Networking & Content Delivery

Amazon VPC

"Define and launch AWS resources in a logically isolated virtual network."

Amazon VPC (Virtual Private Cloud)

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Key Components

  • CIDR Block: Classless Inter-Domain Routing. Defines the IP address range of the VPC (e.g., 10.0.0.0/16).
  • Subnets: Segments of the VPC's IP range where you launch resources.
    • Public Subnet: Has a route to an Internet Gateway.
    • Private Subnet: No direct route to the Internet.
  • Route Tables: Rules (routes) that determine where network traffic is directed.
  • Internet Gateway (IGW): Allows communication between the VPC and the Internet. (Horizontally scaled, redundant, and highly available; no bandwidth bottleneck to manage).
  • NAT Gateway: Allows instances in a Private Subnet to connect to the Internet (for updates) but prevents the Internet from initiating connections.
    • Managed by AWS.
    • Created in a Public Subnet.
  • NAT Instance: Legacy EC2 instance acting as a NAT. (Not managed, disable Source/Dest check).

Security

  1. Security Groups:
    • Instance level (attached to the elastic network interface).
    • Stateful: return traffic for a connection admitted by an inbound rule is allowed automatically, regardless of the outbound rules (and vice versa).
    • "Allow" rules only (cannot deny); anything not explicitly allowed is dropped.
  2. Network ACLs (NACLs):
    • Subnet level.
    • Stateless: no connection tracking, so inbound and outbound must each be allowed explicitly, including the ephemeral-port range used by return traffic.
    • Supports "Allow" and "Deny" rules.
    • Rules are evaluated in ascending rule-number order; the first match wins, and the implicit final "*" rule denies.
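Added example (not part of this page and not AWS code): a small Python model of the two evaluation styles described above. It assumes a web server accepting HTTPS (port 443) from a constructed client at 203.0.113.10, and shows two things the bullets state: a stateless NACL that allows inbound 443 still drops the response unless the outbound ephemeral-port range is allowed, while the stateful security group admits the return traffic with no outbound rule at all; and because NACL rules are evaluated lowest number first, a deny placed at a higher number than a broad allow is never reached. All rule numbers, addresses and ports are constructed sample values.

```python
"""Simplified simulation of VPC Security Group (stateful, allow-only) and
Network ACL (stateless, numbered allow/deny) packet decisions.

Illustration only: not the AWS implementation or any AWS API. Addresses,
ports and rule numbers are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

EPHEMERAL = (1024, 65535)  # client source-port range a NACL must allow for return traffic


@dataclass(frozen=True)
class Rule:
    """One rule. `number` orders NACL evaluation; security groups ignore it."""
    number: int
    action: str          # "allow" or "deny" (security groups only use "allow")
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"

    def matches(self, port: int, address: str) -> bool:
        return self.port_from <= port <= self.port_to and ip_address(address) in ip_network(self.cidr)


def nacl_decide(rules: list, port: int, address: str) -> tuple:
    """Stateless: every packet is checked against the rules in ascending
    rule-number order; first match wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(port, address):
            return rule.number, rule.action
    return None, "deny"


@dataclass
class SecurityGroup:
    """Stateful: a flow admitted by an inbound rule has its return traffic
    allowed automatically, whatever the outbound rules say."""
    inbound: list
    outbound: list = field(default_factory=list)
    _tracked: set = field(default_factory=set)

    def inbound_allowed(self, port: int, src: str, src_port: int) -> bool:
        if any(r.matches(port, src) for r in self.inbound):
            self._tracked.add((src, src_port, port))  # remember the admitted flow
            return True
        return False  # there are no deny rules; unmatched traffic is simply dropped

    def outbound_allowed(self, dst: str, dst_port: int, src_port: int) -> bool:
        if (dst, dst_port, src_port) in self._tracked:
            return True  # return traffic of a tracked connection
        return any(r.matches(dst_port, dst) for r in self.outbound)


def simulate_https(nacl_in, nacl_out, sg, client="203.0.113.10", client_port=51515) -> dict:
    """Walk one HTTPS request and its response through NACL and security group.
    Inbound path: NACL (subnet) then SG (instance); outbound path: SG then NACL."""
    req_nacl = nacl_decide(nacl_in, 443, client)[1] == "allow"
    req_sg = req_nacl and sg.inbound_allowed(443, client, client_port)
    # Response goes from server port 443 to the client's ephemeral port;
    # the outbound NACL is matched on that client port.
    resp_sg = req_sg and sg.outbound_allowed(client, client_port, 443)
    resp_nacl = resp_sg and nacl_decide(nacl_out, client_port, client)[1] == "allow"
    return {"request": req_sg, "response": resp_nacl}


def make_web_sg() -> SecurityGroup:
    # Constructed: inbound 443 from anywhere, deliberately no outbound rules
    return SecurityGroup(inbound=[Rule(0, "allow", 443, 443)])


# Constructed sample NACL configuration (not from any real account)
NACL_IN = [
    Rule(50, "deny", 443, 443, "198.51.100.0/24"),   # evaluated before rule 100
    Rule(100, "allow", 443, 443),
    Rule(150, "deny", 443, 443, "203.0.113.0/24"),   # shadowed: rule 100 already matched
]
NACL_OUT_WEAK = [Rule(100, "allow", 443, 443)]          # forgets the ephemeral range
NACL_OUT_FIXED = NACL_OUT_WEAK + [Rule(110, "allow", *EPHEMERAL)]

if __name__ == "__main__":
    print(simulate_https(NACL_IN, NACL_OUT_WEAK, make_web_sg()))   # response dropped by NACL
    print(simulate_https(NACL_IN, NACL_OUT_FIXED, make_web_sg()))  # request and response allowed
    print(nacl_decide(NACL_IN, 443, "198.51.100.7"))   # (50, 'deny')
    print(nacl_decide(NACL_IN, 443, "203.0.113.10"))   # (100, 'allow'); rule 150 never reached
```

The weak outbound NACL is the classic symptom of "security group allows it but the connection hangs": the inbound request passes, the stateful group lets the reply out, and the stateless NACL drops the reply on the client's ephemeral port. VPC Flow Logs on the subnet would show the REJECT for that reply.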

Connectivity Features

  • VPC Peering: Connect two VPCs (same or different account/region) privately. Transitive peering is NOT supported.
  • VPC Endpoints: Private connection to AWS services (S3, DynamoDB) without using public internet.
    • Gateway Endpoint: S3 and DynamoDB. (Updates Route Table).
    • Interface Endpoint (PrivateLink): Most other services. (An elastic network interface, eni-xxxx, with a private IP in your subnet; control access with a Security Group).
  • VPN (Site-to-Site): Connect on-prem data center to VPC.
    • Virtual Private Gateway (VGW): AWS side.
    • Customer Gateway (CGW): Customer/On-prem side.
  • Direct Connect: Dedicated physical fiber connection (Not over internet). High bandwidth, reliable.
  • Transit Gateway: Hub-and-spoke model to connect many VPCs and on-prem networks.

Exam Tips

  • Peering is not transitive: If A peers with B, and B peers with C, A cannot talk to C.
  • Stateful vs Stateless: Security Groups are Stateful, NACLs are Stateless.
  • Subnet = Availability Zone: A subnet is mapped to exactly one AZ.
  • Flow Logs: Capture IP traffic metadata (accepted and rejected flows) for an interface, subnet, or whole VPC. Use for troubleshooting connectivity and for security monitoring.

Common Use Cases

  • Hosting multi-tier web applications (Web in Public, DB in Private).
  • Hybrid Cloud architectures (VPN/Direct Connect).
  • Isolating workloads (Dev vs Prod VPCs).