What is VPC?

  • With a VPC you get a logically isolated section of the AWS cloud. Within the VPC you have complete control over the IP address range, subnets, route tables and network gateways.
  • A VPC is a logical datacenter in a region. It can span all availability zones in that region.
  • An on-premises datacenter can be extended into an AWS VPC over a hardware VPN connection (hybrid cloud).

What can you do with VPC?

  • Create subnets in the VPC (a subnet cannot span multiple AZs)
  • Assign a custom IP address range to each subnet
  • Configure route tables between subnets
  • Launch instances in VPC subnets
  • Create an internet gateway and attach it to the VPC (one internet gateway per VPC)
  • Better security control over your AWS resources
  • Instance-level security groups (stateful)
  • Subnet-level network ACLs (stateless)

Default VPC

  • Every subnet in the default VPC has a route out to the internet, i.e. they are all public subnets
  • Each EC2 instance launched into a default subnet gets both a private IP and a public IP
  • If you delete the default VPC you can recreate it yourself (the EC2 console and the create-default-vpc CLI command both do this); older guidance said you had to contact AWS support

VPC Peering

  • Connects one VPC with another over a direct network route, using private IP addresses. Peering was originally limited to VPCs in the same region; inter-region peering is now supported.
  • Peering is not transitive: if A is peered with B and B is peered with C, A cannot reach C through B.
  • The peered VPCs can be in the same AWS account or in different AWS accounts
  • Instances behave as if they are on the same private network

Create VPC

  • When you create a VPC:
    • Subnets (not created by default)
    • Internet gateway (not created by default)
    • Route table (created by default; this becomes the main route table)
    • Network ACL (created by default)
    • Security group (created by default)
  • When you create a subnet (e.g.
    • The first four IP addresses and the last IP address in each subnet CIDR are reserved and cannot be assigned to your resources
    • The first address is the network address (
    • The last address is the network broadcast address (
    • AWS reserves three further addresses in every subnet, for the VPC router, the Amazon-provided DNS server and future use (,,
  • To make a subnet public:
    • Attach an internet gateway to the VPC
    • Create a route out to the internet: destination 0.0.0.0/0, target the internet gateway. Best practice is to put this route in a new route table rather than in the main one, because every subnet without an explicit association uses the main route table and would become public as well
    • Associate the subnet with that route table
    • Enable "auto-assign public IP" on the subnet. If you don't enable it at the subnet level, you can enable it per instance at launch time
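The reserved-address rule above is easy to get wrong when sizing subnets, so here is an added pre-flight check (example code, not part of the original notes): it validates a proposed subnet against the AWS CIDR limits (/16 to /28), confirms it sits inside the VPC and does not overlap existing subnets, and lists the five reserved addresses with their purpose plus the number of addresses you can actually assign. The function and constant names are the example's own, and the VPC/subnet CIDRs used at the bottom are constructed.

```python
import ipaddress

# AWS constraint: VPC and subnet CIDR blocks must be between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28

# The five addresses AWS reserves in every subnet, keyed by offset from the
# network address (offset -1 is the last address of the block).
RESERVED_ROLES = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS",
    3: "reserved for future use",
    -1: "network broadcast address (broadcast is not supported in a VPC)",
}


def reserved_addresses(subnet_cidr):
    """Return {address: role} for the addresses AWS reserves in subnet_cidr."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    # IPv4Network supports indexing, including net[-1] for the broadcast address.
    return {str(net[offset]): role for offset, role in RESERVED_ROLES.items()}


def usable_hosts(subnet_cidr):
    """Addresses you can assign: block size minus the five reserved ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - len(RESERVED_ROLES)


def plan_subnet(vpc_cidr, subnet_cidr, existing_subnets=()):
    """Validate a proposed subnet before any API call is made.

    Raises ValueError with a specific message on the first rule violation,
    otherwise returns the reserved addresses and the usable host count.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    for label, net in (("VPC", vpc), ("subnet", subnet)):
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            raise ValueError(f"{label} {net} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not subnet.subnet_of(vpc):
        raise ValueError(f"subnet {subnet} is not inside VPC {vpc}")
    for other in existing_subnets:
        other_net = ipaddress.ip_network(other, strict=True)
        if subnet.overlaps(other_net):
            raise ValueError(f"subnet {subnet} overlaps existing subnet {other_net}")
    return {
        "subnet": str(subnet),
        "usable_hosts": usable_hosts(subnet),
        "reserved": reserved_addresses(subnet),
    }


if __name__ == "__main__":
    # Constructed example: a second /24 in a /16 VPC that already has 10.0.0.0/24.
    plan = plan_subnet("10.0.0.0/16", "10.0.1.0/24", existing_subnets=["10.0.0.0/24"])
    print(plan["usable_hosts"], "usable addresses in", plan["subnet"])
    for address, role in plan["reserved"].items():
        print(f"  {address:15}  {role}")
```

A /24 yields 251 usable addresses, not 254, and the smallest allowed subnet (/28) yields only 11; plan capacity with the five reserved addresses in mind.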

Secure internet access to private subnet
Instances in a private subnet have no route to the internet. Outbound internet access (for patches and package downloads, say) can be provided through a NAT instance or a NAT gateway; neither lets the internet initiate connections to the private instances.

  • NAT instance
    • Launched from the Amazon-provided NAT AMI
    • Deploy the NAT instance in a public subnet and give it an Elastic IP or a public IP. Like any instance it sits behind a security group, which must allow the private subnets' outbound traffic in
    • Disable the source/destination check on the NAT instance. With the check enabled an instance only accepts traffic for which it is itself the source or the destination, so forwarded packets would be dropped
    • In the private subnet's route table create a route: destination 0.0.0.0/0, target the NAT instance
    • A NAT instance is managed by the customer and is a single point of failure; mitigate with an Auto Scaling group and monitoring
    • Throughput depends on the instance size
    • Supports bursts up to the instance's bandwidth
    • Can double as a bastion server
  • NAT gateway
    • Create the NAT gateway in a public subnet and assign it an Elastic IP
    • In the private subnet's route table add a route: destination 0.0.0.0/0, target the NAT gateway
    • There is no source/destination check to disable and no security group to manage (security groups cannot be associated with a NAT gateway); control its traffic with network ACLs on the subnet instead
    • NAT gateways are managed by AWS and scale automatically
    • Bandwidth scales with traffic; see the AWS comparison link below for the current limit
  • AWS link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html
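The "make a subnet public" steps and the NAT gateway steps above, carried out with boto3 as one added example (this is not code from the original notes or from AWS). The functions take an `ec2` argument that can be a real `boto3.client("ec2")` or any object with the same method names, so the ordering of the calls can be checked without credentials; boto3 is only imported when the script is run directly. The CIDRs, the availability zone and the function names are this example's own assumptions.

```python
INTERNET = "0.0.0.0/0"  # default route: anything not matched by a more specific route


def create_vpc(ec2, cidr):
    return ec2.create_vpc(CidrBlock=cidr)["Vpc"]["VpcId"]


def create_subnet(ec2, vpc_id, cidr, az):
    resp = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr, AvailabilityZone=az)
    return resp["Subnet"]["SubnetId"]


def make_subnet_public(ec2, vpc_id, subnet_id):
    """Attach an IGW, route 0.0.0.0/0 to it from a NEW route table (not the main
    one, so other subnets stay private), associate the subnet, and auto-assign
    public IPs to instances launched into it."""
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)  # one IGW per VPC
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=INTERNET, GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)
    ec2.modify_subnet_attribute(SubnetId=subnet_id, MapPublicIpOnLaunch={"Value": True})
    return {"igw": igw_id, "public_route_table": rtb_id}


def give_private_subnet_nat(ec2, vpc_id, public_subnet_id, private_subnet_id):
    """The NAT gateway lives in the public subnet with an Elastic IP; the
    private subnet gets its own route table whose 0.0.0.0/0 points at it.
    No source/destination check and no security group are involved."""
    alloc_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat = ec2.create_nat_gateway(SubnetId=public_subnet_id, AllocationId=alloc_id)
    nat_id = nat["NatGateway"]["NatGatewayId"]
    # The gateway is created asynchronously; routes to a pending gateway are useless.
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=INTERNET, NatGatewayId=nat_id)
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=private_subnet_id)
    return {"nat_gateway": nat_id, "private_route_table": rtb_id}


def build_two_tier_vpc(ec2, vpc_cidr="10.0.0.0/16", az="us-east-1a"):
    """Public /24 with an IGW plus private /24 behind a NAT gateway (assumed layout)."""
    vpc_id = create_vpc(ec2, vpc_cidr)
    public = create_subnet(ec2, vpc_id, "10.0.0.0/24", az)
    private = create_subnet(ec2, vpc_id, "10.0.1.0/24", az)
    result = {"vpc": vpc_id, "public_subnet": public, "private_subnet": private}
    result.update(make_subnet_public(ec2, vpc_id, public))
    result.update(give_private_subnet_nat(ec2, vpc_id, public, private))
    return result


if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 installed
    # Assumes AWS credentials in the environment and the region matching the AZ.
    print(build_two_tier_vpc(boto3.client("ec2", region_name="us-east-1")))
```

The private subnet deliberately gets a separate route table: a single 0.0.0.0/0 route can point either at the internet gateway or at the NAT gateway, and putting the IGW route in the main table would silently expose every subnet that has no explicit association.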

Security for VPC

  • Security groups: instance level. Act as a firewall for the associated EC2 instances (strictly, for their network interfaces) and control both inbound and outbound traffic. Stateful, with allow rules only.
  • Network ACLs: subnet level. Act as a firewall for the associated subnets and control both inbound and outbound traffic. Stateless, with allow and deny rules.
  • Flow logs: capture metadata about the IP traffic going to and from network interfaces in your VPC, including traffic that was rejected.

Network ACL

  • Network ACLs are stateless: return traffic is not tracked, so it must be explicitly allowed. Responses to allowed inbound traffic are subject to the outbound rules, and vice versa.
  • Default ACL: allows all inbound and outbound traffic
  • Custom ACL: denies all inbound and outbound traffic until you add rules
  • Each subnet must be associated with a network ACL; a subnet you don't explicitly associate is automatically associated with the default ACL
  • Changing a subnet's ACL association removes its previous association
  • A subnet can be associated with only one ACL, but one ACL can be associated with multiple subnets
  • Rules are evaluated in ascending rule-number order and the first matching rule decides; later rules are not consulted (e.g. if inbound rule #200 denies HTTP traffic from a source and inbound rule #500 allows HTTP traffic from the same source, rule #200 wins). If no rule matches, the final "*" rule denies the traffic.
  • (Amazon recommendation): number rules in increments of 100, leaving room to insert rules later
  • (Amazon recommendation): because ACLs are stateless, add rules for the ephemeral port range (1024-65535) so that return traffic is allowed: outbound for replies to inbound connections, inbound for replies to outbound connections
  • (Exam tip): to block a specific IP address, use a network ACL deny rule, not a security group; security groups only have allow rules and cannot deny anything
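The ordering and ephemeral-port points above are easiest to see by evaluating a few packets against a rule set, so here is an added simulator of network ACL matching (example code, written for these notes; it is not AWS's implementation). It applies the rules lowest number first, stops at the first match, and falls through to the implicit "*" deny. The sample rule sets are constructed: a deny for one source at #200 ahead of an allow-all for HTTP at #500, and an outbound table with and without the ephemeral range, which shows why a web server's replies are dropped when that range is missing. Addresses are from the documentation ranges (198.51.100.0/24, 203.0.113.0/24).

```python
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # range AWS recommends opening for return traffic
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order, first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all" ("all" ignores the port range)
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    ports: tuple     # inclusive (low, high) destination port range


def evaluate(rules, remote_addr, protocol, dst_port):
    """Stateless evaluation of one packet against one direction's rule list.

    remote_addr is the source of an inbound packet or the destination of an
    outbound one; dst_port is the packet's destination port. Returns
    (action, rule_number), with "*" standing for the implicit final deny.
    """
    addr = ipaddress.ip_address(remote_addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol != "all" and not (rule.ports[0] <= dst_port <= rule.ports[1]):
            continue
        return rule.action, rule.number  # first match decides; later rules are never read
    return "deny", "*"


def tcp_exchange_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A request from an internet client to a server inside the subnet, plus the
    server's reply. The ACL sees the request as an inbound packet to server_port
    and the reply as an outbound packet to the client's ephemeral port."""
    request = evaluate(inbound, client_ip, "tcp", server_port)
    reply = evaluate(outbound, client_ip, "tcp", client_port)
    return {
        "request": request,
        "reply": reply,
        "works": request[0] == "allow" and reply[0] == "allow",
    }


# Constructed inbound rules: block one abusive /24 at #200, allow HTTP from anywhere at #500.
INBOUND = [
    Rule(200, "deny", "tcp", "203.0.113.0/24", (80, 80)),
    Rule(500, "allow", "tcp", ANY, (80, 80)),
]
# Outbound without the ephemeral range: replies never leave the subnet.
OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", ANY, (80, 80))]
# Outbound following the AWS recommendation.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(200, "allow", "tcp", ANY, EPHEMERAL)]


if __name__ == "__main__":
    for name, outbound in (("broken", OUTBOUND_BROKEN), ("fixed", OUTBOUND_FIXED)):
        print(name, tcp_exchange_allowed(INBOUND, outbound, "198.51.100.7", 49152, 80))
    print("blocked source", tcp_exchange_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 49152, 80))
```

Swapping the numbers of the two inbound rules would let the blocked source through, because the allow at the lower number would match first; that is the "lower number wins" behaviour the exam tip relies on.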

VPC Flow logs

  • Create one from the VPC console (Actions -> Create Flow Log) with a filter (Accept, Reject or All), an IAM role that allows the flow logs service to write to CloudWatch Logs, and a destination log group. A flow log can be attached to a whole VPC, to a subnet or to a single network interface.
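Once flow logs are in CloudWatch, the useful work is reading the records. The following added example (not from the original notes) parses records in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), handles the NODATA records that carry "-" in place of values, and runs two simple checks over them: sources whose traffic was rejected on several distinct ports on one interface, and bytes accepted versus rejected. The sample records, account ID and interface ID are constructed for the example.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not captured from a real VPC). One source probes
# three ports and is rejected; a second source has a normal HTTPS exchange.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.10 40122 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.10 40123 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.10 40124 445 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.10 51000 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 203.0.113.9 443 51000 6 10 9800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000059 - NODATA
"""

NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Split one record into a dict; numeric fields become int, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_port_scans(records, min_ports=3):
    """Sources that were REJECTed on at least min_ports distinct destination
    ports on the same interface, a crude indicator of port scanning.
    Returns {(interface_id, srcaddr): sorted list of ports}."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["interface_id"], rec["srcaddr"])].add(rec["dstport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


def bytes_by_action(records):
    """Total bytes per action, ignoring NODATA/SKIPDATA records that carry no counts."""
    totals = Counter()
    for rec in records:
        if rec["log_status"] == "OK":
            totals[rec["action"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("possible scanners:", rejected_port_scans(recs))
    print("bytes by action:", bytes_by_action(recs))
```

Note that a REJECT in a flow log only says a security group or network ACL dropped the packet; it does not say which one, so the rule sets themselves have to be checked when investigating.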

NAT vs Bastion

  • A NAT instance lets instances in a private subnet reach the internet (outbound) while staying unreachable from it; it does not route inbound internet traffic to them
  • A bastion host (jump box) is a hardened instance in a public subnet used to administer instances in the private subnet from the internet (e.g. SSH or RDP through the bastion); restrict its security group to the administrators' source addresses
  • For a highly available bastion, create at least two public subnets in different AZs and run the bastion in an Auto Scaling group spanning them

