Introduction
Amazon VPC lets users create a virtual network space in the AWS cloud. Amazon VPC is a foundational AWS service: other AWS services, such as EC2 (Elastic Compute Cloud), cannot be used without an underlying VPC network.
This article will cover the topic of Amazon VPC in depth.
What is VPC?
VPC stands for Virtual Private Cloud. It is a virtual network dedicated to a specific AWS account. It is isolated logically from other virtual networks in the AWS Cloud.
When a VPC is created, users must specify a range of IPv4 addresses for the VPC in the form of a CIDR (Classless Inter-Domain Routing) block, for example 10.0.0.0/16. This is the primary CIDR block of the VPC.
The VPC spans all the Availability Zones in the Region. After a VPC has been created, subnets can be added in each Availability Zone.
While creating a VPC, there are two options, which are as follows:
VPC only - Creates only a VPC without any additional resources such as subnets or NAT gateways within the VPC.
VPC, subnets, etc. - Creates VPC, subnets, NAT gateways, and VPC endpoints.
What is Amazon VPC?
Amazon VPC lets users launch AWS (Amazon Web Services) resources in a defined virtual network, in a logically isolated area of the AWS cloud.
The virtual network closely resembles a traditional network operated in the user's own data center, with the benefit of AWS's scalable infrastructure. Users have complete control over their virtual networking environment, including selecting IP address ranges, creating subnets, configuring route tables, and setting up network gateways.
Interfaces are employed in order to create, manage, and access the Amazon VPC. These interfaces are as follows:
AWS CLI (AWS Command Line Interface) - Offers commands for a broad set of AWS services, including Amazon VPC. It is supported on Windows, Mac, and Linux.
AWS Management Console - Offers a web interface for working with VPCs.
AWS SDKs (AWS Software Development Kits) - Offer language-specific APIs that take care of many of the connection details, such as error handling, request retries, and calculating signatures.
Query API - Offers low-level API actions that are called using HTTPS requests. It is the most direct way to use Amazon VPC, but it requires the application to handle low-level details such as generating the hash to sign the request and handling errors.
How Amazon VPC works
Now that we know the basics of VPC, and of Amazon VPC specifically, let's look at how Amazon VPC works.
As mentioned earlier in this article, users can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.
Subnets
A subnet is a range of IP addresses within the VPC. AWS resources are launched into a specified subnet. Using a private subnet for resources that should not be reachable from the internet, and a public subnet for resources that should be, is the recommended practice.
Based on the VPC configuration, subnets are classified as follows:
Public subnet: The subnet traffic is routed to the public internet through an egress-only internet gateway or an internet gateway.
Private subnet: The subnet traffic cannot reach the public internet through an egress-only internet gateway or an internet gateway. A NAT device is required for accessing the public internet.
VPN-only subnet: The subnet traffic is routed to a Site-to-Site VPN connection via a virtual private gateway. The subnet traffic cannot reach the public internet via any of the internet gateways.
When a subnet is created, its IP address range is specified. Based on the IP addressing configuration of the VPC, subnets are classified as:
IPv6 only: This subnet has an IPv6 CIDR block but does not have an IPv4 CIDR block. The VPC should have an IPv6 CIDR block. Resources in an IPv6-only subnet must communicate over IPv6.
IPv4 only: This subnet has an IPv4 CIDR block but does not have an IPv6 CIDR block. Resources in an IPv4-only subnet must communicate over IPv4.
Dual stack: The subnet has an IPv6 CIDR block and an IPv4 CIDR block. The VPC must have an IPv6 CIDR block and an IPv4 CIDR block. Resources in a dual-stack subnet can communicate over IPv6 and IPv4.
A default VPC comes with a default subnet in each Availability Zone. A default VPC is ready to use and provides the advanced features offered by EC2-VPC. If no subnet is specified when an instance is launched, the instance is launched into the default VPC. Instances can therefore be launched into the default VPC without any knowledge of Amazon VPC.
Components of Default VPCs are:
A VPC with a /16 IPv4 CIDR block (172.31.0.0/16). This offers up to 65,536 private IPv4 addresses.
A /20 default subnet in each Availability Zone. This offers up to 4,096 addresses per subnet, a few of which are reserved by AWS.
An internet gateway attached to the default VPC.
A route in the main route table that sends all traffic (0.0.0.0/0) to the internet gateway.
A default security group associated with the default VPC.
A default network ACL (Access Control List) associated with the default VPC.
The default DHCP options set of the AWS account, associated with the default VPC.
A VPC that a user creates and configures according to their own requirements is called a non-default VPC. Subnets created in a non-default VPC, and additional subnets created in the default VPC, are non-default subnets.
IP Addressing
IP addresses enable resources in the VPC to communicate with each other and with resources over the internet.
When a user creates a VPC, it is assigned an IPv4 CIDR block (a range of private IPv4 addresses), an IPv6 CIDR block, or both IPv4 and IPv6 CIDR blocks (dual-stack).
Private IPv4 addresses are not reachable on the internet, whereas IPv6 addresses are globally unique and can be configured to be reachable over the internet or remain private.
A VPC can operate in dual-stack mode, meaning that resources can communicate over IPv4, over IPv6, or over both. IPv6 and IPv4 addresses are independent of each other; therefore separate routes and security group rules must be added for each.
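The address arithmetic behind the numbers above (a /16 VPC block, /20 subnets, reserved addresses), as an added example that is not part of the original article. The VPC block, AZ names and subnet layout are constructed; the five-address reservation per subnet is AWS behaviour, not something the article states.

```python
import ipaddress
from typing import Dict, List

# Constructed example plan (not from any real account): the /16 primary CIDR
# used in the article, carved into /20 subnets, one per Availability Zone,
# the same shape as the default VPC. AZ names are placeholders.
VPC_CIDR = "10.0.0.0/16"
AZS = ["az-a", "az-b", "az-c"]

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, Amazon DNS, future use, broadcast).
RESERVED_PER_SUBNET = 5


def carve_subnets(vpc_cidr: str, azs: List[str], prefix: int = 20) -> Dict[str, str]:
    """Assign one /<prefix> subnet per AZ from the front of the VPC block."""
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    return {az: str(next(candidates)) for az in azs}


def usable_addresses(subnet_cidr: str) -> int:
    """Number of addresses in the subnet that instances can actually receive."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Report subnets that fall outside the VPC block or overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(az, ipaddress.ip_network(c)) for az, c in subnets.items()]
    problems = []
    for az, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{az}: {net} is not inside {vpc}")
    for i, (az1, n1) in enumerate(nets):
        for az2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{az1} {n1} overlaps {az2} {n2}")
    return problems


if __name__ == "__main__":
    plan = carve_subnets(VPC_CIDR, AZS)
    for az, cidr in plan.items():
        print(az, cidr, usable_addresses(cidr), "usable addresses")
    print("problems:", check_plan(VPC_CIDR, plan) or "none")
```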
Route tables
A route table contains a set of rules, called routes, that determine where network traffic from the VPC is directed. A subnet can be explicitly associated with a particular route table; otherwise, it is implicitly associated with the main route table.
Every route in a route table specifies the range of IP addresses that the traffic is intended for (the destination) and the gateway, network interface, or connection through which to send the traffic (the target).
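How a route table resolves a destination, and how the public / private / VPN-only subnet types described above follow from the route targets, as an added example that is not part of the original article. The route tables and the igw-/nat-/vgw- target names are constructed placeholders; the longest-prefix-match rule is how AWS selects a route.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination CIDR, target). The targets are constructed names in
# the style of AWS resource IDs, not real identifiers.
Route = Tuple[str, str]

# Constructed route tables, one for each subnet kind described in the article.
ROUTE_TABLES: Dict[str, List[Route]] = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-example"),
                    ("192.168.0.0/16", "vgw-example")],
    "rtb-vpn-only": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-example")],
}


def lookup(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target for dst_ip using longest-prefix match, as AWS does.
    None means no route matches and the traffic is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def classify_subnet(routes: List[Route]) -> str:
    """Label a subnet public, private or VPN-only from its route table alone."""
    targets = {target for _, target in routes}
    has_nat = any(t.startswith("nat-") for t in targets)
    if any(t.startswith(("igw-", "eigw-")) for t in targets):
        return "public"      # a direct path to an internet gateway exists
    if any(t.startswith("vgw-") for t in targets) and not has_nat:
        return "VPN-only"    # reaches the VPN, but has no path to the internet
    return "private"         # internet only via a NAT device, or not at all


def audit(tables: Dict[str, List[Route]]) -> Dict[str, str]:
    """Classify every route table; the public ones deserve the closest review."""
    return {name: classify_subnet(routes) for name, routes in tables.items()}
```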
Accessing the internet
By default, each instance launched into a nondefault subnet has a private IPv4 address but no public IPv4 address, unless one is assigned at launch or the subnet's public IP addressing attribute is modified. These instances can communicate with each other but cannot access the internet.
Internet access can be enabled for an instance launched into a nondefault subnet by attaching an internet gateway to its VPC and associating an Elastic IP address with the instance.
Alternatively, an instance in the VPC can be allowed to initiate outbound connections to the internet while unsolicited inbound connections from the internet are blocked.
This is done with a Network Address Translation (NAT) device, which maps several private IPv4 addresses to one public IPv4 address.
DNS attributes for the VPC
DNS is short for Domain Name System. It is the naming system used to resolve website names to their corresponding IP addresses. A DNS hostname uniquely names a system; it consists of a hostname and a domain name. DNS servers perform the resolution.
The Amazon DNS server does not reside in a specific Availability Zone or subnet in a VPC.
Whenever an instance is launched into a VPC, it receives a private DNS hostname. It also receives a public DNS hostname if the instance is configured with a public IPv4 address and the VPC's DNS attributes are enabled.
DHCP concept
DHCP stands for Dynamic Host Configuration Protocol. Each device on a TCP/IP network needs an IP address to communicate over the network, and DHCP servers assign these IP addresses dynamically.
Applications running on EC2 instances in subnets can communicate with Amazon DHCP servers as needed to retrieve their IP address lease or other network configuration information (such as the IP address of an Amazon DNS server or the IP address of the router in the VPC).
Amazon VPC enables users to specify the network configurations that are offered by Amazon DHCP servers with the help of DHCP option sets.
DHCP option sets give users control over the following aspects of the virtual network:
Which DNS servers, domain names, and NTP (Network Time Protocol) servers the devices in the VPC use.
DNS resolution can be disabled entirely in the VPC.
Option sets are of two kinds:
Default DHCP option set
The default DHCP option set contains the following network configurations:
Domain Name: The name that a client must use when resolving hostnames via the Domain Name System.
Domain Name Servers: The DNS servers that users’ network interfaces use for domain name resolution.
With the default option set, the Amazon DHCP server uses the network configuration stored in it. Whenever an instance is launched in the VPC, it interacts with the DHCP server and the Amazon DNS server, and connects to other devices in the network through the VPC's router. Instances interact with the Amazon DHCP server to obtain their IP address and any additional network configuration.
With a custom DHCP option set, the following network configurations can be altered:
Domain name: The domain name that a client must use when resolving hostnames via the Domain Name System.
Domain name servers: The DNS servers that the network interfaces use for domain name resolution.
NTP servers: The NTP servers that provide the time to the instances in the network.
NetBIOS name servers: A NetBIOS name server maintains a list of mappings between NetBIOS computer names and network addresses for networks that use NetBIOS as their naming service.
NetBIOS node type: The method that EC2 instances running a Windows OS use to resolve NetBIOS names to IP addresses.
If a custom option set is used, instances launched into the VPC use the network configuration in the custom DHCP option set, interact with non-Amazon DNS, NTP, and NetBIOS servers, and connect to other devices in the network through the VPC's router.
The AWS Shared Responsibility Model applies to data protection in Amazon VPC. Under this model, AWS is responsible for protecting the global infrastructure that runs the AWS Cloud. Users are responsible for maintaining control over the content hosted on this infrastructure, which includes the security configuration and management tasks for the AWS services they use.
The following steps help protect data:
Using multi-factor authentication (MFA) with every account.
Setting up API and user activity logging with AWS CloudTrail.
Using TLS/SSL to communicate with AWS resources.
Using AWS encryption solutions and all default security controls within AWS services.
Using advanced managed security services like Amazon Macie that help discover and secure personal data stored in Amazon S3.
Encryption in transit
AWS offers private and secure connectivity between EC2 instances of all kinds. Additionally, some instance types use the offload capabilities of the underlying Nitro System hardware to encrypt in-transit traffic between instances by default.
Security in Amazon VPC
Security is a shared responsibility between users and AWS. Here again, the Shared Responsibility Model describes this as security in the cloud and security of the cloud:
Security in the cloud – The user's responsibility is determined by the AWS services used. Users are also responsible for other factors, including the sensitivity of their data, the company's requirements, and applicable laws and regulations.
Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. Third-party auditors regularly test and verify the effectiveness of this security.
Frequently Asked Questions
How is EC2 different from VPC?
In Amazon VPC, the instances run in a VPC that is logically isolated within the user's AWS account, whereas with EC2-Classic, the instances run in a single flat network that can be shared.
What is the difference between VPC and VPN?
A VPC can be considered a private network in the cloud. Several VPCs can be created in a single region, but they are isolated from one another. A VPC can be divided into more than one subnet. A VPN gateway is the access point of a VPN connection and is created on top of a VPC.
What is CIDR?
CIDR is short for Classless Inter-Domain Routing. It is a way of representing an IP address together with its network mask. An IPv4 CIDR block consists of four groups of up to three decimal digits (0-255) separated by periods, followed by a '/' and a number from 0 to 32.
Conclusion
This article has discussed Amazon VPC in depth: its properties, how it works, and other aspects.