AWS VPC
Summary
- CIDR – IP range
- VPC – Virtual Private Cloud => we define a list of IPv4 & IPv6 CIDRs
- Subnets – tied to an AZ, we define a CIDR
- Internet Gateway – at the VPC level, provides IPv4 & IPv6 Internet access
- Route Tables – must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints, ...
- Bastion Host – public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets
- NAT Instances – give Internet access to EC2 instances in private subnets. Old, must be set up in a public subnet, disable the Source / Destination check flag
- NAT Gateway – managed by AWS, provides scalable Internet access to private EC2 instances, when the target is an IPv4 address
- NACL – stateless, subnet rules for inbound and outbound, don't forget Ephemeral Ports
- Security Groups – stateful, operate at the EC2 instance level
- VPC Peering – connect two VPCs with non-overlapping CIDRs, non-transitive
- VPC Endpoints – provide private access to AWS services (S3, DynamoDB, CloudFormation, SSM) within a VPC
- VPC Flow Logs – can be set up at the VPC / Subnet / ENI level, for ACCEPT and REJECT traffic, helps identify attacks, analyze using Athena or CloudWatch Logs Insights
- Site-to-Site VPN – set up a Customer Gateway on the DC, a Virtual Private Gateway on the VPC, and a site-to-site VPN over the public Internet
- AWS VPN CloudHub – hub-and-spoke VPN model to connect your sites
- Direct Connect – set up a Virtual Private Gateway on the VPC, and establish a direct private connection to an AWS Direct Connect Location
- Direct Connect Gateway – set up a Direct Connect to many VPCs in different AWS regions
- AWS PrivateLink / VPC Endpoint Services
  - Connect services privately from your service VPC to customers' VPCs
  - Doesn't need VPC Peering, public Internet, NAT Gateway, Route Tables
  - Must be used with a Network Load Balancer & ENI
- ClassicLink – connect EC2-Classic EC2 instances privately to your VPC
- Transit Gateway – transitive peering connections for VPC, VPN & DX
- Traffic Mirroring – copy network traffic from ENIs for further analysis
- Egress-only Internet Gateway – like a NAT Gateway, but for IPv6 targets
1️⃣ Understanding CIDR – IPv4
- CIDR (Classless Inter-Domain Routing) defines IP address ranges using a prefix notation: IP_address/prefix_length
- Example: 192.168.0.0/24
- /24 means 24 bits for the network and 8 bits for hosts, allowing 256 IP addresses.
2️⃣ Understanding CIDR – Subnet Mask
- Subnet Mask determines which part of an IP is network vs. host.
- Example:
  - CIDR: 192.168.1.0/24
  - Subnet Mask: 255.255.255.0
  - Network = 192.168.1
  - Host = last 8 bits (0-255)
Calculating a subnet mask involves determining how many bits you want to allocate to the network portion versus the host portion of an IP address. This is fundamental in subnetting, which divides a large network into smaller, more manageable sub-networks.
1️⃣ Understanding the Basics
- IPv4 Address: 32 bits (divided into 4 octets of 8 bits each).
- Subnet Mask: Indicates which portion of the IP address is the network ID and which part is the host ID.
- CIDR Notation: A suffix like /24 that tells how many bits are allocated to the network portion.
Example:
- IP Address: 192.168.1.10
- Subnet Mask: 255.255.255.0 (/24)
Here:
- Network bits: 24
- Host bits: 8 (32 – 24)
- Usable hosts = (2^8) - 2 = 254
2️⃣ Formula to Calculate Subnet Mask
- Determine the required number of hosts per subnet.
- Use the formula: Number of host bits = ⌈log2(required hosts + 2)⌉ (+2 accounts for network & broadcast addresses)
- Calculate: Network bits = 32 - host bits
- Subnet mask in decimal: convert the network bits into binary, then into decimal.
3️⃣ Example Calculation
Suppose you need 50 hosts in a subnet.
- Step 1: Host bits = ⌈log2(50 + 2)⌉ = ⌈log2(52)⌉ = 6 bits (log2(52) ≈ 5.7, rounded up)
- Step 2: Network bits = 32 - 6 = 26
- Step 3: Subnet mask = /26
  - Binary: 11111111.11111111.11111111.11000000
  - Decimal: 255.255.255.192
- Usable hosts: 2^6 - 2 = 62
4️⃣ Quick Reference Table
| CIDR | Subnet Mask | Hosts/Subnet |
|---|---|---|
| /24 | 255.255.255.0 | 254 |
| /25 | 255.255.255.128 | 126 |
| /26 | 255.255.255.192 | 62 |
| /27 | 255.255.255.224 | 30 |
| /28 | 255.255.255.240 | 14 |
| /29 | 255.255.255.248 | 6 |
| /30 | 255.255.255.252 | 2 |
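The subnet mask calculation from the steps above and the quick reference table, implemented as an added example (this is my code, not part of the original notes). `plan_subnet` walks the three steps for any required host count, `describe` splits an address the way the 192.168.1.10/24 example does, and `reference_table` regenerates the /24 to /30 rows. Only the Python standard library is used; the function names are my own.

```python
import ipaddress
import math


def host_bits_for(required_hosts: int) -> int:
    """Host bits = ceil(log2(required_hosts + 2)); the +2 reserves the
    network and broadcast addresses, as in the formula above."""
    return math.ceil(math.log2(required_hosts + 2))


def subnet_mask(prefix: int) -> str:
    """Dotted-decimal mask for an IPv4 prefix length (26 -> 255.255.255.192)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def mask_binary(prefix: int) -> str:
    """The same mask written as four binary octets."""
    bits = f"{int(ipaddress.IPv4Address(subnet_mask(prefix))):032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def usable_hosts(prefix: int) -> int:
    """2^(host bits) - 2: the network and broadcast addresses are not assignable."""
    return 2 ** (32 - prefix) - 2


def plan_subnet(required_hosts: int) -> dict:
    """Walk the three steps of the worked example for any host count."""
    host_bits = host_bits_for(required_hosts)   # Step 1
    prefix = 32 - host_bits                      # Step 2: network bits
    return {
        "host_bits": host_bits,
        "prefix": prefix,
        "mask": subnet_mask(prefix),             # Step 3, decimal
        "binary": mask_binary(prefix),           # Step 3, binary
        "usable_hosts": usable_hosts(prefix),
    }


def describe(ip_with_prefix: str) -> dict:
    """Split an address such as 192.168.1.10/24 into network-level facts.
    strict=False accepts a host address, not only the network address."""
    net = ipaddress.ip_network(ip_with_prefix, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "network_bits": net.prefixlen,
        "host_bits": 32 - net.prefixlen,
        "usable_hosts": net.num_addresses - 2,
    }


def reference_table(first: int = 24, last: int = 30) -> list:
    """Regenerate the quick reference table as (cidr, mask, hosts) rows."""
    return [(f"/{p}", subnet_mask(p), usable_hosts(p)) for p in range(first, last + 1)]


if __name__ == "__main__":
    print(plan_subnet(50))
    print(describe("192.168.1.10/24"))
    for row in reference_table():
        print("{:<5} {:<16} {}".format(*row))
```

Running the block prints the /26 plan for 50 hosts, the network/broadcast split for 192.168.1.10/24, and the seven table rows; `plan_subnet` also works for larger VPC-sized blocks such as 60,000 hosts (which lands on /16).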
3️⃣ Public vs. Private IP (IPv4)
| Type | Range Example | Usage |
|---|---|---|
| Private | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | Internal communication, no internet routing |
| Public | Any non-private IP | Accessible over the internet |
4️⃣ Default VPC Walkthrough
- Every AWS account comes with one default VPC per region.
- Features:
  - Public and private subnets
  - Internet Gateway (IGW)
  - Default Security Group
  - Default NACL
  - Ready-to-use setup for quick deployments
5️⃣ VPC in AWS – IPv4
- A Virtual Private Cloud (VPC) is a logically isolated network in AWS.
- You define:
  - CIDR block (e.g., 10.0.0.0/16)
  - Subnets (public or private)
  - Routing tables
  - Network security
6️⃣ Internet Gateway (IGW)
- An IGW connects your VPC to the public internet.
- Allows instances with public IPs to:
  - Send traffic to the internet
  - Receive traffic from the internet
- Must be attached to a VPC and referenced in the route table.
7️⃣ Bastion Hosts
- A Bastion Host is a securely configured EC2 instance used to access private instances via SSH/RDP.
- Acts as a jump server into private subnets.
8️⃣ NAT Instance
- A manually created EC2 instance that:
  - Enables private subnets to access the internet
  - Does not allow inbound traffic
- Requires manual configuration of iptables and routing.
9️⃣ NAT Gateway
- A managed AWS service for NAT (Network Address Translation).
- Allows private subnets to:
  - Download updates, access APIs
- Blocks inbound internet traffic.
- Highly available within a single AZ by default.
🔟 NAT Gateway with High Availability
- Deploy multiple NAT Gateways in different Availability Zones.
- Configure separate route tables for each private subnet for fault tolerance.
1️⃣1️⃣ NAT Gateway vs. NAT Instance
| Feature | NAT Gateway | NAT Instance |
|---|---|---|
| Managed Service | ✅ Yes | ❌ No |
| Scalability | Auto scales | Manual instance sizing |
| High Availability | Built-in (multi-AZ possible) | Manual setup |
| Maintenance | No admin needed | Needs patching/configuration |
1️⃣2️⃣ Security Groups & NACLs
- Security Group (SG):
  - Instance-level virtual firewall
  - Stateful (return traffic is automatically allowed)
- NACL (Network ACL):
  - Subnet-level firewall rules
  - Stateless (explicit rules needed for both inbound and outbound)
1️⃣3️⃣ Network Access Control List (NACL)
- Controls traffic to and from a subnet.
- Rules are evaluated in order by number.
- Default behavior:
  - Default NACL: Allows all traffic.
  - Custom NACL: Denies all until rules are added.
1️⃣4️⃣ Ephemeral Ports
- Temporary ports (1024–65535) used for response traffic (e.g., an HTTP reply).
- NACLs are stateless, so they must explicitly allow the ephemeral port range for the return traffic of connections.
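To make the stateless evaluation concrete, here is an added example (my own code, not from the original notes) that models a NACL as an ordered rule list: the lowest-numbered matching rule wins and an unmatched packet hits the implicit deny, exactly as described in the NACL section above. It then simulates an HTTP request reaching a web server in the subnet and the reply leaving it; without an outbound rule for the ephemeral range the reply is dropped even though the inbound request was allowed. The rule sets and the client address (203.0.113.5, a documentation range) are constructed for the example, and the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # ephemeral port range as given above


@dataclass(frozen=True)
class Rule:
    number: int             # evaluated lowest-first, like NACL rule numbers
    protocol: str           # "tcp", "udp" or "all"
    ports: tuple            # (low, high) destination port range
    cidr: str               # remote address range
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    peer: str               # the address on the far side of the subnet boundary


def _matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.protocol in ("all", pkt.protocol)
    low, high = rule.ports
    port_ok = low <= pkt.dst_port <= high
    peer_ok = ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and peer_ok


def evaluate(rules: list, pkt: Packet) -> str:
    """Stateless evaluation: the lowest-numbered matching rule decides; if
    nothing matches, the implicit '*' rule at the end denies the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def http_exchange(inbound: list, outbound: list,
                  client: str = "203.0.113.5", client_port: int = 49152) -> tuple:
    """A client connects to a web server in the subnet. The request arrives on
    port 80; the reply goes back to the client's ephemeral source port, and
    because the NACL keeps no state it is judged by the OUTBOUND rules alone."""
    request = Packet("tcp", 80, client)
    reply = Packet("tcp", client_port, client)
    return evaluate(inbound, request), evaluate(outbound, reply)


# Constructed rule sets: an inbound allow for HTTP and two outbound variants.
INBOUND = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow")]
OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, "tcp", EPHEMERAL, "0.0.0.0/0", "allow"),
]
# Rule ordering: a lower-numbered deny for one range beats the broad allow.
INBOUND_WITH_BLOCK = [Rule(90, "tcp", (80, 80), "203.0.113.0/24", "deny")] + INBOUND


if __name__ == "__main__":
    print("missing ephemeral rule:", http_exchange(INBOUND, OUTBOUND_NO_EPHEMERAL))
    print("with ephemeral rule:   ", http_exchange(INBOUND, OUTBOUND_WITH_EPHEMERAL))
    print("blocked client range:  ", http_exchange(INBOUND_WITH_BLOCK, OUTBOUND_WITH_EPHEMERAL))
```

The first run prints `('allow', 'deny')`: the request is admitted and the reply silently dropped, which is the classic symptom of a NACL that forgot the ephemeral range. A security group would not need the extra rule, since it tracks the connection and allows the return traffic automatically.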
1️⃣5️⃣ Security Group vs. NACLs
| Feature | Security Group | NACL |
|---|---|---|
| Scope | Instance-level | Subnet-level |
| Stateful | ✅ Yes | ❌ No |
| Rule types | Allow only | Allow & Deny |
| Default rules | Deny all except explicitly allowed | Allow all (default NACL) |
1️⃣6️⃣ VPC Peering
- Allows private communication between two VPCs.
- Uses AWS backbone, no internet required.
- Limitations:
  - No transitive peering
  - CIDR blocks must not overlap
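Both limitations are easy to check before requesting a peering. The following added example (my own code, not from the original notes) validates a set of VPC CIDRs for overlap and shows that two spokes peered with the same hub still cannot reach each other, because peering is not transitive. The VPC names, CIDRs and peering layout are constructed for the example; the function names are my own.

```python
import ipaddress
from itertools import combinations


def overlapping_pairs(vpcs: dict) -> list:
    """Pairs of VPCs whose CIDR blocks overlap; AWS will not peer these."""
    return [
        (a, b)
        for (a, ca), (b, cb) in combinations(vpcs.items(), 2)
        if ipaddress.ip_network(ca).overlaps(ipaddress.ip_network(cb))
    ]


def validate_peerings(vpcs: dict, peerings: set) -> list:
    """Return an error string for every requested peering that cannot be created."""
    errors = []
    for a, b in sorted(peerings):
        if a not in vpcs or b not in vpcs:
            errors.append(f"{a}-{b}: unknown VPC")
        elif ipaddress.ip_network(vpcs[a]).overlaps(ipaddress.ip_network(vpcs[b])):
            errors.append(f"{a}-{b}: CIDRs {vpcs[a]} and {vpcs[b]} overlap")
    return errors


def can_reach(peerings: set, src: str, dst: str) -> bool:
    """Peering is non-transitive: two VPCs talk only over a direct peering."""
    return (src, dst) in peerings or (dst, src) in peerings


def missing_peerings(vpcs: dict, peerings: set) -> list:
    """VPC pairs with no direct peering, which therefore cannot communicate
    even when both are peered with a common hub."""
    return sorted(
        (a, b) for a, b in combinations(sorted(vpcs), 2)
        if not can_reach(peerings, a, b)
    )


# Constructed layout: a shared-services hub peered with two spokes, plus a
# "legacy" VPC that reuses half of the hub's address space.
VPCS = {
    "hub": "10.0.0.0/16",
    "app": "10.1.0.0/16",
    "data": "10.2.0.0/16",
    "legacy": "10.0.128.0/17",
}
PEERINGS = {("hub", "app"), ("hub", "data"), ("hub", "legacy")}

if __name__ == "__main__":
    print("overlapping CIDRs:", overlapping_pairs(VPCS))
    print("peering errors:", validate_peerings(VPCS, PEERINGS))
    print("app -> data reachable:", can_reach(PEERINGS, "app", "data"))
    print("pairs without a direct peering:", missing_peerings(VPCS, PEERINGS))
```

The pairs reported by `missing_peerings` are exactly the ones a full mesh would have to add, which is the growth problem the Transit Gateway section later in these notes addresses.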
1️⃣7️⃣ VPC Endpoints & Types
- Allows private connection to AWS services without internet or NAT.
- Types:
  - Gateway Endpoint: S3, DynamoDB
  - Interface Endpoint (PrivateLink): Other AWS services and third-party apps
1️⃣8️⃣ Gateway or Interface Endpoint for S3?
- Gateway Endpoint is usually preferred for S3:
  - Free
  - Scales automatically
  - Configured in route tables
1️⃣9️⃣ Lambda in VPC accessing DynamoDB
- If a Lambda is in a private subnet:
  - It needs a NAT Gateway or a VPC Endpoint (Gateway) to access DynamoDB privately.
2️⃣0️⃣ VPC Flow Logs
- Capture IP traffic logs for:
  - Network interfaces
  - Subnets
  - VPCs
- Used for:
  - Troubleshooting
  - Security analysis
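As an added example of the security-analysis use (my own code, not from the original notes), the block below parses records in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA records, counts REJECTs per source and flags any source rejected on several distinct destination ports, which is what the summary means by "helps identify attacks". The sample records, the account id and the ENI id are constructed for the example; the same parsing could be pointed at lines exported from CloudWatch Logs or queried through Athena.

```python
from collections import Counter, defaultdict

# Field order of the default VPC Flow Log format (version 2).
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: one external address probing several ports on an
# instance and being rejected, one normal HTTPS session, one NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0123456789abcdef0 203.0.113.5 10.0.1.20 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.5 10.0.1.20 51001 23 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.5 10.0.1.20 51002 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.5 10.0.1.20 51003 445 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 44321 443 6 20 4100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 10.0.1.20 198.51.100.7 443 44321 6 18 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one space-separated record; '-' means the field is absent
    (NODATA / SKIPDATA records carry no traffic fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize(records: list, scan_threshold: int = 3) -> dict:
    """Count REJECTs per source, record the distinct destination ports each
    source was rejected on, and flag sources rejected on at least
    `scan_threshold` different ports."""
    rejects = Counter()
    ports = defaultdict(set)
    accepted_bytes = 0
    for rec in records:
        if rec["log_status"] != "OK":
            continue            # nothing to analyse in NODATA / SKIPDATA records
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
            ports[rec["srcaddr"]].add(rec["dstport"])
        elif rec["action"] == "ACCEPT":
            accepted_bytes += rec["bytes"]
    flagged = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return {
        "rejects_by_source": dict(rejects),
        "rejected_ports_by_source": {s: sorted(p) for s, p in ports.items()},
        "accepted_bytes": accepted_bytes,
        "flagged_sources": flagged,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Remember that a REJECT line only says the packet was dropped by a security group or NACL; it does not say which one, so a spike of rejects on ports the instance never serves is a useful alert, while rejects on a port you do serve point at a missing rule (for example the ephemeral range in a NACL).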
2️⃣1️⃣ AWS Site-to-Site VPN
- Secure connection between:
  - On-premises data center and AWS VPC
- Uses IPSec tunnels over the Internet.
2️⃣2️⃣ AWS VPN CloudHub
- Connects multiple on-premises VPNs to a single AWS VPC.
- Used for hub-and-spoke topology.
2️⃣3️⃣ AWS Direct Connect (DX)
- Dedicated physical network connection from on-prem to AWS.
- Benefits:
  - Lower latency
  - Stable performance
  - Reduced data transfer cost
2️⃣4️⃣ Direct Connect Gateway
- Allows DX connections to multiple VPCs (across accounts or regions).
2️⃣5️⃣ Site-to-Site VPN connection as a backup
- Common setup:
  - Primary: Direct Connect
  - Backup: VPN over internet
- Ensures redundancy if DX link fails.
2️⃣6️⃣ AWS Transit Gateway
- A hub-and-spoke model for connecting:
  - Multiple VPCs
  - On-premises networks
- Replaces complex peering mesh architectures.
2️⃣7️⃣ VPC – Traffic Mirroring
- Captures network packets for:
  - Security monitoring
  - Intrusion detection
  - Troubleshooting
2️⃣8️⃣ Pricing: NAT Gateway vs. Gateway VPC Endpoint
| Feature | NAT Gateway | Gateway Endpoint |
|---|---|---|
| Cost | Paid per hour + data processed | Free |
| Latency | Slightly higher (NAT translation) | Lower (direct route) |
| Use Case | Internet access for private subnets | Private S3/DynamoDB access |
2️⃣9️⃣ Network Protection on AWS
- Tools:
  - Security Groups
  - NACLs
  - AWS WAF
  - Shield
  - AWS Network Firewall
- Helps mitigate:
  - DDoS attacks
  - Malicious requests
  - Unauthorized access
3️⃣0️⃣ AWS Network Firewall
- Managed, stateful network firewall service.
- Used for:
  - Deep packet inspection
  - Domain and IP filtering
  - Egress controls
3️⃣1️⃣ What is IPv6?
- 128-bit addressing system allowing virtually unlimited unique addresses.
- Format example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- Eliminates IP exhaustion problem of IPv4.
3️⃣2️⃣ IPv6 in VPC
- AWS supports dual-stack VPCs:
  - Assign IPv4 + IPv6 addresses to instances.
- IPv6 provides global unicast routing without NAT.