Skip to content

VPC

  • VPC: IP range, subnets, topologies, routing tables, network gateway, NACL, Sec Groups, VPN
    • Connect to either Internet, VPN or other VPCs
    • 200 subnets
  • AWS Direct Connect (1 gbps or 10 gbps):
    • Multiple VLANs
    • Consistent, low cost, network performance
  • Route 53 integrated with ELB, CloudFront, S3, Management Console
    • Helps take advantage of multiple AZ
  • CloudFront: CDN, can distribute dynamic, static and streaming contents to edge locations
  • Default VPC includes default (public) subnet for each AZ, and an IGW (IGW max 1/VPC).
  • VPC can have multiple IP4 or one IP6 CIDR block. You cannot remove primary CIDR block.
  • Each non-default subnet is private, and instances get only private IP address
  • Scenarios
    • To enable internet access, attach IGW to VPC (if non-default) and assign elastic IP
    • Or, if only outbound internet access is needed, use a NAT device to assign IP, or for IP6 use egress-only IGW
    • To establish site-to-site VPN, VPG on AWS, and an on-prem Customer Gateway (physical) is needed
  • Largest /16 and smallest /28. IP6 size is fixed at ::/56
  • No charges for basic VPC, but charges for site-to-site VPN and NAT gateway
  • Connection between two VPCs (peering) or VPC and VPN should use non-overlapping CIDR blocks
    • otherwise overlapping ranges will always be routed locally
  • Two or more account can share VPC by sharing one or more subnets
    • Must also enable resource sharing from master account using RAM
    • Only accounts or OUs belonging to the same Organization can share VPCs
  • NAT instance, unlike NAT gateway,
    • require source/destination check disabled
    • SG
    • Must explicitly be placed in public subnet

Interconnect

  • Virtual Private Gateway offers routing to VPC using either VPN or Direct Connect Gateway
    • Offers connectivity to only one VPC, requiring one VPG for each VPC
  • Transit Gateway TGW allows multiple VPC connections with a single VPN connection
    • For example, use a TGW to route traffic to an endpoint in a single VPC, instead of creating an endpoint in multiple VPCs

VPC endpoints

  • enables connecting VPC to AWS services and AWS PrivateLink without requiring internet gateway. Consists of:
  • VPC endpoint: VPC entry point that allows privately connecting to a service. Types of VPC endpoint:
    • Interface endpoint (AWS PrivateLink): an ENI with private IP from a subnet that servers as entry-point for traffic destined for supported AWS or VPC endpoint service. Application needs to be pointed to endpoint
    • Gateway endpoint: supported for AWS services (S3 and DynamoDB). Specify endpoint as target in route table. Routing table takes care of routing the correct service instead of application needing to use the correct endpoint.
    • Gateway Load Balancer endpoint: is an ENI with private IP from subnet. The traffic is intercepted and routed to service configured using Gateway Load Balancer. Specify this type of endpoint as a target in a route table.
  • Endpoint Service: An application or service running in a separate VPC from other VPC that access this service using VPC endpoint
  • PrivateLink: technology that provides private connectivity between VPC and services. Powers VPC and Gateway Load Balancer endpoints
  • offers connections to inter-customer AWS services and AWS partners without going over internet
  • VPC Endpoint Service allows the producer hosting a custom application on AWS using PrivateLink that consumers can connect to using interface VPC endpoint
    • on the service side, PrivateLink works with NLB for routing, but on the client side it appears as an endpoint
  • interface VPC endpoint: to enable a service over PrivateLink, add a VPC endpoint and and elastic NIC with private IP
    • Having IP => can be managed using SG and accessed using VPN
  • no data transfer fees for consumers or provides (v/s externally hosted services)
  • allows private SaaS offers on Amazon Market Place
  • PrivateLink uses hyperplane based ENI, software defined networking, provides throughput of 10-40 Gbps
(old) VPC Endpoint PrivateLink
Limited to S3,DynamoDB many more, including custom applications
endpoint outside customer VPC endpoint inside customer VPC
N/A Uses ENI and IP from subnet
  • Allows access to resources in another VPC by creating a private IP address that links to service provider's VPC
  • Endpoint creates an ENI withing CIDR range of consumer's VPC
    • Just like any other ENI, consumers can create security-group, filter traffic etc
    • Endpoints can also have IAM policy that can restrict traffic
  • Endpoints allow access to either AWS services, or third-party services

Architectural Patterns for multiple (100+) VPCs

  • Decentralized: endpoints for each VPC/availability zone, for each service
  • Centralized: using multi account best practices:
    1. Have a shared services VPC/Account that hosts all endpoints
    2. Transit Gateway allows other accounts to access shared services account/VPC.
      • Can also use VPC peering, but for a large number of VPCs, TGW is a better solution
    3. DNS:
      • disable private hosted zone at endpoint/input level
      • configure private hosted zone using Route 53, and share it with consumers
  • cost:
    • Decentralized: per each endpoint + per GB data processed by the endpoint
    • Centralized: per each endpoint + per GB data processed by the endpoint + TGW + per GB data processed by the TGW
  • BP:
Criterion Centralized Decentralized
cost per EP + GB by EP EP + GB by EP + TGW + GB by TGW
is cheaper if large # of VPCs and Services high volume traffic
Security+Management ends up whitelisting all More granular
Management fewer SG+policies but large # of rules large # of SG+policies
Supports overlapping IPs No Yes
Chargeback/accounting Hard Easier
DNS: private hosted zone Need one defined in Route 53

VPC Peering

  • Connect different VPCs using private IP addresses
  • Same or different AWS accounts allowed
  • Not transitive => all VPC must have explicit peering
  • V/S PrivateLink
    • Requires non-overlapping IP addresses.
    • VPC exposes entire VPC, which needs to controlled by SG, NACL, routing tables etc)
    • can peer to only 125 VPCs
    • allows bi-directional connectivity. For PrivateLink, consumer must initiate the request

Subnet

  • AWS reserves first 4 and the last IPs of every subnet.
  • IP6 size is fixed at ::/64
  • Cannot span AZ
  • Each can have a different routing table that directs to
    • Internet Gateway IGW (public)
    • VPG (VPN), or local only

Routing tables

  • VPC comes with a default Main routing table. Custom ones can be created and associated with a Subnet
  • contains by default local route for communicating within VPC.
    • if VPC has multiple CIDR blocks, a route is added for each CIDR block
  • most specific (longest prefix) route is chosen