Cloud Computing - 4 - Virtual Private Cloud (VPC) Dan Network Sec. Group

LOGO
UNIV/POLTEK
DIGITAL
TALENT
SCHOLARSHIP
2019
digitalent.kominfo.go.id
LOGO
UNIV/POLTEK
Virtual Private Cloud

dan
Network Security Group
LOGO
UNIV/POLTEK
VPC (Virtual Private Cloud)

• A virtual private cloud is a private virtual network in the
cloud
• VPC provide a certain level of isolation between the
different organizations/users using the resources
• The isolation between one VPC user and all other users
of the same cloud is achieved normally through
allocation of a private IP subnet and a virtual
communication construct (such as a VLAN or a set
of encrypted communication channels) per user
LOGO
UNIV/POLTEK

• VPC is most commonly used in the context of
cloud infrastructure as a service.
• The infrastructure provider, providing the underlying
public cloud infrastructure, and the provider realizing
the VPC service over this infrastructure, may be
different vendors.
LOGO
UNIV/POLTEK

• In AWS, VPC is a virtual network dedicated to your AWS
account.
• It is logically isolated from other virtual networks in the
AWS Cloud.
• In AWS, users allowed to provision virtual network for
free, however users will be charged for any virtual
private networks (VPN) they use
LOGO
UNIV/POLTEK

• Features in AWS VPC:
• IP ranges
• Routing
• Network gateways
• Security settings
• Control traffic going out of the subnet
• AWS VPC Deployment:
• Layered security controls
• Multiple AWS service inherit the security deployed
LOGO
UNIV/POLTEK
User A’s User B’s

VPC VPC
User C’s User D’s

VPC VPC
Cloud Provider
LOGO
UNIV/POLTEK
VPC and Subnet

• When you create a VPC, you must specify a range of
IPv4 addresses for the VPC in the form of a Classless
Inter-Domain Routing (CIDR) block
• You can launch AWS resources into a specified subnet.
• Use a public subnet for resources that must be connected to
the internet
• Use a private subnet for resources that won't be connected to
the internet
LOGO
UNIV/POLTEK
VPC and Subnet
Subnet X Subnet Y Subnet Z

10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
To internet or
other networks
Gateway
Router
User A’s VPC
LOGO
UNIV/POLTEK
VPC and Subnet

• If a subnet's traffic is routed to an internet gateway, the
subnet is known as a public subnet
• If you want your instance in a public subnet to communicate
with the internet over IPv4, it must have a public IPv4
address or an Elastic IP address (IPv4)
• If a subnet doesn't have a route to the internet gateway, the
subnet is known as a private subnet
• If a subnet doesn't have a route to the internet gateway, but
has its traffic routed to a virtual private gateway for a Site-to-
Site VPN connection, the subnet is known as a VPN-only
subnet
LOGO
UNIV/POLTEK
VPC and Subnet

Resource Default limit Comments
VPCs per Region 5 The limit for internet
• Regardless of the gateways per Region is
directly correlated to this
type of subnet, one. Increasing this limit
increases the limit on
internet gateways per
the internal IPv4 Region by the same
amount.
address range of Customers can have 100s
of VPCs per Region for
the subnet is their needs even though
the default limit is 5
always private VPCs per Region. You
can request an increase
for these limits using the
• You have a limit Amazon VPC limits for
m
.
on the number of Subnets per VPC
IPv4 CIDR blocks per VPC
200
5
-
This limit is made up of
VPCs and subnets your primary CIDR block
plus 4 secondary CIDR
blocks.
you can create IPv6 CIDR blocks per VPC 1 This limit cannot be
increased.
LOGO
UNIV/POLTEK
VPC Subnet Sizing

• The allowed block size is between a /16 netmask (65,536 IP
addresses) and /28 netmask (16 IP addresses)
• When you create a VPC, we recommend that you specify a CIDR
block (of /16 or smaller) from the private IPv4 address ranges as
specified in RFC 1918:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
• There are many tools available to help you calculate subnet CIDR
blocks; for example, see http://www.subnet-
calculator.com/cidr.php. Also, your network engineering group can
help you determine the CIDR blocks to specify for your subnets
LOGO
UNIV/POLTEK
VPC Subnet Sizing

• The first four IP addresses and the last IP address in each subnet
CIDR block are not available for you to use, and cannot be assigned
to an instance. For example, in a subnet with CIDR block 10.0.0.0/24,
the following five IP addresses are reserved:
• 10.0.0.0: Network address.
• 10.0.0.1: Reserved by AWS for the VPC router.
• 10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the
base of the VPC network range plus two; however, we also reserve the base
of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP
address of the DNS server is located in the primary CIDR. For more
information, see Amazon DNS Server.
• 10.0.0.3: Reserved by AWS for future use.
• 10.0.0.255: Network broadcast address. We do not support broadcast in a
VPC, therefore we reserve this address.
LOGO
UNIV/POLTEK
Subnet Routing
• Each subnet must be associated with a route table, which specifies
the allowed routes for outbound traffic leaving the subnet. Every
subnet that you create is automatically associated with the main
route table for the VPC. You can change the association, and you
can change the contents of the main route table.
• The Elastic IPv4 address or public IPv4 address that's associated
with your instance is accessed through the internet gateway of
your VPC. Traffic that goes through a AWS Site-to-Site VPN
connection between your instance and another network traverses
a virtual private gateway, not the internet gateway, and therefore
does not access the Elastic IPv4 address or public IPv4 address.
LOGO
UNIV/POLTEK
Subnet Security
• AWS provides two features that you can use to increase
security in your VPC: security groups andnetwork ACLs.
Security groups control inbound and outbound traffic
for your instances, and network ACLs control inbound
and outbound traffic for your subnets. In most cases,
security groups can meet your needs; however, you can
also use network ACLs if you want an additional layer of
security for your VPC.
LOGO
UNIV/POLTEK
Security Groups
• A security group acts as a virtual firewall for your
instance to control inbound and outbound traffic. When
you launch an instance in a VPC, you can assign up to
five security groups to the instance. Security groups act
at the instance level, not the subnet level. Therefore,
each instance in a subnet in your VPC could be assigned
to a different set of security groups. If you don't specify
a particular group at launch time, the instance is
automatically assigned to the default security group for
the VPC.
LOGO
UNIV/POLTEK
Security Groups
• For each security group, you add rules that control the
inbound traffic to instances, and a separate set of rules
that control the outbound traffic. This section describes
the basic things you need to know about security
groups for your VPC and their rules.
LOGO
UNIV/POLTEK
Security Groups
• You have limits on the number of security groups that you can create per
VPC, the number of rules that you can add to each security group, and the
number of security groups you can associate with a network interface. For
more information, see Amazon VPC Limits.
• You can specify allow rules, but not deny rules.
• You can specify separate rules for inbound and outbound traffic.
• When you create a security group, it has no inbound rules. Therefore, no
inbound traffic originating from another host to your instance is allowed
until you add inbound rules to the security group.
• By default, a security group includes an outbound rule that allows all
outbound traffic. You can remove the rule and add outbound rules that
allow specific outbound traffic only. If your security group has no outbound
rules, no outbound traffic originating from your instance is allowed.
LOGO
UNIV/POLTEK
Security Groups
• Security groups are stateful — if you send a request from your
instance, the response traffic for that request is allowed to flow in
regardless of inbound security group rules. Responses to allowed
inbound traffic are allowed to flow out, regardless of outbound rules.
• Instances associated with a security group can't talk to each other
unless you add rules allowing it (exception: the default security group
has these rules by default).
• Security groups are associated with network interfaces. After you
launch an instance, you can change the security groups associated
with the instance, which changes the security groups associated with
the primary network interface (eth0). You can also change the security
groups associated with any other network interface. For more
information about network interfaces, see Elastic Network Interfaces.
LOGO
UNIV/POLTEK
Security Groups
• When you create a security group, you must provide it
with a name and a description. The following rules
apply:
• Names and descriptions can be up to 255 characters in
length.
• Names and descriptions are limited to the following
characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.
• A security group name cannot start with sg-.
• A security group name must be unique within the VPC.
LOGO
UNIV/POLTEK
Security Groups
• Your VPC automatically comes with a default security
group. If you don't specify a different security group
when you launch the instance, each EC2 instance that
you launch in your VPC is automatically associated with
a security group named "launch-wizard-xx". For
example, the security group for the first EC2 instance
that you launch is named "launch-wizard-1".
LOGO
UNIV/POLTEK
Security Groups
• The following table describes the default rules for a
default security group.
Inbound
Source Protocol Port Range Comments
The security group ID All All Allow inbound traffic from instances
(sg-xxxxxxxx) assigned to the same security group.
Outbound
Destination Protocol Port Range Comments
0.0.0.0/0 All All Allow all outbound IPv4 traffic.
::/0 All All Allow all outbound IPv6 traffic. This rule is
added by default if you create a VPC with an
IPv6 CIDR block or if you associate an IPv6
CIDR block with your existing VPC.
LOGO
UNIV/POLTEK
Security Groups
• You can add or remove rules for a security group (also
referred to as authorizing or revoking inbound or
outbound access). A rule applies either to inbound
traffic (ingress) or outbound traffic (egress). You can
grant access to a specific CIDR range, or to another
security group in your VPC or in a peer VPC (requires a
VPC peering connection).
LOGO
UNIV/POLTEK
Security Groups
• The following are the basic parts of a security group rule in a VPC:
• (Inbound rules only) The source of the traffic and the destination port or
port range. The source can be another security group, an IPv4 or IPv6
CIDR block, or a single IPv4 or IPv6 address.
• (Outbound rules only) The destination for the traffic and the destination
port or port range. The destination can be another security group, an IPv4
or IPv6 CIDR block, a single IPv4 or IPv6 address, or a prefix list ID ( A
service is identified by a prefix list—the name and ID of a service for a
Region).
• Any protocol that has a standard protocol number. If you specify ICMP as
the protocol, you can specify any or all of the ICMP types and codes.
• An optional description for the security group rule to help you identify it
later. A description can be up to 255 characters in length. Allowed
characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*.
LOGO
UNIV/POLTEK
Security Groups
• When you specify a CIDR block as the source for a rule, traffic is
allowed from the specified addresses for the specified protocol
and port. When you specify a security group as the source for a
rule, traffic is allowed from the elastic network interfaces (ENI)
for the instances associated with the source security group for
the specified protocol and port. Adding a security group as a
source does not add rules from the source security group.
• Some systems for setting up firewalls let you filter on source
ports. Security groups let you filter only on destination ports.
• When you add or remove rules, they are automatically applied
to all instances associated with the security group.
LOGO
UNIV/POLTEK
Network ACLs
• A network access control list (ACL) is an optional layer of
security for your VPC that acts as a firewall for
controlling traffic in and out of one or more subnets.
You might set up network ACLs with rules similar to
your security groups in order to add an additional layer
of security to your VPC
LOGO
UNIV/POLTEK
Connections with Other VPCs

• VPC peering can be used to establish connections with
other VPC
• You can create a VPC peering connection between your
VPCs, or with a VPC in another AWS account.
• A VPC peering connection enables you to route traffic
between the VPCs using private IP addresses; however,
you cannot create a VPC peering connection between
VPCs that have overlapping CIDR blocks
LOGO
UNIV/POLTEK
VPC Peering
• A VPC peering connection is a networking connection
between two VPCs that enables you to route traffic
between them using private IPv4 addresses or IPv6
addresses
LOGO
UNIV/POLTEK
VPC Peering
• Instances in two or more VPC can communicate with
each other as if they are within the same network
• You can create a VPC peering connection between your
own VPCs, or with a VPC in another AWS account
• AWS uses the existing infrastructure of a VPC to create a
VPC peering connection
• It is neither a gateway nor a VPN connection, and does not
rely on a separate piece of physical hardware.
• There is no single point of failure for communication or a
bandwidth bottleneck
LOGO
UNIV/POLTEK
Connections with Other Providers

• Connection between your VPC and outside world (your
corporate or home network or other cloud providers)
can be done using VPN. If you have an IPv4 address
prefix in your VPC that overlaps with one of your
networks' prefixes, any traffic to the network's prefix is
dropped
LOGO
UNIV/POLTEK
Connections with Other Providers
Subnet X Subnet Y Subnet Z Subnet A Subnet B Subnet C

10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24
VPN VPN
Router Router
Other Network
VPC
LOGO
UNIV/POLTEK
References
• AWS (2019) Amazon Virtual Private Cloud User Guide.
https://docs.aws.amazon.com/vpc/latest/userguide/ind
ex.html
• AWS (2019) Amazon Virtual Private Cloud VPC Peering.
https://docs.aws.amazon.com/vpc/latest/peering/what
-is-vpc-peering.html
• AWS (2019) Security Groups for Your VPC.
https://docs.aws.amazon.com/vpc/latest/userguide/VP
C_SecurityGroups.html
LOGO
UNIV/POLTEK
IKUTI KAMI
digitalent.kominfo
digitalent.kominfo
DTS_kominfo
Digital Talent Scholarship 2019
Pusat Pengembangan Profesi dan Sertifikasi

Badan Penelitian dan Pengembangan SDM
Kementerian Komunikasi dan Informatika
Jl. Medan Merdeka Barat No. 9
(Gd. Belakang Lt. 4 - 5)
Jakarta Pusat, 10110

Cloud Computing - 4 - Virtual Private Cloud (VPC) Dan Network Sec. Group

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cloud Computing - 4 - Virtual Private Cloud (VPC) Dan Network Sec. Group

Uploaded by

Copyright:

Available Formats

LOGO

Virtual Private Cloud

VPC (Virtual Private Cloud)

VPC (Virtual Private Cloud)

VPC (Virtual Private Cloud)

VPC (Virtual Private Cloud)

VPC (Virtual Private Cloud)

User A’s User B’s

User C’s User D’s

VPC and Subnet

VPC and Subnet

Subnet X Subnet Y Subnet Z

User A’s VPC

VPC and Subnet

VPC and Subnet

VPC Subnet Sizing

VPC Subnet Sizing

Connections with Other VPCs

Connections with Other Providers

Connections with Other Providers

Subnet X Subnet Y Subnet Z Subnet A Subnet B Subnet C

Pusat Pengembangan Profesi dan Sertifikasi

You might also like