpose
⬦ Destination in the routing table for traffic from the Internet
⬦ Network Address Translation for instances with a public IP address
Internet Gateway
[Diagram: VPC 10.0.0.0/16 with an IGW attached to the router, and prod-ec2-1 / prod-ec2-2 in the subnets 10.0.0.0/24 and 10.0.1.0/24]
Route Tables
[Diagram: VPC 10.0.0.0/16 with IGW, router and the subnets 10.0.0.0/24 and 10.0.1.0/24]
● each VPC has a router which can be configured with route tables
● a route table consists of routes that define where the network traffic is routed in the VPC/subnet
Rules
● each subnet is assigned to exactly one route table
● you can assign the same route table to multiple subnets
● the Main route table is created with the VPC and can be used for all subnets
● with Custom route tables you can make more detailed settings

Example route:
Destination   Target
0.0.0.0/0     igw-XYZ
Establish internet access
Overview
[Diagram: VPC 10.0.0.0/16 with IGW and router]
6 Subnets II - Private
Overview
[Diagram: VPC 10.0.0.0/16 with IGW and router]
Private IP Addresses
⬥ are not accessible via the Internet
⬥ for communication of instances within the VPC
⬥ if no private IP is specified when starting an EC2 instance, AWS automatically assigns an available IP address in the subnet range
⬥ multiple private IPs can also be assigned to an instance
Basics NAT Gateway
⬥ NAT = Network Address Translation, i.e. the source IP address of the instance is replaced by the IP address of the NAT gateway.
⬥ for response traffic the IP of the NAT GW is translated back to the original source IP address
⬥ for HA (High Availability) a separate NAT GW should be created in each AZ
⬥ Public NAT GW
⬦ allows outgoing traffic + associated replies for resources in a private subnet, prevents incoming traffic
⬦ private IP addresses are translated to a public IP address (Elastic IP assigned to the NAT GW)
⬥ Private NAT GW
⬦ private connections to other VPCs or on-premises networks can be established
⬦ the private IP addresses of the instances are replaced by the private IP address of the NAT GW (no Elastic IP at the private NAT GW)
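How the route-table rules and the public/private subnet distinction fit together, as an added example that is not part of the slides: a VPC router resolves a destination by the most specific matching route, and a subnet is public when its route table sends 0.0.0.0/0 to an IGW, private when it goes to a NAT gateway, and isolated when there is no default route. The target IDs igw-XYZ (from the slide), nat-EXAMPLE and the table names are placeholders; a public subnet additionally needs public IPs on its instances, which this model does not track.

```python
import ipaddress

# Constructed example (not from the slides): a VPC 10.0.0.0/16 with three route
# tables. "local" is the implicit intra-VPC route; igw-XYZ comes from the slide,
# nat-EXAMPLE and the rtb-* names are placeholders.
ROUTE_TABLES = {
    "rtb-main": [("10.0.0.0/16", "local")],
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-XYZ")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
}

# Each subnet is associated with exactly one route table (slide rule); several
# subnets may share a table.
SUBNETS = {
    "10.0.0.0/24": "rtb-public",
    "10.0.1.0/24": "rtb-public",
    "10.0.2.0/24": "rtb-private",
    "10.0.3.0/24": "rtb-main",
}


def resolve(route_table, dst_ip):
    """Return the target for dst_ip: the most specific (longest prefix) matching route wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[route_table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(subnet_cidr):
    """Public: default route to an IGW. Private: default route to a NAT GW. Isolated: no default route."""
    table = SUBNETS[subnet_cidr]
    target = resolve(table, "203.0.113.10")  # any Internet address (TEST-NET-3 documentation range)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private (outbound via NAT)"
    return f"other ({target})"


if __name__ == "__main__":
    for cidr, table in SUBNETS.items():
        print(cidr, table, classify_subnet(cidr))
```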
Create a NAT Gateway
Public vs. Private Subnet
[Diagram: VPC 10.0.0.0/16 with IGW and router, shown first without and then with a NAT gateway]
Bastion Host
7 Security
Security
Hint: Assign a high priority to security right from the start
You can increase the security level with the help of:
● Access Control Lists (ACLs)
● Security Groups
● Firewalls
● Subnets / Route Tables
● Monitoring
● IAM Permissions
● Encryption
Network Access Control List (NACL)
● is an additional security layer
● works as a firewall on subnet level
● by default every VPC has a NACL which allows all traffic
● you can assign custom NACLs to a subnet, where traffic must be explicitly allowed
● NACLs are stateless (rules for return traffic must be mapped separately)
● rules are evaluated in order from 1 to 32766 (recommendation: create rules in increments of 10)
● a rule can allow or deny traffic
Security Group
● virtual firewall on resource level
● each VPC has a default security group
● security groups are stateful (the response of a network request is allowed)
● there are only Allow assignments
Security Group vs. ACL
Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
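The NACL and security group behaviour compared above, modelled as an added example that is not part of the slides: the NACL walks its rules in ascending number order, the first match decides, everything else hits the implicit deny, and the reply to an inbound request is checked separately because NACLs are stateless; the security group only has allow rules and lets the reply through automatically. Rule numbers, ports and rule sets are constructed for illustration.

```python
# Constructed example (not from the slides): one inbound HTTPS request and its
# reply, checked against a custom NACL and a security group. Rule sets and
# port numbers are made up for illustration.

# NACL rules: (rule number, direction, protocol, (port_from, port_to), action).
# Rules are evaluated in ascending number order; the first match wins, and the
# implicit final rule (*) denies everything else.
NACL = [
    (100, "inbound", "tcp", (443, 443), "allow"),
    (110, "inbound", "tcp", (1024, 65535), "allow"),   # replies to outbound connections
    (120, "outbound", "tcp", (1024, 65535), "allow"),  # replies to inbound connections
]
NACL_IMPLICIT = "deny"

# Security group: allow rules only, (protocol, (port_from, port_to)).
SG_INBOUND = [("tcp", (443, 443))]


def nacl_decision(rules, direction, proto, port):
    """Return 'allow' or 'deny' for one packet; stateless, so direction matters every time."""
    for _num, rule_dir, rule_proto, (lo, hi), action in sorted(rules):
        if rule_dir == direction and rule_proto == proto and lo <= port <= hi:
            return action
    return NACL_IMPLICIT


def nacl_allows_exchange(rules, proto, dst_port, client_port):
    """Stateless: the inbound request AND the outbound reply must each match an allow rule."""
    request_ok = nacl_decision(rules, "inbound", proto, dst_port) == "allow"
    reply_ok = nacl_decision(rules, "outbound", proto, client_port) == "allow"
    return request_ok and reply_ok


def sg_allows_exchange(proto, dst_port):
    """Stateful: once the inbound request matches an allow rule, its reply is allowed automatically."""
    return any(p == proto and lo <= dst_port <= hi for p, (lo, hi) in SG_INBOUND)


if __name__ == "__main__":
    print("NACL, HTTPS:", nacl_allows_exchange(NACL, "tcp", 443, 50000))
    print("NACL without outbound rule:", nacl_allows_exchange(NACL[:2], "tcp", 443, 50000))
    print("SG, HTTPS:", sg_allows_exchange("tcp", 443))
```

Dropping rule 120 is the classic NACL mistake: the request is allowed in, but the reply on the client's ephemeral port is denied on the way out.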
Network Firewall
● stateful
● can filter traffic in the VPC, e.g. traffic to/from an IGW, NAT GW, VPN
● uses the open source intrusion prevention system (IPS) Suricata for stateful inspection
● comes with additional costs
8 Monitoring
Flow Logs
● Logs of incoming and outgoing traffic (to/from network interfaces in the VPC) are recorded
● Flow logs can help in diagnosing and monitoring the traffic
● The logging does not affect the bandwidth or latency of the traffic
● Flow logs can be created for entire VPCs, subnets or individual network interfaces
● Flow logs do not act in real time
● Flow logs can be stored in either S3 or CloudWatch
[Diagram: Elastic network interface → Flow logs → Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch]
Flow Logs
IAM Role for CloudWatch:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html
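What a flow log delivered to S3 or CloudWatch looks like once it arrives, as an added example that is not part of the slides: a parser for the default (version 2) record format and a summary of REJECTed flows per source and destination port, which is the quickest way to see what the NACL or security group blocked. The records, account ID, interface ID and addresses are constructed sample data.

```python
from collections import Counter

# Constructed sample records in the default VPC Flow Logs format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. IDs and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.0.12 51122 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.0.12 51123 3389 6 2 120 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.0.12 44321 443 6 20 4800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.12 198.51.100.9 443 44321 6 18 9200 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.0.12 51124 23 6 1 60 1700000060 1700000119 REJECT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no traffic fields and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        yield rec


def rejected_ports_by_source(records):
    """Count REJECTed flows per (source address, destination port)."""
    return Counter((r["srcaddr"], r["dstport"]) for r in records if r["action"] == "REJECT")


def accepted_bytes(records):
    """Total bytes of ACCEPTed flows in the window."""
    return sum(r["bytes"] for r in records if r["action"] == "ACCEPT")


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_LOG))
    for (src, port), n in rejected_ports_by_source(recs).most_common():
        print(f"{src} -> port {port}: {n} rejected flow(s)")
    print("accepted bytes:", accepted_bytes(recs))
```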
9 Connectivity I - Endpoints
Endpoints
Interface Endpoints
Gateway Endpoints
● target in a route table
● currently only available for AWS S3 and AWS DynamoDB
● without additional costs
[Diagram: gateway endpoints for DynamoDB and Amazon Simple Storage Service (Amazon S3)]
10 Connectivity II - Advanced
VPC Peering
● Goal: Connect VPCs
● no additional hardware resources
● each VPC must be connected directly
● Route tables must be adapted
Source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
VPC Transit Gateway
● is an additional resource in the VPC
● VPCs, VPN gateways and AWS Direct Connect endpoints can be connected
● is an additional transitive router, i.e. a hub-and-spoke topology can be set up where each VPC does not need to be directly connected to the other one
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-centralized-router.html
VPN
[Diagram: VPC connected to an On-Premises Network via VPN]
Outro
11 Tear Down