AWS Virtual Private Cloud
Introduction
1 Overview
VPC Definition
AWS Cloud
⬥   the AWS Cloud is shared, multi-tenant infrastructure
     ⬦ WAN/LAN
     ⬦ Hardware (nodes, storage etc.)
⬥   VPC
     ⬦ a logically isolated private network inside the shared cloud
AWS Cloud
Diagram: inside the AWS Cloud, Customer A and Customer B each have their own VPC; regional services such as S3, SQS and DynamoDB live outside any VPC and are reached through their public service endpoints unless a VPC endpoint is configured (section 9).
AWS Cloud
Diagram: two Regions (Region 1, Region 2), each containing a VPC that spans Availability Zones A, B and C; subnets are created inside a single AZ.
⬥   Region = geographic area
⬥   AZ = datacenter (one or more physically separate data centers within the Region)
Manage resources
 ●      AWS Management Console: https://us-east-1.console.aws.amazon.com
 ●      AWS Command Line Interface (AWS CLI): https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
 ●      AWS Tools and SDKs: https://aws.amazon.com/tools/?nc1=h_ls
Pricing
In principle, there are no additional costs for the VPC itself:
VPCs, subnets, route tables, security groups, network ACLs
and internet gateways are free of charge. Check the pricing
separately for the services that are added on top of it:
 ⬥ Control / Monitoring (e.g. storage of flow logs in CloudWatch Logs or S3)
 ⬥ Connectivity / Data Transmission (e.g. NAT gateways, interface endpoints,
   VPN connections, Transit Gateway, data transfer between AZs and to the Internet)
 ⬥ Security (e.g. AWS Network Firewall)
2 Prerequisites
Prepare the AWS Account
Create an IAM User (use an IAM identity with the minimum permissions needed for the exercises rather than the account root user)
Assign IAM Permissions
AWS Command Line Interface (CLI)
3 Default VPC
Default VPC
⬥   every Region comes with one default VPC (172.31.0.0/16)
⬥   the default VPC has a default public subnet (a /20) in each AZ, an internet gateway
    and a main route table with a route 0.0.0.0/0 → igw
⬥   instances launched into a default subnet receive a public IPv4 address automatically
⬥   Purpose
     ⬦ fast launching of public components like e.g. a website, without any
       network setup
Helicopter View
Default VPC - Overview
Diagram: a VPC (drawn as 10.0.0.0/16; a real default VPC uses 172.31.0.0/16) with its DHCP option set and one Availability Zone containing a public subnet (10.0.0.0/24) with an EC2 instance. A NACL sits at the subnet boundary; the VPC router's route table forwards Internet-bound traffic to the internet gateway.
Overview of automatically created components
Limits of the Default VPC
⬥   little control over the networking settings
⬥   the primary CIDR block (172.31.0.0/16) and the subnet ranges are predefined and
    cannot be changed
⬥   no private subnet by default; every default subnet routes to the internet gateway
⬥   no easy replication of environments possible (there is only one default VPC per Region)
4 Non-Default VPC
Advantages of the Non-Default VPC
⬥   full control over the networking settings
⬥   VPC size and CIDR block size are adjustable
⬥   creation of a private subnet possible
⬥   easy replication of environments possible, e.g. dev, staging, prod,
    each in its own VPC with an identical layout
Classless Inter-Domain Routing (CIDR)
CIDR Blocks
A /n block contains 2^(32-n) addresses:
 CIDR   Subnet mask (binary)                   Subnet mask (decimal)   max. addresses
 /0     00000000.00000000.00000000.00000000    0.0.0.0                 4,294,967,296 (2^32)
 /1     10000000.00000000.00000000.00000000    128.0.0.0               2,147,483,648 (2^31)
 /16    11111111.11111111.00000000.00000000    255.255.0.0             65,536 (2^16)
 /32    11111111.11111111.11111111.11111111    255.255.255.255         1 (2^0)
Specify network size
CIDR Block range
⬥   min. size: /28 → 16 addresses
⬥   max. size: /16 → 65,536 addresses
Source: https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html
CIDR Rules
⬥    multiple CIDR blocks can be assigned to one VPC (one primary block plus secondary blocks)
⬥    the CIDR blocks of a VPC must not overlap each other
⬥    the size of an existing CIDR block cannot be changed; add a secondary block or
     recreate the VPC instead
⬥    choose a range that does not collide with networks you may later peer with or connect
     via VPN: overlapping ranges cannot be peered or routed
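The size limits and overlap rules above are easy to get wrong by hand. The following helper is an added example (not part of the slides) that applies them with the standard library only: it validates a VPC block against the /16 to /28 limits, refuses a secondary block that overlaps an existing one, carves equally sized subnets out of a block, and reports how many addresses a subnet really offers. The five addresses AWS reserves in every subnet (network address, VPC router, DNS, one reserved for future use, broadcast) are a documented AWS fact, not something the slides mention.

```python
"""Plan a VPC address space according to the AWS CIDR rules.

Added example: validates block sizes, rejects overlaps, carves subnets and
computes usable host counts. The five reserved addresses per subnet are an
AWS fact (network, router, DNS, reserved, broadcast), not from the slides.
"""
import ipaddress

AWS_MIN_PREFIX = 16   # largest VPC block:  /16 -> 65,536 addresses
AWS_MAX_PREFIX = 28   # smallest VPC block: /28 -> 16 addresses
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if it is a valid AWS VPC block, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: 10.0.0.1/16 is rejected
    if net.version != 4:
        raise ValueError("this helper only handles IPv4 VPC blocks")
    if not AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC blocks must be between /16 and /28")
    return net


def add_cidr_blocks(existing: list, new_cidr: str) -> list:
    """Append a secondary block to a VPC, refusing overlaps as AWS does."""
    new = validate_vpc_cidr(new_cidr)
    for block in existing:
        if block.overlaps(new):
            raise ValueError(f"{new} overlaps existing block {block}")
    return existing + [new]


def carve_subnets(vpc_cidr: str, subnet_prefix: int, count: int) -> list:
    """Carve `count` subnets of size /subnet_prefix out of the VPC block."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if subnet_prefix < vpc.prefixlen or subnet_prefix > AWS_MAX_PREFIX:
        raise ValueError("subnets must fit inside the VPC and be no smaller than /28")
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc} only holds {len(subnets)} /{subnet_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually receive, after AWS's reserved five."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    blocks = add_cidr_blocks([], "10.0.0.0/16")
    blocks = add_cidr_blocks(blocks, "10.1.0.0/16")        # disjoint: accepted
    print("VPC blocks:", [str(b) for b in blocks])
    print("subnets:", carve_subnets("10.0.0.0/16", 24, 2))  # the two /24s from the slides
    print("usable per /24:", usable_hosts("10.0.0.0/24"))
    for bad in ("10.0.0.0/8", "10.0.0.0/29", "10.0.128.0/17"):
        try:
            add_cidr_blocks(blocks, bad)
        except ValueError as err:
            print("rejected:", err)
```

The three rejected inputs in the demo correspond to the three rules on the slide: too large, too small, and overlapping an existing block.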
Create a Non-Default VPC
5 Subnets I - Public
Overview
Subnet types in a VPC:
             ●      Public subnet: public access (route to an internet gateway)
             ●      Private subnet: only private access (no direct route to the Internet)
             ●      VPN-only subnet: only VPN connections (route to a virtual private gateway)
IP addressing per subnet:
             ●      IPv4-only
             ●      IPv6-only
             ●      Dual-stack (IPv4 and IPv6)
Public IP Addresses
⬥ AWS provides a pool of public IPv4 addresses
⬥ an automatically assigned public IPv4 address is not bound to your AWS
  account: when the EC2 instance is stopped or terminated it is released to
  the pool again, and a restarted instance receives a different one
⬥ the subnet setting "auto-assign public IPv4 address" controls whether
  instances launched into the subnet get one; leave it disabled for subnets
  that are meant to be private
Elastic IP Addresses
⬥   an Elastic IP (EIP) is a static public IPv4 address allocated to your account
    from the AWS pool
⬥   it stays allocated until you release it, so it survives stopping or terminating
    the instance and can be remapped to another instance or network interface
    (e.g. for failover)
⬥   an EIP is associated with exactly one private IPv4 address of a network interface
    at a time; an instance with several private IPs can carry one EIP per private IP
⬥   if the EIP is no longer needed, release it back to the pool (unassociated EIPs
    incur a charge)
Create Public Subnets
Diagram: VPC 10.0.0.0/16 with two public subnets, prod-sub1 (10.0.0.0/24) and prod-sub2 (10.0.1.0/24), each located in an Availability Zone.
EC2 instances in the public subnet
Overview
Diagram: the same VPC (10.0.0.0/16); prod-ec2-1 is launched into prod-sub1 (10.0.0.0/24) and prod-ec2-2 into prod-sub2 (10.0.1.0/24).
Internet Gateway (IGW)
⬥   a horizontally scalable, redundant and highly available VPC component
⬥   carries traffic to and from the Internet for resources that have a public IPv4
    address (auto-assigned or Elastic IP); a resource without one cannot use it
⬥   imposes no availability risk or bandwidth limitation on the traffic
⬥   no additional costs
⬥   Purpose
      ⬦ target in a route table for traffic bound to the Internet (typically 0.0.0.0/0 → igw-…)
      ⬦ one-to-one Network Address Translation between an instance's private and public IP address
⬥   attaching an IGW alone exposes nothing: a resource is reachable from the Internet only if
    its subnet's route table points to the IGW, it has a public IP, and its security group and
    NACL allow the traffic
Internet Gateway
Diagram: an IGW is attached to the VPC (10.0.0.0/16) and connected to the VPC router; prod-ec2-1 sits in prod-sub1 (10.0.0.0/24) and prod-ec2-2 in prod-sub2 (10.0.1.0/24), both public subnets.
Route Tables
Diagram: as before, with a route table attached to the VPC router that decides how traffic from prod-sub1 (10.0.0.0/24) and prod-sub2 (10.0.1.0/24) is forwarded towards the IGW.
Route Tables
●     each VPC has an implicit router which is configured through route tables
●     a route table consists of routes (destination CIDR → target) that define where traffic
      leaving a subnet is sent; when several routes match, the most specific one (longest prefix) wins
Rules
●     each subnet is associated with exactly one route table: explicitly, or implicitly with the
      main route table
●     the same route table can be associated with multiple subnets
●     the main route table is created with the VPC and is used by every subnet without an
      explicit association, so a change there affects all of them
●     custom route tables allow per-subnet settings (e.g. public vs. private)
Example route that sends Internet-bound traffic to the internet gateway:
     Destination   Target
     0.0.0.0/0     igw-XYZ
Establish internet access
Overview
Diagram: VPC 10.0.0.0/16 with IGW, router and route table; prod-sub1 (10.0.0.0/24) with prod-ec2-1 and prod-sub2 (10.0.1.0/24) with prod-ec2-2 both use a route table with
     Destination   Target
     10.0.0.0/16   Local
     0.0.0.0/0     igw-XYZ
so both subnets are public.
6 Subnets II - Private
Overview
Diagram: starting point for this section, unchanged from the end of section 5: VPC 10.0.0.0/16 with IGW; prod-sub1 (10.0.0.0/24, prod-ec2-1) and prod-sub2 (10.0.1.0/24, prod-ec2-2) both public, each routing 10.0.0.0/16 → Local and 0.0.0.0/0 → igw-XYZ.
Private IP Addresses
⬥ are not routable from the Internet
⬥ used for communication between instances within the VPC (and with peered or
  VPN-connected networks)
⬥ if no private IP is specified when launching an EC2 instance, AWS assigns a free
  address from the subnet range; it stays with the instance until termination
⬥ multiple private IPs can be assigned to an instance (secondary IPs on its
  network interfaces)
Basics NAT Gateway
⬥   NAT = Network Address Translation: the source IP address of the instance is replaced by
    the IP address of the NAT gateway
⬥   for response traffic the NAT gateway translates its own IP back to the original source
    IP address (it keeps a connection table, so it is stateful)
⬥   the NAT gateway itself lives in a public subnet with a route to the IGW; the private
    subnets point their 0.0.0.0/0 route at the NAT gateway
⬥   for HA (High Availability) create a separate NAT GW in each AZ and route each AZ's private
    subnets to their own NAT GW; otherwise an outage of the NAT GW's AZ cuts Internet access
    for the other AZs as well, and the cross-AZ traffic costs extra
⬥   NAT gateways are charged per hour and per GB processed
⬥   Public NAT GW
       ⬦   allows outgoing connections + their replies for resources in a private subnet;
           connections cannot be initiated from the Internet towards the private instances
       ⬦   private IP addresses are translated to a public IP address (an Elastic IP assigned
           to the NAT GW)
⬥   Private NAT GW
       ⬦   for private connections to other VPCs or on-premises networks, e.g. when address
           ranges overlap
       ⬦   the private IP addresses of the instances are replaced by the private IP address of
           the NAT GW (no Elastic IP at the private NAT GW)
Create a NAT Gateway
Public vs. Private Subnet
Diagram: prod-sub2 has been made private. prod-sub1 (10.0.0.0/24, public, prod-ec2-1) keeps the route table 10.0.0.0/16 → Local, 0.0.0.0/0 → igw-XYZ; prod-sub2 (10.0.1.0/24, private, prod-ec2-2) uses a route table with only 10.0.0.0/16 → Local, so prod-ec2-2 can reach the other instances in the VPC but has no path to the Internet.
Public vs. Private Subnet
Diagram: a NAT gateway is placed in the public subnet prod-sub1, and prod-sub2's route table now reads 10.0.0.0/16 → Local, 0.0.0.0/0 → nat-gw. Outbound traffic from prod-ec2-2 goes to the NAT gateway, which forwards it to the Internet through the IGW with its own Elastic IP; connections initiated from the Internet still cannot reach prod-ec2-2.
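The two diagrams above (and the route table rules in section 5) describe what the VPC router does with a packet; the following added example (not code from the slides) makes that decision explicit. It models the three route tables shown, the public subnet's, the private subnet's before the NAT gateway exists, and the same table after 0.0.0.0/0 → nat-gw is added, performs the longest-prefix match AWS uses, and applies the IGW rule from section 5: an IGW route only carries traffic for an instance that owns a public IPv4 address. The route table contents and destination addresses are constructed; igw-XYZ and nat-gw are the placeholder names used on the slides.

```python
"""Resolve where traffic leaving a subnet goes, as the VPC router does.

Added example. Route tables are constructed from the slides' diagrams;
igw-XYZ and nat-gw are the slides' placeholder target IDs.
"""
import ipaddress

# (destination CIDR, target) pairs exactly as a route table lists them.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-XYZ")]
PRIVATE_RT_NO_NAT = [("10.0.0.0/16", "local")]
PRIVATE_RT_WITH_NAT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw")]


def lookup_route(route_table, dst_ip: str):
    """Return the target of the most specific route covering dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_path(route_table, dst_ip: str, has_public_ip: bool) -> str:
    """Classify the path an instance's packet takes.

    'local' -> stays inside the VPC (the router delivers it directly)
    'igw'   -> to the Internet with the instance's own public IP
    'nat'   -> to the Internet, source-NATed to the NAT gateway's Elastic IP
    'none'  -> dropped: no matching route, or an IGW route without a public IP
    """
    target = lookup_route(route_table, dst_ip)
    if target is None:
        return "none"
    if target == "local":
        return "local"
    if target.startswith("igw-"):
        # the IGW only translates for instances that own a public IPv4 address
        return "igw" if has_public_ip else "none"
    if target.startswith("nat-"):
        return "nat"
    return target


if __name__ == "__main__":
    cases = [
        ("prod-ec2-1 (public)", PUBLIC_RT, True),
        ("prod-ec2-2 (private, no NAT)", PRIVATE_RT_NO_NAT, False),
        ("prod-ec2-2 (private, NAT)", PRIVATE_RT_WITH_NAT, False),
    ]
    for name, table, public in cases:
        in_vpc = egress_path(table, "10.0.1.10", public)        # another instance in the VPC
        internet = egress_path(table, "203.0.113.7", public)    # TEST-NET address, constructed
        print(f"{name:30} -> 10.0.1.10: {in_vpc:5}  -> Internet: {internet}")
```

Note the second case: an instance in a public subnet that was launched without a public IP ends up in the same situation as the private instance, which is why "public subnet" and "publicly reachable instance" are not the same thing.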
Bastion Host
A bastion (jump) host is placed in the public subnet and is the only instance that exposes SSH; instances in the private subnet are reached through it. The command forwards local port 2222 over the bastion to port 22 of the private resource:

 ssh -L 2222:<PRIVATE_RESOURCE_IP>:22 ubuntu@<BASTION_HOST_IP> \
 -o UserKnownHostsFile=/dev/null
 # afterwards, in a second terminal: ssh -p 2222 <user>@localhost

Caveat: -o UserKnownHostsFile=/dev/null discards the bastion's host key, so SSH cannot detect a man-in-the-middle on the connection to the bastion; outside a throw-away lab, keep the known_hosts entry and drop this option. The same hop can be expressed without a forwarded port via ProxyJump: ssh -J ubuntu@<BASTION_HOST_IP> <user>@<PRIVATE_RESOURCE_IP>. Restrict the bastion's security group to the administrators' source addresses and allow SSH into the private instances only from the bastion's security group.
7 Security
Security
Hint: Assign a high priority to security right from the start
Shared responsibility model:
 ● Security of the Cloud → AWS (physical infrastructure, hypervisor, network fabric)
 ● Security in the Cloud → User (everything configured inside the account: network layout,
   firewall rules, identities, data)
You can raise the security level with the help of:
 ● Network Access Control Lists (NACLs)
 ● Security Groups
 ● Firewalls (AWS Network Firewall)
 ● Subnets / Route Tables (keep anything that does not need to be reachable in private subnets)
 ● Monitoring (flow logs)
 ● IAM Permissions (least privilege for whoever may change the network)
 ● Encryption (in transit and at rest)
Network Access Control List (NACL)
NACL
●   is an additional security layer in front of the security groups
●   works as a firewall on subnet level: it applies to all traffic entering or leaving the subnet
●   by default every VPC has a default NACL which allows all inbound and outbound traffic
●   a custom NACL denies everything until rules are added; associate it with the subnets
    it should protect
●   NACLs are stateless: return traffic is not recognised, so the reply direction needs its
    own rule (e.g. outbound TCP 1024-65535 for the ephemeral ports of clients)
●   rules are evaluated in ascending order of their number from 1 to 32766; the first match
    wins, and a packet that matches no rule hits the final implicit * rule, which denies
    (recommendation: number rules in increments of 10 to leave room for later inserts)
●   a rule can allow or deny traffic, which makes NACLs the place to block a known-bad
    address range for a whole subnet
Security Group
 ●   virtual firewall on resource level (attached to the elastic network interface of an
     instance, load balancer, endpoint etc.)
 ●   each VPC has a default security group; it allows all outbound traffic and inbound
     traffic only from members of the same group
 ●   security groups are stateful: the response to an allowed request is permitted
     automatically, regardless of the rules in the other direction
 ●   there are only Allow rules; anything not explicitly allowed is denied
 ●   a rule's source can be a CIDR, a prefix list or another security group, so
     "allow SSH only from the bastion's security group" needs no IP addresses
Security Group vs. ACL
Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
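The comparison in the AWS documentation comes down to two properties, ordered allow/deny rules without state versus unordered allow-only rules with state. The following added example (not from the slides) evaluates one TCP flow from a client to an instance on port 443 against both models with constructed rule sets. It shows the practical consequence: a security group that allows inbound 443 also lets the reply leave, while a custom NACL with the same inbound rule silently drops the reply unless an outbound rule covers the client's ephemeral port. The 1024-65535 ephemeral range is the one AWS documents for NACL return traffic; the blocklisted /24 is a constructed TEST-NET range.

```python
"""Stateless NACL vs. stateful security group, evaluated on one TCP flow.

Added example. Rule sets and addresses are constructed (TEST-NET ranges).
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # port range AWS documents for NACL return traffic


@dataclass(frozen=True)
class Rule:
    number: int          # NACL rule number; lowest is evaluated first
    protocol: str        # 'tcp', 'udp' or 'all'
    ports: tuple         # (low, high), inclusive
    cidr: str            # remote address range
    action: str          # 'allow' or 'deny' (security groups only use 'allow')

    def matches(self, protocol, port, remote_ip) -> bool:
        return (self.protocol in ("all", protocol)
                and self.ports[0] <= port <= self.ports[1]
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


def nacl_decision(rules, protocol, port, remote_ip) -> str:
    """First matching rule in ascending number order wins; no match means the
    implicit final '*' rule applies, which denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, remote_ip):
            return rule.action
    return "deny"


def nacl_flow_allowed(inbound, outbound, client_ip, client_port, server_port,
                      protocol="tcp") -> bool:
    """A stateless filter must allow the request AND the reply separately: the
    request is checked against the inbound rules (port = server_port), the
    reply against the outbound rules (port = the client's ephemeral port)."""
    request_ok = nacl_decision(inbound, protocol, server_port, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, protocol, client_port, client_ip) == "allow"
    return request_ok and reply_ok


def sg_flow_allowed(inbound, client_ip, server_port, protocol="tcp") -> bool:
    """Security groups are stateful and allow-only: if any inbound rule permits
    the request, the reply is tracked and allowed automatically."""
    return any(r.matches(protocol, server_port, client_ip) for r in inbound)


# --- constructed rule sets -------------------------------------------------
SG_INBOUND = [Rule(0, "tcp", (443, 443), "0.0.0.0/0", "allow")]

NACL_INBOUND = [
    Rule(90, "tcp", (443, 443), "198.51.100.0/24", "deny"),   # blocklisted range, lower number wins
    Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]
NACL_OUTBOUND_BROKEN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]   # replies to clients dropped
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule(110, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    client = "203.0.113.7"
    print("SG   443:                   ", sg_flow_allowed(SG_INBOUND, client, 443))
    print("NACL 443, no ephemeral rule:", nacl_flow_allowed(NACL_INBOUND, NACL_OUTBOUND_BROKEN, client, 51000, 443))
    print("NACL 443, ephemeral rule:   ", nacl_flow_allowed(NACL_INBOUND, NACL_OUTBOUND_FIXED, client, 51000, 443))
    print("NACL 443 from blocklisted:  ", nacl_flow_allowed(NACL_INBOUND, NACL_OUTBOUND_FIXED, "198.51.100.9", 51000, 443))
```

The last case is the one thing the security group cannot express: a deny for a specific source that overrides the broader allow, which is why the NACL layer is worth keeping even when security groups do the fine-grained work.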
Network Firewall
 ●   managed firewall service with stateless and stateful rule engines
 ●   filters traffic at VPC boundaries, e.g. to/from an IGW, NAT GW, VPN or Direct Connect,
     by routing that traffic through firewall endpoints in dedicated subnets
 ●   the stateful engine is compatible with rules of the open source intrusion prevention
     system Suricata, so existing signature sets can be reused
 ●   comes with additional costs (per endpoint hour and per GB processed)
8 Monitoring
Flow Logs
 ●   logs of incoming and outgoing traffic to/from elastic network interfaces in the VPC
     are recorded; each record is metadata about a flow (addresses, ports, protocol,
     packets, bytes, ACCEPT/REJECT), never the payload
 ●   flow logs help to diagnose overly strict or overly permissive security group and
     NACL rules and to monitor which resources talk to which
 ●   the logging does not affect the bandwidth or latency of the traffic
 ●   flow logs can be created for an entire VPC, a subnet or an individual network interface
 ●   flow logs are not real time: records are aggregated over an interval (1 or 10 minutes)
     and delivered afterwards
 ●   flow logs can be delivered to Amazon S3, Amazon CloudWatch Logs or Amazon Data Firehose
 ●   some traffic is never logged, e.g. DNS queries to the Amazon resolver, instance metadata
     requests and DHCP
Diagram: elastic network interface → flow logs → Amazon Simple Storage Service (Amazon S3) / Amazon CloudWatch
Flow Logs
IAM Role for CloudWatch:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html
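Once the records arrive in CloudWatch Logs or S3, the value of flow logs lies in what you do with them. The following added example (not from the slides) parses records in the default format AWS documents (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) and runs two detections over them: a source that was REJECTed on many distinct ports (port scan against a NACL or security group) and SSH that was ACCEPTed from outside an allow-list. The log lines are constructed with TEST-NET addresses and a made-up account and interface ID; the allow-list (the bastion's subnet) is an assumption for the example. Records with log-status NODATA or SKIPDATA carry '-' in the traffic fields and are skipped rather than crashing the parser.

```python
"""Parse VPC flow log records (default format) and flag suspicious flows.

Added example. Log lines, account ID, interface ID and the allow-list are
constructed; the field order is the default format documented by AWS.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
TCP = 6

# Constructed sample: one scanner, one accepted SSH login from outside, one from inside.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.10 51002 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.10 51003 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.10 51004 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.10 51005 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.10 51006 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.20 10.0.1.10 40001 22 6 30 4120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.0.5 10.0.1.10 40777 22 6 25 3900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text: str):
    """Yield a FlowRecord per usable line; skip NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                          # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":         # NODATA / SKIPDATA: traffic fields are '-'
            continue
        yield FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                         int(rec["srcport"]), int(rec["dstport"]),
                         int(rec["protocol"]), rec["action"])


def detect_port_scans(records, min_ports=5):
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def detect_unexpected_ssh(records, allowed_cidrs):
    """ACCEPTed TCP/22 flows whose source lies outside the allow-list."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [r for r in records
            if r.action == "ACCEPT" and r.protocol == TCP and r.dstport == 22
            and not any(ipaddress.ip_address(r.srcaddr) in n for n in nets)]


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_LOG))
    print("port scans:", detect_port_scans(recs))
    # assumption for the example: only the bastion's network may SSH into private instances
    for r in detect_unexpected_ssh(recs, ["10.0.0.0/16"]):
        print("unexpected SSH:", r.srcaddr, "->", r.dstaddr, "on", r.interface_id)
```

An ACCEPT on port 22 from an unexpected source is the more urgent of the two findings: the REJECTs show that the filtering worked, the ACCEPT shows where it did not.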
9 Connectivity I - Endpoints
Endpoints
VPC endpoints let resources in a VPC reach AWS services privately, without routing the
traffic out of the AWS network: no IGW, NAT GW or public IP is needed. Two types exist:
interface endpoints, which are built on AWS PrivateLink, and gateway endpoints for S3 and
DynamoDB, which are plain route table targets. Both support an endpoint policy that restricts
which principals may use the endpoint and which resources they may reach through it.
Interface Endpoints
 ●   an elastic network interface with a private IP address in your subnet; with private DNS
     enabled, the service's DNS name resolves to that address
 ●   security groups apply to the endpoint's network interface, so access can be limited to
     specific instances
 ●   charged per endpoint hour per AZ plus data processed; pricing:
     https://aws.amazon.com/privatelink/pricing/?nc1=h_ls
Gateway Endpoints
 ●     target in a route table: the route's destination is the service's prefix list (pl-…),
       its target the endpoint (vpce-…)
 ●     currently only available for Amazon S3 and Amazon DynamoDB
 ●     without additional costs
 ●     only subnets whose route table contains the endpoint route use it, and only for the
       service in the same Region
10 Connectivity II - Advanced
VPC Peering
 ●    Goal: connect two VPCs so that instances communicate over private IP addresses
      (same or different account, same or different Region)
 ●    no gateway, VPN hardware or single point of failure involved
 ●    the CIDR blocks of the two VPCs must not overlap
 ●    peering is not transitive: each pair of VPCs that should communicate needs its own
      peering connection
 ●    the route tables on both sides must get a route for the peer's CIDR pointing at the
      peering connection (pcx-…)
Source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
VPC Transit Gateway
●   a Regional resource outside the individual VPCs, to which VPCs are attached
●   VPCs, Site-to-Site VPN connections and AWS Direct Connect gateways can be attached
●   acts as a transitive router, i.e. a hub-and-spoke topology can be set up where the VPCs
    do not need to be connected to each other directly; the transit gateway's own route tables
    decide which attachments may reach which, so segmentation (e.g. prod vs. dev) is enforced
    centrally
●   charged per attachment hour and per GB processed
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-centralized-router.html
VPN
Diagram: the VPC side terminates a Site-to-Site VPN connection on a VPN gateway (virtual private gateway, or a Transit Gateway); the on-premises network side terminates it on a customer gateway device. The connection consists of two IPsec tunnels for redundancy, and the VPC's route tables need a route for the on-premises ranges pointing at the virtual private gateway.
Outro
11 Tear Down