Virtual Private Cloud (VPC)
- A Virtual Private Cloud (VPC) is logically isolated from other VPCs on AWS.
- A default VPC is created in each region with a subnet in each AZ.
- The default VPC has all-public subnets.
Amazon VPC – Components
- NAT Gateway: A highly available, managed Network Address Translation (NAT) service that lets resources in a private subnet reach the Internet.
Amazon VPC – Routing
- The VPC router performs routing between AZs within a region.
- Each subnet has a route table the router uses to forward traffic within the VPC.
- Route tables also carry entries for destinations outside the VPC.
Amazon VPC – Subnets and Addressing
- The VPC is created with a master address range (a CIDR block with a prefix length between /16 and /28), and subnet ranges are carved out within that range.
- Once the VPC is created, you cannot change its CIDR block.
- Subnets with overlapping IP address ranges cannot be created.
- The first 4 and last 1 IP addresses in a subnet are reserved.
- Subnets map 1:1 to AZs and cannot span AZs.
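The addressing rules above (a /16 to /28 VPC block, subnets inside that block, no overlapping subnets, five reserved addresses per subnet) are easy to get wrong when planning a VPC by hand. The following checker is an added example and is not part of the original notes or of any AWS tooling; it uses only the Python standard library, and the VPC block, subnet ranges and AZ names in it are constructed sample values.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the network if its prefix length is within the /16-/28 range AWS accepts, else raise."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR prefix must be between /16 and /28")
    return net


def is_valid_vpc_cidr(cidr):
    """Boolean wrapper around validate_vpc_cidr for callers that do not want an exception."""
    try:
        validate_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def usable_hosts(subnet_cidr):
    """Number of addresses actually assignable to instances in a subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps: network address, +1, +2, +3 and the broadcast address."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def plan_subnets(vpc_cidr, subnets):
    """Check a list of (subnet_cidr, az) pairs against the VPC block.

    A subnet is accepted only if it lies inside the VPC block and does not
    overlap any subnet accepted before it. Returns (accepted, errors).
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    accepted = []
    errors = []
    for cidr, az in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            errors.append(f"{cidr} is outside VPC block {vpc}")
            continue
        clash = [c for c, _ in accepted if ipaddress.ip_network(c).overlaps(net)]
        if clash:
            errors.append(f"{cidr} overlaps already planned subnet {clash[0]}")
            continue
        accepted.append((cidr, az))  # one subnet maps to exactly one AZ
    return accepted, errors


# Constructed sample plan: one overlapping subnet and one outside the VPC block.
SAMPLE_VPC = "10.0.0.0/16"
SAMPLE_SUBNETS = [
    ("10.0.1.0/24", "eu-west-1a"),
    ("10.0.2.0/24", "eu-west-1b"),
    ("10.0.1.128/25", "eu-west-1c"),  # overlaps 10.0.1.0/24
    ("10.1.0.0/24", "eu-west-1a"),    # outside 10.0.0.0/16
]

if __name__ == "__main__":
    ok, bad = plan_subnets(SAMPLE_VPC, SAMPLE_SUBNETS)
    for cidr, az in ok:
        print(f"{cidr} in {az}: {usable_hosts(cidr)} usable, reserved {reserved_addresses(cidr)}")
    for err in bad:
        print("rejected:", err)
```

Run it as a script to see which of the constructed subnets are accepted; `usable_hosts` is what to use when sizing a subnet, since a /24 gives 251 assignable addresses rather than 254.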
Amazon VPC – Security Groups
- Security group membership can be changed whilst instances are running.
- You cannot block specific IP addresses using security groups; use NACLs instead.
- Security groups cannot be used to block specific address ranges either, because they hold allow rules only.
Amazon VPC – Network ACLs
- NACLs apply only to traffic entering or leaving the subnet, not to traffic between instances within the same subnet.
- A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic.
- A custom NACL denies all traffic, both inbound and outbound, by default.
- All subnets must be associated with a network ACL.
- Changes to NACLs take effect immediately.
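To make the difference between the two filters concrete, here is a small evaluator, added as an example rather than taken from the notes or from AWS: a security group is modelled as a list of allow rules where any match admits the packet and no match means implicit deny, and a NACL as numbered rules evaluated in ascending rule-number order with first match winning and an implicit final deny. The rule-number ordering is AWS behaviour that the notes do not state; the subnet, addresses and rule sets are constructed sample values. The evaluator also skips the NACL for a source inside the subnet, matching the point above that NACLs do not see intra-subnet traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SgRule:
    """A security group rule: allow-only, so there is no action field."""
    proto: str
    port: int
    cidr: str


@dataclass
class NaclRule:
    """A NACL rule: numbered, and may allow or deny. port=None and proto='all' match anything."""
    number: int
    action: str  # "allow" or "deny"
    proto: str
    port: Optional[int]
    cidr: str


def sg_allows(rules, proto, port, src):
    """Security group semantics: any matching allow rule admits the packet, otherwise deny."""
    ip = ipaddress.ip_address(src)
    return any(
        r.proto == proto and r.port == port and ip in ipaddress.ip_network(r.cidr)
        for r in rules
    )


def nacl_decision(rules, proto, port, src):
    """NACL semantics: rules evaluated in rule-number order, first match wins, final '*' rule denies."""
    ip = ipaddress.ip_address(src)
    for r in sorted(rules, key=lambda r: r.number):
        proto_ok = r.proto in ("all", proto)
        port_ok = r.port is None or r.port == port
        if proto_ok and port_ok and ip in ipaddress.ip_network(r.cidr):
            return r.action
    return "deny"  # the implicit catch-all rule at the end of every NACL


def inbound_permitted(nacl_rules, sg_rules, subnet_cidr, proto, port, src):
    """Combine both filters for a packet arriving at an instance in subnet_cidr."""
    intra_subnet = ipaddress.ip_address(src) in ipaddress.ip_network(subnet_cidr)
    if not intra_subnet and nacl_decision(nacl_rules, proto, port, src) == "deny":
        return False
    return sg_allows(sg_rules, proto, port, src)


# Constructed sample policy: a bastion subnet that admits SSH from anywhere in its security group.
SUBNET = "10.0.1.0/24"
SG_SSH_ANYWHERE = [SgRule("tcp", 22, "0.0.0.0/0")]

# What AWS gives you: the default NACL allows everything, a fresh custom NACL has no rules.
DEFAULT_NACL = [NaclRule(100, "allow", "all", None, "0.0.0.0/0")]
CUSTOM_NACL_EMPTY = []

# The only way to single out one address (constructed sample value) is a NACL deny ahead of the allow.
NACL_BLOCK_ONE_HOST = [
    NaclRule(10, "deny", "tcp", 22, "203.0.113.7/32"),
    NaclRule(100, "allow", "tcp", 22, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for src in ("203.0.113.7", "203.0.113.8", "10.0.1.9"):
        print(src, "->", inbound_permitted(NACL_BLOCK_ONE_HOST, SG_SSH_ANYWHERE, SUBNET, "tcp", 22, src))
```

Note that the security group alone cannot express the block: `sg_allows` returns True for the blocked address as long as the 0.0.0.0/0 rule is present, which is exactly why the notes send you to NACLs for that job.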
VPC Flow Logs
- Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC.
- Flow log data is stored using Amazon CloudWatch Logs.
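Flow log records are the raw material for noticing traffic that your NACLs and security groups rejected. The parser below is an added example, not from the notes or from AWS; it reads the default (version 2) flow log record layout, which is the space-separated field list `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`, and summarises REJECT records per source. The log lines, account id, interface id and addresses are constructed sample values, and `NODATA` records (which carry `-` in the traffic fields) are handled rather than crashing the parser.

```python
from collections import Counter, defaultdict

# Default VPC flow log record format (version 2), in field order.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log_line(line):
    """Split one record into a dict; numeric fields become int, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def reject_summary(lines):
    """Count REJECT records per (source address, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_log_line(line)
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


def rejected_ports_by_source(lines):
    """Map each source address to the sorted set of destination ports it was rejected on."""
    ports = defaultdict(set)
    for (src, dport), _ in reject_summary(lines).items():
        ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items()}


def sources_probing_many_ports(lines, threshold=3):
    """Sources rejected on at least `threshold` distinct ports: a simple port-sweep indicator."""
    return sorted(
        src for src, ports in rejected_ports_by_source(lines).items() if len(ports) >= threshold
    )


# Constructed sample records (placeholder account id and interface id).
SAMPLE_LINES = [
    "2 111122223333 eni-0abc123def456789a 198.51.100.23 10.0.1.12 50123 22 6 4 240 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0abc123def456789a 198.51.100.23 10.0.1.12 50124 3389 6 3 180 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0abc123def456789a 198.51.100.23 10.0.1.12 50125 445 6 3 180 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0abc123def456789a 10.0.2.40 10.0.1.12 41022 443 6 20 4249 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0abc123def456789a 203.0.113.9 10.0.1.12 60000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0abc123def456789a - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for (src, dport), n in sorted(reject_summary(SAMPLE_LINES).items()):
        print(f"REJECT {src} -> port {dport}: {n}")
    print("port sweep candidates:", sources_probing_many_ports(SAMPLE_LINES))
```

The same functions work on lines pulled from CloudWatch Logs; if you enable a custom flow log format, adjust `FIELDS` and `INT_FIELDS` to match the fields you chose.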