Amazon VPC


Think of Amazon Virtual Private Cloud (VPC) as a virtual data center the cloud. Amazon VPC lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. AWS allows you to create up to 5 VPCs per region.

You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Additionally, you can create Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

Big Picture


  • Virtual Private Cloud: Logically isolated virtual network in the AWS cloud. You define a VPC's IP address space from ranges you select.
  • Subnet: A segment of a VPC's IP address range where you can place groups of isolated resources.
  • Internet Gateway: The Amazon VPC side of a connection to the public Internet.
  • Route Table: Contains a set of rules that are used to determine where network traffic is directed.
  • Security Group: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance.
  • Network ACL: A second layer of security that acts as a firewall for controlling traffic in and out of one or more subnets.
  • NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.

What Can You Do with a VPC?

  • Create subnets which go in different Availability Zones (one subnet is in one availability zone).
  • Launch instances into a subnet of your choosing.
  • Assign custom address ranges to subnets.
  • Configure route tables between subnets.
  • Create an Internet Gateway and attach it to your VPC (can only have one per VPC).
  • Have much better security control over your AWS resources.
  • Create instance security groups (which can span Availability Zones).

VPC consists of IGWs (Or Virtual Private Gateways), Route Tables, Network Access Control Lists, Subnets, and Security Groups. Note that Security Groups are Stateful; Network Access Control Lists are Stateless.

When you create a VPC, you must assign it an IPv4 CIDER block (a range of private IPv4 addresses). Private IPv4 addresses are not reachable over the Internet. In CIDER notation, IP addresses are followed by a slash and a decimal value. This value indicates the number of bits in the routing prefix.

Default VPC

AWS creates automatically creates a Default VPC in every AWS region for you. The default VPC is user friendly, allowing you to immediately deploy instances. All subnets in the default VPC have a route out to the Internet. Each EC2 instance has both a public and private IP address. Default VPC is in contrast to Custom VPC.

VPC Peering

VPC Peerting allows you to connect one VPC with another via a direct network route using private IP addresses. Instances behave as if they were on the same private network. You can peer VPCs with other AWS accounts as well as with other VPCs in the same account. Peerting is in a start configuration. There's no transitive peeting.

Route Tables

Contains a set of rules that are used to determine where network traffic is directed. Allows you to specify which subnets are routed to the Internet gateway, the virtual private gateway, or other instances (communication between subnets).

To add Internet access, create a new route table and add the (IPv6 is ::/0) destination and the target of your Internet Gateway (IGW). Subnets that access to the Internet are called Public Subnets. Those that don't are called Private Subnets.

NAT Instances and NAT Gateways

If you have a private server, how can you install software, perform updates, etc?

You can have your private instances flow through NAT instances for Internet access. NAT Instances are a type of Amazon Machine Image (IMA). When creating a NAT instance, disable source/destination check. NAT instances must be in a public subnet. There must be a route our of the private subnet to the NAT instance, in order for this to work. The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size. You can create high availability using autoscaling groups, multiple subnets in different AZs, and a script to automate failover. NAT Instances are behind a security group.

However, NAT Gateways are preferred. They scale automatically up to 10 Gbps. You can create a NAT Gateway from the VPC console. There no need to patch and NAT Gateways are not associated with security groups. NAT Gateways are managed by Amazon and are automatically assigned a public IP address. Remember to update your route tables: Add destination and target nat-<id>. NAT Gateways are more secure than NAT Instances.

A NAT is used to provide instance traffic to EC2 instances in private subnets. A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets.

Network Access Control Lists (ACL)

The AWS documentation has a nice comparison of Security Groups and Network Access Control Lists (ACLs).

Security Group Network ACL
Operates at the instance level (first layer of defense). Operates at the subnet level (second layer of defense)
Supports allow rules only. Supports allow rules and deny rules.
Is stateful: return traffic is automatically allowed regardless of any rules. Is stateless: return traffic must be explicitly allowed by rules.
AWS evaluates all rules before deciding whether to allow traffic. AWS processes rules in number order when deciding whether to allow traffic.
Applices to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on. Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)

Note that you can block IP addresses using network ACLs, not security groups.

Your VPC automatically comes with a default network ACL and by default it allows all outbound and inbound traffic. You can also create a custom network ACL. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL. You can associate a nework ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.

A network ACL contains a numbered list of rules that is evaluated in order, starting with the lowest numbered rule. A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic. Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic.

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Flow logs can be created at 3 levels: VPC, subnet, or network interface level. Note that not all IP traffic is monitored.

VPC Endpoints

A VPC endpoint allows you to securely connect your VPC to another service. An interface endpoint is an elastic network interface (ENI) that serves as an entry point for traffic destined to the service. A gateweay endpoint serves as a target for a route in your route table for traffic destined for the service.