
AWS Solution Architect—Associate Level

Lesson 4: Amazon Virtual Private Cloud (VPC)

What You’ll Learn

• Virtual Private Cloud
• Public, Private, and Elastic IP addresses
• Public and Private Subnets
• Internet Gateway
• Route Tables
• NAT Gateway
• Security Groups
• Network ACLs
• VPC Best Practices
Amazon VPC Overview
Overview of Virtual Private Cloud Concepts

Amazon VPC Terminology
The following are the terms that are used in VPCs:

• VPC subnet
• Route Table
• Elastic IPs
• Internet Gateway
• VPC NAT Gateway
• Network ACLs
• Security Group
Direct Connect

• AWS Direct Connect is an alternative to using the Internet while utilizing AWS cloud services.

• It is a dedicated network connection from your premises to AWS.
Direct Connect

• Establishes private connectivity between AWS and your datacenter to:
  • reduce your network costs
  • increase bandwidth throughput
  • provide a consistent network experience

• Locations all over the world

• Port speeds up to 10G
Amazon VPC Definition

Amazon’s definition of a VPC:

“Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.”
Amazon VPC Diagram
A VPC is your own virtual network in the Amazon cloud used as the network layer for your EC2 resources.

[Diagram: a default VPC (172.31.0.0/16) in one Region, with Default Subnet 1 (172.31.0.0/20) in Availability Zone A and Default Subnet 2 (172.31.16.0/20) in Availability Zone B. Each subnet holds an EC2 instance with a private and a public address (172.31.0.5 / 203.0.113.17 and 172.31.16.5 / 203.0.113.23). Both subnets reach the Internet Gateway through the router.]

Main Route Table
Destination      Target
172.31.0.0/16    local
0.0.0.0/0        igw-id
Knowledge Check

Knowledge Check
Amazon VPC is a component of which AWS service?

a. Compute

b. Analytics

c. Networking

d. Databases

The correct answer is c.

Amazon VPC is a component of the Networking service.
Knowledge Check
Amazon VPC allows you to _____.

a. control the IP addresses used in your local data center

b. launch resources into a virtual network that you've defined

c. create physical networks wherever you want

d. associate Security Groups with your IAM users

The correct answer is b.

Amazon Virtual Private Cloud (Amazon VPC) allows you to launch Amazon Web Services (AWS) resources into a virtual network that you've defined.
Amazon VPC
Using Virtual Private Clouds in AWS

Default Amazon VPC

Each Amazon account comes with a default VPC that is preconfigured for you to start using straight away.

[Diagram: a preconfigured Virtual Private Cloud in one Region spanning Availability Zone 1 and Availability Zone 2.]
Default Amazon VPC (contd.)
The CIDR (Classless Inter-Domain Routing) block for a default VPC is always a /16 netmask, for example, 172.31.0.0/16.

[Diagram: the default VPC (172.31.0.0/16, 65,536 private IP addresses) in one Region, with Default Subnet 1 (172.31.0.0/20) in Availability Zone A and Default Subnet 2 (172.31.16.0/20) in Availability Zone B. Each subnet holds an EC2 instance with a private and a public address (172.31.0.5 / 203.0.113.17 and 172.31.16.5 / 203.0.113.23), and both reach the Internet Gateway through the router.]

Main Route Table
Destination      Target
172.31.0.0/16    local
0.0.0.0/0        igw-id
Custom VPC

The default VPC is great for launching new instances when you are testing AWS, but creating a custom VPC allows you to secure your resources.

[Diagram: a custom VPC (10.0.0.0/16) in one Region. A public subnet (10.0.0.0/24) in Availability Zone A holds web servers 10.0.0.5, 10.0.0.6 and 10.0.0.7, each with an Elastic IP (198.51.100.1, 198.51.100.2 and 198.51.100.3); its route table has a local route and a 0.0.0.0/0 route to the Internet Gateway (igw-id). A VPN-only subnet in Availability Zone B holds the database servers and reaches the customer network through a virtual private gateway (VGW), a VPN connection and a customer gateway.]
Hardware VPN Access
Connect your VPCs to your existing data center using Hardware VPN Access so you can extend your data center into the cloud and create a hybrid environment.

[Diagram: a VPC spanning two Availability Zones, whose router connects to a Virtual Private Gateway; separate VPN Connections run from that gateway to Customer Gateways in the customer networks in Los Angeles, Chicago, New York and Miami.]
VPC Peering
A peering connection allows you to route traffic between two VPCs using private IP addresses, so EC2 instances in either network can communicate directly with each other.

[Diagram: three peered VPCs: VPC A (192.16.0.0/16), VPC B (10.0.0.0/16) and VPC C (192.168.0.0/16).]
Default VPC Deletion
If you delete the default VPC, you have to contact AWS Support to get it restored.

[Diagram: the default VPC (172.31.0.0/16) with its two default subnets (172.31.0.0/20 in Availability Zone A and 172.31.16.0/20 in Availability Zone B), their EC2 instances, the Internet Gateway and the main route table (172.31.0.0/16 to local, 0.0.0.0/0 to igw-id), as shown on the earlier default VPC diagram.]
Demo 1: Creating a custom VPC
Demonstrate how to create a custom VPC.

Knowledge Check

Knowledge Check
What is attached to the default VPC?

a. Availability Zone

b. VPC Peering Connection

c. Internet Gateway

d. None of the above

The correct answer is c.

The default VPC has an IGW attached, meaning that each subnet is public or has Internet access. Any EC2 instance launched into the default VPC will have both a public and private IP address attached.
Knowledge Check
Why would you create a custom VPC?

a. To customize the VPC to your own configuration

b. To save money

c. To avoid AWS from having access to your EC2 instances

d. To make allowances for cases where you delete the default VPC

The correct answer is a.

Creating a custom VPC allows you to customize your virtual network by defining your own IP address range, creating subnets that are both private and public, and strengthening your security settings.
IP Addresses
Using IP Addresses in Amazon VPC

Private IP Addresses
A private IP address is not reachable over the Internet. It is used for communication between instances in the same network. When you launch a new instance, it is given a private IP address and an internal DNS host name that resolves to the private IP address of the instance.

[Diagram: two instances in the same network, addressed as 10.0.0.1 and 10.0.0.2, communicating over their private addresses.]
Public IP Addresses
A public IP address is reachable from the Internet. You can use public IP addresses for communication between your instances and the Internet.

[Diagram: instances with private addresses 10.0.0.1 and 10.0.0.2 and the public address 74.85.2.2 used for communication with the Internet.]
Elastic IP Addresses
An Elastic IP address is a static, persistent public IP address that is allocated to your account and can be associated with and disassociated from your instances as required.

[Diagram: the Elastic IP address 74.85.2.2 associated with one of the instances 10.0.0.1 and 10.0.0.2.]
Demo 2: Creating an Elastic IP Address
Demonstrate how to create an Elastic IP Address.

Knowledge Check

Knowledge Check
When is an Elastic IP address released from your account?

a. When the EC2 instance it is attached to is restarted

b. When the EC2 instance it is attached to is terminated

c. Until you choose to release it

d. Until you delete the default VPC

The correct answer is c.

It remains in your account until you choose to release it; until then it can be associated with and disassociated from your instances as required.
Subnets
Using subnets in Amazon VPC

Subnet Definition

Amazon’s definition of a Subnet:

“A range of IP addresses in your VPC; you can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be connected to the Internet and a private subnet for resources that won't be connected to the Internet.”

[Diagram: two subnets, 172.31.0.0/20 and 172.31.16.0/20.]
Subnet Diagram
A VPC can span multiple Availability Zones, but a subnet is always mapped to a single Availability Zone.

[Diagram: a Virtual Private Cloud (192.168.0.0/16) in one Region with VPC Subnet 1 (192.168.0.X) in Availability Zone 1 and VPC Subnet 2 (192.168.254.X) in Availability Zone 2, fronted by Amazon Route 53 and a Load Balancer; the VPC is attached to a VPN Gateway and an Internet Gateway.]
Public and Private Subnets

Public subnets are used for resources that need to be connected to the Internet. Private subnets are for resources that don’t need an Internet connection or that you want to protect from the Internet.

[Diagram: a Virtual Private Cloud in one Region with a public subnet in one Availability Zone, connected to the Internet, and a private subnet in another Availability Zone.]
Demo 3: Creating Subnets
Demonstrate how to create a public and private subnet.

Knowledge Check

Knowledge Check
A subnet can _____.

a. span multiple Availability Zones

b. span multiple Regions

c. provide up to 65,536 private IP addresses by default

d. only be mapped to one Availability Zone

The correct answer is d.

A subnet can only be mapped to one Availability Zone, and the default subnet is always /20, which provides up to 4,096 addresses per subnet, a few of which are reserved for AWS use.
Internet Gateways
Using Internet Gateways in Amazon VPC

Internet Gateway Definition

Amazon’s definition of an Internet Gateway:

“An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.”
Internet Gateway Diagram
To allow your VPC the ability to connect to the Internet, you need to attach an Internet Gateway.

[Diagram: a Virtual Private Cloud in one Region with a public subnet and a private subnet in separate Availability Zones; the Internet gateway attached to the VPC connects the public subnet to the Internet.]
Internet Gateway Requirements

1. An Internet gateway must be attached to your VPC.
2. All instances in your subnet must have either a public IP address or an Elastic IP address.
3. Your subnet's route table must point to the Internet gateway.
4. All network access control and security group rules must be configured to allow the required traffic to and from your instance.
Demo 4: Creating Internet Gateways
Demonstrate how to create an Internet Gateway.

Knowledge Check

Knowledge Check
An Internet Gateway allows _____.

a. Internet access to your VPC as soon as you attach it

b. communication between instances in your VPC and the Internet

c. high bandwidth constraints on your network traffic

d. you to attach one Internet Gateway per subnet

The correct answer is b.

An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. Once attached to your VPC, there are several other steps that must be met before Internet access is available.
Route Tables
Using Route Tables in Amazon VPC

Route Table Overview

Amazon’s definition of a route table:

“A route table contains a set of rules, called routes, which are used to determine where network traffic is directed.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.”
Route Table Diagram
Every VPC has a default route table. It is best to leave it in its original state and create a new route table to customize the network traffic routes.

[Diagram: a Virtual Private Cloud (10.0.0.0/16) in one Region with two subnets in different Availability Zones behind the router. One subnet is associated with a Custom Route Table that sends 0.0.0.0/0 to the Internet Gateway; the other stays on the Main Route Table, which holds only the local route.]

Custom Route Table
Destination      Target
0.0.0.0/0        Internet Gateway

Main Route Table
Destination      Target
10.0.0.0/16      local
Demo 5: Creating Route Tables
Demonstrate how to create a custom route table.

Knowledge Check

Knowledge Check
Which of the following is NOT true about route tables?

a. A route table contains a set of rules, called routes, which is used to determine where network traffic is directed.

b. Multiple subnets can be associated with the same route table.

c. It is recommended to only use the default route table.

d. Each subnet in your VPC must be associated with a route table.

The correct answer is c.

Every VPC has a default route table. It’s good practice to leave this in its original state and create a new route table to customize the network traffic routes.
NAT Devices
Using NAT devices in Amazon VPC

NAT Devices Overview
You can use a Network Address Translation (NAT) device to enable instances in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating connections with the instances.

[Diagram: a NAT device between a private subnet and the Internet; traffic from the subnet passes out through the NAT device, while connections initiated from the Internet are not forwarded in.]
NAT Devices Overview (contd.)
You can connect your private subnet database to other AWS resources if you use a NAT device.

[Diagram: a Virtual Private Cloud in one Region with two private subnets in different Availability Zones. One subnet is associated with a custom route table that sends traffic to a NAT device, which reaches the Internet through the router and the Internet Gateway; the other subnet stays on the main route table.]
NAT Gateway versus NAT Device
AWS provides two kinds of NAT devices: a NAT gateway or a NAT instance.

[Diagram: the AWS cloud offering a NAT Gateway and a NAT instance side by side.]
NAT Gateway
A NAT Gateway must be launched into a public subnet.

[Diagram: a NAT Gateway in the public subnet serving the private subnet.]

Private Subnet Route Table
Destination      Target
0.0.0.0/0        NAT Gateway
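The route tables in this section all have the same shape: a local route for the VPC CIDR plus a 0.0.0.0/0 default route whose target is an Internet Gateway (public subnet) or a NAT Gateway (private subnet), and a subnet with no explicit association falls back to the main route table. The VPC router picks the most specific matching route. The following added example is not part of the lesson or of any AWS tool: it simulates that longest-prefix-match lookup for the lesson's custom VPC (10.0.0.0/16) with constructed subnets, plain labels in place of real gateway ids, and 203.0.113.x / 198.51.100.x documentation addresses standing in for Internet hosts.

```python
"""Longest-prefix-match route lookup over the kinds of route tables shown in
this lesson. Added example with constructed subnets and target labels."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Constructed topology modelled on the lesson's custom VPC (10.0.0.0/16).
# Targets are labels; a real table holds ids such as igw-... or nat-....
PUBLIC_ROUTE_TABLE: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "internet-gateway"),
]
PRIVATE_ROUTE_TABLE: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gateway"),
]
MAIN_ROUTE_TABLE: List[Route] = [  # the default table, left in its original state
    ("10.0.0.0/16", "local"),
]
# Explicit subnet associations; any other subnet uses the main route table.
SUBNET_ASSOCIATIONS: Dict[str, List[Route]] = {
    "10.0.1.0/24": PUBLIC_ROUTE_TABLE,   # public subnet
    "10.0.2.0/24": PRIVATE_ROUTE_TABLE,  # private subnet
}


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Target for dst_ip: the most specific matching route wins, so the
    VPC's own 'local' route beats 0.0.0.0/0 for in-VPC destinations."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def route_table_for(src_ip: str) -> List[Route]:
    """Route table of the subnet containing src_ip (main table if none)."""
    src = ipaddress.ip_address(src_ip)
    for cidr, table in SUBNET_ASSOCIATIONS.items():
        if src in ipaddress.ip_network(cidr):
            return table
    return MAIN_ROUTE_TABLE


def next_hop(src_ip: str, dst_ip: str) -> Optional[str]:
    """Where the VPC router sends a packet from src_ip to dst_ip;
    None means there is no matching route and the packet is dropped."""
    return lookup(route_table_for(src_ip), dst_ip)


def has_internet_egress(subnet_cidr: str) -> bool:
    """A subnet can reach the Internet only if its default route points at
    an Internet Gateway (public subnet) or a NAT Gateway (private subnet).
    203.0.113.1 is a constructed stand-in for any Internet host."""
    table = SUBNET_ASSOCIATIONS.get(subnet_cidr, MAIN_ROUTE_TABLE)
    return lookup(table, "203.0.113.1") in ("internet-gateway", "nat-gateway")


if __name__ == "__main__":
    for src, dst in [("10.0.1.10", "10.0.2.20"), ("10.0.1.10", "203.0.113.17"),
                     ("10.0.2.20", "198.51.100.1"), ("10.0.3.5", "198.51.100.1")]:
        print(f"{src} -> {dst}: {next_hop(src, dst)}")
```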
Demo 6: Creating a NAT Gateway
Demonstrate how to create a NAT Gateway.

Knowledge Check

Knowledge Check
Why does AWS recommend using a NAT Gateway?

a. It’s a managed service.

b. It provides better availability and bandwidth than NAT instances.

c. It provides redundancy in the AZ where it is created.

d. All of the above are correct.

The correct answer is d.

AWS recommends a NAT Gateway as it’s a managed service that provides better availability and bandwidth than NAT instances. Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
Knowledge Check
What does a NAT Gateway require to function properly?

a. To be launched in a private subnet and have an Elastic IP address

b. To be launched in a public subnet and have an Elastic IP address

c. To be launched in a private subnet and have a private IP address

d. To be launched in a public subnet and have a private IP address

The correct answer is b.

A NAT Gateway must be launched into a public subnet and have an Elastic IP address as it needs Internet connectivity.
Security Groups
Using Security Groups in Amazon VPC

Security Groups Overview

Amazon’s definition of a Security Group:

“A security group acts as a virtual firewall that controls the traffic for one or more instances.
You add rules to each security group that allow traffic to or from its associated instances.”

Security Group Diagram
Security Groups control what can and what cannot access our instances that reside in the VPC.

[Diagram: the NAT device topology from the previous section (two private subnets in different Availability Zones, a NAT device, the router and the Internet Gateway), with Security Groups wrapped around the instances in the private subnets.]
Security Groups for Webservers
Let’s take a look at some examples:
The webserver needs to receive traffic from the Internet on HTTP and HTTPS ports.

[Diagram: the web server's security group admits HTTP and HTTPS and blocks all other traffic.]
Security Groups for Database Servers
Let’s take a look at a database server security group.

[Diagram: the database server's security group admits SQL Server and RDP traffic and blocks all other traffic.]
Security Groups Rules

• By default, security groups allow all outbound traffic.
• Security group rules are always permissive.
• Security groups are stateful.
• You can modify the rules of a security group at any time and the rules are applied immediately.
Demo 7: Creating a Security Group
Demonstrate how to create a Security Group.

Knowledge Check

Knowledge Check
Which of the following statements about Security Groups is NOT true?

a. Security group rules are always permissive.

b. Security groups are stateless.

c. Security group rules can be modified at any time.

d. Security Group rules are applied immediately.

The correct answer is b.

Security groups are stateful—for any request that comes from your instance, the response traffic for that request is automatically allowed to flow in regardless of what inbound security group rules have been configured.
Network ACL
Using Network ACLs in Amazon VPC

Network ACL Overview

Amazon’s definition of a Network ACL:


“A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic
in and out of one or more subnets.

You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to
your VPC.”

Network ACL Overview (contd.)
A Network ACL is placed between the route table and the Subnet.

[Diagram: a Virtual Private Cloud in one Region with a public subnet and a VPC subnet in different Availability Zones. Each subnet sits behind its own Network ACL; the public subnet uses a Custom Route Table and a NAT Device, the other subnet uses the Main Route Table, and both reach the Internet Gateway through the router.]
Network ACL Overview (contd.)
The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated.

[Diagram: a VPC (10.0.0.0/16) with two subnets (each labelled 10.0.0.0/24), each holding instances in Security Groups. Each subnet sits behind its own Network ACL and Routing Table, and the router connects to a Virtual Private Gateway and an Internet Gateway.]

Inbound
Rule #   Type          Protocol   Port Range   Source      Allow/Deny
100      All traffic   All        All          0.0.0.0/0   ALLOW
*        All traffic   All        All          0.0.0.0/0   DENY

Outbound
Rule #   Type          Protocol   Port Range   Source      Allow/Deny
100      All traffic   all        all          0.0.0.0/0   ALLOW
*        All traffic   all        all          0.0.0.0/0   DENY
Network ACL Rules

• Each subnet in your VPC must be associated with an ACL.
• A subnet can only be associated with one ACL. However, an ACL can be associated with multiple subnets.
• An ACL contains a list of numbered rules which are evaluated in order, starting with the lowest.
• ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic.
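The two filters in this lesson differ in exactly the ways listed in the Security Groups Rules and Network ACL Rules slides: a security group has allow rules only and is stateful, while a network ACL has numbered allow/deny rules evaluated from the lowest number, first match wins, and it keeps no state. The following added example is not from the lesson or from AWS; it simulates both filters on the lesson's web-server security group (HTTP and HTTPS in) with constructed packets, and all addresses, ports and rule numbers are assumptions. It also shows the practical consequence of statelessness: a NACL needs explicit rules for the ephemeral port range, otherwise the replies of allowed requests are dropped.

```python
"""Security group (stateful, allow rules only) versus network ACL (stateless,
numbered rules, first match wins), simulated on the lesson's web-server case."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int
    direction: str  # "in": toward the instance, "out": leaving it

    def flow(self) -> Tuple[str, str, int, int]:
        """(remote ip, proto, remote port, local port) as the instance sees it,
        so a request and its reply map to the same key."""
        if self.direction == "out":
            return (self.dst, self.proto, self.dst_port, self.src_port)
        return (self.src, self.proto, self.src_port, self.dst_port)

SgRule = Tuple[str, Tuple[int, int], str]             # (proto, (lo, hi), cidr)
AclRule = Tuple[int, str, str, Tuple[int, int], str]  # (no, action, proto, (lo, hi), cidr)
ALL_PORTS = (0, 65535)

def _matches(proto: str, ports: Tuple[int, int], cidr: str, pkt: Packet) -> bool:
    """Rules are written against the destination port: the local port for
    inbound packets, the remote port for outbound ones."""
    remote_ip, pkt_proto, remote_port, local_port = pkt.flow()
    port = local_port if pkt.direction == "in" else remote_port
    return (proto in ("all", pkt_proto) and ports[0] <= port <= ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))

@dataclass
class SecurityGroup:
    inbound: List[SgRule]
    outbound: List[SgRule] = field(  # AWS default: allow all outbound
        default_factory=lambda: [("all", ALL_PORTS, "0.0.0.0/0")])
    _flows: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def allows(self, pkt: Packet) -> bool:
        if pkt.flow() in self._flows:    # stateful: reply to an allowed flow
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(_matches(p, r, c, pkt) for p, r, c in rules):
            self._flows.add(pkt.flow())  # remember it so the reply gets back
            return True
        return False                     # no deny rules: no match means drop

@dataclass
class NetworkAcl:
    inbound: List[AclRule]
    outbound: List[AclRule]

    def allows(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _, action, p, ports, cidr in sorted(rules, key=lambda r: r[0]):
            if _matches(p, ports, cidr, pkt):
                return action == "allow"  # lowest matching number decides
        return False                      # the implicit "*" DENY rule

def simulate(sg: SecurityGroup, acl: NetworkAcl) -> Dict[str, bool]:
    """Constructed traffic: a client's HTTPS request and the server's reply,
    then a request the server itself makes (say, to a package mirror) and
    its reply. Each packet must pass both the security group and the NACL."""
    web, client, mirror = "10.0.1.10", "203.0.113.5", "203.0.113.9"
    packets = {
        "client_request": Packet(client, web, "tcp", 51000, 443, "in"),
        "server_reply": Packet(web, client, "tcp", 443, 51000, "out"),
        "update_request": Packet(web, mirror, "tcp", 40000, 443, "out"),
        "update_reply": Packet(mirror, web, "tcp", 443, 40000, "in"),
    }
    return {name: sg.allows(p) and acl.allows(p) for name, p in packets.items()}

# Web-server security group from the lesson: HTTP and HTTPS in, all else dropped.
WEB_SG_RULES: List[SgRule] = [("tcp", (80, 80), "0.0.0.0/0"),
                              ("tcp", (443, 443), "0.0.0.0/0")]
# A NACL that only mirrors the security group: replies travel on ephemeral
# ports, and a stateless filter judges them by the rules alone, so they drop.
NAIVE_ACL = NetworkAcl(
    inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")])
# Corrected NACL: explicit rules for the ephemeral range in both directions.
FIXED_ACL = NetworkAcl(
    inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
             (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
              (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")])

if __name__ == "__main__":
    print("naive NACL:", simulate(SecurityGroup(WEB_SG_RULES), NAIVE_ACL))
    print("fixed NACL:", simulate(SecurityGroup(WEB_SG_RULES), FIXED_ACL))
```

With the naive NACL both replies are dropped even though the security group passes them; with the corrected NACL all four packets pass, and a deny rule numbered below an allow rule wins for the packets it matches.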
Demo 8: Network ACL Overview
Demonstrate where to look for Network ACL settings.

Knowledge Check

Knowledge Check
Which of the following statements about Network ACLs is NOT true?

a. Each subnet in your VPC must be associated with an ACL.

b. A subnet can only be associated with one ACL; however, an ACL can be associated with multiple subnets.

c. An ACL contains a list of numbered rules which are evaluated in order, starting with the highest.

d. ACLs are stateless.

The correct answer is c.

An ACL contains a list of numbered rules which are evaluated in order, starting with the lowest.
Amazon VPC Best Practices
Overview of Amazon VPC recommended best practices

VPC Best Practices

Public and Private Subnets

1. The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated.
2. Use private subnets to secure resources that don't need to be available from the Internet, such as database servers.
VPC Best Practices (contd.)

Provide NAT to Private Subnets

Use a NAT Gateway over NAT instances to provide secure Internet access to your private subnets.
VPC Best Practices (contd.)

Choose CIDR Blocks

1. An Amazon VPC can contain 16 to 65,536 IP addresses.
2. Create separate Amazon VPCs for Development, Staging, and Production environments.
3. Alternatively, create one Amazon VPC with separate subnets.
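The CIDR sizing rules in this lesson (VPC and subnet blocks between /16 and /28, so 16 to 65,536 addresses; the 4,096-address default /20 subnet; and a few addresses per subnet reserved by AWS) can be checked before anything is created. The following added example is not part of the lesson; it validates a VPC address plan with Python's ipaddress module, subtracts the five addresses AWS reserves in every subnet, and also catches the practice assignment's habit of writing a subnet as a bare address such as 10.0.1.0, which parses as a /32. The plan values in the test are constructed.

```python
"""Check a VPC address plan against the sizing rules in this lesson: VPC and
subnet blocks between /16 and /28, subnets inside the VPC, no overlaps.
Added example; any plan values passed in are constructed."""
import ipaddress
from typing import List

# AWS reserves the first four and the last address of every subnet, which is
# the "few reserved for AWS use" the lesson mentions.
AWS_RESERVED_PER_SUBNET = 5
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28  # /16 holds 65,536 addresses, /28 holds 16


def usable_addresses(cidr: str) -> int:
    """Addresses left for instances once AWS has taken its reserved ones."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def _size_problem(label: str, net: ipaddress.IPv4Network) -> List[str]:
    """Empty if the block is an allowed size; a /32 (a bare address) fails here."""
    if LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        return []
    return [f"{label} {net} must be between /16 and /28 ({net.num_addresses} addresses)"]


def check_vpc_plan(vpc_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return the problems found; an empty list means the plan is valid."""
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:  # e.g. host bits set, as in 10.0.0.5/16
        return [f"VPC CIDR {vpc_cidr!r} is not a valid network: {exc}"]
    problems = _size_problem("VPC", vpc)
    seen: List[ipaddress.IPv4Network] = []
    for cidr in subnet_cidrs:
        try:
            subnet = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet CIDR {cidr!r} is not a valid network: {exc}")
            continue
        if subnet.version != vpc.version:
            problems.append(f"subnet {subnet} is not the same IP version as VPC {vpc}")
            continue
        problems += _size_problem("subnet", subnet)
        if not subnet.subnet_of(vpc):
            problems.append(f"subnet {subnet} lies outside VPC {vpc}")
        for other in seen:  # subnets in one VPC must not overlap each other
            if subnet.overlaps(other):
                problems.append(f"subnet {subnet} overlaps subnet {other}")
        seen.append(subnet)
    return problems


if __name__ == "__main__":
    # The practice assignment's plan, written once with masks and once without.
    print(check_vpc_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    print(check_vpc_plan("10.0.0.0/16", ["10.0.1.0", "10.0.2.0"]))
    print(usable_addresses("172.31.0.0/20"), "usable addresses in a default /20 subnet")
```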
VPC Best Practices (contd.)

Amazon VPC Limits

1. 5 VPCs per region
2. 200 subnets per VPC
3. 200 route tables per VPC
4. 500 security groups per VPC
5. 50 inbound/outbound rules per VPC
6. Some limits can be increased by raising a ticket with AWS support
VPC Best Practices (contd.)

Security Groups and Network ACLs

Use security groups for whitelisting and network ACLs for blacklisting.
VPC Best Practices (contd.)

Tier Security Groups

1. Create different security groups for different tiers of your infrastructure architecture inside your VPC.
2. If you create Amazon VPC security groups for each and every tier/service separately, it will be easier to open a port to a particular service.
VPC Best Practices (contd.)

Standardize Security Group Naming Conventions

1. Following a security group naming convention inside Amazon VPC will improve operations/management for large-scale deployments inside VPC.
2. It avoids manual errors and leaks, and saves cost and time.
VPC Best Practices (contd.)

Span Amazon VPC

Span your Amazon VPC across multiple subnets in multiple Availability Zones inside a Region. This helps in architecting high availability inside your Amazon VPC.
Amazon VPC Costs
Overview of the Amazon VPC associated costs

Amazon VPC Costs

If you create a hardware VPN Connection to your VPC using a Virtual Private Gateway, you are charged for each "VPN Connection-hour" that your VPN connection is provisioned and available.

[Diagram: the Virtual Private Gateway of a VPC spanning two Availability Zones, connected by separate VPN Connections to Customer Gateways in the customer networks in Los Angeles, Chicago, New York and Miami.]
Amazon VPC Costs (contd.)

If you create a NAT gateway in your VPC, you are charged for each “NAT Gateway-hour" that your NAT gateway is provisioned and available.

[Diagram: a NAT Gateway in the public subnet serving the private subnet.]

Private Subnet Route Table
Destination      Target
0.0.0.0/0        NAT Gateway
Practice Assignment: Designing a Custom VPC
Create a custom VPC using the concepts learned in this lesson

Build a Custom VPC

Using the concepts learned in this lesson, recreate the custom VPC as shown in the demonstrations:

VPC Name: SIMPLILEARN_VPC
CIDR: 10.0.0.0/16
Subnets: 1 public (10.0.1.0) and 1 private (10.0.2.0) placed in separate availability zones
Internet Gateway: 1
NAT Gateway: 1
Route Table: 1 (in the public subnet)
Security Groups: SIMPLILEARN_WEBSERVER_SG and SIMPLILEARN_DBSERVER_SG
Key Takeaways

Key Takeaways

• Amazon’s definition of a VPC: “Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.”

• A private IP address is not reachable over the Internet; it’s used for communication between instances in the same network.

• A public IP address is reachable from the Internet. You can use public IP addresses for communication between your instances and the Internet.

• An Elastic IP address is a static, persistent public IP address that persists after an instance restarts.
Key Takeaways (contd.)

• AWS defines a subnet as a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. A subnet is always mapped to a single Availability Zone. You can use a public subnet for resources that must be connected to the Internet and a private subnet for resources that won't be connected to the Internet.

• To allow your VPC the ability to connect to the Internet, you need to attach an Internet Gateway. You can only attach one IGW per VPC.

• A route table determines where network traffic is directed. It does this by defining a set of rules.

• Every subnet has to be associated with a route table and a subnet can only be associated with one route table; however, multiple subnets can be associated with the same route table.

• You can use a NAT device to enable instances in a private subnet to connect to the Internet or other AWS services. However, it will prevent the Internet from initiating connections with the instances.
Key Takeaways (contd.)

• A security group acts as a virtual firewall that controls the traffic for one or more instances.

• You add rules to each security group that allow traffic to or from its associated instances.

• A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Quiz

Quiz 1
What is the minimum subnet size you can have?

a. /16

b. /10

c. /28

d. /24

The correct answer is c.

Explanation: The allowed block size is between a /28 netmask and a /16 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses.

@Simplilearn. All rights reserved
Quiz 2
In a custom VPC, you created three subnets. Can they communicate with each other by default?

a. Yes

b. No

The correct answer is a.

Explanation: By default all subnets in a VPC can communicate with each other.
Quiz 3
What aspect of a VPC is stateful?

a. Security Groups

b. Network ACLs

c. Elastic IP Addresses

d. NAT Gateways

The correct answer is a.

Explanation: Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
Quiz 4
Which of the following routes do you need to add to allow your subnet Internet access?

a. Destination: 0.0.0.0/0 --> Target: Your Internet Gateway

b. Destination: 0.0.0.0/16 --> Target: 0.0.0.0/28

c. Destination: 10.0.1.0/0 --> Target: 0.0.0.0/28

d. Destination: 0.0.0.0/0 --> Target: Direct Connect

The correct answer is a.

Explanation: You need to allow a route for all traffic to access the Internet Gateway.
Quiz 5
What is the default limit for VPCs in an AWS Region?

a. 1

b. 5

c. 10

d. Unlimited

The correct answer is b.

Explanation: By default you can have five VPCs per Region. If you need more, you need to raise a ticket with AWS Support to increase the limit.
This concludes the lesson “Amazon VPC.”

The next lesson is “Amazon EC2.”
