Amazon VPC - A Complete Guide with Architecture and Components

Amazon Virtual Private Cloud (Amazon VPC) is a networking service that you use to establish boundaries around your AWS resources. In simpler words, it lets users define a virtual network and then launch AWS resources into that network. It gives you full control over the network environment, its resources, connectivity, and security.

It also defines how resources in the network communicate across different Availability Zones or regions. Users can easily customize the network configuration of their Amazon Virtual Private Cloud (VPC).

Architecture of VPC

  • The outer boundary represents the region; here the region is ap-south-1.

  • Inside the region sits the VPC, and at the edge of the VPC sits the internet gateway.

  • The internet gateway is the way into the VPC. Traffic enters through the internet gateway and reaches the VPC router; the router consults the route table, and the route table directs the traffic to the subnet's network ACL.

  • The network ACL is a firewall at the subnet boundary, similar in purpose to a security group. Network ACLs are stateless, and their rules can both allow and deny traffic based on the criteria you specify, so you can block a specific IP address with a network ACL rule.

  • Next comes the security group, another line of defense in front of the EC2 instance. Within the VPC, we create public subnets across two Availability Zones. Public subnets are designed for resources that require direct internet access.

  • In a public subnet, an EC2 instance can reach the internet; in a private subnet, an EC2 instance cannot reach the internet on its own, although we can still connect to it from inside the VPC. Private subnets, if used, require a Network Address Translation (NAT) Gateway or NAT instance for outbound traffic, which keeps the instances themselves unreachable from the internet.

  • Another way to reach an instance in a private subnet is through an instance in a public subnet, a mechanism known as a "Bastion Host" or "Jump Host." This is a common security practice: direct access to instances in private subnets from the internet is blocked, while controlled access is provided through a more secure gateway. In this way, an instance in a public subnet connects to an instance in a private subnet.
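The flow above (internet gateway, router, route table, public and private subnets, NAT) can be reduced to one decision: which route-table entry a packet matches. The following script is an added example, not code from the original post or from AWS; it models a VPC route table offline with Python's standard `ipaddress` module. The VPC CIDR, the gateway ids (`igw-0example`, `nat-0example`) and the sample addresses are constructed, and the lookup implements the longest-prefix-match rule that VPC route tables use.

```python
"""Added example, not part of the original post: a small offline model of
how a VPC route table picks a target and how that decision makes a subnet
public, private or isolated.  All CIDRs and gateway ids are constructed."""
import ipaddress

# Constructed VPC: 10.0.0.0/16 in ap-south-1 (the region named in the post).
VPC_CIDR = "10.0.0.0/16"

# Route tables as (destination CIDR, target) pairs.  Target ids are made up;
# the "local" route is what every VPC route table carries for its own CIDR.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0example")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0example")]
ISOLATED_RT = [(VPC_CIDR, "local")]


def lookup(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match, which is the
    rule VPC route tables use when several routes cover an address.  Returns
    None when no route matches (the packet is dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """A subnet is 'public' when its default route (0.0.0.0/0) points at an
    internet gateway, 'private' when it points at a NAT gateway, and
    'isolated' when there is no default route at all."""
    default = [t for c, t in route_table
               if ipaddress.ip_network(c).prefixlen == 0]
    if not default:
        return "isolated"
    if default[0].startswith("igw-"):
        return "public"
    if default[0].startswith("nat-"):
        return "private"
    return "other"


def describe_path(route_table, dst_ip):
    """Describe where a packet from a subnet using route_table goes on its
    way to dst_ip."""
    target = lookup(route_table, dst_ip)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("igw-"):
        return "internet via internet gateway (inbound and outbound)"
    if target.startswith("nat-"):
        return "internet via NAT gateway (outbound only)"
    return f"forwarded to {target}"


if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT),
                     ("isolated", ISOLATED_RT)]:
        print(name, "->", classify_subnet(rt))
        print("  10.0.2.10     :", describe_path(rt, "10.0.2.10"))
        print("  93.184.216.34 :", describe_path(rt, "93.184.216.34"))
```

The point worth noticing is that "public" and "private" are not properties of the subnet itself: the same subnet becomes public or private purely by what its route table's default route points at, which is why a review of route tables belongs in any VPC security check.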

Components of AWS VPC

  • Subnet: A subnet is a range of IP addresses in your VPC. It is a section of the VPC that can contain resources such as Amazon EC2 instances that share a common address prefix. In a public subnet, resources are exposed to the internet through an Internet Gateway; in a private subnet, resources are not exposed to the outside world.

  • Route Table: A set of rules used to decide where network traffic is directed. Each route specifies a destination (an IP address range) and a target. The target can be an Internet gateway, a NAT gateway, a virtual private gateway, and so on. With route tables, users determine where traffic from a subnet or gateway is sent.

  • Virtual Private Gateway: The VPN (Virtual Private Network) hub on the Amazon side of a VPN connection, providing a secure channel. Users attach it to the VPC from which they want to create the VPN connection.

  • NAT Gateway: A Network Address Translation (NAT) Gateway is used when higher bandwidth and availability with less management effort are required. The private subnet's route table is updated so that it sends internet-bound traffic to the NAT gateway. It supports only the TCP, UDP, and ICMP protocols.

  • Security Groups: A security group is a set of firewall rules that controls the traffic for your instance. Security group rules can only allow traffic; you cannot create a rule to deny. The destination of an inbound rule is always the instance the security group is associated with. A single security group can be associated with multiple instances.

  • VPC Peering: A VPC peering connection allows you to route traffic between two VPCs using IPv4 or IPv6 private addresses. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. A VPC peering connection facilitates the transfer of data between the two VPCs.

  • Network Access Control Lists (NACL): An optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. You can set up network ACLs with rules similar to your security groups in order to add another layer of security to your VPC. The default network ACL allows all traffic to flow in and out of the subnets it is associated with.

  • Customer Gateway: A VPN connection links your network to your Amazon VPC. A customer gateway is the endpoint on your side of that connection. It can be a physical or software appliance.

  • Elastic IP: A static, reserved public IP address that can be assigned to any instance in a particular region. An Elastic IP is reserved for your AWS account and remains yours until you release it.

  • Network Interface: A network interface is a point of connection between a public and a private network. Every instance has a default network interface, called the primary network interface. If you move a network interface from one instance to another, network traffic is automatically redirected to the new instance.

  • VPC Endpoints: VPC endpoints allow private connections between your VPC and other AWS services without using the internet. VPC endpoints are horizontally scaled, redundant, and highly available VPC components. There are two types of VPC endpoints: interface endpoints and gateway endpoints.
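The two firewall layers in the list above differ in a way that causes real outages: a network ACL is stateless and evaluates numbered rules in order with both allow and deny actions, while a security group is allow-only and stateful. The script below is an added example, not code from the original post or from AWS; it evaluates one TCP connection against both models offline. The rule sets, the client addresses (`203.0.113.7`, `198.51.100.0/24`) and the ephemeral port range constant are constructed for the example.

```python
"""Added example, not from the original post: an offline model of how a
stateless network ACL and a stateful security group evaluate the same TCP
connection.  Rule sets and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # client-side ports that a reply must be allowed to


@dataclass
class NaclRule:
    number: int        # rules are evaluated lowest number first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    ports: tuple       # inclusive (low, high) port range
    cidr: str          # source (inbound) or destination (outbound) CIDR
    action: str        # "allow" or "deny"


def _matches(protocol, ports, cidr, proto, port, ip):
    """True when a rule's protocol, port range and CIDR all cover the packet."""
    return (protocol in ("all", proto)
            and ports[0] <= port <= ports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))


def nacl_evaluate(rules, proto, port, ip):
    """First matching rule in ascending number order wins; if nothing
    matches, the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if _matches(r.protocol, r.ports, r.cidr, proto, port, ip):
            return r.action
    return "deny"


def nacl_tcp_session(inbound, outbound, client_ip, client_port, server_port):
    """A NACL is stateless: the request needs an inbound allow on the server
    port AND the reply needs an outbound allow to the client's ephemeral port."""
    request_ok = nacl_evaluate(inbound, "tcp", server_port, client_ip) == "allow"
    reply_ok = nacl_evaluate(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


def sg_tcp_session(inbound, client_ip, server_port):
    """A security group is allow-only and stateful: any matching inbound rule
    allows the request, and the reply is allowed automatically."""
    return any(_matches(proto, ports, cidr, "tcp", server_port, client_ip)
               for proto, ports, cidr in inbound)


# Constructed rule sets for a web server listening on 443.
NACL_IN = [
    NaclRule(90, "tcp", (0, 65535), "198.51.100.0/24", "deny"),  # blocked range
    NaclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]
# Common mistake: outbound allows 443 but not the client's ephemeral port.
NACL_OUT_MISSING_EPHEMERAL = [NaclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
NACL_OUT_CORRECT = [NaclRule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]
SG_IN = [("tcp", (443, 443), "0.0.0.0/0")]


if __name__ == "__main__":
    print("NACL, no ephemeral outbound:",
          nacl_tcp_session(NACL_IN, NACL_OUT_MISSING_EPHEMERAL, "203.0.113.7", 51234, 443))
    print("NACL, ephemeral outbound:   ",
          nacl_tcp_session(NACL_IN, NACL_OUT_CORRECT, "203.0.113.7", 51234, 443))
    print("NACL, blocked source:       ",
          nacl_tcp_session(NACL_IN, NACL_OUT_CORRECT, "198.51.100.9", 51234, 443))
    print("SG 443:", sg_tcp_session(SG_IN, "203.0.113.7", 443),
          " SG 22:", sg_tcp_session(SG_IN, "203.0.113.7", 22))
```

Two things the model makes visible: rule 90 blocks the unwanted range before rule 100 can allow it, which is the only way to express a deny in a VPC (security groups cannot), and a NACL that forgets the outbound ephemeral-port allow silently breaks every connection even though the inbound rule looks correct.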

VPC Peering

  • VPC Peering is a networking connection that lets you connect one VPC with another VPC through a direct network route using private IP addresses.

  • Instances behave as if they were on the same private network.

  • You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.

  • You can peer between regions. If you have one VPC in one region and another VPC in a different region, you can still peer the two VPCs.
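Peering has one hard prerequisite that the bullets above leave implicit: the two CIDR blocks must not overlap, because after peering each side adds a route for the other's CIDR pointing at the peering connection. The planner below is an added example, not code from the original post or from AWS; it checks that prerequisite, derives the routes each side needs (same-region or cross-region), and goes one step beyond the text by showing that peering is not transitive, a property of VPC peering I am certain of but which the post does not spell out. The VPC names, regions, CIDRs and the `pcx-` ids are constructed.

```python
"""Added example, not from the original post: an offline planner for a VPC
peering connection.  It rejects overlapping CIDRs, works out the route each
side must add, and shows that peering is not transitive.  VPC names,
regions, CIDRs and pcx ids are constructed."""
import ipaddress

# Constructed VPCs: name -> (region, CIDR block)
VPCS = {
    "app":    ("ap-south-1", "10.0.0.0/16"),
    "data":   ("ap-south-1", "10.1.0.0/16"),
    "backup": ("us-east-1",  "10.2.0.0/16"),
    "clash":  ("us-east-1",  "10.0.0.0/16"),   # same CIDR as "app"
}


def plan_peering(a, b, pcx_id):
    """Return the routes each VPC needs for the peering, or raise ValueError
    when the CIDRs overlap (AWS will not create such a peering)."""
    region_a, cidr_a = VPCS[a]
    region_b, cidr_b = VPCS[b]
    net_a, net_b = ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)
    if net_a.overlaps(net_b):
        raise ValueError(f"{a} ({cidr_a}) overlaps {b} ({cidr_b})")
    return {
        "cross_region": region_a != region_b,
        # Each side adds a route for the *other* VPC's CIDR via the pcx.
        "routes": {a: (cidr_b, pcx_id), b: (cidr_a, pcx_id)},
    }


def can_reach(peerings, src, dst):
    """Peering is not transitive: src reaches dst only over a peering
    connection that links those two VPCs directly."""
    return any({src, dst} == {x, y} for x, y in peerings)


if __name__ == "__main__":
    print(plan_peering("app", "data", "pcx-0example"))
    print(plan_peering("app", "backup", "pcx-1example"))   # cross-region
    try:
        plan_peering("app", "clash", "pcx-2example")
    except ValueError as err:
        print("rejected:", err)
    links = [("app", "data"), ("data", "backup")]
    print("app->data:", can_reach(links, "app", "data"),
          " app->backup:", can_reach(links, "app", "backup"))
```

Because peering is not transitive, a hub VPC peered with two spokes does not let the spokes talk to each other; each pair that needs connectivity requires its own peering connection and its own routes, which also keeps the blast radius of any one VPC explicit.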

Pricing for Amazon VPC

There is no additional charge for using a VPC itself, but there are charges for some VPC components, such as NAT gateways, IP Address Manager, traffic mirroring, and more. For example, if a user creates a NAT gateway in their VPC, they are charged for every "NAT Gateway-hour" used. Refer to the Amazon VPC pricing page to check the current prices.

Best Practices For Securing Your AWS VPC

The following are best practices for securing an AWS VPC:

  • Use AWS Identity and Access Management (IAM) for controlling access.

  • Use multiple Availability Zones (AZs) to increase availability.

  • Use Amazon CloudWatch to monitor the VPC components.

  • To control traffic and manage the network, use AWS security groups.

Closing Note:

👍 If you found this blog insightful, a like and share would mean the world!

Your support helps us continue delivering quality content.

Let's empower the tech community together! 🌐💬