Amazon VPC

AWS Virtual Private Cloud (VPC) is an Amazon service that enables customers to build their own virtual network inside the Amazon cloud and use that network to launch Amazon resources. Amazon VPC lets customers create their own virtual private cloud, which logically isolates a section of the cloud for them.

AWS customers can think of a VPC as their own network of machines and databases that lives entirely inside Amazon's infrastructure and can be managed as if it were in their own data center. Combined with a virtual private network (VPN) or Direct Connect, Amazon VPC becomes an extension of the customer's data center in the cloud, which gives them complete control over how the networking is configured.

  • A virtual private cloud (VPC) is a virtual network dedicated to customers AWS accounts.
    • This virtual network closely resembles a traditional network that would operate in customers own data center, with the benefits of using the scalable infrastructure of AWS.
  • It is logically isolated from other virtual networks in the AWS Cloud.
    • Customers can launch their AWS resources, such as Amazon EC2 instances, into their VPC. 
    • Customers can also specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.
  • Customers must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block during the creation of an Amazon VPC. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created.

Amazon VPC benefits

Amazon VPC gives customers complete freedom to host their applications in the cloud while still letting those applications interact with the applications running in their data center.

AWS Customers can customize their virtual networking environment as they like, such as selecting their own IP address range; creating their own subnets; and configuring their own route tables, network gateways, and security settings.

AWS Customers control their virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables and network gateways. 

AWS customers can add an additional layer of control by using security groups and network access control lists. They can store data in Amazon S3 and restrict access so that it is only accessible from instances inside their VPC.

Types of VPC

The Amazon VPC service has two different networking platforms available within AWS:

1. EC2-Classic
  • Amazon EC2 originally launched with a single, flat network shared with other customers; AWS accounts created before the Amazon VPC service arrived can launch instances into either the EC2-Classic network or EC2-VPC.
  • Instance receives a public IPv4 address from the EC2-Classic public IPv4 address pool. 
2. A non-default (also called Customer VPC)

A non-default (also called Customer VPC) is not automatically created when EC2 resources are provisioned and the customer needs to create their own VPC.

  • Non-default VPC needs to be manually configured by each customer and resources need to be provisioned.
      • Customers instance doesn’t receive a public IPv4 address by default, unless they specify otherwise during launch, or they modify the subnet’s public IPv4 address attribute.
  • Public IPv4 addresses are not assigned by default in a non-default VPC.

EC2-VPC:– AWS accounts that support EC2-VPC will have a default VPC created in each region with a default subnet created in each Availability Zone. The assigned CIDR block of the VPC will be 172.31.0.0/16.

A default VPC is a virtual network that is automatically created for a customer's AWS account the first time EC2 resources are provisioned.

  • Default VPC is automatically created by AWS system 
  • Default VPC is assigned when an instance is launched without allocating subnet. 
  • In a default VPC, access to the Internet is available by default: it has an internet gateway and public subnets with a corresponding route table.
  • Customers can immediately start launching Amazon EC2 instances into their default VPC.
  • An instance launched in a default subnet receives a public IPv4 address by default, unless the customer specifies otherwise during launch or modifies the subnet's public IPv4 address attribute.
  • Customers can also use services such as Elastic Load Balancing, Amazon RDS, and Amazon EMR in their default VPC.
  • A default VPC is suitable for getting started quickly, and for launching public instances such as a blog or simple website. 
  • Some of the features available in a default VPC are:
    • Option to change security group membership almost instantly 
    • Security group egress filtering 
    • Multiple IP addresses 
    • Multiple network interfaces without explicitly creating a VPC

Amazon VPC Features

Create multiple Virtual networks (VPC) inside Amazon cloud.

Divide the VPC's private IP address range into one or more public or private subnets to facilitate running applications and services in the VPC.

Manage inbound and outbound access to a subnet using route tables and network access control lists.

Bridge your Amazon VPC and your on-site IT infrastructure with AWS Site-to-Site VPN.

Expand your VPC by adding secondary IP ranges.

Connect a VPC with other VPCs and access resources in those VPCs via private IP addresses using VPC Peering.

Enable EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses.

Associate VPC Security Groups with instances on EC2-Classic.

Use Amazon VPC traffic mirroring to capture and mirror network traffic for Amazon EC2 instances.

Store data in Amazon S3 and set permissions such that the data can only be accessed from within your Amazon VPC.

Available AWS services include S3, DynamoDB, Kinesis Streams, Service Catalog, EC2 Systems Manager (SSM), Elastic Load Balancing (ELB) API, Amazon Elastic Compute Cloud (EC2) API, and Amazon SNS.

Allow a secure private connection between a VPC and your own data center using a secure VPN connection. The secured connection has three parts:

  • A VPN gateway in the VPC
  • The actual VPN connection
  • A customer gateway in the customer data center

Privately connect to clients own services or SaaS solutions powered by AWS PrivateLink.

Enable both IPv4 and IPv6 in your VPC.

Create an Amazon VPC on AWS’s scalable infrastructure and specify its private IP address range from any range you choose.

Create multiple subnets within each VPC. Each subnet, however, can be in only one availability zone. The subnet can be private (not publicly accessible) or public (publicly accessible). 

  • The private subnet generally does not have public IP addresses.
  • Customers can create Internet gateways to allow a subnet to be publicly accessible.
  • Add NAT gateways to allow a private subnet to access the internet.
  • Privately connect to AWS services without using an internet gateway, NAT or firewall proxy through a VPC Endpoint. 

Create Elastic IPs to attach to NAT gateways or other instances. Customers can assign multiple IP addresses and attach multiple elastic network interfaces to instances in their VPC.

Attach one or more Amazon Elastic IP addresses to any instance in your VPC so it can be reached directly from the internet.

Divide your VPC’s private IP address range into one or more public or private subnets to facilitate running applications and services in your VPC.

Connect your VPC with other VPCs and access resources in other VPCs via private IP addresses using VPC Peering.

Control inbound and outbound access to and from individual subnets using network access control lists.

Intercept and analyze ingress and egress traffic using a network and security appliance, including third-party offerings.

  • Use VPC Flow Logs to log information about network traffic going in and out of network interfaces in your VPC.

VPCs and subnets


VPC and subnet basics

A virtual private cloud (VPC) is a virtual network dedicated to a customer's AWS account. It is logically isolated from other virtual networks in the AWS Cloud. Customers can launch AWS resources, such as Amazon EC2 instances, into their VPC.

When creating a VPC, customers need to specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. This is the primary CIDR block for the customer's VPC.

Subnets

A subnet is a segment of a VPC’s IP address range where customers can place groups of isolated resources.

  • Each subnet must reside entirely within one Availability Zone and cannot span zones. 
  • When customers create a subnet, they specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.
  • Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that customers create is automatically associated with the main route table for the VPC.
  • Customers use a public subnet for resources that must be connected to the internet.
  • A public subnet is a subnet that’s associated with a route table that has a route to an Internet gateway.
  • Public subnets are subnets that have: 
    • “Auto-assign public IPv4 address” set to “Yes”. 
    • The subnet route table has an attached Internet Gateway.
    • A custom route table associated with the public subnet.
      • It enables instances in the subnet to communicate directly with the Internet over IPv4.
  • A private subnet is a subnet that does not have a route to the internet gateway.
    • Instances with private IPv4 addresses in the subnet range can communicate with each other and with other instances in the VPC.
    • Instances in the private subnet are back-end servers; they do not need to accept incoming traffic from the Internet and therefore do not have public IP addresses. However, they can send requests to the Internet through the NAT gateway.
    • The main route table is associated with the private subnet.
      • It enables instances in the subnet to communicate with the Internet through the NAT gateway over IPv4.
  • If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.
  • AWS provides two features that customers can use to increase security in their VPC: security groups and network ACLs. 
    • Security groups control inbound and outbound traffic for customers instances.
    • Network ACLs control inbound and outbound traffic for customers subnets.
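To make the CIDR rules above concrete, here is an added Python check (not code from these notes or from any AWS tool) that validates a constructed subnet plan against a VPC CIDR: each subnet must be a subset of the VPC block, and subnets must not overlap. It also counts usable addresses by subtracting the five addresses AWS reserves in every subnet and applies the /16 to /28 size limit, two AWS facts the notes do not mention; all subnet names and ranges are constructed samples.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast). Known AWS behaviour,
# not something the notes above spell out.
AWS_RESERVED_PER_SUBNET = 5


def validate_subnet_plan(vpc_cidr, subnets):
    """Validate a VPC/subnet layout against the rules described above.

    vpc_cidr: the VPC's primary IPv4 CIDR block, e.g. "10.0.0.0/16".
    subnets:  list of {"name": ..., "cidr": ...} dicts (constructed input).

    Returns (errors, usable) where errors is a list of human-readable problems
    and usable maps subnet name -> number of addresses left for instances.
    """
    errors = []
    usable = {}
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)

    # VPC and subnet CIDR blocks must be between /16 and /28 (AWS limit).
    if not 16 <= vpc.prefixlen <= 28:
        errors.append(f"VPC {vpc}: prefix length must be between /16 and /28")

    parsed = []
    for s in subnets:
        try:
            net = ipaddress.ip_network(s["cidr"], strict=True)
        except ValueError as exc:
            errors.append(f"{s['name']}: invalid CIDR {s['cidr']!r} ({exc})")
            continue
        if not 16 <= net.prefixlen <= 28:
            errors.append(f"{s['name']}: {net} prefix length must be between /16 and /28")
        # A subnet CIDR must be a subset of the VPC's CIDR block.
        if not net.subnet_of(vpc):
            errors.append(f"{s['name']}: {net} is not inside VPC {vpc}")
        parsed.append((s["name"], net))
        usable[s["name"]] = net.num_addresses - AWS_RESERVED_PER_SUBNET

    # Subnet CIDRs within one VPC must not overlap one another.
    for i, (a_name, a_net) in enumerate(parsed):
        for b_name, b_net in parsed[i + 1:]:
            if a_net.overlaps(b_net):
                errors.append(f"{a_name} ({a_net}) overlaps {b_name} ({b_net})")
    return errors, usable


if __name__ == "__main__":
    # Constructed plan: two good subnets, one outside the VPC, one overlapping.
    plan = [
        {"name": "public-a", "cidr": "10.0.0.0/24"},
        {"name": "private-a", "cidr": "10.0.1.0/24"},
        {"name": "outside", "cidr": "10.1.0.0/24"},
        {"name": "overlap", "cidr": "10.0.1.128/25"},
    ]
    errs, counts = validate_subnet_plan("10.0.0.0/16", plan)
    print("usable addresses:", counts)
    for e in errs:
        print("ERROR:", e)
```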
The diagram shows a VPC that has been configured with subnets in multiple Availability Zones. 1A, 2A, and 3A are instances in the VPC.

IP Address


Public IP address:- A public IP address is the address assigned to a computing device to allow direct access over the Internet. A web server, an email server, and any server device directly accessible from the Internet are candidates for a public IP address. A public IP address is globally unique and can only be assigned to a single device.

Private IP Address:- A private IP address is address space allocated by InterNIC to allow organizations to create their own private networks. Class A, Class B, and Class C each contain one IP block reserved for private use. The computers, tablets, and smartphones sitting behind a client's home router, and the personal computers within an organization, are usually assigned private IP addresses.

ELASTIC IP ADDRESS


An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. Elastic IP addresses are used by AWS to manage its dynamic cloud computing services. Within the AWS infrastructure, customers can create virtual private clouds (EC2-VPCs). Inside the VPCs, they have instances. Thus, customers can associate an Elastic IP address with any instance or network interface for any VPC in their account.

An Elastic IP address combines a public IP address with a static IP address. It allows clients to continue using AWS instances within their AWS network infrastructure.

  • A dynamic IP address is the most common for average customers. This means that the IP address changes frequently, which provides customers and ISPs cost savings.
  • Static IP addresses are IPs which do not change. They are common for business and cloud computing, which is why AWS includes this within the Elastic IP framework.
  • Customers are limited to five Elastic IP addresses.
  • An Elastic IP address is accessed through the Internet gateway of a VPC.
  • An Elastic IP address is a property of network interfaces. Thus, customers can associate an Elastic IP address with an instance by updating the network interface attached to the instance.
  • There are differences between an Elastic IP address that customers use in a VPC and one that they use in EC2-Classic:
    • In EC2-Classic, an Elastic IP is disassociated from the instance when the customer stops it.
    • In a VPC, an Elastic IP remains associated with the instance when the customer stops it.

ELASTIC NETWORK INTERFACES


An Elastic Network Interface (ENI) is a virtual interface that can be attached to an instance in a Virtual Private Cloud (VPC). It is referred to as a network interface: a logical networking component in a VPC that represents a virtual network card.

  • ENI virtual network closely resembles a traditional network that customers would operate in their own data center, with the benefits of using the scalable infrastructure of AWS.
  • ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses.
  • An ENI can have many attributes, such as a primary private IPv4 address, a MAC address, one or more security groups, one or more IPv6 addresses, and more.
    • These attributes will move with ENI when an ENI is attached to an instance; when this ENI is detached from an instance, these attributes will be removed.
  • By default, every instance in a VPC has one network interface attached. This ENI is known as the primary network interface (eth0) and is assigned a private IPv4 address from the IPv4 address range of the VPC.
    • This primary ENI cannot be detached from an instance. Customers can, however, create and attach many additional ENIs to their instances inside a VPC.
  • An ENI can be created independently of a particular instance and persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, its IP address can be preserved by attaching the ENI to a replacement instance.
  • ENIs allow customers to create a management network, use network and security appliances in their Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.

NETWORK ACCESS CONTROL LISTS (ACLS)


A network access control list (ACL) is an optional layer of security for a customer's VPC that acts as a firewall for controlling traffic in and out of one or more subnets. In other words, network ACLs are traffic filters that control incoming and outgoing traffic.

  • A VPC automatically comes with a modifiable default network ACL, which allows all inbound and outbound traffic.
  • To filter inbound and outbound traffic differently, clients create a custom network ACL and associate it with a subnet. Each subnet in the VPC must be associated with a network ACL; if a subnet is not explicitly associated with one, it is automatically associated with the default network ACL.
  • A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • ACLs work on a set of rules that define how to forward or block a packet at the router's interface.
  • A network ACL behaves like a stateless firewall: it restricts, blocks, or allows individual packets flowing from source to destination without tracking connections.
  • The main idea behind using an ACL is to provide security to the customer's network. Without it, any traffic is allowed to enter or exit, making the network more vulnerable to unwanted and dangerous traffic.
  • ACLs are configured directly in a device's forwarding hardware, so they do not compromise end performance.
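As an added illustration (not code from these notes or from AWS), the following Python model evaluates a constructed network ACL the way the list above describes: rules are checked in ascending number order, the first match wins, and anything unmatched hits the implicit deny. Because the ACL is stateless, the model checks a request and its response as two independent packets, which shows why an outbound rule for the ephemeral port range is needed for replies to get out. The rule numbers, ranges and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; AWS evaluates lower numbers first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int   # destination port range (ignored for icmp/all)
    port_to: int
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, peer_ip, dst_port):
    """Decide one packet: first matching rule in ascending number order wins.
    If no numbered rule matches, the ACL's final '*' entry denies the packet."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not rule.port_from <= dst_port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def flow_permitted(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check of one TCP request/response pair.

    The request is an inbound packet (source client_ip, destination port
    server_port). The reply is a separate outbound packet whose destination
    is client_ip and whose destination port is the client's ephemeral port.
    A network ACL keeps no connection state, so both must match an allow rule.
    Returns (permitted, request_verdict, response_verdict).
    """
    req = evaluate(inbound, "tcp", client_ip, server_port)
    resp = evaluate(outbound, "tcp", client_ip, client_port)
    return req == "allow" and resp == "allow", req, resp


# Constructed sample ACL for a subnet hosting an HTTPS service.
INBOUND = [
    NaclRule(90, "tcp", "198.51.100.0/24", 443, 443, "deny"),   # block one range first
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # then allow HTTPS from anywhere
    NaclRule(120, "tcp", "203.0.113.0/24", 443, 443, "deny"),   # never reached: 100 already matched
]
# Correct outbound set: replies go to the client's ephemeral port.
OUTBOUND_OK = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
# Common mistake: mirroring the inbound rule, which only allows replies to port 443.
OUTBOUND_BROKEN = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]

if __name__ == "__main__":
    print(flow_permitted(INBOUND, OUTBOUND_OK, "203.0.113.10", 51515, 443))      # (True, 'allow', 'allow')
    print(flow_permitted(INBOUND, OUTBOUND_OK, "198.51.100.7", 51515, 443))      # (False, 'deny', 'allow')
    print(flow_permitted(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 51515, 443))  # (False, 'allow', 'deny')
```

Rule 120 is shadowed by rule 100 and never fires, a misconfiguration that is easy to miss when reading the rules out of numeric order.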

VPC PEERING


PostgreSQL is an advanced, enterprise class open source relational database that supports both SQL (relational) and JSON (non-relational) querying. It is a highly stable database management system, backed by more than 20 years of community development which has contributed to its high levels of resilience, integrity, and correctness. PostgreSQL is used as the primary data store or data warehouse for many web, mobile, geospatial, and analytics applications.

With Amazon RDS, AWS clients can deploy scalable PostgreSQL deployments in minutes with cost-efficient and resizable hardware capacity. Amazon RDS manages complex and time-consuming administrative tasks such as PostgreSQL software installation and upgrades; storage management; replication for high availability and read throughput; and backups for disaster recovery. Amazon RDS for PostgreSQL gives customers access to the capabilities of the familiar PostgreSQL database engine. 

  • PostgreSQL possesses Multi-Version Concurrency Control (MVCC), point in time recovery, granular access controls, tablespaces, asynchronous replication, nested transactions, online/hot backups, a refined query planner/optimizer, and write ahead logging.
  • PostgreSQL’s write ahead logging makes it a highly fault tolerant database. Its large base of open source contributors lends it a built-in community support network. PostgreSQL is ACID compliant, and has full support for foreign keys, joins, views, triggers, and stored procedures, in many different languages.
  • PostgreSQL source code is available under an open source license, granting customers the freedom to use, modify, and implement it as they see fit, at no charge. PostgreSQL carries no licensing cost, which eliminates the risk of over-deployment.

Route Tables

A route table contains a set of rules, called routes, that determine where network traffic from a subnet or gateway is directed. A VPC has an implicit router, and customers use route tables to control where network traffic is directed.

  • Each subnet in their VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). 
  • Customers can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table. 
  • A subnet can only be associated with one route table at a time, but multiple subnets can be associated with the same route table.
  • When customers create a VPC, it automatically has a main route table. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. 
  • By default, when customers create a non-default VPC, the main route table contains only a local route.
  • Customers can add, remove, and modify routes in the main route table. However, they cannot create a route more specific than the local route. They cannot delete the main route table, but it can be replaced by a custom subnet route table.
  • Customers can associate a route table with an internet gateway or a virtual private gateway. When a route table is associated with a gateway, it’s referred to as a gateway route table.
  • Each subnet in customers VPC must be associated with a route table. A subnet can be explicitly associated with custom route table, or implicitly or explicitly associated with the main route table. 
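The route-table rules above (the local route, most-specific-route selection, the ban on routes more specific than local, and the public/private/VPN-only subnet classification from the subnets section) are modelled in this added Python example, which is neither AWS code nor the notes' own. Gateway ids are constructed placeholders, and the prefix list stands in for an AWS managed prefix list such as the one a gateway endpoint for S3 uses, with made-up CIDRs rather than real S3 ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # a CIDR ("10.0.0.0/16", "0.0.0.0/0") or a prefix-list id ("pl-...")
    target: str       # "local", or a gateway id such as "igw-...", "nat-...", "vgw-...", "vpce-..."


class RouteTable:
    """Model of one VPC route table with the behaviour the notes describe."""

    def __init__(self, vpc_cidr, prefix_lists=None):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        # Constructed stand-in for AWS managed prefix lists: id -> list of CIDRs.
        self.prefix_lists = prefix_lists or {}
        # Every route table is created with the local route for the VPC CIDR.
        self.routes = [Route(vpc_cidr, "local")]

    def _expand(self, destination):
        if destination.startswith("pl-"):
            if destination not in self.prefix_lists:
                raise ValueError(f"unknown prefix list {destination}")
            return [ipaddress.ip_network(c) for c in self.prefix_lists[destination]]
        return [ipaddress.ip_network(destination)]

    def add_route(self, destination, target):
        for net in self._expand(destination):
            # A route more specific than the local route is rejected, so traffic
            # inside the VPC CIDR can never be redirected by a custom route.
            if net.subnet_of(self.vpc) and net.prefixlen > self.vpc.prefixlen:
                raise ValueError(f"{net} is more specific than local route {self.vpc}")
        if any(r.destination == destination for r in self.routes):
            raise ValueError(f"route for {destination} already exists")
        self.routes.append(Route(destination, target))

    def lookup(self, dst_ip):
        """Longest-prefix match: the most specific matching route wins, so a
        prefix-list route to a gateway endpoint beats the 0.0.0.0/0 NAT route."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for route in self.routes:
            for net in self._expand(route.destination):
                if addr in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, route.target)
        return best[1] if best else None  # None: no route, the packet is dropped

    def subnet_kind(self):
        """Classify a subnet by its route table, as the notes define it."""
        targets = [r.target.split("-")[0] for r in self.routes]
        if "igw" in targets:
            return "public"
        if "nat" in targets:
            return "private"
        if "vgw" in targets:
            return "vpn-only"
        return "isolated"


if __name__ == "__main__":
    # Constructed prefix list standing in for the S3 managed prefix list.
    prefix_lists = {"pl-s3-constructed": ["203.0.113.0/24", "198.51.100.0/25"]}
    private = RouteTable("10.0.0.0/16", prefix_lists)
    private.add_route("0.0.0.0/0", "nat-constructed")
    private.add_route("pl-s3-constructed", "vpce-constructed")
    for ip in ("10.0.3.9", "203.0.113.45", "192.0.2.1"):
        print(ip, "->", private.lookup(ip))
    print("subnet kind:", private.subnet_kind())
```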

Internet Gateway 

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a customer's VPC and the internet.

  • An internet gateway serves two purposes: 
    • To provide a target in your VPC route tables for internet-routable traffic, and 
    • To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
  • It provides a target in customers Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
  • When an instance receives traffic from the Internet, the Internet Gateway translates the destination address (public IP address) to the instance’s private IP address and forwards the traffic to the Amazon VPC.
  • An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with customers instances.
  • An egress-only Internet gateway is stateful: it forwards traffic from the instances in the subnet to the Internet or other AWS services, and then sends the response back to the instances. 
  • An egress-only Internet gateway has the following characteristics: 
    • Customers cannot associate a security group with an egress-only Internet gateway. 
    • Customers can use security groups for their instances in the private subnet to control the traffic to and from those instances.
    • Customers can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.
  • To use an internet gateway, customers subnet’s route table must contain a route that directs internet-bound traffic to the internet gateway.
  • To enable communication over the internet for IPv4, customers instance must have a public IPv4 address or an Elastic IP address that’s associated with a private IPv4 address on their instance.
  • To enable communication over the internet for IPv6, customers VPC and subnet must have an associated IPv6 CIDR block, and their instance must be assigned an IPv6 address from the range of the subnet.
VPC Endpoint

An endpoint is a network component that connects EC2 instances in a VPC to certain AWS services without requiring public IP addresses. With a VPC endpoint, instances don’t need a NAT device, VPN connection, internet gateway, or AWS Direct Connect to communicate with supported services — they can communicate solely within AWS. There are two types of VPC endpoints: 

  1. Interface endpoints:– An interface endpoint is an elastic network interface with a private IP address in a subnet that connects VPC resources to a number of AWS services, such as CloudFormation, Elastic Load Balancers (ELBs), SNS, and more.
    • An interface VPC endpoint (interface endpoint) enables customers to connect to services powered by AWS PrivateLink. These services include some AWS services, services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
    • Traffic from VPC resources to the endpoint network interface is controlled by security group rules. AWS PrivateLink then enables the endpoint to connect the traffic to other services without going over the internet.
    • AWS charges usage and data processing rates for PrivateLink.

2. Gateway endpoints:– A gateway endpoint is a target for a route in a route table to connect VPC resources to S3 or DynamoDB. Traffic is then routed from instances in a subnet to one of these two services.

  • A VPC may have multiple gateway endpoints to different services in a route table or multiple gateway endpoints to the same service in different route tables.
  • Gateway endpoints do not use PrivateLink. 
  • AWS doesn’t charge extra for using gateway endpoints, unlike interface endpoints.

Dynamic Host Configuration Protocol (DHCP)


Dynamic Host Configuration Protocol (DHCP) is an application layer protocol used to provide hosts with configuration such as the subnet mask, router address, DNS address, and vendor class identifier.

  • The key word in DHCP is "dynamic": instead of having one fixed, specific IP address, most computers are assigned an available address from a subnet or "pool" assigned to the network.
  • The application layer is present at the top of the OSI model. It is the layer through which customers interact. It provides services to the customers.
      • The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a computing system without regard to its underlying internal structure and technology.
  • DHCP provides a standard for passing configuration information to hosts on a TCP/IP network. 
  • DHCP is based on a client-server model and based on discovery, offer, and request.
  • A DHCP server is one computer on the network that has a number of IP addresses at its disposal to assign to the computers/hosts on that network.
  • AWS automatically creates and associates a DHCP option set for customers’ Amazon VPC upon creation.
  • DHCP provides IP addresses that “expire” in a certain time. When DHCP assigns an IP address, it actually leases that connection identifier to the user’s computer for a specific amount of time. The default lease is usually five days.
  • AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances that need to communicate over the Amazon VPC’s IGW.
  • The options field of a DHCP message contains the configuration parameters. Some of those parameters are:
    • Domain name servers:– The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
    • Domain name:– The desired domain name (defaults to the domain name for your region).
    • NetBIOS name servers:– The IP addresses of up to four NetBIOS name servers, separated by commas.
Domain Name System (DNS)

The Domain Name System (DNS) is a distributed directory that resolves human-readable hostnames, such as www.example.com, into machine-readable IP addresses like 10.06.57.203.

  • A DNS hostname is a unique, absolute name for a computer.
  • A DNS hostname is composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
  • DNS is also a directory of crucial information about domain names, such as email servers (MX records) and sending verification (DKIM, SPF, DMARC), TXT record verification of domain ownership, and even SSH fingerprints (SSHFP).
  • During the launch of customers instance into a default VPC, AWS provides the instance with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance. However, when they launch an instance into a non-default VPC, AWS provides the instance with a private DNS hostname.
  • Amazon-provided private (internal) DNS hostname resolves to the private IPv4 address of the instance.

In Summary

DHCP is at the heart of assigning everyone their IP address. The key word here in DHCP is protocol—the guiding rules and process for Internet connections for everyone, everywhere. DHCP is consistent, accurate, and works the same for every computer. Remember that without an IP address, users would not be able to receive the information they requested. In other words, the IP address tells the Internet to send the information the user requested (web page, email, data, etc.) right to the computer that requested it.

Network Address Translation (NAT)

Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts.

  • NAT allows multiple devices to access the Internet through a single public address.
  • The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.
  • A NAT device enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with the instances. A NAT device forwards traffic from the instances in the private subnet to the internet and sends the response back to the instances.
    • NAT devices are not supported for IPv6 traffic; use an egress-only Internet gateway instead.
    • AWS offers two kinds of NAT devices—a NAT gateway or a NAT instance.
Network Address Translation Gateway

Network Address Translation (NAT) Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an AWS Virtual Private Cloud (VPC). 

  • Customers can use a NAT gateway to enable instances in a private subnet to connect to the internet or other AWS services.
  • NAT gateways are not supported for IPv6 traffic—use an egress-only internet gateway instead.
  • Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
  • A NAT gateway supports the TCP, UDP, and ICMP protocols, and 5 Gbps of bandwidth, which automatically scales up to 45 Gbps.
  • Security group can’t be associated with a NAT gateway. However, clients can associate security groups with their resources behind the NAT gateway to control inbound and outbound traffic.
  • Customers can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located.
  • When a NAT gateway is created, it receives a network interface that’s automatically assigned a private IP address from the IP address range of customers subnet. 
  • A NAT gateway can support up to 55,000 simultaneous connections to each unique destination.
  • To avoid data processing charges for NAT gateways when accessing Amazon S3 and DynamoDB that are in the same Region, set up a gateway endpoint and route the traffic through the gateway endpoint instead of the NAT gateway.
AWS Direct Connect

AWS Direct Connect is a network service that provides an alternative to using the Internet to connect a customer's on-premises sites to AWS. Data is transmitted through a private network connection between AWS and a customer's datacenter or corporate network. Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs). Public VIFs allow access to public services such as S3, EC2, and DynamoDB. In addition:

  • Using AWS Direct Connect, customers can establish private connectivity between AWS and their datacenter, office, or colocation environment, which in many cases can reduce their network costs, increase bandwidth throughput, increase reliability, and decrease latency.
  • AWS Direct Connect lets customers establish a dedicated network connection between their network and one of the AWS Direct Connect locations.
  • AWS Direct Connect makes it easy to scale a customer's connection to meet their needs.
  • With AWS Direct Connect, customers can transfer their business-critical data directly from their datacenter, office, or colocation environment into and out of AWS, bypassing their Internet service provider and removing network congestion.
  • With AWS Direct Connect, customers control how their data is routed, which can provide a more consistent network experience over Internet-based connections.
  • AWS Direct Connect can help customers build hybrid environments that satisfy regulatory requirements requiring the use of private connectivity.
Network Address Translation Instance

A Network Address Translation (NAT) instance is an EC2 instance that lives in the client's public subnet. It gives instances in private subnets outbound connectivity to the Internet while blocking connections initiated from the Internet to those instances.

NAT instances are managed by the customer and are used to let instances in private subnets access the Internet. When creating a NAT instance, always disable the source/destination check on the instance; otherwise EC2 drops packets that the instance neither originates nor is the destination of, which is exactly the traffic a NAT instance has to forward. 

  • It must be in a single public subnet (a subnet whose route table sends 0.0.0.0/0 to an Internet gateway). 
  • It must be assigned to security groups.
  • Failover between NAT instances is the customer's job; use a script to manage it, because there is no built-in redundancy.
  • Installing software updates and operating system patches on the instance, and any other necessary maintenance, must be managed by the customer.
  • Associate a security group with the NAT instance and with the resources behind it to control inbound and outbound traffic. Inbound rules on the NAT instance should only admit the private subnets it serves.
  • Use a network ACL to control the traffic to and from the subnet in which the NAT instance resides.
  • Optionally assign a specific private IP address from the subnet's IP address range when launching the instance.
  • Use an Elastic IP address or a public IP address with the NAT instance. The public address can be changed at any time by associating a new Elastic IP address with the instance.
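The checks in the list above are easy to get wrong after the fact, for example when someone re-enables the source/destination check or widens the security group. The following audit script is an added example, not AWS code or part of the original page. It runs the checks over dictionaries that are constructed inline and shaped like the EC2 DescribeInstances, DescribeSecurityGroups and DescribeRouteTables responses (an assumption about the shape; in practice you would pass in boto3 output). All IDs and addresses are made up.

```python
"""Audit a NAT instance against the requirements above (added example, not AWS code).

The input dictionaries are constructed for the example and follow the shape of the
EC2 DescribeInstances / DescribeSecurityGroups / DescribeRouteTables responses.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC range

# Constructed sample: a NAT instance in a public subnet whose source/destination
# check is still enabled and whose security group opens SSH to the whole Internet.
INSTANCE = {
    "InstanceId": "i-0nat0example",
    "SubnetId": "subnet-pub",
    "SourceDestCheck": True,
    "SecurityGroups": [{"GroupId": "sg-nat"}],
    "PublicIpAddress": "203.0.113.10",
}

SECURITY_GROUPS = {
    "sg-nat": {
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]
    }
}

# The subnet's route table: a 0.0.0.0/0 route to an Internet gateway makes it public.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]


def subnet_is_public(subnet_id, route_tables):
    """A subnet is public if its route table sends 0.0.0.0/0 to an Internet gateway (igw-)."""
    for rt in route_tables:
        if any(assoc.get("SubnetId") == subnet_id for assoc in rt["Associations"]):
            return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                       and r.get("GatewayId", "").startswith("igw-")
                       for r in rt["Routes"])
    return False


def inbound_rules_outside_vpc(sg, vpc_cidr):
    """Return inbound rules whose source range is not contained in the VPC CIDR.

    A NAT instance only needs to accept connections from the private subnets it
    serves; any wider source is unnecessary exposure to the Internet.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not src.subnet_of(vpc):
                findings.append((perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), rng["CidrIp"]))
    return findings


def audit_nat_instance(instance, security_groups, route_tables, vpc_cidr):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if instance.get("SourceDestCheck", True):
        findings.append("source/destination check is enabled; EC2 will drop forwarded packets")
    if not subnet_is_public(instance["SubnetId"], route_tables):
        findings.append("instance is not in a public subnet (no 0.0.0.0/0 route to an igw-)")
    if not instance.get("PublicIpAddress"):
        findings.append("instance has no public or Elastic IP address")
    for sg_ref in instance["SecurityGroups"]:
        group_id = sg_ref["GroupId"]
        for proto, frm, to, cidr in inbound_rules_outside_vpc(security_groups[group_id], vpc_cidr):
            ports = "all ports" if frm is None else f"ports {frm}-{to}"
            findings.append(f"{group_id} allows inbound {proto} {ports} from {cidr}, outside {vpc_cidr}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_instance(INSTANCE, SECURITY_GROUPS, ROUTE_TABLES, VPC_CIDR):
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the enabled source/destination check and the SSH rule open to 0.0.0.0/0. Disabling the check and dropping that rule brings it to an empty list, which is the state a NAT instance should be in before anything routes through it.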
Transit gateway

A transit gateway is a network transit hub that AWS customers use to interconnect their virtual private clouds (VPCs) and on-premises networks. Its main concepts are:

  • Attachment — A VPC, an AWS Direct Connect gateway, a peering connection with another transit gateway, or a VPN connection can be attached to a transit gateway.
  • Transit gateway Maximum Transmission Unit (MTU) — The maximum transmission unit (MTU) of a network connection is the size, in bytes, of the largest permissible packet that can be passed over the connection. The larger the MTU of a connection, the more data can be passed in a single packet. A transit gateway supports an MTU of 8500 bytes for traffic between VPC, Direct Connect, and peering attachments. Traffic over VPN connections has an MTU of 1500 bytes.
  • Transit gateway route table — A transit gateway has a default route table and can optionally have additional route tables. A route table holds dynamic and static routes that decide the next hop based on the destination IP address of the packet. The target of a route is an attachment, such as a VPC or a VPN connection. By default, transit gateway attachments are associated with the default transit gateway route table.
  • Associations — Each attachment is associated with exactly one route table. Each route table can be associated with zero or more attachments.
  • Route propagation — A VPC or VPN attachment can dynamically propagate routes into a transit gateway route table. With a VPC attachment, the VPC's CIDR can be propagated into the transit gateway route table, but in the VPC's own subnet route tables you must still create static routes that send traffic to the transit gateway. With a VPN connection, routes are exchanged between the transit gateway and the on-premises router using Border Gateway Protocol (BGP). With a peering attachment nothing is propagated; a static route pointing at the peering attachment must be created in the transit gateway route table.
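The following model of a transit gateway route table is an added example, not AWS code or anything from the original page. It puts the concepts above together in working code: attachments, the one-to-one association of an attachment with a route table, static and propagated routes, and the longest-prefix-match lookup that selects the next-hop attachment. The tie-break (a static route beats a propagated route for the same prefix) follows the documented transit gateway route evaluation order; it is the one behaviour here that the page itself does not state. All attachment IDs and CIDR blocks are constructed.

```python
"""Model of a transit gateway route table (added example, not AWS code).

Attachment IDs and CIDRs are constructed for the example.
"""
import ipaddress


class TransitGatewayRouteTable:
    def __init__(self, name):
        self.name = name
        self.routes = []  # entries of (network, target attachment, "static" | "propagated")

    def add_static_route(self, cidr, attachment):
        self.routes.append((ipaddress.ip_network(cidr), attachment, "static"))

    def propagate(self, cidrs, attachment):
        """Routes learned from an attachment: a VPC's CIDR, or BGP prefixes from a VPN."""
        for cidr in cidrs:
            self.routes.append((ipaddress.ip_network(cidr), attachment, "propagated"))

    def lookup(self, dst_ip):
        """Most specific prefix wins; for equal prefixes a static route beats a propagated one."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for route in self.routes:
            net, _, origin = route
            if ip not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen or (
                net.prefixlen == best[0].prefixlen and origin == "static" and best[2] != "static"
            ):
                best = route
        return best


class TransitGateway:
    def __init__(self):
        self.tables = {}
        self.associations = {}  # attachment -> the single route table it is associated with

    def route_table(self, name):
        return self.tables.setdefault(name, TransitGatewayRouteTable(name))

    def associate(self, attachment, table_name):
        """An attachment can be associated with exactly one route table."""
        if attachment in self.associations:
            raise ValueError(f"{attachment} is already associated with {self.associations[attachment]}")
        if table_name not in self.tables:
            raise KeyError(table_name)
        self.associations[attachment] = table_name

    def forward(self, src_attachment, dst_ip):
        """Traffic arriving on an attachment is looked up in that attachment's associated table."""
        table = self.tables[self.associations[src_attachment]]
        match = table.lookup(dst_ip)
        return match[1] if match else None


def build_example():
    """Constructed topology: two VPCs, a VPN to on-premises, a peering to another Region."""
    tgw = TransitGateway()
    default = tgw.route_table("default")
    # VPC attachments propagate their CIDRs; the VPN propagates on-premises prefixes via BGP.
    default.propagate(["10.1.0.0/16"], "tgw-attach-vpc-a")
    default.propagate(["10.2.0.0/16"], "tgw-attach-vpc-b")
    default.propagate(["192.168.0.0/16"], "tgw-attach-vpn-onprem")
    # Peering attachments never propagate; a static route is required.
    default.add_static_route("10.100.0.0/16", "tgw-attach-peer-eu")
    # A more specific static route carves one on-premises subnet out of the VPN
    # prefix, e.g. to send it through an inspection VPC first.
    default.add_static_route("192.168.50.0/24", "tgw-attach-vpc-inspect")
    for attachment in ["tgw-attach-vpc-a", "tgw-attach-vpc-b", "tgw-attach-vpn-onprem",
                       "tgw-attach-peer-eu", "tgw-attach-vpc-inspect"]:
        tgw.associate(attachment, "default")
    return tgw


if __name__ == "__main__":
    tgw = build_example()
    for dst in ["10.2.3.4", "192.168.50.9", "192.168.7.7", "10.100.1.1", "172.16.0.1"]:
        print(dst, "->", tgw.forward("tgw-attach-vpc-a", dst))
```

The last destination, 172.16.0.1, matches no route and is dropped; a real transit gateway behaves the same way, which is why a missing propagation or static route shows up as silent packet loss rather than an error. Segmenting traffic (for example keeping two VPCs from talking to each other) is done with additional route tables and associations, not with the default table.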

Amazon VPC-to-Amazon VPC 

Amazon Virtual Private Cloud (Amazon VPC) enables customers to launch AWS resources into a virtual network that they have defined. This virtual network closely resembles a traditional network operated in the customer's own data center, with the benefits of using the scalable infrastructure of AWS.

Amazon VPC provides multiple network connectivity options, which customers choose between depending on their existing network designs and requirements. These options use either the Internet or an AWS Direct Connect connection as the network backbone and terminate the connection on AWS-managed or user-managed network endpoints. Customers can also choose how routing is delivered between Amazon VPC and their networks, using either AWS services or user-managed network equipment and routes.

Customers often create multiple VPCs because of security, billing, presence in multiple Regions, or internal charge-back requirements. The Amazon VPC-to-Amazon VPC connectivity options make it easier to integrate AWS resources across those VPCs. Customers can combine these patterns with the Network-to-Amazon VPC connectivity options to create a corporate network that spans remote networks and multiple VPCs.

AWS PrivateLink

AWS PrivateLink simplifies the security of data shared with cloud-based applications by keeping that data off the public Internet. It provides private connectivity between VPCs, AWS services, and on-premises applications over the Amazon network, and makes it easy to connect services across different accounts and VPCs, which significantly simplifies the network architecture.

  • Connect customer VPCs to services in AWS in a secure and scalable manner with AWS PrivateLink. AWS PrivateLink traffic does not traverse the Internet, which reduces exposure to threats such as brute-force and distributed denial-of-service attacks.
  • Connect services across different accounts and VPCs within the customer's own organization without firewall rules, path definitions, or route table changes on the consuming side. Access to an interface endpoint is still governed by the endpoint's security group and its endpoint policy, so both should be scoped to the consumers that actually need the service.
  • Easily migrate traditional on-premises applications to SaaS offerings hosted in the cloud with AWS PrivateLink.
  • Keeping personally identifiable information (PII) off the Internet helps maintain compliance with regulations such as HIPAA or PCI DSS. 
  • Customers can create their own AWS PrivateLink-powered service (endpoint service) and let other AWS customers access it. 
  • AWS PrivateLink is integrated with AWS Marketplace, which provides an easy lookup of the services available over AWS PrivateLink.
VPC peering

A VPC peering connection is a networking connection between two VPCs that lets customers route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network.

  • AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and it does not rely on a separate piece of physical hardware. 
  • There is no single point of failure for communication and no bandwidth bottleneck.
  • A VPC peering connection facilitates the transfer of data between the two VPCs.
  • It can also be used to let other VPCs access resources that the customer hosts in one of their VPCs.
  • The CIDR blocks of the two VPCs must not overlap, and peering is not transitive: if VPC A peers with VPC B and VPC B peers with VPC C, VPC A cannot reach VPC C through B. Each pair that needs to communicate requires its own peering connection, and each side needs a route to the other's CIDR that targets the peering connection.
  • Customers can establish peering relationships between VPCs across different AWS Regions (also called Inter-Region VPC Peering).
    • Inter-Region VPC Peering allows VPC resources, including EC2 instances, Amazon RDS databases, and Lambda functions that run in different AWS Regions, to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances.
    • It also provides a simple and cost-effective way to share resources between Regions or replicate data for geographic redundancy.
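The two rules that most often break a peering design, overlapping CIDR blocks and the expectation that peering is transitive, can both be checked before anything is created. The script below is an added example, not AWS code or part of the original page: it validates a set of proposed peering connections and derives the route entries each VPC's route tables need. VPC IDs, CIDR blocks and pcx- identifiers are constructed.

```python
"""Validate VPC peering connections and derive the routes each VPC needs
(added example, not AWS code; all IDs and CIDRs are constructed).

Two rules drive it: the CIDR blocks of peered VPCs must not overlap, and
peering is not transitive, so a VPC only gets a route to the CIDR of a VPC
it is directly peered with.
"""
import ipaddress

# Constructed sample topology. vpc-c's range sits inside vpc-b's, so the
# vpc-b <-> vpc-c peering is invalid; vpc-a can still peer with both, and its
# route table resolves the two destinations by longest prefix match.
VPCS = {
    "vpc-a": "10.1.0.0/16",
    "vpc-b": "10.2.0.0/16",
    "vpc-c": "10.2.128.0/17",
}

PEERINGS = [
    ("pcx-ab", "vpc-a", "vpc-b"),
    ("pcx-bc", "vpc-b", "vpc-c"),
    ("pcx-ac", "vpc-a", "vpc-c"),
]


def validate_peering(vpcs, pcx_id, requester, accepter):
    """Return a reason string if the peering cannot be activated, otherwise None."""
    if requester == accepter:
        return f"{pcx_id}: a VPC cannot peer with itself"
    a = ipaddress.ip_network(vpcs[requester])
    b = ipaddress.ip_network(vpcs[accepter])
    if a.overlaps(b):
        return f"{pcx_id}: {requester} {a} overlaps {accepter} {b}"
    return None


def routes_for(vpcs, peerings):
    """For each VPC, the (destination CIDR, target pcx-) entries its route tables need.

    Both sides of a peering need a route, otherwise traffic flows one way only.
    Invalid peerings contribute no routes.
    """
    routes = {vpc_id: [] for vpc_id in vpcs}
    for pcx_id, req, acc in peerings:
        if validate_peering(vpcs, pcx_id, req, acc) is not None:
            continue
        routes[req].append((vpcs[acc], pcx_id))
        routes[acc].append((vpcs[req], pcx_id))
    return routes


def can_reach(vpcs, peerings, src, dst):
    """Reachability over peering alone: only a direct, valid peering counts (no transit)."""
    return any(cidr == vpcs[dst] for cidr, _ in routes_for(vpcs, peerings)[src])


if __name__ == "__main__":
    for pcx_id, req, acc in PEERINGS:
        problem = validate_peering(VPCS, pcx_id, req, acc)
        print(pcx_id, "invalid:" if problem else "ok", problem or "")
    for vpc_id, entries in routes_for(VPCS, PEERINGS).items():
        for cidr, pcx_id in entries:
            print(f"{vpc_id}: {cidr} -> {pcx_id}")
    print("vpc-b reaches vpc-c?", can_reach(VPCS, PEERINGS, "vpc-b", "vpc-c"))
```

In the sample, vpc-b cannot reach vpc-c at all: its own peering with vpc-c is rejected for overlap, and the working peerings through vpc-a do not help because peering does not forward traffic on behalf of a third VPC. If that hub-and-spoke pattern is what is wanted, it is a transit gateway design, not a peering design.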

Virtual Private Network (VPN)

A virtual private network (VPN) is an encrypted connection over the Internet from a device or network to another network. The encrypted connection helps ensure that sensitive data is transmitted safely: it prevents unauthorized parties from eavesdropping on the traffic and allows users to work remotely. VPN technology is widely used in corporate environments.

  • A VPN connection can be configured between the customer's Amazon VPC and their data center, effectively extending the data center to the cloud while still providing direct access to the Internet for public subnet instances in the Amazon VPC.
  • Traffic on the virtual network is sent through an established, encrypted connection across the Internet known as a tunnel. VPN traffic from a device such as a computer, tablet, or smartphone is encrypted as it travels through this tunnel. 
  • Clients can create an IPsec VPN connection between their VPC and their remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover.
    • Site-to-site VPNs are used when distance makes direct network connections impractical.
    • A virtual private gateway (VGW) is the VPN concentrator on the AWS side of the VPN connection between the two networks. 
    • A customer gateway (CGW) represents a physical device or a software application on the customer's side of the VPN connection.
  • AWS Client VPN is a managed client-based VPN service that lets users securely access resources in AWS and in their on-premises network from any location, using an OpenVPN-based VPN client.
  • Clients can also create a VPN connection to their remote network by running a third-party software VPN appliance on an Amazon EC2 instance in their VPC.
AWS Managed VPN

Amazon VPC provides the option of creating an IPsec VPN connection between remote customer networks and their Amazon VPC over the internet.

  • Reuse existing VPN equipment and processes
  • Reuse existing internet connections
  • AWS managed endpoint includes multi-data center redundancy and automated failover
  • Supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies

The Amazon virtual private gateway represents two distinct VPN endpoints, physically located in separate data centers, to increase the availability of the VPN connection.

AWS Client VPN is a managed client-based VPN service that enables customers to securely access AWS resources and resources in their on-premises network. Its main components are:

  • Client VPN endpoint — The Client VPN administrator creates and configures a Client VPN endpoint in AWS. The administrator controls which networks and resources users can access when they establish a VPN connection.
  • VPN client application — The software application that users run to connect to the Client VPN endpoint and establish a secure VPN connection.
  • Client VPN endpoint configuration file — A configuration file provided to users by the Client VPN administrator. The file includes information about the Client VPN endpoint and the certificates required to establish a VPN connection. Users load this file into their chosen VPN client application.
Site-to-Site VPN

A Site-to-Site VPN connection is either an AWS Classic VPN connection or an AWS VPN connection. By default, instances launched into an Amazon VPC cannot communicate with the customer's own (remote) network. To enable this, the customer creates an AWS Site-to-Site VPN connection and configures routing to pass traffic through the connection.

Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections. In this context, VPN connection refers to the connection between the customer's VPC and their own on-premises network. 

  • VPN connection: A secure connection between your on-premises equipment and your VPCs.

  • VPN tunnel: An encrypted link where data can pass from the customer network to or from AWS. Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability.

  • Customer gateway: An AWS resource which provides information to AWS about your customer gateway device.

  • Customer gateway device: A physical device or software application on your side of the Site-to-Site VPN connection.

  • Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.

  • Transit gateway: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
