VPC
Virtual Private Cloud

Provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

Complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Why Custom VPC? What are the problems with the default VPC?

1. The default VPC is a flat network where all the default VPCs of all the users are present
2. A custom VPC provides isolation from the default network, which is exposed to the world
3. A custom VPC is the next level of security

Few notable points

❏ Think of a VPC as a virtual data center in the cloud
❏ A Subnet (sub-network) is a segment of a VPC where you can launch EC2 instances, create RDS databases, etc.
❏ The smallest subnet that can be created in AWS is a /28 mask, i.e. 16 IP addresses
❏ All subnets in the default VPC are Internet facing and hence offer less security
❏ Two types of subnet: PUBLIC & PRIVATE
❏ Subnets must be associated with a Route Table, either explicitly or implicitly
❏ By default, all subnets are associated with the default Route Table (provided by AWS at the time of VPC creation)
❏ If you explicitly associate a subnet with a Route Table, then that subnet drops out of the default Route Table
❏ Subnets reside within one AZ and can't span AZs
❏ One Subnet = One AZ
❏ Twist in the story: in one AZ, there can be multiple Subnets

Route Table
➢ An RT contains a set of rules (called routes) that are applied to a Subnet and used to determine where network traffic is directed
➢ Each RT contains a default route called the local route, which enables communication within the VPC; this route can't be modified or removed
➢ Additional routes can be added to direct traffic to exit the VPC via an IGW
➢ Your custom VPC has an implicit ROUTER
➢ Your VPC automatically comes with a main RT that you can modify to apply additional routing
➢ You can also create additional RTs if needed (we will create one each for the Public subnet and the Private subnet)
➢ You can't delete an RT if it has dependencies, i.e. any associated subnets

Let's try to answer a tricky question to check our understanding.

Q. Which of the following is TRUE about Route Tables? [Multiple Choice]

1. the main route table is created along with the VPC
2. the main route table can be replaced with a custom route table
3. route tables are automatically created and can't be edited/modified
4. a subnet can exist without association with a route table

ANSWER- 1 and 2

Explanation- Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table.

IGW
★ A software router which connects the VPC with the Internet
★ Only 1 IGW can be attached to a VPC at a time
★ An IGW can't be detached from a VPC while there are active resources in the VPC
★ One IGW can only connect to 1 VPC at a time
★ If you detach the IGW from the VPC and then go to the Route Table, you will see the status of the IGW entry as "Black Hole"
● A subnet can be associated with only one route table at a time
● However, you can associate multiple subnets with the same route table

NACL (access control at Subnet level)

➔ An optional layer of security for your VPC
➔ The default VPC already has a NACL in place with the default subnets
➔ In a NACL, we have to define both inbound and outbound rules
➔ Rules are evaluated based on the rule number, from lowest to highest
➔ The first rule evaluated that applies to the traffic type gets immediately applied and executed, regardless of the rules that come after (having a higher rule number)
Example1 (inbound rules):
Rule Number   Type   Protocol   Source      Allow/Deny
80            HTTP   TCP        0.0.0.0/0   ALLOW
90            HTTP   TCP        0.0.0.0/0   DENY
*             ALL    ALL        0.0.0.0/0   DENY

Example2 (inbound rules):
Rule Number   Type   Protocol   Source      Allow/Deny
80            HTTP   TCP        0.0.0.0/0   ALLOW
70            HTTP   TCP        0.0.0.0/0   DENY
*             ALL    ALL        0.0.0.0/0   DENY

Example1- Will allow all inbound HTTP to come in, because rule 80 will be evaluated first and the DENY rule 90 will not be evaluated.

Example2- Will DENY all inbound HTTP traffic, because rule 70 will be evaluated first and the traffic is denied, even though rule 80 allows it.

➔ Any subnet can only be associated with one NACL at a time. An instance can have multiple SGs.
➔ A NACL is associated with a VPC and can't span into another VPC, just like an SG can't span VPCs, but both NACLs and SGs can span AZs.

NACL vs SG... Who Wins?
NACL has higher power than SG. The NACL gets evaluated before the SG. If a particular traffic is denied by the NACL but allowed in the SG, then the traffic will be denied.

★ Each Subnet in your VPC must be associated with a NACL. If you do not explicitly associate one, the subnet is automatically associated with the default NACL
★ A NACL can be associated with multiple subnets; however, a subnet can only be associated with one NACL at a time.

➢ NACL is STATELESS, i.e. both inbound & outbound rules need to be defined
➢ SG is STATEFUL, i.e. only the inbound rule needs to be defined (the return traffic is allowed automatically)

A Question- I want to block a specific IP address from hitting my VPC. Which will help me, NACL or SG?

● NACL is the answer. Why? In an SG you can only allow particular traffic to come in; there is no option to DENY. In a NACL, I have both options, ALLOW and DENY.
SG vs NACL

SG | NACL
Operates at instance level | Operates at subnet level
Supports only ALLOW rules | Supports both ALLOW and DENY rules
Stateful: return traffic is automatically allowed regardless of any rules | Stateless: return traffic must be explicitly allowed by rules
AWS evaluates all rules before deciding whether to ALLOW/DENY traffic | AWS processes rules in number order when deciding to ALLOW/DENY traffic
Applied selectively to individual instances | Automatically applied to all instances in the associated subnet
Mandatory for all instances | Optional layer of security for Subnets
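The NACL Example1/Example2 tables and the SG vs NACL comparison above, worked through as an added example (not part of the original notes): a small simulator of first-match NACL evaluation, allow-only SG evaluation, and the combined decision where the NACL is checked first. The rule sets, the client address 203.0.113.5 and the ephemeral port 51234 are constructed for the example.

```python
# Added example, not from the original notes: simulate how AWS evaluates a NACL
# (lowest rule number first, first match wins, "*" catch-all last) against a
# security group (ALLOW rules only, any match allows), and how the two combine.
from ipaddress import ip_address, ip_network

def port_matches(rule_port, port):
    """rule_port is "ALL", a single port, or a (low, high) range."""
    if rule_port == "ALL":
        return True
    if isinstance(rule_port, tuple):
        return rule_port[0] <= port <= rule_port[1]
    return rule_port == port

def nacl_decision(rules, proto, port, peer_ip):
    """rules: (rule_number, protocol, port, cidr, action); "*" is always evaluated last."""
    ordered = sorted(rules, key=lambda r: (r[0] == "*", 0 if r[0] == "*" else r[0]))
    for _number, rproto, rport, cidr, action in ordered:
        if (rproto in ("ALL", proto) and port_matches(rport, port)
                and ip_address(peer_ip) in ip_network(cidr)):
            return action            # first matching rule is final
    return "DENY"                    # nothing matched: NACLs deny by default

def sg_decision(rules, proto, port, peer_ip):
    """rules: (protocol, port, cidr); SGs have no DENY rules, so no match means deny."""
    for rproto, rport, cidr in rules:
        if (rproto in ("ALL", proto) and port_matches(rport, port)
                and ip_address(peer_ip) in ip_network(cidr)):
            return "ALLOW"
    return "DENY"

def inbound_decision(nacl_in, sg_in, proto, port, src_ip):
    """NACL is evaluated first: an SG ALLOW cannot override a NACL DENY."""
    if nacl_decision(nacl_in, proto, port, src_ip) == "DENY":
        return "DENY (by NACL)"
    return "ALLOW" if sg_decision(sg_in, proto, port, src_ip) == "ALLOW" else "DENY (by SG)"

NACL_EXAMPLE1 = [(80, "TCP", 80, "0.0.0.0/0", "ALLOW"), (90, "TCP", 80, "0.0.0.0/0", "DENY"),
                 ("*", "ALL", "ALL", "0.0.0.0/0", "DENY")]   # constructed, mirrors Example1
NACL_EXAMPLE2 = [(80, "TCP", 80, "0.0.0.0/0", "ALLOW"), (70, "TCP", 80, "0.0.0.0/0", "DENY"),
                 ("*", "ALL", "ALL", "0.0.0.0/0", "DENY")]   # constructed, mirrors Example2
SG_WEB = [("TCP", 80, "0.0.0.0/0")]   # constructed SG: HTTP from anywhere
# Statelessness: the HTTP reply leaves on the client's ephemeral port, so the
# OUTBOUND NACL needs an ephemeral-port ALLOW; an SG would pass it automatically.
NACL_OUT_NO_EPHEMERAL = [(100, "TCP", 443, "0.0.0.0/0", "ALLOW"), ("*", "ALL", "ALL", "0.0.0.0/0", "DENY")]
NACL_OUT_OK = [(100, "TCP", (1024, 65535), "0.0.0.0/0", "ALLOW"), ("*", "ALL", "ALL", "0.0.0.0/0", "DENY")]

if __name__ == "__main__":
    client = "203.0.113.5"           # documentation address, constructed
    for name, nacl in (("Example1", NACL_EXAMPLE1), ("Example2", NACL_EXAMPLE2)):
        print(name, "inbound HTTP:", inbound_decision(nacl, SG_WEB, "TCP", 80, client))
    print("reply without ephemeral rule:", nacl_decision(NACL_OUT_NO_EPHEMERAL, "TCP", 51234, client))
```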
What is Bastion Host or Jump Server?

For some reason I want to access the Internet from my instance in the Private Subnet (a use case: downloading software patches on a DB server in the private subnet)

There is 1 option to achieve this-

1. NAT Gateway (recommended, as we pay only for traffic and there is no worry of maintaining an EC2 instance)
→ need one EIP for this
→ create the NAT Gateway in the public subnet
→ in the NAT route table (the one for the private subnet), add an entry for the NAT Gateway (if you add an IGW entry instead, it will not work)

● Is NAT optional or mandatory? It is optional, based on requirement

● What if there is no NAT, then how do you install the patch on the DB server? How can you forget SCP (Secure Copy)? Copy the installables from the Bastion Host to your DB server.
VPC Peering

❏ Can be peered between VPCs in one region or different regions
❏ Can be peered between VPCs of one account or different accounts
❏ CIDRs of the two VPCs to be peered can't be the same or overlapping
❏ What is the use-case of Peering? A Private IP of one VPC can connect to a Private IP of the other VPC
❏ One VPC will request and the other VPC will have to accept the peering request
❏ VPC peering does not support transitive peering relationships

VPC Endpoint
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Practical-
1. create two subnets, launch instances in both the public and the private subnet
2. create a NAT gateway and try accessing the Internet from the private instance
3. now create a role (S3 full access), attach this role to the private instance and try listing all buckets in your account
4. delete the NAT gateway and create an endpoint for S3. Check if the route tables have the proper entry for the endpoint's private link
5. now try listing S3 buckets from the private instance
6. if you can't see buckets then try adding --region to the CLI command (aws s3 ls --region ap-south-1)
7. after deleting the NAT gateway, you must see a blackhole in the route table entry
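Steps 4 and 7 of the practical, checked programmatically as an added example (not part of the original notes): the script reads the JSON shape that `aws ec2 describe-route-tables` prints and reports blackhole routes, the 0.0.0.0/0 target, and S3 gateway-endpoint routes. SAMPLE is constructed data and every resource ID in it is a placeholder, not a real AWS identifier; the function names are mine.

```python
# Added example, not from the original notes: audit describe-route-tables output
# for the checks in the practical (S3 endpoint route present? blackhole left by
# the deleted NAT gateway?). SAMPLE is constructed; all IDs are placeholders.
import json

SAMPLE = json.loads("""{
 "RouteTables": [{
  "RouteTableId": "rtb-PRIVATE-PLACEHOLDER",
  "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-DELETED-PLACEHOLDER", "State": "blackhole"},
   {"DestinationPrefixListId": "pl-S3-PLACEHOLDER", "GatewayId": "vpce-S3-PLACEHOLDER", "State": "active"}
  ]}]}""")

def route_target(route):
    """Return the route's target ID the way the console shows it (nat-, igw-, vpce-, local...)."""
    for key in ("NatGatewayId", "GatewayId", "VpcPeeringConnectionId", "TransitGatewayId", "NetworkInterfaceId"):
        if key in route:
            return route[key]
    return "unknown"

def audit_route_table(rt):
    """Summarise one route table: blackhole routes, default-route target, endpoint routes."""
    report = {"route_table": rt["RouteTableId"], "blackholes": [],
              "default_route": None, "endpoints": []}
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationPrefixListId")
        target = route_target(route)
        if route.get("State") == "blackhole":       # target was deleted (step 7)
            report["blackholes"].append((dest, target))
        if dest == "0.0.0.0/0":
            report["default_route"] = target
        if "DestinationPrefixListId" in route and target.startswith("vpce-"):
            report["endpoints"].append((dest, target))  # S3 gateway endpoint (step 4)
    return report

def private_subnet_findings(report):
    """Turn the summary into the checks the practical asks for."""
    findings = []
    if report["blackholes"]:
        findings.append("blackhole route(s): " + ", ".join(f"{d} -> {t}" for d, t in report["blackholes"]))
    if report["default_route"] and report["default_route"].startswith("igw-"):
        findings.append("0.0.0.0/0 points at an IGW: this subnet is effectively public")
    if not report["endpoints"]:
        findings.append("no gateway endpoint route: S3 traffic needs NAT or IGW")
    return findings

if __name__ == "__main__":
    print(private_subnet_findings(audit_route_table(SAMPLE["RouteTables"][0])))
```

On real output, replace SAMPLE with `json.load(open("rt.json"))` after running `aws ec2 describe-route-tables > rt.json`.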