Amazon AWS Virtual Private Cloud (VPC)

Virtual Private Cloud is an architecture that enables tenants to create a logically isolated network within the cloud. The purpose is to provide maximum control within the cloud environment for applications. The tenant can implement virtual machines (EC2 instances) for servers and virtual appliances with different subnetting models. There is also hybrid integration with on-premises applications.

VPC permits private cloud applications with security compliance requirements. AWS architecture is comprised of regions with multiple availability zones per region. Each availability zone is either a single or multiple data centers. Any single VPC must reside within the same AWS region and VPCs can span multiple availability zones for redundancy. VPC subnets however cannot span multiple availability zones.  

AWS VPC Router

VPC router is the AWS native router assigned to each VPC that routes packets within the same VPC. Any packets destined for the internet are forwarded to the internet gateway. The customer gateway is deployed on-premises for VPN connection. The local route is used for communicating between instances within the same CIDR block only. The local route is the top level CIDR subnet used to create VPC subnets. There is a local route installed in the main route table or custom route table for each CIDR block.

Main Route Table

VPC creates a main route table as the default table. The tenant can then reassign the subnet to a custom route table based on routing requirements. The main route table cannot be deleted and can be assigned to private or public subnets. The tenant can associate a single or multiple subnets to the main route table. The same subnet cannot be assigned to more than one route table.

Any new subnet created after defining the VPC is associated with the main route table. It has a local route that is used for routing within a CIDR block. The main route table is typically used for private subnets however the tenant could deploy a single public subnet with web servers for example. The tenant would assign a public IP address to each EC2 instance for connecting to the internet. The main route table has a default route (0.0.0.0/0) to the internet gateway if created with default VPC option.

Custom Route Table

The custom route table has one or more local routes that are used for routing within CIDR blocks as well. There is also a default route to the internet gateway if deployed. The tenant can associate single or multiple subnets to the custom route table. The best practice is to move all subnets that require internet access to a custom route table and assign public addressing. The tenant must create a custom route table and associate the new public subnet to it. That will move the public subnet from the main route table and advertise the servers assigned to that subnet across the internet. That allows for control of VPC routing and optimizes security.

Network Interfaces

EC2 instances are assigned a private IP address whether they are in a public or private subnet for local routing. When launching an instance into a VPC, you can optionally assign a primary private IP address from the IPv4 address range of the subnet or AWS will assign it from the configured CIDR block. The private address is assigned to the default network interface (eth0) of the instance. You can add single or multiple secondary private IP addresses that are often used for virtual appliances. EC2 instances must be terminated to reassign an Elastic IP address to a new EC2 instance.

Elastic Network Interface (ENI)

Elastic Network Interfaces are virtual network interfaces assigned to an EC2 instance within a VPC. ENI supports multiple private IP addresses assignable per network interface. Tenants can also assign a single public IPv4 address or public Elastic IP to the same network interface. In the context of VPC architecture, EC2 instances could include virtual servers and virtual appliances. ENI supports multiple IPv6 addresses, security groups, MAC addresses, and source/destination check attribute.

Elastic IP (EIP)

The public Elastic IP address (EIP) is assigned to a network interface and advertised across the internet. EIP is a static public address that is persistent (remains assigned) even when the instance is stopped. The support for private and public addressing allows for subnetting and security zones

The tenant is assigned a maximum of five static Elastic IP (EIP) addresses per region. There are often multiple public web servers deployed across availability zones. Tenants can enable NAT to conserve addresses or request some additional EIP addresses from AWS.

Elastic IP vs Public IPv4 Address

Public IPv4 addresses are not persistent or reassignable to a different EC2 instance or interface. AWS returns public IPv4 addresses to a shared pool when an EC2 instance is stopped. The primary private IPv4 addressing assigned to EC2 instances are persistent and cannot be reassigned after launch. They are assignable with DHCP or can be manually assigned.

Elastic IP address (EIP) is a static internet routable IP address that is persistent when an EC2 instance is stopped. EIP is released from an EC2 instance when it is terminated. EIP can be manually reassigned to another EC2 instance when the instance is stopped or fails. There is a nominal charge for EIP while an EC2 instance is stopped. AWS automatically assigns a public IPv4 address to a network interface when the tenant disassociates an EIP from it. Conversely, the public IPv4 address is released when an EIP is assigned to the network interface. Elastic IP addresses are statically assigned to an AWS account in contrast to public IPv4 addresses that are allocated from a pool.

VPC Platforms

VPC console permits tenants to select either a default VPC or nondefault VPC. AWS will then programmatically configure and deploy the VPC based on what platform was selected. The following is a feature comparison of each platform.

Default VPC

The default VPC type is a starting point for tenants that enable basic cloud services and internet access. Tenants can create a VPC from CLI or AWS management console. EC2 instances are initially assigned a private IPv4 address and public IPv4 address for internet access. EC2 instances also support multiple Elastic Network Interfaces (ENI) that can be configured with a private and/or public IP address.

There is an internet gateway automatically added to the VPC and a default route (0.0.0.0/0) added to the main route table. This is used for forwarding traffic to the internet gateway. EC2 instances are automatically assigned public DNS hostnames in the default VPC. AWS creates a default subnet in all selected availability zones (AZ) in the region where your VPC is located. EC2 instance is launched into the subnet associated with an availability zone. There is however no automatic replication to each availability zone.

AWS automatically assigns 172.31.0.0/16 default CIDR block to your VPC. It further subnets your VPC with 172.31.0.0/20 private addressing for EC2 instances. That subnets the third octet so that adding four subnets on the bottom end of the range would include 172.31.0.0/20, 172.31.16.0/20, 172.31.32.0/20, and 172.31.48.0/20 subnets.

The first ten instances assigned to the first subnet (172.31.0.0/20) for example could be assigned 172.31.0.1/20 – 172.31.0.10/20 address range. The tenant could assign multiple subnets based on network design, security and application requirements. The main route table has 172.31.0.0/16 as a local route added as well.

EC2 instances launched in the default VPC are assigned to the default security group that allows all inbound and outbound traffic. The tenant can modify any default configuration and create up to 100 security groups per VPC. Each subnet is also assigned to a default network ACL that permits all inbound and outbound traffic.

Nondefault VPC

The primary reason for selecting nondefault VPC type is to configure all customized settings. EC2 instances are assigned 10.0.0.0/16 CIDR block private addressing when nondefault VPC is created with VPC wizard. There are no gateways attached to the VPC unless explicitly enabled. By default, EC2 instances launched into a nondefault VPC are not assigned a public IPv4 address or public DNS hostname. It permits you to configure a customized environment and enable internet connectivity at some point if required.

The maximum CIDR block range supported for IPv4 addressing within any single VPC is /16 to /28 subnet mask. That could include 10.0.0.0/16 to 10.0.0.0/28 CIDR block range for that private subnet addressing selected. Overlapping IP addresses are not permitted within a VPC.

When an instance is launched into nondefault VPC, each instance is provided a private DNS hostname from AWS. In addition a public DNS hostname is provided only when DNS hostnames attribute is changed from no to yes and your instance is using a public IPv4 address.

AWS Reserved Addressing Example

The first five IP addresses of any subnetted CIDR block are reserved for use by AWS for any VPC. The following is an example of excluded addresses based on 10.0.0.0/16 subnet addressing. The instances assigned to the first available subnet (10.0.0.0/24) would start IP addressing for tenant instances at 10.0.0.5/24 address. The /24 subnet mask is used to subnet the 3rd octet of the CIDR block.

10.0.0.0 = network address

10.0.0.1 = reserved for VPC router

10.0.0.2 = reserved for DNS services

10.0.0.3 = reserved address

10.0.0.255 = broadcast address

The next subnet CIDR block available is 10.0.1.0/24 with the following reserved IP addresses:

10.0.1.0 = network address

10.0.1.1 = reserved for VPC router

10.0.1.2 = reserved for DNS services

10.0.1.3 = reserved address

10.0.1.255 = broadcast address

VPC Hardware Tenancy

VPC hardware (instance) tenancy is a global attribute that is configured when the VPC is created. The default setting is shared hardware unless configured with dedicated (single-tenant). The hardware tenancy of a VPC can be changed from dedicated to default after you create it. You cannot change the instance tenancy of a VPC to dedicated after it is created. EC2 instances are launched using the global VPC tenancy however that can be modified at launch time.

The advantages of selecting default tenancy for your VPC is compatibility with AWS services and launch support. Default tenancy permit tenants to launch an EC2 instance as either default (shared hardware) or dedicated (single-tenant) isolated hardware. Creating a VPC with dedicated tenancy only allows EC2 instances to launch as dedicated or host. The VPC does not permit running instances with default (shared) tenancy for that configuration.

There is dedicated host option as well that assigns a physical server to a tenant for running instances. It provides server-level isolation and a customizable environment. The host option is typically required for licensing or security compliance requirements. The advantages of dedicated and host tenancy is performance, reliability and security. Some AWS services do not work with a dedicated tenancy VPC and there is increased cost. The choice is based on requirements for performance and security.

Internet Gateway

AWS internet gateway enables internet connectivity for all traffic external to the private AWS cloud. That creates a distributed network architecture with high availability. There is only one internet gateway assigned to each VPC. Internet gateway is available for connecting to the internet, on-premises applications, and AWS services such as S3 storage.

EC2 instances require a public internet routable IP address to communicate with the internet. AWS provides a default of five Elastic IP addresses (EIP) to each user account. There is horizontal scaling with virtually no bandwidth limits. The network capacity limits occur with EC2 instance or internet connection speed. Internet gateway automatically translates between public and private IP address assigned to public instances for internal routing. AWS tenants connect with a variety of internet services including broadband services, MPLS and Metro Ethernet. AWS perimeter devices inspect and forward packets to the internet gateway for any public IP address assigned to the tenant.

Virtual Private Gateway

The purpose of virtual private gateway is to connect corporate (on-premises) hosts and servers to a VPC. The virtual private gateway is assigned to private subnet/s within an AWS VPC. That provides a secure connection for corporate connectivity. The packets from private subnet/s are forwarded to the gateway that is configured with an assigned public address. That is used for connectivity to the customer gateway.

There is only one virtual private gateway assigned to each VPC. Amazon provides a default feature that terminates VPN tunnels at redundant virtual private gateways located at different availability zones. That provides link redundancy and VPN gateway redundancy for the same assigned VPC.

There is support for static routing or BGP dynamic routing with assigned private ASN numbering. All data is encrypted with IPsec using AES256 cipher. Route propagation feature automatically installs local routes in the main route table for advertising to a peering customer gateway. There is a default route as well added to the main route table (0.0.0.0/0) for EC2 instances to access the virtual private gateway connection.

NAT Instance

Instances in a private subnet are only assigned private addressing and have no access to the internet. Public servers are assigned to the public subnet with a private and public address. NAT instance is assigned to the public subnet to enable packet forwarding from private subnet instances to the internet. Configure either a public IPv4 address or Elastic IP to the NAT instance.

There is a default route (0.0.0.0/0) along with nat-instance-id that is added to the main route table for routing purposes. EC2 instances perform source/destination check as a default setting. EC2 public instances must be the source or destination for any inbound or outbound packets. The NAT instance is a security transit point between public and private subnets within any VPC. As a result tenants must disable the source/destination check for the NAT instance. The following topology represents multi-tier application subnetting with NAT instance

NAT Gateway vs NAT Instance

NAT gateway and NAT instance enable EC2 instances to initiate outbound packets from a private subnet to a public subnet. VPC does not allow traffic to flow directly from private to public subnets without NAT for security reasons. NAT gateway is a managed service that does not require the tenant to have a running EC2 instance. NAT instances support public and EIP addresses while NAT gateway only permits EIP address. NAT gateway is more scalable than NAT instance with 100 Gbps throughput for faster applications and seamless availability zone failover. There is no support for associating security groups with NAT gateway.

Add a default route to the main route table of private subnet servers that points to the NAT gateway. NAT gateway is assigned to a public subnet and as a result has a custom route table. Add a default route to the custom route table of NAT gateway that points to the internet gateway. The single EIP assigned to the NAT gateway is used to enable internet access for all web servers on a private subnet.

AWS Subnetting

The VPC wizard is designed to automatically deploy any VPC based on your design requirements. The following are standard pre-packaged VPC subnet models for customers.

  • Public subnet only
  • Public subnet and private subnet
  • Public subnet and private VPN
  • Private VPN-only subnet
  • Dynamic Multipoint VPN (DMVPN)

Public Subnet Only

The public subnet model is selected primarily for internet connectivity. The public subnets forward all traffic to an attached AWS internet gateway. The custom route table for a public subnet has default route (0.0.0.0/0) to the internet gateway and local route for routing within VPC. The default route (::/0) is used for IPv6 addressing when configured. The public subnet model assigns all EC2 instances to a public subnet. In addition there is a private and public IP address assigned to each EC2 instance. The primary private IP address is assigned to eth0 interface. EC2 instances are assigned either a temporary IPv4 public address or a static public Elastic IP address. The public IP address is advertised across the internet.

Public and Private Subnet

The public and private subnet model allows tenants to assign EC2 instances to public and private subnets. The public EC2 instances are assigned to a public subnet and private EC2 instances to a private subnet. EC2 instances in all subnets are assigned at least a single private IP address for routing within the VPC. There is a public Elastic IP (EIP) address assigned to the primary interface eth0 for instances in the public subnet as well. There is a single internet gateway that enables public internet access. The custom route table assigned to the public subnet has a default route to the internet gateway. 

EC2 instances assigned to a private subnet are only assigned private IP addressing. There are no incoming sessions allowed from the internet to the private subnets. The tenant can assign a NAT instance to a public subnet. That will forward traffic from private subnets to the public subnet and internet gateway for internet access. There is a default route to the NAT instance added to the main route table for the private subnet.

The private subnets can then connect to S3 storage, on-premises software and internet-based services. Any public EC2 instance without a public EIP address can use the NAT assigned EIP for internet access as well.

Public Subnet and Private VPN

VPN gateway enables a subnet design with public and private VPN. The public EC2 instances are assigned to a public subnet and private EC2 instances to a private VPN subnet. The tenant can deploy multiple public and private VPN subnets and route between them. The tenant attaches an internet gateway to the VPC for public internet access. The public EC2 instances from the public subnet are assigned a private IP address and a static public EIP address. The public EIP is used to advertise EC2 instances across the internet.

The private EC2 instances are assigned private IP addressing only. There is a single AWS virtual private gateway (VPN) attached to the VPC. That is used for terminating VPN connections from an on-premises network. The main route table assigned to the private subnet has a default route to the VPN gateway.

Tenants can assign a single NAT instance in the public subnet to enable internet access for private subnet applications to the internet gateway. There is a default route added to the main route table for routing to the NAT instance shown with the following table.

Main Route Table
  Destination  Target
  10.0.0.0/16  local
  172.16.0.0/24  vgw-id
  0.0.0.0./0  nat-instance-id

The private subnets can then connect to S3 storage and get company software updates for example. That is preferred to routing through the virtual private gateway and then egress across an on-premises internet connection. Any public EC2 instance without an assigned public EIP can use NAT assigned EIP for internet access as well. The main route table is updated with the subnet address used by on-premises VPN connection. You cannot assign two default routes to the same route table.

Private VPN-Only Subnet

VPN-only subnet model is comprised of all private subnets. There is no direct connection to the internet. EC2 instances are assigned private IP addressing only since it it a private subnet. Tenants can also assign multiple private subnets per VPC and communication between them is with a local route. There is a single AWS virtual private gateway attached to the VPC. It is used for terminating VPN connection to the on-premises customer gateway. All VPC traffic to an external destination are forwarded to the virtual private gateway using the default route.

Dynamic Multipoint VPN (DMVPN)

DMVPN is a public route-based VPN solution that is based on public and private subnets. This subnetting model supports dynamic routing and on-demand VPN connectivity across the internet. DMVPN also forwards traffic to internet-based AWS services such as S3 storage.

The private EC2 instances are assigned private IP addressing only. The public EC2 instances are assigned a private IP address and public EIP address. The public subnets are assigned EIP addressing for internet connectivity. The tenant attaches a virtual private gateway (VPG) or Cisco CSR 1000V router to the VPC. That is used for terminating on-premises DMVPN connections. Traffic from the private and public subnets are forwarded to the CSR 1000V router. The tenant must attach an internet gateway as well for internet access. CSR 1000V router manages routing for internet and VPN traffic. In addition CSR 1000V also supports interconnecting multiple VPCs for high availability.

Domain Name System (DNS)

EC2 instance that are launched into a default VPC are assigned AWS public and/or private DNS hostnames. The following DNS attributes are configured when default VPC type is selected:

  • DNS resolution: yes (enable AWS provided DNS services)
  • DNS hostnames: yes (AWS assigns private and/or public DNS hostnames)

EC2 instances that are launched into a nondefault VPC type are assigned AWS private DNS hostnames. AWS only provides public DNS hostnames when the DNS hostnames attribute is changed from no to yes and your EC2 instance is using a public address.

DNS attributes are changed to false (no) and DHCP options are modified to enable private DNS servers (on-premises). That points instances to private DNS servers and customized DNS hostnames. The DHCP attributes “domain-name-servers” allow four private DNS servers to be specified. In addition the “domain-name” attribute is configured for the company domain name assigned.

Private DNS Attributes

  • DNS resolution: no (disable AWS DNS and use tenant private DNS servers)
  • DNS hostnames: no (tenant custom public and/or private DNS hostnames)

Private DHCP Options

  • domain-name-servers = your-server1…
  • domain-name = company domain

VPC Endpoints

VPC endpoints enable EC2 instances in private subnets to communicate directly with supported services from within AWS cloud instead of traversing the internet. This includes AWS services such as S3, DynamoDB, and Kinesis streams. VPC endpoints create a connection from a single VPC only. Traffic is internal to the AWS cloud eliminating any support for cross-region requests.

The primary reason for deploying VPC endpoints is to minimize the costs associated with internet connectivity for S3, DynamoDB, and Kinesis traffic classes. It is preferable as well to avoid performance problems inherent with internet connections. All traffic remains within the AWS cloud and does not traverse the public internet. That is preferred for applications that have security compliance requirements. The following topology is a VPC endpoint private connection to AWS S3 storage

Usage costs for internet gateway and NAT are eliminated for AWS services that support endpoints. The VPC endpoint is an Elastic Network Interface (ENI) with a private IP address assigned or AWS private link service. ENI is nothing more than EC2 instance interface that supports multiple public and/or private IP addresses. There is a network load balancer that forwards requests to AWS services from a VPC endpoint for network level connectivity.

External links such as Direct Connect are not supported with VPC endpoints. VPC peering is not permitted either since traffic does not leave the source VPC. AWS permits security policies that are endpoint centric for managing access to S3 buckets as an added layer of security when there are existing bucket permissions. VPC endpoint default policy is to allow full access to S3 buckets when there is no bucket-level or object-level permissions.

VPC Peering

VPC peering connection is a direct private connection between two VPCs that enable you to route traffic between them using private IP addresses. EC2 Instances in either VPC can communicate with each other and traffic remains within AWS cloud (not internet). The VPC peering feature can link different AWS accounts as well. There is only a single VPC peering connection permitted between two VPC’s.

The required information include neighbor VPC ID, account ID, and CIDR block. The VPC ID and account ID are administrative attributes that identify the AWS account. The tenant must add a route to the main route table that point to the neighbor CIDR block range. IAM cross-account access role is assigned to the initiating tenant from the neighbor that allows connection setup.

Transitive routing occurs when a hub VPC is used to route packets between two connected spoke VPCs. There is no support for transitive routing between VPC peering links . Routing only occurs between directly connected VPCs. AWS internet gateway and virtual private gateway are not required since all traffic is within the AWS cloud. Tenants can assign IP addresses from any private RFC 1918 address space.

Refer to the topology drawing. Your company has asked you to configure a peering link between two VPCs that are currently not connected or exchanging any packets. What destination and target is configured in the routing table of VPC1 to enable packet forwarding to VPC2?

VPC peering link (pcx-vpc1vpc2) requires a single route entry added to each VPC main route table. Any route entry is comprised of a destination and a target. The main route table for each VPC require the following destination and target (route).

Main Route Table: VPC1

Destination             Target

10.0.0.0/16               Local

172.16.0.0/16           pcx-vpc1vpc2

Main Route Table: VPC2

Destination             Target

172.16.0.0/16           Local

10.0.0.0/16               pcx-vpc1vpc2

Transit Gateway

AWS transit gateway is an alternative to VPC peering for more complex connectivity between VPCs and on-premises applications. This is similar to Cisco virtual routing and forwarding (VRF) operation. The transit gateway is a central hub that isolates and routes traffic between multiple VPCs and external locations. This includes on-premises data centers and remote connectivity. There are route tables configured on the transit gateway that represent VRFs used to manage routing decisions. VPC peering only allows point-to-point direct peering between VPCs within the cloud while transit gateway is a scalable hub and spoke topology. Transit gateway traffic is encrypted and also does not traverse the public internet for added security.

Direct Connect

The purpose of AWS Direct Connect service is to enable a private dedicated connection between on-premises data centers and AWS cloud. Direct Connect private WAN is only available at AWS regional data centers. The advantages of Direct Connect are security, performance, and reliability with high speed cloud connectivity up to 100 Gbps. The high performance can result in costs that are competitive or lower than internet-based services. The increased bandwidth optimizes bulk data transfers from databases and delay sensitive traffic such as voice and video. Direct Connect provides access at the AWS cloud connection point to all AWS public and private services through virtual interfaces.

The public virtual interfaces are configured at the tenant colocated router for accessing S3 and Glacier storage. In addition private virtual interfaces are configured for VPC access where EC2 instances reside. Direct Connect is a private and not internet-based service that is not a solution for extending on-premises VLANs to AWS. There is active/passive and active/active topology options that supports load balancing to the AWS cloud.

Direct Connect vs IPsec VPN

Direct ConnectIPsec VPN
takes longer to turn up servicefaster to turn-up service
higher startup and monthly costlower costs
higher bandwidth and scalablelower bandwidth and less scalable
reliable private serviceinternet-based service is less reliable
dedicated access to AWS servicesrecommended for backup service