AWS VPC

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

The following are the key concepts for VPCs:

  • A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.
  • A subnet is a range of IP addresses in your VPC.
  • A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
  • An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
  • A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Features

  • VPC access can be done by an Internet Gateway, Peering or a VPN
  • Can only have 1 IGW per 1 VPC
  • 1 Subnet = 1 AZ
    • Can have multiple subnets in same AZ
  • 1 Subnet = 1 Network ACL
    • The same Network ACL can be applied to multiple subnets
  • Security Groups are stateful
    • Works on only inbound
  • Network ACL are stateless
    • Works both inbound and outbound ports
  • Network ACL can be customized
  • There is no transitive VPC peering (a VPC can only reach VPCs it is directly peered with)
  • IP Address blocking happens at the network ACL, not security group

 

A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch AWS resources, such as Amazon EC2 instances, into the VPC. You can configure the VPC by modifying its IP address range, create subnets, and configure route tables, network gateways, and security settings.

A VPC can span multiple availability zones in a region. The default VPC comes with the 172.16.0.x address space. This space provides over 64k IP addresses. It is good practice to create custom VPCs, for example for VPN connections back into a local on premise network.

Any Amazon EC2 instance launched into the VPC automatically receives a DNS hostname. You can also add a more meaningful DNS name (e.g. app.company.com) later by using Amazon Route 53.

Note: you should not delete the default VPC provided by AWS. Deleting it cannot be undone, and you would need to contact AWS to fix it.

When creating a VPC we need to set the subnet mask and the tenancy. A subnet mask of 16 provides 65,500 IPs. By default the subnet mask is 20, which equates to about 4,900 IP addresses. Note that AWS uses some of these IPs as part of the underlying infrastructure.

Dedicated Tenancy

The dedicated tenancy option allows EC2 instances to reside on dedicated hardware – which means high performance but also higher cost.

Can switch from Dedicated back to default immediately.

https://aws.amazon.com/about-aws/whats-new/2017/10/switch-the-tenancy-of-your-vpc-from-dedicated-to-default-instantly/

The following services allow traffic to get in or out of a VPC:

  • Internet Gateway – access to internet
  • Virtual Private Gateway – for VPN
  • AWS Direct Connect – a dedicated pipe to another network (on prem)
  • VPC Peering – connecting one VPC to another VPC
  • NAT Gateways – allow internet traffic into a private subnet

 

Elastic IP Address

In order to expose a resource to the internet, you need a public IP. AWS provides Elastic IPs which can be tied to any of your resources. Note there is a charge if an IP is created but not used. An Elastic IP address can be created in the VPC dashboard.

 

Subnets

A subnet is a sub-range of IP addresses within the VPC. Every VPC must have at least one subnet. AWS resources can be launched into a specified subnet. Use a public subnet for resources that must be connected to the internet, and use a private subnet for resources that are to remain isolated from the internet.

There are only two types of subnets, public and private. A subnet that has merely been named "Public Subnet" is not yet public: a public subnet must have an internet gateway attached to its VPC and routed to it. Private subnets have no internet gateway route, though if necessary outbound-only internet traffic can be configured using a NAT, proxy or bastion host (aka 'jump box').

The default subnets provided in a VPC have a netmask of 20, for example 172.31.0.0/20 or 172.31.16.0/20.

Although a VPC could span multiple availability zones, a subnet can only span one.

 

Subnet Mask

A subnet mask is a filter that separates the network part of an IP address from the node (end device) part. IP addresses are binary numbers, and that is where we can see how the subnet mask works: an IP address is a representation of a 32-bit number. An IP ending in 0, xxx.xxx.xxx.0, is used as the network address, for example for routers. Node addresses have non-zero final numbers and are used for the end devices. The default subnet mask depends on the address class:

  • Class A: 255.0.0.0
  • Class B: 255.255.0.0
  • Class C: 255.255.255.0

The binary representation of 255 is 11111111, as shown below:

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
  1    1    1    1   1   1   1   1

Therefore the IP address 135.68.1.1 is represented as 10000111.01000100.00000001.00000001, one octet per row below:

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
  1    0    0    0   0   1   1   1 = 135
  0    1    0    0   0   1   0   0 = 68
  0    0    0    0   0   0   0   1 = 1
  0    0    0    0   0   0   0   1 = 1

The next section shows how the masks are applied to node addresses and network IDs.

 

CIDR Block Notation

AWS subnets use CIDR notation. CIDR notation is the "/nn" at the end of an IP address; it gives the number of bits turned on in the subnet mask. In Example 1 below, the first 24 bits are turned on.

Example 1
192.168.1.0/24 = the /24 is the subnet mask length; it shows we can get 255 addresses below it
11111111.11111111.11111111.00000000
255.255.255.0 = subnet mask

Example 2
255.255.248.0 = subnet mask
11111111.11111111.11111000.00000000 = 8 + 8 + 5 bits covered, therefore
192.168.1.0/21 = CIDR notation
Expand the 3rd octet:
128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
  1    1    1    1   1   0   0   0 = 248, 5 of 8 bits covered

Example 3
192.168.40.55 = node IP and 255.255.248.0 = mask; what's the network ID?
40 = 00101000, 248 = 11111000
128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
  0    0    1    0   1   0   0   0 = 40 (node IP, 3rd octet)
  1    1    1    1   1   0   0   0 = 248 (mask, 3rd octet)
-----------------------------------
  0    0    1    0   1   0   0   0 = 40 (bitwise AND), therefore the network ID is
192.168.40.0/21

Since the CIDR number counts the bits turned on across the 4 octets, the highest possible CIDR number is 32, which reflects that IP addresses are 32 bits long.
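As an added example (not from the original notes), the following Python carries out the bit-level subnet-mask and CIDR arithmetic of Examples 1 to 3 by hand, cross-checks it against the standard ipaddress module, and reports the exact address counts for a block; the AWS per-subnet reservation of five addresses is stated as a known fact in the comments.

```python
# Added example, not part of the original notes: the bit-level subnet-mask and
# CIDR arithmetic from Examples 1-3 above, cross-checked against Python's
# standard ipaddress module. The /20 and /16 counts are the exact values.
import ipaddress

def ip_to_int(ip: str) -> int:
    """Pack a dotted quad into the 32-bit number it represents."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> str:
    """/nn -> dotted mask: the top nn of the 32 bits are turned on."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /nn, rejecting non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ip_to_int(prefix_to_mask(prefix)):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def network_id(ip: str, prefix: int) -> str:
    """Bitwise AND of the node IP and the mask, as worked in Example 3."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(prefix_to_mask(prefix)))

def address_count(prefix: int) -> int:
    """Total addresses in the block: 2 to the power of the host bits."""
    return 1 << (32 - prefix)

def aws_usable_hosts(prefix: int) -> int:
    """AWS reserves the first four and the last address of every subnet."""
    return max(address_count(prefix) - 5, 0)

def describe(cidr: str) -> dict:
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    net = network_id(ip, prefix)
    # Cross-check the hand-rolled arithmetic against the standard library.
    expected = ipaddress.ip_network(cidr, strict=False).network_address
    assert net == str(expected), (net, expected)
    return {"network": f"{net}/{prefix}", "mask": prefix_to_mask(prefix),
            "addresses": address_count(prefix),
            "aws_usable": aws_usable_hosts(prefix)}

if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "192.168.40.55/21", "172.31.0.0/20"):
        print(cidr, describe(cidr))
```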

 

Internet Gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a VPC and the internet. It imposes no availability risks or bandwidth constraints on network traffic. An internet gateway serves two purposes:

  • To provide a target in route tables to connect to the internet
  • To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses

Creating an internet gateway and attaching it to the VPC is not enough on its own: you must also configure the public subnet's route table to use the internet gateway. Note also that to make an EC2 instance publicly accessible, the network access control (via its Security Group) must allow internet-based traffic.

 

Route Tables

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

To use an internet gateway, a subnet’s route table must contain a route that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it is known as a public subnet.

In the example below, we have two subnets. The top subnet has a route table entry to the Internet Gateway, thereby allowing outside internet access into the network. The bottom subnet has the default route table, which only allows traffic within the internal private network.

Every VPC has a default route table called the Main route table. This should not be modified; instead, to make changes, create custom route tables. The above example is implemented with a Main table and a custom route table, where the custom table points to the IGW.
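As an added example (not from the original notes), here is a small longest-prefix-match lookup over the Main and custom route tables described above; the VPC range and the igw-/nat-/pcx- target ids are constructed placeholders.

```python
# Added example, not part of the original notes: longest-prefix-match lookup
# over the Main and custom route tables described above. The VPC range and the
# igw-/nat-/pcx- target ids are constructed placeholders.
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # assumed VPC range; the 'local' route covers it

# A route table is a list of (destination CIDR, target). Order is irrelevant:
# the most specific matching destination (longest prefix) wins.
MAIN_TABLE = [
    (VPC_CIDR, "local"),
]
PUBLIC_TABLE = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),       # everything else to the internet gateway
]
PRIVATE_TABLE = [
    (VPC_CIDR, "local"),
    ("172.16.0.0/16", "pcx-EXAMPLE"),   # a peered VPC, more specific than 0/0
    ("0.0.0.0/0", "nat-EXAMPLE"),       # outbound-only internet via NAT gateway
]

def lookup(table, dst: str):
    """Return the target for dst, or None when no route matches (dropped)."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def is_public_subnet(table) -> bool:
    """AWS's definition: a subnet is public iff its table routes to an IGW."""
    return any(target.startswith("igw-") for _, target in table)

def route_report(tables: dict, destinations) -> dict:
    """Map each (table name, destination) to the chosen target, for review."""
    return {(name, dst): lookup(table, dst)
            for name, table in tables.items() for dst in destinations}

if __name__ == "__main__":
    tables = {"main": MAIN_TABLE, "public": PUBLIC_TABLE, "private": PRIVATE_TABLE}
    for key, target in route_report(tables, ["10.0.1.5", "172.16.3.4", "93.184.216.34"]).items():
        print(key, "->", target)
    print({name: is_public_subnet(t) for name, t in tables.items()})
```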

 

NAT

A NAT device enables resources in a private subnet to access the internet, while blocking traffic from the internet coming into the private subnet. There are NAT gateways and NAT instances. The NAT Gateway is managed by AWS, whereas a NAT instance is an EC2 instance that must be managed by the user.

NAT Gateway

A NAT Gateway needs to be deployed in a public subnet. A private subnet needing internet access reaches the NAT Gateway via its route table (which routes the private subnet's internet-bound traffic to the NAT gateway). In the public subnet, resources needing internet access route directly to the Internet Gateway. This gives the private subnet a more secure connection to the internet.

Note that in order to use the NAT Gateway we need to assign it an elastic IP address.

NAT instances 

These are created manually; make sure to disable the source/destination check on the instance. Also ensure the instance is in a public subnet. There must be a route out of the private subnet to the NAT instance. Make sure the instance size is appropriate for the expected traffic.

Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console.

NAT instances need to be patched. They also sit behind a Security Group, so make sure those rules are properly configured. NAT is not supported for IPv6 traffic; use an egress-only internet gateway instead.

NAT Gateway vs NAT Instance

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

NAT vs Bastion

Bastion hosts (aka jump boxes) are a way for the public internet side to access a resource in a private subnet. The resources in the private subnet only allow traffic from the bastion server, and outside internet users must first log in to the bastion server (SSH or RDP).

The difference from NAT instances (or gateways) is that NAT provides direct internet traffic to the private resource, whereas a bastion is a jump box that must be accessed first before the private resource can be reached.

 

Security Group and Network ACL

A security group acts as a virtual firewall for instances to control inbound and outbound traffic. Security groups operate at the instance network interface level, not the subnet level. Therefore, each instance can have its own firewall that controls traffic. If you do not specify a particular security group at launch time, the instance is automatically assigned to the default security group for the VPC.

Security Groups are found on the EC2 and VPC dashboards in the console. The rules define allowed traffic (never disallowed traffic) for the inbound or outbound direction. Whenever you want to allow an internet (all) range, use the address 0.0.0.0/0 (the /0 meaning all addresses).

A network access control list (ACL) is an additional security layer for your VPC that controls inbound and outbound traffic for a subnet. Network ACLs can be set up alongside Security Groups to add a further layer of security; they sit at a lower layer (the subnet) than Security Groups. The ACL is a numbered list, and the number indicates the order in which the rules are evaluated. Every subnet must have an associated ACL, and AWS provides a default one. A single ACL can be applied to multiple subnets.

Ephemeral Ports

An ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications. Ephemeral ports are allocated automatically from a predefined range by the IP stack software. An ephemeral port is typically used by the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or the Stream Control Transmission Protocol (SCTP) as the port assignment for the client end of a client–server communication to a particular port (usually a well-known port) on a server. FTP and RPC, for example, make use of ephemeral ports.

The client that initiates the request chooses the ephemeral port range. The range varies depending on the client’s operating system.

  • Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000.
  • Requests originating from Elastic Load Balancing use ports 1024-65535.
  • Windows operating systems through Windows Server 2003 use ports 1025-5000.
  • Windows Server 2008 and later versions use ports 49152-65535.
  • A NAT gateway uses ports 1024-65535.
  • AWS Lambda functions use ports 1024-65535. 
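As an added example (not from the original notes), the following Python simulates the stateful/stateless difference described above: one HTTPS request from an internet client and its reply on an ephemeral port, evaluated by a security group, by a network ACL that forgot the outbound ephemeral range, by the corrected ACL, and by an ACL that blocks the client's address range with a low-numbered deny rule. Addresses, rule numbers and ranges are constructed samples.

```python
# Added example, not part of the original notes: a small simulator contrasting
# a stateful security group with a stateless network ACL for one HTTPS request
# and its reply on an ephemeral port. Addresses, rule numbers and ranges are
# constructed samples.
from collections import namedtuple
from dataclasses import dataclass, field
import ipaddress

Packet = namedtuple("Packet", "src dst sport dport")

def _matches(direction, pkt, cidr, lo, hi):
    # Inbound rules match on the source address, outbound rules on the
    # destination; the port range always applies to the destination port.
    remote = ipaddress.ip_address(pkt.src if direction == "in" else pkt.dst)
    return remote in ipaddress.ip_network(cidr) and lo <= pkt.dport <= hi

@dataclass
class NetworkAcl:
    """Stateless: each direction judged alone, numbered order, first match wins, '*' denies."""
    inbound: list   # (rule_no, cidr, port_lo, port_hi, "allow" | "deny")
    outbound: list

    def allows(self, direction, pkt):
        for _, cidr, lo, hi, action in sorted(self.inbound if direction == "in" else self.outbound):
            if _matches(direction, pkt, cidr, lo, hi):
                return action == "allow"
        return False

@dataclass
class SecurityGroup:
    """Stateful: allow rules only; the reply to an allowed flow is always let through."""
    inbound: list   # (cidr, port_lo, port_hi)
    outbound: list
    flows: set = field(default_factory=set)

    def allows(self, direction, pkt):
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return True  # tracked reply traffic, no rule needed
        for cidr, lo, hi in (self.inbound if direction == "in" else self.outbound):
            if _matches(direction, pkt, cidr, lo, hi):
                self.flows.add(tuple(pkt))
                return True
        return False

def round_trip(fw, request):
    """(request allowed in?, reply allowed out?) for one client/server exchange."""
    reply = Packet(request.dst, request.src, request.dport, request.sport)
    return fw.allows("in", request), fw.allows("out", reply)

# Constructed scenario: internet client, ephemeral port 51515 -> web server :443
REQUEST = Packet("203.0.113.10", "10.0.1.5", 51515, 443)
SG = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
NACL_NO_EPHEMERAL = NetworkAcl(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")],
                               outbound=[(100, "0.0.0.0/0", 443, 443, "allow")])
NACL_FIXED = NetworkAcl(inbound=NACL_NO_EPHEMERAL.inbound,   # ephemeral range added
                        outbound=NACL_NO_EPHEMERAL.outbound + [(110, "0.0.0.0/0", 1024, 65535, "allow")])
NACL_BLOCKED = NetworkAcl(inbound=[(50, "203.0.113.0/24", 0, 65535, "deny")] + NACL_FIXED.inbound,
                          outbound=NACL_FIXED.outbound)    # lower-numbered deny wins
```

The 1024-65535 outbound range covers every client ephemeral range listed above; the stateful security group needs no such rule because it tracks the flow.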

 

VPC Endpoints

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

VPC Endpoints come in 3 different types:

  • Gateway Endpoint
  • Interface Endpoint
  • Gateway Load Balancer Endpoint

Gateway Endpoint

A gateway endpoint is available for the following supported AWS services:

  • S3
  • DynamoDB

You specify a gateway endpoint as a route table target for traffic that is destined for the supported AWS services.

Interface Endpoint

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service. Interface endpoints are powered by AWS PrivateLink. The owner of the service is the service provider, and you, as the principal creating the interface endpoint, are the service consumer.

Gateway Load Balancer Endpoint

A Gateway Load Balancer endpoint enables you to intercept traffic and route it to a service that you’ve configured using Gateway Load Balancers, for example, for security inspection. The owner of the service is the service provider, and you, as the principal creating the Gateway Load Balancer endpoint, are the service consumer.

 

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination.

Flow logs can help you with a number of tasks, such as:

  • Diagnosing overly restrictive security group rules
  • Monitoring the traffic that is reaching your instance
  • Determining the direction of the traffic to and from the network interfaces

VPC Flow Logs capture layer 3 and layer 4 (IP-level) information. Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

Features:

  • Cannot enable flow logs for peered VPCs
  • Cannot tag a flow log
  • Cannot change the configuration of a flow log after creation
  • Not all network traffic is captured, e.g. DNS lookups or traffic to 169.254.169.254 for instance metadata
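As an added example (not from the original notes), the following Python parses flow log records in the default (version 2) format, skips NODATA/SKIPDATA records, and summarises rejected flows, the "overly restrictive security group" and "what is reaching my instance" tasks listed above. The log lines, the account id and the VPC range are constructed samples.

```python
# Added example, not part of the original notes: parse VPC flow log records in
# the default (version 2) format and pick out rejected flows, the "overly
# restrictive security group" and "what is reaching my instance" tasks above.
# The log lines, the account id and the VPC range are constructed samples.
from collections import Counter, namedtuple
import ipaddress

# Field order of the default flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51515 443 6 10 840 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40022 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40023 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.5 33333 5432 6 4 256 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

FlowRecord = namedtuple("FlowRecord", "interface_id srcaddr dstaddr srcport dstport protocol action")

def parse_record(line: str):
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, whose address
    and port fields are '-' because no (or not all) traffic was captured."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      rec["action"])

def parse_log(text: str) -> list:
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]

def reject_summary(records) -> Counter:
    """Count REJECTed flows per (origin, destination port). Rejects that
    originate inside the VPC usually point at an over-tight SG or NACL rule;
    rejects from the internet are usually just blocked probes."""
    counts = Counter()
    for r in records:
        if r.action == "REJECT":
            origin = "internal" if ipaddress.ip_address(r.srcaddr) in VPC_CIDR else "external"
            counts[(origin, r.dstport)] += 1
    return counts

def suspected_rule_gaps(records) -> list:
    """Destination ports rejected for traffic that started inside the VPC."""
    return sorted({port for (origin, port) in reject_summary(records) if origin == "internal"})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(sorted(reject_summary(recs).items()))
    print("check SG/NACL rules for ports:", suspected_rule_gaps(recs))
```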

 

VPC Peering

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.

Peered VPCs must have different IP address ranges. Transitive peering is not allowed, as shown below.

Also, a VPC cannot occupy the same IP address space as another VPC it is peered with.

How it should work:

 

Transit Gateway

Transit Gateway is a distributed, managed routing service that is deployed in a region. It manages many VPCs in a scalable fashion, which VPC peering does not do well since peering connections must be defined at each VPC. With Transit Gateway, all VPCs connect to the gateway, and the TGW routing table defines which other VPCs each one can connect with.

TGW can also go across accounts.

 

Connecting VPC to On Premise

There are two options of connecting a VPC in AWS back into an on premise network.

  • VPN – the most common option. You need to define the customer gateway, which is usually the customer's firewall or VPN endpoint supporting IPsec. AWS requires at least 2 VPN IPsec tunnels to ensure high availability.
    • Can be configured in minutes and good for immediate needs
    • Has modest bandwidth and can tolerate the inherent variability in Internet-based connectivity
  • Direct Connect – a dedicated physical connection, with no Internet involved. AWS publishes a list of physical locations; you connect to the one closest to you. The on premise side requires creating a new VLAN which connects into that physical location, and from there it connects into one or more AWS VPCs.
    • Reduce costs when using large volumes of data
    • Increase reliability
    • Increase bandwidth
    • 10Gbps / 1Gbps

Note that when connecting VPCs together, Route 53 has a security feature that prevents internal DNS from being read by external sources. The workaround is to create an EC2-hosted DNS instance that does zone transfers from the internal DNS and allows itself to be queried by external servers.

 

References

AWS VPC Lab
https://aws.qwiklabs.com/catalog_lab/3744

AWS VPC Tutorial
https://www.youtube.com/watch?v=fpxDGU2KdkA

AWS Summit – Networking
https://www.youtube.com/watch?v=hiKPPy584Mg

CIDR notation tool
https://cidr.xyz/