Saturday, November 4, 2017

Virtual Private Cloud

VPC (Virtual Private Cloud) is a logical data center.  Amazon VPC lets you provision a logically isolated section of the Amazon Web Services cloud where you can launch AWS resources in a virtual network that you define.  You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. 

You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your web servers that have access to the Internet, and place your backend systems, such as databases or application servers, in a private subnet with no Internet access.  You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.  Additionally, you can create a hardware VPN (Virtual Private Network) connection between your corporate data center and your VPC, and use the AWS cloud as an extension of your corporate data center.  Below are a few important points about VPC and its setup.

image



Example blueprint of a VPC:
image

Note:  Please go through the Networking and Subnet setup material if you have any specific doubt about network address ranges and prefix lengths.


What can we do with a VPC?
image



Default VPC vs Custom VPC?
image



VPC Peering

image

image

  • As per the VPC setup above, "no transitive peering" means that if VPC B wants to communicate with VPC C, a separate peering connection has to be set up directly between VPC B and VPC C (a star layout, with every pair peered explicitly). 
  • VPC B cannot reach VPC C via VPC A. 


Amazon VPC Dashboard

The Amazon VPC dashboard is the centralized location where you can find all the relevant VPC resources and services.  Below is a screenshot of the Amazon VPC dashboard.
image



Creating VPC




The following diagram shows a VPC that has been configured with subnets in multiple Availability Zones. 1A, 1B, 2A, and 3A are instances in your VPC. An IPv6 CIDR block is associated with the VPC, and an IPv6 CIDR block is associated with subnet 1. An internet gateway enables communication over the internet, and a virtual private network (VPN) connection enables communication with your corporate network.

image





You create a custom VPC with the dialog box below, which opens when you click the Create VPC button on your VPC page; supply a Name tag and an IPv4 CIDR block.

image


The following resources are created automatically when you create a custom VPC:

  • A new VPC.
  • A route table.
  • Security groups.
  • A network ACL (Access Control List).

image



Creating Subnet

A subnet is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC.

The following diagram shows a new VPC with an IPv4 CIDR block, and the main route table.
image




When you create a VPC, you must specify an IPv4 CIDR block for the VPC. The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses). After you've created your VPC, you can associate secondary CIDR blocks with the VPC. For more information, see Adding IPv4 CIDR Blocks to a VPC.

When you create a VPC, we recommend that you specify a CIDR block (of /16 or smaller) from the private IPv4 address ranges as specified in RFC 1918:
  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Also, the site http://www.subnet-calculator.com/cidr.php may help you calculate CIDR address ranges.  Additionally, your network engineering team can help to identify a suitable range.

In the following example, the VPC on the left has a single CIDR block (10.0.0.0/16) and two subnets. The VPC on the right represents the architecture of the same VPC after you've added a second CIDR block (10.2.0.0/16) and created a new subnet from the range of the second CIDR.

image



The first 4 IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following 5 IP addresses are reserved:
  • 10.0.0.0: Network address.
  • 10.0.0.1: Reserved by AWS for the VPC router.
  • 10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, we also reserve the base of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. For more information, see Amazon DNS Server.
  • 10.0.0.3: Reserved by AWS for future use.
  • 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.
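To make the CIDR rules above concrete, here is an added Python example (not from the original post and not AWS code) that checks a proposed VPC block against the /16 to /28 limit and the RFC 1918 ranges, and computes the five reserved addresses and the usable host count for a subnet; the sample CIDRs are constructed.

```python
import ipaddress

# RFC 1918 private ranges the post recommends for a VPC CIDR block
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr):
    """Return (ok, reason) for a proposed VPC IPv4 CIDR block.

    The allowed size is /16 (65,536 addresses) down to /28 (16 addresses).
    A block outside RFC 1918 is accepted but flagged for review.
    strict=True rejects a CIDR with host bits set, such as 10.0.0.1/16.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        return False, "an IPv4 block is required"
    if not 16 <= net.prefixlen <= 28:
        return False, f"/{net.prefixlen} is outside the allowed /16 to /28 range"
    if not any(net.subnet_of(r) for r in RFC1918):
        return True, "warning: block is not in an RFC 1918 private range"
    return True, "ok"


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns": str(base + 2),          # base of each subnet plus two is also reserved
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),  # VPCs do not support broadcast
    }


def usable_host_count(subnet_cidr):
    """Addresses left for instances once the five reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def vpc_dns_server(primary_vpc_cidr):
    """The Amazon DNS server lives at the base of the VPC's primary CIDR plus two."""
    return str(ipaddress.ip_network(primary_vpc_cidr, strict=True).network_address + 2)


def subnet_fits_vpc(subnet_cidr, vpc_cidrs):
    """A subnet must lie entirely inside one of the VPC's CIDR blocks (primary or secondary)."""
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    return any(sub.subnet_of(ipaddress.ip_network(v)) for v in vpc_cidrs)
```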



Creating Internet Gateway

An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. An Internet gateway supports IPv4 and IPv6 traffic.

Note: You can attach only one Internet gateway to a VPC.

In the following diagram, Subnet 1 in the VPC is associated with a custom route table that points all Internet-bound IPv4 traffic to an Internet gateway. The instance has an Elastic IP address, which enables communication with the Internet.

image




Creating Route Tables

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

The following diagram shows the routing for a VPC with both an Internet gateway and a virtual private gateway, plus a public subnet and a VPN-only subnet. The main route table came with the VPC, and it also has a route for the VPN-only subnet. A custom route table is associated with the public subnet. The custom route table has a route over the Internet gateway (the destination is 0.0.0.0/0, and the target is the Internet gateway).

image



By default, the main route table of a subnet does not route traffic out to the Internet.  A custom route table can route to the Internet once you add a route for it.


The following diagram shows a VPC with two subnets that are implicitly associated with the main route table (Route Table A), and a custom route table (Route Table B) that isn't associated with any subnets.

image



After you've tested Route Table B, you can make it the main route table. Note that Subnet 2 still has an explicit association with Route Table B, and Subnet 1 has an implicit association with Route Table B because it is the new main route table. Route Table A is no longer in use.

image



Creating Elastic IP Address

An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP address is a public IPv4 address, which is reachable from the Internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the Internet; for example, to connect to your instance from your local computer.


Creating End Points

A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.

In the following diagram, instances in subnet 2 can access Amazon S3 through the VPC endpoint.


image



DHCP (Dynamic Host Configuration Protocol)

The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.

DHCP is at the heart of assigning you (and everyone) their IP address. The key word in DHCP is protocol—the guiding rules and process for Internet connections for everyone, everywhere. DHCP is consistent, accurate and works the same for every computer. Remember that without an IP address, you would not be able to receive the information you requested. As you've learned (by reading IP: 101), your IP address tells the Internet to send the information that you requested (Web page, email, data, etc.) right to the computer that requested it.

There are more than one billion computers in the world, and each individual computer needs its own IP address whenever it's online. The TCP/IP protocols (our computers' built-in, internal networking software) include a DHCP protocol. It automatically assigns and keeps track of IP addresses and any "subnetworks" that require them. Nearly all IP addresses are dynamic, as opposed to "static" IP addresses that never change. DHCP is a part of the "application layer," which is just one of the several TCP/IP protocols. All of the processing and figuring out of what to send to whom happens virtually instantly.

How DHCP Works

The key word in DHCP is "dynamic": instead of having one fixed and specific IP address, most computers are assigned an available one from a subnet or "pool" that is assigned to the network. The Internet isn't one big computer in one big location. It's an interconnected network of networks, all created to make one-on-one connections between any two clients that want to exchange information.  One of the features of DHCP is that it provides IP addresses that "expire." When DHCP assigns an IP address, it actually leases that connection identifier to the user's computer for a specific amount of time. The default lease is five days.

Here is how the DHCP process works when you go online:
  1. You go on your computer to connect to the Internet.
  2. The network requests an IP address (this is actually referred to as a DHCP discover message).
  3. On behalf of your computer's request, the DHCP server allocates (leases) to your computer an IP address. This is referred to as the DHCP offer message.
  4. Your computer (remember—you're the DHCP client) takes the first IP address offer that comes along. It then responds with a DHCP request message that verifies the IP address that's been offered and accepted.
  5. DHCP then updates the appropriate network servers with the IP address and other configuration information for your computer.
  6. Your computer (or whatever network device you're using) accepts the IP address for the lease term.
Typically, a DHCP server renews your lease automatically, without you (or even a network administrator) having to do anything. However, if that IP address's lease expires, you'll be assigned a new IP address using the same DHCP protocols.



The Amazon EC2 instances you launch into a nondefault VPC are private by default; they're not assigned a public IPv4 address unless you specifically assign one during launch, or you modify the subnet's public IPv4 address attribute. By default, all instances in a nondefault VPC receive an unresolvable host name that AWS assigns (for example, ip-10-0-0-202). You can assign your own domain name to your instances, and use up to four of your own DNS servers. To do that, you must specify a special set of DHCP options to use with the VPC.

The following table lists all the supported options for a DHCP options set. You can specify only the options you need in your DHCP options set.

image



NAT Instances and NAT Gateways

You can use a network address translation (NAT) gateway or a NAT instance to enable instances in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating a connection with those instances.  To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you've created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the Internet.

The following diagram illustrates the architecture of a VPC with a NAT gateway. The main route table sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the internet gateway using the NAT gateway’s Elastic IP address as the source IP address.
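The route-table behaviour described in the Creating Route Tables section and the NAT-gateway routing just described, as an added Python model (not from the original post and not AWS code): every table carries the VPC-local route, only explicitly added routes reach an Internet or NAT gateway, lookups use longest-prefix match, and changing which table is main re-routes every implicitly associated subnet. The CIDRs and the igw-/nat- ids are constructed placeholders.

```python
import ipaddress

class VpcRouting:
    """Constructed VPC route-table model; subnets without an explicit association use the main table."""

    def __init__(self, vpc_cidr):
        self.vpc_cidr = vpc_cidr
        self.tables = {"A": [(vpc_cidr, "local")]}  # new VPC: main table with only the local route
        self.main = "A"
        self.associations = {}  # subnet CIDR -> table name, explicit associations only

    def add_table(self, name, *routes):
        self.tables[name] = [(self.vpc_cidr, "local"), *routes]  # local route is always present

    def associate(self, subnet_cidr, table):
        self.associations[subnet_cidr] = table

    def set_main(self, table):
        self.main = table  # implicitly associated subnets now follow this table

    def table_for(self, subnet_cidr):
        return self.associations.get(subnet_cidr, self.main)

    def lookup(self, subnet_cidr, dst_ip):
        """Longest-prefix match over the subnet's table, as the VPC router does."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, target in self.tables[self.table_for(subnet_cidr)]:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, target)
        return None if best is None else best[1]

    def egress_path(self, subnet_cidr, dst_ip="198.51.100.10"):
        """Explain how traffic from the subnet reaches the destination."""
        target = self.lookup(subnet_cidr, dst_ip)
        if target is None:
            return "dropped: no matching route"
        if target == "local":
            return "local: stays inside the VPC"
        if target.startswith("igw-"):
            return "internet gateway: the instance needs a public or Elastic IP"
        if target.startswith("nat-"):
            return "NAT gateway: outbound only, source is the gateway's Elastic IP"
        return target

def build_example():
    """The post's blueprint: public subnet via IGW, private subnet via NAT; ids are placeholders."""
    r = VpcRouting("10.0.0.0/16")
    r.add_table("public", ("0.0.0.0/0", "igw-EXAMPLE"))
    r.add_table("private", ("0.0.0.0/0", "nat-EXAMPLE"))
    r.associate("10.0.1.0/24", "public")
    r.associate("10.0.2.0/24", "private")
    return r
```

A third subnet with no explicit association (10.0.3.0/24 in the test) has no Internet path until a table with a 0.0.0.0/0 route is made main, which is the Route Table B step from the diagrams above.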

image



NAT instance AMIs can be searched for and configured in the Amazon console as shown below.

image

image

image





A NAT gateway can be created in the Amazon console from the NAT Gateways page of the VPC dashboard, as shown below.

image

image
image


Security Groups and Network Access Control List (ACL)

Amazon VPC provides features that you can use to increase and monitor the security for your VPC:
  • Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
  • Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
  • Flow logs — Capture information about the IP traffic going to and from network interfaces in your VPC


A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic things you need to know about security groups for your VPC and their rules.

image



A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

The default network ACL is configured to allow all traffic to flow in and out of the subnets to which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule.

image

image



The following diagram illustrates the layers of security provided by security groups and network ACLs. For example, traffic from an Internet gateway is routed to the appropriate subnet using the routes in the routing table. The rules of the network ACL associated with the subnet control which traffic is allowed to the subnet. The rules of the security group associated with an instance control which traffic is allowed to the instance.
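The layered evaluation just described, as an added Python example (not from the original post and not AWS code). It adds one detail the text leaves implicit: network ACL rules are evaluated in ascending rule-number order and the first match decides, with the `*` rule denying everything else, while a security group only has allow rules and permits a packet if any rule matches. The sample rules and addresses are constructed.

```python
import ipaddress

def _matches(rule, proto, port, src_ip):
    """True when a rule's protocol, port range and source CIDR all cover the packet."""
    return (rule["proto"] in (proto, "all")
            and rule["port_from"] <= port <= rule["port_to"]
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"]))

def nacl_evaluate(rules, proto, port, src_ip):
    """Network ACL: lowest rule number first, first match decides; the '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _matches(rule, proto, port, src_ip):
            return rule["action"], rule["number"]
    return "deny", "*"  # the built-in catch-all that cannot be modified or removed

def sg_evaluate(rules, proto, port, src_ip):
    """Security group: allow rules only; any matching rule permits, no match means drop."""
    return "allow" if any(_matches(r, proto, port, src_ip) for r in rules) else "deny"

def inbound_decision(nacl, sg, proto, port, src_ip):
    """Layering from the diagram: the subnet's NACL is checked first, then the instance's group."""
    action, number = nacl_evaluate(nacl, proto, port, src_ip)
    if action == "deny":
        return f"blocked by NACL rule {number}"
    if sg_evaluate(sg, proto, port, src_ip) == "deny":
        return "blocked by security group"
    return "allowed"

# Constructed sample policy (not from a real account): the subnet NACL admits HTTPS from
# anywhere and SSH from everywhere except one range; the security group opens 443 to
# the world and 22 only to an admin network inside the VPC.
NACL = [
    {"number": 100, "proto": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0", "action": "allow"},
    {"number": 110, "proto": "tcp", "port_from": 22, "port_to": 22, "cidr": "203.0.113.0/24", "action": "deny"},
    {"number": 120, "proto": "tcp", "port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0", "action": "allow"},
]
SG = [
    {"proto": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "port_from": 22, "port_to": 22, "cidr": "10.0.0.0/16"},
]
```

Because a network ACL is stateless, the reply traffic must also be matched by an outbound rule covering the client's ephemeral ports, whereas a security group tracks connection state and lets the reply through automatically.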

image


image



Creating Peering Connections

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. In both cases, the VPCs must be in the same region.

image



AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

A VPC peering connection can help you to facilitate the transfer of data; for example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a file sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.



Difference between NAT and Bastion/Jump Box

A NAT instance or NAT gateway is a system that enables instances in private subnets to connect to the Internet.  A bastion host (jump box), on the other hand, is a system that administrators log in to in order to do their admin work on instances located in private subnets, because security policy does not allow them to access private-subnet instances directly.

image


image